1. 19 Jan, 2018 25 commits
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 6ec8765f
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "We have various small DT fixes, and one important regression fix:
        The recent device tree bugfixes that were intended to address issues
        that 'dtc' started warning about in 4.15 fixed various USB PHY device
        nodes, but it turns out that we had code that depended on those nodes
        being incorrect and the probe failing with a particular error code.
        With the workaround we can also deal with correct device nodes.
        The DT fixes include:
         - Allwinner A10 and A20 had the display pipeline set up incorrectly
           (introduced in v4.15)
         - The Altera PMU lacked an interrupt-parent (never worked)
         - Pin muxing on the Openblocks A7 (never worked)
         - Clocks might get set up wrong on Armada 7K/8K (4.15 regression)
        We now have additional device tree patches to address all the
        remaining warnings introduced in 4.15, but decided to queue them for
        4.16 instead, to avoid risking another regression like the USB PHY
        thing mentioned above.
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        phy: work around 'phys' references to usb-nop-xceiv devices
        ARM: sunxi_defconfig: Enable CMA
        arm64: dts: socfpga: add missing interrupt-parent
        ARM: dts: sun[47]i: Fix display backend 1 output to TCON0 remote endpoint
        ARM64: dts: marvell: armada-cp110: Fix clock resources for various node
        ARM: dts: da850-lcdk: Remove leading 0x and 0s from unit address
        ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.15-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 4917d5df
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "More than we'd like after rc8, but nothing very alarming either, just
        tying up loose ends before the release:
        Since we changed powernv to use cpufreq_get() from show_cpuinfo(), we
        see warnings with PREEMPT enabled. But the preempt_disable() in
        show_cpuinfo() doesn't actually prevent CPU hotplug as it suggests, so
        remove it.
        Two updates to the recently merged RFI flush code. Wire up the generic
        sysfs file to report the status, and add a debugfs file to allow
        enabling/disabling it at runtime.
        Two updates to xmon, one to add the RFI flush related fields to the
        paca dump, and another to not use hashed pointers in the paca dump.
        And one minor fix to add a missing include of linux/types.h in
        asm/hvcall.h, not seen to break the build in upstream, but correct
        Thanks to: Benjamin Herrenschmidt, Michal Suchanek, Nicholas Piggin"
      * tag 'powerpc-4.15-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries: include linux/types.h in asm/hvcall.h
        powerpc/64s: Allow control of RFI flush via debugfs
        powerpc/64s: Wire up cpu_show_meltdown()
        powerpc: Don't preempt_disable() in show_cpuinfo()
        powerpc/xmon: Don't print hashed pointers in paca dump
        powerpc/xmon: Add RFI flush related fields to paca dump
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.15-rc9' of git://people.freedesktop.org/~airlied/linux · 9abc9378
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Nouveau, i915, vmwgfx and sun4i regression fixes.
        The i915 change fixes a display corruption problem introduced in 4.15,
        the nouveau changes are for regressions in 4.15, one of the vmwgfx
        fixes goes back a little further, the other is a 4.15 regression fix,
        the 3 sun4i changes fix blank HDMI output on those devices"
      * tag 'drm-fixes-for-v4.15-rc9' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau/mmu/mcp77: fix regressions in stolen memory handling
        drm/nouveau/bar/gk20a: Avoid bar teardown during init
        drm/nouveau/drm/nouveau: Pass the proper arguments to nvif_object_map_handle()
        drm/vmwgfx: fix memory corruption with legacy/sou connectors
        drm/vmwgfx: Fix a boot time warning
        drm/i915: Fix deadlock in i830_disable_pipe()
        drm/i915: Redo plane sanitation during readout
        drm/i915: Add .get_hw_state() method for planes
        drm/sun4i: hdmi: Add missing rate halving check in sun4i_tmds_determine_rate
        drm/sun4i: hdmi: Fix incorrect assignment in sun4i_tmds_determine_rate
        drm/sun4i: hdmi: Check for unset best_parent in sun4i_tmds_determine_rate
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · d342740e
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "6 fixes"
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        sparse doesn't support struct randomization
        proc: fix coredump vs read /proc/*/stat race
        scripts/gdb/linux/tasks.py: fix get_thread_info
        scripts/decodecode: fix decoding for AArch64 (arm64) instructions
        mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages
        mm/memory.c: release locked page in do_swap_page()
    • Matthew Wilcox's avatar
      ia64: Rewrite atomic_add and atomic_sub · 4b664e73
      Matthew Wilcox authored
      Force __builtin_constant_p to evaluate whether the argument to atomic_add
      & atomic_sub is constant in the front-end before optimisations which
      can lead GCC to output a call to __bad_increment_for_ia64_fetch_and_add().
      See GCC bugzilla 83653.
      Signed-off-by: default avatarJakub Jelinek <jakub@redhat.com>
      Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Matthew Wilcox's avatar
      sparse doesn't support struct randomization · a3d6c976
      Matthew Wilcox authored
      Without this patch, I drown in a sea of unknown attribute warnings
      Link: http://lkml.kernel.org/r/20180117024539.27354-1-willy@infradead.org
      Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Alexey Dobriyan's avatar
      proc: fix coredump vs read /proc/*/stat race · 8bb2ee19
      Alexey Dobriyan authored
      do_task_stat() accesses IP and SP of a task without bumping reference
      count of a stack (which became an entity with independent lifetime at
      some point).
      Steps to reproduce:
          #include <stdio.h>
          #include <sys/types.h>
          #include <sys/stat.h>
          #include <fcntl.h>
          #include <sys/time.h>
          #include <sys/resource.h>
          #include <unistd.h>
          #include <sys/wait.h>
          int main(void)
          	setrlimit(RLIMIT_CORE, &(struct rlimit){});
          	while (1) {
          		char buf[64];
          		char buf2[4096];
          		pid_t pid;
          		int fd;
          		pid = fork();
          		if (pid == 0) {
          			*(volatile int *)0 = 0;
          		snprintf(buf, sizeof(buf), "/proc/%u/stat", pid);
          		fd = open(buf, O_RDONLY);
          		read(fd, buf2, sizeof(buf2));
          		waitpid(pid, NULL, 0);
          	return 0;
          BUG: unable to handle kernel paging request at 0000000000003fd8
          IP: do_task_stat+0x8b4/0xaf0
          PGD 800000003d73e067 P4D 800000003d73e067 PUD 3d558067 PMD 0
          Oops: 0000 [#1] PREEMPT SMP PTI
          CPU: 0 PID: 1417 Comm: a.out Not tainted 4.15.0-rc8-dirty #2
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc27 04/01/2014
          RIP: 0010:do_task_stat+0x8b4/0xaf0
          Call Trace:
          RIP: 0033:0x7f4d7928cba0
          RSP: 002b:00007ffddb245158 EFLAGS: 00000246
          Code: 03 b7 a0 01 00 00 4c 8b 4c 24 70 4c 8b 44 24 78 4c 89 74 24 18 e9 91 f9 ff ff f6 45 4d 02 0f 84 fd f7 ff ff 48 8b 45 40 48 89 ef <48> 8b 80 d8 3f 00 00 48 89 44 24 20 e8 9b 97 eb ff 48 89 44 24
          RIP: do_task_stat+0x8b4/0xaf0 RSP: ffffc90000607cc8
          CR2: 0000000000003fd8
      John Ogness said: for my tests I added an else case to verify that the
      race is hit and correctly mitigated.
      Link: http://lkml.kernel.org/r/20180116175054.GA11513@avx2
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Reported-by: default avatar"Kohli, Gaurav" <gkohli@codeaurora.org>
      Tested-by: default avatarJohn Ogness <john.ogness@linutronix.de>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Xi Kangjie's avatar
      scripts/gdb/linux/tasks.py: fix get_thread_info · 883d50f5
      Xi Kangjie authored
      Since kernel 4.9, the thread_info has been moved into task_struct, no
      longer locates at the bottom of kernel stack.
      See commits c65eacbe ("sched/core: Allow putting thread_info into
      task_struct") and 15f4eae7 ("x86: Move thread_info into
      Before fix:
        (gdb) set $current = $lx_current()
        (gdb) p $lx_thread_info($current)
        $1 = {flags = 1470918301}
        (gdb) p $current.thread_info
        $2 = {flags = 2147483648}
      After fix:
        (gdb) p $lx_thread_info($current)
        $1 = {flags = 2147483648}
        (gdb) p $current.thread_info
        $2 = {flags = 2147483648}
      Link: http://lkml.kernel.org/r/20180118210159.17223-1-imxikangjie@gmail.com
      Fixes: 15f4eae7
       ("x86: Move thread_info into task_struct")
      Signed-off-by: default avatarXi Kangjie <imxikangjie@gmail.com>
      Acked-by: default avatarJan Kiszka <jan.kiszka@siemens.com>
      Acked-by: default avatarKieran Bingham <kbingham@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Will Deacon's avatar
      scripts/decodecode: fix decoding for AArch64 (arm64) instructions · be9fa663
      Will Deacon authored
      There are a couple of problems with the decodecode script and arm64:
      1. AArch64 objdump refuses to disassemble .4byte directives as instructions,
         insisting that they are data values and displaying them as:
      	a94153f3	.word	0xa94153f3		<-- trapping instruction
         This is resolved by using the .inst directive instead.
      2. Disassembly of branch instructions attempts to provide the target as
         an offset from a symbol, e.g.:
         0:	34000082	cbz	w2, 10 <.text+0x10>
        however this falls foul of the grep -v, which matches lines containing
        ".text" and ends up removing all branch instructions from the dump.
      This patch resolves both issues by using the .inst directive for 4-byte
      quantities on arm64 and stripping the resulting binaries (as is done on
      arm already) to remove the mapping symbols.
      Link: http://lkml.kernel.org/r/1506596147-23630-1-git-send-email-will.deacon@arm.com
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Reviewed-by: default avatarDave Martin <Dave.Martin@arm.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Oscar Salvador's avatar
      mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages · 6bec6ad7
      Oscar Salvador authored
      When setting page_owner = on, the following warning can be seen in the
      boot log:
        WARNING: CPU: 0 PID: 0 at mm/page_alloc.c:2537 drain_all_pages+0x171/0x1a0
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.15.0-rc7-next-20180109-1-default+ #7
        Hardware name: Dell Inc. Latitude E7470/0T6HHJ, BIOS 1.11.3 11/09/2016
        RIP: 0010:drain_all_pages+0x171/0x1a0
        Call Trace:
          ? set_init_arg+0x55/0x55
        Code: c5 ed ff 89 df 48 c7 c6 20 3b 71 82 e8 f9 4b 52 00 3b 05 d7 0b f8 00 89 c3 72 d5 5b 5d 41 5
      This warning is shown because we are calling drain_all_pages() in
      init_early_allocated_pages(), but mm_percpu_wq is not up yet, it is being
      set up later on in kernel_init_freeable() -> init_mm_internals().
      Link: http://lkml.kernel.org/r/20180109153921.GA13070@techadventures.net
      Signed-off-by: default avatarOscar Salvador <osalvador@techadventures.net>
      Acked-by: default avatarJoonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Ayush Mittal <ayush.m@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Minchan Kim's avatar
      mm/memory.c: release locked page in do_swap_page() · f8020772
      Minchan Kim authored
      James reported a bug in swap paging-in from his testing.  It is that
      do_swap_page doesn't release locked page so system hang-up happens due
      to a deadlock on PG_locked.
      It was introduced by 0bcac06f ("mm, swap: skip swapcache for swapin
      of synchronous device") because I missed swap cache hit places to update
      swapcache variable to work well with other logics against swapcache in
      This patch fixes it.
      Debugged by James Bottomley.
      Link: http://lkml.kernel.org/r/<1514407817.4169.4.camel@HansenPartnership.com>
      Link: http://lkml.kernel.org/r/20180102235606.GA19438@bbox
      Signed-off-by: default avatarMinchan Kim <minchan@kernel.org>
      Reported-by: default avatarJames Bottomley <James.Bottomley@hansenpartnership.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 726ba84b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       1) Fix BPF divides by zero, from Eric Dumazet and Alexei Starovoitov.
       2) Reject stores into bpf context via st and xadd, from Daniel
       3) Fix a memory leak in TUN, from Cong Wang.
       4) Disable RX aggregation on a specific troublesome configuration of
          r8152 in a Dell TB16b dock.
       5) Fix sw_ctx leak in tls, from Sabrina Dubroca.
       6) Fix program replacement in cls_bpf, from Daniel Borkmann.
       7) Fix uninitialized station_info structures in cfg80211, from Johannes
       8) Fix miscalculation of transport header offset field in flow
          dissector, from Eric Dumazet.
       9) Fix LPM tree leak on failure in mlxsw driver, from Ido Schimmel.
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (29 commits)
        ibmvnic: Fix IPv6 packet descriptors
        ibmvnic: Fix IP offload control buffer
        ipv6: don't let tb6_root node share routes with other node
        ip6_gre: init dev->mtu and dev->hard_header_len correctly
        mlxsw: spectrum_router: Free LPM tree upon failure
        flow_dissector: properly cap thoff field
        fm10k: mark PM functions as __maybe_unused
        cfg80211: fix station info handling bugs
        netlink: reset extack earlier in netlink_rcv_skb
        can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
        can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
        bpf: mark dst unknown on inconsistent {s, u}bounds adjustments
        bpf: fix cls_bpf on filter replace
        Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500
        tls: reset crypto_info when do_tls_setsockopt_tx fails
        tls: return -EBUSY if crypto_info is already set
        tls: fix sw_ctx leak
        net/tls: Only attach to sockets in ESTABLISHED state
        net: fs_enet: do not call phy_stop() in interrupts
        r8152: disable RX aggregation on Dell TB16 dock
    • Arnd Bergmann's avatar
      phy: work around 'phys' references to usb-nop-xceiv devices · b7563e27
      Arnd Bergmann authored
      Stefan Wahren reports a problem with a warning fix that was merged
      for v4.15: we had lots of device nodes with a 'phys' property pointing
      to a device node that is not compliant with the binding documented in
      This generally works because USB HCD drivers that support both the generic
      phy subsystem and the older usb-phy subsystem ignore most errors from
      phy_get() and related calls and then use the usb-phy driver instead.
      However, it turns out that making the usb-nop-xceiv device compatible with
      the generic-phy binding changes the phy_get() return code from -EINVAL to
      -EPROBE_DEFER, and the dwc2 usb controller driver for bcm2835 now returns
      -EPROBE_DEFER from its probe function rather than ignoring the failure,
      breaking all USB support on raspberry-pi when CONFIG_GENERIC_PHY is
      enabled. The same code is used in the dwc3 driver and the usb_add_hcd()
      function, so a reasonable assumption would be that many other platforms
      are affected as well.
      I have reviewed all the related patches and concluded that "usb-nop-xceiv"
      is the only USB phy that is affected by the change, and since it is by far
      the most commonly referenced phy, all the other USB phy drivers appear
      to be used in ways that are are either safe in DT (they don't use the
      'phys' property), or in the driver (they already ignore -EPROBE_DEFER
      from generic-phy when usb-phy is available).
      To work around the problem, this adds a special case to _of_phy_get()
      so we ignore any PHY node that is compatible with "usb-nop-xceiv",
      as we know that this can never load no matter how much we defer. In the
      future, we might implement a generic-phy driver for "usb-nop-xceiv"
      and then remove this workaround.
      Since we generally want older kernels to also want to work with the
      fixed devicetree files, it would be good to backport the patch into
      stable kernels as well (3.13+ are possibly affected), even though they
      don't contain any of the patches that may have caused regressions.
      Fixes: 014d6da6 ARM: dts: bcm283x: Fix DTC warnings about missing phy-cells
      Fixes: c5bbf358 arm: dts: nspire: Add missing #phy-cells to usb-nop-xceiv
      Fixes: 44e5dced arm: dts: marvell: Add missing #phy-cells to usb-nop-xceiv
      Fixes: f568f6f5 ARM: dts: omap: Add missing #phy-cells to usb-nop-xceiv
      Fixes: d745d5f2 ARM: dts: imx51-zii-rdu1: Add missing #phy-cells to usb-nop-xceiv
      Fixes: 915fbe59 ARM: dts: imx: Add missing #phy-cells to usb-nop-xceiv
      Link: https://marc.info/?l=linux-usb&m=151518314314753&w=2
      Link: https://patchwork.kernel.org/patch/10158145/
      Cc: stable@vger.kernel.org
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Eric Anholt <eric@anholt.net>
      Tested-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Tested-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Acked-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
    • Maxime Ripard's avatar
      ARM: sunxi_defconfig: Enable CMA · c13e7f31
      Maxime Ripard authored
      The DRM driver most notably, but also out of tree drivers (for now) like
      the VPU or GPU drivers, are quite big consumers of large, contiguous memory
      buffers. However, the sunxi_defconfig doesn't enable CMA in order to
      mitigate that, which makes them almost unusable.
      Enable it to make sure it somewhat works.
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2018-01-18' of... · 04cef3ea
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2018-01-18' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      Display corruption regression bugfix with both a prep patch and a
      follow-up fix
      * tag 'drm-intel-fixes-2018-01-18' of git://anongit.freedesktop.org/drm/drm-intel:
        drm/i915: Fix deadlock in i830_disable_pipe()
        drm/i915: Redo plane sanitation during readout
        drm/i915: Add .get_hw_state() method for planes
    • Thomas Falcon's avatar
      ibmvnic: Fix IPv6 packet descriptors · a0dca10f
      Thomas Falcon authored
      Packet descriptor generation for IPv6 is broken.
      Properly set L3 and L4 protocol flags for IPv6 descriptors.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Thomas Falcon's avatar
      ibmvnic: Fix IP offload control buffer · f6897943
      Thomas Falcon authored
      Set some missing fields in the IP control offload buffer. This buffer is
      used to enable checksum and TCP segmentation offload in the VNIC server.
      The buffer length field and the checksum offloading bits were not set
      properly, so fix that here.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.15-20180118' of... · 69c4a65e
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.15-20180118' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      Marc Kleine-Budde says:
      pull-request: can 2018-01-18
      this is a pull reqeust of two patches for net/master:
      The syzkaller project triggered two WARN_ONCE() in the af_can code from
      userspace and we decided to replace it by a pr_warn_once().
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Wei Wang's avatar
      ipv6: don't let tb6_root node share routes with other node · 591ff9ea
      Wei Wang authored
      After commit 4512c43e, if we add a route to the subtree of tb6_root
      which does not have any route attached to it yet, the current code will
      let tb6_root and the node in the subtree share the same route.
      This could cause problem cause tb6_root has RTN_INFO flag marked and the
      tree repair and clean up code will not work properly.
      This commit makes sure tb6_root->leaf points back to null_entry instead
      of sharing route with other node.
      It fixes the following syzkaller reported issue:
      BUG: KASAN: use-after-free in ipv6_prefix_equal include/net/ipv6.h:540 [inline]
      BUG: KASAN: use-after-free in fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
      Read of size 8 at addr ffff8801bc043498 by task syz-executor5/19819
      CPU: 1 PID: 19819 Comm: syz-executor5 Not tainted 4.15.0-rc7+ #186
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x25b/0x340 mm/kasan/report.c:409
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
       ipv6_prefix_equal include/net/ipv6.h:540 [inline]
       fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
       fib6_add+0x5fa/0x1540 net/ipv6/ip6_fib.c:1214
       __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1003
       ip6_route_add+0x141/0x190 net/ipv6/route.c:2790
       ipv6_route_ioctl+0x4db/0x6b0 net/ipv6/route.c:3299
       inet6_ioctl+0xef/0x1e0 net/ipv6/af_inet6.c:520
       sock_do_ioctl+0x65/0xb0 net/socket.c:958
       sock_ioctl+0x2c2/0x440 net/socket.c:1055
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
      RIP: 0033:0x452ac9
      RSP: 002b:00007fd42b321c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
      RDX: 0000000020fd7000 RSI: 000000000000890b RDI: 0000000000000013
      RBP: 000000000000049e R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f4f70
      R13: 00000000ffffffff R14: 00007fd42b3226d4 R15: 0000000000000000
      Fixes: 4512c43e
       ("ipv6: remove null_entry before adding default route")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Dave Airlie's avatar
      Merge branch 'linux-4.15' of git://github.com/skeggsb/linux into drm-fixes · ee62249d
      Dave Airlie authored
      Thought I'd try my luck getting one more in:
      - Two fixes for Tegra (one is to common code, but our userspace doesn't hit it).
      - One for NV5x-class MCPs
      * 'linux-4.15' of git://github.com/skeggsb/linux:
        drm/nouveau/mmu/mcp77: fix regressions in stolen memory handling
        drm/nouveau/bar/gk20a: Avoid bar teardown during init
        drm/nouveau/drm/nouveau: Pass the proper arguments to nvif_object_map_handle()
    • Alexey Kodanev's avatar
      ip6_gre: init dev->mtu and dev->hard_header_len correctly · 128bb975
      Alexey Kodanev authored
      Commit b05229f4 ("gre6: Cleanup GREv6 transmit path,
      call common GRE functions") moved dev->mtu initialization
      from ip6gre_tunnel_setup() to ip6gre_tunnel_init(), as a
      result, the previously set values, before ndo_init(), are
      reset in the following cases:
      * rtnl_create_link() can update dev->mtu from IFLA_MTU
      * ip6gre_tnl_link_config() is invoked before ndo_init() in
        netlink and ioctl setup, so ndo_init() can reset MTU
        adjustments with the lower device MTU as well, dev->mtu
        and dev->hard_header_len.
        Not applicable for ip6gretap because it has one more call
        to ip6gre_tnl_link_config(tunnel, 1) in ip6gre_tap_init().
      Fix the first case by updating dev->mtu with 'tb[IFLA_MTU]'
      parameter if a user sets it manually on a device creation,
      and fix the second one by moving ip6gre_tnl_link_config()
      call after register_netdevice().
      Fixes: b05229f4 ("gre6: Cleanup GREv6 transmit path, call common GRE functions")
      Fixes: db2ec95d
       ("ip6_gre: Fix MTU setting")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Free LPM tree upon failure · ed604c5d
      Ido Schimmel authored
      When a new LPM tree is created, we try to replace the trees in the
      existing virtual routers with it. If we fail, the tree needs to be
      Currently, this does not happen in the unlikely case where we fail to
      bind the tree to the first virtual router, since its reference count
      never transitions from 1 to 0.
      Fix that by taking a reference before binding the tree.
      Fixes: fc922bb0
       ("mlxsw: spectrum_router: Use one LPM tree for all virtual routers")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Ben Skeggs's avatar
      drm/nouveau/mmu/mcp77: fix regressions in stolen memory handling · 2ffa64eb
      Ben Skeggs authored
      - Fixes addition of stolen memory base address to PTEs.
      - Removes support for compression.
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Tested-by: default avatarPierre Moreau <pierre.morrow@free.fr>
    • Jon Hunter's avatar
      drm/nouveau/bar/gk20a: Avoid bar teardown during init · e062a01e
      Jon Hunter authored
      Commit bbb163e1 ("drm/nouveau/bar: implement bar1 teardown")
      introduced add a teardown helper function for BAR1. During
      initialisation of the Nouveau, initially all the teardown helpers are
      called once, before calling their init counterparts. For gk20a, after
      the BAR1 teardown function is called, the device is hanging during the
      initialisation of the FB sub-device. At this point it is unclear why
      this is happening and this is still under investigation. However, this
      change is preventing Tegra124 devices from booting when Nouveau is
      enabled. To allow Tegra124 to boot, remove the teardown helper for
      This is based upon a previous patch by Guillaume Tucker but limits
      the workaround to only gk20a GPUs.
      Fixes: bbb163e1
       ("drm/nouveau/bar: implement bar1 teardown")
      Reported-by: Guillaume Tucker's avatarGuillaume Tucker <guillaume.tucker@collabora.com>
      Signed-off-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
    • Thierry Reding's avatar
      drm/nouveau/drm/nouveau: Pass the proper arguments to nvif_object_map_handle() · b554b12a
      Thierry Reding authored
      This is obviously wrong in the current code. Make sure to record the
      correct size of the arguments and pass the actual arguments to the
      nvif_object_map_handle() function.
      Suggested-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
  2. 18 Jan, 2018 15 commits