Linux/linux 6cff0a1drivers/platform/x86 intel_pmc_ipc.c

Merge tag 'platform-drivers-x86-v4.14-3' of 
git://git.infradead.org/linux-platform-drivers-x86

Pull x86 platform driver fixes from Darren Hart:
 "Use a spin_lock instead of mutex in atomic context. The devm_ fix is a
  dependency. Summary:

  intel_pmc_ipc:
   - Use spin_lock to protect GCR updates
   - Use devm_* calls in driver probe function"

* tag 'platform-drivers-x86-v4.14-3' of 
git://git.infradead.org/linux-platform-drivers-x86:
  platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR updates
  platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe function

Linux/linux 6687aebdrivers/platform/x86 intel_pmc_ipc.c

platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR updates

Currently, update_no_reboot_bit() function implemented in this driver
uses mutex_lock() to protect its register updates. But this function is
called with in atomic context in iTCO_wdt_start() and iTCO_wdt_stop()
functions in iTCO_wdt.c driver, which in turn causes "sleeping into
atomic context" issue. This patch fixes this issue by replacing the
mutex_lock() with spin_lock() to protect the GCR read/write/update APIs.

Fixes: 9d855d4 ("platform/x86: intel_pmc_ipc: Fix iTCO_wdt GCS memory mapping failure")
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kupuswamy at linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko at linux.intel.com>

Linux/linux 83beee5drivers/platform/x86 intel_pmc_ipc.c

platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe function

This patch cleans up unnecessary free/alloc calls in ipc_plat_probe(),
ipc_pci_probe() and ipc_plat_get_res() functions by using devm_*
calls.

This patch also adds proper error handling for failure cases in
ipc_pci_probe() function.

Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy at linux.intel.com>
[andy: fixed style issues, missed devm_free_irq(), removed unnecessary log message]
Signed-off-by: Andy Shevchenko <andriy.shevchenko at linux.intel.com>

Linux/linux 06987dakernel workqueue.c

Merge branch 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq

Pull workqueue fix from Tejun Heo:
 "This is a fix for an old bug in workqueue. Workqueue used a mutex to
  arbitrate who gets to be the manager of a pool. When the manager role
  gets released, the mutex gets unlocked while holding the pool's
  irqsafe spinlock. This can lead to deadlocks as mutex's internal
  spinlock isn't irqsafe. This got discovered by recent fixes to mutex
  lockdep annotations.

  The fix is a bit invasive for rc6 but if anything were wrong with the
  fix it would likely have already blown up in -next, and we want the
  fix in -stable anyway"

* 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: replace pool->manager_arb mutex with a flag
DeltaFile
+15-22kernel/workqueue.c
+15-221 files

Linux/linux 2f1b11cdrivers/pinctrl pinctrl-amd.c pinctrl-mcp23s08.c

Merge tag 'pinctrl-v4.14-4' of 
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Two last minute fixes for pin controllers, both regressions in
  specific drivers:

   - Fix a touchpad pin control issue on the AMD affecting Asus laptops

   - Fix an interrupt handling regression on the MCP23s08"

* tag 'pinctrl-v4.14-4' of 
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: mcp23s08: fix interrupt handling regression
  pinctrl/amd: fix masking of GPIO interrupts

Linux/linux 468b0e0drivers/regulator rn5t618-regulator.c axp20x-regulator.c

Merge tag 'regulator-fix-v4.14-rc5' of 
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "A couple of small driver specific bug fixes that have been collected
  since the merge window"

* tag 'regulator-fix-v4.14-rc5' of 
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: rn5t618: Do not index regulator_desc arrays by id
  regulator: axp20x: Fix poly-phase bit offset for AXP803 DCDC5/6

Linux/linux bb176f6. Makefile

Linux 4.14-rc6
DeltaFile
+1-1Makefile
+1-11 files

Linux/linux dd9d064Documentation/ABI/testing sysfs-bus-iio-proximity-as3935, Documentation/devicetree/bindings/iio/proximity as3935.txt

Merge tag 'staging-4.14-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging and IIO fixes from Greg KH:
 "Here are a small number of patches to resolve some reported IIO and a
  staging driver problem. Nothing major here, full details are in the
  shortlog below.

  All have been in linux-next with no reported issues"

* tag 'staging-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: bcm2835-audio: Fix memory corruption
  iio: adc: at91-sama5d2_adc: fix probe error on missing trigger property
  iio: adc: dln2-adc: fix build error
  iio: dummy: events: Add missing break
  staging: iio: ade7759: fix signed extension bug on shift of a u8
  iio: pressure: zpa2326: Remove always-true check which confuses gcc
  iio: proximity: as3935: noise detection + threshold changes

Linux/linux 17e7637drivers/android binder_alloc.c binder.c, drivers/hv channel_mgmt.c

Merge tag 'char-misc-4.14-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are four small fixes for 4.14-rc6.

  Three of them are binder driver fixes for reported issues, and the
  last one is a hyperv driver bugfix. Nothing major, but good fixes to
  get into 4.14-final.

  All of these have been in linux-next with no reported issues"

* tag 'char-misc-4.14-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  android: binder: Fix null ptr dereference in debug msg
  android: binder: Don't get mm from task
  vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister()
  binder: call poll_wait() unconditionally.

Linux/linux 5805992drivers/phy/marvell phy-mvebu-cp110-comphy.c, drivers/phy/rockchip phy-rockchip-typec.c

Merge tag 'usb-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB/PHY fixes from Greg KH:
 "Here are a small number of USB and PHY driver fixes for 4.14-rc6

  There is the usual musb and xhci fixes in here, as well as some needed
  phy patches. Also is a nasty regression fix for usbfs that has started
  to hit a lot of people using virtual machines.

  All of these have been in linux-next with no reported problems"

* tag 'usb-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 
commits)
  usb: hub: Allow reset retry for USB2 devices on connect bounce
  USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
  MAINTAINERS: fix git tree url for musb module
  usb: quirks: add quirk for WORLDE MINI MIDI keyboard
  usb: musb: sunxi: Explicitly release USB PHY on exit
  usb: musb: Check for host-mode using is_host_active() on reset interrupt
  usb: musb: musb_cppi41: Configure the number of channels for DA8xx
  usb: musb: musb_cppi41: Fix cppi41_set_dma_mode() for DA8xx
  usb: musb: musb_cppi41: Fix the address of teardown and autoreq registers
  USB: musb: fix late external abort on suspend
  USB: musb: fix session-bit runtime-PM quirk
  usb: cdc_acm: Add quirk for Elatec TWN3

    [9 lines not shown]

Linux/linux 2ab19d5drivers/regulator axp20x-regulator.c rn5t618-regulator.c

Merge remote-tracking branches 'regulator/fix/axp20x' and 'regulator/fix/rn5t618' into 
regulator-linus

Linux/linux 02982f8scripts/mod file2alias.c devicetable-offsets.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fix from Dmitry Torokhov:
 "A fix for a broken commit in the previous pull breaking automatic
  module loading of input handlers, such ad evdev"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: do not use property bits when generating module alias

Linux/linux 09c3e01scripts/mod file2alias.c devicetable-offsets.c

Input: do not use property bits when generating module alias

The commit 8724ecb07229 ("Input: allow matching device IDs on property
bits") started using property bits when generating module aliases for input
handlers, but did not adjust the generation of MODALIAS attribute on input
device uevents, breaking automatic module loading. Given that no handler
currently uses property bits in their module tables, let's revert this part
of the commit for now.

Reported-by: Damien Wyart <damien.wyart at gmail.com>
Tested-by: Damien Wyart <damien.wyart at gmail.com>
Fixes: 8724ecb07229 ("Input: allow matching device IDs on property bits")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>

Linux/linux 936fd00arch/x86/include/asm tlbflush.h io.h, arch/x86/kernel head32.c

Merge branch 'x86-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
 "A couple of fixes addressing the following issues:

   - The last polishing for the TLB code, removing the last BUG_ON() and
     the debug file along with tidying up the lazy TLB code.

   - Prevent triple fault on 1st Gen. 486 caused by stupidly calling the
     early IDT setup after the first function which causes a fault which
     should be caught by the exception table.

   - Limit the mmap of /dev/mem to valid addresses

   - Prevent late microcode loading on Broadwell X

   - Remove a redundant assignment in the cache info code"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mm: Limit mmap() of /dev/mem to valid physical addresses
  x86/mm: Remove debug/x86/tlb_defer_switch_to_init_mm
  x86/mm: Tidy up "x86/mm: Flush more aggressively in lazy TLB mode"
  x86/mm/64: Remove the last VM_BUG_ON() from the TLB code
  x86/microcode/intel: Disable late loading on model 79

    [2 lines not shown]

Linux/linux 9e415a8drivers/clocksource cs5535-clockevt.c

Merge branch 'timers-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Thomas Gleixner:
 "A single fix to make the cs5535 clock event driver robust agaist
  spurious interrupts"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clockevents/drivers/cs5535: Improve resilience to spurious interrupts

Linux/linux 5670a84kernel cpu.c

Merge branch 'smp-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull smp/hotplug fix from Thomas Gleixner:
 "The recent rework of the callback invocation missed to cleanup the
  leftovers of the operation, so under certain circumstances a
  subsequent CPU hotplug operation accesses stale data and crashes.
  Clean it up."

* 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  cpu/hotplug: Reset node state after operation
DeltaFile
+5-0kernel/cpu.c
+5-01 files

Linux/linux 085cf9b. MAINTAINERS, tools/perf/Documentation perf-record.txt

Merge branch 'perf-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf fixes from Thomas Gleixner:
 "A series of fixes for perf tooling:

   - Make xyarray return the X/Y size correctly which fixes a crash in
     the exit code.

   - Fix the libc path in test so it works not only on Debian/Ubuntu
     correctly

   - Check for eBPF file existance and output a useful error message
     instead of failing to compile a non existant file

   - Make sure perf_hpp_fmt is not longer references before freeing it

   - Use list_del_init() in the histogram code to prevent a crash when
     the already deleted element is deleted again

   - Remove the leftovers of the removed '-l' option

   - Add reviewer entries to the MAINTAINERS file"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:

    [8 lines not shown]

Linux/linux 4f184d7Documentation/devicetree/bindings/interrupt-controller arm,gic-v3.txt, drivers/irqchip irq-gic-v3-its.c irq-tango.c

Merge branch 'irq-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull irq fixes from Thomas Gleixner:
 "A set of small fixes mostly in the irq drivers area:

   - Make the tango irq chip work correctly, which requires a new
     function in the generiq irq chip implementation

   - A set of updates to the GIC-V3 ITS driver removing a bogus BUG_ON()
     and parsing the VCPU table size correctly"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  genirq: generic chip: remove irq_gc_mask_disable_reg_and_ack()
  irqchip/tango: Use irq_gc_mask_disable_and_ack_set
  genirq: generic chip: Add irq_gc_mask_disable_and_ack_set()
  irqchip/gic-v3-its: Add missing changes to support 52bit physical address
  irqchip/gic-v3-its: Fix the incorrect parsing of VCPU table size
  irqchip/gic-v3-its: Fix the incorrect BUG_ON in its_init_vpe_domain()
  DT: arm,gic-v3: Update the ITS size in the examples

Linux/linux b8d389etools/objtool check.c

Merge branch 'core-urgent-for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull objtool fix from Thomas Gleixner:
 "Plug a memory leak in the instruction decoder"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool: Fix memory leak in decode_instructions()

Linux/linux b5ac3bedrivers/net/can flexcan.c, drivers/net/ethernet/aquantia/atlantic aq_ethtool.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "A little more than usual this time around. Been travelling, so that is
  part of it.

  Anyways, here are the highlights:

   1) Deal with memcontrol races wrt. listener dismantle, from Eric
      Dumazet.

   2) Handle page allocation failures properly in nfp driver, from Jaku
      Kicinski.

   3) Fix memory leaks in macsec, from Sabrina Dubroca.

   4) Fix crashes in pppol2tp_session_ioctl(), from Guillaume Nault.

   5) Several fixes in bnxt_en driver, including preventing potential
      NVRAM parameter corruption from Michael Chan.

   6) Fix for KRACK attacks in wireless, from Johannes Berg.

   7) rtnetlink event generation fixes from Xin Long.


    [49 lines not shown]

Linux/linux 8d5f4b0drivers/net/ethernet/stmicro/stmmac stmmac_main.c

stmmac: Don't access tx_q->dirty_tx before netif_tx_lock

This is the possible reason for different hard to reproduce
problems on my ARMv7-SMP test system.

The symptoms are in recent kernels imprecise external aborts,
and in older kernels various kinds of network stalls and
unexpected page allocation failures.

My testing indicates that the trouble started between v4.5 and v4.6
and prevails up to v4.14.

Using the dirty_tx before acquiring the spin lock is clearly
wrong and was first introduced with v4.6.

Fixes: e3ad57c96715 ("stmmac: review RX/TX ring management")

Signed-off-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 864e2a1net/ipv6 ip6_output.c ip6_flowlabel.c

ipv6: flowlabel: do not leave opt->tot_len with garbage

When syzkaller team brought us a C repro for the crash [1] that
had been reported many times in the past, I finally could find
the root cause.

If FlowLabel info is merged by fl6_merge_options(), we leave
part of the opt_space storage provided by udp/raw/l2tp with random value
in opt_space.tot_len, unless a control message was provided at sendmsg()
time.

Then ip6_setup_cork() would use this random value to perform a kzalloc()
call. Undefined behavior and crashes.

Fix is to properly set tot_len in fl6_merge_options()

At the same time, we can also avoid consuming memory and cpu cycles
to clear it, if every option is copied via a kmemdup(). This is the
change in ip6_setup_cork().

[1]
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:

    [41 lines not shown]

Linux/linux 66bdededrivers/of of_mdio.c

of_mdio: Fix broken PHY IRQ in case of probe deferral

If an Ethernet PHY is initialized before the interrupt controller it is
connected to, a message like the following is printed:

    irq: no irq domain found for /interrupt-controller at e61c0000 !

However, the actual error is ignored, leading to a non-functional (POLL)
PHY interrupt later:

    Micrel KSZ8041RNLI ee700000.ethernet-ffffffff:01: attached PHY driver [Micrel 
KSZ8041RNLI] (mii_bus:phy_addr=ee700000.ethernet-ffffffff:01, irq=POLL)

Depending on whether the PHY driver will fall back to polling, Ethernet
may or may not work.

To fix this:
  1. Switch of_mdiobus_register_phy() from irq_of_parse_and_map() to
     of_irq_get().
     Unlike the former, the latter returns -EPROBE_DEFER if the
     interrupt controller is not yet available, so this condition can be
     detected.
     Other errors are handled the same as before, i.e. use the passed
     mdio->irq[addr] as interrupt.
  2. Propagate and handle errors from of_mdiobus_register_phy() and

    [4 lines not shown]
DeltaFile
+27-12drivers/of/of_mdio.c
+27-121 files

Linux/linux 7433a8dlib ts_kmp.c ts_fsm.c

textsearch: fix typos in library helpers

Fix spellos (typos) in textsearch library helpers.

Signed-off-by: Randy Dunlap <rdunlap at infradead.org>
Signed-off-by: David S. Miller <davem at davemloft.net>
DeltaFile
+1-1lib/ts_kmp.c
+1-1lib/ts_fsm.c
+2-22 files

Linux/linux 6cb3ecenet/rxrpc af_rxrpc.c

rxrpc: Don't release call mutex on error pointer

Don't release call mutex at the end of rxrpc_kernel_begin_call() if the
call pointer actually holds an error value.

Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Reported-by: Marc Dionne <marc.dionne at auristor.com>
Signed-off-by: David Howells <dhowells at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 748759ddrivers/net/ethernet/stmicro/stmmac stmmac_main.c dwmac4_descs.c

Merge branch 'stmmac-hw-tstamp-fixes'

Jose Abreu says:

====================
net: stmmac: Fix HW timestamping

Three fixes for HW timestamping feature, all of them for RX side.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 9454360drivers/net/ethernet/stmicro/stmmac dwmac4_descs.c

net: stmmac: Prevent infinite loop in get_rx_timestamp_status()

Prevent infinite loop by correctly setting the loop condition to
break when i == 10.

Signed-off-by: Jose Abreu <joabreu at synopsys.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: Joao Pinto <jpinto at synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro at st.com>
Cc: Alexandre Torgue <alexandre.torgue at st.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 9c8080ddrivers/net/ethernet/stmicro/stmmac stmmac_main.c

net: stmmac: Add missing call to dev_kfree_skb()

When RX HW timestamp is enabled and a frame is discarded we are
not freeing the skb but instead only setting to NULL the entry.

Add a call to dev_kfree_skb_any() so that skb entry is correctly
freed.

Signed-off-by: Jose Abreu <joabreu at synopsys.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: Joao Pinto <jpinto at synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro at st.com>
Cc: Alexandre Torgue <alexandre.torgue at st.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 9887094drivers/net/ethernet/stmicro/stmmac stmmac_main.c

net: stmmac: Fix stmmac_get_rx_hwtstamp()

When using GMAC4 the valid timestamp is from CTX next desc but
we are passing the previous desc to get_rx_timestamp_status()
callback.

Fix this and while at it rework a little bit the function logic.

Signed-off-by: Jose Abreu <joabreu at synopsys.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: Joao Pinto <jpinto at synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro at st.com>
Cc: Alexandre Torgue <alexandre.torgue at st.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux e5f468bdrivers/input input.c joydev.c, drivers/input/keyboard tca8418_keypad.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:

 - joydev now implements a blacklist to avoid creating joystick nodes
   for accelerometers found in composite devices such as PlaStation
   controllers

 - assorted driver fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ims-psu - check if CDC union descriptor is sane
  Input: joydev - blacklist ds3/ds4/udraw motion sensors
  Input: allow matching device IDs on property bits
  Input: factor out and export input_device_id matching code
  Input: goodix - poll the 'buffer status' bit before reading data
  Input: axp20x-pek - fix module not auto-loading for axp221 pek
  Input: tca8418 - enable interrupt after it has been requested
  Input: stmfts - fix setting ABS_MT_POSITION_* maximum size
  Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
  Input: synaptics - disable kernel tracking on SMBus devices

Linux/linux ec0145efs namespace.c, fs/btrfs super.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull vfs fixes from Al Viro:
 "MS_I_VERSION fixes - Mimi's fix + missing bits picked from Matthew
  (his patch contained a duplicate of the fs/namespace.c fix as well,
  but by that point the original fix had already been applied)"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  Convert fs/*/* to SB_I_VERSION
  vfs: fix mounting a filesystem with i_version

Linux/linux 14aefd9drivers/net/ethernet/mellanox/mlxsw reg.h

mlxsw: reg: Add Tunneling IPinIP General Configuration Register

The TIGCR register is used for setting up the IPinIP Tunnel
configuration.

Fixes: ee954d1a91b2 ("mlxsw: spectrum_router: Support GRE tunnels")
Signed-off-by: Petr Machata <petrm at mellanox.com>
Reviewed-by: Ido Schimmel <idosch at mellanox.com>
Signed-off-by: Jiri Pirko <jiri at mellanox.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux dcbda28drivers/net/ethernet/mellanox/mlxsw spectrum_router.c

mlxsw: spectrum_router: Configure TIGCR on init

Spectrum tunnels do not default to ttl of "inherit" like the Linux ones
do. Configure TIGCR on router init so that the TTL of tunnel packets is
copied from the overlay packets.

Fixes: ee954d1a91b2 ("mlxsw: spectrum_router: Support GRE tunnels")
Signed-off-by: Petr Machata <petrm at mellanox.com>
Reviewed-by: Ido Schimmel <idosch at mellanox.com>
Signed-off-by: Jiri Pirko <jiri at mellanox.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 0247880drivers/net/ethernet/mellanox/mlxsw reg.h spectrum_router.c

Merge branch 'mlxsw-fixes'

Jiri Pirko says:

====================
mlxsw: spectrum: Configure TTL of "inherit" for offloaded tunnels

Petr says:

Currently mlxsw only offloads tunnels that are configured with TTL of "inherit"
(which is the default). However, Spectrum defaults to 255 and the driver
neglects to change the configuration. Thus the tunnel packets from offloaded
tunnels always have TTL of 255, even though tunnels with explicit TTL of 255 are
never actually offloaded.

To fix this, introduce support for TIGCR, the register that keeps the related
bits of global tunnel configuration, and use it on first offload to properly
configure inheritance of TTL of tunnel packets from overlay packets.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 95491e3net/core ethtool.c

net: ethtool: remove error check for legacy setting transceiver type

Commit 9cab88726929605 ("net: ethtool: Add back transceiver type")
restores the transceiver type to struct ethtool_link_settings and
convert_link_ksettings_to_legacy_settings() but forgets to remove the
error check for the same in convert_legacy_settings_to_link_ksettings().
This prevents older versions of ethtool to change link settings.

    # ethtool --version
    ethtool version 3.16

    # ethtool -s eth0 autoneg on speed 100 duplex full
    Cannot set new settings: Invalid argument
      not setting speed
      not setting duplex
      not setting autoneg

While newer versions of ethtool works.

    # ethtool --version
    ethtool version 4.10

    # ethtool -s eth0 autoneg on speed 100 duplex full
    [   57.703268] sh-eth ee700000.ethernet eth0: Link is Down
    [   59.618227] sh-eth ee700000.ethernet eth0: Link is Up - 100Mbps/Full - flow control 

    [7 lines not shown]
DeltaFile
+2-3net/core/ethtool.c
+2-31 files

Linux/linux 1b5f962net/core sock_reuseport.c, net/ipv4 inet_hashtables.c udp.c

soreuseport: fix initialization race

Syzkaller stumbled upon a way to trigger
WARNING: CPU: 1 PID: 13881 at net/core/sock_reuseport.c:41
reuseport_alloc+0x306/0x3b0 net/core/sock_reuseport.c:39

There are two initialization paths for the sock_reuseport structure in a
socket: Through the udp/tcp bind paths of SO_REUSEPORT sockets or through
SO_ATTACH_REUSEPORT_[CE]BPF before bind.  The existing implementation
assumedthat the socket lock protected both of these paths when it actually
only protects the SO_ATTACH_REUSEPORT path.  Syzkaller triggered this
double allocation by running these paths concurrently.

This patch moves the check for double allocation into the reuseport_alloc
function which is protected by a global spin lock.

Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection")
Fixes: c125e80b8868 ("soreuseport: fast reuseport TCP socket selection")
Signed-off-by: Craig Gallek <kraig at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 66c5451net/bridge br_netlink.c

net: bridge: fix returning of vlan range op errors

When vlan tunnels were introduced, vlan range errors got silently
dropped and instead 0 was returned always. Restore the previous
behaviour and return errors to user-space.

Fixes: efa5356b0d97 ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Nikolay Aleksandrov <nikolay at cumulusnetworks.com>
Acked-by: Roopa Prabhu <roopa at cumulusnetworks.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 54d4311net/core skbuff.c

sock: correct sk_wmem_queued accounting on efault in tcp zerocopy

Syzkaller hits WARN_ON(sk->sk_wmem_queued) in sk_stream_kill_queues
after triggering an EFAULT in __zerocopy_sg_from_iter.

On this error, skb_zerocopy_stream_iter resets the skb to its state
before the operation with __pskb_trim. It cannot kfree_skb like
datagram callers, as the skb may have data from a previous send call.

__pskb_trim calls skb_condense for unowned skbs, which adjusts their
truesize. These tcp skbuffs are owned and their truesize must add up
to sk_wmem_queued. But they match because their skb->sk is NULL until
tcp_transmit_skb.

Temporarily set skb->sk when calling __pskb_trim to signal that the
skbuffs are owned and avoid the skb_condense path.

Fixes: 52267790ef52 ("sock: add MSG_ZEROCOPY")
Signed-off-by: Willem de Bruijn <willemb at google.com>
Reviewed-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
DeltaFile
+4-0net/core/skbuff.c
+4-01 files

Linux/linux d2b2762kernel/bpf verifier.c, tools/testing/selftests/bpf test_verifier.c

Merge branch 'bpf-range-marking-fixes'

Daniel Borkmann says:

====================
Two BPF fixes for range marking

The set contains two fixes for direct packet access range
markings and test cases for all direct packet access patterns
that the verifier matches on.

They are targeted for net tree, note that once net gets merged
into net-next, there will be a minor merge conflict due to
signature change of the function find_good_pkt_pointers() as
well as data_meta patterns present in net-next tree. You can
just add bool false to the data_meta patterns and I will
follow-up with properly converting the patterns for data_meta
in a similar way.
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux fb2a311kernel/bpf verifier.c

bpf: fix off by one for range markings with L{T, E} patterns

During review I noticed that the current logic for direct packet
access marking in check_cond_jmp_op() has an off by one for the
upper right range border when marking in find_good_pkt_pointers()
with BPF_JLT and BPF_JLE. It's not really harmful given access
up to pkt_end is always safe, but we should nevertheless correct
the range marking before it becomes ABI. If pkt_data' denotes a
pkt_data derived pointer (pkt_data + X), then for pkt_data' < pkt_end
in the true branch as well as for pkt_end <= pkt_data' in the false
branch we mark the range with X although it should really be X - 1
in these cases. For example, X could be pkt_end - pkt_data, then
when testing for pkt_data' < pkt_end the verifier simulation cannot
deduce that a byte load of pkt_data' - 1 would succeed in this
branch.

Fixes: b4e432f1000a ("bpf: enable BPF_J{LT, LE, SLT, SLE} opcodes in verifier")
Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
Acked-by: Alexei Starovoitov <ast at kernel.org>
Acked-by: John Fastabend <john.fastabend at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
DeltaFile
+21-12kernel/bpf/verifier.c
+21-121 files

Linux/linux b37242ctools/testing/selftests/bpf test_verifier.c

bpf: add test cases to bpf selftests to cover all access tests

Lets add test cases to cover really all possible direct packet
access tests for good/bad access cases so we keep tracking them.

Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
Acked-by: Alexei Starovoitov <ast at kernel.org>
Acked-by: John Fastabend <john.fastabend at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 0fd4759kernel/bpf verifier.c

bpf: fix pattern matches for direct packet access

Alexander had a test program with direct packet access, where
the access test was in the form of data + X > data_end. In an
unrelated change to the program LLVM decided to swap the branches
and emitted code for the test in form of data + X <= data_end.
We hadn't seen these being generated previously, thus verifier
would reject the program. Therefore, fix up the verifier to
detect all test cases, so we don't run into such issues in the
future.

Fixes: b4e432f1000a ("bpf: enable BPF_J{LT, LE, SLT, SLE} opcodes in verifier")
Reported-by: Alexander Alemayhu <alexander at alemayhu.com>
Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
Acked-by: Alexei Starovoitov <ast at kernel.org>
Acked-by: John Fastabend <john.fastabend at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
DeltaFile
+24-0kernel/bpf/verifier.c
+24-01 files

Linux/linux 8695a53kernel/bpf devmap.c

bpf: devmap fix arithmetic overflow in bitmap_size calculation

An integer overflow is possible in dev_map_bitmap_size() when
calculating the BITS_TO_LONG logic which becomes, after macro
replacement,

        (((n) + (d) - 1)/ (d))

where 'n' is a __u32 and 'd' is (8 * sizeof(long)). To avoid
overflow cast to u64 before arithmetic.

Reported-by: Richard Weinberger <richard at nod.at>
Acked-by: Daniel Borkmann <daniel at iogearbox.net>
Signed-off-by: John Fastabend <john.fastabend at gmail.com>
Acked-by: Alexei Starovoitov <ast at kernel.org>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 0787643drivers/dma altera-msgdma.c

Merge tag 'dmaengine-fix-4.14-rc6' of git://git.infradead.org/users/vkoul/slave-dma

Pull dmaengine fix from Vinod Koul:
 "Late fix for altera driver which fixes the locking in driver"

* tag 'dmaengine-fix-4.14-rc6' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: altera: Use IRQ-safe spinlock calls in the error paths as well

Linux/linux 1f7c70dkernel cpu.c

cpu/hotplug: Reset node state after operation

The recent rework of the cpu hotplug internals changed the usage of the per
cpu state->node field, but missed to clean it up after usage.

So subsequent hotplug operations use the stale pointer from a previous
operation and hand it into the callback functions. The callbacks then
dereference a pointer which either belongs to a different facility or
points to freed and potentially reused memory. In either case data
corruption and crashes are the obvious consequence.

Reset the node and the last pointers in the per cpu state to NULL after the
operation which set them has completed.

Fixes: 96abb968549c ("smp/hotplug: Allow external multi-instance rollback")
Reported-by: Tvrtko Ursulin <tursulin at ursulin.net>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy at linutronix.de>
Cc: Boris Ostrovsky <boris.ostrovsky at oracle.com>
Cc: "Paul E. McKenney" <paulmck at linux.vnet.ibm.com>
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1710211606130.3213 at nanos
DeltaFile
+5-0kernel/cpu.c
+5-01 files

Linux/linux 43ebf97drivers/net/ethernet/aquantia/atlantic aq_ethtool.c aq_nic.c, drivers/net/ethernet/aquantia/atlantic/hw_atl hw_atl_b0.c hw_atl_utils.c

Merge branch 'aquantia-fixes'

Igor Russkikh says:

====================
net: aquantia: Atlantic driver 10/2017 updates

This patchset fixes various issues in driver,
improves parameters for better performance on 10Gbit link
====================

Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 4c8bb60drivers/net/ethernet/aquantia/atlantic aq_pci_func.c

net: aquantia: Limit number of MSIX irqs to the number of cpus

There is no much practical use from having MSIX vectors more that number
of cpus, thus cap this first with preconfigured limit, then with number
of cpus online.

Signed-off-by: Pavel Belous <pavel.belous at aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh at aquantia.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 93d87b8drivers/net/ethernet/aquantia/atlantic aq_nic.c

net: aquantia: Fixed transient link up/down/up notification

When doing ifconfig down/up, driver did not reported carrier_off neither
in nic_stop nor in nic_start. That caused link to be visible as "up"
during couple of seconds immediately after "ifconfig up".

Signed-off-by: Pavel Belous <pavel.belous at aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh at aquantia.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux 6849540drivers/net/ethernet/aquantia/atlantic aq_pci_func.c

net: aquantia: mmio unmap was not performed on driver removal

That may lead to mmio resource leakage.

Signed-off-by: Pavel Belous <pavel.belous at aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh at aquantia.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

Linux/linux b82ee71drivers/net/ethernet/aquantia/atlantic aq_ethtool.c aq_nic.c, drivers/net/ethernet/aquantia/atlantic/hw_atl hw_atl_b0.c hw_atl_a0.c

net: aquantia: Enable coalescing management via ethtool interface

Aquantia NIC allows both TX and RX interrupt throttle rate (ITR)
management, but this was used in a very limited way via predefined
values. This patch allows to setup ITR default values via module
command line arguments and via standard ethtool coalescing settings.

Signed-off-by: Pavel Belous <pavel.belous at aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh at aquantia.com>
Signed-off-by: David S. Miller <davem at davemloft.net>