linux-toradex.git/arch/mips, branch v4.4.2 Linux kernel for Apalis and Colibri modules Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-07T00:15:03+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-01-07T00:15:03+00:00 51cb67c0b0fcb91581b15bd2e85f29af4d4b2df6 Pull networking fixes from David Miller: "As usual, there are a couple straggler bug fixes: 1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic driver. Fix from Insu Yun. 2) SKB refcounting bug in connector, from Florian Westphal. 3) vrf_get_saddr() has to propagate fib_lookup() errors to it's callers, from David Ahern. 4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat. 5) qdisc_rcu_free() fails to free the per-cpu qstats. Fix from John Fastabend. 6) vmxnet3 driver passes wrong page to dma_map_page(), fix from Shrikrishna Khare. 7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: tcp: fix zero cwnd in tcp_cwnd_reduction Driver: Vmxnet3: Fix regression caused by 5738a09 net: qmi_wwan: Add WeTelecom-WPD600N mkiss: fix scribble on freed memory net: possible use after free in dst_release net: sched: fix missing free per cpu on qstats ARM: net: bpf: fix zero right shift 6pack: fix free memory scribbles net: filter: make JITs zero A for SKF_AD_ALU_XOR_X bridge: Only call /sbin/bridge-stp for the initial network namespace af_unix: Fix splice-bind deadlock net: Propagate lookup failure in l3mdev_get_saddr to caller r8152: add reset_resume function connector: bump skb->users before callback invocation cxgb4: correctly handling failed allocation qlcnic: correctly handle qlcnic_alloc_mbx_args 
Pull networking fixes from David Miller:
 "As usual, there are a couple straggler bug fixes:

   1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic
      driver.  Fix from Insu Yun.

   2) SKB refcounting bug in connector, from Florian Westphal.

   3) vrf_get_saddr() has to propagate fib_lookup() errors to it's
      callers, from David Ahern.

   4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat.

   5) qdisc_rcu_free() fails to free the per-cpu qstats.  Fix from John
      Fastabend.

   6) vmxnet3 driver passes wrong page to dma_map_page(), fix from
     Shrikrishna Khare.

   7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  tcp: fix zero cwnd in tcp_cwnd_reduction
  Driver: Vmxnet3: Fix regression caused by 5738a09
  net: qmi_wwan: Add WeTelecom-WPD600N
  mkiss: fix scribble on freed memory
  net: possible use after free in dst_release
  net: sched: fix missing free per cpu on qstats
  ARM: net: bpf: fix zero right shift
  6pack: fix free memory scribbles
  net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
  bridge: Only call /sbin/bridge-stp for the initial network namespace
  af_unix: Fix splice-bind deadlock
  net: Propagate lookup failure in l3mdev_get_saddr to caller
  r8152: add reset_resume function
  connector: bump skb->users before callback invocation
  cxgb4: correctly handling failed allocation
  qlcnic: correctly handle qlcnic_alloc_mbx_args
net: filter: make JITs zero A for SKF_AD_ALU_XOR_X 2016-01-06T05:43:52+00:00 Rabin Vincent rabin@rab.in 2016-01-05T15:23:07+00:00 55795ef5469290f89f04e12e662ded604909e462 The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data instructions since it XORs A with X while all the others replace A with some loaded value. All the BPF JITs fail to clear A if this is used as the first instruction in a filter. This was found using american fuzzy lop. Add a helper to determine if A needs to be cleared given the first instruction in a filter, and use this in the JITs. Except for ARM, the rest have only been compile-tested. Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum") Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
instructions since it XORs A with X while all the others replace A with
some loaded value.  All the BPF JITs fail to clear A if this is used as
the first instruction in a filter.  This was found using american fuzzy
lop.

Add a helper to determine if A needs to be cleared given the first
instruction in a filter, and use this in the JITs.  Except for ARM, the
rest have only been compile-tested.

Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
Signed-off-by: Rabin Vincent <rabin@rab.in>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
MIPS: VDSO: Fix build error with binutils 2.24 and earlier 2015-12-29T22:41:55+00:00 Guenter Roeck linux@roeck-us.net 2015-12-24T05:04:31+00:00 398c7500a1f5f74e207bd2edca1b1721b3cc1f1e Commit 2a037f310bab ("MIPS: VDSO: Fix build error") tries to fix a build error seen with binutils 2.24 and earlier. However, the fix does not work, and again results in the already known build errors if the kernel is built with an earlier version of binutils. CC arch/mips/vdso/gettimeofday.o /tmp/ccnOVbHT.s: Assembler messages: /tmp/ccnOVbHT.s:50: Error: can't resolve `_start' {*UND* section} - `L0 {.text section} /tmp/ccnOVbHT.s:374: Error: can't resolve `_start' {*UND* section} - `L0 {.text section} scripts/Makefile.build:258: recipe for target 'arch/mips/vdso/gettimeofday.o' failed make[2]: *** [arch/mips/vdso/gettimeofday.o] Error 1 Fixes: 2a037f310bab ("MIPS: VDSO: Fix build error") Cc: Qais Yousef <qais.yousef@imgtec.com> Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/11926/ Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
Commit 2a037f310bab ("MIPS: VDSO: Fix build error") tries to fix a build
error seen with binutils 2.24 and earlier. However, the fix does not work,
and again results in the already known build errors if the kernel is built
with an earlier version of binutils.

CC      arch/mips/vdso/gettimeofday.o
/tmp/ccnOVbHT.s: Assembler messages:
/tmp/ccnOVbHT.s:50: Error: can't resolve `_start' {*UND* section} - `L0 {.text section}
/tmp/ccnOVbHT.s:374: Error: can't resolve `_start' {*UND* section} - `L0 {.text section}
scripts/Makefile.build:258: recipe for target 'arch/mips/vdso/gettimeofday.o' failed
make[2]: *** [arch/mips/vdso/gettimeofday.o] Error 1

Fixes: 2a037f310bab ("MIPS: VDSO: Fix build error")
Cc: Qais Yousef <qais.yousef@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/11926/
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: Fix bitrot in __get_user_unaligned() 2015-12-27T19:07:44+00:00 Al Viro viro@zeniv.linux.org.uk 2015-12-25T17:09:30+00:00 930c0f708e156613c37b97cf583c4c6b07d99cce Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: Fix build error due to unused variables. 2015-12-22T14:21:18+00:00 Ralf Baechle ralf@linux-mips.org 2015-11-27T18:17:01+00:00 ec7b97208aaed46bd3fbe166d5909228c380a720 c861519fcf95b2d46cb4275903423b43ae150a40 ("MIPS: Fix delay loops which may be removed by GCC.") which made it upstream was an outdated version of the patch and is lacking some the removal of two variables that became unused thus resulting in further warnings and build breakage. The commit from ae878615d7cee5d7346946cf1ae1b60e427013c2 was correct however. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
c861519fcf95b2d46cb4275903423b43ae150a40 ("MIPS: Fix delay loops which may
be removed by GCC.") which made it upstream was an outdated version of the
patch and is lacking some the removal of two variables that became unused
thus resulting in further warnings and build breakage.  The commit
from ae878615d7cee5d7346946cf1ae1b60e427013c2 was correct however.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: VDSO: Fix build error 2015-12-22T11:23:31+00:00 Qais Yousef qais.yousef@imgtec.com 2015-12-08T10:11:43+00:00 2a037f310bab89b7db5b86c7954cf69c229c87ca Commit ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") introduced a build error. For MIPS VDSO to be compiled it requires binutils version 2.25 or above but the check in the Makefile had inverted logic causing it to be compiled in if binutils is below 2.25. This fixes the following compilation error: CC arch/mips/vdso/gettimeofday.o /tmp/ccsExcUd.s: Assembler messages: /tmp/ccsExcUd.s:62: Error: can't resolve `_start' {*UND* section} - `L0' {.text section} /tmp/ccsExcUd.s:467: Error: can't resolve `_start' {*UND* section} - `L0' {.text section} make[2]: *** [arch/mips/vdso/gettimeofday.o] Error 1 make[1]: *** [arch/mips/vdso] Error 2 make: *** [arch/mips] Error 2 [ralf@linux-mips: Fixed Sergei's complaint on the formatting of the cited commit and generally reformatted the log message.] Signed-off-by: Qais Yousef <qais.yousef@imgtec.com> Cc: alex@alex-smith.me.uk Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/11745/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
Commit ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") introduced a
build error.

For MIPS VDSO to be compiled it requires binutils version 2.25 or above but
the check in the Makefile had inverted logic causing it to be compiled in if
binutils is below 2.25.

This fixes the following compilation error:

CC      arch/mips/vdso/gettimeofday.o
/tmp/ccsExcUd.s: Assembler messages:
/tmp/ccsExcUd.s:62: Error: can't resolve `_start' {*UND* section} - `L0' {.text section}
/tmp/ccsExcUd.s:467: Error: can't resolve `_start' {*UND* section} - `L0' {.text section}
make[2]: *** [arch/mips/vdso/gettimeofday.o] Error 1
make[1]: *** [arch/mips/vdso] Error 2
make: *** [arch/mips] Error 2

[ralf@linux-mips: Fixed Sergei's complaint on the formatting of the
cited commit and generally reformatted the log message.]

Signed-off-by: Qais Yousef <qais.yousef@imgtec.com>
Cc: alex@alex-smith.me.uk
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/11745/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: CPS: drop .set mips64r2 directives 2015-12-22T11:16:32+00:00 Paul Burton paul.burton@imgtec.com 2015-08-05T22:42:40+00:00 f3575e230cf8537951ebe3cc19974c5db2ff4f1c Commit 977e043d5ea1 ("MIPS: kernel: cps-vec: Replace mips32r2 ISA level with mips64r2") leads to .set mips64r2 directives being present in 32 bit (ie. CONFIG_32BIT=y) kernels. This is incorrect & leads to MIPS64 instructions being emitted by the assembler when expanding pseudo-instructions. For example the "move" instruction can legitimately be expanded to a "daddu". This causes problems when the kernel is run on a MIPS32 CPU, as CONFIG_32BIT kernels of course often are... Fix this by dropping the .set <ISA> directives entirely now that Kconfig should be ensuring that kernels including this code are built with a suitable -march= compiler flag. Signed-off-by: Paul Burton <paul.burton@imgtec.com> Cc: Markos Chandras <markos.chandras@imgtec.com> Cc: James Hogan <james.hogan@imgtec.com> Cc: <stable@vger.kernel.org> # 3.16+ Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/10869/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
Commit 977e043d5ea1 ("MIPS: kernel: cps-vec: Replace mips32r2 ISA level
with mips64r2") leads to .set mips64r2 directives being present in 32
bit (ie. CONFIG_32BIT=y) kernels. This is incorrect & leads to MIPS64
instructions being emitted by the assembler when expanding
pseudo-instructions. For example the "move" instruction can legitimately
be expanded to a "daddu". This causes problems when the kernel is run on
a MIPS32 CPU, as CONFIG_32BIT kernels of course often are...

Fix this by dropping the .set <ISA> directives entirely now that Kconfig
should be ensuring that kernels including this code are built with a
suitable -march= compiler flag.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: <stable@vger.kernel.org> # 3.16+
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/10869/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: uaccess: Take EVA into account in [__]clear_user 2015-12-22T10:58:43+00:00 James Hogan james.hogan@imgtec.com 2015-08-05T15:41:39+00:00 d6a428fb583738ad685c91a684748cdee7b2a05f __clear_user() (and clear_user() which uses it), always access the user mode address space, which results in EVA store instructions when EVA is enabled even if the current user address limit is KERNEL_DS. Fix this by adding a new symbol __bzero_kernel for the normal kernel address space bzero in EVA mode, and call that from __clear_user() if eva_kernel_access(). Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Markos Chandras <markos.chandras@imgtec.com> Cc: Paul Burton <paul.burton@imgtec.com> Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/10844/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
__clear_user() (and clear_user() which uses it), always access the user
mode address space, which results in EVA store instructions when EVA is
enabled even if the current user address limit is KERNEL_DS.

Fix this by adding a new symbol __bzero_kernel for the normal kernel
address space bzero in EVA mode, and call that from __clear_user() if
eva_kernel_access().

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10844/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: uaccess: Take EVA into account in __copy_from_user() 2015-12-22T10:55:24+00:00 James Hogan james.hogan@imgtec.com 2015-08-05T15:41:38+00:00 6f06a2c45d8d714ea3b11a360b4a7191e52acaa4 When EVA is in use, __copy_from_user() was unconditionally using the EVA instructions to read the user address space, however this can also be used for kernel access. If the address isn't a valid user address it will cause an address error or TLB exception, and if it is then user memory may be read instead of kernel memory. For example in the following stack trace from Linux v3.10 (changes since then will prevent this particular one still happening) kernel_sendmsg() set the user address limit to KERNEL_DS, and tcp_sendmsg() goes on to use __copy_from_user() with a kernel address in KSeg0. [<8002d434>] __copy_fromuser_common+0x10c/0x254 [<805710e0>] tcp_sendmsg+0x5f4/0xf00 [<804e8e3c>] sock_sendmsg+0x78/0xa0 [<804e8f28>] kernel_sendmsg+0x24/0x38 [<804ee0f8>] sock_no_sendpage+0x70/0x7c [<8017c820>] pipe_to_sendpage+0x80/0x98 [<8017c6b0>] splice_from_pipe_feed+0xa8/0x198 [<8017cc54>] __splice_from_pipe+0x4c/0x8c [<8017e844>] splice_from_pipe+0x58/0x78 [<8017e884>] generic_splice_sendpage+0x20/0x2c [<8017d690>] do_splice_from+0xb4/0x110 [<8017d710>] direct_splice_actor+0x24/0x30 [<8017d394>] splice_direct_to_actor+0xd8/0x208 [<8017d51c>] do_splice_direct+0x58/0x7c [<8014eaf4>] do_sendfile+0x1dc/0x39c [<8014f82c>] SyS_sendfile+0x90/0xf8 Add the eva_kernel_access() check in __copy_from_user() like the one in copy_from_user(). Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Markos Chandras <markos.chandras@imgtec.com> Cc: Paul Burton <paul.burton@imgtec.com> Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/10843/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
When EVA is in use, __copy_from_user() was unconditionally using the EVA
instructions to read the user address space, however this can also be
used for kernel access. If the address isn't a valid user address it
will cause an address error or TLB exception, and if it is then user
memory may be read instead of kernel memory.

For example in the following stack trace from Linux v3.10 (changes since
then will prevent this particular one still happening) kernel_sendmsg()
set the user address limit to KERNEL_DS, and tcp_sendmsg() goes on to
use __copy_from_user() with a kernel address in KSeg0.

[<8002d434>] __copy_fromuser_common+0x10c/0x254
[<805710e0>] tcp_sendmsg+0x5f4/0xf00
[<804e8e3c>] sock_sendmsg+0x78/0xa0
[<804e8f28>] kernel_sendmsg+0x24/0x38
[<804ee0f8>] sock_no_sendpage+0x70/0x7c
[<8017c820>] pipe_to_sendpage+0x80/0x98
[<8017c6b0>] splice_from_pipe_feed+0xa8/0x198
[<8017cc54>] __splice_from_pipe+0x4c/0x8c
[<8017e844>] splice_from_pipe+0x58/0x78
[<8017e884>] generic_splice_sendpage+0x20/0x2c
[<8017d690>] do_splice_from+0xb4/0x110
[<8017d710>] direct_splice_actor+0x24/0x30
[<8017d394>] splice_direct_to_actor+0xd8/0x208
[<8017d51c>] do_splice_direct+0x58/0x7c
[<8014eaf4>] do_sendfile+0x1dc/0x39c
[<8014f82c>] SyS_sendfile+0x90/0xf8

Add the eva_kernel_access() check in __copy_from_user() like the one in
copy_from_user().

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10843/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
MIPS: uaccess: Fix strlen_user with EVA 2015-12-22T10:54:13+00:00 James Hogan james.hogan@imgtec.com 2015-08-05T15:41:37+00:00 5dc62fdd8383afbd2faca6b6e6ea1052b45b0124 The strlen_user() function calls __strlen_kernel_asm in both branches of the eva_kernel_access() conditional. For EVA it should be calling __strlen_user_eva for user accesses, otherwise it will load from the kernel address space instead of the user address space, and the access checking will likely be ineffective at preventing it due to EVA's overlapping user and kernel address spaces. This was found after extending the test_user_copy module to cover user string access functions, which gave the following error with EVA: test_user_copy: illegal strlen_user passed Fortunately the use of strlen_user() has been all but eradicated from the mainline kernel, so only out of tree modules could be affected. Fixes: e3a9b07a9caf ("MIPS: asm: uaccess: Add EVA support for str*_user operations") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Markos Chandras <markos.chandras@imgtec.com> Cc: Paul Burton <paul.burton@imgtec.com> Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com> Cc: linux-mips@linux-mips.org Cc: <stable@vger.kernel.org> # 3.15.x- Patchwork: https://patchwork.linux-mips.org/patch/10842/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> 
The strlen_user() function calls __strlen_kernel_asm in both branches of
the eva_kernel_access() conditional. For EVA it should be calling
__strlen_user_eva for user accesses, otherwise it will load from the
kernel address space instead of the user address space, and the access
checking will likely be ineffective at preventing it due to EVA's
overlapping user and kernel address spaces.

This was found after extending the test_user_copy module to cover user
string access functions, which gave the following error with EVA:

test_user_copy: illegal strlen_user passed

Fortunately the use of strlen_user() has been all but eradicated from
the mainline kernel, so only out of tree modules could be affected.

Fixes: e3a9b07a9caf ("MIPS: asm: uaccess: Add EVA support for str*_user operations")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: <stable@vger.kernel.org> # 3.15.x-
Patchwork: https://patchwork.linux-mips.org/patch/10842/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>