1. 16 Jan, 2019 1 commit
  2. 13 Jan, 2019 1 commit
  3. 12 Jan, 2019 5 commits
    • Michael Chan's avatar
      bnxt_en: Fix context memory allocation. · 6ef982de
      Michael Chan authored
      When allocating memory pages for context memory, if the last page table
      should be fully populated, the current code will set nr_pages to 0 when
      calling bnxt_alloc_ctx_mem_blk().  This will cause the last page table
      to be completely blank and causing some RDMA failures.
      
      Fix it by setting the last page table's nr_pages to the remainder only
      if it is non-zero.
      
      Fixes: 08fe9d18 ("bnxt_en: Add Level 2 context memory paging support.")
      Reported-by: default avatarEric Davis <eric.davis@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ef982de
    • Michael Chan's avatar
      bnxt_en: Fix ring checking logic on 57500 chips. · 0b815023
      Michael Chan authored
      In bnxt_hwrm_check_pf_rings(), add the proper flag to test the NQ
      resources.  Without the proper flag, the firmware will change
      the NQ resource allocation and remap the IRQ, causing missing
      IRQs.  This issue shows up when adding MQPRIO TX queues, for example.
      
      Fixes: 36d65be9 ("bnxt_en: Disable MSIX before re-reserving NQs/CMPL rings.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b815023
    • Gustavo A. R. Silva's avatar
      mISDN: hfcsusb: Use struct_size() in kzalloc() · 8d008e64
      Gustavo A. R. Silva authored
      One of the more common cases of allocation size calculations is finding the
      size of a structure that has a zero-sized array at the end, along with memory
      for some number of elements for that array. For example:
      
      struct foo {
          int stuff;
          void *entry[];
      };
      
      instance = kzalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);
      
      Instead of leaving these open-coded and prone to type mistakes, we can now
      use the new struct_size() helper:
      
      instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL);
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d008e64
    • Jia-Ju Bai's avatar
      isdn: i4l: isdn_tty: Fix some concurrency double-free bugs · 2ff33d66
      Jia-Ju Bai authored
      The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
      concurrently executed.
      
      isdn_tty_tiocmset
        isdn_tty_modem_hup
          line 719: kfree(info->dtmf_state);
          line 721: kfree(info->silence_state);
          line 723: kfree(info->adpcms);
          line 725: kfree(info->adpcmr);
      
      isdn_tty_set_termios
        isdn_tty_modem_hup
          line 719: kfree(info->dtmf_state);
          line 721: kfree(info->silence_state);
          line 723: kfree(info->adpcms);
          line 725: kfree(info->adpcmr);
      
      Thus, some concurrency double-free bugs may occur.
      
      These possible bugs are found by a static tool written by myself and
      my manual code review.
      
      To fix these possible bugs, the mutex lock "modem_info_mutex" used in
      isdn_tty_tiocmset() is added in isdn_tty_set_termios().
      Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2ff33d66
    • Zha Bin's avatar
      vhost/vsock: fix vhost vsock cid hashing inconsistent · 7fbe078c
      Zha Bin authored
      The vsock core only supports 32bit CID, but the Virtio-vsock spec define
      CID (dst_cid and src_cid) as u64 and the upper 32bits is reserved as
      zero. This inconsistency causes one bug in vhost vsock driver. The
      scenarios is:
      
        0. A hash table (vhost_vsock_hash) is used to map an CID to a vsock
        object. And hash_min() is used to compute the hash key. hash_min() is
        defined as:
        (sizeof(val) <= 4 ? hash_32(val, bits) : hash_long(val, bits)).
        That means the hash algorithm has dependency on the size of macro
        argument 'val'.
        0. In function vhost_vsock_set_cid(), a 64bit CID is passed to
        hash_min() to compute the hash key when inserting a vsock object into
        the hash table.
        0. In function vhost_vsock_get(), a 32bit CID is passed to hash_min()
        to compute the hash key when looking up a vsock for an CID.
      
      Because the different size of the CID, hash_min() returns different hash
      key, thus fails to look up the vsock object for an CID.
      
      To fix this bug, we keep CID as u64 in the IOCTLs and virtio message
      headers, but explicitly convert u64 to u32 when deal with the hash table
      and vsock core.
      
      Fixes: 834e772c ("vhost/vsock: fix use-after-free in network stack callers")
      Link: https://github.com/stefanha/virtio/blob/vsock/trunk/content.texSigned-off-by: default avatarZha Bin <zhabin@linux.alibaba.com>
      Reviewed-by: default avatarLiu Jiang <gerry@linux.alibaba.com>
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7fbe078c
  4. 11 Jan, 2019 18 commits
  5. 10 Jan, 2019 15 commits