Ross Lagerwall [Thu, 17 Jan 2019 15:34:38 +0000 (15:34 +0000)]
net: Fix usage of pskb_trim_rcsum
In certain cases, pskb_trim_rcsum() may change skb pointers.
Reinitialize header pointers afterwards to avoid potential
use-after-frees. Add a note in the documentation of
pskb_trim_rcsum(). Found by KASAN.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Petazzoni [Wed, 16 Jan 2019 09:53:58 +0000 (10:53 +0100)]
net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling
The current code in __mdiobus_register() doesn't properly handle
failures returned by the devm_gpiod_get_optional() call: it returns
immediately, without unregistering the device that was added by the
call to device_register() earlier in the function.
This leaves a stale device, which then causes a NULL pointer
dereference in the code that handles deferred probing:
[ 1.489982] Unable to handle kernel NULL pointer dereference at virtual address
00000074
[ 1.498110] pgd = (ptrval)
[ 1.500838] [
00000074] *pgd=
00000000
[ 1.504432] Internal error: Oops: 17 [#1] SMP ARM
[ 1.509133] Modules linked in:
[ 1.512192] CPU: 1 PID: 51 Comm: kworker/1:3 Not tainted
4.20.0-00039-g3b73a4cc8b3e-dirty #99
[ 1.520708] Hardware name: Xilinx Zynq Platform
[ 1.525261] Workqueue: events deferred_probe_work_func
[ 1.530403] PC is at klist_next+0x10/0xfc
[ 1.534403] LR is at device_for_each_child+0x40/0x94
[ 1.539361] pc : [<
c0683fbc>] lr : [<
c0455d90>] psr:
200e0013
[ 1.545628] sp :
ceeefe68 ip :
00000001 fp :
ffffe000
[ 1.550863] r10:
00000000 r9 :
c0c66790 r8 :
00000000
[ 1.556079] r7 :
c0457d44 r6 :
00000000 r5 :
ceeefe8c r4 :
cfa2ec78
[ 1.562604] r3 :
00000064 r2 :
c0457d44 r1 :
ceeefe8c r0 :
00000064
[ 1.569129] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 1.576263] Control:
18c5387d Table:
0ed7804a DAC:
00000051
[ 1.582013] Process kworker/1:3 (pid: 51, stack limit = 0x(ptrval))
[ 1.588280] Stack: (0xceeefe68 to 0xceef0000)
[ 1.592630] fe60:
cfa2ec78 c0c03c08 00000000 c0457d44 00000000 c0c66790
[ 1.600814] fe80:
00000000 c0455d90 ceeefeac 00000064 00000000 0d7a542e cee9d494 cfa2ec78
[ 1.608998] fea0:
cfa2ec78 00000000 c0457d44 c0457d7c cee9d494 c0c03c08 00000000 c0455dac
[ 1.617182] fec0:
cf98ba44 cf926a00 cee9d494 0d7a542e 00000000 cf935a10 cf935a10 cf935a10
[ 1.625366] fee0:
c0c4e9b8 c0457d7c c0c4e80c 00000001 cf935a10 c0457df4 cf935a10 c0c4e99c
[ 1.633550] ff00:
c0c4e99c c045a27c c0c4e9c4 ced63f80 cfde8a80 cfdebc00 00000000 c013893c
[ 1.641734] ff20:
cfde8a80 cfde8a80 c07bd354 ced63f80 ced63f94 cfde8a80 00000008 c0c02d00
[ 1.649936] ff40:
cfde8a98 cfde8a80 ffffe000 c0139a30 ffffe000 c0c6624a c07bd354 00000000
[ 1.658120] ff60:
ffffe000 cee9e780 ceebfe00 00000000 ceeee000 ced63f80 c0139788 cf8cdea4
[ 1.666304] ff80:
cee9e79c c013e598 00000001 ceebfe00 c013e44c 00000000 00000000 00000000
[ 1.674488] ffa0:
00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
[ 1.682671] ffc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 1.690855] ffe0:
00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[ 1.699058] [<
c0683fbc>] (klist_next) from [<
c0455d90>] (device_for_each_child+0x40/0x94)
[ 1.707241] [<
c0455d90>] (device_for_each_child) from [<
c0457d7c>] (device_reorder_to_tail+0x38/0x88)
[ 1.716476] [<
c0457d7c>] (device_reorder_to_tail) from [<
c0455dac>] (device_for_each_child+0x5c/0x94)
[ 1.725692] [<
c0455dac>] (device_for_each_child) from [<
c0457d7c>] (device_reorder_to_tail+0x38/0x88)
[ 1.734927] [<
c0457d7c>] (device_reorder_to_tail) from [<
c0457df4>] (device_pm_move_to_tail+0x28/0x40)
[ 1.744235] [<
c0457df4>] (device_pm_move_to_tail) from [<
c045a27c>] (deferred_probe_work_func+0x58/0x8c)
[ 1.753746] [<
c045a27c>] (deferred_probe_work_func) from [<
c013893c>] (process_one_work+0x210/0x4fc)
[ 1.762888] [<
c013893c>] (process_one_work) from [<
c0139a30>] (worker_thread+0x2a8/0x5c0)
[ 1.771072] [<
c0139a30>] (worker_thread) from [<
c013e598>] (kthread+0x14c/0x154)
[ 1.778482] [<
c013e598>] (kthread) from [<
c01010e8>] (ret_from_fork+0x14/0x2c)
[ 1.785689] Exception stack(0xceeeffb0 to 0xceeefff8)
[ 1.790739] ffa0:
00000000 00000000 00000000 00000000
[ 1.798923] ffc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 1.807107] ffe0:
00000000 00000000 00000000 00000000 00000013 00000000
[ 1.813724] Code:
e92d47f0 e1a05000 e8900048 e1a00003 (
e5937010)
[ 1.819844] ---[ end trace
3c2c0c8b65399ec9 ]---
The actual error that we had from devm_gpiod_get_optional() was
-EPROBE_DEFER, due to the GPIO being provided by a driver that is
probed later than the Ethernet controller driver.
To fix this, we simply add the missing device_del() invocation in the
error path.
Fixes: 69226896ad636 ("mdio_bus: Issue GPIO RESET to PHYs")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Otto Sabart [Mon, 14 Jan 2019 11:56:36 +0000 (12:56 +0100)]
doc: net: fix bad references to network drivers
Fix "reference to nonexisting document" warnings.
Fixes: b255e500c8dc ("net: documentation: build a directory structure for drivers")
Signed-off-by: Otto Sabart <ottosabart@seberm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yang Wei [Thu, 17 Jan 2019 15:30:03 +0000 (23:30 +0800)]
macvlan: replace kfree_skb by consume_skb for drop profiles
Replace the kfree_skb() by consume_skb() to be drop monitor(dropwatch,
perf) friendly.
Signed-off-by: Yang Wei <yang.wei9@zte.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yang Wei [Thu, 17 Jan 2019 15:11:30 +0000 (23:11 +0800)]
neighbour: Do not perturb drop profiles when neigh_probe
Replace the kfree_skb() by consume_skb() to be drop monitor(dropwatch,
perf) friendly.
Signed-off-by: Yang Wei <yang.wei9@zte.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lendacky, Thomas [Thu, 17 Jan 2019 14:20:14 +0000 (14:20 +0000)]
amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs
The XGBE hardware has support for performing MDIO operations using an
MDIO command request. The driver mistakenly uses the mdio port address
as the MDIO command request device address instead of the MDIO command
request port address. Additionally, the driver does not properly check
for and create a clause 45 MDIO command.
Check the supplied MDIO register to determine if the request is a clause
45 operation (MII_ADDR_C45). For a clause 45 operation, extract the device
address and register number from the supplied MDIO register and use them
to set the MDIO command request device address and register number fields.
For a clause 22 operation, the MDIO request device address is set to zero
and the MDIO command request register number is set to the supplied MDIO
register. In either case, the supplied MDIO port address is used as the
MDIO command request port address.
Fixes: 732f2ab7afb9 ("amd-xgbe: Add support for MDIO attached PHYs")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Camelia Groza [Thu, 17 Jan 2019 12:33:33 +0000 (14:33 +0200)]
net: phy: add missing phy driver features
The phy drivers for CS4340 and TN2020 are missing their
features attributes. Add them.
Fixes: 719655a14971 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
Reported-by: Scott Wood <oss@buserror.net>
Signed-off-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Madalin Bucur [Thu, 17 Jan 2019 09:42:27 +0000 (11:42 +0200)]
dpaa_eth: NETIF_F_LLTX requires to do our own update of trans_start
As txq_trans_update() only updates trans_start when the lock is held,
trans_start does not get updated if NETIF_F_LLTX is declared.
Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yunjian Wang [Thu, 17 Jan 2019 01:46:41 +0000 (09:46 +0800)]
net: bridge: Fix ethernet header pointer before check skb forwardable
The skb header should be set to ethernet header before using
is_skb_forwardable. Because the ethernet header length has been
considered in is_skb_forwardable(including dev->hard_header_len
length).
To reproduce the issue:
1, add 2 ports on linux bridge br using following commands:
$ brctl addbr br
$ brctl addif br eth0
$ brctl addif br eth1
2, the MTU of eth0 and eth1 is 1500
3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
from eth0 to eth1
So the expect result is packet larger than 1500 cannot pass through
eth0 and eth1. But currently, the packet passes through success, it
means eth1's MTU limit doesn't take effect.
Fixes: f6367b4660dd ("bridge: use is_skb_forwardable in forward path")
Cc: bridge@lists.linux-foundation.org
Cc: Nkolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jason Wang [Wed, 16 Jan 2019 08:54:42 +0000 (16:54 +0800)]
vhost: log dirty page correctly
Vhost dirty page logging API is designed to sync through GPA. But we
try to log GIOVA when device IOTLB is enabled. This is wrong and may
lead to missing data after migration.
To solve this issue, when logging with device IOTLB enabled, we will:
1) reuse the device IOTLB translation result of GIOVA->HVA mapping to
get HVA, for writable descriptor, get HVA through iovec. For used
ring update, translate its GIOVA to HVA
2) traverse the GPA->HVA mapping to get the possible GPA and log
through GPA. Pay attention this reverse mapping is not guaranteed
to be unique, so we should log each possible GPA in this case.
This fix the failure of scp to guest during migration. In -next, we
will probably support passing GIOVA->GPA instead of GIOVA->HVA.
Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
Reported-by: Jintack Lim <jintack@cs.columbia.edu>
Cc: Jintack Lim <jintack@cs.columbia.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Sat, 12 Jan 2019 20:51:05 +0000 (12:51 -0800)]
Documentation: timestamping: correct path to net_tstamp.h
net_tstamp.h is an UAPI header, so it was moved under include/uapi.
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Thu, 17 Jan 2019 10:27:22 +0000 (11:27 +0100)]
af_packet: fix raw sockets over 6in4 tunnel
Since commit
cb9f1b783850, scapy (which uses an AF_PACKET socket in
SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
Here is a example of the setup:
$ ip link set ntfp2 up
$ ip addr add 10.125.0.1/24 dev ntfp2
$ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
$ ip addr add fd00:cafe:cafe::1/128 dev tun1
$ ip link set dev tun1 up
$ ip route add fd00:200::/64 dev tun1
$ scapy
>>> p = []
>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
>>> send(p, count=1, inter=0.1)
>>> quit()
$ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
TX: bytes packets errors dropped carrier collsns
0 0 1 0 0 0
The problem is that the network offset is set to the hard_header_len of the
output device (tun1, ie 14 + 20) and in our case, because the packet is
small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
(ipv6 header) starting from the network offset).
This problem is more generally related to device with variable hard header
length. To avoid a too intrusive patch in the current release, a (ugly)
workaround is proposed in this patch. It has to be cleaned up in net-next.
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
Link: http://patchwork.ozlabs.org/patch/1024489/
Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit")
CC: Willem de Bruijn <willemb@google.com>
CC: Maxim Mikityanskiy <maximmi@mellanox.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Kodanev [Wed, 16 Jan 2019 16:17:45 +0000 (19:17 +0300)]
udp6: add missing rehash callback to udplite
After commit
23b0269e58ae ("net: udp6: prefer listeners bound to an
address"), UDP-Lite only works when specifying a local address for
the sockets.
This is related to the problem addressed in the commit
719f835853a9
("udp: add rehash on connect()"). Moreover, __udp6_lib_lookup() now
looks for a socket immediately in the secondary hash table.
And this issue was found with LTP/network tests as well.
Fixes: 23b0269e58ae ("net: udp6: prefer listeners bound to an address")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Kodanev [Wed, 16 Jan 2019 16:17:44 +0000 (19:17 +0300)]
udp: add missing rehash callback to udplite
After commit
4cdeeee9252a ("net: udp: prefer listeners bound to an
address"), UDP-Lite only works when specifying a local address for
the sockets.
This is related to the problem addressed in the commit
719f835853a9
("udp: add rehash on connect()"). Moreover, __udp4_lib_lookup() now
looks for a socket immediately in the secondary hash table.
The issue was found with LTP/network tests (UDP-Lite test-cases).
Fixes: 4cdeeee9252a ("net: udp: prefer listeners bound to an address")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ivan Vecera [Wed, 16 Jan 2019 15:53:52 +0000 (16:53 +0100)]
net/sched: cls_flower: allocate mask dynamically in fl_change()
Recent changes (especially
05cd271fd61a ("cls_flower: Support multiple
masks per priority")) in the fl_flow_mask structure grow it and its
current size e.g. on x86_64 with defconfig is 760 bytes and more than
1024 bytes with some debug options enabled. Prior the mentioned commit
its size was 176 bytes (using defconfig on x86_64).
With regard to this fact it's reasonable to allocate this structure
dynamically in fl_change() to reduce its stack size.
v2:
- use kzalloc() instead of kcalloc()
Fixes: 05cd271fd61a ("cls_flower: Support multiple masks per priority")
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Paul Blakey <paulb@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Wed, 16 Jan 2019 10:27:08 +0000 (11:27 +0100)]
net: dsa: realtek-smi: fix OF child-node lookup
Use the new of_get_compatible_child() helper to look up child nodes to
avoid ever matching non-child nodes elsewhere in the tree.
Also fix up the related struct device_node leaks.
Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
Cc: stable <stable@vger.kernel.org> # 4.19: 36156f9241cb0
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Colin Ian King [Tue, 15 Jan 2019 18:03:38 +0000 (18:03 +0000)]
atm: he: fix sign-extension overflow on large shift
Shifting the 1 by exp by an int can lead to sign-extension overlow when
exp is 31 since 1 is an signed int and sign-extending this result to an
unsigned long long will set the upper 32 bits. Fix this by shifting an
unsigned long.
Detected by cppcheck:
(warning) Shifting signed 32-bit value by 31 bits is undefined behaviour
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Willem de Bruijn [Tue, 15 Jan 2019 16:40:02 +0000 (11:40 -0500)]
udp: with udp_segment release on error path
Failure __ip_append_data triggers udp_flush_pending_frames, but these
tests happen later. The skb must be freed directly.
Fixes: bec1f6f697362 ("udp: generate gso with UDP_SEGMENT")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Taehee Yoo [Tue, 15 Jan 2019 16:35:22 +0000 (01:35 +0900)]
net: bpfilter: change section name of bpfilter UMH blob.
The section of bpfilter UMH blob is the ".bpfilter_umh". but this is not
an explicit section. so linking warning occurred at compile time for the
powerpc.
So, this patch makes use of the ".rodata" instead of the ".bpfilter_umh".
Config condition:
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=y
Result:
ld: warning: orphan section `.bpfilter_umh' from
`net/bpfilter/bpfilter_umh_blob.o' being placed in section `.bpfilter_umh'
Fixes: 61fbf5933d42 ("net: bpfilter: restart bpfilter_umh when error occurred")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Tue, 15 Jan 2019 15:55:30 +0000 (16:55 +0100)]
net: phy: Add missing features to PHY drivers
The bcm87xx and micrel driver has PHYs which are missing the .features
value. Add them. The bcm87xx is a 10G FEC only PHY. Add the needed
features definition of this PHY.
Fixes: 719655a14971 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
Reported-by: Scott Wood <oss@buserror.net>
Reported-by: Camelia Groza <camelia.groza@nxp.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Mon, 14 Jan 2019 18:52:45 +0000 (10:52 -0800)]
ipv6: route: place a warning with duplicated string with correct extack
"IPv6: " prefix is already added by pr_fmt, no need to include
it again in the pr_warn() format. The message predates extack
support, we can replace the whole thing with an extack message.
Suggested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Davide Caratti [Mon, 14 Jan 2019 17:16:44 +0000 (18:16 +0100)]
selftests: tc-testing: fix parsing of ife type
In iproute2 commit
90c5c969f0b9 ("fix print_0xhex on 32 bit"), the format
specifier for the ife type changed from 0x%X to %#llX, causing systematic
failures in the following TDC test cases:
7682 - Create valid ife encode action with mark and pass control
ef47 - Create valid ife encode action with mark and pipe control
df43 - Create valid ife encode action with mark and continue control
e4cf - Create valid ife encode action with mark and drop control
ccba - Create valid ife encode action with mark and reclassify control
a1cf - Create valid ife encode action with mark and jump control
cb3d - Create valid ife encode action with mark value at 32-bit maximum
95ed - Create valid ife encode action with prio and pass control
aa17 - Create valid ife encode action with prio and pipe control
74c7 - Create valid ife encode action with prio and continue control
7a97 - Create valid ife encode action with prio and drop control
f66b - Create valid ife encode action with prio and reclassify control
3056 - Create valid ife encode action with prio and jump control
7dd3 - Create valid ife encode action with prio value at 32-bit maximum
05bb - Create valid ife encode action with tcindex and pass control
ce65 - Create valid ife encode action with tcindex and pipe control
09cd - Create valid ife encode action with tcindex and continue control
8eb5 - Create valid ife encode action with tcindex and continue control
451a - Create valid ife encode action with tcindex and drop control
d76c - Create valid ife encode action with tcindex and reclassify control
e731 - Create valid ife encode action with tcindex and jump control
b7b8 - Create valid ife encode action with tcindex value at 16-bit maximum
2a9c - Create valid ife encode action with mac src parameter
cf5c - Create valid ife encode action with mac dst parameter
2353 - Create valid ife encode action with mac src and mac dst parameters
552c - Create valid ife encode action with mark and type parameters
0421 - Create valid ife encode action with prio and type parameters
4017 - Create valid ife encode action with tcindex and type parameters
fac3 - Create valid ife encode action with index at 32-bit maximnum
7c25 - Create valid ife decode action with pass control
dccb - Create valid ife decode action with pipe control
7bb9 - Create valid ife decode action with continue control
d9ad - Create valid ife decode action with drop control
219f - Create valid ife decode action with reclassify control
8f44 - Create valid ife decode action with jump control
b330 - Create ife encode action with cookie
Change 'matchPattern' values, allowing '0' and '0x0' if ife type is equal
to 0, and accepting both '0x' and '0X' otherwise, to let these tests pass
both with old and new tc binaries.
While at it, fix a small typo in test case fac3 ('maximnum'->'maximum').
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Konstantin Khlebnikov [Mon, 14 Jan 2019 10:38:43 +0000 (13:38 +0300)]
net/core/neighbour: fix kmemleak minimal reference count for hash tables
This should be 1 for normal allocations, 0 disables leak reporting.
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Fixes: 85704cb8dcfd ("net/core/neighbour: tell kmemleak about hash tables")
Signed-off-by: David S. Miller <davem@davemloft.net>
Xin Long [Mon, 14 Jan 2019 10:34:02 +0000 (18:34 +0800)]
sctp: allocate sctp_sockaddr_entry with kzalloc
The similar issue as fixed in Commit
4a2eb0c37b47 ("sctp: initialize
sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
in sctp_inetaddr_event, as Alexander noticed.
To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xin Long [Mon, 14 Jan 2019 10:10:06 +0000 (18:10 +0800)]
erspan: build the header with the right proto according to erspan_ver
As said in draft-foschiano-erspan-03#section4:
Different frame variants known as "ERSPAN Types" can be
distinguished based on the GRE "Protocol Type" field value: Type I
and II's value is 0x88BE while Type III's is 0x22EB [ETYPES].
So set it properly in erspan_xmit() according to erspan_ver. While at
it, also remove the unused parameter 'proto' in erspan_fb_xmit().
Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ross Lagerwall [Mon, 14 Jan 2019 09:16:56 +0000 (09:16 +0000)]
openvswitch: Avoid OOB read when parsing flow nlattrs
For nested and variable attributes, the expected length of an attribute
is not known and marked by a negative number. This results in an OOB
read when the expected length is later used to check if the attribute is
all zeros. Fix this by using the actual length of the attribute rather
than the expected length.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Bezrukov [Mon, 14 Jan 2019 08:14:41 +0000 (08:14 +0000)]
net: usb: aqc111: Extend HWID table by TRENDnet device
New device of TRENDnet based on aqc111u
Add this ID to blacklist of cdc_ether driver as well
Signed-off-by: Dmitry Bezrukov <dmitry.bezrukov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Sat, 12 Jan 2019 02:55:42 +0000 (18:55 -0800)]
net_sched: refetch skb protocol for each filter
Martin reported a set of filters don't work after changing
from reclassify to continue. Looking into the code, it
looks like skb protocol is not always fetched for each
iteration of the filters. But, as demonstrated by Martin,
TC actions could modify skb->protocol, for example act_vlan,
this means we have to refetch skb protocol in each iteration,
rather than using the one we fetch in the beginning of the loop.
This bug is _not_ introduced by commit
3b3ae880266d
("net: sched: consolidate tc_classify{,_compat}"), technically,
if act_vlan is the only action that modifies skb protocol, then
it is commit
c7e2b9689ef8 ("sched: introduce vlan action") which
introduced this bug.
Reported-by: Martin Olsson <martin.olsson+netdev@sentorsecurity.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timotej Lazar [Sun, 13 Jan 2019 00:22:55 +0000 (01:22 +0100)]
net: phy: meson-gxl: Use the genphy_soft_reset callback
Since the referenced commit, Ethernet fails to come up at boot on the
board meson-gxl-s905x-libretech-cc. Fix this by re-enabling the
genphy_soft_reset callback for the Amlogic Meson GXL PHY driver.
Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset")
Signed-off-by: Timotej Lazar <timotej.lazar@araneo.si>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
yupeng [Fri, 11 Jan 2019 23:07:24 +0000 (15:07 -0800)]
net: add document for several snmp counters
add document for below counters:
TcpEstabResets
TcpAttemptFails
TcpOutRsts
TcpExtTCPSACKDiscard
TcpExtTCPDSACKIgnoredOld
TcpExtTCPDSACKIgnoredNoUndo
TcpExtTCPSackShifted
TcpExtTCPSackMerged
TcpExtTCPSackShiftFallback
TcpExtTCPWantZeroWindowAdv
TcpExtTCPToZeroWindowAdv
TcpExtTCPFromZeroWindowAdv
TcpExtDelayedACKs
TcpExtDelayedACKLocked
TcpExtDelayedACKLost
TcpExtTCPLossProbes
TcpExtTCPLossProbeRecovery
Signed-off-by: yupeng <yupeng0921@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 11 Jan 2019 14:27:35 +0000 (06:27 -0800)]
fou, fou6: do not assume linear skbs
Both gue_err() and gue6_err() incorrectly assume
linear skbs. Fix them to use pskb_may_pull().
BUG: KMSAN: uninit-value in gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
CPU: 0 PID: 18083 Comm: syz-executor1 Not tainted 5.0.0-rc1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
__msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
__udp6_lib_err_encap_no_sk net/ipv6/udp.c:434 [inline]
__udp6_lib_err_encap net/ipv6/udp.c:491 [inline]
__udp6_lib_err+0x18d0/0x2590 net/ipv6/udp.c:522
udplitev6_err+0x118/0x130 net/ipv6/udplite.c:27
icmpv6_notify+0x462/0x9f0 net/ipv6/icmp.c:784
icmpv6_rcv+0x18ac/0x3fa0 net/ipv6/icmp.c:872
ip6_protocol_deliver_rcu+0xb5a/0x23a0 net/ipv6/ip6_input.c:394
ip6_input_finish net/ipv6/ip6_input.c:434 [inline]
NF_HOOK include/linux/netfilter.h:289 [inline]
ip6_input+0x2b6/0x350 net/ipv6/ip6_input.c:443
dst_input include/net/dst.h:450 [inline]
ip6_rcv_finish+0x4e7/0x6d0 net/ipv6/ip6_input.c:76
NF_HOOK include/linux/netfilter.h:289 [inline]
ipv6_rcv+0x34b/0x3f0 net/ipv6/ip6_input.c:272
__netif_receive_skb_one_core net/core/dev.c:4973 [inline]
__netif_receive_skb net/core/dev.c:5083 [inline]
process_backlog+0x756/0x10e0 net/core/dev.c:5923
napi_poll net/core/dev.c:6346 [inline]
net_rx_action+0x78b/0x1a60 net/core/dev.c:6412
__do_softirq+0x53f/0x93a kernel/softirq.c:293
do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1039
</IRQ>
do_softirq kernel/softirq.c:338 [inline]
__local_bh_enable_ip+0x16f/0x1a0 kernel/softirq.c:190
local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
rcu_read_unlock_bh include/linux/rcupdate.h:696 [inline]
ip6_finish_output2+0x1d64/0x25f0 net/ipv6/ip6_output.c:121
ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
__sys_sendmmsg+0x580/0xad0 net/socket.c:2211
__do_sys_sendmmsg net/socket.c:2240 [inline]
__se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
__x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007f4a5204fc78 EFLAGS:
00000246 ORIG_RAX:
0000000000000133
RAX:
ffffffffffffffda RBX:
0000000000000004 RCX:
0000000000457ec9
RDX:
00000000040001ab RSI:
0000000020000240 RDI:
0000000000000003
RBP:
000000000073bf00 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000000 R11:
0000000000000246 R12:
00007f4a520506d4
R13:
00000000004c4ce5 R14:
00000000004d85d8 R15:
00000000ffffffff
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2754 [inline]
__kmalloc_node_track_caller+0xe9e/0xff0 mm/slub.c:4377
__kmalloc_reserve net/core/skbuff.c:140 [inline]
__alloc_skb+0x309/0xa20 net/core/skbuff.c:208
alloc_skb include/linux/skbuff.h:1012 [inline]
alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5288
sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2091
sock_alloc_send_skb+0xca/0xe0 net/core/sock.c:2108
__ip6_append_data+0x42ed/0x5dc0 net/ipv6/ip6_output.c:1443
ip6_append_data+0x3c2/0x650 net/ipv6/ip6_output.c:1619
icmp6_send+0x2f5c/0x3c40 net/ipv6/icmp.c:574
icmpv6_send+0xe5/0x110 net/ipv6/ip6_icmp.c:43
ip6_link_failure+0x5c/0x2c0 net/ipv6/route.c:2231
dst_link_failure include/net/dst.h:427 [inline]
vti_xmit net/ipv4/ip_vti.c:229 [inline]
vti_tunnel_xmit+0xf3b/0x1ea0 net/ipv4/ip_vti.c:265
__netdev_start_xmit include/linux/netdevice.h:4382 [inline]
netdev_start_xmit include/linux/netdevice.h:4391 [inline]
xmit_one net/core/dev.c:3278 [inline]
dev_hard_start_xmit+0x604/0xc40 net/core/dev.c:3294
__dev_queue_xmit+0x2e48/0x3b80 net/core/dev.c:3864
dev_queue_xmit+0x4b/0x60 net/core/dev.c:3897
neigh_direct_output+0x42/0x50 net/core/neighbour.c:1511
neigh_output include/net/neighbour.h:508 [inline]
ip6_finish_output2+0x1d4e/0x25f0 net/ipv6/ip6_output.c:120
ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
__sys_sendmmsg+0x580/0xad0 net/socket.c:2211
__do_sys_sendmmsg net/socket.c:2240 [inline]
__se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
__x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Fixes: b8a51b38e4d4 ("fou, fou6: ICMP error handlers for FoU and GUE")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Davide Caratti [Fri, 11 Jan 2019 14:08:23 +0000 (15:08 +0100)]
selftests: tc-testing: fix tunnel_key failure if dst_port is unspecified
After commit
1c25324caf82 ("net/sched: act_tunnel_key: Don't dump dst port
if it wasn't set"), act_tunnel_key doesn't dump anymore the destination
port, unless it was explicitly configured. This caused systematic failures
in the following TDC test case:
7a88 - Add tunnel_key action with cookie parameter
Avoid matching zero values of TCA_TUNNEL_KEY_ENC_DST_PORT to let the test
pass again.
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Davide Caratti [Fri, 11 Jan 2019 10:49:58 +0000 (11:49 +0100)]
selftests: tc-testing: drop test on missing tunnel key id
After merge of commit
80ef0f22ceda ("net/sched: act_tunnel_key: Allow
key-less tunnels"), act_tunnel_key does not reject anymore requests to
install 'set' rules where the key id is missing. Therefore, drop the
following TDC testcase:
ba4e - Add tunnel_key set action with missing mandatory id parameter
because it's going to become a systematic fail as soon as userspace
iproute2 will start supporting key-less tunnels.
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Thu, 10 Jan 2019 23:15:21 +0000 (00:15 +0100)]
net: phy: marvell: Fix deadlock from wrong locking
m88e1318_set_wol() takes the lock as part of phy_select_page(). Don't
take the lock again with phy_read(), use the unlocked __phy_read().
Fixes: 424ca4c55121 ("net: phy: marvell: fix paged access races")
Reported-by: Åke Rehnman <ake.rehnman@gmail.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Thu, 10 Jan 2019 21:48:36 +0000 (22:48 +0100)]
net: phy: marvell: Errata for mv88e6390 internal PHYs
The VOD can be out of spec, unless some magic value is poked into an
undocumented register in an undocumented page.
Fixes: e4cf8a38fc0d ("net: phy: Marvell: Add mv88e6390 internal PHY")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Greg Kroah-Hartman [Thu, 10 Jan 2019 20:24:13 +0000 (21:24 +0100)]
IN_BADCLASS: fix macro to actually work
Commit
65cab850f0ee ("net: Allow class-e address assignment via ifconfig
ioctl") modified the IN_BADCLASS macro a bit, but unfortunatly one too
many '(' characters were added to the line, making any code that used
it, not build properly.
Also, the macro now compares an unsigned with a signed value, which
isn't ok, so fix that up by making both types match properly.
Reported-by: Christopher Ferris <cferris@google.com>
Fixes: 65cab850f0ee ("net: Allow class-e address assignment via ifconfig ioctl")
Cc: Dave Taht <dave.taht@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Willem de Bruijn [Thu, 10 Jan 2019 19:40:33 +0000 (14:40 -0500)]
tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state
TCP transmission with MSG_ZEROCOPY fails if the peer closes its end of
the connection and so transitions this socket to CLOSE_WAIT state.
Transmission in close wait state is acceptable. Other similar tests in
the stack (e.g., in FastOpen) accept both states. Relax this test, too.
Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg276886.html
Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg227390.html
Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
Reported-by: Marek Majkowski <marek@cloudflare.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
CC: Yuchung Cheng <ycheng@google.com>
CC: Neal Cardwell <ncardwell@google.com>
CC: Soheil Hassas Yeganeh <soheil@google.com>
CC: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Heiner Kallweit [Thu, 10 Jan 2019 19:22:26 +0000 (20:22 +0100)]
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
So far genphy_soft_reset was used automatically if the PHY driver
didn't implement the soft_reset callback. This changed with the
mentioned commit and broke KSZ9031. To fix this configure the
KSZ9031 PHY driver to use genphy_soft_reset.
Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset")
Reported-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Tested-by: Sekhar Nori <nsekhar@ti.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Davide Caratti [Thu, 10 Jan 2019 19:21:02 +0000 (20:21 +0100)]
net/sched: act_tunnel_key: fix memory leak in case of action replace
running the following TDC test cases:
7afc - Replace tunnel_key set action with all parameters
364d - Replace tunnel_key set action with all parameters and cookie
it's possible to trigger kmemleak warnings like:
unreferenced object 0xffff94797127ab40 (size 192):
comm "tc", pid 3248, jiffies
4300565293 (age 1006.862s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c0 93 f9 8a ff ff ff ff ................
41 84 ee 89 ff ff ff ff 00 00 00 00 00 00 00 00 A...............
backtrace:
[<
000000001e85b61c>] tunnel_key_init+0x31d/0x820 [act_tunnel_key]
[<
000000007f3f6ee7>] tcf_action_init_1+0x384/0x4c0
[<
00000000e89e3ded>] tcf_action_init+0x12b/0x1a0
[<
00000000c1c8c0f8>] tcf_action_add+0x73/0x170
[<
0000000095a9fc28>] tc_ctl_action+0x122/0x160
[<
000000004bebeac5>] rtnetlink_rcv_msg+0x263/0x2d0
[<
000000009fd862dd>] netlink_rcv_skb+0x4a/0x110
[<
00000000b55199e7>] netlink_unicast+0x1a0/0x250
[<
000000004996cd21>] netlink_sendmsg+0x2c1/0x3c0
[<
000000004d6a94b4>] sock_sendmsg+0x36/0x40
[<
000000005d9f0208>] ___sys_sendmsg+0x280/0x2f0
[<
00000000dec19023>] __sys_sendmsg+0x5e/0xa0
[<
000000004b82ac81>] do_syscall_64+0x5b/0x180
[<
00000000a0f1209a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<
000000002926b2ab>] 0xffffffffffffffff
when the tunnel_key action is replaced, the kernel forgets to release the
dst metadata: ensure they are released by tunnel_key_init(), the same way
it's done in tunnel_key_release().
Fixes: d0f6dd8a914f4 ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Howells [Thu, 10 Jan 2019 16:59:13 +0000 (16:59 +0000)]
Revert "rxrpc: Allow failed client calls to be retried"
The changes introduced to allow rxrpc calls to be retried creates an issue
when it comes to refcounting afs_call structs. The problem is that when
rxrpc_send_data() queues the last packet for an asynchronous call, the
following sequence can occur:
(1) The notify_end_tx callback is invoked which causes the state in the
afs_call to be changed from AFS_CALL_CL_REQUESTING or
AFS_CALL_SV_REPLYING.
(2) afs_deliver_to_call() can then process event notifications from rxrpc
on the async_work queue.
(3) Delivery of events, such as an abort from the server, can cause the
afs_call state to be changed to AFS_CALL_COMPLETE on async_work.
(4) For an asynchronous call, afs_process_async_call() notes that the call
is complete and tried to clean up all the refs on async_work.
(5) rxrpc_send_data() might return the amount of data transferred
(success) or an error - which could in turn reflect a local error or a
received error.
Synchronising the clean up after rxrpc_kernel_send_data() returns an error
with the asynchronous cleanup is then tricky to get right.
Mostly revert commit
c038a58ccfd6704d4d7d60ed3d6a0fca13cf13a4. The two API
functions the original commit added aren't currently used. This makes
rxrpc_kernel_send_data() always return successfully if it queued the data
it was given.
Note that this doesn't affect synchronous calls since their Rx notification
function merely pokes a wait queue and does not refcounting. The
asynchronous call notification function *has* to do refcounting and pass a
ref over the work item to avoid the need to sync the workqueue in call
cleanup.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 16 Jan 2019 04:29:21 +0000 (20:29 -0800)]
Merge branch 'tipc-uninit-values'
Ying Xue says:
====================
tipc: fix uninit-value issues reported by syzbot
Recently, syzbot complained that TIPC module exits several issues
associated with uninit-value type. So, in this series, we try to
fix them as many as possible.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:29 +0000 (17:22 +0800)]
tipc: fix uninit-value in tipc_nl_compat_doit
BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
__sys_sendmsg net/socket.c:2080 [inline]
SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
SyS_sendmsg+0x54/0x80 net/socket.c:2087
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fda9
RSP: 002b:
00007ffd0c184ba8 EFLAGS:
00000213 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00000000004002c8 RCX:
000000000043fda9
RDX:
0000000000000000 RSI:
0000000020023000 RDI:
0000000000000003
RBP:
00000000006ca018 R08:
00000000004002c8 R09:
00000000004002c8
R10:
00000000004002c8 R11:
0000000000000213 R12:
00000000004016d0
R13:
0000000000401760 R14:
0000000000000000 R15:
0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2737 [inline]
__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:984 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
__sys_sendmsg net/socket.c:2080 [inline]
SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
SyS_sendmsg+0x54/0x80 net/socket.c:2087
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
In tipc_nl_compat_recv(), when the len variable returned by
nlmsg_attrlen() is 0, the message is still treated as a valid one,
which is obviously unresonable. When len is zero, it means the
message not only doesn't contain any valid TLV payload, but also
TLV header is not included. Under this stituation, tlv_type field
in TLV header is still accessed in tipc_nl_compat_dumpit() or
tipc_nl_compat_doit(), but the field space is obviously illegal.
Of course, it is not initialized.
Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:28 +0000 (17:22 +0800)]
tipc: fix uninit-value in tipc_nl_compat_name_table_dump
syzbot reported:
BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x306/0x460 lib/dump_stack.c:113
kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
__msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
__arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
__fswab32 include/uapi/linux/swab.h:59 [inline]
tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
__tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x307/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440179
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007ffecec49318 EFLAGS:
00000213 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00000000004002c8 RCX:
0000000000440179
RDX:
0000000000000000 RSI:
0000000020000100 RDI:
0000000000000003
RBP:
00000000006ca018 R08:
0000000000000000 R09:
00000000004002c8
R10:
0000000000000000 R11:
0000000000000213 R12:
0000000000401a00
R13:
0000000000401a90 R14:
0000000000000000 R15:
0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2727 [inline]
__kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x422/0xe90 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:996 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x307/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
We cannot take for granted the thing that the length of data contained
in TLV is longer than the size of struct tipc_name_table_query in
tipc_nl_compat_name_table_dump().
Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:27 +0000 (17:22 +0800)]
tipc: fix uninit-value in tipc_nl_compat_link_set
syzbot reports following splat:
BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
__msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
strlen+0x3b/0xa0 lib/string.c:486
nla_put_string include/net/netlink.h:1154 [inline]
__tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
__tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x305/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
The uninitialised access happened in
nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)
This is because lc->name string is not validated before it's used.
Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:26 +0000 (17:22 +0800)]
tipc: fix uninit-value in tipc_nl_compat_bearer_enable
syzbot reported:
BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484
CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x306/0x460 lib/dump_stack.c:113
kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
__msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
strlen+0x3b/0xa0 lib/string.c:484
nla_put_string include/net/netlink.h:1011 [inline]
tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389
__tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344
tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107
genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x307/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440179
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007fffef7beee8 EFLAGS:
00000213 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00000000004002c8 RCX:
0000000000440179
RDX:
0000000000000000 RSI:
0000000020000100 RDI:
0000000000000003
RBP:
00000000006ca018 R08:
0000000000000000 R09:
00000000004002c8
R10:
0000000000000000 R11:
0000000000000213 R12:
0000000000401a00
R13:
0000000000401a90 R14:
0000000000000000 R15:
0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2727 [inline]
__kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x422/0xe90 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:996 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x307/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
The root cause is that we don't validate whether bear name is a valid
string in tipc_nl_compat_bearer_enable().
Meanwhile, we also fix the same issue in the following functions:
tipc_nl_compat_bearer_disable()
tipc_nl_compat_link_stat_dump()
tipc_nl_compat_media_set()
tipc_nl_compat_bearer_set()
Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:25 +0000 (17:22 +0800)]
tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
syzbot reports following splat:
BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
__msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
strlen+0x3b/0xa0 lib/string.c:486
nla_put_string include/net/netlink.h:1154 [inline]
tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
__tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x305/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007f2557338c78 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
0000000000000003 RCX:
0000000000457ec9
RDX:
0000000000000000 RSI:
00000000200001c0 RDI:
0000000000000003
RBP:
000000000073bf00 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000000 R11:
0000000000000246 R12:
00007f25573396d4
R13:
00000000004cb478 R14:
00000000004d86c8 R15:
00000000ffffffff
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2759 [inline]
__kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
__kmalloc_reserve net/core/skbuff.c:137 [inline]
__alloc_skb+0x309/0xa20 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:998 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
__sys_sendmsg net/socket.c:2154 [inline]
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg+0x305/0x460 net/socket.c:2161
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
The uninitialised access happened in tipc_nl_compat_link_reset_stats:
nla_put_string(skb, TIPC_NLA_LINK_NAME, name)
This is because name string is not validated before it's used.
Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ying Xue [Mon, 14 Jan 2019 09:22:24 +0000 (17:22 +0800)]
tipc: fix uninit-value in in tipc_conn_rcv_sub
syzbot reported:
BUG: KMSAN: uninit-value in tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
CPU: 0 PID: 66 Comm: kworker/u4:4 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_conn_recv_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
kthread+0x539/0x720 kernel/kthread.c:239
ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412
Local variable description: ----s.i@tipc_conn_recv_work
Variable was created at:
tipc_conn_recv_work+0x65/0x560 net/tipc/topsrv.c:419
process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
In tipc_conn_rcv_from_sock(), it always supposes the length of message
received from sock_recvmsg() is not smaller than the size of struct
tipc_subscr. However, this assumption is false. Especially when the
length of received message is shorter than struct tipc_subscr size,
we will end up touching uninitialized fields in tipc_conn_rcv_sub().
Reported-by: syzbot+8951a3065ee7fd6d6e23@syzkaller.appspotmail.com
Reported-by: syzbot+75e6e042c5bbf691fc82@syzkaller.appspotmail.com
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 16 Jan 2019 04:12:01 +0000 (20:12 -0800)]
Merge branch 'sch_cake-leaf-qdisc-fixes'
Toke Høiland-Jørgensen says:
====================
sched: Fix qdisc interactions exposed by using sch_cake as a leaf qdisc
This series fixes a couple of issues exposed by running sch_cake as a
leaf qdisc in an HFSC tree, which were discovered and reported by Pete
Heist. The interaction between CAKE's GSO splitting and the parent
qdisc's notion of its own queue length could cause queue stalls. While
investigating the report, I also noticed that several qdiscs would
dereference the skb pointer after dequeue, which is potentially
problematic since the GSO splitting code also frees the original skb.
See the individual patches in the series for details.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Toke Høiland-Jørgensen [Wed, 9 Jan 2019 16:09:44 +0000 (17:09 +0100)]
sch_cake: Correctly update parent qlen when splitting GSO packets
To ensure parent qdiscs have the same notion of the number of enqueued
packets even after splitting a GSO packet, update the qdisc tree with the
number of packets that was added due to the split.
Reported-by: Pete Heist <pete@heistp.net>
Tested-by: Pete Heist <pete@heistp.net>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Toke Høiland-Jørgensen [Wed, 9 Jan 2019 16:09:43 +0000 (17:09 +0100)]
sched: Fix detection of empty queues in child qdiscs
Several qdiscs check on enqueue whether the packet was enqueued to a class
with an empty queue, in which case the class is activated. This is done by
checking if the qlen is exactly 1 after enqueue. However, if GSO splitting
is enabled in the child qdisc, a single packet can result in a qlen longer
than 1. This means the activation check fails, leading to a stalled queue.
Fix this by checking if the queue is empty *before* enqueue, and running
the activation logic if this was the case.
Reported-by: Pete Heist <pete@heistp.net>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Toke Høiland-Jørgensen [Wed, 9 Jan 2019 16:09:42 +0000 (17:09 +0100)]
sched: Avoid dereferencing skb pointer after child enqueue
Parent qdiscs may dereference the pointer to the enqueued skb after
enqueue. However, both CAKE and TBF call consume_skb() on the original skb
when splitting GSO packets, leading to a potential use-after-free in the
parent. Fix this by avoiding dereferencing the skb pointer after enqueueing
to the child.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hangbin Liu [Thu, 10 Jan 2019 03:17:42 +0000 (11:17 +0800)]
ip6_gre: update version related info when changing link
We forgot to update ip6erspan version related info when changing link,
which will cause setting new hwid failed.
Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes: 94d7d8f292870 ("ip6_gre: add erspan v2 support")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Heiner Kallweit [Wed, 9 Jan 2019 19:34:56 +0000 (20:34 +0100)]
net: phy: fix too strict check in phy_start_aneg
When adding checks to detect wrong usage of the phylib API we added
a check to phy_start_aneg() which is too strict. If the phylib
state machine is in state PHY_HALTED we should allow reconfiguring
and restarting aneg, and just don't touch the state.
Fixes: 2b3e88ea6528 ("net: phy: improve phy state checking")
Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Kirsher [Wed, 9 Jan 2019 17:10:53 +0000 (09:10 -0800)]
Revert "igb: reduce CPU0 latency when updating statistics"
This reverts commit
59361316afcb08569af21e1af83e89c7051c055a.
Due to problems found in additional testing, this causes an illegal
context switch in the RCU read-side critical section.
CC: Dave Jones <davej@codemonkey.org.uk>
CC: Cong Wang <xiyou.wangcong@gmail.com>
CC: Jan Jablonsky <jan.jablonsky@thalesgroup.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Wed, 9 Jan 2019 10:50:07 +0000 (13:50 +0300)]
selftests/txtimestamp: Fix an equals vs assign bug
This should be == instead of =.
Fixes: b52354aa068e ("selftests: expand txtimestamp with ipv6 dgram + raw and pf_packet")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ido Schimmel [Wed, 9 Jan 2019 09:57:39 +0000 (09:57 +0000)]
net: ipv4: Fix memory leak in network namespace dismantle
IPv4 routing tables are flushed in two cases:
1. In response to events in the netdev and inetaddr notification chains
2. When a network namespace is being dismantled
In both cases only routes associated with a dead nexthop group are
flushed. However, a nexthop group will only be marked as dead in case it
is populated with actual nexthops using a nexthop device. This is not
the case when the route in question is an error route (e.g.,
'blackhole', 'unreachable').
Therefore, when a network namespace is being dismantled such routes are
not flushed and leaked [1].
To reproduce:
# ip netns add blue
# ip -n blue route add unreachable 192.0.2.0/24
# ip netns del blue
Fix this by not skipping error routes that are not marked with
RTNH_F_DEAD when flushing the routing tables.
To prevent the flushing of such routes in case #1, add a parameter to
fib_table_flush() that indicates if the table is flushed as part of
namespace dismantle or not.
Note that this problem does not exist in IPv6 since error routes are
associated with the loopback device.
[1]
unreferenced object 0xffff888066650338 (size 56):
comm "ip", pid 1206, jiffies
4294786063 (age 26.235s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 b0 1c 62 61 80 88 ff ff ..........ba....
e8 8b a1 64 80 88 ff ff 00 07 00 08 fe 00 00 00 ...d............
backtrace:
[<
00000000856ed27d>] inet_rtm_newroute+0x129/0x220
[<
00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
[<
00000000cb85801a>] netlink_rcv_skb+0x132/0x380
[<
00000000ebc991d2>] netlink_unicast+0x4c0/0x690
[<
0000000014f62875>] netlink_sendmsg+0x929/0xe10
[<
00000000bac9d967>] sock_sendmsg+0xc8/0x110
[<
00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
[<
000000002e94f880>] __sys_sendmsg+0xf7/0x250
[<
00000000ccb1fa72>] do_syscall_64+0x14d/0x610
[<
00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<
000000003a8b605b>] 0xffffffffffffffff
unreferenced object 0xffff888061621c88 (size 48):
comm "ip", pid 1206, jiffies
4294786063 (age 26.235s)
hex dump (first 32 bytes):
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
6b 6b 6b 6b 6b 6b 6b 6b d8 8e 26 5f 80 88 ff ff kkkkkkkk..&_....
backtrace:
[<
00000000733609e3>] fib_table_insert+0x978/0x1500
[<
00000000856ed27d>] inet_rtm_newroute+0x129/0x220
[<
00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
[<
00000000cb85801a>] netlink_rcv_skb+0x132/0x380
[<
00000000ebc991d2>] netlink_unicast+0x4c0/0x690
[<
0000000014f62875>] netlink_sendmsg+0x929/0xe10
[<
00000000bac9d967>] sock_sendmsg+0xc8/0x110
[<
00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
[<
000000002e94f880>] __sys_sendmsg+0xf7/0x250
[<
00000000ccb1fa72>] do_syscall_64+0x14d/0x610
[<
00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<
000000003a8b605b>] 0xffffffffffffffff
Fixes: 8cced9eff1d4 ("[NETNS]: Enable routing configuration in non-initial namespace.")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Olivier Matz [Wed, 9 Jan 2019 09:57:21 +0000 (10:57 +0100)]
ip6_gre: fix tunnel list corruption for x-netns
In changelink ops, the ip6gre_net pointer is retrieved from
dev_net(dev), which is wrong in case of x-netns. Thus, the tunnel is not
unlinked from its current list and is relinked into another net
namespace. This corrupts the tunnel lists and can later trigger a kernel
oops.
Fix this by retrieving the netns from device private area.
Fixes: c8632fc30bb0 ("net: ip6_gre: Split up ip6gre_changelink()")
Cc: Petr Machata <petrm@mellanox.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 15 Jan 2019 21:31:46 +0000 (13:31 -0800)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
This is the first batch of Netfilter fixes for your net tree:
1) Fix endless loop in nf_tables rules netlink dump, from Phil Sutter.
2) Reference counter leak in object from the error path, from Taehee Yoo.
3) Selective rule dump requires table and chain.
4) Fix DNAT with nft_flow_offload reverse route lookup, from wenxu.
5) Use GFP_KERNEL_ACCOUNT in vmalloc allocation from ebtables, from
Shakeel Butt.
6) Set ifindex from route to fix interaction with VRF slave device,
also from wenxu.
7) Use nfct_help() to check for conntrack helper, IPS_HELPER status
flag is only set from explicit helpers via -j CT, from Henry Yen.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 15 Jan 2019 17:28:26 +0000 (05:28 +1200)]
Merge tag 'trace-v5.0-rc1' of git://git./linux/kernel/git/rostedt/linux-trace
Pull tracing fix from Steven Rostedt:
"Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()
It is possible to trigger a NULL pointer dereference by writing an
incorrectly formatted string to the krpobe_events file"
* tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
Linus Torvalds [Tue, 15 Jan 2019 17:13:36 +0000 (05:13 +1200)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
Gautier.
2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.
3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
Brivio.
4) Use after free in hns driver, from Yonglong Liu.
5) icmp6_send() needs to handle the case of NULL skb, from Eric
Dumazet.
6) Missing rcu read lock in __inet6_bind() when operating on mapped
addresses, from David Ahern.
7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.
8) Fix PHY vs r8169 module loading ordering issues, from Heiner
Kallweit.
9) Fix bridge vlan memory leak, from Ido Schimmel.
10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.
11) Infoleak in ipv6_local_error(), flow label isn't completely
initialized. From Eric Dumazet.
12) Handle mv88e6390 errata, from Andrew Lunn.
13) Making vhost/vsock CID hashing consistent, from Zha Bin.
14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.
15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
bnxt_en: Fix context memory allocation.
bnxt_en: Fix ring checking logic on 57500 chips.
mISDN: hfcsusb: Use struct_size() in kzalloc()
net: clear skb->tstamp in bridge forwarding path
net: bpfilter: disallow to remove bpfilter module while being used
net: bpfilter: restart bpfilter_umh when error occurred
net: bpfilter: use cleanup callback to release umh_info
umh: add exit routine for UMH process
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
vhost/vsock: fix vhost vsock cid hashing inconsistent
net: stmmac: Prevent RX starvation in stmmac_napi_poll()
net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
net: stmmac: Check if CBS is supported before configuring
net: stmmac: dwxgmac2: Only clear interrupts that are active
net: stmmac: Fix PCI module removal leak
tools/bpf: fix bpftool map dump with bitfields
tools/bpf: test btf bitfield with >=256 struct member offset
bpf: fix bpffs bitfield pretty print
net: ethernet: mediatek: fix warning in phy_start_aneg
tcp: change txhash on SYN-data timeout
...
Andrea Righi [Fri, 11 Jan 2019 06:01:13 +0000 (07:01 +0100)]
tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
It is possible to trigger a NULL pointer dereference by writing an
incorrectly formatted string to krpobe_events (trying to create a
kretprobe omitting the symbol).
Example:
echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events
That triggers this:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
#PF error: [normal kernel read fault]
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
RIP: 0010:kstrtoull+0x2/0x20
Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
RSP: 0018:
ffffb5d482e57cb8 EFLAGS:
00010246
RAX:
0000000000000000 RBX:
0000000000000001 RCX:
ffffffff82b12720
RDX:
ffffb5d482e57cf8 RSI:
0000000000000000 RDI:
0000000000000000
RBP:
ffffb5d482e57d70 R08:
ffffa0c05e5a7080 R09:
ffffa0c05e003980
R10:
0000000000000000 R11:
0000000040000000 R12:
ffffa0c04fe87b08
R13:
0000000000000001 R14:
000000000000000b R15:
ffffa0c058d749e1
FS:
00007f137c7f7740(0000) GS:
ffffa0c05e580000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000000 CR3:
0000000497d46004 CR4:
00000000003606e0
Call Trace:
? trace_kprobe_create+0xb6/0x840
? _cond_resched+0x19/0x40
? _cond_resched+0x19/0x40
? __kmalloc+0x62/0x210
? argv_split+0x8f/0x140
? trace_kprobe_create+0x840/0x840
? trace_kprobe_create+0x840/0x840
create_or_delete_trace_kprobe+0x11/0x30
trace_run_command+0x50/0x90
trace_parse_run_command+0xc1/0x160
probes_write+0x10/0x20
__vfs_write+0x3a/0x1b0
? apparmor_file_permission+0x1a/0x20
? security_file_permission+0x31/0xf0
? _cond_resched+0x19/0x40
vfs_write+0xb1/0x1a0
ksys_write+0x55/0xc0
__x64_sys_write+0x1a/0x20
do_syscall_64+0x5a/0x120
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fix by doing the proper argument checks in trace_kprobe_create().
Cc: Ingo Molnar <mingo@redhat.com>
Link: https://lore.kernel.org/lkml/20190111095108.b79a2ee026185cbd62365977@kernel.org
Link: http://lkml.kernel.org/r/20190111060113.GA22841@xps-13
Fixes: 6212dd29683e ("tracing/kprobes: Use dyn_event framework for kprobe events")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Ming Lei [Tue, 15 Jan 2019 03:59:52 +0000 (11:59 +0800)]
sbitmap: Protect swap_lock from hardirq
Because we may call blk_mq_get_driver_tag() directly from
blk_mq_dispatch_rq_list() without holding any lock, then HARDIRQ may
come and the above DEADLOCK is triggered.
Commit
ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq") tries to
fix this issue by using 'spin_lock_bh', which isn't enough because we
complete request from hardirq context direclty in case of multiqueue.
Cc: Clark Williams <williams@redhat.com>
Fixes: ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq")
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Steven Rostedt (VMware) [Mon, 14 Jan 2019 17:25:40 +0000 (12:25 -0500)]
sbitmap: Protect swap_lock from softirqs
The swap_lock used by sbitmap has a chain with locks taken from softirq,
but the swap_lock is not protected from being preempted by softirqs.
A chain exists of:
sbq->ws[i].wait -> dispatch_wait_lock -> swap_lock
Where the sbq->ws[i].wait lock can be taken from softirq context, which
means all locks below it in the chain must also be protected from
softirqs.
Reported-by: Clark Williams <williams@redhat.com>
Fixes: 58ab5e32e6fd ("sbitmap: silence bogus lockdep IRQ warning")
Fixes: ea86ea2cdced ("sbitmap: amortize cost of clearing bits")
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 14 Jan 2019 18:26:28 +0000 (06:26 +1200)]
Merge tag 'gpio-v5.0-2' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"The patch hitting the MMC/SD subsystem is fixing up my own mess when
moving semantics from MMC/SD over to gpiolib. Ulf is on vacation but I
managed to reach him on chat and obtain his ACK.
The other two are early-rc fixes that are not super serious but pretty
annoying so I'd like to get rid of them.
Summary:
- Get rid of some WARN_ON() from the ACPI code
- Staticize a symbol
- Fix MMC polarity detection"
* tag 'gpio-v5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
mmc: core: don't override the CD GPIO level when "cd-inverted" is set
gpio: pca953x: Make symbol 'pca953x_i2c_regmap' static
gpiolib-acpi: Remove unnecessary WARN_ON from acpi_gpiochip_free_interrupts
Linus Torvalds [Mon, 14 Jan 2019 18:24:36 +0000 (06:24 +1200)]
Merge tag 'mfd-next-4.21' of git://git./linux/kernel/git/lee/mfd
Pull MFD updates from Lee Jones:
"New Device Support
- Add support for Power Supply to AXP813
- Add support for GPIO, ADC, AC and Battery Power Supply to AXP803
- Add support for UART to Exynos LPASS
Fix-ups:
- Use supplied MACROS; ti_am335x_tscadc
- Trivial spelling/whitespace/alignment; tmio, axp20x, rave-sp
- Regmap changes; bd9571mwv, wm5110-tables
- Kconfig dependencies; MFD_AT91_USART
- Supply shared data for child-devices; madera-core
- Use new of_node_name_eq() API call; max77620, stmpe
- Use managed resources (devm_*); tps65218
- Comment descriptions; ingenic-tcu
- Coding style; madera-core
Bug Fixes:
- Fix section mismatches; twl-core, db8500-prcmu
- Correct error path related issues; mt6397-core, ab8500-core, mc13xxx-core
- IRQ related fixes; tps6586x
- Ensure proper initialisation sequence; qcom_rpm
- Repair potential memory leak; cros_ec_dev"
* tag 'mfd-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (25 commits)
mfd: exynos-lpass: Enable UART module support
mfd: mc13xxx: Fix a missing check of a register-read failure
mfd: cros_ec: Add commands to control codec
mfd: madera: Remove spurious semicolon in while loop
mfd: rave-sp: Fix typo in rave_sp_checksum comment
mfd: ingenic-tcu: Fix bit field description in header
mfd: tps65218: Use devm_regmap_add_irq_chip and clean up error path in probe()
mfd: Use of_node_name_eq() for node name comparisons
mfd: cros_ec_dev: Add missing mfd_remove_devices() call in remove
mfd: axp20x: Add supported cells for AXP803
mfd: axp20x: Re-align MFD cell entries
mfd: axp20x: Add AC power supply cell for AXP813
mfd: wm5110: Add missing ASRC rate register
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: tps6586x: Handle interrupts on suspend
mfd: madera: Add shared data for accessory detection
mfd: at91-usart: Add platform dependency
mfd: bd9571mwv: Add volatile register to make DVFS work
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: tmio: Typo s/use use/use/
...
Linus Torvalds [Mon, 14 Jan 2019 18:21:10 +0000 (06:21 +1200)]
Merge tag 'backlight-next-4.21' of git://git./linux/kernel/git/lee/backlight
Pull backlight updates from Lee Jones:
"Fix-ups:
- Use new of_node_name_eq() API call
Bug Fixes:
- Internally track 'enabled' state in pwm_bl
- Fix auto-generated pwm_bl brightness tables parsed by DT
* tag 'backlight-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
backlight: 88pm860x_bl: Use of_node_name_eq for node name comparisons
backlight: pwm_bl: Fix devicetree parsing with auto-generated brightness tables
backlight: pwm_bl: Re-add driver internal enabled tracking
Henry Yen [Mon, 14 Jan 2019 09:59:43 +0000 (17:59 +0800)]
netfilter: nft_flow_offload: fix checking method of conntrack helper
This patch uses nfct_help() to detect whether an established connection
needs conntrack helper instead of using test_bit(IPS_HELPER_BIT,
&ct->status).
The reason is that IPS_HELPER_BIT is only set when using explicit CT
target.
However, in the case that a device enables conntrack helper via command
"echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper", the status of
IPS_HELPER_BIT will not present any change, and consequently it loses
the checking ability in the context.
Signed-off-by: Henry Yen <henry.yen@mediatek.com>
Reviewed-by: Ryder Lee <ryder.lee@mediatek.com>
Tested-by: John Crispin <john@phrozen.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Linus Torvalds [Sun, 13 Jan 2019 22:41:12 +0000 (10:41 +1200)]
Linux 5.0-rc2
Jonathan Neuschäfer [Sat, 12 Jan 2019 17:14:30 +0000 (18:14 +0100)]
kernel/sys.c: Clarify that UNAME26 does not generate unique versions anymore
UNAME26 is a mechanism to report Linux's version as 2.6.x, for
compatibility with old/broken software. Due to the way it is
implemented, it would have to be updated after 5.0, to keep the
resulting versions unique. Linus Torvalds argued:
"Do we actually need this?
I'd rather let it bitrot, and just let it return random versions. It
will just start again at 2.4.60, won't it?
Anybody who uses UNAME26 for a 5.x kernel might as well think it's
still 4.x. The user space is so old that it can't possibly care about
differences between 4.x and 5.x, can it?
The only thing that matters is that it shows "2.4.<largeenough>",
which it will do regardless"
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sun, 13 Jan 2019 22:34:14 +0000 (10:34 +1200)]
Merge tag 'armsoc-fixes' of git://git./linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"A bigger batch than I anticipated this week, for two reasons:
- Some fallout on Davinci from board file -> DTB conversion, that
also includes a few longer-standing fixes (i.e. not recent
regressions).
- drivers/reset material that has been in linux-next for a while, but
didn't get sent to us until now for a variety of reasons
(maintainer out sick, holidays, etc). There's a functional
dependency in there such that one platform (Altera's SoCFPGA) won't
boot without one of the patches; instead of reverting the patch
that got merged, I looked at this set and decided it was small
enough that I'll pick it up anyway. If you disagree I can revisit
with a smaller set.
That being said, there's also a handful of the usual stuff:
- Fix for a crash on Armada 7K/8K when the kernel touches
PSCI-reserved memory
- Fix for PCIe reset on Macchiatobin (Armada 8K development board,
what this email is sent from in fact :)
- Enable a few new-merged modules for Amlogic in arm64 defconfig
- Error path fixes on Integrator
- Build fix for Renesas and Qualcomm
- Initialization fix for Renesas RZ/G2E
.. plus a few more fixlets"
* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (28 commits)
ARM: integrator: impd1: use struct_size() in devm_kzalloc()
qcom-scm: Include <linux/err.h> header
gpio: pl061: handle failed allocations
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
arm64: dts: marvell: mcbin: fix PCIe reset signal
arm64: dts: marvell: armada-ap806: reserve PSCI area
ARM: dts: da850-lcdk: Correct the sound card name
ARM: dts: da850-lcdk: Correct the audio codec regulators
ARM: dts: da850-evm: Correct the sound card name
ARM: dts: da850-evm: Correct the audio codec regulators
ARM: davinci: omapl138-hawk: fix label names in GPIO lookup entries
ARM: davinci: dm644x-evm: fix label names in GPIO lookup entries
ARM: davinci: dm355-evm: fix label names in GPIO lookup entries
ARM: davinci: da850-evm: fix label names in GPIO lookup entries
ARM: davinci: da830-evm: fix label names in GPIO lookup entries
arm64: defconfig: enable modules for amlogic s400 sound card
reset: uniphier-glue: Add AHCI reset control support in glue layer
dt-bindings: reset: uniphier: Add AHCI core reset description
reset: uniphier-usb3: Rename to reset-uniphier-glue
dt-bindings: reset: uniphier: Replace the expression of USB3 with generic peripherals
...
Linus Torvalds [Sun, 13 Jan 2019 17:55:51 +0000 (05:55 +1200)]
Merge tag 'for-5.0-rc1-tag' of git://git./linux/kernel/git/kdave/linux
Pull btrfs fixes from David Sterba:
- two regression fixes in clone/dedupe ioctls, the generic check
callback needs to lock extents properly and wait for io to avoid
problems with writeback and relocation
- fix deadlock when using free space tree due to block group creation
- a recently added check refuses a valid fileystem with seeding device,
make that work again with a quickfix, proper solution needs more
intrusive changes
* tag 'for-5.0-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: Use real device structure to verify dev extent
Btrfs: fix deadlock when using free space tree due to block group creation
Btrfs: fix race between reflink/dedupe and relocation
Btrfs: fix race between cloning range ending at eof and writeback
Linus Torvalds [Sun, 13 Jan 2019 17:51:08 +0000 (05:51 +1200)]
Merge tag 'driver-core-5.0-rc2' of git://git./linux/kernel/git/gregkh/driver-core
Pull driver core fixes from Greg KH:
"Here is one small sysfs change, and a documentation update for 5.0-rc2
The sysfs change moves from using BUG_ON to WARN_ON, as discussed in
an email thread on lkml while trying to track down another driver bug.
sysfs should not be crashing and preventing people from seeing where
they went wrong. Now it properly recovers and warns the developer.
The documentation update removes the use of BUS_ATTR() as the kernel
is moving away from this to use the specific BUS_ATTR_RW() and friends
instead. There are pending patches in all of the different subsystems
to remove the last users of this macro, but for now, don't advertise
it should be used anymore to keep new ones from being introduced.
Both have been in linux-next with no reported issues"
* tag 'driver-core-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
Documentation: driver core: remove use of BUS_ATTR
sysfs: convert BUG_ON to WARN_ON
Linus Torvalds [Sun, 13 Jan 2019 17:49:35 +0000 (05:49 +1200)]
Merge tag 'staging-5.0-rc2' of git://git./linux/kernel/git/gregkh/staging
Pull staging driver fixes from Greg KH:
"Here are some small staging driver fixes for some reported issues.
One reverts a patch that was made to the rtl8723bs driver that turned
out to not be needed at all as it was a bug in clang. The others fix
up some reported issues in the rtl8188eu driver and update the
MAINTAINERS file to point to Larry for this driver so he can get the
bug reports easier.
All have been in linux-next with no reported issues"
* tag 'staging-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
Revert "staging: rtl8723bs: Mark ACPI table declaration as used"
staging: rtl8188eu: Fix module loading from tasklet for WEP encryption
staging: rtl8188eu: Fix module loading from tasklet for CCMP encryption
MAINTAINERS: Add entry for staging driver r8188eu
Linus Torvalds [Sun, 13 Jan 2019 17:47:48 +0000 (05:47 +1200)]
Merge tag 'tty-5.0-rc2' of git://git./linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are 2 tty and serial fixes for 5.0-rc2 that resolve some reported
issues.
The first is a simple serial driver fix for a regression that showed
up in 5.0-rc1. The second one resolves a number of reported issues
with the recent tty locking fixes that went into 5.0-rc1. Lots of
people have tested the second one and say it resolves their issues.
Both have been in linux-next with no reported issues"
* tag 'tty-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: Don't hold ldisc lock in tty_reopen() if ldisc present
serial: lantiq: Do not swap register read/writes
Linus Torvalds [Sun, 13 Jan 2019 17:45:28 +0000 (05:45 +1200)]
Merge tag 'usb-5.0-rc2' of git://git./linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some small USB driver fixes and quirk updates for 5.0-rc2.
The majority here are some quirks for some storage devices to get them
to work properly. There's also a fix here to resolve the reported
issues with some audio devices that say they are UAC3 compliant, but
really are not.
And a fix up for the MAINTAINERS file to remove a dead url.
All have been in linux-next with no reported issues"
* tag 'usb-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
usb: storage: Remove outdated URL from MAINTAINERS
USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
usbcore: Select only first configuration for non-UAC3 compliant devices
USB: storage: add quirk for SMI SM3350
USB: storage: don't insert sane sense for SPC3+ when bad sense specified
usb: cdc-acm: send ZLP for Telit 3G Intel based modems
Linus Torvalds [Sun, 13 Jan 2019 17:43:40 +0000 (05:43 +1200)]
Merge tag '5.0-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull cifs fixes from Steve French:
"A set of cifs/smb3 fixes, 4 for stable, most from Pavel. His patches
fix an important set of crediting (flow control) problems, and also
two problems in cifs_writepages, ddressing some large i/o and also
compounding issues"
* tag '5.0-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: update internal module version number
CIFS: Fix error paths in writeback code
CIFS: Move credit processing to mid callbacks for SMB3
CIFS: Fix credits calculation for cancelled requests
cifs: Fix potential OOB access of lock element array
cifs: Limit memory used by lock request calls to a page
cifs: move large array from stack to heap
CIFS: Do not hide EINTR after sending network packets
CIFS: Fix credit computation for compounded requests
CIFS: Do not set credits to 1 if the server didn't grant anything
CIFS: Fix adjustment of credits for MTU requests
cifs: Fix a tiny potential memory leak
cifs: Fix a debug message
Olof Johansson [Sun, 13 Jan 2019 06:06:54 +0000 (22:06 -0800)]
Merge tag 'reset-for-5.0-rc2' of git://git.pengutronix.de/git/pza/linux into fixes
Late reset controller changes for v5.0
This adds missing deassert functionality to the ARC HSDK reset driver,
fixes some indentation and grammar issues in the kernel docs, adds a
helper to count the number of resets on a device for the non-DT case
as well, adds an early reset driver for SoCFPGA and simple reset driver
support for Stratix10, and generalizes the uniphier USB3 glue layer
reset to also cover AHCI.
* tag 'reset-for-5.0-rc2' of git://git.pengutronix.de/git/pza/linux:
reset: uniphier-glue: Add AHCI reset control support in glue layer
dt-bindings: reset: uniphier: Add AHCI core reset description
reset: uniphier-usb3: Rename to reset-uniphier-glue
dt-bindings: reset: uniphier: Replace the expression of USB3 with generic peripherals
ARM: socfpga: dts: document "altr,stratix10-rst-mgr" binding
reset: socfpga: add an early reset driver for SoCFPGA
reset: fix null pointer dereference on dev by dev_name
reset: Add reset_control_get_count()
reset: Improve reset controller kernel docs
ARC: HSDK: improve reset driver
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 06:03:59 +0000 (22:03 -0800)]
Merge tag 'mvebu-fixes-5.0-1' of git://git.infradead.org/linux-mvebu into fixes
mvebu fixes for 5.0
They are all device tree fixes which also worth being in stable:
- Reserve PSCI area on Armada 7K/8K preventing the kernel accessing
this area and crashing while doing it.
- Use correct PCIe reset signal on MACCHIATOBin (Armada 8040 based)
- Fix polarity of GPIO fan line D-Link DNS NASes(kikwood based)
* tag 'mvebu-fixes-5.0-1' of git://git.infradead.org/linux-mvebu:
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
arm64: dts: marvell: mcbin: fix PCIe reset signal
arm64: dts: marvell: armada-ap806: reserve PSCI area
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 06:03:18 +0000 (22:03 -0800)]
Merge tag 'integrator-fixes-armsoc' of git://git./linux/kernel/git/linusw/linux-integrator into fixes
Fixes for the Integrator:
- Handle failed allocations in the IM/PC bus attachment.
- Use struct_size() for allocation.
* tag 'integrator-fixes-armsoc' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-integrator:
ARM: integrator: impd1: use struct_size() in devm_kzalloc()
gpio: pl061: handle failed allocations
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 06:02:28 +0000 (22:02 -0800)]
Merge tag 'amlogic-fixes' of https://git./linux/kernel/git/khilman/linux-amlogic into fixes
Amlogic DT fixes for v5.0-rc
- arm64: defconfig: enable modules for amlogic s400 sound card
* tag 'amlogic-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic:
arm64: defconfig: enable modules for amlogic s400 sound card
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 06:01:49 +0000 (22:01 -0800)]
Merge tag 'qcom-fixes-for-5.0-rc1' of git://git./linux/kernel/git/agross/linux into fixes
Qualcomm Driver Fixes for 5.0-rc1
* Add required includes into qcom_scm.h
* tag 'qcom-fixes-for-5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux:
qcom-scm: Include <linux/err.h> header
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 06:00:36 +0000 (22:00 -0800)]
Merge tag 'davinci-fixes-for-v5.0' of git://git./linux/kernel/git/nsekhar/linux-davinci into fixes
This pull request fixes some more regressions on legacy
DaVinci board support due to GPIO driver clean-up introduced
in v4.20 kernel. These are marked for stable.
Also has fixes for some long standing Audio issues on DA850
boards.
* tag 'davinci-fixes-for-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci:
ARM: dts: da850-lcdk: Correct the sound card name
ARM: dts: da850-lcdk: Correct the audio codec regulators
ARM: dts: da850-evm: Correct the sound card name
ARM: dts: da850-evm: Correct the audio codec regulators
ARM: davinci: omapl138-hawk: fix label names in GPIO lookup entries
ARM: davinci: dm644x-evm: fix label names in GPIO lookup entries
ARM: davinci: dm355-evm: fix label names in GPIO lookup entries
ARM: davinci: da850-evm: fix label names in GPIO lookup entries
ARM: davinci: da830-evm: fix label names in GPIO lookup entries
Signed-off-by: Olof Johansson <olof@lixom.net>
Olof Johansson [Sun, 13 Jan 2019 05:59:42 +0000 (21:59 -0800)]
Merge tag 'renesas-fixes-for-v5.0' of https://git./linux/kernel/git/horms/renesas into fixes
Renesas ARM Based SoC Fixes for v5.0
Renesas SoCs:
* Fix build regressions caused by move of Kconfig symbols
RZ/G2E (r8a774c0) SoC:
* Correct initialization order of 3DG-{A,B} in SYSC driver
* tag 'renesas-fixes-for-v5.0' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas:
soc: renesas: r8a774c0-sysc: Fix initialization order of 3DG-{A,B}
ARM: shmobile: fix build regressions
Signed-off-by: Olof Johansson <olof@lixom.net>
John Hubbard [Sun, 13 Jan 2019 01:29:09 +0000 (17:29 -0800)]
phy: fix build breakage: add PHY_MODE_SATA
Commit
49e54187ae0b ("ata: libahci_platform: comply to PHY framework") uses
the PHY_MODE_SATA, but that enum had not yet been added. This caused a
build failure for me, with today's linux.git.
Also, there is a potentially conflicting (mis-named) PHY_MODE_SATA, hiding
in the Marvell Berlin SATA PHY driver.
Fix the build by:
1) Renaming Marvell's defined value to a more scoped name,
in order to avoid any potential conflicts: PHY_BERLIN_MODE_SATA.
2) Adding the missing enum, which was going to be added anyway as part
of [1].
[1] https://lkml.kernel.org/r/
20190108163124.6409-3-miquel.raynal@bootlin.com
Fixes: 49e54187ae0b ("ata: libahci_platform: comply to PHY framework")
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Acked-by: Jens Axboe <axboe@kernel.dk>
Acked-by: Olof Johansson <olof@lixom.net>
Cc: Grzegorz Jaszczyk <jaz@semihalf.com>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sat, 12 Jan 2019 21:40:51 +0000 (13:40 -0800)]
Merge tag 'for-linus-
20190112' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
- NVMe pull request from Christoph, with little fixes all over the map
- Loop caching fix for offset/bs change (Jaegeuk Kim)
- Block documentation tweaks (Jeff, Jon, Weiping, John)
- null_blk zoned tweak (John)
- ahch mvebu suspend/resume support. Should have gone into the merge
window, but there was some confusion on which tree had it. (Miquel)
* tag 'for-linus-
20190112' of git://git.kernel.dk/linux-block: (22 commits)
ata: ahci: mvebu: request PHY suspend/resume for Armada 3700
ata: ahci: mvebu: add Armada 3700 initialization needed for S2RAM
ata: ahci: mvebu: do Armada 38x configuration only on relevant SoCs
ata: ahci: mvebu: remove stale comment
ata: libahci_platform: comply to PHY framework
loop: drop caches if offset or block_size are changed
block: fix kerneldoc comment for blk_attempt_plug_merge()
nvme: don't initlialize ctrl->cntlid twice
nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN
nvme: pad fake subsys NQN vid and ssvid with zeros
nvme-multipath: zero out ANA log buffer
nvme-fabrics: unset write/poll queues for discovery controllers
nvme-tcp: don't ask if controller is fabrics
nvme-tcp: remove dead code
nvme-pci: fix out of bounds access in nvme_cqe_pending
nvme-pci: rerun irq setup on IO queue init errors
nvme-pci: use the same attributes when freeing host_mem_desc_bufs.
nvme-pci: fix the wrong setting of nr_maps
block: doc: add slice_idle_us to bfq documentation
block: clarify documentation for blk_{start|finish}_plug
...
Linus Torvalds [Sat, 12 Jan 2019 18:52:40 +0000 (10:52 -0800)]
Merge tag 'remove-dma_zalloc_coherent-5.0' of git://git.infradead.org/users/hch/dma-mapping
Pull dma_zalloc_coherent() removal from Christoph Hellwig:
"We've always had a weird situation around dma_zalloc_coherent. To
safely support mapping the allocations to userspace major
architectures like x86 and arm have always zeroed allocations from
dma_alloc_coherent, but a couple other architectures were missing that
zeroing either always or in corner cases.
Then later we grew anothe dma_zalloc_coherent interface to explicitly
request zeroing, but that just added __GFP_ZERO to the allocation
flags, which for some allocators that didn't end up using the page
allocator ended up being a no-op and still not zeroing the
allocations.
So for this merge window I fixed up all remaining architectures to
zero the memory in dma_alloc_coherent, and made dma_zalloc_coherent a
no-op wrapper around dma_alloc_coherent, which fixes all of the above
issues.
dma_zalloc_coherent is now pointless and can go away, and Luis helped
me writing a cocchinelle script and patch series to kill it, which I
think we should apply now just after -rc1 to finally settle these
issue"
* tag 'remove-dma_zalloc_coherent-5.0' of git://git.infradead.org/users/hch/dma-mapping:
dma-mapping: remove dma_zalloc_coherent()
cross-tree: phase out dma_zalloc_coherent() on headers
cross-tree: phase out dma_zalloc_coherent()
David S. Miller [Sat, 12 Jan 2019 18:51:39 +0000 (10:51 -0800)]
Merge branch 'bnxt_en-Bug-fixes-for-57500-chips'
Michael Chan says:
====================
bnxt_en: Bug fixes for 57500 chips.
Two small bug fixes for ring checking and context memory allocation
that affect the new 57500 chips.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Sat, 12 Jan 2019 05:13:05 +0000 (00:13 -0500)]
bnxt_en: Fix context memory allocation.
When allocating memory pages for context memory, if the last page table
should be fully populated, the current code will set nr_pages to 0 when
calling bnxt_alloc_ctx_mem_blk(). This will cause the last page table
to be completely blank and causing some RDMA failures.
Fix it by setting the last page table's nr_pages to the remainder only
if it is non-zero.
Fixes: 08fe9d181606 ("bnxt_en: Add Level 2 context memory paging support.")
Reported-by: Eric Davis <eric.davis@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Sat, 12 Jan 2019 05:13:04 +0000 (00:13 -0500)]
bnxt_en: Fix ring checking logic on 57500 chips.
In bnxt_hwrm_check_pf_rings(), add the proper flag to test the NQ
resources. Without the proper flag, the firmware will change
the NQ resource allocation and remap the IRQ, causing missing
IRQs. This issue shows up when adding MQPRIO TX queues, for example.
Fixes: 36d65be9a880 ("bnxt_en: Disable MSIX before re-reserving NQs/CMPL rings.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 12 Jan 2019 18:39:43 +0000 (10:39 -0800)]
Merge tag 'for-linus' of git://git./virt/kvm/kvm
Pull KVM fixes from Radim Krčmář:
"Minor fixes for new code, corner cases, and documentation"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
x86/kvm/nVMX: don't skip emulated instruction twice when vmptr address is not backed
Documentation/virtual/kvm: Update URL for AMD SEV API specification
KVM/VMX: Avoid return error when flush tlb successfully in the hv_remote_flush_tlb_with_range()
kvm: sev: Fail KVM_SEV_INIT if already initialized
KVM: validate userspace input in kvm_clear_dirty_log_protect()
KVM: x86: Fix bit shifting in update_intel_pt_cfg
Linus Torvalds [Sat, 12 Jan 2019 18:30:43 +0000 (10:30 -0800)]
Merge tag 'drm-fixes-2019-01-11-1' of git://anongit.freedesktop.org/drm/drm
Pull more drm fixes from Daniel Vetter:
"Dave sends out his pull, everybody remembers holidays are over :-)
Since Dave's already in weekend mode and it was quite a few patches I
figured better to apply all the pulls and forward them to you. Hence
here 2nd part of bugfixes for -rc2.
nouveau:
- backlight fix
- falcon register access fix
- fan fix.
i915:
- Disable PSR for Apple panels
- Broxton ERR_PTR error state fix
- Kabylake VECS workaround fix
- Unwind failure on pinning the gen7 ppgtt
- GVT workload request allocation fix
core:
- Fix fb-helper to work correctly with SDL 1.2 bugs
- Fix lockdep warning in the atomic ioctl and setproperty"
* tag 'drm-fixes-2019-01-11-1' of git://anongit.freedesktop.org/drm/drm:
drm/nouveau/falcon: avoid touching registers if engine is off
drm/nouveau: Don't disable polling in fallback mode
drm/nouveau: register backlight on pascal and newer
drm: Fix documentation generation for DP_DPCD_QUIRK_NO_PSR
drm/i915: init per-engine WAs for all engines
drm/i915: Unwind failure on pinning the gen7 ppgtt
drm/i915: Skip the ERR_PTR error state
drm/i915: Disable PSR in Apple panels
gpu/drm: Fix lock held when returning to user space.
drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2
drm/i915/gvt: Fix workload request allocation before request add
Gustavo A. R. Silva [Tue, 8 Jan 2019 21:27:05 +0000 (15:27 -0600)]
mISDN: hfcsusb: Use struct_size() in kzalloc()
One of the more common cases of allocation size calculations is finding the
size of a structure that has a zero-sized array at the end, along with memory
for some number of elements for that array. For example:
struct foo {
int stuff;
void *entry[];
};
instance = kzalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);
Instead of leaving these open-coded and prone to type mistakes, we can now
use the new struct_size() helper:
instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL);
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Tue, 8 Jan 2019 17:45:05 +0000 (18:45 +0100)]
net: clear skb->tstamp in bridge forwarding path
Matteo reported forwarding issues inside the linux bridge,
if the enslaved interfaces use the fq qdisc.
Similar to commit
8203e2d844d3 ("net: clear skb->tstamp in
forwarding paths"), we need to clear the tstamp field in
the bridge forwarding path.
Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sat, 12 Jan 2019 02:05:41 +0000 (18:05 -0800)]
Merge branch 'bpfilter-fixes'
Taehee Yoo says:
====================
net: bpfilter: fix two bugs in bpfilter
This patches fix two bugs in the bpfilter_umh which are related in
iptables command.
The first patch adds an exit code for UMH process.
This provides an opportunity to cleanup members of the umh_info
to modules which use the UMH.
In order to identify UMH processes, a new flag PF_UMH is added.
The second patch makes the bpfilter_umh use UMH cleanup callback.
The third patch adds re-start routine for the bpfilter_umh.
The bpfilter_umh does not re-start after error occurred.
because there is no re-start routine in the module.
The fourth patch ensures that the bpfilter.ko module will not removed while
it's being used.
The bpfilter.ko is not protected by locks or module reference counter.
Therefore that can be removed while module is being used.
In order to protect that, mutex is used.
The first and second patch are preparation patches for the third and
fourth patch.
TEST #1
while :
do
modprobe bpfilter
kill -9 <pid of the bpfilter_umh>
iptables -vnL
done
TEST #2
while :
do
iptables -I FORWARD -m string --string ap --algo kmp &
iptables -F &
modprobe -rv bpfilter &
done
TEST #3
while :
do
modprobe bpfilter &
modprobe -rv bpfilter &
done
The TEST1 makes a failure of iptables command.
This is fixed by the third patch.
The TEST2 makes a panic because of a race condition in the bpfilter_umh
module.
This is fixed by the fourth patch.
The TEST3 makes a double-create UMH process.
This is fixed by the third and fourth patch.
v4 :
- declare the exit_umh() as static inline
- check stop flag in the load_umh() to avoid a double-create UMH
v3 :
- Avoid unnecessary list lookup for non-UMH processes
- Add a new PF_UMH flag
v2 : add the first and second patch
v1 : Initial patch
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Taehee Yoo [Tue, 8 Jan 2019 17:25:10 +0000 (02:25 +0900)]
net: bpfilter: disallow to remove bpfilter module while being used
The bpfilter.ko module can be removed while functions of the bpfilter.ko
are executing. so panic can occurred. in order to protect that, locks can
be used. a bpfilter_lock protects routines in the
__bpfilter_process_sockopt() but it's not enough because __exit routine
can be executed concurrently.
Now, the bpfilter_umh can not run in parallel.
So, the module do not removed while it's being used and it do not
double-create UMH process.
The members of the umh_info and the bpfilter_umh_ops are protected by
the bpfilter_umh_ops.lock.
test commands:
while :
do
iptables -I FORWARD -m string --string ap --algo kmp &
modprobe -rv bpfilter &
done
splat looks like:
[ 298.623435] BUG: unable to handle kernel paging request at
fffffbfff807440b
[ 298.628512] #PF error: [normal kernel read fault]
[ 298.633018] PGD
124327067 P4D
124327067 PUD
11c1a3067 PMD
119eb2067 PTE 0
[ 298.638859] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 298.638859] CPU: 0 PID: 2997 Comm: iptables Not tainted 4.20.0+ #154
[ 298.638859] RIP: 0010:__mutex_lock+0x6b9/0x16a0
[ 298.638859] Code: c0 00 00 e8 89 82 ff ff 80 bd 8f fc ff ff 00 0f 85 d9 05 00 00 48 8b 85 80 fc ff ff 48 bf 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 38 00 0f 85 1d 0e 00 00 48 8b 85 c8 fc ff ff 49 39 47 58 c6
[ 298.638859] RSP: 0018:
ffff88810e7777a0 EFLAGS:
00010202
[ 298.638859] RAX:
1ffffffff807440b RBX:
ffff888111bd4d80 RCX:
0000000000000000
[ 298.638859] RDX:
1ffff110235ff806 RSI:
ffff888111bd5538 RDI:
dffffc0000000000
[ 298.638859] RBP:
ffff88810e777b30 R08:
0000000080000002 R09:
0000000000000000
[ 298.638859] R10:
0000000000000000 R11:
0000000000000000 R12:
fffffbfff168a42c
[ 298.638859] R13:
ffff888111bd4d80 R14:
ffff8881040e9a05 R15:
ffffffffc03a2000
[ 298.638859] FS:
00007f39e3758700(0000) GS:
ffff88811ae00000(0000) knlGS:
0000000000000000
[ 298.638859] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 298.638859] CR2:
fffffbfff807440b CR3:
000000011243e000 CR4:
00000000001006f0
[ 298.638859] Call Trace:
[ 298.638859] ? mutex_lock_io_nested+0x1560/0x1560
[ 298.638859] ? kasan_kmalloc+0xa0/0xd0
[ 298.638859] ? kmem_cache_alloc+0x1c2/0x260
[ 298.638859] ? __alloc_file+0x92/0x3c0
[ 298.638859] ? alloc_empty_file+0x43/0x120
[ 298.638859] ? alloc_file_pseudo+0x220/0x330
[ 298.638859] ? sock_alloc_file+0x39/0x160
[ 298.638859] ? __sys_socket+0x113/0x1d0
[ 298.638859] ? __x64_sys_socket+0x6f/0xb0
[ 298.638859] ? do_syscall_64+0x138/0x560
[ 298.638859] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 298.638859] ? __alloc_file+0x92/0x3c0
[ 298.638859] ? init_object+0x6b/0x80
[ 298.638859] ? cyc2ns_read_end+0x10/0x10
[ 298.638859] ? cyc2ns_read_end+0x10/0x10
[ 298.638859] ? hlock_class+0x140/0x140
[ 298.638859] ? sched_clock_local+0xd4/0x140
[ 298.638859] ? sched_clock_local+0xd4/0x140
[ 298.638859] ? check_flags.part.37+0x440/0x440
[ 298.638859] ? __lock_acquire+0x4f90/0x4f90
[ 298.638859] ? set_rq_offline.part.89+0x140/0x140
[ ... ]
Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Taehee Yoo [Tue, 8 Jan 2019 17:24:53 +0000 (02:24 +0900)]
net: bpfilter: restart bpfilter_umh when error occurred
The bpfilter_umh will be stopped via __stop_umh() when the bpfilter
error occurred.
The bpfilter_umh() couldn't start again because there is no restart
routine.
The section of the bpfilter_umh_{start/end} is no longer .init.rodata
because these area should be reused in the restart routine. hence
the section name is changed to .bpfilter_umh.
The bpfilter_ops->start() is restart callback. it will be called when
bpfilter_umh is stopped.
The stop bit means bpfilter_umh is stopped. this bit is set by both
start and stop routine.
Before this patch,
Test commands:
$ iptables -vnL
$ kill -9 <pid of bpfilter_umh>
$ iptables -vnL
[ 480.045136] bpfilter: write fail -32
$ iptables -vnL
All iptables commands will fail.
After this patch,
Test commands:
$ iptables -vnL
$ kill -9 <pid of bpfilter_umh>
$ iptables -vnL
$ iptables -vnL
Now, all iptables commands will work.
Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Taehee Yoo [Tue, 8 Jan 2019 17:24:34 +0000 (02:24 +0900)]
net: bpfilter: use cleanup callback to release umh_info
Now, UMH process is killed, do_exit() calls the umh_info->cleanup callback
to release members of the umh_info.
This patch makes bpfilter_umh's cleanup routine to use the
umh_info->cleanup callback.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Taehee Yoo [Tue, 8 Jan 2019 17:23:56 +0000 (02:23 +0900)]
umh: add exit routine for UMH process
A UMH process which is created by the fork_usermode_blob() such as
bpfilter needs to release members of the umh_info when process is
terminated.
But the do_exit() does not release members of the umh_info. hence module
which uses UMH needs own code to detect whether UMH process is
terminated or not.
But this implementation needs extra code for checking the status of
UMH process. it eventually makes the code more complex.
The new PF_UMH flag is added and it is used to identify UMH processes.
The exit_umh() does not release members of the umh_info.
Hence umh_info->cleanup callback should release both members of the
umh_info and the private data.
Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jia-Ju Bai [Tue, 8 Jan 2019 13:04:48 +0000 (21:04 +0800)]
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.
isdn_tty_tiocmset
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
isdn_tty_set_termios
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
Thus, some concurrency double-free bugs may occur.
These possible bugs are found by a static tool written by myself and
my manual code review.
To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Zha Bin [Tue, 8 Jan 2019 08:07:03 +0000 (16:07 +0800)]
vhost/vsock: fix vhost vsock cid hashing inconsistent
The vsock core only supports 32bit CID, but the Virtio-vsock spec define
CID (dst_cid and src_cid) as u64 and the upper 32bits is reserved as
zero. This inconsistency causes one bug in vhost vsock driver. The
scenarios is:
0. A hash table (vhost_vsock_hash) is used to map an CID to a vsock
object. And hash_min() is used to compute the hash key. hash_min() is
defined as:
(sizeof(val) <= 4 ? hash_32(val, bits) : hash_long(val, bits)).
That means the hash algorithm has dependency on the size of macro
argument 'val'.
0. In function vhost_vsock_set_cid(), a 64bit CID is passed to
hash_min() to compute the hash key when inserting a vsock object into
the hash table.
0. In function vhost_vsock_get(), a 32bit CID is passed to hash_min()
to compute the hash key when looking up a vsock for an CID.
Because the different size of the CID, hash_min() returns different hash
key, thus fails to look up the vsock object for an CID.
To fix this bug, we keep CID as u64 in the IOCTLs and virtio message
headers, but explicitly convert u64 to u32 when deal with the hash table
and vsock core.
Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Link: https://github.com/stefanha/virtio/blob/vsock/trunk/content.tex
Signed-off-by: Zha Bin <zhabin@linux.alibaba.com>
Reviewed-by: Liu Jiang <gerry@linux.alibaba.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>