Jakub Sitnicki [Wed, 8 Jun 2016 13:13:34 +0000 (15:13 +0200)]
ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
At present we perform an xfrm_lookup() for each UDPv6 message we
send. The lookup involves querying the flow cache (flow_cache_lookup)
and, in case of a cache miss, creating an XFRM bundle.
If we miss the flow cache, we can end up creating a new bundle and
deriving the path MTU (xfrm_init_pmtu) from on an already transformed
dst_entry, which we pass from the socket cache (sk->sk_dst_cache) down
to xfrm_lookup(). This can happen only if we're caching the dst_entry
in the socket, that is when we're using a connected UDP socket.
To put it another way, the path MTU shrinks each time we miss the flow
cache, which later on leads to incorrectly fragmented payload. It can
be observed with ESPv6 in transport mode:
1) Set up a transformation and lower the MTU to trigger fragmentation
# ip xfrm policy add dir out src ::1 dst ::1 \
tmpl src ::1 dst ::1 proto esp spi 1
# ip xfrm state add src ::1 dst ::1 \
proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
# ip link set dev lo mtu 1500
2) Monitor the packet flow and set up an UDP sink
# tcpdump -ni lo -ttt &
# socat udp6-listen:12345,fork /dev/null &
3) Send a datagram that needs fragmentation with a connected socket
# perl -e 'print "@" x 1470 | socat - udp6:[::1]:12345
2016/06/07 18:52:52 socat[724] E read(3, 0x555bb3d5ba00, 8192): Protocol error
00:00:00.000000 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x2), length 1448
00:00:00.000014 IP6 ::1 > ::1: frag (1448|32)
00:00:00.000050 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x3), length 1272
(^ ICMPv6 Parameter Problem)
00:00:00.000022 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x5), length 136
4) Compare it to a non-connected socket
# perl -e 'print "@" x 1500' | socat - udp6-sendto:[::1]:12345
00:00:40.535488 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x6), length 1448
00:00:00.000010 IP6 ::1 > ::1: frag (1448|64)
What happens in step (3) is:
1) when connecting the socket in __ip6_datagram_connect(), we
perform an XFRM lookup, miss the flow cache, create an XFRM
bundle, and cache the destination,
2) afterwards, when sending the datagram, we perform an XFRM lookup,
again, miss the flow cache (due to mismatch of flowi6_iif and
flowi6_oif, which is an issue of its own), and recreate an XFRM
bundle based on the cached (and already transformed) destination.
To prevent the recreation of an XFRM bundle, avoid an XFRM lookup
altogether whenever we already have a destination entry cached in the
socket. This prevents the path MTU shrinkage and brings us on par with
UDPv4.
The fix also benefits connected PINGv6 sockets, another user of
ip6_sk_dst_lookup_flow(), who also suffer messages being transformed
twice.
Joint work with Hannes Frederic Sowa.
Reported-by: Jan Tluka <jtluka@redhat.com>
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guillaume Nault [Wed, 8 Jun 2016 10:59:17 +0000 (12:59 +0200)]
l2tp: fix configuration passed to setup_udp_tunnel_sock()
Unused fields of udp_cfg must be all zeros. Otherwise
setup_udp_tunnel_sock() fills ->gro_receive and ->gro_complete
callbacks with garbage, eventually resulting in panic when used by
udp_gro_receive().
[ 72.694123] BUG: unable to handle kernel paging request at
ffff880033f87d78
[ 72.695518] IP: [<
ffff880033f87d78>] 0xffff880033f87d78
[ 72.696530] PGD
26e2067 PUD
26e3067 PMD
342ed063 PTE
8000000033f87163
[ 72.696530] Oops: 0011 [#1] SMP KASAN
[ 72.696530] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pptp gre pppox ppp_generic slhc crc32c_intel ghash_clmulni_intel jitterentropy_rng sha256_generic hmac drbg ansi_cprng aesni_intel evdev aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper serio_raw acpi_cpufreq button proc\
essor ext4 crc16 jbd2 mbcache virtio_blk virtio_net virtio_pci virtio_ring virtio
[ 72.696530] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.7.0-rc1 #1
[ 72.696530] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[ 72.696530] task:
ffff880035b59700 ti:
ffff880035b70000 task.ti:
ffff880035b70000
[ 72.696530] RIP: 0010:[<
ffff880033f87d78>] [<
ffff880033f87d78>] 0xffff880033f87d78
[ 72.696530] RSP: 0018:
ffff880035f87bc0 EFLAGS:
00010246
[ 72.696530] RAX:
ffffed000698f996 RBX:
ffff88003326b840 RCX:
ffffffff814cc823
[ 72.696530] RDX:
ffff88003326b840 RSI:
ffff880033e48038 RDI:
ffff880034c7c780
[ 72.696530] RBP:
ffff880035f87c18 R08:
000000000000a506 R09:
0000000000000000
[ 72.696530] R10:
ffff880035f87b38 R11:
ffff880034b9344d R12:
00000000ebfea715
[ 72.696530] R13:
0000000000000000 R14:
ffff880034c7c780 R15:
0000000000000000
[ 72.696530] FS:
0000000000000000(0000) GS:
ffff880035f80000(0000) knlGS:
0000000000000000
[ 72.696530] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 72.696530] CR2:
ffff880033f87d78 CR3:
0000000033c98000 CR4:
00000000000406a0
[ 72.696530] Stack:
[ 72.696530]
ffffffff814cc834 ffff880034b93468 0000001481416818 ffff88003326b874
[ 72.696530]
ffff880034c7ccb0 ffff880033e48038 ffff88003326b840 ffff880034b93462
[ 72.696530]
ffff88003326b88a ffff88003326b88c ffff880034b93468 ffff880035f87c70
[ 72.696530] Call Trace:
[ 72.696530] <IRQ>
[ 72.696530] [<
ffffffff814cc834>] ? udp_gro_receive+0x1c6/0x1f9
[ 72.696530] [<
ffffffff814ccb1c>] udp4_gro_receive+0x2b5/0x310
[ 72.696530] [<
ffffffff814d989b>] inet_gro_receive+0x4a3/0x4cd
[ 72.696530] [<
ffffffff81431b32>] dev_gro_receive+0x584/0x7a3
[ 72.696530] [<
ffffffff810adf7a>] ? __lock_is_held+0x29/0x64
[ 72.696530] [<
ffffffff814321f7>] napi_gro_receive+0x124/0x21d
[ 72.696530] [<
ffffffffa000b145>] virtnet_receive+0x8df/0x8f6 [virtio_net]
[ 72.696530] [<
ffffffffa000b27e>] virtnet_poll+0x1d/0x8d [virtio_net]
[ 72.696530] [<
ffffffff81431350>] net_rx_action+0x15b/0x3b9
[ 72.696530] [<
ffffffff815893d6>] __do_softirq+0x216/0x546
[ 72.696530] [<
ffffffff81062392>] irq_exit+0x49/0xb6
[ 72.696530] [<
ffffffff81588e9a>] do_IRQ+0xe2/0xfa
[ 72.696530] [<
ffffffff81587a49>] common_interrupt+0x89/0x89
[ 72.696530] <EOI>
[ 72.696530] [<
ffffffff810b05df>] ? trace_hardirqs_on_caller+0x229/0x270
[ 72.696530] [<
ffffffff8102b3c7>] ? default_idle+0x1c/0x2d
[ 72.696530] [<
ffffffff8102b3c5>] ? default_idle+0x1a/0x2d
[ 72.696530] [<
ffffffff8102bb8c>] arch_cpu_idle+0xa/0xc
[ 72.696530] [<
ffffffff810a6c39>] default_idle_call+0x1a/0x1c
[ 72.696530] [<
ffffffff810a6d96>] cpu_startup_entry+0x15b/0x20f
[ 72.696530] [<
ffffffff81039a81>] start_secondary+0x12c/0x133
[ 72.696530] Code: ff ff ff ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f 00 7e f8 33 00 88 ff ff 6d 61 58 81 ff ff ff ff 5e de 0a 81 ff ff ff ff <00> 5c e2 34 00 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 72.696530] RIP [<
ffff880033f87d78>] 0xffff880033f87d78
[ 72.696530] RSP <
ffff880035f87bc0>
[ 72.696530] CR2:
ffff880033f87d78
[ 72.696530] ---[ end trace
ad7758b9a1dccf99 ]---
[ 72.696530] Kernel panic - not syncing: Fatal exception in interrupt
[ 72.696530] Kernel Offset: disabled
[ 72.696530] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
v2: use empty initialiser instead of "{ NULL }" to avoid relying on
first field's type.
Fixes:
38fd2af24fcf ("udp: Add socket based GRO and config")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hariprasad Shenai [Wed, 8 Jun 2016 09:27:28 +0000 (14:57 +0530)]
cxgb4: Add device id of T540-BT adapter
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Dooks [Tue, 7 Jun 2016 18:27:51 +0000 (19:27 +0100)]
net-sysfs: fix missing <linux/of_net.h>
The of_find_net_device_by_node() function is defined in
<linux/of_net.h> but not included in the .c file that
implements it. Fix the following warning by including the
header:
net/core/net-sysfs.c:1494:19: warning: symbol 'of_find_net_device_by_node' was not declared. Should it be static?
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Toshiaki Makita [Tue, 7 Jun 2016 10:14:17 +0000 (19:14 +0900)]
bridge: Don't insert unnecessary local fdb entry on changing mac address
The missing br_vlan_should_use() test caused creation of an unneeded
local fdb entry on changing mac address of a bridge device when there is
a vlan which is configured on a bridge port but not on the bridge
device.
Fixes:
2594e9064a57 ("bridge: vlan: add per-vlan struct and move to rhashtables")
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 8 Jun 2016 00:14:10 +0000 (17:14 -0700)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter/IPVS fixes for net
The following patchset contains two Netfilter/IPVS fixes for your net
tree, they are:
1) Fix missing alignment in next offset calculation for standard
targets, introduced in the previous merge window, patch from
Florian Westphal.
2) Fix to correct the handling of outgoing connections which use the
SIP-pe such that the binding of a real-server is updated when needed.
This was an omission from changes introduced by Marco Angaroni in
the previous merge window too, to allow handling of outgoing
connections by the SIP-pe. Patch and report came via Simon Horman.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Yuchung Cheng [Mon, 6 Jun 2016 22:07:18 +0000 (15:07 -0700)]
tcp: record TLP and ER timer stats in v6 stats
The v6 tcp stats scan do not provide TLP and ER timer information
correctly like the v4 version . This patch fixes that.
Fixes:
6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
Fixes:
eed530b6c676 ("tcp: early retransmit")
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Mon, 6 Jun 2016 20:50:39 +0000 (22:50 +0200)]
net: sched: fix tc_should_offload for specific clsact classes
When offloading classifiers such as u32 or flower to hardware, and the
qdisc is clsact (TC_H_CLSACT), then we need to differentiate its classes,
since not all of them handle ingress, therefore we must leave those in
software path. Add a .tcf_cl_offload() callback, so we can generically
handle them, tested on ixgbe.
Fixes:
10cbc6843446 ("net/sched: cls_flower: Hardware offloaded filters statistics support")
Fixes:
5b33f48842fa ("net/flower: Introduce hardware offload support")
Fixes:
a1b7c5fd7fe9 ("net: sched: add cls_u32 offload hooks for netdevs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Mon, 6 Jun 2016 16:54:30 +0000 (09:54 -0700)]
act_police: fix a crash during removal
The police action is using its own code to initialize tcf hash
info, which makes us to forgot to initialize a->hinfo correctly.
Fix this by calling the helper function tcf_hash_create() directly.
This patch fixed the following crash:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
IP: [<
ffffffff810c099f>] __lock_acquire+0xd3/0xf91
PGD
d3c34067 PUD
d3e18067 PMD 0
Oops: 0000 [#1] SMP
CPU: 2 PID: 853 Comm: tc Not tainted 4.6.0+ #87
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task:
ffff8800d3e28040 ti:
ffff8800d3f6c000 task.ti:
ffff8800d3f6c000
RIP: 0010:[<
ffffffff810c099f>] [<
ffffffff810c099f>] __lock_acquire+0xd3/0xf91
RSP: 0000:
ffff88011b203c80 EFLAGS:
00010002
RAX:
0000000000000046 RBX:
0000000000000000 RCX:
0000000000000000
RDX:
0000000000000000 RSI:
0000000000000000 RDI:
0000000000000028
RBP:
ffff88011b203d40 R08:
0000000000000001 R09:
0000000000000000
R10:
ffff88011b203d58 R11:
ffff88011b208000 R12:
0000000000000001
R13:
ffff8800d3e28040 R14:
0000000000000028 R15:
0000000000000000
FS:
0000000000000000(0000) GS:
ffff88011b200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000028 CR3:
00000000d4be1000 CR4:
00000000000006e0
Stack:
ffff8800d3e289c0 0000000000000046 000000001b203d60 ffffffff00000000
0000000000000000 ffff880000000000 0000000000000000 ffffffff00000000
ffffffff8187142c ffff88011b203ce8 ffff88011b203ce8 ffffffff8101dbfc
Call Trace:
<IRQ>
[<
ffffffff8187142c>] ? __tcf_hash_release+0x77/0xd1
[<
ffffffff8101dbfc>] ? native_sched_clock+0x1a/0x35
[<
ffffffff8101dbfc>] ? native_sched_clock+0x1a/0x35
[<
ffffffff810a9604>] ? sched_clock_local+0x11/0x78
[<
ffffffff810bf6a1>] ? mark_lock+0x24/0x201
[<
ffffffff810c1dbd>] lock_acquire+0x120/0x1b4
[<
ffffffff810c1dbd>] ? lock_acquire+0x120/0x1b4
[<
ffffffff8187142c>] ? __tcf_hash_release+0x77/0xd1
[<
ffffffff81aad89f>] _raw_spin_lock_bh+0x3c/0x72
[<
ffffffff8187142c>] ? __tcf_hash_release+0x77/0xd1
[<
ffffffff8187142c>] __tcf_hash_release+0x77/0xd1
[<
ffffffff81871a27>] tcf_action_destroy+0x49/0x7c
[<
ffffffff81870b1c>] tcf_exts_destroy+0x20/0x2d
[<
ffffffff8189273b>] u32_destroy_key+0x1b/0x4d
[<
ffffffff81892788>] u32_delete_key_freepf_rcu+0x1b/0x1d
[<
ffffffff810de3b8>] rcu_process_callbacks+0x610/0x82e
[<
ffffffff8189276d>] ? u32_destroy_key+0x4d/0x4d
[<
ffffffff81ab0bc1>] __do_softirq+0x191/0x3f4
Fixes:
ddf97ccdd7cb ("net_sched: add network namespace support for tc actions")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 6 Jun 2016 16:12:39 +0000 (09:12 -0700)]
fq_codel: return non zero qlen in class dumps
We properly scan the flow list to count number of packets,
but John passed 0 to gnet_stats_copy_queue() so we report
a zero value to user space instead of the result.
Fixes:
640158536632 ("net: sched: restrict use of qstats qlen")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: John Fastabend <john.r.fastabend@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 7 Jun 2016 23:27:15 +0000 (16:27 -0700)]
Merge branch 'u32-hwoffload-fixes'
Jakub Kicinski says:
====================
cls_u32 hardware offload fixes
This set fixes two small issues with error codes I noticed
in cls_u32. Second patch could be viewed as user space API
change but that portion of API is not part of any release,
yet.
Compile tested only.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Mon, 6 Jun 2016 15:16:48 +0000 (16:16 +0100)]
net: cls_u32: be more strict about skip-sw flag
Return an error if user requested skip-sw and the underlaying
hardware cannot handle tc offloads (or offloads are disabled).
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Mon, 6 Jun 2016 15:16:47 +0000 (16:16 +0100)]
net: cls_u32: fix error code for invalid flags
'err' variable is not set in this test, we would return whatever
previous test set 'err' to.
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Colin Ian King [Mon, 6 Jun 2016 15:08:41 +0000 (16:08 +0100)]
gtp: #define _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__
Fix clang build warning:
./include/uapi/linux/gtp.h:1:9: warning: '_UAPI_LINUX_GTP_H_' is
used as a header guard here, followed by #define of a different
macro [-Wheader-guard]
fix by defining _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Colin Ian King [Mon, 6 Jun 2016 08:21:44 +0000 (09:21 +0100)]
net: fec: fix spelling mistakes and add missing newline
trivial fix to spelling mistakes and add missing newline in pr_err
messages
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 7 Jun 2016 23:02:04 +0000 (16:02 -0700)]
Merge branch 'bnxt_en-fixes'
Michael Chan says:
====================
bnxt_en: Bug fixes.
Fix a race condition and VLAN rx acceleration logic.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Mon, 6 Jun 2016 06:37:16 +0000 (02:37 -0400)]
bnxt_en: Simplify VLAN receive logic.
Since both CTAG and STAG rx acceleration must be enabled together, we
only need to check one feature flag (NETIF_F_HW_VLAN_CTAG_RX) before
calling __vlan_hwaccel_put_tag().
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Mon, 6 Jun 2016 06:37:15 +0000 (02:37 -0400)]
bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.
The hardware can only be set to strip or not strip both the VLAN CTAG and
STAG. It cannot strip one and not strip the other. Add logic to
bnxt_fix_features() to toggle both feature flags when the user is toggling
one of them.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Chan [Mon, 6 Jun 2016 06:37:14 +0000 (02:37 -0400)]
bnxt_en: Fix tx push race condition.
Set the is_push flag in the software BD before the tx data is pushed to
the chip. It is possible to get the tx interrupt as soon as the tx data
is pushed. The tx handler will not handle the event properly if the
is_push flag is not set and it will crash.
Signed-off-by: Michael Chan <michael.chan@broadocm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wu Fengguang [Sat, 4 Jun 2016 23:17:19 +0000 (07:17 +0800)]
rxrpc: fix ptr_ret.cocci warnings
net/rxrpc/rxkad.c:1165:1-3: WARNING: PTR_ERR_OR_ZERO can be used
Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
Generated by: scripts/coccinelle/api/ptr_ret.cocci
CC: David Howells <dhowells@redhat.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 7 Jun 2016 22:10:16 +0000 (15:10 -0700)]
Merge branch 'rds-packet-assembly-fixes'
Sowmini Varadhan says:
====================
RDS: TCP: socket locking RDS packet assembly fixes
This three part patchset fixes bugs in synchronization between
rds_tcp_accept_one() and the rds-tcp send/recv path.
Patch 1 ensures that the lock_sock() is taken appropriately
and the RDS datagram reassembly state is reset to synchronize
with the receive path.
Patch 2 ensures that partially sent RDS datagrams will get
retransmitted after rds_tcp_accept_one() switches sockets.
Patch 3 fixes a race window which would prematurely re-enable
rds_send_xmit() before the rds_tcp_connection setup has been
completed in rds_tcp_accept_one().
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Sowmini Varadhan [Sat, 4 Jun 2016 21:00:00 +0000 (14:00 -0700)]
RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one()
The send path needs to be quiesced before resetting callbacks from
rds_tcp_accept_one(), and commit
eb192840266f ("RDS:TCP: Synchronize
rds_tcp_accept_one with rds_send_xmit when resetting t_sock") achieves
this using the c_state and RDS_IN_XMIT bit following the pattern
used by rds_conn_shutdown(). However this leaves the possibility
of a race window as shown in the sequence below
take t_conn_lock in rds_tcp_conn_connect
send outgoing syn to peer
drop t_conn_lock in rds_tcp_conn_connect
incoming from peer triggers rds_tcp_accept_one, conn is
marked CONNECTING
wait for RDS_IN_XMIT to quiesce any rds_send_xmit threads
call rds_tcp_reset_callbacks
[.. race-window where incoming syn-ack can cause the conn
to be marked UP from rds_tcp_state_change ..]
lock_sock called from rds_tcp_reset_callbacks, and we set
t_sock to null
As soon as the conn is marked UP in the race-window above, rds_send_xmit()
threads will proceed to rds_tcp_xmit and may encounter a null-pointer
deref on the t_sock.
Given that rds_tcp_state_change() is invoked in softirq context, whereas
rds_tcp_reset_callbacks() is in workq context, and testing for RDS_IN_XMIT
after lock_sock could result in a deadlock with tcp_sendmsg, this
commit fixes the race by using a new c_state, RDS_TCP_RESETTING, which
will prevent a transition to RDS_CONN_UP from rds_tcp_state_change().
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sowmini Varadhan [Sat, 4 Jun 2016 20:59:59 +0000 (13:59 -0700)]
RDS: TCP: Retransmit half-sent datagrams when switching sockets in rds_tcp_reset_callbacks
When we switch a connection's sockets in rds_tcp_rest_callbacks,
any partially sent datagram must be retransmitted on the new
socket so that the receiver can correctly reassmble the RDS
datagram. Use rds_send_reset() which is designed for this purpose.
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sowmini Varadhan [Sat, 4 Jun 2016 20:59:58 +0000 (13:59 -0700)]
RDS: TCP: Add/use rds_tcp_reset_callbacks to reset tcp socket safely
When rds_tcp_accept_one() has to replace the existing tcp socket
with a newer tcp socket (duelling-syn resolution), it must lock_sock()
to suppress the rds_tcp_data_recv() path while callbacks are being
changed. Also, existing RDS datagram reassembly state must be reset,
so that the next datagram on the new socket does not have corrupted
state. Similarly when resetting the newly accepted socket, appropriate
locks and synchronization is needed.
This commit ensures correct synchronization by invoking
kernel_sock_shutdown to reset a newly accepted sock, and by taking
appropriate lock_sock()s (for old and new sockets) when resetting
existing callbacks.
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sat, 4 Jun 2016 19:55:13 +0000 (12:55 -0700)]
fq_codel: fix NET_XMIT_CN behavior
My prior attempt to fix the backlogs of parents failed.
If we return NET_XMIT_CN, our parents wont increase their backlog,
so our qdisc_tree_reduce_backlog() should take this into account.
v2: Florian Westphal pointed out that we could drop the packet,
so we need to save qdisc_pkt_len(skb) in a temp variable before
calling fq_codel_drop()
Fixes:
9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Sat, 4 Jun 2016 18:50:59 +0000 (20:50 +0200)]
bpf, trace: use READ_ONCE for retrieving file ptr
In bpf_perf_event_read() and bpf_perf_event_output(), we must use
READ_ONCE() for fetching the struct file pointer, which could get
updated concurrently, so we must prevent the compiler from potential
refetching.
We already do this with tail calls for fetching the related bpf_prog,
but not so on stored perf events. Semantics for both are the same
with regards to updates.
Fixes:
a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
Fixes:
35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Fri, 3 Jun 2016 22:05:57 +0000 (15:05 -0700)]
net_sched: keep backlog updated with qlen
For gso_skb we only update qlen, backlog should be updated too.
Note, it is correct to just update these stats at one layer,
because the gso_skb is cached there.
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Helge Deller [Fri, 3 Jun 2016 21:49:17 +0000 (23:49 +0200)]
soreuseport: add compat case for setsockopt SO_ATTACH_REUSEPORT_CBPF
Commit
538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
missed to add the compat case for the SO_ATTACH_REUSEPORT_CBPF option.
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Helge Deller [Fri, 3 Jun 2016 17:19:20 +0000 (19:19 +0200)]
soreuseport: Fix reuseport_bpf testcase on 32bit architectures
This fixes the following compiler warnings when compiling the
reuseport_bpf testcase on a 32 bit platform:
reuseport_bpf.c: In function ‘attach_ebpf’:
reuseport_bpf.c:114:15: warning: cast from pointer to integer of ifferent size [-Wpointer-to-int-cast]
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Schmidt [Fri, 3 Jun 2016 13:32:18 +0000 (15:32 +0200)]
bnx2x: allow adding VLANs while interface is down
Since implementing VLAN filtering in commit
05cc5a39ddb74
("bnx2x: add vlan filtering offload") bnx2x refuses to add a VLAN while
the interface is down:
# ip link add link enp3s0f0 enp3s0f0_10 type vlan id 10
RTNETLINK answers: Bad address
and in dmesg (with bnx2x.debug=0x20):
bnx2x: [bnx2x_vlan_rx_add_vid:12941(enp3s0f0)]Ignoring VLAN
configuration the interface is down
Other drivers have no problem with this.
Fix this peculiar behavior in the following way:
- Accept requests to add/kill VID regardless of the device state.
Maintain the requested list of VIDs in the bp->vlan_reg list.
- If the device is up, try to configure the VID list into the hardware.
If we run out of VLAN credits or encounter a failure configuring an
entry, fall back to accepting all VLANs.
If we successfully configure all entries from the list, turn the
fallback off.
- Use the same code for reconfiguring VLANs during NIC load.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marco Angaroni [Mon, 16 May 2016 17:18:09 +0000 (19:18 +0200)]
ipvs: update real-server binding of outgoing connections in SIP-pe
Previous patch that introduced handling of outgoing packets in SIP
persistent-engine did not call ip_vs_check_template() in case packet was
matching a connection template. Assumption was that real-server was
healthy, since it was sending a packet just in that moment.
There are however real-server fault conditions requiring that association
between call-id and real-server (represented by connection template)
gets updated. Here is an example of the sequence of events:
1) RS1 is a back2back user agent that handled call-id1 and call-id2
2) RS1 is down and was marked as unavailable
3) new message from outside comes to IPVS with call-id1
4) IPVS reschedules the message to RS2, which becomes new call handler
5) RS2 forwards the message outside, translating call-id1 to call-id2
6) inside pe->conn_out() IPVS matches call-id2 with existing template
7) IPVS does not change association call-id2 <-> RS1
8) new message comes from client with call-id2
9) IPVS reschedules the message to a real-server potentially different
from RS2, which is now the correct destination
This patch introduces ip_vs_check_template() call in the handling of
outgoing packets for SIP-pe. And also introduces a second optional
argument for ip_vs_check_template() that allows to check if dest
associated to a connection template is the same dest that was identified
as the source of the packet. This is to change the real-server bound to a
particular call-id independently from its availability status: the idea
is that it's more reliable, for in->out direction (where internal
network can be considered trusted), to always associate a call-id with
the last real-server that used it in one of its messages. Think about
above sequence of events where, just after step 5, RS1 returns instead
to be available.
Comparison of dests is done by simply comparing pointers to struct
ip_vs_dest; there should be no cases where struct ip_vs_dest keeps its
memory address, but represent a different real-server in terms of
ip-address / port.
Fixes:
39b972231536 ("ipvs: handle connections started by real-servers")
Signed-off-by: Marco Angaroni <marcoangaroni@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
David S. Miller [Sun, 5 Jun 2016 02:14:53 +0000 (22:14 -0400)]
Merge tag 'wireless-drivers-for-davem-2016-06-04' of git://git./linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
wireless-drivers fixes for 4.7
brcmfmac
* add fallback RSSI report for devices that do not report per-chain values
* fix a null pointer derefence regression on PCIe full dongle devices
rtlwifi
* fix scheduling while atomic regression from commit
49f86ec21c01
MAINTAINERS
* add file patterns for wireless device tree bindings
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Geert Uytterhoeven [Sun, 22 May 2016 09:06:10 +0000 (11:06 +0200)]
MAINTAINERS: Add file patterns for wireless device tree bindings
Submitters of device tree binding documentation may forget to CC
the subsystem maintainer if this is missing.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: linux-wireless@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
David S. Miller [Fri, 3 Jun 2016 23:54:23 +0000 (19:54 -0400)]
Merge branch 'mediatek-fixes'
John Crispin says:
====================
net-next: mediatek: improve phy support
The current driver did not handle the RGMII delay modes and asymmetric flow
control properly. The mii_bus is not freed properly. Also add support for
fixed-phy allowing the driver to work on SoCs that have an internal gigabit
switch.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
John Crispin [Fri, 3 Jun 2016 08:17:09 +0000 (10:17 +0200)]
net-next: mediatek: properly handle RGMII modes
If an external Gigabit PHY is connected to either of the MACs we need to
be able to tell the PHY to use a delay. Not doing so will result in heavy
packet loss and/or data corruption when using PHYs such as the IC+ IP1001.
We tell the PHY which MII delay mode to use via the devictree.
The ethernet driver needs to be adapted to handle all 3 rgmii-*id modes
in the same way as normal rgmii when setting up the MAC.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Crispin [Fri, 3 Jun 2016 08:17:08 +0000 (10:17 +0200)]
net-next: mediatek: add fixed-phy support
The MT7623 SoC has a builtin gigabit switch. If we want to use it, GMAC1
needs to be configured using a fixed link speed and flow control settings.
The easiest way to do this is to used the fixed-phy driver, allowing us to
reuse the existing mdio polling code to setup the MAC.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Crispin [Fri, 3 Jun 2016 08:17:07 +0000 (10:17 +0200)]
net-next: mediatek: fix gigabit and flow control advertisement
The current code will not setup the PHYs advertisement features correctly.
Fix this and properly advertise Gigabit features and properly handle
asymmetric pause frames.
Signed-off-by: Sean Wang <keyhaede@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Crispin [Fri, 3 Jun 2016 08:17:06 +0000 (10:17 +0200)]
net-next: mediatek: use mdiobus_free() in favour of kfree()
The driver currently uses kfree() to clear the mii_bus. This is not the
correct way to clear the memory and mdiobus_free() should be used instead.
This patch fixes the two instances where this happens in the driver.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ivan Khoronzhuk [Thu, 2 Jun 2016 13:14:52 +0000 (16:14 +0300)]
net: ethernet: ti: cpsw: fix rx-usecs interrupt pacing consistency
The rx-usecs shouldn't be changed while interface down/up.
Currently, for instance, if it's set to 100us, after interface
down/up it's 500us. It's a hidden bug that can lead to lavish
interrupt pacing time increasing while "down/up" up to max value.
Steps to reproduce:
- set rx-usecs to be 100us
- down/up interface
- read new unexpected rx-usecs
Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yangbo Lu [Thu, 2 Jun 2016 09:36:28 +0000 (17:36 +0800)]
gianfar: fix the last transmit buffer descriptor
When the transmit hardware timestamping is enabled, an additional
TxBD would be added and would be set as the last TxBD with TXBD_LAST
and TXBD_INTERRUPT. However this has been broken by a patch recently.
This made the software couldn't get transmit hardware timestamps and
resulted in call trace. So, this patch is to fix this issue.
Fixes:
48963b4492e9 ("gianfar: Remove redundant ops for do_tstamp
from xmit()")
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 1 Jun 2016 23:15:19 +0000 (16:15 -0700)]
sch_tbf: update backlog as well
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 1 Jun 2016 23:15:18 +0000 (16:15 -0700)]
sch_red: update backlog as well
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 1 Jun 2016 23:15:17 +0000 (16:15 -0700)]
sch_drr: update backlog as well
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 1 Jun 2016 23:15:16 +0000 (16:15 -0700)]
sch_prio: update backlog as well
We need to update backlog too when we update qlen.
Joint work with Stas.
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Tested-by: Stas Nichiporovich <stasn77@gmail.com>
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
WANG Cong [Wed, 1 Jun 2016 23:15:15 +0000 (16:15 -0700)]
sch_hfsc: always keep backlog updated
hfsc updates backlog lazily, that is only when we
dump the stats. This is problematic after we begin to
update backlog in qdisc_tree_reduce_backlog().
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Tested-by: Stas Nichiporovich <stasn77@gmail.com>
Fixes:
2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Franky Lin [Thu, 2 Jun 2016 09:00:27 +0000 (02:00 -0700)]
brcmfmac: add eth_type_trans back for PCIe full dongle
A regression was introduced in commit
9c349892ccc9 ("brcmfmac: revise
handling events in receive path") which moves eth_type_trans() call
to brcmf_rx_frame(). Msgbuf layer doesn't use brcmf_rx_frame() but invokes
brcmf_netif_rx() directly. In such case the Ethernet header was not
stripped out resulting in null pointer dereference in the networking
stack.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000048
IP: [<
ffffffff814c3ce6>] enqueue_to_backlog+0x56/0x260
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: fuse ipt_MASQUERADE nf_nat_masquerade_ipv4
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype
[...]
rtsx_pci scsi_mod usbcore usb_common i8042 serio nvme nvme_core
CPU: 7 PID: 1340 Comm: irq/136-brcmf_p Not tainted 4.7.0-rc1-mainline #1
Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 01.02.00 04/07/2016
task:
ffff8804a0c5bd00 ti:
ffff88049e124000 task.ti:
ffff88049e124000
RIP: 0010:[<
ffffffff814c3ce6>] [<
ffffffff814c3ce6>]
enqueue_to_backlog+0x56/0x260
RSP: 0018:
ffff88049e127ca0 EFLAGS:
00010046
RAX:
0000000000000000 RBX:
ffff8804bddd7c40 RCX:
000000000000002f
RDX:
0000000000000000 RSI:
0000000000000007 RDI:
ffff8804bddd7d4c
RBP:
ffff88049e127ce8 R08:
0000000000000000 R09:
0000000000000000
R10:
ffff8804bddd12c0 R11:
000000000000149e R12:
0000000000017c40
R13:
ffff88049e127d08 R14:
ffff8804a9bd6d00 R15:
ffff8804bddd7d4c
FS:
0000000000000000(0000) GS:
ffff8804bddc0000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000048 CR3:
0000000001806000 CR4:
00000000003406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Stack:
ffff8804bdddad00 ffff8804ad089e00 0000000000000000 0000000000000282
0000000000000000 ffff8804a9bd6d00 ffff8804a1b27e00 ffff8804a9bd6d00
ffff88002ee88000 ffff88049e127d28 ffffffff814c3f3b ffffffff81311fc3
Call Trace:
[<
ffffffff814c3f3b>] netif_rx_internal+0x4b/0x170
[<
ffffffff81311fc3>] ? swiotlb_tbl_unmap_single+0xf3/0x120
[<
ffffffff814c5467>] netif_rx_ni+0x27/0xc0
[<
ffffffffa08519e9>] brcmf_netif_rx+0x49/0x70 [brcmfmac]
[<
ffffffffa08564d4>] brcmf_msgbuf_process_rx+0x2b4/0x570 [brcmfmac]
[<
ffffffff81020017>] ? __xen_set_pgd_hyper+0x57/0xd0
[<
ffffffff810d60b0>] ? irq_forced_thread_fn+0x70/0x70
[<
ffffffffa0857381>] brcmf_proto_msgbuf_rx_trigger+0x31/0xe0 [brcmfmac]
[<
ffffffffa0861e8f>] brcmf_pcie_isr_thread+0x7f/0x110 [brcmfmac]
[<
ffffffff810d60d0>] irq_thread_fn+0x20/0x50
[<
ffffffff810d63ad>] irq_thread+0x12d/0x1c0
[<
ffffffff815d07d5>] ? __schedule+0x2f5/0x7a0
[<
ffffffff810d61d0>] ? wake_threads_waitq+0x30/0x30
[<
ffffffff810d6280>] ? irq_thread_dtor+0xb0/0xb0
[<
ffffffff81098ea8>] kthread+0xd8/0xf0
[<
ffffffff815d4b7f>] ret_from_fork+0x1f/0x40
[<
ffffffff81098dd0>] ? kthread_worker_fn+0x170/0x170
Code: 1c f5 60 9a 8e 81 9c 58 0f 1f 44 00 00 48 89 45 d0 fa 66 0f 1f
44 00 00 4c 8d bb 0c 01 00 00 4c 89 ff e8 5e 08 11 00 49 8b 56 20 <48>
8b 52 48 83 e2 01 74 10 8b 8b 08 01 00 00 8b 15 59 c5 42 00
RIP [<
ffffffff814c3ce6>] enqueue_to_backlog+0x56/0x260
RSP <
ffff88049e127ca0>
CR2:
0000000000000048
Fixes:
9c349892ccc9 ("brcmfmac: revise handling events in receive path")
Reported-by: Rafal Milecki <zajec5@gmail.com>
Reported-by: Grey Christoforo <grey@christoforo.net>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Franky Lin <franky.lin@broadcom.com>
[arend@broadcom.com: rephrased the commit message]
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Kangjie Lu [Thu, 2 Jun 2016 08:11:20 +0000 (04:11 -0400)]
rds: fix an infoleak in rds_inc_info_copy
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kangjie Lu [Thu, 2 Jun 2016 08:04:56 +0000 (04:04 -0400)]
tipc: fix an infoleak in tipc_nl_compat_link_dump
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Thu, 2 Jun 2016 21:52:43 +0000 (14:52 -0700)]
Possible problem with
e6afc8ac ("udp: remove headers from UDP packets before queueing")
Paul Moore tracked a regression caused by a recent commit, which
mistakenly assumed that sk_filter() could be avoided if socket
had no current BPF filter.
The intent was to avoid udp_lib_checksum_complete() overhead.
But sk_filter() also checks skb_pfmemalloc() and
security_sock_rcv_skb(), so better call it.
Fixes:
e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: samanthakumar <samanthakumar@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vincent Palatin [Wed, 1 Jun 2016 15:53:48 +0000 (08:53 -0700)]
stmmac: do not sleep in atomic context for mdio_reset
stmmac_mdio_reset() has been updated to use msleep rather udelay
(as some PHY requires a one second delay there).
It called from stmmac_resume() within the spin_lock_irqsave block
atomic context triggering 'scheduling while atomic'.
The stmmac_priv lock usage is not fully documented, but it seems
to protect the access to the MAC registers / DMA structures rather
than the MDIO bus or the PHY (which have separate locking),
so we can push the spin_lock after the stmmac_mdio_reset call.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Wed, 1 Jun 2016 00:04:44 +0000 (02:04 +0200)]
netfilter: x_tables: don't reject valid target size on some architectures
Quoting John Stultz:
In updating a 32bit arm device from 4.6 to Linus' current HEAD, I
noticed I was having some trouble with networking, and realized that
/proc/net/ip_tables_names was suddenly empty.
Digging through the registration process, it seems we're catching on the:
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
target_offset + sizeof(struct xt_standard_target) != next_offset)
return -EINVAL;
Where next_offset seems to be 4 bytes larger then the
offset + standard_target struct size.
next_offset needs to be aligned via XT_ALIGN (so we can access all members
of ip(6)t_entry struct).
This problem didn't show up on i686 as it only needs 4-byte alignment for
u64, but iptables userspace on other 32bit arches does insert extra padding.
Reported-by: John Stultz <john.stultz@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>
Fixes:
7ed2abddd20cf ("netfilter: x_tables: check standard target size too")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arnd Bergmann [Wed, 1 Jun 2016 13:29:13 +0000 (15:29 +0200)]
qed: fix qed_fill_link() error handling
gcc warns about qed_fill_link possibly accessing uninitialized data:
drivers/net/ethernet/qlogic/qed/qed_main.c: In function 'qed_fill_link':
drivers/net/ethernet/qlogic/qed/qed_main.c:1170:35: error: 'link_caps' may be used uninitialized in this function [-Werror=maybe-uninitialized]
While this warning is only about the specific case of CONFIG_QED_SRIOV
being disabled but the function getting called for a VF (which should
never happen), another possibility is that qed_mcp_get_*() fails without
returning data.
This rearranges the code so we bail out in either of the two cases
and print a warning instead of accessing the uninitialized data.
The qed_link_output structure remains untouched in this case, but
all callers first call memset() on it, so at least we are not leaking
stack data then.
As discussed, we also use a compile-time check to ensure we never
use any of the VF code if CONFIG_QED_SRIOV is disabled, and the
PCI device table is updated to no longer bind to virtual functions
in that configuration.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Colin Ian King [Wed, 1 Jun 2016 13:16:50 +0000 (14:16 +0100)]
net/ethoc: fix null dereference on error exit path
priv is assigned to NULL however some of the early error exit paths to
label 'free' dereference priv, causing a null pointer dereference.
Move the label 'free' to just the free_netdev statement, and add a new
exit path 'free2' for the error cases were clk_disable_unprepare needs
calling before the final free.
Fixes issue found by CoverityScan, CID#113260
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 2 Jun 2016 00:54:19 +0000 (17:54 -0700)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
y2038 safe timestamp, from Florian Westphal.
2) Get rid of leftover conntrack definition from the previous merge
window, oneliner from Florian.
3) Make nf_queue handler pernet to resolve race on dereferencing the
hook state structure with netns removal, from Eric Biederman.
4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.
5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
generalizing xt_TEE to add packet duplication support in nf_tables,
from Paolo Abeni.
6) Insufficient netlink NFTA_SET_TABLE attribute check in
nf_tables_getset(), from Phil Turnbull.
7) Reject helper registration on duplicated ports via modparams.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 2 Jun 2016 00:53:19 +0000 (17:53 -0700)]
Merge tag 'mac80211-for-davem-2016-06-01' of git://git./linux/kernel/git/jberg/mac80211
Johannes Berg says:
====================
Three small fixes for the current cycle:
* missing netlink attribute check in hwsim wmediumd (Martin)
* fast xmit structure alignment fix (Felix)
* mesh path flush/synchronisation fix (Bob)
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 1 Jun 2016 05:28:28 +0000 (22:28 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix negative error code usage in ATM layer, from Stefan Hajnoczi.
2) If CONFIG_SYSCTL is disabled, the default TTL is not initialized
properly. From Ezequiel Garcia.
3) Missing spinlock init in mvneta driver, from Gregory CLEMENT.
4) Missing unlocks in hwmb error paths, also from Gregory CLEMENT.
5) Fix deadlock on team->lock when propagating features, from Ivan
Vecera.
6) Work around buffer offset hw bug in alx chips, from Feng Tang.
7) Fix double listing of SCTP entries in sctp_diag dumps, from Xin
Long.
8) Various statistics bug fixes in mlx4 from Eric Dumazet.
9) Fix some randconfig build errors wrt fou ipv6 from Arnd Bergmann.
10) All of l2tp was namespace aware, but the ipv6 support code was not
doing so. From Shmulik Ladkani.
11) Handle on-stack hrtimers properly in pktgen, from Guenter Roeck.
12) Propagate MAC changes properly through VLAN devices, from Mike
Manning.
13) Fix memory leak in bnx2x_init_one(), from Vitaly Kuznetsov.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (62 commits)
sfc: Track RPS flow IDs per channel instead of per function
usbnet: smsc95xx: fix link detection for disabled autonegotiation
virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv
bnx2x: avoid leaking memory on bnx2x_init_one() failures
fou: fix IPv6 Kconfig options
openvswitch: update checksum in {push,pop}_mpls
sctp: sctp_diag should dump sctp socket type
net: fec: update dirty_tx even if no skb
vlan: Propagate MAC address to VLANs
atm: iphase: off by one in rx_pkt()
atm: firestream: add more reserved strings
vxlan: Accept user specified MTU value when create new vxlan link
net: pktgen: Call destroy_hrtimer_on_stack()
timer: Export destroy_hrtimer_on_stack()
net: l2tp: Make l2tp_ip6 namespace aware
Documentation: ip-sysctl.txt: clarify secure_redirects
sfc: use flow dissector helpers for aRFS
ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
net: nps_enet: Disable interrupts before napi reschedule
net/lapb: tuse %*ph to dump buffers
...
Linus Torvalds [Wed, 1 Jun 2016 05:20:56 +0000 (22:20 -0700)]
Merge git://git./linux/kernel/git/davem/sparc
Pull sparc fixes from David Miller:
"sparc64 mmu context allocation and trap return bug fixes"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Fix return from trap window fill crashes.
sparc: Harden signal return frame checks.
sparc64: Take ctx_alloc_lock properly in hugetlb_setup().
Jon Cooper [Tue, 31 May 2016 18:12:32 +0000 (19:12 +0100)]
sfc: Track RPS flow IDs per channel instead of per function
Otherwise we get confused when two flows on different channels get the
same flow ID.
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christoph Fritz [Thu, 26 May 2016 02:06:47 +0000 (04:06 +0200)]
usbnet: smsc95xx: fix link detection for disabled autonegotiation
To detect link status up/down for connections where autonegotiation is
explicitly disabled, we don't get an irq but need to poll the status
register for link up/down detection.
This patch adds a workqueue to poll for link status.
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
wangyunjian [Tue, 31 May 2016 03:52:43 +0000 (11:52 +0800)]
virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv
In function virtnet_open() and virtnet_probe(), func try_fill_recv() may
be executed at the same time. VQ in virtqueue_add() has not been protected
well and BUG_ON will be triggered when virito_net.ko being removed.
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vitaly Kuznetsov [Mon, 30 May 2016 13:00:54 +0000 (15:00 +0200)]
bnx2x: avoid leaking memory on bnx2x_init_one() failures
bnx2x_init_bp() allocates memory with bnx2x_alloc_mem_bp() so if we
fail later in bnx2x_init_one() we need to free this memory
with bnx2x_free_mem_bp() to avoid leakages. E.g. I'm observing memory
leaks reported by kmemleak when a failure (unrelated) happens in
bnx2x_vfpf_acquire().
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Tue, 31 May 2016 20:42:11 +0000 (22:42 +0200)]
fou: fix IPv6 Kconfig options
The Kconfig options I added to work around broken compilation ended
up screwing up things more, as I used the wrong symbol to control
compilation of the file, resulting in IPv6 fou support to never be built
into the kernel.
Changing CONFIG_NET_FOU_IPV6_TUNNELS to CONFIG_IPV6_FOU fixes that
problem, I had renamed the symbol in one location but not the other,
and as the file is never being used by other kernel code, this did not
lead to a build failure that I would have caught.
After that fix, another issue with the same patch becomes obvious, as we
'select INET6_TUNNEL', which is related to IPV6_TUNNEL, but not the same,
and this can still cause the original build failure when IPV6_TUNNEL is
not built-in but IPV6_FOU is. The fix is equally trivial, we just need
to select the right symbol.
I have successfully build 350 randconfig kernels with this patch
and verified that the driver is now being built.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Valentin Rothberg <valentinrothberg@gmail.com>
Fixes:
fabb13db448e ("fou: add Kconfig options for IPv6 support")
Signed-off-by: David S. Miller <davem@davemloft.net>
Simon Horman [Mon, 30 May 2016 05:04:25 +0000 (14:04 +0900)]
openvswitch: update checksum in {push,pop}_mpls
In the case of CHECKSUM_COMPLETE the skb checksum should be updated in
{push,pop}_mpls() as they the type in the ethernet header.
As suggested by Pravin Shelar.
Cc: Pravin Shelar <pshelar@nicira.com>
Fixes:
25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel")
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xin Long [Sun, 29 May 2016 09:42:13 +0000 (17:42 +0800)]
sctp: sctp_diag should dump sctp socket type
Now we cannot distinguish that one sk is a udp or sctp style when
we use ss to dump sctp_info. it's necessary to dump it as well.
For sctp_diag, ss support is not officially available, thus there
are no official users of this yet, so we can add this field in the
middle of sctp_info without breaking user API.
v1->v2:
- move 'sctpi_s_type' field to the end of struct sctp_info, so
that it won't cause incompatibility with applications already
built.
- add __reserved3 in sctp_info to make sure sctp_info is 8-byte
alignment.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Troy Kisky [Fri, 27 May 2016 20:30:40 +0000 (13:30 -0700)]
net: fec: update dirty_tx even if no skb
If dirty_tx isn't updated, then dma_unmap_single
can be called twice.
This fixes a
[ 58.420980] ------------[ cut here ]------------
[ 58.425667] WARNING: CPU: 0 PID: 377 at /home/schurig/d/mkarm/linux-4.5/lib/dma-debug.c:1096 check_unmap+0x9d0/0xab8()
[ 58.436405] fec
2188000.ethernet: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=66 bytes]
encountered by Holger
Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
Tested-by: <holgerschurig@gmail.com>
Acked-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mike Manning [Fri, 27 May 2016 16:45:07 +0000 (17:45 +0100)]
vlan: Propagate MAC address to VLANs
The MAC address of the physical interface is only copied to the VLAN
when it is first created, resulting in an inconsistency after MAC
address changes of only newly created VLANs having an up-to-date MAC.
The VLANs should continue inheriting the MAC address of the physical
interface until the VLAN MAC address is explicitly set to any value.
This allows IPv6 EUI64 addresses for the VLAN to reflect any changes
to the MAC of the physical interface and thus for DAD to behave as
expected.
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Fri, 27 May 2016 10:34:35 +0000 (13:34 +0300)]
atm: iphase: off by one in rx_pkt()
The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code
assumes that pointers are 32 bits). So the > here should be >= or else
we could end up reading a garbage pointer from one element beyond the
end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Fri, 27 May 2016 10:33:50 +0000 (13:33 +0300)]
atm: firestream: add more reserved strings
This bug was there when the driver was first added in back in year 2000.
It causes a Smatch warning:
drivers/atm/firestream.c:849 process_incoming()
error: buffer overflow 'res_strings' 60 <= 63
There are supposed to be 64 entries in this array and the missing
strings are clearly in the 30 40 range. I added them as reserved 37 to
reserved 40. It's possible that strings are really supposed to be added
in the middle instead of at the end, but this approach is safe, in that
it fixes the bug and doesn't break anything that wasn't already broken.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Chen Haiquan [Fri, 27 May 2016 02:49:11 +0000 (10:49 +0800)]
vxlan: Accept user specified MTU value when create new vxlan link
When create a new vxlan link, example:
ip link add vtap mtu 1440 type vxlan vni 1 dev eth0
The argument "mtu" has no effect, because it is not set to conf->mtu. The
default value is used in vxlan_dev_configure function.
This problem was introduced by commit
0dfbdf4102b9 (vxlan: Factor out device
configuration).
Fixes:
0dfbdf4102b9 (vxlan: Factor out device configuration)
Signed-off-by: Chen Haiquan <oc@yunify.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Fri, 27 May 2016 00:21:06 +0000 (17:21 -0700)]
net: pktgen: Call destroy_hrtimer_on_stack()
If CONFIG_DEBUG_OBJECTS_TIMERS=y, hrtimer_init_on_stack() requires
a matching call to destroy_hrtimer_on_stack() to clean up timer
debug objects.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Fri, 27 May 2016 00:21:05 +0000 (17:21 -0700)]
timer: Export destroy_hrtimer_on_stack()
hrtimer_init_on_stack() needs a matching call to
destroy_hrtimer_on_stack(), so both need to be exported.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 31 May 2016 16:43:24 +0000 (09:43 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
"Three bugs fixes and an update for the default configuration"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390: fix info leak in do_sigsegv
s390/config: update default configuration
s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop
s390/bpf: reduce maximum program size to 64 KB
Linus Torvalds [Tue, 31 May 2016 16:27:00 +0000 (09:27 -0700)]
Merge tag 'gpio-v4.7-2' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"A bunch of GPIO fixes for the v4.7 series:
- Drop the lock before reading out the GPIO direction setting in
drivers supporting the .get_direction() callback: some of them may
be slowpath.
- Flush GPIO direction setting before locking a GPIO as an IRQ: some
electronics or other poking around in the registers behind our back
may have happened, so flush the direction status before trying to
lock the line for use by IRQs.
- Bail out silently when asked to perform operations on NULL GPIO
descriptors. That is what all the get_*_optional() is about: we
get optional GPIO handles, if they are not there, we get NULL.
- Handle compatible ioctl() correctly: we need to convert the ioctl()
pointer using compat_ptr() here like everyone else.
- Disable the broken .to_irq() on the LPC32xx platform. The whole
irqchip infrastructure was replaced in the last merge window, and a
new implementation will be needed"
* tag 'gpio-v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: drop lock before reading GPIO direction
gpio: bail out silently on NULL descriptors
gpio: handle compatible ioctl() pointers
gpio: flush direction status in gpiochip_lock_as_irq()
gpio: lpc32xx: disable broken to_irq support
Felix Fietkau [Thu, 19 May 2016 15:34:38 +0000 (17:34 +0200)]
mac80211: fix fast_tx header alignment
The header field is defined as u8[] but also accessed as struct
ieee80211_hdr. Enforce an alignment of 2 to prevent unnecessary
unaligned accesses, which can be very harmful for performance on many
platforms.
Fixes:
e495c24731a2 ("mac80211: extend fast-xmit for more ciphers")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bob Copeland [Sun, 15 May 2016 17:19:16 +0000 (13:19 -0400)]
mac80211: mesh: flush mesh paths unconditionally
Currently, the mesh paths associated with a nexthop station are cleaned
up in the following code path:
__sta_info_destroy_part1
synchronize_net()
__sta_info_destroy_part2
-> cleanup_single_sta
-> mesh_sta_cleanup
-> mesh_plink_deactivate
-> mesh_path_flush_by_nexthop
However, there are a couple of problems here:
1) the paths aren't flushed at all if the MPM is running in userspace
(e.g. when using wpa_supplicant or authsae)
2) there is no synchronize_rcu between removing the path and readers
accessing the nexthop, which means the following race is possible:
CPU0 CPU1
~~~~ ~~~~
sta_info_destroy_part1()
synchronize_net()
rcu_read_lock()
mesh_nexthop_resolve()
mpath = mesh_path_lookup()
[...] -> mesh_path_flush_by_nexthop()
sta = rcu_dereference(
mpath->next_hop)
kfree(sta)
access sta <-- CRASH
Fix both of these by unconditionally flushing paths before destroying
the sta, and by adding a synchronize_net() after path flush to ensure
no active readers can still dereference the sta.
Fixes this crash:
[ 348.529295] BUG: unable to handle kernel paging request at
00020040
[ 348.530014] IP: [<
f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[ 348.530014] *pde =
00000000
[ 348.530014] Oops: 0000 [#1] PREEMPT
[ 348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
[ 348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G O 4.6.0-rc5-wt=V1 #1
[ 348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016 11/07/2014
[ 348.530014] task:
f64fa280 ti:
f4f9c000 task.ti:
f4f9c000
[ 348.530014] EIP: 0060:[<
f929245d>] EFLAGS:
00010246 CPU: 0
[ 348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[ 348.530014] EAX:
f4ce63e0 EBX:
00000088 ECX:
f3788416 EDX:
00020008
[ 348.530014] ESI:
00000000 EDI:
00000088 EBP:
f6409a4c ESP:
f6409a40
[ 348.530014] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 348.530014] CR0:
80050033 CR2:
00020040 CR3:
33190000 CR4:
00000690
[ 348.530014] Stack:
[ 348.530014]
00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
[ 348.530014]
f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
[ 348.530014]
f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
[ 348.530014] Call Trace:
[ 348.530014] [<
f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
[ 348.530014] [<
f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
[ 348.530014] [<
f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
[ 348.530014] [<
f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
[ 348.530014] [<
c04df012>] ? sch_direct_xmit+0xd7/0x1b3
[ 348.530014] [<
c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
[ 348.530014] [<
f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
[ 348.530014] [<
f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
[ 348.530014] [<
c04c6f45>] ? netif_skb_features+0x14d/0x30a
[ 348.530014] [<
f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
[ 348.530014] [<
c04c769c>] dev_hard_start_xmit+0x1f8/0x267
[ 348.530014] [<
c04c7261>] ? validate_xmit_skb.isra.120.part.121+0x10/0x253
[ 348.530014] [<
c04defc6>] sch_direct_xmit+0x8b/0x1b3
[ 348.530014] [<
c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
[ 348.530014] [<
c04c7cfb>] dev_queue_xmit+0xa/0xc
[ 348.530014] [<
f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
[ 348.530014] [<
f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
[ 348.530014] [<
f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
[ 348.530014] [<
f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
[ 348.530014] [<
f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
[ 348.530014] [<
f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
[ 348.530014] [<
c04c769c>] dev_hard_start_xmit+0x1f8/0x267
[ 348.530014] [<
c04c7261>] ? validate_xmit_skb.isra.120.part.121+0x10/0x253
[ 348.530014] [<
c04defc6>] sch_direct_xmit+0x8b/0x1b3
[ 348.530014] [<
c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
[ 348.530014] [<
f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
[ 348.530014] [<
c04c7cfb>] dev_queue_xmit+0xa/0xc
[ 348.530014] [<
f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
[ 348.530014] [<
f843a35f>] br_forward_finish+0x29/0x74 [bridge]
[ 348.530014] [<
f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
[ 348.530014] [<
f843a714>] __br_forward+0x89/0xe7 [bridge]
[ 348.530014] [<
f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
[ 348.530014] [<
f843a234>] deliver_clone+0x34/0x3b [bridge]
[ 348.530014] [<
f843a68b>] ? br_flood+0x95/0x95 [bridge]
[ 348.530014] [<
f843a66d>] br_flood+0x77/0x95 [bridge]
[ 348.530014] [<
f843a809>] br_flood_forward+0x13/0x1a [bridge]
[ 348.530014] [<
f843a68b>] ? br_flood+0x95/0x95 [bridge]
[ 348.530014] [<
f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
[ 348.530014] [<
c04e9b2b>] ? nf_iterate+0x2b/0x6b
[ 348.530014] [<
f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
[ 348.530014] [<
f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
[ 348.530014] [<
c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
[ 348.530014] [<
f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
[ 348.530014] [<
c023cea4>] ? resched_curr+0x19/0x37
[ 348.530014] [<
c0240707>] ? check_preempt_wakeup+0xbf/0xfe
[ 348.530014] [<
c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
[ 348.530014] [<
c04c4fc1>] __netif_receive_skb+0x47/0x55
[ 348.530014] [<
c04c57ba>] netif_receive_skb_internal+0x40/0x5a
[ 348.530014] [<
c04c61ef>] napi_gro_receive+0x3a/0x94
[ 348.530014] [<
f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
[ 348.530014] [<
c0242bd8>] ? swake_up_locked+0x14/0x26
[ 348.530014] [<
c04c5d29>] net_rx_action+0xde/0x250
[ 348.530014] [<
c022a743>] __do_softirq+0x8a/0x163
[ 348.530014] [<
c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
[ 348.530014] [<
c021100f>] do_softirq_own_stack+0x26/0x2c
[ 348.530014] <IRQ>
[ 348.530014] [<
c022a957>] irq_exit+0x31/0x6f
[ 348.530014] [<
c0210eb2>] do_IRQ+0x8d/0xa0
[ 348.530014] [<
c058152c>] common_interrupt+0x2c/0x40
[ 348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
[ 348.530014] EIP: [<
f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:
f6409a40
[ 348.530014] CR2:
0000000000020040
[ 348.530014] ---[ end trace
48556ac26779732e ]---
[ 348.530014] Kernel panic - not syncing: Fatal exception in interrupt
[ 348.530014] Kernel Offset: disabled
Cc: stable@vger.kernel.org
Reported-by: Fred Veldini <fred.veldini@gmail.com>
Tested-by: Fred Veldini <fred.veldini@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Martin Willi [Fri, 13 May 2016 10:41:48 +0000 (12:41 +0200)]
mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
A wmediumd that does not send this attribute causes a NULL pointer
dereference, as the attribute is accessed even if it does not exist.
The attribute was required but never checked ever since userspace frame
forwarding has been introduced. The issue gets more problematic once we
allow wmediumd registration from user namespaces.
Cc: stable@vger.kernel.org
Fixes:
7882513bacb1 ("mac80211_hwsim driver support userspace frame tx/rx")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Pablo Neira Ayuso [Tue, 24 May 2016 09:23:51 +0000 (11:23 +0200)]
netfilter: nf_ct_helper: bail out on duplicated helpers
Don't allow registration of helpers using the same tuple:
{ l3proto, l4proto, src-port }
We lookup for the helper from the packet path using this tuple through
__nf_ct_helper_find(). Therefore, we have to avoid having two helpers
with the same tuple to ensure predictible behaviour.
Don't compare the helper string names anymore since it is valid to
register two helpers with the same name, but using different tuples.
This is also implicitly fixing up duplicated helper registration via
ports= modparam since the name comparison was defeating the tuple
duplication validation.
Reported-by: Feng Gao <gfree.wind@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Linus Torvalds [Mon, 30 May 2016 22:27:07 +0000 (15:27 -0700)]
Merge branch 'uuid' (lib/uuid fixes from Andy)
Merge lib/uuid fixes from Andy Shevchenko.
* emailed patches from Andy Shevchenko <andriy.shevchenko@linux.intel.com>:
lib/uuid.c: use correct offset in uuid parser
lib/uuid: add a test module
Bjørn Mork [Mon, 30 May 2016 14:40:42 +0000 (17:40 +0300)]
lib/uuid.c: use correct offset in uuid parser
Use '+ 0' and '+ 1' as offsets, like they were intended, instead of
adding to the result.
Fixes:
2b1b0d66704a ("lib/uuid.c: introduce a few more generic helpers")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andy Shevchenko [Mon, 30 May 2016 14:40:41 +0000 (17:40 +0300)]
lib/uuid: add a test module
It appears that somehow I missed a test of the latest UUID rework which
landed in the kernel. Present a small test module to avoid such cases
in the future.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 30 May 2016 22:20:18 +0000 (15:20 -0700)]
Merge branch 'linus' of git://git./linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
"This fixes the following issues:
- missing selection in public_key that may result in a build failure
- Potential crash in error path in omap-sham
- ccp AES XTS bug that affects requests larger than 4096"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: ccp - Fix AES XTS error for request sizes above 4096
crypto: public_key: select CRYPTO_AKCIPHER
crypto: omap-sham - potential Oops on error in probe
Linus Walleij [Mon, 30 May 2016 15:11:59 +0000 (17:11 +0200)]
gpio: drop lock before reading GPIO direction
When adding the gpiochip, the GPIO HW drivers' callback get_direction()
could get called in atomic context. Some of the GPIO HW drivers may
sleep when accessing the register.
Move the lock before initializing the descriptors.
Reported-by: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Linus Walleij [Mon, 30 May 2016 14:48:39 +0000 (16:48 +0200)]
gpio: bail out silently on NULL descriptors
In
fdeb8e1547cb9dd39d5d7223b33f3565cf86c28e
("gpio: reflect base and ngpio into gpio_device")
assumed that GPIO descriptors are either valid or error
pointers, but gpiod_get_[index_]optional() actually return
NULL descriptors and then all subsequent calls should just
bail out.
Cc: stable@vger.kernel.org
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: Andrew Lunn <andrew@lunn.ch>
Fixes:
fdeb8e1547cb ("gpio: reflect base and ngpio into gpio_device")
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Linus Walleij [Fri, 27 May 2016 12:24:04 +0000 (14:24 +0200)]
gpio: handle compatible ioctl() pointers
If we're using the compatible ioctl() we need to handle the
argument pointer in a special way or there will be trouble.
Fixes:
3c702e9987e2 ("gpio: add a userspace chardev ABI for GPIOs")
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Phil Turnbull [Fri, 27 May 2016 17:34:04 +0000 (13:34 -0400)]
netfilter: nf_tables: validate NFTA_SET_TABLE parameter
If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is
not set, then a NULL pointer dereference is triggered in
nf_tables_set_lookup because ctx.table is NULL.
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Paolo Abeni [Thu, 26 May 2016 17:08:10 +0000 (19:08 +0200)]
netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
With the commit
48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at
flowi6_flags") ip6_pol_route() callers were asked to to set the
FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly,
but with the later refactor in commit
bbde9fc1824a ("netfilter:
factor out packet duplication for IPv4/IPv6") the flowi6_flags
update was lost.
This commit re-add it just before the routing decision.
Fixes:
bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Taehee Yoo [Sat, 14 May 2016 13:19:53 +0000 (22:19 +0900)]
netfilter: nf_ct_helper: Fix helper unregister count.
helpers should unregister the only registered ports.
but, helper cannot have correct registered ports value when
failed to register.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Linus Walleij [Wed, 25 May 2016 08:56:03 +0000 (10:56 +0200)]
gpio: flush direction status in gpiochip_lock_as_irq()
As irqchip and gpiochip functions are orthogonal, the IRQ
set-up or something else can have changed the direction of
the GPIO line from what the GPIO descriptor knows when we
get into gpiochip_lock_as_irq(). Make sure to re-read the
direction setting if we have the .get_direction() callback
enabled for the chip.
Else we get problems like this:
iio iio:device2: interrupts on the rising edge
gpio gpiochip2: (
8012e080.gpio): gpiochip_lock_as_irq:
tried to flag a GPIO set as output for IRQ
gpio gpiochip2: (
8012e080.gpio): unable to lock HW IRQ 0 for IRQ
genirq: Failed to request resources for l3g4200d-trigger
(irq 111) on irqchip nmk1-32-63
iio iio:device2: failed to request trigger IRQ.
st-gyro-i2c: probe of 2-0068 failed with error -22
Fixes:
72d320006177 ("gpio: set up initial state from .get_direction()")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Sylvain Lemieux [Wed, 11 May 2016 17:40:00 +0000 (13:40 -0400)]
gpio: lpc32xx: disable broken to_irq support
The "to_irq" functionality is broken inside this driver since commit
76ba59f8366f ("genirq: Add irq_domain-aware core IRQ handler").
The addition of the new lpc32xx irqchip driver in 4.7, fixed the
lpc32xx platform interrupt issue.
When switching to the new lpc32xx irqchip driver, a warning appear
in the lpc32xx gpio driver: warning: "NR_IRQS" redefined.
To remove this warning (temporary solution), this patch
disables the broken "to_irq" mapping functionality support.
Signed-off-by: Sylvain Lemieux <slemieux@tycoint.com>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Shmulik Ladkani [Thu, 26 May 2016 17:16:36 +0000 (20:16 +0300)]
net: l2tp: Make l2tp_ip6 namespace aware
l2tp_ip6 tunnel and session lookups were still using init_net, although
the l2tp core infrastructure already supports lookups keyed by 'net'.
As a result, l2tp_ip6_recv discarded packets for tunnels/sessions
created in namespaces other than the init_net.
Fix, by using dev_net(skb->dev) or sock_net(sk) where appropriate.
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Garver [Thu, 26 May 2016 16:28:05 +0000 (12:28 -0400)]
Documentation: ip-sysctl.txt: clarify secure_redirects
Clarify how secure_redirects works. Mention that RFC1122 always applies.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Edward Cree [Thu, 26 May 2016 20:46:05 +0000 (21:46 +0100)]
sfc: use flow dissector helpers for aRFS
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Baozeng Ding [Thu, 26 May 2016 13:07:42 +0000 (21:07 +0800)]
ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
Fix a logic error to avoid potential null pointer dereference.
Signed-off-by: Baozeng Ding <sploving1@gmail.com>
Reviewed-by: Stefan Schmidt<stefan@osg.samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Elad Kanfi [Thu, 26 May 2016 12:00:06 +0000 (15:00 +0300)]
net: nps_enet: Disable interrupts before napi reschedule
Since NAPI works by shutting down event interrupts when theres
work and turning them on when theres none, the net driver must
make sure that interrupts are disabled when it reschedules polling.
By calling napi_reschedule, the driver switches to polling mode,
therefor there should be no interrupt interference.
Any received packets will be handled in nps_enet_poll by polling the HW
indication of received packet until all packets are handled.
Signed-off-by: Elad Kanfi <eladkan@mellanox.com>
Acked-by: Noam Camus <noamca@mellanox.com>
Tested-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Shevchenko [Thu, 26 May 2016 11:43:52 +0000 (14:43 +0300)]
net/lapb: tuse %*ph to dump buffers
Use %*ph specifier to dump small buffers in hex format instead doing this
byte-by-byte.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Thu, 26 May 2016 06:46:22 +0000 (09:46 +0300)]
ptp: oops in ptp_ioctl()
If we pass ERR_PTR(-EFAULT) to kfree() then it's going to oops.
Fixes:
2ece068e1b1d ('ptp: use memdup_user().')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Wed, 25 May 2016 14:50:46 +0000 (16:50 +0200)]
fou: add Kconfig options for IPv6 support
A previous patch added the fou6.ko module, but that failed to link
in a couple of configurations:
net/built-in.o: In function `ip6_tnl_encap_add_fou_ops':
net/ipv6/fou6.c:88: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:94: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:97: undefined reference to `ip6_tnl_encap_del_ops'
net/built-in.o: In function `ip6_tnl_encap_del_fou_ops':
net/ipv6/fou6.c:106: undefined reference to `ip6_tnl_encap_del_ops'
net/ipv6/fou6.c:107: undefined reference to `ip6_tnl_encap_del_ops'
If CONFIG_IPV6=m, ip6_tnl_encap_add_ops/ip6_tnl_encap_del_ops
are in a module, but fou6.c can still be built-in, and that
obviously fails to link.
Also, if CONFIG_IPV6=y, but CONFIG_IPV6_TUNNEL=m or
CONFIG_IPV6_TUNNEL=n, the same problem happens for a different
reason.
This adds two new silent Kconfig symbols to work around both
problems:
- CONFIG_IPV6_FOU is now always set to 'm' if either CONFIG_NET_FOU=m
or CONFIG_IPV6=m
- CONFIG_IPV6_FOU_TUNNEL is set implicitly when IPV6_FOU is enabled
and NET_FOU_IP_TUNNELS is also turned out, and it will ensure
that CONFIG_IPV6_TUNNEL is also available.
The options could be made user-visible as well, to give additional
room for configuration, but it seems easier not to bother users
with more choice here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Wed, 25 May 2016 14:50:45 +0000 (16:50 +0200)]
ipv6: hide ip6_encap_hlen/ip6_tnl_encap definitions
A recent cleanup moved MAX_IPTUN_ENCAP_OPS along with some other
definitions, but it is now invisible when CONFIG_INET is
not defined, but still referenced from ip6_tunnel.h:
In file included from net/xfrm/xfrm_input.c:17:0:
include/net/ip6_tunnel.h:67:17: error: 'MAX_IPTUN_ENCAP_OPS' undeclared here (not in a function)
ip6tun_encaps[MAX_IPTUN_ENCAP_OPS];
^~~~~~~~~~~~~~~~~~~
This hides the ip6_encap_hlen and ip6_tnl_encap functions inside
of CONFIG_INET so we don't run into the the problem.
Alternatively we could move the macro out of the #ifdef again to
restore the previous behavior
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
55c2bc143224 ("net: Cleanup encap items in ip_tunnels.h")
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 29 May 2016 03:41:12 +0000 (20:41 -0700)]
sparc64: Fix return from trap window fill crashes.
We must handle data access exception as well as memory address unaligned
exceptions from return from trap window fill faults, not just normal
TLB misses.
Otherwise we can get an OOPS that looks like this:
ld-linux.so.2(36808): Kernel bad sw trap 5 [#1]
CPU: 1 PID: 36808 Comm: ld-linux.so.2 Not tainted 4.6.0 #34
task:
fff8000303be5c60 ti:
fff8000301344000 task.ti:
fff8000301344000
TSTATE:
0000004410001601 TPC:
0000000000a1a784 TNPC:
0000000000a1a788 Y:
00000002 Not tainted
TPC: <do_sparc64_fault+0x5c4/0x700>
g0:
fff8000024fc8248 g1:
0000000000db04dc g2:
0000000000000000 g3:
0000000000000001
g4:
fff8000303be5c60 g5:
fff800030e672000 g6:
fff8000301344000 g7:
0000000000000001
o0:
0000000000b95ee8 o1:
000000000000012b o2:
0000000000000000 o3:
0000000200b9b358
o4:
0000000000000000 o5:
fff8000301344040 sp:
fff80003013475c1 ret_pc:
0000000000a1a77c
RPC: <do_sparc64_fault+0x5bc/0x700>
l0:
00000000000007ff l1:
0000000000000000 l2:
000000000000005f l3:
0000000000000000
l4:
fff8000301347e98 l5:
fff8000024ff3060 l6:
0000000000000000 l7:
0000000000000000
i0:
fff8000301347f60 i1:
0000000000102400 i2:
0000000000000000 i3:
0000000000000000
i4:
0000000000000000 i5:
0000000000000000 i6:
fff80003013476a1 i7:
0000000000404d4c
I7: <user_rtt_fill_fixup+0x6c/0x7c>
Call Trace:
[
0000000000404d4c] user_rtt_fill_fixup+0x6c/0x7c
The window trap handlers are slightly clever, the trap table entries for them are
composed of two pieces of code. First comes the code that actually performs
the window fill or spill trap handling, and then there are three instructions at
the end which are for exception processing.
The userland register window fill handler is:
add %sp, STACK_BIAS + 0x00, %g1; \
ldxa [%g1 + %g0] ASI, %l0; \
mov 0x08, %g2; \
mov 0x10, %g3; \
ldxa [%g1 + %g2] ASI, %l1; \
mov 0x18, %g5; \
ldxa [%g1 + %g3] ASI, %l2; \
ldxa [%g1 + %g5] ASI, %l3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %l4; \
ldxa [%g1 + %g2] ASI, %l5; \
ldxa [%g1 + %g3] ASI, %l6; \
ldxa [%g1 + %g5] ASI, %l7; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i0; \
ldxa [%g1 + %g2] ASI, %i1; \
ldxa [%g1 + %g3] ASI, %i2; \
ldxa [%g1 + %g5] ASI, %i3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i4; \
ldxa [%g1 + %g2] ASI, %i5; \
ldxa [%g1 + %g3] ASI, %i6; \
ldxa [%g1 + %g5] ASI, %i7; \
restored; \
retry; nop; nop; nop; nop; \
b,a,pt %xcc, fill_fixup_dax; \
b,a,pt %xcc, fill_fixup_mna; \
b,a,pt %xcc, fill_fixup;
And the way this works is that if any of those memory accesses
generate an exception, the exception handler can revector to one of
those final three branch instructions depending upon which kind of
exception the memory access took. In this way, the fault handler
doesn't have to know if it was a spill or a fill that it's handling
the fault for. It just always branches to the last instruction in
the parent trap's handler.
For example, for a regular fault, the code goes:
winfix_trampoline:
rdpr %tpc, %g3
or %g3, 0x7c, %g3
wrpr %g3, %tnpc
done
All window trap handlers are 0x80 aligned, so if we "or" 0x7c into the
trap time program counter, we'll get that final instruction in the
trap handler.
On return from trap, we have to pull the register window in but we do
this by hand instead of just executing a "restore" instruction for
several reasons. The largest being that from Niagara and onward we
simply don't have enough levels in the trap stack to fully resolve all
possible exception cases of a window fault when we are already at
trap level 1 (which we enter to get ready to return from the original
trap).
This is executed inline via the FILL_*_RTRAP handlers. rtrap_64.S's
code branches directly to these to do the window fill by hand if
necessary. Now if you look at them, we'll see at the end:
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
And oops, all three cases are handled like a fault.
This doesn't work because each of these trap types (data access
exception, memory address unaligned, and faults) store their auxiliary
info in different registers to pass on to the C handler which does the
real work.
So in the case where the stack was unaligned, the unaligned trap
handler sets up the arg registers one way, and then we branched to
the fault handler which expects them setup another way.
So the FAULT_TYPE_* value ends up basically being garbage, and
randomly would generate the backtrace seen above.
Reported-by: Nick Alcock <nix@esperi.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 29 May 2016 20:28:39 +0000 (13:28 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is a set of four fixes noticed in the merge window. The aacraid
one is an optimisation, the mp3sas one fixes a spurious printk, the
sd_check_events one fixes a theoretical race and the failed zero
length commands fixes a bug in our completion/retry routines that has
been causing problems in the field"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
aacraid: do not activate events on non-SRC adapters
mpt3sas: add missing curly braces
sd: get disk reference in sd_check_events()
scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands