1. 06 12月, 2016 9 次提交
    • K
      net: ping: check minimum size on ICMP header length · 0eab121e
      Kees Cook 提交于
      Prior to commit c0371da6 ("put iov_iter into msghdr") in v3.19, there
      was no check that the iovec contained enough bytes for an ICMP header,
      and the read loop would walk across neighboring stack contents. Since the
      iov_iter conversion, bad arguments are noticed, but the returned error is
      EFAULT. Returning EINVAL is a clearer error and also solves the problem
      prior to v3.19.
      
      This was found using trinity with KASAN on v3.18:
      
      BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
      Read of size 8 by task trinity-c2/9623
      page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x0()
      page dumped because: kasan: bad access detected
      CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
      Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
      Call trace:
      [<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
      [<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
      [<     inline     >] __dump_stack lib/dump_stack.c:15
      [<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
      [<     inline     >] print_address_description mm/kasan/report.c:147
      [<     inline     >] kasan_report_error mm/kasan/report.c:236
      [<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
      [<     inline     >] check_memory_region mm/kasan/kasan.c:264
      [<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
      [<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
      [<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
      [<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
      [<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
      [<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
      [<     inline     >] __sock_sendmsg_nosec net/socket.c:624
      [<     inline     >] __sock_sendmsg net/socket.c:632
      [<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
      [<     inline     >] SYSC_sendto net/socket.c:1797
      [<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
      
      CVE-2016-8399
      Reported-by: NQidan He <i@flanker017.me>
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0eab121e
    • P
      atm: lanai: set error code when ioremap fails · 4606c9e8
      Pan Bian 提交于
      In function lanai_dev_open(), when the call to ioremap() fails, the
      value of return variable result is 0. 0 means no error in this context.
      This patch fixes the bug, assigning "-ENOMEM" to result when ioremap()
      returns a NULL pointer.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188791Signed-off-by: NPan Bian <bianpan2016@163.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4606c9e8
    • P
      net: usb: set error code when usb_alloc_urb fails · 51920830
      Pan Bian 提交于
      In function lan78xx_probe(), variable ret takes the errno code on
      failures. However, when the call to usb_alloc_urb() fails, its value
      will keeps 0. 0 indicates success in the context, which is inconsistent
      with the execution result. This patch fixes the bug, assigning
      "-ENOMEM" to ret when usb_alloc_urb() returns a NULL pointer.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188771Signed-off-by: NPan Bian <bianpan2016@163.com>
      Acked-by: NWoojung Huh <woojung.huh@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51920830
    • P
      net: bridge: set error code on failure · b5958963
      Pan Bian 提交于
      Function br_sysfs_addbr() does not set error code when the call
      kobject_create_and_add() returns a NULL pointer. It may be better to
      return "-ENOMEM" when kobject_create_and_add() fails.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188781Signed-off-by: NPan Bian <bianpan2016@163.com>
      Acked-by: NStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5958963
    • S
      net: af_mpls.c add space before open parenthesis · 14dd3e1b
      Suraj Deshmukh 提交于
      Adding space after switch keyword before open
      parenthesis for readability purpose.
      
      This patch fixes the checkpatch.pl warning:
      space required before the open parenthesis '('
      Signed-off-by: NSuraj Deshmukh <surajssd009005@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      14dd3e1b
    • P
      netdev: broadcom: propagate error code · 89aa8445
      Pan Bian 提交于
      Function bnxt_hwrm_stat_ctx_alloc() always returns 0, even if the call
      to _hwrm_send_message() fails. It may be better to propagate the errors
      to the caller of bnxt_hwrm_stat_ctx_alloc().
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188661Signed-off-by: NPan Bian <bianpan2016@163.com>
      Acked-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      89aa8445
    • D
      Merge branch 'fib-suffix-length-fixes' · 2279b752
      David S. Miller 提交于
      Alexander Duyck says:
      
      ====================
      IPv4 FIB suffix length fixes
      
      In reviewing the patch from Robert Shearman and looking over the code I
      realized there were a few different bugs we were still carrying in the IPv4
      FIB lookup code.
      
      These two patches are based off of Robert's original patch, but take things
      one step further by splitting them up to address two additional issues I
      found.
      
      So first have Robert's original patch which was addressing the fact that
      us calling update_suffix in resize is expensive when it is called per add.
      To address that I incorporated the core bit of the patch which was us
      dropping the update_suffix call from resize.
      
      The first patch in the series does a rename and fix on the push_suffix and
      pull_suffix code.  Specifically we drop the need to pass a leaf and
      secondly we fix things so we pull the suffix as long as the value of the
      suffix in the node is dropping.
      
      The second patch addresses the original issue reported as well as
      optimizing the code for the fact that update_suffix is only really meant to
      go through and clean things up when we are decreasing a suffix.  I had
      originally added code for it to somehow cause an increase, but if we push
      the suffix when a new leaf is added we only ever have to handle pulling
      down the suffix with update_suffix so I updated the code to reflect that.
      
      As far as side effects the only ones I think that will be obvious should be
      the fact that some routes may be able to be found earlier since before we
      relied on resize to update the suffix lengths, and now we are updating them
      before we add or remove the leaf.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2279b752
    • A
      ipv4: Drop suffix update from resize code · a52ca62c
      Alexander Duyck 提交于
      It has been reported that update_suffix can be expensive when it is called
      on a large node in which most of the suffix lengths are the same.  The time
      required to add 200K entries had increased from around 3 seconds to almost
      49 seconds.
      
      In order to address this we need to move the code for updating the suffix
      out of resize and instead just have it handled in the cases where we are
      pushing a node that increases the suffix length, or will decrease the
      suffix length.
      
      Fixes: 5405afd1 ("fib_trie: Add tracking value for suffix length")
      Reported-by: NRobert Shearman <rshearma@brocade.com>
      Signed-off-by: NAlexander Duyck <alexander.h.duyck@intel.com>
      Reviewed-by: NRobert Shearman <rshearma@brocade.com>
      Tested-by: NRobert Shearman <rshearma@brocade.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a52ca62c
    • A
      ipv4: Drop leaf from suffix pull/push functions · 1a239173
      Alexander Duyck 提交于
      It wasn't necessary to pass a leaf in when doing the suffix updates so just
      drop it.  Instead just pass the suffix and work with that.
      
      Since we dropped the leaf there is no need to include that in the name so
      the names are updated to node_push_suffix and node_pull_suffix.
      
      Finally I noticed that the logic for pulling the suffix length back
      actually had some issues.  Specifically it would stop prematurely if there
      was a longer suffix, but it was not as long as the original suffix.  I
      updated the code to address that in node_pull_suffix.
      
      Fixes: 5405afd1 ("fib_trie: Add tracking value for suffix length")
      Suggested-by: NRobert Shearman <rshearma@brocade.com>
      Signed-off-by: NAlexander Duyck <alexander.h.duyck@intel.com>
      Reviewed-by: NRobert Shearman <rshearma@brocade.com>
      Tested-by: NRobert Shearman <rshearma@brocade.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a239173
  2. 04 12月, 2016 2 次提交
  3. 03 12月, 2016 24 次提交
    • L
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 8dc0f265
      Linus Torvalds 提交于
      Pull ARM SoC fixes from Arnd Bergmann:
       "This should be the last set of bugfixes for arm-soc in v4.9. None of
        these are critical regressions, but it would be nice to still get them
        merged.
      
         - On the Juno platform, the idle latency was described wrong, leading
           to suboptimal cpuidle tuning.
      
         - Also on the same platform, PCI I/O space was set up incorrectly and
           could not work.
      
         - On the sti platform, a syntactically incorrect DT entry caused
           warnings.
      
         - The newly added 'gr8' platform has somewhat confusing file names,
           which we rename for consistency"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
        arm64: dts: juno: Correct PCI IO window
        ARM: dts: STiH407-family: fix i2c nodes
        ARM: gr8: Rename the DTSI and relevant DTS
      8dc0f265
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8bca927f
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Lots more phydev and probe error path leaks in various drivers by
          Johan Hovold.
      
       2) Fix race in packet_set_ring(), from Philip Pettersson.
      
       3) Use after free in dccp_invalid_packet(), from Eric Dumazet.
      
       4) Signnedness overflow in SO_{SND,RCV}BUFFORCE, also from Eric
          Dumazet.
      
       5) When tunneling between ipv4 and ipv6 we can be left with the wrong
          skb->protocol value as we enter the IPSEC engine and this causes all
          kinds of problems. Set it before the output path does any
          dst_output() calls, from Eli Cooper.
      
       6) bcmgenet uses wrong device struct pointer in DMA API calls, fix from
          Florian Fainelli.
      
       7) Various netfilter nat bug fixes from FLorian Westphal.
      
       8) Fix memory leak in ipvlan_link_new(), from Gao Feng.
      
       9) Locking fixes, particularly wrt. socket lookups, in l2tp from
          Guillaume Nault.
      
      10) Avoid invoking rhash teardowns in atomic context by moving netlink
          cb->done() dump completion from a worker thread. Fix from Herbert
          Xu.
      
      11) Buffer refcount problems in tun and macvtap on errors, from Jason
          Wang.
      
      12) We don't set Kconfig symbol DEFAULT_TCP_CONG properly when the user
          selects BBR. Fix from Julian Wollrath.
      
      13) Fix deadlock in transmit path on altera TSE driver, from Lino
          Sanfilippo.
      
      14) Fix unbalanced reference counting in dsa_switch_tree, from Nikita
          Yushchenko.
      
      15) tc_tunnel_key needs to be properly exported to userspace via uapi,
          fix from Roi Dayan.
      
      16) rds_tcp_init_net() doesn't unregister notifier in error path, fix
          from Sowmini Varadhan.
      
      17) Stale packet header pointer access after pskb_expand_head() in
          genenve driver, fix from Sabrina Dubroca.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (103 commits)
        net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
        geneve: avoid use-after-free of skb->data
        tipc: check minimum bearer MTU
        net: renesas: ravb: unintialized return value
        sh_eth: remove unchecked interrupts for RZ/A1
        net: bcmgenet: Utilize correct struct device for all DMA operations
        NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
        cdc_ether: Fix handling connection notification
        ip6_offload: check segs for NULL in ipv6_gso_segment.
        RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net
        Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
        ipv6: Set skb->protocol properly for local output
        ipv4: Set skb->protocol properly for local output
        packet: fix race condition in packet_set_ring
        net: ethernet: altera: TSE: do not use tx queue lock in tx completion handler
        net: ethernet: altera: TSE: Remove unneeded dma sync for tx buffers
        net: ethernet: stmmac: fix of-node and fixed-link-phydev leaks
        net: ethernet: stmmac: platform: fix outdated function header
        net: ethernet: stmmac: dwmac-meson8b: fix probe error path
        net: ethernet: stmmac: dwmac-generic: fix probe error path
        ...
      8bca927f
    • E
      net: avoid signed overflows for SO_{SND|RCV}BUFFORCE · b98b0bc8
      Eric Dumazet 提交于
      CAP_NET_ADMIN users should not be allowed to set negative
      sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
      corruptions, crashes, OOM...
      
      Note that before commit 82981930 ("net: cleanups in
      sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
      and SO_RCVBUF were vulnerable.
      
      This needs to be backported to all known linux kernels.
      
      Again, many thanks to syzkaller team for discovering this gem.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b98b0bc8
    • S
      geneve: avoid use-after-free of skb->data · 5b010147
      Sabrina Dubroca 提交于
      geneve{,6}_build_skb can end up doing a pskb_expand_head(), which
      makes the ip_hdr(skb) reference we stashed earlier stale. Since it's
      only needed as an argument to ip_tunnel_ecn_encap(), move this
      directly in the function call.
      
      Fixes: 08399efc ("geneve: ensure ECN info is handled properly in all tx/rx paths")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5b010147
    • M
      tipc: check minimum bearer MTU · 3de81b75
      Michal Kubeček 提交于
      Qian Zhang (张谦) reported a potential socket buffer overflow in
      tipc_msg_build() which is also known as CVE-2016-8632: due to
      insufficient checks, a buffer overflow can occur if MTU is too short for
      even tipc headers. As anyone can set device MTU in a user/net namespace,
      this issue can be abused by a regular user.
      
      As agreed in the discussion on Ben Hutchings' original patch, we should
      check the MTU at the moment a bearer is attached rather than for each
      processed packet. We also need to repeat the check when bearer MTU is
      adjusted to new device MTU. UDP case also needs a check to avoid
      overflow when calculating bearer MTU.
      
      Fixes: b97bf3fd ("[TIPC] Initial merge")
      Signed-off-by: NMichal Kubecek <mkubecek@suse.cz>
      Reported-by: NQian Zhang (张谦) <zhangqian-c@360.cn>
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3de81b75
    • D
      Merge tag 'linux-can-fixes-for-4.9-20161201' of... · f0d21e89
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-4.9-20161201' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2016-12-02
      
      this is a pull request for net/master.
      
      There are two patches by Stephane Grosjean, who adds support for the new
      PCAN-USB X6 USB interface to the pcan_usb driver.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f0d21e89
    • D
      net: renesas: ravb: unintialized return value · 50d5aa4c
      Dan Carpenter 提交于
      We want to set the other "err" variable here so that we can return it
      later.  My version of GCC misses this issue but I caught it with a
      static checker.
      
      Fixes: 9f70eb33 ("net: ethernet: renesas: ravb: fix fixed-link phydev leaks")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      50d5aa4c
    • C
      sh_eth: remove unchecked interrupts for RZ/A1 · 33d446db
      Chris Brandt 提交于
      When streaming a lot of data and the RZ/A1 can't keep up, some status bits
      will get set that are not being checked or cleared which cause the
      following messages and the Ethernet driver to stop working. This
      patch fixes that issue.
      
      irq 21: nobody cared (try booting with the "irqpoll" option)
      handlers:
      [<c036b71c>] sh_eth_interrupt
      Disabling IRQ #21
      
      Fixes: db893473 ("sh_eth: Add support for r7s72100")
      Signed-off-by: NChris Brandt <chris.brandt@renesas.com>
      Acked-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      33d446db
    • F
      net: bcmgenet: Utilize correct struct device for all DMA operations · 8c4799ac
      Florian Fainelli 提交于
      __bcmgenet_tx_reclaim() and bcmgenet_free_rx_buffers() are not using the
      same struct device during unmap that was used for the map operation,
      which makes DMA-API debugging warn about it. Fix this by always using
      &priv->pdev->dev throughout the driver, using an identical device
      reference for all map/unmap calls.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8c4799ac
    • L
      Fix up a couple of field names in the CREDITS file · ed8d747f
      Linus Torvalds 提交于
      Ozgur Karatas reported that the very first entry in the CREDITS file had
      the wrong tag for name (M: instead of N: - it happened when moving the
      entry from the MAINTAINERS file, where 'M:' stands for "Maintainer").
      
      And when I went looking, I found a couple of other cases of wrong
      tagging too.
      Reported-by: NOzgur Karatas <mueddib@yandex.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ed8d747f
    • D
      NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040 · 9bd813da
      Daniele Palmas 提交于
      This patch adds support for PID 0x1040 of Telit LE922A.
      
      The qmi adapter requires to have DTR set for proper working,
      so QMI_WWAN_QUIRK_DTR has been enabled.
      Signed-off-by: NDaniele Palmas <dnlplm@gmail.com>
      Acked-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9bd813da
    • K
      cdc_ether: Fix handling connection notification · d5c83d0d
      Kristian Evensen 提交于
      Commit bfe9b9d2 ("cdc_ether: Improve ZTE MF823/831/910 handling")
      introduced a work-around in usbnet_cdc_status() for devices that exported
      cdc carrier on twice on connect. Before the commit, this behavior caused
      the link state to be incorrect. It was assumed that all CDC Ethernet
      devices would either export this behavior, or send one off and then one on
      notification (which seems to be the default behavior).
      
      Unfortunately, it turns out multiple devices sends a connection
      notification multiple times per second (via an interrupt), even when
      connection state does not change. This has been observed with several
      different USB LAN dongles (at least), for example 13b1:0041 (Linksys).
      After bfe9b9d2, the link state has been set as down and then up for
      each notification. This has caused a flood of Netlink NEWLINK messages and
      syslog to be flooded with messages similar to:
      
      cdc_ether 2-1:2.0 eth1: kevent 12 may have been dropped
      
      This commit fixes the behavior by reverting usbnet_cdc_status() to how it
      was before bfe9b9d2. The work-around has been moved to a separate
      status-function which is only called when a known, affect device is
      detected.
      
      v1->v2:
      
      * Do not open-code netif_carrier_ok() (thanks Henning Schild).
      * Call netif_carrier_off() instead of usb_link_change(). This prevents
      calling schedule_work() twice without giving the work queue a chance to be
      processed (thanks Bjørn Mork).
      
      Fixes: bfe9b9d2 ("cdc_ether: Improve ZTE MF823/831/910 handling")
      Reported-by: NHenning Schild <henning.schild@siemens.com>
      Signed-off-by: NKristian Evensen <kristian.evensen@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d5c83d0d
    • A
      ip6_offload: check segs for NULL in ipv6_gso_segment. · 6b6ebb6b
      Artem Savkov 提交于
      segs needs to be checked for being NULL in ipv6_gso_segment() before calling
      skb_shinfo(segs), otherwise kernel can run into a NULL-pointer dereference:
      
      [   97.811262] BUG: unable to handle kernel NULL pointer dereference at 00000000000000cc
      [   97.819112] IP: [<ffffffff816e52f9>] ipv6_gso_segment+0x119/0x2f0
      [   97.825214] PGD 0 [   97.827047]
      [   97.828540] Oops: 0000 [#1] SMP
      [   97.831678] Modules linked in: vhost_net vhost macvtap macvlan nfsv3 rpcsec_gss_krb5
      nfsv4 dns_resolver nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4
      iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
      ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter
      bridge stp llc snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic snd_hda_intel
      snd_hda_codec edac_mce_amd snd_hda_core edac_core snd_hwdep kvm_amd snd_seq kvm snd_seq_device
      snd_pcm irqbypass snd_timer ppdev parport_serial snd parport_pc k10temp pcspkr soundcore parport
      sp5100_tco shpchp sg wmi i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc
      ip_tables xfs libcrc32c sr_mod cdrom sd_mod ata_generic pata_acpi amdkfd amd_iommu_v2 radeon
      broadcom bcm_phy_lib i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
      ttm ahci serio_raw tg3 firewire_ohci libahci pata_atiixp drm ptp libata firewire_core pps_core
      i2c_core crc_itu_t fjes dm_mirror dm_region_hash dm_log dm_mod
      [   97.927721] CPU: 1 PID: 3504 Comm: vhost-3495 Not tainted 4.9.0-7.el7.test.x86_64 #1
      [   97.935457] Hardware name: AMD Snook/Snook, BIOS ESK0726A 07/26/2010
      [   97.941806] task: ffff880129a1c080 task.stack: ffffc90001bcc000
      [   97.947720] RIP: 0010:[<ffffffff816e52f9>]  [<ffffffff816e52f9>] ipv6_gso_segment+0x119/0x2f0
      [   97.956251] RSP: 0018:ffff88012fc43a10  EFLAGS: 00010207
      [   97.961557] RAX: 0000000000000000 RBX: ffff8801292c8700 RCX: 0000000000000594
      [   97.968687] RDX: 0000000000000593 RSI: ffff880129a846c0 RDI: 0000000000240000
      [   97.975814] RBP: ffff88012fc43a68 R08: ffff880129a8404e R09: 0000000000000000
      [   97.982942] R10: 0000000000000000 R11: ffff880129a84076 R12: 00000020002949b3
      [   97.990070] R13: ffff88012a580000 R14: 0000000000000000 R15: ffff88012a580000
      [   97.997198] FS:  0000000000000000(0000) GS:ffff88012fc40000(0000) knlGS:0000000000000000
      [   98.005280] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   98.011021] CR2: 00000000000000cc CR3: 0000000126c5d000 CR4: 00000000000006e0
      [   98.018149] Stack:
      [   98.020157]  00000000ffffffff ffff88012fc43ac8 ffffffffa017ad0a 000000000000000e
      [   98.027584]  0000001300000000 0000000077d59998 ffff8801292c8700 00000020002949b3
      [   98.035010]  ffff88012a580000 0000000000000000 ffff88012a580000 ffff88012fc43a98
      [   98.042437] Call Trace:
      [   98.044879]  <IRQ> [   98.046803]  [<ffffffffa017ad0a>] ? tg3_start_xmit+0x84a/0xd60 [tg3]
      [   98.053156]  [<ffffffff815eeee0>] skb_mac_gso_segment+0xb0/0x130
      [   98.059158]  [<ffffffff815eefd3>] __skb_gso_segment+0x73/0x110
      [   98.064985]  [<ffffffff815ef40d>] validate_xmit_skb+0x12d/0x2b0
      [   98.070899]  [<ffffffff815ef5d2>] validate_xmit_skb_list+0x42/0x70
      [   98.077073]  [<ffffffff81618560>] sch_direct_xmit+0xd0/0x1b0
      [   98.082726]  [<ffffffff815efd86>] __dev_queue_xmit+0x486/0x690
      [   98.088554]  [<ffffffff8135c135>] ? cpumask_next_and+0x35/0x50
      [   98.094380]  [<ffffffff815effa0>] dev_queue_xmit+0x10/0x20
      [   98.099863]  [<ffffffffa09ce057>] br_dev_queue_push_xmit+0xa7/0x170 [bridge]
      [   98.106907]  [<ffffffffa09ce161>] br_forward_finish+0x41/0xc0 [bridge]
      [   98.113430]  [<ffffffff81627cf2>] ? nf_iterate+0x52/0x60
      [   98.118735]  [<ffffffff81627d6b>] ? nf_hook_slow+0x6b/0xc0
      [   98.124216]  [<ffffffffa09ce32c>] __br_forward+0x14c/0x1e0 [bridge]
      [   98.130480]  [<ffffffffa09ce120>] ? br_dev_queue_push_xmit+0x170/0x170 [bridge]
      [   98.137785]  [<ffffffffa09ce4bd>] br_forward+0x9d/0xb0 [bridge]
      [   98.143701]  [<ffffffffa09cfbb7>] br_handle_frame_finish+0x267/0x560 [bridge]
      [   98.150834]  [<ffffffffa09d0064>] br_handle_frame+0x174/0x2f0 [bridge]
      [   98.157355]  [<ffffffff8102fb89>] ? sched_clock+0x9/0x10
      [   98.162662]  [<ffffffff810b63b2>] ? sched_clock_cpu+0x72/0xa0
      [   98.168403]  [<ffffffff815eccf5>] __netif_receive_skb_core+0x1e5/0xa20
      [   98.174926]  [<ffffffff813659f9>] ? timerqueue_add+0x59/0xb0
      [   98.180580]  [<ffffffff815ed548>] __netif_receive_skb+0x18/0x60
      [   98.186494]  [<ffffffff815ee625>] process_backlog+0x95/0x140
      [   98.192145]  [<ffffffff815edccd>] net_rx_action+0x16d/0x380
      [   98.197713]  [<ffffffff8170cff1>] __do_softirq+0xd1/0x283
      [   98.203106]  [<ffffffff8170b2bc>] do_softirq_own_stack+0x1c/0x30
      [   98.209107]  <EOI> [   98.211029]  [<ffffffff8108a5c0>] do_softirq+0x50/0x60
      [   98.216166]  [<ffffffff815ec853>] netif_rx_ni+0x33/0x80
      [   98.221386]  [<ffffffffa09eeff7>] tun_get_user+0x487/0x7f0 [tun]
      [   98.227388]  [<ffffffffa09ef3ab>] tun_sendmsg+0x4b/0x60 [tun]
      [   98.233129]  [<ffffffffa0b68932>] handle_tx+0x282/0x540 [vhost_net]
      [   98.239392]  [<ffffffffa0b68c25>] handle_tx_kick+0x15/0x20 [vhost_net]
      [   98.245916]  [<ffffffffa0abacfe>] vhost_worker+0x9e/0xf0 [vhost]
      [   98.251919]  [<ffffffffa0abac60>] ? vhost_umem_alloc+0x40/0x40 [vhost]
      [   98.258440]  [<ffffffff81003a47>] ? do_syscall_64+0x67/0x180
      [   98.264094]  [<ffffffff810a44d9>] kthread+0xd9/0xf0
      [   98.268965]  [<ffffffff810a4400>] ? kthread_park+0x60/0x60
      [   98.274444]  [<ffffffff8170a4d5>] ret_from_fork+0x25/0x30
      [   98.279836] Code: 8b 93 d8 00 00 00 48 2b 93 d0 00 00 00 4c 89 e6 48 89 df 66 89 93 c2 00 00 00 ff 10 48 3d 00 f0 ff ff 49 89 c2 0f 87 52 01 00 00 <41> 8b 92 cc 00 00 00 48 8b 80 d0 00 00 00 44 0f b7 74 10 06 66
      [   98.299425] RIP  [<ffffffff816e52f9>] ipv6_gso_segment+0x119/0x2f0
      [   98.305612]  RSP <ffff88012fc43a10>
      [   98.309094] CR2: 00000000000000cc
      [   98.312406] ---[ end trace 726a2c7a2d2d78d0 ]---
      Signed-off-by: NArtem Savkov <asavkov@redhat.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b6ebb6b
    • S
      RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net · 721c7443
      Sowmini Varadhan 提交于
      If some error is encountered in rds_tcp_init_net, make sure to
      unregister_netdevice_notifier(), else we could trigger a panic
      later on, when the modprobe from a netns fails.
      Signed-off-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      721c7443
    • E
      Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()" · 80d1106a
      Eli Cooper 提交于
      This reverts commit ae148b08
      ("ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()").
      
      skb->protocol is now set in __ip_local_out() and __ip6_local_out() before
      dst_output() is called. It is no longer necessary to do it for each tunnel.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEli Cooper <elicooper@gmx.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      80d1106a
    • E
      ipv6: Set skb->protocol properly for local output · b4e479a9
      Eli Cooper 提交于
      When xfrm is applied to TSO/GSO packets, it follows this path:
      
          xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
      
      where skb_gso_segment() relies on skb->protocol to function properly.
      
      This patch sets skb->protocol to ETH_P_IPV6 before dst_output() is called,
      fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
      when xfrm is involved.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEli Cooper <elicooper@gmx.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b4e479a9
    • E
      ipv4: Set skb->protocol properly for local output · f4180439
      Eli Cooper 提交于
      When xfrm is applied to TSO/GSO packets, it follows this path:
      
          xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
      
      where skb_gso_segment() relies on skb->protocol to function properly.
      
      This patch sets skb->protocol to ETH_P_IP before dst_output() is called,
      fixing a bug where GSO packets sent through a sit tunnel are dropped
      when xfrm is involved.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEli Cooper <elicooper@gmx.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4180439
    • P
      packet: fix race condition in packet_set_ring · 84ac7260
      Philip Pettersson 提交于
      When packet_set_ring creates a ring buffer it will initialize a
      struct timer_list if the packet version is TPACKET_V3. This value
      can then be raced by a different thread calling setsockopt to
      set the version to TPACKET_V1 before packet_set_ring has finished.
      
      This leads to a use-after-free on a function pointer in the
      struct timer_list when the socket is closed as the previously
      initialized timer will not be deleted.
      
      The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
      changing the packet version while also taking the lock at the start
      of packet_set_ring.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Signed-off-by: NPhilip Pettersson <philip.pettersson@gmail.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      84ac7260
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 4aa675aa
      Linus Torvalds 提交于
      Pull KVM fixes from Radim Krčmář:
       "All architectures avoid memory corruption in an error path. ARM
        prevents bogus acknowledgement of interrupts"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: use after free in kvm_ioctl_create_device()
        KVM: arm/arm64: vgic: Don't notify EOI for non-SPIs
      4aa675aa
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 3e52d063
      Linus Torvalds 提交于
      Pull i2c fix from Wolfram Sang:
       "Here is the revert for the regression of the i2c-octeon driver I
        mentioned last time. I wished for a bit more feedback, but all people
        working actively on it are in need of this patch, so here it goes"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        Revert "i2c: octeon: thunderx: Limit register access retries"
      3e52d063
    • L
      net: ethernet: altera: TSE: do not use tx queue lock in tx completion handler · 2219d5ed
      Lino Sanfilippo 提交于
      The driver already uses its private lock for synchronization between xmit
      and xmit completion handler making the additional use of the xmit_lock
      unnecessary.
      Furthermore the driver does not set NETIF_F_LLTX resulting in xmit to be
      called with the xmit_lock held and then taking the private lock while xmit
      completion handler does the reverse, first take the private lock, then the
      xmit_lock.
      Fix these issues by not taking the xmit_lock in the tx completion handler.
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2219d5ed
    • L
      net: ethernet: altera: TSE: Remove unneeded dma sync for tx buffers · 151a14db
      Lino Sanfilippo 提交于
      An explicit dma sync for device directly after mapping as well as an
      explicit dma sync for cpu directly before unmapping is unnecessary and
      costly on the hotpath. So remove these calls.
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      151a14db
    • A
      default exported asm symbols to zero · 8ab2ae65
      Arnd Bergmann 提交于
      With binutils-2.26 and before, a weak missing symbol was kept during the
      final link, and a missing CRC for an export would lead to that CRC being
      treated as zero implicitly.  With binutils-2.27, the crc symbol gets
      dropped, and any module trying to use it will fail to load.
      
      This sets the weak CRC symbol to zero explicitly, making it defined in
      vmlinux, which in turn lets us load the modules referring to that CRC.
      
      The comment above the __CRC_SYMBOL macro suggests that this was always
      the intention, although it also seems that all symbols defined in C have
      a correct CRC these days, and only the exports that are now done in
      assembly need this.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Tested-by: NAdam Borowski <kilobyte@angband.pl>
      Cc: stable@kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8ab2ae65
    • S
      arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions · 909e481e
      Sudeep Holla 提交于
      The core and the cluster sleep state entry latencies can't be same as
      cluster sleep involves more work compared to core level e.g. shared
      cache maintenance.
      
      Experiments have shown on an average about 100us more latency for the
      cluster sleep state compared to the core level sleep. This patch fixes
      the entry latency for the cluster sleep state.
      
      Fixes: 28e10a8f ("arm64: dts: juno: Add idle-states to device tree")
      Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: "Jon Medhurst (Tixy)" <tixy@linaro.org>
      Reviewed-by: NLiviu Dudau <Liviu.Dudau@arm.com>
      Signed-off-by: NSudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      909e481e
  4. 02 12月, 2016 5 次提交