1. 23 2月, 2017 3 次提交
  2. 20 2月, 2017 3 次提交
    • L
      Linux 4.10 · c470abd4
      Linus Torvalds 提交于
      c470abd4
    • A
      Fix missing sanity check in /dev/sg · 137d01df
      Al Viro 提交于
      What happens is that a write to /dev/sg is given a request with non-zero
      ->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
      to an array full of empty iovecs.
      
      Having write permission to /dev/sg shouldn't be equivalent to the
      ability to trigger BUG_ON() while holding spinlocks...
      
      Found by Dmitry Vyukov and syzkaller.
      
      [ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
        underlying issue.  - Linus ]
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      137d01df
    • J
      scsi: don't BUG_ON() empty DMA transfers · fd3fc0b4
      Johannes Thumshirn 提交于
      Don't crash the machine just because of an empty transfer. Use WARN_ON()
      combined with returning an error.
      
      Found by Dmitry Vyukov and syzkaller.
      
      [ Changed to "WARN_ON_ONCE()". Al has a patch that should fix the root
        cause, but a BUG_ON() is not acceptable in any case, and a WARN_ON()
        might still be a cause of excessive log spamming.
      
        NOTE! If this warning ever triggers, we may end up leaking resources,
        since this doesn't bother to try to clean the command up. So this
        WARN_ON_ONCE() triggering does imply real problems. But BUG_ON() is
        much worse.
      
        People really need to stop using BUG_ON() for "this shouldn't ever
        happen". It makes pretty much any bug worse.     - Linus ]
      Signed-off-by: NJohannes Thumshirn <jthumshirn@suse.de>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: James Bottomley <jejb@linux.vnet.ibm.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      fd3fc0b4
  3. 19 2月, 2017 9 次提交
  4. 18 2月, 2017 12 次提交
    • D
      irda: Fix lockdep annotations in hashbin_delete(). · 4c03b862
      David S. Miller 提交于
      A nested lock depth was added to the hasbin_delete() code but it
      doesn't actually work some well and results in tons of lockdep splats.
      
      Fix the code instead to properly drop the lock around the operation
      and just keep peeking the head of the hashbin queue.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Tested-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c03b862
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 6dc39c50
      Linus Torvalds 提交于
      Pull block layer fix from Jens Axboe:
       "A single fix for a lockdep splat reported by Thomas and Gabriel"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        cfq-iosched: don't call wbt_disable_default() with IRQs disabled
      6dc39c50
    • P
      vxlan: fix oops in dev_fill_metadata_dst · 22f0708a
      Paolo Abeni 提交于
      Since the commit 0c1d70af ("net: use dst_cache for vxlan device")
      vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL
      dst_cache pointer, so the latter should explicitly check for
      valid dst_cache ptr. Unfortunately the commit d71785ff ("net: add
      dst_cache to ovs vxlan lwtunnel") removed said check.
      
      As a result is possible to trigger a null pointer access calling
      vxlan_fill_metadata_dst(), e.g. with:
      
      ovs-vsctl add-br ovs-br0
      ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 \
      	type=vxlan options:remote_ip=192.168.1.1 \
      	options:key=1234 options:dst_port=4789 ofport_request=10
      ip address add dev ovs-br0 172.16.1.2/24
      ovs-vsctl set Bridge ovs-br0 ipfix=@i -- --id=@i create IPFIX \
      	targets=\"172.16.1.1:1234\" sampling=1
      iperf -c 172.16.1.1 -u -l 1000 -b 10M -t 1 -p 1234
      
      This commit addresses the issue passing to vxlan_get_route() the
      dst_cache already available into the lwt info processed by
      vxlan_fill_metadata_dst().
      
      Fixes: d71785ff ("net: add dst_cache to ovs vxlan lwtunnel")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NJiri Benc <jbenc@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      22f0708a
    • A
      dccp: fix freeing skb too early for IPV6_RECVPKTINFO · 5edabca9
      Andrey Konovalov 提交于
      In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
      is forcibly freed via __kfree_skb in dccp_rcv_state_process if
      dccp_v6_conn_request successfully returns.
      
      However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
      is saved to ireq->pktopts and the ref count for skb is incremented in
      dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
      in dccp_rcv_state_process.
      
      Fix by calling consume_skb instead of doing goto discard and therefore
      calling __kfree_skb.
      
      Similar fixes for TCP:
      
      fb7e2399 [TCP]: skb is unexpectedly freed.
      0aea76d3 tcp: SYN packets are now
      simply consumed
      Signed-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5edabca9
    • L
      Merge tag 'powerpc-4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 2fe1e8a7
      Linus Torvalds 提交于
      Pull powerpc fix from Michael Ellerman:
       "One fix from Paul: we can not use the radix MMU under a hypervisor for
        now.
      
        Although the code checked if the processor supports radix, that is not
        sufficient"
      
      * tag 'powerpc-4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/64: Disable use of radix under a hypervisor
      2fe1e8a7
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · a0d5ef45
      Linus Torvalds 提交于
      Pull input fix from Dmitry Torokhov:
       "Just a single change to Elan touchpad driver to recognize a new ACPI
        ID"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: elan_i2c - add ELAN0605 to the ACPI table
      a0d5ef45
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 444a034d
      Linus Torvalds 提交于
      Pull i2c fix from Wolfram Sang:
       "I2C has a revert to fix a regression"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        Revert "i2c: designware: detect when dynamic tar update is possible"
      444a034d
    • L
      Merge tag 'mmc-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 6adfd6ac
      Linus Torvalds 提交于
      Pull MMC fix from Ulf Hansson:
       "Fix multi-bit bus width without high-speed mode for MMC"
      
      * tag 'mmc-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: core: fix multi-bit bus width without high-speed mode
      6adfd6ac
    • L
      Merge tag 'ntb-4.10-bugfixes' of git://github.com/jonmason/ntb · 7ed1b125
      Linus Torvalds 提交于
      Pull NTB bugfixes frfom Jon Mason:
       "NTB bug fixes to address a crash when unloading the ntb module, a DMA
        engine unmap leak, allowing the proper queue choice, and clearing the
        SKX irq bit"
      
      * tag 'ntb-4.10-bugfixes' of git://github.com/jonmason/ntb:
        ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly
        ntb_transport: Pick an unused queue
        ntb: ntb_perf missing dmaengine_unmap_put
        NTB: ntb_transport: fix debugfs_remove_recursive
      7ed1b125
    • D
      dpaa_eth: small leak on error · 785f3577
      Dan Carpenter 提交于
      This should be >= instead of > here.  It means that we don't increment
      the free count enough so it becomes off by one.
      
      Fixes: 9ad1a374 ("dpaa_eth: add support for DPAA Ethernet")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      785f3577
    • A
      Merge tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux into fixes · 6fe1bfc4
      Arnd Bergmann 提交于
      Pull "Reset controller fixes for v4.10" from Philipp Zabel:
      
      - Remove erroneous negation of the error check of the reset function
        to decrement trigger_count in the error case, not on success. This
        fixes shared resets to actually only trigger once, as intended.
      
      * tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux:
        reset: fix shared reset triggered_count decrement on error
      6fe1bfc4
    • A
      packet: Do not call fanout_release from atomic contexts · 2bd624b4
      Anoob Soman 提交于
      Commit 66644982 ("packet: call fanout_release, while UNREGISTERING a
      netdev"), unfortunately, introduced the following issues.
      
      1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
      rcu_read-side critical section. rcu_read_lock disables preemption, most often,
      which prohibits calling sleeping functions.
      
      [  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
      [  ]
      [  ] rcu_scheduler_active = 1, debug_locks = 0
      [  ] 4 locks held by ovs-vswitchd/1969:
      [  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
      [  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
      [  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
      [  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
      [  ]
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
      [  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
      [  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
      "sleeping function called from invalid context"
      
      [  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      3. calling dev_remove_pack(&fanout->prot_hook), from inside
      spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
      -> synchronize_net(), which might sleep.
      
      [  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
      [  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
      [  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
      [  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
      [  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
      [  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
      [  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
      [  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
      [  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      4. fanout_release() races with calls from different CPU.
      
      To fix the above problems, remove the call to fanout_release() under
      rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
      netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
      to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
      __fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
      fanout->prot_hook is removed as well.
      
      Fixes: 66644982 ("packet: call fanout_release, while UNREGISTERING a netdev")
      Reported-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NAnoob Soman <anoob.soman@citrix.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2bd624b4
  5. 17 2月, 2017 13 次提交