1. 23 4月, 2018 9 次提交
    • C
      llc: delete timers synchronously in llc_sk_free() · b905ef9a
      Cong Wang 提交于
      The connection timers of an llc sock could be still flying
      after we delete them in llc_sk_free(), and even possibly
      after we free the sock. We could just wait synchronously
      here in case of troubles.
      
      Note, I leave other call paths as they are, since they may
      not have to wait, at least we can change them to synchronously
      when needed.
      
      Also, move the code to net/llc/llc_conn.c, which is apparently
      a better place.
      
      Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b905ef9a
    • G
      l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow · 5411b618
      Guillaume Nault 提交于
      Commit 0e0c3fee ("l2tp: hold reference on tunnels printed in pppol2tp proc file")
      assumed that if pppol2tp_seq_stop() was called with non-NULL private
      data (the 'v' pointer), then pppol2tp_seq_start() would not be called
      again. It turns out that this isn't guaranteed, and overflowing the
      seq_file's buffer in pppol2tp_seq_show() is a way to get into this
      situation.
      
      Therefore, pppol2tp_seq_stop() needs to reset pd->tunnel, so that
      pppol2tp_seq_start() won't drop a reference again if it gets called.
      We also have to clear pd->session, because the rest of the code expects
      a non-NULL tunnel when pd->session is set.
      
      The l2tp_debugfs module has the same issue. Fix it in the same way.
      
      Fixes: 0e0c3fee ("l2tp: hold reference on tunnels printed in pppol2tp proc file")
      Fixes: f726214d ("l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5411b618
    • D
      Merge branch 's390-qeth-fixes' · 353697e6
      David S. Miller 提交于
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2018-04-19
      
      Please apply the following qeth fixes for 4.17. The common theme
      seems to be error handling improvements in various areas of cmd IO.
      
      Patches 1-3 should also go back to stable.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      353697e6
    • J
      s390/qeth: use Read device to query hypervisor for MAC · b7493e91
      Julian Wiedmann 提交于
      For z/VM NICs, qeth needs to consider which of the three CCW devices in
      an MPC group it uses for requesting a managed MAC address.
      
      On the Base device, the hypervisor returns a default MAC which is
      pre-assigned when creating the NIC (this MAC is also returned by the
      READ MAC primitive). Querying any other device results in the allocation
      of an additional MAC address.
      
      For consistency with READ MAC and to avoid using up more addresses than
      necessary, it is preferable to use the NIC's default MAC. So switch the
      the diag26c over to using a NIC's Read device, which should always be
      identical to the Base device.
      
      Fixes: ec61bd2f ("s390/qeth: use diag26c to get MAC address on L2")
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7493e91
    • J
      s390/qeth: fix request-side race during cmd IO timeout · db71bbbd
      Julian Wiedmann 提交于
      Submitting a cmd IO request (usually on the WRITE device, but for IDX
      also on the READ device) is currently done with ccw_device_start()
      and a manual timeout in the caller.
      On timeout, the caller cleans up the related resources (eg. IO buffer).
      But 1) the IO might still be active and utilize those resources, and
          2) when the IO completes, qeth_irq() will attempt to clean up the
             same resources again.
      
      Instead of introducing additional resource locking, switch to
      ccw_device_start_timeout() to ensure IO termination after timeout, and
      let the IRQ handler alone deal with cleaning up after a request.
      
      This also removes a stray write->irq_pending reset from
      clear_ipacmd_list(). The routine doesn't terminate any pending IO on
      the WRITE device, so this should be handled properly via IO timeout
      in the IRQ handler.
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db71bbbd
    • J
      s390/qeth: fix MAC address update sequence · bcacfcbc
      Julian Wiedmann 提交于
      When changing the MAC address on a L2 qeth device, current code first
      unregisters the old address, then registers the new one.
      If HW rejects the new address (or the IO fails), the device ends up with
      no operable address at all.
      
      Re-order the code flow so that the old address only gets dropped if the
      new address was registered successfully. While at it, add logic to catch
      some corner-cases.
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bcacfcbc
    • J
      s390/qeth: handle failure on workqueue creation · a936b1ef
      Julian Wiedmann 提交于
      Creating the global workqueue during driver init may fail, deal with it.
      Also, destroy the created workqueue on any subsequent error.
      
      Fixes: 0f54761d ("qeth: Support VEPA mode")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a936b1ef
    • J
      s390/qeth: avoid control IO completion stalls · 901e3f49
      Julian Wiedmann 提交于
      For control IO, qeth currently tracks the index of the buffer that it
      expects to complete the next IO on each qeth_channel. If the channel
      presents an IRQ while this buffer has not yet completed, no completion
      processing for _any_ completed buffer takes place.
      So if the 'next buffer' is skipped for any sort of reason* (eg. when it
      is released due to error conditions, before the IO is started), the
      buffer obviously won't switch to PROCESSED until it is eventually
      allocated for a _different_ IO and completes.
      Until this happens, all completion processing on that channel stalls
      and pending requests possibly time out.
      
      As a fix, remove the whole 'next buffer' logic and simply process any
      IO buffer right when it completes. A channel will never have more than
      one IO pending, so there's no risk of processing out-of-sequence.
      
      *Note: currently just one location in the code really handles this problem,
             by advancing the 'next' index manually.
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      901e3f49
    • J
      s390/qeth: fix error handling in adapter command callbacks · 686c97ee
      Julian Wiedmann 提交于
      Make sure to check both return code fields before(!) processing the
      command response. Otherwise we risk operating on invalid data.
      
      This matches an earlier fix for SETASSPARMS commands, see
      commit ad3cbf61 ("s390/qeth: fix error handling in checksum cmd callback").
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      686c97ee
  2. 21 4月, 2018 9 次提交
    • L
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal · 83beed7b
      Linus Torvalds 提交于
      Pull thermal fixes from Eduardo Valentin:
       "A couple of fixes for the thermal subsystem"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
        dt-bindings: thermal: Remove "cooling-{min|max}-level" properties
        dt-bindings: thermal: remove no longer needed samsung thermal properties
      83beed7b
    • L
      Merge tag 'mmc-v4.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 7e3cb169
      Linus Torvalds 提交于
      Pull MMC fixes from Ulf Hansson:
       "A couple of MMC host fixes:
      
         - sdhci-pci: Fixup tuning for AMD for eMMC HS200 mode
      
         - renesas_sdhi_internal_dmac: Avoid data corruption by limiting
           DMA RX"
      
      * tag 'mmc-v4.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: renesas_sdhi_internal_dmac: limit DMA RX for old SoCs
        mmc: sdhci-pci: Only do AMD tuning for HS200
      7e3cb169
    • L
      Merge tag 'md/4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · 7768ee3f
      Linus Torvalds 提交于
      Pull MD fixes from Shaohua Li:
       "Three small fixes for MD:
      
         - md-cluster fix for faulty device from Guoqing
      
         - writehint fix for writebehind IO for raid1 from Mariusz
      
         - a live lock fix for interrupted recovery from Yufen"
      
      * tag 'md/4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        raid1: copy write hint from master bio to behind bio
        md/raid1: exit sync request if MD_RECOVERY_INTR is set
        md-cluster: don't update recovery_offset for faulty device
      7768ee3f
    • D
      vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion · a9e5b732
      David Howells 提交于
      In do_mount() when the MS_* flags are being converted to MNT_* flags,
      MS_RDONLY got accidentally convered to SB_RDONLY.
      
      Undo this change.
      
      Fixes: e462ec50 ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a9e5b732
    • D
      afs: Fix server record deletion · 66062592
      David Howells 提交于
      AFS server records get removed from the net->fs_servers tree when
      they're deleted, but not from the net->fs_addresses{4,6} lists, which
      can lead to an oops in afs_find_server() when a server record has been
      removed, for instance during rmmod.
      
      Fix this by deleting the record from the by-address lists before posting
      it for RCU destruction.
      
      The reason this hasn't been noticed before is that the fileserver keeps
      probing the local cache manager, thereby keeping the service record
      alive, so the oops would only happen when a fileserver eventually gets
      bored and stops pinging or if the module gets rmmod'd and a call comes
      in from the fileserver during the window between the server records
      being destroyed and the socket being closed.
      
      The oops looks something like:
      
        BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
        ...
        Workqueue: kafsd afs_process_async_call [kafs]
        RIP: 0010:afs_find_server+0x271/0x36f [kafs]
        ...
        Call Trace:
         afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs]
         afs_deliver_to_call+0x1ee/0x5e8 [kafs]
         afs_process_async_call+0x5b/0xd0 [kafs]
         process_one_work+0x2c2/0x504
         worker_thread+0x1d4/0x2ac
         kthread+0x11f/0x127
         ret_from_fork+0x24/0x30
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      66062592
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a72db42c
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Unbalanced refcounting in TIPC, from Jon Maloy.
      
       2) Only allow TCP_MD5SIG to be set on sockets in close or listen state.
          Once the connection is established it makes no sense to change this.
          From Eric Dumazet.
      
       3) Missing attribute validation in neigh_dump_table(), also from Eric
          Dumazet.
      
       4) Fix address comparisons in SCTP, from Xin Long.
      
       5) Neigh proxy table clearing can deadlock, from Wolfgang Bumiller.
      
       6) Fix tunnel refcounting in l2tp, from Guillaume Nault.
      
       7) Fix double list insert in team driver, from Paolo Abeni.
      
       8) af_vsock.ko module was accidently made unremovable, from Stefan
          Hajnoczi.
      
       9) Fix reference to freed llc_sap object in llc stack, from Cong Wang.
      
      10) Don't assume netdevice struct is DMA'able memory in virtio_net
          driver, from Michael S. Tsirkin.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (62 commits)
        net/smc: fix shutdown in state SMC_LISTEN
        bnxt_en: Fix memory fault in bnxt_ethtool_init()
        virtio_net: sparse annotation fix
        virtio_net: fix adding vids on big-endian
        virtio_net: split out ctrl buffer
        net: hns: Avoid action name truncation
        docs: ip-sysctl.txt: fix name of some ipv6 variables
        vmxnet3: fix incorrect dereference when rxvlan is disabled
        llc: hold llc_sap before release_sock()
        MAINTAINERS: Direct networking documentation changes to netdev
        atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"
        net: qmi_wwan: add Wistron Neweb D19Q1
        net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"
        net: stmmac: Disable ACS Feature for GMAC >= 4
        net: mvpp2: Fix DMA address mask size
        net: change the comment of dev_mc_init
        net: qualcomm: rmnet: Fix warning seen with fill_info
        tun: fix vlan packet truncation
        tipc: fix infinite loop when dumping link monitor summary
        tipc: fix use-after-free in tipc_nametbl_stop
        ...
      a72db42c
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b9abdcfd
      Linus Torvalds 提交于
      Pull vfs fixes from Al Viro:
       "Assorted fixes.
      
        Some of that is only a matter with fault injection (broken handling of
        small allocation failure in various mount-related places), but the
        last one is a root-triggerable stack overflow, and combined with
        userns it gets really nasty ;-/"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        Don't leak MNT_INTERNAL away from internal mounts
        mm,vmscan: Allow preallocating memory for register_shrinker().
        rpc_pipefs: fix double-dput()
        orangefs_kill_sb(): deal with allocation failures
        jffs2_kill_sb(): deal with failed allocations
        hypfs_kill_super(): deal with failed allocations
      b9abdcfd
    • L
      Merge tag 'ecryptfs-4.17-rc2-fixes' of... · 43f70c96
      Linus Torvalds 提交于
      Merge tag 'ecryptfs-4.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
      
      Pull eCryptfs fixes from Tyler Hicks:
       "Minor cleanups and a bug fix to completely ignore unencrypted
        filenames in the lower filesystem when filename encryption is enabled
        at the eCryptfs layer"
      
      * tag 'ecryptfs-4.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
        eCryptfs: don't pass up plaintext names when using filename encryption
        ecryptfs: fix spelling mistake: "cadidate" -> "candidate"
        ecryptfs: lookup: Don't check if mount_crypt_stat is NULL
      43f70c96
    • L
      Merge tag 'for_v4.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 0d9cf33b
      Linus Torvalds 提交于
       - isofs memory leak fix
      
       - two fsnotify fixes of event mask handling
      
       - udf fix of UTF-16 handling
      
       - couple other smaller cleanups
      
      * tag 'for_v4.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: Fix leak of UTF-16 surrogates into encoded strings
        fs: ext2: Adding new return type vm_fault_t
        isofs: fix potential memory leak in mount option parsing
        MAINTAINERS: add an entry for FSNOTIFY infrastructure
        fsnotify: fix typo in a comment about mark->g_list
        fsnotify: fix ignore mask logic in send_to_group()
        isofs compress: Remove VLA usage
        fs: quota: Replace GFP_ATOMIC with GFP_KERNEL in dquot_init
        fanotify: fix logic of events on child
      0d9cf33b
  3. 20 4月, 2018 22 次提交