1. 13 9月, 2017 3 次提交
    • E
      tcp/dccp: remove reqsk_put() from inet_child_forget() · da8ab578
      Eric Dumazet 提交于
      Back in linux-4.4, I inadvertently put a call to reqsk_put() in
      inet_child_forget(), forgetting it could be called from two different
      points.
      
      In the case it is called from inet_csk_reqsk_queue_add(), we want to
      keep the reference on the request socket, since it is released later by
      the caller (tcp_v{4|6}_rcv())
      
      This bug never showed up because atomic_dec_and_test() was not signaling
      the underflow, and SLAB_DESTROY_BY RCU semantic for request sockets
      prevented the request to be put in quarantine.
      
      Recent conversion of socket refcount from atomic_t to refcount_t finally
      exposed the bug.
      
      So move the reqsk_put() to inet_csk_listen_stop() to fix this.
      
      Thanks to Shankara Pailoor for using syzkaller and providing
      a nice set of .config and C repro.
      
      WARNING: CPU: 2 PID: 4277 at lib/refcount.c:186
      refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:186
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 2 PID: 4277 Comm: syz-executor0 Not tainted 4.13.0-rc7 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0xf7/0x1aa lib/dump_stack.c:52
       panic+0x1ae/0x3a7 kernel/panic.c:180
       __warn+0x1c4/0x1d9 kernel/panic.c:541
       report_bug+0x211/0x2d0 lib/bug.c:183
       fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
       do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
       do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
       do_error_trap+0x118/0x340 arch/x86/kernel/traps.c:310
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
       invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:846
      RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:186
      RSP: 0018:ffff88006e006b60 EFLAGS: 00010286
      RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: 1ffff1000dc00d2c RDI: ffffed000dc00d60
      RBP: ffff88006e006bf0 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000dc00d6d
      R13: 00000000ffffffff R14: 0000000000000001 R15: ffff88006ce9d340
       refcount_dec_and_test+0x1a/0x20 lib/refcount.c:211
       reqsk_put+0x71/0x2b0 include/net/request_sock.h:123
       tcp_v4_rcv+0x259e/0x2e20 net/ipv4/tcp_ipv4.c:1729
       ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:248 [inline]
       ip_local_deliver+0x1ce/0x6d0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:477 [inline]
       ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:248 [inline]
       ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488
       __netif_receive_skb_core+0x1fb7/0x31f0 net/core/dev.c:4298
       __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4336
       process_backlog+0x1c5/0x6d0 net/core/dev.c:5102
       napi_poll net/core/dev.c:5499 [inline]
       net_rx_action+0x6d3/0x14a0 net/core/dev.c:5565
       __do_softirq+0x2cb/0xb2d kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:898
       </IRQ>
       do_softirq.part.16+0x63/0x80 kernel/softirq.c:328
       do_softirq kernel/softirq.c:176 [inline]
       __local_bh_enable_ip+0x84/0x90 kernel/softirq.c:181
       local_bh_enable include/linux/bottom_half.h:31 [inline]
       rcu_read_unlock_bh include/linux/rcupdate.h:705 [inline]
       ip_finish_output2+0x8ad/0x1360 net/ipv4/ip_output.c:231
       ip_finish_output+0x74e/0xb80 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:237 [inline]
       ip_output+0x1cc/0x850 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:471 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x8c6/0x1810 net/ipv4/ip_output.c:504
       tcp_transmit_skb+0x1963/0x3320 net/ipv4/tcp_output.c:1123
       tcp_send_ack.part.35+0x38c/0x620 net/ipv4/tcp_output.c:3575
       tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3545
       tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:5795 [inline]
       tcp_rcv_state_process+0x4876/0x4b60 net/ipv4/tcp_input.c:5930
       tcp_v4_do_rcv+0x58a/0x820 net/ipv4/tcp_ipv4.c:1483
       sk_backlog_rcv include/net/sock.h:907 [inline]
       __release_sock+0x124/0x360 net/core/sock.c:2223
       release_sock+0xa4/0x2a0 net/core/sock.c:2715
       inet_wait_for_connect net/ipv4/af_inet.c:557 [inline]
       __inet_stream_connect+0x671/0xf00 net/ipv4/af_inet.c:643
       inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:682
       SYSC_connect+0x204/0x470 net/socket.c:1628
       SyS_connect+0x24/0x30 net/socket.c:1609
       entry_SYSCALL_64_fastpath+0x18/0xad
      RIP: 0033:0x451e59
      RSP: 002b:00007f474843fc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002a
      RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
      RDX: 0000000000000010 RSI: 0000000020002000 RDI: 0000000000000007
      RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
      R13: 00007ffc040a0f8f R14: 00007f47484409c0 R15: 0000000000000000
      
      Fixes: ebb516af ("tcp/dccp: fix race at listener dismantle phase")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NShankara Pailoor <sp3485@columbia.edu>
      Tested-by: NShankara Pailoor <sp3485@columbia.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      da8ab578
    • C
      openvswitch: Fix an error handling path in 'ovs_nla_init_match_and_action()' · 5829e62a
      Christophe JAILLET 提交于
      All other error handling paths in this function go through the 'error'
      label. This one should do the same.
      
      Fixes: 9cc9a5cb ("datapath: Avoid using stack larger than 1024.")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Acked-by: NPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5829e62a
    • N
      smsc95xx: Configure pause time to 0xffff when tx flow control enabled · 9c082731
      Nisar Sayed 提交于
      Configure pause time to 0xffff when tx flow control enabled
      
      Set pause time to 0xffff in the pause frame to indicate the
      partner to stop sending the packets. When RX buffer frees up,
      the device sends pause frame with pause time zero for partner to
      resume transmission.
      
      Fixes: 2f7ca802 ("Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
      Signed-off-by: NNisar Sayed <Nisar.Sayed@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9c082731
  2. 12 9月, 2017 8 次提交
  3. 10 9月, 2017 7 次提交
    • D
      net: qualcomm: rmnet: Fix a double free · 1f4f554a
      Dan Carpenter 提交于
      There is a typo here so we accidentally free "skb" instead of "skbn".
      It leads to a double free and a leak.  After discussing with Subash,
      it's better to just move the check before the allocation and avoid the
      need to free.
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1f4f554a
    • L
      Merge tag 'nfsd-4.14' of git://linux-nfs.org/~bfields/linux · ad9a19d0
      Linus Torvalds 提交于
      Pull nfsd updates from Bruce Fields:
       "More RDMA work and some op-structure constification from Chuck Lever,
        and a small cleanup to our xdr encoding"
      
      * tag 'nfsd-4.14' of git://linux-nfs.org/~bfields/linux:
        svcrdma: Estimate Send Queue depth properly
        rdma core: Add rdma_rw_mr_payload()
        svcrdma: Limit RQ depth
        svcrdma: Populate tail iovec when receiving
        nfsd: Incoming xdr_bufs may have content in tail buffer
        svcrdma: Clean up svc_rdma_build_read_chunk()
        sunrpc: Const-ify struct sv_serv_ops
        nfsd: Const-ify NFSv4 encoding and decoding ops arrays
        sunrpc: Const-ify instances of struct svc_xprt_ops
        nfsd4: individual encoders no longer see error cases
        nfsd4: skip encoder in trivial error cases
        nfsd4: define ->op_release for compound ops
        nfsd4: opdesc will be useful outside nfs4proc.c
        nfsd4: move some nfsd4 op definitions to xdr4.h
      ad9a19d0
    • L
      Merge branch 'for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 66ba772e
      Linus Torvalds 提交于
      Pull btrfs updates from David Sterba:
       "The changes range through all types: cleanups, core chagnes, sanity
        checks, fixes, other user visible changes, detailed list below:
      
         - deprecated: user transaction ioctl
      
         - mount option ssd does not change allocation alignments
      
         - degraded read-write mount is allowed if all the raid profile
           constraints are met, now based on more accurate check
      
         - defrag: do not reset compression afterwards; the NOCOMPRESS flag
           can be now overriden by defrag
      
         - prep work for better extent reference tracking (related to the
           qgroup slowness with balance)
      
         - prep work for compression heuristics
      
         - memory allocation reductions (may help latencies on a loaded
           system)
      
         - better accounting for io waiting states
      
         - error handling improvements (removed BUGs)
      
         - added more sanity checks for shared refs
      
         - fix readdir vs pagefault deadlock under some circumstances
      
         - fix for 'no-hole' mode, certain combination of compressed and
           inline extents
      
         - send: fix emission of invalid clone operations
      
         - fixup file mode if setting acls fail
      
         - more fixes from fuzzing
      
         - oher cleanups"
      
      * 'for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: (104 commits)
        btrfs: submit superblock io with REQ_META and REQ_PRIO
        btrfs: remove unnecessary memory barrier in btrfs_direct_IO
        btrfs: remove superfluous chunk_tree argument from btrfs_alloc_dev_extent
        btrfs: Remove chunk_objectid parameter of btrfs_alloc_dev_extent
        btrfs: pass fs_info to btrfs_del_root instead of tree_root
        Btrfs: add one more sanity check for shared ref type
        Btrfs: remove BUG_ON in __add_tree_block
        Btrfs: remove BUG() in add_data_reference
        Btrfs: remove BUG() in print_extent_item
        Btrfs: remove BUG() in btrfs_extent_inline_ref_size
        Btrfs: convert to use btrfs_get_extent_inline_ref_type
        Btrfs: add a helper to retrive extent inline ref type
        btrfs: scrub: simplify scrub worker initialization
        btrfs: scrub: clean up division in scrub_find_csum
        btrfs: scrub: clean up division in __scrub_mark_bitmap
        btrfs: scrub: use bool for flush_all_writes
        btrfs: preserve i_mode if __btrfs_set_acl() fails
        btrfs: Remove extraneous chunk_objectid variable
        btrfs: Remove chunk_objectid argument from btrfs_make_block_group
        btrfs: Remove extra parentheses from condition in copy_items()
        ...
      66ba772e
    • L
      Merge branch 'for-4.14/block-postmerge' of git://git.kernel.dk/linux-block · 126e76ff
      Linus Torvalds 提交于
      Pull followup block layer updates from Jens Axboe:
       "I ended up splitting the main pull request for this series into two,
        mainly because of clashes between NVMe fixes that went into 4.13 after
        the for-4.14 branches were split off. This pull request is mostly
        NVMe, but not exclusively. In detail, it contains:
      
         - Two pull request for NVMe changes from Christoph. Nothing new on
           the feature front, basically just fixes all over the map for the
           core bits, transport, rdma, etc.
      
         - Series from Bart, cleaning up various bits in the BFQ scheduler.
      
         - Series of bcache fixes, which has been lingering for a release or
           two. Coly sent this in, but patches from various people in this
           area.
      
         - Set of patches for BFQ from Paolo himself, updating both
           documentation and fixing some corner cases in performance.
      
         - Series from Omar, attempting to now get the 4k loop support
           correct. Our confidence level is higher this time.
      
         - Series from Shaohua for loop as well, improving O_DIRECT
           performance and fixing a use-after-free"
      
      * 'for-4.14/block-postmerge' of git://git.kernel.dk/linux-block: (74 commits)
        bcache: initialize dirty stripes in flash_dev_run()
        loop: set physical block size to logical block size
        bcache: fix bch_hprint crash and improve output
        bcache: Update continue_at() documentation
        bcache: silence static checker warning
        bcache: fix for gc and write-back race
        bcache: increase the number of open buckets
        bcache: Correct return value for sysfs attach errors
        bcache: correct cache_dirty_target in __update_writeback_rate()
        bcache: gc does not work when triggering by manual command
        bcache: Don't reinvent the wheel but use existing llist API
        bcache: do not subtract sectors_to_gc for bypassed IO
        bcache: fix sequential large write IO bypass
        bcache: Fix leak of bdev reference
        block/loop: remove unused field
        block/loop: fix use after free
        bfq: Use icq_to_bic() consistently
        bfq: Suppress compiler warnings about comparisons
        bfq: Check kstrtoul() return value
        bfq: Declare local functions static
        ...
      126e76ff
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fbd01410
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
       "The iwlwifi firmware compat fix is in here as well as some other
        stuff:
      
        1) Fix request socket leak introduced by BPF deadlock fix, from Eric
           Dumazet.
      
        2) Fix VLAN handling with TXQs in mac80211, from Johannes Berg.
      
        3) Missing __qdisc_drop conversions in prio and qfq schedulers, from
           Gao Feng.
      
        4) Use after free in netlink nlk groups handling, from Xin Long.
      
        5) Handle MTU update properly in ipv6 gre tunnels, from Xin Long.
      
        6) Fix leak of ipv6 fib tables on netns teardown, from Sabrina Dubroca
           with follow-on fix from Eric Dumazet.
      
        7) Need RCU and preemption disabled during generic XDP data patch,
           from John Fastabend"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        bpf: make error reporting in bpf_warn_invalid_xdp_action more clear
        Revert "mdio_bus: Remove unneeded gpiod NULL check"
        bpf: devmap, use cond_resched instead of cpu_relax
        bpf: add support for sockmap detach programs
        net: rcu lock and preempt disable missing around generic xdp
        bpf: don't select potentially stale ri->map from buggy xdp progs
        net: tulip: Constify tulip_tbl
        net: ethernet: ti: netcp_core: no need in netif_napi_del
        davicom: Display proper debug level up to 6
        net: phy: sfp: rename dt properties to match the binding
        dt-binding: net: sfp binding documentation
        dt-bindings: add SFF vendor prefix
        dt-bindings: net: don't confuse with generic PHY property
        ip6_tunnel: fix setting hop_limit value for ipv6 tunnel
        ip_tunnel: fix setting ttl and tos value in collect_md mode
        ipv6: fix typo in fib6_net_exit()
        tcp: fix a request socket leak
        sctp: fix missing wake ups in some situations
        netfilter: xt_hashlimit: fix build error caused by 64bit division
        netfilter: xt_hashlimit: alloc hashtable with right size
        ...
      fbd01410
    • L
      Merge branch 'akpm' (patches from Andrew) · fbf4432f
      Linus Torvalds 提交于
      Merge more updates from Andrew Morton:
      
       - most of the rest of MM
      
       - a small number of misc things
      
       - lib/ updates
      
       - checkpatch
      
       - autofs updates
      
       - ipc/ updates
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (126 commits)
        ipc: optimize semget/shmget/msgget for lots of keys
        ipc/sem: play nicer with large nsops allocations
        ipc/sem: drop sem_checkid helper
        ipc: convert kern_ipc_perm.refcount from atomic_t to refcount_t
        ipc: convert sem_undo_list.refcnt from atomic_t to refcount_t
        ipc: convert ipc_namespace.count from atomic_t to refcount_t
        kcov: support compat processes
        sh: defconfig: cleanup from old Kconfig options
        mn10300: defconfig: cleanup from old Kconfig options
        m32r: defconfig: cleanup from old Kconfig options
        drivers/pps: use surrounding "if PPS" to remove numerous dependency checks
        drivers/pps: aesthetic tweaks to PPS-related content
        cpumask: make cpumask_next() out-of-line
        kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
        kmod: split off umh headers into its own file
        MAINTAINERS: clarify kmod is just a kernel module loader
        kmod: split out umh code into its own file
        test_kmod: flip INT checks to be consistent
        test_kmod: remove paranoid UINT_MAX check on uint range processing
        vfat: deduplicate hex2bin()
        ...
      fbf4432f
    • L
      remove gperf left-overs from build system · c054be10
      Linus Torvalds 提交于
      I removed all the gperf use, but not the Makefile rules.  Sam Ravnborg
      says I get bonus points for cleaning this up.  I'll hold him to it.
      Requested-by: NSam Ravnborg <sam@ravnborg.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c054be10
  4. 09 9月, 2017 22 次提交