1. 12 4月, 2018 1 次提交
    • J
      sr: get/drop reference to device in revalidate and check_events · 2d097c50
      Jens Axboe 提交于
      We can't just use scsi_cd() to get the scsi_cd structure, we have
      to grab a live reference to the device. For both callbacks, we're
      not inside an open where we already hold a reference to the device.
      
      This fixes device removal/addition under concurrent device access,
      which otherwise could result in the below oops.
      
      NULL pointer dereference at 0000000000000010
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in:
      sr 12:0:0:0: [sr2] scsi-1 drive
       scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl
      sr 12:0:0:0: Attached scsi CD-ROM sr2
       sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc
      sr 12:0:0:0: Attached scsi generic sg7 type 5
       igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif]
      CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650
      Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016
      RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod]
      RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292
      RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66
      RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000
      RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000
      R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d
      R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000
      FS:  00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ? __invalidate_device+0x48/0x60
       check_disk_change+0x4c/0x60
       sr_block_open+0x16/0xd0 [sr_mod]
       __blkdev_get+0xb9/0x450
       ? iget5_locked+0x1c0/0x1e0
       blkdev_get+0x11e/0x320
       ? bdget+0x11d/0x150
       ? _raw_spin_unlock+0xa/0x20
       ? bd_acquire+0xc0/0xc0
       do_dentry_open+0x1b0/0x320
       ? inode_permission+0x24/0xc0
       path_openat+0x4e6/0x1420
       ? cpumask_any_but+0x1f/0x40
       ? flush_tlb_mm_range+0xa0/0x120
       do_filp_open+0x8c/0xf0
       ? __seccomp_filter+0x28/0x230
       ? _raw_spin_unlock+0xa/0x20
       ? __handle_mm_fault+0x7d6/0x9b0
       ? list_lru_add+0xa8/0xc0
       ? _raw_spin_unlock+0xa/0x20
       ? __alloc_fd+0xaf/0x160
       ? do_sys_open+0x1a6/0x230
       do_sys_open+0x1a6/0x230
       do_syscall_64+0x5a/0x100
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Reviewed-by: NLee Duncan <lduncan@suse.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      2d097c50
  2. 10 4月, 2018 2 次提交
    • O
      loop: fix LOOP_GET_STATUS lock imbalance · bdac616d
      Omar Sandoval 提交于
      Commit 2d1d4c1e made loop_get_status() drop lo_ctx_mutex before
      returning, but the loop_get_status_old(), loop_get_status64(), and
      loop_get_status_compat() wrappers don't call loop_get_status() if the
      passed argument is NULL. The callers expect that the lock is dropped, so
      make sure we drop it in that case, too.
      
      Reported-by: syzbot+31e8daa8b3fc129e75f2@syzkaller.appspotmail.com
      Fixes: 2d1d4c1e ("loop: don't call into filesystem while holding lo_ctl_mutex")
      Signed-off-by: NOmar Sandoval <osandov@fb.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      bdac616d
    • T
      block/loop: fix deadlock after loop_set_status · 1e047eaa
      Tetsuo Handa 提交于
      syzbot is reporting deadlocks at __blkdev_get() [1].
      
      ----------------------------------------
      [   92.493919] systemd-udevd   D12696   525      1 0x00000000
      [   92.495891] Call Trace:
      [   92.501560]  schedule+0x23/0x80
      [   92.502923]  schedule_preempt_disabled+0x5/0x10
      [   92.504645]  __mutex_lock+0x416/0x9e0
      [   92.510760]  __blkdev_get+0x73/0x4f0
      [   92.512220]  blkdev_get+0x12e/0x390
      [   92.518151]  do_dentry_open+0x1c3/0x2f0
      [   92.519815]  path_openat+0x5d9/0xdc0
      [   92.521437]  do_filp_open+0x7d/0xf0
      [   92.527365]  do_sys_open+0x1b8/0x250
      [   92.528831]  do_syscall_64+0x6e/0x270
      [   92.530341]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      [   92.931922] 1 lock held by systemd-udevd/525:
      [   92.933642]  #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x73/0x4f0
      ----------------------------------------
      
      The reason of deadlock turned out that wait_event_interruptible() in
      blk_queue_enter() got stuck with bdev->bd_mutex held at __blkdev_put()
      due to q->mq_freeze_depth == 1.
      
      ----------------------------------------
      [   92.787172] a.out           S12584   634    633 0x80000002
      [   92.789120] Call Trace:
      [   92.796693]  schedule+0x23/0x80
      [   92.797994]  blk_queue_enter+0x3cb/0x540
      [   92.803272]  generic_make_request+0xf0/0x3d0
      [   92.807970]  submit_bio+0x67/0x130
      [   92.810928]  submit_bh_wbc+0x15e/0x190
      [   92.812461]  __block_write_full_page+0x218/0x460
      [   92.815792]  __writepage+0x11/0x50
      [   92.817209]  write_cache_pages+0x1ae/0x3d0
      [   92.825585]  generic_writepages+0x5a/0x90
      [   92.831865]  do_writepages+0x43/0xd0
      [   92.836972]  __filemap_fdatawrite_range+0xc1/0x100
      [   92.838788]  filemap_write_and_wait+0x24/0x70
      [   92.840491]  __blkdev_put+0x69/0x1e0
      [   92.841949]  blkdev_close+0x16/0x20
      [   92.843418]  __fput+0xda/0x1f0
      [   92.844740]  task_work_run+0x87/0xb0
      [   92.846215]  do_exit+0x2f5/0xba0
      [   92.850528]  do_group_exit+0x34/0xb0
      [   92.852018]  SyS_exit_group+0xb/0x10
      [   92.853449]  do_syscall_64+0x6e/0x270
      [   92.854944]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      [   92.943530] 1 lock held by a.out/634:
      [   92.945105]  #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x3c/0x1e0
      ----------------------------------------
      
      The reason of q->mq_freeze_depth == 1 turned out that loop_set_status()
      forgot to call blk_mq_unfreeze_queue() at error paths for
      info->lo_encrypt_type != NULL case.
      
      ----------------------------------------
      [   37.509497] CPU: 2 PID: 634 Comm: a.out Tainted: G        W        4.16.0+ #457
      [   37.513608] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [   37.518832] RIP: 0010:blk_freeze_queue_start+0x17/0x40
      [   37.521778] RSP: 0018:ffffb0c2013e7c60 EFLAGS: 00010246
      [   37.524078] RAX: 0000000000000000 RBX: ffff8b07b1519798 RCX: 0000000000000000
      [   37.527015] RDX: 0000000000000002 RSI: ffffb0c2013e7cc0 RDI: ffff8b07b1519798
      [   37.529934] RBP: ffffb0c2013e7cc0 R08: 0000000000000008 R09: 47a189966239b898
      [   37.532684] R10: dad78b99b278552f R11: 9332dca72259d5ef R12: ffff8b07acd73678
      [   37.535452] R13: 0000000000004c04 R14: 0000000000000000 R15: ffff8b07b841e940
      [   37.538186] FS:  00007fede33b9740(0000) GS:ffff8b07b8e80000(0000) knlGS:0000000000000000
      [   37.541168] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   37.543590] CR2: 00000000206fdf18 CR3: 0000000130b30006 CR4: 00000000000606e0
      [   37.546410] Call Trace:
      [   37.547902]  blk_freeze_queue+0x9/0x30
      [   37.549968]  loop_set_status+0x67/0x3c0 [loop]
      [   37.549975]  loop_set_status64+0x3b/0x70 [loop]
      [   37.549986]  lo_ioctl+0x223/0x810 [loop]
      [   37.549995]  blkdev_ioctl+0x572/0x980
      [   37.550003]  block_ioctl+0x34/0x40
      [   37.550006]  do_vfs_ioctl+0xa7/0x6d0
      [   37.550017]  ksys_ioctl+0x6b/0x80
      [   37.573076]  SyS_ioctl+0x5/0x10
      [   37.574831]  do_syscall_64+0x6e/0x270
      [   37.576769]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
      ----------------------------------------
      
      [1] https://syzkaller.appspot.com/bug?id=cd662bc3f6022c0979d01a262c318fab2ee9b56fSigned-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: Nsyzbot <bot+48594378e9851eab70bcd6f99327c7db58c5a28a@syzkaller.appspotmail.com>
      Fixes: ecdd0959 ("block/loop: fix race between I/O and set_status")
      Cc: Ming Lei <tom.leiming@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: stable <stable@vger.kernel.org>
      Cc: Jens Axboe <axboe@fb.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      1e047eaa
  3. 06 4月, 2018 1 次提交
    • K
      kernel.h: Retain constant expression output for max()/min() · 3c8ba0d6
      Kees Cook 提交于
      In the effort to remove all VLAs from the kernel[1], it is desirable to
      build with -Wvla.  However, this warning is overly pessimistic, in that
      it is only happy with stack array sizes that are declared as constant
      expressions, and not constant values.  One case of this is the
      evaluation of the max() macro which, due to its construction, ends up
      converting constant expression arguments into a constant value result.
      
      All attempts to rewrite this macro with __builtin_constant_p() failed
      with older compilers (e.g.  gcc 4.4)[2].  However, Martin Uecker,
      constructed[3] a mind-shattering solution that works everywhere.
      Cthulhu fhtagn!
      
      This patch updates the min()/max() macros to evaluate to a constant
      expression when called on constant expression arguments.  This removes
      several false-positive stack VLA warnings from an x86 allmodconfig build
      when -Wvla is added:
      
        $ diff -u before.txt after.txt | grep ^-
        -drivers/input/touchscreen/cyttsp4_core.c:871:2: warning: ISO C90 forbids variable length array ‘ids’ [-Wvla]
        -fs/btrfs/tree-checker.c:344:4: warning: ISO C90 forbids variable length array ‘namebuf’ [-Wvla]
        -lib/vsprintf.c:747:2: warning: ISO C90 forbids variable length array ‘sym’ [-Wvla]
        -net/ipv4/proc.c:403:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla]
        -net/ipv6/proc.c:198:2: warning: ISO C90 forbids variable length array ‘buff’ [-Wvla]
        -net/ipv6/proc.c:218:2: warning: ISO C90 forbids variable length array ‘buff64’ [-Wvla]
      
      This also updates two cases where different enums were being compared
      and explicitly casts them to int (which matches the old side-effect of
      the single-evaluation code): one in tpm/tpm_tis_core.h, and one in
      drm/drm_color_mgmt.c.
      
       [1] https://lkml.org/lkml/2018/3/7/621
       [2] https://lkml.org/lkml/2018/3/10/170
       [3] https://lkml.org/lkml/2018/3/20/845Co-Developed-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Co-Developed-by: NMartin Uecker <Martin.Uecker@med.uni-goettingen.de>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Acked-by: NIngo Molnar <mingo@kernel.org>
      Acked-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3c8ba0d6
  4. 05 4月, 2018 3 次提交
    • O
      Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad · 04bb1719
      Ondrej Zary 提交于
      The touch sensor buttons on Sony VAIO VGN-CS series laptops (e.g.
      VGN-CS31S) are a separate PS/2 device. As the MUX is disabled for all
      VAIO machines by the nomux blacklist, the data from touch sensor
      buttons and touchpad are combined. The protocol used by the buttons is
      probably similar to the touchpad protocol (both are Synaptics) so both
      devices get enabled. The controller combines the data, creating a mess
      which results in random button clicks, touchpad stopping working and
      lost sync error messages:
      psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 4
      psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
      psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
      psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
      psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
      psmouse serio1: issuing reconnect request
      
      Add a new i8042_dmi_forcemux_table whitelist with VGN-CS.
      With MUX enabled, touch sensor buttons are detected as separate device
      (and left disabled as there's currently no driver), fixing all touchpad
      problems.
      Signed-off-by: NOndrej Zary <linux@rainbow-software.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      04bb1719
    • A
      netdevsim: remove incorrect __net_initdata annotations · 87248d31
      Arnd Bergmann 提交于
      The __net_initdata section cannot currently be used for structures that
      get cleaned up in an exitcall using unregister_pernet_operations:
      
      WARNING: vmlinux.o(.text+0x868c34): Section mismatch in reference from the function nsim_devlink_exit() to the (unknown reference) .init.data:(unknown)
      The function nsim_devlink_exit() references
      the (unknown reference) __initdata (unknown).
      This is often because nsim_devlink_exit lacks a __initdata
      annotation or the annotation of (unknown) is wrong.
      WARNING: vmlinux.o(.text+0x868c64): Section mismatch in reference from the function nsim_devlink_init() to the (unknown reference) .init.data:(unknown)
      WARNING: vmlinux.o(.text+0x8692bc): Section mismatch in reference from the function nsim_fib_exit() to the (unknown reference) .init.data:(unknown)
      WARNING: vmlinux.o(.text+0x869300): Section mismatch in reference from the function nsim_fib_init() to the (unknown reference) .init.data:(unknown)
      
      As that warning tells us, discarding the structure after a module is
      loaded would lead to a undefined behavior when that module is removed.
      
      It might be possible to change that annotation so it has no effect for
      loadable modules, but I have not figured out exactly how to do that, and
      we want this to be fixed in -rc1.
      
      This just removes the annotations, just like we do for all other such
      modules.
      
      Fixes: 37923ed6 ("netdevsim: Add simple FIB resource controller via devlink")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      87248d31
    • B
      sfc: remove ctpio_dmabuf_start from stats · 458bd99e
      Bert Kenward 提交于
      The ctpio_dmabuf_start entry is not actually a stat and shouldn't
      be exposed to ethtool.
      
      Fixes: 2c0b6ee8 ("sfc: expose CTPIO stats on NICs that support them")
      Signed-off-by: NBert Kenward <bkenward@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      458bd99e
  5. 04 4月, 2018 11 次提交
    • A
      nvmem: disallow modular CONFIG_NVMEM · 2a37ce25
      Arnd Bergmann 提交于
      The new of_get_nvmem_mac_address() helper function causes a link error
      with CONFIG_NVMEM=m:
      
      drivers/of/of_net.o: In function `of_get_nvmem_mac_address':
      of_net.c:(.text+0x168): undefined reference to `of_nvmem_cell_get'
      of_net.c:(.text+0x19c): undefined reference to `nvmem_cell_read'
      of_net.c:(.text+0x1a8): undefined reference to `nvmem_cell_put'
      
      I could not come up with a good solution for this, as the code is always
      built-in. Using an #if IS_REACHABLE() check around it would solve the
      link time issue but then stop it from working in that configuration.
      Making of_nvmem_cell_get() an inline function could also solve that, but
      seems a bit ugly since it's somewhat larger than most inline functions,
      and it would just bring that problem into the callers.  Splitting the
      function into a separate file might be an alternative.
      
      This uses the big hammer by making CONFIG_NVMEM itself a 'bool' symbol,
      which avoids the problem entirely but makes the vmlinux larger for anyone
      that might use NVMEM support but doesn't need it built-in otherwise.
      
      Fixes: 9217e566 ("of_net: Implement of_get_nvmem_mac_address helper")
      Cc: Mike Looijmans <mike.looijmans@topic.nl>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: Mike Looijmans
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2a37ce25
    • T
      net: hns3: fix length overflow when CONFIG_ARM64_64K_PAGES · 48d154e7
      Tan Xiaojun 提交于
      When enable the config item "CONFIG_ARM64_64K_PAGES", the size of PAGE_SIZE
      is 65536(64K). But the type of length is u16, it will overflow. So change it
      to u32.
      Signed-off-by: NTan Xiaojun <tanxiaojun@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      48d154e7
    • D
      nfp: use full 40 bits of the NSP buffer address · 1489bbd1
      Dirk van der Merwe 提交于
      The NSP default buffer is a piece of NFP memory where additional
      command data can be placed.  Its format has been copied from
      host buffer, but the PCIe selection bits do not make sense in
      this case.  If those get masked out from a NFP address - writes
      to random place in the chip memory may be issued and crash the
      device.
      
      Even in the general NSP buffer case, it doesn't make sense to have the
      PCIe selection bits there anymore. These are unused at the moment, and
      when it becomes necessary, the PCIe selection bits should rather be
      moved to another register to utilise more bits for the buffer address.
      
      This has never been an issue because the buffer used to be
      allocated in memory with less-than-38-bit-long address but that
      is about to change.
      
      Fixes: 1a64821c ("nfp: add support for service processor access")
      Signed-off-by: NDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1489bbd1
    • A
      lan78xx: Connect phy early · 92571a1a
      Alexander Graf 提交于
      When using wicked with a lan78xx device attached to the system, we
      end up with ethtool commands issued on the device before an ifup
      got issued. That lead to the following crash:
      
          Unable to handle kernel NULL pointer dereference at virtual address 0000039c
          pgd = ffff800035b30000
          [0000039c] *pgd=0000000000000000
          Internal error: Oops: 96000004 [#1] SMP
          Modules linked in: [...]
          Supported: Yes
          CPU: 3 PID: 638 Comm: wickedd Tainted: G            E      4.12.14-0-default #1
          Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018
          task: ffff800035e74180 task.stack: ffff800036718000
          PC is at phy_ethtool_ksettings_get+0x20/0x98
          LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
          pc : [<ffff0000086f7f30>] lr : [<ffff000000dcca84>] pstate: 20000005
          sp : ffff80003671bb20
          x29: ffff80003671bb20 x28: ffff800035e74180
          x27: ffff000008912000 x26: 000000000000001d
          x25: 0000000000000124 x24: ffff000008f74d00
          x23: 0000004000114809 x22: 0000000000000000
          x21: ffff80003671bbd0 x20: 0000000000000000
          x19: ffff80003671bbd0 x18: 000000000000040d
          x17: 0000000000000001 x16: 0000000000000000
          x15: 0000000000000000 x14: ffffffffffffffff
          x13: 0000000000000000 x12: 0000000000000020
          x11: 0101010101010101 x10: fefefefefefefeff
          x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364
          x7 : 0000000080808080 x6 : ffff80003671bc9c
          x5 : ffff80003671b9f8 x4 : ffff80002c296190
          x3 : 0000000000000000 x2 : 0000000000000000
          x1 : ffff80003671bbd0 x0 : ffff80003671bc00
          Process wickedd (pid: 638, stack limit = 0xffff800036718000)
          Call trace:
          Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20)
          b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000
          ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080
          ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101
          ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000
          ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0
          ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809
          baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000
          bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20
          bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900
          bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30
          [<ffff0000086f7f30>] phy_ethtool_ksettings_get+0x20/0x98
          [<ffff000000dcca84>] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
          [<ffff0000087cbc40>] ethtool_get_settings+0x68/0x210
          [<ffff0000087cc0d4>] dev_ethtool+0x214/0x2180
          [<ffff0000087e5008>] dev_ioctl+0x400/0x630
          [<ffff00000879dd00>] sock_do_ioctl+0x70/0x88
          [<ffff00000879f5f8>] sock_ioctl+0x208/0x368
          [<ffff0000082cde10>] do_vfs_ioctl+0xb0/0x848
          [<ffff0000082ce634>] SyS_ioctl+0x8c/0xa8
          Exception stack(0xffff80003671bec0 to 0xffff80003671c000)
          bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465
          bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465
          bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f
          bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68
          bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0
          bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000
          bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00
          bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0
          bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d
          bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      
      The culprit is quite simple: The driver tries to access the phy left and right,
      but only actually has a working reference to it when the device is up.
      
      The fix thus is quite simple too: Get a reference to the phy on probe already
      and keep it even when the device is going down.
      
      With this patch applied, I can successfully run wicked on my system and bring
      the interface up and down as many times as I want, without getting NULL pointer
      dereferences in between.
      Signed-off-by: NAlexander Graf <agraf@suse.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      92571a1a
    • J
      nfp: add a separate counter for packets with CHECKSUM_COMPLETE · 0df57e60
      Jakub Kicinski 提交于
      We are currently counting packets with CHECKSUM_COMPLETE as
      "hw_rx_csum_ok".  This is confusing.  Add a new counter.
      To make sure it fits in the same cacheline move the less used
      error counter to a different location.
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0df57e60
    • R
      net: phy: marvell10g: add thermal hwmon device · 0d3ad854
      Russell King 提交于
      Add a thermal monitoring device for the Marvell 88x3310, which updates
      once a second.  We also need to hook into the suspend/resume mechanism
      to ensure that the thermal monitoring is reconfigured when we resume.
      Suggested-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0d3ad854
    • E
      pptp: remove a buggy dst release in pptp_connect() · bfacfb45
      Eric Dumazet 提交于
      Once dst has been cached in socket via sk_setup_caps(),
      it is illegal to call ip_rt_put() (or dst_release()),
      since sk_setup_caps() did not change dst refcount.
      
      We can still dereference it since we hold socket lock.
      
      Caugth by syzbot :
      
      BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
      BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185
      Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088
      
      CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x1a7/0x27d lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report+0x23c/0x360 mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
       kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
       atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
       dst_release+0x27/0xa0 net/core/dst.c:185
       sk_dst_set include/net/sock.h:1812 [inline]
       sk_dst_reset include/net/sock.h:1824 [inline]
       sock_setbindtodevice net/core/sock.c:610 [inline]
       sock_setsockopt+0x431/0x1b20 net/core/sock.c:707
       SYSC_setsockopt net/socket.c:1845 [inline]
       SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x4552d9
      RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9
      RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013
      RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
      R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000
      
      Allocated by task 20088:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:447
       set_track mm/kasan/kasan.c:459 [inline]
       kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
       kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
       kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
       dst_alloc+0x11f/0x1a0 net/core/dst.c:104
       rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520
       __mkroute_output net/ipv4/route.c:2265 [inline]
       ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493
       ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322
       __ip_route_output_key include/net/route.h:126 [inline]
       ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577
       ip_route_output_ports include/net/route.h:163 [inline]
       pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453
       SYSC_connect+0x213/0x4a0 net/socket.c:1639
       SyS_connect+0x24/0x30 net/socket.c:1620
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Freed by task 20082:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:447
       set_track mm/kasan/kasan.c:459 [inline]
       __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
       kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
       __cache_free mm/slab.c:3486 [inline]
       kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
       dst_destroy+0x266/0x380 net/core/dst.c:140
       dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
       __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
       rcu_do_batch kernel/rcu/tree.c:2675 [inline]
       invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
       __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
       rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914
       __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
      
      The buggy address belongs to the object at ffff8801c54dc000
       which belongs to the cache ip_dst_cache of size 168
      The buggy address is located 64 bytes inside of
       168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
      The buggy address belongs to the page:
      page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
      flags: 0x2fffc0000000100(slab)
      raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
      raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
      page dumped because: kasan: bad access detected
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bfacfb45
    • F
      net: dsa: mt7530: Use NULL instead of plain integer · 18bd5949
      Florian Fainelli 提交于
      We would be passing 0 instead of NULL as the rsp argument to
      mt7530_fdb_cmd(), fix that.
      
      Fixes: b8f126a8 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NSean Wang <sean.wang@mediatek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      18bd5949
    • F
      net: dsa: b53: Fix sparse warnings in b53_mmap.c · 861690d0
      Florian Fainelli 提交于
      sparse complains about the following warnings:
      
      drivers/net/dsa/b53/b53_mmap.c:33:31: warning: incorrect type in
      initializer (different address spaces)
      drivers/net/dsa/b53/b53_mmap.c:33:31:    expected unsigned char
      [noderef] [usertype] <asn:2>*regs
      drivers/net/dsa/b53/b53_mmap.c:33:31:    got void *priv
      
      and indeed, while what we are doing is functional, we are dereferencing
      a void * pointer into a void __iomem * which is not great. Just use the
      defined b53_mmap_priv structure which holds our register base and use
      that.
      
      Fixes: 967dd82f ("net: dsa: b53: Add support for Broadcom RoboSwitch")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      861690d0
    • F
      net: systemport: Fix sparse warnings in bcm_sysport_insert_tsb() · c0eb0558
      Florian Fainelli 提交于
      skb->protocol is a __be16 which we would be calling htons() against,
      while this is not wrong per-se as it correctly results in swapping the
      value on LE hosts, this still upsets sparse. Adopt a similar pattern to
      what other drivers do and just assign ip_ver to skb->protocol, and then
      use htons() against the different constants such that the compiler can
      resolve the values at build time.
      
      Fixes: 80105bef ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c0eb0558
    • F
      net: bcmgenet: Fix sparse warnings in bcmgenet_put_tx_csum() · 6f894211
      Florian Fainelli 提交于
      skb->protocol is a __be16 which we would be calling htons() against,
      while this is not wrong per-se as it correctly results in swapping the
      value on LE hosts, this still upsets sparse. Adopt a similar pattern to
      what other drivers do and just assign ip_ver to skb->protocol, and then
      use htons() against the different constants such that the compiler can
      resolve the values at build time.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6f894211
  6. 03 4月, 2018 6 次提交
  7. 02 4月, 2018 16 次提交