1. 19 5月, 2017 10 次提交
  2. 18 5月, 2017 29 次提交
    • I
      mlxsw: spectrum: Avoid possible NULL pointer dereference · c0e01eac
      Ido Schimmel 提交于
      In case we got an FDB notification for a port that doesn't exist we
      execute an FDB entry delete to prevent it from re-appearing the next
      time we poll for notifications.
      
      If the operation failed we would trigger a NULL pointer dereference as
      'mlxsw_sp_port' is NULL.
      
      Fix it by reporting the error using the underlying bus device instead.
      
      Fixes: 12f1501e ("mlxsw: spectrum: remove FDB entry in case we get unknown object notification")
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c0e01eac
    • G
      sh_eth: Do not print an error message for probe deferral · b7ce520e
      Geert Uytterhoeven 提交于
      EPROBE_DEFER is not an error, hence printing an error message like
      
          sh-eth ee700000.ethernet: failed to initialise MDIO
      
      may confuse the user.
      
      To fix this, suppress the error message in case of probe deferral.
      While at it, shorten the message, and add the actual error code.
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7ce520e
    • G
      sh_eth: Use platform device for printing before register_netdev() · 5f5c5449
      Geert Uytterhoeven 提交于
      The MDIO initialization failure message is printed using the network
      device, before it has been registered, leading to:
      
           (null): failed to initialise MDIO
      
      Use the platform device instead to fix this:
      
          sh-eth ee700000.ethernet: failed to initialise MDIO
      
      Fixes: daacf03f ("sh_eth: Register MDIO bus before registering the network device")
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5f5c5449
    • D
      Merge branch 'mlxsw-fixes' · b16c4c48
      David S. Miller 提交于
      Jiri Pirko says:
      
      ====================
      mlxsw: couple of fixes
      
      Couple of fixes from Arkadi
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b16c4c48
    • A
      mlxsw: spectrum_router: Fix rif counter freeing routine · 6b1206bb
      Arkadi Sharshevsky 提交于
      During rif counter freeing the counter index can be invalid. Add check
      of validity before freeing the counter.
      
      Fixes: e0c0afd8 ("mlxsw: spectrum: Support for counters on router interfaces")
      Signed-off-by: NArkadi Sharshevsky <arkadis@mellanox.com>
      Signed-off-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b1206bb
    • A
      mlxsw: spectrum_dpipe: Fix incorrect entry index · 6dd4aba3
      Arkadi Sharshevsky 提交于
      In case of disabled counters the entry index will be incorrect. Fix this
      by moving the entry index set before the counter status check.
      
      Fixes: 2ba5999f ("mlxsw: spectrum: Add Support for erif table entries access")
      Signed-off-by: NArkadi Sharshevsky <arkadis@mellanox.com>
      Reviewed-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6dd4aba3
    • B
      drm/atmel-hlcdc: Fix output initialization · 6bee9b78
      Boris Brezillon 提交于
      drm_of_find_panel_or_bridge() is expecting np to point to the encoder
      node, not the bridge or panel this encoder is feeding.
      Moreover, the endpoint parameter passed to drm_of_find_panel_or_bridge()
      is always set to zero, which prevents us from probing all outputs.
      
      We also move the atmel_hlcdc_rgb_output allocation after the
      panel/bridge detection to avoid useless allocations.
      Reported-by: NAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Fixes: ebc94461 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
      Signed-off-by: NBoris Brezillon <boris.brezillon@free-electrons.com>
      Tested-by: NAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: NSean Paul <seanpaul@chromium.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/1495110921-4032-1-git-send-email-boris.brezillon@free-electrons.com
      6bee9b78
    • A
      gpu: host1x: select IOMMU_IOVA · 52499a6a
      Arnd Bergmann 提交于
      When IOMMU_IOVA is not built-in but host1x is, we get a link error:
      
      drivers/gpu/host1x/dev.o: In function `host1x_remove':
      dev.c:(.text.host1x_remove+0x50): undefined reference to `put_iova_domain'
      drivers/gpu/host1x/dev.o: In function `host1x_probe':
      dev.c:(.text.host1x_probe+0x31c): undefined reference to `init_iova_domain'
      dev.c:(.text.host1x_probe+0x38c): undefined reference to `put_iova_domain'
      drivers/gpu/host1x/cdma.o: In function `host1x_cdma_init':
      cdma.c:(.text.host1x_cdma_init+0x238): undefined reference to `alloc_iova'
      cdma.c:(.text.host1x_cdma_init+0x2c0): undefined reference to `__free_iova'
      drivers/gpu/host1x/cdma.o: In function `host1x_cdma_deinit':
      cdma.c:(.text.host1x_cdma_deinit+0xb0): undefined reference to `free_iova'
      
      This adds the same select statement that we have for drm_tegra.
      
      Fixes: 404bfb78 ("gpu: host1x: Add IOMMU support")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NMikko Perttunen <mperttunen@nvidia.com>
      Signed-off-by: NSean Paul <seanpaul@chromium.org>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170419182449.885312-1-arnd@arndb.de
      52499a6a
    • G
      cxgb4: update latest firmware version supported · 1ac91bff
      Ganesh Goudar 提交于
      Change t4fw_version.h to update latest firmware version
      number to 1.16.43.0.
      Signed-off-by: NGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ac91bff
    • B
      qmi_wwan: add another Lenovo EM74xx device ID · 486181bc
      Bjørn Mork 提交于
      In their infinite wisdom, and never ending quest for end user frustration,
      Lenovo has decided to use a new USB device ID for the wwan modules in
      their 2017 laptops.  The actual hardware is still the Sierra Wireless
      EM7455 or EM7430, depending on region.
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      486181bc
    • E
      sctp: do not inherit ipv6_{mc|ac|fl}_list from parent · fdcee2cb
      Eric Dumazet 提交于
      SCTP needs fixes similar to 83eaddab ("ipv6/dccp: do not inherit
      ipv6_mc_list from parent"), otherwise bad things can happen.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fdcee2cb
    • P
      udp: make *udp*_queue_rcv_skb() functions static · a3f96c47
      Paolo Abeni 提交于
      Since the udp memory accounting refactor, we don't need any more
      to export the *udp*_queue_rcv_skb(). Make them static and fix
      a couple of sparse warnings:
      
      net/ipv4/udp.c:1615:5: warning: symbol 'udp_queue_rcv_skb' was not
      declared. Should it be static?
      net/ipv6/udp.c:572:5: warning: symbol 'udpv6_queue_rcv_skb' was not
      declared. Should it be static?
      
      Fixes: 850cbadd ("udp: use it's own memory accounting schema")
      Fixes: c915fe13 ("udplite: fix NULL pointer dereference")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a3f96c47
    • T
      bridge: netlink: check vlan_default_pvid range · a2858602
      Tobias Jungel 提交于
      Currently it is allowed to set the default pvid of a bridge to a value
      above VLAN_VID_MASK (0xfff). This patch adds a check to br_validate and
      returns -EINVAL in case the pvid is out of bounds.
      
      Reproduce by calling:
      
      [root@test ~]# ip l a type bridge
      [root@test ~]# ip l a type dummy
      [root@test ~]# ip l s bridge0 type bridge vlan_filtering 1
      [root@test ~]# ip l s bridge0 type bridge vlan_default_pvid 9999
      [root@test ~]# ip l s dummy0 master bridge0
      [root@test ~]# bridge vlan
      port	vlan ids
      bridge0	 9999 PVID Egress Untagged
      
      dummy0	 9999 PVID Egress Untagged
      
      Fixes: 0f963b75 ("bridge: netlink: add support for default_pvid")
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NTobias Jungel <tobias.jungel@bisdn.de>
      Acked-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a2858602
    • G
      net: ethernet: faraday: To support device tree usage. · 47ab37a1
      Greentime Hu 提交于
      To support device tree usage for ftmac100.
      Signed-off-by: NGreentime Hu <green.hu@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      47ab37a1
    • L
      net: x25: fix one potential use-after-free issue · 64df6d52
      linzhang 提交于
      The function x25_init is not properly unregister related resources
      on error handler.It is will result in kernel oops if x25_init init
      failed, so add properly unregister call on error handler.
      
      Also, i adjust the coding style and make x25_register_sysctl properly
      return failure.
      Signed-off-by: Nlinzhang <xiaolou4617@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      64df6d52
    • D
      bpf: adjust verifier heuristics · 3c2ce60b
      Daniel Borkmann 提交于
      Current limits with regards to processing program paths do not
      really reflect today's needs anymore due to programs becoming
      more complex and verifier smarter, keeping track of more data
      such as const ALU operations, alignment tracking, spilling of
      PTR_TO_MAP_VALUE_ADJ registers, and other features allowing for
      smarter matching of what LLVM generates.
      
      This also comes with the side-effect that we result in fewer
      opportunities to prune search states and thus often need to do
      more work to prove safety than in the past due to different
      register states and stack layout where we mismatch. Generally,
      it's quite hard to determine what caused a sudden increase in
      complexity, it could be caused by something as trivial as a
      single branch somewhere at the beginning of the program where
      LLVM assigned a stack slot that is marked differently throughout
      other branches and thus causing a mismatch, where verifier
      then needs to prove safety for the whole rest of the program.
      Subsequently, programs with even less than half the insn size
      limit can get rejected. We noticed that while some programs
      load fine under pre 4.11, they get rejected due to hitting
      limits on more recent kernels. We saw that in the vast majority
      of cases (90+%) pruning failed due to register mismatches. In
      case of stack mismatches, majority of cases failed due to
      different stack slot types (invalid, spill, misc) rather than
      differences in spilled registers.
      
      This patch makes pruning more aggressive by also adding markers
      that sit at conditional jumps as well. Currently, we only mark
      jump targets for pruning. For example in direct packet access,
      these are usually error paths where we bail out. We found that
      adding these markers, it can reduce number of processed insns
      by up to 30%. Another option is to ignore reg->id in probing
      PTR_TO_MAP_VALUE_OR_NULL registers, which can help pruning
      slightly as well by up to 7% observed complexity reduction as
      stand-alone. Meaning, if a previous path with register type
      PTR_TO_MAP_VALUE_OR_NULL for map X was found to be safe, then
      in the current state a PTR_TO_MAP_VALUE_OR_NULL register for
      the same map X must be safe as well. Last but not least the
      patch also adds a scheduling point and bumps the current limit
      for instructions to be processed to a more adequate value.
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3c2ce60b
    • D
      ipv6: Check ip6_find_1stfragopt() return value properly. · 7dd7eb95
      David S. Miller 提交于
      Do not use unsigned variables to see if it returns a negative
      error or not.
      
      Fixes: 2423496a ("ipv6: Prevent overrun when parsing v6 header options")
      Reported-by: NJulia Lawall <julia.lawall@lip6.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7dd7eb95
    • Y
      selftests/bpf: fix broken build due to types.h · 579f1d92
      Yonghong Song 提交于
      Commit 0a5539f6 ("bpf: Provide a linux/types.h override
      for bpf selftests.") caused a build failure for tools/testing/selftest/bpf
      because of some missing types:
          $ make -C tools/testing/selftests/bpf/
          ...
          In file included from /home/yhs/work/net-next/tools/testing/selftests/bpf/test_pkt_access.c:8:
          ../../../include/uapi/linux/bpf.h:170:3: error: unknown type name '__aligned_u64'
                          __aligned_u64   key;
          ...
          /usr/include/linux/swab.h:160:8: error: unknown type name '__always_inline'
          static __always_inline __u16 __swab16p(const __u16 *p)
          ...
      The type __aligned_u64 is defined in linux:include/uapi/linux/types.h.
      
      The fix is to copy missing type definition into
      tools/testing/selftests/bpf/include/uapi/linux/types.h.
      Adding additional include "string.h" resolves __always_inline issue.
      
      Fixes: 0a5539f6 ("bpf: Provide a linux/types.h override for bpf selftests.")
      Signed-off-by: NYonghong Song <yhs@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      579f1d92
    • L
      Merge tag 'for-4.12/dm-fixes-2' of... · dac94e29
      Linus Torvalds 提交于
      Merge tag 'for-4.12/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - a couple DM thin provisioning fixes
      
       - a few request-based DM and DM multipath fixes for issues that were
         made when merging Christoph's changes with Bart's changes for 4.12
      
       - a DM bufio unsigned overflow fix
      
       - a couple pure fixes for the DM cache target.
      
       - various very small tweaks to the DM cache target that enable
         considerable speed improvements in the face of continuous IO. Given
         that the cache target was significantly reworked for 4.12 I see no
         reason to sit on these advances until 4.13 considering the favorable
         results associated with such minimalist tweaks.
      
      * tag 'for-4.12/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm cache: handle kmalloc failure allocating background_tracker struct
        dm bufio: make the parameter "retain_bytes" unsigned long
        dm mpath: multipath_clone_and_map must not return -EIO
        dm mpath: don't return -EIO from dm_report_EIO
        dm rq: add a missing break to map_request
        dm space map disk: fix some book keeping in the disk space map
        dm thin metadata: call precommit before saving the roots
        dm cache policy smq: don't do any writebacks unless IDLE
        dm cache: simplify the IDLE vs BUSY state calculation
        dm cache: track all IO to the cache rather than just the origin device's IO
        dm cache policy smq: stop preemptively demoting blocks
        dm cache policy smq: put newly promoted entries at the top of the multiqueue
        dm cache policy smq: be more aggressive about triggering a writeback
        dm cache policy smq: only demote entries in bottom half of the clean multiqueue
        dm cache: fix incorrect 'idle_time' reset in IO tracker
      dac94e29
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 243bfd2c
      Linus Torvalds 提交于
      Pull i2c fixes from Wolfram Sang:
       "Here are some bugfixes from I2C, especially removing a wrongly
        displayed error message for all i2c muxes"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: xgene: Set ACPI_COMPANION_I2C
        i2c: mv64xxx: don't override deferred probing when getting irq
        i2c: mux: only print failure message on error
        i2c: mux: reg: rename label to indicate what it does
        i2c: mux: reg: put away the parent i2c adapter on probe failure
      243bfd2c
    • D
      Merge branch 'bnxt_en-DCBX-fixes' · f917174c
      David S. Miller 提交于
      Michael Chan says:
      
      ====================
      bnxt_en: DCBX fixes.
      
      2 bug fixes for the case where the NIC's firmware DCBX agent is enabled.
      With these fixes, we will return the proper information to lldpad.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f917174c
    • M
      bnxt_en: Check status of firmware DCBX agent before setting DCB_CAP_DCBX_HOST. · f667724b
      Michael Chan 提交于
      Otherwise, all the host based DCBX settings from lldpad will fail if the
      firmware DCBX agent is running.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f667724b
    • M
      bnxt_en: Call bnxt_dcb_init() after getting firmware DCBX configuration. · 87fe6032
      Michael Chan 提交于
      In the current code, bnxt_dcb_init() is called too early before we
      determine if the firmware DCBX agent is running or not.  As a result,
      we are not setting the DCB_CAP_DCBX_HOST and DCB_CAP_DCBX_LLD_MANAGED
      flags properly to report to DCBNL.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      87fe6032
    • E
      net: fix compile error in skb_orphan_partial() · 9142e900
      Eric Dumazet 提交于
      If CONFIG_INET is not set, net/core/sock.c can not compile :
      
      net/core/sock.c: In function ‘skb_orphan_partial’:
      net/core/sock.c:1810:2: error: implicit declaration of function
      ‘skb_is_tcp_pure_ack’ [-Werror=implicit-function-declaration]
        if (skb_is_tcp_pure_ack(skb))
        ^
      
      Fix this by always including <net/tcp.h>
      
      Fixes: f6ba8d33 ("netem: fix skb_orphan_partial()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
      Reported-by: NRandy Dunlap <rdunlap@infradead.org>
      Reported-by: NStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9142e900
    • L
      sparc/ftrace: Fix ftrace graph time measurement · 48078d2d
      Liam R. Howlett 提交于
      The ftrace function_graph time measurements of a given function is not
      accurate according to those recorded by ftrace using the function
      filters.  This change pulls the x86_64 fix from 'commit 722b3c74
      ("ftrace/graph: Trace function entry before updating index")' into the
      sparc specific prepare_ftrace_return which stops ftrace from
      counting interrupted tasks in the time measurement.
      
      Example measurements for select_task_rq_fair running "hackbench 100
      process 1000":
      
                    |  tracing/trace_stat/function0  |  function_graph
       Before patch |  2.802 us                      |  4.255 us
       After patch  |  2.749 us                      |  3.094 us
      Signed-off-by: NLiam R. Howlett <Liam.Howlett@Oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      48078d2d
    • O
      sparc: Fix -Wstringop-overflow warning · deba804c
      Orlando Arias 提交于
      Greetings,
      
      GCC 7 introduced the -Wstringop-overflow flag to detect buffer overflows
      in calls to string handling functions [1][2]. Due to the way
      ``empty_zero_page'' is declared in arch/sparc/include/setup.h, this
      causes a warning to trigger at compile time in the function mem_init(),
      which is subsequently converted to an error. The ensuing patch fixes
      this issue and aligns the declaration of empty_zero_page to that of
      other architectures. Thank you.
      
      Cheers,
      Orlando.
      
      [1] https://gcc.gnu.org/ml/gcc-patches/2016-10/msg02308.html
      [2] https://gcc.gnu.org/gcc-7/changes.htmlSigned-off-by: NOrlando Arias <oarias@knights.ucf.edu>
      
      --------------------------------------------------------------------------------
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      deba804c
    • N
      sparc64: Fix mapping of 64k pages with MAP_FIXED · b6c41cb0
      Nitin Gupta 提交于
      An incorrect huge page alignment check caused
      mmap failure for 64K pages when MAP_FIXED is used
      with address not aligned to HPAGE_SIZE.
      
      Orabug: 25885991
      
      Fixes: dcd1912d ("sparc64: Add 64K page size support")
      Signed-off-by: NNitin Gupta <nitin.m.gupta@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6c41cb0
    • C
      ipv6: Prevent overrun when parsing v6 header options · 2423496a
      Craig Gallek 提交于
      The KASAN warning repoted below was discovered with a syzkaller
      program.  The reproducer is basically:
        int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
        send(s, &one_byte_of_data, 1, MSG_MORE);
        send(s, &more_than_mtu_bytes_data, 2000, 0);
      
      The socket() call sets the nexthdr field of the v6 header to
      NEXTHDR_HOP, the first send call primes the payload with a non zero
      byte of data, and the second send call triggers the fragmentation path.
      
      The fragmentation code tries to parse the header options in order
      to figure out where to insert the fragment option.  Since nexthdr points
      to an invalid option, the calculation of the size of the network header
      can made to be much larger than the linear section of the skb and data
      is read outside of it.
      
      This fix makes ip6_find_1stfrag return an error if it detects
      running out-of-bounds.
      
      [   42.361487] ==================================================================
      [   42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
      [   42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
      [   42.366469]
      [   42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
      [   42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
      [   42.368824] Call Trace:
      [   42.369183]  dump_stack+0xb3/0x10b
      [   42.369664]  print_address_description+0x73/0x290
      [   42.370325]  kasan_report+0x252/0x370
      [   42.370839]  ? ip6_fragment+0x11c8/0x3730
      [   42.371396]  check_memory_region+0x13c/0x1a0
      [   42.371978]  memcpy+0x23/0x50
      [   42.372395]  ip6_fragment+0x11c8/0x3730
      [   42.372920]  ? nf_ct_expect_unregister_notifier+0x110/0x110
      [   42.373681]  ? ip6_copy_metadata+0x7f0/0x7f0
      [   42.374263]  ? ip6_forward+0x2e30/0x2e30
      [   42.374803]  ip6_finish_output+0x584/0x990
      [   42.375350]  ip6_output+0x1b7/0x690
      [   42.375836]  ? ip6_finish_output+0x990/0x990
      [   42.376411]  ? ip6_fragment+0x3730/0x3730
      [   42.376968]  ip6_local_out+0x95/0x160
      [   42.377471]  ip6_send_skb+0xa1/0x330
      [   42.377969]  ip6_push_pending_frames+0xb3/0xe0
      [   42.378589]  rawv6_sendmsg+0x2051/0x2db0
      [   42.379129]  ? rawv6_bind+0x8b0/0x8b0
      [   42.379633]  ? _copy_from_user+0x84/0xe0
      [   42.380193]  ? debug_check_no_locks_freed+0x290/0x290
      [   42.380878]  ? ___sys_sendmsg+0x162/0x930
      [   42.381427]  ? rcu_read_lock_sched_held+0xa3/0x120
      [   42.382074]  ? sock_has_perm+0x1f6/0x290
      [   42.382614]  ? ___sys_sendmsg+0x167/0x930
      [   42.383173]  ? lock_downgrade+0x660/0x660
      [   42.383727]  inet_sendmsg+0x123/0x500
      [   42.384226]  ? inet_sendmsg+0x123/0x500
      [   42.384748]  ? inet_recvmsg+0x540/0x540
      [   42.385263]  sock_sendmsg+0xca/0x110
      [   42.385758]  SYSC_sendto+0x217/0x380
      [   42.386249]  ? SYSC_connect+0x310/0x310
      [   42.386783]  ? __might_fault+0x110/0x1d0
      [   42.387324]  ? lock_downgrade+0x660/0x660
      [   42.387880]  ? __fget_light+0xa1/0x1f0
      [   42.388403]  ? __fdget+0x18/0x20
      [   42.388851]  ? sock_common_setsockopt+0x95/0xd0
      [   42.389472]  ? SyS_setsockopt+0x17f/0x260
      [   42.390021]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
      [   42.390650]  SyS_sendto+0x40/0x50
      [   42.391103]  entry_SYSCALL_64_fastpath+0x1f/0xbe
      [   42.391731] RIP: 0033:0x7fbbb711e383
      [   42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [   42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
      [   42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
      [   42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
      [   42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
      [   42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
      [   42.397257]
      [   42.397411] Allocated by task 3789:
      [   42.397702]  save_stack_trace+0x16/0x20
      [   42.398005]  save_stack+0x46/0xd0
      [   42.398267]  kasan_kmalloc+0xad/0xe0
      [   42.398548]  kasan_slab_alloc+0x12/0x20
      [   42.398848]  __kmalloc_node_track_caller+0xcb/0x380
      [   42.399224]  __kmalloc_reserve.isra.32+0x41/0xe0
      [   42.399654]  __alloc_skb+0xf8/0x580
      [   42.400003]  sock_wmalloc+0xab/0xf0
      [   42.400346]  __ip6_append_data.isra.41+0x2472/0x33d0
      [   42.400813]  ip6_append_data+0x1a8/0x2f0
      [   42.401122]  rawv6_sendmsg+0x11ee/0x2db0
      [   42.401505]  inet_sendmsg+0x123/0x500
      [   42.401860]  sock_sendmsg+0xca/0x110
      [   42.402209]  ___sys_sendmsg+0x7cb/0x930
      [   42.402582]  __sys_sendmsg+0xd9/0x190
      [   42.402941]  SyS_sendmsg+0x2d/0x50
      [   42.403273]  entry_SYSCALL_64_fastpath+0x1f/0xbe
      [   42.403718]
      [   42.403871] Freed by task 1794:
      [   42.404146]  save_stack_trace+0x16/0x20
      [   42.404515]  save_stack+0x46/0xd0
      [   42.404827]  kasan_slab_free+0x72/0xc0
      [   42.405167]  kfree+0xe8/0x2b0
      [   42.405462]  skb_free_head+0x74/0xb0
      [   42.405806]  skb_release_data+0x30e/0x3a0
      [   42.406198]  skb_release_all+0x4a/0x60
      [   42.406563]  consume_skb+0x113/0x2e0
      [   42.406910]  skb_free_datagram+0x1a/0xe0
      [   42.407288]  netlink_recvmsg+0x60d/0xe40
      [   42.407667]  sock_recvmsg+0xd7/0x110
      [   42.408022]  ___sys_recvmsg+0x25c/0x580
      [   42.408395]  __sys_recvmsg+0xd6/0x190
      [   42.408753]  SyS_recvmsg+0x2d/0x50
      [   42.409086]  entry_SYSCALL_64_fastpath+0x1f/0xbe
      [   42.409513]
      [   42.409665] The buggy address belongs to the object at ffff88000969e780
      [   42.409665]  which belongs to the cache kmalloc-512 of size 512
      [   42.410846] The buggy address is located 24 bytes inside of
      [   42.410846]  512-byte region [ffff88000969e780, ffff88000969e980)
      [   42.411941] The buggy address belongs to the page:
      [   42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
      [   42.413298] flags: 0x100000000008100(slab|head)
      [   42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
      [   42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
      [   42.415074] page dumped because: kasan: bad access detected
      [   42.415604]
      [   42.415757] Memory state around the buggy address:
      [   42.416222]  ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   42.416904]  ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   42.418273]                    ^
      [   42.418588]  ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   42.419273]  ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   42.419882] ==================================================================
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NCraig Gallek <kraig@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2423496a
    • M
      kbuild: skip install/check of headers right under uapi directories · 05d8cba4
      Masahiro Yamada 提交于
      Since commit 61562f98 ("uapi: export all arch specifics
      directories"), "make INSTALL_HDR_PATH=$root/usr headers_install"
      deletes standard glibc headers and others in $(root)/usr/include.
      
      The cause of the issue is that headers_install now starts descending
      from arch/$(hdr-arch)/include/uapi with $(root)/usr/include for its
      destination when installing asm headers.  So, headers already there
      are assumed to be unwanted.
      
      When headers_install starts descending from include/uapi with
      $(root)/usr/include for its destination, it works around the problem
      by creating an dummy destination $(root)/usr/include/uapi, but this
      is tricky.
      
      To fix the problem in a clean way is to skip headers install/check
      in include/uapi and arch/$(hdr-arch)/include/uapi because we know
      there are only sub-directories in uapi directories.  A good side
      effect is the empty destination $(root)/usr/include/uapi will go
      away.
      
      I am also removing the trailing slash in the headers_check target to
      skip checking in arch/$(hdr-arch)/include/uapi.
      
      Fixes: 61562f98 ("uapi: export all arch specifics directories")
      Reported-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Tested-by: NDan Williams <dan.j.williams@intel.com>
      Acked-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      05d8cba4
  3. 17 5月, 2017 1 次提交
    • I
      neighbour: update neigh timestamps iff update is effective · 77d71233
      Ihar Hrachyshka 提交于
      It's a common practice to send gratuitous ARPs after moving an
      IP address to another device to speed up healing of a service. To
      fulfill service availability constraints, the timing of network peers
      updating their caches to point to a new location of an IP address can be
      particularly important.
      
      Sometimes neigh_update calls won't touch neither lladdr nor state, for
      example if an update arrives in locktime interval. The neigh->updated
      value is tested by the protocol specific neigh code, which in turn
      will influence whether NEIGH_UPDATE_F_OVERRIDE gets set in the
      call to neigh_update() or not. As a result, we may effectively ignore
      the update request, bailing out of touching the neigh entry, except that
      we still bump its timestamps inside neigh_update.
      
      This may be a problem for updates arriving in quick succession. For
      example, consider the following scenario:
      
      A service is moved to another device with its IP address. The new device
      sends three gratuitous ARP requests into the network with ~1 seconds
      interval between them. Just before the first request arrives to one of
      network peer nodes, its neigh entry for the IP address transitions from
      STALE to DELAY.  This transition, among other things, updates
      neigh->updated. Once the kernel receives the first gratuitous ARP, it
      ignores it because its arrival time is inside the locktime interval. The
      kernel still bumps neigh->updated. Then the second gratuitous ARP
      request arrives, and it's also ignored because it's still in the (new)
      locktime interval. Same happens for the third request. The node
      eventually heals itself (after delay_first_probe_time seconds since the
      initial transition to DELAY state), but it just wasted some time and
      require a new ARP request/reply round trip. This unfortunate behaviour
      both puts more load on the network, as well as reduces service
      availability.
      
      This patch changes neigh_update so that it bumps neigh->updated (as well
      as neigh->confirmed) only once we are sure that either lladdr or entry
      state will change). In the scenario described above, it means that the
      second gratuitous ARP request will actually update the entry lladdr.
      
      Ideally, we would update the neigh entry on the very first gratuitous
      ARP request. The locktime mechanism is designed to ignore ARP updates in
      a short timeframe after a previous ARP update was honoured by the kernel
      layer. This would require tracking timestamps for state transitions
      separately from timestamps when actual updates are received. This would
      probably involve changes in neighbour struct. Therefore, the patch
      doesn't tackle the issue of the first gratuitous APR ignored, leaving
      it for a follow-up.
      Signed-off-by: NIhar Hrachyshka <ihrachys@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      77d71233