1. 02 Aug, 2018 1 commit
    • bonding: avoid lockdep confusion in bond_get_stats() · 7e2556e4
      Eric Dumazet committed
      syzbot found that the following sequence produces a LOCKDEP splat [1]
      
      ip link add bond10 type bond
      ip link add bond11 type bond
      ip link set bond11 master bond10
      
      To fix this, we can use the already provided nest_level.
      
      This patch also provides correct nesting for dev->addr_list_lock
      
      [1]
      WARNING: possible recursive locking detected
      4.18.0-rc6+ #167 Not tainted
      --------------------------------------------
      syz-executor751/4439 is trying to acquire lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      but task is already holding lock:
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
      (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&bond->stats_lock)->rlock);
        lock(&(&bond->stats_lock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by syz-executor751/4439:
       #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
       #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215
      
      stack backtrace:
      CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
       check_deadlock kernel/locking/lockdep.c:1809 [inline]
       validate_chain kernel/locking/lockdep.c:2405 [inline]
       __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
       lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
       spin_lock include/linux/spinlock.h:310 [inline]
       bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
       dev_get_stats+0x10f/0x470 net/core/dev.c:8316
       rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
       rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
       rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
       rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
       rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
       rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
       notifier_call_chain+0x180/0x390 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
       call_netdevice_notifiers net/core/dev.c:1753 [inline]
       netdev_features_change net/core/dev.c:1321 [inline]
       netdev_change_features+0xb3/0x110 net/core/dev.c:7759
       bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
       bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
       bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
       dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
       dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
       sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
       sock_ioctl+0x30d/0x680 net/socket.c:1093
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       __do_sys_ioctl fs/ioctl.c:708 [inline]
       __se_sys_ioctl fs/ioctl.c:706 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x440859
      Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859
      RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390
      R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 01 Aug, 2018 13 commits
  3. 31 Jul, 2018 16 commits
  4. 30 Jul, 2018 9 commits
    • virtio_balloon: fix another race between migration and ballooning · 89da619b
      Jiang Biao committed
      Kernel panics when under high memory pressure; the calltrace looks like:
      
      PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
       #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
       #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
       #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
       #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
       #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
       #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
       #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
       #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
       #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
       #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
          [exception RIP: _raw_spin_lock_irqsave+47]
          RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
          RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
          RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
          RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
          R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
          R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
          ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
      
      It happens in the pagefault and results in double pagefault
      during compacting pages when memory allocation fails.
      
      Analysing the vmcore, the page that leads to the second pagefault is
      corrupted with _mapcount=-256, but private=0.

      It's caused by the race between migration and ballooning, and a missing
      lock in virtballoon_migratepage() of the virtio_balloon driver.
      This patch fixes the bug.
      
      Fixes: e2250429 ("virtio_balloon: introduce migration primitives to balloon pages")
      Cc: stable@vger.kernel.org
      Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
      Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • can: ems_usb: Fix memory leak on ems_usb_disconnect() · 72c05f32
      Anton Vasilyev committed
      ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
      is no deallocation of it in ems_usb_disconnect().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • Linux 4.18-rc7 · acb18725
      Linus Torvalds committed
    • openvswitch: meter: Fix setting meter id for new entries · 25432eba
      Justin Pettit committed
      The meter code would create an entry for each new meter.  However, it
      would not set the meter id in the new entry, so every meter would appear
      to have a meter id of zero.  This commit properly sets the meter id when
      adding the entry.
      
      Fixes: 96fbc13d ("openvswitch: Add meter infrastructure")
      Signed-off-by: Justin Pettit <jpettit@ovn.org>
      Cc: Andy Zhou <azhou@ovn.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 3cfb6772
      Linus Torvalds committed
      Pull ext4 fixes from Ted Ts'o:
       "Some miscellaneous ext4 fixes for 4.18; one fix is for a regression
        introduced in 4.18-rc4.
      
        Sorry for the late-breaking pull. I was originally going to wait for
        the next merge window, but Eric Whitney found a regression introduced
        in 4.18-rc4, so I decided to push out the regression plus the other
        fixes now. (The other commits have been baking in linux-next since
        early July)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix check to prevent initializing reserved inodes
        ext4: check for allocation block validity with block group locked
        ext4: fix inline data updates with checksums enabled
        ext4: clear mmp sequence number when remounting read-only
        ext4: fix false negatives *and* false positives in ext4_check_descriptors()
    • netlink: Do not subscribe to non-existent groups · 7acf9d42
      Dmitry Safonov committed
      Make ABI more strict about subscribing to group > ngroups.
      Code doesn't check for that and it looks bogus.
      (one can subscribe to non-existing group)
      Still, it's possible to bind() to all possible groups with (-1)
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: netdev@vger.kernel.org
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • squashfs: be more careful about metadata corruption · 01cfb793
      Linus Torvalds committed
      Anatoly Trosinenko reports that a corrupted squashfs image can cause a
      kernel oops.  It turns out that squashfs can end up being confused about
      negative fragment lengths.
      
      The regular squashfs_read_data() does check for negative lengths, but
      squashfs_read_metadata() did not, and the fragment size code just
      blindly trusted the on-disk value.  Fix both the fragment parsing and
      the metadata reading code.
      Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Phillip Lougher <phillip@squashfs.org.uk>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ext4: fix check to prevent initializing reserved inodes · 50122847
      Theodore Ts'o committed
      Commit 8844618d: "ext4: only look at the bg_flags field if it is
      valid" will complain if block group zero does not have the
      EXT4_BG_INODE_ZEROED flag set.  Unfortunately, this is not correct,
      since a freshly created file system has this flag cleared.  It gets set
      almost immediately after the file system is mounted read-write --- but
      the following somewhat unlikely sequence will end up triggering a
      false positive report of a corrupted file system:
      
         mkfs.ext4 /dev/vdc
         mount -o ro /dev/vdc /vdc
         mount -o remount,rw /dev/vdc
      
      Instead, when initializing the inode table for block group zero, test
      to make sure that itable_unused count is not too large, since that is
      the case that will result in some or all of the reserved inodes
      getting cleared.
      
      This fixes the failures reported by Eric Whitney when running
      generic/230 and generic/231 in the nojournal test case.
      
      Fixes: 8844618d ("ext4: only look at the bg_flags field if it is valid")
      Reported-by: Eric Whitney <enwlinux@gmail.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    • NET: stmmac: align DMA stuff to largest cache line length · 9939a46d
      Eugeniy Paltsev committed
      As of today, the STMMAC_ALIGN macro (which is used to align DMA stuff)
      relies on the L1 line length (L1_CACHE_BYTES).
      This isn't correct in the case of a system with several cache levels,
      which might have an L1 cache line length smaller than the L2 line. This
      can lead to sharing one cache line between a DMA buffer and other
      data, so we can lose this data while invalidating the DMA buffer before
      a DMA transaction.
      
      Fix that by using SMP_CACHE_BYTES instead of L1_CACHE_BYTES for
      aligning.
      Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 29 Jul, 2018 1 commit