1. 15 11月, 2017 2 次提交
    • B
      vhost/scsi: Use safe iteration in vhost_scsi_complete_cmd_work() · 816e85ed
      Byungchul Park 提交于
      The following patch changed the behavior which originally did safe
      iteration. Make it safe as it was.
      
         12bdcbd5
         vhost/scsi: Don't reinvent the wheel but use existing llist API
      Signed-off-by: NByungchul Park <byungchul.park@lge.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      816e85ed
    • M
      virtio_balloon: fix deadlock on OOM · c7cdff0e
      Michael S. Tsirkin 提交于
      fill_balloon doing memory allocations under balloon_lock
      can cause a deadlock when leak_balloon is called from
      virtballoon_oom_notify and tries to take same lock.
      
      To fix, split page allocation and enqueue and do allocations outside the lock.
      
      Here's a detailed analysis of the deadlock by Tetsuo Handa:
      
      In leak_balloon(), mutex_lock(&vb->balloon_lock) is called in order to
      serialize against fill_balloon(). But in fill_balloon(),
      alloc_page(GFP_HIGHUSER[_MOVABLE] | __GFP_NOMEMALLOC | __GFP_NORETRY) is
      called with vb->balloon_lock mutex held. Since GFP_HIGHUSER[_MOVABLE]
      implies __GFP_DIRECT_RECLAIM | __GFP_IO | __GFP_FS, despite __GFP_NORETRY
      is specified, this allocation attempt might indirectly depend on somebody
      else's __GFP_DIRECT_RECLAIM memory allocation. And such indirect
      __GFP_DIRECT_RECLAIM memory allocation might call leak_balloon() via
      virtballoon_oom_notify() via blocking_notifier_call_chain() callback via
      out_of_memory() when it reached __alloc_pages_may_oom() and held oom_lock
      mutex. Since vb->balloon_lock mutex is already held by fill_balloon(), it
      will cause OOM lockup.
      
        Thread1                                       Thread2
          fill_balloon()
            takes a balloon_lock
            balloon_page_enqueue()
              alloc_page(GFP_HIGHUSER_MOVABLE)
                direct reclaim (__GFP_FS context)       takes a fs lock
                  waits for that fs lock                  alloc_page(GFP_NOFS)
                                                            __alloc_pages_may_oom()
                                                              takes the oom_lock
                                                              out_of_memory()
                                                                blocking_notifier_call_chain()
                                                                  leak_balloon()
                                                                    tries to take that balloon_lock and deadlocks
      Reported-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Wei Wang <wei.w.wang@intel.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      c7cdff0e
  2. 13 11月, 2017 3 次提交
    • L
      Linux 4.14 · bebc6082
      Linus Torvalds 提交于
      bebc6082
    • L
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 152bbb43
      Linus Torvalds 提交于
      Pull x86 fixes from Thomas Gleixner:
       "A set of small fixes:
      
         - make KGDB work again which got broken by the conversion of WARN()
           to #UD. The WARN fixup needs to run before the notifier callchain,
           otherwise KGDB tries to handle it and crashes.
      
         - disable KASAN in the ORC unwinder to prevent false positive KASAN
           warnings
      
         - prevent default mapping above 47bit when 5 level page tables are
           enabled
      
         - make the delay calibration optimization work correctly, which had
           the conditionals the wrong way around and was operating on data
           which was not yet updated.
      
         - remove the bogus X86_TRAP_BP trap init from the default IDT init
           table, which broke 32bit int3 handling by overwriting the correct
           int3 setup.
      
         - replace this_cpu* with boot_cpu_data access in the preemptible
           oprofile init code"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/debug: Handle warnings before the notifier chain, to fix KGDB crash
        x86/mm: Fix ELF_ET_DYN_BASE for 5-level paging
        x86/idt: Remove X86_TRAP_BP initialization in idt_setup_traps()
        x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
        x86/unwind: Disable KASAN checking in the ORC unwinder
        x86/smpboot: Make optimization of delay calibration work correctly
      152bbb43
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 69581c74
      Linus Torvalds 提交于
      Pull perf tool fixes from Thomas Gleixner:
       "A small set of fixes for perf tool:
      
         - synchronize the i915 drm header to avoid the 'out of date' warning
      
         - make sure that perf trace cleans up its temporary files on exit
      
         - unbreak the build with newer flex versions
      
         - add missing braces in the eBPF parsing rules"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tooling/headers: Sync the tools/include/uapi/drm/i915_drm.h UAPI header
        perf trace: Call machine__exit() at exit
        perf tools: Fix eBPF event specification parsing
        perf tools: Add "reject" option for parse-events.l
      69581c74
  3. 12 11月, 2017 1 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b3954568
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Use after free in vlan, from Cong Wang.
      
       2) Handle NAPI poll with a zero budget properly in mlx5 driver, from
          Saeed Mahameed.
      
       3) If DMA mapping fails in mlx5 driver, NULL out page, from Inbar
          Karmy.
      
       4) Handle overrun in RX FIFO of sun4i CAN driver, from Gerhard
          Bertelsmann.
      
       5) Missing return in mdb and vlan prepare phase of DSA layer, from
          Vivien Didelot.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        vlan: fix a use-after-free in vlan_device_event()
        net: dsa: return after vlan prepare phase
        net: dsa: return after mdb prepare phase
        can: ifi: Fix transmitter delay calculation
        tcp: fix tcp_fastretrans_alert warning
        tcp: gso: avoid refcount_t warning from tcp_gso_segment()
        can: peak: Add support for new PCIe/M2 CAN FD interfaces
        can: sun4i: handle overrun in RX FIFO
        can: c_can: don't indicate triple sampling support for D_CAN
        net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs
        net/mlx5e: Set page to null in case dma mapping fails
        net/mlx5e: Fix napi poll with zero budget
        net/mlx5: Cancel health poll before sending panic teardown command
        net/mlx5: Loop over temp list to release delay events
        rds: ib: Fix NULL pointer dereference in debug code
      b3954568
  4. 11 11月, 2017 14 次提交
  5. 10 11月, 2017 20 次提交
    • M
      can: ifi: Fix transmitter delay calculation · 4f711675
      Marek Vasut 提交于
      The CANFD transmitter delay calculation formula was updated in the
      latest software drop from IFI and improves the behavior of the IFI
      CANFD core during bitrate switching. Use the new formula to improve
      stability of the CANFD operation.
      Signed-off-by: NMarek Vasut <marex@denx.de>
      Cc: Markus Marb <markus@marb.org>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      4f711675
    • Y
      tcp: fix tcp_fastretrans_alert warning · 0eb96bf7
      Yuchung Cheng 提交于
      This patch fixes the cause of an WARNING indicatng TCP has pending
      retransmission in Open state in tcp_fastretrans_alert().
      
      The root cause is a bad interaction between path mtu probing,
      if enabled, and the RACK loss detection. Upong receiving a SACK
      above the sequence of the MTU probing packet, RACK could mark the
      probe packet lost in tcp_fastretrans_alert(), prior to calling
      tcp_simple_retransmit().
      
      tcp_simple_retransmit() only enters Loss state if it newly marks
      the probe packet lost. If the probe packet is already identified as
      lost by RACK, the sender remains in Open state with some packets
      marked lost and retransmitted. Then the next SACK would trigger
      the warning. The likely scenario is that the probe packet was
      lost due to its size or network congestion. The actual impact of
      this warning is small by potentially entering fast recovery an
      ACK later.
      
      The simple fix is always entering recovery (Loss) state if some
      packet is marked lost during path MTU probing.
      
      Fixes: a0370b3f ("tcp: enable RACK loss detection to trigger recovery")
      Reported-by: NOleksandr Natalenko <oleksandr@natalenko.name>
      Reported-by: NAlexei Starovoitov <alexei.starovoitov@gmail.com>
      Reported-by: NRoman Gushchin <guro@fb.com>
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0eb96bf7
    • E
      tcp: gso: avoid refcount_t warning from tcp_gso_segment() · 7ec318fe
      Eric Dumazet 提交于
      When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
      and N2, we want to transfer socket ownership to the new fresh skbs.
      
      In order to avoid expensive atomic operations on a cache line subject to
      cache bouncing, we replace the sequence :
      
      refcount_add(N1, &sk->sk_wmem_alloc);
      refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments
      
      refcount_sub(O, &sk->sk_wmem_alloc);
      
      by a single
      
      refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);
      
      Problem is :
      
      In some pathological cases, sum(N) - O might be a negative number, and
      syzkaller bot was apparently able to trigger this trace [1]
      
      atomic_t was ok with this construct, but we need to take care of the
      negative delta with refcount_t
      
      [1]
      refcount_t: saturated; leaking memory.
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:52
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1c4/0x1e0 kernel/panic.c:546
       report_bug+0x211/0x2d0 lib/bug.c:183
       fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
       do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
       do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
       do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
       invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
      RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282
      RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68
      RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000
      R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c
      R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f
       refcount_add+0x1b/0x60 lib/refcount.c:101
       tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155
       tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51
       inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271
       skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749
       __skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821
       skb_gso_segment include/linux/netdevice.h:3971 [inline]
       validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074
       __dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
       neigh_hh_output include/net/neighbour.h:471 [inline]
       neigh_output include/net/neighbour.h:479 [inline]
       ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229
       ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:238 [inline]
       ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:459 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
       tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137
       tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341
       __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513
       tcp_push_pending_frames include/net/tcp.h:1722 [inline]
       tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline]
       tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497
       tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460
       sk_backlog_rcv include/net/sock.h:909 [inline]
       __release_sock+0x124/0x360 net/core/sock.c:2264
       release_sock+0xa4/0x2a0 net/core/sock.c:2776
       tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
       sock_sendmsg_nosec net/socket.c:632 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:642
       ___sys_sendmsg+0x31c/0x890 net/socket.c:2048
       __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
      
      Fixes: 14afee4b ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ec318fe
    • S
      can: peak: Add support for new PCIe/M2 CAN FD interfaces · 4cbdd0ee
      Stephane Grosjean 提交于
      This adds support for the following PEAK-System CAN FD interfaces:
      
      PCAN-cPCIe FD         CAN FD Interface for cPCI Serial (2 or 4 channels)
      PCAN-PCIe/104-Express CAN FD Interface for PCIe/104-Express (1, 2 or 4 ch.)
      PCAN-miniPCIe FD      CAN FD Interface for PCIe Mini (1, 2 or 4 channels)
      PCAN-PCIe FD OEM      CAN FD Interface for PCIe OEM version (1, 2 or 4 ch.)
      PCAN-M.2              CAN FD Interface for M.2 (1 or 2 channels)
      
      Like the PCAN-PCIe FD interface, all of these boards run the same IP Core
      that is able to handle CAN FD (see also http://www.peak-system.com).
      Signed-off-by: NStephane Grosjean <s.grosjean@peak-system.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      4cbdd0ee
    • G
      can: sun4i: handle overrun in RX FIFO · 4dcf924c
      Gerhard Bertelsmann 提交于
      SUN4Is CAN IP has a 64 byte deep FIFO buffer. If the buffer is not
      drained fast enough (overrun) it's getting mangled. Already received
      frames are dropped - the data can't be restored.
      Signed-off-by: NGerhard Bertelsmann <info@gerhard-bertelsmann.de>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      4dcf924c
    • R
      can: c_can: don't indicate triple sampling support for D_CAN · fb5f0b3e
      Richard Schütz 提交于
      The D_CAN controller doesn't provide a triple sampling mode, so don't set
      the CAN_CTRLMODE_3_SAMPLES flag in ctrlmode_supported. Currently enabling
      triple sampling is a no-op.
      Signed-off-by: NRichard Schütz <rschuetz@uni-koblenz.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= v3.6
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      fb5f0b3e
    • A
      x86/debug: Handle warnings before the notifier chain, to fix KGDB crash · b8347c21
      Alexander Shishkin 提交于
      Commit:
      
        9a93848f ("x86/debug: Implement __WARN() using UD0")
      
      turned warnings into UD0, but the fixup code only runs after the
      notify_die() chain. This is a problem, in particular, with kgdb,
      which kicks in as if it was a BUG().
      
      Fix this by running the fixup code before the notifier chain in
      the invalid op handler path.
      Signed-off-by: NAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Tested-by: NIlya Dryomov <idryomov@gmail.com>
      Acked-by: NDaniel Thompson <daniel.thompson@linaro.org>
      Acked-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: Jason Wessel <jason.wessel@windriver.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Richard Weinberger <richard.weinberger@gmail.com>
      Cc: <stable@vger.kernel.org> # v4.12+
      Link: http://lkml.kernel.org/r/20170724100428.19173-1-alexander.shishkin@linux.intel.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      b8347c21
    • E
      net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs · d1c61e6d
      Eugenia Emantayev 提交于
      This is to prevent the case of working with a single MPWQE
      (1 WQE is always reserved as RQ is linked-list).
      When the WQE is fully consumed, HW should still have available buffer
      in order not to drop packets.
      
      Fixes: 461017cb ("net/mlx5e: Support RX multi-packet WQE (Striding RQ)")
      Signed-off-by: NEugenia Emantayev <eugenia@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Cc: kernel-team@fb.com
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      d1c61e6d
    • I
      net/mlx5e: Set page to null in case dma mapping fails · 2e50b261
      Inbar Karmy 提交于
      Currently, when dma mapping fails, put_page is called,
      but the page is not set to null. Later, in the page_reuse treatment in
      mlx5e_free_rx_descs(), mlx5e_page_release() is called for the second time,
      improperly doing dma_unmap (for a non-mapped address) and an extra put_page.
      Prevent this by nullifying the page pointer when dma_map fails.
      
      Fixes: accd5883 ("net/mlx5e: Introduce RX Page-Reuse")
      Signed-off-by: NInbar Karmy <inbark@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Cc: kernel-team@fb.com
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      2e50b261
    • S
      net/mlx5e: Fix napi poll with zero budget · 2a8d6065
      Saeed Mahameed 提交于
      napi->poll can be called with budget 0, e.g. in netpoll scenarios
      where the caller only wants to poll TX rings
      (poll_one_napi@net/core/netpoll.c).
      
      The below commit changed RX polling from "while" loop to "do {} while",
      which caused to ignore the initial budget and handle at least one RX
      packet.
      
      This fixes the following warning:
      [ 2852.049194] mlx5e_napi_poll+0x0/0x260 [mlx5_core] exceeded budget in poll
      [ 2852.049195] ------------[ cut here ]------------
      [ 2852.049195] WARNING: CPU: 0 PID: 25691 at net/core/netpoll.c:171 netpoll_poll_dev+0x18a/0x1a0
      
      Fixes: 4b7dfc99 ("net/mlx5e: Early-return on empty completion queues")
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Reported-by: NMartin KaFai Lau <kafai@fb.com>
      Tested-by: NMartin KaFai Lau <kafai@fb.com>
      Cc: kernel-team@fb.com
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      2a8d6065
    • H
      net/mlx5: Cancel health poll before sending panic teardown command · d2aa060d
      Huy Nguyen 提交于
      After the panic teardown firmware command, health_care detects the error
      in PCI bus and calls the mlx5_pci_err_detected. This health_care flow is
      no longer needed because the panic teardown firmware command will bring
      down the PCI bus communication with the HCA.
      
      The solution is to cancel the health care timer and its pending
      workqueue request before sending panic teardown firmware command.
      
      Kernel trace:
      mlx5_core 0033:01:00.0: Shutdown was called
      mlx5_core 0033:01:00.0: health_care:154:(pid 9304): handling bad device here
      mlx5_core 0033:01:00.0: mlx5_handle_bad_state:114:(pid 9304): NIC state 1
      mlx5_core 0033:01:00.0: mlx5_pci_err_detected was called
      mlx5_core 0033:01:00.0: mlx5_enter_error_state:96:(pid 9304): start
      mlx5_3:mlx5_ib_event:3061:(pid 9304): warning: event on port 0
      mlx5_core 0033:01:00.0: mlx5_enter_error_state:104:(pid 9304): end
      Unable to handle kernel paging request for data at address 0x0000003f
      Faulting instruction address: 0xc0080000434b8c80
      
      Fixes: 8812c24d ('net/mlx5: Add fast unload support in shutdown flow')
      Signed-off-by: NHuy Nguyen <huyn@mellanox.com>
      Reviewed-by: NMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      d2aa060d
    • H
      net/mlx5: Loop over temp list to release delay events · b8cce68b
      Huy Nguyen 提交于
      list_splice_init initializing waiting_events_list after splicing it to
      temp list, therefore we should loop over temp list to fire the events.
      
      Fixes: 4ca637a2 ("net/mlx5: Delay events till mlx5 interface's add complete for pci resume")
      Signed-off-by: NHuy Nguyen <huyn@mellanox.com>
      Signed-off-by: NFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      b8cce68b
    • H
      rds: ib: Fix NULL pointer dereference in debug code · 1cb483a5
      Håkon Bugge 提交于
      rds_ib_recv_refill() is a function that refills an IB receive
      queue. It can be called from both the CQE handler (tasklet) and a
      worker thread.
      
      Just after the call to ib_post_recv(), a debug message is printed with
      rdsdebug():
      
                  ret = ib_post_recv(ic->i_cm_id->qp, &recv->r_wr, &failed_wr);
                  rdsdebug("recv %p ibinc %p page %p addr %lu ret %d\n", recv,
                           recv->r_ibinc, sg_page(&recv->r_frag->f_sg),
                           (long) ib_sg_dma_address(
                                  ic->i_cm_id->device,
                                  &recv->r_frag->f_sg),
                          ret);
      
      Now consider an invocation of rds_ib_recv_refill() from the worker
      thread, which is preemptible. Further, assume that the worker thread
      is preempted between the ib_post_recv() and rdsdebug() statements.
      
      Then, if the preemption is due to a receive CQE event, the
      rds_ib_recv_cqe_handler() will be invoked. This function processes
      receive completions, including freeing up data structures, such as the
      recv->r_frag.
      
      In this scenario, rds_ib_recv_cqe_handler() will process the receive
      WR posted above. That implies, that the recv->r_frag has been freed
      before the above rdsdebug() statement has been executed. When it is
      later executed, we will have a NULL pointer dereference:
      
      [ 4088.068008] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      [ 4088.076754] IP: rds_ib_recv_refill+0x87/0x620 [rds_rdma]
      [ 4088.082686] PGD 0 P4D 0
      [ 4088.085515] Oops: 0000 [#1] SMP
      [ 4088.089015] Modules linked in: rds_rdma(OE) rds(OE) rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) fscache(E) mlx4_ib(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) rdma_cm(E) ib_cm(E) iw_cm(E) ib_core(E) binfmt_misc(E) sb_edac(E) intel_powerclamp(E) coretemp(E) kvm_intel(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) pcbc(E) aesni_intel(E) crypto_simd(E) iTCO_wdt(E) glue_helper(E) iTCO_vendor_support(E) sg(E) cryptd(E) pcspkr(E) ipmi_si(E) ipmi_devintf(E) ipmi_msghandler(E) shpchp(E) ioatdma(E) i2c_i801(E) wmi(E) lpc_ich(E) mei_me(E) mei(E) mfd_core(E) nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) ip_tables(E) ext4(E) mbcache(E) jbd2(E) fscrypto(E) mgag200(E) i2c_algo_bit(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E)
      [ 4088.168486]  fb_sys_fops(E) ahci(E) ixgbe(E) libahci(E) ttm(E) mdio(E) ptp(E) pps_core(E) drm(E) sd_mod(E) libata(E) crc32c_intel(E) mlx4_core(E) i2c_core(E) dca(E) megaraid_sas(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) [last unloaded: rds]
      [ 4088.193442] CPU: 20 PID: 1244 Comm: kworker/20:2 Tainted: G           OE   4.14.0-rc7.master.20171105.ol7.x86_64 #1
      [ 4088.205097] Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017
      [ 4088.216074] Workqueue: ib_cm cm_work_handler [ib_cm]
      [ 4088.221614] task: ffff885fa11d0000 task.stack: ffffc9000e598000
      [ 4088.228224] RIP: 0010:rds_ib_recv_refill+0x87/0x620 [rds_rdma]
      [ 4088.234736] RSP: 0018:ffffc9000e59bb68 EFLAGS: 00010286
      [ 4088.240568] RAX: 0000000000000000 RBX: ffffc9002115d050 RCX: ffffc9002115d050
      [ 4088.248535] RDX: ffffffffa0521380 RSI: ffffffffa0522158 RDI: ffffffffa0525580
      [ 4088.256498] RBP: ffffc9000e59bbf8 R08: 0000000000000005 R09: 0000000000000000
      [ 4088.264465] R10: 0000000000000339 R11: 0000000000000001 R12: 0000000000000000
      [ 4088.272433] R13: ffff885f8c9d8000 R14: ffffffff81a0a060 R15: ffff884676268000
      [ 4088.280397] FS:  0000000000000000(0000) GS:ffff885fbec80000(0000) knlGS:0000000000000000
      [ 4088.289434] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4088.295846] CR2: 0000000000000020 CR3: 0000000001e09005 CR4: 00000000001606e0
      [ 4088.303816] Call Trace:
      [ 4088.306557]  rds_ib_cm_connect_complete+0xe0/0x220 [rds_rdma]
      [ 4088.312982]  ? __dynamic_pr_debug+0x8c/0xb0
      [ 4088.317664]  ? __queue_work+0x142/0x3c0
      [ 4088.321944]  rds_rdma_cm_event_handler+0x19e/0x250 [rds_rdma]
      [ 4088.328370]  cma_ib_handler+0xcd/0x280 [rdma_cm]
      [ 4088.333522]  cm_process_work+0x25/0x120 [ib_cm]
      [ 4088.338580]  cm_work_handler+0xd6b/0x17aa [ib_cm]
      [ 4088.343832]  process_one_work+0x149/0x360
      [ 4088.348307]  worker_thread+0x4d/0x3e0
      [ 4088.352397]  kthread+0x109/0x140
      [ 4088.355996]  ? rescuer_thread+0x380/0x380
      [ 4088.360467]  ? kthread_park+0x60/0x60
      [ 4088.364563]  ret_from_fork+0x25/0x30
      [ 4088.368548] Code: 48 89 45 90 48 89 45 98 eb 4d 0f 1f 44 00 00 48 8b 43 08 48 89 d9 48 c7 c2 80 13 52 a0 48 c7 c6 58 21 52 a0 48 c7 c7 80 55 52 a0 <4c> 8b 48 20 44 89 64 24 08 48 8b 40 30 49 83 e1 fc 48 89 04 24
      [ 4088.389612] RIP: rds_ib_recv_refill+0x87/0x620 [rds_rdma] RSP: ffffc9000e59bb68
      [ 4088.397772] CR2: 0000000000000020
      [ 4088.401505] ---[ end trace fe922e6ccf004431 ]---
      
      This bug was provoked by compiling rds out-of-tree with
      EXTRA_CFLAGS="-DRDS_DEBUG -DDEBUG" and inserting an artificial delay
      between the rdsdebug() and ib_ib_port_recv() statements:
      
         	       /* XXX when can this fail? */
      	       ret = ib_post_recv(ic->i_cm_id->qp, &recv->r_wr, &failed_wr);
      +		if (can_wait)
      +			usleep_range(1000, 5000);
      	       rdsdebug("recv %p ibinc %p page %p addr %lu ret %d\n", recv,
      			recv->r_ibinc, sg_page(&recv->r_frag->f_sg),
      			(long) ib_sg_dma_address(
      
      The fix is simply to move the rdsdebug() statement up before the
      ib_post_recv() and remove the printing of ret, which is taken care of
      anyway by the non-debug code.
      Signed-off-by: NHåkon Bugge <haakon.bugge@oracle.com>
      Reviewed-by: NKnut Omang <knut.omang@oracle.com>
      Reviewed-by: NWei Lin Guay <wei.lin.guay@oracle.com>
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1cb483a5
    • L
      Merge branch 'akpm' (patches from Andrew) · 1c9dbd46
      Linus Torvalds 提交于
      Merge misc fixes from Andrew Morton:
       "2 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        MAINTAINERS: update TPM driver infrastructure changes
        sysctl: add register_sysctl() dummy helper
      1c9dbd46
    • J
      MAINTAINERS: update TPM driver infrastructure changes · 60fdb44a
      Jarkko Sakkinen 提交于
      [akpm@linux-foundation.org: alpha-sort CREDITS, per Randy]
      Link: http://lkml.kernel.org/r/20170915223811.21368-1-jarkko.sakkinen@linux.intel.comSigned-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Cc: Marcel Selhorst <tpmdd@selhorst.net>
      Cc: Ashley Lai <ashleydlai@gmail.com>
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Håvard Skinnemoen <hskinnemoen@gmail.com>
      Cc: Martin Kepplinger <martink@posteo.de>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Gertjan van Wingerde <gwingerde@gmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      60fdb44a
    • A
      sysctl: add register_sysctl() dummy helper · e609a6b8
      Arnd Bergmann 提交于
      register_sysctl() has been around for five years with commit
      fea478d4 ("sysctl: Add register_sysctl for normal sysctl users") but
      now that arm64 started using it, I ran into a compile error:
      
        arch/arm64/kernel/armv8_deprecated.c: In function 'register_insn_emulation_sysctl':
        arch/arm64/kernel/armv8_deprecated.c:257:2: error: implicit declaration of function 'register_sysctl'
      
      This adds a inline function like we already have for
      register_sysctl_paths() and register_sysctl_table().
      
      Link: http://lkml.kernel.org/r/20171106133700.558647-1-arnd@arndb.de
      Fixes: 38b9aeb3 ("arm64: Port deprecated instruction emulation to new sysctl interface")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NDave Martin <Dave.Martin@arm.com>
      Acked-by: NKees Cook <keescook@chromium.org>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>
      Cc: Alex Benne <alex.bennee@linaro.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e609a6b8
    • L
      Merge tag 'pci-v4.14-fixes-7' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 5cff3684
      Linus Torvalds 提交于
      Pull PCI maintainership updates from Bjorn Helgaas:
       "Update MAINTAINERS for HiSilicon, Microsemi Switchtec, and native host
        bridge drivers (Gabriele Paoloni, Sebastian Andrzej Siewior).
      
        Note that starting with changes intended for v4.16, Lorenzo Pieralisi
        will maintain the drivers/pci/{dwc,endpoint,host} directories. My
        intent is to continue to merge those changes via my tree, so this
        should be transparent to you"
      
      * tag 'pci-v4.14-fixes-7' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        MAINTAINERS: Add Lorenzo Pieralisi for PCI host bridge drivers
        MAINTAINERS: Remove Gabriele Paoloni as HiSilicon PCI maintainer
        MAINTAINERS: Remove Stephen Bates as Microsemi Switchtec maintainer
      5cff3684
    • L
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · e7a7912a
      Linus Torvalds 提交于
      Pull ARM fix from Russell King:
       "Last ARM fix for 4.14.
      
        This plugs a hole in dump_instr(), which, with certain conditions
        satisfied, can dump instructions from kernel space"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8720/1: ensure dump_instr() checks addr_limit
      e7a7912a
    • L
      Merge tag 'pm-final-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3fefc318
      Linus Torvalds 提交于
      Pull final power management fixes from Rafael Wysocki:
       "These fix a regression in the schedutil cpufreq governor introduced by
        a recent change and blacklist Dell XPS13 9360 from using the Low Power
        S0 Idle _DSM interface which triggers serious problems on one of these
        machines.
      
        Specifics:
      
         - Prevent the schedutil cpufreq governor from using the utilization
           of a wrong CPU in some cases which started to happen after one of
           the recent changes in it (Chris Redpath).
      
         - Blacklist Dell XPS13 9360 from using the Low Power S0 Idle _DSM
           interface as that causes serious issue (related to NVMe) to appear
           on one of these machines, even though the other Dells XPS13 9360 in
           somewhat different HW configurations behave correctly (Rafael
           Wysocki)"
      
      * tag 'pm-final-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360
        cpufreq: schedutil: Examine the correct CPU when we update util
      3fefc318
    • L
      Merge tag 'sound-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d93d4ce1
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "The amount of the changes isn't as quite small as wished, nevertheless
        they are straight fixes that deserve merging to 4.14 final.
      
        Most of fixes are about ALSA core bugs spotted by fuzzer: a follow-up
        fix for the previous nested rwsem patch, a fix to avoid the resource
        hogs due to too many concurrent ALSA timer invocations, and a fix for
        a crash with SYSEX MIDI transfer over OSS sequencer emulation that is
        used by none but fuzzer.
      
        The rest are usual HD-audio and USB-audio device-specific quirks,
        which are safe to apply"
      
      * tag 'sound-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - fix headset mic problem for Dell machines with alc274
        ALSA: seq: Fix OSS sysex delivery in OSS emulation
        ALSA: seq: Avoid invalid lockdep class warning
        ALSA: timer: Limit max instances per timer
        ALSA: usb-audio: support new Amanero Combo384 firmware version
      d93d4ce1