1. 05 12月, 2015 9 次提交
    • P
      atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation · f2a3771a
      Pavel Machek 提交于
      atl1c driver is doing order-4 allocation with GFP_ATOMIC
      priority. That often breaks  networking after resume. Switch to
      GFP_KERNEL. Still not ideal, but should be significantly better.
      
      atl1c_setup_ring_resources() is called from .open() function, and
      already uses GFP_KERNEL, so this change is safe.
      Signed-off-by: NPavel Machek <pavel@ucw.cz>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f2a3771a
    • H
      rhashtable: Use __vmalloc with GFP_ATOMIC for table allocation · d3716f18
      Herbert Xu 提交于
      When an rhashtable user pounds rhashtable hard with back-to-back
      insertions we may end up growing the table in GFP_ATOMIC context.
      Unfortunately when the table reaches a certain size this often
      fails because we don't have enough physically contiguous pages
      to hold the new table.
      
      Eric Dumazet suggested (and in fact wrote this patch) using
      __vmalloc instead which can be used in GFP_ATOMIC context.
      Reported-by: NPhil Sutter <phil@nwl.cc>
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d3716f18
    • N
      gre6: allow to update all parameters via rtnl · 6a61d4db
      Nicolas Dichtel 提交于
      Parameters were updated only if the kernel was unable to find the tunnel
      with the new parameters, ie only if core pamareters were updated (keys,
      addr, link, type).
      Now it's possible to update ttl, hoplimit, flowinfo and flags.
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6a61d4db
    • G
      pppoe: fix memory corruption in padt work structure · fe53985a
      Guillaume Nault 提交于
      pppoe_connect() mustn't touch the padt_work field of pppoe sockets
      because that work could be already pending.
      
      [   21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004
      [   21.474523] IP: [<c1043177>] process_one_work+0x29/0x31c
      [   21.475164] *pde = 00000000
      [   21.475513] Oops: 0000 [#1] SMP
      [   21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio
      [   21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1
      [   21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
      [   21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000
      [   21.476168] EIP: 0060:[<c1043177>] EFLAGS: 00010046 CPU: 2
      [   21.476168] EIP is at process_one_work+0x29/0x31c
      [   21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000
      [   21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc
      [   21.484082]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [   21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690
      [   21.484082] Stack:
      [   21.484082]  00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000
      [   21.484082]  00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970
      [   21.484082]  f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74
      [   21.484082] Call Trace:
      [   21.484082]  [<c1327945>] ? _raw_spin_lock_irq+0x28/0x30
      [   21.484082]  [<c1043984>] worker_thread+0x1b1/0x244
      [   21.484082]  [<c10437d3>] ? rescuer_thread+0x229/0x229
      [   21.484082]  [<c10437d3>] ? rescuer_thread+0x229/0x229
      [   21.484082]  [<c1047059>] kthread+0x8f/0x94
      [   21.484082]  [<c1327a32>] ? _raw_spin_unlock_irq+0x22/0x26
      [   21.484082]  [<c1327ee9>] ret_from_kernel_thread+0x21/0x38
      [   21.484082]  [<c1046fca>] ? kthread_parkme+0x19/0x19
      [   21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d
      [   21.496082] EIP: [<c1043177>] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc
      [   21.496082] CR2: 0000000000000004
      [   21.496082] ---[ end trace e362cc9cf10dae89 ]---
      Reported-by: NAndrew <nitr0@seti.kr.ua>
      Fixes: 287f3a94 ("pppoe: Use workqueue to die properly when a PADT is received")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fe53985a
    • D
      Merge branch 'mvpp2-fixes' · 6001f340
      David S. Miller 提交于
      Marcin Wojtas says:
      
      ====================
      Marvell Armada 375 mvpp2 fixes
      
      During my work on mvneta driver I revised mvpp2, and it occurred that the
      initial version of Marvell Armada 375 SoC comprised bugs around
      DMA-unmapping in both ingress and egress paths - not all buffers were
      umapped in TX path and none(!) in RX. Three patches that I send fix
      this situation.
      
      Any feedback would be welcome.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6001f340
    • M
      net: mvpp2: fix refilling BM pools in RX path · b5015854
      Marcin Wojtas 提交于
      In hitherto code in case of RX buffer allocation error during refill,
      original buffer is pushed to the network stack, but the amount of
      available buffer pointers in BM pool is decreased.
      
      This commit fixes the situation by moving refill call before skb_put(),
      and returning original buffer pointer to the pool in case of an error.
      Signed-off-by: NMarcin Wojtas <mw@semihalf.com>
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375
      network unit")
      
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5015854
    • M
      net: mvpp2: fix buffers' DMA handling on RX path · 4229d502
      Marcin Wojtas 提交于
      Each allocated buffer, whose pointer is put into BM pool is DMA-mapped.
      Hence it should be properly unmapped after usage or when removing buffers
      from pool.
      
      This commit fixes DMA handling on RX path by adding dma_unmap_single() in
      mvpp2_rx() and in mvpp2_bufs_free(). The latter function's argument number
      had to be increased for this purpose.
      Signed-off-by: NMarcin Wojtas <mw@semihalf.com>
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375
      network unit")
      
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4229d502
    • M
      net: mvpp2: fix missing DMA region unmap in egress processing · e864b4c7
      Marcin Wojtas 提交于
      The Tx descriptor release code currently calls dma_unmap_single() and
      dev_kfree_skb_any() if the descriptor is associated with a non-NULL skb.
      This condition is true only for the last fragment of the packet.
      
      Since every descriptor's buffer is DMA-mapped it has to be properly
      unmapped.
      Signed-off-by: NMarcin Wojtas <mw@semihalf.com>
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375
      network unit")
      
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e864b4c7
    • H
      rhashtable: Prevent spurious EBUSY errors on insertion · 3cf92222
      Herbert Xu 提交于
      Thomas and Phil observed that under stress rhashtable insertion
      sometimes failed with EBUSY, even though this error should only
      ever been seen when we're under attack and our hash chain length
      has grown to an unacceptable level, even after a rehash.
      
      It turns out that the logic for detecting whether there is an
      existing rehash is faulty.  In particular, when two threads both
      try to grow the same table at the same time, one of them may see
      the newly grown table and thus erroneously conclude that it had
      been rehashed.  This is what leads to the EBUSY error.
      
      This patch fixes this by remembering the current last table we
      used during insertion so that rhashtable_insert_rehash can detect
      when another thread has also done a resize/rehash.  When this is
      detected we will give up our resize/rehash and simply retry the
      insertion with the new table.
      Reported-by: NThomas Graf <tgraf@suug.ch>
      Reported-by: NPhil Sutter <phil@nwl.cc>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Tested-by: NPhil Sutter <phil@nwl.cc>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3cf92222
  2. 04 12月, 2015 18 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 071f5d10
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
       "A lot of Thanksgiving turkey leftovers accumulated, here goes:
      
         1) Fix bluetooth l2cap_chan object leak, from Johan Hedberg.
      
         2) IDs for some new iwlwifi chips, from Oren Givon.
      
         3) Fix rtlwifi lockups on boot, from Larry Finger.
      
         4) Fix memory leak in fm10k, from Stephen Hemminger.
      
         5) We have a route leak in the ipv6 tunnel infrastructure, fix from
            Paolo Abeni.
      
         6) Fix buffer pointer handling in arm64 bpf JIT,f rom Zi Shen Lim.
      
         7) Wrong lockdep annotations in tcp md5 support, fix from Eric
            Dumazet.
      
         8) Work around some middle boxes which prevent proper handling of TCP
            Fast Open, from Yuchung Cheng.
      
         9) TCP repair can do huge kmalloc() requests, build paged SKBs
            instead.  From Eric Dumazet.
      
        10) Fix msg_controllen overflow in scm_detach_fds, from Daniel
            Borkmann.
      
        11) Fix device leaks on ipmr table destruction in ipv4 and ipv6, from
            Nikolay Aleksandrov.
      
        12) Fix use after free in epoll with AF_UNIX sockets, from Rainer
            Weikusat.
      
        13) Fix double free in VRF code, from Nikolay Aleksandrov.
      
        14) Fix skb leaks on socket receive queue in tipc, from Ying Xue.
      
        15) Fix ifup/ifdown crach in xgene driver, from Iyappan Subramanian.
      
        16) Fix clearing of persistent array maps in bpf, from Daniel
            Borkmann.
      
        17) In TCP, for the cross-SYN case, we don't initialize tp->copied_seq
            early enough.  From Eric Dumazet.
      
        18) Fix out of bounds accesses in bpf array implementation when
            updating elements, from Daniel Borkmann.
      
        19) Fill gaps in RCU protection of np->opt in ipv6 stack, from Eric
            Dumazet.
      
        20) When dumping proxy neigh entries, we have to accomodate NULL
            device pointers properly, from Konstantin Khlebnikov.
      
        21) SCTP doesn't release all ipv6 socket resources properly, fix from
            Eric Dumazet.
      
        22) Prevent underflows of sch->q.qlen for multiqueue packet
            schedulers, also from Eric Dumazet.
      
        23) Fix MAC and unicast list handling in bnxt_en driver, from Jeffrey
            Huang and Michael Chan.
      
        24) Don't actively scan radar channels, from Antonio Quartulli"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (110 commits)
        net: phy: reset only targeted phy
        bnxt_en: Setup uc_list mac filters after resetting the chip.
        bnxt_en: enforce proper storing of MAC address
        bnxt_en: Fixed incorrect implementation of ndo_set_mac_address
        net: lpc_eth: remove irq > NR_IRQS check from probe()
        net_sched: fix qdisc_tree_decrease_qlen() races
        openvswitch: fix hangup on vxlan/gre/geneve device deletion
        ipv4: igmp: Allow removing groups from a removed interface
        ipv6: sctp: implement sctp_v6_destroy_sock()
        arm64: bpf: add 'store immediate' instruction
        ipv6: kill sk_dst_lock
        ipv6: sctp: add rcu protection around np->opt
        net/neighbour: fix crash at dumping device-agnostic proxy entries
        sctp: use GFP_USER for user-controlled kmalloc
        sctp: convert sack_needed and sack_generation to bits
        ipv6: add complete rcu protection around np->opt
        bpf: fix allocation warnings in bpf maps and integer overflow
        mvebu: dts: enable IP checksum with jumbo frames for Armada 38x on Port0
        net: mvneta: enable setting custom TX IP checksum limit
        net: mvneta: fix error path for building skb
        ...
      071f5d10
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 2873d32f
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
       "A collection of fixes from this series.  The most important here is a
        regression fix for an issue that some folks would hit in blk-merge.c,
        and the NVMe queue depth limit for the screwed up Apple "nvme"
        controller.
      
        In more detail, this pull request contains:
      
         - a set of fixes for null_blk, including a fix for a few corner cases
           where we could hang the device.  From Arianna and Paolo.
      
         - lightnvm:
              - A build improvement from Keith.
              - Update the qemu pci id detection from Matias.
              - Error handling fixes for leaks and other little fixes from
                Sudip and Wenwei.
      
         - fix from Eric where BLKRRPART would not return EBUSY for whole
           device mounts, only when partitions were mounted.
      
         - fix from Jan Kara, where EOF O_DIRECT reads would return
           negatively.
      
         - remove check for rq_mergeable() when checking limits for cloned
           requests.  The check doesn't make any sense.  It's assuming that
           since NOMERGE is set on the request that we don't have to
           recalculate limits since the request didn't change, but that's not
           true if the request has been redirected.  From Hannes.
      
         - correctly get the bio front segment value set for single segment
           bio's, fixing a BUG() in blk-merge.  From Ming"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nvme: temporary fix for Apple controller reset
        null_blk: change type of completion_nsec to unsigned long
        null_blk: guarantee device restart in all irq modes
        null_blk: set a separate timer for each command
        blk-merge: fix computing bio->bi_seg_front_size in case of single segment
        direct-io: Fix negative return from dio read beyond eof
        block: Always check queue limits for cloned requests
        lightnvm: missing nvm_lock acquire
        lightnvm: unconverted ppa returned in get_bb_tbl
        lightnvm: refactor and change vendor id for qemu
        lightnvm: do device max sectors boundary check first
        lightnvm: fix ioctl memory leaks
        lightnvm: free memory when gennvm register fails
        lightnvm: Simplify config when disabled
        Return EBUSY from BLKRRPART for mounted whole-dev fs
      2873d32f
    • L
      Merge tag 'trace-v4.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · c041f087
      Linus Torvalds 提交于
      Pull tracing fix from Steven Rostedt:
       "During the merge window I added a new file that is used to filter
        trace events on pids.  It filters all events where only tasks with
        their pid in that file exists.  It also handles the sched_switch and
        sched_wakeup trace events where the current task does not have its pid
        in the file, but the task either being switched to or awaken does.
      
        Unfortunately, I forgot about sched_wakeup_new and sched_waking.  Both
        of these tracepoints use the same class as the sched_wakeup
        tracepoint, and they too should be included in what gets filtered by
        the set_event_pid file"
      
      * tag 'trace-v4.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Add sched_wakeup_new and sched_waking tracepoints for pid filter
      c041f087
    • D
      Merge tag 'mac80211-for-davem-2015-12-02' of... · e3c9b1ef
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2015-12-02' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A small set of fixes for 4.4:
       * fix scanning in mac80211 to not actively scan radar
         channels (from Antonio)
       * fix uninitialized variable in remain-on-channel that
         could lead to treating frame TX as remain-on-channel
         and not sending the frame at all
       * remove NL80211_FEATURE_FULL_AP_CLIENT_STATE again, it
         was broken and needs more work, we'll enable it later
       * fix call_rcu() induced use-after-reset/free in mesh
         (that was suddenly causing issues in certain tests)
       * always request block-ack window size 64 as we found
         some APs will otherwise crash (really ...)
       * fix P2P-Device teardown sequence to avoid restarting
         with uninitialized data
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3c9b1ef
    • J
      net: phy: reset only targeted phy · cf18b778
      Jérôme Pouiller 提交于
      It is possible to address another chip on same MDIO bus. The case is
      correctly handled for media advertising. It is taken into account
      only if mii_data->phy_id == phydev->addr. However, this condition
      was missing for reset case.
      Signed-off-by: NJérôme Pouiller <jezz@sysmic.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cf18b778
    • D
      Merge branch 'bnxt_en-fixes' · c5ba5c8a
      David S. Miller 提交于
      Michael Chan says:
      
      ====================
      bnxt_en: set mac address and uc_list bug fixes.
      
      Fix ndo_set_mac_address() for PF and VF.
      Re-apply uc_list after chip reset.
      
      v2: Fix compile error if CONFIG_BNXT_SRIOV is not set.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5ba5c8a
    • M
      bnxt_en: Setup uc_list mac filters after resetting the chip. · b664f008
      Michael Chan 提交于
      Call bnxt_cfg_rx_mode() in bnxt_init_chip() to setup uc_list and
      mc_list mac address filters.  Before the patch, uc_list is not
      setup again after chip reset (such as ethtool ring size change)
      and macvlans don't work any more after that.
      
      Modify bnxt_cfg_rx_mode() to return error codes appropriately so
      that the init chip sequence can detect any failures.
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b664f008
    • J
      bnxt_en: enforce proper storing of MAC address · bdd4347b
      Jeffrey Huang 提交于
      For PF, the bp->pf.mac_addr always holds the permanent MAC
      addr assigned by the HW.  For VF, the bp->vf.mac_addr always
      holds the administrator assigned VF MAC addr. The random
      generated VF MAC addr should never get stored to bp->vf.mac_addr.
      This way, when the VF wants to change the MAC address, we can tell
      if the adminstrator has already set it and disallow the VF from
      changing it.
      
      v2: Fix compile error if CONFIG_BNXT_SRIOV is not set.
      Signed-off-by: NJeffrey Huang <huangjw@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bdd4347b
    • J
      bnxt_en: Fixed incorrect implementation of ndo_set_mac_address · 1fc2cfd0
      Jeffrey Huang 提交于
      The existing ndo_set_mac_address only copies the new MAC addr
      and didn't set the new MAC addr to the HW. The correct way is
      to delete the existing default MAC filter from HW and add
      the new one. Because of RFS filters are also dependent on the
      default mac filter l2 context, the driver must go thru
      close_nic() to delete the default MAC and RFS filters, then
      open_nic() to set the default MAC address to HW.
      Signed-off-by: NJeffrey Huang <huangjw@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1fc2cfd0
    • V
      net: lpc_eth: remove irq > NR_IRQS check from probe() · 39198ec9
      Vladimir Zapolskiy 提交于
      If the driver is used on an ARM platform with SPARSE_IRQ defined,
      semantics of NR_IRQS is different (minimal value of virtual irqs) and
      by default it is set to 16, see arch/arm/include/asm/irq.h.
      
      This value may be less than the actual number of virtual irqs, which
      may break the driver initialization. The check removal allows to use
      the driver on such a platform, and, if irq controller driver works
      correctly, the check is not needed on legacy platforms.
      
      Fixes a runtime problem:
      
          lpc-eth 31060000.ethernet: error getting resources.
          lpc_eth: lpc-eth: not found (-6).
      Signed-off-by: NVladimir Zapolskiy <vz@mleia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      39198ec9
    • E
      net_sched: fix qdisc_tree_decrease_qlen() races · 4eaf3b84
      Eric Dumazet 提交于
      qdisc_tree_decrease_qlen() suffers from two problems on multiqueue
      devices.
      
      One problem is that it updates sch->q.qlen and sch->qstats.drops
      on the mq/mqprio root qdisc, while it should not : Daniele
      reported underflows errors :
      [  681.774821] PAX: sch->q.qlen: 0 n: 1
      [  681.774825] PAX: size overflow detected in function qdisc_tree_decrease_qlen net/sched/sch_api.c:769 cicus.693_49 min, count: 72, decl: qlen; num: 0; context: sk_buff_head;
      [  681.774954] CPU: 2 PID: 19 Comm: ksoftirqd/2 Tainted: G           O    4.2.6.201511282239-1-grsec #1
      [  681.774955] Hardware name: ASUSTeK COMPUTER INC. X302LJ/X302LJ, BIOS X302LJ.202 03/05/2015
      [  681.774956]  ffffffffa9a04863 0000000000000000 0000000000000000 ffffffffa990ff7c
      [  681.774959]  ffffc90000d3bc38 ffffffffa95d2810 0000000000000007 ffffffffa991002b
      [  681.774960]  ffffc90000d3bc68 ffffffffa91a44f4 0000000000000001 0000000000000001
      [  681.774962] Call Trace:
      [  681.774967]  [<ffffffffa95d2810>] dump_stack+0x4c/0x7f
      [  681.774970]  [<ffffffffa91a44f4>] report_size_overflow+0x34/0x50
      [  681.774972]  [<ffffffffa94d17e2>] qdisc_tree_decrease_qlen+0x152/0x160
      [  681.774976]  [<ffffffffc02694b1>] fq_codel_dequeue+0x7b1/0x820 [sch_fq_codel]
      [  681.774978]  [<ffffffffc02680a0>] ? qdisc_peek_dequeued+0xa0/0xa0 [sch_fq_codel]
      [  681.774980]  [<ffffffffa94cd92d>] __qdisc_run+0x4d/0x1d0
      [  681.774983]  [<ffffffffa949b2b2>] net_tx_action+0xc2/0x160
      [  681.774985]  [<ffffffffa90664c1>] __do_softirq+0xf1/0x200
      [  681.774987]  [<ffffffffa90665ee>] run_ksoftirqd+0x1e/0x30
      [  681.774989]  [<ffffffffa90896b0>] smpboot_thread_fn+0x150/0x260
      [  681.774991]  [<ffffffffa9089560>] ? sort_range+0x40/0x40
      [  681.774992]  [<ffffffffa9085fe4>] kthread+0xe4/0x100
      [  681.774994]  [<ffffffffa9085f00>] ? kthread_worker_fn+0x170/0x170
      [  681.774995]  [<ffffffffa95d8d1e>] ret_from_fork+0x3e/0x70
      
      mq/mqprio have their own ways to report qlen/drops by folding stats on
      all their queues, with appropriate locking.
      
      A second problem is that qdisc_tree_decrease_qlen() calls qdisc_lookup()
      without proper locking : concurrent qdisc updates could corrupt the list
      that qdisc_match_from_root() parses to find a qdisc given its handle.
      
      Fix first problem adding a TCQ_F_NOPARENT qdisc flag that
      qdisc_tree_decrease_qlen() can use to abort its tree traversal,
      as soon as it meets a mq/mqprio qdisc children.
      
      Second problem can be fixed by RCU protection.
      Qdisc are already freed after RCU grace period, so qdisc_list_add() and
      qdisc_list_del() simply have to use appropriate rcu list variants.
      
      A future patch will add a per struct netdev_queue list anchor, so that
      qdisc_tree_decrease_qlen() can have more efficient lookups.
      Reported-by: NDaniele Fucini <dfucini@gmail.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Cong Wang <cwang@twopensource.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4eaf3b84
    • P
      openvswitch: fix hangup on vxlan/gre/geneve device deletion · 13175303
      Paolo Abeni 提交于
      Each openvswitch tunnel vport (vxlan,gre,geneve) holds a reference
      to the underlying tunnel device, but never released it when such
      device is deleted.
      Deleting the underlying device via the ip tool cause the kernel to
      hangup in the netdev_wait_allrefs() loop.
      This commit ensure that on device unregistration dp_detach_port_notify()
      is called for all vports that hold the device reference, properly
      releasing it.
      
      Fixes: 614732ea ("openvswitch: Use regular VXLAN net_device device")
      Fixes: b2acd1dc ("openvswitch: Use regular GRE net_device instead of vport")
      Fixes: 6b001e68 ("openvswitch: Use Geneve device.")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NFlavio Leitner <fbl@sysclose.org>
      Acked-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      13175303
    • A
      ipv4: igmp: Allow removing groups from a removed interface · 4eba7bb1
      Andrew Lunn 提交于
      When a multicast group is joined on a socket, a struct ip_mc_socklist
      is appended to the sockets mc_list containing information about the
      joined group.
      
      If the interface is hot unplugged, this entry becomes stale. Prior to
      commit 52ad353a ("igmp: fix the problem when mc leave group") it
      was possible to remove the stale entry by performing a
      IP_DROP_MEMBERSHIP, passing either the old ifindex or ip address on
      the interface. However, this fix enforces that the interface must
      still exist. Thus with time, the number of stale entries grows, until
      sysctl_igmp_max_memberships is reached and then it is not possible to
      join and more groups.
      
      The previous patch fixes an issue where a IP_DROP_MEMBERSHIP is
      performed without specifying the interface, either by ifindex or ip
      address. However here we do supply one of these. So loosen the
      restriction on device existence to only apply when the interface has
      not been specified. This then restores the ability to clean up the
      stale entries.
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Fixes: 52ad353a "(igmp: fix the problem when mc leave group")
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4eba7bb1
    • E
      ipv6: sctp: implement sctp_v6_destroy_sock() · 602dd62d
      Eric Dumazet 提交于
      Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
      
      We need to call inet6_destroy_sock() to properly release
      inet6 specific fields.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      602dd62d
    • D
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 79aecc72
      David S. Miller 提交于
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2015-12-01
      
      Here's a Bluetooth fix for the 4.4-rc series that fixes a memory leak of
      the Security Manager L2CAP channel that'll happen for every LE
      connection.
      
      Please let me know if there are any issues pulling. Thanks.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      79aecc72
    • Y
      arm64: bpf: add 'store immediate' instruction · df849ba3
      Yang Shi 提交于
      aarch64 doesn't have native store immediate instruction, such operation
      has to be implemented by the below instruction sequence:
      
      Load immediate to register
      Store register
      Signed-off-by: NYang Shi <yang.shi@linaro.org>
      CC: Zi Shen Lim <zlim.lnx@gmail.com>
      CC: Xi Wang <xi.wang@gmail.com>
      Reviewed-by: NZi Shen Lim <zlim.lnx@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df849ba3
    • E
      ipv6: kill sk_dst_lock · 6bd4f355
      Eric Dumazet 提交于
      While testing the np->opt RCU conversion, I found that UDP/IPv6 was
      using a mixture of xchg() and sk_dst_lock to protect concurrent changes
      to sk->sk_dst_cache, leading to possible corruptions and crashes.
      
      ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest
      way to fix the mess is to remove sk_dst_lock completely, as we did for
      IPv4.
      
      __ip6_dst_store() and ip6_dst_store() share same implementation.
      
      sk_setup_caps() being called with socket lock being held or not,
      we have to use sk_dst_set() instead of __sk_dst_set()
      
      Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);"
      in ip6_dst_store() before the sk_setup_caps(sk, dst) call.
      
      This is because ip6_dst_store() can be called from process context,
      without any lock held.
      
      As soon as the dst is installed in sk->sk_dst_cache, dst can be freed
      from another cpu doing a concurrent ip6_dst_store()
      
      Doing the dst dereference before doing the install is needed to make
      sure no use after free would trigger.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6bd4f355
    • E
      ipv6: sctp: add rcu protection around np->opt · c836a8ba
      Eric Dumazet 提交于
      This patch completes the work I did in commit 45f6fad8
      ("ipv6: add complete rcu protection around np->opt"), as I missed
      sctp part.
      
      This simply makes sure np->opt is used with proper RCU locking
      and accessors.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c836a8ba
  3. 03 12月, 2015 13 次提交