1. 27 5月, 2020 7 次提交
    • F
      net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a · f2fb6b62
      Fugang Duan 提交于
      For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be
      PTP v2/802.AS1, any layer, any kind of event packet, but HW only
      take timestamp snapshot for below PTP message: sync, Pdelay_req,
      Pdelay_resp.
      
      Then it causes below issue when test E2E case:
      ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp
      ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp
      ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp
      ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp
      ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp
      ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp
      ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp
      ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp
      ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp
      
      Timestamp snapshot dependency on register bits in received path:
      SNAPTYPSEL TSMSTRENA TSEVNTENA 	PTP_Messages
      01         x         0          SYNC, Follow_Up, Delay_Req,
                                      Delay_Resp, Pdelay_Req, Pdelay_Resp,
                                      Pdelay_Resp_Follow_Up
      01         0         1          SYNC, Pdelay_Req, Pdelay_Resp
      
      For dwmac v5.10a, enabling all events by setting register
      DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA]
      to 0’b0, which can support all required events.
      Signed-off-by: NFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f2fb6b62
    • D
      Merge branch 'nexthop-group-fixes' · 4d5c32ec
      David S. Miller 提交于
      David Ahern says:
      
      ====================
      nexthops: Fix 2 fundamental flaws with nexthop groups
      
      Nik's torture tests have exposed 2 fundamental mistakes with the initial
      nexthop code for groups. First, the nexthops entries and num_nh in the
      nh_grp struct should not be modified once the struct is set under rcu.
      Doing so has major affects on the datapath seeing valid nexthop entries.
      
      Second, the helpers in the header file were convenient for not repeating
      code, but they cause datapath walks to potentially see 2 different group
      structs after an rcu replace, disrupting a walk of the path objects.
      This second problem applies solely to IPv4 as I re-used too much of the
      existing code in walking legs of a multipath route.
      
      Patches 1 is refactoring change to simplify the overhead of reviewing and
      understanding the change in patch 2 which fixes the update of nexthop
      groups when a compnent leg is removed.
      
      Patches 3-5 address the second problem. Patch 3 inlines the multipath
      check such that the mpath lookup and subsequent calls all use the same
      nh_grp struct. Patches 4 and 5 fix datapath uses of fib_info_num_path
      with iterative calls to fib_info_nhc.
      
      fib_info_num_path can be used in control plane path in a 'for loop' with
      subsequent fib_info_nhc calls to get each leg since the nh_grp struct is
      only changed while holding the rtnl; the combination can not be used in
      the data plane with external nexthops as it involves repeated dereferences
      of nh_grp struct which can change between calls.
      
      Similarly, nexthop_is_multipath can be used for branching decisions in
      the datapath since the nexthop type can not be changed (a group can not
      be converted to standalone and vice versa).
      
      Patch set developed in coordination with Nikolay Aleksandrov. He did a
      lot of work creating a good reproducer, discussing options to fix it
      and testing iterations.
      
      I have adapted Nik's commands into additional tests in the nexthops
      selftest script which I will send against -next.
      
      v2
      - fixed whitespace errors
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4d5c32ec
    • D
      ipv4: nexthop version of fib_info_nh_uses_dev · 1fd1c768
      David Ahern 提交于
      Similar to the last path, need to fix fib_info_nh_uses_dev for
      external nexthops to avoid referencing multiple nh_grp structs.
      Move the device check in fib_info_nh_uses_dev to a helper and
      create a nexthop version that is called if the fib_info uses an
      external nexthop.
      
      Fixes: 430a0491 ("nexthop: Add support for nexthop groups")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1fd1c768
    • D
      ipv4: Refactor nhc evaluation in fib_table_lookup · af7888ad
      David Ahern 提交于
      FIB lookups can return an entry that references an external nexthop.
      While walking the nexthop struct we do not want to make multiple calls
      into the nexthop code which can result in 2 different structs getting
      accessed - one returning the number of paths the rest of the loop
      seeing a different nh_grp struct. If the nexthop group shrunk, the
      result is an attempt to access a fib_nh_common that does not exist for
      the new nh_grp struct but did for the old one.
      
      To fix that move the device evaluation code to a helper that can be
      used for inline fib_nh path as well as external nexthops.
      
      Update the existing check for fi->nh in fib_table_lookup to call a
      new helper, nexthop_get_nhc_lookup, which walks the external nexthop
      with a single rcu dereference.
      
      Fixes: 430a0491 ("nexthop: Add support for nexthop groups")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af7888ad
    • D
      nexthop: Expand nexthop_is_multipath in a few places · 0b5e2e39
      David Ahern 提交于
      I got too fancy consolidating checks on multipath type. The result
      is that path lookups can access 2 different nh_grp structs as exposed
      by Nik's torture tests. Expand nexthop_is_multipath within nexthop.h to
      avoid multiple, nh_grp dereferences and make decisions based on the
      consistent struct.
      
      Only 2 places left using nexthop_is_multipath are within IPv6, both
      only check that the nexthop is a multipath for a branching decision
      which are acceptable.
      
      Fixes: 430a0491 ("nexthop: Add support for nexthop groups")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0b5e2e39
    • N
      nexthops: don't modify published nexthop groups · 90f33bff
      Nikolay Aleksandrov 提交于
      We must avoid modifying published nexthop groups while they might be
      in use, otherwise we might see NULL ptr dereferences. In order to do
      that we allocate 2 nexthoup group structures upon nexthop creation
      and swap between them when we have to delete an entry. The reason is
      that we can't fail nexthop group removal, so we can't handle allocation
      failure thus we move the extra allocation on creation where we can
      safely fail and return ENOMEM.
      
      Fixes: 430a0491 ("nexthop: Add support for nexthop groups")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      90f33bff
    • D
      nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry · ac21753a
      David Ahern 提交于
      Move nh_grp dereference and check for removing nexthop group due to
      all members gone into remove_nh_grp_entry.
      
      Fixes: 430a0491 ("nexthop: Add support for nexthop groups")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ac21753a
  2. 26 5月, 2020 10 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 963bdfc7
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
         connections in the bridge family, from Michael Braun.
      
      2) Incorrect subcounter flag update in ipset, from Phil Sutter.
      
      3) Possible buffer overflow in the pptp conntrack helper, based
         on patch from Dan Carpenter.
      
      4) Restore userspace conntrack helper hook logic that broke after
         hook consolidation rework.
      
      5) Unbreak userspace conntrack helper registration via
         nfnetlink_cthelper.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      963bdfc7
    • D
      Merge tag 'mac80211-for-net-2020-05-25' of... · 1a6da4fc
      David S. Miller 提交于
      Merge tag 'mac80211-for-net-2020-05-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A few changes:
       * fix a debugfs vs. wiphy rename crash
       * fix an invalid HE spec definition
       * fix a mesh timer crash
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a6da4fc
    • Q
      qlcnic: fix missing release in qlcnic_83xx_interrupt_test. · 15c97385
      Qiushi Wu 提交于
      In function qlcnic_83xx_interrupt_test(), function
      qlcnic_83xx_diag_alloc_res() is not handled by function
      qlcnic_83xx_diag_free_res() after a call of the function
      qlcnic_alloc_mbx_args() failed. Fix this issue by adding
      a jump target "fail_mbx_args", and jump to this new target
      when qlcnic_alloc_mbx_args() failed.
      
      Fixes: b6b4316c ("qlcnic: Handle qlcnic_alloc_mbx_args() failure")
      Signed-off-by: NQiushi Wu <wu000273@umn.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      15c97385
    • V
      dpaa_eth: fix usage as DSA master, try 3 · 5d14c304
      Vladimir Oltean 提交于
      The dpaa-eth driver probes on compatible string for the MAC node, and
      the fman/mac.c driver allocates a dpaa-ethernet platform device that
      triggers the probing of the dpaa-eth net device driver.
      
      All of this is fine, but the problem is that the struct device of the
      dpaa_eth net_device is 2 parents away from the MAC which can be
      referenced via of_node. So of_find_net_device_by_node can't find it, and
      DSA switches won't be able to probe on top of FMan ports.
      
      It would be a bit silly to modify a core function
      (of_find_net_device_by_node) to look for dev->parent->parent->of_node
      just for one driver. We're just 1 step away from implementing full
      recursion.
      
      Actually there have already been at least 2 previous attempts to make
      this work:
      - Commit a1a50c8e ("fsl/man: Inherit parent device and of_node")
      - One or more of the patches in "[v3,0/6] adapt DPAA drivers for DSA":
        https://patchwork.ozlabs.org/project/netdev/cover/1508178970-28945-1-git-send-email-madalin.bucur@nxp.com/
        (I couldn't really figure out which one was supposed to solve the
        problem and how).
      
      Point being, it looks like this is still pretty much a problem today.
      On T1040, the /sys/class/net/eth0 symlink currently points to
      
      ../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/dpaa-ethernet.0/net/eth0
      
      which pretty much illustrates the problem. The closest of_node we've got
      is the "fsl,fman-memac" at /soc@ffe000000/fman@400000/ethernet@e6000,
      which is what we'd like to be able to reference from DSA as host port.
      
      For of_find_net_device_by_node to find the eth0 port, we would need the
      parent of the eth0 net_device to not be the "dpaa-ethernet" platform
      device, but to point 1 level higher, aka the "fsl,fman-memac" node
      directly. The new sysfs path would look like this:
      
      ../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/net/eth0
      
      And this is exactly what SET_NETDEV_DEV does. It sets the parent of the
      net_device. The new parent has an of_node associated with it, and
      of_dev_node_match already checks for the of_node of the device or of its
      parent.
      
      Fixes: a1a50c8e ("fsl/man: Inherit parent device and of_node")
      Fixes: c6e26ea8 ("dpaa_eth: change device used")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5d14c304
    • V
      net/tls: fix race condition causing kernel panic · 0cada332
      Vinay Kumar Yadav 提交于
      tls_sw_recvmsg() and tls_decrypt_done() can be run concurrently.
      // tls_sw_recvmsg()
      	if (atomic_read(&ctx->decrypt_pending))
      		crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
      	else
      		reinit_completion(&ctx->async_wait.completion);
      
      //tls_decrypt_done()
        	pending = atomic_dec_return(&ctx->decrypt_pending);
      
        	if (!pending && READ_ONCE(ctx->async_notify))
        		complete(&ctx->async_wait.completion);
      
      Consider the scenario tls_decrypt_done() is about to run complete()
      
      	if (!pending && READ_ONCE(ctx->async_notify))
      
      and tls_sw_recvmsg() reads decrypt_pending == 0, does reinit_completion(),
      then tls_decrypt_done() runs complete(). This sequence of execution
      results in wrong completion. Consequently, for next decrypt request,
      it will not wait for completion, eventually on connection close, crypto
      resources freed, there is no way to handle pending decrypt response.
      
      This race condition can be avoided by having atomic_read() mutually
      exclusive with atomic_dec_return(),complete().Intoduced spin lock to
      ensure the mutual exclution.
      
      Addressed similar problem in tx direction.
      
      v1->v2:
      - More readable commit message.
      - Corrected the lock to fix new race scenario.
      - Removed barrier which is not needed now.
      
      Fixes: a42055e8 ("net/tls: Add support for async encryption of records for performance")
      Signed-off-by: NVinay Kumar Yadav <vinay.yadav@chelsio.com>
      Reviewed-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0cada332
    • P
      netfilter: nfnetlink_cthelper: unbreak userspace helper support · 703acd70
      Pablo Neira Ayuso 提交于
      Restore helper data size initialization and fix memcopy of the helper
      data size.
      
      Fixes: 157ffffe ("netfilter: nfnetlink_cthelper: reject too large userspace allocation requests")
      Reviewed-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      703acd70
    • P
      netfilter: conntrack: make conntrack userspace helpers work again · ee04805f
      Pablo Neira Ayuso 提交于
      Florian Westphal says:
      
      "Problem is that after the helper hook was merged back into the confirm
      one, the queueing itself occurs from the confirm hook, i.e. we queue
      from the last netfilter callback in the hook-list.
      
      Therefore, on return, the packet bypasses the confirm action and the
      connection is never committed to the main conntrack table.
      
      To fix this there are several ways:
      1. revert the 'Fixes' commit and have a extra helper hook again.
         Works, but has the drawback of adding another indirect call for
         everyone.
      
      2. Special case this: split the hooks only when userspace helper
         gets added, so queueing occurs at a lower priority again,
         and normal enqueue reinject would eventually call the last hook.
      
      3. Extend the existing nf_queue ct update hook to allow a forced
         confirmation (plus run the seqadj code).
      
      This goes for 3)."
      
      Fixes: 827318fe ("netfilter: conntrack: remove helper hook again")
      Reviewed-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      ee04805f
    • P
      netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code · 4c559f15
      Pablo Neira Ayuso 提交于
      Dan Carpenter says: "Smatch complains that the value for "cmd" comes
      from the network and can't be trusted."
      
      Add pptp_msg_name() helper function that checks for the array boundary.
      
      Fixes: f09943fe ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      4c559f15
    • P
      netfilter: ipset: Fix subcounter update skip · a164b95a
      Phil Sutter 提交于
      If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
      update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
      must be set, not unset.
      
      Fixes: 6e01781d ("netfilter: ipset: set match: add support to match the counters")
      Signed-off-by: NPhil Sutter <phil@nwl.cc>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      a164b95a
    • M
      netfilter: nft_reject_bridge: enable reject with bridge vlan · e9c284ec
      Michael Braun 提交于
      Currently, using the bridge reject target with tagged packets
      results in untagged packets being sent back.
      
      Fix this by mirroring the vlan id as well.
      
      Fixes: 85f5b308 ("netfilter: bridge: add reject support")
      Signed-off-by: NMichael Braun <michael-dev@fami-braun.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      e9c284ec
  3. 25 5月, 2020 6 次提交
    • J
      cfg80211: fix debugfs rename crash · 0bbab5f0
      Johannes Berg 提交于
      Removing the "if (IS_ERR(dir)) dir = NULL;" check only works
      if we adjust the remaining code to not rely on it being NULL.
      Check IS_ERR_OR_NULL() before attempting to dereference it.
      
      I'm not actually entirely sure this fixes the syzbot crash as
      the kernel config indicates that they do have DEBUG_FS in the
      kernel, but this is what I found when looking there.
      
      Cc: stable@vger.kernel.org
      Fixes: d82574a8 ("cfg80211: no need to check return value of debugfs_create functions")
      Reported-by: syzbot+fd5332e429401bf42d18@syzkaller.appspotmail.com
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20200525113816.fc4da3ec3d4b.Ica63a110679819eaa9fb3bc1b7437d96b1fd187d@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      0bbab5f0
    • P
      ieee80211: Fix incorrect mask for default PE duration · d031781b
      Pradeep Kumar Chitrapu 提交于
      Fixes bitmask for HE opration's default PE duration.
      
      Fixes: daa5b835 ("mac80211: update HE operation fields to D3.0")
      Signed-off-by: NPradeep Kumar Chitrapu <pradeepc@codeaurora.org>
      Link: https://lore.kernel.org/r/20200506102430.5153-1-pradeepc@codeaurora.orgSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      d031781b
    • L
      mac80211: mesh: fix discovery timer re-arming issue / crash · e2d4a80f
      Linus Lüssing 提交于
      On a non-forwarding 802.11s link between two fairly busy
      neighboring nodes (iperf with -P 16 at ~850MBit/s TCP;
      1733.3 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 4), so with
      frequent PREQ retries, usually after around 30-40 seconds the
      following crash would occur:
      
      [ 1110.822428] Unable to handle kernel read from unreadable memory at virtual address 00000000
      [ 1110.830786] Mem abort info:
      [ 1110.833573]   Exception class = IABT (current EL), IL = 32 bits
      [ 1110.839494]   SET = 0, FnV = 0
      [ 1110.842546]   EA = 0, S1PTW = 0
      [ 1110.845678] user pgtable: 4k pages, 48-bit VAs, pgd = ffff800076386000
      [ 1110.852204] [0000000000000000] *pgd=00000000f6322003, *pud=00000000f62de003, *pmd=0000000000000000
      [ 1110.861167] Internal error: Oops: 86000004 [#1] PREEMPT SMP
      [ 1110.866730] Modules linked in: pppoe ppp_async batman_adv ath10k_pci ath10k_core ath pppox ppp_generic nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 usb_storage xhci_plat_hcd xhci_pci xhci_hcd dwc3 usbcore usb_common
      [ 1110.932190] Process swapper/3 (pid: 0, stack limit = 0xffff0000090c8000)
      [ 1110.938884] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.162 #0
      [ 1110.944965] Hardware name: LS1043A RGW Board (DT)
      [ 1110.949658] task: ffff8000787a81c0 task.stack: ffff0000090c8000
      [ 1110.955568] PC is at 0x0
      [ 1110.958097] LR is at call_timer_fn.isra.27+0x24/0x78
      [ 1110.963055] pc : [<0000000000000000>] lr : [<ffff0000080ff29c>] pstate: 00400145
      [ 1110.970440] sp : ffff00000801be10
      [ 1110.973744] x29: ffff00000801be10 x28: ffff000008bf7018
      [ 1110.979047] x27: ffff000008bf87c8 x26: ffff000008c160c0
      [ 1110.984352] x25: 0000000000000000 x24: 0000000000000000
      [ 1110.989657] x23: dead000000000200 x22: 0000000000000000
      [ 1110.994959] x21: 0000000000000000 x20: 0000000000000101
      [ 1111.000262] x19: ffff8000787a81c0 x18: 0000000000000000
      [ 1111.005565] x17: ffff0000089167b0 x16: 0000000000000058
      [ 1111.010868] x15: ffff0000089167b0 x14: 0000000000000000
      [ 1111.016172] x13: ffff000008916788 x12: 0000000000000040
      [ 1111.021475] x11: ffff80007fda9af0 x10: 0000000000000001
      [ 1111.026777] x9 : ffff00000801bea0 x8 : 0000000000000004
      [ 1111.032080] x7 : 0000000000000000 x6 : ffff80007fda9aa8
      [ 1111.037383] x5 : ffff00000801bea0 x4 : 0000000000000010
      [ 1111.042685] x3 : ffff00000801be98 x2 : 0000000000000614
      [ 1111.047988] x1 : 0000000000000000 x0 : 0000000000000000
      [ 1111.053290] Call trace:
      [ 1111.055728] Exception stack(0xffff00000801bcd0 to 0xffff00000801be10)
      [ 1111.062158] bcc0:                                   0000000000000000 0000000000000000
      [ 1111.069978] bce0: 0000000000000614 ffff00000801be98 0000000000000010 ffff00000801bea0
      [ 1111.077798] bd00: ffff80007fda9aa8 0000000000000000 0000000000000004 ffff00000801bea0
      [ 1111.085618] bd20: 0000000000000001 ffff80007fda9af0 0000000000000040 ffff000008916788
      [ 1111.093437] bd40: 0000000000000000 ffff0000089167b0 0000000000000058 ffff0000089167b0
      [ 1111.101256] bd60: 0000000000000000 ffff8000787a81c0 0000000000000101 0000000000000000
      [ 1111.109075] bd80: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
      [ 1111.116895] bda0: ffff000008c160c0 ffff000008bf87c8 ffff000008bf7018 ffff00000801be10
      [ 1111.124715] bdc0: ffff0000080ff29c ffff00000801be10 0000000000000000 0000000000400145
      [ 1111.132534] bde0: ffff8000787a81c0 ffff00000801bde8 0000ffffffffffff 000001029eb19be8
      [ 1111.140353] be00: ffff00000801be10 0000000000000000
      [ 1111.145220] [<          (null)>]           (null)
      [ 1111.149917] [<ffff0000080ff77c>] run_timer_softirq+0x184/0x398
      [ 1111.155741] [<ffff000008081938>] __do_softirq+0x100/0x1fc
      [ 1111.161130] [<ffff0000080a2e28>] irq_exit+0x80/0xd8
      [ 1111.166002] [<ffff0000080ea708>] __handle_domain_irq+0x88/0xb0
      [ 1111.171825] [<ffff000008081678>] gic_handle_irq+0x68/0xb0
      [ 1111.177213] Exception stack(0xffff0000090cbe30 to 0xffff0000090cbf70)
      [ 1111.183642] be20:                                   0000000000000020 0000000000000000
      [ 1111.191461] be40: 0000000000000001 0000000000000000 00008000771af000 0000000000000000
      [ 1111.199281] be60: ffff000008c95180 0000000000000000 ffff000008c19360 ffff0000090cbef0
      [ 1111.207101] be80: 0000000000000810 0000000000000400 0000000000000098 ffff000000000000
      [ 1111.214920] bea0: 0000000000000001 ffff0000089167b0 0000000000000000 ffff0000089167b0
      [ 1111.222740] bec0: 0000000000000000 ffff000008c198e8 ffff000008bf7018 ffff000008c19000
      [ 1111.230559] bee0: 0000000000000000 0000000000000000 ffff8000787a81c0 ffff000008018000
      [ 1111.238380] bf00: ffff00000801c000 ffff00000913ba34 ffff8000787a81c0 ffff0000090cbf70
      [ 1111.246199] bf20: ffff0000080857cc ffff0000090cbf70 ffff0000080857d0 0000000000400145
      [ 1111.254020] bf40: ffff000008018000 ffff00000801c000 ffffffffffffffff ffff0000080fa574
      [ 1111.261838] bf60: ffff0000090cbf70 ffff0000080857d0
      [ 1111.266706] [<ffff0000080832e8>] el1_irq+0xe8/0x18c
      [ 1111.271576] [<ffff0000080857d0>] arch_cpu_idle+0x10/0x18
      [ 1111.276880] [<ffff0000080d7de4>] do_idle+0xec/0x1b8
      [ 1111.281748] [<ffff0000080d8020>] cpu_startup_entry+0x20/0x28
      [ 1111.287399] [<ffff00000808f81c>] secondary_start_kernel+0x104/0x110
      [ 1111.293662] Code: bad PC value
      [ 1111.296710] ---[ end trace 555b6ca4363c3edd ]---
      [ 1111.301318] Kernel panic - not syncing: Fatal exception in interrupt
      [ 1111.307661] SMP: stopping secondary CPUs
      [ 1111.311574] Kernel Offset: disabled
      [ 1111.315053] CPU features: 0x0002000
      [ 1111.318530] Memory Limit: none
      [ 1111.321575] Rebooting in 3 seconds..
      
      With some added debug output / delays we were able to push the crash from
      the timer callback runner into the callback function and by that shedding
      some light on which object holding the timer gets corrupted:
      
      [  401.720899] Unable to handle kernel read from unreadable memory at virtual address 00000868
      [...]
      [  402.335836] [<ffff0000088fafa4>] _raw_spin_lock_bh+0x14/0x48
      [  402.341548] [<ffff000000dbe684>] mesh_path_timer+0x10c/0x248 [mac80211]
      [  402.348154] [<ffff0000080ff29c>] call_timer_fn.isra.27+0x24/0x78
      [  402.354150] [<ffff0000080ff77c>] run_timer_softirq+0x184/0x398
      [  402.359974] [<ffff000008081938>] __do_softirq+0x100/0x1fc
      [  402.365362] [<ffff0000080a2e28>] irq_exit+0x80/0xd8
      [  402.370231] [<ffff0000080ea708>] __handle_domain_irq+0x88/0xb0
      [  402.376053] [<ffff000008081678>] gic_handle_irq+0x68/0xb0
      
      The issue happens due to the following sequence of events:
      
      1) mesh_path_start_discovery():
      -> spin_unlock_bh(&mpath->state_lock) before mesh_path_sel_frame_tx()
      
      2) mesh_path_free_rcu()
      -> del_timer_sync(&mpath->timer)
         [...]
      -> kfree_rcu(mpath)
      
      3) mesh_path_start_discovery():
      -> mod_timer(&mpath->timer, ...)
         [...]
      -> rcu_read_unlock()
      
      4) mesh_path_free_rcu()'s kfree_rcu():
      -> kfree(mpath)
      
      5) mesh_path_timer() starts after timeout, using freed mpath object
      
      So a use-after-free issue due to a timer re-arming bug caused by an
      early spin-unlocking.
      
      This patch fixes this issue by re-checking if mpath is about to be
      free'd and if so bails out of re-arming the timer.
      
      Cc: stable@vger.kernel.org
      Fixes: 050ac52c ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
      Cc: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NLinus Lüssing <ll@simonwunderlich.de>
      Link: https://lore.kernel.org/r/20200522170413.14973-1-linus.luessing@c0d3.blueSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      e2d4a80f
    • L
      Merge tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 98790bba
      Linus Torvalds 提交于
      Pull EFI fixes from Thomas Gleixner:
       "A set of EFI fixes:
      
         - Don't return a garbage screen info when EFI framebuffer is not
           available
      
         - Make the early EFI console work properly with wider fonts instead
           of drawing garbage
      
         - Prevent a memory buffer leak in allocate_e820()
      
         - Print the firmware error record properly so it can be decoded by
           users
      
         - Fix a symbol clash in the host tool build which only happens with
           newer compilers.
      
         - Add a missing check for the event log version of TPM which caused
           boot failures on several Dell systems due to an attempt to decode
           SHA-1 format with the crypto agile algorithm"
      
      * tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tpm: check event log version before reading final events
        efi: Pull up arch-specific prototype efi_systab_show_arch()
        x86/boot: Mark global variables as static
        efi: cper: Add support for printing Firmware Error Record Reference
        efi/libstub/x86: Avoid EFI map buffer alloc in allocate_e820()
        efi/earlycon: Fix early printk for wider fonts
        efi/libstub: Avoid returning uninitialized data from setup_graphics()
      98790bba
    • L
      Merge tag 'x86-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 667b6249
      Linus Torvalds 提交于
      Pull x86 fixes from Thomas Gleixner:
       "Two fixes for x86:
      
         - Unbreak stack dumps for inactive tasks by interpreting the special
           first frame left by __switch_to_asm() correctly.
      
           The recent change not to skip the first frame so ORC and frame
           unwinder behave in the same way caused all entries to be
           unreliable, i.e. prepended with '?'.
      
         - Use cpumask_available() instead of an implicit NULL check of a
           cpumask_var_t in mmio trace to prevent a Clang build warning"
      
      * tag 'x86-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks
        x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
      667b6249
    • L
      Merge tag 'sched-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9e61d12b
      Linus Torvalds 提交于
      Pull scheduler fixes from Thomas Gleixner:
       "A set of fixes for the scheduler:
      
         - Fix handling of throttled parents in enqueue_task_fair() completely.
      
           The recent fix overlooked a corner case where the first iteration
           terminates due to an entity already being on the runqueue which
           makes the list management incomplete and later triggers the
           assertion which checks for completeness.
      
         - Fix a similar problem in unthrottle_cfs_rq().
      
         - Show the correct uclamp values in procfs which prints the effective
           value twice instead of requested and effective"
      
      * tag 'sched-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list
        sched/debug: Fix requested task uclamp values shown in procfs
        sched/fair: Fix enqueue_task_fair() warning some more
      9e61d12b
  4. 24 5月, 2020 17 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · caffb99b
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix RCU warnings in ipv6 multicast router code, from Madhuparna
          Bhowmik.
      
       2) Nexthop attributes aren't being checked properly because of
          mis-initialized iterator, from David Ahern.
      
       3) Revert iop_idents_reserve() change as it caused performance
          regressions and was just working around what is really a UBSAN bug
          in the compiler. From Yuqi Jin.
      
       4) Read MAC address properly from ROM in bmac driver (double iteration
          proceeds past end of address array), from Jeremy Kerr.
      
       5) Add Microsoft Surface device IDs to r8152, from Marc Payne.
      
       6) Prevent reference to freed SKB in __netif_receive_skb_core(), from
          Boris Sukholitko.
      
       7) Fix ACK discard behavior in rxrpc, from David Howells.
      
       8) Preserve flow hash across packet scrubbing in wireguard, from Jason
          A. Donenfeld.
      
       9) Cap option length properly for SO_BINDTODEVICE in AX25, from Eric
          Dumazet.
      
      10) Fix encryption error checking in kTLS code, from Vadim Fedorenko.
      
      11) Missing BPF prog ref release in flow dissector, from Jakub Sitnicki.
      
      12) dst_cache must be used with BH disabled in tipc, from Eric Dumazet.
      
      13) Fix use after free in mlxsw driver, from Jiri Pirko.
      
      14) Order kTLS key destruction properly in mlx5 driver, from Tariq
          Toukan.
      
      15) Check devm_platform_ioremap_resource() return value properly in
          several drivers, from Tiezhu Yang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (71 commits)
        net: smsc911x: Fix runtime PM imbalance on error
        net/mlx4_core: fix a memory leak bug.
        net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
        net: phy: mscc: fix initialization of the MACsec protocol mode
        net: stmmac: don't attach interface until resume finishes
        net: Fix return value about devm_platform_ioremap_resource()
        net/mlx5: Fix error flow in case of function_setup failure
        net/mlx5e: CT: Correctly get flow rule
        net/mlx5e: Update netdev txq on completions during closure
        net/mlx5: Annotate mutex destroy for root ns
        net/mlx5: Don't maintain a case of del_sw_func being null
        net/mlx5: Fix cleaning unmanaged flow tables
        net/mlx5: Fix memory leak in mlx5_events_init
        net/mlx5e: Fix inner tirs handling
        net/mlx5e: kTLS, Destroy key object after destroying the TIS
        net/mlx5e: Fix allowed tc redirect merged eswitch offload cases
        net/mlx5: Avoid processing commands before cmdif is ready
        net/mlx5: Fix a race when moving command interface to events mode
        net/mlx5: Add command entry handling completion
        rxrpc: Fix a memory leak in rxkad_verify_response()
        ...
      caffb99b
    • D
      net: smsc911x: Fix runtime PM imbalance on error · 539d39ad
      Dinghao Liu 提交于
      Remove runtime PM usage counter decrement when the
      increment function has not been called to keep the
      counter balanced.
      Signed-off-by: NDinghao Liu <dinghao.liu@zju.edu.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      539d39ad
    • D
      Merge tag 'mlx5-fixes-2020-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e3181e9a
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2020-05-22
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.13
         ('net/mlx5: Add command entry handling completion')
      
      For -stable v5.2
         ('net/mlx5: Fix error flow in case of function_setup failure')
         ('net/mlx5: Fix memory leak in mlx5_events_init')
      
      For -stable v5.3
         ('net/mlx5e: Update netdev txq on completions during closure')
         ('net/mlx5e: kTLS, Destroy key object after destroying the TIS')
         ('net/mlx5e: Fix inner tirs handling')
      
      For -stable v5.6
         ('net/mlx5: Fix cleaning unmanaged flow tables')
         ('net/mlx5: Fix a race when moving command interface to events mode')
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3181e9a
    • Q
      net/mlx4_core: fix a memory leak bug. · febfd9d3
      Qiushi Wu 提交于
      In function mlx4_opreq_action(), pointer "mailbox" is not released,
      when mlx4_cmd_box() return and error, causing a memory leak bug.
      Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can
      free this pointer.
      
      Fixes: fe6f700d ("net/mlx4_core: Respond to operation request by firmware")
      Signed-off-by: NQiushi Wu <wu000273@umn.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      febfd9d3
    • G
      net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend · 4c64b83d
      Grygorii Strashko 提交于
      vlan_for_each() are required to be called with rtnl_lock taken, otherwise
      ASSERT_RTNL() warning will be triggered - which happens now during System
      resume from suspend:
        cpsw_suspend()
        |- cpsw_ndo_stop()
          |- __hw_addr_ref_unsync_dev()
            |- cpsw_purge_all_mc()
               |- vlan_for_each()
                  |- ASSERT_RTNL();
      
      Hence, fix it by surrounding cpsw_ndo_stop() by rtnl_lock/unlock() calls.
      
      Fixes: 15180eca ("net: ethernet: ti: cpsw: fix vlan mcast")
      Signed-off-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c64b83d
    • A
      net: phy: mscc: fix initialization of the MACsec protocol mode · 0ddfee1f
      Antoine Tenart 提交于
      At the very end of the MACsec block initialization in the MSCC PHY
      driver, the MACsec "protocol mode" is set. This setting should be set
      based on the PHY id within the package, as the bank used to access the
      register used depends on this. This was not done correctly, and only the
      first bank was used leading to the two upper PHYs being unstable when
      using the VSC8584. This patch fixes it.
      
      Fixes: 1bbe0ecc ("net: phy: mscc: macsec initialization")
      Signed-off-by: NAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0ddfee1f
    • L
      net: stmmac: don't attach interface until resume finishes · 31096c3e
      Leon Yu 提交于
      Commit 14b41a29 ("net: stmmac: Delete txtimer in suspend") was the
      first attempt to fix a race between mod_timer() and setup_timer()
      during stmmac_resume(). However the issue still exists as the commit
      only addressed half of the issue.
      
      Same race can still happen as stmmac_resume() re-attaches interface
      way too early - even before hardware is fully initialized.  Worse,
      doing so allows network traffic to restart and stmmac_tx_timer_arm()
      being called in the middle of stmmac_resume(), which re-init tx timers
      in stmmac_init_coalesce().  timer_list will be corrupted and system
      crashes as a result of race between mod_timer() and setup_timer().
      
        systemd--1995    2.... 552950018us : stmmac_suspend: 4994
        ksoftirq-9       0..s2 553123133us : stmmac_tx_timer_arm: 2276
        systemd--1995    0.... 553127896us : stmmac_resume: 5101
        systemd--320     7...2 553132752us : stmmac_tx_timer_arm: 2276
        (sd-exec-1999    5...2 553135204us : stmmac_tx_timer_arm: 2276
        ---------------------------------
        pc : run_timer_softirq+0x468/0x5e0
        lr : run_timer_softirq+0x570/0x5e0
        Call trace:
         run_timer_softirq+0x468/0x5e0
         __do_softirq+0x124/0x398
         irq_exit+0xd8/0xe0
         __handle_domain_irq+0x6c/0xc0
         gic_handle_irq+0x60/0xb0
         el1_irq+0xb8/0x180
         arch_cpu_idle+0x38/0x230
         default_idle_call+0x24/0x3c
         do_idle+0x1e0/0x2b8
         cpu_startup_entry+0x28/0x48
         secondary_start_kernel+0x1b4/0x208
      
      Fix this by deferring netif_device_attach() to the end of
      stmmac_resume().
      Signed-off-by: NLeon Yu <leoyu@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      31096c3e
    • T
      net: Fix return value about devm_platform_ioremap_resource() · ef24d6c3
      Tiezhu Yang 提交于
      When call function devm_platform_ioremap_resource(), we should use IS_ERR()
      to check the return value and return PTR_ERR() if failed.
      Signed-off-by: NTiezhu Yang <yangtiezhu@loongson.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ef24d6c3
    • M
      sparc32: fix page table traversal in srmmu_nocache_init() · 0cfc8a8d
      Mike Rapoport 提交于
      The srmmu_nocache_init() uses __nocache_fix() macro to add an offset to
      page table entry to access srmmu_nocache_pool.
      
      But since sparc32 has only three actual page table levels, pgd, p4d and
      pud are essentially the same thing and pgd_offset() and p4d_offset() are
      no-ops, the __nocache_fix() should be done only at PUD level.
      
      Remove __nocache_fix() for p4d_offset() and pud_offset() and keep it
      only for PUD and lower levels.
      
      Fixes: c2bc26f7 ("sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()")
      Signed-off-by: NMike Rapoport <rppt@linux.ibm.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Anatoly Pugachev <matorola@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0cfc8a8d
    • L
      Merge branch 'akpm' (patches from Andrew) · 423b8baf
      Linus Torvalds 提交于
      Merge misc fixes from Andrew Morton:
       "11 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        MAINTAINERS: add files related to kdump
        z3fold: fix use-after-free when freeing handles
        sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
        MAINTAINERS: update email address for Naoya Horiguchi
        sh: include linux/time_types.h for sockios
        kasan: disable branch tracing for core runtime
        selftests/vm/write_to_hugetlbfs.c: fix unused variable warning
        selftests/vm/.gitignore: add mremap_dontunmap
        rapidio: fix an error in get_user_pages_fast() error handling
        x86: bitops: fix build regression
        device-dax: don't leak kernel memory to user space after unloading kmem
      423b8baf
    • L
      Merge tag 'driver-core-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 23f0dac8
      Linus Torvalds 提交于
      Pull driver core fixes from Greg KH:
       "So, turns out the kobject fix didn't quite work, so here are four
        patches that in the end, result in just two driver core fixes for
        reported issues that no one has had problems with.
      
        The kobject patch that was originally in here has now been reverted,
        as Guenter reported boot problems with it on some of his systems"
      
      * tag 'driver-core-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Revert "kobject: Make sure the parent does not get released before its children"
        kobject: Make sure the parent does not get released before its children
        driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links
        driver core: Fix SYNC_STATE_ONLY device link implementation
      23f0dac8
    • L
      Merge tag 'char-misc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 0e36fd45
      Linus Torvalds 提交于
      Pull char/misc fixes from Greg KH:
       "Here are some small char/misc driver fixes for 5.7-rc7 that resolve
        some reported issues. Included in here are tiny fixes for the mei,
        coresight, rtsx, ipack, and mhi drivers.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        misc: rtsx: Add short delay after exit from ASPM
        bus: mhi: core: Fix some error return code
        ipack: tpci200: fix error return code in tpci200_register()
        coresight: cti: remove incorrect NULL return check
        mei: release me_cl object reference
      0e36fd45
    • L
      Merge tag 'staging-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 8f261041
      Linus Torvalds 提交于
      Pull staging/iio fixes from Greg KH:
       "Here are some small staging and IIO driver fixes for 5.7-rc7
      
        Nothing major, just a collection of IIO driver fixes for reported
        issues, and a few small staging driver fixes that people have found.
        Full details are in the shortlog.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: wfx: unlock on error path
        staging: greybus: Fix uninitialized scalar variable
        staging: kpc2000: fix error return code in kp2000_pcie_probe()
        iio: sca3000: Remove an erroneous 'get_device()'
        iio: adc: stm32-dfsdm: fix device used to request dma
        iio: adc: stm32-adc: fix device used to request dma
        iio: adc: ti-ads8344: Fix channel selection
        staging: iio: ad2s1210: Fix SPI reading
        iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()'
        iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw()
        iio: chemical: atlas-sensor: correct DO-SM channels
      8f261041
    • L
      Merge tag 'tty-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · d3044d7d
      Linus Torvalds 提交于
      Pull tty/serial fix from Greg KH:
       "Here is a single serial driver fix for 5.7-rc7. It resolves an issue
        with the SiFive serial console init sequence that was reported a
        number of times.
      
        It has been in linux-next for a while now with no reported issues"
      
      * tag 'tty-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: serial: add missing spin_lock_init for SiFive serial console
      d3044d7d
    • L
      Merge tag 's390-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 9bca7c40
      Linus Torvalds 提交于
      Pull s390 fixes from Vasily Gorbik:
      
       - Add missing R_390_JMP_SLOT relocation type in KASLR code.
      
       - Fix set_huge_pte_at for empty ptes issue which has been uncovered
         with arch page table helper tests.
      
       - Correct initrd location for kdump kernel.
      
       - Fix s390_mmio_read/write with MIO in PCI code.
      
      * tag 's390-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/kaslr: add support for R_390_JMP_SLOT relocation type
        s390/mm: fix set_huge_pte_at() for empty ptes
        s390/kexec_file: fix initrd location for kdump kernel
        s390/pci: Fix s390_mmio_read/write with MIO
      9bca7c40
    • B
      MAINTAINERS: add files related to kdump · ca6edee6
      Baoquan He 提交于
      Kdump is implemented based on kexec, however some files are only related
      to crash dumping and missing, add them to KDUMP entry.
      Signed-off-by: NBaoquan He <bhe@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Acked-by: NDave Young <dyoung@redhat.com>
      Link: http://lkml.kernel.org/r/20200520103633.GW5029@MiWiFi-R3L-srvSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ca6edee6
    • U
      z3fold: fix use-after-free when freeing handles · d8f117ab
      Uladzislau Rezki 提交于
      free_handle() for a foreign handle may race with inter-page compaction,
      what can lead to memory corruption.
      
      To avoid that, take write lock not read lock in free_handle to be
      synchronized with __release_z3fold_page().
      
      For example KASAN can detect it:
      
        ==================================================================
        BUG: KASAN: use-after-free in LZ4_decompress_safe+0x2c4/0x3b8
        Read of size 1 at addr ffffffc976695ca3 by task GoogleApiHandle/4121
      
        CPU: 0 PID: 4121 Comm: GoogleApiHandle Tainted: P S         OE     4.19.81-perf+ #162
        Hardware name: Sony Mobile Communications. PDX-203(KONA) (DT)
        Call trace:
           LZ4_decompress_safe+0x2c4/0x3b8
           lz4_decompress_crypto+0x3c/0x70
           crypto_decompress+0x58/0x70
           zcomp_decompress+0xd4/0x120
           ...
      
      Apart from that, initialize zhdr->mapped_count in init_z3fold_page() and
      remove "newpage" variable because it is not used anywhere.
      Signed-off-by: NUladzislau Rezki <uladzislau.rezki@sony.com>
      Signed-off-by: NVitaly Wool <vitaly.wool@konsulko.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Raymond Jennings <shentino@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200520082100.28876-1-vitaly.wool@konsulko.comSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d8f117ab