1. 03 2月, 2017 1 次提交
    • M
      mlx4: Fix memory leak after mlx4_en_update_priv() · f32b20e8
      Martin KaFai Lau 提交于
      In mlx4_en_update_priv(), dst->tx_ring[t] and dst->tx_cq[t]
      are over-written by src->tx_ring[t] and src->tx_cq[t] without
      first calling kfree.
      
      One of the reproducible code paths is by doing 'ethtool -L'.
      
      The fix is to do the kfree in mlx4_en_free_resources().
      
      Here is the kmemleak report:
      unreferenced object 0xffff880841211800 (size 2048):
        comm "ethtool", pid 3096, jiffies 4294716940 (age 528.353s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff81930718>] kmemleak_alloc+0x28/0x50
          [<ffffffff8120b213>] kmem_cache_alloc_trace+0x103/0x260
          [<ffffffff8170e0a8>] mlx4_en_try_alloc_resources+0x118/0x1a0
          [<ffffffff817065a9>] mlx4_en_set_ringparam+0x169/0x210
          [<ffffffff818040c5>] dev_ethtool+0xae5/0x2190
          [<ffffffff8181b898>] dev_ioctl+0x168/0x6f0
          [<ffffffff817d7a72>] sock_do_ioctl+0x42/0x50
          [<ffffffff817d819b>] sock_ioctl+0x21b/0x2d0
          [<ffffffff81247a73>] do_vfs_ioctl+0x93/0x6a0
          [<ffffffff812480f9>] SyS_ioctl+0x79/0x90
          [<ffffffff8193d7ea>] entry_SYSCALL_64_fastpath+0x18/0xad
          [<ffffffffffffffff>] 0xffffffffffffffff
      unreferenced object 0xffff880841213000 (size 2048):
        comm "ethtool", pid 3096, jiffies 4294716940 (age 528.353s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff81930718>] kmemleak_alloc+0x28/0x50
          [<ffffffff8120b213>] kmem_cache_alloc_trace+0x103/0x260
          [<ffffffff8170e0cb>] mlx4_en_try_alloc_resources+0x13b/0x1a0
          [<ffffffff817065a9>] mlx4_en_set_ringparam+0x169/0x210
          [<ffffffff818040c5>] dev_ethtool+0xae5/0x2190
          [<ffffffff8181b898>] dev_ioctl+0x168/0x6f0
          [<ffffffff817d7a72>] sock_do_ioctl+0x42/0x50
          [<ffffffff817d819b>] sock_ioctl+0x21b/0x2d0
          [<ffffffff81247a73>] do_vfs_ioctl+0x93/0x6a0
          [<ffffffff812480f9>] SyS_ioctl+0x79/0x90
          [<ffffffff8193d7ea>] entry_SYSCALL_64_fastpath+0x18/0xad
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      (gdb) list *mlx4_en_try_alloc_resources+0x118
      0xffffffff8170e0a8 is in mlx4_en_try_alloc_resources (drivers/net/ethernet/mellanox/mlx4/en_netdev.c:2145).
      2140                    if (!dst->tx_ring_num[t])
      2141                            continue;
      2142
      2143                    dst->tx_ring[t] = kzalloc(sizeof(struct mlx4_en_tx_ring *) *
      2144                                              MAX_TX_RINGS, GFP_KERNEL);
      2145                    if (!dst->tx_ring[t])
      2146                            goto err_free_tx;
      2147
      2148                    dst->tx_cq[t] = kzalloc(sizeof(struct mlx4_en_cq *) *
      2149                                            MAX_TX_RINGS, GFP_KERNEL);
      (gdb) list *mlx4_en_try_alloc_resources+0x13b
      0xffffffff8170e0cb is in mlx4_en_try_alloc_resources (drivers/net/ethernet/mellanox/mlx4/en_netdev.c:2150).
      2145                    if (!dst->tx_ring[t])
      2146                            goto err_free_tx;
      2147
      2148                    dst->tx_cq[t] = kzalloc(sizeof(struct mlx4_en_cq *) *
      2149                                            MAX_TX_RINGS, GFP_KERNEL);
      2150                    if (!dst->tx_cq[t]) {
      2151                            kfree(dst->tx_ring[t]);
      2152                            goto err_free_tx;
      2153                    }
      2154            }
      
      Fixes: ec25bc04 ("net/mlx4_en: Add resilience in low memory systems")
      Cc: Eugenia Emantayev <eugenia@mellanox.com>
      Cc: Saeed Mahameed <saeedm@mellanox.com>
      Cc: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NMartin KaFai Lau <kafai@fb.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f32b20e8
  2. 02 2月, 2017 10 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6d04dfc8
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix handling of interrupt status in stmmac driver. Just because we
          have masked the event from generating interrupts, doesn't mean the
          bit won't still be set in the interrupt status register. From Alexey
          Brodkin.
      
       2) Fix DMA API debugging splats in gianfar driver, from Arseny Solokha.
      
       3) Fix off-by-one error in __ip6_append_data(), from Vlad Yasevich.
      
       4) cls_flow does not match on icmpv6 codes properly, from Simon Horman.
      
       5) Initial MAC address can be set incorrectly in some scenerios, from
          Ivan Vecera.
      
       6) Packet header pointer arithmetic fix in ip6_tnl_parse_tlv_end_lim(),
          from Dan Carpenter.
      
       7) Fix divide by zero in __tcp_select_window(), from Eric Dumazet.
      
       8) Fix crash in iwlwifi when unregistering thermal zone, from Jens
          Axboe.
      
       9) Check for DMA mapping errors in starfire driver, from Alexey
          Khoroshilov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (31 commits)
        tcp: fix 0 divide in __tcp_select_window()
        ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
        net: fix ndo_features_check/ndo_fix_features comment ordering
        net/sched: matchall: Fix configuration race
        be2net: fix initial MAC setting
        ipv6: fix flow labels when the traffic class is non-0
        net: thunderx: avoid dereferencing xcv when NULL
        net/sched: cls_flower: Correct matching on ICMPv6 code
        ipv6: Paritially checksum full MTU frames
        net/mlx4_core: Avoid command timeouts during VF driver device shutdown
        gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page
        net: ethtool: add support for 2500BaseT and 5000BaseT link modes
        can: bcm: fix hrtimer/tasklet termination in bcm op removal
        net: adaptec: starfire: add checks for dma mapping errors
        net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause
        can: Fix kernel panic at security_sock_rcv_skb
        net: macb: Fix 64 bit addressing support for GEM
        stmmac: Discard masked flags in interrupt status register
        net/mlx5e: Check ets capability before ets query FW command
        net/mlx5e: Fix update of hash function/key via ethtool
        ...
      6d04dfc8
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 2883aaea
      Linus Torvalds 提交于
      Pull fscache fixes from Al Viro.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fscache: Fix dead object requeue
        fscache: Clear outstanding writes when disabling a cookie
        FS-Cache: Initialise stores_lock in netfs cookie
      2883aaea
    • E
      tcp: fix 0 divide in __tcp_select_window() · 06425c30
      Eric Dumazet 提交于
      syszkaller fuzzer was able to trigger a divide by zero, when
      TCP window scaling is not enabled.
      
      SO_RCVBUF can be used not only to increase sk_rcvbuf, also
      to decrease it below current receive buffers utilization.
      
      If mss is negative or 0, just return a zero TCP window.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov  <dvyukov@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      06425c30
    • D
      ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() · 63117f09
      Dan Carpenter 提交于
      Casting is a high precedence operation but "off" and "i" are in terms of
      bytes so we need to have some parenthesis here.
      
      Fixes: fbfa743a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63117f09
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · e387dc12
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
       "This fixes a bug in CBC/CTR on ARM64 that breaks chaining as well as a
        bug in the core API that causes registration failures when a driver
        unloads and then reloads an algorithm"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes
        crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
      e387dc12
    • L
      Merge tag 'dmaengine-fix-4.10-rc7' of git://git.infradead.org/users/vkoul/slave-dma · 35609502
      Linus Torvalds 提交于
      Pull dmaengine fixes from Vinod Koul:
       "A couple of fixes showed up late in the cycle so sending them up and
        sending early in the week and not on Friday :).
      
        They fix a double lock in pl330 driver and runtime pm fixes for cppi
        driver"
      
      * tag 'dmaengine-fix-4.10-rc7' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: pl330: fix double lock
        dmaengine: cppi41: Clean up pointless warnings
        dmaengine: cppi41: Fix oops in cppi41_runtime_resume
        dmaengine: cppi41: Fix runtime PM timeouts with USB mass storage
      35609502
    • D
      net: fix ndo_features_check/ndo_fix_features comment ordering · 1a2a1444
      Dimitris Michailidis 提交于
      Commit cdba756f ("net: move ndo_features_check() close to
      ndo_start_xmit()") inadvertently moved the doc comment for
      .ndo_fix_features instead of .ndo_features_check. Fix the comment
      ordering.
      
      Fixes: cdba756f ("net: move ndo_features_check() close to ndo_start_xmit()")
      Signed-off-by: NDimitris Michailidis <dmichail@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a2a1444
    • Y
      net/sched: matchall: Fix configuration race · fd62d9f5
      Yotam Gigi 提交于
      In the current version, the matchall internal state is split into two
      structs: cls_matchall_head and cls_matchall_filter. This makes little
      sense, as matchall instance supports only one filter, and there is no
      situation where one exists and the other does not. In addition, that led
      to some races when filter was deleted while packet was processed.
      
      Unify that two structs into one, thus simplifying the process of matchall
      creation and deletion. As a result, the new, delete and get callbacks have
      a dummy implementation where all the work is done in destroy and change
      callbacks, as was done in cls_cgroup.
      
      Fixes: bf3994d2 ("net/sched: introduce Match-all classifier")
      Reported-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NYotam Gigi <yotamg@mellanox.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fd62d9f5
    • L
      Merge tag 'pinctrl-v4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · c325b353
      Linus Torvalds 提交于
      Pull pin control fixes from Linus Walleij:
       "Another week, another set of pin control fixes. The subsystem has seen
        high patch-spot activity recently.
      
        The majority of the patches are for Intel, I vaguely think it mostly
        concern phones, tablets and maybe chromebooks and even laptops with
        this Intel Atom family chips.
      
        Driver fixes only:
      
         - one fix to the Berlin driver making the SD card work fully again.
      
         - one fix to the Allwinner/sunxi bias function: one premature change
           needs to be partially reverted.
      
         - the remaining four patches are to Intel embedded SoCs: baytrail
           (three patches) and merrifield (one patch): register access
           debounce fixes and a missing spinlock"
      
      * tag 'pinctrl-v4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: baytrail: Add missing spinlock usage in byt_gpio_irq_handler
        pinctrl: baytrail: Debounce register is one per community
        pinctrl: baytrail: Rectify debounce support (part 2)
        pinctrl: intel: merrifield: Add missed check in mrfld_config_set()
        pinctrl: sunxi: Don't enforce bias disable (for now)
        pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES
      c325b353
    • I
      be2net: fix initial MAC setting · 4993b39a
      Ivan Vecera 提交于
      Recent commit 34393529 ("be2net: fix MAC addr setting on privileged
      BE3 VFs") allows privileged BE3 VFs to set its MAC address during
      initialization. Although the initial MAC for such VFs is already
      programmed by parent PF the subsequent setting performed by VF is OK,
      but in certain cases (after fresh boot) this command in VF can fail.
      
      The MAC should be initialized only when:
      1) no MAC is programmed (always except BE3 VFs during first init)
      2) programmed MAC is different from requested (e.g. MAC is set when
         interface is down). In this case the initial MAC programmed by PF
         needs to be deleted.
      
      The adapter->dev_mac contains MAC address currently programmed in HW so
      it should be zeroed when the MAC is deleted from HW and should not be
      filled when MAC is set when interface is down in be_mac_addr_set() as
      no programming is performed in this case.
      
      Example of failure without the fix (immediately after fresh boot):
      
      # ip link set eth0 up  <- eth0 is BE3 PF
      be2net 0000:01:00.0 eth0: Link is Up
      
      # echo 1 > /sys/class/net/eth0/device/sriov_numvfs  <- Create 1 VF
      ...
      be2net 0000:01:04.0: Emulex OneConnect(be3): VF  port 0
      
      # ip link set eth8 up  <- eth8 is created privileged VF
      be2net 0000:01:04.0: opcode 59-1 failed:status 1-76
      RTNETLINK answers: Input/output error
      
      # echo 0 > /sys/class/net/eth0/device/sriov_numvfs  <- Delete VF
      iommu: Removing device 0000:01:04.0 from group 33
      ...
      
      # echo 1 > /sys/class/net/eth0/device/sriov_numvfs  <- Create it again
      iommu: Removing device 0000:01:04.0 from group 33
      ...
      
      # ip link set eth8 up
      be2net 0000:01:04.0 eth8: Link is Up
      
      Initialization is now OK.
      
      v2 - Corrected the comment and condition check suggested by Suresh & Harsha
      
      Fixes: 34393529 ("be2net: fix MAC addr setting on privileged BE3 VFs")
      Cc: Sathya Perla <sathya.perla@broadcom.com>
      Cc: Ajit Khaparde <ajit.khaparde@broadcom.com>
      Cc: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
      Cc: Somnath Kotur <somnath.kotur@broadcom.com>
      Signed-off-by: NIvan Vecera <cera@cera.cz>
      Acked-by: NSriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4993b39a
  3. 01 2月, 2017 12 次提交
    • L
      Merge tag 'trace-4.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · a2ca3d61
      Linus Torvalds 提交于
      Pull tracing fix from Steven Rostedt:
       "It was reported to me that the thread created by the hwlat tracer does
        not migrate after the first instance. I found that there was as small
        bug in the logic, and fixed it. It's minor, but should be fixed
        regardless. There's not much impact outside the hwlat tracer"
      
      * tag 'trace-4.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix hwlat kthread migration
      a2ca3d61
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 283725af
      Linus Torvalds 提交于
      Pull input subsystem fixes from Dmitry Torokhov:
       "A fix for a crash in the wm97xx driver and synaptics-rmi4 will stop
        throwing erroneous warnings."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - fix reversed conditions in enable/disable_irq_wake
        Input: wm97xx - make missing platform data non-fatal
      283725af
    • L
      Merge branch 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · f1774f46
      Linus Torvalds 提交于
      Pull cgroup fix from Tejun Heo:
       "The cgroup creation path was getting the order of operations wrong and
        exposing cgroups which don't have their names set yet to controllers
        which can lead to NULL derefs.
      
        This contains the fix for the bug"
      
      * 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: don't online subsystems before cgroup_name/path() are operational
      f1774f46
    • L
      Merge branch 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu · 298a2d87
      Linus Torvalds 提交于
      Pull percpu fix from Tejun Heo:
       "Douglas found and fixed a ref leak bug in percpu_ref_tryget[_live]().
      
        The bug is caused by storing the return value of atomic_long_inc_not_zero()
        into an int temp variable before returning it as a bool. The interim
        cast to int loses the upper bits and can lead to false negatives. As
        percpu_ref uses a high bit to mark a draining counter, this can happen
        relatively easily.
      
        Fixed by using bool for the temp variable"
      
      * 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
        percpu-refcount: fix reference leak during percpu-atomic transition
      298a2d87
    • L
      Merge branch 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 52e02f27
      Linus Torvalds 提交于
      Pull libata fixes from Tejun Heo:
       "Three libata fixes: an error handling fix, blacklist addition for
        another fallout from upping the default max sectors, and fix for a
        sense data reporting bug which affects new harddrives which can report
        sense data"
      
      * 'for-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ata: sata_mv:- Handle return value of devm_ioremap.
        libata: Fix ATA request sense
        libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices
      52e02f27
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · c9194b99
      Linus Torvalds 提交于
      Pull HID fixes from Jiri Kosina:
      
       - regression fix (sleeping while atomic) for cp2112, from Johan Hovold
      
       - regression fix for proximity handling under certain circumstances in
         Wacom driver, from Jason Gerecke
      
       - functional fix for Logitech Rumblepad 2, from Ardinartsev Nikita
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: cp2112: fix gpio-callback error handling
        HID: cp2112: fix sleep-while-atomic
        HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2
        HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL
        HID: wacom: Fix poor prox handling in 'wacom_pl_irq'
      c9194b99
    • L
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 415f9b71
      Linus Torvalds 提交于
      Pull cifs fix from Steve French:
       "A small cifs fix for stable"
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: initialize file_info_lock
      415f9b71
    • D
      fscache: Fix dead object requeue · e26bfebd
      David Howells 提交于
      Under some circumstances, an fscache object can become queued such that it
      fscache_object_work_func() can be called once the object is in the
      OBJECT_DEAD state.  This results in the kernel oopsing when it tries to
      invoke the handler for the state (which is hard coded to 0x2).
      
      The way this comes about is something like the following:
      
       (1) The object dispatcher is processing a work state for an object.  This
           is done in workqueue context.
      
       (2) An out-of-band event comes in that isn't masked, causing the object to
           be queued, say EV_KILL.
      
       (3) The object dispatcher finishes processing the current work state on
           that object and then sees there's another event to process, so,
           without returning to the workqueue core, it processes that event too.
           It then follows the chain of events that initiates until we reach
           OBJECT_DEAD without going through a wait state (such as
           WAIT_FOR_CLEARANCE).
      
           At this point, object->events may be 0, object->event_mask will be 0
           and oob_event_mask will be 0.
      
       (4) The object dispatcher returns to the workqueue processor, and in due
           course, this sees that the object's work item is still queued and
           invokes it again.
      
       (5) The current state is a work state (OBJECT_DEAD), so the dispatcher
           jumps to it - resulting in an OOPS.
      
      When I'm seeing this, the work state in (1) appears to have been either
      LOOK_UP_OBJECT or CREATE_OBJECT (object->oob_table is
      fscache_osm_lookup_oob).
      
      The window for (2) is very small:
      
       (A) object->event_mask is cleared whilst the event dispatch process is
           underway - though there's no memory barrier to force this to the top
           of the function.
      
           The window, therefore is from the time the object was selected by the
           workqueue processor and made requeueable to the time the mask was
           cleared.
      
       (B) fscache_raise_event() will only queue the object if it manages to set
           the event bit and the corresponding event_mask bit was set.
      
           The enqueuement is then deferred slightly whilst we get a ref on the
           object and get the per-CPU variable for workqueue congestion.  This
           slight deferral slightly increases the probability by allowing extra
           time for the workqueue to make the item requeueable.
      
      Handle this by giving the dead state a processor function and checking the
      for the dead state address rather than seeing if the processor function is
      address 0x2.  The dead state processor function can then set a flag to
      indicate that it's occurred and give a warning if it occurs more than once
      per object.
      
      If this race occurs, an oops similar to the following is seen (note the RIP
      value):
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000002
      IP: [<0000000000000002>] 0x1
      PGD 0
      Oops: 0010 [#1] SMP
      Modules linked in: ...
      CPU: 17 PID: 16077 Comm: kworker/u48:9 Not tainted 3.10.0-327.18.2.el7.x86_64 #1
      Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 12/27/2015
      Workqueue: fscache_object fscache_object_work_func [fscache]
      task: ffff880302b63980 ti: ffff880717544000 task.ti: ffff880717544000
      RIP: 0010:[<0000000000000002>]  [<0000000000000002>] 0x1
      RSP: 0018:ffff880717547df8  EFLAGS: 00010202
      RAX: ffffffffa0368640 RBX: ffff880edf7a4480 RCX: dead000000200200
      RDX: 0000000000000002 RSI: 00000000ffffffff RDI: ffff880edf7a4480
      RBP: ffff880717547e18 R08: 0000000000000000 R09: dfc40a25cb3a4510
      R10: dfc40a25cb3a4510 R11: 0000000000000400 R12: 0000000000000000
      R13: ffff880edf7a4510 R14: ffff8817f6153400 R15: 0000000000000600
      FS:  0000000000000000(0000) GS:ffff88181f420000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000002 CR3: 000000000194a000 CR4: 00000000001407e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       ffffffffa0363695 ffff880edf7a4510 ffff88093f16f900 ffff8817faa4ec00
       ffff880717547e60 ffffffff8109d5db 00000000faa4ec18 0000000000000000
       ffff8817faa4ec18 ffff88093f16f930 ffff880302b63980 ffff88093f16f900
      Call Trace:
       [<ffffffffa0363695>] ? fscache_object_work_func+0xa5/0x200 [fscache]
       [<ffffffff8109d5db>] process_one_work+0x17b/0x470
       [<ffffffff8109e4ac>] worker_thread+0x21c/0x400
       [<ffffffff8109e290>] ? rescuer_thread+0x400/0x400
       [<ffffffff810a5acf>] kthread+0xcf/0xe0
       [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140
       [<ffffffff816460d8>] ret_from_fork+0x58/0x90
       [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJeremy McNicoll <jeremymc@redhat.com>
      Tested-by: NFrank Sorenson <sorenson@redhat.com>
      Tested-by: NBenjamin Coddington <bcodding@redhat.com>
      Reviewed-by: NBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      e26bfebd
    • D
      fscache: Clear outstanding writes when disabling a cookie · 6bdded59
      David Howells 提交于
      fscache_disable_cookie() needs to clear the outstanding writes on the
      cookie it's disabling because they cannot be completed after.
      
      Without this, fscache_nfs_open_file() gets stuck because it disables the
      cookie when the file is opened for writing but can't uncache the pages till
      afterwards - otherwise there's a race between the open routine and anyone
      who already has it open R/O and is still reading from it.
      
      Looking in /proc/pid/stack of the offending process shows:
      
      [<ffffffffa0142883>] __fscache_wait_on_page_write+0x82/0x9b [fscache]
      [<ffffffffa014336e>] __fscache_uncache_all_inode_pages+0x91/0xe1 [fscache]
      [<ffffffffa01740fa>] nfs_fscache_open_file+0x59/0x9e [nfs]
      [<ffffffffa01ccf41>] nfs4_file_open+0x17f/0x1b8 [nfsv4]
      [<ffffffff8117350e>] do_dentry_open+0x16d/0x2b7
      [<ffffffff811743ac>] vfs_open+0x5c/0x65
      [<ffffffff81184185>] path_openat+0x785/0x8fb
      [<ffffffff81184343>] do_filp_open+0x48/0x9e
      [<ffffffff81174710>] do_sys_open+0x13b/0x1cb
      [<ffffffff811747b9>] SyS_open+0x19/0x1b
      [<ffffffff81001c44>] do_syscall_64+0x80/0x17a
      [<ffffffff8165c2da>] return_from_SYSCALL_64+0x0/0x7a
      [<ffffffffffffffff>] 0xffffffffffffffff
      Reported-by: NJianhong Yin <jiyin@redhat.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJeff Layton <jlayton@redhat.com>
      Acked-by: NSteve Dickson <steved@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      6bdded59
    • D
      FS-Cache: Initialise stores_lock in netfs cookie · 62deb818
      David Howells 提交于
      Initialise the stores_lock in fscache netfs cookies.  Technically, it
      shouldn't be necessary, since the netfs cookie is an index and stores no
      data, but initialising it anyway adds insignificant overhead.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Acked-by: NSteve Dickson <steved@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      62deb818
    • D
      ipv6: fix flow labels when the traffic class is non-0 · 90427ef5
      Dimitris Michailidis 提交于
      ip6_make_flowlabel() determines the flow label for IPv6 packets. It's
      supposed to be passed a flow label, which it returns as is if non-0 and
      in some other cases, otherwise it calculates a new value.
      
      The problem is callers often pass a flowi6.flowlabel, which may also
      contain traffic class bits. If the traffic class is non-0
      ip6_make_flowlabel() mistakes the non-0 it gets as a flow label and
      returns the whole thing. Thus it can return a 'flow label' longer than
      20b and the low 20b of that is typically 0 resulting in packets with 0
      label. Moreover, different packets of a flow may be labeled differently.
      For a TCP flow with ECN non-payload and payload packets get different
      labels as exemplified by this pair of consecutive packets:
      
      (pure ACK)
      Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
          0110 .... = Version: 6
          .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
              .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
              .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
          .... .... .... 0001 1100 1110 0100 1001 = Flow Label: 0x1ce49
          Payload Length: 32
          Next Header: TCP (6)
      
      (payload)
      Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
          0110 .... = Version: 6
          .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0))
              .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
              .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2)
          .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
          Payload Length: 688
          Next Header: TCP (6)
      
      This patch allows ip6_make_flowlabel() to be passed more than just a
      flow label and has it extract the part it really wants. This was simpler
      than modifying the callers. With this patch packets like the above become
      
      Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
          0110 .... = Version: 6
          .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
              .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
              .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
          .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e
          Payload Length: 32
          Next Header: TCP (6)
      
      Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
          0110 .... = Version: 6
          .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0))
              .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
              .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2)
          .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e
          Payload Length: 688
          Next Header: TCP (6)
      Signed-off-by: NDimitris Michailidis <dmichail@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      90427ef5
    • V
      net: thunderx: avoid dereferencing xcv when NULL · c73e4426
      Vincent 提交于
      This fixes the following smatch and coccinelle warnings:
      
        drivers/net/ethernet/cavium/thunder/thunder_xcv.c:119 xcv_setup_link() error: we previously assumed 'xcv' could be null (see line 118) [smatch]
        drivers/net/ethernet/cavium/thunder/thunder_xcv.c:119:16-20: ERROR: xcv is NULL but dereferenced. [coccinelle]
      
      Fixes: 6465859a ("net: thunderx: Add RGMII interface type support")
      Signed-off-by: NVincent Stehlé <vincent.stehle@laposte.net>
      Cc: Sunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c73e4426
  4. 31 1月, 2017 16 次提交
    • S
      tracing: Fix hwlat kthread migration · 79c6f448
      Steven Rostedt (VMware) 提交于
      The hwlat tracer creates a kernel thread at start of the tracer. It is
      pinned to a single CPU and will move to the next CPU after each period of
      running. If the user modifies the migration thread's affinity, it will not
      change after that happens.
      
      The original code created the thread at the first instance it was called,
      but later was changed to destroy the thread after the tracer was finished,
      and would not be created until the next instance of the tracer was
      established. The code that initialized the affinity was only called on the
      initial instantiation of the tracer. After that, it was not initialized, and
      the previous affinity did not match the current newly created one, making
      it appear that the user modified the thread's affinity when it did not, and
      the thread failed to migrate again.
      
      Cc: stable@vger.kernel.org
      Fixes: 0330f7aa ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs")
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      79c6f448
    • J
      HID: cp2112: fix gpio-callback error handling · 8e9faa15
      Johan Hovold 提交于
      In case of a zero-length report, the gpio direction_input callback would
      currently return success instead of an errno.
      
      Fixes: 1ffb3c40 ("HID: cp2112: make transfer buffers DMA capable")
      Cc: stable <stable@vger.kernel.org>     # 4.9
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      8e9faa15
    • J
      HID: cp2112: fix sleep-while-atomic · 7a7b5df8
      Johan Hovold 提交于
      A recent commit fixing DMA-buffers on stack added a shared transfer
      buffer protected by a spinlock. This is broken as the USB HID request
      callbacks can sleep. Fix this up by replacing the spinlock with a mutex.
      
      Fixes: 1ffb3c40 ("HID: cp2112: make transfer buffers DMA capable")
      Cc: stable <stable@vger.kernel.org>	# 4.9
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      7a7b5df8
    • C
      Input: synaptics-rmi4 - fix reversed conditions in enable/disable_irq_wake · 05e0be7c
      Christophe JAILLET 提交于
      These tests are reversed.  A warning should be displayed if an error is
      returned, not on success.
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      05e0be7c
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · f9a42e0d
      Linus Torvalds 提交于
      Pull sparc fixes from David Miller:
       "Several small bug fixes and tidies, along with a fix for non-resumable
        memory errors triggered by userspace"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Handle PIO & MEM non-resumable errors.
        sparc64: Zero pages on allocation for mondo and error queues.
        sparc: Fixed typo in sstate.c. Replaced panicing with panicking
        sparc: use symbolic names for tsb indexing
      f9a42e0d
    • D
      Merge branch 'sparc64-non-resumable-user-error-recovery' · 54791b27
      David S. Miller 提交于
      Liam R. Howlett says:
      
      ====================
      sparc64: Recover from userspace non-resumable PIO & MEM errors
      
      A non-resumable error from userspace is able to cause a kernel panic or trap
      loop due to the setup and handling of the queued traps once in the kernel.
      This patch series addresses both of these issues.
      
      The queues are fixed by simply zeroing the memory before use.
      
      PIO errors from userspace will result in a SIGBUS being sent to the user
      process.
      
      The MEM errors form userspace will result in a SIGKILL and also cause the
      offending pages to be claimed so they are no longer used in future tasks.
      SIGKILL is used to ensure that the process does not try to coredump and result
      in an attempt to read the memory again from within kernel space.  Although
      there is a HV call to scrub the memory (mem_scrub), there is no easy way to
      guarantee that the real memory address(es) are not used by other tasks.
      Clearing the error with mem_scrub would zero the memory and cause the other
      processes to proceed with bad data.
      
      The handling of other non-resumable errors remain unchanged and will cause a
      panic.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      54791b27
    • L
      sparc64: Handle PIO & MEM non-resumable errors. · 04748724
      Liam R. Howlett 提交于
      User processes trying to access an invalid memory address via PIO will
      receive a SIGBUS signal instead of causing a panic.  Memory errors will
      receive a SIGKILL since a SIGBUS may result in a coredump which may
      attempt to repeat the faulting access.
      Signed-off-by: NLiam R. Howlett <Liam.Howlett@Oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      04748724
    • L
      sparc64: Zero pages on allocation for mondo and error queues. · 7a7dc961
      Liam R. Howlett 提交于
      Error queues use a non-zero first word to detect if the queues are full.
      Using pages that have not been zeroed may result in false positive
      overflow events.  These queues are set up once during boot so zeroing
      all mondo and error queue pages is safe.
      
      Note that the false positive overflow does not always occur because the
      page allocation for these queues is so early in the boot cycle that
      higher number CPUs get fresh pages.  It is only when traps are serviced
      with lower number CPUs who were given already used pages that this issue
      is exposed.
      Signed-off-by: NLiam R. Howlett <Liam.Howlett@Oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7a7dc961
    • S
      net/sched: cls_flower: Correct matching on ICMPv6 code · 040587af
      Simon Horman 提交于
      When matching on the ICMPv6 code ICMPV6_CODE rather than
      ICMPV4_CODE attributes should be used.
      
      This corrects what appears to be a typo.
      
      Sample usage:
      
      tc qdisc add dev eth0 ingress
      tc filter add dev eth0 protocol ipv6 parent ffff: flower \
      	indev eth0 ip_proto icmpv6 type 128 code 0 action drop
      
      Without this change the code parameter above is effectively ignored.
      
      Fixes: 7b684884 ("net/sched: cls_flower: Support matching on ICMP type and code")
      Signed-off-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      040587af
    • D
      Merge tag 'linux-can-fixes-for-4.10-20170130' of... · 0d29ed28
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-4.10-20170130' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2017-01-30
      
      this is a pull request of one patch.
      
      The patch is by Oliver Hartkopp and fixes the hrtimer/tasklet termination in
      bcm op removal.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0d29ed28
    • L
      Merge tag 'rtc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · 751321b3
      Linus Torvalds 提交于
      Pull RTC fix from Alexandre Belloni:
       "A single fix for this cycle. It is worth taking it for 4.10 so that
        distributions will not have CONFIG_RTC_DRV_JZ4740 switching from m to
        y in their config.
      
        Summary:
         - Allow jz4740 to build as a module again by using kernel_halt()"
      
      * tag 'rtc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux:
        rtc: jz4740: make the driver buildable as a module again
      751321b3
    • V
      ipv6: Paritially checksum full MTU frames · 2b89ed65
      Vlad Yasevich 提交于
      IPv6 will mark data that is smaller that mtu - headersize as
      CHECKSUM_PARTIAL, but if the data will completely fill the mtu,
      the packet checksum will be computed in software instead.
      Extend the conditional to include the data that fills the mtu
      as well.
      Signed-off-by: NVladislav Yasevich <vyasevic@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2b89ed65
    • J
      net/mlx4_core: Avoid command timeouts during VF driver device shutdown · d585df1c
      Jack Morgenstein 提交于
      Some Hypervisors detach VFs from VMs by instantly causing an FLR event
      to be generated for a VF.
      
      In the mlx4 case, this will cause that VF's comm channel to be disabled
      before the VM has an opportunity to invoke the VF device's "shutdown"
      method.
      
      The result is that the VF driver on the VM will experience a command
      timeout during the shutdown process when the Hypervisor does not deliver
      a command-completion event to the VM.
      
      To avoid FW command timeouts on the VM when the driver's shutdown method
      is invoked, we detect the absence of the VF's comm channel at the very
      start of the shutdown process. If the comm-channel has already been
      disabled, we cause all FW commands during the device shutdown process to
      immediately return success (and thus avoid all command timeouts).
      Signed-off-by: NJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d585df1c
    • D
      Merge tag 'mlx5-fixes-2017-01-27' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 6415aa50
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      mlx5-fixes-2017-01-27
      
      A couple of mlx5 core and ethernet driver fixes.
      
      From Or, A couple of error return values and error handling fixes.
      From Hadar, Support TC encapsulation offloads even when the mlx5e uplink
      device is stacked  under an upper device.
      From Gal, Two patches to fix RSS hash modifications via ethtool.
      From Moshe, Added a needed ets capability check.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6415aa50
    • D
      Merge tag 'wireless-drivers-for-davem-2017-01-29' of... · 051a2e08
      David S. Miller 提交于
      Merge tag 'wireless-drivers-for-davem-2017-01-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.10
      
      Most important here are fixes to two iwlwifi crashes, but there's also
      a firmware naming fix for iwlwifi and a revert of an older bcma patch.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      051a2e08
    • A
      gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page · 4af0e5bb
      Arseny Solokha 提交于
      In spite of switching to paged allocation of Rx buffers, the driver still
      called dma_unmap_single() in the Rx queues tear-down path.
      
      The DMA region unmapping code in free_skb_rx_queue() basically predates
      the introduction of paged allocation to the driver. While being refactored,
      it apparently hasn't reflected the change in the DMA API usage by its
      counterpart gfar_new_page().
      
      As a result, setting an interface to the DOWN state now yields the following:
      
        # ip link set eth2 down
        fsl-gianfar ffe24000.ethernet: DMA-API: device driver frees DMA memory with wrong function [device address=0x000000001ecd0000] [size=40]
        ------------[ cut here ]------------
        WARNING: CPU: 1 PID: 189 at lib/dma-debug.c:1123 check_unmap+0x8e0/0xa28
        CPU: 1 PID: 189 Comm: ip Tainted: G           O    4.9.5 #1
        task: dee73400 task.stack: dede2000
        NIP: c02101e8 LR: c02101e8 CTR: c0260d74
        REGS: dede3bb0 TRAP: 0700   Tainted: G           O     (4.9.5)
        MSR: 00021000 <CE,ME>  CR: 28002222  XER: 00000000
      
        GPR00: c02101e8 dede3c60 dee73400 000000b6 dfbd033c dfbd36c4 1f622000 dede2000
        GPR08: 00000007 c05b1634 1f622000 00000000 22002484 100a9904 00000000 00000000
        GPR16: 00000000 db4c849c 00000002 db4c8480 00000001 df142240 db4c84bc 00000000
        GPR24: c0706148 c0700000 00029000 c07552e8 c07323b4 dede3cb8 c07605e0 db535540
        NIP [c02101e8] check_unmap+0x8e0/0xa28
        LR [c02101e8] check_unmap+0x8e0/0xa28
        Call Trace:
        [dede3c60] [c02101e8] check_unmap+0x8e0/0xa28 (unreliable)
        [dede3cb0] [c02103b8] debug_dma_unmap_page+0x88/0x9c
        [dede3d30] [c02dffbc] free_skb_resources+0x2c4/0x404
        [dede3d80] [c02e39b4] gfar_close+0x24/0xc8
        [dede3da0] [c0361550] __dev_close_many+0xa0/0xf8
        [dede3dd0] [c03616f0] __dev_close+0x2c/0x4c
        [dede3df0] [c036b1b8] __dev_change_flags+0xa0/0x174
        [dede3e10] [c036b2ac] dev_change_flags+0x20/0x60
        [dede3e30] [c03e130c] devinet_ioctl+0x540/0x824
        [dede3e90] [c0347dcc] sock_ioctl+0x134/0x298
        [dede3eb0] [c0111814] do_vfs_ioctl+0xac/0x854
        [dede3f20] [c0111ffc] SyS_ioctl+0x40/0x74
        [dede3f40] [c000f290] ret_from_syscall+0x0/0x3c
        --- interrupt: c01 at 0xff45da0
            LR = 0xff45cd0
        Instruction dump:
        811d001c 7c66482e 813d0020 9061000c 807f000c 5463103a 7cc6182e 3c60c052
        386309ac 90c10008 4cc63182 4826b845 <0fe00000> 4bfffa60 3c80c052 388402c4
        ---[ end trace 695ae6d7ac1d0c47 ]---
        Mapped at:
         [<c02e22a8>] gfar_alloc_rx_buffs+0x178/0x248
         [<c02e3ef0>] startup_gfar+0x368/0x570
         [<c036aeb4>] __dev_open+0xdc/0x150
         [<c036b1b8>] __dev_change_flags+0xa0/0x174
         [<c036b2ac>] dev_change_flags+0x20/0x60
      
      Even though the issue was discovered in 4.9 kernel, the code in question
      is identical in the current net and net-next trees.
      
      Fixes: 75354148 ("gianfar: Add paged allocation and Rx S/G")
      Signed-off-by: NArseny Solokha <asolokha@kb.kras.ru>
      Acked-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4af0e5bb
  5. 30 1月, 2017 1 次提交