1. 08 4月, 2019 2 次提交
    • N
      rhashtable: allow rht_bucket_var to return NULL. · ff302db9
      NeilBrown 提交于
      Rather than returning a pointer to a static nulls, rht_bucket_var()
      now returns NULL if the bucket doesn't exist.
      This will make the next patch, which stores a bitlock in the
      bucket pointer, somewhat cleaner.
      
      This change involves introducing __rht_bucket_nested() which is
      like rht_bucket_nested(), but doesn't provide the static nulls,
      and changing rht_bucket_nested() to call this and possible
      provide a static nulls - as is still needed for the non-var case.
      Signed-off-by: NNeilBrown <neilb@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ff302db9
    • N
      rhashtable: use cmpxchg() in nested_table_alloc() · 7a41c294
      NeilBrown 提交于
      nested_table_alloc() relies on the fact that there is
      at most one spinlock allocated for every slot in the top
      level nested table, so it is not possible for two threads
      to try to allocate the same table at the same time.
      
      This assumption is a little fragile (it is not explicit) and is
      unnecessary as cmpxchg() can be used instead.
      
      A future patch will replace the spinlocks by per-bucket bitlocks,
      and then we won't be able to protect the slot pointer with a spinlock.
      
      So replace rcu_assign_pointer() with cmpxchg() - which has equivalent
      barrier properties.
      If it the cmp fails, free the table that was just allocated.
      Signed-off-by: NNeilBrown <neilb@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7a41c294
  2. 07 4月, 2019 29 次提交
  3. 06 4月, 2019 2 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f83f7151
      David S. Miller 提交于
      Minor comment merge conflict in mlx5.
      
      Staging driver has a fixup due to the skb->xmit_more changes
      in 'net-next', but was removed in 'net'.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f83f7151
    • L
      Merge tag 'mm-compaction-5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mel/linux · 7f46774c
      Linus Torvalds 提交于
      Pull mm/compaction fixes from Mel Gorman:
       "The merge window for 5.1 introduced a number of compaction-related
        patches. with intermittent reports of corruption and functional
        issues. The bugs are due to sloopy checking of zone boundaries and a
        corner case where invalid indexes are used to access the free lists.
      
        Reports are not common but at least two users and 0-day have tripped
        over them. There is a chance that one of the syzbot reports are
        related but it has not been confirmed properly.
      
        The normal submission path is with Andrew but there have been some
        delays and I consider them urgent enough that they should be picked up
        before RC4 to avoid duplicate reports.
      
        All of these have been successfully tested on older RC windows. This
        will make this branch look like a rebase but in fact, they've simply
        been lifted again from Andrew's tree and placed on a fresh branch.
        I've no reason to believe that this has invalidated the testing given
        the lack of change in compaction and the nature of the fixes"
      
      * tag 'mm-compaction-5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mel/linux:
        mm/compaction.c: abort search if isolation fails
        mm/compaction.c: correct zone boundary handling when resetting pageblock skip hints
      7f46774c
  4. 05 4月, 2019 7 次提交
    • G
      tty: mark Siemens R3964 line discipline as BROKEN · c7084edc
      Greg Kroah-Hartman 提交于
      The n_r3964 line discipline driver was written in a different time, when
      SMP machines were rare, and users were trusted to do the right thing.
      Since then, the world has moved on but not this code, it has stayed
      rooted in the past with its lovely hand-crafted list structures and
      loads of "interesting" race conditions all over the place.
      
      After attempting to clean up most of the issues, I just gave up and am
      now marking the driver as BROKEN so that hopefully someone who has this
      hardware will show up out of the woodwork (I know you are out there!)
      and will help with debugging a raft of changes that I had laying around
      for the code, but was too afraid to commit as odds are they would break
      things.
      
      Many thanks to Jann and Linus for pointing out the initial problems in
      this codebase, as well as many reviews of my attempts to fix the issues.
      It was a case of whack-a-mole, and as you can see, the mole won.
      Reported-by: NJann Horn <jannh@google.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c7084edc
    • L
      Merge tag 'drm-fixes-2019-04-05' of git://anongit.freedesktop.org/drm/drm · ea2cec24
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "Pretty quiet week, just some amdgpu and i915 fixes.
      
        i915:
         - deadlock fix
         - gvt fixes
      
        amdgpu:
         - PCIE dpm feature fix
         - Powerplay fixes"
      
      * tag 'drm-fixes-2019-04-05' of git://anongit.freedesktop.org/drm/drm:
        drm/i915/gvt: Fix kerneldoc typo for intel_vgpu_emulate_hotplug
        drm/i915/gvt: Correct the calculation of plane size
        drm/amdgpu: remove unnecessary rlc reset function on gfx9
        drm/i915: Always backoff after a drm_modeset_lock() deadlock
        drm/i915/gvt: do not let pin count of shadow mm go negative
        drm/i915/gvt: do not deliver a workload if its creation fails
        drm/amd/display: VBIOS can't be light up HDMI when restart system
        drm/amd/powerplay: fix possible hang with 3+ 4K monitors
        drm/amd/powerplay: correct data type to avoid overflow
        drm/amd/powerplay: add ECC feature bit
        drm/amd/amdgpu: fix PCIe dpm feature issue (v3)
      ea2cec24
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0548740e
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Several hash table refcount fixes in batman-adv, from Sven
          Eckelmann.
      
       2) Use after free in bpf_evict_inode(), from Daniel Borkmann.
      
       3) Fix mdio bus registration in ixgbe, from Ivan Vecera.
      
       4) Unbounded loop in __skb_try_recv_datagram(), from Paolo Abeni.
      
       5) ila rhashtable corruption fix from Herbert Xu.
      
       6) Don't allow upper-devices to be added to vrf devices, from Sabrina
          Dubroca.
      
       7) Add qmi_wwan device ID for Olicard 600, from Bjørn Mork.
      
       8) Don't leave skb->next poisoned in __netif_receive_skb_list_ptype,
          from Alexander Lobakin.
      
       9) Missing IDR checks in mlx5 driver, from Aditya Pakki.
      
      10) Fix false connection termination in ktls, from Jakub Kicinski.
      
      11) Work around some ASPM issues with r8169 by disabling rx interrupt
          coalescing on certain chips. From Heiner Kallweit.
      
      12) Properly use per-cpu qstat values on NOLOCK qdiscs, from Paolo
          Abeni.
      
      13) Fully initialize sockaddr_in structures in SCTP, from Xin Long.
      
      14) Various BPF flow dissector fixes from Stanislav Fomichev.
      
      15) Divide by zero in act_sample, from Davide Caratti.
      
      16) Fix bridging multicast regression introduced by rhashtable
          conversion, from Nikolay Aleksandrov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (106 commits)
        ibmvnic: Fix completion structure initialization
        ipv6: sit: reset ip header pointer in ipip6_rcv
        net: bridge: always clear mcast matching struct on reports and leaves
        libcxgb: fix incorrect ppmax calculation
        vlan: conditional inclusion of FCoE hooks to match netdevice.h and bnx2x
        sch_cake: Make sure we can write the IP header before changing DSCP bits
        sch_cake: Use tc_skb_protocol() helper for getting packet protocol
        tcp: Ensure DCTCP reacts to losses
        net/sched: act_sample: fix divide by zero in the traffic path
        net: thunderx: fix NULL pointer dereference in nicvf_open/nicvf_stop
        net: hns: Fix sparse: some warnings in HNS drivers
        net: hns: Fix WARNING when remove HNS driver with SMMU enabled
        net: hns: fix ICMP6 neighbor solicitation messages discard problem
        net: hns: Fix probabilistic memory overwrite when HNS driver initialized
        net: hns: Use NAPI_POLL_WEIGHT for hns driver
        net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()
        flow_dissector: rst'ify documentation
        ipv6: Fix dangling pointer when ipv6 fragment
        net-gro: Fix GRO flush when receiving a GSO packet.
        flow_dissector: document BPF flow dissector environment
        ...
      0548740e
    • T
      ibmvnic: Fix completion structure initialization · bbd669a8
      Thomas Falcon 提交于
      Fix device initialization completion handling for vNIC adapters.
      Initialize the completion structure on probe and reinitialize when needed.
      This also fixes a race condition during kdump where the driver can attempt
      to access the completion struct before it is initialized:
      
      Unable to handle kernel paging request for data at address 0x00000000
      Faulting instruction address: 0xc0000000081acbe0
      Oops: Kernel access of bad area, sig: 11 [#1]
      LE SMP NR_CPUS=2048 NUMA pSeries
      Modules linked in: ibmvnic(+) ibmveth sunrpc overlay squashfs loop
      CPU: 19 PID: 301 Comm: systemd-udevd Not tainted 4.18.0-64.el8.ppc64le #1
      NIP:  c0000000081acbe0 LR: c0000000081ad964 CTR: c0000000081ad900
      REGS: c000000027f3f990 TRAP: 0300   Not tainted  (4.18.0-64.el8.ppc64le)
      MSR:  800000010280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE,TM[E]> CR: 28228288  XER: 00000006
      CFAR: c000000008008934 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1
      GPR00: c0000000081ad964 c000000027f3fc10 c0000000095b5800 c0000000221b4e58
      GPR04: 0000000000000003 0000000000000001 000049a086918581 00000000000000d4
      GPR08: 0000000000000007 0000000000000000 ffffffffffffffe8 d0000000014dde28
      GPR12: c0000000081ad900 c000000009a00c00 0000000000000001 0000000000000100
      GPR16: 0000000000000038 0000000000000007 c0000000095e2230 0000000000000006
      GPR20: 0000000000400140 0000000000000001 c00000000910c880 0000000000000000
      GPR24: 0000000000000000 0000000000000006 0000000000000000 0000000000000003
      GPR28: 0000000000000001 0000000000000001 c0000000221b4e60 c0000000221b4e58
      NIP [c0000000081acbe0] __wake_up_locked+0x50/0x100
      LR [c0000000081ad964] complete+0x64/0xa0
      Call Trace:
      [c000000027f3fc10] [c000000027f3fc60] 0xc000000027f3fc60 (unreliable)
      [c000000027f3fc60] [c0000000081ad964] complete+0x64/0xa0
      [c000000027f3fca0] [d0000000014dad58] ibmvnic_handle_crq+0xce0/0x1160 [ibmvnic]
      [c000000027f3fd50] [d0000000014db270] ibmvnic_tasklet+0x98/0x130 [ibmvnic]
      [c000000027f3fda0] [c00000000813f334] tasklet_action_common.isra.3+0xc4/0x1a0
      [c000000027f3fe00] [c000000008cd13f4] __do_softirq+0x164/0x400
      [c000000027f3fef0] [c00000000813ed64] irq_exit+0x184/0x1c0
      [c000000027f3ff20] [c0000000080188e8] __do_irq+0xb8/0x210
      [c000000027f3ff90] [c00000000802d0a4] call_do_irq+0x14/0x24
      [c000000026a5b010] [c000000008018adc] do_IRQ+0x9c/0x130
      [c000000026a5b060] [c000000008008ce4] hardware_interrupt_common+0x114/0x120
      Signed-off-by: NThomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bbd669a8
    • L
      ipv6: sit: reset ip header pointer in ipip6_rcv · bb9bd814
      Lorenzo Bianconi 提交于
      ipip6 tunnels run iptunnel_pull_header on received skbs. This can
      determine the following use-after-free accessing iph pointer since
      the packet will be 'uncloned' running pskb_expand_head if it is a
      cloned gso skb (e.g if the packet has been sent though a veth device)
      
      [  706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
      [  706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
      [  706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
      [  706.771839] Call trace:
      [  706.801159]  dump_backtrace+0x0/0x2f8
      [  706.845079]  show_stack+0x24/0x30
      [  706.884833]  dump_stack+0xe0/0x11c
      [  706.925629]  print_address_description+0x68/0x260
      [  706.982070]  kasan_report+0x178/0x340
      [  707.025995]  __asan_report_load1_noabort+0x30/0x40
      [  707.083481]  ipip6_rcv+0x1678/0x16e0 [sit]
      [  707.132623]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  707.185940]  ip_local_deliver_finish+0x3b8/0x988
      [  707.241338]  ip_local_deliver+0x144/0x470
      [  707.289436]  ip_rcv_finish+0x43c/0x14b0
      [  707.335447]  ip_rcv+0x628/0x1138
      [  707.374151]  __netif_receive_skb_core+0x1670/0x2600
      [  707.432680]  __netif_receive_skb+0x28/0x190
      [  707.482859]  process_backlog+0x1d0/0x610
      [  707.529913]  net_rx_action+0x37c/0xf68
      [  707.574882]  __do_softirq+0x288/0x1018
      [  707.619852]  run_ksoftirqd+0x70/0xa8
      [  707.662734]  smpboot_thread_fn+0x3a4/0x9e8
      [  707.711875]  kthread+0x2c8/0x350
      [  707.750583]  ret_from_fork+0x10/0x18
      
      [  707.811302] Allocated by task 16982:
      [  707.854182]  kasan_kmalloc.part.1+0x40/0x108
      [  707.905405]  kasan_kmalloc+0xb4/0xc8
      [  707.948291]  kasan_slab_alloc+0x14/0x20
      [  707.994309]  __kmalloc_node_track_caller+0x158/0x5e0
      [  708.053902]  __kmalloc_reserve.isra.8+0x54/0xe0
      [  708.108280]  __alloc_skb+0xd8/0x400
      [  708.150139]  sk_stream_alloc_skb+0xa4/0x638
      [  708.200346]  tcp_sendmsg_locked+0x818/0x2b90
      [  708.251581]  tcp_sendmsg+0x40/0x60
      [  708.292376]  inet_sendmsg+0xf0/0x520
      [  708.335259]  sock_sendmsg+0xac/0xf8
      [  708.377096]  sock_write_iter+0x1c0/0x2c0
      [  708.424154]  new_sync_write+0x358/0x4a8
      [  708.470162]  __vfs_write+0xc4/0xf8
      [  708.510950]  vfs_write+0x12c/0x3d0
      [  708.551739]  ksys_write+0xcc/0x178
      [  708.592533]  __arm64_sys_write+0x70/0xa0
      [  708.639593]  el0_svc_handler+0x13c/0x298
      [  708.686646]  el0_svc+0x8/0xc
      
      [  708.739019] Freed by task 17:
      [  708.774597]  __kasan_slab_free+0x114/0x228
      [  708.823736]  kasan_slab_free+0x10/0x18
      [  708.868703]  kfree+0x100/0x3d8
      [  708.905320]  skb_free_head+0x7c/0x98
      [  708.948204]  skb_release_data+0x320/0x490
      [  708.996301]  pskb_expand_head+0x60c/0x970
      [  709.044399]  __iptunnel_pull_header+0x3b8/0x5d0
      [  709.098770]  ipip6_rcv+0x41c/0x16e0 [sit]
      [  709.146873]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  709.200195]  ip_local_deliver_finish+0x3b8/0x988
      [  709.255596]  ip_local_deliver+0x144/0x470
      [  709.303692]  ip_rcv_finish+0x43c/0x14b0
      [  709.349705]  ip_rcv+0x628/0x1138
      [  709.388413]  __netif_receive_skb_core+0x1670/0x2600
      [  709.446943]  __netif_receive_skb+0x28/0x190
      [  709.497120]  process_backlog+0x1d0/0x610
      [  709.544169]  net_rx_action+0x37c/0xf68
      [  709.589131]  __do_softirq+0x288/0x1018
      
      [  709.651938] The buggy address belongs to the object at ffffe01b6bd85580
                      which belongs to the cache kmalloc-1024 of size 1024
      [  709.804356] The buggy address is located 117 bytes inside of
                      1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
      [  709.946340] The buggy address belongs to the page:
      [  710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
      [  710.099914] flags: 0xfffff8000000100(slab)
      [  710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
      [  710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
      [  710.334966] page dumped because: kasan: bad access detected
      
      Fix it resetting iph pointer after iptunnel_pull_header
      
      Fixes: a09a4c8d ("tunnels: Remove encapsulation offloads on decap")
      Tested-by: NJianlin Shi <jishi@redhat.com>
      Signed-off-by: NLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bb9bd814
    • D
      Merge branch 'tipc-improve-TIPC-unicast-link-throughput' · 8f4043f1
      David S. Miller 提交于
      Tuong Lien says:
      
      ====================
      tipc: improve TIPC unicast link throughput
      
      The series introduces an algorithm to improve TIPC throughput especially
      in terms of packet loss, also tries to reduce packet duplication due to
      overactive NACK sending mechanism.
      
      The link failover situation is also covered by the patches.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8f4043f1
    • T
      tipc: adapt link failover for new Gap-ACK algorithm · 58ee86b8
      Tuong Lien 提交于
      In commit 0ae955e2656d ("tipc: improve TIPC throughput by Gap ACK
      blocks"), we enhance the link transmq by releasing as many packets as
      possible with the multi-ACKs from peer node. This also means the queue
      is now non-linear and the peer link deferdq becomes vital.
      
      Whereas, in the case of link failover, all messages in the link transmq
      need to be transmitted as tunnel messages in such a way that message
      sequentiality and cardinality per sender is preserved. This requires us
      to maintain the link deferdq somehow, so that when the tunnel messages
      arrive, the inner user messages along with the ones in the deferdq will
      be delivered to upper layer correctly.
      
      The commit accomplishes this by defining a new queue in the TIPC link
      structure to hold the old link deferdq when link failover happens and
      process it upon receipt of tunnel messages.
      
      Also, in the case of link syncing, the link deferdq will not be purged
      to avoid unnecessary retransmissions that in the worst case will fail
      because the packets might have been freed on the sending side.
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      58ee86b8