1. 08 5月, 2017 5 次提交
  2. 05 5月, 2017 12 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4ac4d584
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) The wireless rate info fix from Johannes Berg.
      
       2) When a RAW socket is in hdrincl mode, we need to make sure that the
          user provided at least a minimally sized ipv4/ipv6 header. Fix from
          Alexander Potapenko.
      
       3) We must emit IFLA_PHYS_PORT_NAME netlink attributes using
          nla_put_string() so that it is NULL terminated.
      
       4) Fix a bug in TCP fastopen handling, wherein child sockets
          erroneously inherit the fastopen_req from the parent, and later can
          end up derefencing freed memory or doing a double free. From Eric
          Dumazet.
      
       5) Don't clear out netdev stats at close time in tg3 driver, from
          YueHaibing.
      
       6) Fix refcount leak in xt_CT, from Gao Feng.
      
       7) In nft_set_bitmap() don't leak dummy elements, from Liping Zhang.
      
       8) Fix deadlock due to taking the expectation lock twice, also from
          Liping Zhang.
      
       9) Make xt_socket work again with ipv6, from Peter Tirsek.
      
      10) Don't allow IPV6 to be used with IPVS if ipv6.disable=1, from Paolo
          Abeni.
      
      11) Make the BPF loader more flexible wrt. changes to the bpf MAP entry
          layout. From Jesper Dangaard Brouer.
      
      12) Fix ethtool reported device name in aquantia driver, from Pavel
          Belous.
      
      13) Fix build failures due to the compile time size test not working in
          netfilter conntrack. From Geert Uytterhoeven.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
        cfg80211: make RATE_INFO_BW_20 the default
        ipv6: initialize route null entry in addrconf_init()
        qede: Fix possible misconfiguration of advertised autoneg value.
        qed: Fix overriding of supported autoneg value.
        qed*: Fix possible overflow for status block id field.
        rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string
        netvsc: make sure napi enabled before vmbus_open
        aquantia: Fix driver name reported by ethtool
        ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
        net/sched: remove redundant null check on head
        tcp: do not inherit fastopen_req from parent
        forcedeth: remove unnecessary carrier status check
        ibmvnic: Move queue restarting in ibmvnic_tx_complete
        ibmvnic: Record SKB RX queue during poll
        ibmvnic: Continue skb processing after skb completion error
        ibmvnic: Check for driver reset first in ibmvnic_xmit
        ibmvnic: Wait for any pending scrqs entries at driver close
        ibmvnic: Clean up tx pools when closing
        ibmvnic: Whitespace correction in release_rx_pools
        ibmvnic: Delete napi's when releasing driver resources
        ...
      4ac4d584
    • L
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 8d5e72df
      Linus Torvalds 提交于
      Pull SCSI updates from James Bottomley:
       "This update includes the usual round of major driver updates
        (hisi_sas, ufs, fnic, cxlflash, be2iscsi, ipr, stex). There's also the
        usual amount of cosmetic and spelling stuff"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (155 commits)
        scsi: qla4xxx: fix spelling mistake: "Tempalate" -> "Template"
        scsi: stex: make S6flag static
        scsi: mac_esp: fix to pass correct device identity to free_irq()
        scsi: aacraid: pci_alloc_consistent() failures on ARM64
        scsi: ufs: make ufshcd_get_lists_status() register operation obvious
        scsi: ufs: use MASK_EE_STATUS
        scsi: mac_esp: Replace bogus memory barrier with spinlock
        scsi: fcoe: make fcoe_e_d_tov and fcoe_r_a_tov static
        scsi: sd_zbc: Do not write lock zones for reset
        scsi: sd_zbc: Remove superfluous assignments
        scsi: sd: sd_zbc: Rename sd_zbc_setup_write_cmnd
        scsi: Improve scsi_get_sense_info_fld
        scsi: sd: Cleanup sd_done sense data handling
        scsi: sd: Improve sd_completed_bytes
        scsi: sd: Fix function descriptions
        scsi: mpt3sas: remove redundant wmb
        scsi: mpt: Move scsi_remove_host() out of mptscsih_remove_host()
        scsi: sg: reset 'res_in_use' after unlinking reserved array
        scsi: mvumi: remove code handling zero scsi_sg_count(scmd) case
        scsi: fusion: fix spelling mistake: "Persistancy" -> "Persistency"
        ...
      8d5e72df
    • L
      Merge tag 'gpio-v4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 2bd80401
      Linus Torvalds 提交于
      Pull GPIO updates from Linus Walleij:
       "This is the bulk of GPIO changes for the v4.12 kernel cycle.
      
        Core changes:
      
         - Return NULL from gpiod_get_optional() when GPIOLIB is disabled.
           This was a much discussed change. It affects use cases where people
           write drivers that might or might not be using GPIO resources. I
           have decided that this is the lesser evil right now.
      
         - Make gpiod_count() behave consistently across different hardware
           descriptions.
      
         - Fix the syntax around open drain/open source to not infer active
           high/low semantics.
      
        New drivers:
      
         - A new single-register fixed-direction framework driver for hardware
           that have lines controlled by a single register that just work in
           one direction (out or in), including IRQ support.
      
         - Support the Fintek F71889A GPIO SuperIO controller.
      
         - Support the National NI 169445 MMIO GPIO.
      
         - Support for the X-Gene derivative of the DWC GPIO controller
      
         - Support for the Rohm BD9571MWV-M PMIC GPIO controller.
      
         - Refactor the Gemini GPIO driver to a generic Faraday FTGPIO driver
           and replace both the Gemini and the Moxa ART custom drivers with
           this driver.
      
        Driver improvements:
      
         - A whole slew of drivers have their spinlocks chaned to raw
           spinlocks as they provide irqchips, and thus we are progressing on
           realtime compliance.
      
         - Use devm_irq_alloc_descs() in a slew of drivers, getting managed
           resources.
      
         - Support for the embedded PWM controller inside the MVEBU driver.
      
         - Debounce, open source and open drain support for the Aspeed driver.
      
         - Misc smaller fixes like spelling and syntax and whatnot"
      
      * tag 'gpio-v4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: (77 commits)
        gpio: f7188x: Add a missing break
        gpio: omap: return error if requested debounce time is not possible
        gpio: Add ROHM BD9571MWV-M PMIC GPIO driver
        gpio: gpio-wcove: fix GPIO IRQ status mask
        gpio: DT bindings, move tca9554 from pcf857x to pca953x
        gpio: move tca9554 from pcf857x to pca953x
        gpio: arizona: Correct check whether the pin is an input
        gpio: Add XRA1403 DTS binding documentation
        dt-bindings: add exar to vendor prefixes list
        gpio: gpio-wcove: fix irq pending status bit width
        gpio: dwapb: use dwapb_read instead of readl_relaxed
        gpio: aspeed: Add open-source and open-drain support
        gpio: aspeed: Add debounce support
        gpio: aspeed: dt: Add optional clocks property
        gpio: aspeed: dt: Fix description alignment in bindings document
        gpio: mvebu: Add limited PWM support
        gpio: Use unsigned int for interrupt numbers
        gpio: f7188x: Add F71889A GPIO support.
        gpio: core: Decouple open drain/source flag with active low/high
        gpio: arizona: Correct handling for reading input GPIOs
        ...
      2bd80401
    • L
      Merge tag 'platform-drivers-x86-v4.12-1' of git://git.infradead.org/linux-platform-drivers-x86 · 99a7583d
      Linus Torvalds 提交于
      Pull x86 platform-drivers update from Darren Hart:
       "This represents a significantly larger and more complex set of changes
        than those of prior merge windows.
      
        In particular, we had several changes with dependencies on other
        subsystems which we felt were best managed through merges of immutable
        branches, including one each from input, i2c, and leds. Two patches
        for the watchdog subsystem are included after discussion with Wim and
        Guenter following a collision in linux-next (this should be resolved
        and you should only see these two appear in this pull request). These
        are called out in the "External" section below.
      
        Summary of changes:
         - significant further cleanup of fujitsu-laptop and hp-wmi
         - new model support for ideapad, asus, silead, and xiaomi
         - new hotkeys for thinkpad and models using intel-vbtn
         - dell keyboard backlight improvements
         - build and dependency improvements
         - intel * ipc fixes, cleanups, and api updates
         - single isolated fixes noted below
      
        External:
         - watchdog: iTCO_wdt: Add PMC specific noreboot update api
         - watchdog: iTCO_wdt: cleanup set/unset no_reboot_bit functions
         - Merge branch 'ib/4.10-sparse-keymap-managed'
         - Merge branch 'i2c/for-INT33FE'
         - Merge branch 'linux-leds/dell-laptop-changes-for-4.12'
      
        platform/x86:
         - Add Intel Cherry Trail ACPI INT33FE device driver
         - remove sparse_keymap_free() calls
         - Make SILEAD_DMI depend on TOUCHSCREEN_SILEAD
      
        asus-wmi:
         - try to set als by default
         - fix cpufv sysfs file permission
      
        acer-wmi:
         - setup accelerometer when ACPI device was found
      
        ideapad-laptop:
         - Add IdeaPad V310-15ISK to no_hw_rfkill
         - Add IdeaPad 310-15IKB to no_hw_rfkill
      
        intel_pmc_ipc:
         - use gcr mem base for S0ix counter read
         - Fix iTCO_wdt GCS memory mapping failure
         - Add pmc gcr read/write/update api's
         - fix gcr offset
      
        dell-laptop:
         - Add keyboard backlight timeout AC settings
         - Handle return error form dell_get_intensity.
         - Protect kbd_state against races
         - Refactor kbd_led_triggers_store()
      
        hp-wireless:
         - reuse module_acpi_driver
         - add Xiaomi's hardware id to the supported list
      
        intel-vbtn:
         - add volume up and down
      
        INT33FE:
         - add i2c dependency
      
        hp-wmi:
         - Cleanup exit paths
         - Do not shadow errors in sysfs show functions
         - Use DEVICE_ATTR_(RO|RW) helper macros
         - Refactor dock and tablet state fetchers
         - Cleanup wireless get_(hw|sw)state functions
         - Refactor redundant HPWMI_READ functions
         - Standardize enum usage for constants
         - Cleanup local variable declarations
         - Do not shadow error values
         - Fix detection for dock and tablet mode
         - Fix error value for hp_wmi_tablet_state
      
        fujitsu-laptop:
         - simplify error handling in acpi_fujitsu_laptop_add()
         - do not log LED registration failures
         - switch to managed LED class devices
         - reorganize LED-related code
         - refactor LED registration
         - select LEDS_CLASS
         - remove redundant fields from struct fujitsu_bl
         - account for backlight power when determining brightness
         - do not log set_lcd_level() failures in bl_update_status()
         - ignore errors when setting backlight power
         - make disable_brightness_adjust a boolean
         - clean up use_alt_lcd_levels handling
         - sync brightness in set_lcd_level()
         - simplify set_lcd_level()
         - merge set_lcd_level_alt() into set_lcd_level()
         - switch to a managed backlight device
         - only handle backlight when appropriate
         - update debug message logged by call_fext_func()
         - rename call_fext_func() arguments
         - simplify call_fext_func()
         - clean up local variables in call_fext_func()
         - remove keycode fields from struct fujitsu_bl
         - model-dependent sparse keymap overrides
         - use a sparse keymap for hotkey event generation
         - switch to a managed hotkey input device
         - refactor hotkey input device setup
         - use a sparse keymap for brightness key events
         - switch to a managed backlight input device
         - refactor backlight input device setup
         - remove pf_device field from struct fujitsu_bl
         - only register platform device if FUJ02E3 is present
         - add and remove platform device in separate functions
         - simplify platform device attribute definitions
         - remove backlight-related attributes from the platform device
         - cleanup error labels in fujitsu_init()
         - only register backlight device if FUJ02B1 is present
         - sync backlight power status in acpi_fujitsu_laptop_add()
         - register backlight device in a separate function
         - simplify brightness key event generation logic
         - decrease indentation in acpi_fujitsu_bl_notify()
      
        intel-hid:
         - Add missing ->thaw callback
         - do not set parents of input devices explicitly
         - remove redundant set_bit() call
         - use devm_input_allocate_device() for HID events input device
         - make intel_hid_set_enable() take a boolean argument
         - simplify enabling/disabling HID events
      
        silead_dmi:
         - Add touchscreen info for Surftab Wintron 7.0
         - Abort early if DMI does not match
         - Do not treat all devices as i2c_clients
         - Add entry for Insyde 7W tablets
         - Constify properties arrays
      
        intel_scu_ipc:
         - Introduce intel_scu_ipc_raw_command()
         - Introduce SCU_DEVICE() macro
         - Remove redundant subarch check
         - Rearrange init sequence
         - Platform data is mandatory
      
        asus-nb-wmi:
         - Add wapf4 quirk for the X302UA
      
        dell-*:
         - Call new led hw_changed API on kbd brightness change
         - Add a generic dell-laptop notifier chain
      
        eeepc-laptop:
         - Skip unknown key messages 0x50 0x51
      
        thinkpad_acpi:
         - add mapping for new hotkeys
         - guard generic hotkey case"
      
      * tag 'platform-drivers-x86-v4.12-1' of git://git.infradead.org/linux-platform-drivers-x86: (108 commits)
        platform/x86: Make SILEAD_DMI depend on TOUCHSCREEN_SILEAD
        platform/x86: asus-wmi: try to set als by default
        platform/x86: asus-wmi: fix cpufv sysfs file permission
        platform/x86: acer-wmi: setup accelerometer when ACPI device was found
        platform/x86: ideapad-laptop: Add IdeaPad V310-15ISK to no_hw_rfkill
        platform/x86: intel_pmc_ipc: use gcr mem base for S0ix counter read
        platform/x86: intel_pmc_ipc: Fix iTCO_wdt GCS memory mapping failure
        watchdog: iTCO_wdt: Add PMC specific noreboot update api
        watchdog: iTCO_wdt: cleanup set/unset no_reboot_bit functions
        platform/x86: intel_pmc_ipc: Add pmc gcr read/write/update api's
        platform/x86: intel_pmc_ipc: fix gcr offset
        platform/x86: dell-laptop: Add keyboard backlight timeout AC settings
        platform/x86: dell-laptop: Handle return error form dell_get_intensity.
        platform/x86: hp-wireless: reuse module_acpi_driver
        platform/x86: intel-vbtn: add volume up and down
        platform/x86: INT33FE: add i2c dependency
        platform/x86: hp-wmi: Cleanup exit paths
        platform/x86: hp-wmi: Do not shadow errors in sysfs show functions
        platform/x86: hp-wmi: Use DEVICE_ATTR_(RO|RW) helper macros
        platform/x86: hp-wmi: Refactor dock and tablet state fetchers
        ...
      99a7583d
    • L
      Merge tag 'vfio-v4.12-rc1' of git://github.com/awilliam/linux-vfio · c336bf8e
      Linus Torvalds 提交于
      Pull VFIO updates from Alex Williamson:
      
       - Updates for SPAPR IOMMU backend including compatibility test and
         memory allocation check (Alexey Kardashevskiy)
      
       - Updates for type1 IOMMU backend to remove asynchronous locked page
         accounting and remove redundancy (Alex Williamson)
      
      * tag 'vfio-v4.12-rc1' of git://github.com/awilliam/linux-vfio:
        vfio/type1: Reduce repetitive calls in vfio_pin_pages_remote()
        vfio/type1: Prune vfio_pin_page_external()
        vfio/type1: Remove locked page accounting workqueue
        vfio/spapr_tce: Check kzalloc() return when preregistering memory
        vfio/powerpc/spapr_tce: Enforce IOMMU type compatibility check
      c336bf8e
    • L
      Merge tag 'for-linus-4.12b-rc0b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · a9648072
      Linus Torvalds 提交于
      Pull xen updates from Juergen Gross:
       "Xen fixes and featrues for 4.12. The main changes are:
      
         - enable building the kernel with Xen support but without enabling
           paravirtualized mode (Vitaly Kuznetsov)
      
         - add a new 9pfs xen frontend driver (Stefano Stabellini)
      
         - simplify Xen's cpuid handling by making use of cpu capabilities
           (Juergen Gross)
      
         - add/modify some headers for new Xen paravirtualized devices
           (Oleksandr Andrushchenko)
      
         - EFI reset_system support under Xen (Julien Grall)
      
         - and the usual cleanups and corrections"
      
      * tag 'for-linus-4.12b-rc0b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: (57 commits)
        xen: Move xen_have_vector_callback definition to enlighten.c
        xen: Implement EFI reset_system callback
        arm/xen: Consolidate calls to shutdown hypercall in a single helper
        xen: Export xen_reboot
        xen/x86: Call xen_smp_intr_init_pv() on BSP
        xen: Revert commits da72ff5b and 72a9b186
        xen/pvh: Do not fill kernel's e820 map in init_pvh_bootparams()
        xen/scsifront: use offset_in_page() macro
        xen/arm,arm64: rename __generic_dma_ops to xen_get_dma_ops
        xen/arm,arm64: fix xen_dma_ops after 815dd187 "Consolidate get_dma_ops..."
        xen/9pfs: select CONFIG_XEN_XENBUS_FRONTEND
        x86/cpu: remove hypervisor specific set_cpu_features
        vmware: set cpu capabilities during platform initialization
        x86/xen: use capabilities instead of fake cpuid values for xsave
        x86/xen: use capabilities instead of fake cpuid values for x2apic
        x86/xen: use capabilities instead of fake cpuid values for mwait
        x86/xen: use capabilities instead of fake cpuid values for acpi
        x86/xen: use capabilities instead of fake cpuid values for acc
        x86/xen: use capabilities instead of fake cpuid values for mtrr
        x86/xen: use capabilities instead of fake cpuid values for aperf
        ...
      a9648072
    • J
      cfg80211: make RATE_INFO_BW_20 the default · 842be75c
      Johannes Berg 提交于
      Due to the way I did the RX bitrate conversions in mac80211 with
      spatch, going setting flags to setting the value, many drivers now
      don't set the bandwidth value for 20 MHz, since with the flags it
      wasn't necessary to (there was no 20 MHz flag, only the others.)
      
      Rather than go through and try to fix up all the drivers, instead
      renumber the enum so that 20 MHz, which is the typical bandwidth,
      actually has the value 0, making those drivers all work again.
      
      If VHT was hit used with a driver not reporting it, e.g. iwlmvm,
      this manifested in hitting the bandwidth warning in
      cfg80211_calculate_bitrate_vht().
      Reported-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Tested-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      842be75c
    • W
      ipv6: initialize route null entry in addrconf_init() · 2f460933
      WANG Cong 提交于
      Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev
      since it is always NULL.
      
      This is clearly wrong, we have code to initialize it to loopback_dev,
      unfortunately the order is still not correct.
      
      loopback_dev is registered very early during boot, we lose a chance
      to re-initialize it in notifier. addrconf_init() is called after
      ip6_route_init(), which means we have no chance to correct it.
      
      Fix it by moving this initialization explicitly after
      ipv6_add_dev(init_net.loopback_dev) in addrconf_init().
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2f460933
    • D
      Merge branch 'qed-fixes' · 15981952
      David S. Miller 提交于
      Sudarsana Reddy Kalluru says:
      
      ====================
      qed*: Bug fix series.
      
      The series contains minor bug fixes for qed/qede drivers.
      
      Please consider applying it to 'net' branch.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      15981952
    • S
      qede: Fix possible misconfiguration of advertised autoneg value. · 161adb04
      sudarsana.kalluru@cavium.com 提交于
      Fail the configuration of advertised speed-autoneg value if the config
      update is not supported.
      Signed-off-by: NSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: NYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      161adb04
    • S
      qed: Fix overriding of supported autoneg value. · 34f9199c
      sudarsana.kalluru@cavium.com 提交于
      Driver currently uses advertised-autoneg value to populate the
      supported-autoneg field. When advertised field is updated, user gets
      the same value for supported field. Supported-autoneg value need to be
      populated from the link capabilities value returned by the MFW.
      Signed-off-by: NSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: NYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      34f9199c
    • S
      qed*: Fix possible overflow for status block id field. · f870a3c6
      sudarsana.kalluru@cavium.com 提交于
      Value for status block id could be more than 256 in 100G mode, need to
      update its data type from u8 to u16.
      Signed-off-by: NSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: NYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f870a3c6
  3. 04 5月, 2017 23 次提交
    • M
      rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string · 77ef033b
      Michal Schmidt 提交于
      IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0.
      Otherwise libnl3 fails to validate netlink messages with this attribute.
      "ip -detail a" assumes too that the attribute is NUL-terminated when
      printing it. It often was, due to padding.
      
      I noticed this as libvirtd failing to start on a system with sfc driver
      after upgrading it to Linux 4.11, i.e. when sfc added support for
      phys_port_name.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      77ef033b
    • S
      netvsc: make sure napi enabled before vmbus_open · 2be0f264
      stephen hemminger 提交于
      This fixes a race where vmbus callback for new packet arriving
      could occur before NAPI is initialized.
      Signed-off-by: NStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2be0f264
    • P
      aquantia: Fix driver name reported by ethtool · 5900eca1
      Pavel Belous 提交于
      V2: using "aquantia" subsystem tag.
      
      The command "ethtool -i ethX" should display driver name (driver: atlantic)
      instead vendor name (driver: aquantia).
      Signed-off-by: NPavel Belous <pavel.belous@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5900eca1
    • A
      ipv4, ipv6: ensure raw socket message is big enough to hold an IP header · 86f4c90a
      Alexander Potapenko 提交于
      raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
      from the userspace contains the IPv4/IPv6 header, so if too few bytes are
      copied, parts of the header may remain uninitialized.
      
      This bug has been detected with KMSAN.
      
      For the record, the KMSAN report:
      
      ==================================================================
      BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
      inter: 0
      CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16
       dump_stack+0x143/0x1b0 lib/dump_stack.c:52
       kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
       __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
       nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
       ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
       nf_hook_entry_hookfn ./include/linux/netfilter.h:102
       nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
       nf_hook ./include/linux/netfilter.h:212
       NF_HOOK ./include/linux/netfilter.h:255
       rawv6_send_hdrinc net/ipv6/raw.c:673
       rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
       inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633
       sock_sendmsg net/socket.c:643
       SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
       SyS_sendto+0xbc/0xe0 net/socket.c:1664
       do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
       entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
      RIP: 0033:0x436e03
      RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
      origin: 00000000d9400053
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
       kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
       kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
       slab_alloc_node mm/slub.c:2735
       __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
       __kmalloc_reserve net/core/skbuff.c:138
       __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
       alloc_skb ./include/linux/skbuff.h:933
       alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
       sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
       sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
       rawv6_send_hdrinc net/ipv6/raw.c:638
       rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
       inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633
       sock_sendmsg net/socket.c:643
       SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
       SyS_sendto+0xbc/0xe0 net/socket.c:1664
       do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
       return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
      ==================================================================
      
      , triggered by the following syscalls:
        socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
        sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
      
      A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
      instead of a PF_INET6 one.
      Signed-off-by: NAlexander Potapenko <glider@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      86f4c90a
    • C
      net/sched: remove redundant null check on head · 985538ee
      Colin Ian King 提交于
      head is previously null checked and so the 2nd null check on head
      is redundant and therefore can be removed.
      
      Detected by CoverityScan, CID#1399505 ("Logically dead code")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      985538ee
    • E
      tcp: do not inherit fastopen_req from parent · 8b485ce6
      Eric Dumazet 提交于
      Under fuzzer stress, it is possible that a child gets a non NULL
      fastopen_req pointer from its parent at accept() time, when/if parent
      morphs from listener to active session.
      
      We need to make sure this can not happen, by clearing the field after
      socket cloning.
      
      BUG: Double free or freeing an invalid pointer
      Unexpected shadow byte: 0xFB
      CPU: 3 PID: 20933 Comm: syz-executor3 Not tainted 4.11.0+ #306
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
      01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x292/0x395 lib/dump_stack.c:52
       kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
       kasan_report_double_free+0x5c/0x70 mm/kasan/report.c:185
       kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:580
       slab_free_hook mm/slub.c:1357 [inline]
       slab_free_freelist_hook mm/slub.c:1379 [inline]
       slab_free mm/slub.c:2961 [inline]
       kfree+0xe8/0x2b0 mm/slub.c:3882
       tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
       tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
       inet_child_forget+0xb8/0x600 net/ipv4/inet_connection_sock.c:898
       inet_csk_reqsk_queue_add+0x1e7/0x250
      net/ipv4/inet_connection_sock.c:928
       tcp_get_cookie_sock+0x21a/0x510 net/ipv4/syncookies.c:217
       cookie_v4_check+0x1a19/0x28b0 net/ipv4/syncookies.c:384
       tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1384 [inline]
       tcp_v4_do_rcv+0x731/0x940 net/ipv4/tcp_ipv4.c:1421
       tcp_v4_rcv+0x2dc0/0x31c0 net/ipv4/tcp_ipv4.c:1715
       ip_local_deliver_finish+0x4cc/0xc20 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip_local_deliver+0x1ce/0x700 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:492 [inline]
       ip_rcv_finish+0xb1d/0x20b0 net/ipv4/ip_input.c:396
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip_rcv+0xd8c/0x19c0 net/ipv4/ip_input.c:487
       __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4210
       __netif_receive_skb+0x2a/0x1a0 net/core/dev.c:4248
       process_backlog+0xe5/0x6c0 net/core/dev.c:4868
       napi_poll net/core/dev.c:5270 [inline]
       net_rx_action+0xe70/0x18e0 net/core/dev.c:5335
       __do_softirq+0x2fb/0xb99 kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:899
       </IRQ>
       do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
       do_softirq kernel/softirq.c:176 [inline]
       __local_bh_enable_ip+0x1cf/0x1e0 kernel/softirq.c:181
       local_bh_enable include/linux/bottom_half.h:31 [inline]
       rcu_read_unlock_bh include/linux/rcupdate.h:931 [inline]
       ip_finish_output2+0x9ab/0x15e0 net/ipv4/ip_output.c:230
       ip_finish_output+0xa35/0xdf0 net/ipv4/ip_output.c:316
       NF_HOOK_COND include/linux/netfilter.h:246 [inline]
       ip_output+0x1f6/0x7b0 net/ipv4/ip_output.c:404
       dst_output include/net/dst.h:486 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x9a8/0x1a10 net/ipv4/ip_output.c:503
       tcp_transmit_skb+0x1ade/0x3470 net/ipv4/tcp_output.c:1057
       tcp_write_xmit+0x79e/0x55b0 net/ipv4/tcp_output.c:2265
       __tcp_push_pending_frames+0xfa/0x3a0 net/ipv4/tcp_output.c:2450
       tcp_push+0x4ee/0x780 net/ipv4/tcp.c:683
       tcp_sendmsg+0x128d/0x39b0 net/ipv4/tcp.c:1342
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x660/0x810 net/socket.c:1696
       SyS_sendto+0x40/0x50 net/socket.c:1664
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x446059
      RSP: 002b:00007faa6761fb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000446059
      RDX: 0000000000000001 RSI: 0000000020ba3fcd RDI: 0000000000000017
      RBP: 00000000006e40a0 R08: 0000000020ba4ff0 R09: 0000000000000010
      R10: 0000000020000000 R11: 0000000000000282 R12: 0000000000708150
      R13: 0000000000000000 R14: 00007faa676209c0 R15: 00007faa67620700
      Object at ffff88003b5bbcb8, in cache kmalloc-64 size: 64
      Allocated:
      PID = 20909
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
       save_stack+0x43/0xd0 mm/kasan/kasan.c:513
       set_track mm/kasan/kasan.c:525 [inline]
       kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
       kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
       kmalloc include/linux/slab.h:490 [inline]
       kzalloc include/linux/slab.h:663 [inline]
       tcp_sendmsg_fastopen net/ipv4/tcp.c:1094 [inline]
       tcp_sendmsg+0x221a/0x39b0 net/ipv4/tcp.c:1139
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x660/0x810 net/socket.c:1696
       SyS_sendto+0x40/0x50 net/socket.c:1664
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      Freed:
      PID = 20909
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
       save_stack+0x43/0xd0 mm/kasan/kasan.c:513
       set_track mm/kasan/kasan.c:525 [inline]
       kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
       slab_free_hook mm/slub.c:1357 [inline]
       slab_free_freelist_hook mm/slub.c:1379 [inline]
       slab_free mm/slub.c:2961 [inline]
       kfree+0xe8/0x2b0 mm/slub.c:3882
       tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
       tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
       __inet_stream_connect+0x20c/0xf90 net/ipv4/af_inet.c:593
       tcp_sendmsg_fastopen net/ipv4/tcp.c:1111 [inline]
       tcp_sendmsg+0x23a8/0x39b0 net/ipv4/tcp.c:1139
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x660/0x810 net/socket.c:1696
       SyS_sendto+0x40/0x50 net/socket.c:1664
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      Fixes: e994b2f0 ("tcp: do not lock listener to process SYN packets")
      Fixes: 7db92362 ("tcp: fix potential double free issue for fastopen_req")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NWei Wang <weiwan@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8b485ce6
    • Z
      forcedeth: remove unnecessary carrier status check · 5d826b7b
      Zhu Yanjun 提交于
      Since netif_carrier_on() will do nothing if device's
      carrier is already on, so it's unnecessary to do
      carrier status check.
      
      It's the same for netif_carrier_off().
      Signed-off-by: NZhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5d826b7b
    • L
      Merge tag 'modules-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux · a1be8edd
      Linus Torvalds 提交于
      Pull modules updates from Jessica Yu:
      
       - Minor code cleanups
      
       - Fix section alignment for .init_array
      
      * tag 'modules-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
        kallsyms: Use bounded strnchr() when parsing string
        module: Unify the return value type of try_module_get
        module: set .init_array alignment to 8
      a1be8edd
    • L
      Merge tag 'trace-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 4c174688
      Linus Torvalds 提交于
      Pull tracing updates from Steven Rostedt:
       "New features for this release:
      
         - Pretty much a full rewrite of the processing of function plugins.
           i.e. echo do_IRQ:stacktrace > set_ftrace_filter
      
         - The rewrite was needed to add plugins to be unique to tracing
           instances. i.e. mkdir instance/foo; cd instances/foo; echo
           do_IRQ:stacktrace > set_ftrace_filter The old way was written very
           hacky. This removes a lot of those hacks.
      
         - New "function-fork" tracing option. When set, pids in the
           set_ftrace_pid will have their children added when the processes
           with their pids listed in the set_ftrace_pid file forks.
      
         - Exposure of "maxactive" for kretprobe in kprobe_events
      
         - Allow for builtin init functions to be traced by the function
           tracer (via the kernel command line). Module init function tracing
           will come in the next release.
      
         - Added more selftests, and have selftests also test in an instance"
      
      * tag 'trace-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: (60 commits)
        ring-buffer: Return reader page back into existing ring buffer
        selftests: ftrace: Allow some event trigger tests to run in an instance
        selftests: ftrace: Have some basic tests run in a tracing instance too
        selftests: ftrace: Have event tests also run in an tracing instance
        selftests: ftrace: Make func_event_triggers and func_traceonoff_triggers tests do instances
        selftests: ftrace: Allow some tests to be run in a tracing instance
        tracing/ftrace: Allow for instances to trigger their own stacktrace probes
        tracing/ftrace: Allow for the traceonoff probe be unique to instances
        tracing/ftrace: Enable snapshot function trigger to work with instances
        tracing/ftrace: Allow instances to have their own function probes
        tracing/ftrace: Add a better way to pass data via the probe functions
        ftrace: Dynamically create the probe ftrace_ops for the trace_array
        tracing: Pass the trace_array into ftrace_probe_ops functions
        tracing: Have the trace_array hold the list of registered func probes
        ftrace: If the hash for a probe fails to update then free what was initialized
        ftrace: Have the function probes call their own function
        ftrace: Have each function probe use its own ftrace_ops
        ftrace: Have unregister_ftrace_function_probe_func() return a value
        ftrace: Add helper function ftrace_hash_move_and_update_ops()
        ftrace: Remove data field from ftrace_func_probe structure
        ...
      4c174688
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · 9c35baf6
      Linus Torvalds 提交于
      Pull printk updates from Petr Mladek:
      
       - There is a situation when early console is not deregistered because
         the preferred one matches a wrong entry. It caused messages to appear
         twice.
      
         This is the 2nd attempt to fix it. The first one was wrong, see the
         commit c6c7d83b ('Revert "console: don't prefer first registered
         if DT specifies stdout-path"').
      
         The fix is coupled with some small code clean up. Well, the console
         registration code would deserve a big one. We need to think about it.
      
       - Do not lose information about the preemtive context when the console
         semaphore is re-taken.
      
       - Do not block CPU hotplug when someone else is already pushing
         messages to the console.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        printk: fix double printing with earlycon
        printk: rename selected_console -> preferred_console
        printk: fix name/type/scope of preferred_console var
        printk: Correctly handle preemption in console_unlock()
        printk: use console_trylock() in console_cpu_notify()
      9c35baf6
    • L
      Merge branch 'akpm' (patches from Andrew) · dd23f273
      Linus Torvalds 提交于
      Merge misc updates from Andrew Morton:
      
       - a few misc things
      
       - most of MM
      
       - KASAN updates
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (102 commits)
        kasan: separate report parts by empty lines
        kasan: improve double-free report format
        kasan: print page description after stacks
        kasan: improve slab object description
        kasan: change report header
        kasan: simplify address description logic
        kasan: change allocation and freeing stack traces headers
        kasan: unify report headers
        kasan: introduce helper functions for determining bug type
        mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page
        mm: hwpoison: call shake_page() unconditionally
        mm/swapfile.c: fix swap space leak in error path of swap_free_entries()
        mm/gup.c: fix access_ok() argument type
        mm/truncate: avoid pointless cleancache_invalidate_inode() calls.
        mm/truncate: bail out early from invalidate_inode_pages2_range() if mapping is empty
        fs/block_dev: always invalidate cleancache in invalidate_bdev()
        fs: fix data invalidation in the cleancache during direct IO
        zram: reduce load operation in page_same_filled
        zram: use zram_free_page instead of open-coded
        zram: introduce zram data accessor
        ...
      dd23f273
    • A
      kasan: separate report parts by empty lines · b1938599
      Andrey Konovalov 提交于
      Makes the report easier to read.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-10-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b1938599
    • A
      kasan: improve double-free report format · 5ab6d91a
      Andrey Konovalov 提交于
      Changes double-free report header from
      
        BUG: Double free or freeing an invalid pointer
        Unexpected shadow byte: 0xFB
      
      to
      
        BUG: KASAN: double-free or invalid-free in kmalloc_oob_left+0xe5/0xef
      
      This makes a bug uniquely identifiable by the first report line.  To
      account for removing of the unexpected shadow value, print shadow bytes
      at the end of the report as in reports for other kinds of bugs.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-9-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5ab6d91a
    • A
      kasan: print page description after stacks · 430a05f9
      Andrey Konovalov 提交于
      Moves page description after the stacks since it's less important.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-8-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      430a05f9
    • A
      kasan: improve slab object description · 0c06f1f8
      Andrey Konovalov 提交于
      Changes slab object description from:
      
        Object at ffff880068388540, in cache kmalloc-128 size: 128
      
      to:
      
        The buggy address belongs to the object at ffff880068388540
         which belongs to the cache kmalloc-128 of size 128
        The buggy address is located 123 bytes inside of
         128-byte region [ffff880068388540, ffff8800683885c0)
      
      Makes it more explanatory and adds information about relative offset of
      the accessed address to the start of the object.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-7-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0c06f1f8
    • A
      kasan: change report header · 7f0a84c2
      Andrey Konovalov 提交于
      Change report header format from:
      
        BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0 at addr ffff880069437950
        Read of size 8 by task insmod/3925
      
      to:
      
        BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0
        Read of size 8 at addr ffff880069437950 by task insmod/3925
      
      The exact access address is not usually important, so move it to the
      second line.  This also makes the header look visually balanced.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-6-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7f0a84c2
    • A
      kasan: simplify address description logic · db429f16
      Andrey Konovalov 提交于
      Simplify logic for describing a memory address.  Add addr_to_page()
      helper function.
      
      Makes the code easier to follow.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-5-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      db429f16
    • A
      kasan: change allocation and freeing stack traces headers · b6b72f49
      Andrey Konovalov 提交于
      Change stack traces headers from:
      
        Allocated:
        PID = 42
      
      to:
      
        Allocated by task 42:
      
      Makes the report one line shorter and look better.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-4-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b6b72f49
    • A
      kasan: unify report headers · 7d418f7b
      Andrey Konovalov 提交于
      Unify KASAN report header format for different kinds of bad memory
      accesses.  Makes the code simpler.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-3-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7d418f7b
    • A
      kasan: introduce helper functions for determining bug type · 5e82cd12
      Andrey Konovalov 提交于
      Patch series "kasan: improve error reports", v2.
      
      This patchset improves KASAN reports by making them easier to read and a
      little more detailed.  Also improves mm/kasan/report.c readability.
      
      Effectively changes a use-after-free report to:
      
        ==================================================================
        BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan]
        Write of size 1 at addr ffff88006aa59da8 by task insmod/3951
      
        CPU: 1 PID: 3951 Comm: insmod Tainted: G    B           4.10.0+ #84
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         dump_stack+0x292/0x398
         print_address_description+0x73/0x280
         kasan_report.part.2+0x207/0x2f0
         __asan_report_store1_noabort+0x2c/0x30
         kmalloc_uaf+0xaa/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc2
        RIP: 0033:0x7f22cfd0b9da
        RSP: 002b:00007ffe69118a78 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
        RAX: ffffffffffffffda RBX: 0000555671242090 RCX: 00007f22cfd0b9da
        RDX: 00007f22cffcaf88 RSI: 000000000004df7e RDI: 00007f22d0399000
        RBP: 00007f22cffcaf88 R08: 0000000000000003 R09: 0000000000000000
        R10: 00007f22cfd07d0a R11: 0000000000000206 R12: 0000555671243190
        R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004
      
        Allocated by task 3951:
         save_stack_trace+0x16/0x20
         save_stack+0x43/0xd0
         kasan_kmalloc+0xad/0xe0
         kmem_cache_alloc_trace+0x82/0x270
         kmalloc_uaf+0x56/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
        Freed by task 3951:
         save_stack_trace+0x16/0x20
         save_stack+0x43/0xd0
         kasan_slab_free+0x72/0xc0
         kfree+0xe8/0x2b0
         kmalloc_uaf+0x85/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc
      
        The buggy address belongs to the object at ffff88006aa59da0
         which belongs to the cache kmalloc-16 of size 16
        The buggy address is located 8 bytes inside of
         16-byte region [ffff88006aa59da0, ffff88006aa59db0)
        The buggy address belongs to the page:
        page:ffffea0001aa9640 count:1 mapcount:0 mapping:          (null) index:0x0
        flags: 0x100000000000100(slab)
        raw: 0100000000000100 0000000000000000 0000000000000000 0000000180800080
        raw: ffffea0001abe380 0000000700000007 ffff88006c401b40 0000000000000000
        page dumped because: kasan: bad access detected
      
        Memory state around the buggy address:
         ffff88006aa59c80: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
         ffff88006aa59d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
        >ffff88006aa59d80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                          ^
         ffff88006aa59e00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
         ffff88006aa59e80: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
        ==================================================================
      
      from:
      
        ==================================================================
        BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan] at addr ffff88006c4dcb28
        Write of size 1 by task insmod/3984
        CPU: 1 PID: 3984 Comm: insmod Tainted: G    B           4.10.0+ #83
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         dump_stack+0x292/0x398
         kasan_object_err+0x1c/0x70
         kasan_report.part.1+0x20e/0x4e0
         __asan_report_store1_noabort+0x2c/0x30
         kmalloc_uaf+0xaa/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc2
        RIP: 0033:0x7feca0f779da
        RSP: 002b:00007ffdfeae5218 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
        RAX: ffffffffffffffda RBX: 000055a064c13090 RCX: 00007feca0f779da
        RDX: 00007feca1236f88 RSI: 000000000004df7e RDI: 00007feca1605000
        RBP: 00007feca1236f88 R08: 0000000000000003 R09: 0000000000000000
        R10: 00007feca0f73d0a R11: 0000000000000206 R12: 000055a064c14190
        R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004
        Object at ffff88006c4dcb20, in cache kmalloc-16 size: 16
        Allocated:
        PID = 3984
         save_stack_trace+0x16/0x20
         save_stack+0x43/0xd0
         kasan_kmalloc+0xad/0xe0
         kmem_cache_alloc_trace+0x82/0x270
         kmalloc_uaf+0x56/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc2
        Freed:
        PID = 3984
         save_stack_trace+0x16/0x20
         save_stack+0x43/0xd0
         kasan_slab_free+0x73/0xc0
         kfree+0xe8/0x2b0
         kmalloc_uaf+0x85/0xb6 [test_kasan]
         kmalloc_tests_init+0x4f/0xa48 [test_kasan]
         do_one_initcall+0xf3/0x390
         do_init_module+0x215/0x5d0
         load_module+0x54de/0x82b0
         SYSC_init_module+0x3be/0x430
         SyS_init_module+0x9/0x10
         entry_SYSCALL_64_fastpath+0x1f/0xc2
        Memory state around the buggy address:
         ffff88006c4dca00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
         ffff88006c4dca80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
        >ffff88006c4dcb00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                          ^
         ffff88006c4dcb80: fb fb fc fc 00 00 fc fc fb fb fc fc fb fb fc fc
         ffff88006c4dcc00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
        ==================================================================
      
      This patch (of 9):
      
      Introduce get_shadow_bug_type() function, which determines bug type
      based on the shadow value for a particular kernel address.  Introduce
      get_wild_bug_type() function, which determines bug type for addresses
      which don't have a corresponding shadow value.
      
      Link: http://lkml.kernel.org/r/20170302134851.101218-2-andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5e82cd12
    • N
      mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page · 286c469a
      Naoya Horiguchi 提交于
      Memory error handler calls try_to_unmap() for error pages in various
      states.  If the error page is a mlocked page, error handling could fail
      with "still referenced by 1 users" message.  This is because the page is
      linked to and stays in lru cache after the following call chain.
      
        try_to_unmap_one
          page_remove_rmap
            clear_page_mlock
              putback_lru_page
                lru_cache_add
      
      memory_failure() calls shake_page() to hanlde the similar issue, but
      current code doesn't cover because shake_page() is called only before
      try_to_unmap().  So this patches adds shake_page().
      
      Fixes: 23a003bf ("mm/madvise: pass return code of memory_failure() to userspace")
      Link: http://lkml.kernel.org/r/20170417055948.GM31394@yexl-desktop
      Link: http://lkml.kernel.org/r/1493197841-23986-3-git-send-email-n-horiguchi@ah.jp.nec.comSigned-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Reported-by: Nkernel test robot <lkp@intel.com>
      Cc: Xiaolong Ye <xiaolong.ye@intel.com>
      Cc: Chen Gong <gong.chen@linux.intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      286c469a
    • N
      mm: hwpoison: call shake_page() unconditionally · 8bcb74de
      Naoya Horiguchi 提交于
      shake_page() is called before going into core error handling code in
      order to ensure that the error page is flushed from lru_cache lists
      where pages stay during transferring among LRU lists.
      
      But currently it's not fully functional because when the page is linked
      to lru_cache by calling activate_page(), its PageLRU flag is set and
      shake_page() is skipped.  The result is to fail error handling with
      "still referenced by 1 users" message.
      
      When the page is linked to lru_cache by isolate_lru_page(), its PageLRU
      is clear, so that's fine.
      
      This patch makes shake_page() unconditionally called to avoild the
      failure.
      
      Fixes: 23a003bf ("mm/madvise: pass return code of memory_failure() to userspace")
      Link: http://lkml.kernel.org/r/20170417055948.GM31394@yexl-desktop
      Link: http://lkml.kernel.org/r/1493197841-23986-2-git-send-email-n-horiguchi@ah.jp.nec.comSigned-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Reported-by: Nkernel test robot <lkp@intel.com>
      Cc: Xiaolong Ye <xiaolong.ye@intel.com>
      Cc: Chen Gong <gong.chen@linux.intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8bcb74de
    • H
      mm/swapfile.c: fix swap space leak in error path of swap_free_entries() · 0ccfece6
      Huang Ying 提交于
      In swapcache_free_entries(), if swap_info_get_cont() returns NULL,
      something wrong occurs for the swap entry.  But we should still continue
      to free the following swap entries in the array instead of skip them to
      avoid swap space leak.  This is just problem in error path, where system
      may be in an inconsistent state, but it is still good to fix it.
      
      Link: http://lkml.kernel.org/r/20170421124739.24534-1-ying.huang@intel.comSigned-off-by: N"Huang, Ying" <ying.huang@intel.com>
      Acked-by: NTim Chen <tim.c.chen@linux.intel.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Shaohua Li <shli@kernel.org>
      Cc: Minchan Kim <minchan@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0ccfece6