1. 14 Feb, 2018 17 commits
    • David S. Miller's avatar
      Merge branch 'tipc-locking-fixes' · 080fe7aa
      David S. Miller authored
      Ying Xue says:
      
      ====================
      tipc: Fix missing RTNL lock protection during setting link properties
      
      At present it's unsafe to configure link properties through netlink
      as the entire setting process is not under RTNL lock protection. Now
      TIPC supports two different sets of netlink APIs at the same time, and
      they share the same set of backend functions to configure bearer,
      media and net properties. In order to solve the missing RTNL issue,
      we have to make the whole __tipc_nl_compat_doit() protected by RTNL,
      which means any function called within it cannot take RTNL any more.
      So in the series we first introduce the following new functions which
      doesn't hold RTNl lock:
      
       - __tipc_nl_bearer_disable()
       - __tipc_nl_bearer_enable()
       - __tipc_nl_bearer_set()
       - __tipc_nl_media_set()
       - __tipc_nl_net_set()
      
      Meanwhile, __tipc_nl_compat_doit() has been reconstructed to minimize
      the time of holding RTNL lock.
      
      Changes in v4:
       - Per suggestion of Kirill Tkhai, divided original big one patch into
         seven small ones so that they can be easily reviewed.
      
      Changes in v3:
       - Optimized return method of __tipc_nl_bearer_enable() regarding
         the comments from David M and Kirill Tkhai
       - Moved the allocations of memory in __tipc_nl_compat_doit() out
         of RTNL lock to minimize the time of holding RTNL lock according
         to the suggestion of Kirill Tkhai.
      
      Changes in v2:
       - The whole operation of setting bearer/media properties has been
         protected under RTNL, as per feedback from David M.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      080fe7aa
    • Ying Xue's avatar
      tipc: Fix missing RTNL lock protection during setting link properties · ed4ffdfe
      Ying Xue authored
      Currently when user changes link properties, TIPC first checks if
      user's command message contains media name or bearer name through
      tipc_media_find() or tipc_bearer_find() which is protected by RTNL
      lock. But when tipc_nl_compat_link_set() conducts the checking with
      the two functions, it doesn't hold RTNL lock at all, as a result,
      the following complaints were reported:
      
      audit: type=1400 audit(1514679888.244:9): avc:  denied  { write } for
      pid=3194 comm="syzkaller021477" path="socket:[11143]" dev="sockfs"
      ino=11143 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
      tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
      tclass=netlink_generic_socket permissive=1
      Reviewed-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
      
      =============================
      WARNING: suspicious RCU usage
      4.15.0-rc5+ #152 Not tainted
      -----------------------------
      net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      2 locks held by syzkaller021477/3194:
        #0:  (cb_lock){++++}, at: [<00000000d20133ea>] genl_rcv+0x19/0x40
      net/netlink/genetlink.c:634
        #1:  (genl_mutex){+.+.}, at: [<00000000fcc5d1bc>] genl_lock
      net/netlink/genetlink.c:33 [inline]
        #1:  (genl_mutex){+.+.}, at: [<00000000fcc5d1bc>] genl_rcv_msg+0x115/0x140
      net/netlink/genetlink.c:622
      
      stack backtrace:
      CPU: 1 PID: 3194 Comm: syzkaller021477 Not tainted 4.15.0-rc5+ #152
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x257 lib/dump_stack.c:53
        lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
        tipc_bearer_find+0x2b4/0x3b0 net/tipc/bearer.c:177
        tipc_nl_compat_link_set+0x329/0x9f0 net/tipc/netlink_compat.c:729
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:288 [inline]
        tipc_nl_compat_doit+0x15b/0x660 net/tipc/netlink_compat.c:335
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1119 [inline]
        tipc_nl_compat_recv+0x112f/0x18f0 net/tipc/netlink_compat.c:1201
        genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
        genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
        netlink_rcv_skb+0x21e/0x460 net/netlink/af_netlink.c:2408
        genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
        netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
        netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1301
        netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
        sock_sendmsg_nosec net/socket.c:636 [inline]
        sock_sendmsg+0xca/0x110 net/socket.c:646
        sock_write_iter+0x31a/0x5d0 net/socket.c:915
        call_write_iter include/linux/fs.h:1772 [inline]
        new_sync_write fs/read_write.c:469 [inline]
        __vfs_write+0x684/0x970 fs/read_write.c:482
        vfs_write+0x189/0x510 fs/read_write.c:544
        SYSC_write fs/read_write.c:589 [inline]
        SyS_write+0xef/0x220 fs/read_write.c:581
        do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
        do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
        entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
      
      In order to correct the mistake, __tipc_nl_compat_doit() has been
      protected by RTNL lock, which means the whole operation of setting
      bearer/media properties is under RTNL protection.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Reported-by: default avatarsyzbot <syzbot+6345fd433db009b29413@syzkaller.appspotmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ed4ffdfe
    • Ying Xue's avatar
      tipc: Introduce __tipc_nl_net_set · 5631f65d
      Ying Xue authored
      Introduce __tipc_nl_net_set() which doesn't hold RTNL lock.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5631f65d
    • Ying Xue's avatar
      tipc: Introduce __tipc_nl_media_set · 07ffb223
      Ying Xue authored
      Introduce __tipc_nl_media_set() which doesn't hold RTNL lock.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      07ffb223
    • Ying Xue's avatar
      tipc: Introduce __tipc_nl_bearer_set · 93532bb1
      Ying Xue authored
      Introduce __tipc_nl_bearer_set() which doesn't holding RTNL lock.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93532bb1
    • Ying Xue's avatar
      tipc: Introduce __tipc_nl_bearer_enable · 45cf7edf
      Ying Xue authored
      Introduce __tipc_nl_bearer_enable() which doesn't hold RTNL lock.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45cf7edf
    • Ying Xue's avatar
      tipc: Introduce __tipc_nl_bearer_disable · d59d8b77
      Ying Xue authored
      Introduce __tipc_nl_bearer_disable() which doesn't hold RTNL lock.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d59d8b77
    • Ying Xue's avatar
      tipc: Refactor __tipc_nl_compat_doit · e5d1a1ee
      Ying Xue authored
      As preparation for adding RTNL to make (*cmd->transcode)() and
      (*cmd->transcode)() constantly protected by RTNL lock, we move out of
      memory allocations existing between them as many as possible so that
      the time of holding RTNL can be minimized in __tipc_nl_compat_doit().
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e5d1a1ee
    • David S. Miller's avatar
      Merge branch 'ibmvnic-leaks' · 361b1231
      David S. Miller authored
      Thomas Falcon says:
      
      ====================
      ibmvnic: Fix memory leaks in the driver
      
      This patch set is pretty self-explanatory. It includes
      a number of patches that fix memory leaks found with
      kmemleak in the ibmvnic driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      361b1231
    • Thomas Falcon's avatar
      ibmvnic: Clean RX pool buffers during device close · d0869c00
      Thomas Falcon authored
      During device close or reset, there were some cases of outstanding
      RX socket buffers not being freed. Include a function similar to the
      one that already exists to clean TX socket buffers in this case.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0869c00
    • Thomas Falcon's avatar
      ibmvnic: Free RX socket buffer in case of adapter error · 4b9b0f01
      Thomas Falcon authored
      If a RX buffer is returned to the client driver with an error, free the
      corresponding socket buffer before continuing.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b9b0f01
    • Thomas Falcon's avatar
      ibmvnic: Fix NAPI structures memory leak · 6e4842dd
      Thomas Falcon authored
      This memory is allocated during initialization but never freed,
      so do that now.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e4842dd
    • Thomas Falcon's avatar
      ibmvnic: Fix login buffer memory leaks · 34f0f4e3
      Thomas Falcon authored
      During device bringup, the driver exchanges login buffers with
      firmware. These buffers contain information such number of TX
      and RX queues alloted to the device, RX buffer size, etc. These
      buffers weren't being properly freed on device reset or close.
      
      We can free the buffer we send to firmware as soon as we get
      a response. There is information in the response buffer that
      the driver needs for normal operation so retain it until the
      next reset or removal.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34f0f4e3
    • Thomas Falcon's avatar
      ibmvnic: Wait until reset is complete to set carrier on · cc85c02e
      Thomas Falcon authored
      Pushes back setting the carrier on until the end of the reset
      code. This resolves a bug where a watchdog timer was detecting
      that a TX queue had stalled before the adapter reset was complete.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc85c02e
    • Jesper Dangaard Brouer's avatar
      Revert "net: thunderx: Add support for xdp redirect" · e6dbe939
      Jesper Dangaard Brouer authored
      This reverts commit aa136d0c.
      
      As I previously[1] pointed out this implementation of XDP_REDIRECT is
      wrong.  XDP_REDIRECT is a facility that must work between different
      NIC drivers.  Another NIC driver can call ndo_xdp_xmit/nicvf_xdp_xmit,
      but your driver patch assumes payload data (at top of page) will
      contain a queue index and a DMA addr, this is not true and worse will
      likely contain garbage.
      
      Given you have not fixed this in due time (just reached v4.16-rc1),
      the only option I see is a revert.
      
      [1] http://lkml.kernel.org/r/20171211130902.482513d3@redhat.com
      
      Cc: Sunil Goutham <sgoutham@cavium.com>
      Cc: Christina Jacob <cjacob@caviumnetworks.com>
      Cc: Aleksey Makarov <aleksey.makarov@cavium.com>
      Fixes: aa136d0c ("net: thunderx: Add support for xdp redirect")
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e6dbe939
    • Xin Long's avatar
      sctp: fix some copy-paste errors for file comments · fae8b6f4
      Xin Long authored
      This patch is to fix the file comments in stream.c and
      stream_interleave.c
      
      v1->v2:
        rephrase the comment for stream.c according to Neil's suggestion.
      
      Fixes: a8386317 ("sctp: prepare asoc stream for stream reconf")
      Fixes: 0c3f6f65 ("sctp: implement make_datafrag for sctp_stream_interleave")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fae8b6f4
    • Jakub Kicinski's avatar
      net: fix race on decreasing number of TX queues · ac5b7019
      Jakub Kicinski authored
      netif_set_real_num_tx_queues() can be called when netdev is up.
      That usually happens when user requests change of number of
      channels/rings with ethtool -L.  The procedure for changing
      the number of queues involves resetting the qdiscs and setting
      dev->num_tx_queues to the new value.  When the new value is
      lower than the old one, extra care has to be taken to ensure
      ordering of accesses to the number of queues vs qdisc reset.
      
      Currently the queues are reset before new dev->num_tx_queues
      is assigned, leaving a window of time where packets can be
      enqueued onto the queues going down, leading to a likely
      crash in the drivers, since most drivers don't check if TX
      skbs are assigned to an active queue.
      
      Fixes: e6484930 ("net: allocate tx queues in register_netdevice")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac5b7019
  2. 13 Feb, 2018 7 commits
  3. 12 Feb, 2018 13 commits
  4. 11 Feb, 2018 3 commits
    • Linus Torvalds's avatar
      Linux 4.16-rc1 · 7928b2cb
      Linus Torvalds authored
      7928b2cb
    • Al Viro's avatar
      unify {de,}mangle_poll(), get rid of kernel-side POLL... · 7a163b21
      Al Viro authored
      except, again, POLLFREE and POLL_BUSY_LOOP.
      
      With this, we finally get to the promised end result:
      
       - POLL{IN,OUT,...} are plain integers and *not* in __poll_t, so any
         stray instances of ->poll() still using those will be caught by
         sparse.
      
       - eventpoll.c and select.c warning-free wrt __poll_t
      
       - no more kernel-side definitions of POLL... - userland ones are
         visible through the entire kernel (and used pretty much only for
         mangle/demangle)
      
       - same behavior as after the first series (i.e. sparc et.al. epoll(2)
         working correctly).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7a163b21
    • Linus Torvalds's avatar
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds authored
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845