1. 08 Apr, 2019 4 commits
    • rhashtable: add lockdep tracking to bucket bit-spin-locks. · 149212f0
      NeilBrown authored
      Native bit_spin_locks are not tracked by lockdep.
      
      The bit_spin_locks used for rhashtable buckets are local
      to the rhashtable implementation, so there is little opportunity
      for the sort of misuse that lockdep might detect.
      However locks are held while a hash function or compare
      function is called, and if one of these took a lock,
      a misbehaviour is possible.
      
      As it is quite easy to add lockdep support this unlikely
      possibility seems to be enough justification.
      
      So create a lockdep class for bucket bit_spin_lock and attach
      through a lockdep_map in each bucket_table.
      
      Without the 'nested' annotation in rhashtable_rehash_one(), lockdep
      correctly reports a possible problem as this lock is taken
      while another bucket lock (in another table) is held.  This
      confirms that the added support works.
      With the correct nested annotation in place, lockdep reports
      no problems.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rhashtable: use bit_spin_locks to protect hash bucket. · 8f0db018
      NeilBrown authored
      This patch changes rhashtables to use a bit_spin_lock on BIT(1) of the
      bucket pointer to lock the hash chain for that bucket.
      
      The benefits of a bit spin_lock are:
       - no need to allocate a separate array of locks.
       - no need to have a configuration option to guide the
         choice of the size of this array
       - locking cost is often a single test-and-set in a cache line
         that will have to be loaded anyway.  When inserting at, or removing
         from, the head of the chain, the unlock is free - writing the new
         address in the bucket head implicitly clears the lock bit.
         For __rhashtable_insert_fast() we ensure this always happens
         when adding a new key.
       - even when locking costs 2 updates (lock and unlock), they are
         in a cacheline that needs to be read anyway.
      
      The cost of using a bit spin_lock is a little bit of code complexity,
      which I think is quite manageable.
      
      Bit spin_locks are sometimes inappropriate because they are not fair -
      if multiple CPUs repeatedly contend for the same lock, one CPU can
      easily be starved.  This is not a credible situation with rhashtable.
      Multiple CPUs may want to repeatedly add or remove objects, but they
      will typically do so at different buckets, so they will attempt to
      acquire different locks.
      
      As we have more bit-locks than we previously had spinlocks (by at
      least a factor of two) we can expect slightly less contention to
      go with the slightly better cache behavior and reduced memory
      consumption.
      
      To enhance type checking, a new struct is introduced to represent the
      pointer plus lock-bit that is stored in the bucket-table.  This is
      "struct rhash_lock_head"
      and is empty.  A pointer to this needs to be cast to either an
      unsigned lock, or a "struct rhash_head *" to be useful.
      Variables of this type are most often called "bkt".
      
      Previously "pprev" would sometimes point to a bucket, and sometimes a
      ->next pointer in an rhash_head.  As these are now different types,
      pprev is NULL when it would have pointed to the bucket. In that case,
      'bkt' is used, together with correct locking protocol.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rhashtable: allow rht_bucket_var to return NULL. · ff302db9
      NeilBrown authored
      Rather than returning a pointer to a static nulls, rht_bucket_var()
      now returns NULL if the bucket doesn't exist.
      This will make the next patch, which stores a bitlock in the
      bucket pointer, somewhat cleaner.
      
      This change involves introducing __rht_bucket_nested() which is
      like rht_bucket_nested(), but doesn't provide the static nulls,
      and changing rht_bucket_nested() to call this and possibly
      provide a static nulls - as is still needed for the non-var case.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rhashtable: use cmpxchg() in nested_table_alloc() · 7a41c294
      NeilBrown authored
      nested_table_alloc() relies on the fact that there is
      at most one spinlock allocated for every slot in the top
      level nested table, so it is not possible for two threads
      to try to allocate the same table at the same time.
      
      This assumption is a little fragile (it is not explicit) and is
      unnecessary as cmpxchg() can be used instead.
      
      A future patch will replace the spinlocks by per-bucket bitlocks,
      and then we won't be able to protect the slot pointer with a spinlock.
      
      So replace rcu_assign_pointer() with cmpxchg() - which has equivalent
      barrier properties.
      If the cmp fails, free the table that was just allocated.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 07 Apr, 2019 28 commits
  3. 06 Apr, 2019 1 commit
    • r8169: disable tx interrupt coalescing on RTL8168 · eb94dc9a
      Heiner Kallweit authored
      In contrast to switching rx irq coalescing off, which fixed an issue,
      switching tx irq coalescing off is merely a latency optimization,
      therefore net-next. As part of this change:
      
      - Remove INTT_0 .. INTT_3 constants, they aren't used.
      
      - Remove comment in rtl_hw_start_8169(), we now have a detailed
        description by the code in rtl_set_coalesce().
      
      - Due to switching irq coalescing off per default we don't need the
        initialization in rtl_hw_start_8168(). If ethtool is used to switch
        on coalescing then rtl_set_coalesce() will configure this register.
      
      For the sake of completeness: This patch just changes the default.
      Users still have the option to configure irq coalescing via ethtool.
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 05 Apr, 2019 7 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f83f7151
      David S. Miller authored
      Minor comment merge conflict in mlx5.
      
      Staging driver has a fixup due to the skb->xmit_more changes
      in 'net-next', but was removed in 'net'.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mm-compaction-5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mel/linux · 7f46774c
      Linus Torvalds authored
      Pull mm/compaction fixes from Mel Gorman:
       "The merge window for 5.1 introduced a number of compaction-related
        patches, with intermittent reports of corruption and functional
        issues. The bugs are due to sloppy checking of zone boundaries and a
        corner case where invalid indexes are used to access the free lists.
      
        Reports are not common but at least two users and 0-day have tripped
        over them. There is a chance that one of the syzbot reports is
        related but it has not been confirmed properly.
      
        The normal submission path is with Andrew but there have been some
        delays and I consider them urgent enough that they should be picked up
        before RC4 to avoid duplicate reports.
      
        All of these have been successfully tested on older RC windows. This
        will make this branch look like a rebase but in fact, they've simply
        been lifted again from Andrew's tree and placed on a fresh branch.
        I've no reason to believe that this has invalidated the testing given
        the lack of change in compaction and the nature of the fixes"
      
      * tag 'mm-compaction-5.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mel/linux:
        mm/compaction.c: abort search if isolation fails
        mm/compaction.c: correct zone boundary handling when resetting pageblock skip hints
    • tty: mark Siemens R3964 line discipline as BROKEN · c7084edc
      Greg Kroah-Hartman authored
      The n_r3964 line discipline driver was written in a different time, when
      SMP machines were rare, and users were trusted to do the right thing.
      Since then, the world has moved on but not this code, it has stayed
      rooted in the past with its lovely hand-crafted list structures and
      loads of "interesting" race conditions all over the place.
      
      After attempting to clean up most of the issues, I just gave up and am
      now marking the driver as BROKEN so that hopefully someone who has this
      hardware will show up out of the woodwork (I know you are out there!)
      and will help with debugging a raft of changes that I had laying around
      for the code, but was too afraid to commit as odds are they would break
      things.
      
      Many thanks to Jann and Linus for pointing out the initial problems in
      this codebase, as well as many reviews of my attempts to fix the issues.
      It was a case of whack-a-mole, and as you can see, the mole won.
      Reported-by: Jann Horn <jannh@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'drm-fixes-2019-04-05' of git://anongit.freedesktop.org/drm/drm · ea2cec24
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Pretty quiet week, just some amdgpu and i915 fixes.
      
        i915:
         - deadlock fix
         - gvt fixes
      
        amdgpu:
         - PCIE dpm feature fix
         - Powerplay fixes"
      
      * tag 'drm-fixes-2019-04-05' of git://anongit.freedesktop.org/drm/drm:
        drm/i915/gvt: Fix kerneldoc typo for intel_vgpu_emulate_hotplug
        drm/i915/gvt: Correct the calculation of plane size
        drm/amdgpu: remove unnecessary rlc reset function on gfx9
        drm/i915: Always backoff after a drm_modeset_lock() deadlock
        drm/i915/gvt: do not let pin count of shadow mm go negative
        drm/i915/gvt: do not deliver a workload if its creation fails
        drm/amd/display: VBIOS can't be light up HDMI when restart system
        drm/amd/powerplay: fix possible hang with 3+ 4K monitors
        drm/amd/powerplay: correct data type to avoid overflow
        drm/amd/powerplay: add ECC feature bit
        drm/amd/amdgpu: fix PCIe dpm feature issue (v3)
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0548740e
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Several hash table refcount fixes in batman-adv, from Sven
          Eckelmann.
      
       2) Use after free in bpf_evict_inode(), from Daniel Borkmann.
      
       3) Fix mdio bus registration in ixgbe, from Ivan Vecera.
      
       4) Unbounded loop in __skb_try_recv_datagram(), from Paolo Abeni.
      
       5) ila rhashtable corruption fix from Herbert Xu.
      
       6) Don't allow upper-devices to be added to vrf devices, from Sabrina
          Dubroca.
      
       7) Add qmi_wwan device ID for Olicard 600, from Bjørn Mork.
      
       8) Don't leave skb->next poisoned in __netif_receive_skb_list_ptype,
          from Alexander Lobakin.
      
       9) Missing IDR checks in mlx5 driver, from Aditya Pakki.
      
      10) Fix false connection termination in ktls, from Jakub Kicinski.
      
      11) Work around some ASPM issues with r8169 by disabling rx interrupt
          coalescing on certain chips. From Heiner Kallweit.
      
      12) Properly use per-cpu qstat values on NOLOCK qdiscs, from Paolo
          Abeni.
      
      13) Fully initialize sockaddr_in structures in SCTP, from Xin Long.
      
      14) Various BPF flow dissector fixes from Stanislav Fomichev.
      
      15) Divide by zero in act_sample, from Davide Caratti.
      
      16) Fix bridging multicast regression introduced by rhashtable
          conversion, from Nikolay Aleksandrov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (106 commits)
        ibmvnic: Fix completion structure initialization
        ipv6: sit: reset ip header pointer in ipip6_rcv
        net: bridge: always clear mcast matching struct on reports and leaves
        libcxgb: fix incorrect ppmax calculation
        vlan: conditional inclusion of FCoE hooks to match netdevice.h and bnx2x
        sch_cake: Make sure we can write the IP header before changing DSCP bits
        sch_cake: Use tc_skb_protocol() helper for getting packet protocol
        tcp: Ensure DCTCP reacts to losses
        net/sched: act_sample: fix divide by zero in the traffic path
        net: thunderx: fix NULL pointer dereference in nicvf_open/nicvf_stop
        net: hns: Fix sparse: some warnings in HNS drivers
        net: hns: Fix WARNING when remove HNS driver with SMMU enabled
        net: hns: fix ICMP6 neighbor solicitation messages discard problem
        net: hns: Fix probabilistic memory overwrite when HNS driver initialized
        net: hns: Use NAPI_POLL_WEIGHT for hns driver
        net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()
        flow_dissector: rst'ify documentation
        ipv6: Fix dangling pointer when ipv6 fragment
        net-gro: Fix GRO flush when receiving a GSO packet.
        flow_dissector: document BPF flow dissector environment
        ...
    • ibmvnic: Fix completion structure initialization · bbd669a8
      Thomas Falcon authored
      Fix device initialization completion handling for vNIC adapters.
      Initialize the completion structure on probe and reinitialize when needed.
      This also fixes a race condition during kdump where the driver can attempt
      to access the completion struct before it is initialized:
      
      Unable to handle kernel paging request for data at address 0x00000000
      Faulting instruction address: 0xc0000000081acbe0
      Oops: Kernel access of bad area, sig: 11 [#1]
      LE SMP NR_CPUS=2048 NUMA pSeries
      Modules linked in: ibmvnic(+) ibmveth sunrpc overlay squashfs loop
      CPU: 19 PID: 301 Comm: systemd-udevd Not tainted 4.18.0-64.el8.ppc64le #1
      NIP:  c0000000081acbe0 LR: c0000000081ad964 CTR: c0000000081ad900
      REGS: c000000027f3f990 TRAP: 0300   Not tainted  (4.18.0-64.el8.ppc64le)
      MSR:  800000010280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE,TM[E]> CR: 28228288  XER: 00000006
      CFAR: c000000008008934 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1
      GPR00: c0000000081ad964 c000000027f3fc10 c0000000095b5800 c0000000221b4e58
      GPR04: 0000000000000003 0000000000000001 000049a086918581 00000000000000d4
      GPR08: 0000000000000007 0000000000000000 ffffffffffffffe8 d0000000014dde28
      GPR12: c0000000081ad900 c000000009a00c00 0000000000000001 0000000000000100
      GPR16: 0000000000000038 0000000000000007 c0000000095e2230 0000000000000006
      GPR20: 0000000000400140 0000000000000001 c00000000910c880 0000000000000000
      GPR24: 0000000000000000 0000000000000006 0000000000000000 0000000000000003
      GPR28: 0000000000000001 0000000000000001 c0000000221b4e60 c0000000221b4e58
      NIP [c0000000081acbe0] __wake_up_locked+0x50/0x100
      LR [c0000000081ad964] complete+0x64/0xa0
      Call Trace:
      [c000000027f3fc10] [c000000027f3fc60] 0xc000000027f3fc60 (unreliable)
      [c000000027f3fc60] [c0000000081ad964] complete+0x64/0xa0
      [c000000027f3fca0] [d0000000014dad58] ibmvnic_handle_crq+0xce0/0x1160 [ibmvnic]
      [c000000027f3fd50] [d0000000014db270] ibmvnic_tasklet+0x98/0x130 [ibmvnic]
      [c000000027f3fda0] [c00000000813f334] tasklet_action_common.isra.3+0xc4/0x1a0
      [c000000027f3fe00] [c000000008cd13f4] __do_softirq+0x164/0x400
      [c000000027f3fef0] [c00000000813ed64] irq_exit+0x184/0x1c0
      [c000000027f3ff20] [c0000000080188e8] __do_irq+0xb8/0x210
      [c000000027f3ff90] [c00000000802d0a4] call_do_irq+0x14/0x24
      [c000000026a5b010] [c000000008018adc] do_IRQ+0x9c/0x130
      [c000000026a5b060] [c000000008008ce4] hardware_interrupt_common+0x114/0x120
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sit: reset ip header pointer in ipip6_rcv · bb9bd814
      Lorenzo Bianconi authored
      ipip6 tunnels run iptunnel_pull_header on received skbs. This can
      determine the following use-after-free accessing iph pointer since
      the packet will be 'uncloned' running pskb_expand_head if it is a
      cloned gso skb (e.g. if the packet has been sent through a veth device)
      
      [  706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
      [  706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
      [  706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
      [  706.771839] Call trace:
      [  706.801159]  dump_backtrace+0x0/0x2f8
      [  706.845079]  show_stack+0x24/0x30
      [  706.884833]  dump_stack+0xe0/0x11c
      [  706.925629]  print_address_description+0x68/0x260
      [  706.982070]  kasan_report+0x178/0x340
      [  707.025995]  __asan_report_load1_noabort+0x30/0x40
      [  707.083481]  ipip6_rcv+0x1678/0x16e0 [sit]
      [  707.132623]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  707.185940]  ip_local_deliver_finish+0x3b8/0x988
      [  707.241338]  ip_local_deliver+0x144/0x470
      [  707.289436]  ip_rcv_finish+0x43c/0x14b0
      [  707.335447]  ip_rcv+0x628/0x1138
      [  707.374151]  __netif_receive_skb_core+0x1670/0x2600
      [  707.432680]  __netif_receive_skb+0x28/0x190
      [  707.482859]  process_backlog+0x1d0/0x610
      [  707.529913]  net_rx_action+0x37c/0xf68
      [  707.574882]  __do_softirq+0x288/0x1018
      [  707.619852]  run_ksoftirqd+0x70/0xa8
      [  707.662734]  smpboot_thread_fn+0x3a4/0x9e8
      [  707.711875]  kthread+0x2c8/0x350
      [  707.750583]  ret_from_fork+0x10/0x18
      
      [  707.811302] Allocated by task 16982:
      [  707.854182]  kasan_kmalloc.part.1+0x40/0x108
      [  707.905405]  kasan_kmalloc+0xb4/0xc8
      [  707.948291]  kasan_slab_alloc+0x14/0x20
      [  707.994309]  __kmalloc_node_track_caller+0x158/0x5e0
      [  708.053902]  __kmalloc_reserve.isra.8+0x54/0xe0
      [  708.108280]  __alloc_skb+0xd8/0x400
      [  708.150139]  sk_stream_alloc_skb+0xa4/0x638
      [  708.200346]  tcp_sendmsg_locked+0x818/0x2b90
      [  708.251581]  tcp_sendmsg+0x40/0x60
      [  708.292376]  inet_sendmsg+0xf0/0x520
      [  708.335259]  sock_sendmsg+0xac/0xf8
      [  708.377096]  sock_write_iter+0x1c0/0x2c0
      [  708.424154]  new_sync_write+0x358/0x4a8
      [  708.470162]  __vfs_write+0xc4/0xf8
      [  708.510950]  vfs_write+0x12c/0x3d0
      [  708.551739]  ksys_write+0xcc/0x178
      [  708.592533]  __arm64_sys_write+0x70/0xa0
      [  708.639593]  el0_svc_handler+0x13c/0x298
      [  708.686646]  el0_svc+0x8/0xc
      
      [  708.739019] Freed by task 17:
      [  708.774597]  __kasan_slab_free+0x114/0x228
      [  708.823736]  kasan_slab_free+0x10/0x18
      [  708.868703]  kfree+0x100/0x3d8
      [  708.905320]  skb_free_head+0x7c/0x98
      [  708.948204]  skb_release_data+0x320/0x490
      [  708.996301]  pskb_expand_head+0x60c/0x970
      [  709.044399]  __iptunnel_pull_header+0x3b8/0x5d0
      [  709.098770]  ipip6_rcv+0x41c/0x16e0 [sit]
      [  709.146873]  tunnel64_rcv+0xd4/0x200 [tunnel4]
      [  709.200195]  ip_local_deliver_finish+0x3b8/0x988
      [  709.255596]  ip_local_deliver+0x144/0x470
      [  709.303692]  ip_rcv_finish+0x43c/0x14b0
      [  709.349705]  ip_rcv+0x628/0x1138
      [  709.388413]  __netif_receive_skb_core+0x1670/0x2600
      [  709.446943]  __netif_receive_skb+0x28/0x190
      [  709.497120]  process_backlog+0x1d0/0x610
      [  709.544169]  net_rx_action+0x37c/0xf68
      [  709.589131]  __do_softirq+0x288/0x1018
      
      [  709.651938] The buggy address belongs to the object at ffffe01b6bd85580
                      which belongs to the cache kmalloc-1024 of size 1024
      [  709.804356] The buggy address is located 117 bytes inside of
                      1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
      [  709.946340] The buggy address belongs to the page:
      [  710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
      [  710.099914] flags: 0xfffff8000000100(slab)
      [  710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
      [  710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
      [  710.334966] page dumped because: kasan: bad access detected
      
      Fix it by resetting iph pointer after iptunnel_pull_header
      
      Fixes: a09a4c8d ("tunnels: Remove encapsulation offloads on decap")
      Tested-by: Jianlin Shi <jishi@redhat.com>
      Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>