1. 14 May, 2018 14 commits
    • David Howells's avatar
      afs: Fix the non-encryption of calls · 4776cab4
      David Howells authored
      Some AFS servers refuse to accept unencrypted traffic, so can't be accessed
      with kAFS.  Set the AF_RXRPC security level to encrypt client calls to deal
      with this.
      
      Note that incoming service calls are set by the remote client and so aren't
      affected by this.
      
      This requires an AF_RXRPC patch to pass the value set by setsockopt to calls
      begun by the kernel.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      4776cab4
    • David Howells's avatar
      afs: Fix CB.CallBack handling · 428edade
      David Howells authored
      The handling of CB.CallBack messages sent by the fileserver to the client
      is broken in that they are currently being processed after the reply has
      been transmitted.
      
      This is not what the fileserver expects, however.  It holds up change
      visibility until the reply comes so as to maintain cache coherency, and so
      expects the client to have to refetch the state on the affected files.
      
      Fix CB.CallBack handling to perform the callback break before sending the
      reply.
      
      The fileserver is free to hold up status fetches issued by other threads on
      the same client that occur in reponse to the callback until any pending
      changes have been committed.
      
      Fixes: d001648e ("rxrpc: Don't expose skbs to in-kernel users [ver #2]")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      428edade
    • David Howells's avatar
      afs: Fix whole-volume callback handling · 68251f0a
      David Howells authored
      It's possible for an AFS file server to issue a whole-volume notification
      that callbacks on all the vnodes in the file have been broken.  This is
      done for R/O and backup volumes (which don't have per-file callbacks) and
      for things like a volume being taken offline.
      
      Fix callback handling to detect whole-volume notifications, to track it
      across operations and to check it during inode validation.
      
      Fixes: c435ee34 ("afs: Overhaul the callback handling")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      68251f0a
    • Marc Dionne's avatar
      afs: Fix afs_find_server search loop · f9c1bba3
      Marc Dionne authored
      The code that looks up servers by addresses makes the assumption
      that the list of addresses for a server is sorted.  It exits the
      loop if it finds that the target address is larger than the
      current candidate.  As the list is not currently sorted, this
      can lead to a failure to find a matching server, which can cause
      callbacks from that server to be ignored.
      
      Remove the early exit case so that the complete list is searched.
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f9c1bba3
    • David Howells's avatar
      afs: Fix the handling of an unfound server in CM operations · a86b06d1
      David Howells authored
      If the client cache manager operations that need the server record
      (CB.Callback, CB.InitCallBackState, and CB.InitCallBackState3) can't find
      the server record, they abort the call from the file server with
      RX_CALL_DEAD when they should return okay.
      
      Fixes: c35eccb1 ("[AFS]: Implement the CB.InitCallBackState3 operation.")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a86b06d1
    • David Howells's avatar
      afs: Add a tracepoint to record callbacks from unlisted servers · 3709a399
      David Howells authored
      Add a tracepoint to record callbacks from servers for which we don't have a
      record.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      3709a399
    • David Howells's avatar
      afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID · 001ab5a6
      David Howells authored
      Fix the handling of the CB.InitCallBackState3 service call to find the
      record of a server that we're using by looking it up by the UUID passed as
      the parameter rather than by its address (of which it might have many, and
      which may change).
      
      Fixes: c35eccb1 ("[AFS]: Implement the CB.InitCallBackState3 operation.")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      001ab5a6
    • David Howells's avatar
      afs: Fix VNOVOL handling in address rotation · 3d9fa911
      David Howells authored
      If a volume location record lists multiple file servers for a volume, then
      it's possible that due to a misconfiguration or a changing configuration
      that one of the file servers doesn't know about it yet and will abort
      VNOVOL.  Currently, the rotation algorithm will stop with EREMOTEIO.
      
      Fix this by moving on to try the next server if VNOVOL is returned.  Once
      all the servers have been tried and the record rechecked, the algorithm
      will stop with EREMOTEIO or ENOMEDIUM.
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      3d9fa911
    • David Howells's avatar
      afs: Fix AFSFetchStatus decoder to provide OpenAFS compatibility · 684b0f68
      David Howells authored
      The OpenAFS server's RXAFS_InlineBulkStatus implementation has a bug
      whereby if an error occurs on one of the vnodes being queried, then the
      errorCode field is set correctly in the corresponding status, but the
      interfaceVersion field is left unset.
      
      Fix kAFS to deal with this by evaluating the AFSFetchStatus blob against
      the following cases when called from FS.InlineBulkStatus delivery:
      
       (1) If InterfaceVersion == 0 then:
      
           (a) If errorCode != 0 then it indicates the abort code for the
               corresponding vnode.
      
           (b) If errorCode == 0 then the status record is invalid.
      
       (2) If InterfaceVersion == 1 then:
      
           (a) If errorCode != 0 then it indicates the abort code for the
               corresponding vnode.
      
           (b) If errorCode == 0 then the status record is valid and can be
           	 parsed.
      
       (3) If InterfaceVersion is anything else then the status record is
           invalid.
      
      Fixes: dd9fbcb8 ("afs: Rearrange status mapping")
      Reported-by: default avatarJeffrey Altman <jaltman@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      684b0f68
    • David Howells's avatar
      afs: Fix server rotation's handling of fileserver probe failure · ec5a3b4b
      David Howells authored
      The server rotation algorithm just gives up if it fails to probe a
      fileserver.  Fix this by rotating to the next fileserver instead.
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      ec5a3b4b
    • David Howells's avatar
      afs: Fix refcounting in callback registration · d4a96bec
      David Howells authored
      The refcounting on afs_cb_interest struct objects in
      afs_register_server_cb_interest() is wrong as it uses the server list
      entry's call back interest pointer without regard for the fact that it
      might be replaced at any time and the object thrown away.
      
      Fix this by:
      
       (1) Put a lock on the afs_server_list struct that can be used to
           mediate access to the callback interest pointers in the servers array.
      
       (2) Keep a ref on the callback interest that we get from the entry.
      
       (3) Dropping the old reference held by vnode->cb_interest if we replace
           the pointer.
      
      Fixes: c435ee34 ("afs: Overhaul the callback handling")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d4a96bec
    • David Howells's avatar
      afs: Fix giving up callbacks on server destruction · f2686b09
      David Howells authored
      When a server record is destroyed, we want to send a message to the server
      telling it that we're giving up all the callbacks it has promised us.
      
      Apply two fixes to this:
      
       (1) Only send the FS.GiveUpAllCallBacks message if we actually got a
           callback from that server.  We assume this to be the case if we
           performed at least one successful FS operation on that server.
      
       (2) Send it to the address last used for that server rather than always
           picking the first address in the list (which might be unreachable).
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f2686b09
    • David Howells's avatar
      afs: Fix address list parsing · 01fd79e6
      David Howells authored
      The parsing of port specifiers in the address list obtained from the DNS
      resolution upcall doesn't work as in4_pton() and in6_pton() will fail on
      encountering an unexpected delimiter (in this case, the '+' marking the
      port number).  However, in*_pton() can't be given multiple specifiers.
      
      Fix this by finding the delimiter in advance and not relying on in*_pton()
      to find the end of the address for us.
      
      Fixes: 8b2a464c ("afs: Add an address list concept")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      01fd79e6
    • David Howells's avatar
      afs: Fix directory page locking · b61f7dcf
      David Howells authored
      The afs directory loading code (primarily afs_read_dir()) locks all the
      pages that hold a directory's content blob to defend against
      getdents/getdents races and getdents/lookup races where the competitors
      issue conflicting reads on the same data.  As the reads will complete
      consecutively, they may retrieve different versions of the data and
      one may overwrite the data that the other is busy parsing.
      
      Fix this by not locking the pages at all, but rather by turning the
      validation lock into an rwsem and getting an exclusive lock on it whilst
      reading the data or validating the attributes and a shared lock whilst
      parsing the data.  Sharing the attribute validation lock should be fine as
      the data fetch will retrieve the attributes also.
      
      The individual page locks aren't needed at all as the only place they're
      being used is to serialise data loading.
      
      Without this patch, the:
      
       	if (!test_bit(AFS_VNODE_DIR_VALID, &dvnode->flags)) {
      		...
      	}
      
      part of afs_read_dir() may be skipped, leaving the pages unlocked when we
      hit the success: clause - in which case we try to unlock the not-locked
      pages, leading to the following oops:
      
        page:ffffe38b405b4300 count:3 mapcount:0 mapping:ffff98156c83a978 index:0x0
        flags: 0xfffe000001004(referenced|private)
        raw: 000fffe000001004 ffff98156c83a978 0000000000000000 00000003ffffffff
        raw: dead000000000100 dead000000000200 0000000000000001 ffff98156b27c000
        page dumped because: VM_BUG_ON_PAGE(!PageLocked(page))
        page->mem_cgroup:ffff98156b27c000
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:1205!
        ...
        RIP: 0010:unlock_page+0x43/0x50
        ...
        Call Trace:
         afs_dir_iterate+0x789/0x8f0 [kafs]
         ? _cond_resched+0x15/0x30
         ? kmem_cache_alloc_trace+0x166/0x1d0
         ? afs_do_lookup+0x69/0x490 [kafs]
         ? afs_do_lookup+0x101/0x490 [kafs]
         ? key_default_cmp+0x20/0x20
         ? request_key+0x3c/0x80
         ? afs_lookup+0xf1/0x340 [kafs]
         ? __lookup_slow+0x97/0x150
         ? lookup_slow+0x35/0x50
         ? walk_component+0x1bf/0x490
         ? path_lookupat.isra.52+0x75/0x200
         ? filename_lookup.part.66+0xa0/0x170
         ? afs_end_vnode_operation+0x41/0x60 [kafs]
         ? __check_object_size+0x9c/0x171
         ? strncpy_from_user+0x4a/0x170
         ? vfs_statx+0x73/0xe0
         ? __do_sys_newlstat+0x39/0x70
         ? __x64_sys_getdents+0xc9/0x140
         ? __x64_sys_getdents+0x140/0x140
         ? do_syscall_64+0x5b/0x160
         ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: f3ddee8d ("afs: Fix directory handling")
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      b61f7dcf
  2. 12 May, 2018 14 commits
  3. 11 May, 2018 12 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4bc87198
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Verify lengths of keys provided by the user is AF_KEY, from Kevin
          Easton.
      
       2) Add device ID for BCM89610 PHY. Thanks to Bhadram Varka.
      
       3) Add Spectre guards to some ATM code, courtesy of Gustavo A. R.
          Silva.
      
       4) Fix infinite loop in NSH protocol code. To Eric Dumazet we are most
          grateful for this fix.
      
       5) Line up /proc/net/netlink headers properly. This fix from YU Bo, we
          do appreciate.
      
       6) Use after free in TLS code. Once again we are blessed by the
          honorable Eric Dumazet with this fix.
      
       7) Fix regression in TLS code causing stalls on partial TLS records.
          This fix is bestowed upon us by Andrew Tomt.
      
       8) Deal with too small MTUs properly in LLC code, another great gift
          from Eric Dumazet.
      
       9) Handle cached route flushing properly wrt. MTU locking in ipv4, to
          Hangbin Liu we give thanks for this.
      
      10) Fix regression in SO_BINDTODEVIC handling wrt. UDP socket demux.
          Paolo Abeni, he gave us this.
      
      11) Range check coalescing parameters in mlx4 driver, thank you Moshe
          Shemesh.
      
      12) Some ipv6 ICMP error handling fixes in rxrpc, from our good brother
          David Howells.
      
      13) Fix kexec on mlx5 by freeing IRQs in shutdown path. Daniel Juergens,
          you're the best!
      
      14) Don't send bonding RLB updates to invalid MAC addresses. Debabrata
          Benerjee saved us!
      
      15) Uh oh, we were leaking in udp_sendmsg and ping_v4_sendmsg. The ship
          is now water tight, thanks to Andrey Ignatov.
      
      16) IPSEC memory leak in ixgbe from Colin Ian King, man we've got holes
          everywhere!
      
      17) Fix error path in tcf_proto_create, Jiri Pirko what would we do
          without you!
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (92 commits)
        net sched actions: fix refcnt leak in skbmod
        net: sched: fix error path in tcf_proto_create() when modules are not configured
        net sched actions: fix invalid pointer dereferencing if skbedit flags missing
        ixgbe: fix memory leak on ipsec allocation
        ixgbevf: fix ixgbevf_xmit_frame()'s return type
        ixgbe: return error on unsupported SFP module when resetting
        ice: Set rq_last_status when cleaning rq
        ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
        mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()'
        bonding: send learning packets for vlans on slave
        bonding: do not allow rlb updates to invalid mac
        net/mlx5e: Err if asked to offload TC match on frag being first
        net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
        net/mlx5: Free IRQs in shutdown path
        rxrpc: Trace UDP transmission failure
        rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages
        rxrpc: Fix the min security level for kernel calls
        rxrpc: Fix error reception on AF_INET6 sockets
        rxrpc: Fix missing start of call timeout
        qed: fix spelling mistake: "taskelt" -> "tasklet"
        ...
      4bc87198
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · a1f45efb
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "These patches fix both a possible corruption during NFSoRDMA MR
        recovery, and a sunrpc tracepoint crash.
      
        Additionally, Trond has a new email address to put in the MAINTAINERS
        file"
      
      * tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        Change Trond's email address in MAINTAINERS
        sunrpc: Fix latency trace point crashes
        xprtrdma: Fix list corruption / DMAR errors during MR recovery
      a1f45efb
    • Roman Mashak's avatar
      net sched actions: fix refcnt leak in skbmod · a52956df
      Roman Mashak authored
      When application fails to pass flags in netlink TLV when replacing
      existing skbmod action, the kernel will leak refcnt:
      
      $ tc actions get action skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 1 bind 0
      
      For example, at this point a buggy application replaces the action with
      index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags,
      however refcnt gets bumped:
      
      $ tc actions get actions skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 2 bind 0
      $
      
      Tha patch fixes this by calling tcf_idr_release() on existing actions.
      
      Fixes: 86da71b5 ("net_sched: Introduce skbmod action")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a52956df
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client · ac428036
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "These patches fix two long-standing bugs in the DIO code path, one of
        which is a crash trivially triggerable with splice()"
      
      * tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client:
        ceph: fix iov_iter issues in ceph_direct_read_write()
        libceph: add osd_req_op_extent_osd_data_bvecs()
        ceph: fix rsize/wsize capping in ceph_direct_read_write()
      ac428036
    • Jiri Pirko's avatar
      net: sched: fix error path in tcf_proto_create() when modules are not configured · d68d75fd
      Jiri Pirko authored
      In case modules are not configured, error out when tp->ops is null
      and prevent later null pointer dereference.
      
      Fixes: 33a48927 ("sched: push TC filter protocol creation into a separate function")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d68d75fd
    • Linus Torvalds's avatar
      Merge tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh · 3f5f8596
      Linus Torvalds authored
      Pull arch/sh fixes from Rich Felker:
       "Fixes for critical regressions and a build failure.
      
        The regressions were introduced in 4.15 and 4.17-rc1 and prevented
        booting on affected systems"
      
      * tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh:
        sh: switch to NO_BOOTMEM
        sh: mm: Fix unprotected access to struct device
        sh: fix build failure for J2 cpu with SMP disabled
      3f5f8596
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 7404bc27
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "There's a small memblock accounting problem when freeing the initrd
        and a Spectre-v2 mitigation for NVIDIA Denver CPUs which just requires
        a match on the CPU ID register.
      
        Summary:
      
         - Mitigate Spectre-v2 for NVIDIA Denver CPUs
      
         - Free memblocks corresponding to freed initrd area"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list
        arm64: Add MIDR encoding for NVIDIA CPUs
        arm64: To remove initrd reserved area entry from memblock
      7404bc27
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 5c6b5460
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "One fix for an actual regression, the change to the SYSCALL_DEFINE
        wrapper broke FTRACE_SYSCALLS for us due to a name mismatch. There's
        also another commit to the same code to make sure we match all our
        syscalls with various prefixes.
      
        And then just one minor build fix, and the removal of an unused
        variable that was removed and then snuck back in due to some rebasing.
      
        Thanks to: Naveen N. Rao"
      
      * tag 'powerpc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries: Fix CONFIG_NUMA=n build
        powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix
        powerpc/trace/syscalls: Update syscall name matching logic
        powerpc/64: Remove unused paca->soft_enabled
      5c6b5460
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · c110a8b7
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Working on some new updates to trace filtering, I noticed that the
        regex_match_front() test was updated to be limited to the size of the
        pattern instead of the full test string.
      
        But as the test string is not guaranteed to be nul terminated, it
        still needs to consider the size of the test string"
      
      * tag 'trace-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix regex_match_front() to not over compare the test string
      c110a8b7
    • David S. Miller's avatar
      Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · f4d641a2
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2018-05-11
      
      This series contains fixes to the ice, ixgbe and ixgbevf drivers.
      
      Jeff Shaw provides a fix to ensure rq_last_status gets set, whether or
      not the hardware responds with an error in the ice driver.
      
      Emil adds a check for unsupported module during the reset routine for
      ixgbe.
      
      Luc Van Oostenryck fixes ixgbevf_xmit_frame() where it was not using the
      correct return value (int).
      
      Colin Ian King fixes a potential resource leak in ixgbe, where we were
      not freeing ipsec in our cleanup path.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4d641a2
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20180510' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · f0100891
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fixes
      
      Here are three fixes for AF_RXRPC and two tracepoints that were useful for
      finding them:
      
       (1) Fix missing start of expect-Rx-by timeout on initial packet
           transmission so that calls will time out if the peer doesn't respond.
      
       (2) Fix error reception on AF_INET6 sockets by using the correct family of
           sockopts on the UDP transport socket.
      
       (3) Fix setting the minimum security level on kernel calls so that they
           can be encrypted.
      
       (4) Add a tracepoint to log ICMP/ICMP6 and other error reports from the
           transport socket.
      
       (5) Add a tracepoint to log UDP sendmsg failure so that we can find out if
           transmission failure occurred on the UDP socket.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0100891
    • Roman Mashak's avatar
      net sched actions: fix invalid pointer dereferencing if skbedit flags missing · af5d0184
      Roman Mashak authored
      When application fails to pass flags in netlink TLV for a new skbedit action,
      the kernel results in the following oops:
      
      [    8.307732] BUG: unable to handle kernel paging request at 0000000000021130
      [    8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
      [    8.310595] Oops: 0000 [#1] SMP PTI
      [    8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
      [    8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
      [    8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
      [    8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
      [    8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
      [    8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
      [    8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
      [    8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
      [    8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
      [    8.325590] FS:  00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
      [    8.327001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
      [    8.329289] Call Trace:
      [    8.329735]  tcf_skbedit_init+0xa7/0xb0
      [    8.330423]  tcf_action_init_1+0x362/0x410
      [    8.331139]  ? try_to_wake_up+0x44/0x430
      [    8.331817]  tcf_action_init+0x103/0x190
      [    8.332511]  tc_ctl_action+0x11a/0x220
      [    8.333174]  rtnetlink_rcv_msg+0x23d/0x2e0
      [    8.333902]  ? _cond_resched+0x16/0x40
      [    8.334569]  ? __kmalloc_node_track_caller+0x5b/0x2c0
      [    8.335440]  ? rtnl_calcit.isra.31+0xf0/0xf0
      [    8.336178]  netlink_rcv_skb+0xdb/0x110
      [    8.336855]  netlink_unicast+0x167/0x220
      [    8.337550]  netlink_sendmsg+0x2a7/0x390
      [    8.338258]  sock_sendmsg+0x30/0x40
      [    8.338865]  ___sys_sendmsg+0x2c5/0x2e0
      [    8.339531]  ? pagecache_get_page+0x27/0x210
      [    8.340271]  ? filemap_fault+0xa2/0x630
      [    8.340943]  ? page_add_file_rmap+0x108/0x200
      [    8.341732]  ? alloc_set_pte+0x2aa/0x530
      [    8.342573]  ? finish_fault+0x4e/0x70
      [    8.343332]  ? __handle_mm_fault+0xbc1/0x10d0
      [    8.344337]  ? __sys_sendmsg+0x53/0x80
      [    8.345040]  __sys_sendmsg+0x53/0x80
      [    8.345678]  do_syscall_64+0x4f/0x100
      [    8.346339]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [    8.347206] RIP: 0033:0x7f591191da67
      [    8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [    8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
      [    8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
      [    8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
      [    8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
      [    8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
      [    8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
      00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
      74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
      [    8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
      [    8.359770] CR2: 0000000000021130
      [    8.360438] ---[ end trace 60c66be45dfc14f0 ]---
      
      The caller calls action's ->init() and passes pointer to "struct tc_action *a",
      which later may be initialized to point at the existing action, otherwise
      "struct tc_action *a" is still invalid, and therefore dereferencing it is an
      error as happens in tcf_idr_release, where refcnt is decremented.
      
      So in case of missing flags tcf_idr_release must be called only for
      existing actions.
      
      v2:
          - prepare patch for net tree
      
      Fixes: 5e1567ae ("net sched: skbedit action fix late binding")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af5d0184