- 25 Jun, 2019 1 commit
-
-
Alan Stern authored
The syzbot fuzzer found a bug in the p54 USB wireless driver. The issue involves a race between disconnect and the firmware-loader callback routine, and it has several aspects. One big problem is that when the firmware can't be loaded, the callback routine tries to unbind the driver from the USB _device_ (by calling device_release_driver) instead of from the USB _interface_ to which it is actually bound (by calling usb_driver_release_interface). The race involves access to the private data structure. The driver's disconnect handler waits for a completion that is signalled by the firmware-loader callback routine. As soon as the completion is signalled, you have to assume that the private data structure may have been deallocated by the disconnect handler -- even if the firmware was loaded without errors. However, the callback routine does access the private data several times after that point. Another problem is that, in order to ensure that the USB device structure hasn't been freed when the callback routine runs, the driver takes a reference to it. This isn't good enough any more, because now that the callback routine calls usb_driver_release_interface, it has to ensure that the interface structure hasn't been freed. Finally, the driver takes an unnecessary reference to the USB device structure in the probe function and drops the reference in the disconnect handler. This extra reference doesn't accomplish anything, because the USB core already guarantees that a device structure won't be deallocated while a driver is still bound to any of its interfaces. To fix these problems, this patch makes the following changes: Call usb_driver_release_interface() rather than device_release_driver(). Don't signal the completion until after the important information has been copied out of the private data structure, and don't refer to the private data at all thereafter. Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. During the firmware loading process, take a reference to the USB interface instead of the USB device. Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> Acked-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
- 28 May, 2019 26 commits
-
-
Jia-Ju Bai authored
In b43_request_firmware(), when ieee80211_register_hw() fails, b43_one_core_detach() is called. In b43_bcma_remove() and b43_ssb_remove(), b43_one_core_detach() is called again. In this case, null-pointer dereferences and double-free problems can occur when the driver is removed. To fix this bug, the call to b43_one_core_detach() in b43_request_firmware() is deleted. This bug is found by a runtime fuzzing tool named FIZZER written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Colin Ian King authored
There is are two spelling mistakes in lbtf_deb_usb2 messages, fix these. Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
YueHaibing authored
There is no callers in tree, so can be removed. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c: In function rtl_btc_btmpinfo_notify: drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c:319:17: warning: variable len set but not used [-Wunused-but-set-variable] drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c: In function exhalbtc_connect_notify: drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c:1581:16: warning: variable asso_type_v2 set but not used [-Wunused-but-set-variable] 'len' is never used since commit 6aad6075 ("rtlwifi: Add BT_MP_INFO to c2h handler.") so can be removed. 'asso_type_v2' is not used since introduction in commit 0843e98a ("rtlwifi: btcoex: add assoc type v2 to connection notify") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c: In function rtl8821ae_dm_check_rssi_monitor: drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:658:6: warning: variable cur_txokcnt set but not used [-Wunused-but-set-variable] drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c: In function rtl8821ae_dm_check_edca_turbo: drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:2657:7: warning: variable b_last_is_cur_rdl_state set but not used [-Wunused-but-set-variable] They are never used so can be removed. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Larry Finger authored
In this step, the read/write routines for the descriptors are converted to use __le32 quantities, thus a lot of casts can be removed. Callback routines still use the 8-bit arrays, but these are changed within the specified routine. The macro that cleared a descriptor has now been converted into an inline routine. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Larry Finger authored
As a first step in the conversion, the macros that set the RX and TX descriptors are converted to static inline routines, and the names are changed from upper to lower case. To minimize the changes in a given step, the input descriptor information is left as as a byte array (u8 *), even though it should be a little-endian word array (__le32 *). That will be changed later. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Larry Finger authored
This driver uses a set of local macros to manipulate the RX and TX descriptors, which are all little-endian quantities. These macros are replaced by the bitfield macros le32p_replace_bits() and le32_get_bits(). In several places, the macros operated on an entire 32-bit word. In these cases, a direct read or replacement is used. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Larry Finger authored
As the first step in converting from macros that get/set information in the RX and TX descriptors, unused macros are being removed. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ping-Ke Shih authored
The cckswing tables cckswing_table_ch1ch13 and cckswing_table_ch14 are u8 array in little-endian order. To compare four u8 value with register u32 value, cast the value to cpu order. Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ping-Ke Shih authored
ofdm_index_old[] is the index of ofdmswing_table[], and used to indicate initial value of ROFDM0_X{A,B}TXIQIMBALANCE in rtl8192de_phy_reg_2tarray[] table, and the initial value is corresponding to calibration thermal value written in efuse, namely rtlefuse->eeprom_thermalmeter. Then, local variable ofdm_index_old[] save to rtlpriv->dm.ofdm_index[] for operational use. If thermal value (temperature) is increasing, output TX power is lower. So, we calculate the delta between current and calibration thermal value, then add power to yield expected and the same output TX power. Thus, ofdm_index[] should be initialized as rtlpriv->dm.ofdm_index[], and shift to proper index depends on delta of thermal value. Then, new power value ofdmswing_table[ofdm_index[]] is written to register. Reported-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ping-Ke Shih authored
This can reduce code size 264 bytes, and make code more readable. text data bss dec hex filename Before: 13586 0 16 13602 3522 rtl8192de/dm.o After: 13322 0 16 13338 341a rtl8192de/dm.o Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ping-Ke Shih authored
This commit doesn't change logic at all. Since indentation is lower, the wrapped statements can be put in single line that will become more readable. Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Christian Lamparter authored
This patch fixes an issue with wpa_supplicant dropping all scan results because their where considered to be "too old" (e.g.: "skip - scan result not recent enough (121056.086325 seconds too old)") which is very weird because this looks like that the scan results have been received before a scan started. This is due to the inaccuracy of the default timing mechanism for calculating the BSS entry age. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Christian Lamparter authored
This patch fixes a crash that got introduced when the mentioned patch replaced the direct list_head access with skb_peek_tail(). When the device is starting up, there are no entries in the queue, so previously to "Use skb_peek_tail() instead..." the target_skb would end up as the tail and head pointer which then could be used by __skb_queue_after to fill the empty queue. With skb_peek_tail() in its place will instead just return NULL which then causes a crash in the __skb_queue_after(). | BUG: unable to handle kernel NULL pointer dereference at 000000 | #PF error: [normal kernel read fault] | PGD 0 P4D 0 | Oops: 0000 [#1] SMP PTI | CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ #218 | Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015 | Workqueue: events request_firmware_work_func | RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common] | Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4 | RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086 | RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264 | RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000 | RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660 | R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700 | R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048 | FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0 | Call Trace: | p54_download_eeprom+0xbe/0x120 [p54common] | p54_read_eeprom+0x7f/0xc0 [p54common] | p54u_load_firmware_cb+0xe0/0x160 [p54usb] | request_firmware_work_func+0x42/0x80 | process_one_work+0x1f5/0x3f0 | worker_thread+0x28/0x3c0 Cc: stable@vger.kernel.org Fixes: e3554197 ("p54: Use skb_peek_tail() instead of direct head pointer accesses.") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Neo Jou authored
The function strcpy() is inherently not safe. Though the function works without problems here, it would be better to use other safer function, e.g. strlcpy(), to replace strcpy() still. Signed-off-by: Neo Jou <neojou@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Weitao Hou authored
fix lengh to length Signed-off-by: Weitao Hou <houweitaoo@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
CONFIG_BRCMDBG selects WANT_DEV_COREDUMP but is only used by brcmfmac so reflect that in the Kconfig. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
The number of Kconfig items related to brcmfmac is considerable and upcoming changes will add some more so it seems good idea to have a separate Kconfig file for brcmfmac. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
With ISC license text in place under the LICENSES folder switch to using the SPDX license identifier to refer to the ISC license. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
With ISC license text in place under the LICENSES folder switch to using the SPDX license identifier to refer to the ISC license. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
With ISC license text in place under the LICENSES folder switch to using the SPDX license identifier to refer to the ISC license. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Arend van Spriel authored
With ISC license text in place under the LICENSES folder switch to using the SPDX license identifier to refer to the ISC license. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Yan-Hsuan Chuang authored
The LPS represents Leisure Power Save. When enabled, firmware will be in charge of turning radio off between beacons. Also firmware should turn on the radio when beacon is coming, and the data queued should be transmitted in TBTT period. Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Yan-Hsuan Chuang authored
Dump warning messages when we get a q_mapping larger than the AC numbers. And pick BE queue as default. Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Yan-Hsuan Chuang authored
AC numbers are defined as enum in mac80211, use them instead of bare 0-3 indexing. Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
- 27 May, 2019 5 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for 5.3. Major changes: ath10k * enable SDIO support, first one being QCA6174 hw3.2
-
YueHaibing authored
Fix sparse warning: drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:6216:14: warning: symbol 't4_get_tp_e2c_map' was not declared. Should it be static? Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
I was really surprised that the IPv6 mtu exception followed by redirect test was passing as nothing about the code suggests it should. The problem is actually with the logic in the test script. Fix the test cases as follows: 1. add debug function to dump the initial and redirect gateway addresses for ipv6. This is shown only in verbose mode. It helps verify the output of 'route get'. 2. fix the check_exception logic for the reset case to make sure that for IPv4 neither mtu nor redirect appears in the 'route get' output. For IPv6, make sure mtu is not present and the gateway is the initial R1 lladdr. 3. fix the reset logic by using a function to delete the routes added by initial_route_*. This format works better for the nexthop version of the tests. While improving the test cases, go ahead and ensure that forwarding is disabled since IPv6 redirect requires it. Also, runs with kernel debugging enabled sometimes show a failure with one of the ipv4 tests, so spread the pings over longer time interval. The end result is that 2 tests now show failures: TEST: IPv6: mtu exception plus redirect [FAIL] and the VRF version. This is a bug in the IPv6 logic that will need to be fixed separately. Redirect followed by MTU works because __ip6_rt_update_pmtu hits the 'if (!rt6_cache_allowed_for_pmtu(rt6))' path and updates the mtu on the exception rt6_info. MTU followed by redirect does not have this logic. rt6_do_redirect creates a new exception and then rt6_insert_exception removes the old one which has the MTU exception. Fixes: ec810535 ("selftests: Add redirect tests") Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
The pointer n is being assigned a value however this value is never read in the code block and the end of the code block continues to the next loop iteration. Clean up the code by removing the redundant assignment. Fixes: 1bff1a0c ("ipv4: Add function to send route updates") Addresses-Coverity: ("Unused value") Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
PHY drivers don't have to and shouldn't fiddle with phylib internals. Most of the code in bcm87xx_config_init() can be removed because phylib takes care. In addition I replaced usage of PHY_10GBIT_FEC_FEATURES with an implementation of the get_features callback. PHY_10GBIT_FEC_FEATURES is used by this driver only and it's questionable whether there will be any other PHY supporting this mode only. Having said that in one of the next kernel versions we may decide to remove it. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 26 May, 2019 8 commits
-
-
David S. Miller authored
Eric Dumazet says: ==================== inet: frags: avoid possible races at netns dismantle This patch series fixes a race happening on netns dismantle with frag queues. While rhashtable_free_and_destroy() is running, concurrent timers might run inet_frag_kill() and attempt rhashtable_remove_fast() calls. This is not allowed by rhashtable logic. Since I do not want to add expensive synchronize_rcu() calls in the netns dismantle path, I had to no longer inline netns_frags structures, but dynamically allocate them. The ten first patches make this preparation, so that the last patch clearly shows the fix. As this patch series is not exactly trivial, I chose to target 5.3. We will backport it once soaked a bit. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
syszbot found an interesting use-after-free [1] happening while IPv4 fragment rhashtable was destroyed at netns dismantle. While no insertions can possibly happen at the time a dismantling netns is destroying this rhashtable, timers can still fire and attempt to remove elements from this rhashtable. This is forbidden, since rhashtable_free_and_destroy() has no synchronization against concurrent inserts and deletes. Add a new fqdir->dead flag so that timers do not attempt a rhashtable_remove_fast() operation. We also have to respect an RCU grace period before starting the rhashtable_free_and_destroy() from process context, thus we use rcu_work infrastructure. This is a refinement of a prior rough attempt to fix this bug : https://marc.info/?l=linux-netdev&m=153845936820900&w=2 Since the rhashtable cleanup is now deferred to a work queue, netns dismantles should be slightly faster. [1] BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline] BUG: KASAN: use-after-free in rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212 Read of size 8 at addr ffff8880a6497b70 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events rht_deferred_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:194 [inline] rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212 rht_deferred_worker+0x111/0x2030 lib/rhashtable.c:411 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 32687: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc mm/kasan/common.c:489 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 __do_kmalloc_node mm/slab.c:3620 [inline] __kmalloc_node+0x4e/0x70 mm/slab.c:3627 kmalloc_node include/linux/slab.h:590 [inline] kvmalloc_node+0x68/0x100 mm/util.c:431 kvmalloc include/linux/mm.h:637 [inline] kvzalloc include/linux/mm.h:645 [inline] bucket_table_alloc+0x90/0x480 lib/rhashtable.c:178 rhashtable_init+0x3f4/0x7b0 lib/rhashtable.c:1057 inet_frags_init_net include/net/inet_frag.h:109 [inline] ipv4_frags_init_net+0x182/0x410 net/ipv4/ip_fragment.c:683 ops_init+0xb3/0x410 net/core/net_namespace.c:130 setup_net+0x2d3/0x740 net/core/net_namespace.c:316 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2692 __do_sys_unshare kernel/fork.c:2760 [inline] __se_sys_unshare kernel/fork.c:2758 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kfree+0xcf/0x220 mm/slab.c:3755 kvfree+0x61/0x70 mm/util.c:460 bucket_table_free+0x69/0x150 lib/rhashtable.c:108 rhashtable_free_and_destroy+0x165/0x8b0 lib/rhashtable.c:1155 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:152 ipv4_frags_exit_net+0x73/0x90 net/ipv4/ip_fragment.c:695 ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880a6497b40 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 48 bytes inside of 1024-byte region [ffff8880a6497b40, ffff8880a6497f40) The buggy address belongs to the page: page:ffffea0002992580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff8880a64964c0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea0002916e88 ffffea000218fe08 ffff8880aa400ac0 raw: ffff8880a64964c0 ffff8880a6496040 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6497a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8880a6497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8880a6497b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6497c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 648700f7 ("inet: frags: use rhashtables for reassembly units") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Following patch will add rcu grace period before fqdir rhashtable destruction, so we need to dynamically allocate fqdir structures to not force expensive synchronize_rcu() calls in netns dismantle path. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
fqdir will soon be dynamically allocated. We need to reach the struct net pointer from fqdir, so add it, and replace the various container_of() constructs by direct access to the new field. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
And pass an extra parameter, since we will soon dynamically allocate fqdir structures. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
(struct net *)->ieee802154_lowpan.fqdir will soon be a pointer, so make sure lowpan_frags_ns_ctl_table[] does not reference init_net. lowpan_frags_ns_sysctl_register() can perform the needed initialization for all netns. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
(struct net *)->nf_frag.fqdir will soon be a pointer, so make sure nf_ct_frag6_sysctl_table[] does not reference init_net. nf_ct_frag6_sysctl_register() can perform the needed initialization for all netns. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
(struct net *)->ipv6.fqdir will soon be a pointer, so make sure ip6_frags_ns_ctl_table[] does not reference init_net. ip6_frags_ns_ctl_register() can perform the needed initialization for all netns. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-