1. 22 Aug, 2017 7 commits
    • Andi Kleen's avatar
      perf tools: Increase maximum number of events in expressions · 8d3db2b9
      Andi Kleen authored
      Some of the upcoming metrics need more than 8 events. Increase the maximum
      number the parser supports.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: http://lkml.kernel.org/r/20170811232634.30465-9-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      8d3db2b9
    • Andi Kleen's avatar
      perf tools: Expression parser enhancements for metrics · d73bad06
      Andi Kleen authored
      Enhance the expression parser for more complex metric formulas.
      
      - Support python style IF ELSE operators
      - Add an #SMT_On magic variable for formulas that depend on the SMT
      status.
      
      Example: 4 *( CPU_CLK_UNHALTED.THREAD_ANY / 2 ) if #SMT_on else cycles
      
      - Support MIN/MAX operations
      
      Example: min(1 , IDQ.MITE_UOPS / ( UPI * 16 * ( ICACHE.HIT + ICACHE.MISSES ) / 4.0 ) )
      
      This is useful to fix up problems caused by multiplexing.
      
      - Support | & ^ operators
      - Minor cleanups and fixes
      - Support an \ escape for operators. This allows to specify event names
      like c2-residency
      - Support @ as an alternative for / to be able to specify pmus without
      conflicts with operators (like msr/tsc/ as msr@tsc@)
      
      Example: (cstate_core@c3\\-residency@ / msr@tsc@) * 100
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: http://lkml.kernel.org/r/20170811232634.30465-8-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      d73bad06
    • Andi Kleen's avatar
      perf tools: Add utility function to detect SMT status · de5077c4
      Andi Kleen authored
      Add an smt_on() function to return if SMT is enabled or disabled.  Used
      in the next patch.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: http://lkml.kernel.org/r/20170811232634.30465-7-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      de5077c4
    • Andi Kleen's avatar
      perf bpf: Tighten detection of BPF events · 77d0871c
      Andi Kleen authored
        perf stat -e cpu/uops_executed.core,cmask=1/
      
      would be detected as a BPF source event because the .c matches the .c
      source BPF pattern.
      
      v2:
      
      Originally I tried to use lex lookahead, but it doesn't seem to work.
      
      This now extends the BPF pattern to match longer events, but then does
      an extra check in the C code to reject BPF matches that do not end with
      .c/.o/.obj
      
      This uses REJECT, which makes the flex scanner slower, but that
      shouldn't be a big problem for the perf events.
      
      Committer testing:
      
        # perf trace -e write -e /home/acme/bpf/tracepoint.c cat /etc/passwd > /dev/null
           0.000 ( 0.006 ms): cat/18485 write(fd: 1, buf: 0x7f59eebe1000, count: 3494                         ) ...
           0.006 (         ): raw_syscalls:sys_enter:NR 1 (1, 7f59eebe1000, da6, 22, 7f59eebe0010, 0))
           0.008 (         ): perf_bpf_probe:_write:(ffffffff9626b2c0))
           0.000 ( 0.010 ms): cat/18485  ... [continued]: write()) = 3494
        #
      
      It continues doing what was expected, i.e. identifying
      /home/acme/bpf/tracepoint.c as a BPF event and activates the clang
      machinery to build an eBPF object and then uses sys_bpf() to hook it up
      to the raw_syscalls:sys_enter tracepoint, etc.
      
      Andi forgot to add Wang to the CC list, fix it.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Wang Nan <wangnan0@huawei.com>
      Link: http://lkml.kernel.org/r/20170811232634.30465-4-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      77d0871c
    • Andi Kleen's avatar
      perf evsel: Fix buffer overflow while freeing events · 475fb533
      Andi Kleen authored
      Fix buffer overflow for:
      
        % perf stat -e msr/tsc/,cstate_core/c7-residency/ true
      
      that causes glibc free list corruption. For some reason it doesn't
      trigger in valgrind, but it is visible in AS:
      
        =================================================================
        ==32681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003f5c at pc 0x0000005671ef bp 0x7ffdaaac9ac0 sp 0x7ffdaaac9ab0
        READ of size 4 at 0x603000003f5c thread T0
          #0 0x5671ee in perf_evsel__close_fd util/evsel.c:1196
          #1 0x56c57a in perf_evsel__close util/evsel.c:1717
          #2 0x55ed5f in perf_evlist__close util/evlist.c:1631
          #3 0x4647e1 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:749
          #4 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
          #5 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
          #6 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
          #7 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
          #8 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
          #9 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
          #10 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)
          #11 0x428419 in _start (/home/ak/hle/obj-perf/perf+0x428419)
      
        0x603000003f5c is located 0 bytes to the right of 28-byte region [0x603000003f40,0x603000003f5c)
        allocated by thread T0 here:
          #0 0x7f0675139020 in calloc (/lib64/libasan.so.3+0xc7020)
          #1 0x648a2d in zalloc util/util.h:23
          #2 0x648a88 in xyarray__new util/xyarray.c:9
          #3 0x566419 in perf_evsel__alloc_fd util/evsel.c:1039
          #4 0x56b427 in perf_evsel__open util/evsel.c:1529
          #5 0x56c620 in perf_evsel__open_per_thread util/evsel.c:1730
          #6 0x461dea in create_perf_stat_counter /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:263
          #7 0x4637d7 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:600
          #8 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
          #9 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
          #10 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
          #11 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
          #12 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
          #13 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
          #14 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)
      
      The event is allocated with cpus == 1, but freed with cpus == real number
      When the evsel close function walks the file descriptors it exceeds the
      fd xyarray boundaries and reads random memory.
      
      v2:
      
      Now that xyarrays save their original dimensions we can use these to
      iterate the two dimensional fd arrays. Fix some users (close, ioctl) in
      evsel.c to use these fields directly. This allows simplifying the code
      and dropping quite a few function arguments. Adjust all callers by
      removing the unneeded arguments.
      
      The actual perf event reading still uses the original values from the
      evsel list.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: http://lkml.kernel.org/r/20170811232634.30465-2-andi@firstfloor.org
      [ Fix up xy_max_[xy]() -> xyarray__max_[xy]() ]
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      475fb533
    • Andi Kleen's avatar
      perf xyarray: Save max_x, max_y · d74be476
      Andi Kleen authored
      Save the original array dimensions in xyarrays, so that users can
      retrieve them later. Add some inline functions to access these fields.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: http://lkml.kernel.org/r/20170811232634.30465-1-andi@firstfloor.org
      [ As noticed by Jiri, fix up namespacing: xy__method() -> xyarray__method() ]
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      d74be476
    • Ingo Molnar's avatar
      Merge tag 'perf-core-for-mingo-4.14-20170821' of... · ba63f76e
      Ingo Molnar authored
      Merge tag 'perf-core-for-mingo-4.14-20170821' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/core
      
      Pull perf/core improvements and fixes from Arnaldo Carvalho de Melo:
      
      - Support --show-nr-samples in annotate's --stdio and --tui, using
        the existing 't' toggle to circulate 'percent', 'total-period' and
        'nr-samples' as the first column (Taeung Song)
      
      - Support FCMask and PortMask in JSON vendor events (Andi Kleen)
      
      - Fix off by one string allocation problem in 'perf trace' (Arnaldo Carvalho de Melo)
      
      - Use just one parse events state struct in yyparse(), fixing one
        reported segfault when a routine received a different data struct,
        smaller than the one it expected to use (Arnaldo Carvalho de Melo)
      
      - Remove unused cpu_relax() macros, they stopped being used when
        tools/perf lived in Documentation/ (Arnaldo Carvalho de Melo)
      
      - Fix double file test in libbpf's Makefile (Daniel Díaz):
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      ba63f76e
  2. 18 Aug, 2017 4 commits
  3. 17 Aug, 2017 12 commits
  4. 16 Aug, 2017 13 commits
    • Linus Torvalds's avatar
      Merge tag 'audit-pr-20170816' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 422ce075
      Linus Torvalds authored
      Pull audit fixes from Paul Moore:
       "Two small fixes to the audit code, both explained well in the
        respective patch descriptions, but the quick summary is one
        use-after-free fix, and one silly fanotify notification flag fix"
      
      * tag 'audit-pr-20170816' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: Receive unmount event
        audit: Fix use after free in audit_remove_watch_rule()
      422ce075
    • Kim Phillips's avatar
      perf test shell: Replace '|&' with '2>&1 |' to work with more shells · 35435cd0
      Kim Phillips authored
      Since we do not specify bash (and/or zsh) as a requirement, use the
      standard error redirection that is more widely supported.
      Signed-off-by: default avatarKim Phillips <kim.phillips@arm.com>
      Link: http://lkml.kernel.org/n/tip-ji5mhn3iilgch3eaay6csr6z@git.kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      35435cd0
    • Wang Nan's avatar
      perf bpf: Fix endianness problem when loading parameters in prologue · db26984a
      Wang Nan authored
      Perf's BPF prologue generator unconditionally fetches 8 bytes for
      function parameters, which causes problems on big endian machines. Thomas
      gives a detailed analysis for this problem:
      
       http://lkml.kernel.org/r/968ebda5-abe4-8830-8d69-49f62529d151@linux.vnet.ibm.com
      
       ---- 8< ----
        I investigated perf test BPF for s390x and have a question regarding
        the 38.3 subtest (bpf-prologue test) which fails on s390x.
      
        When I turn on trace_printk in tests/bpf-script-test-prologue.c
        I see this output in /sys/kernel/debug/tracing/trace:
      
        [root@s8360047 perf]# cat /sys/kernel/debug/tracing/trace
        perf-30229 [000] d..2 170161.535791: : f_mode 2001d00000000 offset:0 orig:0
        perf-30229 [000] d..2 170161.535809: : f_mode 6001f00000000 offset:0 orig:0
        perf-30229 [000] d..2 170161.535815: : f_mode 6001f00000000 offset:1 orig:0
        perf-30229 [000] d..2 170161.535819: : f_mode 2001d00000000 offset:1 orig:0
        perf-30229 [000] d..2 170161.535822: : f_mode 2001d00000000 offset:2 orig:1
        perf-30229 [000] d..2 170161.535825: : f_mode 6001f00000000 offset:2 orig:1
        perf-30229 [000] d..2 170161.535828: : f_mode 6001f00000000 offset:3 orig:1
        perf-30229 [000] d..2 170161.535832: : f_mode 2001d00000000 offset:3 orig:1
        perf-30229 [000] d..2 170161.535835: : f_mode 2001d00000000 offset:4 orig:0
        perf-30229 [000] d..2 170161.535841: : f_mode 6001f00000000 offset:4 orig:0
      
        [...]
      
        There are 3 parameters the eBPF program tests/bpf-script-test-prologue.c
        accesses: f_mode (member of struct file at offset 140) offset and orig.  They
        are parameters of the lseek() system call triggered in this test case in
        function llseek_loop().
      
        What is really strange is the value of f_mode. It is an 8 byte value, whereas
        in the probe event it is defined as a 4 byte value.  The lower 4 bytes are all
        zero and do not belong to member f_mode.  The correct value should be 2001d for
        read-only and 6001f for read-write open mode.
      
        Here is the output of the 'perf test -vv bpf' trace:
        Try to find probe point from debuginfo.
        Matched function: null_lseek [2d9310d]
         Probe point found: null_lseek+0
        Searching 'file' variable in context.
        Converting variable file into trace event.
        converting f_mode in file
        f_mode type is unsigned int.
        Opening /sys/kernel/debug/tracing//README write=0
        Searching 'offset' variable in context.
        Converting variable offset into trace event.
        offset type is long long int.
        Searching 'orig' variable in context.
        Converting variable orig into trace event.
        orig type is int.
        Found 1 probe_trace_events.
        Opening /sys/kernel/debug/tracing//kprobe_events write=1
        Writing event: p:perf_bpf_probe/func _text+8794224 f_mode=+140(%r2):x32
       ---- 8< ----
      
      This patch parses the type of each argument and converts data from memory to
      expected type.
      
      Now the test runs successfully on 4.13.0-rc5:
      
        [root@s8360046 perf]# ./perf test  bpf
        38: BPF filter                                 :
        38.1: Basic BPF filtering                      : Ok
        38.2: BPF pinning                              : Ok
        38.3: BPF prologue generation                  : Ok
        38.4: BPF relocation checker                   : Ok
        [root@s8360046 perf]#
      Signed-off-by: default avatarWang Nan <wangnan0@huawei.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Link: http://lkml.kernel.org/r/20170815092159.31912-1-tmricht@linux.vnet.ibm.comSigned-off-by: default avatarThomas-Mich Richter <tmricht@linux.vnet.ibm.com>
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      db26984a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 510c8a89
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix TCP checksum offload handling in iwlwifi driver, from Emmanuel
          Grumbach.
      
       2) In ksz DSA tagging code, free SKB if skb_put_padto() fails. From
          Vivien Didelot.
      
       3) Fix two regressions with bonding on wireless, from Andreas Born.
      
       4) Fix build when busypoll is disabled, from Daniel Borkmann.
      
       5) Fix copy_linear_skb() wrt. SO_PEEK_OFF, from Eric Dumazet.
      
       6) Set SKB cached route properly in inet_rtm_getroute(), from Florian
          Westphal.
      
       7) Fix PCI-E relaxed ordering handling in cxgb4 driver, from Ding
          Tianhong.
      
       8) Fix module refcnt leak in ULP code, from Sabrina Dubroca.
      
       9) Fix use of GFP_KERNEL in atomic contexts in AF_KEY code, from Eric
          Dumazet.
      
      10) Need to purge socket write queue in dccp_destroy_sock(), also from
          Eric Dumazet.
      
      11) Make bpf_trace_printk() work properly on 32-bit architectures, from
          Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (47 commits)
        bpf: fix bpf_trace_printk on 32 bit archs
        PCI: fix oops when try to find Root Port for a PCI device
        sfc: don't try and read ef10 data on non-ef10 NIC
        net_sched: remove warning from qdisc_hash_add
        net_sched/sfq: update hierarchical backlog when drop packet
        net_sched: reset pointers to tcf blocks in classful qdiscs' destructors
        ipv4: fix NULL dereference in free_fib_info_rcu()
        net: Fix a typo in comment about sock flags.
        ipv6: fix NULL dereference in ip6_route_dev_notify()
        tcp: fix possible deadlock in TCP stack vs BPF filter
        dccp: purge write queue in dccp_destroy_sock()
        udp: fix linear skb reception with PEEK_OFF
        ipv6: release rt6->rt6i_idev properly during ifdown
        af_key: do not use GFP_KERNEL in atomic contexts
        tcp: ulp: avoid module refcnt leak in tcp_set_ulp
        net/cxgb4vf: Use new PCI_DEV_FLAGS_NO_RELAXED_ORDERING flag
        net/cxgb4: Use new PCI_DEV_FLAGS_NO_RELAXED_ORDERING flag
        PCI: Disable Relaxed Ordering Attributes for AMD A1100
        PCI: Disable Relaxed Ordering for some Intel processors
        PCI: Disable PCIe Relaxed Ordering if unsupported
        ...
      510c8a89
    • Daniel Borkmann's avatar
      bpf: fix bpf_trace_printk on 32 bit archs · 88a5c690
      Daniel Borkmann authored
      James reported that on MIPS32 bpf_trace_printk() is currently
      broken while MIPS64 works fine:
      
        bpf_trace_printk() uses conditional operators to attempt to
        pass different types to __trace_printk() depending on the
        format operators. This doesn't work as intended on 32-bit
        architectures where u32 and long are passed differently to
        u64, since the result of C conditional operators follows the
        "usual arithmetic conversions" rules, such that the values
        passed to __trace_printk() will always be u64 [causing issues
        later in the va_list handling for vscnprintf()].
      
        For example the samples/bpf/tracex5 test printed lines like
        below on MIPS32, where the fd and buf have come from the u64
        fd argument, and the size from the buf argument:
      
          [...] 1180.941542: 0x00000001: write(fd=1, buf=  (null), size=6258688)
      
        Instead of this:
      
          [...] 1625.616026: 0x00000001: write(fd=1, buf=009e4000, size=512)
      
      One way to get it working is to expand various combinations
      of argument types into 8 different combinations for 32 bit
      and 64 bit kernels. Fix tested by James on MIPS32 and MIPS64
      as well that it resolves the issue.
      
      Fixes: 9c959c86 ("tracing: Allow BPF programs to call bpf_trace_printk()")
      Reported-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Tested-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88a5c690
    • dingtianhong's avatar
      PCI: fix oops when try to find Root Port for a PCI device · 0e405232
      dingtianhong authored
      Eric report a oops when booting the system after applying
      the commit a99b646a ("PCI: Disable PCIe Relaxed..."):
      
      [    4.241029] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      [    4.247001] IP: pci_find_pcie_root_port+0x62/0x80
      [    4.253011] PGD 0
      [    4.253011] P4D 0
      [    4.253011]
      [    4.258013] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      [    4.262015] Modules linked in:
      [    4.265005] CPU: 31 PID: 1 Comm: swapper/0 Not tainted 4.13.0-dbx-DEV #316
      [    4.271002] Hardware name: Intel RML,PCH/Iota_QC_19, BIOS 2.40.0 06/22/2016
      [    4.279002] task: ffffa2ee38cfa040 task.stack: ffffa51ec0004000
      [    4.285001] RIP: 0010:pci_find_pcie_root_port+0x62/0x80
      [    4.290012] RSP: 0000:ffffa51ec0007ab8 EFLAGS: 00010246
      [    4.295003] RAX: 0000000000000000 RBX: ffffa2ee36bae000 RCX: 0000000000000006
      [    4.303002] RDX: 000000000000081c RSI: ffffa2ee38cfa8c8 RDI: ffffa2ee36bae000
      [    4.310013] RBP: ffffa51ec0007b58 R08: 0000000000000001 R09: 0000000000000000
      [    4.317001] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa51ec0007ad0
      [    4.324005] R13: ffffa2ee36bae098 R14: 0000000000000002 R15: ffffa2ee37204818
      [    4.331002] FS:  0000000000000000(0000) GS:ffffa2ee3fcc0000(0000) knlGS:0000000000000000
      [    4.339002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    4.345001] CR2: 0000000000000050 CR3: 000000401000f000 CR4: 00000000001406e0
      [    4.351002] Call Trace:
      [    4.354012]  ? pci_configure_device+0x19f/0x570
      [    4.359002]  ? pci_conf1_read+0xb8/0xf0
      [    4.363002]  ? raw_pci_read+0x23/0x40
      [    4.366011]  ? pci_read+0x2c/0x30
      [    4.370014]  ? pci_read_config_word+0x67/0x70
      [    4.374012]  pci_device_add+0x28/0x230
      [    4.378012]  ? pci_vpd_f0_read+0x50/0x80
      [    4.382014]  pci_scan_single_device+0x96/0xc0
      [    4.386012]  pci_scan_slot+0x79/0xf0
      [    4.389001]  pci_scan_child_bus+0x31/0x180
      [    4.394014]  acpi_pci_root_create+0x1c6/0x240
      [    4.398013]  pci_acpi_scan_root+0x15f/0x1b0
      [    4.402012]  acpi_pci_root_add+0x2e6/0x400
      [    4.406012]  ? acpi_evaluate_integer+0x37/0x60
      [    4.411002]  acpi_bus_attach+0xdf/0x200
      [    4.415002]  acpi_bus_attach+0x6a/0x200
      [    4.418014]  acpi_bus_attach+0x6a/0x200
      [    4.422013]  acpi_bus_scan+0x38/0x70
      [    4.426011]  acpi_scan_init+0x10c/0x271
      [    4.429001]  acpi_init+0x2fa/0x348
      [    4.433004]  ? acpi_sleep_proc_init+0x2d/0x2d
      [    4.437001]  do_one_initcall+0x43/0x169
      [    4.441001]  kernel_init_freeable+0x1d0/0x258
      [    4.445003]  ? rest_init+0xe0/0xe0
      [    4.449001]  kernel_init+0xe/0x150
      
      ====================== cut here =============================
      
      It looks like the pci_find_pcie_root_port() was trying to
      find the Root Port for the PCI device which is the Root
      Port already, it will return NULL and trigger the problem,
      so check the highest_pcie_bridge to fix thie problem.
      
      Fixes: a99b646a ("PCI: Disable PCIe Relaxed Ordering if unsupported")
      Fixes: c56d4450 ("PCI: Turn off Request Attributes to avoid Chelsio T5 Completion erratum")
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e405232
    • Bert Kenward's avatar
      sfc: don't try and read ef10 data on non-ef10 NIC · 61deee96
      Bert Kenward authored
      The MAC stats command takes a port ID, which doesn't exist on
      pre-ef10 NICs (5000- and 6000- series). This is extracted from the
      NIC specific data; we misinterpret this as the ef10 data structure,
      causing us to read potentially unallocated data. With a KASAN kernel
      this can cause errors with:
         BUG: KASAN: slab-out-of-bounds in efx_mcdi_mac_stats
      
      Fixes: 0a2ab4d9 ("sfc: set the port-id when calling MC_CMD_MAC_STATS")
      Reported-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Tested-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61deee96
    • Konstantin Khlebnikov's avatar
      net_sched: remove warning from qdisc_hash_add · c90e9514
      Konstantin Khlebnikov authored
      It was added in commit e57a784d ("pkt_sched: set root qdisc
      before change() in attach_default_qdiscs()") to hide duplicates
      from "tc qdisc show" for incative deivices.
      
      After 59cc1f61 ("net: sched: convert qdisc linked list to hashtable")
      it triggered when classful qdisc is added to inactive device because
      default qdiscs are added before switching root qdisc.
      
      Anyway after commit ea327469 ("net: sched: avoid duplicates in
      qdisc dump") duplicates are filtered right in dumper.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c90e9514
    • Konstantin Khlebnikov's avatar
      net_sched/sfq: update hierarchical backlog when drop packet · 325d5dc3
      Konstantin Khlebnikov authored
      When sfq_enqueue() drops head packet or packet from another queue it
      have to update backlog at upper qdiscs too.
      
      Fixes: 2ccccf5f ("net_sched: update hierarchical backlog too")
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      325d5dc3
    • Konstantin Khlebnikov's avatar
      net_sched: reset pointers to tcf blocks in classful qdiscs' destructors · 89890422
      Konstantin Khlebnikov authored
      Traffic filters could keep direct pointers to classes in classful qdisc,
      thus qdisc destruction first removes all filters before freeing classes.
      Class destruction methods also tries to free attached filters but now
      this isn't safe because tcf_block_put() unlike to tcf_destroy_chain()
      cannot be called second time.
      
      This patch set class->block to NULL after first tcf_block_put() and
      turn second call into no-op.
      
      Fixes: 6529eaba ("net: sched: introduce tcf block infractructure")
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89890422
    • Eric Dumazet's avatar
      ipv4: fix NULL dereference in free_fib_info_rcu() · 187e5b3a
      Eric Dumazet authored
      If fi->fib_metrics could not be allocated in fib_create_info()
      we attempt to dereference a NULL pointer in free_fib_info_rcu() :
      
          m = fi->fib_metrics;
          if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
                  kfree(m);
      
      Before my recent patch, we used to call kfree(NULL) and nothing wrong
      happened.
      
      Instead of using RCU to defer freeing while we are under memory stress,
      it seems better to take immediate action.
      
      This was reported by syzkaller team.
      
      Fixes: 3fb07daf ("ipv4: add reference counting to metrics")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      187e5b3a
    • Tonghao Zhang's avatar
    • Eric Dumazet's avatar
      ipv6: fix NULL dereference in ip6_route_dev_notify() · 12d94a80
      Eric Dumazet authored
      Based on a syzkaller report [1], I found that a per cpu allocation
      failure in snmp6_alloc_dev() would then lead to NULL dereference in
      ip6_route_dev_notify().
      
      It seems this is a very old bug, thus no Fixes tag in this submission.
      
      Let's add in6_dev_put_clear() helper, as we will probably use
      it elsewhere (once available/present in net-next)
      
      [1]
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 17294 Comm: syz-executor6 Not tainted 4.13.0-rc2+ #10
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff88019f456680 task.stack: ffff8801c6e58000
      RIP: 0010:__read_once_size include/linux/compiler.h:250 [inline]
      RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:26 [inline]
      RIP: 0010:refcount_sub_and_test+0x7d/0x1b0 lib/refcount.c:178
      RSP: 0018:ffff8801c6e5f1b0 EFLAGS: 00010202
      RAX: 0000000000000037 RBX: dffffc0000000000 RCX: ffffc90005d25000
      RDX: ffff8801c6e5f218 RSI: ffffffff82342bbf RDI: 0000000000000001
      RBP: ffff8801c6e5f240 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10038dcbe37
      R13: 0000000000000006 R14: 0000000000000001 R15: 00000000000001b8
      FS:  00007f21e0429700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001ddbc22000 CR3: 00000001d632b000 CR4: 00000000001426e0
      DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
      Call Trace:
       refcount_dec_and_test+0x1a/0x20 lib/refcount.c:211
       in6_dev_put include/net/addrconf.h:335 [inline]
       ip6_route_dev_notify+0x1c9/0x4a0 net/ipv6/route.c:3732
       notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1678
       call_netdevice_notifiers net/core/dev.c:1694 [inline]
       rollback_registered_many+0x91c/0xe80 net/core/dev.c:7107
       rollback_registered+0x1be/0x3c0 net/core/dev.c:7149
       register_netdevice+0xbcd/0xee0 net/core/dev.c:7587
       register_netdev+0x1a/0x30 net/core/dev.c:7669
       loopback_net_init+0x76/0x160 drivers/net/loopback.c:214
       ops_init+0x10a/0x570 net/core/net_namespace.c:118
       setup_net+0x313/0x710 net/core/net_namespace.c:294
       copy_net_ns+0x27c/0x580 net/core/net_namespace.c:418
       create_new_namespaces+0x425/0x880 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:206
       SYSC_unshare kernel/fork.c:2347 [inline]
       SyS_unshare+0x653/0xfa0 kernel/fork.c:2297
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x4512c9
      RSP: 002b:00007f21e0428c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000110
      RAX: ffffffffffffffda RBX: 0000000000718150 RCX: 00000000004512c9
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000062020200
      RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b973d
      R13: 00000000ffffffff R14: 000000002001d000 R15: 00000000000002dd
      Code: 50 2b 34 82 c7 00 f1 f1 f1 f1 c7 40 04 04 f2 f2 f2 c7 40 08 f3 f3
      f3 f3 e8 a1 43 39 ff 4c 89 f8 48 8b 95 70 ff ff ff 48 c1 e8 03 <0f> b6
      0c 18 4c 89 f8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85
      RIP: __read_once_size include/linux/compiler.h:250 [inline] RSP:
      ffff8801c6e5f1b0
      RIP: atomic_read arch/x86/include/asm/atomic.h:26 [inline] RSP:
      ffff8801c6e5f1b0
      RIP: refcount_sub_and_test+0x7d/0x1b0 lib/refcount.c:178 RSP:
      ffff8801c6e5f1b0
      ---[ end trace e441d046c6410d31 ]---
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12d94a80
  5. 15 Aug, 2017 4 commits