1. 11 Jul, 2018 33 commits
  2. 03 Jul, 2018 7 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.139 · 16af0986
      Greg Kroah-Hartman authored
      16af0986
    • Szymon Janc's avatar
      Bluetooth: Fix connection if directed advertising and privacy is used · 679bd362
      Szymon Janc authored
      commit 082f2300 upstream.
      
      Local random address needs to be updated before creating connection if
      RPA from LE Direct Advertising Report was resolved in host. Otherwise
      remote device might ignore connection request due to address mismatch.
      
      This was affecting following qualification test cases:
      GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
      
      Before patch:
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6          #11350 [hci0] 84680.231216
              Address: 56:BC:E8:24:11:68 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                        #11351 [hci0] 84680.246022
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7         #11352 [hci0] 84680.246417
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                        #11353 [hci0] 84680.248854
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11354 [hci0] 84680.249466
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                        #11355 [hci0] 84680.253222
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                          #11356 [hci0] 84680.458387
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
              RSSI: -74 dBm (0xb6)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11357 [hci0] 84680.458737
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                        #11358 [hci0] 84680.469982
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25          #11359 [hci0] 84680.470444
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                          #11360 [hci0] 84680.474971
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0    #11361 [hci0] 84682.545385
      > HCI Event: Command Complete (0x0e) plen 4                        #11362 [hci0] 84682.551014
            LE Create Connection Cancel (0x08|0x000e) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                          #11363 [hci0] 84682.551074
            LE Connection Complete (0x01)
              Status: Unknown Connection Identifier (0x02)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Connection interval: 0.00 msec (0x0000)
              Connection latency: 0 (0x0000)
              Supervision timeout: 0 msec (0x0000)
              Master clock accuracy: 0x00
      
      After patch:
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7    #210 [hci0] 667.152459
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                   #211 [hci0] 667.153613
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2        #212 [hci0] 667.153704
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                   #213 [hci0] 667.154584
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                     #214 [hci0] 667.182619
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
              RSSI: -70 dBm (0xba)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2       #215 [hci0] 667.182704
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                  #216 [hci0] 667.183599
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6    #217 [hci0] 667.183645
              Address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                  #218 [hci0] 667.184590
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25    #219 [hci0] 667.184613
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                    #220 [hci0] 667.186558
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                    #221 [hci0] 667.485824
            LE Connection Complete (0x01)
              Status: Success (0x00)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x07
      @ MGMT Event: Device Connected (0x000b) plen 13          {0x0002} [hci0] 667.485996
              LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
              Flags: 0x00000000
              Data length: 0
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      679bd362
    • Bjørn Mork's avatar
      cdc_ncm: avoid padding beyond end of skb · 9d4c1d93
      Bjørn Mork authored
      commit 49c2c3f2 upstream.
      
      Commit 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end
      of NCM frame") added logic to reserve space for the NDP at the
      end of the NTB/skb.  This reservation did not take the final
      alignment of the NDP into account, causing us to reserve too
      little space. Additionally the padding prior to NDP addition did
      not ensure there was enough space for the NDP.
      
      The NTB/skb with the NDP appended would then exceed the configured
      max size. This caused the final padding of the NTB to use a
      negative count, padding to almost INT_MAX, and resulting in:
      
      [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
      [60103.825998] IP: __memset+0x24/0x30
      [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
      [60103.826013] Oops: 0002 [#1] SMP NOPTI
      [60103.826018] Modules linked in: (removed(
      [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
      [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
      [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
      [60103.826171] RIP: 0010:__memset+0x24/0x30
      [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
      [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
      [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
      [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
      [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
      [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
      [60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
      [60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
      [60103.826204] Call Trace:
      [60103.826212]  <IRQ>
      [60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
      [60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
      [60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
      [60103.826254]  ? netif_skb_features+0x119/0x250
      [60103.826259]  dev_hard_start_xmit+0xa1/0x200
      [60103.826267]  sch_direct_xmit+0xf2/0x1b0
      [60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
      [60103.826280]  ? ip_finish_output2+0x263/0x3c0
      [60103.826284]  ip_finish_output2+0x263/0x3c0
      [60103.826289]  ? ip_output+0x6c/0xe0
      [60103.826293]  ip_output+0x6c/0xe0
      [60103.826298]  ? ip_forward_options+0x1a0/0x1a0
      [60103.826303]  tcp_transmit_skb+0x516/0x9b0
      [60103.826309]  tcp_write_xmit+0x1aa/0xee0
      [60103.826313]  ? sch_direct_xmit+0x71/0x1b0
      [60103.826318]  tcp_tasklet_func+0x177/0x180
      [60103.826325]  tasklet_action+0x5f/0x110
      [60103.826332]  __do_softirq+0xde/0x2b3
      [60103.826337]  irq_exit+0xae/0xb0
      [60103.826342]  do_IRQ+0x81/0xd0
      [60103.826347]  common_interrupt+0x98/0x98
      [60103.826351]  </IRQ>
      [60103.826355] RIP: 0033:0x7f397bdf2282
      [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
      [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
      [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
      [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
      [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
      [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
      e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
      ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
      [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
      [60103.826444] CR2: ffff9641f2004000
      
      Commit e1069bbf ("net: cdc_ncm: Reduce memory use when kernel
      memory low") made this bug much more likely to trigger by reducing
      the NTB size under memory pressure.
      
      Link: https://bugs.debian.org/893393Reported-by: default avatarГорбешко Богдан <bodqhrohro@gmail.com>
      Reported-and-tested-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: Enrico Mioso <mrkiko.rs@gmail.com>
      Fixes: 4a0e3e98 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
      [ bmork:  tx_curr_size => tx_max and context fixup for v4.12 and older ]
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d4c1d93
    • Mike Snitzer's avatar
      dm thin: handle running out of data space vs concurrent discard · 052ef26b
      Mike Snitzer authored
      commit a685557f upstream.
      
      Discards issued to a DM thin device can complete to userspace (via
      fstrim) _before_ the metadata changes associated with the discards is
      reflected in the thinp superblock (e.g. free blocks).  As such, if a
      user constructs a test that loops repeatedly over these steps, block
      allocation can fail due to discards not having completed yet:
      1) fill thin device via filesystem file
      2) remove file
      3) fstrim
      
      From initial report, here:
      https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html
      
      "The root cause of this issue is that dm-thin will first remove
      mapping and increase corresponding blocks' reference count to prevent
      them from being reused before DISCARD bios get processed by the
      underlying layers. However. increasing blocks' reference count could
      also increase the nr_allocated_this_transaction in struct sm_disk
      which makes smd->old_ll.nr_allocated +
      smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
      In this case, alloc_data_block() will never commit metadata to reset
      the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
      always return an underflow value."
      
      While there is room for improvement to the space-map accounting that
      thinp is making use of: the reality is this test is inherently racey and
      will result in the previous iteration's fstrim's discard(s) completing
      vs concurrent block allocation, via dd, in the next iteration of the
      loop.
      
      No amount of space map accounting improvements will be able to allow
      user's to use a block before a discard of that block has completed.
      
      So the best we can really do is allow DM thinp to gracefully handle such
      aggressive use of all the pool's data by degrading the pool into
      out-of-data-space (OODS) mode.  We _should_ get that behaviour already
      (if space map accounting didn't falsely cause alloc_data_block() to
      believe free space was available).. but short of that we handle the
      current reality that dm_pool_alloc_data_block() can return -ENOSPC.
      Reported-by: default avatarDennis Yang <dennisyang@qnap.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      052ef26b
    • Keith Busch's avatar
      block: Fix transfer when chunk sectors exceeds max · a740830e
      Keith Busch authored
      commit 15bfd21f upstream.
      
      A device may have boundary restrictions where the number of sectors
      between boundaries exceeds its max transfer size. In this case, we need
      to cap the max size to the smaller of the two limits.
      Reported-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Tested-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a740830e
    • Maxime Chevallier's avatar
      spi: Fix scatterlist elements size in spi_map_buf · 9b46e5e9
      Maxime Chevallier authored
      commit ce99319a upstream.
      
      When SPI transfers can be offloaded using DMA, the SPI core need to
      build a scatterlist to make sure that the buffer to be transferred is
      dma-able.
      
      This patch fixes the scatterlist entry size computation in the case
      where the maximum acceptable scatterlist entry supported by the DMA
      controller is less than PAGE_SIZE, when the buffer is vmalloced.
      
      For each entry, the actual size is given by the minimum between the
      desc_len (which is the max buffer size supported by the DMA controller)
      and the remaining buffer length until we cross a page boundary.
      
      Fixes: 65598c13 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b46e5e9
    • Liu Bo's avatar
      Btrfs: fix unexpected cow in run_delalloc_nocow · 0e1bd020
      Liu Bo authored
      commit 58113753 upstream.
      
      Fstests generic/475 provides a way to fail metadata reads while
      checking if checksum exists for the inode inside run_delalloc_nocow(),
      and csum_exist_in_range() interprets error (-EIO) as inode having
      checksum and makes its caller enter the cow path.
      
      In case of free space inode, this ends up with a warning in
      cow_file_range().
      
      The same problem applies to btrfs_cross_ref_exist() since it may also
      read metadata in between.
      
      With this, run_delalloc_nocow() bails out when errors occur at the two
      places.
      
      cc: <stable@vger.kernel.org> v2.6.28+
      Fixes: 17d217fe ("Btrfs: fix nodatasum handling in balancing code")
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e1bd020