1. 21 Jul, 2017 20 commits
    • Nagarathnam Muthusamy's avatar
      Adding asm-prototypes.h for genksyms to generate crc · ca2c0e7e
      Nagarathnam Muthusamy authored
      
      [ Upstream commit bdca8cc0 ]
      
      This patch adds the prototypes of assembly defined functions to asm-prototypes.h.
      Some prototypes are directly added as they are not present in any existing header
      files.
      Signed-off-by: default avatarNagarathnam Muthusamy <nagarathnam.muthusamy@oracle.com>
      Reviewed-by: default avatarBabu Moger <babu.moger@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca2c0e7e
    • Bert Kenward's avatar
      sfc: don't read beyond unicast address list · 28cc60e9
      Bert Kenward authored
      
      [ Upstream commit c70d6815 ]
      
      If we have more than 32 unicast MAC addresses assigned to an interface
      we will read beyond the end of the address table in the driver when
      adding filters. The next 256 entries store multicast addresses, so we
      will end up attempting to insert duplicate filters, which is mostly
      harmless. If we add more than 288 unicast addresses we will then read
      past the multicast address table, which is likely to be more exciting.
      
      Fixes: 12fb0da4 ("sfc: clean fallbacks between promisc/normal in efx_ef10_filter_sync_rx_mode")
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28cc60e9
    • Arend van Spriel's avatar
      brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() · f888b9ad
      Arend van Spriel authored
      
      [ Upstream commit 8f44c9a4 ]
      
      The lower level nl80211 code in cfg80211 ensures that "len" is between
      25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
      "len" so thats's max of 2280.  However, the action_frame->data[] buffer is
      only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
      overflow.
      
      	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
      	       le16_to_cpu(action_frame->len));
      
      Cc: stable@vger.kernel.org # 3.9.x
      Fixes: 18e2f61d ("brcmfmac: P2P action frame tx.")
      Reported-by: default avatar"freenerguo(郭大兴)" <freenerguo@tencent.com>
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f888b9ad
    • Eduardo Valentin's avatar
      bridge: mdb: fix leak on complete_info ptr on fail path · fdb5c326
      Eduardo Valentin authored
      
      [ Upstream commit 1bfb1596 ]
      
      We currently get the following kmemleak report:
      unreferenced object 0xffff8800039d9820 (size 32):
        comm "softirq", pid 0, jiffies 4295212383 (age 792.416s)
        hex dump (first 32 bytes):
          00 0c e0 03 00 88 ff ff ff 02 00 00 00 00 00 00  ................
          00 00 00 01 ff 11 00 02 86 dd 00 00 ff ff ff ff  ................
        backtrace:
          [<ffffffff8152b4aa>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff811d8ec8>] kmem_cache_alloc_trace+0xb8/0x1c0
          [<ffffffffa0389683>] __br_mdb_notify+0x2a3/0x300 [bridge]
          [<ffffffffa038a0ce>] br_mdb_notify+0x6e/0x70 [bridge]
          [<ffffffffa0386479>] br_multicast_add_group+0x109/0x150 [bridge]
          [<ffffffffa0386518>] br_ip6_multicast_add_group+0x58/0x60 [bridge]
          [<ffffffffa0387fb5>] br_multicast_rcv+0x1d5/0xdb0 [bridge]
          [<ffffffffa037d7cf>] br_handle_frame_finish+0xcf/0x510 [bridge]
          [<ffffffffa03a236b>] br_nf_hook_thresh.part.27+0xb/0x10 [br_netfilter]
          [<ffffffffa03a3738>] br_nf_hook_thresh+0x48/0xb0 [br_netfilter]
          [<ffffffffa03a3fb9>] br_nf_pre_routing_finish_ipv6+0x109/0x1d0 [br_netfilter]
          [<ffffffffa03a4400>] br_nf_pre_routing_ipv6+0xd0/0x14c [br_netfilter]
          [<ffffffffa03a3c27>] br_nf_pre_routing+0x197/0x3d0 [br_netfilter]
          [<ffffffff814a2952>] nf_iterate+0x52/0x60
          [<ffffffff814a29bc>] nf_hook_slow+0x5c/0xb0
          [<ffffffffa037ddf4>] br_handle_frame+0x1a4/0x2c0 [bridge]
      
      This happens when switchdev_port_obj_add() fails. This patch
      frees complete_info object in the fail path.
      Reviewed-by: default avatarVallish Vaidyeshwara <vallish@amazon.com>
      Signed-off-by: default avatarEduardo Valentin <eduval@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdb5c326
    • WANG Cong's avatar
      tap: convert a mutex to a spinlock · 09a279f3
      WANG Cong authored
      
      [ Upstream commit ffa423fb ]
      
      We are not allowed to block on the RCU reader side, so can't
      just hold the mutex as before. As a quick fix, convert it to
      a spinlock.
      
      Fixes: d9f1f61c ("tap: Extending tap device create/destroy APIs")
      Reported-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Tested-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Cc: Sainath Grandhi <sainath.grandhi@intel.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09a279f3
    • Guilherme G. Piccoli's avatar
      cxgb4: fix BUG() on interrupt deallocating path of ULD · c92947f9
      Guilherme G. Piccoli authored
      
      [ Upstream commit 6a146f3a ]
      
      Since the introduction of ULD (Upper-Layer Drivers), the MSI-X
      deallocating path changed in cxgb4: the driver frees the interrupts
      of ULD when unregistering it or on shutdown PCI handler.
      
      Problem is that if a MSI-X is not freed before deallocated in the PCI
      layer, it will trigger a BUG() due to still "alive" interrupt being
      tentatively quiesced.
      
      The below trace was observed when doing a simple unbind of Chelsio's
      adapter PCI function, like:
        "echo 001e:80:00.4 > /sys/bus/pci/drivers/cxgb4/unbind"
      
      Trace:
      
        kernel BUG at drivers/pci/msi.c:352!
        Oops: Exception in kernel mode, sig: 5 [#1]
        ...
        NIP [c0000000005a5e60] free_msi_irqs+0xa0/0x250
        LR [c0000000005a5e50] free_msi_irqs+0x90/0x250
        Call Trace:
        [c0000000005a5e50] free_msi_irqs+0x90/0x250 (unreliable)
        [c0000000005a72c4] pci_disable_msix+0x124/0x180
        [d000000011e06708] disable_msi+0x88/0xb0 [cxgb4]
        [d000000011e06948] free_some_resources+0xa8/0x160 [cxgb4]
        [d000000011e06d60] remove_one+0x170/0x3c0 [cxgb4]
        [c00000000058a910] pci_device_remove+0x70/0x110
        [c00000000064ef04] device_release_driver_internal+0x1f4/0x2c0
        ...
      
      This patch fixes the issue by refactoring the shutdown path of ULD on
      cxgb4 driver, by properly freeing and disabling interrupts on PCI
      remove handler too.
      
      Fixes: 0fbc81b3 ("Allocate resources dynamically for all cxgb4 ULD's")
      Reported-by: default avatarHarsha Thyagaraja <hathyaga@in.ibm.com>
      Signed-off-by: default avatarGuilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c92947f9
    • Huy Nguyen's avatar
      net/mlx5e: Initialize CEE's getpermhwaddr address buffer to 0xff · 3399c4c4
      Huy Nguyen authored
      
      [ Upstream commit d968f0f2 ]
      
      Latest change in open-lldp code uses bytes 6-11 of perm_addr buffer
      as the Ethernet source address for the host TLV packet.
      Since our driver does not fill these bytes, they stay at zero and
      the open-lldp code ends up sending the TLV packet with zero source
      address and the switch drops this packet.
      
      The fix is to initialize these bytes to 0xff. The open-lldp code
      considers 0xff:ff:ff:ff:ff:ff as the invalid address and falls back to
      use the host's mac address as the Ethernet source address.
      
      Fixes: 3a6a931d ("net/mlx5e: Support DCBX CEE API")
      Signed-off-by: default avatarHuy Nguyen <huyn@mellanox.com>
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3399c4c4
    • Sowmini Varadhan's avatar
      rds: tcp: use sock_create_lite() to create the accept socket · e8c11223
      Sowmini Varadhan authored
      
      [ Upstream commit 0933a578 ]
      
      There are two problems with calling sock_create_kern() from
      rds_tcp_accept_one()
      1. it sets up a new_sock->sk that is wasteful, because this ->sk
         is going to get replaced by inet_accept() in the subsequent ->accept()
      2. The new_sock->sk is a leaked reference in sock_graft() which
         expects to find a null parent->sk
      
      Avoid these problems by calling sock_create_lite().
      Signed-off-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8c11223
    • Jason Wang's avatar
      virtio-net: fix leaking of ctx array · 354934e1
      Jason Wang authored
      
      [ Upstream commit 55281621 ]
      
      Fixes: commit d45b897b ("virtio_net: allow specifying context for rx")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      354934e1
    • Nikolay Aleksandrov's avatar
      vrf: fix bug_on triggered by rx when destroying a vrf · 34e7c498
      Nikolay Aleksandrov authored
      
      [ Upstream commit f630c38e ]
      
      When destroying a VRF device we cleanup the slaves in its ndo_uninit()
      function, but that causes packets to be switched (skb->dev == vrf being
      destroyed) even though we're pass the point where the VRF should be
      receiving any packets while it is being dismantled. This causes a BUG_ON
      to trigger if we have raw sockets (trace below).
      The reason is that the inetdev of the VRF has been destroyed but we're
      still sending packets up the stack with it, so let's free the slaves in
      the dellink callback as David Ahern suggested.
      
      Note that this fix doesn't prevent packets from going up when the VRF
      device is admin down.
      
      [   35.631371] ------------[ cut here ]------------
      [   35.631603] kernel BUG at net/ipv4/fib_frontend.c:285!
      [   35.631854] invalid opcode: 0000 [#1] SMP
      [   35.631977] Modules linked in:
      [   35.632081] CPU: 2 PID: 22 Comm: ksoftirqd/2 Not tainted 4.12.0-rc7+ #45
      [   35.632247] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [   35.632477] task: ffff88005ad68000 task.stack: ffff88005ad64000
      [   35.632632] RIP: 0010:fib_compute_spec_dst+0xfc/0x1ee
      [   35.632769] RSP: 0018:ffff88005ad67978 EFLAGS: 00010202
      [   35.632910] RAX: 0000000000000001 RBX: ffff880059a7f200 RCX: 0000000000000000
      [   35.633084] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff82274af0
      [   35.633256] RBP: ffff88005ad679f8 R08: 000000000001ef70 R09: 0000000000000046
      [   35.633430] R10: ffff88005ad679f8 R11: ffff880037731cb0 R12: 0000000000000001
      [   35.633603] R13: ffff8800599e3000 R14: 0000000000000000 R15: ffff8800599cb852
      [   35.634114] FS:  0000000000000000(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
      [   35.634306] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   35.634456] CR2: 00007f3563227095 CR3: 000000000201d000 CR4: 00000000000406e0
      [   35.634632] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   35.634865] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   35.635055] Call Trace:
      [   35.635271]  ? __lock_acquire+0xf0d/0x1117
      [   35.635522]  ipv4_pktinfo_prepare+0x82/0x151
      [   35.635831]  raw_rcv_skb+0x17/0x3c
      [   35.636062]  raw_rcv+0xe5/0xf7
      [   35.636287]  raw_local_deliver+0x169/0x1d9
      [   35.636534]  ip_local_deliver_finish+0x87/0x1c4
      [   35.636820]  ip_local_deliver+0x63/0x7f
      [   35.637058]  ip_rcv_finish+0x340/0x3a1
      [   35.637295]  ip_rcv+0x314/0x34a
      [   35.637525]  __netif_receive_skb_core+0x49f/0x7c5
      [   35.637780]  ? lock_acquire+0x13f/0x1d7
      [   35.638018]  ? lock_acquire+0x15e/0x1d7
      [   35.638259]  __netif_receive_skb+0x1e/0x94
      [   35.638502]  ? __netif_receive_skb+0x1e/0x94
      [   35.638748]  netif_receive_skb_internal+0x74/0x300
      [   35.639002]  ? dev_gro_receive+0x2ed/0x411
      [   35.639246]  ? lock_is_held_type+0xc4/0xd2
      [   35.639491]  napi_gro_receive+0x105/0x1a0
      [   35.639736]  receive_buf+0xc32/0xc74
      [   35.639965]  ? detach_buf+0x67/0x153
      [   35.640201]  ? virtqueue_get_buf_ctx+0x120/0x176
      [   35.640453]  virtnet_poll+0x128/0x1c5
      [   35.640690]  net_rx_action+0x103/0x343
      [   35.640932]  __do_softirq+0x1c7/0x4b7
      [   35.641171]  run_ksoftirqd+0x23/0x5c
      [   35.641403]  smpboot_thread_fn+0x24f/0x26d
      [   35.641646]  ? sort_range+0x22/0x22
      [   35.641878]  kthread+0x129/0x131
      [   35.642104]  ? __list_add+0x31/0x31
      [   35.642335]  ? __list_add+0x31/0x31
      [   35.642568]  ret_from_fork+0x2a/0x40
      [   35.642804] Code: 05 bd 87 a3 00 01 e8 1f ef 98 ff 4d 85 f6 48 c7 c7 f0 4a 27 82 41 0f 94 c4 31 c9 31 d2 41 0f b6 f4 e8 04 71 a1 ff 45 84 e4 74 02 <0f> 0b 0f b7 93 c4 00 00 00 4d 8b a5 80 05 00 00 48 03 93 d0 00
      [   35.644342] RIP: fib_compute_spec_dst+0xfc/0x1ee RSP: ffff88005ad67978
      
      Fixes: 193125db ("net: Introduce VRF device driver")
      Reported-by: default avatarChris Cormier <chriscormier@cumulusnetworks.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34e7c498
    • David Ahern's avatar
      net: ipv6: Compare lwstate in detecting duplicate nexthops · f3ef3b80
      David Ahern authored
      
      [ Upstream commit f06b7549 ]
      
      Lennert reported a failure to add different mpls encaps in a multipath
      route:
      
        $ ip -6 route add 1234::/16 \
              nexthop encap mpls 10 via fe80::1 dev ens3 \
              nexthop encap mpls 20 via fe80::1 dev ens3
        RTNETLINK answers: File exists
      
      The problem is that the duplicate nexthop detection does not compare
      lwtunnel configuration. Add it.
      
      Fixes: 19e42e45 ("ipv6: support for fib route lwtunnel encap attributes")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Reported-by: default avatarJoão Taveira Araújo <joao.taveira@gmail.com>
      Reported-by: default avatarLennert Buytenhek <buytenh@wantstofly.org>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Tested-by: default avatarLennert Buytenhek <buytenh@wantstofly.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3ef3b80
    • Derek Chickles's avatar
      liquidio: fix bug in soft reset failure detection · 1e28d50c
      Derek Chickles authored
      
      [ Upstream commit 05a6b4ca ]
      
      The code that detects a failed soft reset of Octeon is comparing the wrong
      value against the reset value of the Octeon SLI_SCRATCH_1 register,
      resulting in an inability to detect a soft reset failure.  Fix it by using
      the correct value in the comparison, which is any non-zero value.
      
      Fixes: f21fb3ed ("Add support of Cavium Liquidio ethernet adapters")
      Fixes: c0eab5b3 ("liquidio: CN23XX firmware download")
      Signed-off-by: default avatarDerek Chickles <derek.chickles@cavium.com>
      Signed-off-by: default avatarSatanand Burla <satananda.burla@cavium.com>
      Signed-off-by: default avatarRaghu Vatsavayi <raghu.vatsavayi@cavium.com>
      Signed-off-by: default avatarFelix Manlunas <felix.manlunas@cavium.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e28d50c
    • Alban Browaeys's avatar
      net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64 · 1fe829df
      Alban Browaeys authored
      
      [ Upstream commit 9af9959e ]
      
      commit 9256645a ("net/core: relax BUILD_BUG_ON in
      netdev_stats_to_stats64") made an attempt to read beyond
      the size of the source a possibility.
      
      Fix to only copy src size to dest. As dest might be bigger than src.
      
       ==================================================================
       BUG: KASAN: slab-out-of-bounds in netdev_stats_to_stats64+0xe/0x30 at addr ffff8801be248b20
       Read of size 192 by task VBoxNetAdpCtl/6734
       CPU: 1 PID: 6734 Comm: VBoxNetAdpCtl Tainted: G           O    4.11.4prahal+intel+ #118
       Hardware name: LENOVO 20CDCTO1WW/20CDCTO1WW, BIOS GQET52WW (1.32 ) 05/04/2017
       Call Trace:
        dump_stack+0x63/0x86
        kasan_object_err+0x1c/0x70
        kasan_report+0x270/0x520
        ? netdev_stats_to_stats64+0xe/0x30
        ? sched_clock_cpu+0x1b/0x190
        ? __module_address+0x3e/0x3b0
        ? unwind_next_frame+0x1ea/0xb00
        check_memory_region+0x13c/0x1a0
        memcpy+0x23/0x50
        netdev_stats_to_stats64+0xe/0x30
        dev_get_stats+0x1b9/0x230
        rtnl_fill_stats+0x44/0xc00
        ? nla_put+0xc6/0x130
        rtnl_fill_ifinfo+0xe9e/0x3700
        ? rtnl_fill_vfinfo+0xde0/0xde0
        ? sched_clock+0x9/0x10
        ? sched_clock+0x9/0x10
        ? sched_clock_local+0x120/0x130
        ? __module_address+0x3e/0x3b0
        ? unwind_next_frame+0x1ea/0xb00
        ? sched_clock+0x9/0x10
        ? sched_clock+0x9/0x10
        ? sched_clock_cpu+0x1b/0x190
        ? VBoxNetAdpLinuxIOCtlUnlocked+0x14b/0x280 [vboxnetadp]
        ? depot_save_stack+0x1d8/0x4a0
        ? depot_save_stack+0x34f/0x4a0
        ? depot_save_stack+0x34f/0x4a0
        ? save_stack+0xb1/0xd0
        ? save_stack_trace+0x16/0x20
        ? save_stack+0x46/0xd0
        ? kasan_slab_alloc+0x12/0x20
        ? __kmalloc_node_track_caller+0x10d/0x350
        ? __kmalloc_reserve.isra.36+0x2c/0xc0
        ? __alloc_skb+0xd0/0x560
        ? rtmsg_ifinfo_build_skb+0x61/0x120
        ? rtmsg_ifinfo.part.25+0x16/0xb0
        ? rtmsg_ifinfo+0x47/0x70
        ? register_netdev+0x15/0x30
        ? vboxNetAdpOsCreate+0xc0/0x1c0 [vboxnetadp]
        ? vboxNetAdpCreate+0x210/0x400 [vboxnetadp]
        ? VBoxNetAdpLinuxIOCtlUnlocked+0x14b/0x280 [vboxnetadp]
        ? do_vfs_ioctl+0x17f/0xff0
        ? SyS_ioctl+0x74/0x80
        ? do_syscall_64+0x182/0x390
        ? __alloc_skb+0xd0/0x560
        ? __alloc_skb+0xd0/0x560
        ? save_stack_trace+0x16/0x20
        ? init_object+0x64/0xa0
        ? ___slab_alloc+0x1ae/0x5c0
        ? ___slab_alloc+0x1ae/0x5c0
        ? __alloc_skb+0xd0/0x560
        ? sched_clock+0x9/0x10
        ? kasan_unpoison_shadow+0x35/0x50
        ? kasan_kmalloc+0xad/0xe0
        ? __kmalloc_node_track_caller+0x246/0x350
        ? __alloc_skb+0xd0/0x560
        ? kasan_unpoison_shadow+0x35/0x50
        ? memset+0x31/0x40
        ? __alloc_skb+0x31f/0x560
        ? napi_consume_skb+0x320/0x320
        ? br_get_link_af_size_filtered+0xb7/0x120 [bridge]
        ? if_nlmsg_size+0x440/0x630
        rtmsg_ifinfo_build_skb+0x83/0x120
        rtmsg_ifinfo.part.25+0x16/0xb0
        rtmsg_ifinfo+0x47/0x70
        register_netdevice+0xa2b/0xe50
        ? __kmalloc+0x171/0x2d0
        ? netdev_change_features+0x80/0x80
        register_netdev+0x15/0x30
        vboxNetAdpOsCreate+0xc0/0x1c0 [vboxnetadp]
        vboxNetAdpCreate+0x210/0x400 [vboxnetadp]
        ? vboxNetAdpComposeMACAddress+0x1d0/0x1d0 [vboxnetadp]
        ? kasan_check_write+0x14/0x20
        VBoxNetAdpLinuxIOCtlUnlocked+0x14b/0x280 [vboxnetadp]
        ? VBoxNetAdpLinuxOpen+0x20/0x20 [vboxnetadp]
        ? lock_acquire+0x11c/0x270
        ? __audit_syscall_entry+0x2fb/0x660
        do_vfs_ioctl+0x17f/0xff0
        ? __audit_syscall_entry+0x2fb/0x660
        ? ioctl_preallocate+0x1d0/0x1d0
        ? __audit_syscall_entry+0x2fb/0x660
        ? kmem_cache_free+0xb2/0x250
        ? syscall_trace_enter+0x537/0xd00
        ? exit_to_usermode_loop+0x100/0x100
        SyS_ioctl+0x74/0x80
        ? do_sys_open+0x350/0x350
        ? do_vfs_ioctl+0xff0/0xff0
        do_syscall_64+0x182/0x390
        entry_SYSCALL64_slow_path+0x25/0x25
       RIP: 0033:0x7f7e39a1ae07
       RSP: 002b:00007ffc6f04c6d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
       RAX: ffffffffffffffda RBX: 00007ffc6f04c730 RCX: 00007f7e39a1ae07
       RDX: 00007ffc6f04c730 RSI: 00000000c0207601 RDI: 0000000000000007
       RBP: 00007ffc6f04c700 R08: 00007ffc6f04c780 R09: 0000000000000008
       R10: 0000000000000541 R11: 0000000000000206 R12: 0000000000000007
       R13: 00000000c0207601 R14: 00007ffc6f04c730 R15: 0000000000000012
       Object at ffff8801be248008, in cache kmalloc-4096 size: 4096
       Allocated:
       PID = 6734
        save_stack_trace+0x16/0x20
        save_stack+0x46/0xd0
        kasan_kmalloc+0xad/0xe0
        __kmalloc+0x171/0x2d0
        alloc_netdev_mqs+0x8a7/0xbe0
        vboxNetAdpOsCreate+0x65/0x1c0 [vboxnetadp]
        vboxNetAdpCreate+0x210/0x400 [vboxnetadp]
        VBoxNetAdpLinuxIOCtlUnlocked+0x14b/0x280 [vboxnetadp]
        do_vfs_ioctl+0x17f/0xff0
        SyS_ioctl+0x74/0x80
        do_syscall_64+0x182/0x390
        return_from_SYSCALL_64+0x0/0x6a
       Freed:
       PID = 5600
        save_stack_trace+0x16/0x20
        save_stack+0x46/0xd0
        kasan_slab_free+0x73/0xc0
        kfree+0xe4/0x220
        kvfree+0x25/0x30
        single_release+0x74/0xb0
        __fput+0x265/0x6b0
        ____fput+0x9/0x10
        task_work_run+0xd5/0x150
        exit_to_usermode_loop+0xe2/0x100
        do_syscall_64+0x26c/0x390
        return_from_SYSCALL_64+0x0/0x6a
       Memory state around the buggy address:
        ffff8801be248a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        ffff8801be248b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       >ffff8801be248b80: 00 00 00 00 00 00 00 00 00 00 00 07 fc fc fc fc
                                                           ^
        ffff8801be248c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff8801be248c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ==================================================================
      Signed-off-by: default avatarAlban Browaeys <alban.browaeys@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fe829df
    • Jiri Benc's avatar
      geneve: fix hlist corruption · 40d16256
      Jiri Benc authored
      
      [ Upstream commit 4b4c21fa ]
      
      It's not a good idea to add the same hlist_node to two different hash lists.
      This leads to various hard to debug memory corruptions.
      
      Fixes: 8ed66f0e ("geneve: implement support for IPv6-based tunnels")
      Cc: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40d16256
    • Jiri Benc's avatar
      vxlan: fix hlist corruption · b7b3a67e
      Jiri Benc authored
      
      [ Upstream commit 69e76661 ]
      
      It's not a good idea to add the same hlist_node to two different hash lists.
      This leads to various hard to debug memory corruptions.
      
      Fixes: b1be00a6 ("vxlan: support both IPv4 and IPv6 sockets in a single vxlan device")
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7b3a67e
    • Sabrina Dubroca's avatar
      ipv6: dad: don't remove dynamic addresses if link is down · 55db4f9f
      Sabrina Dubroca authored
      
      [ Upstream commit ec8add2a ]
      
      Currently, when the link for $DEV is down, this command succeeds but the
      address is removed immediately by DAD (1):
      
          ip addr add 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800
      
      In the same situation, this will succeed and not remove the address (2):
      
          ip addr add 1111::12/64 dev $DEV
          ip addr change 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800
      
      The comment in addrconf_dad_begin() when !IF_READY makes it look like
      this is the intended behavior, but doesn't explain why:
      
           * If the device is not ready:
           * - keep it tentative if it is a permanent address.
           * - otherwise, kill it.
      
      We clearly cannot prevent userspace from doing (2), but we can make (1)
      work consistently with (2).
      
      addrconf_dad_stop() is only called in two cases: if DAD failed, or to
      skip DAD when the link is down. In that second case, the fix is to avoid
      deleting the address, like we already do for permanent addresses.
      
      Fixes: 3c21edbd ("[IPV6]: Defer IPv6 device initialization until the link becomes ready.")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      55db4f9f
    • Gal Pressman's avatar
      net/mlx5e: Fix TX carrier errors report in get stats ndo · 419c4e86
      Gal Pressman authored
      
      [ Upstream commit 8ff93de7 ]
      
      Symbol error during carrier counter from PPCNT was mistakenly reported as
      TX carrier errors in get_stats ndo, although it's an RX counter.
      
      Fixes: 269e6b3a ("net/mlx5e: Report additional error statistics in get stats ndo")
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      419c4e86
    • Mohamad Haj Yahia's avatar
      net/mlx5: Cancel delayed recovery work when unloading the driver · 8c66a467
      Mohamad Haj Yahia authored
      
      [ Upstream commit 2a0165a0 ]
      
      Draining the health workqueue will ignore future health works including
      the one that report hardware failure and thus we can't enter error state
      Instead cancel the recovery flow and make sure only recovery flow won't
      be scheduled.
      
      Fixes: 5e44fca5 ('net/mlx5: Only cancel recovery work when cleaning up device')
      Signed-off-by: default avatarMohamad Haj Yahia <mohamad@mellanox.com>
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c66a467
    • Gal Pressman's avatar
      net/mlx5: Fix driver load error flow when firmware is stuck · 053ef953
      Gal Pressman authored
      
      [ Upstream commit 8ce59b16 ]
      
      When wait for firmware init fails, previous code would mistakenly
      return success and cause inconsistency in the driver state.
      
      Fixes: 6c780a02 ("net/mlx5: Wait for FW readiness before initializing command interface")
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      053ef953
    • Gleb Fotengauer-Malinovskiy's avatar
      staging: android: uapi: drop definitions of removed ION_IOC_{FREE,SHARE} ioctls · d0f102d5
      Gleb Fotengauer-Malinovskiy authored
      commit f7a320ff upstream.
      
      This problem was found by strace ioctl list generator.
      
      Fixes: 15c6098c ("staging: android: ion: Remove ion_handle and ion_client")
      Signed-off-by: default avatarGleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
      Acked-by: default avatarLaura Abbott <labbott@redhat.com>
      Cc: "Dmitry V. Levin" <ldv@altlinux.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0f102d5
  2. 15 Jul, 2017 11 commits
  3. 12 Jul, 2017 9 commits