1. 24 Aug, 2016 1 commit
    • mhiramat@kernel.org's avatar
      brcmfmac: Check rtnl_lock is locked when removing interface · 15dacf88
      mhiramat@kernel.org authored
      Check rtnl_lock is locked in brcmf_p2p_ifp_removed() by passing
      rtnl_locked flag. Actually the caller brcmf_del_if() checks whether
      the rtnl_lock is locked, but doesn't pass it to brcmf_p2p_ifp_removed().
      
      Without this fix, wpa_supplicant goes softlockup with rtnl_lock
      holding (this means all other process using netlink are locked up too)
      
      e.g.
      [ 4495.876627] INFO: task wpa_supplicant:7307 blocked for more than 10 seconds.
      [ 4495.876632]       Tainted: G        W       4.8.0-rc1+ #8
      [ 4495.876635] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [ 4495.876638] wpa_supplicant  D ffff974c647b39a0     0  7307      1 0x00000000
      [ 4495.876644]  ffff974c647b39a0 0000000000000000 ffff974c00000000 ffff974c7dc59c58
      [ 4495.876651]  ffff974c6b7417c0 ffff974c645017c0 ffff974c647b4000 ffffffff86f16c08
      [ 4495.876657]  ffff974c645017c0 0000000000000246 00000000ffffffff ffff974c647b39b8
      [ 4495.876664] Call Trace:
      [ 4495.876671]  [<ffffffff868aeccc>] schedule+0x3c/0x90
      [ 4495.876676]  [<ffffffff868af065>] schedule_preempt_disabled+0x15/0x20
      [ 4495.876682]  [<ffffffff868b0996>] mutex_lock_nested+0x176/0x3b0
      [ 4495.876686]  [<ffffffff867a2067>] ? rtnl_lock+0x17/0x20
      [ 4495.876690]  [<ffffffff867a2067>] rtnl_lock+0x17/0x20
      [ 4495.876720]  [<ffffffffc0ae9a5d>] brcmf_p2p_ifp_removed+0x4d/0x70 [brcmfmac]
      [ 4495.876741]  [<ffffffffc0aebde6>] brcmf_remove_interface+0x196/0x1b0 [brcmfmac]
      [ 4495.876760]  [<ffffffffc0ae9901>] brcmf_p2p_del_vif+0x111/0x220 [brcmfmac]
      [ 4495.876777]  [<ffffffffc0adefab>] brcmf_cfg80211_del_iface+0x21b/0x270 [brcmfmac]
      [ 4495.876820]  [<ffffffffc097b39e>] nl80211_del_interface+0xfe/0x3a0 [cfg80211]
      [ 4495.876825]  [<ffffffff867ca335>] genl_family_rcv_msg+0x1b5/0x370
      [ 4495.876832]  [<ffffffff860e5d8d>] ? trace_hardirqs_on+0xd/0x10
      [ 4495.876836]  [<ffffffff867ca56d>] genl_rcv_msg+0x7d/0xb0
      [ 4495.876839]  [<ffffffff867ca4f0>] ? genl_family_rcv_msg+0x370/0x370
      [ 4495.876846]  [<ffffffff867c9a47>] netlink_rcv_skb+0x97/0xb0
      [ 4495.876849]  [<ffffffff867ca168>] genl_rcv+0x28/0x40
      [ 4495.876854]  [<ffffffff867c93c3>] netlink_unicast+0x1d3/0x2f0
      [ 4495.876860]  [<ffffffff867c933b>] ? netlink_unicast+0x14b/0x2f0
      [ 4495.876866]  [<ffffffff867c97cb>] netlink_sendmsg+0x2eb/0x3a0
      [ 4495.876870]  [<ffffffff8676dad8>] sock_sendmsg+0x38/0x50
      [ 4495.876874]  [<ffffffff8676e4df>] ___sys_sendmsg+0x27f/0x290
      [ 4495.876882]  [<ffffffff8628b935>] ? mntput_no_expire+0x5/0x3f0
      [ 4495.876888]  [<ffffffff8628b9be>] ? mntput_no_expire+0x8e/0x3f0
      [ 4495.876894]  [<ffffffff8628b935>] ? mntput_no_expire+0x5/0x3f0
      [ 4495.876899]  [<ffffffff8628bd44>] ? mntput+0x24/0x40
      [ 4495.876904]  [<ffffffff86267830>] ? __fput+0x190/0x200
      [ 4495.876909]  [<ffffffff8676f125>] __sys_sendmsg+0x45/0x80
      [ 4495.876914]  [<ffffffff8676f172>] SyS_sendmsg+0x12/0x20
      [ 4495.876918]  [<ffffffff868b5680>] entry_SYSCALL_64_fastpath+0x23/0xc1
      [ 4495.876924]  [<ffffffff860e2b8f>] ? trace_hardirqs_off_caller+0x1f/0xc0
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      15dacf88
  2. 18 Aug, 2016 2 commits
    • Cathy Luo's avatar
      mwifiex: fix large amsdu packets causing firmware hang · c81396f3
      Cathy Luo authored
      Sometimes host prepares and downloads a large amsdu packet to firmware
      which leads to a memory corruption in firmware.
      The reason is __dev_alloc_skb() may allocate larger buffer than required
      size. This patch solves the problem by checking "adapter->tx_buf_size"
      instead of relying on skb_tailroom().
      Signed-off-by: default avatarCathy Luo <cluo@marvell.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      c81396f3
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 184ca823
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Buffers powersave frame test is reversed in cfg80211, fix from Felix
          Fietkau.
      
       2) Remove bogus WARN_ON in openvswitch, from Jarno Rajahalme.
      
       3) Fix some tg3 ethtool logic bugs, and one that would cause no
          interrupts to be generated when rx-coalescing is set to 0.  From
          Satish Baddipadige and Siva Reddy Kallam.
      
       4) QLCNIC mailbox corruption and napi budget handling fix from Manish
          Chopra.
      
       5) Fix fib_trie logic when walking the trie during /proc/net/route
          output than can access a stale node pointer.  From David Forster.
      
       6) Several sctp_diag fixes from Phil Sutter.
      
       7) PAUSE frame handling fixes in mlxsw driver from Ido Schimmel.
      
       8) Checksum fixup fixes in bpf from Daniel Borkmann.
      
       9) Memork leaks in nfnetlink, from Liping Zhang.
      
      10) Use after free in rxrpc, from David Howells.
      
      11) Use after free in new skb_array code of macvtap driver, from Jason
          Wang.
      
      12) Calipso resource leak, from Colin Ian King.
      
      13) mediatek bug fixes (missing stats sync init, etc.) from Sean Wang.
      
      14) Fix bpf non-linear packet write helpers, from Daniel Borkmann.
      
      15) Fix lockdep splats in macsec, from Sabrina Dubroca.
      
      16) hv_netvsc bug fixes from Vitaly Kuznetsov, mostly to do with VF
          handling.
      
      17) Various tc-action bug fixes, from CONG Wang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
        net_sched: allow flushing tc police actions
        net_sched: unify the init logic for act_police
        net_sched: convert tcf_exts from list to pointer array
        net_sched: move tc offload macros to pkt_cls.h
        net_sched: fix a typo in tc_for_each_action()
        net_sched: remove an unnecessary list_del()
        net_sched: remove the leftover cleanup_a()
        mlxsw: spectrum: Allow packets to be trapped from any PG
        mlxsw: spectrum: Unmap 802.1Q FID before destroying it
        mlxsw: spectrum: Add missing rollbacks in error path
        mlxsw: reg: Fix missing op field fill-up
        mlxsw: spectrum: Trap loop-backed packets
        mlxsw: spectrum: Add missing packet traps
        mlxsw: spectrum: Mark port as active before registering it
        mlxsw: spectrum: Create PVID vPort before registering netdevice
        mlxsw: spectrum: Remove redundant errors from the code
        mlxsw: spectrum: Don't return upon error in removal path
        i40e: check for and deal with non-contiguous TCs
        ixgbe: Re-enable ability to toggle VLAN filtering
        ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths
        ...
      184ca823
  3. 17 Aug, 2016 21 commits
  4. 16 Aug, 2016 14 commits
  5. 15 Aug, 2016 2 commits
    • Wei Yongjun's avatar
      power_supply: tps65217-charger: fix missing platform_set_drvdata() · 33e7664a
      Wei Yongjun authored
      Add missing platform_set_drvdata() in tps65217_charger_probe(), otherwise
      calling platform_get_drvdata() in remove returns NULL.
      
      This is detected by Coccinelle semantic patch.
      
      Fixes: 3636859b ("power_supply: Add support for tps65217-charger")
      Signed-off-by: default avatarWei Yongjun <weiyj.lk@gmail.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      33e7664a
    • Vegard Nossum's avatar
      tipc: fix NULL pointer dereference in shutdown() · d2fbdf76
      Vegard Nossum authored
      tipc_msg_create() can return a NULL skb and if so, we shouldn't try to
      call tipc_node_xmit_skb() on it.
      
          general protection fault: 0000 [#1] PREEMPT SMP KASAN
          CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
          task: ffff8800baf09980 ti: ffff8800595b8000 task.ti: ffff8800595b8000
          RIP: 0010:[<ffffffff830bb46b>]  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
          RSP: 0018:ffff8800595bfce8  EFLAGS: 00010246
          RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003023b0e0
          RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff83d12580
          RBP: ffff8800595bfd78 R08: ffffed000b2b7f32 R09: 0000000000000000
          R10: fffffbfff0759725 R11: 0000000000000000 R12: 1ffff1000b2b7f9f
          R13: ffff8800595bfd58 R14: ffffffff83d12580 R15: dffffc0000000000
          FS:  00007fcdde242700(0000) GS:ffff88011af80000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fcddde1db10 CR3: 000000006874b000 CR4: 00000000000006e0
          DR0: 00007fcdde248000 DR1: 00007fcddd73d000 DR2: 00007fcdde248000
          DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
          Stack:
           0000000000000018 0000000000000018 0000000041b58ab3 ffffffff83954208
           ffffffff830bb400 ffff8800595bfd30 ffffffff8309d767 0000000000000018
           0000000000000018 ffff8800595bfd78 ffffffff8309da1a 00000000810ee611
          Call Trace:
           [<ffffffff830c84a3>] tipc_shutdown+0x553/0x880
           [<ffffffff825b4a3b>] SyS_shutdown+0x14b/0x170
           [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
           [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00
          RIP  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
           RSP <ffff8800595bfce8>
          ---[ end trace 57b0484e351e71f1 ]---
      
      I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure
      userspace is equipped to handle that. Anyway, this is better than a GPF
      and looks somewhat consistent with other tipc_msg_create() callers.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2fbdf76