1. 15 Mar, 2017 7 commits
    • John David Anglin's avatar
      parisc: Optimize flush_kernel_vmap_range and invalidate_kernel_vmap_range · 316ec062
      John David Anglin authored
      The previously submitted patch did not resolve the random segmentation
      faults observed on the phantom buildd system.  There are still
      unresolved problems with the Debian 4.8 and 4.9 kernels on C8000.
      
      The attached patch removes the flush of the offset map pages and does a
      whole data cache flush for large ranges.  No other arch flushes the
      offset map in these routines as far as I can tell.
      
      I have not observed any random segmentation faults on rp3440 in two
      weeks of testing with 4.10.0 and 4.10.1.
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org      # v4.8+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      316ec062
    • Mikulas Patocka's avatar
      parisc: support R_PARISC_SECREL32 relocation in modules · 5f655322
      Mikulas Patocka authored
      The parisc kernel doesn't work with CONFIG_MODVERSIONS since the commit
      71810db2. It can't load modules with the
      error: "module unix: Unknown relocation: 41".
      
      The commit changes __kcrctab from 64-bit valus to 32-bit values. The
      assembler generates R_PARISC_SECREL32 secrel relocation for them and the
      module loader doesn't support this relocation.
      
      This patch adds the R_PARISC_SECREL32 relocation to the module loader.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org	# v4.10+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      5f655322
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 95422dec
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a rather large set of fixes. The bulk are for lpfc correcting
        a lot of issues in the new NVME driver code which just went in in the
        merge window.
      
        The others are:
      
         - fix a hang in the vmware paravirt driver caused by incorrect
           handling of the new MSI vector allocation
      
         - long standing bug in storvsc, which recent block changes turned
           from being a harmless annoyance into a hang
      
         - yet more fallout (in mpt3sas) from the changes to device blocking
      
        The remainder are small fixes and updates"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (34 commits)
        scsi: lpfc: Add shutdown method for kexec
        scsi: storvsc: Workaround for virtual DVD SCSI version
        scsi: lpfc: revise version number to 11.2.0.10
        scsi: lpfc: code cleanups in NVME initiator discovery
        scsi: lpfc: code cleanups in NVME initiator base
        scsi: lpfc: correct rdp diag portnames
        scsi: lpfc: remove dead sli3 nvme code
        scsi: lpfc: correct double print
        scsi: lpfc: Rename LPFC_MAX_EQ_DELAY to LPFC_MAX_EQ_DELAY_EQID_CNT
        scsi: lpfc: Rework lpfc Kconfig for NVME options
        scsi: lpfc: add transport eh_timed_out reference
        scsi: lpfc: Fix eh_deadline setting for sli3 adapters.
        scsi: lpfc: add NVME exchange aborts
        scsi: lpfc: Fix nvme allocation bug on failed nvme_fc_register_localport
        scsi: lpfc: Fix IO submission if WQ is full
        scsi: lpfc: Fix NVME CMD IU byte swapped word 1 problem
        scsi: lpfc: Fix RCTL value on NVME LS request and response
        scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
        scsi: lpfc: fix missing spin_unlock on sql_list_lock
        scsi: lpfc: don't dereference dma_buf->iocbq before null check
        ...
      95422dec
    • Linus Torvalds's avatar
      Merge tag 'gfs2-4.11-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · aabcf5fc
      Linus Torvalds authored
      Pull gfs2 fix from Bob Peterson:
       "This is an emergency patch for 4.11-rc3
      
        The GFS2 developers uncovered a really nasty problem that can lead to
        random corruption and kernel panic, much like the last one. Andreas
        Gruenbacher wrote a simple one-line patch to fix the problem."
      
      * tag 'gfs2-4.11-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: Avoid alignment hole in struct lm_lockname
      aabcf5fc
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · defc7d75
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - self-test failure of crc32c on powerpc
      
       - regressions of ecb(aes) when used with xts/lrw in s5p-sss
      
       - a number of bugs in the omap RNG driver
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: s5p-sss - Fix spinlock recursion on LRW(AES)
        hwrng: omap - Do not access INTMASK_REG on EIP76
        hwrng: omap - use devm_clk_get() instead of of_clk_get()
        hwrng: omap - write registers after enabling the clock
        crypto: s5p-sss - Fix completing crypto request in IRQ handler
        crypto: powerpc - Fix initialisation of crc32c context
      defc7d75
    • Andreas Gruenbacher's avatar
      gfs2: Avoid alignment hole in struct lm_lockname · 28ea06c4
      Andreas Gruenbacher authored
      Commit 88ffbf3e switches to using rhashtables for glocks, hashing over
      the entire struct lm_lockname instead of its individual fields.  On some
      architectures, struct lm_lockname contains a hole of uninitialized
      memory due to alignment rules, which now leads to incorrect hash values.
      Get rid of that hole.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      CC: <stable@vger.kernel.org> #v4.3+
      28ea06c4
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ae50dfd6
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Ensure that mtu is at least IPV6_MIN_MTU in ipv6 VTI tunnel driver,
          from Steffen Klassert.
      
       2) Fix crashes when user tries to get_next_key on an LPM bpf map, from
          Alexei Starovoitov.
      
       3) Fix detection of VLAN fitlering feature for bnx2x VF devices, from
          Michal Schmidt.
      
       4) We can get a divide by zero when TCP socket are morphed into
          listening state, fix from Eric Dumazet.
      
       5) Fix socket refcounting bugs in skb_complete_wifi_ack() and
          skb_complete_tx_timestamp(). From Eric Dumazet.
      
       6) Use after free in dccp_feat_activate_values(), also from Eric
          Dumazet.
      
       7) Like bonding team needs to use ETH_MAX_MTU as netdev->max_mtu, from
          Jarod Wilson.
      
       8) Fix use after free in vrf_xmit(), from David Ahern.
      
       9) Don't do UDP Fragmentation Offload on IPComp ipsec packets, from
          Alexey Kodanev.
      
      10) Properly check napi_complete_done() return value in order to decide
          whether to re-enable IRQs or not in amd-xgbe driver, from Thomas
          Lendacky.
      
      11) Fix double free of hwmon device in marvell phy driver, from Andrew
          Lunn.
      
      12) Don't crash on malformed netlink attributes in act_connmark, from
          Etienne Noss.
      
      13) Don't remove routes with a higher metric in ipv6 ECMP route replace,
          from Sabrina Dubroca.
      
      14) Don't write into a cloned SKB in ipv6 fragmentation handling, from
          Florian Westphal.
      
      15) Fix routing redirect races in dccp and tcp, basically the ICMP
          handler can't modify the socket's cached route in it's locked by the
          user at this moment. From Jon Maxwell.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (108 commits)
        qed: Enable iSCSI Out-of-Order
        qed: Correct out-of-bound access in OOO history
        qed: Fix interrupt flags on Rx LL2
        qed: Free previous connections when releasing iSCSI
        qed: Fix mapping leak on LL2 rx flow
        qed: Prevent creation of too-big u32-chains
        qed: Align CIDs according to DORQ requirement
        mlxsw: reg: Fix SPVMLR max record count
        mlxsw: reg: Fix SPVM max record count
        net: Resend IGMP memberships upon peer notification.
        dccp: fix memory leak during tear-down of unsuccessful connection request
        tun: fix premature POLLOUT notification on tun devices
        dccp/tcp: fix routing redirect race
        ucc/hdlc: fix two little issue
        vxlan: fix ovs support
        net: use net->count to check whether a netns is alive or not
        bridge: drop netfilter fake rtable unconditionally
        ipv6: avoid write to a possibly cloned skb
        net: wimax/i2400m: fix NULL-deref at probe
        isdn/gigaset: fix NULL-deref at probe
        ...
      ae50dfd6
  2. 14 Mar, 2017 21 commits
    • Linus Torvalds's avatar
      Merge branch 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 352526f4
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Three cgroup fixes.  Nothing critical:
      
         - the pids controller could trigger suspicious RCU warning
           spuriously. Fixed.
      
         - in the debug controller, %p -> %pK to protect kernel pointer
           from getting exposed.
      
         - documentation formatting fix"
      
      * 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroups: censor kernel pointer in debug files
        cgroup/pids: remove spurious suspicious RCU usage warning
        cgroup: Fix indenting in PID controller documentation
      352526f4
    • Linus Torvalds's avatar
      Merge branch 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 6517569d
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "Three libata fixes:
      
         - fix for a circular reference bug in sysfs code which prevented
           pata_legacy devices from being released after probe failure, which
           in turn prevented devres from releasing the associated resources.
      
         - drop spurious WARN in the command issue path which can be triggered
           by a legitimate passthrough command.
      
         - an ahci_qoriq specific fix"
      
      * 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ahci: qoriq: correct the sata ecc setting error
        libata: drop WARN from protocol error in ata_sff_qc_issue()
        libata: transport: Remove circular dependency at free time
      6517569d
    • Linus Torvalds's avatar
      Merge branch 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · bc258879
      Linus Torvalds authored
      Pull workqueue fix from Tejun Heo:
       "If a delayed work is queued with NULL @wq, workqueue code explodes
        after the timer expires at which point it's difficult to tell who the
        culprit was.
      
        This actually happened and the offender was net/smc this time.
      
        Add an explicit sanity check for it in the queueing path"
      
      * 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
      bc258879
    • Linus Torvalds's avatar
      Merge branch 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu · 83e63226
      Linus Torvalds authored
      Pull percpu fixes from Tejun Heo:
      
       - the allocation path was updating pcpu_nr_empty_pop_pages without the
         required locking which can lead to incorrect handling of empty chunks
         (e.g. keeping too many around), which is buggy but shouldn't lead to
         critical failures. Fixed by adding the locking
      
       - a trivial patch to drop an unused param from pcpu_get_pages()
      
      * 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
        percpu: remove unused chunk_alloc parameter from pcpu_get_pages()
        percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
      83e63226
    • David S. Miller's avatar
      Merge branch 'qed-fixes' · 1e6a1cd8
      David S. Miller authored
      Yuval Mintz says:
      
      ====================
      qed: Fixes series
      
      This address several different issues in qed.
      The more significant portions:
      
      Patch #1 would cause timeout when qedr utilizes the highest
      CIDs availble for it [or when future qede adapters would utilize
      queues in some constellations].
      
      Patch #4 fixes a leak of mapped addresses; When iommu is enabled,
      offloaded storage protocols might eventually run out of resources
      and fail to map additional buffers.
      
      Patches #6,#7 were missing in the initial iSCSI infrastructure
      submissions, and would hamper qedi's stability when it reaches
      out-of-order scenarios.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e6a1cd8
    • Mintz, Yuval's avatar
      qed: Enable iSCSI Out-of-Order · 6b116b1d
      Mintz, Yuval authored
      Missing in the initial submission, qed fails to propagate qedi's
      request to enable OOO to firmware.
      
      Fixes: fc831825 ("qed: Add support for hardware offloaded iSCSI")
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b116b1d
    • Mintz, Yuval's avatar
      qed: Correct out-of-bound access in OOO history · db31d330
      Mintz, Yuval authored
      Need to set the number of entries in database, otherwise the logic
      would quickly surpass the array.
      
      Fixes: 1d6cff4f ("qed: Add iSCSI out of order packet handling")
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db31d330
    • Ram Amrani's avatar
      qed: Fix interrupt flags on Rx LL2 · 1df2aded
      Ram Amrani authored
      Before iterating over the the LL2 Rx ring, the ring's
      spinlock is taken via spin_lock_irqsave().
      The actual processing of the packet [including handling
      by the protocol driver] is done without said lock,
      so qed releases the spinlock and re-claims it afterwards.
      
      Problem is that the final spin_lock_irqrestore() at the end
      of the iteration uses the original flags saved from the
      initial irqsave() instead of the flags from the most recent
      irqsave(). So it's possible that the interrupt status would
      be incorrect at the end of the processing.
      
      Fixes: 0a7fb11c ("qed: Add Light L2 support");
      CC: Ram Amrani <Ram.Amrani@cavium.com>
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1df2aded
    • Mintz, Yuval's avatar
      qed: Free previous connections when releasing iSCSI · 4621ceb2
      Mintz, Yuval authored
      Fixes: fc831825 ("qed: Add support for hardware offloaded iSCSI")
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4621ceb2
    • Mintz, Yuval's avatar
      qed: Fix mapping leak on LL2 rx flow · 752ecb2d
      Mintz, Yuval authored
      When receiving an Rx LL2 packet, qed fails to unmap the previous buffer.
      
      Fixes: 0a7fb11c ("qed: Add Light L2 support");
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      752ecb2d
    • Tomer Tayar's avatar
      qed: Prevent creation of too-big u32-chains · 3ef310a7
      Tomer Tayar authored
      Current Logic would allow the creation of a chain with U32_MAX + 1
      elements, when the actual maximum supported by the driver infrastructure
      is U32_MAX.
      
      Fixes: a91eb52a ("qed: Revisit chain implementation")
      Signed-off-by: default avatarTomer Tayar <Tomer.Tayar@cavium.com>
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ef310a7
    • Ram Amrani's avatar
      qed: Align CIDs according to DORQ requirement · f3e48119
      Ram Amrani authored
      The Doorbell HW block can be configured at a granularity
      of 16 x CIDs, so we need to make sure that the actual number
      of CIDs configured would be a multiplication of 16.
      
      Today, when RoCE is enabled - given that the number is unaligned,
      doorbelling the higher CIDs would fail to reach the firmware and
      would eventually timeout.
      
      Fixes: dbb799c3 ("qed: Initialize hardware for new protocols")
      Signed-off-by: default avatarRam Amrani <Ram.Amrani@cavium.com>
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f3e48119
    • David S. Miller's avatar
      Merge branch 'mlxsw-small-fixes' · a8aa3953
      David S. Miller authored
      Jiri Pirko says:
      
      ====================
      mlxsw: Couple of fixes
      
      Couple or small fixes.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8aa3953
    • Jiri Pirko's avatar
      mlxsw: reg: Fix SPVMLR max record count · e9093b11
      Jiri Pirko authored
      The num_rec field is 8 bit, so the maximal count number is 255.
      This fixes vlans learning not being enabled for wider ranges than 255.
      
      Fixes: a4feea74 ("mlxsw: reg: Add Switch Port VLAN MAC Learning register definition")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9093b11
    • Jiri Pirko's avatar
      mlxsw: reg: Fix SPVM max record count · f004ec06
      Jiri Pirko authored
      The num_rec field is 8 bit, so the maximal count number is 255. This
      fixes vlans not being enabled for wider ranges than 255.
      
      Fixes: b2e345f9 ("mlxsw: reg: Add Switch Port VID and Switch Port VLAN Membership registers definitions")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f004ec06
    • Vlad Yasevich's avatar
      net: Resend IGMP memberships upon peer notification. · 37c343b4
      Vlad Yasevich authored
      When we notify peers of potential changes,  it's also good to update
      IGMP memberships.  For example, during VM migration, updating IGMP
      memberships will redirect existing multicast streams to the VM at the
      new location.
      Signed-off-by: default avatarVladislav Yasevich <vyasevic@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37c343b4
    • Hannes Frederic Sowa's avatar
      dccp: fix memory leak during tear-down of unsuccessful connection request · 72ef9c41
      Hannes Frederic Sowa authored
      This patch fixes a memory leak, which happens if the connection request
      is not fulfilled between parsing the DCCP options and handling the SYN
      (because e.g. the backlog is full), because we forgot to free the
      list of ack vectors.
      Reported-by: default avatarJianwen Ji <jiji@redhat.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72ef9c41
    • Hannes Frederic Sowa's avatar
      tun: fix premature POLLOUT notification on tun devices · b20e2d54
      Hannes Frederic Sowa authored
      aszlig observed failing ssh tunnels (-w) during initialization since
      commit cc9da6cc ("ipv6: addrconf: use stable address generator for
      ARPHRD_NONE"). We already had reports that the mentioned commit breaks
      Juniper VPN connections. I can't clearly say that the Juniper VPN client
      has the same problem, but it is worth a try to hint to this patch.
      
      Because of the early generation of link local addresses, the kernel now
      can start asking for routers on the local subnet much earlier than usual.
      Those router solicitation packets arrive inside the ssh channels and
      should be transmitted to the tun fd before the configuration scripts
      might have upped the interface and made it ready for transmission.
      
      ssh polls on the interface and receives back a POLL_OUT. It tries to send
      the earily router solicitation packet to the tun interface.  Unfortunately
      it hasn't been up'ed yet by config scripts, thus failing with -EIO. ssh
      doesn't retry again and considers the tun interface broken forever.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=121131
      Fixes: cc9da6cc ("ipv6: addrconf: use stable address generator for ARPHRD_NONE")
      Cc: Bjørn Mork <bjorn@mork.no>
      Reported-by: default avatarValdis Kletnieks <Valdis.Kletnieks@vt.edu>
      Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
      Reported-by: default avatarJonas Lippuner <jonas@lippuner.ca>
      Cc: Jonas Lippuner <jonas@lippuner.ca>
      Reported-by: default avataraszlig <aszlig@redmoonstudios.org>
      Cc: aszlig <aszlig@redmoonstudios.org>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b20e2d54
    • Jon Maxwell's avatar
      dccp/tcp: fix routing redirect race · 45caeaa5
      Jon Maxwell authored
      As Eric Dumazet pointed out this also needs to be fixed in IPv6.
      v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.
      
      We have seen a few incidents lately where a dst_enty has been freed
      with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
      dst_entry. If the conditions/timings are right a crash then ensues when the
      freed dst_entry is referenced later on. A Common crashing back trace is:
      
       #8 [] page_fault at ffffffff8163e648
          [exception RIP: __tcp_ack_snd_check+74]
      .
      .
       #9 [] tcp_rcv_established at ffffffff81580b64
      #10 [] tcp_v4_do_rcv at ffffffff8158b54a
      #11 [] tcp_v4_rcv at ffffffff8158cd02
      #12 [] ip_local_deliver_finish at ffffffff815668f4
      #13 [] ip_local_deliver at ffffffff81566bd9
      #14 [] ip_rcv_finish at ffffffff8156656d
      #15 [] ip_rcv at ffffffff81566f06
      #16 [] __netif_receive_skb_core at ffffffff8152b3a2
      #17 [] __netif_receive_skb at ffffffff8152b608
      #18 [] netif_receive_skb at ffffffff8152b690
      #19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
      #20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
      #21 [] net_rx_action at ffffffff8152bac2
      #22 [] __do_softirq at ffffffff81084b4f
      #23 [] call_softirq at ffffffff8164845c
      #24 [] do_softirq at ffffffff81016fc5
      #25 [] irq_exit at ffffffff81084ee5
      #26 [] do_IRQ at ffffffff81648ff8
      
      Of course it may happen with other NIC drivers as well.
      
      It's found the freed dst_entry here:
      
       224 static bool tcp_in_quickack_mode(struct sock *sk)
       225 {
       226 ▹       const struct inet_connection_sock *icsk = inet_csk(sk);
       227 ▹       const struct dst_entry *dst = __sk_dst_get(sk);
       228 
       229 ▹       return (dst && dst_metric(dst, RTAX_QUICKACK)) ||
       230 ▹       ▹       (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);
       231 }
      
      But there are other backtraces attributed to the same freed dst_entry in
      netfilter code as well.
      
      All the vmcores showed 2 significant clues:
      
      - Remote hosts behind the default gateway had always been redirected to a
      different gateway. A rtable/dst_entry will be added for that host. Making
      more dst_entrys with lower reference counts. Making this more probable.
      
      - All vmcores showed a postitive LockDroppedIcmps value, e.g:
      
      LockDroppedIcmps                  267
      
      A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
      regardless of whether user space has the socket locked. This can result in a
      race condition where the same dst_entry cached in sk->sk_dst_entry can be
      decremented twice for the same socket via:
      
      do_redirect()->__sk_dst_check()-> dst_release().
      
      Which leads to the dst_entry being prematurely freed with another socket
      pointing to it via sk->sk_dst_cache and a subsequent crash.
      
      To fix this skip do_redirect() if usespace has the socket locked. Instead let
      the redirect take place later when user space does not have the socket
      locked.
      
      The dccp/IPv6 code is very similar in this respect, so fixing it there too.
      
      As Eric Garver pointed out the following commit now invalidates routes. Which
      can set the dst->obsolete flag so that ipv4_dst_check() returns null and
      triggers the dst_release().
      
      Fixes: ceb33206 ("ipv4: Kill routes during PMTU/redirect updates.")
      Cc: Eric Garver <egarver@redhat.com>
      Cc: Hannes Sowa <hsowa@redhat.com>
      Signed-off-by: default avatarJon Maxwell <jmaxwell37@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45caeaa5
    • Zhao Qiang's avatar
      ucc/hdlc: fix two little issue · 02bb56dd
      Zhao Qiang authored
      1. modify bd_status from u32 to u16 in function hdlc_rx_done,
      because bd_status register is 16bits
      2. write bd_length register before writing bd_status register
      Signed-off-by: default avatarZhao Qiang <qiang.zhao@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02bb56dd
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · fb5fe0fd
      Linus Torvalds authored
      Pull some more powerpc fixes from Michael Ellerman:
       "The main item is the addition of the Power9 Machine Check handler.
        This was delayed to make sure some details were correct, and is as
        minimal as possible.
      
        The rest is small fixes, two for the Power9 PMU, two dealing with
        obscure toolchain problems, two for the PowerNV IOMMU code (used by
        VFIO), and one to fix a crash on 32-bit machines with macio devices
        due to missing dma_ops.
      
        Thanks to:
          Alexey Kardashevskiy, Cyril Bur, Larry Finger, Madhavan Srinivasan,
          Nicholas Piggin"
      
      * tag 'powerpc-4.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/64s: POWER9 machine check handler
        powerpc/64s: allow machine check handler to set severity and initiator
        powerpc/64s: fix handling of non-synchronous machine checks
        powerpc/pmac: Fix crash in dma-mapping.h with NULL dma_ops
        powerpc/powernv/ioda2: Update iommu table base on ownership change
        powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
        selftests/powerpc: Replace stxvx and lxvx with stxvd2x/lxvd2x
        powerpc/perf: Handle sdar_mode for marked event in power9
        powerpc/perf: Fix perf_get_data_addr() for power9 DD1
        powerpc/boot: Fix zImage TOC alignment
      fb5fe0fd
  3. 13 Mar, 2017 12 commits
    • Nicolas Dichtel's avatar
      vxlan: fix ovs support · c80498e3
      Nicolas Dichtel authored
      The required changes in the function vxlan_dev_create() were missing
      in commit 8bcdc4f3.
      The vxlan device is not registered anymore after this patch and the error
      path causes an stack dump:
       WARNING: CPU: 3 PID: 1498 at net/core/dev.c:6713 rollback_registered_many+0x9d/0x3f0
      
      Fixes: 8bcdc4f3 ("vxlan: add changelink support")
      CC: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c80498e3
    • Andrey Vagin's avatar
      net: use net->count to check whether a netns is alive or not · 91864f58
      Andrey Vagin authored
      The previous idea was to check whether a net namespace is in
      net_exit_list or not. It doesn't work, because net->exit_list is used in
      __register_pernet_operations and __unregister_pernet_operations where
      all namespaces are added to a temporary list to make cleanup in a error
      case, so list_empty(&net->exit_list) always returns false.
      Reported-by: default avatarMantas Mikulėnas <grawity@gmail.com>
      Fixes: 002d8a1a ("net: skip genenerating uevents for network namespaces that are exiting")
      Signed-off-by: default avatarAndrei Vagin <avagin@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      91864f58
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.11-2' of git://git.infradead.org/linux-platform-drivers-x86 · 065f3e49
      Linus Torvalds authored
      Pull x86 platform driver updates from Darren Hart:
       "Asus fixes for the airplane LED and a long awaited fujitsu cleanup.
      
        asus-wmi:
         - Remove quirk_no_rfkill
         - Detect quirk_no_rfkill from the DSDT
      
        fujitsu-laptop:
         - remove redundant MODULE_ALIAS entries
         - autodetect LCD interface on all models
         - simplify acpi_bus_register_driver() error handling
         - remove redundant forward declarations
         - replace numeric values with constants
         - rename FUNC_RFKILL to FUNC_FLAGS
         - make platform-related variables match naming convention
         - replace "hotkey" with "laptop" in symbol names
         - clearly denote backlight-related symbols"
      
      * tag 'platform-drivers-x86-v4.11-2' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: asus-wmi: Remove quirk_no_rfkill
        platform/x86: asus-wmi: Detect quirk_no_rfkill from the DSDT
        platform/x86: fujitsu-laptop: remove redundant MODULE_ALIAS entries
        platform/x86: fujitsu-laptop: autodetect LCD interface on all models
        platform/x86: fujitsu-laptop: simplify acpi_bus_register_driver() error handling
        platform/x86: fujitsu-laptop: remove redundant forward declarations
        platform/x86: fujitsu-laptop: replace numeric values with constants
        platform/x86: fujitsu-laptop: rename FUNC_RFKILL to FUNC_FLAGS
        platform/x86: fujitsu-laptop: make platform-related variables match naming convention
        platform/x86: fujitsu-laptop: replace "hotkey" with "laptop" in symbol names
        platform/x86: fujitsu-laptop: clearly denote backlight-related symbols
      065f3e49
    • Florian Westphal's avatar
      bridge: drop netfilter fake rtable unconditionally · a13b2082
      Florian Westphal authored
      Andreas reports kernel oops during rmmod of the br_netfilter module.
      Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
      
      Problem is that br_netfilter has the nasty concept of adding a fake
      rtable to skb->dst; this happens in a br_netfilter prerouting hook.
      
      A second hook (in bridge LOCAL_IN) is supposed to remove these again
      before the skb is handed up the stack.
      
      However, on module unload hooks get unregistered which means an
      skb could traverse the prerouting hook that attaches the fake_rtable,
      while the 'fake rtable remove' hook gets removed from the hooklist
      immediately after.
      
      Fixes: 34666d46 ("netfilter: bridge: move br_netfilter out of the core")
      Reported-by: default avatarAndreas Karis <akaris@redhat.com>
      Debugged-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a13b2082
    • Florian Westphal's avatar
      ipv6: avoid write to a possibly cloned skb · 79e49503
      Florian Westphal authored
      ip6_fragment, in case skb has a fraglist, checks if the
      skb is cloned.  If it is, it will move to the 'slow path' and allocates
      new skbs for each fragment.
      
      However, right before entering the slowpath loop, it updates the
      nexthdr value of the last ipv6 extension header to NEXTHDR_FRAGMENT,
      to account for the fragment header that will be inserted in the new
      ipv6-fragment skbs.
      
      In case original skb is cloned this munges nexthdr value of another
      skb.  Avoid this by doing the nexthdr update for each of the new fragment
      skbs separately.
      
      This was observed with tcpdump on a bridge device where netfilter ipv6
      reassembly is active:  tcpdump shows malformed fragment headers as
      the l4 header (icmpv6, tcp, etc). is decoded as a fragment header.
      
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Reported-by: default avatarAndreas Karis <akaris@redhat.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79e49503
    • Johan Hovold's avatar
      net: wimax/i2400m: fix NULL-deref at probe · 6e526fdf
      Johan Hovold authored
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      The endpoints are specifically dereferenced in the i2400m_bootrom_init
      path during probe (e.g. in i2400mu_tx_bulk_out).
      
      Fixes: f398e424 ("i2400m/USB: probe/disconnect, dev init/shutdown
      and reset backends")
      Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e526fdf
    • Johan Hovold's avatar
      isdn/gigaset: fix NULL-deref at probe · 68c32f9c
      Johan Hovold authored
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: cf7776dc ("[PATCH] isdn4linux: Siemens Gigaset drivers -
      direct USB connection")
      Cc: stable <stable@vger.kernel.org>	# 2.6.17
      Cc: Hansjoerg Lipp <hjlipp@web.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68c32f9c
    • Sabrina Dubroca's avatar
      ipv6: make ECMP route replacement less greedy · 67e19400
      Sabrina Dubroca authored
      Commit 27596472 ("ipv6: fix ECMP route replacement") introduced a
      loop that removes all siblings of an ECMP route that is being
      replaced. However, this loop doesn't stop when it has replaced
      siblings, and keeps removing other routes with a higher metric.
      We also end up triggering the WARN_ON after the loop, because after
      this nsiblings < 0.
      
      Instead, stop the loop when we have taken care of all routes with the
      same metric as the route being replaced.
      
        Reproducer:
        ===========
          #!/bin/sh
      
          ip netns add ns1
          ip netns add ns2
          ip -net ns1 link set lo up
      
          for x in 0 1 2 ; do
              ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
              ip -net ns1 link set eth$x up
              ip -net ns2 link set veth$x up
          done
      
          ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
                  nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
          ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
          ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048
      
          echo "before replace, 3 routes"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
          echo
      
          ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
                  nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2
      
          echo "after replace, only 2 routes, metric 2048 is gone"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
      
      Fixes: 27596472 ("ipv6: fix ECMP route replacement")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67e19400
    • Kirill A. Shutemov's avatar
      mm, gup: fix typo in gup_p4d_range() · ce70df08
      Kirill A. Shutemov authored
      gup_p4d_range() should call gup_pud_range(), not itself.
      
      [ This was not noticed on x86: this is the HAVE_GENERIC_RCU_GUP code
        used by arm[64] and powerpc    - Linus ]
      
      Fixes: c2febafc ("mm: convert generic code to 5-level paging")
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reported-by: default avatarChris Packham <chris.packham@alliedtelesis.co.nz>
      Reported-by: default avatarAnton Blanchard <anton@samba.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ce70df08
    • Daniel Borkmann's avatar
      bpf: improve read-only handling · 65869a47
      Daniel Borkmann authored
      Improve bpf_{prog,jit_binary}_{un,}lock_ro() by throwing a
      one-time warning in case of an error when the image couldn't
      be set read-only, and also mark struct bpf_prog as locked when
      bpf_prog_lock_ro() was called.
      
      Reason for the latter is that bpf_prog_unlock_ro() is called from
      various places including error paths, and we shouldn't mess with
      page attributes when really not needed.
      
      For bpf_jit_binary_unlock_ro() this is not needed as jited flag
      implicitly indicates this, thus for archs with ARCH_HAS_SET_MEMORY
      we're guaranteed to have a previously locked image. Overall, this
      should also help us to identify any further potential issues with
      set_memory_*() helpers.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65869a47
    • Alexei Starovoitov's avatar
      selftests/bpf: fix broken build · 1da8ac7c
      Alexei Starovoitov authored
      Recent merge of 'linux-kselftest-4.11-rc1' tree broke bpf test build.
      None of the tests were building and test_verifier.c had tons of compiler errors.
      Fix it and add #ifdef CAP_IS_SUPPORTED to support old versions of libcap.
      Tested on centos 6.8 and 7
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Tested-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1da8ac7c
    • David Ahern's avatar
      mpls: Do not decrement alive counter for unregister events · 79099aab
      David Ahern authored
      Multipath routes can be rendered usesless when a device in one of the
      paths is deleted. For example:
      
      $ ip -f mpls ro ls
      100
      	nexthop as to 200 via inet 172.16.2.2  dev virt12
      	nexthop as to 300 via inet 172.16.3.2  dev br0
      101
      	nexthop as to 201 via inet6 2000:2::2  dev virt12
      	nexthop as to 301 via inet6 2000:3::2  dev br0
      
      $ ip li del br0
      
      When br0 is deleted the other hop is not considered in
      mpls_select_multipath because of the alive check -- rt_nhn_alive
      is 0.
      
      rt_nhn_alive is decremented once in mpls_ifdown when the device is taken
      down (NETDEV_DOWN) and again when it is deleted (NETDEV_UNREGISTER). For
      a 2 hop route, deleting one device drops the alive count to 0. Since
      devices are taken down before unregistering, the decrement on
      NETDEV_UNREGISTER is redundant.
      
      Fixes: c89359a4 ("mpls: support for dead routes")
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79099aab