1. 03 Feb, 2020 9 commits
    • netdevsim: fix using uninitialized resources · f5cd2160
      Taehee Yoo authored
      When the module is being initialized, __init() calls bus_register() and
      driver_register().
      These functions internally create various resources and sysfs files.
      The sysfs files are used for basic operations (add/del device).
      /sys/bus/netdevsim/new_device
      /sys/bus/netdevsim/del_device
      
      These sysfs files use netdevsim resources, they are mostly allocated
      and initialized in ->probe() function, which is nsim_dev_probe().
      But, sysfs files could be executed before ->probe() is finished.
      So, accessing uninitialized data would occur.
      
      Another problem is very similar.
      /sys/bus/netdevsim/new_device internally creates sysfs files.
      /sys/devices/netdevsim<id>/new_port
      /sys/devices/netdevsim<id>/del_port
      
      These sysfs files also use netdevsim resources, they are mostly allocated
      and initialized in creating device routine, which is nsim_bus_dev_new().
      But they also could be executed before nsim_bus_dev_new() is finished.
      So, accessing uninitialized data would occur.
      
      To fix these problems, this patch adds flags, which mean whether the
      operation is finished or not.
      The flag variable 'nsim_bus_enable' means whether netdevsim bus was
      initialized or not.
      This is protected by nsim_bus_dev_list_lock.
      The flag variable 'nsim_bus_dev->init' means whether nsim_bus_dev was
      initialized or not.
      This could be used in {new/del}_port_store() with no lock.
      
      Test commands:
          #SHELL1
          modprobe netdevsim
          while :
          do
              echo "1 1" > /sys/bus/netdevsim/new_device
              echo "1 1" > /sys/bus/netdevsim/del_device
          done
      
          #SHELL2
          while :
          do
              echo 1 > /sys/devices/netdevsim1/new_port
              echo 1 > /sys/devices/netdevsim1/del_port
          done
      
      Splat looks like:
      [   47.508954][ T1008] general protection fault, probably for non-canonical address 0xdffffc0000000021: 0000 I
      [   47.510793][ T1008] KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
      [   47.511963][ T1008] CPU: 2 PID: 1008 Comm: bash Not tainted 5.5.0+ #322
      [   47.512823][ T1008] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   47.514041][ T1008] RIP: 0010:__mutex_lock+0x10a/0x14b0
      [   47.514699][ T1008] Code: 08 84 d2 0f 85 7f 12 00 00 44 8b 0d 10 23 65 02 45 85 c9 75 29 49 8d 7f 68 48 b8 00 00 00 0f
      [   47.517163][ T1008] RSP: 0018:ffff888059b4fbb0 EFLAGS: 00010206
      [   47.517802][ T1008] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [   47.518941][ T1008] RDX: 0000000000000021 RSI: ffffffff85926440 RDI: 0000000000000108
      [   47.519732][ T1008] RBP: ffff888059b4fd30 R08: ffffffffc073fad0 R09: 0000000000000000
      [   47.520729][ T1008] R10: ffff888059b4fd50 R11: ffff88804bb38040 R12: 0000000000000000
      [   47.521702][ T1008] R13: dffffc0000000000 R14: ffffffff871976c0 R15: 00000000000000a0
      [   47.522760][ T1008] FS:  00007fd4be05a740(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000
      [   47.523877][ T1008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   47.524627][ T1008] CR2: 0000561c82b69cf0 CR3: 0000000065dd6004 CR4: 00000000000606e0
      [   47.527662][ T1008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   47.528604][ T1008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   47.529531][ T1008] Call Trace:
      [   47.529874][ T1008]  ? nsim_dev_port_add+0x50/0x150 [netdevsim]
      [   47.530470][ T1008]  ? mutex_lock_io_nested+0x1380/0x1380
      [   47.531018][ T1008]  ? _kstrtoull+0x76/0x160
      [   47.531449][ T1008]  ? _parse_integer+0xf0/0xf0
      [   47.531874][ T1008]  ? kernfs_fop_write+0x1cf/0x410
      [   47.532330][ T1008]  ? sysfs_file_ops+0x160/0x160
      [   47.532773][ T1008]  ? kstrtouint+0x86/0x110
      [   47.533168][ T1008]  ? nsim_dev_port_add+0x50/0x150 [netdevsim]
      [   47.533721][ T1008]  nsim_dev_port_add+0x50/0x150 [netdevsim]
      [   47.534336][ T1008]  ? sysfs_file_ops+0x160/0x160
      [   47.534858][ T1008]  new_port_store+0x99/0xb0 [netdevsim]
      [   47.535439][ T1008]  ? del_port_store+0xb0/0xb0 [netdevsim]
      [   47.536035][ T1008]  ? sysfs_file_ops+0x112/0x160
      [   47.536544][ T1008]  ? sysfs_kf_write+0x3b/0x180
      [   47.537029][ T1008]  kernfs_fop_write+0x276/0x410
      [   47.537548][ T1008]  ? __sb_start_write+0x215/0x2e0
      [   47.538110][ T1008]  vfs_write+0x197/0x4a0
      [ ... ]
      
      Fixes: f9d9db47 ("netdevsim: add bus attributes to add new and delete devices")
      Fixes: 794b2c05 ("netdevsim: extend device attrs to support port addition and deletion")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'bnxt_en-Bug-fixes' · 2b5ea294
      Jakub Kicinski authored
      Michael Chan says:
      
      =====================
      bnxt_en: Bug fixes
      
      3 patches that fix some issues in the firmware reset logic, starting
      with a small patch to refactor the code that re-enables SRIOV.  The
      last patch fixes a TC queue mapping issue.
      ====================
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt_en: Fix TC queue mapping. · 18e4960c
      Michael Chan authored
      The driver currently only calls netdev_set_tc_queue when the number of
      TCs is greater than 1.  Instead, the comparison should be greater than
      or equal to 1.  Even with 1 TC, we need to set the queue mapping.
      
      This bug can cause warnings when the number of TCs is changed back to 1.
      
      Fixes: 7809592d ("bnxt_en: Enable MSIX early in bnxt_init_one().")
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt_en: Fix logic that disables Bus Master during firmware reset. · d4073028
      Vasundhara Volam authored
      The current logic that calls pci_disable_device() in __bnxt_close_nic()
      during firmware reset is flawed.  If firmware is still alive, we're
      disabling the device too early, causing some firmware commands to
      not reach the firmware.
      
      Fix it by moving the logic to bnxt_reset_close().  If firmware is
      in fatal condition, we call pci_disable_device() before we free
      any of the rings to prevent DMA corruption of the freed rings.  If
      firmware is still alive, we call pci_disable_device() after the
      last firmware message has been sent.
      
      Fixes: 3bc7d4a3 ("bnxt_en: Add BNXT_STATE_IN_FW_RESET state.")
      Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt_en: Fix RDMA driver failure with SRIOV after firmware reset. · 12de2ead
      Michael Chan authored
      bnxt_ulp_start() needs to be called before SRIOV is re-enabled after
      firmware reset.  Re-enabling SRIOV may consume all the resources and
      may cause the RDMA driver to fail to get MSIX and other resources.
      Fix it by calling bnxt_ulp_start() first before calling
      bnxt_reenable_sriov().
      
      We re-arrange the logic so that we call bnxt_ulp_start() and
      bnxt_reenable_sriov() in proper sequence in bnxt_fw_reset_task() and
      bnxt_open().  The former is the normal coordinated firmware reset sequence
      and the latter is firmware reset while the function is down.  This new
      logic is now more straightforward and will now fix both scenarios.
      
      Fixes: f3a6d206 ("bnxt_en: Call bnxt_ulp_stop()/bnxt_ulp_start() during error recovery.")
      Reported-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt_en: Refactor logic to re-enable SRIOV after firmware reset detected. · c16d4ee0
      Michael Chan authored
      Put the current logic in bnxt_open() to re-enable SRIOV after detecting
      firmware reset into a new function bnxt_reenable_sriov().  This call
      needs to be invoked in the firmware reset path also in the next patch.
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: stmmac: Delete txtimer in suspend() · 14b41a29
      Nicolin Chen authored
      When running v5.5 with a rootfs on NFS, memory abort may happen in
      the system resume stage:
       Unable to handle kernel paging request at virtual address dead00000000012a
       [dead00000000012a] address between user and kernel address ranges
       pc : run_timer_softirq+0x334/0x3d8
       lr : run_timer_softirq+0x244/0x3d8
       x1 : ffff800011cafe80 x0 : dead000000000122
       Call trace:
        run_timer_softirq+0x334/0x3d8
        efi_header_end+0x114/0x234
        irq_exit+0xd0/0xd8
        __handle_domain_irq+0x60/0xb0
        gic_handle_irq+0x58/0xa8
        el1_irq+0xb8/0x180
        arch_cpu_idle+0x10/0x18
        do_idle+0x1d8/0x2b0
        cpu_startup_entry+0x24/0x40
        secondary_start_kernel+0x1b4/0x208
       Code: f9000693 a9400660 f9000020 b4000040 (f9000401)
       ---[ end trace bb83ceeb4c482071 ]---
       Kernel panic - not syncing: Fatal exception in interrupt
       SMP: stopping secondary CPUs
       SMP: failed to stop secondary CPUs 2-3
       Kernel Offset: disabled
       CPU features: 0x00002,2300aa30
       Memory Limit: none
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      It's found that stmmac_xmit() and stmmac_resume() sometimes might
      run concurrently, possibly resulting in a race condition between
      mod_timer() and setup_timer(), being called by stmmac_xmit() and
      stmmac_resume() respectively.
      
      Since the resume() runs setup_timer() every time, it'd be safer to
      have del_timer_sync() in the suspend() as the counterpart.
      Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'rxrpc-fixes-20200203' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 3d80c653
      Jakub Kicinski authored
      David Howells says:
      
      ====================
      RxRPC fixes
      
      Here are a number of fixes for AF_RXRPC:
      
       (1) Fix a potential use after free in rxrpc_put_local() where it was
           accessing the object just put to get tracing information.
      
       (2) Fix insufficient notifications being generated by the function that
           queues data packets on a call.  This occasionally causes recvmsg() to
           stall indefinitely.
      
       (3) Fix a number of packet-transmitting work functions to hold an active
           count on the local endpoint so that the UDP socket doesn't get
           destroyed whilst they're calling kernel_sendmsg() on it.
      
       (4) Fix a NULL pointer deref that stemmed from a call's connection pointer
           being cleared when the call was disconnected.
      
      Changes:
      
       v2: Removed a couple of BUG() statements that got added.
      ====================
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect · 5273a191
      David Howells authored
      When a call is disconnected, the connection pointer from the call is
      cleared to make sure it isn't used again and to prevent further attempted
      transmission for the call.  Unfortunately, there might be a daemon trying
      to use it at the same time to transmit a packet.
      
      Fix this by keeping call->conn set, but setting a flag on the call to
      indicate disconnection instead.
      
      Remove also the bits in the transmission functions where the conn pointer is
      checked and a ref taken under spinlock as this is now redundant.
      
      Fixes: 8d94aa38 ("rxrpc: Calls shouldn't hold socket refs")
      Signed-off-by: David Howells <dhowells@redhat.com>
  2. 02 Feb, 2020 4 commits
    • Merge branch 'Fix-reconnection-latency-caused-by-FIN-ACK-handling-race' · 83d0585f
      Jakub Kicinski authored
      SeongJae Park says:
      
      ====================
      Fix reconnection latency caused by FIN/ACK handling race
      
      The first patch fixes the problem by adjusting the first resend delay of
      the SYN in the case.  The second one adds a user space test to reproduce
      this problem.
      
      From v2
      (https://lore.kernel.org/linux-kselftest/20200201071859.4231-1-sj38.park@gmail.com/)
       - Use TCP_TIMEOUT_MIN as reduced delay (Neal Cardwell)
       - Add Reviewed-by and Signed-off-by from Eric Dumazet
      
      From v1
      (https://lore.kernel.org/linux-kselftest/20200131122421.23286-1-sjpark@amazon.com/)
       - Drop the trivial comment fix patch (Eric Dumazet)
       - Limit the delay adjustment to only the first SYN resend (Eric Dumazet)
       - selftest: Avoid use of hard-coded port number (Eric Dumazet)
       - Explain RST/ACK and FIN/ACK has no big difference (Neal Cardwell)
      ====================
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • selftests: net: Add FIN_ACK processing order related latency spike test · af8c8a45
      SeongJae Park authored
      This commit adds a test for FIN_ACK process races related reconnection
      latency spike issues.  The issue has been described and solved by the
      previous commit ("tcp: Reduce SYN resend delay if a suspicous ACK is
      received").

      The test program is configured with a server and a client process.  The
      server creates and binds a socket to a port that is dynamically allocated,
      listens on it, and starts an infinite loop.  Inside the loop, it accepts
      a connection, reads 4 bytes from the socket, and closes the connection.
      The client is constructed as an infinite loop.  Inside the loop, it
      creates a socket with LINGER and NODELAY options, connects to the server,
      sends 4 bytes of data, and tries to read some data from the server.  After
      the read() returns, it measures the latency from the beginning of this loop
      to this point and if the latency is larger than 1 second (spike), prints a
      message.
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: Reduce SYN resend delay if a suspicous ACK is received · 9603d47b
      SeongJae Park authored
      When closing a connection, the two acks that are required to change closing
      socket's status to FIN_WAIT_2 and then TIME_WAIT could be processed in
      reverse order.  This is possible in RSS disabled environments such as a
      connection inside a host.

      For example, expected state transitions and required packets for the
      disconnection will be similar to the flow below.
      
      	 00 (Process A)				(Process B)
      	 01 ESTABLISHED				ESTABLISHED
      	 02 close()
      	 03 FIN_WAIT_1
      	 04 		---FIN-->
      	 05 					CLOSE_WAIT
      	 06 		<--ACK---
      	 07 FIN_WAIT_2
      	 08 		<--FIN/ACK---
      	 09 TIME_WAIT
      	 10 		---ACK-->
      	 11 					LAST_ACK
      	 12 CLOSED				CLOSED
      
      In some cases such as LINGER option applied socket, the FIN and FIN/ACK
      will be substituted to RST and RST/ACK, but there is no difference in
      the main logic.
      
      The acks in lines 6 and 8 are the acks.  If the line 8 packet is
      processed before the line 6 packet, it will be just ignored as it is not
      an expected packet, and the later process of the line 6 packet will
      change the status of Process A to FIN_WAIT_2, but as it has already
      handled line 8 packet, it will not go to TIME_WAIT and thus will not
      send the line 10 packet to Process B.  Thus, Process B will be left in
      CLOSE_WAIT status, as below.
      
      	 00 (Process A)				(Process B)
      	 01 ESTABLISHED				ESTABLISHED
      	 02 close()
      	 03 FIN_WAIT_1
      	 04 		---FIN-->
      	 05 					CLOSE_WAIT
      	 06 				(<--ACK---)
      	 07	  			(<--FIN/ACK---)
      	 08 				(fired in right order)
      	 09 		<--FIN/ACK---
      	 10 		<--ACK---
      	 11 		(processed in reverse order)
      	 12 FIN_WAIT_2
      
      Later, if the Process B sends SYN to Process A for reconnection using
      the same port, Process A will respond with an ACK for the last flow,
      which has no increased sequence number.  Thus, Process A will send RST,
      wait for TIMEOUT_INIT (one second in default), and then try
      reconnection.  If reconnections are frequent, the one second latency
      spikes can be a big problem.  Below are tcpdump results of the problem:
      
          14.436259 IP 127.0.0.1.45150 > 127.0.0.1.4242: Flags [S], seq 2560603644
          14.436266 IP 127.0.0.1.4242 > 127.0.0.1.45150: Flags [.], ack 5, win 512
          14.436271 IP 127.0.0.1.45150 > 127.0.0.1.4242: Flags [R], seq 2541101298
          /* ONE SECOND DELAY */
          15.464613 IP 127.0.0.1.45150 > 127.0.0.1.4242: Flags [S], seq 2560603644
      
      This commit mitigates the problem by reducing the delay for the next SYN
      if the suspicious ACK is received while in SYN_SENT state.
      
      Following commit will add a selftest, which can be also helpful for
      understanding of this issue.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • MAINTAINERS: correct entries for ISDN/mISDN section · dff6bc1b
      Lukas Bulwahn authored
      Commit 6d979850 ("isdn: move capi drivers to staging") cleaned up the
      isdn drivers and split the MAINTAINERS section for ISDN, but missed to add
      the terminal slash for the two directories mISDN and hardware. Hence, all
      files in those directories were not part of the new ISDN/mISDN SUBSYSTEM,
      but were considered to be part of "THE REST".
      
      Rectify the situation, and while at it, also complete the section with two
      further build files that belong to that subsystem.
      
      This was identified with a small script that finds all files belonging to
      "THE REST" according to the current MAINTAINERS file, and I investigated
      upon its output.
      
      Fixes: 6d979850 ("isdn: move capi drivers to staging")
      Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 01 Feb, 2020 9 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · b7c3a17c
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix suspicious RCU usage in ipset, from Jozsef Kadlecsik.
      
      2) Use kvcalloc, from Joe Perches.
      
      3) Flush flowtable hardware workqueue after garbage collection run,
         from Paul Blakey.
      
      4) Missing flowtable hardware workqueue flush from nf_flow_table_free(),
         also from Paul.
      
      5) Restore NF_FLOW_HW_DEAD in flow_offload_work_del(), from Paul.
      
      6) Flowtable documentation fixes, from Matteo Croce.
      ====================
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • cls_rsvp: fix rsvp_policy · cb3c0e6b
      Eric Dumazet authored
      NLA_BINARY can be confusing, since .len value represents
      the max size of the blob.
      
      cls_rsvp really wants user space to provide long enough data
      for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
      
      BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
      BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
      BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
      CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       rsvp_get net/sched/cls_rsvp.h:258 [inline]
       gen_handle net/sched/cls_rsvp.h:402 [inline]
       rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
       tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
       rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45b349
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2774 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6fa8c014 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • MAINTAINERS: Orphan HSR network protocol · e8d5bb4d
      Sven Eckelmann authored
      The current maintainer Arvid Brodin <arvid.brodin@alten.se> hasn't
      contributed to the kernel since 2015-02-27. His company mail address is
      also bouncing and the company confirmed (2020-01-31) that no Arvid Brodin
      is working for them:
      
      > Unfortunately, we have no Arvid Brodin working at ALTEN.

      A MIA person cannot be the maintainer. It is better to mark it as orphaned
      until some other person can jump in and take over the responsibility for
      HSR.
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • qed: Fix a error code in qed_hw_init() · d32a06f5
      Dan Carpenter authored
      If the qed_fw_overlay_mem_alloc() then we should return -ENOMEM instead
      of success.
      
      Fixes: 30d5f858 ("qed: FW 8.42.2.0 Add fw overlay feature")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • octeontx2-pf: Fix an IS_ERR() vs NULL bug · 08ff7818
      Dan Carpenter authored
      The otx2_mbox_get_rsp() function never returns NULL, it returns error
      pointers on error.
      
      Fixes: 34bfe0eb ("octeontx2-pf: MTU, MAC and RX mode config support")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: clear tp->segs_{in|out} in tcp_disconnect() · 784f8344
      Eric Dumazet authored
      tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 2efd055c ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: clear tp->data_segs{in|out} in tcp_disconnect() · db7ffee6
      Eric Dumazet authored
      tp->data_segs_in and tp->data_segs_out need to be cleared
      in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: a44d6eac ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: clear tp->delivered in tcp_disconnect() · 2fbdd562
      Eric Dumazet authored
      tp->delivered needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: ddf1af6f ("tcp: new delivery accounting")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: clear tp->total_retrans in tcp_disconnect() · c13c48c0
      Eric Dumazet authored
      total_retrans needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  4. 31 Jan, 2020 10 commits
  5. 30 Jan, 2020 8 commits
    • rxrpc: Fix missing active use pinning of rxrpc_local object · 04d36d74
      David Howells authored
      The introduction of a split between the reference count on rxrpc_local
      objects and the usage count didn't quite go far enough.  A number of kernel
      work items need to make use of the socket to perform transmission.  These
      also need to get an active count on the local object to prevent the socket
      from being closed.
      
      Fix this by getting the active count in those places.
      
      Also split out the raw active count get/put functions as these places tend
      to hold refs on the rxrpc_local object already, so getting and putting an
      extra object ref is just a waste of time.
      
      The problem can lead to symptoms like:
      
          BUG: kernel NULL pointer dereference, address: 0000000000000018
          ..
          CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51
          ...
          RIP: 0010:selinux_socket_sendmsg+0x5/0x13
          ...
          Call Trace:
           security_socket_sendmsg+0x2c/0x3e
           sock_sendmsg+0x1a/0x46
           rxrpc_send_keepalive+0x131/0x1ae
           rxrpc_peer_keepalive_worker+0x219/0x34b
           process_one_work+0x18e/0x271
           worker_thread+0x1a3/0x247
           kthread+0xe6/0xeb
           ret_from_fork+0x1f/0x30
      
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix insufficient receive notification generation · f71dbf2f
      David Howells authored
      In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
      number of the packet is immediately following the hard-ack point at the end
      of the function.  However, this isn't sufficient, since the recvmsg side
      may have been advancing the window and then overrun the position in which
      we're adding - at which point rx_hard_ack >= seq0 and no notification is
      generated.
      
      Fix this by always generating a notification at the end of the input
      function.
      
      Without this, a long call may stall, possibly indefinitely.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: David Howells <dhowells@redhat.com>
      f71dbf2f
    • rxrpc: Fix use-after-free in rxrpc_put_local() · fac20b9e
      David Howells authored
      Fix rxrpc_put_local() to not access local->debug_id after calling
      atomic_dec_return() as, unless that returned n==0, we no longer have the
      right to access the object.
      
      Fixes: 06d9532f ("rxrpc: Fix read-after-free in rxrpc_queue_local()")
      Signed-off-by: David Howells <dhowells@redhat.com>
      fac20b9e
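The ordering problem described in the rxrpc_put_local() commit message above, as an added userspace example (not the kernel's code and not part of the commit). `struct local`, `local_put()`, `local_put_racy()` and the `traced_*` variables are hypothetical stand-ins for the kernel object, its put function and its tracepoint.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical userspace stand-in for a refcounted kernel object. */
struct local {
    atomic_int usage;
    unsigned int debug_id;
};

/* Stand-in for a tracepoint: records the last put that was traced. */
unsigned int traced_id;
int traced_count, destroyed;

struct local *local_new(unsigned int id)
{
    struct local *l = malloc(sizeof(*l));
    if (!l) return NULL;
    atomic_init(&l->usage, 1);
    l->debug_id = id;
    return l;
}

void local_get(struct local *l) { atomic_fetch_add(&l->usage, 1); }

/* Racy ordering: once the count is dropped and n != 0, another holder may
 * drop the last ref and free the object before l->debug_id is read. */
int local_put_racy(struct local *l)
{
    int n = atomic_fetch_sub(&l->usage, 1) - 1;
    traced_id = l->debug_id;        /* use-after-free window when n != 0 */
    traced_count = n;
    if (n == 0) { destroyed++; free(l); }
    return n;
}

/* Safe ordering: copy what the trace needs while our ref pins the object. */
int local_put(struct local *l)
{
    unsigned int debug_id = l->debug_id;
    int n = atomic_fetch_sub(&l->usage, 1) - 1;
    traced_id = debug_id;           /* saved copy only; l is not touched */
    traced_count = n;
    if (n == 0) { destroyed++; free(l); }
    return n;
}

int main(void)
{
    struct local *l = local_new(7); /* constructed sample id */
    if (!l) return 1;
    local_get(l);
    local_put(l);                   /* n == 1, object stays alive */
    return local_put(l) != 0;       /* n == 0, object freed */
}
```

Single-threaded, both functions behave the same; the racy form only misbehaves when a second holder frees the object between the decrement and the `debug_id` read, which is why such bugs usually surface under KASAN or stress tests rather than in ordinary runs.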
    • Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm · 9f68e365
      Linus Torvalds authored
      Pull drm updates from Dave Airlie:
       "This is the main pull request for graphics for 5.6. Usual selection of
        changes all over.
      
        I've got one outstanding vmwgfx pull that touches mm so kept it
        separate until after all of this lands. I'll try and get it to you
        soon after this, but it might be early next week (nothing wrong with
        code, just my schedule is messy)
      
        This also hits a lot of fbdev drivers with some cleanups.
      
        Other notables:
         - vulkan timeline semaphore support added to syncobjs
         - nouveau turing secureboot/graphics support
         - Displayport MST display stream compression support
      
        Detailed summary:
      
        uapi:
         - dma-buf heaps added (and fixed)
         - command line add support for panel orientation
         - command line allow overriding penguin count
      
        drm:
         - mipi dsi definition updates
         - lockdep annotations for dma_resv
         - remove dma-buf kmap/kunmap support
         - constify fb_ops in all fbdev drivers
         - MST fix for daisy chained hotplug
         - CTA-861-G modes with VIC >= 193 added
         - fix drm_panel_of_backlight export
         - LVDS decoder support
         - more device based logging support
         - scanline alignment for dumb buffers
         - MST DSC helpers
      
        scheduler:
         - documentation fixes
         - job distribution improvements
      
        panel:
         - Logic PD type 28 panel support
         - Jimax8729d MIPI-DSI
         - Ingenic JZ4770
         - generic DSI devicetree bindings
         - sony acx424AKP panel
         - Leadtek LTK500HD1829
         - xinpeng XPP055C272
         - AUO B116XAK01
         - GiantPlus GPM940B0
         - BOE NV140FHM-N49
         - Satoz SAT050AT40H12R2
         - Sharp LS020B1DD01D panels.
      
        ttm:
         - use blocking WW lock
      
        i915:
         - hw/uapi state separation
         - Lock annotation improvements
         - selftest improvements
         - ICL/TGL DSI VDSC support
         - VBT parsing improvements
         - Display refactoring
         - DSI updates + fixes
         - HDCP 2.2 for CFL
         - CML PCI ID fixes
         - GLK+ fbc fix
         - PSR fixes
         - GEN/GT refactor improvements
         - DP MST fixes
         - switch context id alloc to xarray
         - workaround updates
         - LMEM debugfs support
         - tiled monitor fixes
         - ICL+ clock gating programming removed
         - DP MST disable sequence fixed
         - LMEM discontiguous object maps
         - prefaulting for discontiguous objects
         - use LMEM for dumb buffers if possible
         - add LMEM mmap support
      
        amdgpu:
         - enable sync object timelines for vulkan
         - MST atomic routines
         - enable MST DSC support
         - add DMCUB display microengine support
         - DC OEM i2c support
         - Renoir DC fixes
         - Initial HDCP 2.x support
         - BACO support for Arcturus
         - Use BACO for runtime PM power save
         - gfxoff on navi10
         - gfx10 golden updates and fixes
         - DCN support on POWER
         - GFXOFF for raven1 refresh
         - MM engine idle handlers cleanup
         - 10bpc EDP panel fixes
         - renoir watermark fixes
         - SR-IOV fixes
         - Arcturus VCN fixes
         - GDDR6 training fixes
         - freesync fixes
         - Pollock support
      
        amdkfd:
         - unify more codepath with amdgpu
         - use KIQ to setup HIQ rather than MMIO
      
        radeon:
         - fix vma fault handler race
         - PPC DMA fix
         - register check fixes for r100/r200
      
        nouveau:
         - mmap_sem vs dma_resv fix
         - rewrite the ACR secure boot code for Turing
         - TU10x graphics engine support (TU11x pending)
         - Page kind mapping for turing
         - 10-bit LUT support
         - GP10B Tegra fixes
         - HD audio regression fix
      
        hisilicon/hibmc:
         - use generic fbdev code and helpers
      
        rockchip:
         - dsi/px30 support
      
        virtio:
         - fb damage support
         - static some functions
      
        vc4:
         - use dma_resv lock wrappers
      
        msm:
         - use dma_resv lock wrappers
         - sc7180 display + DSI support
         - a618 support
         - UBWC support improvements
      
        vmwgfx:
         - updates + new logging uapi
      
        exynos:
         - enable/disable callback cleanups
      
        etnaviv:
         - use dma_resv lock wrappers
      
        atmel-hlcdc:
         - clock fixes
      
        mediatek:
         - cmdq support
         - non-smooth cursor fixes
         - ctm property support
      
        sun4i:
         - suspend support
         - A64 mipi dsi support
      
        rcar-du:
         - Color management module support
         - LVDS encoder dual-link support
         - R8A77980 support
      
        analogic:
         - add support for an6345
      
        ast:
         - atomic modeset support
         - primary plane garbage fix
      
        arcgpu:
         - fixes for fourcc handling
      
        tegra:
         - minor fixes and improvements
      
        mcde:
         - vblank support
      
        meson:
         - OSD1 plane AFBC commit
      
        gma500:
         - add pageflip support
         - remove global drm_dev
      
        komeda:
         - tweak debugfs output
         - d32 support
         - runtime PM support
      
        udl:
         - use generic shmem helpers
         - cleanup and fixes"
      
      * tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm: (1998 commits)
        drm/nouveau/fb/gp102-: allow module to load even when scrubber binary is missing
        drm/nouveau/acr: return error when registering LSF if ACR not supported
        drm/nouveau/disp/gv100-: not all channel types support reporting error codes
        drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
        drm/nouveau: support synchronous pushbuf submission
        drm/nouveau: signal pending fences when channel has been killed
        drm/nouveau: reject attempts to submit to dead channels
        drm/nouveau: zero vma pointer even if we only unreference it rather than free
        drm/nouveau: Add HD-audio component notifier support
        drm/nouveau: fix build error without CONFIG_IOMMU_API
        drm/nouveau/kms/nv04: remove set but not used variable 'width'
        drm/nouveau/kms/nv50: remove set but not unused variable 'nv_connector'
        drm/nouveau/mmu: fix comptag memory leak
        drm/nouveau/gr/gp10b: Use gp100_grctx and gp100_gr_zbc
        drm/nouveau/pmu/gm20b,gp10b: Fix Falcon bootstrapping
        drm/exynos: Rename Exynos to lowercase
        drm/exynos: change callback names
        drm/mst: Don't do atomic checks over disabled managers
        drm/amdgpu: add the lost mutex_init back
        drm/amd/display: skip opp blank or unblank if test pattern enabled
        ...
      9f68e365
    • Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply · 4cadc60d
      Linus Torvalds authored
      Pull power supply and reset updates from Sebastian Reichel:
       "Core:
         - Add battery internal resistance temperature table support
      
        Drivers:
         - sc27xx: Optimize the battery resistance with measuring temperature
         - max17042-battery: Add MAX17055 support
         - bq25890-charger: Add support of BQ25892 and BQ25896 chips
         - misc fixes"
      
      * tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: (44 commits)
        power: supply: ipaq_micro_battery: remove unneeded semicolon
        power: supply: bq25890_charger: fix incorrect error return when bq25890_field_read fails
        power: supply: axp20x_usb_power: Only poll while offline
        power: supply: axp20x_usb_power: Add wakeup control
        power: supply: axp20x_usb_power: Allow offlining
        power: supply: axp20x_usb_power: Use a match structure
        power: suppy: ucs1002: Make the symbol 'ucs1002_regulator_enable' static
        power: reset: at91-poweroff: use proper master clock register offset
        power: reset: at91-poweroff: introduce struct shdwc_reg_config
        power: supply: bq25890_charger: Add DT and I2C ids for all supported chips
        dt-bindings: Add new chips to bq25890 binding documentation
        power: supply: bq25890_charger: Add support of BQ25892 and BQ25896 chips
        power: supply: core: Update sysfs-class-power ABI document
        power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity()
        power: supply: ltc2941-battery-gauge: fix use-after-free
        power: supply: max17040: Correct IRQ wake handling
        power: supply: axp20x_usb_power: Remove unused device_node
        power: supply: axp20x_ac_power: Add wakeup control
        power: supply: axp20x_ac_power: Allow offlining
        power: supply: axp20x_ac_power: Fix reporting online status
        ...
      4cadc60d
    • Merge tag 'devicetree-for-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 893e591b
      Linus Torvalds authored
      Pull devicetree updates from Rob Herring:
      
       - Update dtc to upstream v1.5.1-22-gc40aeb60b47a (plus 1 revert)
      
       - Fix for DMA coherent devices on Power
      
       - Rework and simplify the DT phandle cache code
      
       - DT schema conversions for LEDS, gpio-leds, STM32 dfsdm, STM32 UART,
         STM32 ROMEM, STM32 watchdog, STM32 DMAs, STM32 mlahb, STM32 RTC,
         STM32 RCC, STM32 syscon, rs485, Renesas rCar CSI2, Faraday FTIDE010,
         DWC2, Arm idle-states, Allwinner legacy resets, PRCM and clocks,
         Allwinner H6 OPP, Allwinner AHCI, Allwinner MBUS, Allwinner A31 CSI,
         Allwinner h/w codec, Allwinner A10 system ctrl, Allwinner SRAM,
         Allwinner USB PHY, Renesas CEU, generic PCI host, Arm Versatile PCI
      
       - New binding schemas for SATA and PATA controllers, TI and Infineon VR
         controllers, MAX31730
      
       - New compatible strings for i.MX8QM, WCN3991, renesas,r8a77961-wdt,
         renesas,etheravb-r8a77961
      
       - Add USB 'super-speed-plus' as a documented speed
      
       - Vendor prefixes for broadmobi, calaosystems, kam, and mps
      
       - Clean-up the multiple flavors of ST-Ericsson vendor prefixes
      
      * tag 'devicetree-for-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: (66 commits)
        scripts/dtc: Revert "yamltree: Ensure consistent bracketing of properties with phandles"
        of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
        dt-bindings: leds: Convert gpio-leds to DT schema
        dt-bindings: leds: Convert common LED binding to schema
        dt-bindings: PCI: Convert generic host binding to DT schema
        dt-bindings: PCI: Convert Arm Versatile binding to DT schema
        dt-bindings: Be explicit about installing deps
        dt-bindings: stm32: convert dfsdm to json-schema
        dt-bindings: serial: Convert STM32 UART to json-schema
        dt-bindings: serial: Convert rs485 bindings to json-schema
        dt-bindings: timer: Use non-empty ranges in example
        dt-bindings: arm-boards: typo fix
        dt-bindings: Add TI and Infineon VR Controllers as trivial devices
        dt-binding: usb: add "super-speed-plus"
        dt-bindings: rcar-csi2: Convert bindings to json-schema
        dt-bindings: iio: adc: ad7606: Fix wrong maxItems value
        dt-bindings: Convert Faraday FTIDE010 to DT schema
        dt-bindings: Create DT bindings for PATA controllers
        dt-bindings: Create DT bindings for SATA controllers
        dt: bindings: add vendor prefix for Kamstrup A/S
        ...
      893e591b
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1c715a65
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Various mptcp fixups from Florian Westphal and Geert Uytterhoeven.
      
       2) Don't clear the node/port GUIDs after we've assigned the correct
          values to them. From Leon Romanovsky.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net:
        net/core: Do not clear VF index for node/port GUIDs query
        mptcp: Fix undefined mptcp_handle_ipv6_mapped for modular IPV6
        net: drop_monitor: Use kstrdup
        udp: document udp_rcv_segment special case for looped packets
        mptcp: MPTCP_HMAC_TEST should depend on MPTCP
        mptcp: Fix incorrect IPV6 dependency check
        Revert "MAINTAINERS: mptcp@ mailing list is moderated"
        mptcp: handle tcp fallback when using syn cookies
        mptcp: avoid a lockdep splat when mcast group was joined
        mptcp: fix panic on user pointer access
        mptcp: defer freeing of cached ext until last moment
        net: mvneta: fix XDP support if sw bm is used as fallback
        sch_choke: Use kvcalloc
        mptcp: Fix build with PROC_FS disabled.
        MAINTAINERS: mptcp@ mailing list is moderated
      1c715a65
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide · 5e237e8c
      Linus Torvalds authored
      Pull IDE updates from David Miller:
      
       1) Fix mem region name in tx4949ide driver, from Christophe JAILLET.
      
       2) Make drive->dn read only, it should not be changeable by users. From
          Dan Carpenter.
      
       3) Several cast fixups from Krzysztof Kozlowski.
      
      There is also going to be a removal of a now unused IDE driver, but that
      will come via the MIPS tree.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide:
        ide: make drive->dn read only
        ide: serverworks: potential overflow in svwks_set_pio_mode()
        cmd64x: potential buffer overflow in cmd64x_program_timings()
        ide: remove unneeded header include path to drivers/ide
        ide: qd65xx: Fix cast to pointer from integer of different size
        ide: ht6560b: Fix cast to pointer from integer of different size
        ide: remove set but not used variable 'hwif'
        ide: remove unnecessary touch_softlockup_watchdog
        ide: tx4939ide: Fix the name used in a 'devm_request_mem_region()' call
        ide: Use dev_get_drvdata where possible
      5e237e8c