1. 27 Apr, 2017 4 commits
    • Merge tag 'ceph-for-4.11-rc9' of git://github.com/ceph/ceph-client · 19ac4474
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "A fix for a kernel stack overflow bug in ceph setattr code, marked for
        stable"
      
      * tag 'ceph-for-4.11-rc9' of git://github.com/ceph/ceph-client:
        ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
      19ac4474
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · f56fc7bd
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
      
       - fix orangefs handling of faults on write() - I'd missed that one back
         when orangefs was going through review.
      
       - readdir counterpart of "9p: cope with bogus responses from server in
         p9_client_{read,write}" - server might be lying or broken, and we'd
         better not overrun the kmalloc'ed buffer we are copying the results
         into.
      
       - NFS O_DIRECT read/write can leave iov_iter advanced by too much;
         that's what had been causing iov_iter_pipe() warnings davej had been
         seeing.
      
       - statx_timestamp.tv_nsec type fix (s32 -> u32). That one really should
         go in before 4.11.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        uapi: change the type of struct statx_timestamp.tv_nsec to unsigned
        fix nfs O_DIRECT advancing iov_iter too much
        p9_client_readdir() fix
        orangefs_bufmap_copy_from_iovec(): fix EFAULT handling
      f56fc7bd
    • statx: correct error handling of NULL pathname · 59372bbf
      Michael Kerrisk (man-pages) authored
      The change in commit 1e2f82d1 ("statx: Kill fd-with-NULL-path
      support in favour of AT_EMPTY_PATH") to error on a NULL pathname to
      statx() is inconsistent.
      
      It results in the error EINVAL for a NULL pathname.  Other system calls
      with similar APIs (fchownat(), fstatat(), linkat()) return EFAULT.
      
      The solution is simply to remove the EINVAL check.  As I already pointed
      out in [1], user_path_at*() and filename_lookup() will handle the NULL
      pathname as per the other APIs, to correctly produce the error EFAULT.
      
      [1] https://lkml.org/lkml/2017/4/26/561

      Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Sandeen <sandeen@sandeen.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      59372bbf
    • uapi: change the type of struct statx_timestamp.tv_nsec to unsigned · 1741937d
      Dmitry V. Levin authored
      The comment asserting that the value of struct statx_timestamp.tv_nsec
      must be negative when statx_timestamp.tv_sec is negative, is wrong, as
      could be seen from the following example:
      
      	#define _FILE_OFFSET_BITS 64
      	#include <assert.h>
      	#include <fcntl.h>
      	#include <stdio.h>
      	#include <sys/stat.h>
      	#include <unistd.h>
      	#include <asm/unistd.h>
      	#include <linux/stat.h>
      
      	int main(void)
      	{
      		static const struct timespec ts[2] = {
      			{ .tv_nsec = UTIME_OMIT },
      			{ .tv_sec = -2, .tv_nsec = 42 }
      		};
      		assert(utimensat(AT_FDCWD, ".", ts, 0) == 0);
      
      		struct stat st;
      		assert(stat(".", &st) == 0);
      		printf("st_mtim.tv_sec = %lld, st_mtim.tv_nsec = %lu\n",
      		       (long long) st.st_mtim.tv_sec,
      		       (unsigned long) st.st_mtim.tv_nsec);
      
      		struct statx stx;
      		assert(syscall(__NR_statx, AT_FDCWD, ".", 0, 0, &stx) == 0);
      		printf("stx_mtime.tv_sec = %lld, stx_mtime.tv_nsec = %lu\n",
      		       (long long) stx.stx_mtime.tv_sec,
      		       (unsigned long) stx.stx_mtime.tv_nsec);
      
      		return 0;
      	}
      
      It expectedly prints:
      st_mtim.tv_sec = -2, st_mtim.tv_nsec = 42
      stx_mtime.tv_sec = -2, stx_mtime.tv_nsec = 42
      
      The more generic comment asserting that the value of struct
      statx_timestamp.tv_nsec might be negative is confusing to say the least.
      
      It contradicts both the struct stat.st_[acm]time_nsec tradition and
      struct timespec.tv_nsec requirements in utimensat syscall.
      If statx syscall ever returns a stx_[acm]time containing a negative
      tv_nsec that cannot be passed unmodified to utimensat syscall,
      it will cause immense confusion.
      
      Fix this source of confusion by changing the type of struct
      statx_timestamp.tv_nsec from __s32 to __u32.
      
      Fixes: a528d35e ("statx: Add a system call to make enhanced file info available")
      Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: linux-api@vger.kernel.org
      cc: mtk.manpages@gmail.com
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      1741937d
  2. 26 Apr, 2017 11 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · f8324608
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "I didn't want the release to go out without the statx system call
        properly hooked up"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Update syscall tables.
        sparc64: Fill in rest of HAVE_REGS_AND_STACK_ACCESS_API
      f8324608
    • statx: Kill fd-with-NULL-path support in favour of AT_EMPTY_PATH · 1e2f82d1
      David Howells authored
      With the new statx() syscall, the following both allow the attributes of
      the file attached to a file descriptor to be retrieved:
      
      	statx(dfd, NULL, 0, ...);
      
      and:
      
      	statx(dfd, "", AT_EMPTY_PATH, ...);
      
      Change the code to reject the first option, though this means copying
      the path and engaging pathwalk for the fstat() equivalent.  dfd can be a
      non-directory provided path is "".
      
      [ The timing of this isn't wonderful, but applying this now before we
        have statx() in any released kernel, before anybody starts using the
        NULL special case.    - Linus ]
      
      Fixes: a528d35e ("statx: Add a system call to make enhanced file info available")
      Reported-by: Michael Kerrisk <mtk.manpages@gmail.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Eric Sandeen <sandeen@sandeen.net>
      cc: fstests@vger.kernel.org
      cc: linux-api@vger.kernel.org
      cc: linux-man@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      1e2f82d1
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fc08b197
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) MLX5 bug fixes from Saeed Mahameed et al:
           - released wrong resources when firmware timeout happens
           - fix wrong check for encapsulation size limits
           - UAR memory leak
           - ETHTOOL_GRXCLSRLALL failed to fill in info->data
      
       2) Don't cache l3mdev on mis-matched local route, causes net devices to
          leak refs. From Robert Shearman.
      
       3) Handle fragmented SKBs properly in macsec driver, the problem is
          that we were mis-sizing the sgvec table. From Jason A. Donenfeld.
      
       4) We cannot have checksum offload enabled for inner UDP tunneled
          packet during IPSEC, from Ansis Atteka.
      
       5) Fix double SKB free in ravb driver, from Dan Carpenter.
      
       6) Fix CPU port handling in b53 DSA driver, from Florian Dainelli.
      
       7) Don't use on-stack buffers for usb_control_msg() in CAN usb driver,
          from Maksim Salau.
      
       8) Fix device leak in macvlan driver, from Herbert Xu. We have to purge
          the broadcast queue properly on port destroy.
      
       9) Fix tx ring entry limit on EF10 devices in sfc driver. From Bert
          Kenward.
      
      10) Fix memory leaks in team driver, from Pan Bian.
      
      11) Don't setup ipv6_stub before it can be actually used, from Paolo
          Abeni.
      
      12) Fix tipc socket flow control accounting, from Parthasarathy
          Bhuvaragan.
      
      13) Fix crash on module unload in hso driver, from Andreas Kemnade.
      
      14) Fix purging of bridge multicast entries, the problem is that if we
          don't defer it to ndo_uninit it's possible for new entries to get
          added after we purge. Fix from Xin Long.
      
      15) Don't return garbage for PACKET_HDRLEN getsockopt, from Alexander
          Potapenko.
      
      16) Fix autoneg stall properly in PHY layer, and revert micrel driver
          change that was papering over it. From Alexander Kochetkov.
      
      17) Don't dereference an ipv4 route as an ipv6 one in the ip6_tunnel
          code, from Cong Wang.
      
      18) Clear out the congestion control private of the TCP socket in all of
          the right places, from Wei Wang.
      
      19) rawv6_ioctl measures SKB length incorrectly, fix from Jamie
          Bainbridge.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        ipv6: check raw payload size correctly in ioctl
        tcp: memset ca_priv data to 0 properly
        ipv6: check skb->protocol before lookup for nexthop
        net: core: Prevent from dereferencing null pointer when releasing SKB
        macsec: dynamically allocate space for sglist
        Revert "phy: micrel: Disable auto negotiation on startup"
        net: phy: fix auto-negotiation stall due to unavailable interrupt
        net/packet: check length in getsockopt() called with PACKET_HDRLEN
        net: ipv6: regenerate host route if moved to gc list
        bridge: move bridge multicast cleanup to ndo_uninit
        ipv6: fix source routing
        qed: Fix error in the dcbx app meta data initialization.
        netvsc: fix calculation of available send sections
        net: hso: fix module unloading
        tipc: fix socket flow control accounting error at tipc_recv_stream
        tipc: fix socket flow control accounting error at tipc_send_stream
        ipv6: move stub initialization after ipv6 setup completion
        team: fix memory leaks
        sfc: tx ring can only have 2048 entries for all EF10 NICs
        macvlan: Fix device ref leak when purging bc_queue
        ...
      fc08b197
    • ipv6: check raw payload size correctly in ioctl · 105f5528
      Jamie Bainbridge authored
      In situations where an skb is paged, the transport header pointer and
      tail pointer can be the same because the skb contents are in frags.
      
      This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
      length of 0 when the length to receive is actually greater than zero.
      
      skb->len is already correctly set in ip6_input_finish() with
      pskb_pull(), so use skb->len as it always returns the correct result
      for both linear and paged data.
      Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      105f5528
    • tcp: memset ca_priv data to 0 properly · c1201444
      Wei Wang authored
      Always zero out ca_priv data in tcp_assign_congestion_control() so that
      ca_priv data is cleared out during socket creation.
      Also always zero out ca_priv data in tcp_reinit_congestion_control() so
      that when cc algorithm is changed, ca_priv data is cleared out as well.
      We should still zero out ca_priv data even in TCP_CLOSE state because
      user could call connect() on AF_UNSPEC to disconnect the socket and
      leave it in TCP_CLOSE state and later call setsockopt() to switch cc
      algorithm on this socket.
      
      Fixes: 2b0a8c9e ("tcp: add CDG congestion control")
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Wei Wang <weiwan@google.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c1201444
    • ipv6: check skb->protocol before lookup for nexthop · 199ab00f
      WANG Cong authored
      Andrey reported an out-of-bound access in ip6_tnl_xmit(), this
      is because we use an ipv4 dst in ip6_tnl_xmit() and cast an IPv4
      neigh key as an IPv6 address:
      
              neigh = dst_neigh_lookup(skb_dst(skb),
                                       &ipv6_hdr(skb)->daddr);
              if (!neigh)
                      goto tx_err_link_failure;
      
              addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
              addr_type = ipv6_addr_type(addr6);
      
              if (addr_type == IPV6_ADDR_ANY)
                      addr6 = &ipv6_hdr(skb)->daddr;
      
              memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
      
      Also the network header of the skb at this point should be still IPv4
      for 4in6 tunnels, we should not just use it as IPv6 header.
      
      This patch fixes it by checking if skb->protocol is ETH_P_IPV6: if it
      is, we are safe to do the nexthop lookup using skb_dst() and
      ipv6_hdr(skb)->daddr; if not (aka IPv4), we have no clue about which
      dest address we can pick here, we have to rely on callers to fill it
      from tunnel config, so just fall to ip6_route_output() to make the
      decision.
      
      Fixes: ea3dc960 ("ip6_tunnel: Add support for wildcard tunnel endpoints.")
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      199ab00f
    • net: core: Prevent from dereferencing null pointer when releasing SKB · 9899886d
      Myungho Jung authored
      Added NULL check to make __dev_kfree_skb_irq consistent with kfree
      family of functions.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289
      Signed-off-by: Myungho Jung <mhjungk@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      9899886d
    • macsec: dynamically allocate space for sglist · 5294b830
      Jason A. Donenfeld authored
      We call skb_cow_data, which is good anyway to ensure we can actually
      modify the skb as such (another error from prior). Now that we have the
      number of fragments required, we can safely allocate exactly that amount
      of memory.
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5294b830
    • Revert "phy: micrel: Disable auto negotiation on startup" · b43bd728
      David S. Miller authored
      This reverts commit 99f81afc.
      
      It was papering over the real problem, which is fixed by commit
      f555f34f ("net: phy: fix auto-negotiation stall due to unavailable
      interrupt")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b43bd728
    • net: phy: fix auto-negotiation stall due to unavailable interrupt · f555f34f
      Alexander Kochetkov authored
      The Ethernet link on an interrupt driven PHY was not coming up if the Ethernet
      cable was plugged before the Ethernet interface was brought up.
      
      The patch triggers the PHY state machine to update link state if the PHY was
      requested to do auto-negotiation and the auto-negotiation complete flag is
      already set.
      
      During the power-up cycle the PHY does auto-negotiation, generates an interrupt
      and sets the auto-negotiation complete flag. The interrupt is handled by the PHY
      state machine but doesn't update link state because the PHY is in PHY_READY
      state. After some time the MAC is brought up, starts and requests the PHY to do
      auto-negotiation. If there are no new settings to advertise,
      genphy_config_aneg() doesn't start PHY auto-negotiation. The PHY continues to
      stay in the auto-negotiation complete state and doesn't fire an interrupt. At
      the same time the PHY state machine expects that the PHY started
      auto-negotiation and is waiting for an interrupt from the PHY, and it won't get it.
      
      Fixes: 321beec5 ("net: phy: Use interrupts when available in NOLINK state")
      Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
      Cc: stable <stable@vger.kernel.org> # v4.9+
      Tested-by: Roger Quadros <rogerq@ti.com>
      Tested-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f555f34f
    • Merge tag 'sound-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ea3a8596
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Since we got a bonus week, let me try to screw a few pending fixes.
      
        A slightly large fix is the locking fix in ASoC STI driver, but it's
        pretty board-specific, and the risk is fairly low.
      
        All the rest are small / trivial fixes, mostly marked as stable, for
        ALSA sequencer core, ASoC topology, ASoC Intel bytcr and Firewire
        drivers"
      
      * tag 'sound-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
        ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
        ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
        ASoC: topology: Fix to store enum text values
        ASoC: STI: Fix null ptr deference in IRQ handler
        ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
      ea3a8596
  3. 25 Apr, 2017 23 commits
    • Merge tag 'arc-4.11-final' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · ea839b41
      Linus Torvalds authored
      Pull ARC fix from Vineet Gupta:
       "Last minute fixes for ARC:
      
         - build error in Mellanox nps platform
      
         - addressing lack of saving FPU regs in relevant configs"
      
      * tag 'arc-4.11-final' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARCv2: entry: save Accumulator register pair (r58:59) if present
        ARC: [plat-eznps] Fix build error
      ea839b41
    • ceph: fix recursion between ceph_set_acl() and __ceph_setattr() · 8179a101
      Yan, Zheng authored
      ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
      to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
      then calls posix_acl_chmod().
      
      The problem is that __ceph_setattr() calls posix_acl_chmod() before
      sending the setattr request. The get_acl() call in posix_acl_chmod()
      can trigger a getxattr request. The reply of the getxattr request
      can restore inode's i_mode to its old value. The set_acl() call in
      posix_acl_chmod() sees old value of inode's i_mode, so it calls
      __ceph_setattr() again.
      
      Cc: stable@vger.kernel.org # needs backporting for < 4.9
      Link: http://tracker.ceph.com/issues/19688
      Reported-by: Jerry Lee <leisurelysw24@gmail.com>
      Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
      Reviewed-by: Jeff Layton <jlayton@redhat.com>
      Tested-by: Luis Henriques <lhenriques@suse.com>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      8179a101
    • net/packet: check length in getsockopt() called with PACKET_HDRLEN · fd2c83b3
      Alexander Potapenko authored
      In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4,
      |val| remains uninitialized and the syscall may behave differently
      depending on its value, and even copy garbage to userspace on certain
      architectures. To fix this we now return -EINVAL if optlen is too small.
      
      This bug has been detected with KMSAN.
      Signed-off-by: Alexander Potapenko <glider@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      fd2c83b3
    • net: ipv6: regenerate host route if moved to gc list · 8048ced9
      David Ahern authored
      Taking down the loopback device wreaks havoc on IPv6 routing. By
      extension, taking down a VRF device wreaks havoc on its table.
      
      Dmitry and Andrey both reported heap out-of-bounds reports in the IPv6
      FIB code while running syzkaller fuzzer. The root cause is that a dead dst
      that is on the garbage list gets reinserted into the IPv6 FIB. While on
      the gc (or perhaps when it gets added to the gc list) the dst->next is
      set to an IPv4 dst. A subsequent walk of the ipv6 tables causes the
      out-of-bounds access.
      
      Andrey's reproducer was the key to getting to the bottom of this.
      
      With IPv6, host routes for an address have the dst->dev set to the
      loopback device. When the 'lo' device is taken down, rt6_ifdown initiates
      a walk of the fib evicting routes with the 'lo' device which means all
      host routes are removed. That process moves the dst which is attached to
      an inet6_ifaddr to the gc list and marks it as dead.
      
      The recent change to keep global IPv6 addresses added a new function,
      fixup_permanent_addr, that is called on admin up. That function restarts
      dad for an inet6_ifaddr and when it completes the host route attached
      to it is inserted into the fib. Since the route was marked dead and
      moved to the gc list, re-inserting the route causes the reported
      out-of-bounds accesses. If the device with the address is taken down
      or the address is removed, the WARN_ON in fib6_del is triggered.
      
      All of those faults are fixed by regenerating the host route if the
      existing one has been moved to the gc list, something that can be
      determined by checking if the rt6i_ref counter is 0.
      
      Fixes: f1705ec1 ("net: ipv6: Make address flushing on ifdown optional")
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
      Acked-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      8048ced9
    • bridge: move bridge multicast cleanup to ndo_uninit · b1b9d366
      Xin Long authored
      While removing a bridge device, if the bridge is still up, a new mdb entry
      still can be added in br_multicast_add_group() after all mdb entries are
      removed in br_multicast_dev_del(). Like the path:
      
        mld_ifc_timer_expire ->
          mld_sendpack -> ...
            br_multicast_rcv ->
              br_multicast_add_group
      
      The new mp's timer will be set up. If the timer expires after the bridge
      is freed, it may cause use-after-free panic in br_multicast_group_expired.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
      IP: [<ffffffffa07ed2c8>] br_multicast_group_expired+0x28/0xb0 [bridge]
      Call Trace:
       <IRQ>
       [<ffffffff81094536>] call_timer_fn+0x36/0x110
       [<ffffffffa07ed2a0>] ? br_mdb_free+0x30/0x30 [bridge]
       [<ffffffff81096967>] run_timer_softirq+0x237/0x340
       [<ffffffff8108dcbf>] __do_softirq+0xef/0x280
       [<ffffffff8169889c>] call_softirq+0x1c/0x30
       [<ffffffff8102c275>] do_softirq+0x65/0xa0
       [<ffffffff8108e055>] irq_exit+0x115/0x120
       [<ffffffff81699515>] smp_apic_timer_interrupt+0x45/0x60
       [<ffffffff81697a5d>] apic_timer_interrupt+0x6d/0x80
      
      Nikolay also found it would cause a memory leak - the mdb hash is
      reallocated and not freed due to the mdb rehash.
      
      unreferenced object 0xffff8800540ba800 (size 2048):
        backtrace:
          [<ffffffff816e2287>] kmemleak_alloc+0x67/0xc0
          [<ffffffff81260bea>] __kmalloc+0x1ba/0x3e0
          [<ffffffffa05c60ee>] br_mdb_rehash+0x5e/0x340 [bridge]
          [<ffffffffa05c74af>] br_multicast_new_group+0x43f/0x6e0 [bridge]
          [<ffffffffa05c7aa3>] br_multicast_add_group+0x203/0x260 [bridge]
          [<ffffffffa05ca4b5>] br_multicast_rcv+0x945/0x11d0 [bridge]
          [<ffffffffa05b6b10>] br_dev_xmit+0x180/0x470 [bridge]
          [<ffffffff815c781b>] dev_hard_start_xmit+0xbb/0x3d0
          [<ffffffff815c8743>] __dev_queue_xmit+0xb13/0xc10
          [<ffffffff815c8850>] dev_queue_xmit+0x10/0x20
          [<ffffffffa02f8d7a>] ip6_finish_output2+0x5ca/0xac0 [ipv6]
          [<ffffffffa02fbfc6>] ip6_finish_output+0x126/0x2c0 [ipv6]
          [<ffffffffa02fc245>] ip6_output+0xe5/0x390 [ipv6]
          [<ffffffffa032b92c>] NF_HOOK.constprop.44+0x6c/0x240 [ipv6]
          [<ffffffffa032bd16>] mld_sendpack+0x216/0x3e0 [ipv6]
          [<ffffffffa032d5eb>] mld_ifc_timer_expire+0x18b/0x2b0 [ipv6]
      
      This could happen when a bridge is removed with ip link or when a netns
      with a bridge device inside is destroyed.
      
      With Nikolay's suggestion, this patch is to clean up bridge multicast in
      ndo_uninit after bridge dev is shutdown, instead of br_dev_delete, so
      that netif_running check in br_multicast_add_group can avoid this issue.
      
      v1->v2:
        - fix this issue by moving br_multicast_dev_del to ndo_uninit, instead
          of calling dev_close in br_dev_delete.
      
      (NOTE: Depends upon b6fe0440 ("bridge: implement missing ndo_uninit()"))
      
      Fixes: e10177ab ("bridge: multicast: fix handling of temp and perm entries")
      Reported-by: Jianwen Ji <jiji@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b1b9d366
    • ipv6: fix source routing · ec9c4215
      Sabrina Dubroca authored
      Commit a149e7c7 ("ipv6: sr: add support for SRH injection through
      setsockopt") introduced handling of IPV6_SRCRT_TYPE_4, but at the same
      time restricted it to only IPV6_SRCRT_TYPE_0 and
      IPV6_SRCRT_TYPE_4. Previously, ipv6_push_exthdr() and fl6_update_dst()
      would also handle other values (ie STRICT and TYPE_2).
      
      Restore previous source routing behavior, by handling IPV6_SRCRT_STRICT
      and IPV6_SRCRT_TYPE_2 the same way as IPV6_SRCRT_TYPE_0 in
      ipv6_push_exthdr() and fl6_update_dst().
      
      Fixes: a149e7c7 ("ipv6: sr: add support for SRH injection through setsockopt")
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ec9c4215
    • qed: Fix error in the dcbx app meta data initialization. · c8fcd133
      sudarsana.kalluru@cavium.com authored
      DCBX app_data array is initialized with the incorrect values for
      personality field. This would prevent offloaded protocols from
      honoring the PFC.
      Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c8fcd133
    • netvsc: fix calculation of available send sections · fdfb70d2
      stephen hemminger authored
      My change (introduced in 4.11) to use find_first_clear_bit
      incorrectly assumed that the size argument was words, not bits.
      The effect was only a small limited number of the available send
      sections were being actually used. This can cause performance loss
      with some workloads.
      
      Since map_words is now used only during initialization, it can
      be on stack instead of in per-device data.
      
      Fixes: b58a1858 ("netvsc: simplify get next send section")
      Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      fdfb70d2
    • net: hso: fix module unloading · a23f6ce6
      Andreas Kemnade authored
      keep tty driver until usb driver is unregistered
      rmmod hso
      produces traces like this without that:
      
      [40261.645904] usb 2-2: new high-speed USB device number 2 using ehci-omap
      [40261.854644] usb 2-2: New USB device found, idVendor=0af0, idProduct=8800
      [40261.862609] usb 2-2: New USB device strings: Mfr=3, Product=2, SerialNumber=0
      [40261.872772] usb 2-2: Product: Globetrotter HSUPA Modem
      [40261.880279] usb 2-2: Manufacturer: Option N.V.
      [40262.021270] hso 2-2:1.5: Not our interface
      [40265.556945] hso: unloaded
      [40265.559875] usbcore: deregistering interface driver hso
      [40265.595947] Unable to handle kernel NULL pointer dereference at virtual address 00000033
      [40265.604522] pgd = ecb14000
      [40265.611877] [00000033] *pgd=00000000
      [40265.617034] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      [40265.622650] Modules linked in: hso(-) bnep bluetooth ipv6 arc4 twl4030_madc_hwmon wl18xx wlcore mac80211 cfg80211 snd_soc_simple_card snd_soc_simple_card_utils snd_soc_omap_twl4030 snd_soc_gtm601 generic_adc_battery extcon_gpio omap3_isp videobuf2_dma_contig videobuf2_memops wlcore_sdio videobuf2_v4l2 videobuf2_core ov9650 bmp280_i2c v4l2_common bmp280 bmg160_i2c bmg160_core at24 nvmem_core videodev bmc150_accel_i2c bmc150_magn_i2c media bmc150_accel_core tsc2007 bmc150_magn leds_tca6507 bno055 snd_soc_omap_mcbsp industrialio_triggered_buffer snd_soc_omap kfifo_buf snd_pcm_dmaengine gpio_twl4030 snd_soc_twl4030 twl4030_vibra twl4030_madc wwan_on_off ehci_omap pwm_bl pwm_omap_dmtimer panel_tpo_td028ttec1 encoder_opa362 connector_analog_tv omapdrm drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect
      [40265.698211]  sysimgblt fb_sys_fops cfbcopyarea drm omapdss usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap2430 phy_twl4030_usb musb_hdrc twl4030_charger industrialio w2sg0004 twl4030_pwrbutton bq27xxx_battery w1_bq27000 omap_hdq [last unloaded: hso]
      [40265.723175] CPU: 0 PID: 2701 Comm: rmmod Not tainted 4.11.0-rc6-letux+ #6
      [40265.730346] Hardware name: Generic OMAP36xx (Flattened Device Tree)
      [40265.736938] task: ecb81100 task.stack: ecb82000
      [40265.741729] PC is at cdev_del+0xc/0x2c
      [40265.745666] LR is at tty_unregister_device+0x40/0x50
      [40265.750915] pc : [<c027472c>]    lr : [<c04b3ecc>]    psr: 600b0113
      sp : ecb83ea8  ip : eca4f898  fp : 00000000
      [40265.763000] r10: 00000000  r9 : 00000000  r8 : 00000001
      [40265.768493] r7 : eca4f800  r6 : 00000003  r5 : 00000000  r4 : ffffffff
      [40265.775360] r3 : c1458d54  r2 : 00000000  r1 : 00000004  r0 : ffffffff
      [40265.782257] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [40265.789764] Control: 10c5387d  Table: acb14019  DAC: 00000051
      [40265.795806] Process rmmod (pid: 2701, stack limit = 0xecb82218)
      [40265.802062] Stack: (0xecb83ea8 to 0xecb84000)
      [40265.806640] 3ea0:                   ec9e8100 c04b3ecc bf737378 ed5b7c00 00000003 bf7327ec
      [40265.815277] 3ec0: eca4f800 00000000 ec9fd800 eca4f800 bf737070 bf7328bc eca4f820 c05a9a04
      [40265.823883] 3ee0: eca4f820 00000000 00000001 eca4f820 ec9fd870 bf737070 eca4f854 ec9fd8a4
      [40265.832519] 3f00: ecb82000 00000000 00000000 c04e6960 eca4f820 bf737070 bf737048 00000081
      [40265.841125] 3f20: c01071e4 c04e6a60 ecb81100 bf737070 bf737070 c04e5d94 bf737020 c05a8f88
      [40265.849731] 3f40: bf737100 00000800 7f5fa254 00000081 c01071e4 c01c4afc 00000000 006f7368
      [40265.858367] 3f60: ecb815f4 00000000 c0cac9c4 c01071e4 ecb82000 00000000 00000000 c01512f4
      [40265.866973] 3f80: ed5b3200 c01071e4 7f5fa220 7f5fa220 bea78ec9 0010711c 7f5fa220 7f5fa220
      [40265.875579] 3fa0: bea78ec9 c0107040 7f5fa220 7f5fa220 7f5fa254 00000800 dd35b800 dd35b800
      [40265.884216] 3fc0: 7f5fa220 7f5fa220 bea78ec9 00000081 bea78dcc 00000000 bea78bd8 00000000
      [40265.892822] 3fe0: b6f70521 bea78b6c 7f5dd613 b6f70526 80070030 7f5fa254 ffffffff ffffffff
      [40265.901458] [<c027472c>] (cdev_del) from [<c04b3ecc>] (tty_unregister_device+0x40/0x50)
      [40265.909942] [<c04b3ecc>] (tty_unregister_device) from [<bf7327ec>] (hso_free_interface+0x80/0x144 [hso])
      [40265.919982] [<bf7327ec>] (hso_free_interface [hso]) from [<bf7328bc>] (hso_disconnect+0xc/0x18 [hso])
      [40265.929718] [<bf7328bc>] (hso_disconnect [hso]) from [<c05a9a04>] (usb_unbind_interface+0x84/0x200)
      [40265.939239] [<c05a9a04>] (usb_unbind_interface) from [<c04e6960>] (device_release_driver_internal+0x138/0x1cc)
      [40265.949798] [<c04e6960>] (device_release_driver_internal) from [<c04e6a60>] (driver_detach+0x60/0x6c)
      [40265.959503] [<c04e6a60>] (driver_detach) from [<c04e5d94>] (bus_remove_driver+0x64/0x8c)
      [40265.968017] [<c04e5d94>] (bus_remove_driver) from [<c05a8f88>] (usb_deregister+0x5c/0xb8)
      [40265.976654] [<c05a8f88>] (usb_deregister) from [<c01c4afc>] (SyS_delete_module+0x160/0x1dc)
      [40265.985443] [<c01c4afc>] (SyS_delete_module) from [<c0107040>] (ret_fast_syscall+0x0/0x1c)
      [40265.994171] Code: c1458d54 e59f3020 e92d4010 e1a04000 (e5941034)
      [40266.016693] ---[ end trace 9d5ac43c7e41075c ]---
      Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
      Reviewed-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a23f6ce6
    • tipc: fix socket flow control accounting error at tipc_recv_stream · 05ff8378
      Parthasarathy Bhuvaragan authored
      Until now in tipc_recv_stream(), we update the received
      unacknowledged bytes based on a stack variable and not based on the
      actual message size.
      If the user buffer passed at tipc_recv_stream() is smaller than the
      received skb, the size variable in stack differs from the actual
      message size in the skb. This leads to a flow control accounting
      error causing permanent congestion.
      
      In this commit, we fix this accounting error by always using the
      size of the incoming message.
      
      Fixes: 10724cc7 ("tipc: redesign connection-level flow control")
      Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      05ff8378
    • tipc: fix socket flow control accounting error at tipc_send_stream · 3364d61c
      Parthasarathy Bhuvaragan authored
      Until now in tipc_send_stream(), we return -1 when the socket
      encounters link congestion even if the socket had successfully
      sent partial data. This is incorrect as the application resends
      the same partial data leading to data corruption at
      receiver's end.
      
      In this commit, we return the partially sent bytes as the return
      value at link congestion.
      
      Fixes: 10724cc7 ("tipc: redesign connection-level flow control")
      Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      3364d61c
    • Merge tag 'asoc-fix-v4.11-rc7' of... · d4a2fbce
      Takashi Iwai authored
      Merge tag 'asoc-fix-v4.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.11
      
      A few last minute fixes for v4.11, the STI fix is relatively large but
      driver specific and has been cooking in -next for a little while now:
      
       - A fix from Takashi for some suspend/resume related crashes in the
         Intel drivers.
       - A fix from Mousumi Jana for issues with incorrectly created
         enumeration controls generated from topology files which could cause
         problems for userspace.
       - Fixes from Arnaud Pouliquen for some crashes due to races with the
         interrupt handler in the STI driver.
      d4a2fbce
    • ipv6: move stub initialization after ipv6 setup completion · b7d6df57
      Paolo Abeni authored
      The ipv6 stub pointer is currently initialized before the ipv6
      routing subsystem: a 3rd party can access and use such stub
      before the routing data is ready.
      Moreover, such pointer is not cleared in case of initialization
      error, possibly leading to dangling pointers usage.
      
      This change addresses the above moving the stub initialization
      at the end of ipv6 init code.
      
      Fixes: 5f81bd2e ("ipv6: export a stub for IPv6 symbols used by vxlan")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b7d6df57
    • team: fix memory leaks · 72ec0bc6
      Pan Bian authored
      In functions team_nl_send_port_list_get() and
      team_nl_send_options_get(), pointer skb keeps the return value of
      nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
      freed(). This will result in memory leak bugs.
      
      Fixes: 9b00cf2d ("team: implement multipart netlink messages for options transfers")
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      72ec0bc6
    • Merge remote-tracking branches 'asoc/fix/intel', 'asoc/fix/topology' and... · dc9617cb
      Mark Brown authored
      Merge remote-tracking branches 'asoc/fix/intel', 'asoc/fix/topology' and 'asoc/fix/sti' into asoc-linus
      dc9617cb
    • Merge tag 'linux-can-fixes-for-4.11-20170425' of... · fccb4422
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.11-20170425' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2017-04-25
      
      this is a pull request of three patches for net/master.
      
      There are two patches by Stephane Grosjean that add a new variant to the
      PCAN-Chip USB driver. The other patch is by Maksim Salau, which switches the
      memory for USB transfers from heap to stack.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      fccb4422
    • sfc: tx ring can only have 2048 entries for all EF10 NICs · a53d26eb
      Bert Kenward authored
      Fixes: dd248f1b ("sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC")
      Reported-by: Patrick Talbert <ptalbert@redhat.com>
      Signed-off-by: Bert Kenward <bkenward@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a53d26eb
    • ASoC: intel: Fix PM and non-atomic crash in bytcr drivers · 6e4cac23
      Takashi Iwai authored
      The FE setups of Intel SST bytcr_rt5640 and bytcr_rt5651 drivers carry
      the ignore_suspend flag, and this prevents the suspend/resume working
      properly while the stream is running, since SST core code has the
      check of the running streams and returns -EBUSY.  Drop these
      superfluous flags for fixing the behavior.
      
      Also, the bytcr_rt5640 driver lacks the nonatomic flag in some FE
      definitions, which leads to the kernel Oops at suspend/resume like:
      
        BUG: scheduling while atomic: systemd-sleep/3144/0x00000003
        Call Trace:
         dump_stack+0x5c/0x7a
         __schedule_bug+0x55/0x70
         __schedule+0x63c/0x8c0
         schedule+0x3d/0x90
         schedule_timeout+0x16b/0x320
         ? del_timer_sync+0x50/0x50
         ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
         ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
         ? remove_wait_queue+0x60/0x60
         ? sst_prepare_and_post_msg+0x275/0x960 [snd_intel_sst_core]
         ? sst_pause_stream+0x9b/0x110 [snd_intel_sst_core]
         ....
      
      This patch addresses these appropriately, too.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Acked-by: Vinod Koul <vinod.koul@intel.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: <stable@vger.kernel.org> # v4.1+
      6e4cac23
    • macvlan: Fix device ref leak when purging bc_queue · f6478218
      Herbert Xu authored
      When a parent macvlan device is destroyed we end up purging its
      broadcast queue without dropping the device reference count on
      the packet source device.  This causes the source device to linger.
      
      This patch drops that reference count.
      
      Fixes: 260916df ("macvlan: Fix potential use-after free for...")
      Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f6478218
    • usb: plusb: Add support for PL-27A1 · 6f2aee0c
      Roman Spychała authored
      This patch adds support for the PL-27A1 by adding the appropriate
      USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
      and Unitek Y-3501 cables.
      Signed-off-by: Roman Spychała <roed@onet.eu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      6f2aee0c
    • net: can: usb: gs_usb: Fix buffer on stack · b05c73bd
      Maksim Salau authored
      Allocate buffers on HEAP instead of STACK for local structures
      that are to be sent using usb_control_msg().
      Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.8
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      b05c73bd
    • can: usb: Kconfig: Add PCAN-USB X6 device in help text · 71b61156
      Stephane Grosjean authored
      This patch adds a text line in the help section of the CAN_PEAK_USB
      config item describing the support of the PCAN-USB X6 adapter, which is
      already included in the Kernel since 4.9.
      Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      71b61156
    • can: usb: Add support of PCAN-Chip USB stamp module · ea8b65b5
      Stephane Grosjean authored
      This patch adds the support of the PCAN-Chip USB, a stamp module for
      customer hardware designs, which communicates via USB 2.0 with the
      hardware. The integrated CAN controller supports the protocols CAN 2.0 A/B
      as well as CAN FD. The physical CAN connection is determined by external
      wiring. The Stamp module with its single-sided mounting and plated
      half-holes is suitable for automatic assembly.
      
      Note that the chip is equipped with the same logic as the PCAN-USB FD.
      Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      ea8b65b5
  4. 24 Apr, 2017 2 commits