1. 27 Sep, 2018 2 commits
  2. 26 Sep, 2018 2 commits
  3. 25 Sep, 2018 12 commits
    • Parav Pandit's avatar
      RDMA/core: Set right entry state before releasing reference · 5c5702e2
      Parav Pandit authored
      Currently add_modify_gid() for IB link layer has followong issue
      in cache update path.
      
      When GID update event occurs, core releases reference to the GID
      table without updating its state and/or entry pointer.
      
      CPU-0                              CPU-1
      ------                             -----
      ib_cache_update()                    IPoIB ULP
         add_modify_gid()                   [..]
            put_gid_entry()
            refcnt = 0, but
            state = valid,
            entry is valid.
            (work item is not yet executed).
                                         ipoib_create_ah()
                                           rdma_create_ah()
                                              rdma_get_gid_attr() <--
                                         	Tries to acquire gid_attr
                                              which has refcnt = 0.
                                         	This is incorrect.
      
      GID entry state and entry pointer is provides the accurate GID enty
      state. Such fields must be updated with rwlock to protect against
      readers and, such fields must be in sane state before refcount can drop
      to zero. Otherwise above race condition can happen leading to
      use-after-free situation.
      
      Following backtrace has been observed when cache update for an IB port
      is triggered while IPoIB ULP is creating an AH.
      
      Therefore, when updating GID entry, first mark a valid entry as invalid
      through state and set the barrier so that no callers can acquired
      the GID entry, followed by release reference to it.
      
      refcount_t: increment on 0; use-after-free.
      WARNING: CPU: 4 PID: 29106 at lib/refcount.c:153 refcount_inc_checked+0x30/0x50
      Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
      RIP: 0010:refcount_inc_checked+0x30/0x50
      RSP: 0018:ffff8802ad36f600 EFLAGS: 00010082
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000002 RSI: 0000000000000008 RDI: ffffffff86710100
      RBP: ffff8802d6e60a30 R08: ffffed005d67bf8b R09: ffffed005d67bf8b
      R10: 0000000000000001 R11: ffffed005d67bf8a R12: ffff88027620cee8
      R13: ffff8802d6e60988 R14: ffff8802d6e60a78 R15: 0000000000000202
      FS: 0000000000000000(0000) GS:ffff8802eb200000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f3ab35e5c88 CR3: 00000002ce84a000 CR4: 00000000000006e0
      IPv6: ADDRCONF(NETDEV_CHANGE): ib1: link becomes ready
      Call Trace:
      rdma_get_gid_attr+0x220/0x310 [ib_core]
      ? lock_acquire+0x145/0x3a0
      rdma_fill_sgid_attr+0x32c/0x470 [ib_core]
      rdma_create_ah+0x89/0x160 [ib_core]
      ? rdma_fill_sgid_attr+0x470/0x470 [ib_core]
      ? ipoib_create_ah+0x52/0x260 [ib_ipoib]
      ipoib_create_ah+0xf5/0x260 [ib_ipoib]
      ipoib_mcast_join_complete+0xbbe/0x2540 [ib_ipoib]
      
      Fixes: b150c386 ("IB/core: Introduce GID entry reference counts")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      5c5702e2
    • Yishai Hadas's avatar
      IB/mlx5: Destroy the DEVX object upon error flow · e8ef090a
      Yishai Hadas authored
      Upon DEVX object creation the object must be destroyed upon a follows
      error flow.
      
      Fixes: 7efce369 ("IB/mlx5: Add obj create and destroy functionality")
      Signed-off-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Reviewed-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      e8ef090a
    • Mark Bloch's avatar
      IB/uverbs: Free uapi on destroy · a9360abd
      Mark Bloch authored
      Make sure we free struct uverbs_api once we clean the radix tree. It was
      allocated by uverbs_alloc_api().
      
      Fixes: 9ed3e5f4 ("IB/uverbs: Build the specs into a radix tree at runtime")
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a9360abd
    • Greg Kroah-Hartman's avatar
      erge tag 'libnvdimm-fixes-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · a3852318
      Greg Kroah-Hartman authored
      Dan writes:
        "libnvdimm/dax for 4.19-rc6
      
        * (2) fixes for the dax error handling updates that were merged for
        v4.19-rc1. My mails to Al have been bouncing recently, so I do not have
        his ack but the uaccess change is of the trivial / obviously correct
        variety. The address_space_operations fixes a regression.
      
        * A filesystem-dax fix to correct the zero page lookup to be compatible
         with non-x86 (mips and s390) architectures."
      
      * tag 'libnvdimm-fixes-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: Add missing address_space_operations
        uaccess: Fix is_source param for check_copy_size() in copy_to_iter_mcsafe()
        filesystem-dax: Fix use of zero page
      a3852318
    • Greg Kroah-Hartman's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 846e8dd4
      Greg Kroah-Hartman authored
      James writes:
        "SCSI fixes on 20180925
      
         Nine obvious bug fixes mostly in individual drivers.  The target fix
         is of particular importance because it's CVE related."
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sd: don't crash the host on invalid commands
        scsi: ipr: System hung while dlpar adding primary ipr adapter back
        scsi: target: iscsi: Use bin2hex instead of a re-implementation
        scsi: target: iscsi: Use hex2bin instead of a re-implementation
        scsi: lpfc: Synchronize access to remoteport via rport
        scsi: ufs: Disable blk-mq for now
        scsi: sd: Contribute to randomness when running rotational device
        scsi: ibmvscsis: Ensure partition name is properly NUL terminated
        scsi: ibmvscsis: Fix a stringop-overflow warning
      846e8dd4
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · bfb0e9b4
      Greg Kroah-Hartman authored
      I wrote:
        "USB fixes for 4.19-rc6
      
         Here are some small USB core and driver fixes for reported issues for
         4.19-rc6.
      
         The most visible is the oops fix for when the USB core is built into the
         kernel that is present in 4.18.  Turns out not many people actually do
         that so it went unnoticed for a while.  The rest is some tiny typec,
         musb, and other core fixes.
      
         All have been in linux-next with no reported issues."
      
      * tag 'usb-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: mux: Take care of driver module reference counting
        usb: core: safely deal with the dynamic quirk lists
        usb: roles: Take care of driver module reference counting
        USB: handle NULL config in usb_find_alt_setting()
        USB: fix error handling in usb_driver_claim_interface()
        USB: remove LPM management from usb_driver_claim_interface()
        USB: usbdevfs: restore warning for nonsensical flags
        USB: usbdevfs: sanitize flags more
        Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
        usb: musb: dsps: do not disable CPPI41 irq in driver teardown
      bfb0e9b4
    • Greg Kroah-Hartman's avatar
      Merge tag 'tty-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · ccf791e5
      Greg Kroah-Hartman authored
      I wrote:
        "TTY/Serial driver fixes for 4.19-rc6
      
         Here are a number of small tty and serial driver fixes for reported
         issues for 4.19-rc6.
      
         One should hopefully resolve a much-reported issue that syzbot has found
         in the tty layer.  Although there are still more issues there, getting
         this fixed is nice to see finally happen.
      
         All of these have been in linux-next for a while with no reported
         issues."
      
      * tag 'tty-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: imx: restore handshaking irq for imx1
        tty: vt_ioctl: fix potential Spectre v1
        tty: Drop tty->count on tty_reopen() failure
        serial: cpm_uart: return immediately from console poll
        tty: serial: lpuart: avoid leaking struct tty_struct
        serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
      ccf791e5
    • Greg Kroah-Hartman's avatar
      Merge tag 'char-misc-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · fc0c8146
      Greg Kroah-Hartman authored
      Greg (well I), wrote:
        "Char/Misc driver fixes for 4.19-rc6
      
         Here are some soundwire and intel_th (tracing) driver fixes for some
         reported issues.
      
         All of these have been in linux-next for a week with no reported issues."
      
      * tag 'char-misc-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        intel_th: pci: Add Ice Lake PCH support
        intel_th: Fix resource handling for ACPI glue layer
        intel_th: Fix device removal logic
        soundwire: Fix acquiring bus lock twice during master release
        soundwire: Fix incorrect exit after configuring stream
        soundwire: Fix duplicate stream state assignment
      fc0c8146
    • Lu Baolu's avatar
      iommu/vt-d: Handle memory shortage on pasid table allocation · be9e6598
      Lu Baolu authored
      Pasid table memory allocation could return failure due to memory
      shortage. Limit the pasid table size to 1MiB because current 8MiB
      contiguous physical memory allocation can be hard to come by. W/o
      a PASID table, the device could continue to work with only shared
      virtual memory impacted. So, let's go ahead with context mapping
      even the memory allocation for pasid table failed.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107783
      Fixes: cc580e41 ("iommu/vt-d: Per PCI device pasid table interfaces")
      
      Cc: Ashok Raj <ashok.raj@intel.com>
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
      Reported-and-tested-by: default avatarPelton Kyle D <kyle.d.pelton@intel.com>
      Tested-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      be9e6598
    • Lubomir Rintel's avatar
      Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name" · 8c0f9f5b
      Lubomir Rintel authored
      This changes UAPI, breaking iwd and libell:
      
        ell/key.c: In function 'kernel_dh_compute':
        ell/key.c:205:38: error: 'struct keyctl_dh_params' has no member named 'private'; did you mean 'dh_private'?
          struct keyctl_dh_params params = { .private = private,
                                              ^~~~~~~
                                              dh_private
      
      This reverts commit 8a2336e5.
      
      Fixes: 8a2336e5 ("uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name")
      Signed-off-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Randy Dunlap <rdunlap@infradead.org>
      cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
      cc: Stephan Mueller <smueller@chronox.de>
      cc: James Morris <jmorris@namei.org>
      cc: "Serge E. Hallyn" <serge@hallyn.com>
      cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
      cc: Andrew Morton <akpm@linux-foundation.org>
      cc: Linus Torvalds <torvalds@linux-foundation.org>
      cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c0f9f5b
    • Greg Kroah-Hartman's avatar
      Merge gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net · 2dd68cc7
      Greg Kroah-Hartman authored
      Dave writes:
        "Networking fixes:
      
        1) Fix multiqueue handling of coalesce timer in stmmac, from Jose
           Abreu.
      
         2) Fix memory corruption in NFC, from Suren Baghdasaryan.
      
         3) Don't write reserved bits in ravb driver, from Kazuya Mizuguchi.
      
         4) SMC bug fixes from Karsten Graul, YueHaibing, and Ursula Braun.
      
         5) Fix TX done race in mvpp2, from Antoine Tenart.
      
         6) ipv6 metrics leak, from Wei Wang.
      
         7) Adjust firmware version requirements in mlxsw, from Petr Machata.
      
         8) Fix autonegotiation on resume in r8169, from Heiner Kallweit.
      
         9) Fixed missing entries when dumping /proc/net/if_inet6, from Jeff
            Barnhill.
      
         10) Fix double free in devlink, from Dan Carpenter.
      
         11) Fix ethtool regression from UFO feature removal, from Maciej
             Żenczykowski.
      
         12) Fix drivers that have a ndo_poll_controller() that captures the
             cpu entirely on loaded hosts by trying to drain all rx and tx
             queues, from Eric Dumazet.
      
         13) Fix memory corruption with jumbo frames in aquantia driver, from
             Friedemann Gerold."
      
      * gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net: (79 commits)
        net: mvneta: fix the remaining Rx descriptor unmapping issues
        ip_tunnel: be careful when accessing the inner header
        mpls: allow routes on ip6gre devices
        net: aquantia: memory corruption on jumbo frames
        tun: remove ndo_poll_controller
        nfp: remove ndo_poll_controller
        bnxt: remove ndo_poll_controller
        bnx2x: remove ndo_poll_controller
        mlx5: remove ndo_poll_controller
        mlx4: remove ndo_poll_controller
        i40evf: remove ndo_poll_controller
        ice: remove ndo_poll_controller
        igb: remove ndo_poll_controller
        ixgb: remove ndo_poll_controller
        fm10k: remove ndo_poll_controller
        ixgbevf: remove ndo_poll_controller
        ixgbe: remove ndo_poll_controller
        bonding: use netpoll_poll_dev() helper
        netpoll: make ndo_poll_controller() optional
        rds: Fix build regression.
        ...
      2dd68cc7
    • Heiko Stuebner's avatar
      iommu/rockchip: Free irqs in shutdown handler · 74bc2abc
      Heiko Stuebner authored
      In the iommu's shutdown handler we disable runtime-pm which could
      result in the irq-handler running unclocked and since commit
          3fc7c5c0 ("iommu/rockchip: Handle errors returned from PM framework")
      we warn about that fact.
      
      This can cause warnings on shutdown on some Rockchip machines, so
      free the irqs in the shutdown handler before we disable runtime-pm.
      Reported-by: default avatarEnric Balletbo i Serra <enric.balletbo@collabora.com>
      Fixes: 3fc7c5c0 ("iommu/rockchip: Handle errors returned from PM framework")
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Tested-by: default avatarEnric Balletbo i Serra <enric.balletbo@collabora.com>
      Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      74bc2abc
  4. 24 Sep, 2018 23 commits
    • Antoine Tenart's avatar
      net: mvneta: fix the remaining Rx descriptor unmapping issues · f4a51879
      Antoine Tenart authored
      With CONFIG_DMA_API_DEBUG enabled we get DMA unmapping warning in
      various places of the mvneta driver, for example when putting down an
      interface while traffic is passing through.
      
      The issue is when using s/w buffer management, the Rx buffers are mapped
      using dma_map_page but unmapped with dma_unmap_single. This patch fixes
      this by using the right unmapping function.
      
      Fixes: 562e2f46 ("net: mvneta: Improve the buffer allocation method for SWBM")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Reviewed-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4a51879
    • Paolo Abeni's avatar
      ip_tunnel: be careful when accessing the inner header · ccfec9e5
      Paolo Abeni authored
      Cong noted that we need the same checks introduced by commit 76c0ddd8
      ("ip6_tunnel: be careful when accessing the inner header")
      even for ipv4 tunnels.
      
      Fixes: c5441932 ("GRE: Refactor GRE tunneling code.")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ccfec9e5
    • Saif Hasan's avatar
      mpls: allow routes on ip6gre devices · d8e2262a
      Saif Hasan authored
      Summary:
      
      This appears to be necessary and sufficient change to enable `MPLS` on
      `ip6gre` tunnels (RFC4023).
      
      This diff allows IP6GRE devices to be recognized by MPLS kernel module
      and hence user can configure interface to accept packets with mpls
      headers as well setup mpls routes on them.
      
      Test Plan:
      
      Test plan consists of multiple containers connected via GRE-V6 tunnel.
      Then carrying out testing steps as below.
      
      - Carry out necessary sysctl settings on all containers
      
      ```
      sysctl -w net.mpls.platform_labels=65536
      sysctl -w net.mpls.ip_ttl_propagate=1
      sysctl -w net.mpls.conf.lo.input=1
      ```
      
      - Establish IP6GRE tunnels
      
      ```
      ip -6 tunnel add name if_1_2_1 mode ip6gre \
        local 2401:db00:21:6048:feed:0::1 \
        remote 2401:db00:21:6048:feed:0::2 key 1
      ip link set dev if_1_2_1 up
      sysctl -w net.mpls.conf.if_1_2_1.input=1
      ip -4 addr add 169.254.0.2/31 dev if_1_2_1 scope link
      
      ip -6 tunnel add name if_1_3_1 mode ip6gre \
        local 2401:db00:21:6048:feed:0::1 \
        remote 2401:db00:21:6048:feed:0::3 key 1
      ip link set dev if_1_3_1 up
      sysctl -w net.mpls.conf.if_1_3_1.input=1
      ip -4 addr add 169.254.0.4/31 dev if_1_3_1 scope link
      ```
      
      - Install MPLS encap rules on node-1 towards node-2
      
      ```
      ip route add 192.168.0.11/32 nexthop encap mpls 32/64 \
        via inet 169.254.0.3 dev if_1_2_1
      ```
      
      - Install MPLS forwarding rules on node-2 and node-3
      ```
      // node2
      ip -f mpls route add 32 via inet 169.254.0.7 dev if_2_4_1
      
      // node3
      ip -f mpls route add 64 via inet 169.254.0.12 dev if_4_3_1
      ```
      
      - Ping 192.168.0.11 (node4) from 192.168.0.1 (node1) (where routing
        towards 192.168.0.1 is via IP route directly towards node1 from node4)
      ```
      ping 192.168.0.11
      ```
      
      - tcpdump on interface to capture ping packets wrapped within MPLS
        header which inturn wrapped within IP6GRE header
      
      ```
      16:43:41.121073 IP6
        2401:db00:21:6048:feed::1 > 2401:db00:21:6048:feed::2:
        DSTOPT GREv0, key=0x1, length 100:
        MPLS (label 32, exp 0, ttl 255) (label 64, exp 0, [S], ttl 255)
        IP 192.168.0.1 > 192.168.0.11:
        ICMP echo request, id 1208, seq 45, length 64
      
      0x0000:  6000 2cdb 006c 3c3f 2401 db00 0021 6048  `.,..l<?$....!`H
      0x0010:  feed 0000 0000 0001 2401 db00 0021 6048  ........$....!`H
      0x0020:  feed 0000 0000 0002 2f00 0401 0401 0100  ......../.......
      0x0030:  2000 8847 0000 0001 0002 00ff 0004 01ff  ...G............
      0x0040:  4500 0054 3280 4000 ff01 c7cb c0a8 0001  E..T2.@.........
      0x0050:  c0a8 000b 0800 a8d7 04b8 002d 2d3c a05b  ...........--<.[
      0x0060:  0000 0000 bcd8 0100 0000 0000 1011 1213  ................
      0x0070:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
      0x0080:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
      0x0090:  3435 3637                                4567
      ```
      Signed-off-by: default avatarSaif Hasan <has@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8e2262a
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · d2f85c9e
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-09-24
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Several fixes for BPF sockmap to only allow sockets being attached in
         ESTABLISHED state, from John.
      
      2) Fix up the license to LGPL/BSD for the libc compat header which contains
         fallback helpers that libbpf and bpftool is using, from Jakub.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2f85c9e
    • Selvin Xavier's avatar
      RDMA/bnxt_re: Fix system crash during RDMA resource initialization · de5c95d0
      Selvin Xavier authored
      bnxt_re_ib_reg acquires and releases the rtnl lock whenever it accesses
      the L2 driver.
      
      The following sequence can trigger a crash
      
      Acquires the rtnl_lock ->
      	Registers roce driver callback with L2 driver ->
      		release the rtnl lock
      bnxt_re acquires the rtnl_lock ->
      	Request for MSIx vectors ->
      		release the rtnl_lock
      
      Issue happens when bnxt_re proceeds with remaining part of initialization
      and L2 driver invokes bnxt_ulp_irq_stop as a part of bnxt_open_nic.
      
      The crash is in bnxt_qplib_nq_stop_irq as the NQ structures are
      not initialized yet,
      
      <snip>
      [ 3551.726647] BUG: unable to handle kernel NULL pointer dereference at (null)
      [ 3551.726656] IP: [<ffffffffc0840ee9>] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
      [ 3551.726674] PGD 0
      [ 3551.726679] Oops: 0002 1 SMP
      ...
      [ 3551.726822] Hardware name: Dell Inc. PowerEdge R720/08RW36, BIOS 2.4.3 07/09/2014
      [ 3551.726826] task: ffff97e30eec5ee0 ti: ffff97e3173bc000 task.ti: ffff97e3173bc000
      [ 3551.726829] RIP: 0010:[<ffffffffc0840ee9>] [<ffffffffc0840ee9>]
      bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
      ...
      [ 3551.726872] Call Trace:
      [ 3551.726886] [<ffffffffc082cb9e>] bnxt_re_stop_irq+0x4e/0x70 [bnxt_re]
      [ 3551.726899] [<ffffffffc07d6a53>] bnxt_ulp_irq_stop+0x43/0x70 [bnxt_en]
      [ 3551.726908] [<ffffffffc07c82f4>] bnxt_reserve_rings+0x174/0x1e0 [bnxt_en]
      [ 3551.726917] [<ffffffffc07cafd8>] __bnxt_open_nic+0x368/0x9a0 [bnxt_en]
      [ 3551.726925] [<ffffffffc07cb62b>] bnxt_open_nic+0x1b/0x50 [bnxt_en]
      [ 3551.726934] [<ffffffffc07cc62f>] bnxt_setup_mq_tc+0x11f/0x260 [bnxt_en]
      [ 3551.726943] [<ffffffffc07d5f58>] bnxt_dcbnl_ieee_setets+0xb8/0x1f0 [bnxt_en]
      [ 3551.726954] [<ffffffff890f983a>] dcbnl_ieee_set+0x9a/0x250
      [ 3551.726966] [<ffffffff88fd6d21>] ? __alloc_skb+0xa1/0x2d0
      [ 3551.726972] [<ffffffff890f72fa>] dcb_doit+0x13a/0x210
      [ 3551.726981] [<ffffffff89003ff7>] rtnetlink_rcv_msg+0xa7/0x260
      [ 3551.726989] [<ffffffff88ffdb00>] ? rtnl_unicast+0x20/0x30
      [ 3551.726996] [<ffffffff88bf9dc8>] ? __kmalloc_node_track_caller+0x58/0x290
      [ 3551.727002] [<ffffffff890f7326>] ? dcb_doit+0x166/0x210
      [ 3551.727007] [<ffffffff88fd6d0d>] ? __alloc_skb+0x8d/0x2d0
      [ 3551.727012] [<ffffffff89003f50>] ? rtnl_newlink+0x880/0x880
      ...
      [ 3551.727104] [<ffffffff8911f7d5>] system_call_fastpath+0x1c/0x21
      ...
      [ 3551.727164] RIP [<ffffffffc0840ee9>] bnxt_qplib_nq_stop_irq+0x59/0xb0 [bnxt_re]
      [ 3551.727175] RSP <ffff97e3173bf788>
      [ 3551.727177] CR2: 0000000000000000
      
      Avoid this inconsistent state and  system crash by acquiring
      the rtnl lock for the entire duration of device initialization.
      Re-factor the code to remove the rtnl lock from the individual function
      and acquire and release it from the caller.
      
      Fixes: 1ac5a404 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
      Fixes: 6e04b103 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes")
      Signed-off-by: default avatarSelvin Xavier <selvin.xavier@broadcom.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      de5c95d0
    • Greg Kroah-Hartman's avatar
      Merge tag 'media/v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 02214bfc
      Greg Kroah-Hartman authored
      Mauro briefly writes:
        "media fixes for v4.19-rc5
      
         some drivers and Kbuild fixes"
      
      * tag 'media/v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: platform: fix cros-ec-cec build error
        media: staging/media/mt9t031/Kconfig: remove bogus entry
        media: i2c: mt9v111: Fix v4l2-ctrl error handling
        media: camss: add missing includes
        media: camss: Use managed memory allocations
        media: camss: mark PM functions as __maybe_unused
        media: af9035: prevent buffer overflow on write
        media: video_function_calls.rst: drop obsolete video-set-attributes reference
      02214bfc
    • Friedemann Gerold's avatar
      net: aquantia: memory corruption on jumbo frames · d26ed6b0
      Friedemann Gerold authored
      This patch fixes skb_shared area, which will be corrupted
      upon reception of 4K jumbo packets.
      
      Originally build_skb usage purpose was to reuse page for skb to eliminate
      needs of extra fragments. But that logic does not take into account that
      skb_shared_info should be reserved at the end of skb data area.
      
      In case packet data consumes all the page (4K), skb_shinfo location
      overflows the page. As a consequence, __build_skb zeroed shinfo data above
      the allocated page, corrupting next page.
      
      The issue is rarely seen in real life because jumbo are normally larger
      than 4K and that causes another code path to trigger.
      But it 100% reproducible with simple scapy packet, like:
      
          sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
                / Raw(RandString(size=(4096-40))), iface="enp1s0")
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: default avatarFriedemann Gerold <f.gerold@b-c-s.de>
      Reported-by: default avatarMichael Rauch <michael@rauch.be>
      Signed-off-by: default avatarFriedemann Gerold <f.gerold@b-c-s.de>
      Tested-by: default avatarNikita Danilov <nikita.danilov@aquantia.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d26ed6b0
    • David S. Miller's avatar
      Merge branch 'netpoll-avoid-capture-effects-for-NAPI-drivers' · 841dfa43
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      netpoll: avoid capture effects for NAPI drivers
      
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC).
      
      This capture, showing one ksoftirqd eating all cycles
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      It seems that all networking drivers that do use NAPI
      for their TX completions, should not provide a ndo_poll_controller() :
      
      Most NAPI drivers have netpoll support already handled
      in core networking stack, since netpoll_poll_dev()
      uses poll_napi(dev) to iterate through registered
      NAPI contexts for a device.
      
      This patch series take care of the first round, we will
      handle other drivers in future rounds.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      841dfa43
    • Eric Dumazet's avatar
      tun: remove ndo_poll_controller · 765cdc20
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      tun uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      765cdc20
    • Eric Dumazet's avatar
      nfp: remove ndo_poll_controller · 0825ce70
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      nfp uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Tested-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0825ce70
    • Eric Dumazet's avatar
      bnxt: remove ndo_poll_controller · 58e0e22b
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      bnxt uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58e0e22b
    • Eric Dumazet's avatar
      bnx2x: remove ndo_poll_controller · d8ea6a91
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      bnx2x uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Ariel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8ea6a91
    • Eric Dumazet's avatar
      mlx5: remove ndo_poll_controller · 9c29bcd1
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      mlx5 uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c29bcd1
    • Eric Dumazet's avatar
      mlx4: remove ndo_poll_controller · a24b66c2
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      mlx4 uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a24b66c2
    • Eric Dumazet's avatar
      i40evf: remove ndo_poll_controller · 1aa28fb9
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      i40evf uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1aa28fb9
    • Eric Dumazet's avatar
      ice: remove ndo_poll_controller · 158a08a6
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      ice uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      158a08a6
    • Eric Dumazet's avatar
      igb: remove ndo_poll_controller · 0542997e
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      igb uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0542997e
    • Eric Dumazet's avatar
      ixgb: remove ndo_poll_controller · 2753166e
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      ixgb uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      
      This also removes a problematic use of disable_irq() in
      a context it is forbidden, as explained in commit
      af3e0fcf ("8139too: Use disable_irq_nosync() in
      rtl8139_poll_controller()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2753166e
    • Eric Dumazet's avatar
      fm10k: remove ndo_poll_controller · dda9d57e
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      lasts for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      fm10k uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dda9d57e
    • Eric Dumazet's avatar
      ixgbevf: remove ndo_poll_controller · 6f5d941e
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      ixgbevf uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f5d941e
    • Eric Dumazet's avatar
      ixgbe: remove ndo_poll_controller · b80e71a9
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      ixgbe uses NAPI for TX completions, so we better let core
      networking stack call the napi->poll() to avoid the capture.
      Reported-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarSong Liu <songliubraving@fb.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b80e71a9
    • Eric Dumazet's avatar
      bonding: use netpoll_poll_dev() helper · 93f62ad5
      Eric Dumazet authored
      We want to allow NAPI drivers to no longer provide
      ndo_poll_controller() method, as it has been proven problematic.
      
      team driver must not look at its presence, but instead call
      netpoll_poll_dev() which factorize the needed actions.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93f62ad5
    • Eric Dumazet's avatar
      netpoll: make ndo_poll_controller() optional · ac3d9dd0
      Eric Dumazet authored
      As diagnosed by Song Liu, ndo_poll_controller() can
      be very dangerous on loaded hosts, since the cpu
      calling ndo_poll_controller() might steal all NAPI
      contexts (for all RX/TX queues of the NIC). This capture
      can last for unlimited amount of time, since one
      cpu is generally not able to drain all the queues under load.
      
      It seems that all networking drivers that do use NAPI
      for their TX completions, should not provide a ndo_poll_controller().
      
      NAPI drivers have netpoll support already handled
      in core networking stack, since netpoll_poll_dev()
      uses poll_napi(dev) to iterate through registered
      NAPI contexts for a device.
      
      This patch allows netpoll_poll_dev() to process NAPI
      contexts even for drivers not providing ndo_poll_controller(),
      allowing for following patches in NAPI drivers.
      
      Also we export netpoll_poll_dev() so that it can be called
      by bonding/team drivers in following patches.
      Reported-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac3d9dd0
  5. 23 Sep, 2018 1 commit