1. 21 Dec, 2018 4 commits
    • Eric Dumazet's avatar
      tcp: fix a race in inet_diag_dump_icsk() · f0c928d8
      Eric Dumazet authored
      Alexei reported use after frees in inet_diag_dump_icsk() [1]
      
      Because we use refcount_set() when various sockets are setup and
      inserted into ehash, we also need to make sure inet_diag_dump_icsk()
      wont race with the refcount_set() operations.
      
      Jonathan Lemon sent a patch changing net_twsk_hashdance() but
      other spots would need risky changes.
      
      Instead, fix inet_diag_dump_icsk() as this bug came with
      linux-4.10 only.
      
      [1] Quoting Alexei :
      
      First something iterating over sockets finds already freed tw socket:
      
      refcount_t: increment on 0; use-after-free.
      WARNING: CPU: 2 PID: 2738 at lib/refcount.c:153 refcount_inc+0x26/0x30
      RIP: 0010:refcount_inc+0x26/0x30
      RSP: 0018:ffffc90004c8fbc0 EFLAGS: 00010282
      RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
      RDX: ffff88085ee9d680 RSI: ffff88085ee954c8 RDI: ffff88085ee954c8
      RBP: ffff88010ecbd2c0 R08: 0000000000000000 R09: 000000000000174c
      R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff8806ba9bf210 R14: ffffffff82304600 R15: ffff88010ecbd328
      FS:  00007f81f5a7d700(0000) GS:ffff88085ee80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f81e2a95000 CR3: 000000069b2eb006 CR4: 00000000003606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       inet_diag_dump_icsk+0x2b3/0x4e0 [inet_diag]  // sock_hold(sk); in net/ipv4/inet_diag.c:1002
       ? kmalloc_large_node+0x37/0x70
       ? __kmalloc_node_track_caller+0x1cb/0x260
       ? __alloc_skb+0x72/0x1b0
       ? __kmalloc_reserve.isra.40+0x2e/0x80
       __inet_diag_dump+0x3b/0x80 [inet_diag]
       netlink_dump+0x116/0x2a0
       netlink_recvmsg+0x205/0x3c0
       sock_read_iter+0x89/0xd0
       __vfs_read+0xf7/0x140
       vfs_read+0x8a/0x140
       SyS_read+0x3f/0xa0
       do_syscall_64+0x5a/0x100
      
      then a minute later twsk timer fires and hits two bad refcnts
      for this freed socket:
      
      refcount_t: decrement hit 0; leaking memory.
      WARNING: CPU: 31 PID: 0 at lib/refcount.c:228 refcount_dec+0x2e/0x40
      Modules linked in:
      RIP: 0010:refcount_dec+0x2e/0x40
      RSP: 0018:ffff88085f5c3ea8 EFLAGS: 00010296
      RAX: 000000000000002c RBX: ffff88010ecbd2c0 RCX: 000000000000083f
      RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
      RBP: ffffc90003c77280 R08: 0000000000000000 R09: 00000000000017d3
      R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: ffffffff82ad2d80
      R13: ffffffff8182de00 R14: ffff88085f5c3ef8 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fbe42685250 CR3: 0000000002209001 CR4: 00000000003606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       inet_twsk_kill+0x9d/0xc0  // inet_twsk_bind_unhash(tw, hashinfo);
       call_timer_fn+0x29/0x110
       run_timer_softirq+0x36b/0x3a0
      
      refcount_t: underflow; use-after-free.
      WARNING: CPU: 31 PID: 0 at lib/refcount.c:187 refcount_sub_and_test+0x46/0x50
      RIP: 0010:refcount_sub_and_test+0x46/0x50
      RSP: 0018:ffff88085f5c3eb8 EFLAGS: 00010296
      RAX: 0000000000000026 RBX: ffff88010ecbd2c0 RCX: 000000000000083f
      RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
      RBP: ffff88010ecbd358 R08: 0000000000000000 R09: 000000000000185b
      R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: ffff88010ecbd358
      R13: ffffffff8182de00 R14: ffff88085f5c3ef8 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fbe42685250 CR3: 0000000002209001 CR4: 00000000003606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       inet_twsk_put+0x12/0x20  // inet_twsk_put(tw);
       call_timer_fn+0x29/0x110
       run_timer_softirq+0x36b/0x3a0
      
      Fixes: 67db3e4b ("tcp: no longer hold ehash lock while calling tcp_get_info()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
      Acked-by: default avatarJonathan Lemon <jonathan.lemon@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0c928d8
    • Ganesh Goudar's avatar
      MAINTAINERS: update cxgb4 and cxgb3 maintainer · de985ec5
      Ganesh Goudar authored
      Arjun Vynipadath will be taking over as maintainer from now.
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      de985ec5
    • Herbert Xu's avatar
      ipv6: frags: Fix bogus skb->sk in reassembled packets · d15f5ac8
      Herbert Xu authored
      It was reported that IPsec would crash when it encounters an IPv6
      reassembled packet because skb->sk is non-zero and not a valid
      pointer.
      
      This is because skb->sk is now a union with ip_defrag_offset.
      
      This patch fixes this by resetting skb->sk when exiting from
      the reassembly code.
      Reported-by: default avatarXiumei Mu <xmu@redhat.com>
      Fixes: 219badfa ("ipv6: frags: get rid of ip6frag_skb_cb/...")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d15f5ac8
    • Allan W. Nielsen's avatar
      mscc: Configured MAC entries should be locked. · 8fd1a4af
      Allan W. Nielsen authored
      The MAC table in Ocelot supports auto aging (normal) and static entries.
      MAC entries that is manually configured should be static and not subject
      to aging.
      
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: default avatarAllan Nielsen <allan.nielsen@microchip.com>
      Reviewed-by: default avatarSteen Hegelund <steen.hegelund@microchip.com>
      Signed-off-by: default avatarSteen Hegelund <steen.hegelund@microchip.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8fd1a4af
  2. 20 Dec, 2018 17 commits
    • Linus Torvalds's avatar
      Merge tag 'm68k-for-v4.20-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · 1d51b4b1
      Linus Torvalds authored
      Pull m68k fix from Geert Uytterhoeven:
       "Fix memblock-related crashes"
      
      * tag 'm68k-for-v4.20-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        m68k: Fix memblock-related crashes
      1d51b4b1
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v4.20-2' of... · c0f3ece4
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fix from Masahiro Yamada:
       "Fix false positive warning/error about missing library for objtool"
      
      * tag 'kbuild-fixes-v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: fix false positive warning/error about missing libelf
      c0f3ece4
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 122b7e33
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are three tiny last-minute driver fixes for 4.20-rc8 that resolve
        some reported issues, and one MAINTAINERS file update.
      
        All of them are related to the hyper-v subsystem, it seems people are
        actually testing and using it now, which is nice to see :)
      
        The fixes are:
         - uio_hv_generic: fix for opening multiple times
         - Remove PCI dependancy on hyperv drivers
         - return proper error code for an unopened channel.
      
        And Sasha has signed up to help out with the hyperv maintainership.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
        x86, hyperv: remove PCI dependency
        MAINTAINERS: Patch monkey for the Hyper-V code
        uio_hv_generic: set callbacks on open
      122b7e33
    • Linus Torvalds's avatar
      Merge tag 'tty-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · bfd7bd5b
      Linus Torvalds authored
      Pull tty/serial fix from Greg KH:
       "Here is a single fix, a revert, for the 8250 serial driver to resolve
        a reported problem.
      
        There was some attempted patches to fix the issue, but people are
        arguing about them, so reverting the patch to revert back to the 4.19
        and older behavior is the best thing to do at this late in the release
        cycle.
      
        The revert has been in linux-next with no reported issues"
      
      * tag 'tty-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "serial: 8250: Fix clearing FIFOs in RS485 mode again"
      bfd7bd5b
    • Linus Torvalds's avatar
      Merge tag 'usb-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 177c459b
      Linus Torvalds authored
      Pull USB fixes and ids from Greg KH:
       "Here are some late xhci fixes for 4.20-rc8 as well as a few new device
        ids for the option usb-serial driver.
      
        The xhci fixes resolve some many-reported issues and all of these have
        been in linux-next for a while with no reported problems"
      
      * tag 'usb-4.20-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
        xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
        USB: serial: option: add Telit LN940 series
        USB: serial: option: add Fibocom NL668 series
        USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
        USB: serial: option: add GosunCn ZTE WeLink ME3630
        USB: serial: option: add HP lt4132
      177c459b
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · d31aeb78
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Restore code to allow BKOPS and CACHE ctrl even if no HPI support
         - Reset HPI enabled state during re-init
         - Use a default minimum timeout when enabling CACHE ctrl
      
        MMC host:
         - omap_hsmmc: Fix DMA API warning
         - sdhci-tegra: Fix dt parsing of SDMMC pads autocal values
         - Correct register accesses when enabling v4 mode"
      
      * tag 'mmc-v4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
        mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
        mmc: core: Reset HPI enabled state during re-init and in case of errors
        mmc: omap_hsmmc: fix DMA API warning
        mmc: tegra: Fix for SDMMC pads autocal parsing from dt
        mmc: sdhci: Fix sdhci_do_enable_v4_mode
      d31aeb78
    • Dave Chinner's avatar
      iomap: Revert "fs/iomap.c: get/put the page in iomap_page_create/release()" · a837eca2
      Dave Chinner authored
      This reverts commit 61c6de66.
      
      The reverted commit added page reference counting to iomap page
      structures that are used to track block size < page size state. This
      was supposed to align the code with page migration page accounting
      assumptions, but what it has done instead is break XFS filesystems.
      Every fstests run I've done on sub-page block size XFS filesystems
      has since picking up this commit 2 days ago has failed with bad page
      state errors such as:
      
      # ./run_check.sh "-m rmapbt=1,reflink=1 -i sparse=1 -b size=1k" "generic/038"
      ....
      SECTION       -- xfs
      FSTYP         -- xfs (debug)
      PLATFORM      -- Linux/x86_64 test1 4.20.0-rc6-dgc+
      MKFS_OPTIONS  -- -f -m rmapbt=1,reflink=1 -i sparse=1 -b size=1k /dev/sdc
      MOUNT_OPTIONS -- /dev/sdc /mnt/scratch
      
      generic/038 454s ...
       run fstests generic/038 at 2018-12-20 18:43:05
       XFS (sdc): Unmounting Filesystem
       XFS (sdc): Mounting V5 Filesystem
       XFS (sdc): Ending clean mount
       BUG: Bad page state in process kswapd0  pfn:3a7fa
       page:ffffea0000ccbeb0 count:0 mapcount:0 mapping:ffff88800d9b6360 index:0x1
       flags: 0xfffffc0000000()
       raw: 000fffffc0000000 dead000000000100 dead000000000200 ffff88800d9b6360
       raw: 0000000000000001 0000000000000000 00000000ffffffff
       page dumped because: non-NULL mapping
       CPU: 0 PID: 676 Comm: kswapd0 Not tainted 4.20.0-rc6-dgc+ #915
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
       Call Trace:
        dump_stack+0x67/0x90
        bad_page.cold.116+0x8a/0xbd
        free_pcppages_bulk+0x4bf/0x6a0
        free_unref_page_list+0x10f/0x1f0
        shrink_page_list+0x49d/0xf50
        shrink_inactive_list+0x19d/0x3b0
        shrink_node_memcg.constprop.77+0x398/0x690
        ? shrink_slab.constprop.81+0x278/0x3f0
        shrink_node+0x7a/0x2f0
        kswapd+0x34b/0x6d0
        ? node_reclaim+0x240/0x240
        kthread+0x11f/0x140
        ? __kthread_bind_mask+0x60/0x60
        ret_from_fork+0x24/0x30
       Disabling lock debugging due to kernel taint
      ....
      
      The failures are from anyway that frees pages and empties the
      per-cpu page magazines, so it's not a predictable failure or an easy
      to debug failure.
      
      generic/038 is a reliable reproducer of this problem - it has a 9 in
      10 failure rate on one of my test machines. Failure on other
      machines have been at random points in fstests runs but every run
      has ended up tripping this problem. Hence generic/038 was used to
      bisect the failure because it was the most reliable failure.
      
      It is too close to the 4.20 release (not to mention holidays) to
      try to diagnose, fix and test the underlying cause of the problem,
      so reverting the commit is the only option we have right now. The
      revert has been tested against a current tot 4.20-rc7+ kernel across
      multiple machines running sub-page block size XFs filesystems and
      none of the bad page state failures have been seen.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Cc: Piotr Jaroszynski <pjaroszynski@nvidia.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: William Kucharski <william.kucharski@oracle.com>
      Cc: Darrick J. Wong <darrick.wong@oracle.com>
      Cc: Brian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a837eca2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 519be699
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Off by one in netlink parsing of mac802154_hwsim, from Alexander
          Aring.
      
       2) nf_tables RCU usage fix from Taehee Yoo.
      
       3) Flow dissector needs nhoff and thoff clamping, from Stanislav
          Fomichev.
      
       4) Missing sin6_flowinfo initialization in SCTP, from Xin Long.
      
       5) Spectrev1 in ipmr and ip6mr, from Gustavo A. R. Silva.
      
       6) Fix r8169 crash when DEBUG_SHIRQ is enabled, from Heiner Kallweit.
      
       7) Fix SKB leak in rtlwifi, from Larry Finger.
      
       8) Fix state pruning in bpf verifier, from Jakub Kicinski.
      
       9) Don't handle completely duplicate fragments as overlapping, from
          Michal Kubecek.
      
      10) Fix memory corruption with macb and 64-bit DMA, from Anssi Hannula.
      
      11) Fix TCP fallback socket release in smc, from Myungho Jung.
      
      12) gro_cells_destroy needs to napi_disable, from Lorenzo Bianconi.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (130 commits)
        rds: Fix warning.
        neighbor: NTF_PROXY is a valid ndm_flag for a dump request
        net: mvpp2: fix the phylink mode validation
        net/sched: cls_flower: Remove old entries from rhashtable
        net/tls: allocate tls context using GFP_ATOMIC
        iptunnel: make TUNNEL_FLAGS available in uapi
        gro_cell: add napi_disable in gro_cells_destroy
        lan743x: Remove MAC Reset from initialization
        net/mlx5e: Remove the false indication of software timestamping support
        net/mlx5: Typo fix in del_sw_hw_rule
        net/mlx5e: RX, Fix wrong early return in receive queue poll
        ipv6: explicitly initialize udp6_addr in udp_sock_create6()
        bnxt_en: Fix ethtool self-test loopback.
        net/rds: remove user triggered WARN_ON in rds_sendmsg
        net/rds: fix warn in rds_message_alloc_sgs
        ath10k: skip sending quiet mode cmd for WCN3990
        mac80211: free skb fraglist before freeing the skb
        nl80211: fix memory leak if validate_pae_over_nl80211() fails
        net/smc: fix TCP fallback socket release
        vxge: ensure data0 is initialized in when fetching firmware version information
        ...
      519be699
    • David S. Miller's avatar
      rds: Fix warning. · d84e7bc0
      David S. Miller authored
      >> net/rds/send.c:1109:42: warning: Using plain integer as NULL pointer
      
      Fixes: ea010070 ("net/rds: fix warn in rds_message_alloc_sgs")
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d84e7bc0
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · ab63e725
      Linus Torvalds authored
      Pull virtio fix from Michael Tsirkin:
       "A last-minute fix for a test build"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio: fix test build after uio.h change
      ab63e725
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.20-6' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 8c9dff1e
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
      
       - Fix TCP socket disconnection races by ensuring we always call
         xprt_disconnect_done() after releasing the socket.
      
       - Fix a race when clearing both XPRT_CONNECTING and XPRT_LOCKED
      
       - Remove xprt_connect_status() so it does not mask errors that should
         be handled by call_connect_status()
      
      * tag 'nfs-for-4.20-6' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        SUNRPC: Remove xprt_connect_status()
        SUNRPC: Fix a race with XPRT_CONNECTING
        SUNRPC: Fix disconnection races
      8c9dff1e
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · fe112793
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
      
       -  One nasty use-after-free bugfix, from this merge window however
      
       -  A less nasty use-after-free that can only zero some words at the
          beginning of the page, and hence is not really exploitable
      
       -  A NULL pointer dereference
      
       -  A dummy implementation of an AMD chicken bit MSR that Windows uses
          for some unknown reason
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
        KVM: X86: Fix NULL deref in vcpu_scan_ioapic
        KVM: Fix UAF in nested posted interrupt processing
        KVM: fix unregistering coalesced mmio zone from wrong bus
      fe112793
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.20-4' of git://git.infradead.org/users/hch/dma-mapping · 2dd516ff
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
       "Fix a regression in dma-direct that didn't take account the magic AMD
        memory encryption mask in the DMA address"
      
      * tag 'dma-mapping-4.20-4' of git://git.infradead.org/users/hch/dma-mapping:
        dma-direct: do not include SME mask in the DMA supported check
      2dd516ff
    • David Ahern's avatar
      neighbor: NTF_PROXY is a valid ndm_flag for a dump request · c0fde870
      David Ahern authored
      When dumping proxy entries the dump request has NTF_PROXY set in
      ndm_flags. strict mode checking needs to be updated to allow this
      flag.
      
      Fixes: 51183d23 ("net/neighbor: Update neigh_dump_info for strict data checking")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c0fde870
    • Antoine Tenart's avatar
      net: mvpp2: fix the phylink mode validation · 1b451fb2
      Antoine Tenart authored
      The mvpp2_phylink_validate() sets all modes that are supported by a
      given PPv2 port. An mistake made the 10000baseT_Full mode being
      advertised in some cases when a port wasn't configured to perform at
      10G. This patch fixes this.
      
      Fixes: d97c9f4a ("net: mvpp2: 1000baseX support")
      Reported-by: default avatarRussell King <linux@armlinux.org.uk>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b451fb2
    • Roi Dayan's avatar
      net/sched: cls_flower: Remove old entries from rhashtable · 599d2570
      Roi Dayan authored
      When replacing a rule we add the new rule to the rhashtable
      but only remove the old if not in skip_sw.
      This commit fix this and remove the old rule anyway.
      
      Fixes: 35cc3cef ("net/sched: cls_flower: Reject duplicated rules also under skip_sw")
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Reviewed-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Acked-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      599d2570
    • Ganesh Goudar's avatar
      net/tls: allocate tls context using GFP_ATOMIC · c6ec179a
      Ganesh Goudar authored
      create_ctx can be called from atomic context, hence use
      GFP_ATOMIC instead of GFP_KERNEL.
      
      [  395.962599] BUG: sleeping function called from invalid context at mm/slab.h:421
      [  395.979896] in_atomic(): 1, irqs_disabled(): 0, pid: 16254, name: openssl
      [  395.996564] 2 locks held by openssl/16254:
      [  396.010492]  #0: 00000000347acb52 (sk_lock-AF_INET){+.+.}, at: do_tcp_setsockopt.isra.44+0x13b/0x9a0
      [  396.029838]  #1: 000000006c9552b5 (device_spinlock){+...}, at: tls_init+0x1d/0x280
      [  396.047675] CPU: 5 PID: 16254 Comm: openssl Tainted: G           O      4.20.0-rc6+ #25
      [  396.066019] Hardware name: Supermicro X10SRA-F/X10SRA-F, BIOS 2.0c 09/25/2017
      [  396.083537] Call Trace:
      [  396.096265]  dump_stack+0x5e/0x8b
      [  396.109876]  ___might_sleep+0x216/0x250
      [  396.123940]  kmem_cache_alloc_trace+0x1b0/0x240
      [  396.138800]  create_ctx+0x1f/0x60
      [  396.152504]  tls_init+0xbd/0x280
      [  396.166135]  tcp_set_ulp+0x191/0x2d0
      [  396.180035]  ? tcp_set_ulp+0x2c/0x2d0
      [  396.193960]  do_tcp_setsockopt.isra.44+0x148/0x9a0
      [  396.209013]  __sys_setsockopt+0x7c/0xe0
      [  396.223054]  __x64_sys_setsockopt+0x20/0x30
      [  396.237378]  do_syscall_64+0x4a/0x180
      [  396.251200]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: df9d4a17 ("net/tls: sleeping function from invalid context")
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6ec179a
  3. 19 Dec, 2018 19 commits
    • wenxu's avatar
      iptunnel: make TUNNEL_FLAGS available in uapi · 1875a9ab
      wenxu authored
      ip l add dev tun type gretap external
      ip r a 10.0.0.1 encap ip dst 192.168.152.171 id 1000 dev gretap
      
      For gretap Key example when the command set the id but don't set the
      TUNNEL_KEY flags. There is no key field in the send packet
      
      In the lwtunnel situation, some TUNNEL_FLAGS should can be set by
      userspace
      Signed-off-by: default avatarwenxu <wenxu@ucloud.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1875a9ab
    • Lorenzo Bianconi's avatar
      gro_cell: add napi_disable in gro_cells_destroy · 8e1da73a
      Lorenzo Bianconi authored
      Add napi_disable routine in gro_cells_destroy since starting from
      commit c42858ea ("gro_cells: remove spinlock protecting receive
      queues") gro_cell_poll and gro_cells_destroy can run concurrently on
      napi_skbs list producing a kernel Oops if the tunnel interface is
      removed while gro_cell_poll is running. The following Oops has been
      triggered removing a vxlan device while the interface is receiving
      traffic
      
      [ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [ 5628.949981] PGD 0 P4D 0
      [ 5628.950308] Oops: 0002 [#1] SMP PTI
      [ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41
      [ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80
      [ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
      [ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
      [ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
      [ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
      [ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
      [ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
      [ 5628.960682] FS:  0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
      [ 5628.961616] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
      [ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 5628.964871] Call Trace:
      [ 5628.965179]  net_rx_action+0xf0/0x380
      [ 5628.965637]  __do_softirq+0xc7/0x431
      [ 5628.966510]  run_ksoftirqd+0x24/0x30
      [ 5628.966957]  smpboot_thread_fn+0xc5/0x160
      [ 5628.967436]  kthread+0x113/0x130
      [ 5628.968283]  ret_from_fork+0x3a/0x50
      [ 5628.968721] Modules linked in:
      [ 5628.969099] CR2: 0000000000000008
      [ 5628.969510] ---[ end trace 9d9dedc7181661fe ]---
      [ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80
      [ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
      [ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
      [ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
      [ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
      [ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
      [ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
      [ 5628.978296] FS:  0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
      [ 5628.979327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
      [ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt
      [ 5628.983307] Kernel Offset: disabled
      
      Fixes: c42858ea ("gro_cells: remove spinlock protecting receive queues")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e1da73a
    • Bryan Whitehead's avatar
      lan743x: Remove MAC Reset from initialization · e0e58787
      Bryan Whitehead authored
      The MAC Reset was noticed to erase important EEPROM settings.
      It is also unnecessary since a chip wide reset was done earlier
      in initialization, and that reset preserves EEPROM settings.
      
      There for this patch removes the unnecessary MAC specific reset.
      Signed-off-by: default avatarBryan Whitehead <Bryan.Whitehead@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0e58787
    • Michael S. Tsirkin's avatar
      virtio: fix test build after uio.h change · c5c08bed
      Michael S. Tsirkin authored
      Fixes: d3849953 ("fs: decouple READ and WRITE from the block layer ops")
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      c5c08bed
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2018-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · d9842f38
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5-fixes-2018-12-19
      
      Some fixes for the mlx5 driver
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9842f38
    • Alaa Hleihel's avatar
      net/mlx5e: Remove the false indication of software timestamping support · 47654204
      Alaa Hleihel authored
      mlx5 driver falsely advertises support of software timestamping.
      Fix it by removing the false indication.
      
      Fixes: ef9814de ("net/mlx5e: Add HW timestamping (TS) support")
      Signed-off-by: default avatarAlaa Hleihel <alaa@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      47654204
    • Yuval Avnery's avatar
      net/mlx5: Typo fix in del_sw_hw_rule · f0337889
      Yuval Avnery authored
      Expression terminated with "," instead of ";", resulted in
      set_fte getting bad value for modify_enable_mask field.
      
      Fixes: bd5251db ("net/mlx5_core: Introduce flow steering destination of type counter")
      Signed-off-by: default avatarYuval Avnery <yuvalav@mellanox.com>
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      f0337889
    • Tariq Toukan's avatar
      net/mlx5e: RX, Fix wrong early return in receive queue poll · bfc69825
      Tariq Toukan authored
      When the completion queue of the RQ is empty, do not immediately return.
      If left-over decompressed CQEs (from the previous cycle) were processed,
      need to go to the finalization part of the poll function.
      
      Bug exists only when CQE compression is turned ON.
      
      This solves the following issue:
      mlx5_core 0000:82:00.1: mlx5_eq_int:544:(pid 0): CQ error on CQN 0xc08, syndrome 0x1
      mlx5_core 0000:82:00.1 p4p2: mlx5e_cq_error_event: cqn=0x000c08 event=0x04
      
      Fixes: 4b7dfc99 ("net/mlx5e: Early-return on empty completion queues")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      bfc69825
    • Cong Wang's avatar
      ipv6: explicitly initialize udp6_addr in udp_sock_create6() · fb242745
      Cong Wang authored
      syzbot reported the use of uninitialized udp6_addr::sin6_scope_id.
      We can just set ::sin6_scope_id to zero, as tunnels are unlikely
      to use an IPv6 address that needs a scope id and there is no
      interface to bind in this context.
      
      For net-next, it looks different as we have cfg->bind_ifindex there
      so we can probably call ipv6_iface_scope_id().
      
      Same for ::sin6_flowinfo, tunnels don't use it.
      
      Fixes: 8024e028 ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
      Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com
      Cc: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fb242745
    • Michael Chan's avatar
      bnxt_en: Fix ethtool self-test loopback. · 84404d5f
      Michael Chan authored
      The current code has 2 problems.  It assumes that the RX ring for
      the loopback packet is combined with the TX ring.  This is not
      true if the ethtool channels are set to non-combined mode.  The
      second problem is that it won't work on 57500 chips without
      adjusting the logic to get the proper completion ring (cpr) pointer.
      Fix both issues by locating the proper cpr pointer through the RX
      ring.
      
      Fixes: e44758b7 ("bnxt_en: Use bnxt_cp_ring_info struct pointer as parameter for RX path.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84404d5f
    • David S. Miller's avatar
      Merge branch 'rds-fixes' · 912cb1d5
      David S. Miller authored
      Shamir Rabinovitch says:
      
      ====================
      WARNING in rds_message_alloc_sgs
      
      This patch set fix google syzbot rds bug found in linux-next.
      The first patch solve the syzbot issue.
      The second patch fix issue mentioned by Leon Romanovsky that
      drivers should not call WARN_ON as result from user input.
      
      syzbot bug report can be foud here: https://lkml.org/lkml/2018/10/31/28
      
      v1->v2:
      - patch 1: make rds_iov_vector fields name more descriptive (Hakon)
      - patch 1: fix potential mem leak in rds_rm_size if krealloc fail
        (Hakon)
      v2->v3:
      - patch 2: harden rds_sendmsg for invalid number of sgs (Gerd)
      v3->v4
      - Santosh a.b. on both patches + repost to net-dev
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      912cb1d5
    • shamir rabinovitch's avatar
      net/rds: remove user triggered WARN_ON in rds_sendmsg · c75ab8a5
      shamir rabinovitch authored
      per comment from Leon in rdma mailing list
      https://lkml.org/lkml/2018/10/31/312 :
      
      Please don't forget to remove user triggered WARN_ON.
      https://lwn.net/Articles/769365/
      "Greg Kroah-Hartman raised the problem of core kernel API code that will
      use WARN_ON_ONCE() to complain about bad usage; that will not generate
      the desired result if WARN_ON_ONCE() is configured to crash the machine.
      He was told that the code should just call pr_warn() instead, and that
      the called function should return an error in such situations. It was
      generally agreed that any WARN_ON() or WARN_ON_ONCE() calls that can be
      triggered from user space need to be fixed."
      
      in addition harden rds_sendmsg to detect and overcome issues with
      invalid sg count and fail the sendmsg.
      Suggested-by: default avatarLeon Romanovsky <leon@kernel.org>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarshamir rabinovitch <shamir.rabinovitch@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c75ab8a5
    • shamir rabinovitch's avatar
      net/rds: fix warn in rds_message_alloc_sgs · ea010070
      shamir rabinovitch authored
      redundant copy_from_user in rds_sendmsg system call expose rds
      to issue where rds_rdma_extra_size walk the rds iovec and and
      calculate the number pf pages (sgs) it need to add to the tail of
      rds message and later rds_cmsg_rdma_args copy the rds iovec again
      and re calculate the same number and get different result causing
      WARN_ON in rds_message_alloc_sgs.
      
      fix this by doing the copy_from_user only once per rds_sendmsg
      system call.
      
      When issue occur the below dump is seen:
      
      WARNING: CPU: 0 PID: 19789 at net/rds/message.c:316 rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 0 PID: 19789 Comm: syz-executor827 Not tainted 4.19.0-next-20181030+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x244/0x39d lib/dump_stack.c:113
       panic+0x2ad/0x55c kernel/panic.c:188
       __warn.cold.8+0x20/0x45 kernel/panic.c:540
       report_bug+0x254/0x2d0 lib/bug.c:186
       fixup_bug arch/x86/kernel/traps.c:178 [inline]
       do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
       do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
       invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
      RIP: 0010:rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
      Code: c0 74 04 3c 03 7e 6c 44 01 ab 78 01 00 00 e8 2b 9e 35 fa 4c 89 e0 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 14 9e 35 fa <0f> 0b 31 ff 44 89 ee e8 18 9f 35 fa 45 85 ed 75 1b e8 fe 9d 35 fa
      RSP: 0018:ffff8801c51b7460 EFLAGS: 00010293
      RAX: ffff8801bc412080 RBX: ffff8801d7bf4040 RCX: ffffffff8749c9e6
      RDX: 0000000000000000 RSI: ffffffff8749ca5c RDI: 0000000000000004
      RBP: ffff8801c51b7490 R08: ffff8801bc412080 R09: ffffed003b5c5b67
      R10: ffffed003b5c5b67 R11: ffff8801dae2db3b R12: 0000000000000000
      R13: 000000000007165c R14: 000000000007165c R15: 0000000000000005
       rds_cmsg_rdma_args+0x82d/0x1510 net/rds/rdma.c:623
       rds_cmsg_send net/rds/send.c:971 [inline]
       rds_sendmsg+0x19a2/0x3180 net/rds/send.c:1273
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:632
       ___sys_sendmsg+0x7fd/0x930 net/socket.c:2117
       __sys_sendmsg+0x11d/0x280 net/socket.c:2155
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x44a859
      Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f1d4710ada8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044a859
      RDX: 0000000000000000 RSI: 0000000020001600 RDI: 0000000000000003
      RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dcc2c
      R13: 646e732f7665642f R14: 00007f1d4710b9c0 R15: 00000000006dcd2c
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      Reported-by: syzbot+26de17458aeda9d305d8@syzkaller.appspotmail.com
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarshamir rabinovitch <shamir.rabinovitch@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea010070
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2018-12-19' of... · c6f4075e
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2018-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.20
      
      Last set of fixes for 4.20. All (except the mt76 fix) of these are
      important fixes to user reported problems and pretty small in size.
      
      rtlwifi
      
      * fix skb leak
      
      mwifiex
      
      * revert a commit from v4.19 due to problems with locking
      
      mt76
      
      * fix a potential NULL derenfence
      
      * add entry to MAINTAINERS
      
      iwlwifi
      
      * fix a firmware crash which was a regression introduced in v4.20-rc4
      
      ath10k
      
      * fix a firmware crash with wcn3990 firmware
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6f4075e
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-12-19' of... · 49ce708b
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just three fixes:
       * fix a memory leak in an error path
       * fix TXQs in interface teardown
       * free fraglist if we used it internally
         before returning SKB
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49ce708b
    • Geert Uytterhoeven's avatar
      m68k: Fix memblock-related crashes · bed1369f
      Geert Uytterhoeven authored
      When running the kernel in Fast RAM on Atari:
      
          Ignoring memory chunk at 0x0:0xe00000 before the first chunk
          ...
          Unable to handle kernel NULL pointer dereference at virtual address (ptrval)
          Oops: 00000000
          Modules linked in:
          PC: [<0069dbac>] free_all_bootmem+0x12c/0x186
          SR: 2714  SP: (ptrval)  a2: 005e3314
          d0: 00000000    d1: 0000000a    d2: 00000e00    d3: 00000000
          d4: 005e1fc0    d5: 0000001a    a0: 01000000    a1: 00000000
          Process swapper (pid: 0, task=(ptrval))
          Frame format=7 eff addr=00000736 ssw=0505 faddr=00000736
          wb 1 stat/addr/data: 0000 00000000 00000000
          wb 2 stat/addr/data: 0000 00000000 00000000
          wb 3 stat/addr/data: 0000 00000736 00000000
          push data: 00000000 00000000 00000000 00000000
          Stack from 005e1f84:
                  00000000 0000000a 027d3260 006b5006 00000000 00000000 00000000 00000000
                  0004f062 0003a220 0069e272 005e1ff8 0000054c 00000000 00e00000 00000000
                  00000001 00693cd8 027d3260 0004f062 0003a220 00691be6 00000000 00000000
                  00000000 00000000 00000000 00000000 006b5006 00000000 00690872
          Call Trace: [<0004f062>] printk+0x0/0x18
           [<0003a220>] parse_args+0x0/0x2d4
           [<0069e272>] memblock_virt_alloc_try_nid+0x0/0xa4
           [<00693cd8>] mem_init+0xa/0x5c
           [<0004f062>] printk+0x0/0x18
           [<0003a220>] parse_args+0x0/0x2d4
           [<00691be6>] start_kernel+0x1ca/0x462
           [<00690872>] _sinittext+0x872/0x11f8
          Code: 7a1a eaae 2270 6db0 0061 ef14 2f01 2f03 <96a9> 0736 2203 e589 d681 e78b d6a9 0732 2f03 2f40 0034 4eb9 0069 b8d0 260e 4fef
          Disabling lock debugging due to kernel taint
          Kernel panic - not syncing: Attempted to kill the idle task!
      
      As the kernel must run in the memory chunk with the lowest address,
      ST-RAM is ignored, and removed from the m68k_memory[] array.
      However, it is not removed from memblock, causing a crash later.
      
      More investigation shows that there are 3 places where memory chunks are
      ignored, all after the calls to memblock_add() in m68k_parse_bootinfo(),
      and thus causing crashes:
        1. On classic m68k CPUs with a MMU, paging_init() ignores all memory
           chunks below the first chunk, cfr. above,
        2. On Amigas equipped with a Zorro III bus, config_amiga() ignores all
           Zorro II memory,
        3. If CONFIG_SINGLE_MEMORY_CHUNK=y, m68k_parse_bootinfo() ignores all
           but the first memory chunk.
      
      Fix this by moving the calls to memblock_add() from
      m68k_parse_bootinfo() to paging_init(), after all ignored memory chunks
      have been removed from m68k_memory[].
      Reported-by: default avatarAndreas Schwab <schwab@linux-m68k.org>
      Fixes: 1008a115 ("m68k: switch to MEMBLOCK + NO_BOOTMEM")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      bed1369f
    • Masahiro Yamada's avatar
      kbuild: fix false positive warning/error about missing libelf · ef7cfd00
      Masahiro Yamada authored
      For the same reason as commit 25896d07 ("x86/build: Fix compiler
      support check for CONFIG_RETPOLINE"), you cannot put this $(error ...)
      into the parse stage of the top Makefile.
      
      Perhaps I'd propose a more sophisticated solution later, but this is
      the best I can do for now.
      
      Link: https://lkml.org/lkml/2017/12/25/211Reported-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Reported-by: default avatarBernd Edlinger <bernd.edlinger@hotmail.de>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      ef7cfd00
    • Rakesh Pillai's avatar
      ath10k: skip sending quiet mode cmd for WCN3990 · 53884577
      Rakesh Pillai authored
      HL2.0 firmware does not support setting quiet mode.  If the host driver sends
      the quiet mode setting command to the HL2.0 firmware, it crashes with the below
      signature.
      
      fatal error received: err_qdi.c:456:EX:wlan_process:1:WLAN RT:207a:PC=b001b4f0
      
      The quiet mode command support is exposed by the firmware via thermal throttle
      wmi service. Enable ath10k thermal support if thermal throttle wmi service bit
      is set.  10.x firmware versions support this feature by default, but
      unfortunately do not advertise the support via service flags, hence have to
      manually set the service flag in ath10k_core_compat_services().
      
      Tested on QCA988X with 10.2.4.70.9-2. Also tested on WCN3990.
      Co-developed-by: default avatarGovind Singh <govinds@codeaurora.org>
      Co-developed-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarRakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: default avatarGovind Singh <govinds@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      53884577
    • Sara Sharon's avatar
      mac80211: free skb fraglist before freeing the skb · 34b1e0e9
      Sara Sharon authored
      mac80211 uses the frag list to build AMSDU. When freeing
      the skb, it may not be really freed, since someone is still
      holding a reference to it.
      In that case, when TCP skb is being retransmitted, the
      pointer to the frag list is being reused, while the data
      in there is no longer valid.
      Since we will never get frag list from the network stack,
      as mac80211 doesn't advertise the capability, we can safely
      free and nullify it before releasing the SKB.
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      34b1e0e9