1. 06 Aug, 2016 3 commits
    • rxrpc: Fix races between skb free, ACK generation and replying · 372ee163
      David Howells authored
      Inside the kafs filesystem it is possible to occasionally have a call
      processed and terminated before we've had a chance to check whether we need
      to clean up the rx queue for that call because afs_send_simple_reply() ends
      the call when it is done, but this is done in a workqueue item that might
      happen to run to completion before afs_deliver_to_call() completes.
      
      Further, it is possible for rxrpc_kernel_send_data() to be called to send a
      reply before the last request-phase data skb is released.  The rxrpc skb
      destructor is where the ACK processing is done and the call state is
      advanced upon release of the last skb.  ACK generation is also deferred to
      a work item because it's possible that the skb destructor is not called in
      a context where kernel_sendmsg() can be invoked.
      
      To this end, the following changes are made:
      
       (1) kernel_rxrpc_data_consumed() is added.  This should be called whenever
           an skb is emptied so as to crank the ACK and call states.  This does
           not release the skb, however.  kernel_rxrpc_free_skb() must now be
           called to achieve that.  These together replace
           rxrpc_kernel_data_delivered().
      
       (2) kernel_rxrpc_data_consumed() is wrapped by afs_data_consumed().
      
           This makes afs_deliver_to_call() easier to work as the skb can simply
           be discarded unconditionally here without trying to work out what the
           return value of the ->deliver() function means.
      
           The ->deliver() functions can, via afs_data_complete(),
           afs_transfer_reply() and afs_extract_data() mark that an skb has been
           consumed (thereby cranking the state) without the need to
           conditionally free the skb to make sure the state is correct on an
           incoming call for when the call processor tries to send the reply.
      
       (3) rxrpc_recvmsg() now has to call kernel_rxrpc_data_consumed() when it
           has finished with a packet and MSG_PEEK isn't set.
      
       (4) rxrpc_packet_destructor() no longer calls rxrpc_hard_ACK_data().
      
           Because of this, we no longer need to clear the destructor and put the
           call before we free the skb in cases where we don't want the ACK/call
           state to be cranked.
      
       (5) The ->deliver() call-type callbacks are made to return -EAGAIN rather
           than 0 if they expect more data (afs_extract_data() returns -EAGAIN to
           the delivery function already), and the caller is now responsible for
           producing an abort if that was the last packet.
      
       (6) There are many bits of unmarshalling code where:
      
       		ret = afs_extract_data(call, skb, last, ...);
      		switch (ret) {
      		case 0:		break;
      		case -EAGAIN:	return 0;
      		default:	return ret;
      		}
      
           is to be found.  As -EAGAIN can now be passed back to the caller, we
           now just return if ret < 0:
      
       		ret = afs_extract_data(call, skb, last, ...);
      		if (ret < 0)
      			return ret;
      
       (7) Checks for trailing data and empty final data packets have been
           consolidated as afs_data_complete().  So:
      
      		if (skb->len > 0)
      			return -EBADMSG;
      		if (!last)
      			return 0;
      
           becomes:
      
      		ret = afs_data_complete(call, skb, last);
      		if (ret < 0)
      			return ret;
      
       (8) afs_transfer_reply() now checks the amount of data it has against the
           amount of data desired and the amount of data in the skb and returns
           an error to induce an abort if we don't get exactly what we want.
      
      Without these changes, the following oops can occasionally be observed,
      particularly if some printks are inserted into the delivery path:
      
      general protection fault: 0000 [#1] SMP
      Modules linked in: kafs(E) af_rxrpc(E) [last unloaded: af_rxrpc]
      CPU: 0 PID: 1305 Comm: kworker/u8:3 Tainted: G            E   4.7.0-fsdevel+ #1303
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      Workqueue: kafsd afs_async_workfn [kafs]
      task: ffff88040be041c0 ti: ffff88040c070000 task.ti: ffff88040c070000
      RIP: 0010:[<ffffffff8108fd3c>]  [<ffffffff8108fd3c>] __lock_acquire+0xcf/0x15a1
      RSP: 0018:ffff88040c073bc0  EFLAGS: 00010002
      RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000000 RCX: ffff88040d29a710
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88040d29a710
      RBP: ffff88040c073c70 R08: 0000000000000001 R09: 0000000000000001
      R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: ffff88040be041c0 R15: ffffffff814c928f
      FS:  0000000000000000(0000) GS:ffff88041fa00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa4595f4750 CR3: 0000000001c14000 CR4: 00000000001406f0
      Stack:
       0000000000000006 000000000be04930 0000000000000000 ffff880400000000
       ffff880400000000 ffffffff8108f847 ffff88040be041c0 ffffffff81050446
       ffff8803fc08a920 ffff8803fc08a958 ffff88040be041c0 ffff88040c073c38
      Call Trace:
       [<ffffffff8108f847>] ? mark_held_locks+0x5e/0x74
       [<ffffffff81050446>] ? __local_bh_enable_ip+0x9b/0xa1
       [<ffffffff8108f9ca>] ? trace_hardirqs_on_caller+0x16d/0x189
       [<ffffffff810915f4>] lock_acquire+0x122/0x1b6
       [<ffffffff810915f4>] ? lock_acquire+0x122/0x1b6
       [<ffffffff814c928f>] ? skb_dequeue+0x18/0x61
       [<ffffffff81609dbf>] _raw_spin_lock_irqsave+0x35/0x49
       [<ffffffff814c928f>] ? skb_dequeue+0x18/0x61
       [<ffffffff814c928f>] skb_dequeue+0x18/0x61
       [<ffffffffa009aa92>] afs_deliver_to_call+0x344/0x39d [kafs]
       [<ffffffffa009ab37>] afs_process_async_call+0x4c/0xd5 [kafs]
       [<ffffffffa0099e9c>] afs_async_workfn+0xe/0x10 [kafs]
       [<ffffffff81063a3a>] process_one_work+0x29d/0x57c
       [<ffffffff81064ac2>] worker_thread+0x24a/0x385
       [<ffffffff81064878>] ? rescuer_thread+0x2d0/0x2d0
       [<ffffffff810696f5>] kthread+0xf3/0xfb
       [<ffffffff8160a6ff>] ret_from_fork+0x1f/0x40
       [<ffffffff81069602>] ? kthread_create_on_node+0x1cf/0x1cf
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: arc_emac: add missing of_node_put() in arc_emac_probe() · 54447f1a
      Wei Yongjun authored
      commit a94efbd7 ("ethernet: arc: emac_main: add missing of_node_put
      after calling of_parse_phandle") added missing of_node_put after calling
      of_parse_phandle, but missed the devm_ioremap_resource() error handling
      case.
      Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
      Reviewed-by: Peter Chen <peter.chen@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • OVS: Ignore negative headroom value · 5ef9f289
      Ian Wienand authored
      net_device->ndo_set_rx_headroom (introduced in
      871b642a) says
      
        "Setting a negtaive value reset the rx headroom
         to the default value".
      
      It seems that the OVS implementation in
      3a927bc7 overlooked this and sets
      dev->needed_headroom unconditionally.
      
      This doesn't have an immediate effect, but can mess up later
      LL_RESERVED_SPACE calculations, such as done in
      net/ipv6/mcast.c:mld_newpack.  For reference, this issue was found
      from a skb_panic raised there after the length calculations had given
      the wrong result.
      
      Note the other current users of this interface
      (drivers/net/tun.c:tun_set_headroom and
      drivers/net/veth.c:veth_set_rx_headroom) are both checking this
      correctly thus need no modification.
      
      Thanks to Ben for some pointers from the crash dumps!
      
      Cc: Benjamin Poirier <bpoirier@suse.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361414
      Signed-off-by: Ian Wienand <iwienand@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
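
The effect this commit message describes, as an added user-space model (not code from the kernel tree or from the patch): `needed_headroom` is an `unsigned short` in `struct net_device`, so a negative `int` stored unconditionally wraps to a large value that then feeds the `LL_RESERVED_SPACE` arithmetic. `struct model_dev`, the `set_headroom_*` helpers, `reserved_after()` and the default of 0 for a negative request are assumptions made for illustration.

```c
#include <stdio.h>

#define HH_DATA_MOD 16  /* alignment constant used by LL_RESERVED_SPACE */

/* Hypothetical stand-in for the two struct net_device fields involved. */
struct model_dev {
    unsigned short hard_header_len;
    unsigned short needed_headroom;
};

/* Same arithmetic as the kernel macro LL_RESERVED_SPACE(dev). */
static int ll_reserved_space(const struct model_dev *dev)
{
    return ((dev->hard_header_len + dev->needed_headroom)
            & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD;
}

/* Behaviour the commit message describes: the value is stored as given. */
static void set_headroom_unchecked(struct model_dev *dev, int new_hr)
{
    dev->needed_headroom = (unsigned short)new_hr;  /* -1 wraps to 65535 */
}

/* Checked form: a negative value selects the default (assumed 0 here). */
static void set_headroom_checked(struct model_dev *dev, int new_hr)
{
    if (new_hr < 0)
        new_hr = 0;
    dev->needed_headroom = (unsigned short)new_hr;
}

/* Reserved space for a 14-byte link header after a headroom request. */
static int reserved_after(int new_hr, int checked)
{
    struct model_dev dev = { .hard_header_len = 14, .needed_headroom = 0 };

    if (checked)
        set_headroom_checked(&dev, new_hr);
    else
        set_headroom_unchecked(&dev, new_hr);
    return ll_reserved_space(&dev);
}

int main(void)
{
    printf("request -1, unchecked: %d bytes reserved\n", reserved_after(-1, 0));
    printf("request -1, checked:   %d bytes reserved\n", reserved_after(-1, 1));
    printf("request 32, checked:   %d bytes reserved\n", reserved_after(32, 1));
    return 0;
}
```
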
  2. 03 Aug, 2016 14 commits
    • Merge branch 'qlcnic-fixes' · 7cf210dc
      David S. Miller authored
      Manish Chopra says:
      
      ====================
      qlcnic: bug fixes
      
      This series fixes a data structure corruption bug in
      VF's async mailbox commands handling and an issue related
      to napi poll budget in the driver.
      
      Please consider applying this series to "net"
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • b8b2372d
      Manish Chopra authored
    • qlcnic: fix napi budget alteration · fc4ca987
      Manish Chopra authored
      Driver modifies the supplied NAPI budget in qlcnic_83xx_msix_tx_poll()
      function. Instead, it should use the budget as it is.
      Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qlcnic: fix data structure corruption in async mbx command handling · 2b10d3ec
      Manish Chopra authored
      This patch fixes a data structure corruption bug in the SRIOV VF mailbox
      handler code. While handling mailbox commands from the atomic context,
      driver is accessing and updating qlcnic_async_work_list_struct entry fields
      in the async work list. These fields could be concurrently accessed by the
      work function resulting in data corruption.
      
      This patch restructures async mbx command handling by using a separate
      async command list instead of using a list of work_struct structures.
      A single work_struct is used to schedule and handle the async commands
      with proper locking mechanism.
      Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
      Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
      Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'tg3-fixes' · cfaa2189
      David S. Miller authored
      Siva Reddy Kallam says:
      
      ====================
      tg3: Disallow 0 rx coalesce time and correctly report RSS queues in tg3_get_rxnfc
      
      First patch:
              Disallow rx coalescing time to be 0
      
      Second patch:
              Report the correct number of RSS queues through tg3_get_rxnfc
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: Report the correct number of RSS queues through tg3_get_rxnfc · 9ce6fd7a
      Siva Reddy Kallam authored
      This patch removes the wrong subtraction from info->data in
      tg3_get_rxnfc function. Without this patch, the number of RSS
      queues reported is less by one.
      Reported-by: Michal Soltys <soltys@ziu.info>
      Signed-off-by: Siva Reddy Kallam <siva.kallam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: Fix for diasllow rx coalescing time to be 0 · 087d7a8c
      Satish Baddipadige authored
      When the rx coalescing time is 0, interrupts
      are not generated from the controller and rx path hangs.
      To avoid this rx hang, updating the driver to not allow
      rx coalescing time to be 0.
      Signed-off-by: Satish Baddipadige <satish.baddipadige@broadcom.com>
      Signed-off-by: Siva Reddy Kallam <siva.kallam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: fix method of PTR_TO_PACKET reg id generation · 1f415a74
      Jakub Kicinski authored
      Using per-register incrementing ID can lead to
      find_good_pkt_pointers() confusing registers which
      have completely different values.  Consider example:
      
      0: (bf) r6 = r1
      1: (61) r8 = *(u32 *)(r6 +76)
      2: (61) r0 = *(u32 *)(r6 +80)
      3: (bf) r7 = r8
      4: (07) r8 += 32
      5: (2d) if r8 > r0 goto pc+9
       R0=pkt_end R1=ctx R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=0,off=32,r=32) R10=fp
      6: (bf) r8 = r7
      7: (bf) r9 = r7
      8: (71) r1 = *(u8 *)(r7 +0)
      9: (0f) r8 += r1
      10: (71) r1 = *(u8 *)(r7 +1)
      11: (0f) r9 += r1
      12: (07) r8 += 32
      13: (2d) if r8 > r0 goto pc+1
       R0=pkt_end R1=inv56 R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=1,off=32,r=32) R9=pkt(id=1,off=0,r=32) R10=fp
      14: (71) r1 = *(u8 *)(r9 +16)
      15: (b7) r7 = 0
      16: (bf) r0 = r7
      17: (95) exit
      
      We need to get an UNKNOWN_VALUE with imm to force id
      generation so lines 0-5 make r7 a valid packet pointer.
      We then read two different bytes from the packet and
      add them to copies of the constructed packet pointer.
      r8 (line 9) and r9 (line 11) will get the same id of 1,
      independently.  When either of them is validated (line
      13) - find_good_pkt_pointers() will also mark the other
      as safe.  This leads to access on line 14 being mistakenly
      considered safe.
      
      Fixes: 969bf05e ("bpf: direct packet access")
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
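
The ID confusion walked through in this commit message, as an added user-space model (not the verifier's code and not taken from the patch): it replays lines 6-14 of the listing with per-register `id++` and with a single counter shared by the whole run, and reports whether the read on line 14 is accepted. All struct and function names except `find_good_pkt_pointers` are hypothetical, and the shared counter is an assumption about one way to keep IDs distinct.

```c
#include <stdio.h>

enum reg_type { NOT_INIT = 0, PTR_TO_PACKET };

/* Reduced register state: only the fields the listing prints. */
struct reg_state { enum reg_type type; int id, off, range; };

struct verifier {
    struct reg_state regs[11];  /* r0..r10 */
    int id_gen;                 /* counter shared by the whole run */
    int shared_counter;         /* 0: per-register id++, 1: ++id_gen */
};

static void mov(struct verifier *v, int dst, int src)
{
    v->regs[dst] = v->regs[src];
}

/* pkt_ptr += unknown value: offset becomes variable, so new id, no range. */
static void add_unknown(struct verifier *v, int dst)
{
    struct reg_state *r = &v->regs[dst];

    if (v->shared_counter)
        r->id = ++v->id_gen;
    else
        r->id++;
    r->off = 0;
    r->range = 0;
}

static void add_const(struct verifier *v, int dst, int imm)
{
    v->regs[dst].off += imm;
}

/* Fall-through of "if rX > pkt_end": pointers sharing rX's id get its range. */
static void find_good_pkt_pointers(struct verifier *v, int checked)
{
    int i;

    for (i = 0; i < 11; i++)
        if (v->regs[i].type == PTR_TO_PACKET &&
            v->regs[i].id == v->regs[checked].id)
            v->regs[i].range = v->regs[checked].off;
}

static int access_ok(const struct verifier *v, int reg, int off, int size)
{
    return v->regs[reg].off + off + size <= v->regs[reg].range;
}

/* Replays lines 6-14 of the listing; returns the verdict for line 14. */
static int line14_accepted(int shared_counter)
{
    struct verifier v = { .shared_counter = shared_counter };

    v.regs[7] = (struct reg_state){ PTR_TO_PACKET, 0, 0, 32 }; /* after line 5 */
    mov(&v, 8, 7);                  /*  6: r8 = r7 */
    mov(&v, 9, 7);                  /*  7: r9 = r7 */
    add_unknown(&v, 8);             /*  9: r8 += r1 (packet byte 0) */
    add_unknown(&v, 9);             /* 11: r9 += r1 (packet byte 1) */
    add_const(&v, 8, 32);           /* 12: r8 += 32 */
    find_good_pkt_pointers(&v, 8);  /* 13: if r8 > r0 goto, fall-through */
    return access_ok(&v, 9, 16, 1); /* 14: r1 = *(u8 *)(r9 +16) */
}

int main(void)
{
    printf("per-register ids: line 14 accepted = %d\n", line14_accepted(0));
    printf("shared counter:   line 14 accepted = %d\n", line14_accepted(1));
    return 0;
}
```
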
    • net: xgene: fix maybe-uninitialized variable · ea966cb6
      Arnd Bergmann authored
      Building with -Wmaybe-uninitialized shows a potential use of
      an uninitialized variable:
      
      drivers/net/ethernet/apm/xgene/xgene_enet_hw.c: In function 'xgene_enet_phy_connect':
      drivers/net/ethernet/apm/xgene/xgene_enet_hw.c:802:23: warning: 'phy_dev' may be used uninitialized in this function [-Wmaybe-uninitialized]
      
      Although the compiler correctly identified this based on the function,
      the current code is still safe as long as dev->of_node is non-NULL
      for the case of CONFIG_ACPI=n, which is currently the case.
      
      The warning is now disabled by default, but still appears when
      building with W=1, and other build test tools should be able to
      detect it as well. Adding an #else clause here makes the code
      more robust and makes it clear to the compiler that this cannot
      happen.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Fixes: 8089a96f ("drivers: net: xgene: Add backward compatibility")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • openvswitch: Remove incorrect WARN_ONCE(). · bce91f8a
      Jarno Rajahalme authored
      ovs_ct_find_existing() issues a warning if an existing conntrack entry
      classified as IP_CT_NEW is found, with the premise that this should
      not happen.  However, a newly confirmed, non-expected conntrack entry
      remains IP_CT_NEW as long as no reply direction traffic is seen.  This
      has resulted in somewhat confusing kernel log messages.  This patch
      removes this check and warning.
      
      Fixes: 289f2253 ("openvswitch: Find existing conntrack entry after upcall.")
      Suggested-by: Joe Stringer <joe@ovn.org>
      Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
      Acked-by: Joe Stringer <joe@ovn.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'trace-v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · bf0f500b
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "A few updates and fixes:
      
         - move the suppressing of the __builtin_return_address >0 warning to
           the tracing directory only.
      
         - metag recordmcount fix for newer glibc's
      
         - two tracing histogram fixes that were reported by KASAN"
      
      * tag 'trace-v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix use-after-free in hist_register_trigger()
        tracing: Fix use-after-free in hist_unreg_all/hist_enable_unreg_all
        Makefile: Mute warning for __builtin_return_address(>0) for tracing only
        ftrace/recordmcount: Work around for addition of metag magic but not relocations
    • fs/proc: Add compiler check for -Wno-override-init to support gcc < 4.2 · 4b2e0162
      Geert Uytterhoeven authored
      With gcc < 4.2 (e.g. 4.1.2):
      
            CC      fs/proc/task_mmu.o
          cc1: error: unrecognized command line option "-Wno-override-init"
      
      To fix this, only enable the compiler option when it is actually
      supported by the compiler.
      
      Fixes: ca52953f ("fs/proc/task_mmu.c: suppress compilation warnings with W=1")
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f0936155
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix several cases of missing of_node_put() calls in various
          networking drivers.  From Peter Chen.
      
       2) Don't try to remove unconfigured VLANs in qed driver, from Yuval
          Mintz.
      
       3) Unbalanced locking in TIPC error handling, from Wei Yongjun.
      
       4) Fix lockups in CPDMA driver, from Grygorii Strashko.
      
       5) More MACSEC refcount et al fixes, from Sabrina Dubroca.
      
       6) Fix MAC address setting in r8169 during runtime suspend, from
          Chun-Hao Lin.
      
       7) Various printf format specifier fixes, from Heinrich Schuchardt.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
        qed: Fail driver load in 100g MSI mode.
        ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
        ethernet: stmicro: stmmac: add missing of_node_put after calling of_parse_phandle
        ethernet: stmicro: stmmac: dwmac-socfpga: add missing of_node_put after calling of_parse_phandle
        ethernet: renesas: sh_eth: add missing of_node_put after calling of_parse_phandle
        ethernet: renesas: ravb_main: add missing of_node_put after calling of_parse_phandle
        ethernet: marvell: pxa168_eth: add missing of_node_put after calling of_parse_phandle
        ethernet: marvell: mvpp2: add missing of_node_put after calling of_parse_phandle
        ethernet: marvell: mvneta: add missing of_node_put after calling of_parse_phandle
        ethernet: hisilicon: hns: hns_dsaf_main: add missing of_node_put after calling of_parse_phandle
        ethernet: hisilicon: hns: hns_dsaf_mac: add missing of_node_put after calling of_parse_phandle
        ethernet: cavium: octeon: add missing of_node_put after calling of_parse_phandle
        ethernet: aurora: nb8800: add missing of_node_put after calling of_parse_phandle
        ethernet: arc: emac_main: add missing of_node_put after calling of_parse_phandle
        ethernet: apm: xgene: add missing of_node_put after calling of_parse_phandle
        ethernet: altera: add missing of_node_put
        8139too: fix system hang when there is a tx timeout event.
        qed: Fix error return code in qed_resc_alloc()
        net: qlcnic: avoid superfluous assignement
        dsa: b53: remove redundant if
        ...
    • Merge branch 'akpm' (patches from Andrew) · d52bd54d
      Linus Torvalds authored
      Merge yet more updates from Andrew Morton:
      
       - the rest of ocfs2
      
       - various hotfixes, mainly MM
      
       - quite a bit of misc stuff - drivers, fork, exec, signals, etc.
      
       - printk updates
      
       - firmware
      
       - checkpatch
      
       - nilfs2
      
       - more kexec stuff than usual
      
       - rapidio updates
      
       - w1 things
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (111 commits)
        ipc: delete "nr_ipc_ns"
        kcov: allow more fine-grained coverage instrumentation
        init/Kconfig: add clarification for out-of-tree modules
        config: add android config fragments
        init/Kconfig: ban CONFIG_LOCALVERSION_AUTO with allmodconfig
        relay: add global mode support for buffer-only channels
        init: allow blacklisting of module_init functions
        w1:omap_hdq: fix regression
        w1: add helper macro module_w1_family
        w1: remove need for ida and use PLATFORM_DEVID_AUTO
        rapidio/switches: add driver for IDT gen3 switches
        powerpc/fsl_rio: apply changes for RIO spec rev 3
        rapidio: modify for rev.3 specification changes
        rapidio: change inbound window size type to u64
        rapidio/idt_gen2: fix locking warning
        rapidio: fix error handling in mbox request/release functions
        rapidio/tsi721_dma: advance queue processing from transfer submit call
        rapidio/tsi721: add messaging mbox selector parameter
        rapidio/tsi721: add PCIe MRRS override parameter
        rapidio/tsi721_dma: add channel mask and queue size parameters
        ...
  3. 02 Aug, 2016 23 commits