1. 09 Dec, 2019 4 commits
    • Xin Long's avatar
      sctp: fully initialize v4 addr in some functions · b6f3320b
      Xin Long authored
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
        BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
        BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
        Call Trace:
          crc32_body lib/crc32.c:112 [inline]
          crc32_le_generic lib/crc32.c:179 [inline]
          __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
          chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
          crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
          crc32c+0x150/0x220 lib/libcrc32c.c:47
          sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
          __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
          sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
          sctp_packet_pack net/sctp/output.c:528 [inline]
          sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
          sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
          sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
          sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
          sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
          sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
          sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
          sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
          sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
          sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
          sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
      
      The issue was caused by transport->ipaddr set with uninit addr param, which
      was passed by:
      
        sctp_transport_init net/sctp/transport.c:47 [inline]
        sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
        sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
        sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
      
      where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
      the padding of addr->v4.
      
      Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
      will become the part of skb, and the issue occurs.
      
      This patch is to fix it by initializing the padding of addr->v4 in
      sctp_v4_from_addr_param(), as well as other functions that do the similar
      thing, and these functions shouldn't trust that the caller initializes the
      memory, as Marcelo suggested.
      
      Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6f3320b
    • Eric Dumazet's avatar
      bonding: fix bond_neigh_init() · 9e99bfef
      Eric Dumazet authored
      1) syzbot reported an uninit-value in bond_neigh_setup() [1]
      
       bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms',
       but only clears parms.neigh_setup field.
      
       A stacked bonding device would then enter bond_neigh_setup()
       and read garbage from parms->dev.
      
       If we get really unlucky and garbage is matching @dev, then we
       could recurse and eventually crash.
      
       Let's make sure the whole structure is cleared to avoid surprises.
      
      2) bond_neigh_setup() can be called while another cpu manipulates
       the master device, removing or adding a slave.
       We need at least rcu protection to prevent use-after-free.
      
      Note: Prior code does not support a stack of bonding devices,
            this patch does not attempt to fix this, and leave a comment instead.
      
      [1]
      
      BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
      CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
       bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
       bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626
       ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613
       __neigh_create+0xbd/0xd0 net/core/neighbour.c:674
       ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113
       __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
       ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
       dst_output include/net/dst.h:436 [inline]
       NF_HOOK include/linux/netfilter.h:305 [inline]
       mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682
       mld_send_cr net/ipv6/mcast.c:1978 [inline]
       mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477
       call_timer_fn+0x232/0x530 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers+0xd60/0x1270 kernel/time/timer.c:1773
       run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       invoke_softirq kernel/softirq.c:375 [inline]
       irq_exit+0x230/0x280 kernel/softirq.c:416
       exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536
       smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138
       apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835
       </IRQ>
      RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439
      Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f
      RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000
      RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104
      RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0
       free_pages_prepare mm/page_alloc.c:1138 [inline]
       free_pcp_prepare mm/page_alloc.c:1230 [inline]
       free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025
       free_unref_page mm/page_alloc.c:3074 [inline]
       free_the_page mm/page_alloc.c:4832 [inline]
       __free_pages+0x154/0x230 mm/page_alloc.c:4840
       __vunmap+0xdac/0xf20 mm/vmalloc.c:2277
       __vfree mm/vmalloc.c:2325 [inline]
       vfree+0x7c/0x170 mm/vmalloc.c:2355
       copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline]
       get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline]
       do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122
       ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400
       tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688
       sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110
       __sys_getsockopt+0x533/0x7b0 net/socket.c:2129
       __do_sys_getsockopt net/socket.c:2144 [inline]
       __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141
       __x64_sys_getsockopt+0x62/0x80 net/socket.c:2141
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45d20a
      Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00
      RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a
      RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
      RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000
      R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003
      R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00
      
      Local variable description: ----parms@bond_neigh_init
      Variable was created at:
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
      
      Fixes: 9918d5bf ("bonding: modify only neigh_parms owned by us")
      Fixes: 234bcf8a ("net/bonding: correctly proxy slave neigh param setup ndo function")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e99bfef
    • Eric Dumazet's avatar
      neighbour: remove neigh_cleanup() method · f394722f
      Eric Dumazet authored
      neigh_cleanup() has not been used for seven years, and was a wrong design.
      
      Messing with shared pointer in bond_neigh_init() without proper
      memory barriers would at least trigger syzbot complains eventually.
      
      It is time to remove this stuff.
      
      Fixes: b63b70d8 ("IPoIB: Use a private hash table for path lookup in xmit path")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f394722f
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.5-20191208' of... · 43aad810
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.5-20191208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-12-08
      
      this is a pull request of 13 patches for net/master.
      
      The first two patches are by Dan Murphy. He adds himself as a maintainer to the
      m-can MMIO and tcan SPI driver.
      
      The next two patches the j1939 stack. The first one is by Oleksij Rempel and
      fixes a locking problem found by the syzbot, the second one is by me an fixes a
      mistake in the documentation.
      
      Srinivas Neeli fixes missing RX CAN packets on CANFD2.0 in the xilinx driver.
      
      Sean Nyekjaer fixes a possible deadlock in the the flexcan driver after
      suspend/resume. Joakim Zhang contributes two patches for the flexcan driver
      that fix problems with the low power enter/exit.
      
      The next 4 patches all target the tcan part of the m_can driver. Sean Nyekjaer
      adds the required delay after reset and fixes the device tree binding example.
      Dan Murphy's patches make the wake-gpio optional.
      
      In the last patch Xiaolong Huang fixes several kernel memory info leaks to the
      USB device in the kvaser_usb_leaf driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43aad810
  2. 08 Dec, 2019 25 commits
    • Linus Torvalds's avatar
      Linux 5.5-rc1 · e42617b8
      Linus Torvalds authored
      e42617b8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 95e6ba51
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) More jumbo frame fixes in r8169, from Heiner Kallweit.
      
       2) Fix bpf build in minimal configuration, from Alexei Starovoitov.
      
       3) Use after free in slcan driver, from Jouni Hogander.
      
       4) Flower classifier port ranges don't work properly in the HW offload
          case, from Yoshiki Komachi.
      
       5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.
      
       6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.
      
       7) Fix flow dissection in dsa TX path, from Alexander Lobakin.
      
       8) Stale syncookie timestampe fixes from Guillaume Nault.
      
      [ Did an evil merge to silence a warning introduced by this pull - Linus ]
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        r8169: fix rtl_hw_jumbo_disable for RTL8168evl
        net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
        r8169: add missing RX enabling for WoL on RTL8125
        vhost/vsock: accept only packets with the right dst_cid
        net: phy: dp83867: fix hfs boot in rgmii mode
        net: ethernet: ti: cpsw: fix extra rx interrupt
        inet: protect against too small mtu values.
        gre: refetch erspan header from skb->data after pskb_may_pull()
        pppoe: remove redundant BUG_ON() check in pppoe_pernet
        tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
        tcp: tighten acceptance of ACKs not matching a child socket
        tcp: fix rejected syncookies due to stale timestamps
        lpc_eth: kernel BUG on remove
        tcp: md5: fix potential overestimation of TCP option space
        net: sched: allow indirect blocks to bind to clsact in TC
        net: core: rename indirect block ingress cb function
        net-sysfs: Call dev_hold always in netdev_queue_add_kobject
        net: dsa: fix flow dissection on Tx path
        net/tls: Fix return values to avoid ENOTSUPP
        net: avoid an indirect call in ____sys_recvmsg()
        ...
      95e6ba51
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 138f371d
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "Eleven patches, all in drivers (no core changes) that are either minor
        cleanups or small fixes.
      
        They were late arriving, but still safe for -rc1"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: MAINTAINERS: Add the linux-scsi mailing list to the ISCSI entry
        scsi: megaraid_sas: Make poll_aen_lock static
        scsi: sd_zbc: Improve report zones error printout
        scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
        scsi: qla2xxx: unregister ports after GPN_FT failure
        scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
        scsi: pm80xx: Remove unused include of linux/version.h
        scsi: pm80xx: fix logic to break out of loop when register value is 2 or 3
        scsi: scsi_transport_sas: Fix memory leak when removing devices
        scsi: lpfc: size cpu map by last cpu id set
        scsi: ibmvscsi_tgt: Remove unneeded variable rc
      138f371d
    • Linus Torvalds's avatar
      Merge tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · a78f7cdd
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Nine cifs/smb3 fixes:
      
         - one fix for stable (oops during oplock break)
      
         - two timestamp fixes including important one for updating mtime at
           close to avoid stale metadata caching issue on dirty files (also
           improves perf by using SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB over the
           wire)
      
         - two fixes for "modefromsid" mount option for file create (now
           allows mode bits to be set more atomically and accurately on create
           by adding "sd_context" on create when modefromsid specified on
           mount)
      
         - two fixes for multichannel found in testing this week against
           different servers
      
         - two small cleanup patches"
      
      * tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: improve check for when we send the security descriptor context on create
        smb3: fix mode passed in on create for modetosid mount option
        cifs: fix possible uninitialized access and race on iface_list
        cifs: Fix lookup of SMB connections on multichannel
        smb3: query attributes on file close
        smb3: remove unused flag passed into close functions
        cifs: remove redundant assignment to pointer pneg_ctxt
        fs: cifs: Fix atime update check vs mtime
        CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
      a78f7cdd
    • Linus Torvalds's avatar
      Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 5bf9a06a
      Linus Torvalds authored
      Pull misc vfs cleanups from Al Viro:
       "No common topic, just three cleanups".
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        make __d_alloc() static
        fs/namespace: add __user to open_tree and move_mount syscalls
        fs/fnctl: fix missing __user in fcntl_rw_hint()
      5bf9a06a
    • Xiaolong Huang's avatar
      can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices · da2311a6
      Xiaolong Huang authored
      Uninitialized Kernel memory can leak to USB devices.
      
      Fix this by using kzalloc() instead of kmalloc().
      Signed-off-by: default avatarXiaolong Huang <butterflyhuangxx@gmail.com>
      Fixes: 7259124e ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.19
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      da2311a6
    • Dan Murphy's avatar
      can: tcan45x: Make wake-up GPIO an optional GPIO · 2de49735
      Dan Murphy authored
      The device has the ability to disable the wake-up pin option. The
      wake-up pin can be either force to GND or Vsup and does not have to be
      tied to a GPIO. In order for the device to not use the wake-up feature
      write the register to disable the WAKE_CONFIG option.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Cc: Sean Nyekjaer <sean@geanix.com>
      Reviewed-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2de49735
    • Dan Murphy's avatar
      dt-bindings: tcan4x5x: Make wake-gpio an optional gpio · 1202d231
      Dan Murphy authored
      The wake-up of the device can be configured as an optional feature of
      the device. Move the wake-up gpio from a requried property to an
      optional property.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Cc: Rob Herring <robh@kernel.org>
      Reviewed-by: default avatarSean Nyekjaer <sean@geanix.com>
      Tested-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      1202d231
    • Sean Nyekjaer's avatar
      dt-bindings: can: tcan4x5x: reset pin is active high · 9c9e1b01
      Sean Nyekjaer authored
      Change the reset pin example to active high to be in line with
      the datasheet
      Signed-off-by: default avatarSean Nyekjaer <sean@geanix.com>
      Cc: Rob Herring <robh@kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      9c9e1b01
    • Sean Nyekjaer's avatar
      can: m_can: tcan4x5x: add required delay after reset · 60552253
      Sean Nyekjaer authored
      According to section "8.3.8 RST Pin" in the datasheet we are required to
      wait >700us after the device is reset.
      Signed-off-by: default avatarSean Nyekjaer <sean@geanix.com>
      Acked-by: default avatarDan Murphy <dmurphy@ti.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      60552253
    • Joakim Zhang's avatar
      can: flexcan: poll MCR_LPM_ACK instead of GPR ACK for stop mode acknowledgment · 048e3a34
      Joakim Zhang authored
      Stop Mode is entered when Stop Mode is requested at chip level and
      MCR[LPM_ACK] is asserted by the FlexCAN.
      
      Double check with IP owner, the MCR[LPM_ACK] bit should be polled for
      stop mode acknowledgment, not the acknowledgment from chip level which
      is used to gate flexcan clocks.
      
      This patch depends on:
      
          b7603d08 ("can: flexcan: add low power enter/exit acknowledgment helper")
      
      Fixes: 5f186c25 (can: flexcan: fix stop mode acknowledgment)
      Tested-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarJoakim Zhang <qiangqing.zhang@nxp.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      048e3a34
    • Joakim Zhang's avatar
      can: flexcan: add low power enter/exit acknowledgment helper · b7603d08
      Joakim Zhang authored
      The MCR[LPMACK] read-only bit indicates that FlexCAN is in a lower-power
      mode (Disabled mode, Doze mode, Stop mode).
      
      The CPU can poll this bit to know when FlexCAN has actually entered low
      power mode. The low power enter/exit acknowledgment helper will reduce
      code duplication for disabled mode, doze mode and stop mode.
      Tested-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarJoakim Zhang <qiangqing.zhang@nxp.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      b7603d08
    • Sean Nyekjaer's avatar
      can: flexcan: fix possible deadlock and out-of-order reception after wakeup · e707180a
      Sean Nyekjaer authored
      When suspending, and there is still CAN traffic on the interfaces the
      flexcan immediately wakes the platform again. As it should :-). But it
      throws this error msg:
      
      [ 3169.378661] PM: noirq suspend of devices failed
      
      On the way down to suspend the interface that throws the error message
      calls flexcan_suspend() but fails to call flexcan_noirq_suspend(). That
      means flexcan_enter_stop_mode() is called, but on the way out of suspend
      the driver only calls flexcan_resume() and skips flexcan_noirq_resume(),
      thus it doesn't call flexcan_exit_stop_mode(). This leaves the flexcan
      in stop mode, and with the current driver it can't recover from this
      even with a soft reboot, it requires a hard reboot.
      
      This patch fixes the deadlock when using self wakeup, by calling
      flexcan_exit_stop_mode() from flexcan_resume() instead of
      flexcan_noirq_resume().
      
      This also fixes another issue: CAN frames are received out-of-order in
      first IRQ handler run after wakeup.
      
      The problem is that the wakeup latency from frame reception to the IRQ
      handler (where the CAN frames are sorted by timestamp) is much bigger
      than the time stamp counter wrap around time. This means it's
      impossible to sort the CAN frames by timestamp.
      
      The reason is that the controller exits stop mode during noirq resume,
      which means it receives frames immediately, but interrupt handling is
      still not possible.
      
      So exit stop mode during resume stage instead of noirq resume fixes this
      issue.
      
      Fixes: de3578c1 ("can: flexcan: add self wakeup support")
      Signed-off-by: default avatarSean Nyekjaer <sean@geanix.com>
      Tested-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarJoakim Zhang <qiangqing.zhang@nxp.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      e707180a
    • Srinivas Neeli's avatar
      can: xilinx_can: Fix missing Rx can packets on CANFD2.0 · 9ab79b06
      Srinivas Neeli authored
      CANFD2.0 core uses BRAM for storing acceptance filter ID(AFID) and MASK
      (AFMASK)registers. So by default AFID and AFMASK registers contain random
      data. Due to random data, we are not able to receive all CAN ids.
      
      Initializing AFID and AFMASK registers with Zero before enabling
      acceptance filter to receive all packets irrespective of ID and Mask.
      
      Fixes: 0db90713 ("can: xilinx: add can 2.0 support")
      Signed-off-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarSrinivas Neeli <srinivas.neeli@xilinx.com>
      Reviewed-by: default avatarNaga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      9ab79b06
    • Marc Kleine-Budde's avatar
      can: j1939: fix address claim code example · 8ac9d71d
      Marc Kleine-Budde authored
      During development the define J1939_PGN_ADDRESS_REQUEST was renamed to
      J1939_PGN_REQUEST. It was forgotten to adjust the documentation
      accordingly.
      
      This patch fixes the name of the symbol.
      
      Reported-by: https://github.com/linux-can/can-utils/issues/159#issuecomment-556538798
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Cc: Oleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      8ac9d71d
    • Oleksij Rempel's avatar
      can: j1939: j1939_sk_bind(): take priv after lock is held · 00d4e14d
      Oleksij Rempel authored
      syzbot reproduced following crash:
      
      ===============================================================================
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 9844 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:__lock_acquire+0x1254/0x4a00 kernel/locking/lockdep.c:3828
      Code: 00 0f 85 96 24 00 00 48 81 c4 f0 00 00 00 5b 41 5c 41 5d 41 5e 41
      5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02
      00 0f 85 0b 28 00 00 49 81 3e 20 19 78 8a 0f 84 5f ee ff
      RSP: 0018:ffff888099c3fb48 EFLAGS: 00010006
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000218 RSI: 0000000000000000 RDI: 0000000000000001
      RBP: ffff888099c3fc60 R08: 0000000000000001 R09: 0000000000000001
      R10: fffffbfff146e1d0 R11: ffff888098720400 R12: 00000000000010c0
      R13: 0000000000000000 R14: 00000000000010c0 R15: 0000000000000000
      FS:  00007f0559e98700(0000) GS:ffff8880ae800000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fe4d89e0000 CR3: 0000000099606000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
       _raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:175
       spin_lock_bh include/linux/spinlock.h:343 [inline]
       j1939_jsk_del+0x32/0x210 net/can/j1939/socket.c:89
       j1939_sk_bind+0x2ea/0x8f0 net/can/j1939/socket.c:448
       __sys_bind+0x239/0x290 net/socket.c:1648
       __do_sys_bind net/socket.c:1659 [inline]
       __se_sys_bind net/socket.c:1657 [inline]
       __x64_sys_bind+0x73/0xb0 net/socket.c:1657
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x45a679
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
      f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
      f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0559e97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
      RDX: 0000000000000018 RSI: 0000000020000240 RDI: 0000000000000003
      RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0559e986d4
      R13: 00000000004c09e9 R14: 00000000004d37d0 R15: 00000000ffffffff
      Modules linked in:
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 9844 at kernel/locking/mutex.c:1419
      mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1427
      ===============================================================================
      
      This issues was caused by null pointer deference. Where j1939_sk_bind()
      was using currently not existing priv.
      
      Possible scenario may look as following:
      cpu0                                    cpu1
      bind()
                                              bind()
       j1939_sk_bind()
                                               j1939_sk_bind()
        priv = jsk->priv;
                                               priv = jsk->priv;
        lock_sock(sock->sk);
        priv = j1939_netdev_start(ndev);
        j1939_jsk_add(priv, jsk);
          jsk->priv = priv;
        relase_sock(sock->sk);
                                               lock_sock(sock->sk);
                                               j1939_jsk_del(priv, jsk);
                                               ..... ooops ......
      
      With this patch we move "priv = jsk->priv;" after the lock, to avoid
      assigning of wrong priv pointer.
      
      Reported-by: syzbot+99e9e1b200a1e363237d@syzkaller.appspotmail.com
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      00d4e14d
    • Dan Murphy's avatar
      MAINTAINERS: Add myself as a maintainer for TCAN4x5x · 1a2e9d2f
      Dan Murphy authored
      Adding myself to support the TI TCAN4X5X SPI CAN device.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      1a2e9d2f
    • Dan Murphy's avatar
      MAINTAINERS: Add myself as a maintainer for MMIO m_can · fd230ffa
      Dan Murphy authored
      Since I refactored the code to create a m_can framework and we
      have a MMIO MCAN IP as well add myself to help maintain the code.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      fd230ffa
    • Linus Torvalds's avatar
      Merge tag 'ntb-5.5' of git://github.com/jonmason/ntb · 9455d25f
      Linus Torvalds authored
      Pull NTB update from Jon Mason:
       "Just a simple patch to add a new Hygon Device ID to the AMD NTB device
        driver"
      
      * tag 'ntb-5.5' of git://github.com/jonmason/ntb:
        NTB: Add Hygon Device ID
      9455d25f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 73721451
      Linus Torvalds authored
      Pull more input updates from Dmitry Torokhov:
      
       - fixups for Synaptics RMI4 driver
      
       - a quirk for Goodinx touchscreen on Teclast tablet
      
       - a new keycode definition for activating privacy screen feature found
         on a few "enterprise" laptops
      
       - updates to snvs_pwrkey driver
      
       - polling uinput device for writing (which is always allowed) now works
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
        Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
        Input: goodix - add upside-down quirk for Teclast X89 tablet
        Input: add privacy screen toggle keycode
        Input: uinput - fix returning EPOLLOUT from uinput_poll
        Input: snvs_pwrkey - remove gratuitous NULL initializers
        Input: snvs_pwrkey - send key events for i.MX6 S, DL and Q
      73721451
    • Linus Torvalds's avatar
      Merge tag 'iomap-5.5-merge-14' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 95207d55
      Linus Torvalds authored
      Pull iomap fixes from Darrick Wong:
       "Fix a race condition and a use-after-free error:
      
         - Fix a UAF when reporting writeback errors
      
         - Fix a race condition when handling page uptodate on fragmented file
           with blocksize < pagesize"
      
      * tag 'iomap-5.5-merge-14' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        iomap: stop using ioend after it's been freed in iomap_finish_ioend()
        iomap: fix sub-page uptodate handling
      95207d55
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.5-merge-17' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 50caca9d
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Fix a couple of resource management errors and a hang:
      
         - fix a crash in the log setup code when log mounting fails
      
         - fix a hang when allocating space on the realtime device
      
         - fix a block leak when freeing space on the realtime device"
      
      * tag 'xfs-5.5-merge-17' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix mount failure crash on invalid iclog memory access
        xfs: don't check for AG deadlock for realtime files in bunmapi
        xfs: fix realtime file data space leak
      50caca9d
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.5-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux · 316933cf
      Linus Torvalds authored
      Pull orangefs update from Mike Marshall:
       "orangefs: posix open permission checking...
      
        Orangefs has no open, and orangefs checks file permissions on each
        file access. Posix requires that file permissions be checked on open
        and nowhere else. Orangefs-through-the-kernel needs to seem posix
        compliant.
      
        The VFS opens files, even if the filesystem provides no method. We can
        see if a file was successfully opened for read and or for write by
        looking at file->f_mode.
      
        When writes are flowing from the page cache, file is no longer
        available. We can trust the VFS to have checked file->f_mode before
        writing to the page cache.
      
        The mode of a file might change between when it is opened and IO
        commences, or it might be created with an arbitrary mode.
      
        We'll make sure we don't hit EACCES during the IO stage by using
        UID 0"
      
      [ This is "posixish", but not a great solution in the long run, since a
        proper secure network server shouldn't really trust the client like this.
        But proper and secure POSIX behavior requires an open method and a
        resulting cookie for IO of some kind, or similar.    - Linus ]
      
      * tag 'for-linus-5.5-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
        orangefs: posix open permission checking...
      316933cf
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.5' of git://linux-nfs.org/~bfields/linux · 911d137a
      Linus Torvalds authored
      Pull nfsd updates from Bruce Fields:
       "This is a relatively quiet cycle for nfsd, mainly various bugfixes.
      
        Possibly most interesting is Trond's fixes for some callback races
        that were due to my incomplete understanding of rpc client shutdown.
        Unfortunately at the last minute I've started noticing a new
        intermittent failure to send callbacks. As the logic seems basically
        correct, I'm leaving Trond's patches in for now, and hope to find a
        fix in the next week so I don't have to revert those patches"
      
      * tag 'nfsd-5.5' of git://linux-nfs.org/~bfields/linux: (24 commits)
        nfsd: depend on CRYPTO_MD5 for legacy client tracking
        NFSD fixing possible null pointer derefering in copy offload
        nfsd: check for EBUSY from vfs_rmdir/vfs_unink.
        nfsd: Ensure CLONE persists data and metadata changes to the target file
        SUNRPC: Fix backchannel latency metrics
        nfsd: restore NFSv3 ACL support
        nfsd: v4 support requires CRYPTO_SHA256
        nfsd: Fix cld_net->cn_tfm initialization
        lockd: remove __KERNEL__ ifdefs
        sunrpc: remove __KERNEL__ ifdefs
        race in exportfs_decode_fh()
        nfsd: Drop LIST_HEAD where the variable it declares is never used.
        nfsd: document callback_wq serialization of callback code
        nfsd: mark cb path down on unknown errors
        nfsd: Fix races between nfsd4_cb_release() and nfsd4_shutdown_callback()
        nfsd: minor 4.1 callback cleanup
        SUNRPC: Fix svcauth_gss_proxy_init()
        SUNRPC: Trace gssproxy upcall results
        sunrpc: fix crash when cache_head become valid before update
        nfsd: remove private bin2hex implementation
        ...
      911d137a
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.5-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · fb9bf40c
      Linus Torvalds authored
      Pull NFS client updates from Trond Myklebust:
       "Highlights include:
      
        Features:
      
         - NFSv4.2 now supports cross device offloaded copy (i.e. offloaded
           copy of a file from one source server to a different target
           server).
      
         - New RDMA tracepoints for debugging congestion control and Local
           Invalidate WRs.
      
        Bugfixes and cleanups
      
         - Drop the NFSv4.1 session slot if nfs4_delegreturn_prepare waits for
           layoutreturn
      
         - Handle bad/dead sessions correctly in nfs41_sequence_process()
      
         - Various bugfixes to the delegation return operation.
      
         - Various bugfixes pertaining to delegations that have been revoked.
      
         - Cleanups to the NFS timespec code to avoid unnecessary conversions
           between timespec and timespec64.
      
         - Fix unstable RDMA connections after a reconnect
      
         - Close race between waking an RDMA sender and posting a receive
      
         - Wake pending RDMA tasks if connection fails
      
         - Fix MR list corruption, and clean up MR usage
      
         - Fix another RPCSEC_GSS issue with MIC buffer space"
      
      * tag 'nfs-for-5.5-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (79 commits)
        SUNRPC: Capture completion of all RPC tasks
        SUNRPC: Fix another issue with MIC buffer space
        NFS4: Trace lock reclaims
        NFS4: Trace state recovery operation
        NFSv4.2 fix memory leak in nfs42_ssc_open
        NFSv4.2 fix kfree in __nfs42_copy_file_range
        NFS: remove duplicated include from nfs4file.c
        NFSv4: Make _nfs42_proc_copy_notify() static
        NFS: Fallocate should use the nfs4_fattr_bitmap
        NFS: Return -ETXTBSY when attempting to write to a swapfile
        fs: nfs: sysfs: Remove NULL check before kfree
        NFS: remove unneeded semicolon
        NFSv4: add declaration of current_stateid
        NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
        NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()
        nfsv4: Move NFSPROC4_CLNT_COPY_NOTIFY to end of list
        SUNRPC: Avoid RPC delays when exiting suspend
        NFS: Add a tracepoint in nfs_fh_to_dentry()
        NFSv4: Don't retry the GETATTR on old stateid in nfs4_delegreturn_done()
        NFSv4: Handle NFS4ERR_OLD_STATEID in delegreturn
        ...
      fb9bf40c
  3. 07 Dec, 2019 11 commits
    • Steve French's avatar
      smb3: improve check for when we send the security descriptor context on create · 231e2a0b
      Steve French authored
      We had cases in the previous patch where we were sending the security
      descriptor context on SMB3 open (file create) in cases when we hadn't
      mounted with with "modefromsid" mount option.
      
      Add check for that mount flag before calling ad_sd_context in
      open init.
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      231e2a0b
    • Linus Torvalds's avatar
      Merge tag 'vfio-v5.5-rc1' of git://github.com/awilliam/linux-vfio · 94e89b40
      Linus Torvalds authored
      Pull VFIO updates from Alex Williamson:
      
       - Remove hugepage checks for reserved pfns (Ben Luo)
      
       - Fix irq-bypass unregister ordering (Jiang Yi)
      
      * tag 'vfio-v5.5-rc1' of git://github.com/awilliam/linux-vfio:
        vfio/pci: call irq_bypass_unregister_producer() before freeing irq
        vfio/type1: remove hugepage checks in is_invalid_reserved_pfn()
      94e89b40
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.5b-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · f74fd13f
      Linus Torvalds authored
      Pull more xen updates from Juergen Gross:
      
       - a patch to fix a build warning
      
       - a cleanup of no longer needed code in the Xen event handling
      
       - a small series for the Xen grant driver avoiding high order
         allocations and replacing an insane global limit by a per-call one
      
       - a small series fixing Xen frontend/backend module referencing
      
      * tag 'for-linus-5.5b-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen-blkback: allow module to be cleanly unloaded
        xen/xenbus: reference count registered modules
        xen/gntdev: switch from kcalloc() to kvcalloc()
        xen/gntdev: replace global limit of mapped pages by limit per call
        xen/gntdev: remove redundant non-zero check on ret
        xen/events: remove event handling recursion detection
      f74fd13f
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 6dc517a3
      Linus Torvalds authored
      Merge misc Kconfig updates from Andrew Morton:
       "A number of changes to Kconfig files under lib/ from Changbin Du and
        Krzysztof Kozlowski"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        lib/: fix Kconfig indentation
        kernel-hacking: move DEBUG_FS to 'Generic Kernel Debugging Instruments'
        kernel-hacking: move DEBUG_BUGVERBOSE to 'printk and dmesg options'
        kernel-hacking: create a submenu for scheduler debugging options
        kernel-hacking: move SCHED_STACK_END_CHECK after DEBUG_STACK_USAGE
        kernel-hacking: move Oops into 'Lockups and Hangs'
        kernel-hacking: move kernel testing and coverage options to same submenu
        kernel-hacking: group kernel data structures debugging together
        kernel-hacking: create submenu for arch special debugging options
        kernel-hacking: group sysrq/kgdb/ubsan into 'Generic Kernel Debugging Instruments'
      6dc517a3
    • Heiner Kallweit's avatar
      r8169: fix rtl_hw_jumbo_disable for RTL8168evl · 0fc75219
      Heiner Kallweit authored
      In referenced fix we removed the RTL8168e-specific jumbo config for
      RTL8168evl in rtl_hw_jumbo_enable(). We have to do the same in
      rtl_hw_jumbo_disable().
      
      v2: fix referenced commit id
      
      Fixes: 14012c9f ("r8169: fix jumbo configuration for RTL8168evl")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0fc75219
    • Linus Torvalds's avatar
      pipe: don't use 'pipe_wait() for basic pipe IO · 85190d15
      Linus Torvalds authored
      pipe_wait() may be simple, but since it relies on the pipe lock, it
      means that we have to do the wakeup while holding the lock.  That's
      unfortunate, because the very first thing the waked entity will want to
      do is to get the pipe lock for itself.
      
      So get rid of the pipe_wait() usage by simply releasing the pipe lock,
      doing the wakeup (if required) and then using wait_event_interruptible()
      to wait on the right condition instead.
      
      wait_event_interruptible() handles races on its own by comparing the
      wakeup condition before and after adding itself to the wait queue, so
      you can use an optimistic unlocked condition for it.
      
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      85190d15
    • Jiasen Lin's avatar
      NTB: Add Hygon Device ID · 9b5b99a8
      Jiasen Lin authored
      Signed-off-by: default avatarJiasen Lin <linjiasen@hygon.cn>
      Signed-off-by: default avatarJon Mason <jdmason@kudzu.us>
      9b5b99a8
    • Linus Torvalds's avatar
      pipe: remove 'waiting_writers' merging logic · a28c8b9d
      Linus Torvalds authored
      This code is ancient, and goes back to when we only had a single page
      for the pipe buffers.  The exact history is hidden in the mists of time
      (ie "before git", and in fact predates the BK repository too).
      
      At that long-ago point in time, it actually helped to try to merge big
      back-and-forth pipe reads and writes, and not limit pipe reads to the
      single pipe buffer in length just because that was all we had at a time.
      
      However, since then we've expanded the pipe buffers to multiple pages,
      and this logic really doesn't seem to make sense.  And a lot of it is
      somewhat questionable (ie "hmm, the user asked for a non-blocking read,
      but we see that there's a writer pending, so let's wait anyway to get
      the extra data that the writer will have").
      
      But more importantly, it makes the "go to sleep" logic much less
      obvious, and considering the wakeup issues we've had, I want to make for
      less of those kinds of things.
      
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a28c8b9d
    • Linus Torvalds's avatar
      pipe: fix and clarify pipe read wakeup logic · f467a6a6
      Linus Torvalds authored
      This is the read side version of the previous commit: it simplifies the
      logic to only wake up waiting writers when necessary, and makes sure to
      use a synchronous wakeup.  This time not so much for GNU make jobserver
      reasons (that pipe never fills up), but simply to get the writer going
      quickly again.
      
      A bit less verbose commentary this time, if only because I assume that
      the write side commentary isn't going to be ignored if you touch this
      code.
      
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f467a6a6
    • Linus Torvalds's avatar
      pipe: fix and clarify pipe write wakeup logic · 1b6b26ae
      Linus Torvalds authored
      The pipe rework ends up having been extra painful, partly becaused of
      actual bugs with ordering and caching of the pipe state, but also
      because of subtle performance issues.
      
      In particular, the pipe rework caused the kernel build to inexplicably
      slow down.
      
      The reason turns out to be that the GNU make jobserver (which limits the
      parallelism of the build) uses a pipe to implement a "token" system: a
      parallel submake will read a character from the pipe to get the job
      token before starting a new job, and will write a character back to the
      pipe when it is done.  The overall job limit is thus easily controlled
      by just writing the appropriate number of initial token characters into
      the pipe.
      
      But to work well, that really means that the old behavior of write
      wakeups being synchronous (WF_SYNC) is very important - when the pipe
      writer wakes up a reader, we want the reader to actually get scheduled
      immediately.  Otherwise you lose the parallelism of the build.
      
      The pipe rework lost that synchronous wakeup on write, and we had
      clearly all forgotten the reasons and rules for it.
      
      This rewrites the pipe write wakeup logic to do the required Wsync
      wakeups, but also clarifies the logic and avoids extraneous wakeups.
      
      It also ends up addign a number of comments about what oit does and why,
      so that we hopefully don't end up forgetting about this next time we
      change this code.
      
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1b6b26ae
    • Eric Dumazet's avatar
      net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add() · 2dd5616e
      Eric Dumazet authored
      Use the new tcf_proto_check_kind() helper to make sure user
      provided value is well formed.
      
      BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:606 [inline]
      BUG: KMSAN: uninit-value in string+0x4be/0x600 lib/vsprintf.c:668
      CPU: 0 PID: 12358 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
       string_nocheck lib/vsprintf.c:606 [inline]
       string+0x4be/0x600 lib/vsprintf.c:668
       vsnprintf+0x218f/0x3210 lib/vsprintf.c:2510
       __request_module+0x2b1/0x11c0 kernel/kmod.c:143
       tcf_proto_lookup_ops+0x171/0x700 net/sched/cls_api.c:139
       tc_chain_tmplt_add net/sched/cls_api.c:2730 [inline]
       tc_ctl_chain+0x1904/0x38a0 net/sched/cls_api.c:2850
       rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5224
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5242
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
       __sys_sendmsg net/socket.c:2356 [inline]
       __do_sys_sendmsg net/socket.c:2365 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2363
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2363
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45a649
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0790795c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a649
      RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000006
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f07907966d4
      R13: 00000000004c8db5 R14: 00000000004df630 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
       kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
       kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
       slab_alloc_node mm/slub.c:2773 [inline]
       __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x783/0x1330 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
       __sys_sendmsg net/socket.c:2356 [inline]
       __do_sys_sendmsg net/socket.c:2365 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2363
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2363
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6f96c3c6 ("net_sched: fix backward compatibility for TCA_KIND")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2dd5616e