1. 22 Mar, 2017 40 commits
    • Eric Dumazet's avatar
      inet: frag: release spinlock before calling icmp_send() · ec4fbd64
      Eric Dumazet authored
      Dmitry reported a lockdep splat [1] (false positive) that we can fix
      by releasing the spinlock before calling icmp_send() from ip_expire()
      
      This is a false positive because sending an ICMP message can not
      possibly re-enter the IP frag engine.
      
      [1]
      [ INFO: possible circular locking dependency detected ]
      4.10.0+ #29 Not tainted
      -------------------------------------------------------
      modprobe/12392 is trying to acquire lock:
       (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>] spin_lock
      include/linux/spinlock.h:299 [inline]
       (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>] __netif_tx_lock
      include/linux/netdevice.h:3486 [inline]
       (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>]
      sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
      
      but task is already holding lock:
       (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>] spin_lock
      include/linux/spinlock.h:299 [inline]
       (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>]
      ip_expire+0x51/0x6c0 net/ipv4/ip_fragment.c:201
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&(&q->lock)->rlock){+.-...}:
             validate_chain kernel/locking/lockdep.c:2267 [inline]
             __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
             lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
             __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
             _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
             spin_lock include/linux/spinlock.h:299 [inline]
             ip_defrag+0x3a2/0x4130 net/ipv4/ip_fragment.c:669
             ip_check_defrag+0x4e3/0x8b0 net/ipv4/ip_fragment.c:713
             packet_rcv_fanout+0x282/0x800 net/packet/af_packet.c:1459
             deliver_skb net/core/dev.c:1834 [inline]
             dev_queue_xmit_nit+0x294/0xa90 net/core/dev.c:1890
             xmit_one net/core/dev.c:2903 [inline]
             dev_hard_start_xmit+0x16b/0xab0 net/core/dev.c:2923
             sch_direct_xmit+0x31f/0x6d0 net/sched/sch_generic.c:182
             __dev_xmit_skb net/core/dev.c:3092 [inline]
             __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
             dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
             neigh_resolve_output+0x6b9/0xb10 net/core/neighbour.c:1308
             neigh_output include/net/neighbour.h:478 [inline]
             ip_finish_output2+0x8b8/0x15a0 net/ipv4/ip_output.c:228
             ip_do_fragment+0x1d93/0x2720 net/ipv4/ip_output.c:672
             ip_fragment.constprop.54+0x145/0x200 net/ipv4/ip_output.c:545
             ip_finish_output+0x82d/0xe10 net/ipv4/ip_output.c:314
             NF_HOOK_COND include/linux/netfilter.h:246 [inline]
             ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
             dst_output include/net/dst.h:486 [inline]
             ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
             ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
             ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
             raw_sendmsg+0x26de/0x3a00 net/ipv4/raw.c:655
             inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:761
             sock_sendmsg_nosec net/socket.c:633 [inline]
             sock_sendmsg+0xca/0x110 net/socket.c:643
             ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
             __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
             SYSC_sendmmsg net/socket.c:2106 [inline]
             SyS_sendmmsg+0x35/0x60 net/socket.c:2101
             do_syscall_64+0x2e8/0x930 arch/x86/entry/common.c:281
             return_from_SYSCALL_64+0x0/0x7a
      
      -> #0 (_xmit_ETHER#2){+.-...}:
             check_prev_add kernel/locking/lockdep.c:1830 [inline]
             check_prevs_add+0xa8f/0x19f0 kernel/locking/lockdep.c:1940
             validate_chain kernel/locking/lockdep.c:2267 [inline]
             __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
             lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
             __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
             _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
             spin_lock include/linux/spinlock.h:299 [inline]
             __netif_tx_lock include/linux/netdevice.h:3486 [inline]
             sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
             __dev_xmit_skb net/core/dev.c:3092 [inline]
             __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
             dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
             neigh_hh_output include/net/neighbour.h:468 [inline]
             neigh_output include/net/neighbour.h:476 [inline]
             ip_finish_output2+0xf6c/0x15a0 net/ipv4/ip_output.c:228
             ip_finish_output+0xa29/0xe10 net/ipv4/ip_output.c:316
             NF_HOOK_COND include/linux/netfilter.h:246 [inline]
             ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
             dst_output include/net/dst.h:486 [inline]
             ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
             ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
             ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
             icmp_push_reply+0x372/0x4d0 net/ipv4/icmp.c:394
             icmp_send+0x156c/0x1c80 net/ipv4/icmp.c:754
             ip_expire+0x40e/0x6c0 net/ipv4/ip_fragment.c:239
             call_timer_fn+0x241/0x820 kernel/time/timer.c:1268
             expire_timers kernel/time/timer.c:1307 [inline]
             __run_timers+0x960/0xcf0 kernel/time/timer.c:1601
             run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
             __do_softirq+0x31f/0xbe7 kernel/softirq.c:284
             invoke_softirq kernel/softirq.c:364 [inline]
             irq_exit+0x1cc/0x200 kernel/softirq.c:405
             exiting_irq arch/x86/include/asm/apic.h:657 [inline]
             smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:962
             apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:707
             __read_once_size include/linux/compiler.h:254 [inline]
             atomic_read arch/x86/include/asm/atomic.h:26 [inline]
             rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:350 [inline]
             __rcu_is_watching kernel/rcu/tree.c:1133 [inline]
             rcu_is_watching+0x83/0x110 kernel/rcu/tree.c:1147
             rcu_read_lock_held+0x87/0xc0 kernel/rcu/update.c:293
             radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
             filemap_map_pages+0x6d4/0x1570 mm/filemap.c:2335
             do_fault_around mm/memory.c:3231 [inline]
             do_read_fault mm/memory.c:3265 [inline]
             do_fault+0xbd5/0x2080 mm/memory.c:3370
             handle_pte_fault mm/memory.c:3600 [inline]
             __handle_mm_fault+0x1062/0x2cb0 mm/memory.c:3714
             handle_mm_fault+0x1e2/0x480 mm/memory.c:3751
             __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
             do_page_fault+0x54/0x70 arch/x86/mm/fault.c:1460
             page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1011
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&(&q->lock)->rlock);
                                     lock(_xmit_ETHER#2);
                                     lock(&(&q->lock)->rlock);
        lock(_xmit_ETHER#2);
      
       *** DEADLOCK ***
      
      10 locks held by modprobe/12392:
       #0:  (&mm->mmap_sem){++++++}, at: [<ffffffff81329758>]
      __do_page_fault+0x2b8/0xb60 arch/x86/mm/fault.c:1336
       #1:  (rcu_read_lock){......}, at: [<ffffffff8188cab6>]
      filemap_map_pages+0x1e6/0x1570 mm/filemap.c:2324
       #2:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
      spin_lock include/linux/spinlock.h:299 [inline]
       #2:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
      pte_alloc_one_map mm/memory.c:2944 [inline]
       #2:  (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
      alloc_set_pte+0x13b8/0x1b90 mm/memory.c:3072
       #3:  (((&q->timer))){+.-...}, at: [<ffffffff81627e72>]
      lockdep_copy_map include/linux/lockdep.h:175 [inline]
       #3:  (((&q->timer))){+.-...}, at: [<ffffffff81627e72>]
      call_timer_fn+0x1c2/0x820 kernel/time/timer.c:1258
       #4:  (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>] spin_lock
      include/linux/spinlock.h:299 [inline]
       #4:  (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>]
      ip_expire+0x51/0x6c0 net/ipv4/ip_fragment.c:201
       #5:  (rcu_read_lock){......}, at: [<ffffffff8389a633>]
      ip_expire+0x1b3/0x6c0 net/ipv4/ip_fragment.c:216
       #6:  (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>] spin_trylock
      include/linux/spinlock.h:309 [inline]
       #6:  (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>] icmp_xmit_lock
      net/ipv4/icmp.c:219 [inline]
       #6:  (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>]
      icmp_send+0x803/0x1c80 net/ipv4/icmp.c:681
       #7:  (rcu_read_lock_bh){......}, at: [<ffffffff838ab9a1>]
      ip_finish_output2+0x2c1/0x15a0 net/ipv4/ip_output.c:198
       #8:  (rcu_read_lock_bh){......}, at: [<ffffffff836d1dee>]
      __dev_queue_xmit+0x23e/0x1e60 net/core/dev.c:3324
       #9:  (dev->qdisc_running_key ?: &qdisc_running_key){+.....}, at:
      [<ffffffff836d3a27>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
      
      stack backtrace:
      CPU: 0 PID: 12392 Comm: modprobe Not tainted 4.10.0+ #29
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
       print_circular_bug+0x307/0x3b0 kernel/locking/lockdep.c:1204
       check_prev_add kernel/locking/lockdep.c:1830 [inline]
       check_prevs_add+0xa8f/0x19f0 kernel/locking/lockdep.c:1940
       validate_chain kernel/locking/lockdep.c:2267 [inline]
       __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
       lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
       spin_lock include/linux/spinlock.h:299 [inline]
       __netif_tx_lock include/linux/netdevice.h:3486 [inline]
       sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
       __dev_xmit_skb net/core/dev.c:3092 [inline]
       __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
       neigh_hh_output include/net/neighbour.h:468 [inline]
       neigh_output include/net/neighbour.h:476 [inline]
       ip_finish_output2+0xf6c/0x15a0 net/ipv4/ip_output.c:228
       ip_finish_output+0xa29/0xe10 net/ipv4/ip_output.c:316
       NF_HOOK_COND include/linux/netfilter.h:246 [inline]
       ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
       dst_output include/net/dst.h:486 [inline]
       ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
       ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
       ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
       icmp_push_reply+0x372/0x4d0 net/ipv4/icmp.c:394
       icmp_send+0x156c/0x1c80 net/ipv4/icmp.c:754
       ip_expire+0x40e/0x6c0 net/ipv4/ip_fragment.c:239
       call_timer_fn+0x241/0x820 kernel/time/timer.c:1268
       expire_timers kernel/time/timer.c:1307 [inline]
       __run_timers+0x960/0xcf0 kernel/time/timer.c:1601
       run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
       __do_softirq+0x31f/0xbe7 kernel/softirq.c:284
       invoke_softirq kernel/softirq.c:364 [inline]
       irq_exit+0x1cc/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:657 [inline]
       smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:962
       apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:707
      RIP: 0010:__read_once_size include/linux/compiler.h:254 [inline]
      RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:26 [inline]
      RIP: 0010:rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:350 [inline]
      RIP: 0010:__rcu_is_watching kernel/rcu/tree.c:1133 [inline]
      RIP: 0010:rcu_is_watching+0x83/0x110 kernel/rcu/tree.c:1147
      RSP: 0000:ffff8801c391f120 EFLAGS: 00000a03 ORIG_RAX: ffffffffffffff10
      RAX: dffffc0000000000 RBX: ffff8801c391f148 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 000055edd4374000 RDI: ffff8801dbe1ae0c
      RBP: ffff8801c391f1a0 R08: 0000000000000002 R09: 0000000000000000
      R10: dffffc0000000000 R11: 0000000000000002 R12: 1ffff10038723e25
      R13: ffff8801dbe1ae00 R14: ffff8801c391f680 R15: dffffc0000000000
       </IRQ>
       rcu_read_lock_held+0x87/0xc0 kernel/rcu/update.c:293
       radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
       filemap_map_pages+0x6d4/0x1570 mm/filemap.c:2335
       do_fault_around mm/memory.c:3231 [inline]
       do_read_fault mm/memory.c:3265 [inline]
       do_fault+0xbd5/0x2080 mm/memory.c:3370
       handle_pte_fault mm/memory.c:3600 [inline]
       __handle_mm_fault+0x1062/0x2cb0 mm/memory.c:3714
       handle_mm_fault+0x1e2/0x480 mm/memory.c:3751
       __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
       do_page_fault+0x54/0x70 arch/x86/mm/fault.c:1460
       page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1011
      RIP: 0033:0x7f83172f2786
      RSP: 002b:00007fffe859ae80 EFLAGS: 00010293
      RAX: 000055edd4373040 RBX: 00007f83175111c8 RCX: 000055edd4373238
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f8317510970
      RBP: 00007fffe859afd0 R08: 0000000000000009 R09: 0000000000000000
      R10: 0000000000000064 R11: 0000000000000000 R12: 000055edd4373040
      R13: 0000000000000000 R14: 00007fffe859afe8 R15: 0000000000000000
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ec4fbd64
    • Eric Dumazet's avatar
      tcp: initialize icsk_ack.lrcvtime at session start time · 15bb7745
      Eric Dumazet authored
      icsk_ack.lrcvtime has a 0 value at socket creation time.
      
      tcpi_last_data_recv can have bogus value if no payload is ever received.
      
      This patch initializes icsk_ack.lrcvtime for active sessions
      in tcp_finish_connect(), and for passive sessions in
      tcp_create_openreq_child()
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      15bb7745
    • Stanislaw Gruszka's avatar
      genetlink: fix counting regression on ctrl_dumpfamily() · 1d2a6a5e
      Stanislaw Gruszka authored
      Commit 2ae0f17d ("genetlink: use idr to track families") replaced
      
      	if (++n < fams_to_skip)
      		continue;
      into:
      
      	if (n++ < fams_to_skip)
      		continue;
      
      This subtle change cause that on retry ctrl_dumpfamily() call we omit
      one family that failed to do ctrl_fill_info() on previous call, because
      cb->args[0] = n number counts also family that failed to do
      ctrl_fill_info().
      
      Patch fixes the problem and avoid confusion in the future just decrease
      n counter when ctrl_fill_info() fail.
      
      User visible problem caused by this bug is failure to get access to
      some genetlink family i.e. nl80211. However problem is reproducible
      only if number of registered genetlink families is big enough to
      cause second call of ctrl_dumpfamily().
      
      Cc: Xose Vazquez Perez <xose.vazquez@gmail.com>
      Cc: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Fixes: 2ae0f17d ("genetlink: use idr to track families")
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d2a6a5e
    • Daniel Borkmann's avatar
      socket, bpf: fix sk_filter use after free in sk_clone_lock · a97e50cc
      Daniel Borkmann authored
      In sk_clone_lock(), we create a new socket and inherit most of the
      parent's members via sock_copy() which memcpy()'s various sections.
      Now, in case the parent socket had a BPF socket filter attached,
      then newsk->sk_filter points to the same instance as the original
      sk->sk_filter.
      
      sk_filter_charge() is then called on the newsk->sk_filter to take a
      reference and should that fail due to hitting max optmem, we bail
      out and release the newsk instance.
      
      The issue is that commit 278571ba ("net: filter: simplify socket
      charging") wrongly combined the dismantle path with the failure path
      of xfrm_sk_clone_policy(). This means, even when charging failed, we
      call sk_free_unlock_clone() on the newsk, which then still points to
      the same sk_filter as the original sk.
      
      Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
      where it tests for present sk_filter and calls sk_filter_uncharge()
      on it, which potentially lets sk_omem_alloc wrap around and releases
      the eBPF prog and sk_filter structure from the (still intact) parent.
      
      Fix it by making sure that when sk_filter_charge() failed, we reset
      newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
      so that we don't mess with the parents sk_filter.
      
      Only if xfrm_sk_clone_policy() fails, we did reach the point where
      either the parent's filter was NULL and as a result newsk's as well
      or where we previously had a successful sk_filter_charge(), thus for
      that case, we do need sk_filter_uncharge() to release the prior taken
      reference on sk_filter.
      
      Fixes: 278571ba ("net: filter: simplify socket charging")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a97e50cc
    • Eric Dumazet's avatar
      ipv4: provide stronger user input validation in nl_fib_input() · c64c0b3c
      Eric Dumazet authored
      Alexander reported a KMSAN splat caused by reads of uninitialized
      field (tb_id_in) from user provided struct fib_result_nl
      
      It turns out nl_fib_input() sanity tests on user input is a bit
      wrong :
      
      User can pretend nlh->nlmsg_len is big enough, but provide
      at sendmsg() time a too small buffer.
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c64c0b3c
    • Alexei Starovoitov's avatar
      bpf: fix hashmap extra_elems logic · 8c290e60
      Alexei Starovoitov authored
      In both kmalloc and prealloc mode the bpf_map_update_elem() is using
      per-cpu extra_elems to do atomic update when the map is full.
      There are two issues with it. The logic can be misused, since it allows
      max_entries+num_cpus elements to be present in the map. And alloc_extra_elems()
      at map creation time can fail percpu alloc for large map values with a warn:
      WARNING: CPU: 3 PID: 2752 at ../mm/percpu.c:892 pcpu_alloc+0x119/0xa60
      illegal size (32824) or align (8) for percpu allocation
      
      The fixes for both of these issues are different for kmalloc and prealloc modes.
      For prealloc mode allocate extra num_possible_cpus elements and store
      their pointers into extra_elems array instead of actual elements.
      Hence we can use these hidden(spare) elements not only when the map is full
      but during bpf_map_update_elem() that replaces existing element too.
      That also improves performance, since pcpu_freelist_pop/push is avoided.
      Unfortunately this approach cannot be used for kmalloc mode which needs
      to kfree elements after rcu grace period. Therefore switch it back to normal
      kmalloc even when full and old element exists like it was prior to
      commit 6c905981 ("bpf: pre-allocate hash map elements").
      
      Add tests to check for over max_entries and large map values.
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Fixes: 6c905981 ("bpf: pre-allocate hash map elements")
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c290e60
    • Govindarajulu Varadarajan's avatar
      enic: update enic maintainers · dd1ef791
      Govindarajulu Varadarajan authored
      update enic maintainers
      Signed-off-by: default avatarGovindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dd1ef791
    • Doug Berger's avatar
      net: bcmgenet: remove bcmgenet_internal_phy_setup() · 31739eae
      Doug Berger authored
      Commit 6ac3ce82 ("net: bcmgenet: Remove excessive PHY reset")
      removed the bcmgenet_mii_reset() function from bcmgenet_power_up() and
      bcmgenet_internal_phy_setup() functions.  In so doing it broke the reset
      of the internal PHY devices used by the GENETv1-GENETv3 which required
      this reset before the UniMAC was enabled.  It also broke the internal
      GPHY devices used by the GENETv4 because the config_init that installed
      the AFE workaround was no longer occurring after the reset of the GPHY
      performed by bcmgenet_phy_power_set() in bcmgenet_internal_phy_setup().
      In addition the code in bcmgenet_internal_phy_setup() related to the
      "enable APD" comment goes with the bcmgenet_mii_reset() so it should
      have also been removed.
      
      Commit bd4060a6 ("net: bcmgenet: Power on integrated GPHY in
      bcmgenet_power_up()") moved the bcmgenet_phy_power_set() call to the
      bcmgenet_power_up() function, but failed to remove it from the
      bcmgenet_internal_phy_setup() function.  Had it done so, the
      bcmgenet_internal_phy_setup() function would have been empty and could
      have been removed at that time.
      
      Commit 5dbebbb4 ("net: bcmgenet: Software reset EPHY after power on")
      was submitted to correct the functional problems introduced by
      commit 6ac3ce82 ("net: bcmgenet: Remove excessive PHY reset"). It
      was included in v4.4 and made available on 4.3-stable. Unfortunately,
      it didn't fully revert the commit because this bcmgenet_mii_reset()
      doesn't apply the soft reset to the internal GPHY used by GENETv4 like
      the previous one did. This prevents the restoration of the AFE work-
      arounds for internal GPHY devices after the bcmgenet_phy_power_set() in
      bcmgenet_internal_phy_setup().
      
      This commit takes the alternate approach of removing the unnecessary
      bcmgenet_internal_phy_setup() function which shouldn't have been in v4.3
      so that when bcmgenet_mii_reset() was restored it should have only gone
      into bcmgenet_power_up().  This will avoid the problems while also
      removing the redundancy (and hopefully some of the confusion).
      
      Fixes: 6ac3ce82 ("net: bcmgenet: Remove excessive PHY reset")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31739eae
    • Alexander Potapenko's avatar
      ipv6: make sure to initialize sockc.tsflags before first use · d515684d
      Alexander Potapenko authored
      In the case udp_sk(sk)->pending is AF_INET6, udpv6_sendmsg() would
      jump to do_append_data, skipping the initialization of sockc.tsflags.
      Fix the problem by moving sockc.tsflags initialization earlier.
      
      The bug was detected with KMSAN.
      
      Fixes: c14ac945 ("sock: enable timestamping using control messages")
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d515684d
    • David S. Miller's avatar
      Merge branch 'fjes-fixes' · 1b33c0d2
      David S. Miller authored
      YASUAKI ISHIMATSU says:
      
      ====================
      fjes: Do not load fjes driver
      
      The fjes driver is used only by FUJITSU servers and almost of all
      servers in the world never use it. But currently if ACPI PNP0C02
      is defined in the ACPI table, the following message is always shown:
      
       "FUJITSU Extended Socket Network Device Driver - version 1.2
        - Copyright (c) 2015 FUJITSU LIMITED"
      
      The message makes users confused because there is no reason that
      the message is shown in other vendor servers.
      
      To avoid the confusion, the patch adds several checks.
      
      v3:
        - Rebase on latest net tree.
        - Add _STA method check to avoid loading fjes driver.
      
      v2:
        - Order local variable declarations from longest to shortest line
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b33c0d2
    • Yasuaki Ishimatsu's avatar
      fjes: Do not load fjes driver if extended socket device is not power on. · 2b396d30
      Yasuaki Ishimatsu authored
      The extended device socket cannot turn on/off while system is running.
      So when system boots up and the device is not power on, the fjes driver
      does not need be loaded.
      
      To check the status of the device, the patch adds ACPI _STA method check.
      Signed-off-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      CC: Taku Izumi <izumi.taku@jp.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b396d30
    • Yasuaki Ishimatsu's avatar
      fjes: Do not load fjes driver if system does not have extended socket device. · ac23d3ca
      Yasuaki Ishimatsu authored
      The fjes driver is used only by FUJITSU servers and almost of all
      servers in the world never use it. But currently if ACPI PNP0C02
      is defined in the ACPI table, the following message is always shown:
      
       "FUJITSU Extended Socket Network Device Driver - version 1.2
        - Copyright (c) 2015 FUJITSU LIMITED"
      
      The message makes users confused because there is no reason that
      the message is shown in other vendor servers.
      
      To avoid the confusion, the patch adds a check that the server
      has a extended socket device or not.
      Signed-off-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      CC: Taku Izumi <izumi.taku@jp.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac23d3ca
    • David S. Miller's avatar
      Merge branch 'mlx5-fixes' · efad54a1
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox mlx5 fixes 2017-03-21
      
      This series contains some mlx5 core and ethernet driver fixes.
      
      For -stable:
      net/mlx5e: Count LRO packets correctly (for kernel >= 4.2)
      net/mlx5e: Count GSO packets correctly (for kernel >= 4.2)
      net/mlx5: Increase number of max QPs in default profile (for kernel >= 4.0)
      net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps (for kernel >= 4.10)
      net/mlx5e: Use the proper UAPI values when offloading TC vlan actions (for kernel >= v4.9)
      net/mlx5: E-Switch, Don't allow changing inline mode when flows are configured (for kernel >= 4.10)
      net/mlx5e: Change the TC offload rule add/del code path to be per NIC or E-Switch (for kernel >= 4.10)
      net/mlx5: Add missing entries for set/query rate limit commands (for kernel >= 4.8)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efad54a1
    • Gal Pressman's avatar
      net/mlx5e: Count LRO packets correctly · 8ab7e2ae
      Gal Pressman authored
      RX packets statistics ('rx_packets' counter) used to count LRO packets
      as one, even though it contains multiple segments.
      This patch will increment the counter by the number of segments, and
      align the driver with the behavior of other drivers in the stack.
      
      Note that no information is lost in this patch due to 'rx_lro_packets'
      counter existence.
      
      Before, ethtool showed:
      $ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
           rx_packets: 435277
           rx_lro_packets: 35847
           rx_packets_phy: 1935066
      
      Now, we will see the more logical statistics:
      $ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
           rx_packets: 1935066
           rx_lro_packets: 35847
           rx_packets_phy: 1935066
      
      Fixes: e586b3b0 ("net/mlx5: Ethernet Datapath files")
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Cc: kernel-team@fb.com
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ab7e2ae
    • Gal Pressman's avatar
      net/mlx5e: Count GSO packets correctly · d3a4e4da
      Gal Pressman authored
      TX packets statistics ('tx_packets' counter) used to count GSO packets
      as one, even though it contains multiple segments.
      This patch will increment the counter by the number of segments, and
      align the driver with the behavior of other drivers in the stack.
      
      Note that no information is lost in this patch due to 'tx_tso_packets'
      counter existence.
      
      Before, ethtool showed:
      $ ethtool -S ens6 | egrep "tx_packets|tx_tso_packets"
           tx_packets: 61340
           tx_tso_packets: 60954
           tx_packets_phy: 2451115
      
      Now, we will see the more logical statistics:
      $ ethtool -S ens6 | egrep "tx_packets|tx_tso_packets"
           tx_packets: 2451115
           tx_tso_packets: 60954
           tx_packets_phy: 2451115
      
      Fixes: e586b3b0 ("net/mlx5: Ethernet Datapath files")
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Cc: kernel-team@fb.com
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d3a4e4da
    • Maor Gottlieb's avatar
      net/mlx5: Increase number of max QPs in default profile · 5f40b4ed
      Maor Gottlieb authored
      With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
      limit preventing some applications to allocate needed QPs amount.
      Double the size to 256K.
      
      Fixes: e126ba97 ('mlx5: Add driver for Mellanox Connect-IB adapters')
      Signed-off-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f40b4ed
    • Paul Blakey's avatar
      net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps · 1ad9a00a
      Paul Blakey authored
      This was added to allow the TC offloading code to identify offloading
      encap/decap vxlan rules.
      
      The VF reps are effectively related to the same mlx5 PCI device as the
      PF. Since the kernel invokes the (say) delete ndo for each netdev, the
      FW erred on multiple vxlan dst port deletes when the port was deleted
      from the system.
      
      We fix that by keeping the registration to be carried out only by the
      PF. Since the PF serves as the uplink device, the VF reps will look
      up a port there and realize if they are ok to offload that.
      
      Tested:
       <SETUP VFS>
       <SETUP switchdev mode to have representors>
       ip link add vxlan1 type vxlan id 44 dev ens5f0 dstport 9999
       ip link set vxlan1 up
       ip link del dev vxlan1
      
      Fixes: 4a25730e ('net/mlx5e: Add ndo_udp_tunnel_add to VF representors')
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Reviewed-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ad9a00a
    • Or Gerlitz's avatar
      net/mlx5e: Use the proper UAPI values when offloading TC vlan actions · 09c91ddf
      Or Gerlitz authored
      Currently we use the non UAPI values and we miss erring on
      the modify action which is not supported, fix that.
      
      Fixes: 8b32580d ('net/mlx5e: Add TC vlan action for SRIOV offloads')
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Reported-by: default avatarPetr Machata <petrm@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      09c91ddf
    • Roi Dayan's avatar
      net/mlx5: E-Switch, Don't allow changing inline mode when flows are configured · 375f51e2
      Roi Dayan authored
      Changing the eswitch inline mode can potentially cause already configured
      flows not to match the policy. E.g. set policy L4, add some L4 rules,
      set policy to L2 --> bad! Hence we disallow it.
      
      Keep track of how many offloaded rules are now set and refuse
      inline mode changes if this isn't zero.
      
      Fixes: bffaa916 ("net/mlx5: E-Switch, Add control for inline mode")
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Reviewed-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      375f51e2
    • Or Gerlitz's avatar
      net/mlx5e: Change the TC offload rule add/del code path to be per NIC or E-Switch · d85cdccb
      Or Gerlitz authored
      Refactor the code to deal with add/del TC rules to have handler per NIC/E-switch
      offloading use case, and push the latter into the e-switch code. This provides
      better separation and is to be used in down-stream patch for applying a fix.
      
      Fixes: bffaa916 ("net/mlx5: E-Switch, Add control for inline mode")
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85cdccb
    • Or Gerlitz's avatar
      net/mlx5: Add missing entries for set/query rate limit commands · 1f30a86c
      Or Gerlitz authored
      The switch cases for the rate limit set and query commands were
      missing, which could get us wrong under fw error or driver reset
      flow, fix that.
      
      Fixes: 1466cc5b ('net/mlx5: Rate limit tables support')
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Reviewed-by: default avatarHadar Hen Zion <hadarh@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f30a86c
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-03-21' of... · bf601fe5
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.11
      
      iwlwifi
      
      * fix a user reported warning in DQA
      
      mwifiex
      
      * fix a potential double free
      * fix lost early debug logs
      * fix init wakeup warning message from device framework
      * add Ganapathi and Xinming as maintainers
      
      ath10k
      
      * fix regression with QCA6174 during resume and firmware crash
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf601fe5
    • Ying Xue's avatar
      tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe · 557d054c
      Ying Xue authored
      Until now, tipc_nametbl_unsubscribe() is called at subscriptions
      reference count cleanup. Usually the subscriptions cleanup is
      called at subscription timeout or at subscription cancel or at
      subscriber delete.
      
      We have ignored the possibility of this being called from other
      locations, which causes deadlock as we try to grab the
      tn->nametbl_lock while holding it already.
      
         CPU1:                             CPU2:
      ----------                     ----------------
      tipc_nametbl_publish
      spin_lock_bh(&tn->nametbl_lock)
      tipc_nametbl_insert_publ
      tipc_nameseq_insert_publ
      tipc_subscrp_report_overlap
      tipc_subscrp_get
      tipc_subscrp_send_event
                                   tipc_close_conn
                                   tipc_subscrb_release_cb
                                   tipc_subscrb_delete
                                   tipc_subscrp_put
      tipc_subscrp_put
      tipc_subscrp_kref_release
      tipc_nametbl_unsubscribe
      spin_lock_bh(&tn->nametbl_lock)
      <<grab nametbl_lock again>>
      
         CPU1:                              CPU2:
      ----------                     ----------------
      tipc_nametbl_stop
      spin_lock_bh(&tn->nametbl_lock)
      tipc_purge_publications
      tipc_nameseq_remove_publ
      tipc_subscrp_report_overlap
      tipc_subscrp_get
      tipc_subscrp_send_event
                                   tipc_close_conn
                                   tipc_subscrb_release_cb
                                   tipc_subscrb_delete
                                   tipc_subscrp_put
      tipc_subscrp_put
      tipc_subscrp_kref_release
      tipc_nametbl_unsubscribe
      spin_lock_bh(&tn->nametbl_lock)
      <<grab nametbl_lock again>>
      
      In this commit, we advance the calling of tipc_nametbl_unsubscribe()
      from the refcount cleanup to the intended callers.
      
      Fixes: d094c4d5 ("tipc: add subscription refcount to avoid invalid delete")
      Reported-by: default avatarJohn Thompson <thompa.atl@gmail.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      557d054c
    • Xin Long's avatar
      sctp: remove useless err from sctp_association_init · 58194778
      Xin Long authored
      This patch is to remove the unnecessary temporary variable 'err' from
      sctp_association_init.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58194778
    • Xin Long's avatar
      sctp: declare struct sctp_stream before using it · 1511949c
      Xin Long authored
      sctp_stream_free uses struct sctp_stream as a param, but struct sctp_stream
      is defined after it's declaration.
      
      This patch is to declare struct sctp_stream before sctp_stream_free.
      
      Fixes: a8386317 ("sctp: prepare asoc stream for stream reconf")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1511949c
    • Arnd Bergmann's avatar
      cpsw/netcp: cpts depends on posix_timers · 07fef362
      Arnd Bergmann authored
      With posix timers having become optional, we get a build error with
      the cpts time sync option of the CPSW driver:
      
      drivers/net/ethernet/ti/cpts.c: In function 'cpts_find_ts':
      drivers/net/ethernet/ti/cpts.c:291:23: error: implicit declaration of function 'ptp_classify_raw';did you mean 'ptp_classifier_init'? [-Werror=implicit-function-declaration]
      
      This adds a hard dependency on PTP_CLOCK to avoid the problem, as
      building it without PTP support makes no sense anyway.
      
      Fixes: baa73d9e ("posix-timers: Make them configurable")
      Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarNicolas Pitre <nico@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      07fef362
    • Arnd Bergmann's avatar
      cpsw/netcp: work around reverse cpts dependency · be9ca0d3
      Arnd Bergmann authored
      The dependency is reversed: cpsw and netcp call into cpts,
      but cpts depends on the other two in Kconfig. This can lead
      to cpts being a loadable module and its callers built-in:
      
      drivers/net/ethernet/ti/cpsw.o: In function `cpsw_remove':
      cpsw.c:(.text.cpsw_remove+0xd0): undefined reference to `cpts_release'
      drivers/net/ethernet/ti/cpsw.o: In function `cpsw_rx_handler':
      cpsw.c:(.text.cpsw_rx_handler+0x2dc): undefined reference to `cpts_rx_timestamp'
      drivers/net/ethernet/ti/cpsw.o: In function `cpsw_tx_handler':
      cpsw.c:(.text.cpsw_tx_handler+0x7c): undefined reference to `cpts_tx_timestamp'
      drivers/net/ethernet/ti/cpsw.o: In function `cpsw_ndo_stop':
      
      As a workaround, I'm introducing another Kconfig symbol to
      control the compilation of cpts, while making the actual
      module controlled by a silent symbol that is =y when necessary.
      
      Fixes: 6246168b ("net: ethernet: ti: netcp: add support of cpts")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be9ca0d3
    • David S. Miller's avatar
      Merge branch 'r8152-rx-settings' · 8fb106b2
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152: fix the rx settings of RTL8153
      
      The RMS and the rx early size should base on the same rx size. However,
      the RMS is set to 9K bytes now and the rx early depends on mtu. For using
      the rx buffer effectively, sync the two settings according to the mtu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8fb106b2
    • hayeswang's avatar
      r8152: fix the rx early size of RTL8153 · b20cb60e
      hayeswang authored
      revert commit a59e6d81 ("r8152: correct the rx early size") and
      fix the rx early size as
      
      	(rx buffer size - rx packet size - rx desc size - alignment) / 4
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b20cb60e
    • hayeswang's avatar
      r8152: set the RMS of RTL8153 according to the mtu · 210c4f70
      hayeswang authored
      Set the received maximum size (RMS) according to the mtu size. It is
      unnecessary to receive a packet which is more than the size we could
      transmit. Besides, this could let the rx buffer be used effectively.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      210c4f70
    • Tejun Heo's avatar
      cgroup, net_cls: iterate the fds of only the tasks which are being migrated · a05d4fd9
      Tejun Heo authored
      The net_cls controller controls the classid field of each socket which
      is associated with the cgroup.  Because the classid is per-socket
      attribute, when a task migrates to another cgroup or the configured
      classid of the cgroup changes, the controller needs to walk all
      sockets and update the classid value, which was implemented by
      3b13758f ("cgroups: Allow dynamically changing net_classid").
      
      While the approach is not scalable, migrating tasks which have a lot
      of fds attached to them is rare and the cost is born by the ones
      initiating the operations.  However, for simplicity, both the
      migration and classid config change paths call update_classid() which
      scans all fds of all tasks in the target css.  This is an overkill for
      the migration path which only needs to cover a much smaller subset of
      tasks which are actually getting migrated in.
      
      On cgroup v1, this can lead to unexpected scalability issues when one
      tries to migrate a task or process into a net_cls cgroup which already
      contains a lot of fds.  Even if the migration traget doesn't have many
      to get scanned, update_classid() ends up scanning all fds in the
      target cgroup which can be extremely numerous.
      
      Unfortunately, on cgroup v2 which doesn't use net_cls, the problem is
      even worse.  Before bfc2cf6f ("cgroup: call subsys->*attach() only
      for subsystems which are actually affected by migration"), cgroup core
      would call the ->css_attach callback even for controllers which don't
      see actual migration to a different css.
      
      As net_cls is always disabled but still mounted on cgroup v2, whenever
      a process is migrated on the cgroup v2 hierarchy, net_cls sees
      identity migration from root to root and cgroup core used to call
      ->css_attach callback for those.  The net_cls ->css_attach ends up
      calling update_classid() on the root net_cls css to which all
      processes on the system belong to as the controller isn't used.  This
      makes any cgroup v2 migration O(total_number_of_fds_on_the_system)
      which is horrible and easily leads to noticeable stalls triggering RCU
      stall warnings and so on.
      
      The worst symptom is already fixed in upstream by bfc2cf6f
      ("cgroup: call subsys->*attach() only for subsystems which are
      actually affected by migration"); however, backporting that commit is
      too invasive and we want to avoid other cases too.
      
      This patch updates net_cls's cgrp_attach() to iterate fds of only the
      processes which are actually getting migrated.  This removes the
      surprising migration cost which is dependent on the total number of
      fds in the target cgroup.  As this leaves write_classid() the only
      user of update_classid(), open-code the helper into write_classid().
      Reported-by: default avatarDavid Goode <dgoode@fb.com>
      Fixes: 3b13758f ("cgroups: Allow dynamically changing net_classid")
      Cc: stable@vger.kernel.org # v4.4+
      Cc: Nina Schiff <ninasc@fb.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a05d4fd9
    • Tony Lindgren's avatar
      net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4 · 4071898b
      Tony Lindgren authored
      This gets qmicli working with the MDM6600 modem.
      
      Cc: Bjørn Mork <bjorn@mork.no>
      Reviewed-by: default avatarSebastian Reichel <sre@kernel.org>
      Tested-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4071898b
    • Zi Shen Lim's avatar
      selftests/bpf: fix broken build, take 2 · e8f1f34a
      Zi Shen Lim authored
      Merge of 'linux-kselftest-4.11-rc1':
      
      1. Partially removed use of 'test_objs' target, breaking force rebuild of
      BPFOBJ, introduced in commit d498f871 ("bpf: Rebuild bpf.o for any
      dependency update").
      
        Update target so dependency on BPFOBJ is restored.
      
      2. Introduced commit 2047f1d8 ("selftests: Fix the .c linking rule")
      which fixes order of LDLIBS.
      
        Commit d02d8986 ("bpf: Always test unprivileged programs") added
      libcap dependency into CFLAGS. Use LDLIBS instead to fix linking of
      test_verifier.
      
      3. Introduced commit d83c3ba0 ("selftests: Fix selftests build to
      just build, not run tests").
      
        Reordering the Makefile allows us to remove the 'all' target.
      
      Tested both:
          selftests/bpf$ make
      and
          selftests$ make TARGETS=bpf
      on Ubuntu 16.04.2.
      Signed-off-by: default avatarZi Shen Lim <zlim.lnx@gmail.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Tested-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Tested-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8f1f34a
    • Soheil Hassas Yeganeh's avatar
      tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS · 4ef1b286
      Soheil Hassas Yeganeh authored
      SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
      while packets are collected on the error queue.
      So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
      is not enough to safely assume that the skb contains
      OPT_STATS data.
      
      Add a bit in sock_exterr_skb to indicate whether the
      skb contains opt_stats data.
      
      Fixes: 1c885808 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
      Reported-by: default avatarJongHwan Kim <zzoru007@gmail.com>
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ef1b286
    • Soheil Hassas Yeganeh's avatar
      tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs · 8605330a
      Soheil Hassas Yeganeh authored
      __sock_recv_timestamp can be called for both normal skbs (for
      receive timestamps) and for skbs on the error queue (for transmit
      timestamps).
      
      Commit 1c885808
      (tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING)
      assumes any skb passed to __sock_recv_timestamp are from
      the error queue, containing OPT_STATS in the content of the skb.
      This results in accessing invalid memory or generating junk
      data.
      
      To fix this, set skb->pkt_type to PACKET_OUTGOING for packets
      on the error queue. This is safe because on the receive path
      on local sockets skb->pkt_type is never set to PACKET_OUTGOING.
      With that, copy OPT_STATS from a packet, only if its pkt_type
      is PACKET_OUTGOING.
      
      Fixes: 1c885808 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
      Reported-by: default avatarJongHwan Kim <zzoru007@gmail.com>
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8605330a
    • Xin Long's avatar
      sctp: out_qlen should be updated when pruning unsent queue · 23bb09cf
      Xin Long authored
      This patch is to fix the issue that sctp_prsctp_prune_sent forgot
      to update q->out_qlen when removing a chunk from unsent queue.
      
      Fixes: 8dbdf1f5 ("sctp: implement prsctp PRIO policy")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      23bb09cf
    • Xin Long's avatar
      sctp: define dst_pending_confirm as a bit in sctp_transport · 1f904495
      Xin Long authored
      As tp->dst_pending_confirm's value can only be set 0 or 1, this
      patch is to change to define it as a bit instead of __u32.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f904495
    • Xin Long's avatar
      sctp: remove temporary variable confirm from sctp_packet_transmit · 486a43db
      Xin Long authored
      Commit c86a773c ("sctp: add dst_pending_confirm flag") introduced
      a temporary variable "confirm" in sctp_packet_transmit.
      
      But it broke the rule that longer lines should be above shorter ones.
      Besides, this variable is not necessary, so this patch is to just
      remove it and use tp->dst_pending_confirm directly.
      
      Fixes: c86a773c ("sctp: add dst_pending_confirm flag")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      486a43db
    • David Ahern's avatar
      net: vrf: Reset rt6i_idev in local dst after put · 3dc857f0
      David Ahern authored
      The VRF driver takes a reference to the inet6_dev on the VRF device for
      its rt6_local dst when handling local traffic through the VRF device as
      a loopback. When the device is deleted the driver does a put on the idev
      but does not reset rt6i_idev in the rt6_info struct. When the dst is
      destroyed, dst_destroy calls ip6_dst_destroy which does a second put for
      what is essentially the same reference causing it to be prematurely freed.
      Reset rt6i_idev after the put in the vrf driver.
      
      Fixes: b4869aa2 ("net: vrf: ipv6 support for local traffic to
                             local addresses")
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3dc857f0
    • Dan Carpenter's avatar
      bna: integer overflow bug in debugfs · 13e2d518
      Dan Carpenter authored
      We could allocate less memory than intended because we do:
      
      	bnad->regdata = kzalloc(len << 2, GFP_KERNEL);
      
      The shift can overflow leading to a crash.  This is debugfs code so the
      impact is very small.
      
      Fixes: 7afc5dbd ("bna: Add debugfs interface.")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarRasesh Mody <rasesh.mody@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      13e2d518