1. 17 Oct, 2015 1 commit
    • Nikolay Borisov's avatar
      netfilter: ipset: Fix sleeping memory allocation in atomic context · 00db674b
      Nikolay Borisov authored
      Commit 00590fdd introduced RCU locking in list type and in
      doing so introduced a memory allocation in list_set_add, which
      is done in an atomic context, due to the fact that ipset rcu
      list modifications are serialised with a spin lock. The reason
      why we can't use a mutex is that in addition to modifying the
      list with ipset commands, it's also being modified when a
      particular ipset rule timeout expires aka garbage collection.
      This gc is triggered from set_cleanup_entries, which in turn
      is invoked from a timer thus requiring the lock to be bh-safe.
      
      Concretely the following call chain can lead to "sleeping function
      called in atomic context" splat:
      call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
      And since GFP_KERNEL allows initiating direct reclaim thus
      potentially sleeping in the allocation path.
      
      To fix the issue change the allocation type to GFP_ATOMIC, to
      correctly reflect that it is occuring in an atomic context.
      
      Fixes: 00590fdd ("netfilter: ipset: Introduce RCU locking in list type")
      Signed-off-by: default avatarNikolay Borisov <kernel@kyup.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      00db674b
  2. 13 Oct, 2015 1 commit
    • Florian Westphal's avatar
      netfilter: sync with packet rx also after removing queue entries · 514ed62e
      Florian Westphal authored
      We need to sync packet rx again after flushing the queue entries.
      Otherwise, the following race could happen:
      
      cpu1: nf_unregister_hook(H) called, H unliked from lists, calls
      synchronize_net() to wait for packet rx completion.
      
      Problem is that while no new nf_queue_entry structs that use H can be
      allocated, another CPU might receive a verdict from userspace just before
      cpu1 calls nf_queue_nf_hook_drop to remove this entry:
      
      cpu2: receive verdict from userspace, lock queue
      cpu2: unlink nf_queue_entry struct E, which references H, from queue list
      cpu1: calls nf_queue_nf_hook_drop, blocks on queue spinlock
      cpu2: unlock queue
      cpu1: nf_queue_nf_hook_drop drops affected queue entries
      cpu2: call nf_reinject for E
      cpu1: kfree(H)
      cpu2: potential use-after-free for H
      
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Fixes: 085db2c0 ("netfilter: Per network namespace netfilter hooks.")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      514ed62e
  3. 12 Oct, 2015 1 commit
    • lucien's avatar
      netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse · cc4998fe
      lucien authored
      --accept-local  option works for res.type == RTN_LOCAL, which should be
      from the local table, but there, the fib_info's nh->nh_scope =
      RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
      
      	if (cfg->fc_scope == RT_SCOPE_HOST) {
      		struct fib_nh *nh = fi->fib_nh;
      
      		/* Local address is added. */
      		if (nhs != 1 || nh->nh_gw)
      			goto err_inval;
      		nh->nh_scope = RT_SCOPE_NOWHERE;   <===
      		nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
      		err = -ENODEV;
      		if (!nh->nh_dev)
      			goto failure;
      
      but in our rpfilter_lookup_reverse():
      
      	if (dev_match || flags & XT_RPFILTER_LOOSE)
      		return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
      
      if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
      will never be passed.
      
      it seems the test is bogus and can be removed to fix this issue.
      
      	if (dev_match || flags & XT_RPFILTER_LOOSE)
      		return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
      
      ipv6 does not have this issue.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cc4998fe
  4. 30 Sep, 2015 6 commits
  5. 29 Sep, 2015 15 commits
    • Pravin B Shelar's avatar
      skbuff: Fix skb checksum partial check. · 31b33dfb
      Pravin B Shelar authored
      Earlier patch 6ae459bd tried to detect void ckecksum partial
      skb by comparing pull length to checksum offset. But it does
      not work for all cases since checksum-offset depends on
      updates to skb->data.
      
      Following patch fixes it by validating checksum start offset
      after skb-data pointer is updated. Negative value of checksum
      offset start means there is no need to checksum.
      
      Fixes: 6ae459bd ("skbuff: Fix skb checksum flag on skb pull")
      Reported-by: default avatarAndrew Vagin <avagin@odin.com>
      Signed-off-by: default avatarPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31b33dfb
    • David Ahern's avatar
      net: ipv6: Add RT6_LOOKUP_F_IFACE flag if oif is set · 741a11d9
      David Ahern authored
      Wolfgang reported that IPv6 stack is ignoring oif in output route lookups:
      
          With ipv6, ip -6 route get always returns the specific route.
      
          $ ip -6 r
          2001:db8:e2::1 dev enp2s0  proto kernel  metric 256
          2001:db8:e2::/64 dev enp2s0  metric 1024
          2001:db8:e3::1 dev enp3s0  proto kernel  metric 256
          2001:db8:e3::/64 dev enp3s0  metric 1024
          fe80::/64 dev enp3s0  proto kernel  metric 256
          default via 2001:db8:e3::255 dev enp3s0  metric 1024
      
          $ ip -6 r get 2001:db8:e2::100
          2001:db8:e2::100 from :: dev enp2s0  src 2001:db8:e3::1  metric 0
              cache
      
          $ ip -6 r get 2001:db8:e2::100 oif enp3s0
          2001:db8:e2::100 from :: dev enp2s0  src 2001:db8:e3::1  metric 0
              cache
      
      The stack does consider the oif but a mismatch in rt6_device_match is not
      considered fatal because RT6_LOOKUP_F_IFACE is not set in the flags.
      
      Cc: Wolfgang Nothdurft <netdev@linux-dude.de>
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      741a11d9
    • Alexander Stein's avatar
      net sysfs: Print link speed as signed integer · 75c261b5
      Alexander Stein authored
      Otherwise 4294967295 (MBit/s) (-1) will be printed when there is no link.
      Documentation/ABI/testing/sysfs-class-net does not state if this shall be
      signed or unsigned.
      Also remove the now unused variable fmt_udec.
      Signed-off-by: default avatarAlexander Stein <alexander.stein@systec-electronic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75c261b5
    • Andrzej Hajda's avatar
      bna: fix error handling · 4c52b1da
      Andrzej Hajda authored
      Several functions can return negative value in case of error,
      so their return type should be fixed as well as type of variables
      to which this value is assigned.
      
      The problem has been detected using proposed semantic patch
      scripts/coccinelle/tests/assign_signed_to_unsigned.cocci [1].
      
      [1]: http://permalink.gmane.org/gmane.linux.kernel/2046107Signed-off-by: default avatarAndrzej Hajda <a.hajda@samsung.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c52b1da
    • David S. Miller's avatar
      Merge branch 'af_unix_MSG_PEEK' · 3504bb63
      David S. Miller authored
      Aaron Conole says:
      
      ====================
      af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
      
      This patch set implements a bugfix for kernel.org bugzilla #12323, allowing
      MSG_PEEK to return all queued data on the unix domain socket, not just the
      data contained in a single SKB.
      
      This is the v3 version of this patch, which includes a suggested modification
      by Eric Dumazet to convert the unix_sk() conversion macro to a static inline
      function. These patches are independent and can be applied separately.
      
      This set was tested over a 24-hour period, utilizing a loop continually
      executing the bugzilla issue attached python code. It was instrumented with
      a pr_err_once() ([   13.798683] unix: went there at least one time).
      
      v2->v3:
       - Added Eric Dumazet's suggestion for #define to static inline
       - Fixed an issue calling unix_state_lock() with an invalid argument
      
      v3->v4:
       - Eliminated an XXX comment
       - Changed from goto unlock to explicit unix_state_unlock() and break
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3504bb63
    • Aaron Conole's avatar
      af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag · 9f389e35
      Aaron Conole authored
      AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag
      is set.
      
      This is referenced in kernel bugzilla #12323 @
      https://bugzilla.kernel.org/show_bug.cgi?id=12323
      
      As described both in the BZ and lkml thread @
      http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an
      AF_UNIX socket only reads a single skb, where the desired effect is
      to return as much skb data has been queued, until hitting the recv
      buffer size (whichever comes first).
      
      The modified MSG_PEEK path will now move to the next skb in the tree
      and jump to the again: label, rather than following the natural loop
      structure. This requires duplicating some of the loop head actions.
      
      This was tested using the python socketpair python code attached to
      the bugzilla issue.
      Signed-off-by: default avatarAaron Conole <aconole@bytheb.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9f389e35
    • Aaron Conole's avatar
      af_unix: Convert the unix_sk macro to an inline function for type safety · 4613012d
      Aaron Conole authored
      As suggested by Eric Dumazet this change replaces the
      #define with a static inline function to enjoy
      complaints by the compiler when misusing the API.
      Signed-off-by: default avatarAaron Conole <aconole@bytheb.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4613012d
    • Denys Vlasenko's avatar
      net: sctp: Don't use 64 kilobyte lookup table for four elements · 2103d6b8
      Denys Vlasenko authored
      Seemingly innocuous sctp_trans_state_to_prio_map[] array
      is way bigger than it looks, since
      "[SCTP_UNKNOWN] = 2" expands into "[0xffff] = 2" !
      
      This patch replaces it with switch() statement.
      Signed-off-by: default avatarDenys Vlasenko <dvlasenk@redhat.com>
      CC: Vlad Yasevich <vyasevich@gmail.com>
      CC: Neil Horman <nhorman@tuxdriver.com>
      CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      CC: linux-sctp@vger.kernel.org
      CC: netdev@vger.kernel.org
      CC: linux-kernel@vger.kernel.org
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2103d6b8
    • Alexander Couzens's avatar
      l2tp: protect tunnel->del_work by ref_count · 06a15f51
      Alexander Couzens authored
      There is a small chance that tunnel_free() is called before tunnel->del_work scheduled
      resulting in a zero pointer dereference.
      Signed-off-by: default avatarAlexander Couzens <lynxis@fe80.eu>
      Acked-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      06a15f51
    • Ivan Mikhaylov's avatar
      net/ibm/emac: bump version numbers for correct work with ethtool · 661dfc65
      Ivan Mikhaylov authored
      The size of the MAC register dump used to be the size specified by the
      reg property in the device tree.  Userland has no good way of finding
      out that size, and it was not specified consistently for each MAC type,
      so ethtool would end up printing junk at the end of the register dump
      if the device tree didn't match the size it assumed.
      
      Using the new version numbers indicates unambiguously that the size of
      the MAC register dump is dependent only on the MAC type.
      
      Fixes: 5369c71f ("net/ibm/emac: fix size of emac dump memory areas")
      Signed-off-by: default avatarIvan Mikhaylov <ivan@ru.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      661dfc65
    • David S. Miller's avatar
      Merge branch 'sctp-accept-deadlock' · 51359bfc
      David S. Miller authored
      Karl Heiss says:
      
      ====================
      sctp: Fix SCTP deadlock
      
      These patches fix a deadlock during accept() of an SCTP connection.
      
      The first patch fixes whitespace issues.
      
      The second patch actually fixes the deadlock race.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51359bfc
    • Karl Heiss's avatar
      sctp: Prevent soft lockup when sctp_accept() is called during a timeout event · 635682a1
      Karl Heiss authored
      A case can occur when sctp_accept() is called by the user during
      a heartbeat timeout event after the 4-way handshake.  Since
      sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the
      bh_sock_lock in sctp_generate_heartbeat_event() will be taken with
      the listening socket but released with the new association socket.
      The result is a deadlock on any future attempts to take the listening
      socket lock.
      
      Note that this race can occur with other SCTP timeouts that take
      the bh_lock_sock() in the event sctp_accept() is called.
      
       BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0]
       ...
       RIP: 0010:[<ffffffff8152d48e>]  [<ffffffff8152d48e>] _spin_lock+0x1e/0x30
       RSP: 0018:ffff880028323b20  EFLAGS: 00000206
       RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48
       RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000
       R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0
       R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225
       FS:  0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
       CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
       Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0)
       Stack:
       ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000
       <d> 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00
       <d> ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8
       Call Trace:
       <IRQ>
       [<ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp]
       [<ffffffff8148c559>] ? nf_iterate+0x69/0xb0
       [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148c716>] ? nf_hook_slow+0x76/0x120
       [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497808>] ? ip_local_deliver+0x98/0xa0
       [<ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440
       [<ffffffff81497255>] ? ip_rcv+0x275/0x350
       [<ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750
       ...
      
      With lockdep debugging:
      
       =====================================
       [ BUG: bad unlock balance detected! ]
       -------------------------------------
       CslRx/12087 is trying to release lock (slock-AF_INET) at:
       [<ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp]
       but there are no more locks to release!
      
       other info that might help us debug this:
       2 locks held by CslRx/12087:
       #0:  (&asoc->timers[i]){+.-...}, at: [<ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0
       #1:  (slock-AF_INET){+.-...}, at: [<ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp]
      
      Ensure the socket taken is also the same one that is released by
      saving a copy of the socket before entering the timeout event
      critical section.
      Signed-off-by: default avatarKarl Heiss <kheiss@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      635682a1
    • Karl Heiss's avatar
      sctp: Whitespace fix · f05940e6
      Karl Heiss authored
      Fix indentation in sctp_generate_heartbeat_event.
      Signed-off-by: default avatarKarl Heiss <kheiss@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f05940e6
    • Mitch Williams's avatar
      i40e/i40evf: check for stopped admin queue · 43ae93a9
      Mitch Williams authored
      It's possible that while we are waiting for the spinlock, another
      entity (that owns the spinlock) has shut down the admin queue.
      If we then attempt to use the queue, we will panic.
      
      Add a check for this condition on the receive side. This matches
      an existing check on the send queue side.
      Signed-off-by: default avatarMitch Williams <mitch.a.williams@intel.com>
      Acked-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43ae93a9
    • Jesse Brandeburg's avatar
      i40e: fix VLAN inside VXLAN · c4bbac39
      Jesse Brandeburg authored
      Previously to this patch, the hardware was removing
      VLAN tags from the inner header of VXLAN packets.  The
      hardware configuration can be changed to leave the
      packet alone since that is what the linux stack
      expects for this type of VLAN in VXLAN packet.
      Signed-off-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4bbac39
  6. 27 Sep, 2015 2 commits
  7. 26 Sep, 2015 3 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 518a7cb6
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) When we run a tap on netlink sockets, we have to copy mmap'd SKBs
          instead of cloning them.  From Daniel Borkmann.
      
       2) When converting classical BPF into eBPF, fix the setting of the
          source reg to BPF_REG_X.  From Tycho Andersen.
      
       3) Fix igmpv3/mldv2 report parsing in the bridge multicast code, from
          Linus Lussing.
      
       4) Fix dst refcounting for ipv6 tunnels, from Martin KaFai Lau.
      
       5) Set NLM_F_REPLACE flag properly when replacing ipv6 routes, from
          Roopa Prabhu.
      
       6) Add some new cxgb4 PCI device IDs, from Hariprasad Shenai.
      
       7) Fix headroom tests and SKB leaks in ipv6 fragmentation code, from
          Florian Westphal.
      
       8) Check DMA mapping errors in bna driver, from Ivan Vecera.
      
       9) Several 8139cp bug fixes (dev_kfree_skb_any in interrupt context,
          misclearing of interrupt status in TX timeout handler, etc.) from
          David Woodhouse.
      
      10) In tipc, reset SKB header pointer after skb_linearize(), from Erik
          Hugne.
      
      11) Fix autobind races et al. in netlink code, from Herbert Xu with
          help from Tejun Heo and others.
      
      12) Missing SET_NETDEV_DEV in sunvnet driver, from Sowmini Varadhan.
      
      13) Fix various races in timewait timer and reqsk_queue_hadh_req, from
          Eric Dumazet.
      
      14) Fix array overruns in mac80211, from Johannes Berg and Dan
          Carpenter.
      
      15) Fix data race in rhashtable_rehash_one(), from Dmitriy Vyukov.
      
      16) Fix race between poll_one_napi and napi_disable, from Neil Horman.
      
      17) Fix byte order in geneve tunnel port config, from John W Linville.
      
      18) Fix handling of ARP replies over lightweight tunnels, from Jiri
          Benc.
      
      19) We can loop when fib rule dumps cross multiple SKBs, fix from Wilson
          Kok and Roopa Prabhu.
      
      20) Several reference count handling bug fixes in the PHY/MDIO layer
          from Russel King.
      
      21) Fix lockdep splat in ppp_dev_uninit(), from Guillaume Nault.
      
      22) Fix crash in icmp_route_lookup(), from David Ahern.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
        net: Fix panic in icmp_route_lookup
        net: update docbook comment for __mdiobus_register()
        ppp: fix lockdep splat in ppp_dev_uninit()
        net: via/Kconfig: GENERIC_PCI_IOMAP required if PCI not selected
        phy: marvell: add link partner advertised modes
        net: fix net_device refcounting
        phy: add phy_device_remove()
        phy: fixed-phy: properly validate phy in fixed_phy_update_state()
        net: fix phy refcounting in a bunch of drivers
        of_mdio: fix MDIO phy device refcounting
        phy: add proper phy struct device refcounting
        phy: fix mdiobus module safety
        net: dsa: fix of_mdio_find_bus() device refcount leak
        phy: fix of_mdio_find_bus() device refcount leak
        ip6_tunnel: Reduce log level in ip6_tnl_err() to debug
        ip6_gre: Reduce log level in ip6gre_err() to debug
        fib_rules: fix fib rule dumps across multiple skbs
        bnx2x: byte swap rss_key to comply to Toeplitz specs
        net: revert "net_sched: move tp->root allocation into fw_init()"
        lwtunnel: remove source and destination UDP port config option
        ...
      518a7cb6
    • David Ahern's avatar
      net: Fix panic in icmp_route_lookup · bdb06cbf
      David Ahern authored
      Andrey reported a panic:
      
      [ 7249.865507] BUG: unable to handle kernel pointer dereference at 000000b4
      [ 7249.865559] IP: [<c16afeca>] icmp_route_lookup+0xaa/0x320
      [ 7249.865598] *pdpt = 0000000030f7f001 *pde = 0000000000000000
      [ 7249.865637] Oops: 0000 [#1]
      ...
      [ 7249.866811] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
      4.3.0-999-generic #201509220155
      [ 7249.866876] Hardware name: MSI MS-7250/MS-7250, BIOS 080014  08/02/2006
      [ 7249.866916] task: c1a5ab00 ti: c1a52000 task.ti: c1a52000
      [ 7249.866949] EIP: 0060:[<c16afeca>] EFLAGS: 00210246 CPU: 0
      [ 7249.866981] EIP is at icmp_route_lookup+0xaa/0x320
      [ 7249.867012] EAX: 00000000 EBX: f483ba48 ECX: 00000000 EDX: f2e18a00
      [ 7249.867045] ESI: 000000c0 EDI: f483ba70 EBP: f483b9ec ESP: f483b974
      [ 7249.867077]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      [ 7249.867108] CR0: 8005003b CR2: 000000b4 CR3: 36ee07c0 CR4: 000006f0
      [ 7249.867141] Stack:
      [ 7249.867165]  320310ee 00000000 00000042 320310ee 00000000 c1aeca00
      f3920240 f0c69180
      [ 7249.867268]  f483ba04 f855058b a89b66cd f483ba44 f8962f4b 00000000
      e659266c f483ba54
      [ 7249.867361]  8004753c f483ba5c f8962f4b f2031140 000003c1 ffbd8fa0
      c16b0e00 00000064
      [ 7249.867448] Call Trace:
      [ 7249.867494]  [<f855058b>] ? e1000_xmit_frame+0x87b/0xdc0 [e1000e]
      [ 7249.867534]  [<f8962f4b>] ? tcp_in_window+0xeb/0xb10 [nf_conntrack]
      [ 7249.867576]  [<f8962f4b>] ? tcp_in_window+0xeb/0xb10 [nf_conntrack]
      [ 7249.867615]  [<c16b0e00>] ? icmp_send+0xa0/0x380
      [ 7249.867648]  [<c16b102f>] icmp_send+0x2cf/0x380
      [ 7249.867681]  [<f89c8126>] nf_send_unreach+0xa6/0xc0 [nf_reject_ipv4]
      [ 7249.867714]  [<f89cd0da>] reject_tg+0x7a/0x9f [ipt_REJECT]
      [ 7249.867746]  [<f88c29a7>] ipt_do_table+0x317/0x70c [ip_tables]
      [ 7249.867780]  [<f895e0a6>] ? __nf_conntrack_find_get+0x166/0x3b0
      [nf_conntrack]
      [ 7249.867838]  [<f895eea8>] ? nf_conntrack_in+0x398/0x600 [nf_conntrack]
      [ 7249.867889]  [<f84c0035>] iptable_filter_hook+0x35/0x80 [iptable_filter]
      [ 7249.867933]  [<c16776a1>] nf_iterate+0x71/0x80
      [ 7249.867970]  [<c1677715>] nf_hook_slow+0x65/0xc0
      [ 7249.868002]  [<c1681811>] __ip_local_out_sk+0xc1/0xd0
      [ 7249.868034]  [<c1680f30>] ? ip_forward_options+0x1a0/0x1a0
      [ 7249.868066]  [<c1681836>] ip_local_out_sk+0x16/0x30
      [ 7249.868097]  [<c1684054>] ip_send_skb+0x14/0x80
      [ 7249.868129]  [<c16840f4>] ip_push_pending_frames+0x34/0x40
      [ 7249.868163]  [<c16844a2>] ip_send_unicast_reply+0x282/0x310
      [ 7249.868196]  [<c16a0863>] tcp_v4_send_reset+0x1b3/0x380
      [ 7249.868227]  [<c16a1b63>] tcp_v4_rcv+0x323/0x990
      [ 7249.868257]  [<c16776a1>] ? nf_iterate+0x71/0x80
      [ 7249.868289]  [<c167dc2b>] ip_local_deliver_finish+0x8b/0x230
      [ 7249.868322]  [<c167df4c>] ip_local_deliver+0x4c/0xa0
      [ 7249.868353]  [<c167dba0>] ? ip_rcv_finish+0x390/0x390
      [ 7249.868384]  [<c167d88c>] ip_rcv_finish+0x7c/0x390
      [ 7249.868415]  [<c167e280>] ip_rcv+0x2e0/0x420
      ...
      
      Prior to the VRF change the oif was not set in the flow struct, so the
      VRF support should really have only added the vrf_master_ifindex lookup.
      
      Fixes: 613d09b3 ("net: Use VRF device index for lookups on TX")
      Cc: Andrey Melnikov <temnota.am@gmail.com>
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bdb06cbf
    • Russell King's avatar
      net: update docbook comment for __mdiobus_register() · 59f06978
      Russell King authored
      Update the docbook comment for __mdiobus_register() to include the new
      module owner argument.  This resolves a warning found by the 0-day
      builder.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59f06978
  8. 25 Sep, 2015 11 commits
    • Linus Torvalds's avatar
      Merge branch 'for-4.3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · d4a748a1
      Linus Torvalds authored
      Pull another cgroup fix from Tejun Heo:
       "The cgroup writeback support got inadvertently enabled for traditional
        hierarchies revealing two regressions which are currently being worked
        on.  It shouldn't have been enabled on traditional hierarchies, so
        disable it on them.  This is enough to make the regressions go away
        for people who aren't experimenting with cgroup"
      
      * 'for-4.3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup, writeback: don't enable cgroup writeback on traditional hierarchies
      d4a748a1
    • Guillaume Nault's avatar
      ppp: fix lockdep splat in ppp_dev_uninit() · 58a89eca
      Guillaume Nault authored
      ppp_dev_uninit() locks all_ppp_mutex while under rtnl mutex protection.
      ppp_create_interface() must then lock these mutexes in that same order
      to avoid possible deadlock.
      
      [  120.880011] ======================================================
      [  120.880011] [ INFO: possible circular locking dependency detected ]
      [  120.880011] 4.2.0 #1 Not tainted
      [  120.880011] -------------------------------------------------------
      [  120.880011] ppp-apitest/15827 is trying to acquire lock:
      [  120.880011]  (&pn->all_ppp_mutex){+.+.+.}, at: [<ffffffffa0145f56>] ppp_dev_uninit+0x64/0xb0 [ppp_generic]
      [  120.880011]
      [  120.880011] but task is already holding lock:
      [  120.880011]  (rtnl_mutex){+.+.+.}, at: [<ffffffff812e4255>] rtnl_lock+0x12/0x14
      [  120.880011]
      [  120.880011] which lock already depends on the new lock.
      [  120.880011]
      [  120.880011]
      [  120.880011] the existing dependency chain (in reverse order) is:
      [  120.880011]
      [  120.880011] -> #1 (rtnl_mutex){+.+.+.}:
      [  120.880011]        [<ffffffff81073a6f>] lock_acquire+0xcf/0x10e
      [  120.880011]        [<ffffffff813ab18a>] mutex_lock_nested+0x56/0x341
      [  120.880011]        [<ffffffff812e4255>] rtnl_lock+0x12/0x14
      [  120.880011]        [<ffffffff812d9d94>] register_netdev+0x11/0x27
      [  120.880011]        [<ffffffffa0147b17>] ppp_ioctl+0x289/0xc98 [ppp_generic]
      [  120.880011]        [<ffffffff8113b367>] do_vfs_ioctl+0x4ea/0x532
      [  120.880011]        [<ffffffff8113b3fd>] SyS_ioctl+0x4e/0x7d
      [  120.880011]        [<ffffffff813ad7d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
      [  120.880011]
      [  120.880011] -> #0 (&pn->all_ppp_mutex){+.+.+.}:
      [  120.880011]        [<ffffffff8107334e>] __lock_acquire+0xb07/0xe76
      [  120.880011]        [<ffffffff81073a6f>] lock_acquire+0xcf/0x10e
      [  120.880011]        [<ffffffff813ab18a>] mutex_lock_nested+0x56/0x341
      [  120.880011]        [<ffffffffa0145f56>] ppp_dev_uninit+0x64/0xb0 [ppp_generic]
      [  120.880011]        [<ffffffff812d5263>] rollback_registered_many+0x19e/0x252
      [  120.880011]        [<ffffffff812d5381>] rollback_registered+0x29/0x38
      [  120.880011]        [<ffffffff812d53fa>] unregister_netdevice_queue+0x6a/0x77
      [  120.880011]        [<ffffffffa0146a94>] ppp_release+0x42/0x79 [ppp_generic]
      [  120.880011]        [<ffffffff8112d9f6>] __fput+0xec/0x192
      [  120.880011]        [<ffffffff8112dacc>] ____fput+0x9/0xb
      [  120.880011]        [<ffffffff8105447a>] task_work_run+0x66/0x80
      [  120.880011]        [<ffffffff81001801>] prepare_exit_to_usermode+0x8c/0xa7
      [  120.880011]        [<ffffffff81001900>] syscall_return_slowpath+0xe4/0x104
      [  120.880011]        [<ffffffff813ad931>] int_ret_from_sys_call+0x25/0x9f
      [  120.880011]
      [  120.880011] other info that might help us debug this:
      [  120.880011]
      [  120.880011]  Possible unsafe locking scenario:
      [  120.880011]
      [  120.880011]        CPU0                    CPU1
      [  120.880011]        ----                    ----
      [  120.880011]   lock(rtnl_mutex);
      [  120.880011]                                lock(&pn->all_ppp_mutex);
      [  120.880011]                                lock(rtnl_mutex);
      [  120.880011]   lock(&pn->all_ppp_mutex);
      [  120.880011]
      [  120.880011]  *** DEADLOCK ***
      
      Fixes: 8cb775bc ("ppp: fix device unregistration upon netns deletion")
      Reported-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Tested-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58a89eca
    • Sudip Mukherjee's avatar
      net: via/Kconfig: GENERIC_PCI_IOMAP required if PCI not selected · 21343ac2
      Sudip Mukherjee authored
      The builds of allmodconfig of avr32 is failing with:
      
      drivers/net/ethernet/via/via-rhine.c:1098:2: error: implicit declaration
      of function 'pci_iomap' [-Werror=implicit-function-declaration]
      drivers/net/ethernet/via/via-rhine.c:1119:2: error: implicit declaration
      of function 'pci_iounmap' [-Werror=implicit-function-declaration]
      
      The generic empty pci_iomap and pci_iounmap is used only if CONFIG_PCI
      is not defined and CONFIG_GENERIC_PCI_IOMAP is defined.
      
      Add GENERIC_PCI_IOMAP in the dependency list for VIA_RHINE as we are
      getting build failure when CONFIG_PCI and CONFIG_GENERIC_PCI_IOMAP both
      are not defined.
      Signed-off-by: default avatarSudip Mukherjee <sudip@vectorindia.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21343ac2
    • Russell King's avatar
      phy: marvell: add link partner advertised modes · 357cd64c
      Russell King authored
      Read the standard link partner advertisment registers and store it in
      phydev->lp_advertising, so ethtool can report this information to
      userspace via ethtool.  Zero it as per genphy if autonegotiation is
      disabled.  Tested with a Marvell 88E1512 PHY.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      357cd64c
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 03e8f644
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "This is an assorted set I've been queuing up:
      
        Jeff Mahoney tracked down a tricky one where we ended up starting IO
        on the wrong mapping for special files in btrfs_evict_inode.  A few
        people reported this one on the list.
      
        Filipe found (and provided a test for) a difficult bug in reading
        compressed extents, and Josef fixed up some quota record keeping with
        snapshot deletion.  Chandan killed off an accounting bug during DIO
        that lead to WARN_ONs as we freed inodes"
      
      * 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: keep dropped roots in cache until transaction commit
        Btrfs: Direct I/O: Fix space accounting
        btrfs: skip waiting on ordered range for special files
        Btrfs: fix read corruption of compressed and shared extents
        Btrfs: remove unnecessary locking of cleaner_mutex to avoid deadlock
        Btrfs: don't initialize a space info as full to prevent ENOSPC
      03e8f644
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.3-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 101688f5
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable patches:
         - fix v4.2 SEEK on files over 2 gigs
         - Fix a layout segment reference leak when pNFS I/O falls back to inband I/O.
         - Fix recovery of recalled read delegations
      
        Bugfixes:
         - Fix a case where NFSv4 fails to send CLOSE after a server reboot
         - Fix sunrpc to wait for connections to complete before retrying
         - Fix sunrpc races between transport connect/disconnect and shutdown
         - Fix an infinite loop when layoutget fail with BAD_STATEID
         - nfs/filelayout: Fix NULL reference caused by double freeing of fh_array
         - Fix a bogus WARN_ON_ONCE() in O_DIRECT when layout commit_through_mds is set
         - Fix layoutreturn/close ordering issues"
      
      * tag 'nfs-for-4.3-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFS41: make close wait for layoutreturn
        NFS: Skip checking ds_cinfo.buckets when lseg's commit_through_mds is set
        NFSv4.x/pnfs: Don't try to recover stateids twice in layoutget
        NFSv4: Recovery of recalled read delegations is broken
        NFS: Fix an infinite loop when layoutget fail with BAD_STATEID
        NFS: Do cleanup before resetting pageio read/write to mds
        SUNRPC: xs_sock_mark_closed() does not need to trigger socket autoclose
        SUNRPC: Lock the transport layer on shutdown
        nfs/filelayout: Fix NULL reference caused by double freeing of fh_array
        SUNRPC: Ensure that we wait for connections to complete before retrying
        SUNRPC: drop null test before destroy functions
        nfs: fix v4.2 SEEK on files over 2 gigs
        SUNRPC: Fix races between socket connection and destroy code
        nfs: fix pg_test page count calculation
        Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount
      101688f5
    • Linus Torvalds's avatar
      Merge tag 'sound-4.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ddff42e5
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This ended up with a larger set of fixes than wished, unfortunately.
      
        As diffstat shows, the majority of changes are for various ASoC
        drivers (Realtek, Wolfson codec drivers, etc), in addition to a couple
        of HD-audio regression fixes.  All these are reasonably small and
        nothing to scare much"
      
      * tag 'sound-4.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (29 commits)
        ALSA: hda - Disable power_save_node for Thinkpads
        ALSA: hda/tegra - async probe for avoiding module loading deadlock
        ASoC: rt5645: Prevent the pop sound in case of playback and the jack is plugging
        ASoC: rt5645: Increase the delay time to remove the pop sound
        ASoC: rt5645: Use the type SOC_DAPM_SINGLE_AUTODISABLE to prevent the weird sound in runtime of power up
        ASoC: pxa: pxa2xx-ac97: fix dma requestor lines
        MAINTAINERS: Update website and git repo for Wolfson Microelectronics
        ASoC: fsl_ssi: Fix checking of dai format for AC97 mode
        ASoC: wm0010: fix error path
        ASoC: wm0010: fix memory leak
        ASoC: wm8960: correct the max register value of mic boost pga
        ASoC: wm8962: remove 64k sample rate support
        ASoC: davinci-mcasp: Fix devm_kasprintf format string
        ASoC: fix broken pxa SoC support
        ASoC: davinci-mcasp: Set .symmetric_rates = 1 in snd_soc_dai_driver
        ASoC: au1x: psc-i2s: Fix unused variable 'ret' warning
        ASoC: SPEAr: Make SND_SPEAR_SOC select SND_SOC_GENERIC_DMAENGINE_PCM
        ASoC: mediatek: Increase periods_min in capture
        ASoC: davinci-mcasp: Revise the FIFO threshold calculation
        ASoC: wm8960: correct gain value for input PGA and add microphone PGA
        ...
      ddff42e5
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 966966a6
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
       "These are fixes for things we merged for v4.3 (VPD, MSI, and bridge
        window management), and a new Renesas R8A7794 SoC device ID.
      
        Details:
      
        Resource management:
         - Revert pci_read_bridge_bases() unification (Bjorn Helgaas)
         - Clear IORESOURCE_UNSET when clipping a bridge window (Bjorn
           Helgaas)
      
        MSI:
         - Fix MSI IRQ domains for VFs on virtual buses (Alex Williamson)
      
        Renesas R-Car host bridge driver:
         - Add R8A7794 support (Sergei Shtylyov)
      
        Miscellaneous:
         - Fix devfn for VPD access through function 0 (Alex Williamson)
         - Use function 0 VPD only for identical functions (Alex Williamson)"
      
      * tag 'pci-v4.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: rcar: Add R8A7794 support
        PCI: Use function 0 VPD for identical functions, regular VPD for others
        PCI: Fix devfn for VPD access through function 0
        PCI/MSI: Fix MSI IRQ domains for VFs on virtual buses
        PCI: Clear IORESOURCE_UNSET when clipping a bridge window
        PCI: Revert "PCI: Call pci_read_bridge_bases() from core instead of arch code"
      966966a6
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · b6d980f4
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "AMD fixes for bugs introduced in the 4.2 merge window, and a few PPC
        bug fixes too"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: disable halt_poll_ns as default for s390x
        KVM: x86: fix off-by-one in reserved bits check
        KVM: x86: use correct page table format to check nested page table reserved bits
        KVM: svm: do not call kvm_set_cr0 from init_vmcb
        KVM: x86: trap AMD MSRs for the TSeg base and mask
        KVM: PPC: Book3S: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store()
        KVM: PPC: Book3S HV: Pass the correct trap argument to kvmhv_commence_exit
        KVM: PPC: Book3S HV: Fix handling of interrupted VCPUs
        kvm: svm: reset mmu on VCPU reset
      b6d980f4
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 57cb635c
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       - Wire up sys_membarrier()
       - cxl: Fix lockdep warning while creating afu_err_buff from Vaibhav
      
      * tag 'powerpc-4.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        cxl: Fix lockdep warning while creating afu_err_buff attribute
        powerpc: Wire up sys_membarrier()
      57cb635c
    • David Hildenbrand's avatar
      KVM: disable halt_poll_ns as default for s390x · 920552b2
      David Hildenbrand authored
      We observed some performance degradation on s390x with dynamic
      halt polling. Until we can provide a proper fix, let's enable
      halt_poll_ns as default only for supported architectures.
      
      Architectures are now free to set their own halt_poll_ns
      default value.
      Signed-off-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      920552b2