MHI will autostart the channel after the probe returns. This removes
the race where packets can be received while the probe is running.
Change-Id: I057621f283e71b1901d4b2d6a299964f0345a384
Signed-off-by: Chris Lew <clew@codeaurora.org>
Using the udp_v4_check() function to calculate the pseudo header
for the newly segmented UDP packets results in assigning the complement
of the value to the UDP header checksum field.
Always undo the complement the partial checksum value in order to
match the case where GSO is not used on the UDP transmit path.
Change-Id: Iba9e8f1e7a2a134bcac02b8f366755e6b2e03fb5
Fixes: ee80d1ebe5ba ("udp: add udp gso")
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: 6c035ba7e73aba4536a1112f9a0901ab40aab460
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Virtual devices such as tunnels and bonding can handle large packets.
Only segment packets when reaching a physical or loopback device.
Change-Id: I70a98ff455780a45ce3baea7b97e823716509802
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: 83aa025f535f76733e334e3d2a4d8577c8441a7e
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Allow specifying segment size in the send call.
The new control message performs the same function as socket option
UDP_SEGMENT while avoiding the extra system call.
Change-Id: I335dfba959d264ee181f6bc8da29cebb7685e7e1
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: 2e8de8576343ab540856082916bfb84d17288b08
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
When sending large datagrams that are later segmented, store data in
page frags to avoid copying from linear in skb_segment.
Change-Id: Iac57a69872655bc4f375260ddb2c9f0f06153cf4
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: 15e36f5b8e982debe43e425d2e12d34e022d51e9
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
skb_segment by default transfers allocated wmem from the gso skb
to the tail of the segment list. This underreports real truesize
of the list, especially if the tail might be dropped.
Similar to tcp_gso_segment, update wmem_alloc with the aggregate
list truesize and make each segment responsible for its own
share by setting skb->destructor.
Clear gso_skb->destructor prior to calling skb_segment to skip
the default assignment to tail.
Change-Id: I8f36b6d134f35fa9e4cbb012fcc9a3efcc91ba55
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: ad405857b174ed31a97982bb129c320d03321cf5
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Support generic segmentation offload for udp datagrams. Callers can
concatenate and send at once the payload of multiple datagrams with
the same destination.
To set segment size, the caller sets socket option UDP_SEGMENT to the
length of each discrete payload. This value must be smaller than or
equal to the relevant MTU.
A follow-up patch adds cmsg UDP_SEGMENT to specify segment size on a
per send call basis.
Total byte length may then exceed MTU. If not an exact multiple of
segment size, the last segment will be shorter.
The implementation adds a gso_size field to the udp socket, ip(v6)
cmsg cookie and inet_cork structure to be able to set the value at
setsockopt or cmsg time and to work with both lockless and corked
paths.
Initial benchmark numbers show UDP GSO about as expensive as TCP GSO.
tcp tso
3197 MB/s 54232 msg/s 54232 calls/s
6,457,754,262 cycles
tcp gso
1765 MB/s 29939 msg/s 29939 calls/s
11,203,021,806 cycles
tcp without tso/gso *
739 MB/s 12548 msg/s 12548 calls/s
11,205,483,630 cycles
udp
876 MB/s 14873 msg/s 624666 calls/s
11,205,777,429 cycles
udp gso
2139 MB/s 36282 msg/s 36282 calls/s
11,204,374,561 cycles
[*] after reverting commit 0a6b2a1dc2a2
("tcp: switch to GSO being always on")
Measured total system cycles ('-a') for one core while pinning both
the network receive path and benchmark process to that core:
perf stat -a -C 12 -e cycles \
./udpgso_bench_tx -C 12 -4 -D "$DST" -l 4
Note the reduction in calls/s with GSO. Bytes per syscall drops
increases from 1470 to 61818.
Change-Id: I0a51351c8ccb5d77eb5cdedbb9ee9e49d34832cb
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: bec1f6f697362c5bc635dacd7ac8499d0a10a4e7
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Implement generic segmentation offload support for udp datagrams. A
follow-up patch adds support to the protocol stack to generate such
packets.
UDP GSO is not UFO. UFO fragments a single large datagram. GSO splits
a large payload into a number of discrete UDP datagrams.
The implementation adds a GSO type SKB_UDP_GSO_L4 to differentiate it
from UFO (SKB_UDP_GSO).
IPPROTO_UDPLITE is excluded, as that protocol has no gso handler
registered.
Change-Id: Iff5e2f40ba816b4ee6675fa5a8f47d78c2ba91cb
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: ee80d1ebe5ba7f4bd74959c873119175a4fc08d3
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
UDP segmentation offload needs access to inet_cork in the udp layer.
Pass the struct to ip(6)_make_skb instead of allocating it on the
stack in that function itself.
This patch is a noop otherwise.
Change-Id: I75917a4f2f27aa26133d466663913fec4ae48470
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: 1cd7884dfd78df6284d27b008823b0b4a808f196
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Messages should only be broadcasted on nodes that have finished the
HELLO packet handshake. Ensure that the HELLO packet has been received
before broadcasting a control message to that node.
Change-Id: Id2f26c088a1a41a391c936cde9fb251c0b0c2144
Signed-off-by: Chris Lew <clew@codeaurora.org>
Remote IPC Router drivers expect the received packet to be aligned.
This case is only exposed using the MHI transport because it does not
ensure the packet will be received as one chunk like RPMSG GLINK.
Change-Id: I0e5c27e3c5896e6721c8bbbfcda29551f0968626
Signed-off-by: Chris Lew <clew@codeaurora.org>
Android restrictions prevent the usage of NET_ADMIN so QRTR can not
be correctly configured to node id 1 on Android targets. Init the
local nid to 1 so it does not need to be configured by the ns.
Change-Id: I679626c7b96aa7a074c69cc4fdc806a5dbde4639
Signed-off-by: Chris Lew <clew@codeaurora.org>
* remotes/origin/tmp-c50e5cb:
Linux 4.14.39
powerpc/eeh: Fix race with driver un/bind
arm/arm64: KVM: Add PSCI version selection API
tick/sched: Do not mess with an enqueued hrtimer
x86/microcode: Do not exit early from __reload_late()
x86/microcode/intel: Save microcode patch unconditionally
x86/smpboot: Don't use mwait_play_dead() on AMD systems
x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds
tools/lib/subcmd/pager.c: do not alias select() params
objtool, perf: Fix GCC 8 -Wrestrict error
drm/i915: Enable display WA#1183 from its correct spot
drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt
earlycon: Use a pointer table to fix __earlycon_table stride
fpga-manager: altera-ps-spi: preserve nCONFIG state
libceph: validate con->state at the top of try_write()
libceph: reschedule a tick in finish_hunting()
libceph: un-backoff on tick when we have a authenticated session
ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
crypto: drbg - set freed buffers to NULL
powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range
powerpc/mm: Flush cache on memory hot(un)plug
KVM: arm/arm64: Close VMID generation race
ARM: socfpga_defconfig: Remove QSPI Sector 4K size force
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
ARM: amba: Fix race condition with driver_override
ARM: amba: Make driver_override output consistent with other buses
PCI: aardvark: Fix PCIe Max Read Request Size setting
PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode
PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
ANDROID: binder: prevent transactions into own process.
vfio: ccw: process ssch with interrupts disabled
bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
scsi: sd: Defer spinning up drive while SANITIZE is in progress
kobject: don't use WARN for registration failures
mtd: rawnand: tango: Fix struct clk memory leak
mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
ALSA: hda/realtek - change the location for one of two front mics
ALSA: hda/realtek - Update ALC255 depop optimize
ALSA: hda/realtek - Add some fixes for ALC233
ALSA: hda: Hardening for potential Spectre v1
ALSA: seq: oss: Hardening for potential Spectre v1
ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
ALSA: control: Hardening for potential Spectre v1
ALSA: rme9652: Hardening for potential Spectre v1
ALSA: hdspm: Hardening for potential Spectre v1
ALSA: asihpi: Hardening for potential Spectre v1
ALSA: opl3: Hardening for potential Spectre v1
ALSA: hda - Skip jack and others for non-existing PCM streams
ALSA: dice: fix error path to destroy initialized stream data
ALSA: dice: fix OUI for TC group
tty: Use __GFP_NOFAIL for tty_ldisc_get()
tty: Avoid possible error pointer dereference at tty_ldisc_restore().
tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
tty: Don't call panic() at tty_ldisc_init()
drm/virtio: fix vq wait_event condition
virtio_console: reset on out of memory
virtio_console: move removal code
virtio_console: drop custom control queue cleanup
virtio_console: free buffers after reset
virtio_console: don't tie bufs to a vq
virtio: add ability to iterate over vqs
ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
USB: Increment wakeup count on remote wakeup.
usb: core: Add quirk for HP v222w 16GB Mini
usb: typec: ucsi: Increase command completion timeout value
USB: serial: cp210x: add ID for NI USB serial console
USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
USB: serial: simple: add libtransistor console
xhci: Fix USB ports for Dell Inspiron 5775
Revert "xhci: plat: Register shutdown for xhci_plat"
usbip: vhci_hcd: check rhport before using in vhci_hub_control()
usbip: vhci_hcd: Fix usb device and sockfd leaks
usbip: usbip_host: fix to hold parent lock for device_attach() calls
usbip: usbip_event: fix to not print kernel pointer address
random: rate limit unseeded randomness warnings
random: fix possible sleeping allocation from irq context
random: set up the NUMA crng instances after the CRNG is fully initialized
ext4: fix bitmap position validation
ext4: add validity checks for bitmap block numbers
ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
ext4: set h_journal if there is a failure starting a reserved handle
ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
cfi: print target address on failure
Change-Id: I9a3d0c10b1a2d2c28872401cb656d490604352a7
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
The node list only respresents the adjacent nodes in the system. Rename
the list to qrtr_all_epts to better describe the list contents.
Change-Id: I168ca597d5b9b30d6c064c2a56b6e8b2dffa387b
Signed-off-by: Chris Lew <clew@codeaurora.org>
An ept can be associated with multiple node ids in network. The node
tree should keep track of how to send to a specific node id where as
the node list should keep track of all the adjacent nodes in the
network. Use the node list to broadcast control messages to adjacent
nodes.
Change-Id: If0f4828da149b6e590525518a8410f497f5e3894
Signed-off-by: Chris Lew <clew@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlroxuQACgkQONu9yGCS
aT5H3BAAq+AfTWGEbNgjlDMh0nNSzNG4QyitI79Y6fsJrXCy669X/+b0V7s7+RoL
R+UBw1REIG7cnDBOgNNYoyoC7UGGstBxD7X4TnnWZsGpYeilCdqETUfRT1UBIXMM
ZVnLgUcje/smCUIkJbmPzGQb6j+fRbanyynkeQ4PyXd5rHd7ncKyyYjXVE38dUm3
HiczG+F3KD6tkHcaA5PFt1Afw0EQACUYapIZIQgd7XISbskHSH9TMohrA+cTREpH
HSPw64KbTR0SuhfJiUJILTbsUNe9EHD7iEvT/wjwmD+pEgMrWxVfdFquaHX/HIBZ
Ex1brCNCvw8PCzMxhpLfkBxhc/I1swktO6/B87tWaeQtRLEaybuchaCsUuppfcPP
tCokNu2IDmLuhIEVl/kyD+GwQ3Xs95I5+o9wytpCYdS4NplX2AWsvQb00v2ZXuo6
VDa0x4aPUyLIGPITSYi2lmS10mrvCkzuvd0seuaPbM87Q2+5Mq1RxmQCvFzTgfGZ
Y+jKS3nomgP5b/QzhKM5O9y3DBMMyDx6zjwzPmhnR4mM2b1aBguk2Q1YbqXgwPJk
7GIUFeb+xD6pdWtK4lZc7Apxc2CUE7lTC0gn90EWwS5+vu+cljt4uvMmsuYLRVaw
/0+zLv+jMxkvEoI2Y0i+FuuJ2k46q8YFy1Lga0+xeVWdd1D84GI=
=0Lwm
-----END PGP SIGNATURE-----
Merge 4.14.39 into android-4.14
Changes in 4.14.39
ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
ext4: set h_journal if there is a failure starting a reserved handle
ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
ext4: add validity checks for bitmap block numbers
ext4: fix bitmap position validation
random: set up the NUMA crng instances after the CRNG is fully initialized
random: fix possible sleeping allocation from irq context
random: rate limit unseeded randomness warnings
usbip: usbip_event: fix to not print kernel pointer address
usbip: usbip_host: fix to hold parent lock for device_attach() calls
usbip: vhci_hcd: Fix usb device and sockfd leaks
usbip: vhci_hcd: check rhport before using in vhci_hub_control()
Revert "xhci: plat: Register shutdown for xhci_plat"
xhci: Fix USB ports for Dell Inspiron 5775
USB: serial: simple: add libtransistor console
USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
USB: serial: cp210x: add ID for NI USB serial console
usb: typec: ucsi: Increase command completion timeout value
usb: core: Add quirk for HP v222w 16GB Mini
USB: Increment wakeup count on remote wakeup.
ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
virtio: add ability to iterate over vqs
virtio_console: don't tie bufs to a vq
virtio_console: free buffers after reset
virtio_console: drop custom control queue cleanup
virtio_console: move removal code
virtio_console: reset on out of memory
drm/virtio: fix vq wait_event condition
tty: Don't call panic() at tty_ldisc_init()
tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
tty: Avoid possible error pointer dereference at tty_ldisc_restore().
tty: Use __GFP_NOFAIL for tty_ldisc_get()
ALSA: dice: fix OUI for TC group
ALSA: dice: fix error path to destroy initialized stream data
ALSA: hda - Skip jack and others for non-existing PCM streams
ALSA: opl3: Hardening for potential Spectre v1
ALSA: asihpi: Hardening for potential Spectre v1
ALSA: hdspm: Hardening for potential Spectre v1
ALSA: rme9652: Hardening for potential Spectre v1
ALSA: control: Hardening for potential Spectre v1
ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
ALSA: seq: oss: Hardening for potential Spectre v1
ALSA: hda: Hardening for potential Spectre v1
ALSA: hda/realtek - Add some fixes for ALC233
ALSA: hda/realtek - Update ALC255 depop optimize
ALSA: hda/realtek - change the location for one of two front mics
mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
mtd: rawnand: tango: Fix struct clk memory leak
kobject: don't use WARN for registration failures
scsi: sd: Defer spinning up drive while SANITIZE is in progress
bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
vfio: ccw: process ssch with interrupts disabled
ANDROID: binder: prevent transactions into own process.
PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode
PCI: aardvark: Fix PCIe Max Read Request Size setting
ARM: amba: Make driver_override output consistent with other buses
ARM: amba: Fix race condition with driver_override
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
ARM: socfpga_defconfig: Remove QSPI Sector 4K size force
KVM: arm/arm64: Close VMID generation race
powerpc/mm: Flush cache on memory hot(un)plug
powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range
crypto: drbg - set freed buffers to NULL
ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
libceph: un-backoff on tick when we have a authenticated session
libceph: reschedule a tick in finish_hunting()
libceph: validate con->state at the top of try_write()
fpga-manager: altera-ps-spi: preserve nCONFIG state
earlycon: Use a pointer table to fix __earlycon_table stride
cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt
rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
drm/i915: Enable display WA#1183 from its correct spot
objtool, perf: Fix GCC 8 -Wrestrict error
tools/lib/subcmd/pager.c: do not alias select() params
x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds
x86/smpboot: Don't use mwait_play_dead() on AMD systems
x86/microcode/intel: Save microcode patch unconditionally
x86/microcode: Do not exit early from __reload_late()
tick/sched: Do not mess with an enqueued hrtimer
arm/arm64: KVM: Add PSCI version selection API
powerpc/eeh: Fix race with driver un/bind
Linux 4.14.39
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 upstream.
ceph_con_workfn() validates con->state before calling try_read() and
then try_write(). However, try_read() temporarily releases con->mutex,
notably in process_message() and ceph_con_in_msg_alloc(), opening the
window for ceph_con_close() to sneak in, close the connection and
release con->sock. When try_write() is called on the assumption that
con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock
gets passed to the networking stack:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: selinux_socket_sendmsg+0x5/0x20
Make sure con->state is valid at the top of try_write() and add an
explicit BUG_ON for this, similar to try_read().
Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/23706
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7b4c443d139f1d2b5570da475f7a9cbcef86740c upstream.
If we go without an established session for a while, backoff delay will
climb to 30 seconds. The keepalive timeout is also 30 seconds, so it's
pretty easily hit after a prolonged hunting for a monitor: we don't get
a chance to send out a keepalive in time, which means we never get back
a keepalive ack in time, cutting an established session and attempting
to connect to a different monitor every 30 seconds:
[Sun Apr 1 23:37:05 2018] libceph: mon0 10.80.20.99:6789 session established
[Sun Apr 1 23:37:36 2018] libceph: mon0 10.80.20.99:6789 session lost, hunting for new mon
[Sun Apr 1 23:37:36 2018] libceph: mon2 10.80.20.103:6789 session established
[Sun Apr 1 23:38:07 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
[Sun Apr 1 23:38:07 2018] libceph: mon1 10.80.20.100:6789 session established
[Sun Apr 1 23:38:37 2018] libceph: mon1 10.80.20.100:6789 session lost, hunting for new mon
[Sun Apr 1 23:38:37 2018] libceph: mon2 10.80.20.103:6789 session established
[Sun Apr 1 23:39:08 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
The regular keepalive interval is 10 seconds. After ->hunting is
cleared in finish_hunting(), call __schedule_delayed() to ensure we
send out a keepalive after 10 seconds.
Cc: stable@vger.kernel.org # 4.7+
Link: http://tracker.ceph.com/issues/23537
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit facb9f6eba3df4e8027301cc0e514dc582a1b366 upstream.
This means that if we do some backoff, then authenticate, and are
healthy for an extended period of time, a subsequent failure won't
leave us starting our hunting sequence with a large backoff.
Mirrors ceph.git commit d466bc6e66abba9b464b0b69687cf45c9dccf383.
Cc: stable@vger.kernel.org # 4.7+
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* remotes/origin/tmp-3f8d191:
Linux 4.14.38
ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
s390/uprobes: implement arch_uretprobe_is_alive()
s390/dasd: fix IO error for newly defined devices
s390/cio: update chpid descriptor after resource accessibility event
tracing: Fix missing tab for hwlat_detector print format
block/swim: Fix IO error at end of medium
block/swim: Fix array bounds check
block/swim: Select appropriate drive on device open
block/swim: Rename macros to avoid inconsistent inverted logic
block/swim: Remove extra put_disk() call from error path
block/swim: Don't log an error message for an invalid ioctl
block/swim: Check drive type
m68k/mac: Don't remap SWIM MMIO region
fsnotify: Fix fsnotify_mark_connector race
cdrom: information leak in cdrom_ioctl_media_changed()
scsi: mptsas: Disable WRITE SAME
commoncap: Handle memory allocation failure.
Revert "mm/hmm: fix header file if/else/endif maze"
arm64: dts: rockchip: remove vdd_log from rk3399-puma
microblaze: Setup dependencies for ASM optimized lib functions
s390: correct module section names for expoline code revert
s390: correct nospec auto detection init order
s390: add sysfs attributes for spectre
s390: report spectre mitigation via syslog
s390: add automatic detection of the spectre defense
s390: move nobp parameter functions to nospec-branch.c
s390/entry.S: fix spurious zeroing of r0
s390: do not bypass BPENTER for interrupt system calls
s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
KVM: s390: force bp isolation for VSIE
s390: introduce execute-trampolines for branches
s390: run user space and KVM guests with modified branch prediction
s390: add options to change branch prediction behaviour for the kernel
s390/alternative: use a copy of the facility bit mask
s390: add optimized array_index_mask_nospec
s390: scrub registers on kernel entry and KVM exit
KVM: s390: wire up bpb feature
s390: enable CPU alternatives unconditionally
s390: introduce CPU alternatives
virtio_net: fix adding vids on big-endian
virtio_net: split out ctrl buffer
net: ethernet: ti: cpsw: fix tx vlan priority mapping
llc: fix NULL pointer deref for SOCK_ZAPPED
llc: hold llc_sap before release_sock()
net: sched: ife: check on metadata length
net: sched: ife: handle malformed tlv length
tcp: clear tp->packets_out when purging write queue
net: sched: ife: signal not finding metaid
strparser: Fix incorrect strp->need_bytes value.
amd-xgbe: Only use the SFP supported transceiver signals
strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
amd-xgbe: Improve KR auto-negotiation and training
sctp: do not check port in sctp_inet6_cmp_addr
amd-xgbe: Add pre/post auto-negotiation phy hooks
vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
pppoe: check sockaddr length in pppoe_connect()
tipc: add policy for TIPC_NLA_NET_ADDR
packet: fix bitfield update race
team: fix netconsole setup over team
net/smc: fix shutdown in state SMC_LISTEN
team: avoid adding twice the same option to the event list
net: fix deadlock while clearing neighbor proxy table
tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
net: af_packet: fix race in PACKET_{R|T}X_RING
tcp: don't read out-of-bounds opsize
llc: delete timers synchronously in llc_sk_free()
net: validate attribute sizes in neigh_dump_table()
l2tp: check sockaddr length in pppol2tp_connect()
KEYS: DNS: limit the length of option strings
ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
Revert "ath10k: send (re)assoc peer command when NSS changed"
tpm: add retry logic
tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
tpm: cmd_ready command can be issued only after granting locality
i40e: Fix attach VF to VM issue
drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs
Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip"
ANDROID: staging: lustre: fix filler function type
ANDROID: fs: gfs2: fix filler function type
ANDROID: fs: exofs: fix filler function type
ANDROID: fs: afs: fix filler function type
ANDROID: fs: nfs: fix filler function type
ANDROID: fs: fuse: fix filler function type mismatch
ANDROID: mm: fix filler function type mismatch
ANDROID: media-device: fix ioctl function types
ANDROID: v4l2-ioctl: fix function types for IOCTL_INFO_STD
ANDROID: arch/arm64/crypto: fix CFI in SHA CE
ANDROID: arm64: kvm: disable CFI
ANDROID: arm64: mark kpti_install_ng_mappings as __nocfi
ANDROID: arm64: disable CFI for cpu_replace_ttbr1
ANDROID: kallsyms: strip the .cfi postfix from symbols with CONFIG_CFI_CLANG
ANDROID: add support for clang Control Flow Integrity (CFI)
ANDROID: HACK: init: ensure initcall ordering with LTO
ANDROID: drivers/misc: disable LTO for lkdtm_rodata.o
ANDROID: arm64: vdso: disable LTO
FROMLIST: arm64: select ARCH_SUPPORTS_LTO_CLANG
FROMLIST: arm64: disable RANDOMIZE_MODULE_REGION_FULL with LTO_CLANG
ANDROID: arm64: disable ARM64_ERRATUM_843419 for clang LTO
ANDROID: arm64: pass code model to LLVMgold
FROMLIST: arm64: make mrs_s and msr_s macros work with LTO
FROMLIST: efi/libstub: disable LTO
FROMLIST: scripts/mod: disable LTO for empty.c
FROMLIST: kbuild: fix dynamic ftrace with clang LTO
FROMLIST: kbuild: add support for clang LTO
FROMLIST: arm64: fix -m for GNU gold
FROMLIST: arm64: add a workaround for GNU gold with ARM64_MODULE_PLTS
FROMLIST: arm64: explicitly pass --no-fix-cortex-a53-843419 to GNU gold
FROMLIST: kbuild: add __ld-ifversion and linker-specific macros
FROMLIST: kbuild: add ld-name macro
FROMLIST: arm64: keep .altinstructions and .altinstr_replacement
ANDROID: arm64: fix LD_DEAD_CODE_DATA_ELIMINATION
FROMLIST: kbuild: fix LD_DEAD_CODE_DATA_ELIMINATION
FROMLIST: kbuild: add __cc-ifversion and compiler-specific variants
UPSTREAM: console: Drop added "static" for newport_con
UPSTREAM: tracing: always define trace_{irq,preempt}_{enable_disable}
Conflicts:
Makefile
Change-Id: Ied1a215e68f428eff9c1911491a4e364ffd1f679
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlrlkV4ACgkQONu9yGCS
aT4+4RAAvG+qVTliLyVoSNznoj5vTjhZ4ew60N5yPOsll+g/lDIU91NGG6eXT1aS
HYcOjxrMzby3ubXwUrShBR8syzarAM9Q1WJgCfA7UmwGVr+kVa7Uv8LZ4SXtykZM
6L+hj4/BHeETH1OAkIkjADN3/as5gd1cbxmFuNnzoGCGVmpVdze757XDeh1KrkQN
xdiRnrhCAvy5FeBlPY8/vVuPzRnTAKi5UWH0mDKWh3v1ba31I3BSVIuXz81HnNPB
Yb3g/DRLAQeE7I54m4OjB9bWSM8Ei7SaARsHk/g1Bigs4QWEFOECPCEgfTNnBeu7
RYk9uYPznoqXb6YIUH2sq0lbem+Lj4Nku1YpkCBT9EUMHSmtbTXEQAzXNanNcag3
g5zBAP7+fVtK3K28uyQtwv+/jTBrwP6uWnZK1sAoOgrngOlBYe+/A9/1o+MKUE4K
ljIWh68AuFfLTWZtJtRMZq4g8J5GmhL3M5TarpakSKfMlHfTEY5bW4n+05ta87Cq
qgLLWnzZEzwTiiHxYp06hr0kpuzQ798LWP573Iz+6JkZYoSgvFXK0JnVwpDN1H+K
xv220wFi2vd0Y4HwaUcy9PdDOG8ROp8YoVWzpskLNyEVv1jPVc4jiOvwEiaJHFFO
KHHooLJjBEZxTrS0ok+coQqufao6kBsnlJzAJ3gQsKBnyGRg7H4=
=8nAH
-----END PGP SIGNATURE-----
Merge 4.14.38 into android-4.14
Changes in 4.14.38
Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip"
drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs
i40e: Fix attach VF to VM issue
tpm: cmd_ready command can be issued only after granting locality
tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
tpm: add retry logic
Revert "ath10k: send (re)assoc peer command when NSS changed"
bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
KEYS: DNS: limit the length of option strings
l2tp: check sockaddr length in pppol2tp_connect()
net: validate attribute sizes in neigh_dump_table()
llc: delete timers synchronously in llc_sk_free()
tcp: don't read out-of-bounds opsize
net: af_packet: fix race in PACKET_{R|T}X_RING
tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
net: fix deadlock while clearing neighbor proxy table
team: avoid adding twice the same option to the event list
net/smc: fix shutdown in state SMC_LISTEN
team: fix netconsole setup over team
packet: fix bitfield update race
tipc: add policy for TIPC_NLA_NET_ADDR
pppoe: check sockaddr length in pppoe_connect()
vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
amd-xgbe: Add pre/post auto-negotiation phy hooks
sctp: do not check port in sctp_inet6_cmp_addr
amd-xgbe: Improve KR auto-negotiation and training
strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
amd-xgbe: Only use the SFP supported transceiver signals
strparser: Fix incorrect strp->need_bytes value.
net: sched: ife: signal not finding metaid
tcp: clear tp->packets_out when purging write queue
net: sched: ife: handle malformed tlv length
net: sched: ife: check on metadata length
llc: hold llc_sap before release_sock()
llc: fix NULL pointer deref for SOCK_ZAPPED
net: ethernet: ti: cpsw: fix tx vlan priority mapping
virtio_net: split out ctrl buffer
virtio_net: fix adding vids on big-endian
s390: introduce CPU alternatives
s390: enable CPU alternatives unconditionally
KVM: s390: wire up bpb feature
s390: scrub registers on kernel entry and KVM exit
s390: add optimized array_index_mask_nospec
s390/alternative: use a copy of the facility bit mask
s390: add options to change branch prediction behaviour for the kernel
s390: run user space and KVM guests with modified branch prediction
s390: introduce execute-trampolines for branches
KVM: s390: force bp isolation for VSIE
s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
s390: do not bypass BPENTER for interrupt system calls
s390/entry.S: fix spurious zeroing of r0
s390: move nobp parameter functions to nospec-branch.c
s390: add automatic detection of the spectre defense
s390: report spectre mitigation via syslog
s390: add sysfs attributes for spectre
s390: correct nospec auto detection init order
s390: correct module section names for expoline code revert
microblaze: Setup dependencies for ASM optimized lib functions
arm64: dts: rockchip: remove vdd_log from rk3399-puma
Revert "mm/hmm: fix header file if/else/endif maze"
commoncap: Handle memory allocation failure.
scsi: mptsas: Disable WRITE SAME
cdrom: information leak in cdrom_ioctl_media_changed()
fsnotify: Fix fsnotify_mark_connector race
m68k/mac: Don't remap SWIM MMIO region
block/swim: Check drive type
block/swim: Don't log an error message for an invalid ioctl
block/swim: Remove extra put_disk() call from error path
block/swim: Rename macros to avoid inconsistent inverted logic
block/swim: Select appropriate drive on device open
block/swim: Fix array bounds check
block/swim: Fix IO error at end of medium
tracing: Fix missing tab for hwlat_detector print format
s390/cio: update chpid descriptor after resource accessibility event
s390/dasd: fix IO error for newly defined devices
s390/uprobes: implement arch_uretprobe_is_alive()
ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
Linux 4.14.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
For SOCK_ZAPPED socket, we don't need to care about llc->sap,
so we should just skip these refcount functions in this case.
Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
syzbot reported we still access llc->sap in llc_backlog_rcv()
after it is freed in llc_sap_remove_socket():
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
llc_conn_service net/llc/llc_conn.c:400 [inline]
llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
llc->sap is refcount'ed and llc_sap_remove_socket() is paired
with llc_sap_add_socket(). This can be amended by holding its refcount
before llc_sap_remove_socket() and releasing it after release_sock().
Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit d57493d6d1be26c8ac8516a4463bfe24956978eb ]
This patch checks if sk buffer is available to dererence ife header. If
not then NULL will returned to signal an malformed ife packet. This
avoids to crashing the kernel from outside.
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ]
There is currently no handling to check on a invalid tlv length. This
patch adds such handling to avoid killing the kernel with a malformed
ife packet.
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ]
We need to record stats for received metadata that we dont know how
to process. Have find_decode_metaid() return -ENOENT to capture this.
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ]
strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates
that the remainder of the message has been received. However,
do_strp_work does not reset strp->need_bytes to 0. If do_strp_work
completes a partial message, the value of strp->need_bytes will continue
to reflect the needed bytes of the previous message, causing
future invocations of strp_data_ready to return early if
strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes
to 0 in __strp_recv on handing a full message to the upper layer solves
this problem.
__strp_recv also calculates strp->need_bytes using stm->accum_len before
stm->accum_len has been incremented by cand_len. This can cause
strp->need_bytes to be equal to the full length of the message instead
of the full length minus the accumulated length. This, in turn, causes
strp_data_ready to return early, even when there is sufficient data to
complete the partial message. Incrementing stm->accum_len before using
it to calculate strp->need_bytes solves this problem.
Found while testing net/tls_sw recv path.
Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 7c5aba211dd61f41d737a2c51729eb9fdcd3edf4 ]
struct sock's sk_rcvtimeo is initialized to
LONG_MAX/MAX_SCHEDULE_TIMEOUT in sock_init_data. Calling
mod_delayed_work with a timeout of LONG_MAX causes spurious execution of
the work function. timer->expires is set equal to jiffies + LONG_MAX.
When timer_base->clk falls behind the current value of jiffies,
the delta between timer_base->clk and jiffies + LONG_MAX causes the
expiration to be in the past. Returning early from strp_start_timer if
timeo == LONG_MAX solves this problem.
Found while testing net/tls_sw recv path.
Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
Reviewed-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ]
pf->cmp_addr() is called before binding a v6 address to the sock. It
should not check ports, like in sctp_inet_cmp_addr.
But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr,
sctp_v6_cmp_addr where it also compares the ports.
This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind
multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp:
lack the check for ports in sctp_v6_cmp_addr").
This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr,
but do the proper check for both v6 addrs and v4mapped addrs.
v1->v2:
- define __sctp_v6_cmp_addr to do the common address comparison
used for both pf and af v6 cmp_addr.
Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ]
Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR
Fixes: 27c21416727a ("tipc: add net set to new netlink api")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]
Updates to the bitfields in struct packet_sock are not atomic.
Serialize these read-modify-write cycles.
Move po->running into a separate variable. Its writes are protected by
po->bind_lock (except for one startup case at packet_create). Also
replace a textual precondition warning with lockdep annotation.
All others are set only in packet_setsockopt. Serialize these
updates by holding the socket lock. Analogous to other field updates,
also hold the lock when testing whether a ring is active (pg_vec).
Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1255fcb2a655f05e02f3a74675a6d6525f187afd ]
Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket
crashes, because
commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
releases the internal clcsock in smc_close_active() and sets smc->clcsock
to NULL.
For SHUT_RD the smc_close_active() call is removed.
For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the
clcsock is already released.
Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ]
When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
neigh_ifdown() is called with &nd_tbl, locking this while
clearing the proxy neighbor entries when eg. deleting an
interface. Calling the table's pndisc_destructor() with the
lock still held, however, can cause a deadlock: When a
multicast listener is available an IGMP packet of type
ICMPV6_MGM_REDUCTION may be sent out. When reaching
ip6_finish_output2(), if no neighbor entry for the target
address is found, __neigh_create() is called with &nd_tbl,
which it'll want to lock.
Move the elements into their own list, then unlock the table
and perform the destruction.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]
In order to remove the race caught by syzbot [1], we need
to lock the socket before using po->tp_version as this could
change under us otherwise.
This means lock_sock() and release_sock() must be done by
packet_set_ring() callers.
[1] :
BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
SyS_setsockopt+0x76/0xa0 net/socket.c:1828
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x449099
RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
Local variable description: ----req_u@packet_setsockopt
Variable was created at:
packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
The connection timers of an llc sock could be still flying
after we delete them in llc_sk_free(), and even possibly
after we free the sock. We could just wait synchronously
here in case of troubles.
Note, I leave other call paths as they are, since they may
not have to wait, at least we can change them to synchronously
when needed.
Also, move the code to net/llc/llc_conn.c, which is apparently
a better place.
Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]
Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
it actually points to valid data.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ]
Adding a dns_resolver key whose payload contains a very long option name
resulted in that string being printed in full. This hit the WARN_ONCE()
in set_precision() during the printk(), because printk() only supports a
precision of up to 32767 bytes:
precision 1000000 too large
WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
Fix it by limiting option strings (combined name + value) to a much more
reasonable 128 bytes. The exact limit is arbitrary, but currently the
only recognized option is formatted as "dnserror=%lu" which fits well
within this limit.
Also ratelimit the printks.
Reproducer:
perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
This bug was found using syzkaller.
Reported-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
KMSAN reported use of uninit-value that I tracked to lack
of proper size check on RTA_TABLE attribute.
I also believe RTA_PREFSRC lacks a similar check.
Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
