| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Follow userspace nomenclature on this - the next commit adds
outdata_len.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
ceph_osdc_start_request() never return -EOLDSNAP
Signed-off-by: Yan, Zheng <zyan@redhat.com>
|
|
When rbytes mount option is enabled, directory size is recursive
size. Recursive size is not updated instantly. This can cause
directory size to change between successive stat(1)
Signed-off-by: Yan, Zheng <zyan@redhat.com>
|
|
Signed-off-by: Yan, Zheng <zyan@redhat.com>
|
|
This can happen if __close_session() in ceph_monc_stop() races with
a connection reset. We need to ignore such faults, otherwise it's
likely we would take !hunting, call __schedule_delayed() and end up
with delayed_work() executing on invalid memory, among other things.
The (two!) con->private tests are useless, as nothing ever clears
con->private. Nuke them.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Doing __schedule_delayed() in the hunting branch is pointless, as the
tick will have already been scheduled by then.
What we need to do instead is *reschedule* it in the !hunting branch,
after reopen_session() changes hunt_mult, which affects the delay.
This helps with spacing out connection attempts and avoiding things
like two back-to-back attempts followed by a longer period of waiting
around.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
hunting is now set in __open_session() and cleared in finish_hunting(),
instead of all around. The "session lost" message is printed not only
on connection resets, but also on keepalive timeouts.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Unless we are in the process of setting up a client (i.e. connecting to
the monitor cluster for the first time), apply a backoff: every time we
want to reopen a session, increase our timeout by a multiple (currently
2); when we complete the connection, reduce that multipler by 50%.
Mirrors ceph.git commit 794c86fd289bd62a35ed14368fa096c46736e9a2.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Split ping interval and ping timeout: ping interval is 10s; keepalive
timeout is 30s.
Make monc_ping_timeout a constant while at it - it's not actually
exported as a mount option (and the rest of tick-related settings won't
be either), so it's got no place in ceph_options.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Don't try to reconnect to the same monitor when we fail to establish
a session within a timeout or it's lost.
For that, pick_new_mon() needs to see the old value of cur_mon, so
don't clear it in __close_session() - all calls to __close_session()
but one are followed by __open_session() anyway. __open_session() is
only called when a new session needs to be established, so the "already
open?" branch, which is now in the way, is simply dropped.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
It is currently hard-coded in the mon_client that mdsmap and monmap
subs are continuous, while osdmap sub is always "onetime". To better
handle full clusters/pools in the osd_client, we need to be able to
issue continuous osdmap subs. Revamp subs code to allow us to specify
for each sub whether it should be continuous or not.
Although not strictly required for the above, switch to SUBSCRIBE2
protocol while at it, eliminating the ambiguity between a request for
"every map since X" and a request for "just the latest" when we don't
have a map yet (i.e. have epoch 0). SUBSCRIBE2 feature bit is now
required - it's been supported since pre-argonaut (2010).
Move "got mdsmap" call to the end of ceph_mdsc_handle_map() - calling
in before we validate the epoch and successfully install the new map
can mess up mon_client sub state.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Coupling hunting state with subscribe state is not a good idea. Clear
hunting when we complete the authentication handshake.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
Our debugfs dir name is a concatenation of cluster fsid and client
unique ID ("global_id"). It used to be the case that we learned
global_id first, nowadays we always learn fsid first - the monmap is
sent before any auth replies are. ceph_debugfs_client_init() call in
ceph_monc_handle_map() is therefore never executed and can be removed.
Its counterpart in handle_auth_reply() doesn't really belong there
either: having to do monc->client and unlocking early to work around
lockdep is a testament to that. Move it into __ceph_open_session(),
where it can be called unconditionally.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
|
|
bond_get_stats() can be called from rtnetlink (with RTNL held)
or from /proc/net/dev seq handler (with RCU held)
The logic added in commit 5f0c5f73e5ef ("bonding: make global bonding
stats more reliable") kind of assumed only one cpu could run there.
If multiple threads are reading /proc/net/dev, stats can be really
messed up after a while.
A second problem is that some fields are 32bit, so we need to properly
handle the wrap around problem.
Given that RTNL is not always held, we need to use
bond_for_each_slave_rcu().
Fixes: 5f0c5f73e5ef ("bonding: make global bonding stats more reliable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
When un-mapping skb->data in __bcmgenet_tx_reclaim(),
we must use the length that was used in original dma_map_single(),
instead of skb->len that might be bigger (includes the frags)
We simply can store skb_len into tx_cb_ptr->dma_len and use it
at unmap time.
Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Commit 85743f1eb345 ("net/mlx4_core: Set UAR page size to 4KB regardless
of system page size") introduced dependency where old VF drivers without
this fix fail to load if the PF driver runs with this commit.
To resolve this add a module parameter which disables that functionality
by default. If both the PF and VFs are running with a driver with that
commit the administrator may set the module param to true.
The module parameter is called enable_4k_uar.
Fixes: 85743f1eb345 ('net/mlx4_core: Set UAR page size to 4KB ...')
Signed-off-by: Eli Cohen <eli@mellanox.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Drop two extra occurrences of "on" in option title and help text.
Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
Cc: David Daney <david.daney@cavium.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Acked-by: David Daney <david.daney@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Add lan78xx_get_stats64 of ndo_get_stats64 to report
all statistics counters including errors from HW statistics.
Read from HW when auto suspend is disabled, use saved counter when
auto suspend is enabled because periodic call to ndo_get_stats64
prevents USB auto suspend.
Signed-off-by: Woojung Huh <woojung.huh@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Update to handle statistics counter rollover.
Check statistics counter periodically and compensate it when
counter value rolls over at max (20 or 32bits).
Simple mechanism adjusts monitoring timer to allow USB auto suspend.
Signed-off-by: Woojung Huh <woojung.huh@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
RDS_TCP_DEFAULT_BUFSIZE has been unused since commit 1edd6a14d24f
("RDS-TCP: Do not bloat sndbuf/rcvbuf in rds_tcp_tune").
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Add per-net sysctl tunables to set the size of sndbuf and
rcvbuf on the kernel tcp socket.
The tunables are added at /proc/sys/net/rds/tcp/rds_tcp_sndbuf
and /proc/sys/net/rds/tcp/rds_tcp_rcvbuf.
These values must be set before accept() or connect(),
and there may be an arbitrary number of existing rds-tcp
sockets when the tunable is modified. To make sure that all
connections in the netns pick up the same value for the tunable,
we reset existing rds-tcp connections in the netns, so that
they can reconnect with the new parameters.
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Convert the dma transfers to be dmaengine based, now pxa has a dmaengine
slave driver. This makes this driver a bit more PXA agnostic.
The driver was only compile tested. The risk is quite small as no
current PXA platform I'm aware of is using smc911x driver.
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Tested-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Remove unnecessary set of flag IFF_MULTICAST, since ether_setup
already does this.
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Remove unnecessary set of flag IFF_MULTICAST, since ether_setup
already does this.
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Fix a comment typo.
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There were two issues here:
1) dma_mapping_error() return true/false but we want to return -ENOMEM
2) If dmaengine_prep_slave_sg() failed then "err" wasn't set but
presumably that should be -ENOMEM as well.
I changed the success path to "return 0;" instead of "return ret;" for
clarity.
Fixes: 94fe8c683cea ('ks8842: Support DMA when accessed via timberdale')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
eBPF defines this as BPF_TUNLEN_MAX and OVS just uses the hard-coded
value inside struct sw_flow_key. Thus, add and use IP_TUNNEL_OPTS_MAX
for this, which makes the code a bit more generic and allows to remove
BPF_TUNLEN_MAX from eBPF code.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
We can just add a small helper dst_tclassid() for retrieving the
dst->tclassid value. It makes the code a bit better in that we can
get rid of the ifdef from filter.c by moving this into the header.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Currently, the tc_classid from eBPF skb context is write-only, but there's
no good reason for tc programs to limit it to write-only. For example,
it can be used to transfer its state via tail calls where the resulting
tc_classid gets filled gradually.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
MVNETA_BM has a dependency on MVNETA, so we can only select the former
if the latter is enabled. However, the code dependency is the reverse:
The mvneta module can call into the mvneta_bm module, so mvneta cannot
be a built-in if mvneta_bm is a module, or we get a link error:
drivers/net/built-in.o: In function `mvneta_remove':
drivers/net/ethernet/marvell/mvneta.c:4211: undefined reference to `mvneta_bm_pool_destroy'
drivers/net/built-in.o: In function `mvneta_bm_update_mtu':
drivers/net/ethernet/marvell/mvneta.c:1034: undefined reference to `mvneta_bm_bufs_free'
This avoids the problem by further clarifying the dependency so that
MVNETA_BM is a silent Kconfig option that gets turned on by the
new MVNETA_BM_ENABLE option. This way both the core HWBM module and
the MVNETA_BM code are always built-in when needed.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: dc35a10f68d3 ("net: mvneta: bm: add support for hardware buffer management")
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There are two issues with the current code. First one is that we need
to set res->class to 0 in case we use non-default classid matching.
This is important for the case where cls_bpf was initially set up with
an optional binding to a default class with tcf_bind_filter(), where
the underlying qdisc implements bind_tcf() that fills res->class and
tests for it later on when doing the classification. Convention for
these cases is that after tc_classify() was called, such qdiscs (atm,
drr, qfq, cbq, hfsc, htb) first test class, and if 0, then they lookup
based on classid.
Second, there's a bug with da mode, where res->classid is only assigned
a 16 bit minor, but it needs to expand to the full 32 bit major/minor
combination instead, therefore we need to expand with the bound major.
This is fine as classes belonging to a classful qdisc must share the
same major.
Fixes: 045efa82ff56 ("cls_bpf: introduce integrated actions")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Checkpatch updates for sunvnet.c and sunvnet_common.c.
Signed-off-by: Aaron Young <aaron.young@oracle.com>
Signed-off-by: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reviewed-by: Alexandre Chartre <Alexandre.Chartre@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Add ldmvsw.c driver
Details:
The ldmvsw driver very closely follows the sunvnet.c code and makes
use of the sunvnet_common.c code for core functionality.
A significant difference between sunvnet and ldmvsw driver is
sunvnet creates a network interface for each vnet-port *parent*
node in the MD while the ldmvsw driver creates a network interface
for every vsw-port node in the Machine Description (MD).
Therefore the netdev_priv() for sunvnet is a vnet structure while
the netdev_priv() for ldmvsw is a vnet_port structure.
Vnet_port structures allocated by ldmvsw have the vsw bit set.
When finding the net_device associated with a port, the common code keys
off this bit to use either the net_device found in the vnet_port or the
net_device in the vnet structure (see the VNET_PORT_TO_NET_DEVICE() macro in
sunvnet_common.h). This scheme allows the common code to work with
both drivers with minimal changes.
Similar to Xen, network interfaces created by the ldmvsw driver will always
have a HW Addr (i.e. mac address) of FE:FF:FF:FF:FF:FF and each will be
assigned the devname "vif<cfg_handle>.<port_id>" - where <cfg_handle> and
<port_id> are a unique handle/port pair assigned to the associated
vsw-port node in the MD.
Signed-off-by: Aaron Young <aaron.young@oracle.com>
Signed-off-by: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reviewed-by: Alexandre Chartre <Alexandre.Chartre@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Modify sunvnet common code and data structures to be compatible
with both sunvnet and ldmvsw drivers.
Details:
Sunvnet operates on "vnet-port" nodes which appear in the Machine
Description (MD) in a guest domain. Ldmvsw operates on "vsw-port"
nodes which appear in the MD of a service domain.
A difference between the sunvnet driver and the ldmvsw driver is
the sunvnet driver creates a network interface (i.e. a struct net_device)
for every vnet-port *parent* "network" node. Several vnet-ports may appear
under this common parent network node - each corresponding to a common parent
network interface. Conversely, since bridge/vswitch software will need
to interface with every vsw-port in a system, the ldmvsw driver creates
a network interface (i.e. a struct net_device) for every vsw-port - not
every parent node as with sunvnet. This difference required some special
handling in the common code as explained below.
There are 2 key data structures used by the sunvnet and ldmvsw drivers
(which are now found in sunvnet_common.h):
1. struct vnet_port
This structure represents a vnet-port node in sunvnet and a vsw-port
in the ldmvsw driver.
2. struct vnet
This structure represents a parent "network" node in sunvnet and a parent
"virtual-network-switch" node in ldmvsw.
Since the sunvnet driver allocates a net_device for every parent "network"
node, a net_device member appears in the struct vnet. Since the ldmvsw
driver allocates a net_device for every port, a net_device member was
added to the vnet_port. The common code distinguishes which structure
net_device member to use by checking a 'vsw' bit that was added to the
vnet_port structure. See the VNET_PORT_TO_NET_DEVICE() marco in
sunvnet_common.h.
The netdev_priv() in sunvnet is allocated as a vnet. The netdev_priv()
in ldmvsw is a vnet_port. Therefore, any place in the common code
where a netdev_priv() call was made, a wrapper function was implemented
in each driver to first get the vnet and/or vnet_port (in a driver
specific way) and pass them as newly added parameters to the common
functions (see wrapper funcs: vnet_set_rx_mode() and vnet_poll_controller()).
Since these wrapper functions call __tx_port_find(), __tx_port_find() was
moved from the common code back into sunvnet.c. Note - ldmvsw.c does not
require this function.
These changes also required that port_is_up() be made
into a common function and thus it was given a _common suffix and
exported like the other common functions.
A wrapper function was also added for vnet_start_xmit_common() to pass a
driver-specific function arg to return the port associated with a given
struct sk_buff and struct net_device. This was required because
vnet_start_xmit_common() grabs a lock prior to getting the associated
port. Using a function pointer arg allowed the code to work unchanged
without risking changes to the non-trivial locking logic in
vnet_start_xmit_common().
Signed-off-by: Aaron Young <aaron.young@oracle.com>
Signed-off-by: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reviewed-by: Alexandre Chartre <Alexandre.Chartre@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Split sunvnet.c into sunvnet.c and sunvnet_common.c.
Details:
Since the sunvnet and ldmvsw drivers will both use common sunvnet code,
move the functions (and support functions) anticipated to be common code
from sunvnet.c to sunvnet_common.c. Similarly, sunvnet.h was renamed to
sunvnet_common.h. The sunvnet_common.c code will be compiled into the
kernel and act as a library of functions that are linked by either
(or both) drivers when loaded.
Function names for external functions in sunvnet_common.c (to be
called by both the sunvnet and ldmvsw drivers) were tagged with a "_common"
suffix to clearly designate them as common functions.
No functional changes as of yet... just moved code verbatim to the new
sunvnet_common.c/h files.
Makefile/Kconfig support added to build sunvnet_common.c file. The code
is included in the kernel if SUN_LDOMS is defined/selected.
NOTE - per the SubmittingPatches documentation, since the code was just
moved from one file another, the code was NOT checkpatch'd in this commit
to aid in review.
Signed-off-by: Aaron Young <aaron.young@oracle.com>
Signed-off-by: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
Reviewed-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reviewed-by: Alexandre Chartre <Alexandre.Chartre@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Not all adapters have FC-NPIV configured. If bnx2fc is used with such an
adapter, driver would read irrelevant data from the the nvram and log
"FC-NPIV table with bad length..." In system logs.
Simply accept that reading '0' as the feature offset in nvram indicates
the feature isn't there and return.
Reported-by: Andrew Patterson <andrew.patterson@hpe.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The result value is overwritten by a return value of
ravb_ptp_interrupt().
Signed-off-by: Yoshihiro Kaneko <ykaneko0929@gmail.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
When running small packets [length < 256 bytes] traffic, packets were
being dropped due to invalid data in those packets which were
delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
ensures copying latest and updated data into skb from the receive buffer.
Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
If a dt mdio entry has been added least assume that we wont
search for phys attached. The DT and of_mdiobus_register already do
this. This stops DSA phys being found and phys created for them, as
this is handled by the DSA driver.
Signed-off-by: Phil Reid <preid@electromag.com.au>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There was a missing unlock on the error path.
Fixes: 656e705243fd ('net-next: mediatek: add support for MT7623 ethernet')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: John Crispin <blogic@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
of_phy_connect() returns NULL on error, it never returns error pointers.
Fixes: 656e705243fd ('net-next: mediatek: add support for MT7623 ethernet')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: John Crispin <blogic@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Currently output of MPLS packets on tunnel vports is not allowed by Open
vSwitch. This is because historically encapsulation was done in such a way
that the inner_protocol field of the skb needed to hold the inner protocol
for both MPLS and tunnel encapsulation in order for GSO segmentation to be
performed correctly.
Since b2acd1dc3949 ("openvswitch: Use regular GRE net_device instead of
vport") Open vSwitch makes use of lwt to output to tunnel netdevs which
perform encapsulation. As no drivers expose support for MPLS offloads this
means that GSO packets are segmented in software by validate_xmit_skb(),
which is called from __dev_queue_xmit(), before tunnel encapsulation occurs.
This means that the inner protocol of MPLS is no longer needed by the time
encapsulation occurs and the contention on the inner_protocol field of the
skb no longer occurs.
Thus it is now safe to output MPLS to tunnel vports.
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Reviewed-by: Jesse Gross <jesse@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
No code changes. Since OCTEON is a Cavium product, move the driver to
the vendor directory to unclutter things a bit.
Signed-off-by: David Daney <david.daney@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Running the following command:
busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null
with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffff8119df6c>] generic_pipe_buf_release+0xc/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cbee>] entry_SYSCALL_64_fastpath+0x12/0x6d
page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
kernel BUG at include/linux/mm.h:367!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
RIP: [<ffffffff8119df9c>] generic_pipe_buf_release+0x3c/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cd1e>] tracesys_phase2+0x84/0x89
(busybox's cat uses sendfile(2), unlike the coreutils version)
This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.
All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.
Cc: stable@vger.kernel.org
Signed-off-by: Rabin Vincent <rabin@rab.in>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
The uas driver can never queue more then MAX_CMNDS (- 1) tags and tags
are shared between luns, so there is no need to claim that we can_queue
some random large number.
Not claiming that we can_queue 65536 commands, fixes the uas driver
failing to initialize while allocating the tag map with a "Page allocation
failure (order 7)" error on systems which have been running for a while
and thus have fragmented memory.
Cc: stable@vger.kernel.org
Reported-and-tested-by: Yves-Alexis Perez <corsac@corsac.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
by an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
With commit 69bec7259853 ("USB: core: let USB device know device node"),
the port1 argument of usb_alloc_dev() gets overwritten as follows:
... usb_alloc_dev(..., unsigned port1)
{
...
if (!parent->parent) {
port1 = usb_hcd_find_raw_port_number(..., port1);
}
...
}
Later on, this now overwritten port1 gets assigned to ->portnum:
dev->portnum = port1;
However, since xhci_find_raw_port_number() isn't idempotent, the
aforementioned commit causes a number of KASAN splats like the following:
BUG: KASAN: slab-out-of-bounds in xhci_find_raw_port_number+0x98/0x170
at addr ffff8801d9311670
Read of size 8 by task kworker/2:1/87
[...]
Workqueue: usb_hub_wq hub_event
0000000000000188 000000005814b877 ffff8800cba17588 ffffffff8191447e
0000000041b58ab3 ffffffff82a03209 ffffffff819143a2 ffffffff82a252f4
ffff8801d93115e0 0000000000000188 ffff8801d9311628 ffff8800cba17588
Call Trace:
[<ffffffff8191447e>] dump_stack+0xdc/0x15e
[<ffffffff819143a2>] ? _atomic_dec_and_lock+0xa2/0xa2
[<ffffffff814e2cd1>] ? print_section+0x61/0xb0
[<ffffffff814e4939>] print_trailer+0x179/0x2c0
[<ffffffff814f0d84>] object_err+0x34/0x40
[<ffffffff814f4388>] kasan_report_error+0x2f8/0x8b0
[<ffffffff814eb91e>] ? __slab_alloc+0x5e/0x90
[<ffffffff812178c0>] ? __lock_is_held+0x90/0x130
[<ffffffff814f5091>] kasan_report+0x71/0xa0
[<ffffffff814ec082>] ? kmem_cache_alloc_trace+0x212/0x560
[<ffffffff81d99468>] ? xhci_find_raw_port_number+0x98/0x170
[<ffffffff814f33d4>] __asan_load8+0x64/0x70
[<ffffffff81d99468>] xhci_find_raw_port_number+0x98/0x170
[<ffffffff81db0105>] xhci_setup_addressable_virt_dev+0x235/0xa10
[<ffffffff81d9ea51>] xhci_setup_device+0x3c1/0x1430
[<ffffffff8121cddd>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff81d9fac0>] ? xhci_setup_device+0x1430/0x1430
[<ffffffff81d9fad3>] xhci_address_device+0x13/0x20
[<ffffffff81d2081a>] hub_port_init+0x55a/0x1550
[<ffffffff81d28705>] hub_event+0xef5/0x24d0
[<ffffffff81d27810>] ? hub_port_debounce+0x2f0/0x2f0
[<ffffffff8195e1ee>] ? debug_object_deactivate+0x1be/0x270
[<ffffffff81210203>] ? print_rt_rq+0x53/0x2d0
[<ffffffff8121657d>] ? trace_hardirqs_off+0xd/0x10
[<ffffffff8226acfb>] ? _raw_spin_unlock_irqrestore+0x5b/0x60
[<ffffffff81250000>] ? irq_domain_set_hwirq_and_chip+0x30/0xb0
[<ffffffff81256339>] ? debug_lockdep_rcu_enabled+0x39/0x40
[<ffffffff812178c0>] ? __lock_is_held+0x90/0x130
[<ffffffff81196877>] process_one_work+0x567/0xec0
[...]
Afterwards, xhci reports some functional errors:
xhci_hcd 0000:00:14.0: ERROR: unexpected setup address command completion
code 0x11.
xhci_hcd 0000:00:14.0: ERROR: unexpected setup address command completion
code 0x11.
usb 4-3: device not accepting address 2, error -22
Fix this by not overwriting the port1 argument in usb_alloc_dev(), but
storing the raw port number as required by OF in an additional variable,
raw_port.
Fixes: 69bec7259853 ("USB: core: let USB device know device node")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
Ilya Dryomov
Yan, Zheng
Eric Dumazet
Eli Cohen
Andreas Färber
Woojung Huh
Sowmini Varadhan
Robert Jarzmik
Zhang Shengju
Dan Carpenter
Daniel Borkmann
Arnd Bergmann
Aaron Young
Yuval Mintz
Yoshihiro Kaneko
Manish Chopra
Phil Reid
Simon Horman
David Daney
Wu Fengguang
Rabin Vincent
Hans de Goede
Oliver Neukum
Nicolai Stange