- Linux-stable-mirror - lists.linaro.org

[net 2/5] ixgbe: Use CONFIG_XFRM_OFFLOAD instead of CONFIG_XFRM

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> There is no point in adding code if CONFIG_XFRM is defined that we won't use unless CONFIG_XFRM_OFFLOAD is defined. So instead of leaving this code floating around I am replacing the ifdef with what I believe is the correct one so that we only include the code and variables if they will actually be used. CC: stable <stable(a)vger.kernel.org> Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Acked-by: Shannon Nelson <shannon.nelson(a)oracle.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 4 ++-- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index fc534e91c6b2..144d5fe6b944 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -760,9 +760,9 @@ struct ixgbe_adapter { #define IXGBE_RSS_KEY_SIZE 40 /* size of RSS Hash Key in bytes */ u32 *rss_key; -#ifdef CONFIG_XFRM +#ifdef CONFIG_XFRM_OFFLOAD struct ixgbe_ipsec *ipsec; -#endif /* CONFIG_XFRM */ +#endif /* CONFIG_XFRM_OFFLOAD */ }; static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index f9e0dc041cfb..a925f05ec342 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -9896,7 +9896,7 @@ ixgbe_features_check(struct sk_buff *skb, struct net_device *dev, * the TSO, so it's the exception. */ if (skb->encapsulation && !(features & NETIF_F_TSO_MANGLEID)) { -#ifdef CONFIG_XFRM +#ifdef CONFIG_XFRM_OFFLOAD if (!skb->sp) #endif features &= ~NETIF_F_TSO; -- 2.17.1

7 years, 4 months

1
0
0 0

[net 1/5] ixgbe: Fix setting of TC configuration for macvlan case

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> When we were enabling macvlan interfaces we weren't correctly configuring things until ixgbe_setup_tc was called a second time either by tweaking the number of queues or increasing the macvlan count past 15. The issue came down to the fact that num_rx_pools is not populated until after the queues and interrupts are reinitialized. Instead of trying to set it sooner we can just move the call to setup at least 1 traffic class to the SR-IOV/VMDq setup function so that we just set it for this one case. We already had a spot that was configuring the queues for TC 0 in the code here anyway so it makes sense to also set the number of TCs here as well. CC: stable <stable(a)vger.kernel.org> Fixes: 49cfbeb7a95c ("ixgbe: Fix handling of macvlan Tx offload") Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c | 8 ++++++++ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 -------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c index 893a9206e718..d361f570ca37 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c @@ -593,6 +593,14 @@ static bool ixgbe_set_sriov_queues(struct ixgbe_adapter *adapter) } #endif + /* To support macvlan offload we have to use num_tc to + * restrict the queues that can be used by the device. + * By doing this we can avoid reporting a false number of + * queues. + */ + if (vmdq_i > 1) + netdev_set_num_tc(adapter->netdev, 1); + /* populate TC0 for use by pool 0 */ netdev_set_tc_queue(adapter->netdev, 0, adapter->num_rx_queues_per_pool, 0); diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index 4929f7265598..f9e0dc041cfb 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -8822,14 +8822,6 @@ int ixgbe_setup_tc(struct net_device *dev, u8 tc) } else { netdev_reset_tc(dev); - /* To support macvlan offload we have to use num_tc to - * restrict the queues that can be used by the device. - * By doing this we can avoid reporting a false number of - * queues. - */ - if (!tc && adapter->num_rx_pools > 1) - netdev_set_num_tc(dev, 1); - if (adapter->hw.mac.type == ixgbe_mac_82598EB) adapter->hw.fc.requested_mode = adapter->last_lfc_mode; -- 2.17.1

7 years, 4 months

1
0
0 0

Re: [PATCH 4.16 01/48] mmap: introduce sane default mmap limits

by Greg Kroah-Hartman

On Mon, Jun 11, 2018 at 08:12:45AM +1000, David Airlie wrote: > Can you make sure you pull in > > 76ef6b28ea4f81c3d511866a9b31392caa833126 (tag: > drm-fixes-for-v4.17-rc6-urgent) > Author: Dave Airlie <airlied(a)redhat.com> > Date: Tue May 15 13:38:15 2018 +1000 > > drm: set FMODE_UNSIGNED_OFFSET for drm files > > Into anywhere this first patch goes? Thanks for pointing this out, now queued up. greg k-h

7 years, 4 months

1
0
0 0

[PATCH] mm: Fix devmem_is_allowed() for sub-page System RAM intersections

by Dan Williams

Hussam reports: I was poking around and for no real reason, I did cat /dev/mem and strings /dev/mem. Then I saw the following warning in dmesg. I saved it and rebooted immediately. memremap attempted on mixed range 0x000000000009c000 size: 0x1000 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170 [..] Call Trace: xlate_dev_mem_ptr+0x25/0x40 read_mem+0x89/0x1a0 __vfs_read+0x36/0x170 The memremap() implementation checks for attempts to remap System RAM with MEMREMAP_WB and instead redirects those mapping attempts to the linear map. However, that only works if the physical address range being remapped is page aligned. In low memory we have situations like the following: 00000000-00000fff : Reserved 00001000-0009fbff : System RAM 0009fc00-0009ffff : Reserved ...where System RAM intersects Reserved ranges on a sub-page page granularity. Given that devmem_is_allowed() special cases any attempt to map System RAM in the first 1MB of memory, replace page_is_ram() with the more precise region_intersects() to trap attempts to map disallowed ranges. Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999 Fixes: 92281dee825f ("arch: introduce memremap()") Cc: <stable(a)vger.kernel.org> Cc: Christoph Hellwig <hch(a)lst.de> Reported-by: Hussam Al-Tayeb <me(a)hussam.eu.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- arch/x86/mm/init.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index fec82b577c18..cee58a972cb2 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -706,7 +706,9 @@ void __init init_mem_mapping(void) */ int devmem_is_allowed(unsigned long pagenr) { - if (page_is_ram(pagenr)) { + if (region_intersects(PFN_PHYS(pagenr), PAGE_SIZE, + IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE) + != REGION_DISJOINT) { /* * For disallowed memory regions in the low 1MB range, * request that the page be shown as all zeros.

7 years, 4 months

1
0
0 0

Please apply this commit to v4.14.y, 4.16.y and 4.17.y: c3635da2a336 ("PCI: hv: Do not wait forever on a device that has disappeared")

by Dexuan Cui

Hi, The patch has been in the mainline, and I have verified the commit can be cherry-picked cleanly to these 3 stable branches. The issue fixed by the patch also exists in 4.14, 4.16 and 4.17. It looks I forgot to add a "Cc: stable(a)vger.kernel.org" tag. Sorry. Thanks, -- Dexuan

7 years, 5 months

2
1
0 0

[PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

by Amit Pundir

From: Suren Baghdasaryan <surenb(a)google.com> Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. cc: Stable <stable(a)vger.kernel.org> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Signed-off-by: Amit Pundir <amit.pundir(a)linaro.org> Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> --- v3..v1: Resend. No changes. drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e6..3420c5104c94 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } -- 2.7.4

7 years, 5 months

2
3
0 0

Re: [PATCH] xfs: fix incorrect log_flushed on fsync

by Amir Goldstein

On Tue, Sep 19, 2017 at 9:32 AM, Greg KH <greg(a)kroah.com> wrote: > On Mon, Sep 18, 2017 at 10:29:25PM +0300, Amir Goldstein wrote: >> On Mon, Sep 18, 2017 at 9:35 PM, Greg KH <greg(a)kroah.com> wrote: >> > On Mon, Sep 18, 2017 at 09:00:30PM +0300, Amir Goldstein wrote: >> >> On Mon, Sep 18, 2017 at 8:11 PM, Darrick J. Wong >> >> <darrick.wong(a)oracle.com> wrote: >> >> > On Fri, Sep 15, 2017 at 03:40:24PM +0300, Amir Goldstein wrote: >> >> >> On Wed, Aug 30, 2017 at 4:38 PM, Amir Goldstein <amir73il(a)gmail.com> wrote: >> >> >> > When calling into _xfs_log_force{,_lsn}() with a pointer >> >> >> > to log_flushed variable, log_flushed will be set to 1 if: >> >> >> > 1. xlog_sync() is called to flush the active log buffer >> >> >> > AND/OR >> >> >> > 2. xlog_wait() is called to wait on a syncing log buffers >> >> >> > >> >> >> > xfs_file_fsync() checks the value of log_flushed after >> >> >> > _xfs_log_force_lsn() call to optimize away an explicit >> >> >> > PREFLUSH request to the data block device after writing >> >> >> > out all the file's pages to disk. >> >> >> > >> >> >> > This optimization is incorrect in the following sequence of events: >> >> >> > >> >> >> > Task A Task B >> >> >> > ------------------------------------------------------- >> >> >> > xfs_file_fsync() >> >> >> > _xfs_log_force_lsn() >> >> >> > xlog_sync() >> >> >> > [submit PREFLUSH] >> >> >> > xfs_file_fsync() >> >> >> > file_write_and_wait_range() >> >> >> > [submit WRITE X] >> >> >> > [endio WRITE X] >> >> >> > _xfs_log_force_lsn() >> >> >> > xlog_wait() >> >> >> > [endio PREFLUSH] >> >> >> > >> >> >> > The write X is not guarantied to be on persistent storage >> >> >> > when PREFLUSH request in completed, because write A was submitted >> >> >> > after the PREFLUSH request, but xfs_file_fsync() of task A will >> >> >> > be notified of log_flushed=1 and will skip explicit flush. >> >> >> > >> >> >> > If the system crashes after fsync of task A, write X may not be >> >> >> > present on disk after reboot. >> >> >> > >> >> >> > This bug was discovered and demonstrated using Josef Bacik's >> >> >> > dm-log-writes target, which can be used to record block io operations >> >> >> > and then replay a subset of these operations onto the target device. >> >> >> > The test goes something like this: >> >> >> > - Use fsx to execute ops of a file and record ops on log device >> >> >> > - Every now and then fsync the file, store md5 of file and mark >> >> >> > the location in the log >> >> >> > - Then replay log onto device for each mark, mount fs and compare >> >> >> > md5 of file to stored value >> >> >> > >> >> >> > Cc: Christoph Hellwig <hch(a)lst.de> >> >> >> > Cc: Josef Bacik <jbacik(a)fb.com> >> >> >> > Cc: <stable(a)vger.kernel.org> >> >> >> > Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> >> >> >> > --- >> >> >> > >> >> >> > Christoph, Dave, >> >> >> > >> >> >> > It's hard to believe, but I think the reported bug has been around >> >> >> > since 2005 f538d4da8d52 ("[XFS] write barrier support"), but I did >> >> >> > not try to test old kernels. >> >> >> >> >> >> Forgot to tag commit message with: >> >> >> Fixes: f538d4da8d52 ("[XFS] write barrier support") >> >> >> >> >> >> Maybe the tag could be added when applying to recent stables, >> >> >> so distros and older downstream stables can see the tag. >> >> >> >> >> >> The disclosure of the security bug fix (commit b31ff3cdf5) made me wonder >> >> >> if possible data loss bug should also be disclosed in some distros forum? >> >> >> I bet some users would care more about the latter than the former. >> >> >> Coincidentally, both data loss and security bugs fix the same commit.. >> >> > >> >> > Yes the the patch ought to get sent on to stable w/ fixes tag. One >> >> > would hope that the distros will pick up the stable fixes from there. >> >> >> >> >> >> Greg, for your consideration, please add >> >> Fixes: f538d4da8d52 ("[XFS] write barrier support") >> >> If not pushed yet. >> > >> > Add it to what? >> >> Sorry, add that tag when applying commit 47c7d0b1950258312 >> to stable trees, since I missed adding the tag before it was merged >> to master. > > Nah, as the tag is just needed to let me know where to backport stuff > to, I don't think it matters when I add it to the stable tree itself, so > I'll leave it as-is. > Greg, Related or not to above Fixes discussion, I now noticed that you never picked the patch for kernel 4.4. Ben did take it to 3.2 and 3.16 BTW. This is a very critical bug fix IMO. Were you waiting for an ACK from xfs maintainers or just an oversight? Or was it me who had to check up on that? Thanks, Amir.

7 years, 5 months

2
1
0 0

Linux 4.9.107 is not available on www.kernel.org

by Pavlos Parissis

Hi, Linux 4.9.107 was released on Jun 7th and www.kernel.org still points to 4.9.106 as latest version for 4.9 tree. I have seen delays before, but not for more than an hour. Is something broken? Cheers, Pavlos

7 years, 5 months

2
2
0 0

[merged] fs-binfmt_miscc-do-not-allow-offset-overflow.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: fs/binfmt_misc.c: do not allow offset overflow has been removed from the -mm tree. Its filename was fs-binfmt_miscc-do-not-allow-offset-overflow.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _ Patches currently in -mm which might be from cascardo(a)canonical.com are

7 years, 5 months

1
0
0 0

[merged] mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset has been removed from the -mm tree. Its filename was mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. SLAB is currently not affected, but in kernels older than 4.7 that don't yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") it is. That's at least 4.4 LTS. Older ones I'll have to check. So stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Acked-by: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _ Patches currently in -mm which might be from vbabka(a)suse.cz are

7 years, 5 months

1
0
0 0

[PATCH] arm64: Fix syscall restarting around signal suppressed by tracer

by Dave Martin

Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts out the pt_regs.syscallno value for a syscall cancelled by a tracer as NO_SYSCALL, and provides helpers to set and check for this condition. However, the way this was implemented has the unintended side-effect of disabling part of the syscall restart logic. This comes about because the second in_syscall() check in do_signal() re-evaluates the "in a syscall" condition based on the updated pt_regs instead of the original pt_regs. forget_syscall() is explicitly called prior to the second check in order to prevent restart logic in the ret_to_user path being spuriously triggered, which means that the second in_syscall() check always yields false. This triggers a failure in tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to suppress a signal that interrups a nanosleep() syscall. Misbehaviour of this type is only expected in the case where a tracer suppresses a signal and the target process is either being single-stepped or the interrupted syscall attempts to restart via -ERESTARTBLOCK. This patch restores the old behaviour by performing the in_syscall() check only once at the start of the function. Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation") Signed-off-by: Dave Martin <Dave.Martin(a)arm.com> Reported-by: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: Will Deacon <will.deacon(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: <stable(a)vger.kernel.org> # 4.14.x- --- arch/arm64/kernel/signal.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 154b7d3..f212090 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -830,11 +830,12 @@ static void do_signal(struct pt_regs *regs) unsigned long continue_addr = 0, restart_addr = 0; int retval = 0; struct ksignal ksig; + bool syscall = in_syscall(regs); /* * If we were from a system call, check for system call restarting... */ - if (in_syscall(regs)) { + if (syscall) { continue_addr = regs->pc; restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4); retval = regs->regs[0]; @@ -886,7 +887,7 @@ static void do_signal(struct pt_regs *regs) * Handle restarting a different system call. As above, if a debugger * has chosen to restart at a different PC, ignore the restart. */ - if (in_syscall(regs) && regs->pc == restart_addr) { + if (syscall && regs->pc == restart_addr) { if (retval == -ERESTART_RESTARTBLOCK) setup_restart_syscall(regs); user_rewind_single_step(current); -- 2.1.4

7 years, 5 months

2
1
0 0

[v3 PATCH 0/5] powerpc/pseries: Machien check handler improvements.

by Mahesh J Salgaonkar

This patch series includes some improvement to Machine check handler for pseries. Patch 1 fixes an issue where machine check handler crashes kernel while accessing vmalloc-ed buffer while in nmi context. Patch 2 fixes endain bug while restoring of r3 in MCE handler. Patch 4 dumps the SLB contents on SLB MCE errors to improve the debugability. Patch 5 display's the MCE error details on console. CHange in V3: - Moved patch 5 to patch 2 Change in V2: - patch 3: Display additional info (NIP and task info) in MCE error details. - patch 5: Fix endain bug while restoring of r3 in MCE handler. --- Mahesh Salgaonkar (5): powerpc/pseries: convert rtas_log_buf to linear allocation. powerpc/pseries: Fix endainness while restoring of r3 in MCE handler. powerpc/pseries: Define MCE error event section. powerpc/pseries: Dump and flush SLB contents on SLB MCE errors. powerpc/pseries: Display machine check error details. arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 arch/powerpc/include/asm/rtas.h | 109 ++++++++++++++++++ arch/powerpc/kernel/rtasd.c | 2 arch/powerpc/mm/slb.c | 35 ++++++ arch/powerpc/platforms/pseries/ras.c | 155 +++++++++++++++++++++++++ 5 files changed, 299 insertions(+), 3 deletions(-) -- Signature

7 years, 5 months

4
7
0 0

[PATCH] dm bufio: avoid false-positive Wmaybe-uninitialized warning

by Nathan Chancellor

From: Arnd Bergmann <arnd(a)arndb.de> commit 590347e4000356f55eb10b03ced2686bd74dab40 upstream. gcc-6.3 and earlier show a new warning after a seemingly unrelated change to the arm64 PAGE_KERNEL definition: In file included from drivers/md/dm-bufio.c:14:0: drivers/md/dm-bufio.c: In function 'alloc_buffer': include/linux/sched/mm.h:182:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized] current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags; ^ The same warning happened earlier on linux-3.18 for MIPS and I did a workaround for that, but now it's come back. gcc-7 and newer are apparently smart enough to figure this out, and other architectures don't show it, so the best I could come up with is to rework the caller slightly in a way that makes it obvious enough to all arm64 compilers what is happening here. Fixes: 41acec624087 ("arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()") Link: https://patchwork.kernel.org/patch/9692829/ Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> [snitzer: moved declarations inside conditional, altered vmalloc return] Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> [nc: Backport to 4.9, adjust context for lack of 19809c2da28a] Signed-off-by: Nathan Chancellor <natechancellor(a)gmail.com> --- drivers/md/dm-bufio.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c index 3ec647e8b9c6..35fd57fdeba9 100644 --- a/drivers/md/dm-bufio.c +++ b/drivers/md/dm-bufio.c @@ -373,9 +373,6 @@ static void __cache_size_refresh(void) static void *alloc_buffer_data(struct dm_bufio_client *c, gfp_t gfp_mask, enum data_mode *data_mode) { - unsigned noio_flag; - void *ptr; - if (c->block_size <= DM_BUFIO_BLOCK_SIZE_SLAB_LIMIT) { *data_mode = DATA_MODE_SLAB; return kmem_cache_alloc(DM_BUFIO_CACHE(c), gfp_mask); @@ -399,16 +396,16 @@ static void *alloc_buffer_data(struct dm_bufio_client *c, gfp_t gfp_mask, * all allocations done by this process (including pagetables) are done * as if GFP_NOIO was specified. */ + if (gfp_mask & __GFP_NORETRY) { + unsigned noio_flag = memalloc_noio_save(); + void *ptr = __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, + PAGE_KERNEL); - if (gfp_mask & __GFP_NORETRY) - noio_flag = memalloc_noio_save(); - - ptr = __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, PAGE_KERNEL); - - if (gfp_mask & __GFP_NORETRY) memalloc_noio_restore(noio_flag); + return ptr; + } - return ptr; + return __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, PAGE_KERNEL); } /* -- 2.17.1

7 years, 5 months

1
1
0 0

[PATCHES] Networking

by David Miller

Please queue up the following netwokring bug fixes for v4.16 and v4.17 -stable, respectively. Thank you.

7 years, 5 months

2
1
0 0

[GIT PULL] commits for Linux 4.14

by Sasha Levin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Greg, Pleae pull commits for Linux 4.14 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit 3e496be2038a100fc53627238fe120dc4c948719: Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU" (2018-05-30 22:32:31 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.14-05062018 for you to fetch changes up to a128744e79b872a66bdd0d1183d871c01b84eb9c: ARM: kexec: fix kdump register saving on panic() (2018-06-04 22:11:36 -0400) - ---------------------------------------------------------------- for-greg-4.14-05062018 - ---------------------------------------------------------------- Adam Ford (2): ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues ARM: dts: logicpd-som-lv: Fix Audio Mute Alexey Dobriyan (1): proc: revalidate kernel thread inodes to root:root Amir Goldstein (2): fsnotify: fix ignore mask logic in send_to_group() <linux/stringhash.h>: fix end_name_hash() for 64bit long Andres Rodriguez (1): drm/amdkfd: fix clock counter retrieval for node without GPU Andy Lutomirski (1): x86/selftests: Add mov_to_ss test Anson Huang (1): clocksource/drivers/imx-tpm: Correct some registers operation flow Arnaldo Carvalho de Melo (1): perf report: Fix switching to another perf.data file Arnd Bergmann (2): hexagon: add memset_io() helper hexagon: export csum_partial_copy_nocheck Arvind Yadav (2): HID: wacom: Release device resource data obtained by devres_alloc() HID: intel-ish-hid: use put_device() instead of kfree() Ashish Samant (1): ocfs2: take inode cluster lock before moving reflinked inode from orphan dir Balbir Singh (1): powerpc/powernv/memtrace: Let the arch hotunplug code flush cache Baolin Wang (3): parisc: time: Convert read_persistent_clock() to read_persistent_clock64() i2c: sprd: Prevent i2c accesses after suspend is called i2c: sprd: Fix the i2c count issue Ben Hutchings (2): drm/msm: Fix possible null dereference on failure of get_pages() mtd: Fix comparison in map_word_andequal() Bhadram Varka (1): arm64: tegra: Make BCM89610 PHY interrupt as active low Changbin Du (1): iommu/vt-d: fix shift-out-of-bounds in bug checking Chen Yu (1): ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016) Chengguang Xu (2): isofs: fix potential memory leak in mount option parsing nvme: fix potential memory leak in option parsing Chris Leech (1): scsi: iscsi: respond to netlink with unicast when appropriate Christophe JAILLET (1): Input: synaptics-rmi4 - fix an unchecked out of memory error path Clément Péron (1): ARM: dts: cygnus: fix irq type for arm global timer Colin Ian King (2): scsi: isci: Fix infinite loop in while loop RDMA/iwpm: fix memory leak on map_info Dag Moxnes (1): rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp Dan Carpenter (2): drm/omap: silence unititialized variable warning drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Daniel Borkmann (1): bpf, x64: fix memleak when not converging after image Daniel Glöckner (1): usb: musb: fix remote wakeup racing with suspend Dave Hansen (10): x86/pkeys/selftests: Give better unexpected fault error messages x86/pkeys/selftests: Stop using assert() x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal x86/pkeys/selftests: Allow faults on unknown keys x86/pkeys/selftests: Factor out "instruction page" x86/pkeys/selftests: Add PROT_EXEC test x86/pkeys/selftests: Fix pkey exhaustion test off-by-one x86/pkeys/selftests: Fix pointer math x86/pkeys/selftests: Save off 'prot' for allocations x86/pkeys/selftests: Add a test for pkey 0 Dave Young (1): kexec_file: do not add extra alignment to efi memmap David Gilhooley (1): arm64: Add MIDR encoding for NVIDIA CPUs David Howells (4): vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion rxrpc: Fix error reception on AF_INET6 sockets rxrpc: Fix the min security level for kernel calls afs: Fix the non-encryption of calls Emil Tantilov (1): ixgbe: return error on unsupported SFP module when resetting Emil Velikov (1): drm/msm: don't deref error pointer in the msm_fbdev_create error path Etienne Carriere (1): tee: check shm references are consistent in offset/size Evan Wang (2): libahci: Allow drivers to override stop_engine ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI Florian Fainelli (2): soc: bcm: raspberrypi-power: Fix use of __packed net: ethtool: Add missing kernel doc for FEC parameters Geert Uytterhoeven (3): soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/ dt-bindings: panel: lvds: Fix path to display timing bindings Greg Thelen (5): nvme: depend on INFINIBAND_ADDR_TRANS nvmet-rdma: depend on INFINIBAND_ADDR_TRANS ib_srpt: depend on INFINIBAND_ADDR_TRANS ib_srp: depend on INFINIBAND_ADDR_TRANS IB: make INFINIBAND_ADDR_TRANS configurable Hans de Goede (1): thermal: int3403_thermal: Fix NULL pointer deref on module load / probe Helge Deller (2): parisc: drivers.c: Fix section mismatches parisc: Move setup_profiling_timer() out of init section Huang Ying (1): mm, pagemap: fix swap offset value for PMD migration entry Håkon Bugge (1): IB/core: Make ib_mad_client_id atomic Igor Russkikh (1): net: aquantia: driver should correctly declare vlan_features bits Ilan Peer (1): mac80211: Adjust SAE authentication timeout Ingo Molnar (3): objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI Jacopo Mondi (2): dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF dt-bindings: dmaengine: rcar-dmac: document R8A77965 support Jakob Unterwurzacher (1): can: dev: increase bus-off message severity Jakub Kicinski (1): nfp: ignore signals when communicating with management FW Janusz Krzysztofik (1): ARM: OMAP1: ams-delta: fix deferred_fiq handler Jeffrey Hugo (1): init: fix false positives in W+X checking Jerome Brunet (1): clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux Jianchao Wang (1): IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV Jiang Biao (2): blkcg: don't hold blkcg lock when deactivating policy blkcg: init root blkcg_gq under lock Jim Gill (1): scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts Jingju Hou (1): net: phy: marvell: clear wol event before setting it John Fastabend (1): bpf: fix uninitialized variable in bpf tools Jon Maloy (1): tipc: fix bug in function tipc_nl_node_dump_monitor Josh Poimboeuf (5): objtool: Fix "noreturn" detection for recursive sibling calls objtool: Support GCC 8's cold subfunctions objtool: Support GCC 8 switch tables objtool: Detect RIP-relative switch table references objtool: Detect RIP-relative switch table references, part 2 Julian Wiedmann (1): s390/qeth: use Read device to query hypervisor for MAC Kan Liang (1): perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1 Keith Busch (1): nvme: Set integrity flag for user passthrough commands Kevin Easton (1): af_key: Always verify length of provided sadb_key Krish Sadhukhan (1): x86: Add check for APIC access address for vmentry of L2 guests Laura Abbott (1): proc/kcore: don't bounds check against address 0 Liam Girdwood (1): ASoC: topology: Check widget kcontrols before deref. Loic Poulain (1): PCI: kirin: Fix reset gpio name Long Li (1): scsi: storvsc: Set up correct queue depth values for IDE devices Lukasz Majewski (1): doc: Add vendor prefix for Kieback & Peter GmbH Marian Rotariu (1): x86: Delay skip of emulated hypercall instruction Mark Rutland (4): arm64: ptrace: remove addr_limit manipulation arm64: fix possible spectre-v1 in ptrace_hbp_get_event() KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr() efi/libstub/arm64: Handle randomized TEXT_OFFSET Martin Schwidefsky (1): s390/smsgiucv: disable SMSG on module unload Masami Hiramatsu (3): selftests: ftrace: Add a testcase for multiple actions on trigger kprobes/x86: Prohibit probing on exception masking instructions uprobes/x86: Prohibit probing on MOV SS instruction Matan Barak (1): IB/uverbs: Fix validating mandatory attributes Matheus Castello (1): dt-bindings: pinctrl: sunxi: Fix reference to driver Mathieu Malaterre (4): driver core: add __printf verification to __ata_ehi_pushv_desc agp: uninorth: make two functions static sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h sched/deadline: Make the grub_reclaim() function static Matt Redfearn (1): MIPS: dts: Boston: Fix PCI bus dtc warnings: Michael J. Ruhl (1): IB/hfi1 Use correct type for num_user_context Michal Kalderon (2): qed: Fix l2 initializations over iWARP personality qede: Fix gfp flags sent to rdma event node allocation Mika Westerberg (1): ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70 Minchan Kim (1): mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create() Ming Lei (1): scsi: target: fix crash with iscsi target and dvd Naveen N. Rao (2): powerpc/trace/syscalls: Update syscall name matching logic powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix Nick Dyer (1): Input: atmel_mxt_ts - fix the firmware update Omar Sandoval (1): blk-mq: fix sysfs inflight counter Pablo Neira Ayuso (1): netfilter: nf_tables: NAT chain and extensions require NF_TABLES Parav Pandit (2): RDMA/cma: Fix use after destroy access to net namespace for IPoIB RDMA/cma: Do not query GID during QP state transition to RTR Paulo Alcantara (1): cifs: smb2ops: Fix listxattr() when there are no EAs Peter Rosin (3): i2c: pmcmsp: return message count on master_xfer success i2c: pmcmsp: fix error return from master_xfer i2c: viperboard: return message count on master_xfer success Peter Zijlstra (3): stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock kthread, sched/wait: Fix kthread_parkme() wait-loop sched/core: Introduce set_special_state() Ramon Fried (1): rpmsg: added MODULE_ALIAS for rpmsg_char Rich Felker (1): sh: fix build failure for J2 cpu with SMP disabled Rob Herring (1): spi: bcm2835aux: ensure interrupts are enabled for shared handler Roman Mashak (1): net sched actions: fix invalid pointer dereferencing if skbedit flags missing Russell King (2): ARM: keystone: fix platform_domain_notifier array overrun ARM: kexec: fix kdump register saving on panic() Sara Sharon (1): mac80211: use timeout from the AddBA response instead of the request Sebastian Sanchez (1): IB/hfi1: Fix memory leak in exception path in get_irq_affinity() Sekhar Nori (8): ARM: dts: da850: fix W=1 warnings with pinmux node ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup ARM: davinci: board-dm355-evm: fix broken networking ARM: davinci: dm646x: fix timer interrupt generation ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF ARM: davinci: board-dm646x-evm: set VPIF capture card name Simon Gaiser (1): xen: xenbus_dev_frontend: Really return response string Sinan Kaya (2): MIPS: io: Prevent compiler reordering writeX() MIPS: io: Add barrier after register read in readX() Srinivas Kandagatla (1): ASoC: msm8916-wcd-analog: use threaded context for mbhc events Stefan Agner (2): drm/msm/dsi: use correct enum in dsi_get_cmd_fmt clk: imx6ull: use OSC clock during AXI rate change Stefan Raspl (1): smc: fix sendpage() call Taehee Yoo (1): netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update Tero Kristo (1): ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace Tobias Jordan (1): remoteproc: qcom: Fix potential device node leaks Tobias Regnery (1): usb: typec: ucsi: fix tracepoint related build error Tomi Valkeinen (4): drm/omap: fix uninitialized ret variable drm/omap: fix possible NULL ref issue in tiler_reserve_2d drm/omap: check return value from soc_device_match drm/omap: handle alloc failures in omap_connector Tung Nguyen (1): tipc: fix infinite loop when dumping link monitor summary Tyler Hicks (1): eCryptfs: don't pass up plaintext names when using filename encryption Vinson Lee (1): scsi: megaraid_sas: Do not log an error if FW successfully initializes. Vladimir Zapolskiy (1): spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR Waiman Long (2): locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN Wanpeng Li (1): KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs Yan Wang (1): ASoC: topology: Fix bugs of freeing soc topology Ying Xue (1): tipc: eliminate KMSAN uninit-value in strcmp complaint Zhu Yanjun (1): IB/rxe: avoid double kfree_skb dann frazier (1): net: hns: Avoid action name truncation hu huajun (1): KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update jacek.tomaka(a)poczta.fm (1): x86/cpu/intel: Add missing TLB cpuid values oder_chiou(a)realtek.com (1): ASoC: rt5514: Add the missing register in the readable table pgzh (1): HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice sxauwsk (1): spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() van der Linden, Frank (1): x86/xen: Reset VCPU0 info pointer after shared_info remap Łukasz Stelmach (2): ARM: 8753/1: decompressor: add a missing parameter to the addruart macro ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel .../bindings/display/panel/panel-common.txt | 2 +- .../devicetree/bindings/dma/renesas,rcar-dmac.txt | 1 + .../bindings/pinctrl/allwinner,sunxi-pinctrl.txt | 6 +- .../bindings/serial/amlogic,meson-uart.txt | 2 +- .../bindings/serial/renesas,sci-serial.txt | 2 + .../devicetree/bindings/vendor-prefixes.txt | 1 + arch/arm/boot/compressed/head.S | 20 +- arch/arm/boot/dts/bcm-cygnus.dtsi | 2 +- arch/arm/boot/dts/da850.dtsi | 2 - arch/arm/boot/dts/logicpd-som-lv.dtsi | 11 +- arch/arm/kernel/machine_kexec.c | 34 ++- arch/arm/mach-davinci/board-da830-evm.c | 9 +- arch/arm/mach-davinci/board-da850-evm.c | 9 +- arch/arm/mach-davinci/board-dm355-evm.c | 6 + arch/arm/mach-davinci/board-dm646x-evm.c | 5 +- arch/arm/mach-davinci/board-omapl138-hawk.c | 10 +- arch/arm/mach-davinci/dm646x.c | 3 +- arch/arm/mach-keystone/pm_domain.c | 1 + arch/arm/mach-omap1/ams-delta-fiq.c | 28 +- arch/arm/mach-omap2/powerdomain.c | 4 +- arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi | 2 +- arch/arm64/include/asm/cputype.h | 6 + arch/arm64/kernel/ptrace.c | 20 +- arch/hexagon/include/asm/io.h | 6 + arch/hexagon/lib/checksum.c | 1 + arch/mips/boot/dts/img/boston.dts | 6 + arch/mips/include/asm/io.h | 4 +- arch/parisc/kernel/drivers.c | 7 +- arch/parisc/kernel/smp.c | 3 +- arch/parisc/kernel/time.c | 2 +- arch/powerpc/include/asm/ftrace.h | 29 ++- arch/powerpc/platforms/powernv/memtrace.c | 17 -- arch/sh/kernel/cpu/sh2/probe.c | 4 + arch/x86/events/intel/core.c | 9 +- arch/x86/include/asm/insn.h | 18 ++ arch/x86/kernel/cpu/intel.c | 3 + arch/x86/kernel/kexec-bzimage64.c | 5 +- arch/x86/kernel/kprobes/core.c | 4 + arch/x86/kernel/uprobes.c | 4 + arch/x86/kvm/hyperv.c | 2 +- arch/x86/kvm/svm.c | 5 +- arch/x86/kvm/vmx.c | 15 +- arch/x86/kvm/x86.c | 19 +- arch/x86/net/bpf_jit_comp.c | 4 +- arch/x86/xen/enlighten_hvm.c | 13 + block/blk-cgroup.c | 22 +- block/blk-mq.c | 19 ++ block/blk-mq.h | 4 +- block/genhd.c | 12 + block/partition-generic.c | 10 +- drivers/acpi/acpi_watchdog.c | 59 ++++- drivers/acpi/sleep.c | 13 + drivers/ata/ahci.c | 6 +- drivers/ata/ahci.h | 7 + drivers/ata/ahci_mvebu.c | 56 ++++ drivers/ata/ahci_qoriq.c | 2 +- drivers/ata/ahci_xgene.c | 4 +- drivers/ata/libahci.c | 20 +- drivers/ata/libata-eh.c | 4 +- drivers/ata/sata_highbank.c | 2 +- drivers/char/agp/uninorth-agp.c | 4 +- drivers/clk/clk-mux.c | 10 +- drivers/clk/clk.c | 7 +- drivers/clk/imx/clk-imx6ul.c | 2 +- drivers/clocksource/timer-imx-tpm.c | 8 +- drivers/firmware/efi/libstub/arm64-stub.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 13 +- drivers/gpu/drm/drm_dumb_buffers.c | 7 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/msm/msm_fbdev.c | 11 +- drivers/gpu/drm/msm/msm_gem.c | 20 +- drivers/gpu/drm/omapdrm/dss/hdmi4.c | 2 +- drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 7 +- drivers/gpu/drm/omapdrm/dss/hdmi5.c | 2 +- drivers/gpu/drm/omapdrm/omap_connector.c | 10 + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +- drivers/gpu/drm/omapdrm/tcm-sita.c | 2 +- drivers/hid/Kconfig | 7 +- drivers/hid/hid-ids.h | 8 + drivers/hid/hid-lenovo.c | 36 +++ drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +- drivers/hid/wacom_sys.c | 4 +- drivers/i2c/busses/i2c-pmcmsp.c | 4 +- drivers/i2c/busses/i2c-sprd.c | 22 +- drivers/i2c/busses/i2c-viperboard.c | 2 +- drivers/infiniband/Kconfig | 5 +- drivers/infiniband/core/cma.c | 60 +++-- drivers/infiniband/core/iwpm_util.c | 5 +- drivers/infiniband/core/mad.c | 4 +- drivers/infiniband/core/uverbs_ioctl.c | 9 + drivers/infiniband/hw/hfi1/affinity.c | 11 +- drivers/infiniband/hw/hfi1/init.c | 4 +- drivers/infiniband/sw/rxe/rxe_opcode.c | 2 +- drivers/infiniband/sw/rxe/rxe_req.c | 1 - drivers/infiniband/sw/rxe/rxe_resp.c | 6 +- drivers/infiniband/ulp/srp/Kconfig | 2 +- drivers/infiniband/ulp/srpt/Kconfig | 2 +- drivers/input/rmi4/rmi_spi.c | 7 +- drivers/input/touchscreen/atmel_mxt_ts.c | 186 ++++++++------ drivers/iommu/dmar.c | 2 +- drivers/net/can/dev.c | 2 +- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 + .../net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 3 +- drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +- drivers/net/phy/marvell.c | 9 + drivers/nvme/host/Kconfig | 2 +- drivers/nvme/host/core.c | 1 + drivers/nvme/host/fabrics.c | 6 + drivers/nvme/target/Kconfig | 2 +- drivers/pci/dwc/pcie-kirin.c | 2 +- drivers/remoteproc/qcom_q6v5_pil.c | 2 + drivers/rpmsg/rpmsg_char.c | 2 + drivers/s390/net/qeth_core_main.c | 2 +- drivers/s390/net/smsgiucv.c | 2 +- drivers/scsi/isci/port_config.c | 3 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 6 +- drivers/scsi/scsi_transport_iscsi.c | 29 ++- drivers/scsi/storvsc_drv.c | 7 +- drivers/scsi/vmw_pvscsi.c | 2 +- drivers/soc/bcm/raspberrypi-power.c | 2 +- drivers/spi/spi-bcm2835aux.c | 5 + drivers/spi/spi-cadence.c | 8 + drivers/spi/spi-sh-msiof.c | 1 + drivers/target/target_core_pscsi.c | 2 + drivers/tee/tee_core.c | 11 + drivers/thermal/int340x_thermal/int3403_thermal.c | 3 +- drivers/usb/musb/musb_host.c | 5 +- drivers/usb/musb/musb_host.h | 7 +- drivers/usb/musb/musb_virthub.c | 25 +- drivers/usb/typec/ucsi/Makefile | 2 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 3 +- fs/afs/rxrpc.c | 7 + fs/cifs/smb2ops.c | 6 + fs/ecryptfs/crypto.c | 41 ++- fs/ecryptfs/file.c | 21 +- fs/isofs/inode.c | 3 + fs/namespace.c | 2 +- fs/notify/fsnotify.c | 25 +- fs/ocfs2/refcounttree.c | 14 +- fs/proc/base.c | 6 + fs/proc/kcore.c | 23 +- fs/proc/task_mmu.c | 6 +- include/linux/clk-provider.h | 3 + include/linux/ethtool.h | 2 + include/linux/genhd.h | 4 +- include/linux/kvm_host.h | 8 +- include/linux/mtd/map.h | 2 +- include/linux/percpu-rwsem.h | 6 +- include/linux/rwsem.h | 6 + include/linux/sched.h | 50 +++- include/linux/sched/signal.h | 2 +- include/linux/stringhash.h | 4 +- include/soc/bcm2835/raspberrypi-firmware.h | 4 +- init/main.c | 7 + kernel/kthread.c | 7 +- kernel/locking/rwsem-xadd.c | 19 +- kernel/locking/rwsem.c | 2 - kernel/locking/rwsem.h | 30 ++- kernel/module.c | 5 + kernel/sched/core.c | 17 +- kernel/sched/deadline.c | 4 +- kernel/sched/rt.c | 2 - kernel/sched/sched.h | 5 +- kernel/signal.c | 17 +- kernel/stop_machine.c | 19 +- mm/memcontrol.c | 2 +- net/ipv6/netfilter/Kconfig | 55 ++-- net/key/af_key.c | 45 +++- net/mac80211/agg-tx.c | 4 + net/mac80211/mlme.c | 25 +- net/mac80211/tx.c | 3 +- net/netfilter/nf_tables_api.c | 2 +- net/rds/ib_cm.c | 3 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/local_object.c | 57 +++-- net/sched/act_skbedit.c | 3 +- net/smc/af_smc.c | 6 +- net/tipc/monitor.c | 2 +- net/tipc/node.c | 28 +- sound/soc/codecs/msm8916-wcd-analog.c | 9 +- sound/soc/codecs/rt5514.c | 3 + sound/soc/soc-topology.c | 6 +- tools/net/bpf_dbg.c | 7 +- tools/objtool/arch/x86/include/asm/insn.h | 18 ++ tools/objtool/check.c | 167 ++++++------ tools/objtool/elf.c | 42 ++- tools/objtool/elf.h | 2 + tools/perf/util/symbol.c | 8 +- .../inter-event/trigger-multi-actions-accept.tc | 44 ++++ tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/mov_ss_trap.c | 285 +++++++++++++++++++++ tools/testing/selftests/x86/mpx-mini-test.c | 7 +- tools/testing/selftests/x86/protection_keys.c | 254 ++++++++++++------ virt/kvm/arm/vgic/vgic-mmio-v2.c | 5 + 197 files changed, 2023 insertions(+), 743 deletions(-) create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc create mode 100644 tools/testing/selftests/x86/mov_ss_trap.c -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAlsYhUwACgkQ3qZv95d3 LNwvAA/7B6rEh6KBvJ5c3uklyLNuYAPfyDqqKErxQufYU6oZ+fVnxrSXSPEPiKjZ XZ13wR4v/+4LE8/a3bKTlfplyrs9CD5Ty+o9GTTwQ9lbtymu/aEOYqkYd4QW0VgV /jIEY+o/stGW5nPdKYxZVe7g3KYSmSYqWumoHIqzhrxa1eWd6s84+zo72h+QuWXI ahM2b14bDqc4Ku6JoCj7qLq6HJvfQyKLGZwn1QcGKbHjfmX+j1/ccBEVlxlSjGHu YuMlqbzD9YSB+J7js2H6ZMcFcGRMqh0QM9QZOvod0sOdP3o3HtZjmDRn2nyrxWd1 DLyQz1acj6bsnJhsEKRGJ2NGKRgcwPVGhJCUjhjOCb/wbfPOxNsJF4NOVAISJm3Z e6GHN3HWQq4F1JPqGArqa7kphFqLoOTZ/V4pE/iRw9PUq6wu+6vbB05CXBUiMc7t WvPtT37EnYMZwVK4Sto3wAjV9h8On4tY1KRZxv94rSDQpyupLP3KhxQF+XnBs6np XMY6A3Avq3M+giOT1BpZbZsHb5l7WhoTcpD75jUW9gT1pTxuArXdI2VYl2AsULqj 5KmV7JB6d7xHxH+/hoAbORREIFnyEXV6ib8NDDaUrZo5KN09jzwXKMgJU99wTJ8u U9v9kjv7P9fJeTdR8yfxTx0PpXHYKsOPU1Fqj54/6WWYd/gGjZA= =UirW -----END PGP SIGNATURE-----

7 years, 5 months

3
2
0 0

[patch 105/118] fs/binfmt_misc.c: do not allow offset overflow

by akpm＠linux-foundation.org

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _

7 years, 5 months

1
0
0 0

[patch 079/118] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset

by akpm＠linux-foundation.org

From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. SLAB is currently not affected, but in kernels older than 4.7 that don't yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") it is. That's at least 4.4 LTS. Older ones I'll have to check. So stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Acked-by: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _

7 years, 5 months

1
0
0 0

[patch 105/118] fs/binfmt_misc.c: do not allow offset overflow

by akpm＠linux-foundation.org

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _

7 years, 5 months

1
0
0 0

[patch 079/118] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset

by akpm＠linux-foundation.org

From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. SLAB is currently not affected, but in kernels older than 4.7 that don't yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") it is. That's at least 4.4 LTS. Older ones I'll have to check. So stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Acked-by: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _

7 years, 5 months

1
0
0 0

[PATCH] kvm: fix typo in flag name

by Michael S. Tsirkin

KVM_X86_DISABLE_EXITS_HTL really refers to exit on halt. Obviously a typo: should be named KVM_X86_DISABLE_EXITS_HLT. Fixes: caa057a2cad ("KVM: X86: Provide a capability to disable HLT intercepts") Cc: stable(a)vger.kernel.org Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> --- arch/x86/kvm/x86.c | 4 ++-- include/uapi/linux/kvm.h | 4 ++-- tools/include/uapi/linux/kvm.h | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 71e7cda6d014..dcc64e7d946d 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2894,7 +2894,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) r = KVM_CLOCK_TSC_STABLE; break; case KVM_CAP_X86_DISABLE_EXITS: - r |= KVM_X86_DISABLE_EXITS_HTL | KVM_X86_DISABLE_EXITS_PAUSE; + r |= KVM_X86_DISABLE_EXITS_HLT | KVM_X86_DISABLE_EXITS_PAUSE; if(kvm_can_mwait_in_guest()) r |= KVM_X86_DISABLE_EXITS_MWAIT; break; @@ -4248,7 +4248,7 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, if ((cap->args[0] & KVM_X86_DISABLE_EXITS_MWAIT) && kvm_can_mwait_in_guest()) kvm->arch.mwait_in_guest = true; - if (cap->args[0] & KVM_X86_DISABLE_EXITS_HTL) + if (cap->args[0] & KVM_X86_DISABLE_EXITS_HLT) kvm->arch.hlt_in_guest = true; if (cap->args[0] & KVM_X86_DISABLE_EXITS_PAUSE) kvm->arch.pause_in_guest = true; diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h index b02c41e53d56..39e364c70caf 100644 --- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -677,10 +677,10 @@ struct kvm_ioeventfd { }; #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0) -#define KVM_X86_DISABLE_EXITS_HTL (1 << 1) +#define KVM_X86_DISABLE_EXITS_HLT (1 << 1) #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2) #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \ - KVM_X86_DISABLE_EXITS_HTL | \ + KVM_X86_DISABLE_EXITS_HLT | \ KVM_X86_DISABLE_EXITS_PAUSE) /* for KVM_ENABLE_CAP */ diff --git a/tools/include/uapi/linux/kvm.h b/tools/include/uapi/linux/kvm.h index b02c41e53d56..39e364c70caf 100644 --- a/tools/include/uapi/linux/kvm.h +++ b/tools/include/uapi/linux/kvm.h @@ -677,10 +677,10 @@ struct kvm_ioeventfd { }; #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0) -#define KVM_X86_DISABLE_EXITS_HTL (1 << 1) +#define KVM_X86_DISABLE_EXITS_HLT (1 << 1) #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2) #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \ - KVM_X86_DISABLE_EXITS_HTL | \ + KVM_X86_DISABLE_EXITS_HLT | \ KVM_X86_DISABLE_EXITS_PAUSE) /* for KVM_ENABLE_CAP */ -- MST

7 years, 5 months

1
0
0 0

Apply 2ae89c7a82ea to all active branches

by Nathan Chancellor

Hi Greg, Please apply 2ae89c7a82ea ("kconfig: Avoid format overflow warning from GCC 8.1") to all active branches. I am rather tired of seeing these warnings every time I need to compile. It will apply cleanly. Thanks! Nathan

7 years, 5 months

2
1
0 0

panic at boot time with kernel >= 4.9.98 - uninitialized system_wq in early interrupt

by Max Asbock

We have been seeing kernel panics on certain systems with the 4.9.x stable kernel, where x >= 98. We captured the following panic message: [ 6.252000] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102 [ 6.261222] IP: [<ffffffff810a8ea2>] __queue_work+0x32/0x430 [ 6.267826] PGD 0 [ 6.269951] [ 6.271887] Oops: 0000 [#1] SMP [ 6.275576] Modules linked in: [ 6.279264] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.100 #1 [ 6.296760] task: ffffffff81c114c0 task.stack: ffffffff81c00000 [ 6.303564] RIP: 0010:[<ffffffff810a8ea2>] [<ffffffff810a8ea2>] __queue_work+0x32/0x430 [ 6.312997] RSP: 0000:ffff897a40403d98 EFLAGS: 00010046 [ 6.319120] RAX: 0000000000000082 RBX: 0000000000000046 RCX: 0000000000000000 [ 6.327282] RDX: ffffffff81d02300 RSI: 0000000000000000 RDI: 0000000000002000 [ 6.335443] RBP: ffff897a40403dd0 R08: 00000000d431dd4b R09: 0000000000000000 [ 6.343606] R10: ffff897a40403e08 R11: ffffffff8227615c R12: ffffffff81d02300 [ 6.351766] R13: 0000000000002000 R14: 0000000000000000 R15: ffffffff81a88ffd [ 6.359930] FS: 0000000000000000(0000) GS:ffff897a40400000(0000) knlGS:0000000000000000 [ 6.369274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6.375883] CR2: 0000000000000102 CR3: 0000000001c08000 CR4: 0000000000040630 [ 6.384045] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 6.392206] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 6.400366] Stack: [ 6.402801] 0000001000000000 0000200040403e08 0000000000000046 0000000000000002 [ 6.411723] ffffffff82275f40 ffff897a40403e08 ffffffff81a88ffd ffff897a40403de8 [ 6.420638] ffffffff810a9677 ffffffff82275f88 ffff897a40403e78 ffffffff8148dff4 [ 6.429554] Call Trace: [ 6.432473] <IRQ> [ 6.434698] [<ffffffff810a9677>] queue_work_on+0x27/0x40 [ 6.441121] [<ffffffff8148dff4>] crng_reseed+0x154/0x260 [ 6.447343] [<ffffffff8148e334>] credit_entropy_bits+0x234/0x2a0 [ 6.454343] [<ffffffff8148e77b>] ? add_interrupt_randomness+0x1bb/0x220 [ 6.462020] [<ffffffff8148e77b>] add_interrupt_randomness+0x1bb/0x220 [ 6.469506] [<ffffffff810ef8f0>] handle_irq_event_percpu+0x40/0x80 [ 6.476698] [<ffffffff810ef96b>] handle_irq_event+0x3b/0x60 [ 6.483211] [<ffffffff810f2e7f>] handle_level_irq+0x8f/0x110 [ 6.489823] [<ffffffff81030fd5>] handle_irq+0xb5/0x140 [ 6.495854] [<ffffffff81096651>] ? _local_bh_enable+0x21/0x50 [ 6.502562] [<ffffffff81038ab5>] ? __exit_idle+0x5/0x30 [ 6.508689] [<ffffffff817250cd>] do_IRQ+0x4d/0xe0 [ 6.514232] [<ffffffff81722ba0>] common_interrupt+0xa0/0xa0 [ 6.520744] <EOI> [ 6.522968] [<ffffffff81ddeb08>] ? vfs_caches_init+0xe1/0xe3 [ 6.529779] [<ffffffff81da212e>] start_kernel+0x451/0x4c8 [ 6.536096] [<ffffffff81da1acb>] ? set_init_arg+0x55/0x55 [ 6.542415] [<ffffffff81da1120>] ? early_idt_handler_array+0x120/0x120 [ 6.549995] [<ffffffff81da15d6>] x86_64_start_reservations+0x2a/0x2c [ 6.557381] [<ffffffff81da1714>] x86_64_start_kernel+0x13c/0x15f [ 6.564378] Code: 89 e5 41 57 41 56 49 89 f6 41 55 41 89 fd 41 54 49 89 d4 53 48 83 ec 10 89 7d d4 ff 14 25 80 86 c3 81 f6 c4 02 0f 85 1f 03 00 00 <41> f6 86 02 01 00 00 01 0f 85 b2 02 00 00 49 c7 c7 78 69 01 00 [ 6.591500] RIP [<ffffffff810a8ea2>] __queue_work+0x32/0x430 [ 6.598197] RSP <ffff897a40403d98> [ 6.602281] CR2: 0000000000000102 The NULL pointer dereference happens because the second argument to __queue_work is 0. The second argument is a struct workqueue_struct, specifically system_wq. This shows that an interrupt happened before the system_wq was initialized. We believe the problem was introduced with this commit: $ git show c3ff2da5cef05676d490fa9057b2dceb5e48cdb9 commit c3ff2da5cef05676d490fa9057b2dceb5e48cdb9 Author: Theodore Ts'o <tytso(a)mit.edu> Date: Mon Apr 23 18:51:28 2018 -0400 random: fix possible sleeping allocation from irq context commit 6c1e851c4edc13a43adb3ea4044e3fc8f43ccf7d upstream. We can do a sleeping allocation from an irq context when CONFIG_NUMA is enabled. Fix this by initializing the NUMA crng instances in a workqueue. Reported-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Reported-by: syzbot+9de458f6a5e713ee8c1a(a)syzkaller.appspotmail.com Fixes: 8ef35c866f8862df ("random: set up the NUMA crng instances...") Cc: stable(a)vger.kernel.org Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/char/random.c b/drivers/char/random.c index b979173..dbfb3e69 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -820,7 +820,7 @@ static int crng_fast_load(const char *cp, size_t len) } #ifdef CONFIG_NUMA -static void numa_crng_init(void) +static void do_numa_crng_init(struct work_struct *work) { int i; struct crng_state *crng; @@ -841,6 +841,13 @@ static void numa_crng_init(void) kfree(pool); } } + +static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init); + +static void numa_crng_init(void) +{ + schedule_work(&numa_crng_init_work); +} #else static void numa_crng_init(void) {} #endif Apparently we can't count on system_wq being initialized when schedule_work is called in numa_crng_init from an early interrupt. I don't understand the underlying code enough to propose a fix right away. thanks, Max

7 years, 5 months

2
3
0 0

[PATCH] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()

by Dan Williams

Mark notes that gcc optimization passes have the potential to elide necessary invocations of this instruction sequence, so include an optimization barrier. > I think that either way, we have a potential problem if the compiler > generates a branch dependent on the result of validate_index_nospec(). > > In that case, we could end up with codegen approximating: > > bool safe = false; > > if (idx < bound) { > idx = array_index_nospec(idx, bound); > safe = true; > } > > // this branch can be mispredicted > if (safe) { > foo = array[idx]; > } > > ... and thus we lose the nospec protection. I see GCC do this at -O0, but so far I haven't tricked it into doing this at -O1 or above. Regardless, I worry this is fragile -- GCC *can* generate code as per the above, even if it's unlikely to. Cc: <stable(a)vger.kernel.org> Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec") Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Ingo Molnar <mingo(a)kernel.org> Reported-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- arch/x86/include/asm/barrier.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 042b5e892ed1..41f7435c84a7 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -38,10 +38,11 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, { unsigned long mask; - asm ("cmp %1,%2; sbb %0,%0;" + asm volatile ("cmp %1,%2; sbb %0,%0;" :"=r" (mask) :"g"(size),"r" (index) :"cc"); + barrier(); return mask; }

7 years, 5 months

4
4
0 0

[PATCH v2 2/2] iommu/vt-d: fix dev iotlb pfsid use

by Jacob Pan

PFSID should be used in the invalidation descriptor for flushing device IOTLBs on SRIOV VFs. Signed-off-by: Jacob Pan <jacob.jun.pan(a)linux.intel.com> Cc: stable(a)vger.kernel.org Cc: "Ashok Raj" <ashok.raj(a)intel.com> Cc: "Lu Baolu" <baolu.lu(a)linux.intel.com> --- drivers/iommu/dmar.c | 6 +++--- drivers/iommu/intel-iommu.c | 17 ++++++++++++++++- include/linux/intel-iommu.h | 5 ++--- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index 460bed4..7852678 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -1339,8 +1339,8 @@ void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr, qi_submit_sync(&desc, iommu); } -void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, - u64 addr, unsigned mask) +void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, + u16 qdep, u64 addr, unsigned mask) { struct qi_desc desc; @@ -1355,7 +1355,7 @@ void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, qdep = 0; desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) | - QI_DIOTLB_TYPE; + QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid); qi_submit_sync(&desc, iommu); } diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index 3d77d61..8b533cc 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -1503,6 +1503,20 @@ static void iommu_enable_dev_iotlb(struct device_domain_info *info) return; pdev = to_pci_dev(info->dev); + /* For IOMMU that supports device IOTLB throttling (DIT), we assign + * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge + * queue depth at PF level. If DIT is not set, PFSID will be treated as + * reserved, which should be set to 0. + */ + if (!ecap_dit(info->iommu->ecap)) + info->pfsid = 0; + else { + struct pci_dev *pf_pdev; + + /* pdev will be returned if device is not a vf */ + pf_pdev = pci_physfn(pdev); + info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn); + } #ifdef CONFIG_INTEL_IOMMU_SVM /* The PCIe spec, in its wisdom, declares that the behaviour of @@ -1568,7 +1582,8 @@ static void iommu_flush_dev_iotlb(struct dmar_domain *domain, sid = info->bus << 8 | info->devfn; qdep = info->ats_qdep; - qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask); + qi_flush_dev_iotlb(info->iommu, sid, info->pfsid, + qdep, addr, mask); } spin_unlock_irqrestore(&device_domain_lock, flags); } diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h index af1c05f..7fd9fbae 100644 --- a/include/linux/intel-iommu.h +++ b/include/linux/intel-iommu.h @@ -456,9 +456,8 @@ extern void qi_flush_context(struct intel_iommu *iommu, u16 did, u16 sid, u8 fm, u64 type); extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr, unsigned int size_order, u64 type); -extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, - u64 addr, unsigned mask); - +extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, + u16 qdep, u64 addr, unsigned mask); extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu); extern int dmar_ir_support(void); -- 2.7.4

7 years, 5 months

1
0
0 0

[PATCH 4.16.y] netfilter: nf_flow_table: attach dst to skbs

by Jason A. Donenfeld

commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02 upstream. Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore loose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path. Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com> --- net/ipv4/netfilter/nf_flow_table_ipv4.c | 5 +++-- net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/nf_flow_table_ipv4.c b/net/ipv4/netfilter/nf_flow_table_ipv4.c index 0cd46bffa469..fc3923932eda 100644 --- a/net/ipv4/netfilter/nf_flow_table_ipv4.c +++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c @@ -213,7 +213,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, enum flow_offload_tuple_dir dir; struct flow_offload *flow; struct net_device *outdev; - const struct rtable *rt; + struct rtable *rt; struct iphdr *iph; __be32 nexthop; @@ -234,7 +234,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, dir = tuplehash->tuple.dir; flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); - rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache; + rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache; if (unlikely(nf_flow_exceeds_mtu(skb, rt))) return NF_ACCEPT; @@ -251,6 +251,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, skb->dev = outdev; nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb); return NF_STOLEN; diff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c b/net/ipv6/netfilter/nf_flow_table_ipv6.c index 207cb35569b1..2d6652146bba 100644 --- a/net/ipv6/netfilter/nf_flow_table_ipv6.c +++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c @@ -243,6 +243,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, skb->dev = outdev; nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb); return NF_STOLEN; -- 2.17.1

7 years, 5 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror