* [PATCH AUTOSEL 3.18 2/6] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
2019-05-16 11:41 [PATCH AUTOSEL 3.18 1/6] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
@ 2019-05-16 11:41 ` Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 3/6] vti4: ipip tunnel deregistration fixes Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2019-05-16 11:41 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Su Yanjun, Herbert Xu, Steffen Klassert, Sasha Levin, netdev
From: Su Yanjun <suyj.fnst@cn.fujitsu.com>
[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ]
When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly
frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
xfrm6_tunnel_spi, so need to wait it.
Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion")
Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/xfrm6_tunnel.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 56b72cada346f..f9d493c59d6c1 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(void)
xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
+ /* Someone maybe has gotten the xfrm6_tunnel_spi.
+ * So need to wait it.
+ */
+ rcu_barrier();
kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 3.18 3/6] vti4: ipip tunnel deregistration fixes.
2019-05-16 11:41 [PATCH AUTOSEL 3.18 1/6] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 2/6] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
@ 2019-05-16 11:41 ` Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 4/6] mac80211: Fix kernel panic due to use of txq after free Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2019-05-16 11:41 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jeremy Sowden, Steffen Klassert, Sasha Levin, netdev
From: Jeremy Sowden <jeremy@azazel.net>
[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ]
If tunnel registration failed during module initialization, the module
would fail to deregister the IPPROTO_COMP protocol and would attempt to
deregister the tunnel.
The tunnel was not deregistered during module-exit.
Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_vti.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index e224ca2ea1c06..ed6c6695912a2 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -618,9 +618,9 @@ static int __init vti_init(void)
return err;
rtnl_link_failed:
- xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
-xfrm_tunnel_failed:
xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+xfrm_tunnel_failed:
+ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
xfrm_proto_comp_failed:
xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
xfrm_proto_ah_failed:
@@ -635,6 +635,7 @@ static int __init vti_init(void)
static void __exit vti_fini(void)
{
rtnl_link_unregister(&vti_link_ops);
+ xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 3.18 4/6] mac80211: Fix kernel panic due to use of txq after free
2019-05-16 11:41 [PATCH AUTOSEL 3.18 1/6] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 2/6] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 3/6] vti4: ipip tunnel deregistration fixes Sasha Levin
@ 2019-05-16 11:41 ` Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 5/6] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 6/6] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2019-05-16 11:41 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Bhagavathi Perumal S, Toke Høiland-Jørgensen,
Johannes Berg, Sasha Levin, linux-wireless, netdev
From: Bhagavathi Perumal S <bperumal@codeaurora.org>
[ Upstream commit f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a ]
The txq of vif is added to active_txqs list for ATF TXQ scheduling
in the function ieee80211_queue_skb(), but it was not properly removed
before freeing the txq object. It was causing use after free of the txq
objects from the active_txqs list, result was kernel panic
due to invalid memory access.
Fix kernel invalid memory access by properly removing txq object
from active_txqs list before free the object.
Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index f4ce34670fa83..e052c11d8900a 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1764,6 +1764,9 @@ void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata)
list_del_rcu(&sdata->list);
mutex_unlock(&sdata->local->iflist_mtx);
+ if (sdata->vif.txq)
+ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
+
synchronize_rcu();
if (sdata->dev) {
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 3.18 5/6] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
2019-05-16 11:41 [PATCH AUTOSEL 3.18 1/6] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
` (2 preceding siblings ...)
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 4/6] mac80211: Fix kernel panic due to use of txq after free Sasha Levin
@ 2019-05-16 11:41 ` Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 6/6] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2019-05-16 11:41 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 4e9036042fedaffcd868d7f7aa948756c48c637d ]
To choose whether to pick the GID from the old (16bit) or new (32bit)
field, we should check if the old gid field is set to 0xffff. Mainline
checks the old *UID* field instead - cut'n'paste from the corresponding
code in ufs_get_inode_uid().
Fixes: 252e211e90ce
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ufs/util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ufs/util.h b/fs/ufs/util.h
index 9541759282409..ff25b83c16ceb 100644
--- a/fs/ufs/util.h
+++ b/fs/ufs/util.h
@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
case UFS_UID_44BSD:
return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
case UFS_UID_EFT:
- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
+ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
/* Fall through */
default:
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 3.18 6/6] perf bench numa: Add define for RUSAGE_THREAD if not present
2019-05-16 11:41 [PATCH AUTOSEL 3.18 1/6] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
` (3 preceding siblings ...)
2019-05-16 11:41 ` [PATCH AUTOSEL 3.18 5/6] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
@ 2019-05-16 11:41 ` Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2019-05-16 11:41 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Arnaldo Carvalho de Melo, Arnd Bergmann, Jiri Olsa,
linux-snps-arc, Namhyung Kim, Vineet Gupta, Sasha Levin
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit bf561d3c13423fc54daa19b5d49dc15fafdb7acc ]
While cross building perf to the ARC architecture on a fedora 30 host,
we were failing with:
CC /tmp/build/perf/bench/numa.o
bench/numa.c: In function ‘worker_thread’:
bench/numa.c:1261:12: error: ‘RUSAGE_THREAD’ undeclared (first use in this function); did you mean ‘SIGEV_THREAD’?
getrusage(RUSAGE_THREAD, &rusage);
^~~~~~~~~~~~~
SIGEV_THREAD
bench/numa.c:1261:12: note: each undeclared identifier is reported only once for each function it appears in
[perfbuilder@60d5802468f6 perf]$ /arc_gnu_2019.03-rc1_prebuilt_uclibc_le_archs_linux_install/bin/arc-linux-gcc --version | head -1
arc-linux-gcc (ARCv2 ISA Linux uClibc toolchain 2019.03-rc1) 8.3.1 20190225
[perfbuilder@60d5802468f6 perf]$
Trying to reproduce a report by Vineet, I noticed that, with just
cross-built zlib and numactl libraries, I ended up with the above
failure.
So, since RUSAGE_THREAD is available as a define, check for that and
numactl libraries, I ended up with the above failure.
So, since RUSAGE_THREAD is available as a define in the system headers,
check if it is defined in the 'perf bench numa' sources and define it if
not.
Now it builds and I have to figure out if the problem reported by Vineet
only takes place if we have libelf or some other library available.
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: linux-snps-arc@lists.infradead.org
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Link: https://lkml.kernel.org/n/tip-2wb4r1gir9xrevbpq7qp0amk@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/bench/numa.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
index 90d416ba76475..c00919df69172 100644
--- a/tools/perf/bench/numa.c
+++ b/tools/perf/bench/numa.c
@@ -30,6 +30,10 @@
#include <numa.h>
#include <numaif.h>
+#ifndef RUSAGE_THREAD
+# define RUSAGE_THREAD 1
+#endif
+
/*
* Regular printout to the terminal, supressed if -q is specified:
*/
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread