Merge "omap non-urgent fixes for v3.20, part 2" from Tony Lindgren:
Non-critical fixes for omap hwmod code via Paul Walmsley <paul@pwsan.com>:
First set of OMAP2+ hwmod patches for Linux v3.20. These are mostly
fixes for warnings, although there's one DRA7xx patch that fixes
CONFIG_DEBUG_LL for AM572x/DRA7xx SoCs that use UART3 for console,
such as the BeagleBoard-X15.
These patches entered Linux-next starting with the next-20150121 tag.
Basic build, boot, and PM test results can be found here:
http://www.pwsan.com/omap/testlogs/omap-hwmod-a-for-v3.20/20150121142621/
* tag 'omap-for-v3.20/fixes-not-urgent-pt2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3
ARM: OMAP: DRA7: hwmod: Make gpmc software supervised as the smart idle is broken
ARM: AM43xx: hwmod: set DSS submodule parent hwmods
ARM: OMAP2+: hwmod: print error if wait_target_ready() failed
MAINTAINERS: add maintainer for OMAP hwmod data
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "at91: dt for 3.20 #2" from Nicolas Ferre:
Second DT batch for 3.20:
- correct some pin configuration for at91sam9x5ek
- add pioD on sama5d4 following a modification of pinctrl driver
- add more precise nand compatibility string for sama5d4
- audio modifications for wm8904 or ac97
* tag 'at91-dt2' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91:
ARM: at91/dt: sam9263: Add ac97 device node
dt: atmel_ac97c: Add device tree documentation
ARM: at91: at91sam9n12ek/dt: use dt ids for wm8904
ARM: at91: sama5d3xek/dt: use dt ids for wm8904
ARM: at91: sama5d4: dts: change the nand compatible string
ARM: at91/dt: sama5d4: add pioD controller
ARM: at91/dt: disable pull-up on vbus-gpio (PB16) to reduce power consumption
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "Allwinner device tree changes for 3.20" from Maxime Ripard:
A lot of changes to the device tree for the 3.20 merge window, mostly with:
- More DT license convertions, only two DTS and two DTSI are still uncertain
and have not been converted yet
- Use the C-preprocessor includes in the device trees.
- Add support for the A31s SoC and improve the A80 support
- Add IR receiver, lradc, PS/2 support
- Add cpufreq support for all SoCs but the A23 and A80.
- And a lot of new boards
* tag 'sunxi-dt-for-3.20' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: (64 commits)
ARM: dts: sun5i: Enable axp209 support on A13-OLinuxIno
ARM: sunxi: dts: Add A10/A20 PS2 pin muxing options
ARM: sunxi: dts: Add PS2 nodes to dtsi for A10,A20
ARM: dts: sun6i: Add resistive touchscreen controller node to dtsi
ARM: dts: sun4i: Add Hyundau A7HD board
ARM: dts: sun4i: Add Marsboard A10 board
ARM: dts: sun9i: Enable mmc2 on A80 Optimus Board
ARM: dts: sun9i: Add 8 bit mmc pinmux setting for mmc2
ARM: dts: sun9i: Enable mmc0 on A80 Optimus Board
ARM: dts: sun9i: Convert a80 optimus board dts to label referencing
ARM: dts: sun9i: Add mmc controller nodes to the A80 dtsi
ARM: dts: sun9i: Add mmc config clock nodes
ARM: dts: sunxi: Add missing mdio label
ARM: dts: sun5i: Add mk802_a10s board
ARM: dts: sun4i: Add mk802ii board
ARM: dts: sun4i: Add mk802 board
ARM: dts: sun4i: Add dts file for Chuwi V7 CW0825 tablet
ARM: dts: sun7i: Add dts file for Bananapro board
ARM: sun6i: Enable ARM arch timers
ARM: dts: sun6i: Convert hummingbird a31 dts to label references
...
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "Allwinner core changes for 3.20" from Maxime Ripard:
- Support for the A31s
- Adding support for cpufreq using cpufreq-dt
* tag 'sunxi-core-for-3.20' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
ARM: sunxi: Register cpufreq-dt for sun[45678]i
ARM: sunxi: Add "allwinner,sun6i-a31s" to mach-sunxi
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "Allwinner defconfig changes for 3.20" from Maxime Ripard:
Defconfig changes for both sunxi and multi_v7 defconfig in order to add the
cpufreq-related drivers and the PMIC drivers.
* tag 'sunxi-defconfig-for-3.20' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
ARM: sunxi: Add AXP20x support multi_v7_defconfig
ARM: sunxi: Add AXP20x support in defconfig
ARM: multi_v7_defconfig: Enable TOUCHSCREEN_SUN4I, CPU_THERMAL
ARM: sunxi_defconfig: Enable TOUCHSCREEN_SUN4I, CPUFREQ_DT, CPU_THERMAL
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "Allwinner fixes for 3.19" from Maxime Ripard:
Allwinner fixes for 3.19
A few minor fixes for the 3.19 kernel:
- The 8250 uart driver now respects the aliases, which pointed out that we
were using them wrong. Fixed them.
- The simplefb pipeline that was used on the A10 caused flickering and
tearing, and rendered it pretty much useless. Added a new simplefb node
with another pipeline that removes this issue. Note that we need to keep
the old node because u-boot 2015.01 uses it.
- Added a fix for the USB phy node on sun4i/sun5i
* tag 'sunxi-fixes-for-3.19' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
ARM: sunxi: dt: Fix aliases
ARM: dts: sun4i: Add simplefb node with de_fe0-de_be0-lcd0-hdmi pipeline
ARM: dts: sun6i: ippo-q8h-v5: Fix serial0 alias
ARM: dts: sunxi: Fix usb-phy support for sun4i/sun5i
Signed-off-by: Olof Johansson <olof@lixom.net>
Chanwoo writes:
Update extcon for v3.20
This patchset fix minor issue of extcon driver.
Detailed description for patchset:
- Remove duplicate header file in extcon-class.c and add 'const' keyword for
array in extcon-max77693.c.
- Release iio channel when executing *_remove() function in extcon-adc-jack.c
Felipe writes:
usb: fixes for v3.19-rc6
Just two fixes pending. A fix USB PHY for non-OF case and
a fix for dwc2 running on samsung SoC.
Signed-off-by: Felipe Balbi <balbi@ti.com>
When CONFIG_PRINTK=n, log_buf_addr_get() returns NULL and log_buf_len_get()
return 0. Check for these return values and skip registering the dump buffer.
Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Reviewed-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
RTAS events require arguments be passed in big endian while hypercalls
have their arguments passed in registers and the values should therefore
be in CPU endian.
The "ibm,suspend_me" 'RTAS' call makes a sequence of hypercalls to setup
one true RTAS call. This means that "ibm,suspend_me" is handled
specially in the ppc_rtas() syscall.
The ppc_rtas() syscall has its arguments in big endian and can therefore
pass these arguments directly to the RTAS call. "ibm,suspend_me" is
handled specially from within ppc_rtas() (by calling rtas_ibm_suspend_me())
which has left an endian bug on little endian systems due to the
requirement of hypercalls. The return value from rtas_ibm_suspend_me()
gets returned in cpu endian, and is left unconverted, also a bug on
little endian systems.
rtas_ibm_suspend_me() does not actually make use of the rtas_args that
it is passed. This patch removes the convoluted use of the rtas_args
struct to pass params to rtas_ibm_suspend_me() in favour of passing what
it needs as actual arguments. This patch also ensures the two callers of
rtas_ibm_suspend_me() pass function parameters in cpu endian and in the
case of ppc_rtas(), converts the return value.
migrate_store() (the other caller of rtas_ibm_suspend_me()) is from a
sysfs file which deals with everything in cpu endian so this function
only underwent cleanup.
This patch has been tested with KVM both LE and BE and on PowerVM both
LE and BE. Under QEMU/KVM the migration happens without touching these
code pathes.
For PowerVM there is no obvious regression on BE and the LE code path
now provides the correct parameters to the hypervisor.
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Merge "Samsung DT updates for v3.20" from Kukjin Kim:
- exynos3250
: add exynos_usbphy node and hsotg nodes
- exynos3250-rinato
: enable usb
: cleanup and use macro for gpio-keys
: add fimd and Panel devices support
- exynos3250-monk
: enable usb
: cleanup and use macro for gpio-keys
- exynos5250-snow
: add power and lid gpio-keys pinctrl
- exynos5420-peach-pit and exynos5800-peach-pi
: configure regulators for suspend
: set always on for USB webCam regulators
: add lid GPIO key device
- exynos5422
: add support new board Odroid XU3
- dt-bindings
: add exynos-chipid
* tag 'samsung-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
ARM: dts: Configure regulators for suspend on exynos Peach boards
ARM: dts: Set Peach boards USB WebCam regulators to always on
ARM: dts: Add lid GPIO key device node for Peach boards
ARM: dts: Add power and lid GPIO keys pinctrl for exynos5250-snow
Documentation: dt-bindings: add exynos-chipid binding information
ARM: dts: add Panel device support for exynos3250-rinato
ARM: dts: add fimd device support for exynos3250-rinato
ARM: dts: use macro in gpio keys for exynos3250 boards
ARM: dts: remove unnecessary gpio-key nodes for exynos3250 boards
ARM: dts: Enable USB node for exynos3250-monk
ARM: dts: Enable USB node for exynos3250-rinato
ARM: dts: Add hsotg node for exynos3250
ARM: dts: Add exynos_usbphy node for exynos3250
ARM: dts: Add dts file for Odroid XU3 board
Signed-off-by: Olof Johansson <olof@lixom.net>
Merge "at91: cleanup/soc for 3.20 #3 (bis) from Nicolas Ferre:
Third batch of cleanup/soc for 3.20:
- several fixes and adjustments following the last cleanup batch
- removal of some unused Kconfig options
- slight PM and pm_idle rework to ease future rework
- removal of unneeded mach/system_rev.h
* tag 'at91-cleanup3' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91:
ARM: at91: pm: remove warning to remove SOC_AT91SAM9263 usage
ARM: at91: remove unused mach/system_rev.h
ARM: at91: stop using HAVE_AT91_DBGUx
ARM: at91: fix ordering of SRAM and PM initialization
ARM: at91: sam9: set arm_pm_idle from sam9_dt_device_init
ARM: at91: fix sam9n12 and sam9x5 arm_pm_idle
ARM: at91: mark const init data with __initconst instead of __initdata
ARM: at91: fix PM initialization for newer SoCs
ARM: at91: fix Kconfig.debug by adding DEBUG_AT91_UART option
Signed-off-by: Olof Johansson <olof@lixom.net>
The entries are separated as ARM V4/V5 and ARM V7 as some other per-SoC config
options may be removed in the near future.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
If CONFIG_CIFS_WEAK_PW_HASH is not set, CIFSSEC_MUST_LANMAN
and CIFSSEC_MUST_PLNTXT is defined as 0.
When setting new SecurityFlags without any MUST flags,
your flags would be overwritten with CIFSSEC_MUST_LANMAN (0).
Signed-off-by: Niklas Cassel <niklass@axis.com>
Signed-off-by: Steve French <steve.french@primarydata.com>
Another set of last-minute fixes:
* fix station double-removal when suspending while associating
* fix the HT (802.11n) header length calculation
* fix the CCK radiotap flag used for monitoring, a pretty
old regression but a simple one-liner
* fix per-station group-key handling
Signed-off-by: David S. Miller <davem@davemloft.net>
Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f886497212 ("ipv4: fix dst race in sk_dst_get()").
Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU. Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.
Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.
This issue was discovered by Marcelo Leitner.
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Arnaud Ebalard <arno@natisbad.org>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Arnaud Ebalard <arno@natisbad.org>
Acked-by: Benoit Masson <yahoo@perenite.com>
Acked-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Marcin Wojtas <mw@semihalf.com>
Acked-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The current GPL only licensing on the device tree makes it very
impractical for other software components licensed under another
license.
In order to make it easier for them to reuse our device trees,
relicense our device trees under a GPL/X11 dual-license.
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Acked-by: Arnaud Ebalard <arno@natisbad.org>
Fix compilation warning:
drivers/net/ethernet/cadence/macb.c:2415:12: warning: 'macb_suspend'
defined but not used [-Wunused-function]
static int macb_suspend(struct device *dev)
drivers/net/ethernet/cadence/macb.c:2432:12: warning: 'macb_resume'
defined but not used [-Wunused-function]
static int macb_resume(struct device *dev)
when CONFIG_PM=y, CONFIG_PM_SLEEP=n are used.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexei Starovoitov says:
====================
bpf: fix two bugs
Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
hash map is unordered, so get_next_key() iterator shouldn't
rely on particular order of elements. So relax this test.
Fixes: ffb65f27a1 ("bpf: add a testsuite for eBPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
BUG: sleeping function called from invalid context at mm/memory.c:3732
in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
1 lock held by test_maps/671:
#0: (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
Call Trace:
([<0000000000115b7e>] show_trace+0x12e/0x150)
[<0000000000115c40>] show_stack+0xa0/0x100
[<00000000009b163c>] dump_stack+0x74/0xc8
[<000000000017424a>] ___might_sleep+0x23a/0x248
[<00000000002b58e8>] might_fault+0x70/0xe8
[<0000000000264230>] map_lookup_elem+0x188/0x260
[<0000000000264716>] SyS_bpf+0x20e/0x840
Fix it by allocating temporary buffer to store map element value.
Fixes: db20fd2b01 ("bpf: add lookup/update/delete/iterate methods to BPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The driver is trying to acquire clocks which maybe
are not available yet. Allow the driver to request
deffered probe by providing a probe function and
registering it with module_platform_driver. [1]
This patch is based on 3.19-rc5.
[1] https://lkml.org/lkml/2013/9/23/118
Signed-off-by: Nicolae Rosia <nicolae.rosia@certsign.ro>
Signed-off-by: David S. Miller <davem@davemloft.net>
When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c6 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c6 ...
[ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[ 533.940559] PGD 5030f2067 PUD 0
[ 533.957104] Oops: 0000 [#1] SMP
[ 533.974283] Modules linked in: sctp mlx4_en [...]
[ 534.939704] Call Trace:
[ 534.951833] [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[ 534.984213] [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[ 535.015025] [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[ 535.045661] [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[ 535.074593] [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[ 535.105239] [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[ 535.138606] [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[ 535.166848] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
... or depending on the the application, for example this one:
[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632] [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863] [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154] [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679] [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
With slab debugging enabled, we can see that the poison has been overwritten:
[ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
[ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[ 669.826424] __slab_alloc+0x4bf/0x566
[ 669.826433] __kmalloc+0x280/0x310
[ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp]
[ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[ 669.826635] __slab_free+0x39/0x2a8
[ 669.826643] kfree+0x1d6/0x230
[ 669.826650] kzfree+0x31/0x40
[ 669.826666] sctp_auth_key_put+0x19/0x20 [sctp]
[ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp]
[ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp]
Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).
Reference counting of auth keys revisited:
Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or enpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.
User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().
sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
intitial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independant of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a
("net: sctp: fix memory leak in auth key management") is independant of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.
Fixes: 730fc3d05c ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The flows are hashed on the sending node address, which allows us
to spread out the TIPC link processing to RPS enabled cores. There
is no point to include the destination address in the hash as that
will always be the same for all inbound links. We have experimented
with a 3-tuple hash over [srcnode, sport, dport], but this showed to
give slightly lower performance because of increased lock contention
when the same link was handled by multiple cores.
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
