From: Greg Kroah-Hartman Date: Mon, 30 Apr 2018 18:36:55 +0000 (-0700) Subject: 4.14-stable patches X-Git-Tag: v4.16.7~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2890fa2d93fc181417352846423dfb8a62398f80;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-don-t-call-update_pmtu-unconditionally.patch powerpc-eeh-fix-race-with-driver-un-bind.patch --- diff --git a/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch b/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch new file mode 100644 index 00000000000..41d46d75c89 --- /dev/null +++ b/queue-4.14/net-don-t-call-update_pmtu-unconditionally.patch @@ -0,0 +1,152 @@ +From f15ca723c1ebe6c1a06bc95fda6b62cd87b44559 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Thu, 25 Jan 2018 19:03:03 +0100 +Subject: net: don't call update_pmtu unconditionally + +From: Nicolas Dichtel + +commit f15ca723c1ebe6c1a06bc95fda6b62cd87b44559 upstream. + +Some dst_ops (e.g. md_dst_ops)) doesn't set this handler. It may result to: +"BUG: unable to handle kernel NULL pointer dereference at (null)" + +Let's add a helper to check if update_pmtu is available before calling it. + +Fixes: 52a589d51f10 ("geneve: update skb dst pmtu on tx path") +Fixes: a93bf0ff4490 ("vxlan: update skb dst pmtu on tx path") +CC: Roman Kapl +CC: Xin Long +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +[backport to 4.14.y by thomas] +Cc: Thomas Deutschmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +-- + drivers/net/vxlan.c | 6 ++---- + include/net/dst.h | 8 ++++++++ + net/ipv4/ip_tunnel.c | 3 +-- + net/ipv4/ip_vti.c | 2 +- + net/ipv6/ip6_tunnel.c | 5 ++--- + net/ipv6/ip6_vti.c | 2 +- + net/ipv6/sit.c | 4 ++-- + 8 files changed, 18 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c +@@ -1447,8 +1447,7 @@ void ipoib_cm_skb_too_long(struct net_de + struct ipoib_dev_priv *priv = ipoib_priv(dev); + int e = skb_queue_empty(&priv->cm.skb_queue); + +- if (skb_dst(skb)) +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + + skb_queue_tail(&priv->cm.skb_queue, skb); + if (e) +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2158,8 +2158,7 @@ static void vxlan_xmit_one(struct sk_buf + if (skb_dst(skb)) { + int mtu = dst_mtu(ndst) - VXLAN_HEADROOM; + +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, +- skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + } + + tos = ip_tunnel_ecn_encap(tos, old_iph, skb); +@@ -2200,8 +2199,7 @@ static void vxlan_xmit_one(struct sk_buf + if (skb_dst(skb)) { + int mtu = dst_mtu(ndst) - VXLAN6_HEADROOM; + +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, +- skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + } + + tos = ip_tunnel_ecn_encap(tos, old_iph, skb); +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -520,4 +520,12 @@ static inline struct xfrm_state *dst_xfr + } + #endif + ++static inline void skb_dst_update_pmtu(struct sk_buff *skb, u32 mtu) ++{ ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (dst && dst->ops->update_pmtu) ++ dst->ops->update_pmtu(dst, NULL, skb, mtu); ++} ++ + #endif /* _NET_DST_H */ +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -521,8 +521,7 @@ static int tnl_update_pmtu(struct net_de + else + mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; + +- if (skb_dst(skb)) +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + + if (skb->protocol == htons(ETH_P_IP)) { + if (!skb_is_gso(skb) && +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -209,7 +209,7 @@ static netdev_tx_t vti_xmit(struct sk_bu + + mtu = dst_mtu(dst); + if (skb->len > mtu) { +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + if (skb->protocol == htons(ETH_P_IP)) { + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(mtu)); +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -652,7 +652,7 @@ ip4ip6_err(struct sk_buff *skb, struct i + if (rel_info > dst_mtu(skb_dst(skb2))) + goto out; + +- skb_dst(skb2)->ops->update_pmtu(skb_dst(skb2), NULL, skb2, rel_info); ++ skb_dst_update_pmtu(skb2, rel_info); + } + if (rel_type == ICMP_REDIRECT) + skb_dst(skb2)->ops->redirect(skb_dst(skb2), NULL, skb2); +@@ -1141,8 +1141,7 @@ route_lookup: + mtu = 576; + } + +- if (skb_dst(skb) && !t->parms.collect_md) +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) { + *pmtu = mtu; + err = -EMSGSIZE; +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -486,7 +486,7 @@ vti6_xmit(struct sk_buff *skb, struct ne + + mtu = dst_mtu(dst); + if (!skb->ignore_df && skb->len > mtu) { +- skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu); ++ skb_dst_update_pmtu(skb, mtu); + + if (skb->protocol == htons(ETH_P_IPV6)) { + if (mtu < IPV6_MIN_MTU) +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -925,8 +925,8 @@ static netdev_tx_t ipip6_tunnel_xmit(str + df = 0; + } + +- if (tunnel->parms.iph.daddr && skb_dst(skb)) +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ if (tunnel->parms.iph.daddr) ++ skb_dst_update_pmtu(skb, mtu); + + if (skb->len > mtu && !skb_is_gso(skb)) { + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); diff --git a/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch b/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch new file mode 100644 index 00000000000..992b2790a34 --- /dev/null +++ b/queue-4.14/powerpc-eeh-fix-race-with-driver-un-bind.patch @@ -0,0 +1,247 @@ +From f0295e047fcf52ccb42561fb7de6942f5201b676 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Mon, 26 Mar 2018 15:17:07 +1100 +Subject: powerpc/eeh: Fix race with driver un/bind + +From: Michael Neuling + +commit f0295e047fcf52ccb42561fb7de6942f5201b676 upstream. + +The current EEH callbacks can race with a driver unbind. This can +result in a backtraces like this: + + EEH: Frozen PHB#0-PE#1fc detected + EEH: PE location: S000009, PHB location: N/A + CPU: 2 PID: 2312 Comm: kworker/u258:3 Not tainted 4.15.6-openpower1 #2 + Workqueue: nvme-wq nvme_reset_work [nvme] + Call Trace: + dump_stack+0x9c/0xd0 (unreliable) + eeh_dev_check_failure+0x420/0x470 + eeh_check_failure+0xa0/0xa4 + nvme_reset_work+0x138/0x1414 [nvme] + process_one_work+0x1ec/0x328 + worker_thread+0x2e4/0x3a8 + kthread+0x14c/0x154 + ret_from_kernel_thread+0x5c/0xc8 + nvme nvme1: Removing after probe failure status: -19 + + cpu 0x23: Vector: 300 (Data Access) at [c000000ff50f3800] + pc: c0080000089a0eb0: nvme_error_detected+0x4c/0x90 [nvme] + lr: c000000000026564: eeh_report_error+0xe0/0x110 + sp: c000000ff50f3a80 + msr: 9000000000009033 + dar: 400 + dsisr: 40000000 + current = 0xc000000ff507c000 + paca = 0xc00000000fdc9d80 softe: 0 irq_happened: 0x01 + pid = 782, comm = eehd + Linux version 4.15.6-openpower1 (smc@smc-desktop) (gcc version 6.4.0 (Buildroot 2017.11.2-00008-g4b6188e)) #2 SM P Tue Feb 27 12:33:27 PST 2018 + enter ? for help + eeh_report_error+0xe0/0x110 + eeh_pe_dev_traverse+0xc0/0xdc + eeh_handle_normal_event+0x184/0x4c4 + eeh_handle_event+0x30/0x288 + eeh_event_handler+0x124/0x170 + kthread+0x14c/0x154 + ret_from_kernel_thread+0x5c/0xc8 + +The first part is an EEH (on boot), the second half is the resulting +crash. nvme probe starts the nvme_reset_work() worker thread. This +worker thread starts touching the device which see a device error +(EEH) and hence queues up an event in the powerpc EEH worker +thread. nvme_reset_work() then continues and runs +nvme_remove_dead_ctrl_work() which results in unbinding the driver +from the device and hence releases all resources. At the same time, +the EEH worker thread starts doing the EEH .error_detected() driver +callback, which no longer works since the resources have been freed. + +This fixes the problem in the same way the generic PCIe AER code (in +drivers/pci/pcie/aer/aerdrv_core.c) does. It makes the EEH code hold +the device_lock() while performing the driver EEH callbacks and +associated code. This ensures either the callbacks are no longer +register, or if they are registered the driver will not be removed +from underneath us. + +This has been broken forever. The EEH call backs were first introduced +in 2005 (in 77bd7415610) but it's not clear if a lock was needed back +then. + +Fixes: 77bd74156101 ("[PATCH] powerpc: PCI Error Recovery: PPC64 core recovery routines") +Cc: stable@vger.kernel.org # v2.6.16+ +Signed-off-by: Michael Neuling +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh_driver.c | 61 ++++++++++++++++++++++++--------------- + 1 file changed, 38 insertions(+), 23 deletions(-) + +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -207,18 +207,18 @@ static void *eeh_report_error(void *data + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_frozen; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_disable_irq(dev); + + if (!driver->err_handler || +- !driver->err_handler->error_detected) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ !driver->err_handler->error_detected) ++ goto out; + + rc = driver->err_handler->error_detected(dev, pci_channel_io_frozen); + +@@ -227,7 +227,10 @@ static void *eeh_report_error(void *data + if (*res == PCI_ERS_RESULT_NONE) *res = rc; + + edev->in_error = true; ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -250,15 +253,14 @@ static void *eeh_report_mmio_enabled(voi + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; + ++ device_lock(&dev->dev); + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + if (!driver->err_handler || + !driver->err_handler->mmio_enabled || +- (edev->mode & EEH_DEV_NO_HANDLER)) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ (edev->mode & EEH_DEV_NO_HANDLER)) ++ goto out; + + rc = driver->err_handler->mmio_enabled(dev); + +@@ -266,7 +268,10 @@ static void *eeh_report_mmio_enabled(voi + if (rc == PCI_ERS_RESULT_NEED_RESET) *res = rc; + if (*res == PCI_ERS_RESULT_NONE) *res = rc; + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -289,20 +294,20 @@ static void *eeh_report_reset(void *data + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_normal; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_enable_irq(dev); + + if (!driver->err_handler || + !driver->err_handler->slot_reset || + (edev->mode & EEH_DEV_NO_HANDLER) || +- (!edev->in_error)) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ (!edev->in_error)) ++ goto out; + + rc = driver->err_handler->slot_reset(dev); + if ((*res == PCI_ERS_RESULT_NONE) || +@@ -310,7 +315,10 @@ static void *eeh_report_reset(void *data + if (*res == PCI_ERS_RESULT_DISCONNECT && + rc == PCI_ERS_RESULT_NEED_RESET) *res = rc; + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -361,10 +369,12 @@ static void *eeh_report_resume(void *dat + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_normal; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + was_in_error = edev->in_error; + edev->in_error = false; +@@ -374,13 +384,15 @@ static void *eeh_report_resume(void *dat + !driver->err_handler->resume || + (edev->mode & EEH_DEV_NO_HANDLER) || !was_in_error) { + edev->mode &= ~EEH_DEV_NO_HANDLER; +- eeh_pcid_put(dev); +- return NULL; ++ goto out; + } + + driver->err_handler->resume(dev); + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -400,22 +412,25 @@ static void *eeh_report_failure(void *da + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_perm_failure; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_disable_irq(dev); + + if (!driver->err_handler || +- !driver->err_handler->error_detected) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ !driver->err_handler->error_detected) ++ goto out; + + driver->err_handler->error_detected(dev, pci_channel_io_perm_failure); + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 239a864cd49..405da929ad5 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -87,3 +87,5 @@ x86-microcode-intel-save-microcode-patch-unconditionally.patch x86-microcode-do-not-exit-early-from-__reload_late.patch tick-sched-do-not-mess-with-an-enqueued-hrtimer.patch arm-arm64-kvm-add-psci-version-selection-api.patch +powerpc-eeh-fix-race-with-driver-un-bind.patch +net-don-t-call-update_pmtu-unconditionally.patch