Zetsu bou #17
Open
Doors73 wants to merge 372 commits into CyanogenMod:cm-14.1 from BenefitA3:ZetsuBou
… support"" This reverts commit d5d677e. Conflicts: drivers/media/radio/radio-iris-transport.c Change-Id: If93d31bd69f12fe9a89c037c2a450892f695fb48
…ort"" This reverts commit 783b819. Change-Id: I23afcb94995d114f1c96da2a08c2be76f22973b2
…ing support""" This reverts commit 376853e.
… loading support""" This reverts commit 32ad035.
This reverts commit 610cdaa.
This reverts commit eded934.
Change-Id: I09b82dac174c1cff4eafee9adadb8a0ccd2361c4
Change-Id: I8d82b031f65401656704271e6583fee0ba82b503
* Their changes mostly already here for a long time, extracted from Lollipop kernel boot image when their source not available yet.
* I believe Wingtech developer inspired by WT88047 project. Their device tree structure much better now.
Change-Id: Ic24ea7e6c039152f236f904230a3cfddd323bf5d

* It's true, L source update already here for ages. In binary level, this is just 4 lines difference.
* And my own r61308 panel still hate esd-check-enabled.
Change-Id: I39ae8b023dd18c1ad1943f1258a52a7a600b9af5

Change-Id: I1bfb877e56c47cb2cd748e310fcabb69caf7fbc3
* Set battery status to discharge when usb is unplugged from Chao Chen <[email protected]>
* Without Wingtech device tree parsing white space error
* I have found 54 white space error in their original L source and 9 here.
Change-Id: Ibfb70354d936e24c9add18f7ff76e478bad2d049

* From L source drop, without their white space error Change-Id: I3ac5e44b863b4433c82b2af3f5221ca0a37c2afe

Creation of procfs cpu/vfp_bounce fails because we're initialized too early. Fix this by creating it on rootfs_initcall as before the NEON patches.

    [ 0.018452] VFP support v0.3: implementor 41 architecture 3 part 40 variant 3 rev 0
    [ 0.018472] ------------[ cut here ]------------
    [ 0.018492] WARNING: at fs/proc/generic.c:102 __xlate_proc_name+0xa0/0xb4()
    [ 0.018498] name 'cpu/vfp_bounce'
    [ 0.018535] [<c010af30>] (unwind_backtrace+0x0/0xe0) from [<c0109368>] (show_stack+0x10/0x14)
    [ 0.018552] [<c0109368>] (show_stack+0x10/0x14) from [<c012013c>] (warn_slowpath_common+0x48/0x68)
    [ 0.018568] [<c012013c>] (warn_slowpath_common+0x48/0x68) from [<c01201b4>] (warn_slowpath_fmt+0x2c/0x3c)
    [ 0.018585] [<c01201b4>] (warn_slowpath_fmt+0x2c/0x3c) from [<c0239bd0>] (__xlate_proc_name+0xa0/0xb4)
    [ 0.018604] [<c0239bd0>] (__xlate_proc_name+0xa0/0xb4) from [<c0239c30>] (__proc_create+0x4c/0xdc)
    [ 0.018622] [<c0239c30>] (__proc_create+0x4c/0xdc) from [<c023a118>] (proc_create_data+0x58/0x98)
    [ 0.018639] [<c023a118>] (proc_create_data+0x58/0x98) from [<c1102ee0>] (vfp_init+0x16c/0x1d8)
    [ 0.018656] [<c1102ee0>] (vfp_init+0x16c/0x1d8) from [<c1100ad8>] (do_one_initcall+0x8c/0x12c)
    [ 0.018675] [<c1100ad8>] (do_one_initcall+0x8c/0x12c) from [<c1100cf4>] (kernel_init_freeable+0x17c/0x244)
    [ 0.018695] [<c1100cf4>] (kernel_init_freeable+0x17c/0x244) from [<c0b69c2c>] (kernel_init+0x8/0xe4)
    [ 0.018715] [<c0b69c2c>] (kernel_init+0x8/0xe4) from [<c0105b58>] (ret_from_fork+0x14/0x3c)
    [ 0.018744] ---[ end trace 1b75b31a2719ed1c ]---
    [ 0.018750] Failed to create procfs node for VFP bounce reporting

Change-Id: Ic6904efc800f3c03d7226e7b035177c5c00ac26a
Signed-off-by: Paul Reioux <[email protected]>

This is a wakeup-enabled interrupt, so IRQF_NO_SUSPEND should be used in order to avoid delays during system suspend/resume and unbalanced IRQ enable.

    [10421.974049] ------------[ cut here ]------------
    [10421.974071] WARNING: at kernel/irq/manage.c:459 resume_irqs+0x6c/0x84()
    [10421.974077] Unbalanced enable for IRQ 61
    [10421.974125] [<c010af30>] (unwind_backtrace+0x0/0xe0) from [<c0109368>] (show_stack+0x10/0x14)
    [10421.974150] [<c0109368>] (show_stack+0x10/0x14) from [<c012013c>] (warn_slowpath_common+0x48/0x68)
    [10421.974175] [<c012013c>] (warn_slowpath_common+0x48/0x68) from [<c01201b4>] (warn_slowpath_fmt+0x2c/0x3c)
    [10421.974198] [<c01201b4>] (warn_slowpath_fmt+0x2c/0x3c) from [<c0169f90>] (resume_irqs+0x6c/0x84)
    [10421.974227] [<c0169f90>] (resume_irqs+0x6c/0x84) from [<c0489fcc>] (dpm_resume_noirq+0x1e4/0x200)
    [10421.974259] [<c0489fcc>] (dpm_resume_noirq+0x1e4/0x200) from [<c048a1f0>] (dpm_resume_start+0xc/0x18)
    [10421.974287] [<c048a1f0>] (dpm_resume_start+0xc/0x18) from [<c0163a80>] (suspend_devices_and_enter+0x2dc/0x3fc)
    [10421.974314] [<c0163a80>] (suspend_devices_and_enter+0x2dc/0x3fc) from [<c0163c60>] (pm_suspend+0xc0/0x1b4)
    [10421.974337] [<c0163c60>] (pm_suspend+0xc0/0x1b4) from [<c0162da0>] (state_store+0x40/0x68)
    [10421.974362] [<c0162da0>] (state_store+0x40/0x68) from [<c036eed4>] (kobj_attr_store+0x14/0x20)
    [10421.974390] [<c036eed4>] (kobj_attr_store+0x14/0x20) from [<c0240fd0>] (sysfs_write_file+0x104/0x148)
    [10421.974418] [<c0240fd0>] (sysfs_write_file+0x104/0x148) from [<c01ef454>] (vfs_write+0xd0/0x180)
    [10421.974443] [<c01ef454>] (vfs_write+0xd0/0x180) from [<c01ef5a4>] (SyS_write+0x38/0x68)
    [10421.974469] [<c01ef5a4>] (SyS_write+0x38/0x68) from [<c0105ac0>] (ret_fast_syscall+0x0/0x30)
    [10421.974478] ---[ end trace 1b75b31a2719eea6 ]---

Referenced https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?h=LA.BF.1.1.1.c3&id=66e0a4bf1d86782fc68291194086f3e0b198b2ee
Change-Id: I99ed884f03e6d3811a83e314d3073416a813e736

Change-Id: I242470f9d59176dfbabb6b185a06c58cb8ff520b
* Restore previous pmx_mdss and mdss_dsi config
* Use default MSM8916 modem and peripheral memory region
Change-Id: I20ac9268427cc36c2fb96960044c0511c4a166ba

* Write to RTC register trigger kernel crash Change-Id: I9a89e0367274315a3d418c7bfc9a6c1a92f79a8c
* Remove unnecessary XiaoMi copyright
* Clean up, formatting fix, and remove vendor debug codes
* Fix incorrect property strings, don't end-up as a buggy driver
Change-Id: I521821bdf99800c8bdb81ef02f5fc333b896586d

New Android CDD suggest that sensor event should synchronize with SystemClock.elapsedRealtimeNano() clock. Send boot time along with sensor events to represent the time the event happened as many as possible and synchronize with that clock.
Adapted from Bingzhe Cai <[email protected]> patch
Change-Id: I6e988f63768f23c587693037f1bdafc76ee7bd86

Change-Id: Ia5a090ca62d5e38dea78bac694ec5fc85dfd65d2
Change-Id: Ie39c11032552c4202d9807fe6939eaa88d477ee0
Change-Id: I18f8829e651b7e99bec9b707f6ab7b9ee2350f08
* Send boot time along with sensor events
  New Android CDD suggest that sensor event should synchronize with SystemClock.elapsedRealtimeNano() clock. Send boot time along with sensor events to represent the time the event happened as many as possible and synchronize with that clock.
  Adapted from Bingzhe Cai <[email protected]> patch
* Lower ambient light scaling value, same as stock
* Change device name, compatible to the current userspace sensor HAL
Change-Id: I3e567c0673dca849122b14f00343fddc3e70f695

Change-Id: Ib59bfb02089e7c88f54eddec738d41baf2fcfb18
…el_cyanogen_msm8916 into HEAD
Conflicts:
    arch/arm/boot/dts/qcom/Makefile
    drivers/platform/Kconfig
    drivers/platform/wingtech/Kconfig
    sound/soc/msm/msm8x16.c
Change-Id: Ibc9c6ed739ea62a9b912e2706715b758af0fdd8f

Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT on the devices currently using this kernel, to disallow all unpriv perf event use. Issue: CYNGNOS-3257 Change-Id: I6c116dcd097a3150ed310563b4d41f2e70990dc2
* And enable FiiO USB DAC Amp and N-Trig touch screen support Change-Id: I1325a68aa0d1986fe1817d83bf35f340f9a68d15
…el_cyanogen_msm8916 into HEAD
Conflicts:
    fs/f2fs/data.c
    fs/f2fs/f2fs.h
    fs/f2fs/super.c
Change-Id: I2a706839da7925e5be78aa98d77b8b014df02222

commit bd2cba07381a6dba60bc1c87ed8b37931d244da1 upstream (net-next).

This command is missing.

Change-Id: Ida52130382e42355e5f3b39134aa61a1ea98026d
Fixes: 3a2dfbe ("xfrm: Notify changes in UDP encapsulation via netlink")
CC: Martin Willi <[email protected]>
Reported-by: Stephen Smalley <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

commit 6436a123a147db51a0b06024a8350f4c230e73ff upstream.

Return a negative error value like the rest of the entries in this function.

Signed-off-by: Joe Perches <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

upstream commit 6f29997f4a3117169eeabd41dbea4c1bd94a739c

Add support for per-file labeling of debugfs files so that we can distinguish them in policy. This is particularly important in Android where certain debugfs files have to be writable by apps and therefore the debugfs directory tree can be read and searched by all. Since debugfs is entirely kernel-generated, the directory tree is immutable by userspace, and the inodes are pinned in memory, we can simply use the same approach as with proc and label the inodes from policy based on pathname from the root of the debugfs filesystem. Generalize the existing labeling support used for proc and reuse it for debugfs too.

[sds: Back-ported to 3.10. superblock_security_struct flags field is only unsigned char in 3.10 so we have to redefine SE_SBGENFS. However, this definition is kernel-private, not exposed to userspace or stored anywhere persistent.]

Change-Id: I6460fbed6bb6bd36eb8554ac8c4fdd574edf3b07
Signed-off-by: Stephen Smalley <[email protected]>

Support per-file labeling of sysfs and pstore files based on genfscon policy entries. This is safe because the sysfs and pstore directory tree cannot be manipulated by userspace, except to unlink pstore entries. This provides an alternative method of assigning per-file labeling to sysfs or pstore files without needing to set the labels from userspace on each boot. The advantages of this approach are that the labels are assigned as soon as the dentry is first instantiated and userspace does not need to walk the sysfs or pstore tree and set the labels on each boot. The limitations of this approach are that the labels can only be assigned based on pathname prefix matching. You can initially assign labels using this mechanism and then change them at runtime via setxattr if allowed to do so by policy.

Change-Id: If5999785fdc1d24d869b23ae35cd302311e94562
Signed-off-by: Stephen Smalley <[email protected]>
Suggested-by: Dominick Grift <[email protected]>

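An added illustration (not code from this pull request or from the kernel) of the pathname-prefix limitation that the debugfs and sysfs/pstore labeling commits above describe: a small user-space C model of genfscon lookup. The table's paths and labels are constructed, the longest-plain-string-prefix rule is this model's assumption about how entries are resolved, and `match_is_component_aligned` is a hypothetical audit helper.

```c
#include <stdio.h>
#include <string.h>

/* Constructed genfscon-style table. Paths and labels are illustrative only;
 * they are not copied from this kernel tree or from any shipped policy. */
struct genfs_entry {
    const char *fstype;   /* filesystem the entry applies to */
    const char *prefix;   /* pathname prefix from the filesystem root */
    const char *label;    /* security context assigned on match */
};

static const struct genfs_entry policy[] = {
    { "debugfs", "/",                     "u:object_r:debugfs:s0" },
    { "debugfs", "/tracing",              "u:object_r:debugfs_tracing:s0" },
    { "debugfs", "/tracing/trace_marker", "u:object_r:debugfs_trace_marker:s0" },
    { "sysfs",   "/",                     "u:object_r:sysfs:s0" },
    { "sysfs",   "/devices/system/cpu",   "u:object_r:sysfs_cpu:s0" },
};
#define N_ENTRIES (sizeof(policy) / sizeof(policy[0]))

/* Model assumption: an entry matches when its prefix is a plain string prefix
 * of the path, and the longest matching prefix wins. Returns NULL when the
 * filesystem has no entry at all (a caller would fall back to a default). */
const struct genfs_entry *genfs_lookup(const char *fstype, const char *path)
{
    const struct genfs_entry *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < N_ENTRIES; i++) {
        size_t len = strlen(policy[i].prefix);

        if (strcmp(policy[i].fstype, fstype) != 0)
            continue;
        if (strncmp(policy[i].prefix, path, len) != 0)
            continue;
        if (best == NULL || len > best_len) {
            best = &policy[i];
            best_len = len;
        }
    }
    return best;
}

/* Hypothetical audit helper for policy review. Returns 1 if the matched
 * prefix ends on a path component boundary, 0 if it only matched the first
 * part of a longer file or directory name (e.g. "/tracing" vs "/tracing_x"). */
int match_is_component_aligned(const struct genfs_entry *e, const char *path)
{
    size_t len = strlen(e->prefix);

    if (len > 0 && e->prefix[len - 1] == '/')
        return 1;
    return path[len] == '\0' || path[len] == '/';
}

/* Convenience wrapper: label string for a path, or NULL if nothing matches. */
const char *genfs_label(const char *fstype, const char *path)
{
    const struct genfs_entry *e = genfs_lookup(fstype, path);
    return e ? e->label : NULL;
}

int main(void)
{
    /* Constructed sample paths, relative to the debugfs root. */
    const char *paths[] = {
        "/tracing/trace_marker",
        "/tracing/events/enable",
        "/tracing_extra/state",   /* sibling name that shares the prefix */
        "/binder/state",
    };

    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        const struct genfs_entry *e = genfs_lookup("debugfs", paths[i]);

        printf("%-26s -> %-36s %s\n", paths[i], e ? e->label : "(none)",
               (e && !match_is_component_aligned(e, paths[i]))
                   ? "[prefix crosses a name boundary]" : "");
    }
    return 0;
}
```

Under this model, a sibling whose name merely starts with a labeled prefix inherits that label, which is the kind of over-broad match to look for when reviewing genfscon entries.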
Add proper OC frequency of 620MHz and remove 550MHz. 930/1.5 = 630 where 930MHz is the max rate of gpll2
This reverts commit 53917bb.
Signed-off-by: Francisco Franco <[email protected]>
Signed-off-by: Pranav Vashi <[email protected]>
* Completely re-written to work smoothly along with state notifier.
* Compatible with Kernel Adiutor Mod.
* This driver hotplugs based on frequency of the online cores.
Signed-off-by: Pranav Vashi <[email protected]>

* Rebased for crackling
* CleanUp DTS
* Renamed 'l8150' to 'crackling' for practical purposes
* Full work
* Tested

* Not tested
ottmi pushed a commit to ottmi/android_kernel_cyanogen_msm8916 that referenced this pull request Apr 11, 2017

Once we failed to merge inline data into inode page during flushing inline inode, we will skip invoking inode_dec_dirty_pages, which makes dirty page count incorrect, result in panic in ->evict_inode, Fix it.

    ------------[ cut here ]------------
    kernel BUG at /home/yuchao/git/devf2fs/inode.c:336!
    invalid opcode: 0000 [#1] PREEMPT SMP
    CPU: 3 PID: 10004 Comm: umount Tainted: G O 4.6.0-rc5+ #17
    Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    task: f0c33000 ti: c5212000 task.ti: c5212000
    EIP: 0060:[<f89aacb5>] EFLAGS: 00010202 CPU: 3
    EIP is at f2fs_evict_inode+0x85/0x490 [f2fs]
    EAX: 00000001 EBX: c4529ea0 ECX: 00000001 EDX: 00000000
    ESI: c0131000 EDI: f89dd0a0 EBP: c5213e9c ESP: c5213e78
    DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    CR0: 80050033 CR2: b75878c0 CR3: 1a36a700 CR4: 000406f0
    Stack:
     c4529ea0 c4529ef4 c5213e8c c176d45c c4529ef4 00000000 c4529ea0 c4529fac
     f89dd0a0 c5213eb0 c1204a68 c5213ed8 c452a2b4 c6680930 c5213ec0 c1204b64
     c6680d44 c6680620 c5213eec c120588 ee84b000 ee84b5c0 c5214000 ee84b5e0
    Call Trace:
     [<c176d45c>] ? _raw_spin_unlock+0x2c/0x50
     [<c1204a68>] evict+0xa8/0x170
     [<c1204b64>] dispose_list+0x34/0x50
     [<c120588d>] evict_inodes+0x10d/0x130
     [<c11ea941>] generic_shutdown_super+0x41/0xe0
     [<c1185190>] ? unregister_shrinker+0x40/0x50
     [<c1185190>] ? unregister_shrinker+0x40/0x50
     [<c11eac52>] kill_block_super+0x22/0x70
     [<f89af23e>] kill_f2fs_super+0x1e/0x20 [f2fs]
     [<c11eae1d>] deactivate_locked_super+0x3d/0x70
     [<c11eb383>] deactivate_super+0x43/0x60
     [<c1208ec9>] cleanup_mnt+0x39/0x80
     [<c1208f50>] __cleanup_mnt+0x10/0x20
     [<c107d091>] task_work_run+0x71/0x90
     [<c105725a>] exit_to_usermode_loop+0x72/0x9e
     [<c1001c7c>] do_fast_syscall_32+0x19c/0x1c0
     [<c176dd48>] sysenter_past_esp+0x45/0x74
    EIP: [<f89aacb5>] f2fs_evict_inode+0x85/0x490 [f2fs] SS:ESP 0068:c5213e78
    ---[ end trace d30536330b7fdc58 ]---

Signed-off-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>

beroid pushed a commit to beroid/android_kernel_cyanogen_msm8916 that referenced this pull request Jun 18, 2017

commit 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 upstream.

As Eric Dumazet pointed out this also needs to be fixed in IPv6.
v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.

We have seen a few incidents lately where a dst_entry has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A common crashing back trace is:

     #8 [] page_fault at ffffffff8163e648
        [exception RIP: __tcp_ack_snd_check+74]
    .
    .
     #9 [] tcp_rcv_established at ffffffff81580b64
    #10 [] tcp_v4_do_rcv at ffffffff8158b54a
    #11 [] tcp_v4_rcv at ffffffff8158cd02
    #12 [] ip_local_deliver_finish at ffffffff815668f4
    #13 [] ip_local_deliver at ffffffff81566bd9
    #14 [] ip_rcv_finish at ffffffff8156656d
    #15 [] ip_rcv at ffffffff81566f06
    #16 [] __netif_receive_skb_core at ffffffff8152b3a2
    #17 [] __netif_receive_skb at ffffffff8152b608
    #18 [] netif_receive_skb at ffffffff8152b690
    #19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
    #20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
    #21 [] net_rx_action at ffffffff8152bac2
    #22 [] __do_softirq at ffffffff81084b4f
    #23 [] call_softirq at ffffffff8164845c
    #24 [] do_softirq at ffffffff81016fc5
    #25 [] irq_exit at ffffffff81084ee5
    #26 [] do_IRQ at ffffffff81648ff8

Of course it may happen with other NIC drivers as well.

It's found the freed dst_entry here:

    static bool tcp_in_quickack_mode(struct sock *sk)
    {
        const struct inet_connection_sock *icsk = inet_csk(sk);
        const struct dst_entry *dst = __sk_dst_get(sk);

        return (dst && dst_metric(dst, RTAX_QUICKACK)) ||
            (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);
    }

But there are other backtraces attributed to the same freed dst_entry in netfilter code as well.

All the vmcores showed 2 significant clues:

- Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable.
- All vmcores showed a positive LockDroppedIcmps value, e.g:

    LockDroppedIcmps 267

A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via:

    do_redirect()->__sk_dst_check()-> dst_release().

Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash.

To fix this skip do_redirect() if user space has the socket locked. Instead let the redirect take place later when user space does not have the socket locked.

The dccp/IPv6 code is very similar in this respect, so fixing it there too.

As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release().

Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.")
Cc: Eric Garver <[email protected]>
Cc: Hannes Sowa <[email protected]>
Signed-off-by: Jon Maxwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Willy Tarreau <[email protected]>

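An added illustration (not code from this commit or from the kernel) of the double release that the commit message above describes: a single-threaded C model that replays one interleaving of the user-context path and the ICMP redirect path, with and without the "skip if user space owns the socket" check. All `*_model` types and functions are hypothetical simplifications, and the interleaving itself is an assumption consistent with the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for struct dst_entry and struct sock. */
struct dst_model {
    int  refcnt;     /* one reference per socket caching this entry */
    bool obsolete;   /* route was invalidated, so a check drops it */
    bool freed;      /* set when the last reference goes away */
};

struct sock_model {
    struct dst_model *dst_cache;   /* models sk->sk_dst_cache */
    bool owned_by_user;            /* models sock_owned_by_user(sk) */
};

static void dst_release_model(struct dst_model *d)
{
    if (--d->refcnt == 0)
        d->freed = true;
}

/* The dst check is split in two so the model can place another context
 * between "sample the cached pointer" and "clear the slot and release". */
static struct dst_model *dst_check_begin(struct sock_model *sk)
{
    struct dst_model *d = sk->dst_cache;

    return (d != NULL && d->obsolete) ? d : NULL;
}

static void dst_check_finish(struct sock_model *sk, struct dst_model *d)
{
    sk->dst_cache = NULL;
    dst_release_model(d);
}

/* Redirect handling as run from the ICMP error path. With patched == true
 * the redirect is skipped while user context owns the socket. */
static void icmp_redirect_model(struct sock_model *sk, bool patched)
{
    struct dst_model *d;

    if (patched && sk->owned_by_user)
        return;
    d = dst_check_begin(sk);
    if (d != NULL)
        dst_check_finish(sk, d);
}

/* Replays the interleaving and returns the refcount left on the shared
 * entry. *dangling is set when the entry was freed while socket b still
 * caches a pointer to it. */
int run_interleaving(bool patched, bool *dangling)
{
    struct dst_model dst = { 2, true, false };   /* held by a and b */
    struct sock_model a = { &dst, true };         /* user context owns a */
    struct sock_model b = { &dst, false };
    struct dst_model *seen;

    seen = dst_check_begin(&a);          /* user context samples the pointer */
    icmp_redirect_model(&a, patched);    /* ICMP redirect arrives in between */
    if (seen != NULL)
        dst_check_finish(&a, seen);      /* user context drops "its" reference */

    *dangling = dst.freed && b.dst_cache == &dst;
    return dst.refcnt;
}

int main(void)
{
    bool dangling;
    int left;

    left = run_interleaving(false, &dangling);
    printf("unpatched: refcnt=%d dangling=%d\n", left, dangling);
    left = run_interleaving(true, &dangling);
    printf("patched:   refcnt=%d dangling=%d\n", left, dangling);
    return 0;
}
```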
beroid pushed a commit to beroid/android_kernel_cyanogen_msm8916 that referenced this pull request Jun 19, 2017
beroid pushed a commit to beroid/android_kernel_cyanogen_msm8916 that referenced this pull request Jun 19, 2017
beroid pushed a commit to beroid/android_kernel_cyanogen_msm8916 that referenced this pull request Jun 20, 2017
No description provided.