1. 12 11月, 2014 2 次提交
  2. 07 11月, 2014 1 次提交
    • Y
      PCI/MSI: Add pci_msi_ignore_mask to prevent writes to MSI/MSI-X Mask Bits · 38737d82
      Yijing Wang 提交于
      MSI-X vector Mask Bits are in MSI-X Tables in PCI memory space.  Xen PV
      guests can't write to those tables.  MSI vector Mask Bits are in PCI
      configuration space.  Xen PV guests can write to config space, but those
      writes are ignored.
      
      Commit 0e4ccb15 ("PCI: Add x86_msi.msi_mask_irq() and
      msix_mask_irq()") added a way to override default_mask_msi_irqs() and
      default_mask_msix_irqs() so they can be no-ops in Xen guests, but this is
      more complicated than necessary.
      
      Add "pci_msi_ignore_mask" in the core PCI MSI code.  If set,
      default_mask_msi_irqs() and default_mask_msix_irqs() return without doing
      anything.  This is less flexible, but much simpler.
      
      [bhelgaas: changelog]
      Signed-off-by: NYijing Wang <wangyijing@huawei.com>
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: NDavid Vrabel <david.vrabel@citrix.com>
      CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      CC: xen-devel@lists.xenproject.org
      38737d82
  3. 19 10月, 2014 1 次提交
  4. 18 10月, 2014 4 次提交
  5. 17 10月, 2014 1 次提交
  6. 16 10月, 2014 5 次提交
  7. 15 10月, 2014 17 次提交
    • A
      dmaengine: dw: export probe()/remove() and Co to users · 2a52f6e4
      Andy Shevchenko 提交于
      The driver library functions can be used directly by the compound devices such
      as ADSP or serial driver where DesignWare DMA IP is privately attached to the
      main hardware.
      
      Instead of creating a new platform device leaf they may call dw_dma_probe()
      with given struct dw_dma_chip directly and make sure that the main device is
      DMA capable.
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NVinod Koul <vinod.koul@intel.com>
      2a52f6e4
    • A
      dmaengine: dw: split dma-dw.h to platform and private parts · 3d588f83
      Andy Shevchenko 提交于
      The introduced include/linux/dma/dw.h is going to contain the private
      extensions and structures which are shared for dw_dmac users in the kernel.
      Meanwhile include/linux/platform_data/dma-dw.h keeps only platform related data
      types and definitions.
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NVinod Koul <vinod.koul@intel.com>
      3d588f83
    • A
      dmaengine: dw: move private definitions to regs.h · 46e8c83c
      Andy Shevchenko 提交于
      Since we don't allow user to set registers directly through private slave
      configuration we may move definitions to the regs.h because they are not used
      anywhere except core.c part.
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NVinod Koul <vinod.koul@intel.com>
      46e8c83c
    • M
      virtio: add API to enable VQs early · 3569db59
      Michael S. Tsirkin 提交于
      virtio spec 0.9.X requires DRIVER_OK to be set before
      VQs are used, but some drivers use VQs before probe
      function returns.
      Since DRIVER_OK is set after probe, this violates the spec.
      
      Even though under virtio 1.0 transitional devices support this
      behaviour, we want to make it possible for those early callers to become
      spec compliant and eventually support non-transitional devices.
      
      Add API for drivers to call before using VQs.
      
      Sets DRIVER_OK internally.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      3569db59
    • M
      virtio: defer config changed notifications · 22b7050a
      Michael S. Tsirkin 提交于
      Defer config changed notifications that arrive during
      probe/scan/freeze/restore.
      
      This will allow drivers to set DRIVER_OK earlier, without worrying about
      racing with config change interrupts.
      
      This change will also benefit old hypervisors (before 2009)
      that send interrupts without checking DRIVER_OK: previously,
      the callback could race with driver-specific initialization.
      
      This will also help simplify drivers.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (cosmetic changes)
      22b7050a
    • M
      virtio-pci: move freeze/restore to virtio core · c6716bae
      Michael S. Tsirkin 提交于
      This is in preparation to extending config changed event handling
      in core.
      Wrapping these in an API also seems to make for a cleaner code.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      c6716bae
    • M
      virtio: unify config_changed handling · 016c98c6
      Michael S. Tsirkin 提交于
      Replace duplicated code in all transports with a single wrapper in
      virtio.c.
      
      The only functional change is in virtio_mmio.c: if a buggy device sends
      us an interrupt before driver is set, we previously returned IRQ_NONE,
      now we return IRQ_HANDLED.
      
      As this must not happen in practice, this does not look like a big deal.
      
      See also commit 3fff0179
      	virtio-pci: do not oops on config change if driver not loaded.
      for the original motivation behind the driver check.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      016c98c6
    • M
      genl_magic: Resolve logical-op warnings · db404b13
      Mark Rustad 提交于
      Resolve "logical 'and' applied to non-boolean constant" warnings"
      that appear in W=2 builds by adding !! to a bit test.
      Signed-off-by: NMark Rustad <mark.d.rustad@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db404b13
    • A
      net: filter: move common defines into bpf_common.h · c15952dc
      Alexei Starovoitov 提交于
      userspace programs that use eBPF instruction macros need to include two files:
      uapi/linux/filter.h and uapi/linux/bpf.h
      Move common macro definitions that are shared between classic BPF and eBPF
      into uapi/linux/bpf_common.h, so that user app can include only one bpf.h file
      
      Cc: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c15952dc
    • I
      libceph: sync osd op definitions in rados.h · 70b5bfa3
      Ilya Dryomov 提交于
      Bring in missing osd ops and strings, use macros to eliminate multiple
      points of maintenance.
      Signed-off-by: NIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: NSage Weil <sage@redhat.com>
      70b5bfa3
    • F
      libceph: remove redundant declaration · eb179d39
      Fabian Frederick 提交于
      ceph_release_page_vector was defined twice in libceph.h
      Signed-off-by: NFabian Frederick <fabf@skynet.be>
      Signed-off-by: NIlya Dryomov <idryomov@redhat.com>
      eb179d39
    • Y
      libceph: reference counting pagelist · e4339d28
      Yan, Zheng 提交于
      this allow pagelist to present data that may be sent multiple times.
      Signed-off-by: NYan, Zheng <zyan@redhat.com>
      Reviewed-by: NSage Weil <sage@redhat.com>
      e4339d28
    • T
      isdn/capi: correct capi20_manufacturer argument type mismatch · 9ea8aa8d
      Tilman Schmidt 提交于
      Function capi20_manufacturer() is declared with unsigned int cmd
      argument but called with unsigned long.
      Fix by correcting the function prototype since the actual argument
      is part of the user visible API.
      
      Spotted with Coverity.
      Signed-off-by: NTilman Schmidt <tilman@imap.cc>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ea8aa8d
    • L
      ipv6: remove aca_lock spinlock from struct ifacaddr6 · 02ea8074
      Li RongQing 提交于
      no user uses this lock.
      Signed-off-by: NLi RongQing <roy.qing.li@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      02ea8074
    • A
      skbuff: fix ftrace handling in skb_unshare · 31eff81e
      Alexander Aring 提交于
      If the skb is not dropped afterwards we should run consume_skb instead
      kfree_skb. Inside of function skb_unshare we do always a kfree_skb,
      doesn't depend if skb_copy failed or was successful.
      
      This patch switch this behaviour like skb_share_check, if allocation of
      sk_buff failed we use kfree_skb otherwise consume_skb.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      31eff81e
    • D
      net: sctp: fix panic on duplicate ASCONF chunks · b69040d8
      Daniel Borkmann 提交于
      When receiving a e.g. semi-good formed connection scan in the
      form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---------------- ASCONF_a; ASCONF_b ----------------->
      
      ... where ASCONF_a equals ASCONF_b chunk (at least both serials
      need to be equal), we panic an SCTP server!
      
      The problem is that good-formed ASCONF chunks that we reply with
      ASCONF_ACK chunks are cached per serial. Thus, when we receive a
      same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
      not need to process them again on the server side (that was the
      idea, also proposed in the RFC). Instead, we know it was cached
      and we just resend the cached chunk instead. So far, so good.
      
      Where things get nasty is in SCTP's side effect interpreter, that
      is, sctp_cmd_interpreter():
      
      While incoming ASCONF_a (chunk = event_arg) is being marked
      !end_of_packet and !singleton, and we have an association context,
      we do not flush the outqueue the first time after processing the
      ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
      queued up, although we set local_cork to 1. Commit 2e3216cd
      changed the precedence, so that as long as we get bundled, incoming
      chunks we try possible bundling on outgoing queue as well. Before
      this commit, we would just flush the output queue.
      
      Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
      continue to process the same ASCONF_b chunk from the packet. As
      we have cached the previous ASCONF_ACK, we find it, grab it and
      do another SCTP_CMD_REPLY command on it. So, effectively, we rip
      the chunk->list pointers and requeue the same ASCONF_ACK chunk
      another time. Since we process ASCONF_b, it's correctly marked
      with end_of_packet and we enforce an uncork, and thus flush, thus
      crashing the kernel.
      
      Fix it by testing if the ASCONF_ACK is currently pending and if
      that is the case, do not requeue it. When flushing the output
      queue we may relink the chunk for preparing an outgoing packet,
      but eventually unlink it when it's copied into the skb right
      before transmission.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: NVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b69040d8
    • D
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · 9de7922b
      Daniel Borkmann 提交于
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: NVlad Yasevich <vyasevich@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9de7922b
  8. 14 10月, 2014 9 次提交