1. 23 7月, 2015 8 次提交
    • A
      kvm/x86: move Hyper-V MSR's/hypercall code into hyperv.c file · e83d5887
      Andrey Smetanin 提交于
      This patch introduce Hyper-V related source code file - hyperv.c and
      per vm and per vcpu hyperv context structures.
      All Hyper-V MSR's and hypercall code moved into hyperv.c.
      All Hyper-V kvm/vcpu fields moved into appropriate hyperv context
      structures. Copyrights and authors information copied from x86.c
      to hyperv.c.
      Signed-off-by: NAndrey Smetanin <asmetanin@virtuozzo.com>
      Signed-off-by: NDenis V. Lunev <den@openvz.org>
      Reviewed-by: NPeter Hornyack <peterhornyack@google.com>
      CC: Paolo Bonzini <pbonzini@redhat.com>
      CC: Gleb Natapov <gleb@kernel.org>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      e83d5887
    • E
      KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions · f9eb4af6
      Eugene Korenevsky 提交于
      According to Intel SDM several checks must be applied for memory operands
      of VMX instructions.
      
      Long mode: #GP(0) or #SS(0) depending on the segment must be thrown
      if the memory address is in a non-canonical form.
      
      Protected mode, checks in chronological order:
      - The segment type must be checked with access type (read or write) taken
      into account.
      	For write access: #GP(0) must be generated if the destination operand
      		is located in a read-only data segment or any code segment.
      	For read access: #GP(0) must be generated if if the source operand is
      		located in an execute-only code segment.
      - Usability of the segment must be checked. #GP(0) or #SS(0) depending on the
      	segment must be thrown if the segment is unusable.
      - Limit check. #GP(0) or #SS(0) depending on the segment must be
      	thrown if the memory operand effective address is outside the segment
      	limit.
      Signed-off-by: NEugene Korenevsky <ekorenevsky@gmail.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      f9eb4af6
    • P
      KVM: x86: rename quirk constants to KVM_X86_QUIRK_* · 0da029ed
      Paolo Bonzini 提交于
      Make them clearly architecture-dependent; the capability is valid for
      all architectures, but the argument is not.
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      0da029ed
    • X
      KVM: vmx: obey KVM_QUIRK_CD_NW_CLEARED · fb279950
      Xiao Guangrong 提交于
      OVMF depends on WB to boot fast, because it only clears caches after
      it has set up MTRRs---which is too late.
      
      Let's do writeback if CR0.CD is set to make it happy, similar to what
      SVM is already doing.
      Signed-off-by: NXiao Guangrong <guangrong.xiao@intel.com>
      Tested-by: NAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      fb279950
    • P
      KVM: x86: introduce kvm_check_has_quirk · 41dbc6bc
      Paolo Bonzini 提交于
      The logic of the disabled_quirks field usually results in a double
      negation.  Wrap it in a simple function that checks the bit and
      negates it.
      
      Based on a patch from Xiao Guangrong.
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      41dbc6bc
    • X
      KVM: MTRR: simplify kvm_mtrr_get_guest_memory_type · 3e5d2fdc
      Xiao Guangrong 提交于
      kvm_mtrr_get_guest_memory_type never returns -1 which is implied
      in the current code since if @type = -1 (means no MTRR contains the
      range), iter.partial_map must be true
      
      Simplify the code to indicate this fact
      Signed-off-by: NXiao Guangrong <guangrong.xiao@intel.com>
      Tested-by: NAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      3e5d2fdc
    • X
      KVM: MTRR: fix memory type handling if MTRR is completely disabled · 10dc331f
      Xiao Guangrong 提交于
      Currently code uses default memory type if MTRR is fully disabled,
      fix it by using UC instead.
      Signed-off-by: NXiao Guangrong <guangrong.xiao@intel.com>
      Tested-by: NAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      10dc331f
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · c5dfd654
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Don't use shared bluetooth antenna in iwlwifi driver for management
          frames, from Emmanuel Grumbach.
      
       2) Fix device ID check in ath9k driver, from Felix Fietkau.
      
       3) Off by one in xen-netback BUG checks, from Dan Carpenter.
      
       4) Fix IFLA_VF_PORT netlink attribute validation, from Daniel Borkmann.
      
       5) Fix races in setting peeked bit flag in SKBs during datagram
          receive.  If it's shared we have to clone it otherwise the value can
          easily be corrupted.  Fix from Herbert Xu.
      
       6) Revert fec clock handling change, causes regressions.  From Fabio
          Estevam.
      
       7) Fix use after free in fq_codel and sfq packet schedulers, from WANG
          Cong.
      
       8) ipvlan bug fixes (memory leaks, missing rcu_dereference_bh, etc.)
          from WANG Cong and Konstantin Khlebnikov.
      
       9) Memory leak in act_bpf packet action, from Alexei Starovoitov.
      
      10) ARM bpf JIT bug fixes from Nicolas Schichan.
      
      11) Fix backwards compat of ANY_LAYOUT in virtio_net driver, from
          Michael S Tsirkin.
      
      12) Destruction of bond with different ARP header types not handled
          correctly, fix from Nikolay Aleksandrov.
      
      13) Revert GRO receive support in ipv6 SIT tunnel driver, causes
          regressions because the GRO packets created cannot be processed
          properly on the GSO side if we forward the frame.  From Herbert Xu.
      
      14) TCCR update race and other fixes to ravb driver from Sergei
          Shtylyov.
      
      15) Fix SKB leaks in caif_queue_rcv_skb(), from Eric Dumazet.
      
      16) Fix panics on packet scheduler filter replace, from Daniel Borkmann.
      
      17) Make sure AF_PACKET sees properly IP headers in defragmented frames
          (via PACKET_FANOUT_FLAG_DEFRAG option), from Edward Hyunkoo Jee.
      
      18) AF_NETLINK cannot hold mutex in RCU callback, fix from Florian
          Westphal.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (84 commits)
        ravb: fix ring memory allocation
        net: phy: dp83867: Fix warning check for setting the internal delay
        openvswitch: allocate nr_node_ids flow_stats instead of num_possible_nodes
        netlink: don't hold mutex in rcu callback when releasing mmapd ring
        ARM: net: fix vlan access instructions in ARM JIT.
        ARM: net: handle negative offsets in BPF JIT.
        ARM: net: fix condition for load_order > 0 when translating load instructions.
        tcp: suppress a division by zero warning
        drivers: net: cpsw: remove tx event processing in rx napi poll
        inet: frags: fix defragmented packet's IP header for af_packet
        net: mvneta: fix refilling for Rx DMA buffers
        stmmac: fix setting of driver data in stmmac_dvr_probe
        sched: cls_flow: fix panic on filter replace
        sched: cls_flower: fix panic on filter replace
        sched: cls_bpf: fix panic on filter replace
        net/mdio: fix mdio_bus_match for c45 PHY
        net: ratelimit warnings about dst entry refcount underflow or overflow
        caif: fix leaks and race in caif_queue_rcv_skb()
        qmi_wwan: add the second QMI/network interface for Sierra Wireless MC7305/MC7355
        ravb: fix race updating TCCR
        ...
      c5dfd654
  2. 22 7月, 2015 19 次提交
  3. 21 7月, 2015 13 次提交
    • S
      net: mvneta: fix refilling for Rx DMA buffers · a84e3289
      Simon Guinot 提交于
      With the actual code, if a memory allocation error happens while
      refilling a Rx descriptor, then the original Rx buffer is both passed
      to the networking stack (in a SKB) and let in the Rx ring. This leads
      to various kernel oops and crashes.
      
      As a fix, this patch moves Rx descriptor refilling ahead of building
      SKB with the associated Rx buffer. In case of a memory allocation
      failure, data is dropped and the original DMA buffer is put back into
      the Rx ring.
      Signed-off-by: NSimon Guinot <simon.guinot@sequanux.org>
      Fixes: c5aff182 ("net: mvneta: driver for Marvell Armada 370/XP network unit")
      Cc: <stable@vger.kernel.org> # v3.8+
      Tested-by: NYoann Sculo <yoann@sculo.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a84e3289
    • J
      stmmac: fix setting of driver data in stmmac_dvr_probe · a7a62685
      Joachim Eastwood 提交于
      Commit 803f8fc4 ("stmmac: move driver data setting into
      stmmac_dvr_probe") mistakenly set priv and not priv->dev as
      driver data. This meant that the remove, resume and suspend
      callbacks that fetched and tried to use this data would most
      likely explode. Fix the issue by using the correct variable.
      
      Fixes: 803f8fc4 ("stmmac: move driver data setting into stmmac_dvr_probe")
      Signed-off-by: NJoachim Eastwood <manabian@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a7a62685
    • D
      Merge branch 'sch_panic' · 053c26f3
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      Couple of classifier fixes
      
      This fixes a couple of panics in the form of (analogous for
      cls_flow{,er}):
      
      [  912.759276] BUG: unable to handle kernel NULL pointer dereference at (null)
      [  912.759373] IP: [<ffffffffa09d4d6d>] cls_bpf_change+0x23d/0x268 [cls_bpf]
      [  912.759441] PGD 8783c067 PUD 5f684067 PMD 0
      [  912.759491] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
      [  912.759543] Modules linked in: cls_bpf(E) act_gact [...]
      [  912.772734] CPU: 3 PID: 10489 Comm: tc Tainted: G        W   E   4.2.0-rc2+ #73
      [  912.775004] Hardware name: Apple Inc. MacBookAir5,1/Mac-66F35F19FE2A0D05, BIOS MBA51.88Z.00EF.B02.1211271028 11/27/2012
      [  912.777327] task: ffff88025eaa8000 ti: ffff88005f734000 task.ti: ffff88005f734000
      [  912.779662] RIP: 0010:[<ffffffffa09d4d6d>]  [<ffffffffa09d4d6d>] cls_bpf_change+0x23d/0x268 [cls_bpf]
      [  912.781991] RSP: 0018:ffff88005f7379c8  EFLAGS: 00010286
      [  912.784183] RAX: ffff880201d64e48 RBX: 0000000000000000 RCX: ffff880201d64e40
      [  912.786402] RDX: 0000000000000000 RSI: ffffffffa09d51c0 RDI: ffffffffa09d51a6
      [  912.788625] RBP: ffff88005f737a68 R08: 0000000000000000 R09: 0000000000000000
      [  912.790854] R10: 0000000000000001 R11: 0000000000000001 R12: ffff880078ab5a80
      [  912.793082] R13: ffff880232b31570 R14: ffff88005f737ae0 R15: ffff8801e215d1d0
      [  912.795181] FS:  00007f3c0c80d740(0000) GS:ffff880265400000(0000) knlGS:0000000000000000
      [  912.797281] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  912.799402] CR2: 0000000000000000 CR3: 000000005460f000 CR4: 00000000001407e0
      [  912.799403] Stack:
      [  912.799407]  ffffffff00000000 ffff88023ea18000 000000005f737a08 0000000000000000
      [  912.799415]  ffffffff81f06140 ffff880201d64e40 0000000000000000 ffff88023ea1804c
      [  912.799418]  0000000000000000 ffff88023ea18044 ffff88023ea18030 ffff88023ea18038
      [  912.799418] Call Trace:
      [  912.799437]  [<ffffffff816d5685>] tc_ctl_tfilter+0x335/0x910
      [  912.799443]  [<ffffffff813622a8>] ? security_capable+0x48/0x60
      [  912.799448]  [<ffffffff816b90e5>] rtnetlink_rcv_msg+0x95/0x240
      [  912.799454]  [<ffffffff810f612d>] ? trace_hardirqs_on+0xd/0x10
      [  912.799456]  [<ffffffff816b902f>] ? rtnetlink_rcv+0x1f/0x40
      [  912.799459]  [<ffffffff816b902f>] ? rtnetlink_rcv+0x1f/0x40
      [  912.799461]  [<ffffffff816b9050>] ? rtnetlink_rcv+0x40/0x40
      [  912.799464]  [<ffffffff816df38f>] netlink_rcv_skb+0xaf/0xc0
      [  912.799467]  [<ffffffff816b903e>] rtnetlink_rcv+0x2e/0x40
      [  912.799469]  [<ffffffff816deaef>] netlink_unicast+0xef/0x1b0
      [  912.799471]  [<ffffffff816defa0>] netlink_sendmsg+0x3f0/0x620
      [  912.799476]  [<ffffffff81687028>] sock_sendmsg+0x38/0x50
      [  912.799479]  [<ffffffff81687938>] ___sys_sendmsg+0x288/0x290
      [  912.799482]  [<ffffffff810f7852>] ? __lock_acquire+0x572/0x2050
      [  912.799488]  [<ffffffff810265db>] ? native_sched_clock+0x2b/0x90
      [  912.799493]  [<ffffffff8116135f>] ? __audit_syscall_entry+0xaf/0x100
      [  912.799497]  [<ffffffff8116135f>] ? __audit_syscall_entry+0xaf/0x100
      [  912.799501]  [<ffffffff8112aa19>] ? current_kernel_time+0x69/0xd0
      [  912.799505]  [<ffffffff81266f16>] ? __fget_light+0x66/0x90
      [  912.799508]  [<ffffffff81688812>] __sys_sendmsg+0x42/0x80
      [  912.799510]  [<ffffffff81688862>] SyS_sendmsg+0x12/0x20
      [  912.799515]  [<ffffffff817f9a6e>] entry_SYSCALL_64_fastpath+0x12/0x76
      [  912.799540] Code: 4d 88 49 8b 57 08 48 89 51 08 49 8b 57 10 48 89 c8 48 83 c0 08 48
                           89 51 10 48 8b 51 10 48 c7 c6 c0 51 9d a0 48 c7 c7 a6 51 9d a0 <48>
                           89 02 48 8b 51 08 48 89 42 08 48 b8 00 02 20 00 00 00 ad de
      [  912.799544] RIP  [<ffffffffa09d4d6d>] cls_bpf_change+0x23d/0x268 [cls_bpf]
      [  912.799544]  RSP <ffff88005f7379c8>
      [  912.799545] CR2: 0000000000000000
      [  912.807380] ---[ end trace a6440067cfdc7c29 ]---
      
      I've split them into 3 patches, so they can be backported easier
      when needed.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      053c26f3
    • D
      sched: cls_flow: fix panic on filter replace · 32b2f4b1
      Daniel Borkmann 提交于
      The following test case causes a NULL pointer dereference in cls_flow:
      
        tc filter add dev foo parent 1: handle 0x1 flow hash keys dst action ok
        tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
                  flow hash keys mark action drop
      
      To be more precise, actually two different panics are fixed, the first
      occurs because tcf_exts_init() is not called on the newly allocated
      filter when we do a replace. And the second panic uncovered after that
      happens since the arguments of list_replace_rcu() are swapped, the old
      element needs to be the first argument and the new element the second.
      
      Fixes: 70da9f0b ("net: sched: cls_flow use RCU")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      32b2f4b1
    • D
      sched: cls_flower: fix panic on filter replace · ff3532f2
      Daniel Borkmann 提交于
      The following test case causes a NULL pointer dereference in cls_flower:
      
        tc filter add dev foo parent 1: flower eth_type ipv4 action ok flowid 1:1
        tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
                  flower eth_type ipv6 action ok flowid 1:1
      
      The problem is that commit 77b9900e ("tc: introduce Flower classifier")
      accidentally swapped the arguments of list_replace_rcu(), the old
      element needs to be the first argument and the new element the second.
      
      Fixes: 77b9900e ("tc: introduce Flower classifier")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NJiri Pirko <jiri@resnulli.us>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ff3532f2
    • D
      sched: cls_bpf: fix panic on filter replace · f6bfc46d
      Daniel Borkmann 提交于
      The following test case causes a NULL pointer dereference in cls_bpf:
      
        FOO="1,6 0 0 4294967295,"
        tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok
        tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
                  bpf bytecode "$FOO" flowid 1:1 action drop
      
      The problem is that commit 1f947bf1 ("net: sched: rcu'ify cls_bpf")
      accidentally swapped the arguments of list_replace_rcu(), the old
      element needs to be the first argument and the new element the second.
      
      Fixes: 1f947bf1 ("net: sched: rcu'ify cls_bpf")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NJohn Fastabend <john.r.fastabend@intel.com>
      Acked-by: NAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f6bfc46d
    • D
      Merge tag 'mac80211-for-davem-2015-07-17' of... · 27dfead1
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2015-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Some fixes for the current cycle:
      
       1. Arik introduced an rtnl-locked regulatory API to be able
          to differentiate between place do/don't have the RTNL;
          this fixes missing locking in some of the code paths
      
       2. Two small mesh bugfixes from Bob, one to avoid treating
          a certain malformed over-the-air frame and one to avoid
          sending a garbage field over the air.
      
       3. A fix for powersave during WoWLAN suspend from Krishna Chaitanya.
      
       4. A fix for a powersave vs. aggregation teardown race, from Michal.
      
       5. Thomas reduced the loglevel of CRDA messages to avoid spamming
          the kernel log with mostly irrelevant information.
      
       6. Tom fixed a dangling debugfs directory pointer that could cause
          crashes if subsequent addition of the same interface to debugfs
          failed for some reason.
      
       7. A fix from myself for a list corruption issue in mac80211 during
          combined interface shutdown/removal - shut down interfaces first
          and only then remove them to avoid that.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      27dfead1
    • S
      net/mdio: fix mdio_bus_match for c45 PHY · e0536cd9
      Shaohui Xie 提交于
      We store c45 PHY's id information in c45_ids, so it should be used to
      check the matching between PHY driver and PHY device for c45 PHY.
      Signed-off-by: NShaohui Xie <Shaohui.Xie@freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e0536cd9
    • K
      net: ratelimit warnings about dst entry refcount underflow or overflow · 8bf4ada2
      Konstantin Khlebnikov 提交于
      Kernel generates a lot of warnings when dst entry reference counter
      overflows and becomes negative. That bug was seen several times at
      machines with outdated 3.10.y kernels. Most like it's already fixed
      in upstream. Anyway that flood completely kills machine and makes
      further debugging impossible.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8bf4ada2
    • E
      caif: fix leaks and race in caif_queue_rcv_skb() · b8a23e8d
      Eric Dumazet 提交于
      1) If sk_filter() is applied, skb was leaked (not freed)
      2) Testing SOCK_DEAD twice is racy :
         packet could be freed while already queued.
      3) Remove obsolete comment about caching skb->len
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b8a23e8d
    • R
      qmi_wwan: add the second QMI/network interface for Sierra Wireless MC7305/MC7355 · e3426ca7
      Reinhard Speyerer 提交于
      Sierra Wireless MC7305/MC7355 with USB ID 1199:9041 also provide a
      second QMI/network interface like the MC73xx with USB ID 1199:68c0 on
      USB interface #10 when used in the appropriate USB configuration.
      Add the corresponding QMI_FIXED_INTF entry to the qmi_wwan driver.
      
      Please note that the second QMI/network interface is not working for
      early MC73xx firmware versions like 01.08.x as the device does not
      respond to QMI messages on the second /dev/cdc-wdm port.
      Signed-off-by: NReinhard Speyerer <rspmn@arcor.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3426ca7
    • S
      ravb: fix race updating TCCR · 06613e38
      Sergei Shtylyov 提交于
      The TCCR.TSRQn bit may get clearead after TCCR gets read, so that TCCR write
      would get skipped. We don't need to check this bit before setting.
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      06613e38
    • K
      net: netcp: fix improper initialization in netcp_ndo_open() · 194ac06e
      Karicheri, Muralidharan 提交于
      The keystone qmss will raise interrupt when packet arrive at the
      receive queue. Only control available to avoid interrupt from happening
      is to keep the free descriptor queue (FDQ) empty in the receive side.
      So the filling of descriptors into the FDQ has to happen after
      request_irq() call is made as part of knav_queue_enable_notify(). So
      move the function netcp_rxpool_refill() after this call.
      Signed-off-by: NMurali Karicheri <m-karicheri2@ti.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      194ac06e