Update to 3.10.4
svn path=/dists/sid/linux/; revision=20436
This commit is contained in:
parent
da54fee357
commit
95df84931f
|
@ -1,10 +1,38 @@
|
|||
linux (3.10.3-2) UNRELEASED; urgency=low
|
||||
linux (3.10.4-1) UNRELEASED; urgency=low
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.4
|
||||
- ipv6,mcast: always hold idev->lock before mca_lock
|
||||
- ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET
|
||||
pending data (CVE-2013-4162)
|
||||
- ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
|
||||
(CVE-2013-4163)
|
||||
- sunvnet: vnet_port_remove must call unregister_netdev
|
||||
- ipv6: only static routes qualify for equal cost multipathing
|
||||
(CVE-2013-4125)
|
||||
- atl1e: fix dma mapping warnings
|
||||
- atl1e: unmap partially mapped skb on dma error and free skb
|
||||
- vlan: mask vlan prio bits
|
||||
- vlan: fix a race in egress prio management
|
||||
- fuse: readdirplus: fix dentry leak
|
||||
- fuse: readdirplus: fix instantiate
|
||||
- fuse: readdirplus: sanity checks
|
||||
- bcache: Fix a dumb race
|
||||
- bcache: Advertise that flushes are supported
|
||||
- bcache: Shutdown fix (possibly fixes #715019)
|
||||
- bcache: Fix a sysfs splat on shutdown
|
||||
- bcache: Journal replay fix
|
||||
- ext4: fix error handling in ext4_ext_truncate()
|
||||
- media: saa7134: Fix unlocked snd_pcm_stop() call
|
||||
- media: dmxdev: remove dvb_ringbuffer_flush() on writer side
|
||||
- lockd: protect nlm_blocked access in nlmsvc_retry_blocked
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [sparc] cpufreq: Convince genksyms that the ABI didn't change
|
||||
(fixes FTBFS)
|
||||
* [hppa] udeb: Add core-modules package (Closes: #718270)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 29 Jul 2013 00:11:35 +0100
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 30 Jul 2013 18:09:20 +0200
|
||||
|
||||
linux (3.10.3-1) unstable; urgency=low
|
||||
|
||||
|
|
|
@ -1,73 +0,0 @@
|
|||
From: Sasha Levin <sasha.levin@oracle.com>
|
||||
Date: Thu, 11 Jul 2013 13:16:54 -0400
|
||||
Subject: 9p: fix off by one causing access violations and memory corruption
|
||||
Origin: https://git.kernel.org/linus/110ecd69a9feea82a152bbf9b12aba57e6396883
|
||||
|
||||
p9_release_pages() would attempt to dereference one value past the end of
|
||||
pages[]. This would cause the following crashes:
|
||||
|
||||
[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
|
||||
[ 6293.174146] IP: [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
|
||||
[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
|
||||
[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
|
||||
[ 6293.180060] Modules linked in:
|
||||
[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954
|
||||
[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
|
||||
[ 6293.180060] RIP: 0010:[<ffffffff8412793b>] [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
|
||||
[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202
|
||||
[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
|
||||
[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
|
||||
[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
|
||||
[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
|
||||
[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
|
||||
[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
|
||||
[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
|
||||
[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
|
||||
[ 6293.256784] Stack:
|
||||
[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
|
||||
[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
|
||||
[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
|
||||
[ 6293.256784] Call Trace:
|
||||
[ 6293.256784] [<ffffffff84128be8>] p9_virtio_zc_request+0x598/0x630
|
||||
[ 6293.256784] [<ffffffff8115c610>] ? wake_up_bit+0x40/0x40
|
||||
[ 6293.256784] [<ffffffff841209b1>] p9_client_zc_rpc+0x111/0x3a0
|
||||
[ 6293.256784] [<ffffffff81174b78>] ? sched_clock_cpu+0x108/0x120
|
||||
[ 6293.256784] [<ffffffff84122a21>] p9_client_read+0xe1/0x2c0
|
||||
[ 6293.256784] [<ffffffff81708a90>] v9fs_file_read+0x90/0xc0
|
||||
[ 6293.256784] [<ffffffff812bd073>] vfs_read+0xc3/0x130
|
||||
[ 6293.256784] [<ffffffff811a78bd>] ? trace_hardirqs_on+0xd/0x10
|
||||
[ 6293.256784] [<ffffffff812bd5a2>] SyS_read+0x62/0xa0
|
||||
[ 6293.256784] [<ffffffff841a1a00>] tracesys+0xdd/0xe2
|
||||
[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
|
||||
[ 6293.256784] RIP [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
|
||||
[ 6293.256784] RSP <ffff880787ddfc28>
|
||||
[ 6293.256784] CR2: ffff8807c96f3000
|
||||
[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---
|
||||
|
||||
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/9p/trans_common.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
|
||||
index de8df95..2ee3879 100644
|
||||
--- a/net/9p/trans_common.c
|
||||
+++ b/net/9p/trans_common.c
|
||||
@@ -24,11 +24,11 @@
|
||||
*/
|
||||
void p9_release_pages(struct page **pages, int nr_pages)
|
||||
{
|
||||
- int i = 0;
|
||||
- while (pages[i] && nr_pages--) {
|
||||
- put_page(pages[i]);
|
||||
- i++;
|
||||
- }
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < nr_pages; i++)
|
||||
+ if (pages[i])
|
||||
+ put_page(pages[i]);
|
||||
}
|
||||
EXPORT_SYMBOL(p9_release_pages);
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From: Maarten Lankhorst <maarten.lankhorst@canonical.com>
|
||||
Date: Thu, 11 Jul 2013 15:53:21 +0200
|
||||
Subject: [8/8] alx: fix lockdep annotation
|
||||
Origin: https://git.kernel.org/linus/a8798a5c77c9981e88caef1373a3310bf8aed219
|
||||
|
||||
Move spin_lock_init to be called before the spinlocks are used, preventing a lockdep splat.
|
||||
|
||||
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ethernet/atheros/alx/main.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
|
||||
index 0e0b242..027398e 100644
|
||||
--- a/drivers/net/ethernet/atheros/alx/main.c
|
||||
+++ b/drivers/net/ethernet/atheros/alx/main.c
|
||||
@@ -1245,6 +1245,8 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
|
||||
|
||||
SET_NETDEV_DEV(netdev, &pdev->dev);
|
||||
alx = netdev_priv(netdev);
|
||||
+ spin_lock_init(&alx->hw.mdio_lock);
|
||||
+ spin_lock_init(&alx->irq_lock);
|
||||
alx->dev = netdev;
|
||||
alx->hw.pdev = pdev;
|
||||
alx->msg_enable = NETIF_MSG_LINK | NETIF_MSG_HW | NETIF_MSG_IFUP |
|
||||
@@ -1327,9 +1329,6 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
|
||||
|
||||
INIT_WORK(&alx->link_check_wk, alx_link_check);
|
||||
INIT_WORK(&alx->reset_wk, alx_reset);
|
||||
- spin_lock_init(&alx->hw.mdio_lock);
|
||||
- spin_lock_init(&alx->irq_lock);
|
||||
-
|
||||
netif_carrier_off(netdev);
|
||||
|
||||
err = register_netdev(netdev);
|
|
@ -1,46 +0,0 @@
|
|||
From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
|
||||
Date: Tue, 16 Jul 2013 12:44:02 +0530
|
||||
Subject: be2net: Fix to avoid hardware workaround when not needed
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=52fe29e4bb614367c108b717c6d7fe5953eb7af3
|
||||
|
||||
Hardware workaround requesting hardware to skip vlan insertion is necessary
|
||||
only when umc or qnq is enabled. Enabling this workaround in other scenarios
|
||||
could cause controller to stall.
|
||||
|
||||
Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ethernet/emulex/benet/be_main.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
|
||||
index 2df48bb..181edb5 100644
|
||||
--- a/drivers/net/ethernet/emulex/benet/be_main.c
|
||||
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
|
||||
@@ -782,16 +782,22 @@ static struct sk_buff *be_insert_vlan_in_pkt(struct be_adapter *adapter,
|
||||
|
||||
if (vlan_tx_tag_present(skb))
|
||||
vlan_tag = be_get_tx_vlan_tag(adapter, skb);
|
||||
- else if (qnq_async_evt_rcvd(adapter) && adapter->pvid)
|
||||
- vlan_tag = adapter->pvid;
|
||||
+
|
||||
+ if (qnq_async_evt_rcvd(adapter) && adapter->pvid) {
|
||||
+ if (!vlan_tag)
|
||||
+ vlan_tag = adapter->pvid;
|
||||
+ /* f/w workaround to set skip_hw_vlan = 1, informs the F/W to
|
||||
+ * skip VLAN insertion
|
||||
+ */
|
||||
+ if (skip_hw_vlan)
|
||||
+ *skip_hw_vlan = true;
|
||||
+ }
|
||||
|
||||
if (vlan_tag) {
|
||||
skb = __vlan_put_tag(skb, htons(ETH_P_8021Q), vlan_tag);
|
||||
if (unlikely(!skb))
|
||||
return skb;
|
||||
skb->vlan_tci = 0;
|
||||
- if (skip_hw_vlan)
|
||||
- *skip_hw_vlan = true;
|
||||
}
|
||||
|
||||
/* Insert the outer VLAN, if any */
|
|
@ -1,95 +0,0 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Wed, 10 Jul 2013 23:00:57 +0200
|
||||
Subject: ipv6: in case of link failure remove route directly instead of
|
||||
letting it expire
|
||||
Origin: https://git.kernel.org/linus/1eb4f758286884e7566627164bca4c4a16952a83
|
||||
|
||||
We could end up expiring a route which is part of an ecmp route set. Doing
|
||||
so would invalidate the rt->rt6i_nsiblings calculations and could provoke
|
||||
the following panic:
|
||||
|
||||
[ 80.144667] ------------[ cut here ]------------
|
||||
[ 80.145172] kernel BUG at net/ipv6/ip6_fib.c:733!
|
||||
[ 80.145172] invalid opcode: 0000 [#1] SMP
|
||||
[ 80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables
|
||||
+snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk
|
||||
[ 80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118
|
||||
[ 80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
|
||||
[ 80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000
|
||||
[ 80.145172] RIP: 0010:[<ffffffff815f3b5d>] [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
|
||||
[ 80.145172] RSP: 0018:ffff880118771798 EFLAGS: 00010202
|
||||
[ 80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480
|
||||
[ 80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738
|
||||
[ 80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001
|
||||
[ 80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680
|
||||
[ 80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90
|
||||
[ 80.145172] FS: 00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000
|
||||
[ 80.145172] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
|
||||
[ 80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0
|
||||
[ 80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
|
||||
[ 80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
|
||||
[ 80.145172] Stack:
|
||||
[ 80.145172] 0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280
|
||||
[ 80.145172] 0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa
|
||||
[ 80.145172] 0000000000000000 0000000000000000 0000000000000000 ffff88011350f680
|
||||
[ 80.145172] Call Trace:
|
||||
[ 80.145172] [<ffffffff815eeceb>] ? rt6_bind_peer+0x4b/0x90
|
||||
[ 80.145172] [<ffffffff815ed985>] __ip6_ins_rt+0x45/0x70
|
||||
[ 80.145172] [<ffffffff815eee35>] ip6_ins_rt+0x35/0x40
|
||||
[ 80.145172] [<ffffffff815ef1e4>] ip6_pol_route.isra.44+0x3a4/0x4b0
|
||||
[ 80.145172] [<ffffffff815ef34a>] ip6_pol_route_output+0x2a/0x30
|
||||
[ 80.145172] [<ffffffff81616077>] fib6_rule_action+0xd7/0x210
|
||||
[ 80.145172] [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
|
||||
[ 80.145172] [<ffffffff81553026>] fib_rules_lookup+0xc6/0x140
|
||||
[ 80.145172] [<ffffffff81616374>] fib6_rule_lookup+0x44/0x80
|
||||
[ 80.145172] [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
|
||||
[ 80.145172] [<ffffffff815edea3>] ip6_route_output+0x73/0xb0
|
||||
[ 80.145172] [<ffffffff815dfdf3>] ip6_dst_lookup_tail+0x2c3/0x2e0
|
||||
[ 80.145172] [<ffffffff813007b1>] ? list_del+0x11/0x40
|
||||
[ 80.145172] [<ffffffff81082a4c>] ? remove_wait_queue+0x3c/0x50
|
||||
[ 80.145172] [<ffffffff815dfe4d>] ip6_dst_lookup_flow+0x3d/0xa0
|
||||
[ 80.145172] [<ffffffff815fda77>] rawv6_sendmsg+0x267/0xc20
|
||||
[ 80.145172] [<ffffffff815a8a83>] inet_sendmsg+0x63/0xb0
|
||||
[ 80.145172] [<ffffffff8128eb93>] ? selinux_socket_sendmsg+0x23/0x30
|
||||
[ 80.145172] [<ffffffff815218d6>] sock_sendmsg+0xa6/0xd0
|
||||
[ 80.145172] [<ffffffff81524a68>] SYSC_sendto+0x128/0x180
|
||||
[ 80.145172] [<ffffffff8109825c>] ? update_curr+0xec/0x170
|
||||
[ 80.145172] [<ffffffff81041d09>] ? kvm_clock_get_cycles+0x9/0x10
|
||||
[ 80.145172] [<ffffffff810afd1e>] ? __getnstimeofday+0x3e/0xd0
|
||||
[ 80.145172] [<ffffffff8152509e>] SyS_sendto+0xe/0x10
|
||||
[ 80.145172] [<ffffffff8164efd9>] system_call_fastpath+0x16/0x1b
|
||||
[ 80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53
|
||||
[ 80.145172] RIP [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
|
||||
[ 80.145172] RSP <ffff880118771798>
|
||||
[ 80.387413] ---[ end trace 02f20b7a8b81ed95 ]---
|
||||
[ 80.390154] Kernel panic - not syncing: Fatal exception in interrupt
|
||||
|
||||
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
|
||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/route.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
|
||||
index bd5fd70..5b127e0 100644
|
||||
--- a/net/ipv6/route.c
|
||||
+++ b/net/ipv6/route.c
|
||||
@@ -1080,10 +1080,13 @@ static void ip6_link_failure(struct sk_buff *skb)
|
||||
|
||||
rt = (struct rt6_info *) skb_dst(skb);
|
||||
if (rt) {
|
||||
- if (rt->rt6i_flags & RTF_CACHE)
|
||||
- rt6_update_expires(rt, 0);
|
||||
- else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT))
|
||||
+ if (rt->rt6i_flags & RTF_CACHE) {
|
||||
+ dst_hold(&rt->dst);
|
||||
+ if (ip6_del_rt(rt))
|
||||
+ dst_free(&rt->dst);
|
||||
+ } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
|
||||
rt->rt6i_node->fn_sernum = -1;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From: Jason Wang <jasowang@redhat.com>
|
||||
Date: Wed, 10 Jul 2013 13:43:28 +0800
|
||||
Subject: macvtap: correctly linearize skb when zerocopy is used
|
||||
Origin: https://git.kernel.org/linus/61d46bf979d5cd7c164709a80ad5676a35494aae
|
||||
|
||||
Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
|
||||
linearize parts of the skb to let the rest of iov to be fit in
|
||||
the frags, we need count copylen into linear when calling macvtap_alloc_skb()
|
||||
instead of partly counting it into data_len. Since this breaks
|
||||
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
|
||||
be zero at beginning. This cause nr_frags to be increased wrongly without
|
||||
setting the correct frags.
|
||||
|
||||
This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73
|
||||
(macvtap: zerocopy: validate vectors before building skb).
|
||||
|
||||
Cc: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/macvtap.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
|
||||
index f2c4a3b..876c722 100644
|
||||
--- a/drivers/net/macvtap.c
|
||||
+++ b/drivers/net/macvtap.c
|
||||
@@ -712,6 +712,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
|
||||
int vnet_hdr_len = 0;
|
||||
int copylen = 0;
|
||||
bool zerocopy = false;
|
||||
+ size_t linear;
|
||||
|
||||
if (q->flags & IFF_VNET_HDR) {
|
||||
vnet_hdr_len = q->vnet_hdr_sz;
|
||||
@@ -766,11 +767,14 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
|
||||
copylen = vnet_hdr.hdr_len;
|
||||
if (!copylen)
|
||||
copylen = GOODCOPY_LEN;
|
||||
- } else
|
||||
+ linear = copylen;
|
||||
+ } else {
|
||||
copylen = len;
|
||||
+ linear = vnet_hdr.hdr_len;
|
||||
+ }
|
||||
|
||||
skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
|
||||
- vnet_hdr.hdr_len, noblock, &err);
|
||||
+ linear, noblock, &err);
|
||||
if (!skb)
|
||||
goto err;
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
|
||||
Date: Wed, 21 Nov 2012 09:54:48 +0100
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Subject: [PATCH] megaraid_sas: fix memory leak if SGL has zero length entries
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Forwarded: http://thread.gmane.org/gmane.linux.scsi/78850
|
||||
|
||||
commit 98cb7e44 ([SCSI] megaraid_sas: Sanity check user
|
||||
supplied length before passing it to dma_alloc_coherent())
|
||||
introduced a memory leak. Memory allocated for entries
|
||||
following zero length SGL entries will not be freed.
|
||||
|
||||
Reference: http://bugs.debian.org/688198
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Bjørn Mork <bjorn@mork.no>
|
||||
Acked-by: Adam Radford <aradford@gmail.com>
|
||||
---
|
||||
drivers/scsi/megaraid/megaraid_sas_base.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
|
||||
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
|
||||
@@ -4886,10 +4886,12 @@ megasas_mgmt_fw_ioctl(struct megasas_ins
|
||||
sense, sense_handle);
|
||||
}
|
||||
|
||||
- for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) {
|
||||
- dma_free_coherent(&instance->pdev->dev,
|
||||
- kern_sge32[i].length,
|
||||
- kbuff_arr[i], kern_sge32[i].phys_addr);
|
||||
+ for (i = 0; i < ioc->sge_count; i++) {
|
||||
+ if (kbuff_arr[i])
|
||||
+ dma_free_coherent(&instance->pdev->dev,
|
||||
+ kern_sge32[i].length,
|
||||
+ kbuff_arr[i],
|
||||
+ kern_sge32[i].phys_addr);
|
||||
}
|
||||
|
||||
megasas_return_cmd(instance, cmd);
|
|
@ -1,75 +0,0 @@
|
|||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
Date: Fri, 28 Jun 2013 02:37:42 -0700
|
||||
Subject: neighbour: fix a race in neigh_destroy()
|
||||
Origin: https://git.kernel.org/linus/c9ab4d85de222f3390c67aedc9c18a50e767531e
|
||||
|
||||
There is a race in neighbour code, because neigh_destroy() uses
|
||||
skb_queue_purge(&neigh->arp_queue) without holding neighbour lock,
|
||||
while other parts of the code assume neighbour rwlock is what
|
||||
protects arp_queue
|
||||
|
||||
Convert all skb_queue_purge() calls to the __skb_queue_purge() variant
|
||||
|
||||
Use __skb_queue_head_init() instead of skb_queue_head_init()
|
||||
to make clear we do not use arp_queue.lock
|
||||
|
||||
And hold neigh->lock in neigh_destroy() to close the race.
|
||||
|
||||
Reported-by: Joe Jin <joe.jin@oracle.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/neighbour.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
|
||||
index 2569ab2..b7de821 100644
|
||||
--- a/net/core/neighbour.c
|
||||
+++ b/net/core/neighbour.c
|
||||
@@ -231,7 +231,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
|
||||
we must kill timers etc. and move
|
||||
it to safe state.
|
||||
*/
|
||||
- skb_queue_purge(&n->arp_queue);
|
||||
+ __skb_queue_purge(&n->arp_queue);
|
||||
n->arp_queue_len_bytes = 0;
|
||||
n->output = neigh_blackhole;
|
||||
if (n->nud_state & NUD_VALID)
|
||||
@@ -286,7 +286,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device
|
||||
if (!n)
|
||||
goto out_entries;
|
||||
|
||||
- skb_queue_head_init(&n->arp_queue);
|
||||
+ __skb_queue_head_init(&n->arp_queue);
|
||||
rwlock_init(&n->lock);
|
||||
seqlock_init(&n->ha_lock);
|
||||
n->updated = n->used = now;
|
||||
@@ -708,7 +708,9 @@ void neigh_destroy(struct neighbour *neigh)
|
||||
if (neigh_del_timer(neigh))
|
||||
pr_warn("Impossible event\n");
|
||||
|
||||
- skb_queue_purge(&neigh->arp_queue);
|
||||
+ write_lock_bh(&neigh->lock);
|
||||
+ __skb_queue_purge(&neigh->arp_queue);
|
||||
+ write_unlock_bh(&neigh->lock);
|
||||
neigh->arp_queue_len_bytes = 0;
|
||||
|
||||
if (dev->netdev_ops->ndo_neigh_destroy)
|
||||
@@ -858,7 +860,7 @@ static void neigh_invalidate(struct neighbour *neigh)
|
||||
neigh->ops->error_report(neigh, skb);
|
||||
write_lock(&neigh->lock);
|
||||
}
|
||||
- skb_queue_purge(&neigh->arp_queue);
|
||||
+ __skb_queue_purge(&neigh->arp_queue);
|
||||
neigh->arp_queue_len_bytes = 0;
|
||||
}
|
||||
|
||||
@@ -1210,7 +1212,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
|
||||
|
||||
write_lock_bh(&neigh->lock);
|
||||
}
|
||||
- skb_queue_purge(&neigh->arp_queue);
|
||||
+ __skb_queue_purge(&neigh->arp_queue);
|
||||
neigh->arp_queue_len_bytes = 0;
|
||||
}
|
||||
out:
|
|
@ -1,83 +0,0 @@
|
|||
From: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Date: Thu, 4 Jul 2013 23:48:46 +0100
|
||||
Subject: sfc: Fix memory leak when discarding scattered packets
|
||||
Origin: https://git.kernel.org/linus/734d4e159b283a4ae4d007b7e7a91d84398ccb92
|
||||
|
||||
Commit 2768935a4660 ('sfc: reuse pages to avoid DMA mapping/unmapping
|
||||
costs') did not fully take account of DMA scattering which was
|
||||
introduced immediately before. If a received packet is invalid and
|
||||
must be discarded, we only drop a reference to the first buffer's
|
||||
page, but we need to drop a reference for each buffer the packet
|
||||
used.
|
||||
|
||||
I think this bug was missed partly because efx_recycle_rx_buffers()
|
||||
was not renamed and so no longer does what its name says. It does not
|
||||
change the state of buffers, but only prepares the underlying pages
|
||||
for recycling. Rename it accordingly.
|
||||
|
||||
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ethernet/sfc/rx.c | 27 ++++++++++++++++++++-------
|
||||
1 file changed, 20 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/sfc/rx.c b/drivers/net/ethernet/sfc/rx.c
|
||||
index 65646cd..6af9cfd 100644
|
||||
--- a/drivers/net/ethernet/sfc/rx.c
|
||||
+++ b/drivers/net/ethernet/sfc/rx.c
|
||||
@@ -282,9 +282,9 @@ static void efx_fini_rx_buffer(struct efx_rx_queue *rx_queue,
|
||||
}
|
||||
|
||||
/* Recycle the pages that are used by buffers that have just been received. */
|
||||
-static void efx_recycle_rx_buffers(struct efx_channel *channel,
|
||||
- struct efx_rx_buffer *rx_buf,
|
||||
- unsigned int n_frags)
|
||||
+static void efx_recycle_rx_pages(struct efx_channel *channel,
|
||||
+ struct efx_rx_buffer *rx_buf,
|
||||
+ unsigned int n_frags)
|
||||
{
|
||||
struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel);
|
||||
|
||||
@@ -294,6 +294,20 @@ static void efx_recycle_rx_buffers(struct efx_channel *channel,
|
||||
} while (--n_frags);
|
||||
}
|
||||
|
||||
+static void efx_discard_rx_packet(struct efx_channel *channel,
|
||||
+ struct efx_rx_buffer *rx_buf,
|
||||
+ unsigned int n_frags)
|
||||
+{
|
||||
+ struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel);
|
||||
+
|
||||
+ efx_recycle_rx_pages(channel, rx_buf, n_frags);
|
||||
+
|
||||
+ do {
|
||||
+ efx_free_rx_buffer(rx_buf);
|
||||
+ rx_buf = efx_rx_buf_next(rx_queue, rx_buf);
|
||||
+ } while (--n_frags);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* efx_fast_push_rx_descriptors - push new RX descriptors quickly
|
||||
* @rx_queue: RX descriptor queue
|
||||
@@ -533,8 +547,7 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index,
|
||||
*/
|
||||
if (unlikely(rx_buf->flags & EFX_RX_PKT_DISCARD)) {
|
||||
efx_rx_flush_packet(channel);
|
||||
- put_page(rx_buf->page);
|
||||
- efx_recycle_rx_buffers(channel, rx_buf, n_frags);
|
||||
+ efx_discard_rx_packet(channel, rx_buf, n_frags);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -570,9 +583,9 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index,
|
||||
efx_sync_rx_buffer(efx, rx_buf, rx_buf->len);
|
||||
}
|
||||
|
||||
- /* All fragments have been DMA-synced, so recycle buffers and pages. */
|
||||
+ /* All fragments have been DMA-synced, so recycle pages. */
|
||||
rx_buf = efx_rx_buffer(rx_queue, index);
|
||||
- efx_recycle_rx_buffers(channel, rx_buf, n_frags);
|
||||
+ efx_recycle_rx_pages(channel, rx_buf, n_frags);
|
||||
|
||||
/* Pipeline receives so that we give time for packet headers to be
|
||||
* prefetched into cache.
|
|
@ -1,53 +0,0 @@
|
|||
From: Jason Wang <jasowang@redhat.com>
|
||||
Date: Wed, 10 Jul 2013 13:43:27 +0800
|
||||
Subject: tuntap: correctly linearize skb when zerocopy is used
|
||||
Origin: https://git.kernel.org/linus/3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d
|
||||
|
||||
Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
|
||||
linearize parts of the skb to let the rest of iov to be fit in
|
||||
the frags, we need count copylen into linear when calling tun_alloc_skb()
|
||||
instead of partly counting it into data_len. Since this breaks
|
||||
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
|
||||
be zero at beginning. This cause nr_frags to be increased wrongly without
|
||||
setting the correct frags.
|
||||
|
||||
This bug were introduced from 0690899b4d4501b3505be069b9a687e68ccbe15b
|
||||
(tun: experimental zero copy tx support)
|
||||
|
||||
Cc: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/tun.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
|
||||
index 7eab5fc..5cdcf92 100644
|
||||
--- a/drivers/net/tun.c
|
||||
+++ b/drivers/net/tun.c
|
||||
@@ -1042,7 +1042,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
|
||||
{
|
||||
struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
|
||||
struct sk_buff *skb;
|
||||
- size_t len = total_len, align = NET_SKB_PAD;
|
||||
+ size_t len = total_len, align = NET_SKB_PAD, linear;
|
||||
struct virtio_net_hdr gso = { 0 };
|
||||
int offset = 0;
|
||||
int copylen;
|
||||
@@ -1106,10 +1106,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
|
||||
copylen = gso.hdr_len;
|
||||
if (!copylen)
|
||||
copylen = GOODCOPY_LEN;
|
||||
- } else
|
||||
+ linear = copylen;
|
||||
+ } else {
|
||||
copylen = len;
|
||||
+ linear = gso.hdr_len;
|
||||
+ }
|
||||
|
||||
- skb = tun_alloc_skb(tfile, align, copylen, gso.hdr_len, noblock);
|
||||
+ skb = tun_alloc_skb(tfile, align, copylen, linear, noblock);
|
||||
if (IS_ERR(skb)) {
|
||||
if (PTR_ERR(skb) != -EAGAIN)
|
||||
tun->dev->stats.rx_dropped++;
|
|
@ -1,56 +0,0 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Tue, 25 Jun 2013 17:29:46 +0300
|
||||
Subject: vhost-net: fix use-after-free in vhost_net_flush
|
||||
Origin: https://git.kernel.org/linus/c38e39c378f46f00ce922dd40a91043a9925c28d
|
||||
|
||||
vhost_net_ubuf_put_and_wait has a confusing name:
|
||||
it will actually also free it's argument.
|
||||
Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
|
||||
"vhost-net: flush outstanding DMAs on memory change"
|
||||
vhost_net_flush tries to use the argument after passing it
|
||||
to vhost_net_ubuf_put_and_wait, this results
|
||||
in use after free.
|
||||
To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
|
||||
add an new API for callers that want to free ubufs.
|
||||
|
||||
Acked-by: Asias He <asias@redhat.com>
|
||||
Acked-by: Jason Wang <jasowang@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
---
|
||||
drivers/vhost/net.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
|
||||
index f80d3dd..8ca5ac7 100644
|
||||
--- a/drivers/vhost/net.c
|
||||
+++ b/drivers/vhost/net.c
|
||||
@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
|
||||
{
|
||||
kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal);
|
||||
wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount));
|
||||
+}
|
||||
+
|
||||
+static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
|
||||
+{
|
||||
+ vhost_net_ubuf_put_and_wait(ubufs);
|
||||
kfree(ubufs);
|
||||
}
|
||||
|
||||
@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
|
||||
mutex_unlock(&vq->mutex);
|
||||
|
||||
if (oldubufs) {
|
||||
- vhost_net_ubuf_put_and_wait(oldubufs);
|
||||
+ vhost_net_ubuf_put_wait_and_free(oldubufs);
|
||||
mutex_lock(&vq->mutex);
|
||||
vhost_zerocopy_signal_used(n, vq);
|
||||
mutex_unlock(&vq->mutex);
|
||||
@@ -966,7 +971,7 @@ err_used:
|
||||
rcu_assign_pointer(vq->private_data, oldsock);
|
||||
vhost_net_enable_vq(n, vq);
|
||||
if (ubufs)
|
||||
- vhost_net_ubuf_put_and_wait(ubufs);
|
||||
+ vhost_net_ubuf_put_wait_and_free(ubufs);
|
||||
err_ubufs:
|
||||
fput(sock->file);
|
||||
err_vq:
|
|
@ -1,119 +0,0 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Tue, 9 Jul 2013 13:19:18 +0300
|
||||
Subject: virtio: support unlocked queue poll
|
||||
Origin: https://git.kernel.org/linus/cc229884d3f77ec3b1240e467e0236c3e0647c0c
|
||||
|
||||
This adds a way to check ring empty state after enable_cb outside any
|
||||
locks. Will be used by virtio_net.
|
||||
|
||||
Note: there's room for more optimization: caller is likely to have a
|
||||
memory barrier already, which means we might be able to get rid of a
|
||||
barrier here. Deferring this optimization until we do some
|
||||
benchmarking.
|
||||
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/virtio/virtio_ring.c | 56 ++++++++++++++++++++++++++++++++++----------
|
||||
include/linux/virtio.h | 4 ++++
|
||||
2 files changed, 48 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
|
||||
index 5217baf..37d58f8 100644
|
||||
--- a/drivers/virtio/virtio_ring.c
|
||||
+++ b/drivers/virtio/virtio_ring.c
|
||||
@@ -607,19 +607,21 @@ void virtqueue_disable_cb(struct virtqueue *_vq)
|
||||
EXPORT_SYMBOL_GPL(virtqueue_disable_cb);
|
||||
|
||||
/**
|
||||
- * virtqueue_enable_cb - restart callbacks after disable_cb.
|
||||
+ * virtqueue_enable_cb_prepare - restart callbacks after disable_cb
|
||||
* @vq: the struct virtqueue we're talking about.
|
||||
*
|
||||
- * This re-enables callbacks; it returns "false" if there are pending
|
||||
- * buffers in the queue, to detect a possible race between the driver
|
||||
- * checking for more work, and enabling callbacks.
|
||||
+ * This re-enables callbacks; it returns current queue state
|
||||
+ * in an opaque unsigned value. This value should be later tested by
|
||||
+ * virtqueue_poll, to detect a possible race between the driver checking for
|
||||
+ * more work, and enabling callbacks.
|
||||
*
|
||||
* Caller must ensure we don't call this with other virtqueue
|
||||
* operations at the same time (except where noted).
|
||||
*/
|
||||
-bool virtqueue_enable_cb(struct virtqueue *_vq)
|
||||
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *_vq)
|
||||
{
|
||||
struct vring_virtqueue *vq = to_vvq(_vq);
|
||||
+ u16 last_used_idx;
|
||||
|
||||
START_USE(vq);
|
||||
|
||||
@@ -629,15 +631,45 @@ bool virtqueue_enable_cb(struct virtqueue *_vq)
|
||||
* either clear the flags bit or point the event index at the next
|
||||
* entry. Always do both to keep code simple. */
|
||||
vq->vring.avail->flags &= ~VRING_AVAIL_F_NO_INTERRUPT;
|
||||
- vring_used_event(&vq->vring) = vq->last_used_idx;
|
||||
+ vring_used_event(&vq->vring) = last_used_idx = vq->last_used_idx;
|
||||
+ END_USE(vq);
|
||||
+ return last_used_idx;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(virtqueue_enable_cb_prepare);
|
||||
+
|
||||
+/**
|
||||
+ * virtqueue_poll - query pending used buffers
|
||||
+ * @vq: the struct virtqueue we're talking about.
|
||||
+ * @last_used_idx: virtqueue state (from call to virtqueue_enable_cb_prepare).
|
||||
+ *
|
||||
+ * Returns "true" if there are pending used buffers in the queue.
|
||||
+ *
|
||||
+ * This does not need to be serialized.
|
||||
+ */
|
||||
+bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
|
||||
+{
|
||||
+ struct vring_virtqueue *vq = to_vvq(_vq);
|
||||
+
|
||||
virtio_mb(vq->weak_barriers);
|
||||
- if (unlikely(more_used(vq))) {
|
||||
- END_USE(vq);
|
||||
- return false;
|
||||
- }
|
||||
+ return (u16)last_used_idx != vq->vring.used->idx;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(virtqueue_poll);
|
||||
|
||||
- END_USE(vq);
|
||||
- return true;
|
||||
+/**
|
||||
+ * virtqueue_enable_cb - restart callbacks after disable_cb.
|
||||
+ * @vq: the struct virtqueue we're talking about.
|
||||
+ *
|
||||
+ * This re-enables callbacks; it returns "false" if there are pending
|
||||
+ * buffers in the queue, to detect a possible race between the driver
|
||||
+ * checking for more work, and enabling callbacks.
|
||||
+ *
|
||||
+ * Caller must ensure we don't call this with other virtqueue
|
||||
+ * operations at the same time (except where noted).
|
||||
+ */
|
||||
+bool virtqueue_enable_cb(struct virtqueue *_vq)
|
||||
+{
|
||||
+ unsigned last_used_idx = virtqueue_enable_cb_prepare(_vq);
|
||||
+ return !virtqueue_poll(_vq, last_used_idx);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(virtqueue_enable_cb);
|
||||
|
||||
diff --git a/include/linux/virtio.h b/include/linux/virtio.h
|
||||
index 9ff8645..72398ee 100644
|
||||
--- a/include/linux/virtio.h
|
||||
+++ b/include/linux/virtio.h
|
||||
@@ -70,6 +70,10 @@ void virtqueue_disable_cb(struct virtqueue *vq);
|
||||
|
||||
bool virtqueue_enable_cb(struct virtqueue *vq);
|
||||
|
||||
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *vq);
|
||||
+
|
||||
+bool virtqueue_poll(struct virtqueue *vq, unsigned);
|
||||
+
|
||||
bool virtqueue_enable_cb_delayed(struct virtqueue *vq);
|
||||
|
||||
void *virtqueue_detach_unused_buf(struct virtqueue *vq);
|
|
@ -1,56 +0,0 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Tue, 9 Jul 2013 08:13:04 +0300
|
||||
Subject: virtio_net: fix race in RX VQ processing
|
||||
Origin: https://git.kernel.org/linus/cbdadbbf0c790f79350a8f36029208944c5487d0
|
||||
|
||||
virtio net called virtqueue_enable_cq on RX path after napi_complete, so
|
||||
with NAPI_STATE_SCHED clear - outside the implicit napi lock.
|
||||
This violates the requirement to synchronize virtqueue_enable_cq wrt
|
||||
virtqueue_add_buf. In particular, used event can move backwards,
|
||||
causing us to lose interrupts.
|
||||
In a debug build, this can trigger panic within START_USE.
|
||||
|
||||
Jason Wang reports that he can trigger the races artificially,
|
||||
by adding udelay() in virtqueue_enable_cb() after virtio_mb().
|
||||
|
||||
However, we must call napi_complete to clear NAPI_STATE_SCHED before
|
||||
polling the virtqueue for used buffers, otherwise napi_schedule_prep in
|
||||
a callback will fail, causing us to lose RX events.
|
||||
|
||||
To fix, call virtqueue_enable_cb_prepare with NAPI_STATE_SCHED
|
||||
set (under napi lock), later call virtqueue_poll with
|
||||
NAPI_STATE_SCHED clear (outside the lock).
|
||||
|
||||
Reported-by: Jason Wang <jasowang@redhat.com>
|
||||
Tested-by: Jason Wang <jasowang@redhat.com>
|
||||
Acked-by: Jason Wang <jasowang@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/virtio_net.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
|
||||
index c9e0038..42d670a 100644
|
||||
--- a/drivers/net/virtio_net.c
|
||||
+++ b/drivers/net/virtio_net.c
|
||||
@@ -602,7 +602,7 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
|
||||
container_of(napi, struct receive_queue, napi);
|
||||
struct virtnet_info *vi = rq->vq->vdev->priv;
|
||||
void *buf;
|
||||
- unsigned int len, received = 0;
|
||||
+ unsigned int r, len, received = 0;
|
||||
|
||||
again:
|
||||
while (received < budget &&
|
||||
@@ -619,8 +619,9 @@ again:
|
||||
|
||||
/* Out of packets? */
|
||||
if (received < budget) {
|
||||
+ r = virtqueue_enable_cb_prepare(rq->vq);
|
||||
napi_complete(napi);
|
||||
- if (unlikely(!virtqueue_enable_cb(rq->vq)) &&
|
||||
+ if (unlikely(virtqueue_poll(rq->vq, r)) &&
|
||||
napi_schedule_prep(napi)) {
|
||||
virtqueue_disable_cb(rq->vq);
|
||||
__napi_schedule(napi);
|
|
@ -1,55 +0,0 @@
|
|||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Fri, 28 Jun 2013 16:04:02 +0200
|
||||
Subject: writeback: Fix periodic writeback after fs mount
|
||||
Origin: https://git.kernel.org/linus/a5faeaf9109578e65e1a32e2a3e76c8b47e7dcb6
|
||||
|
||||
Code in blkdev.c moves a device inode to default_backing_dev_info when
|
||||
the last reference to the device is put and moves the device inode back
|
||||
to its bdi when the first reference is acquired. This includes moving to
|
||||
wb.b_dirty list if the device inode is dirty. The code however doesn't
|
||||
setup timer to wake corresponding flusher thread and while wb.b_dirty
|
||||
list is non-empty __mark_inode_dirty() will not set it up either. Thus
|
||||
periodic writeback is effectively disabled until a sync(2) call which can
|
||||
lead to unexpected data loss in case of crash or power failure.
|
||||
|
||||
Fix the problem by setting up a timer for periodic writeback in case we
|
||||
add the first dirty inode to wb.b_dirty list in bdev_inode_switch_bdi().
|
||||
|
||||
Reported-by: Bert De Jonghe <Bert.DeJonghe@amplidata.com>
|
||||
CC: stable@vger.kernel.org # >= 3.0
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||
---
|
||||
fs/block_dev.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/block_dev.c b/fs/block_dev.c
|
||||
index 2091db8..85f5c85 100644
|
||||
--- a/fs/block_dev.c
|
||||
+++ b/fs/block_dev.c
|
||||
@@ -58,17 +58,24 @@ static void bdev_inode_switch_bdi(struct inode *inode,
|
||||
struct backing_dev_info *dst)
|
||||
{
|
||||
struct backing_dev_info *old = inode->i_data.backing_dev_info;
|
||||
+ bool wakeup_bdi = false;
|
||||
|
||||
if (unlikely(dst == old)) /* deadlock avoidance */
|
||||
return;
|
||||
bdi_lock_two(&old->wb, &dst->wb);
|
||||
spin_lock(&inode->i_lock);
|
||||
inode->i_data.backing_dev_info = dst;
|
||||
- if (inode->i_state & I_DIRTY)
|
||||
+ if (inode->i_state & I_DIRTY) {
|
||||
+ if (bdi_cap_writeback_dirty(dst) && !wb_has_dirty_io(&dst->wb))
|
||||
+ wakeup_bdi = true;
|
||||
list_move(&inode->i_wb_list, &dst->wb.b_dirty);
|
||||
+ }
|
||||
spin_unlock(&inode->i_lock);
|
||||
spin_unlock(&old->wb.list_lock);
|
||||
spin_unlock(&dst->wb.list_lock);
|
||||
+
|
||||
+ if (wakeup_bdi)
|
||||
+ bdi_wakeup_thread_delayed(dst);
|
||||
}
|
||||
|
||||
/* Kill _all_ buffers and pagecache , dirty or not.. */
|
|
@ -66,7 +66,6 @@ bugfix/mips/disable-advansys.patch
|
|||
bugfix/powerpc/lpar-console.patch
|
||||
bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch
|
||||
bugfix/arm/ixp4xx_iobe.patch
|
||||
bugfix/all/megaraid_sas-fix-memory-leak-if-SGL-has-zero-length-entries.patch
|
||||
bugfix/all/ath6kl-do-not-use-virt_addr_valid.patch
|
||||
features/all/cpu-devices/Partially-revert-cpufreq-Add-support-for-x86-cpuinfo.patch
|
||||
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
|
||||
|
@ -103,26 +102,12 @@ bugfix/all/alx-separate-link-speed-duplex-fields.patch
|
|||
bugfix/all/alx-fix-MAC-address-alignment-problem.patch
|
||||
bugfix/all/alx-fix-ethtool-support-code.patch
|
||||
bugfix/all/alx-remove-WoL-support.patch
|
||||
bugfix/all/alx-fix-lockdep-annotation.patch
|
||||
|
||||
bugfix/all/xen-blkback-Check-device-permissions-before-allowing.patch
|
||||
bugfix/all/be2net-Fix-to-avoid-hardware-workaround-when-not-nee.patch
|
||||
features/all/iwlwifi-mvm-support-BSS-only.patch
|
||||
features/all/iwlwifi-mvm-adjust-firmware-D3-configuration-API.patch
|
||||
features/all/iwlwifi-bump-required-firmware-API-version-for-3160-.patch
|
||||
|
||||
# Cherry-picked fixes from 3.10.4-rc1
|
||||
bugfix/all/writeback-Fix-periodic-writeback-after-fs-mount.patch
|
||||
bugfix/all/sfc-Fix-memory-leak-when-discarding-scattered-packet.patch
|
||||
bugfix/all/neighbour-fix-a-race-in-neigh_destroy.patch
|
||||
bugfix/all/virtio-support-unlocked-queue-poll.patch
|
||||
bugfix/all/virtio_net-fix-race-in-RX-VQ-processing.patch
|
||||
bugfix/all/vhost-net-fix-use-after-free-in-vhost_net_flush.patch
|
||||
bugfix/all/tuntap-correctly-linearize-skb-when-zerocopy-is-used.patch
|
||||
bugfix/all/macvtap-correctly-linearize-skb-when-zerocopy-is-use.patch
|
||||
bugfix/all/ipv6-in-case-of-link-failure-remove-route-directly-i.patch
|
||||
bugfix/all/9p-fix-off-by-one-causing-access-violations-and-memo.patch
|
||||
|
||||
# m68k Kconfig bugfix
|
||||
bugfix/m68k/ethernat-kconfig.patch
|
||||
|
||||
|
|
Loading…
Reference in New Issue