-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJZUiosAAoJEE44bZycYXAvcHYP/1OKMYQB/3G7GfEhMXdlpV31
VjdzUg5X1JOE60anYNopvWQJgDFXMy9mTceUI3axDkfYb5iDFUpRBFEh70ggDL04
bGB/J4n2Linjkj35u+S5P3fK6qBfg9+VDpTfUYPZGB5YjOjmaD06E8InBF8iUuC3
6pkMtQKOptmKOc2hw84PsB3qm9ER2MMa92Lrs1rtcOihEqQMyKjkI/kzogs8XGje
5gMt31VweScZed3d7i1r9tl/DTmzGcpEyVpz/x8gI7Xwi69FeeLy6cWbhK0VOsLA
u7ul9mDa77bUC/jpBzJmIkS8fhzaTyUw8NQbtol9RSSIfzb+mvXyx9Vr7o4LYK2B
P6AekC16x6R8KUED1hfxKdagguRACDfKf91bMAxDCN/PXqITVbk3RxxxH6wHAvOx
Ihf4G5h800/ks6X1oMBYZcbFFbNCUHZjyL7V1M/iy1TrKuRhEtou4Ft3X+gOauLS
CG8VR9Jo1/BAvMaJmy5Hg9RPNoxEMstDi6x3ugD0wH57XHSZ5QmFMBzCbuWR6hWM
q1DvBK/I54BXlsdYU9WySn1hm2gKCNPZ+zGzLTo1l426vme+YjhC5911V7Tv+WHm
lc5FTXWtXGhoAZuNSIGDrlv3Dyq44iMNrqXrhlPmJjWD3Hx4hFGGp2GyHOpK+5+7
7egPk9m1WrhUKzA9m1/M
=InCr
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqfQUACgkQmXOSYMts
txZNghAApD/SW4fTOx6RZFCPVjAP70FfXvZsQYf3Zfp44Ytm2Kax3GIABPuknlI+
IZRAPnXb6KP8DNDdCyGcJ0avI5uw96sXyeZWlDZyeS1WHHizJq3+BLB09zzdegSk
K1dJrobXCYNESmcQMT5diGwqLYkdOs3hh7Ehqut29njwCzVzNG3n43H9F15o9cUZ
6lAM8/Zb6ai+0KgVgwC40QJneVltDEFfXVr6wo/IJXnYNaRCPKQM5lsG09pxxopG
NVSsmUyeJI5bPWEm5vbuBL2JVhaCcMtTfAPHflqbtykE8eSVEWdTeCWPuGWcATB+
2sGp3cVR2W7+4CHpbcnrXolmP/OI3jXHbG1LvyRqg4Iw1jgtZ8wwjCEkdsPz3fED
g2+EtSYl/NLW7N8P4KQV9jzihYIfELBj9HQsEs5aPOstyjyxl12RxJvjw835v5ts
oa7qKQAHIwZsuaB34qK+DjI5coNeKRvDMy5mm0GL3TqmLLFEzSVpaTceGpdvNLi0
6k3RkuJzU0TwAoTShWyYu6AbV+8aHniBQbjzYs5sufRgDy9pjnfWzDqtUM+chTsm
WaxwhpHdpOomwAfZr8/Zaf0xIxP/M99SFKevntE04Ft93P8dKuLqFcNAjQkMdibY
UHrJ67nBllmDtlH8yGO9j4FD89O0QaBX4J3qGyIu5eE73/iibvo=
=J7vi
-----END PGP SIGNATURE-----
Merge 3.10.107 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.107: (270 commits)
Revert "Btrfs: don't delay inode ref updates during log, replay"
Btrfs: fix memory leak in reading btree blocks
ext4: use more strict checks for inodes_per_block on mount
ext4: fix in-superblock mount options processing
ext4: add sanity checking to count_overhead()
ext4: validate s_first_meta_bg at mount time
jbd2: don't leak modified metadata buffers on an aborted journal
ext4: fix fencepost in s_first_meta_bg validation
ext4: trim allocation requests to group size
ext4: preserve the needs_recovery flag when the journal is aborted
ext4: return EROFS if device is r/o and journal replay is needed
ext4: fix inode checksum calculation problem if i_extra_size is small
block: fix use-after-free in sys_ioprio_get()
block: allow WRITE_SAME commands with the SG_IO ioctl
block: fix del_gendisk() vs blkdev_ioctl crash
dm crypt: mark key as invalid until properly loaded
dm space map metadata: fix 'struct sm_metadata' leak on failed create
md/raid5: limit request size according to implementation limits
md:raid1: fix a dead loop when read from a WriteMostly disk
md linear: fix a race between linear_add() and linear_congested()
CIFS: Fix a possible memory corruption during reconnect
CIFS: Fix missing nls unload in smb2_reconnect()
CIFS: Fix a possible memory corruption in push locks
CIFS: remove bad_network_name flag
fs/cifs: make share unaccessible at root level mountable
cifs: Do not send echoes before Negotiate is complete
ocfs2: fix crash caused by stale lvb with fsdlm plugin
ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()
can: raw: raw_setsockopt: limit number of can_filter that can be set
can: peak: fix bad memory access and free sequence
can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
can: ti_hecc: add missing prepare and unprepare of the clock
can: bcm: fix hrtimer/tasklet termination in bcm op removal
can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
ALSA: hda - Fix up GPIO for ASUS ROG Ranger
ALSA: seq: Fix race at creating a queue
ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
ALSA: timer: Reject user params with too small ticks
ALSA: seq: Fix link corruption by event error handling
ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
ALSA: seq: Fix race during FIFO resize
ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
usb: gadgetfs: restrict upper bound on device configuration size
USB: gadgetfs: fix unbounded memory allocation bug
USB: gadgetfs: fix use-after-free bug
USB: gadgetfs: fix checks of wTotalLength in config descriptors
xhci: free xhci virtual devices with leaf nodes first
USB: serial: io_ti: bind to interface after fw download
usb: gadget: composite: always set ep->mult to a sensible value
USB: cdc-acm: fix double usb_autopm_put_interface() in acm_port_activate()
USB: cdc-acm: fix open and suspend race
USB: cdc-acm: fix failed open not being detected
usb: dwc3: gadget: make Set Endpoint Configuration macros safe
usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
usb: dwc3: gadget: delay unmap of bounced requests
usb: hub: Wait for connection to be reestablished after port reset
usb: gadget: composite: correctly initialize ep->maxpacket
USB: UHCI: report non-PME wakeup signalling for Intel hardware
arm/xen: Use alloc_percpu rather than __alloc_percpu
xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
xfs: clear _XBF_PAGES from buffers when readahead page
ssb: Fix error routine when fallback SPROM fails
drivers/gpu/drm/ast: Fix infinite loop if read fails
scsi: avoid a permanent stop of the scsi device's request queue
scsi: move the nr_phys_segments assert into scsi_init_io
scsi: don't BUG_ON() empty DMA transfers
scsi: storvsc: properly handle SRB_ERROR when sense message is present
scsi: storvsc: properly set residual data length on errors
target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
scsi: lpfc: Add shutdown method for kexec
scsi: sr: Sanity check returned mode data
scsi: sd: Fix capacity calculation with 32-bit sector_t
s390/vmlogrdr: fix IUCV buffer allocation
libceph: verify authorize reply on connect
nfs_write_end(): fix handling of short copies
powerpc/ps3: Fix system hang with GCC 5 builds
sg_write()/bsg_write() is not fit to be called under KERNEL_DS
ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it
cred/userns: define current_user_ns() as a function
net: ti: cpmac: Fix compiler warning due to type confusion
tick/broadcast: Prevent NULL pointer dereference
netvsc: reduce maximum GSO size
drop_monitor: add missing call to genlmsg_end
drop_monitor: consider inserted data in genlmsg_end
igmp: Make igmp group member RFC 3376 compliant
HID: hid-cypress: validate length of report
Input: xpad - use correct product id for x360w controllers
Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
Input: iforce - validate number of endpoints before using them
Input: kbtab - validate number of endpoints before using them
Input: joydev - do not report stale values on first open
Input: tca8418 - use the interrupt trigger from the device tree
Input: mpr121 - handle multiple bits change of status register
Input: mpr121 - set missing event capability
Input: i8042 - add Clevo P650RS to the i8042 reset list
i2c: fix kernel memory disclosure in dev interface
vme: Fix wrong pointer utilization in ca91cx42_slave_get
sysrq: attach sysrq handler correctly for 32-bit kernel
pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE
x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
qla2xxx: Fix crash due to null pointer access
ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
ARM: dts: da850-evm: fix read access to SPI flash
NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT
vmxnet3: Wake queue from reset work
Fix memory leaks in cifs_do_mount()
Compare prepaths when comparing superblocks
Move check for prefix path to within cifs_get_root()
Fix regression which breaks DFS mounting
apparmor: fix uninitialized lsm_audit member
apparmor: exec should not be returning ENOENT when it denies
apparmor: fix disconnected bind mnts reconnection
apparmor: internal paths should be treated as disconnected
apparmor: check that xindex is in trans_table bounds
apparmor: add missing id bounds check on dfa verification
apparmor: don't check for vmalloc_addr if kvzalloc() failed
apparmor: fix oops in profile_unpack() when policy_db is not present
apparmor: fix module parameters can be changed after policy is locked
apparmor: do not expose kernel stack
vfio/pci: Fix integer overflows, bitmask check
bna: Add synchronization for tx ring.
sg: Fix double-free when drives detach during SG_IO
move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)
serial: 8250_pci: Detach low-level driver during PCI error recovery
bnx2x: Correct ringparam estimate when DOWN
tile/ptrace: Preserve previous registers for short regset write
sysctl: fix proc_doulongvec_ms_jiffies_minmax()
ISDN: eicon: silence misleading array-bounds warning
ARC: [arcompact] handle unaligned access delay slot corner case
parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
af_unix: move unix_mknod() out of bindlock
drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
ata: sata_mv:- Handle return value of devm_ioremap.
mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone()
mm, fs: check for fatal signals in do_generic_file_read()
ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
sched/debug: Don't dump sched debug info in SysRq-W
tcp: fix 0 divide in __tcp_select_window()
macvtap: read vnet_hdr_size once
packet: round up linear to header len
vfs: fix uninitialized flags in splice_to_pipe()
siano: make it work again with CONFIG_VMAP_STACK
futex: Move futex_init() to core_initcall
rtc: interface: ignore expired timers when enqueuing new timers
irda: Fix lockdep annotations in hashbin_delete().
tty: serial: msm: Fix module autoload
rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
af_packet: remove a stray tab in packet_set_ring()
MIPS: Fix special case in 64 bit IP checksumming.
mm: vmpressure: fix sending wrong events on underflow
ipc/shm: Fix shmat mmap nil-page protection
sd: get disk reference in sd_check_events()
samples/seccomp: fix 64-bit comparison macros
ath5k: drop bogus warning on drv_set_key with unsupported cipher
rdma_cm: fail iwarp accepts w/o connection params
NFSv4: fix getacl ERANGE for some ACL buffer sizes
bcma: use (get|put)_device when probing/removing device driver
powerpc/xmon: Fix data-breakpoint
KVM: VMX: use correct vmcs_read/write for guest segment selector/base
KVM: PPC: Book3S PR: Fix illegal opcode emulation
KVM: s390: fix task size check
s390: TASK_SIZE for kernel threads
xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
mac80211: flush delayed work when entering suspend
drm/ast: Fix test for VGA enabled
drm/ttm: Make sure BOs being swapped out are cacheable
fat: fix using uninitialized fields of fat_inode/fsinfo_inode
drivers: hv: Turn off write permission on the hypercall page
xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
crypto: improve gcc optimization flags for serpent and wp512
mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
cpmac: remove hopeless #warning
mvsas: fix misleading indentation
l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
net: don't call strlen() on the user buffer in packet_bind_spkt()
dccp: Unlock sock before calling sk_free()
tcp: fix various issues for sockets morphing to listen state
uapi: fix linux/packet_diag.h userspace compilation error
ipv6: avoid write to a possibly cloned skb
dccp: fix memory leak during tear-down of unsuccessful connection request
futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
futex: Add missing error handling to FUTEX_REQUEUE_PI
give up on gcc ilog2() constant optimizations
cancel the setfilesize transation when io error happen
crypto: ghash-clmulni - Fix load failure
crypto: cryptd - Assign statesize properly
ACPI / video: skip evaluating _DOD when it does not exist
Drivers: hv: balloon: don't crash when memory is added in non-sorted order
s390/pci: fix use after free in dma_init
cpufreq: Fix and clean up show_cpuinfo_cur_freq()
igb: Workaround for igb i210 firmware issue
igb: add i211 to i210 PHY workaround
ipv4: provide stronger user input validation in nl_fib_input()
tcp: initialize icsk_ack.lrcvtime at session start time
ACM gadget: fix endianness in notifications
mmc: sdhci: Do not disable interrupts while waiting for clock
uvcvideo: uvc_scan_fallback() for webcams with broken chain
fbcon: Fix vc attr at deinit
crypto: algif_hash - avoid zero-sized array
virtio_balloon: init 1st buffer in stats vq
c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
sparc/ptrace: Preserve previous registers for short regset write
metag/ptrace: Preserve previous registers for short regset write
metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
metag/ptrace: Reject partial NT_METAG_RPIPE writes
libceph: force GFP_NOIO for socket allocations
ACPI: Fix incompatibility with mcount-based function graph tracing
ACPI / power: Avoid maybe-uninitialized warning
rtc: s35390a: make sure all members in the output are set
rtc: s35390a: implement reset routine as suggested by the reference
rtc: s35390a: improve irq handling
padata: avoid race in reordering
HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2
HID: i2c-hid: Add sleep between POWER ON and RESET
drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
drm/vmwgfx: Remove getparam error message
drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
Reset TreeId to zero on SMB2 TREE_CONNECT
metag/usercopy: Drop unused macros
metag/usercopy: Zero rest of buffer from copy_from_user
powerpc: Don't try to fix up misaligned load-with-reservation instructions
mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
mtd: bcm47xxpart: fix parsing first block after aligned TRX
net/packet: fix overflow in check for priv area size
x86/vdso: Plug race between mapping and ELF header setup
iscsi-target: Fix TMR reference leak during session shutdown
iscsi-target: Drop work-around for legacy GlobalSAN initiator
xen, fbfront: fix connecting to backend
char: lack of bool string made CONFIG_DEVPORT always on
platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
platform/x86: acer-wmi: setup accelerometer when ACPI device was found
mm: Tighten x86 /dev/mem with zeroing reads
virtio-console: avoid DMA from stack
catc: Combine failure cleanup code in catc_probe()
catc: Use heap buffer for memory size test
net: ipv6: check route protocol when deleting routes
Drivers: hv: don't leak memory in vmbus_establish_gpadl()
Drivers: hv: get rid of timeout in vmbus_open()
ubi/upd: Always flush after prepared for an update
x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
powerpc: Reject binutils 2.24 when building little endian
net/packet: fix overflow in check for tp_frame_nr
net/packet: fix overflow in check for tp_reserve
tty: nozomi: avoid a harmless gcc warning
hostap: avoid uninitialized variable use in hfa384x_get_rid
gfs2: avoid uninitialized variable warning
net: neigh: guard against NULL solicit() method
sctp: listen on the sock only when it's state is listening or closed
ip6mr: fix notification device destruction
MIPS: Fix crash registers on non-crashing CPUs
RDS: Fix the atomicity for congestion map update
xen/x86: don't lose event interrupts
p9_client_readdir() fix
nfsd: check for oversized NFSv2/v3 arguments
ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
tun: read vnet_hdr_sz once
printk: use rcuidle console tracepoint
ipv6: check raw payload size correctly in ioctl
x86: standardize mmap_rnd() usage
x86/mm/32: Enable full randomization on i386 and X86_32
mm: larger stack guard gap, between vmas
mm: fix new crash in unmapped_area_topdown()
Allow stack to grow up to address space limit
Linux 3.10.107
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
arch/x86/mm/mmap.c
drivers/mmc/host/sdhci.c
drivers/usb/host/xhci-plat.c
fs/ext4/super.c
kernel/sched/core.c
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJZQspmAAoJEE44bZycYXAvLXMP/3Uqx7K7dGjHvvhGA4DhnzSp
bGLpjeP1sXXnnd932PN+qkGbl2j/NPjS74DobDqGWnrwxKRzQ21F4YkWJGtb4Pe2
JKcY7y2rbKGcwhpS9qDMkSWuaUKJWF5MAsH08LnCWqlGphGwAH/uPTdqS4iI/CJM
aQvaaITe5SVzvpvpyoCVdHqu8K+Ukraf91mvt7hlmrn9OnqO9us9MWulw5sSXQcd
pM8ZbRkBDE5OFeVnPKJDBY+cR2ML41wekMMwvJWt7uRyrX2i5c7oQVXYoeYE4MKx
Pueb7aG7LQwBUzNJCiZA6PAEFQPwNPCoxHZbAax0D6/JyDWOZukappquzjd6gLDM
+U7mxeFTeNZJ5v9tUcUIOb4GaaFcccS3wdDP23V2N8iM88hFVwJn0RSy/pksX37+
ZNDiEyDeJBjz3kh/Kf40zhFIIrABMozFeX3tpSRVVqXb+T6P9l8Y88O2LGY5FCXK
QBbAC+jC4X4YI+4v+QWImg9mkfTwzZyjyAlfyjPlHVSK9KDP9M6LXpr2+jKS7jOc
ievMOh9ku0HIVuSWGUKZSqjvcF01Bh99tFlX+KqipomwNTwa4hKCLmnOVflF1BPE
8sfD9hvenA0e949kXrURUmqpg6Ujkrbb/lXuD7e2CakCu+XjEMf317R11TyTsHNG
10hsmPsGDVcwbyFOFHS3
=mvzl
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqfEUACgkQmXOSYMts
txbJOQ/+Pce1eBSgjESWKuz0OP9BfAe9RpWFi7lBZ/EgRwJVYEx6jau9EYXAQ7YT
roCIsV6eufhMplYGHJz6EHxK2Hieb1zG9ooX9ss9GxiB6qmqeqC0Slm9EQE15yGT
px3fVz9r86edqjtj7UKK0/n8DJUaFh5LWOymLD3d3/115RYQsl/GowugH9F79PvN
pR+OyXq7srtfCmwdhZ65012Ef10RXqBRv0fCYBH6r+jkMqb7uSDFzdR39Z7k3QFk
AM4+3lTm6EEZ4xZkcMyX3GuQWslpPAlvFdEx43TjdCbseXAqURoppmxvz+Izum75
fy0oOdKl5OSpyZArRkUfZ0MnL6BHGcKxwYV4u1LupwvqPyaUT4yiT5VEUdy9EqJo
Syrr0oSR2lrXqQESdxKkmOZVXyul0nF3Fh1p5QlU1/Id9oskMLYqcXegFyhr2Wyp
+A4ZozljEQ4AGm4dYFdH3w8TcNDttjztYoKf8OXnaCOj3p/SEq84tk4Hm3vpoPvh
5OzsZC3UB9gJ1mXsKOVKLJFCPzmg61KOvwhopfAcC6cyiIIf/MPCneZeOzsavtQX
J+atSNcLVNE3jmrXvUrwxSpZ3KCc3Ti5Q8pD9ni6/B6st2+LO8EXPrS6n2+28nvu
hVpjyCXLbghdmn1mjOGW9lvMQEg/Dupj/ocpCPHJnXpbpM8Mcjo=
=3eAv
-----END PGP SIGNATURE-----
Merge 3.10.106 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.106: (252 commits)
packet: fix race condition in packet_set_ring
crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks
EVM: Use crypto_memneq() for digest comparisons
libceph: don't set weight to IN when OSD is destroyed
KVM: x86: fix emulation of "MOV SS, null selector"
KVM: x86: Introduce segmented_write_std
posix_acl: Clear SGID bit when setting file permissions
tmpfs: clear S_ISGID when setting posix ACLs
fbdev: color map copying bounds checking
selinux: fix off-by-one in setprocattr
tcp: avoid infinite loop in tcp_splice_read()
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
KEYS: Change the name of the dead type to ".dead" to prevent user access
KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
ext4: fix data exposure after a crash
locking/rtmutex: Prevent dequeue vs. unlock race
m68k: Fix ndelay() macro
hotplug: Make register and unregister notifier API symmetric
Btrfs: fix tree search logic when replaying directory entry deletes
USB: serial: kl5kusb105: fix open error path
block_dev: don't test bdev->bd_contains when it is not stable
crypto: caam - fix AEAD givenc descriptors
ext4: fix mballoc breakage with 64k block size
ext4: fix stack memory corruption with 64k block size
ext4: reject inodes with negative size
ext4: return -ENOMEM instead of success
f2fs: set ->owner for debugfs status file's file_operations
block: protect iterate_bdevs() against concurrent close
scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
scsi: zfcp: do not trace pure benign residual HBA responses at default level
scsi: zfcp: fix rport unblock race with LUN recovery
ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it
IB/mad: Fix an array index check
IB/multicast: Check ib_find_pkey() return value
powerpc: Convert cmp to cmpd in idle enter sequence
usb: gadget: composite: Test get_alt() presence instead of set_alt()
USB: serial: omninet: fix NULL-derefs at open and disconnect
USB: serial: quatech2: fix sleep-while-atomic in close
USB: serial: pl2303: fix NULL-deref at open
USB: serial: keyspan_pda: verify endpoints at probe
USB: serial: spcp8x5: fix NULL-deref at open
USB: serial: io_ti: fix NULL-deref at open
USB: serial: io_ti: fix another NULL-deref at open
USB: serial: iuu_phoenix: fix NULL-deref at open
USB: serial: garmin_gps: fix memory leak on failed URB submit
USB: serial: ti_usb_3410_5052: fix NULL-deref at open
USB: serial: io_edgeport: fix NULL-deref at open
USB: serial: oti6858: fix NULL-deref at open
USB: serial: cyberjack: fix NULL-deref at open
USB: serial: kobil_sct: fix NULL-deref in write
USB: serial: mos7840: fix NULL-deref at open
USB: serial: mos7720: fix NULL-deref at open
USB: serial: mos7720: fix use-after-free on probe errors
USB: serial: mos7720: fix parport use-after-free on probe errors
USB: serial: mos7720: fix parallel probe
usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
usb: musb: Fix trying to free already-free IRQ 4
ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
USB: serial: kl5kusb105: abort on open exception path
staging: iio: ad7606: fix improper setting of oversampling pins
usb: dwc3: gadget: always unmap EP0 requests
cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
hwmon: (ds620) Fix overflows seen when writing temperature limits
clk: clk-wm831x: fix a logic error
iommu/amd: Fix the left value check of cmd buffer
scsi: mvsas: fix command_active typo
target/iscsi: Fix double free in lio_target_tiqn_addtpg()
mmc: mmc_test: Uninitialized return value
powerpc/pci/rpadlpar: Fix device reference leaks
ser_gigaset: return -ENOMEM on error instead of success
net, sched: fix soft lockup in tc_classify
net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
gro: Enter slow-path if there is no tailroom
gro: use min_t() in skb_gro_reset_offset()
gro: Disable frag0 optimization on IPv6 ext headers
powerpc: Fix build warning on 32-bit PPC
Input: i8042 - add Pegatron touchpad to noloop table
mm/hugetlb.c: fix reservation race when freeing surplus pages
USB: serial: kl5kusb105: fix line-state error handling
USB: serial: ch341: fix initial modem-control state
USB: serial: ch341: fix open error handling
USB: serial: ch341: fix control-message error handling
USB: serial: ch341: fix open and resume after B0
USB: serial: ch341: fix resume after reset
USB: serial: ch341: fix modem-control and B0 handling
x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
powerpc/ibmebus: Fix further device reference leaks
powerpc/ibmebus: Fix device reference leaks in sysfs interface
IB/mlx4: Set traffic class in AH
IB/mlx4: Fix port query for 56Gb Ethernet links
perf scripting: Avoid leaking the scripting_context variable
ARM: dts: imx31: fix clock control module interrupts description
svcrpc: don't leak contexts on PROC_DESTROY
mmc: mxs-mmc: Fix additional cycles after transmission stop
mtd: nand: xway: disable module support
ubifs: Fix journal replay wrt. xattr nodes
arm64/ptrace: Preserve previous registers for short regset write
arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
ite-cir: initialize use_demodulator before using it
fuse: do not use iocb after it may have been freed
crypto: caam - fix non-hmac hashes
drm/i915: Don't leak edid in intel_crt_detect_ddc()
s5k4ecgx: select CRC32 helper
platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
net: fix harmonize_features() vs NETIF_F_HIGHDMA
tcp: initialize max window for a new fastopen socket
svcrpc: fix oops in absence of krb5 module
ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
mac80211: Fix adding of mesh vendor IEs
scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
drm/i915: fix use-after-free in page_flip_completed()
net: use a work queue to defer net_disable_timestamp() work
ipv4: keep skb->dst around in presence of IP options
netlabel: out of bound access in cipso_v4_validate()
ip6_gre: fix ip6gre_err() invalid reads
ping: fix a null pointer dereference
l2tp: do not use udp_ioctl()
packet: fix races in fanout_add()
packet: Do not call fanout_release from atomic contexts
net: socket: fix recvmmsg not returning error from sock_error
USB: serial: mos7840: fix another NULL-deref at open
USB: serial: ftdi_sio: fix modem-status error handling
USB: serial: ftdi_sio: fix extreme low-latency setting
USB: serial: ftdi_sio: fix line-status over-reporting
USB: serial: spcp8x5: fix modem-status handling
USB: serial: opticon: fix CTS retrieval at open
USB: serial: ark3116: fix register-accessor error handling
x86/platform/goldfish: Prevent unconditional loading
goldfish: Sanitize the broken interrupt handler
ocfs2: do not write error flag to user structure we cannot copy from/to
mfd: pm8921: Potential NULL dereference in pm8921_remove()
drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set()
net: 6lowpan: fix lowpan_header_create non-compression memcpy call
vti4: Don't count header length twice.
net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
MIPS: Clear ISA bit correctly in get_frame_info()
MIPS: Prevent unaligned accesses during stack unwinding
MIPS: Fix get_frame_info() handling of microMIPS function size
MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
MIPS: Calculate microMIPS ra properly when unwinding the stack
MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
uvcvideo: Fix a wrong macro
scsi: aacraid: Reorder Adapter status check
ath9k: use correct OTP register offsets for the AR9340 and AR9550
fuse: add missing FR_FORCE
RDMA/core: Fix incorrect structure packing for booleans
NFSv4: fix getacl head length estimation
s390/qdio: clear DSCI prior to scanning multiple input queues
IB/ipoib: Fix deadlock between rmmod and set_mode
ktest: Fix child exit code processing
nlm: Ensure callback code also checks that the files match
dm: flush queued bios when process blocks to avoid deadlock
USB: serial: digi_acceleport: fix OOB data sanity check
USB: serial: digi_acceleport: fix OOB-event processing
MIPS: ip27: Disable qlge driver in defconfig
tracing: Add #undef to fix compile error
USB: serial: safe_serial: fix information leak in completion handler
USB: serial: omninet: fix reference leaks at open
USB: iowarrior: fix NULL-deref at probe
USB: iowarrior: fix NULL-deref in write
USB: serial: io_ti: fix NULL-deref in interrupt callback
USB: serial: io_ti: fix information leak in completion handler
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
ipv4: mask tos for input route
locking/static_keys: Add static_key_{en,dis}able() helpers
net: net_enable_timestamp() can be called from irq contexts
dccp/tcp: fix routing redirect race
net sched actions: decrement module reference count after table flush.
perf/core: Fix event inheritance on fork()
isdn/gigaset: fix NULL-deref at probe
xen: do not re-use pirq number cached in pci device msi msg data
net: properly release sk_frag.page
net: unix: properly re-increment inflight counter of GC discarded candidates
Input: ims-pcu - validate number of endpoints before using them
Input: hanwang - validate number of endpoints before using them
Input: yealink - validate number of endpoints before using them
Input: cm109 - validate number of endpoints before using them
USB: uss720: fix NULL-deref at probe
USB: idmouse: fix NULL-deref at probe
USB: wusbcore: fix NULL-deref at probe
uwb: i1480-dfu: fix NULL-deref at probe
uwb: hwa-rc: fix NULL-deref at probe
mmc: ushc: fix NULL-deref at probe
ext4: mark inode dirty after converting inline directory
scsi: libsas: fix ata xfer length
ALSA: ctxfi: Fallback DMA mask to 32bit
ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
ACPI / PNP: Avoid conflicting resource reservations
ACPI / resources: free memory on error in add_region_before()
ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
USB: OHCI: Fix race between ED unlink and URB submission
i2c: at91: manage unexpected RXRDY flag when starting a transfer
ipv4: igmp: Allow removing groups from a removed interface
ptrace: fix PTRACE_LISTEN race corrupting task->state
ring-buffer: Fix return value check in test_ringbuffer()
metag/usercopy: Fix alignment error checking
metag/usercopy: Add early abort to copy_to_user
metag/usercopy: Set flags before ADDZ
metag/usercopy: Fix src fixup in from user rapf loops
metag/usercopy: Add missing fixups
s390/decompressor: fix initrd corruption caused by bss clear
net/mlx4_en: Fix bad WQE issue
net/mlx4_core: Fix racy CQ (Completion Queue) free
char: Drop bogus dependency of DEVPORT on !M68K
powerpc: Disable HFSCR[TM] if TM is not supported
pegasus: Use heap buffers for all register access
rtl8150: Use heap buffers for all register access
tracing: Allocate the snapshot buffer before enabling probe
ring-buffer: Have ring_buffer_iter_empty() return true when empty
netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
net: phy: handle state correctly in phy_stop_machine
l2tp: take reference on sessions being dumped
MIPS: KGDB: Use kernel context for sleeping threads
ARM: dts: imx31: move CCM device node to AIPS2 bus devices
ARM: dts: imx31: fix AVIC base address
tun: Fix TUN_PKT_STRIP setting
Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd()
net: sctp: rework multihoming retransmission path selection to rfc4960
perf trace: Use the syscall raw_syscalls:sys_enter timestamp
USB: usbtmc: add missing endpoint sanity check
ping: implement proper locking
USB: fix problems with duplicate endpoint addresses
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
mm/init: fix zone boundary creation
can: Fix kernel panic at security_sock_rcv_skb
Drivers: hv: avoid vfree() on crash
xc2028: avoid use after free
xc2028: unlock on error in xc2028_set_config()
xc2028: Fix use-after-free bug properly
ipv6: fix ip6_tnl_parse_tlv_enc_lim()
ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
ipv6: fix the use of pcpu_tstats in ip6_tunnel
sctp: avoid BUG_ON on sctp_wait_for_sndbuf
sctp: deny peeloff operation on asocs with threads sleeping on it
KVM: x86: clear bus pointer when destroyed
kvm: exclude ioeventfd from counting kvm_io_range limit
KVM: kvm_io_bus_unregister_dev() should never fail
TTY: n_hdlc, fix lockdep false positive
tty: n_hdlc: get rid of racy n_hdlc.tbuf
ipv6: handle -EFAULT from skb_copy_bits
fs: exec: apply CLOEXEC before changing dumpable task flags
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
dccp/tcp: do not inherit mc_list from parent
char: lp: fix possible integer overflow in lp_setup()
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
Linux 3.10.106
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
drivers/mfd/pm8921-core.c
include/linux/cpu.h
kernel/cpu.c
net/ipv4/inet_connection_sock.c
net/ipv4/ping.c
commit e1edab87faf6ca30cd137e0795bc73aa9a9a22ec upstream.
When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.
Read this value once and cache locally, as it can be updated between
the test and use (TOCTOU).
[js] we have TUN_VNET_HDR in 3.12
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
CC: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
[wt: s/READ_ONCE/ACCESS_ONCE]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 2eb783c43e7cf807a45899c10ed556b6dc116625 upstream.
We set the flag TUN_PKT_STRIP if the user buffer provided is too
small to contain the entire packet plus meta-data. However, this
has been broken ever since we added GSO meta-data. VLAN acceleration
also has the same problem.
This patch fixes this by taking both into account when setting the
TUN_PKT_STRIP flag.
The fact that this has been broken for six years without anyone
realising means that nobody actually uses this flag.
Fixes: f43798c276 ("tun: Allow GSO using virtio_net_hdr")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: no tuntap VLAN offloading in 3.10]
Signed-off-by: Willy Tarreau <w@1wt.eu>
The following commits have been reverted from this merge, as they are
known to introduce new bugs and are currently incompatible with our
audio implementation. Investigation of these commits is ongoing, and
they are expected to be brought in at a later time:
86e6de7 ALSA: compress: fix drain calls blocking other compress functions (v6)
16442d4 ALSA: compress: fix drain calls blocking other compress functions
This merge commit also includes a change in block, necessary for
compilation. Upstream has modified elevator_init_fn to prevent race
conditions, requring updates to row_init_queue and test_init_queue.
* commit 'v3.10.28': (1964 commits)
Linux 3.10.28
ARM: 7938/1: OMAP4/highbank: Flush L2 cache before disabling
drm/i915: Don't grab crtc mutexes in intel_modeset_gem_init()
serial: amba-pl011: use port lock to guard control register access
mm: Make {,set}page_address() static inline if WANT_PAGE_VIRTUAL
md/raid5: Fix possible confusion when multiple write errors occur.
md/raid10: fix two bugs in handling of known-bad-blocks.
md/raid10: fix bug when raid10 recovery fails to recover a block.
md: fix problem when adding device to read-only array with bitmap.
drm/i915: fix DDI PLLs HW state readout code
nilfs2: fix segctor bug that causes file system corruption
thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only
ftrace/x86: Load ftrace_ops in parameter not the variable holding it
SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
writeback: Fix data corruption on NFS
hwmon: (coretemp) Fix truncated name of alarm attributes
vfs: In d_path don't call d_dname on a mount point
staging: comedi: adl_pci9111: fix incorrect irq passed to request_irq()
staging: comedi: addi_apci_1032: fix subdevice type/flags bug
mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully
GFS2: Increase i_writecount during gfs2_setattr_chown
perf/x86/amd/ibs: Fix waking up from S3 for AMD family 10h
perf scripting perl: Fix build error on Fedora 12
ARM: 7815/1: kexec: offline non panic CPUs on Kdump panic
Linux 3.10.27
sched: Guarantee new group-entities always have weight
sched: Fix hrtimer_cancel()/rq->lock deadlock
sched: Fix cfs_bandwidth misuse of hrtimer_expires_remaining
sched: Fix race on toggling cfs_bandwidth_used
x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
SCSI: sd: Reduce buffer size for vpd request
intel_pstate: Add X86_FEATURE_APERFMPERF to cpu match parameters.
mac80211: move "bufferable MMPDU" check to fix AP mode scan
ACPI / Battery: Add a _BIX quirk for NEC LZ750/LS
ACPI / TPM: fix memory leak when walking ACPI namespace
mfd: rtsx_pcr: Disable interrupts before cancelling delayed works
clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks
clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg clock
clk: samsung: exynos4: Correct SRC_MFC register
clk: clk-divider: fix divisor > 255 bug
ahci: add PCI ID for Marvell 88SE9170 SATA controller
parisc: Ensure full cache coherency for kmap/kunmap
drm/nouveau/bios: make jump conditional
ARM: shmobile: mackerel: Fix coherent DMA mask
ARM: shmobile: armadillo: Fix coherent DMA mask
ARM: shmobile: kzm9g: Fix coherent DMA mask
ARM: dts: exynos5250: Fix MDMA0 clock number
ARM: fix "bad mode in ... handler" message for undefined instructions
ARM: fix footbridge clockevent device
net: Loosen constraints for recalculating checksum in skb_segment()
bridge: use spin_lock_bh() in br_multicast_set_hash_max
netpoll: Fix missing TXQ unlock and and OOPS.
net: llc: fix use after free in llc_ui_recvmsg
virtio-net: fix refill races during restore
virtio_net: don't leak memory or block when too many frags
virtio-net: make all RX paths handle errors consistently
virtio_net: fix error handling for mergeable buffers
vlan: Fix header ops passthru when doing TX VLAN offload.
net: rose: restore old recvmsg behavior
rds: prevent dereference of a NULL device
ipv6: always set the new created dst's from in ip6_rt_copy
net: fec: fix potential use after free
hamradio/yam: fix info leak in ioctl
drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
net: inet_diag: zero out uninitialized idiag_{src,dst} fields
ip_gre: fix msg_name parsing for recvfrom/recvmsg
net: unix: allow bind to fail on mutex lock
ipv6: fix illegal mac_header comparison on 32bit
netvsc: don't flush peers notifying work during setting mtu
tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0
net: unix: allow set_peek_off to fail
net: drop_monitor: fix the value of maxattr
ipv6: don't count addrconf generated routes against gc limit
packet: fix send path when running with proto == 0
virtio: delete napi structures from netdev before releasing memory
macvtap: signal truncated packets
tun: update file current position
macvtap: update file current position
macvtap: Do not double-count received packets
rds: prevent BUG_ON triggered on congestion update to loopback
net: do not pretend FRAGLIST support
IPv6: Fixed support for blackhole and prohibit routes
HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue""
gpio-rcar: R-Car GPIO IRQ share interrupt
clocksource: em_sti: Set cpu_possible_mask to fix SMP broadcast
irqchip: renesas-irqc: Fix irqc_probe error handling
Linux 3.10.26
sh: add EXPORT_SYMBOL(min_low_pfn) and EXPORT_SYMBOL(max_low_pfn) to sh_ksyms_32.c
ext4: fix bigalloc regression
arm64: Use Normal NonCacheable memory for writecombine
arm64: Do not flush the D-cache for anonymous pages
arm64: Avoid cache flushing in flush_dcache_page()
ARM: KVM: arch_timers: zero CNTVOFF upon return to host
ARM: hyp: initialize CNTVOFF to zero
clocksource: arch_timer: use virtual counters
arm64: Remove unused cpu_name ascii in arch/arm64/mm/proc.S
arm64: dts: Reserve the memory used for secondary CPU release address
arm64: check for number of arguments in syscall_get/set_arguments()
arm64: fix possible invalid FPSIMD initialization state
...
Change-Id: Ia0e5d71b536ab49ec3a1179d59238c05bdd03106
Signed-off-by: Ian Maund <imaund@codeaurora.org>
[ Upstream commit 96f8d9ecf227638c89f98ccdcdd50b569891976c ]
We currently use hdr_len as a hint of head length which is advertised by
guest. But when guest advertise a very big value, it can lead to an 64K+
allocating of kmalloc() which has a very high possibility of failure when host
memory is fragmented or under heavy stress. The huge hdr_len also reduce the
effect of zerocopy or even disable if a gso skb is linearized in guest.
To solves those issues, this patch introduces an upper limit (PAGE_SIZE) of the
head, which guarantees an order 0 allocation each time.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 662ca437e714caaab855b12415d6ffd815985bc0 ]
Commit c8d68e6be1
(tuntap: multiqueue support) only call free_netdev() on error in
tun_set_iff(). This causes several issues:
- memory of tun security were leaked
- use after free since the flow gc timer was not deleted and the tfile
were not detached
This patch solves the above issues.
Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ]
The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
not totally correct. Because "len" and "sizeof()" are size_t type, that
means they are never less than zero.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 885291761dba2bfe04df4c0f7bb75e4c920ab82e ]
We try to linearize part of the skb when the number of iov is greater than
MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than
one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest
network.
Solve this problem by calculate the pages needed for iov before trying to do
zerocopy and switch to use copy instead of zerocopy if it needs more than
MAX_SKB_FRAGS.
This is done through introducing a new helper to count the pages for iov, and
call uarg->callback() manually when switching from zerocopy to copy to notify
vhost.
We can do further optimization on top.
The bug were introduced from commit 0690899b4d
(tun: experimental zero copy tx support)
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d ]
Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
linearize parts of the skb to let the rest of iov to be fit in
the frags, we need count copylen into linear when calling tun_alloc_skb()
instead of partly counting it into data_len. Since this breaks
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
be zero at beginning. This cause nr_frags to be increased wrongly without
setting the correct frags.
This bug were introduced from 0690899b4d
(tun: experimental zero copy tx support)
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
get user pages might fail partially in tun zero copy
mode. To recover we need to put all pages that we got,
but code used a wrong index resulting in double-free
errors.
Reported-by: Brad Hubbard <bhubbard@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 54f968d6ef
(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will
prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting
it during file open.
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Complier may generate codes that re-read the tun->numqueues during
tun_select_queue(). This may be a race if vlan->numqueues were changed in the
same time and can lead unexpected result (e.g. very huge value).
We need prevent the compiler from generating such codes by adding an
ACCESS_ONCE() to make sure tun->numqueues were only read once.
Bug were introduced by commit c8d68e6be1
(tuntap: multiqueue support).
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We currently allow changing the mq flag (IFF_MULTI_QUEUE) for a persistent
device. This will result a mismatch between the number the queues in netdev and
tuntap. This is because we only allocate a 1q netdevice when IFF_MULTI_QUEUE was
not specified, so when we set the IFF_MULTI_QUEUE and try to attach more queues
later, netif_set_real_num_tx_queues() may fail which result a single queue
netdevice with multiple sockets attached.
Solve this by disallowing changing the mq flag for persistent device.
Bug was introduced by commit edfb6a148c
(tuntap: reduce memory using of queues).
Reported-by: Sriram Narasimhan <sriram.narasimhan@hp.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
drivers/net/ethernet/emulex/benet/be.h
include/net/tcp.h
net/mac802154/mac802154.h
Most conflicts were minor overlapping stuff.
The be2net driver brought in some fixes that added __vlan_put_tag
calls, which in net-next take an additional argument.
Signed-off-by: David S. Miller <davem@davemloft.net>
We forget to release the reference of tun device in tun_recvmsg.
bug introduced in commit 54f968d6ef
(tuntap: move socket to tun_file)
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit (3be8fbab tuntap: fix error return code in tun_set_iff()) breaks the
creation of multiqueue tuntap since it forbids to create more than one queues
for a multiqueue tuntap device. We need return 0 instead -EBUSY here since we
don't want to re-initialize the device when one or more queues has been already
attached. Add a comment and correct the return value to zero.
Reported-by: Jerry Chu <hkchu@google.com>
Cc: Jerry Chu <hkchu@google.com>
Cc: Wei Yongjun <weiyj.lk@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jerry Chu <hkchu@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
drivers/net/ethernet/emulex/benet/be_main.c
drivers/net/ethernet/intel/igb/igb_main.c
drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
include/net/scm.h
net/batman-adv/routing.c
net/ipv4/tcp_input.c
The e{uid,gid} --> {uid,gid} credentials fix conflicted with the
cleanup in net-next to now pass cred structs around.
The be2net driver had a bug fix in 'net' that overlapped with the VLAN
interface changes by Patrick McHardy in net-next.
An IGB conflict existed because in 'net' the build_skb() support was
reverted, and in 'net-next' there was a comment style fix within that
code.
Several batman-adv conflicts were resolved by making sure that all
calls to batadv_is_my_mac() are changed to have a new bat_priv first
argument.
Eric Dumazet's TS ECR fix in TCP in 'net' conflicted with the F-RTO
rewrite in 'net-next', mostly overlapping changes.
Thanks to Stephen Rothwell and Antonio Quartulli for help with several
of these merge resolutions.
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix to return a negative error code from the error handling
case instead of 0, as returned elsewhere in this function.
[ Bug added in linux-3.8 , commit 4008e97f86
("tuntap: fix ambigious multiqueue API") ]
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The vlan_features was zero which prevents vlan GSO packets to be transmitted to
userspace. This is suboptimal so enable this by initialize vlan_features for
tuntap.
Netperf shows better performance of guest receiving since vlan TSO works for
tuntap:
before:
netperf -H 192.168.5.4
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.5.4 ()
port 0 AF_INET : demo
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.01 2786.67
after:
netperf -H 192.168.5.4
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.5.4 ()
port 0 AF_INET : demo
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.00 8085.49
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Switch to use the new help skb_probe_transport_header() to do the l4 header
probing for untrusted sources. For packets with partial csum, the header should
already been set by skb_partial_csum_set().
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently, for the packets receives from tuntap, before doing header check,
kernel just reset the transport header in netif_receive_skb() which pretends no
l4 header. This is suboptimal for precise packet length estimation (introduced
in 1def9238) which needs correct l4 header for gso packets.
So this patch set the transport header to csum_start for partial checksum
packets, otherwise it first try skb_flow_dissect(), if it fails, just reset the
transport header.
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The variable dev is initialized but never used
otherwise, so remove the unused variable.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Patch cef401de7b (net: fix possible wrong checksum
generation) fixed wrong checksum calculation but it broke TSO by
defining new GSO type but not a netdev feature for that type.
net_gso_ok() would not allow hardware checksum/segmentation
offload of such packets without the feature.
Following patch fixes TSO and wrong checksum. This patch uses
same logic that Eric Dumazet used. Patch introduces new flag
SKBTX_SHARED_FRAG if at least one frag can be modified by
the user. but SKBTX_SHARED_FRAG flag is kept in skb shared
info tx_flags rather than gso_type.
tx_flags is better compared to gso_type since we can have skb with
shared frag without gso packet. It does not link SHARED_FRAG to
GSO, So there is no need to define netdev feature for this.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
drivers/net/ethernet/intel/e1000e/ethtool.c
drivers/net/vmxnet3/vmxnet3_drv.c
drivers/net/wireless/iwlwifi/dvm/tx.c
net/ipv6/route.c
The ipv6 route.c conflict is simple, just ignore the 'net' side change
as we fixed the same problem in 'net-next' by eliminating cached
neighbours from ipv6 routes.
The e1000e conflict is an addition of a new statistic in the ethtool
code, trivial.
The vmxnet3 conflict is about one change in 'net' removing a guarding
conditional, whilst in 'net-next' we had a netdev_info() conversion.
The iwlwifi conflict is dealing with a WARN_ON() conversion in
'net-next' vs. a revert happening in 'net'.
Signed-off-by: David S. Miller <davem@davemloft.net>
We forbid polling, writing and reading when the file were detached, this may
complex the user in several cases:
- when guest pass some buffers to vhost/qemu and then disable some queues,
host/qemu needs to do its own cleanup on those buffers which is complex
sometimes. We can do this simply by allowing a user can still write to an
disabled queue. Write to an disabled queue will cause the packet pass to the
kernel and read will get nothing.
- align the polling behavior with macvtap which never fails when the queue is
created. This can simplify the polling errors handling of its user (e.g vhost)
We can simply achieve this by don't assign NULL to tfile->tun when detached.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit c8d68e6be1 removed carrier off call
from tun_detach since it's now called on queue disable and not only on
tun close. This confuses userspace which used this flag to detect a
free tun. To fix, put this back but under if (clean).
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bring in the 'net' tree so that we can get some ipv4/ipv6 bug
fixes that some net-next work will build upon.
Signed-off-by: David S. Miller <davem@davemloft.net>
Pravin Shelar mentioned that GSO could potentially generate
wrong TX checksum if skb has fragments that are overwritten
by the user between the checksum computation and transmit.
He suggested to linearize skbs but this extra copy can be
avoided for normal tcp skbs cooked by tcp_sendmsg().
This patch introduces a new SKB_GSO_SHARED_FRAG flag, set
in skb_shinfo(skb)->gso_type if at least one frag can be
modified by the user.
Typical sources of such possible overwrites are {vm}splice(),
sendfile(), and macvtap/tun/virtio_net drivers.
Tested:
$ netperf -H 7.7.8.84
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to
7.7.8.84 () port 0 AF_INET
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.00 3959.52
$ netperf -H 7.7.8.84 -t TCP_SENDFILE
TCP SENDFILE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 7.7.8.84 ()
port 0 AF_INET
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.00 3216.80
Performance of the SENDFILE is impacted by the extra allocation and
copy, and because we use order-0 pages, while the TCP_STREAM uses
bigger pages.
Reported-by: Pravin Shelar <pshelar@nicira.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We create new flow caches when a new flow is identified by tuntap, This may lead
some issues:
- userspace may produce a huge amount of short live flows to exhaust host memory
- the unlimited number of flow caches may produce a long list which increase the
time in the linear searching
Solve this by introducing a limit of total number of flow caches.
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
A MAX_TAP_QUEUES(1024) queues of tuntap device is always allocated
unconditionally even userspace only requires a single queue device. This is
unnecessary and will lead a very high order of page allocation when has a high
possibility to fail. Solving this by creating a one queue net device when
userspace only use one queue and also reduce MAX_TAP_QUEUES to
DEFAULT_MAX_NUM_RSS_QUEUES which can guarantee the success of
the allocation.
Reported-by: Dirk Hohndel <dirk@hohndel.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch corrects some problems with LSM/SELinux that were introduced
with the multiqueue patchset. The problem stems from the fact that the
multiqueue work changed the relationship between the tun device and its
associated socket; before the socket persisted for the life of the
device, however after the multiqueue changes the socket only persisted
for the life of the userspace connection (fd open). For non-persistent
devices this is not an issue, but for persistent devices this can cause
the tun device to lose its SELinux label.
We correct this problem by adding an opaque LSM security blob to the
tun device struct which allows us to have the LSM security state, e.g.
SELinux labeling information, persist for the lifetime of the tun
device. In the process we tweak the LSM hooks to work with this new
approach to TUN device/socket labeling and introduce a new LSM hook,
security_tun_dev_attach_queue(), to approve requests to attach to a
TUN queue via TUNSETQUEUE.
The SELinux code has been adjusted to match the new LSM hooks, the
other LSMs do not make use of the LSM TUN controls. This patch makes
use of the recently added "tun_socket:attach_queue" permission to
restrict access to the TUNSETQUEUE operation. On older SELinux
policies which do not define the "tun_socket:attach_queue" permission
the access control decision for TUNSETQUEUE will be handled according
to the SELinux policy's unknown permission setting.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@parisplace.org>
Tested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reference count leaking of both module and sock were found:
- When a detached file were closed, its sock refcnt from device were not
released, solving this by add the sock_put().
- The module were hold or drop unconditionally in TUNSETPERSIST, which means we
if we set the persist flag for N times, we need unset it for another N
times. Solving this by only hold or drop an reference when there's a flag
change and also drop the reference count when the persist device is deleted.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael points out that even after Stefan's fix the TUNSETIFF is still allowed
to create a new tap device. This because we only check tfile->tun but the
tfile->detached were introduced. Fix this by failing early in tun_set_iff() if
the file is detached. After this fix, there's no need to do the check again in
tun_set_iff(), so this patch removes it.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Switch to use rtnl_dereference() instead of the open code, suggested by Eric.
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
At the moment, we check owner when we enable queue in tun.
This seems redundant and will break some valid uses
where fd is passed around: I think TUNSETOWNER is there
to prevent others from attaching to a persistent device not
owned by them. Here the fd is already attached,
enabling/disabling queue is more like read/write.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Multiqueue tun devices support detaching a tun_file from its tun_struct
and re-attaching at a later point in time. This allows users to disable
a specific queue temporarily.
ioctl(TUNSETIFF) allows the user to specify the network interface to
attach by name. This means the user can attempt to attach to interface
"B" after detaching from interface "A".
The driver is not designed to support this so check we are re-attaching
to the right tun_struct. Failure to do so may lead to oops.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 96442e4242 (tuntap: choose the txq based on rxq)
added a per tun_struct kmem_cache.
As soon as several tun_struct are used, we get an error
because two caches cannot have same name.
Use the default kmalloc()/kfree_rcu(), as it reduce code
size and doesn't have performance impact here.
Reported-by: Paul Moore <pmoore@redhat.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Make tun_enable_queue() static to fix the sparse warning:
drivers/net/tun.c:399:19: sparse: symbol 'tun_enable_queue' was not declared. Should it be static?
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 499744209b (tuntap: dont use skb after netif_rx_ni(skb))
introduced another bug.
skb_get_rxhash() needs to access the network header, and it was
set for us in netif_rx_ni().
We need to reset network header or else skb_flow_dissect() behavior
is out of control.
Reported-and-tested-by: Kirill A. Shutemov <kirill@shutemov.name>
Tested-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The current multiqueue API is ambigious which may confuse both user and LSM to
do things correctly:
- Both TUNSETIFF and TUNSETQUEUE could be used to create the queues of a tuntap
device.
- TUNSETQUEUE were used to disable and enable a specific queue of the
device. But since the state of tuntap were completely removed from the queue,
it could be used to attach to another device (there's no such kind of
requirement currently, and it needs new kind of LSM policy.
- TUNSETQUEUE could be used to attach to a persistent device without any
queues. This kind of attching bypass the necessary checking during TUNSETIFF
and may lead unexpected result.
So this patch tries to make a cleaner and simpler API by:
- Only allow TUNSETIFF to create queues.
- TUNSETQUEUE could be only used to disable and enabled the queues of a device,
and the state of the tuntap device were not detachd from the queues when it
was disabled, so TUNSETQUEUE could be only used after TUNSETIFF and with the
same device.
This is done by introducing a list which keeps track of all queues which were
disabled. The queue would be moved between this list and tfiles[] array when it
was enabled/disabled. A pointer of the tun_struct were also introdued to track
the device it belongs to when it was disabled.
After the change, the isolation between management and application could be done
through: TUNSETIFF were only called by management software and TUNSETQUEUE were
only called by application.For LSM/SELinux, the things left is to do proper
check during tun_set_queue() if needed.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This is a pure software device, and ok with live address change.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
On error, the error code from tun_flow_init() is lost inside
tun_set_iff(), this patch fixes this by assigning the tun_flow_init()
error code to the "err" variable which is returned by
the tun_flow_init() function on error.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Historically tun supported two modes of operation:
- in default mode, a small number of packets would get queued
at the device, the rest would be queued in qdisc
- in one queue mode, all packets would get queued at the device
This might have made sense up to a point where we made the
queue depth for both modes the same and set it to
a huge value (500) so unless the consumer
is stuck the chance of losing packets is small.
Thus in practice both modes behave the same, but the
default mode has some problems:
- if packets are never consumed, fragments are never orphaned
which cases a DOS for sender using zero copy transmit
- overrun errors are hard to diagnose: fifo error is incremented
only once so you can not distinguish between
userspace that is stuck and a transient failure,
tcpdump on the device does not show any traffic
Userspace solves this simply by enabling IFF_ONE_QUEUE
but there seems to be little point in not doing the
right thing for everyone, by default.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We attach queue 0 after registering netdevice currently. This leads to call
netif_set_real_num_{tx|rx}_queues() after registering the netdevice. Since we
allow tun/tap has a maximum of 1024 queues, this may lead a huge number of
uevents to be injected to userspace since we create 2048 kobjects and then
remove 2046. Solve this problem by attaching queue 0 and set the real number of
queues before registering netdevice.
Reported-by: Jiri Slaby <jslaby@suse.cz>
Tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>