remove stale patches (fixes are upstream now)
authorDietmar Maurer <dietmar@proxmox.com>
Thu, 2 Jun 2016 10:32:23 +0000 (12:32 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 2 Jun 2016 10:32:23 +0000 (12:32 +0200)
Makefile
changelog.Debian
infinite-loop-fix.patch [deleted file]
veth-do-not-modify-ip_summed.patch [deleted file]

index 38ee27c151dc833f4cf3b1c80f3667af8f8b66a3..c7ecd12782d8e3ec95d8a603298746fcd2b9a38b 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -207,9 +207,6 @@ ${KERNEL_SRC}/README: ${KERNEL_SRC}.org/README
        cd ${KERNEL_SRC}; patch -p1 <../fix-idr-header-for-drbd-compilation.patch
        cd ${KERNEL_SRC}; patch -p1 <../kvm-x86-ignore-ioapic-polarity.patch
        cd ${KERNEL_SRC}; patch -p1 <../fix-jfs-compile-error.patch
-       cd ${KERNEL_SRC}; patch -p1 <../infinite-loop-fix.patch
-       # fix veth checksum errors
-       cd ${KERNEL_SRC}; patch -p1 <../veth-do-not-modify-ip_summed.patch
        sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
        touch $@
 
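Review bot: With the `patch -p1 <../infinite-loop-fix.patch` step removed from this recipe, nothing in the build confirms that the unpacked ${KERNEL_SRC} still carries the #AC intercept for CVE-2015-5307. The commit title says the fixes are upstream, but no change to the base kernel source is visible in this diff, so that is taken on trust. Since losing the intercept would bring back a guest-triggerable host DoS, I would add a cheap guard before `touch $@`, for example `grep -q AC_VECTOR ${KERNEL_SRC}/arch/x86/kvm/vmx.c` (and the same for `svm.c`), so the build fails if a later source bump drops it. An equivalent check for the removed veth-do-not-modify-ip_summed.patch step would be worthwhile, though the exact pattern depends on how the fix looks in the upstream tree. The recipe for ${KERNEL_SRC}/README starts above this hunk, so the lines that unpack the source are not visible here.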
index a62645c01e11b95bbe40af13d960b16d43c2bd50..59ee5ada99fc2595a51e6c74c32f4083f4085e3d 100644 (file)
@@ -4,6 +4,10 @@ pve-kernel-2.6.32 (2.6.32-175) unstable; urgency=low
 
   * bump kernel API to 46-pve
 
+  * remove infinite-loop-fix.patch (upstream)
+
+  * remove veth-do-not-modify-ip_summed.patch (upstream)
+
  -- Proxmox Support Team <support@proxmox.com>  Thu, 02 Jun 2016 11:49:32 +0200
 
 pve-kernel-2.6.32 (2.6.32-174) unstable; urgency=low
diff --git a/infinite-loop-fix.patch b/infinite-loop-fix.patch
deleted file mode 100644 (file)
index cdef6b8..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-commit 54a20552e1eae07aa240fa370a0293e006b5faed
-Author: Eric Northup <digitaleric@google.com>
-Date:   Tue Nov 3 18:03:53 2015 +0100
-
-    KVM: x86: work around infinite loop in microcode when #AC is delivered
-    
-    It was found that a guest can DoS a host by triggering an infinite
-    stream of "alignment check" (#AC) exceptions.  This causes the
-    microcode to enter an infinite loop where the core never receives
-    another interrupt.  The host kernel panics pretty quickly due to the
-    effects (CVE-2015-5307).
-    
-    Signed-off-by: Eric Northup <digitaleric@google.com>
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-diff --git a/arch/x86/include/asm/kvm.h b/arch/x86/include/asm/kvm.h
---- a/arch/x86/include/asm/kvm.h
-+++ b/arch/x86/include/asm/kvm.h
-@@ -23,6 +23,7 @@
- #define GP_VECTOR 13
- #define PF_VECTOR 14
- #define MF_VECTOR 16
-+#define AC_VECTOR 17
- #define MC_VECTOR 18
- /* Select x86 specific features in <linux/kvm.h> */
-diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
-index b5d7640..8a4add8 100644
---- a/arch/x86/include/asm/svm.h
-+++ b/arch/x86/include/asm/svm.h
-@@ -100,6 +100,7 @@
-       { SVM_EXIT_EXCP_BASE + UD_VECTOR,       "UD excp" }, \
-       { SVM_EXIT_EXCP_BASE + PF_VECTOR,       "PF excp" }, \
-       { SVM_EXIT_EXCP_BASE + NM_VECTOR,       "NM excp" }, \
-+      { SVM_EXIT_EXCP_BASE + AC_VECTOR,       "AC excp" }, \
-       { SVM_EXIT_EXCP_BASE + MC_VECTOR,       "MC excp" }, \
-       { SVM_EXIT_INTR,        "interrupt" }, \
-       { SVM_EXIT_NMI,         "nmi" }, \
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index f2ba919..1839264 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1019,7 +1019,8 @@ static void init_vmcb(struct vcpu_svm *svm)
- control->intercept_exceptions = (1 << PF_VECTOR) |
-                                       (1 << UD_VECTOR) |
--                                      (1 << MC_VECTOR);
-+                                      (1 << MC_VECTOR) |
-+                                      (1 << AC_VECTOR);
-       control->intercept =    (1ULL << INTERCEPT_INTR) |
-                               (1ULL << INTERCEPT_NMI) |
-@@ -1707,6 +1708,12 @@ static int ud_interception(struct vcpu_svm *svm)
-       return 1;
- }
-+static int ac_interception(struct vcpu_svm *svm)
-+{
-+      kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
-+      return 1;
-+}
-+
- static int nm_interception(struct vcpu_svm *svm)
- {
-       svm->vmcb->control.intercept_exceptions &= ~(1 << NM_VECTOR);
-@@ -3270,6 +3277,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
-       [SVM_EXIT_EXCP_BASE + PF_VECTOR]        = pf_interception,
-       [SVM_EXIT_EXCP_BASE + NM_VECTOR]        = nm_interception,
-       [SVM_EXIT_EXCP_BASE + MC_VECTOR]        = mc_interception,
-+      [SVM_EXIT_EXCP_BASE + AC_VECTOR]        = ac_interception,
-       [SVM_EXIT_INTR]                         = intr_interception,
-       [SVM_EXIT_NMI]                          = nmi_interception,
-       [SVM_EXIT_SMI]                          = nop_on_interception,
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index b765b03..89aaedd 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1639,7 +1639,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
-       u32 eb;
-       eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR)
--              | (1u << NM_VECTOR);
-+              | (1u << NM_VECTOR) | (1u << AC_VECTOR);
-       /*
-        * Unconditionally intercept #DB so we can maintain dr6 without
-        * reading it every exit.
-@@ -5261,6 +5261,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
-               return handle_rmode_exception(vcpu, ex_no, error_code);
-       switch (ex_no) {
-+      case AC_VECTOR:
-+              kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
-+              return 1;
-       case DB_VECTOR:
-               dr6 = vmcs_readl(EXIT_QUALIFICATION);
-               if (!(vcpu->guest_debug &
diff --git a/veth-do-not-modify-ip_summed.patch b/veth-do-not-modify-ip_summed.patch
deleted file mode 100644 (file)
index adf67df..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-From ce8c839b74e3017996fad4e1b7ba2e2625ede82f Mon Sep 17 00:00:00 2001
-From: Vijay Pandurangan <vijayp@vijayp.ca>
-Date: Fri, 18 Dec 2015 14:34:59 -0500
-Subject: =?UTF-8?q?veth:=20don=E2=80=99t=20modify=20ip=5Fsummed;=20doing?=
- =?UTF-8?q?=20so=20treats=20packets=20with=20bad=20checksums=20as=20good.?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Packets that arrive from real hardware devices have ip_summed ==
-CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
-CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
-current version of veth will replace CHECKSUM_NONE with
-CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
-a veth device to be delivered to the application. This caused applications
-at Twitter to receive corrupt data when network hardware was corrupting
-packets.
-
-We believe this was added as an optimization to skip computing and
-verifying checksums for communication between containers. However, locally
-generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
-written does nothing for them. As far as we can tell, after removing this
-code, these packets are transmitted from one stack to another unmodified
-(tcpdump shows invalid checksums on both sides, as expected), and they are
-delivered correctly to applications. We didn’t test every possible network
-configuration, but we tried a few common ones such as bridging containers,
-using NAT between the host and a container, and routing from hardware
-devices to containers. We have effectively deployed this in production at
-Twitter (by disabling RX checksum offloading on veth devices).
-
-This code dates back to the first version of the driver, commit
-<e314dbdc1c0dc6a548ecf> ("[NET]: Virtual ethernet device driver"), so I
-suspect this bug occurred mostly because the driver API has evolved
-significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
-packet checksumming") (in December 2010) fixed this for packets that get
-created locally and sent to hardware devices, by not changing
-CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
-in from hardware devices.
-
-Co-authored-by: Evan Jones <ej@evanjones.ca>
-Signed-off-by: Evan Jones <ej@evanjones.ca>
-Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
-Cc: Phil Sutter <phil@nwl.cc>
-Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Cc: netdev@vger.kernel.org
-Cc: linux-kernel@vger.kernel.org
-Signed-off-by: Vijay Pandurangan <vijayp@vijayp.ca>
-Acked-by: Cong Wang <cwang@twopensource.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/veth.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/drivers/net/veth.c b/drivers/net/veth.c
-index 0ef4a5a..ba21d07 100644
---- a/drivers/net/veth.c
-+++ b/drivers/net/veth.c
-@@ -117,12 +117,6 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
-               kfree_skb(skb);
-               goto drop;
-       }
--      /* don't change ip_summed == CHECKSUM_PARTIAL, as that
--       * will cause bad checksum on forwarded packets
--       */
--      if (skb->ip_summed == CHECKSUM_NONE &&
--          rcv->features & NETIF_F_RXCSUM)
--              skb->ip_summed = CHECKSUM_UNNECESSARY;
-       if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) {
-               struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats);
--- 
-cgit v0.12
-