Linux kernel source tree https://git.amat.us/linux/atom/?h=v3.9.5 2013-06-07T19:54:00Z 2013-06-07T19:54:00Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-06-07T19:54:00Z urn:sha1:5dd2e9869de2d28fc7e5c274ff9c12af4361ba86 2013-06-07T19:53:37Z Wei Liu wei.liu2@citrix.com 2013-05-02T00:43:59Z urn:sha1:a12c866cc1665ea4800eb6c171f44e14d7df16d9 commit 376414945d15aa636e65f7e773c1e398b7a21cb9 upstream. This patch only changes some names to avoid confusion. In this patch we have: MAX_SKB_SLOTS_DEFAULT -> FATAL_SKB_SLOTS_DEFAULT max_skb_slots -> fatal_skb_slots #define XEN_NETBK_LEGACY_SLOTS_MAX XEN_NETIF_NR_SLOTS_MIN The fatal_skb_slots is the threshold to determine whether a packet is malicious. XEN_NETBK_LEGACY_SLOTS_MAX is the maximum slots a valid packet can have at this point. It is defined to be XEN_NETIF_NR_SLOTS_MIN because that's guaranteed to be supported by all backends. Suggested-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:37Z Johannes Berg johannes.berg@intel.com 2013-05-23T20:24:11Z urn:sha1:b113898f2cfe280aaf3fc0743eb798778dedaee0 Unfortunately, advertising P2P_DEVICE support was a little premature, a number of issues came up in testing and have been fixed for 3.10. Rather than try to backport all the different fixes, disable P2P_DEVICE support in the drivers using it. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Johannes Berg johannes.berg@intel.com 2013-05-23T20:24:31Z urn:sha1:2e8a935b639356f8397d39b118ac914d99b55871 Unfortunately, advertising P2P_DEVICE support was a little premature, a number of issues came up in testing and have been fixed for 3.10. Rather than try to backport all the different fixes, disable P2P_DEVICE support in the drivers using it. For iwlmvm that implies disabling P2P completely as it can't support P2P operation w/o P2P Device. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Wei Liu wei.liu2@citrix.com 2013-04-22T02:20:41Z urn:sha1:539f197a06fd6eb2d1211bac9133e8c903fcc70c commit 9ecd1a75d977e2e8c48139c7d3efed183f898d94 upstream. The maximum packet including header that can be handled by netfront / netback wire format is 65535. Reduce gso_max_size accordingly. Drop skb and print warning when skb->len > 65535. This can 1) save the effort to send malformed packet to netback, 2) help spotting misconfiguration of netfront in the future. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Wei Liu wei.liu2@citrix.com 2013-05-02T00:43:58Z urn:sha1:d05a2b14b1b8263ab7467076cdf842b673695267 commit 59ccb4ebbc35e36a3c143f2d1355deb75c2e628f upstream. Tune xen_netbk_count_requests to not touch working array beyond limit, so that we can make working array size constant. Suggested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Wei Liu wei.liu2@citrix.com 2013-05-02T00:43:57Z urn:sha1:8660ef055e202b6f383fd7300a6cbc49c08eba89 commit ac69c26e7accb04ae2cb9ab0872068983a42b3c8 upstream. Tracking down from the caller, first_idx is always equal to vif->tx.req_cons. Remove it to avoid confusion. Suggested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Wei Liu wei.liu2@citrix.com 2013-04-22T02:20:43Z urn:sha1:7ba65651e0c75fa221d8ca41aec99843b4055304 commit 03393fd5cc2b6cdeec32b704ecba64dbb0feae3c upstream. Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length. Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Wei Liu wei.liu2@citrix.com 2013-04-22T02:20:42Z urn:sha1:c34e3784b94f9eef8860bb142ca56fddb3c5951f commit 2810e5b9a7731ca5fce22bfbe12c96e16ac44b6f upstream. This patch tries to coalesce tx requests when constructing grant copy structures. It enables netback to deal with situation when frontend's MAX_SKB_FRAGS is larger than backend's MAX_SKB_FRAGS. With the help of coalescing, this patch tries to address two regressions avoid reopening the security hole in XSA-39. Regression 1. The reduction of the number of supported ring entries (slots) per packet (from 18 to 17). This regression has been around for some time but remains unnoticed until XSA-39 security fix. This is fixed by coalescing slots. Regression 2. The XSA-39 security fix turning "too many frags" errors from just dropping the packet to a fatal error and disabling the VIF. This is fixed by coalescing slots (handling 18 slots when backend's MAX_SKB_FRAGS is 17) which rules out false positive (using 18 slots is legit) and dropping packets using 19 to `max_skb_slots` slots. To avoid reopening security hole in XSA-39, frontend sending packet using more than max_skb_slots is considered malicious. The behavior of netback for packet is thus: 1-18 slots: valid 19-max_skb_slots slots: drop and respond with an error max_skb_slots+ slots: fatal error max_skb_slots is configurable by admin, default value is 20. Also change variable name from "frags" to "slots" in netbk_count_requests. Please note that RX path still has dependency on MAX_SKB_FRAGS. This will be fixed with separate patch. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07T19:53:36Z Timo Teräs timo.teras@iki.f 2013-05-17T07:48:39Z urn:sha1:900477d9933b56aa813120e7ead831cfe8f21a47 commit 803d19d57a042e86e9e9b685bbc3f4a0a751040f upstream. This reverts commit a99d76f (leds: leds-gpio: use gpio_request_one) and commit 2d7c22f (leds: leds-gpio: set devm_gpio_request_one() flags param correctly) which was a fix of the first one. The conversion to devm_gpio_request in commit e3b1d44c (leds: leds-gpio: use devm_gpio_request_one) is not reverted. The problem is that gpio_cansleep() and gpio_get_value_cansleep() calls can crash if the gpio is not first reserved. Incidentally this same bug existed earlier and was fixed similarly in commit d95cbe61 (leds: Fix potential leds-gpio oops). But the OOPS is real. It happens when GPIOs are provided by module which is not yet loaded. So this fixes the following BUG during my ALIX boot (3.9.2-vanilla): BUG: unable to handle kernel NULL pointer dereference at 0000004c IP: [<c11287d6>] __gpio_cansleep+0xe/0x1a *pde = 00000000 Oops: 0000 [#1] SMP Modules linked in: leds_gpio(+) via_rhine mii cs5535_mfd mfd_core geode_rng rng_core geode_aes isofs nls_utf8 nls_cp437 vfat fat ata_generic pata_amd pata_cs5536 pata_acpi libata ehci_pci ehci_hcd ohci_hcd usb_storage usbcore usb_common sd_mod scsi_mod squashfs loop Pid: 881, comm: modprobe Not tainted 3.9.2 #1-Alpine EIP: 0060:[<c11287d6>] EFLAGS: 00010282 CPU: 0 EIP is at __gpio_cansleep+0xe/0x1a EAX: 00000000 EBX: cf364018 ECX: c132b8b9 EDX: 00000000 ESI: c13993a4 EDI: c1399370 EBP: cded9dbc ESP: cded9dbc DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 CR0: 8005003b CR2: 0000004c CR3: 0f0c4000 CR4: 00000090 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff0ff0 DR7: 00000400 Process modprobe (pid: 881, ti=cded8000 task=cf094aa0 task.ti=cded8000) Stack: cded9de0 d09471cb 00000000 c1399260 cf364014 00000000 c1399260 c1399254 d0949014 cded9df4 c118cd59 c1399260 d0949014 d0949014 cded9e08 c118ba47 c1399260 d0949014 c1399294 cded9e1c c118bb75 cded9e24 d0949014 00000000 Call Trace: [<d09471cb>] gpio_led_probe+0xba/0x203 [leds_gpio] [<c118cd59>] platform_drv_probe+0x26/0x48 [<c118ba47>] driver_probe_device+0x75/0x15c [<c118bb75>] __driver_attach+0x47/0x63 [<c118a727>] bus_for_each_dev+0x3c/0x66 [<c118b6f9>] driver_attach+0x14/0x16 [<c118bb2e>] ? driver_probe_device+0x15c/0x15c [<c118b3d5>] bus_add_driver+0xbd/0x1bc [<d08b4000>] ? 0xd08b3fff [<d08b4000>] ? 0xd08b3fff [<c118bffc>] driver_register+0x74/0xec [<d08b4000>] ? 0xd08b3fff [<c118c8e8>] platform_driver_register+0x38/0x3a [<d08b400d>] gpio_led_driver_init+0xd/0x1000 [leds_gpio] [<c100116c>] do_one_initcall+0x6b/0x10f [<d08b4000>] ? 0xd08b3fff [<c105e918>] load_module+0x1631/0x1907 [<c10975d6>] ? insert_vmalloc_vmlist+0x14/0x43 [<c1098d5b>] ? __vmalloc_node_range+0x13e/0x15f [<c105ec50>] sys_init_module+0x62/0x77 [<c1257888>] syscall_call+0x7/0xb EIP: [<c11287d6>] __gpio_cansleep+0xe/0x1a SS:ESP 0068:cded9dbc CR2: 000000000000004c ---[ end trace 5308fb20d2514822 ]--- Signed-off-by: Timo Teräs <timo.teras@iki.f> Cc: Sachin Kamat <sachin.kamat@linaro.org> Cc: Raphael Assenat <raph@8d.com> Cc: Trent Piepho <tpiepho@freescale.com> Cc: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Cc: Arnaud Patard <arnaud.patard@rtp-net.org> Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Acked-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: Bryan Wu <cooloney@gmail.com> Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>