1. 05 May, 2014 20 commits
  2. 25 Apr, 2014 6 commits
    • iommu/amd: Fix PASID format in INVALIDATE_IOTLB_PAGES command · 81528093
      Jay Cornwall authored
      commit e8d2d82d upstream.
      
      This patch corrects the PASID format in the INVALIDATE_IOTLB_PAGES
      command, which was caused by incorrect information in
      the AMD IOMMU Architectural Specification v2.01 document.
      
          Incorrect format:
               cmd->data[0][16:23] = PASID[7:0]
               cmd->data[1][16:27] = PASID[19:8]
      
           Correct format:
               cmd->data[0][16:23] = PASID[15:8]
               cmd->data[1][16:23] = PASID[7:0]
      
      However, this does not affect the IOMMUv2 hardware implementation,
      and has been corrected since version 2.02 of the specification
      (available through AMD NDA).
      Signed-off-by: Jay Cornwall <jay.cornwall@amd.com>
      Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Signed-off-by: Joerg Roedel <joro@8bytes.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • Bluetooth: Add support for Intel Bluetooth device [8087:0a2a] · d4527ea4
      Tedd Ho-Jeong An authored
      commit ef4e5e4a upstream.
      
      This patch adds support for new Intel Bluetooth device.
      
      Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • drivers/net: tulip_remove_one needs to call pci_disable_device() · 831bb557
      Ingo Molnar authored
      commit c321f7d7 upstream.
      
      Otherwise the device is not completely shut down.
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • /dev/mem: handle out-of-bounds read/write · 3566e03b
      Petr Tesarik authored
      commit 08d2d00b upstream.
      
      The loff_t type may be wider than phys_addr_t (e.g. on 32-bit systems).
      Consequently, the file offset may be truncated in the assignment.
      Currently, /dev/mem wraps around, which may cause applications to read
      or write incorrect regions of memory by accident.
      
      Let's follow POSIX file semantics here and return 0 when reading from
      and -EFBIG when writing to an offset that cannot be represented by a
      phys_addr_t.
      
      Note that the conditional is optimized out by the compiler if loff_t
      has the same size as phys_addr_t.
      Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
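The offset truncation described in the /dev/mem commit above can be reproduced in user space. This is an added example, not code from the commit: `model_phys_addr_t`, `model_loff_t`, `fake_mem` and the functions below are hypothetical stand-ins that assume a 32-bit physical address type and a 64-bit file offset.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed widths (not taken from the commit): 32-bit physical addresses,
 * 64-bit file offsets, i.e. the "loff_t wider than phys_addr_t" case. */
typedef uint32_t model_phys_addr_t;
typedef int64_t  model_loff_t;

#define FAKE_MEM_SIZE 64u
static unsigned char fake_mem[FAKE_MEM_SIZE];   /* constructed stand-in for RAM */

/* Shared copy helper: clamps the transfer to the end of fake_mem. */
static long copy_out(unsigned char *buf, size_t count, model_phys_addr_t p)
{
    if (p >= FAKE_MEM_SIZE)
        return 0;
    if (count > FAKE_MEM_SIZE - p)
        count = FAKE_MEM_SIZE - p;
    memcpy(buf, fake_mem + p, count);
    return (long)count;
}

/* Before: the assignment drops the upper 32 bits, so an offset of
 * 4 GiB + 8 quietly reads physical address 8. */
static long mem_read_wrapping(unsigned char *buf, size_t count, model_loff_t pos)
{
    model_phys_addr_t p = (model_phys_addr_t)pos;

    return copy_out(buf, count, p);
}

/* After, read side: an offset that does not survive the round trip through
 * the narrower type is treated as end of file (return 0). */
static long mem_read_checked(unsigned char *buf, size_t count, model_loff_t pos)
{
    model_phys_addr_t p = (model_phys_addr_t)pos;

    if ((model_loff_t)p != pos)
        return 0;
    return copy_out(buf, count, p);
}

/* After, write side: the same test, but the caller gets -EFBIG. */
static long mem_write_checked(const unsigned char *buf, size_t count,
                              model_loff_t pos)
{
    model_phys_addr_t p = (model_phys_addr_t)pos;

    if ((model_loff_t)p != pos)
        return -EFBIG;
    if (p >= FAKE_MEM_SIZE)
        return 0;
    if (count > FAKE_MEM_SIZE - p)
        count = FAKE_MEM_SIZE - p;
    memcpy(fake_mem + p, buf, count);
    return (long)count;
}

int main(void)
{
    unsigned char b = 0, w = 0x55;
    model_loff_t wrapped = ((model_loff_t)1 << 32) + 8;   /* 4 GiB + 8 */

    fake_mem[8] = 0xAA;
    printf("wrapping read : %ld (byte 0x%02x)\n",
           mem_read_wrapping(&b, 1, wrapped), b);
    printf("checked read  : %ld\n", mem_read_checked(&b, 1, wrapped));
    printf("checked write : %ld\n", mem_write_checked(&w, 1, wrapped));
    return 0;
}
```

When both types have the same width the round-trip comparison is always true, which is why the commit message notes that the compiler drops the conditional in that case.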
    • brcmsmac: fix deadlock on missing firmware · de0b7b0d
      Emil Goode authored
      commit 8fc1e8c2 upstream.
      
      When brcm80211 firmware is not installed networking hangs.
      A deadlock happens because we call ieee80211_unregister_hw()
      from the .start callback of struct ieee80211_ops. When .start
      is called we are under rtnl lock and ieee80211_unregister_hw()
      tries to take it again.
      
      Function call stack:
      
      dev_change_flags()
      	__dev_change_flags()
      		__dev_open()
      			ASSERT_RTNL() <-- Assert rtnl lock
      			ops->ndo_open()
      
      .ndo_open = ieee80211_open,
      
      ieee80211_open()
      	ieee80211_do_open()
      		drv_start()
      			local->ops->start()
      
      .start = brcms_ops_start,
      
      brcms_ops_start()
      	brcms_remove()
      		ieee80211_unregister_hw()
      			rtnl_lock() <-- Here we deadlock
      
      Introduced by:
      commit 25b5632f
      ("brcmsmac: request firmware in .start() callback")
      
      This patch fixes the bug by removing the call to brcms_remove()
      and moves the brcms_request_fw() call to the top of the .start
      callback to not initiate anything unless firmware is installed.
      Signed-off-by: Emil Goode <emilgoode@gmail.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • openvswitch: fix vport-netdev unregister · 7d4f4737
      Alexei Starovoitov authored
      commit b07c2651 upstream.
      
      The combination of two commits:
      commit 8e4e1713
      ("openvswitch: Simplify datapath locking.")
      commit 2537b4dd
      ("openvswitch:: link upper device for port devices")
      
      introduced a bug where upper_dev wasn't unlinked upon
      netdev_unregister notification
      
      The following steps:
      
        modprobe openvswitch
        ovs-dpctl add-dp test
        ip tuntap add dev tap1 mode tap
        ovs-dpctl add-if test tap1
        ip tuntap del dev tap1 mode tap
      
      are causing multiple warnings:
      
      
      This patch also affects moving devices between net namespaces.
      
      OVS used to ignore netns move notifications which caused problems.
      Like:
        ovs-dpctl add-if test tap1
        ip link set tap1 netns 3512
      and then removing tap1 inside the namespace will cause hang on missing dev_put.
      
      With this patch OVS will detach dev upon receiving netns move event.
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: Jesse Gross <jesse@nicira.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
  3. 18 Apr, 2014 14 commits
    • Linux 3.12.18 · ae2a5e12
      Jiri Slaby authored
    • crypto: ghash-clmulni-intel - use C implementation for setkey() · a9149a36
      Ard Biesheuvel authored
      commit 8ceee728 upstream.
      
      The GHASH setkey() function uses SSE registers but fails to call
      kernel_fpu_begin()/kernel_fpu_end(). Instead of adding these calls, and
      then having to deal with the restriction that they cannot be called from
      interrupt context, move the setkey() implementation to the C domain.
      
      Note that setkey() does not use any particular SSE features and is not
      expected to become a performance bottleneck.
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: H. Peter Anvin <hpa@linux.intel.com>
      Fixes: 0e1227d3 (crypto: ghash - Add PCLMULQDQ accelerated implementation)
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ARC: [nsimosci] Unbork console · 9fc22da2
      Vineet Gupta authored
      commit 61fb4bfc upstream.
      
      Despite the switch to right UART driver (prev patch), serial console
      still doesn't work due to missing CONFIG_SERIAL_OF_PLATFORM
      
      Also fix the default cmdline in DT to not refer to out-of-tree
      ARC framebuffer driver for console.
      Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
      Cc: Francois Bedard <Francois.Bedard@synopsys.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ARC: [nsimosci] Change .dts to use generic 8250 UART · 83380df6
      Mischa Jonker authored
      commit 6eda477b upstream.
      
      The Synopsys APB DW UART has a couple of special features that are not
      in the System C model. In 3.8, the 8250_dw driver didn't really use these
      features, but from 3.9 onwards, the 8250_dw driver has become incompatible
      with our model.
      Signed-off-by: Mischa Jonker <mjonker@synopsys.com>
      Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
      Cc: Francois Bedard <Francois.Bedard@synopsys.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • rds: prevent dereference of a NULL device in rds_iw_laddr_check · 64005923
      Sasha Levin authored
      [ Upstream commit bf39b424 ]
      
      Binding might result in a NULL device which is later dereferenced
      without checking.
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • isdnloop: several buffer overflows · f11c98ee
      Dan Carpenter authored
      [ Upstream commit 7563487c ]
      
      There are three buffer overflows addressed in this patch.
      
      1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
      then copy it into a 60 character buffer.  I have made the destination
      buffer 64 characters and I've changed the sprintf() to a snprintf().
      
      2) In isdnloop_parse_cmd(), p points 6 characters into a 60
      character buffer so we have 54 characters.  The ->eazlist[] is 11
      characters long.  I have modified the code to return if the source
      buffer is too long.
      
      3) In isdnloop_command() the cbuf[] array was 60 characters long but the
      max length of the string then can be up to 79 characters.  I made the
      cbuf array 80 characters long and changed the sprintf() to snprintf().
      I also removed the temporary "dial" buffer and changed it to use "p"
      directly.
      
      Unfortunately, we pass the "cbuf" string from isdnloop_command() to
      isdnloop_writecmd() which truncates anything over 60 characters to make
      it fit in card->omsg[].  (It can accept values up to 255 characters so
      long as there is a '\n' character every 60 characters).  For now I have
      just fixed the memory corruption bug and left the other problems in this
      driver alone.
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • isdnloop: Validate NUL-terminated strings from user. · 2d6c1221
      YOSHIFUJI Hideaki authored
      [ Upstream commit 77bc6bed ]
      
      Return -EINVAL unless all of user-given strings are correctly
      NUL-terminated.
      Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • net: vxlan: fix crash when interface is created with no group · 362bc7e2
      Mike Rapoport authored
      [ Upstream commit 5933a7bb ]
      
      If the vxlan interface is created without explicit group definition,
      there are corner cases which may cause kernel panic.
      
      For instance, in the following scenario:
      
      node A:
      $ ip link add dev vxlan42  address 2c:c2:60:00:10:20 type vxlan id 42
      $ ip addr add dev vxlan42 10.0.0.1/24
      $ ip link set up dev vxlan42
      $ arp -i vxlan42 -s 10.0.0.2 2c:c2:60:00:01:02
      $ bridge fdb add dev vxlan42 to 2c:c2:60:00:01:02 dst <IPv4 address>
      $ ping 10.0.0.2
      
      node B:
      $ ip link add dev vxlan42 address 2c:c2:60:00:01:02 type vxlan id 42
      $ ip addr add dev vxlan42 10.0.0.2/24
      $ ip link set up dev vxlan42
      $ arp -i vxlan42 -s 10.0.0.1 2c:c2:60:00:10:20
      
      node B crashes:
      
      
      When vxlan interface is created without explicit group definition, the
      default_dst protocol family is initialized to AF_UNSPEC and the driver
      assumes IPv4 configuration. On the other side, the default_dst protocol
      family is used to differentiate between IPv4 and IPv6 cases and, since,
      AF_UNSPEC != AF_INET, the processing takes the IPv6 path.
      
      Making the IPv4 assumption explicit by setting default_dst protocol
      family to AF_INET4 and preventing mixing of IPv4 and IPv6 addresses in
      snooped fdb entries fixes the corner case crashes.
      Signed-off-by: Mike Rapoport <mike.rapoport@ravellosystems.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • xen-netback: disable rogue vif in kthread context · 699dfec4
      Wei Liu authored
      [ Upstream commit e9d8b2c2 ]
      
      When netback discovers frontend is sending malformed packet it will
      disable the interface which serves that frontend.
      
      However disabling a network interface involves taking a mutex which
      cannot be done in softirq context, so we need to defer this process to
      kthread context.
      
      This patch does the following:
      1. introduce a flag to indicate the interface is disabled.
      2. check that flag in TX path, don't do any work if it's true.
      3. check that flag in RX path, turn off that interface if it's true.
      
      The reason to disable it in RX path is because RX uses kthread. After
      this change the behavior of netback is still consistent -- it won't do
      any TX work for a rogue frontend, and the interface will be eventually
      turned off.
      
      Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
      doesn't make sense to continue processing packets if frontend is rogue.
      
      This is a fix for XSA-90.
      Reported-by: Török Edwin <edwin@etorok.net>
      Signed-off-by: Wei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Reviewed-by: David Vrabel <david.vrabel@citrix.com>
      Acked-by: Ian Campbell <ian.campbell@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • netlink: don't compare the nul-termination in nla_strcmp · 066bde36
      Pablo Neira authored
      [ Upstream commit 8b7b9324 ]
      
      nla_strcmp compares the string length plus one, so it's implicitly
      including the nul-termination in the comparison.
      
       int nla_strcmp(const struct nlattr *nla, const char *str)
       {
              int len = strlen(str) + 1;
              ...
                      d = memcmp(nla_data(nla), str, len);
      
      However, if NLA_STRING is used, userspace can send us a string without
      the nul-termination. This is a problem since the string
      comparison will not match as the last byte may be not the
      nul-termination.
      
      Fix this by skipping the comparison of the nul-termination if the
      attribute data is nul-terminated. Suggested by Thomas Graf.
      
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
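The mismatch described in the nla_strcmp commit above, as a user-space model of the comparison before and after the described change. This is an added example, not the kernel source: the attribute payload is passed as a hypothetical `(data, attrlen)` pair instead of a `struct nlattr`, and the sample payloads are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Before: len includes the terminator of str, so a payload that carries
 * the same characters without a trailing NUL can never compare equal. */
static int attr_strcmp_before(const void *data, int attrlen, const char *str)
{
    int len = (int)strlen(str) + 1;
    int d = attrlen - len;

    if (d == 0)
        d = memcmp(data, str, (size_t)len);
    return d;
}

/* After: compare only the characters. If the payload happens to end in a
 * NUL, drop that byte from its length first, so both the terminated and
 * the unterminated encoding of the same string match. */
static int attr_strcmp_after(const void *data, int attrlen, const char *str)
{
    int len = (int)strlen(str);
    const char *buf = data;
    int d;

    if (attrlen > 0 && buf[attrlen - 1] == '\0')
        attrlen--;

    d = attrlen - len;
    if (d == 0)
        d = memcmp(data, str, (size_t)len);
    return d;
}

/* Constructed payloads: the same name with and without the terminator. */
static const char payload_bare[4] = { 'e', 't', 'h', '0' };
static const char payload_term[5] = { 'e', 't', 'h', '0', '\0' };

int main(void)
{
    printf("bare payload, before: %d\n",
           attr_strcmp_before(payload_bare, 4, "eth0"));
    printf("bare payload, after : %d\n",
           attr_strcmp_after(payload_bare, 4, "eth0"));
    printf("terminated, before  : %d\n",
           attr_strcmp_before(payload_term, 5, "eth0"));
    printf("terminated, after   : %d\n",
           attr_strcmp_after(payload_term, 5, "eth0"));
    return 0;
}
```

A payload that is longer than the string, or that differs in any character, still compares unequal after the change; only the optional trailing NUL is ignored.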
    • ipv6: some ipv6 statistic counters failed to disable bh · 60fe3f63
      Hannes Frederic Sowa authored
      [ Upstream commit 43a43b60 ]
      
      After commit c15b1cca ("ipv6: move DAD and addrconf_verify
      processing to workqueue") some counters are now updated in process context
      and thus need to disable bh before doing so, otherwise deadlocks can
      happen on 32-bit archs. Fabio Estevam noticed this while mounting
      an NFS volume on an ARM board.
      
      As a compensation for missing this I looked after the other *_STATS_BH
      and found three other calls which need updating:
      
      1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling)
      2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ...
         (only in case of icmp protocol with raw sockets in error handling)
      3) ping6_v6_sendmsg (error handling)
      
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing to workqueue")
      Reported-by: Fabio Estevam <festevam@gmail.com>
      Tested-by: Fabio Estevam <fabio.estevam@freescale.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • xen-netback: remove pointless clause from if statement · 63273418
      Paul Durrant authored
      [ Upstream commit 0576eddf ]
      
      This patch removes a test in start_new_rx_buffer() that checks whether
      a copy operation is less than MAX_BUFFER_OFFSET in length, since
      MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of
      start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less.
      Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Sander Eikelenboom <linux@eikelenboom.it>
      Reported-By: Sander Eikelenboom <linux@eikelenboom.it>
      Tested-By: Sander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • vhost: validate vhost_get_vq_desc return value · a2a366eb
      Michael S. Tsirkin authored
      [ Upstream commit a39ee449 ]
      
      vhost fails to validate negative error code
      from vhost_get_vq_desc causing
      a crash: we are using -EFAULT which is 0xfffffff2
      as vector size, which exceeds the allocated size.
      
      The code in question was introduced in commit
      8dd014ad
          vhost-net: mergeable buffers support
      
      CVE-2014-0055
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • vhost: fix total length when packets are too short · c6663594
      Michael S. Tsirkin authored
      [ Upstream commit d8316f39 ]
      
      When mergeable buffers are disabled, and the
      incoming packet is too large for the rx buffer,
      get_rx_bufs returns success.
      
      This was intentional in order to make recvmsg
      truncate the packet and then handle_rx would
      detect err != sock_len and drop it.
      
      Unfortunately we pass the original sock_len to
      recvmsg - which means we use parts of iov not fully
      validated.
      
      Fix this up by detecting this overrun and doing packet drop
      immediately.
      
      CVE-2014-0077
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>