From: Greg Kroah-Hartman Date: Thu, 14 Nov 2013 02:48:37 +0000 (+0900) Subject: 3.4-stable patches X-Git-Tag: v3.4.70~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=976be301c7efb76935ca010a19d1bb0294dcd32c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch net-flow_dissector-fail-on-evil-iph-ihl.patch xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch --- diff --git a/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch b/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch new file mode 100644 index 00000000000..27c74820294 --- /dev/null +++ b/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch @@ -0,0 +1,45 @@ +From 5e6ba9f656b9ece3d0473f6cdca66b665f72eb36 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 27 Oct 2013 21:02:39 +0000 +Subject: cxgb3: Fix length calculation in write_ofld_wr() on 32-bit architectures + +From: Ben Hutchings + +[ Upstream commit 262e827fe745642589450ae241b7afd3912c3f25 ] + +The length calculation here is now invalid on 32-bit architectures, +since sk_buff::tail is a pointer and sk_buff::transport_header is +an integer offset: + +drivers/net/ethernet/chelsio/cxgb3/sge.c: In function 'write_ofld_wr': +drivers/net/ethernet/chelsio/cxgb3/sge.c:1603:9: warning: passing argument 4 of 'make_sgl' makes integer from pointer without a cast [enabled by default] + adap->pdev); + ^ +drivers/net/ethernet/chelsio/cxgb3/sge.c:964:28: note: expected 'unsigned int' but argument is of type 'sk_buff_data_t' + static inline unsigned int make_sgl(const struct sk_buff *skb, + ^ + +Use the appropriate skb accessor functions. + +Compile-tested only. + +Signed-off-by: Ben Hutchings +Fixes: 1a37e412a022 ('net: Use 16bits for *_headers fields of struct skbuff') +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb3/sge.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c +@@ -1600,7 +1600,8 @@ static void write_ofld_wr(struct adapter + flits = skb_transport_offset(skb) / 8; + sgp = ndesc == 1 ? (struct sg_ent *)&d->flit[flits] : sgl; + sgl_flits = make_sgl(skb, sgp, skb_transport_header(skb), +- skb->tail - skb->transport_header, ++ skb_tail_pointer(skb) - ++ skb_transport_header(skb), + adap->pdev); + if (need_skb_unmap()) { + setup_deferred_unmapping(skb, adap->pdev, sgp, sgl_flits); diff --git a/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch b/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch new file mode 100644 index 00000000000..97aba1b09f9 --- /dev/null +++ b/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch @@ -0,0 +1,39 @@ +From fca443b873af2dbd7e92b23aa40b47d00d880ad2 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 1 Nov 2013 15:01:10 +0800 +Subject: net: flow_dissector: fail on evil iph->ihl + +From: Jason Wang + +[ Upstream commit 6f092343855a71e03b8d209815d8c45bf3a27fcd ] + +We don't validate iph->ihl which may lead a dead loop if we meet a IPIP +skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl +is evil (less than 5). + +This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae +(rps: support IPIP encapsulation). + +Signed-off-by: Jason Wang +Cc: Eric Dumazet +Cc: Petr Matousek +Cc: Michael S. Tsirkin +Cc: Daniel Borkmann +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/flow_dissector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -35,7 +35,7 @@ again: + struct iphdr _iph; + ip: + iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); +- if (!iph) ++ if (!iph || iph->ihl < 5) + return false; + + if (ip_is_fragment(iph)) diff --git a/queue-3.4/series b/queue-3.4/series new file mode 100644 index 00000000000..84a4995a8ba --- /dev/null +++ b/queue-3.4/series @@ -0,0 +1,3 @@ +cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch +xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch +net-flow_dissector-fail-on-evil-iph-ihl.patch diff --git a/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch b/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch new file mode 100644 index 00000000000..72dacba5b61 --- /dev/null +++ b/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch @@ -0,0 +1,87 @@ +From d6ae66b2acce797afbe0b87c2ab887de80ea3a72 Mon Sep 17 00:00:00 2001 +From: Wei Liu +Date: Mon, 28 Oct 2013 12:07:57 +0000 +Subject: xen-netback: use jiffies_64 value to calculate credit timeout + +From: Wei Liu + +[ Upstream commit 059dfa6a93b779516321e5112db9d7621b1367ba ] + +time_after_eq() only works if the delta is < MAX_ULONG/2. + +For a 32bit Dom0, if netfront sends packets at a very low rate, the time +between subsequent calls to tx_credit_exceeded() may exceed MAX_ULONG/2 +and the test for timer_after_eq() will be incorrect. Credit will not be +replenished and the guest may become unable to send packets (e.g., if +prior to the long gap, all credit was exhausted). + +Use jiffies_64 variant to mitigate this problem for 32bit Dom0. + +Suggested-by: Jan Beulich +Signed-off-by: Wei Liu +Reviewed-by: David Vrabel +Cc: Ian Campbell +Cc: Jason Luan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/common.h | 1 + + drivers/net/xen-netback/interface.c | 3 +-- + drivers/net/xen-netback/netback.c | 10 +++++----- + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -88,6 +88,7 @@ struct xenvif { + unsigned long credit_usec; + unsigned long remaining_credit; + struct timer_list credit_timeout; ++ u64 credit_window_start; + + /* Statistics */ + unsigned long rx_gso_checksum_fixup; +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -273,8 +273,7 @@ struct xenvif *xenvif_alloc(struct devic + vif->credit_bytes = vif->remaining_credit = ~0UL; + vif->credit_usec = 0UL; + init_timer(&vif->credit_timeout); +- /* Initialize 'expires' now: it's used to track the credit window. */ +- vif->credit_timeout.expires = jiffies; ++ vif->credit_window_start = get_jiffies_64(); + + dev->netdev_ops = &xenvif_netdev_ops; + dev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO; +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1197,9 +1197,8 @@ out: + + static bool tx_credit_exceeded(struct xenvif *vif, unsigned size) + { +- unsigned long now = jiffies; +- unsigned long next_credit = +- vif->credit_timeout.expires + ++ u64 now = get_jiffies_64(); ++ u64 next_credit = vif->credit_window_start + + msecs_to_jiffies(vif->credit_usec / 1000); + + /* Timer could already be pending in rare cases. */ +@@ -1207,8 +1206,8 @@ static bool tx_credit_exceeded(struct xe + return true; + + /* Passed the point where we can replenish credit? */ +- if (time_after_eq(now, next_credit)) { +- vif->credit_timeout.expires = now; ++ if (time_after_eq64(now, next_credit)) { ++ vif->credit_window_start = now; + tx_add_credit(vif); + } + +@@ -1220,6 +1219,7 @@ static bool tx_credit_exceeded(struct xe + tx_credit_callback; + mod_timer(&vif->credit_timeout, + next_credit); ++ vif->credit_window_start = next_credit; + + return true; + }