From: Greg Kroah-Hartman Date: Thu, 27 Sep 2012 17:32:13 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.44~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c602868337f0ba554e0642359c902b46baaf1cbe;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: bluetooth-add-support-for-apple-vendor-specific-devices.patch bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch bluetooth-change-signature-of-smp_conn_security.patch bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch bluetooth-fix-use-after-free-bug-in-smp.patch bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch macvtap-zerocopy-fix-truesize-underestimation.patch macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch
---
diff --git a/queue-3.4/bluetooth-add-support-for-apple-vendor-specific-devices.patch b/queue-3.4/bluetooth-add-support-for-apple-vendor-specific-devices.patch
new file mode 100644
index 00000000000..a4d0c5b7736
--- /dev/null
+++ b/queue-3.4/bluetooth-add-support-for-apple-vendor-specific-devices.patch
@@ -0,0 +1,39 @@
+From 1fa6535faf055cd71311ab887e94fc234f04ee18 Mon Sep 17 00:00:00 2001
+From: Henrik Rydberg
+Date: Sat, 25 Aug 2012 19:28:06 +0200
+Subject: Bluetooth: Add support for Apple vendor-specific devices
+
+From: Henrik Rydberg
+
+commit 1fa6535faf055cd71311ab887e94fc234f04ee18 upstream.
+
+As pointed out by Gustavo and Marcel, all Apple-specific Broadcom
+devices seen so far have the same interface class, subclass and
+protocol numbers. This patch adds an entry which matches all of them,
+using the new USB_VENDOR_AND_INTERFACE_INFO() macro.
+
+In particular, this patch adds support for the MacBook Pro Retina
+(05ac:8286), which is not in the present list.
+
+Signed-off-by: Henrik Rydberg
+Tested-by: Shea Levy
+Acked-by: Marcel Holtmann
+Signed-off-by: Gustavo Padovan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -60,6 +60,9 @@ static struct usb_device_id btusb_table[
+ /* Generic Bluetooth USB device */
+ { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
+
++ /* Apple-specific (Broadcom) devices */
++ { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
++
+ /* Broadcom SoftSailing reporting vendor specific */
+ { USB_DEVICE(0x0a5c, 0x21e1) },
+
diff --git a/queue-3.4/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch b/queue-3.4/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch
new file mode 100644
index 00000000000..48127676663
--- /dev/null
+++ b/queue-3.4/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch
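Review bot: The new `USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01)` entry in `btusb_table` (bluetooth-add-support-for-apple-vendor-specific-devices.patch) binds btusb to every interface that reports this vendor ID with the ff/01/01 triple, so the driver's probe path is reachable from any device presenting those descriptors rather than from an enumerated product list, and the comment does not say the wildcard is deliberate. I would extend it to `/* Apple-specific (Broadcom) devices: matched by vendor ID plus vendor-specific interface triple, not by product ID */`. The same applies to the 0x0a5c entry added by bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch, whose comment `/*Broadcom devices with vendor specific id */` also lacks the space after `/*`. The description calls the macro new and its definition is not part of this queue update, so it is worth confirming that the 3.4 tree already carries it.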
@@ -0,0 +1,56 @@ +From 61c964ba1748e984cb232b431582815899bf10fe Mon Sep 17 00:00:00 2001 +From: Manoj Iyer +Date: Tue, 10 Jul 2012 14:07:38 -0500 +Subject: Bluetooth: btusb: Add vendor specific ID (0a5c:21f4) BCM20702A0 + +From: Manoj Iyer + +commit 61c964ba1748e984cb232b431582815899bf10fe upstream. + +Patch adds support for BCM20702A0 device id (0a5c:21f4). + +usb-devices after patch was applied: +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21f4 Rev=01.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=E4D53DF154D6 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) + +usb-devices before patch was applied: +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21f4 Rev=01.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=E4D53DF154D6 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. 
) Sub=01 Prot=01 Driver=(none) + +Signed-off-by: Manoj Iyer +Tested-by: Chris Gagnon +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -106,6 +106,7 @@ static struct usb_device_id btusb_table[ + { USB_DEVICE(0x0a5c, 0x21e6) }, + { USB_DEVICE(0x0a5c, 0x21e8) }, + { USB_DEVICE(0x0a5c, 0x21f3) }, ++ { USB_DEVICE(0x0a5c, 0x21f4) }, + { USB_DEVICE(0x413c, 0x8197) }, + + /* Foxconn - Hon Hai */ diff --git a/queue-3.4/bluetooth-change-signature-of-smp_conn_security.patch b/queue-3.4/bluetooth-change-signature-of-smp_conn_security.patch new file mode 100644 index 00000000000..0b4b692ea2c --- /dev/null +++ b/queue-3.4/bluetooth-change-signature-of-smp_conn_security.patch 
@@ -0,0 +1,94 @@ +From cc110922da7e902b62d18641a370fec01a9fa794 Mon Sep 17 00:00:00 2001 +From: Vinicius Costa Gomes +Date: Thu, 23 Aug 2012 21:32:43 -0300 +Subject: Bluetooth: Change signature of smp_conn_security() + +From: Vinicius Costa Gomes + +commit cc110922da7e902b62d18641a370fec01a9fa794 upstream. + +To make it clear that it may be called from contexts that may not have +any knowledge of L2CAP, we change the connection parameter, to receive +a hci_conn. + +This also makes it clear that it is checking the security of the link. + +Signed-off-by: Vinicius Costa Gomes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/bluetooth/smp.h | 2 +- + net/bluetooth/l2cap_core.c | 11 ++++++----- + net/bluetooth/l2cap_sock.c | 2 +- + net/bluetooth/smp.c | 4 ++-- + 4 files changed, 10 insertions(+), 9 deletions(-) + +--- a/include/net/bluetooth/smp.h ++++ b/include/net/bluetooth/smp.h +@@ -136,7 +136,7 @@ struct smp_chan { + }; + + /* SMP Commands */ +-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level); ++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); + int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb); + int smp_distribute_keys(struct l2cap_conn *conn, __u8 force); + int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -937,14 +937,15 @@ static void l2cap_chan_ready(struct l2ca + static void l2cap_conn_ready(struct l2cap_conn *conn) + { + struct l2cap_chan *chan; ++ struct hci_conn *hcon = conn->hcon; + + BT_DBG("conn %p", conn); + +- if (!conn->hcon->out && conn->hcon->type == LE_LINK) ++ if (!hcon->out && hcon->type == LE_LINK) + l2cap_le_conn_ready(conn); + +- if (conn->hcon->out && conn->hcon->type == LE_LINK) +- smp_conn_security(conn, conn->hcon->pending_sec_level); ++ if (hcon->out && hcon->type == LE_LINK) ++ smp_conn_security(hcon, hcon->pending_sec_level); + + 
mutex_lock(&conn->chan_lock); + +@@ -952,8 +953,8 @@ static void l2cap_conn_ready(struct l2ca + + l2cap_chan_lock(chan); + +- if (conn->hcon->type == LE_LINK) { +- if (smp_conn_security(conn, chan->sec_level)) ++ if (hcon->type == LE_LINK) { ++ if (smp_conn_security(hcon, chan->sec_level)) + l2cap_chan_ready(chan); + + } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -588,7 +588,7 @@ static int l2cap_sock_setsockopt(struct + break; + } + +- if (smp_conn_security(conn, sec.level)) ++ if (smp_conn_security(conn->hcon, sec.level)) + break; + sk->sk_state = BT_CONFIG; + chan->state = BT_CONFIG; +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -753,9 +753,9 @@ static u8 smp_cmd_security_req(struct l2 + return 0; + } + +-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) ++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) + { +- struct hci_conn *hcon = conn->hcon; ++ struct l2cap_conn *conn = hcon->l2cap_data; + struct smp_chan *smp = conn->smp_chan; + __u8 authreq; + diff --git a/queue-3.4/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch b/queue-3.4/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch new file mode 100644 index 00000000000..c65f2fef7f0 --- /dev/null +++ b/queue-3.4/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch 
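Review bot: In `smp_conn_security()` (net/bluetooth/smp.c, last hunk of bluetooth-change-signature-of-smp_conn_security.patch) the new initializer `struct l2cap_conn *conn = hcon->l2cap_data;` is followed directly by `conn->smp_chan`, so a `hci_conn` with no L2CAP state attached is dereferenced as NULL before any check can run. The description says the function may now be called from contexts that know nothing about L2CAP, and bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch in this same queue adds such a caller in `hci_conn_security()`. A guard such as `if (!conn) return 1;` placed ahead of the `conn->smp_chan` read, with `smp` assigned after it, would close that path; the value to return should be confirmed against the callers, and the rest of the function body is outside the hunk.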
@@ -0,0 +1,42 @@
+From d8343f125710fb596f7a88cd756679f14f4e77b9 Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes
+Date: Thu, 23 Aug 2012 21:32:44 -0300
+Subject: Bluetooth: Fix sending a HCI Authorization Request over LE links
+
+From: Vinicius Costa Gomes
+
+commit d8343f125710fb596f7a88cd756679f14f4e77b9 upstream.
+
+In the case that the link is already in the connected state and a
+Pairing request arrives from the mgmt interface, hci_conn_security()
+would be called but it was not considering LE links.
+
+Reported-by: João Paulo Rechi Vita
+Signed-off-by: Vinicius Costa Gomes
+Signed-off-by: Gustavo Padovan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_conn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -42,6 +42,7 @@
+
+ #include
+ #include
++#include
+
+ static void hci_le_connect(struct hci_conn *conn)
+ {
+@@ -661,6 +662,9 @@ int hci_conn_security(struct hci_conn *c
+ {
+ BT_DBG("conn %p", conn);
+
++ if (conn->type == LE_LINK)
++ return smp_conn_security(conn, sec_level);
++
+ /* For sdp we don't need the link key. */
+ if (sec_level == BT_SECURITY_SDP)
+ return 1;
diff --git a/queue-3.4/bluetooth-fix-use-after-free-bug-in-smp.patch b/queue-3.4/bluetooth-fix-use-after-free-bug-in-smp.patch
new file mode 100644
index 00000000000..8685ea40f0b
--- /dev/null
+++ b/queue-3.4/bluetooth-fix-use-after-free-bug-in-smp.patch
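Review bot: The early return added to `hci_conn_security()` for `LE_LINK` skips everything below it, starting with the `BT_SECURITY_SDP` shortcut, and nothing in the code says why LE is handled before the other checks. A comment above the test, e.g. `/* LE links are secured through SMP; the BR/EDR checks below do not apply */`, would record that decision. The function body continues past the end of the hunk.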
@@ -0,0 +1,76 @@
+From 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 Mon Sep 17 00:00:00 2001
+From: Andre Guedes
+Date: Wed, 1 Aug 2012 20:34:15 -0300
+Subject: Bluetooth: Fix use-after-free bug in SMP
+
+From: Andre Guedes
+
+commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.
+
+If SMP fails, we should always cancel security_timer delayed work.
+Otherwise, security_timer function may run after l2cap_conn object
+has been freed.
+
+This patch fixes the following warning reported by ODEBUG:
+
+WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
+Hardware name: Bochs
+ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
+Modules linked in: btusb bluetooth
+Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
+Call Trace:
+ [] ? free_obj_work+0x4a/0x7f
+ [] warn_slowpath_common+0x7e/0x97
+ [] warn_slowpath_fmt+0x41/0x43
+ [] debug_print_object+0x7c/0x8d
+ [] ? __queue_work+0x241/0x241
+ [] debug_check_no_obj_freed+0x92/0x159
+ [] slab_free_hook+0x6f/0x77
+ [] ? l2cap_conn_del+0x148/0x157 [bluetooth]
+ [] kfree+0x59/0xac
+ [] l2cap_conn_del+0x148/0x157 [bluetooth]
+ [] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
+ [] ? trace_hardirqs_on_caller+0x112/0x1ad
+ [] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
+ [] hci_rx_work+0x235/0x33c [bluetooth]
+ [] ? process_one_work+0x126/0x2fe
+ [] process_one_work+0x185/0x2fe
+ [] ? process_one_work+0x126/0x2fe
+ [] ? lock_acquired+0x1b5/0x1cf
+ [] ? le_scan_work+0x11d/0x11d [bluetooth]
+ [] ? spin_lock_irq+0x9/0xb
+ [] worker_thread+0xcf/0x175
+ [] ? rescuer_thread+0x175/0x175
+ [] kthread+0x95/0x9d
+ [] kernel_threadi_helper+0x4/0x10
+ [] ? retint_restore_args+0x13/0x13
+ [] ? flush_kthread_worker+0xdb/0xdb
+ [] ? gs_change+0x13/0x13
+
+This bug can be reproduced using hctool lecc or l2test tools and
+bluetoothd not running.
+
+Signed-off-by: Andre Guedes
+Signed-off-by: Gustavo Padovan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/smp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -266,10 +266,10 @@ static void smp_failure(struct l2cap_con
+ mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
+ hcon->dst_type, reason);
+
+- if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+- cancel_delayed_work_sync(&conn->security_timer);
++ cancel_delayed_work_sync(&conn->security_timer);
++
++ if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
+ smp_chan_destroy(conn);
+- }
+ }
+
+ #define JUST_WORKS 0x00
diff --git a/queue-3.4/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch b/queue-3.4/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch
new file mode 100644
index 00000000000..7344383ef62
--- /dev/null
+++ b/queue-3.4/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch
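Review bot: `smp_failure()` now calls `cancel_delayed_work_sync(&conn->security_timer)` on every failure, but the code itself gives no reason why the cancel moved out of the `HCI_CONN_LE_SMP_PEND` branch; a comment such as `/* always cancel: security_timer must not fire after conn is freed, whether or not SMP_PEND is set */` would keep a later cleanup from nesting it again. The ODEBUG trace in the description shows the free happening in `l2cap_conn_del()`, which this patch does not touch, so it is worth checking that its teardown cancels `security_timer` unconditionally as well. `cancel_delayed_work_sync()` waits for a running handler, so `smp_failure()` must not be reachable from the `security_timer` work itself; that cannot be confirmed from this hunk.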
@@ -0,0 +1,44 @@
+From 92c385f46b30f4954e9dd2d2005c12d233b479ea Mon Sep 17 00:00:00 2001
+From: Gustavo Padovan
+Date: Mon, 6 Aug 2012 15:36:49 -0300
+Subject: Bluetooth: Use USB_VENDOR_AND_INTERFACE() for Broadcom devices
+
+From: Gustavo Padovan
+
+commit 92c385f46b30f4954e9dd2d2005c12d233b479ea upstream.
+
+Many Broadcom devices has a vendor specific devices class, with this rule
+we match all existent and future controllers with this behavior.
+
+We also remove old rules to that matches product id for Broadcom devices.
+
+Tested-by: John Hommel
+Signed-off-by: Gustavo Padovan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/btusb.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -102,16 +102,14 @@ static struct usb_device_id btusb_table[
+
+ /* Broadcom BCM20702A0 */
+ { USB_DEVICE(0x0489, 0xe042) },
+- { USB_DEVICE(0x0a5c, 0x21e3) },
+- { USB_DEVICE(0x0a5c, 0x21e6) },
+- { USB_DEVICE(0x0a5c, 0x21e8) },
+- { USB_DEVICE(0x0a5c, 0x21f3) },
+- { USB_DEVICE(0x0a5c, 0x21f4) },
+ { USB_DEVICE(0x413c, 0x8197) },
+
+ /* Foxconn - Hon Hai */
+ { USB_DEVICE(0x0489, 0xe033) },
+
++ /*Broadcom devices with vendor specific id */
++ { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
++
+ { } /* Terminating entry */
+ };
+
diff --git a/queue-3.4/macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch b/queue-3.4/macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch
new file mode 100644
index 00000000000..cadb8bb08ef
--- /dev/null
+++ b/queue-3.4/macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch
@@ -0,0 +1,65 @@
+From 3afc9621f15701c557e60f61eba9242bac2771dd Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 2 May 2012 11:41:30 +0800
+Subject: macvtap: zerocopy: fix offset calculation when building skb
+
+From: Jason Wang
+
+commit 3afc9621f15701c557e60f61eba9242bac2771dd upstream.
+
+This patch fixes the offset calculation when building skb:
+
+- offset1 were used as skb data offset not vector offset
+- reset offset to zero only when we advance to next vector
+
+Signed-off-by: Jason Wang
+Signed-off-by: Michael S. Tsirkin
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macvtap.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -506,10 +506,11 @@ static int zerocopy_sg_from_iovec(struct
+ if (copy > size) {
+ ++from;
+ --count;
+- }
++ offset = 0;
++ } else
++ offset += size;
+ copy -= size;
+ offset1 += size;
+- offset = 0;
+ }
+
+ if (len == offset1)
+@@ -520,13 +521,13 @@ static int zerocopy_sg_from_iovec(struct
+ int num_pages;
+ unsigned long base;
+
+- len = from->iov_len - offset1;
++ len = from->iov_len - offset;
+ if (!len) {
+- offset1 = 0;
++ offset = 0;
+ ++from;
+ continue;
+ }
+- base = (unsigned long)from->iov_base + offset1;
++ base = (unsigned long)from->iov_base + offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+ if (i + size > MAX_SKB_FRAGS)
+ return -EMSGSIZE;
+@@ -548,7 +549,7 @@ static int zerocopy_sg_from_iovec(struct
+ len -= size;
+ i++;
+ }
+- offset1 = 0;
++ offset = 0;
+ ++from;
+ }
+ return 0;
diff --git a/queue-3.4/macvtap-zerocopy-fix-truesize-underestimation.patch b/queue-3.4/macvtap-zerocopy-fix-truesize-underestimation.patch
new file mode 100644
index 00000000000..261ed316db3
--- /dev/null
+++ b/queue-3.4/macvtap-zerocopy-fix-truesize-underestimation.patch
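Review bot: The first hunk of the `zerocopy_sg_from_iovec()` change leaves `} else` followed by an unbraced `offset += size;`, which goes against kernel style when the `if` arm is braced and makes the two offset updates easy to misread; `} else {`, `offset += size;`, `}` would be clearer. Since the bug being fixed is a mix-up between `offset` and `offset1`, a comment at their declarations (outside the hunk) saying which one is the position inside the current iovec and which one is the running total compared against `len` would help prevent a repeat. `len = from->iov_len - offset;` relies on `offset` never exceeding `iov_len`, and that invariant depends on the copy loop above, which is only partly visible here.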
@@ -0,0 +1,45 @@
+From 4ef67ebedffa44ed9939b34708ac2fee06d2f65f Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 2 May 2012 11:41:44 +0800
+Subject: macvtap: zerocopy: fix truesize underestimation
+
+From: Jason Wang
+
+commit 4ef67ebedffa44ed9939b34708ac2fee06d2f65f upstream.
+
+As the skb fragment were pinned/built from user pages, we should
+account the page instead of length for truesize.
+
+Signed-off-by: Jason Wang
+Signed-off-by: Michael S. Tsirkin
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macvtap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -520,6 +520,7 @@ static int zerocopy_sg_from_iovec(struct
+ struct page *page[MAX_SKB_FRAGS];
+ int num_pages;
+ unsigned long base;
++ unsigned long truesize;
+
+ len = from->iov_len - offset;
+ if (!len) {
+@@ -535,10 +536,11 @@ static int zerocopy_sg_from_iovec(struct
+ if (num_pages != size)
+ /* put_page is in skb free */
+ return -EFAULT;
++ truesize = size * PAGE_SIZE;
+ skb->data_len += len;
+ skb->len += len;
+- skb->truesize += len;
+- atomic_add(len, &skb->sk->sk_wmem_alloc);
++ skb->truesize += truesize;
++ atomic_add(truesize, &skb->sk->sk_wmem_alloc);
+ while (len) {
+ int off = base & ~PAGE_MASK;
+ int size = min_t(int, len, PAGE_SIZE - off);
diff --git a/queue-3.4/macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch b/queue-3.4/macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch
new file mode 100644
index 00000000000..2f61304d616
--- /dev/null
+++ b/queue-3.4/macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch
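Review bot: `truesize` is declared `unsigned long` in `zerocopy_sg_from_iovec()` but is only ever passed to `atomic_add()`, which takes an `int`, and added to `skb->truesize`; as `size` is limited by the `MAX_SKB_FRAGS` check shown in the neighbouring macvtap patches, `unsigned int truesize;` would match its consumers and avoid the silent narrowing. A one-line comment at the assignment, e.g. `/* charge whole pinned pages, not payload bytes */`, would explain why `len` is no longer used for the socket accounting. The function body starts and ends outside both hunks.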
@@ -0,0 +1,38 @@
+From 02ce04bb3d28c3333231f43bca677228dbc686fe Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 2 May 2012 11:41:58 +0800
+Subject: macvtap: zerocopy: put page when fail to get all requested user pages
+
+From: Jason Wang
+
+commit 02ce04bb3d28c3333231f43bca677228dbc686fe upstream.
+
+When get_user_pages_fast() fails to get all requested pages, we could not use
+kfree_skb() to free it as it has not been put in the skb fragments. So we need
+to call put_page() instead.
+
+Signed-off-by: Jason Wang
+Signed-off-by: Michael S. Tsirkin
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macvtap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -533,9 +533,10 @@ static int zerocopy_sg_from_iovec(struct
+ if (i + size > MAX_SKB_FRAGS)
+ return -EMSGSIZE;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+- if (num_pages != size)
+- /* put_page is in skb free */
+- return -EFAULT;
++ if (num_pages != size) {
++ for (i = 0; i < num_pages; i++)
++ put_page(page[i]);
++ }
+ truesize = size * PAGE_SIZE;
+ skb->data_len += len;
+ skb->len += len;
diff --git a/queue-3.4/macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch b/queue-3.4/macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch
new file mode 100644
index 00000000000..ef221157f21
--- /dev/null
+++ b/queue-3.4/macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch
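Review bot: The rewritten `if (num_pages != size)` block in `zerocopy_sg_from_iovec()` drops the `return -EFAULT;` that the old code had, so after releasing the pages execution falls through to the `truesize`/`skb->len` accounting and, presumably, to the fragment loop below the hunk, which would then work with page references that were just put. The loop also reuses `i`, the running fragment index, as its counter, which loses that index and releases `page[0..num_pages)` although `get_user_pages_fast()` stored its results starting at `&page[i]`. A negative return from `get_user_pages_fast()` skips the loop but still needs the error return. The block should use its own counter, index from `page[i]` and return the error; the rest of the function is outside the hunk.

```c
		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
		if (num_pages != size) {
			int j;

			/* drop only what this call pinned; it starts at page[i] */
			for (j = 0; j < num_pages; j++)
				put_page(page[i + j]);
			return -EFAULT;
		}
		/* … unchanged: truesize and skb length accounting … */
```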
@@ -0,0 +1,51 @@
+From 01d6657b388438def19c8baaea28e742b6ed32ec Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 2 May 2012 11:42:06 +0800
+Subject: macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built successfully
+
+From: Jason Wang
+
+commit 01d6657b388438def19c8baaea28e742b6ed32ec upstream.
+
+Current the SKBTX_DEV_ZEROCOPY is set unconditionally after
+zerocopy_sg_from_iovec(), this would lead NULL pointer when macvtap
+fails to build zerocopy skb because destructor_arg was not
+initialized. Solve this by set this flag after the skb were built
+successfully.
+
+Signed-off-by: Jason Wang
+Signed-off-by: Michael S. Tsirkin
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macvtap.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -716,10 +716,9 @@ static ssize_t macvtap_get_user(struct m
+ if (!skb)
+ goto err;
+
+- if (zerocopy) {
++ if (zerocopy)
+ err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count);
+- skb_shinfo(skb)->tx_flags |= SKBTX_DEV_ZEROCOPY;
+- } else
++ else
+ err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len,
+ len);
+ if (err)
+@@ -738,8 +737,10 @@ static ssize_t macvtap_get_user(struct m
+ rcu_read_lock_bh();
+ vlan = rcu_dereference_bh(q->vlan);
+ /* copy skb_ubuf_info for callback when skb has no error */
+- if (zerocopy)
++ if (zerocopy) {
+ skb_shinfo(skb)->destructor_arg = m->msg_control;
++ skb_shinfo(skb)->tx_flags |= SKBTX_DEV_ZEROCOPY;
++ }
+ if (vlan)
+ macvlan_start_xmit(skb, vlan->dev);
+ else
diff --git a/queue-3.4/series b/queue-3.4/series
index 5b8d8c3733d..383bb5d64a0 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
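Review bot: In the second hunk of `macvtap_get_user()` the comment `/* copy skb_ubuf_info for callback when skb has no error */` now sits above a block that also sets `SKBTX_DEV_ZEROCOPY`, and it does not mention the pairing that this fix depends on: going by the description, the flag must never be set on an skb whose `destructor_arg` is unset. I would reword it to `/* skb built without error: publish the ubuf_info, then mark the skb zerocopy */` so the two assignments are not separated again later. Whether `m->msg_control` can be NULL while `zerocopy` is true depends on how `zerocopy` is computed earlier in the function, which is outside the hunk.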
@@ -164,3 +164,13 @@ drm-i915-hdmi-clear-audio-enable-bit-for-hot-plug.patch md-raid10-fix-problem-with-on-stack-allocation-of-r10bio-structure.patch workqueue-unbound-rebind-morphing-in-rebind_workers-should-be-atomic.patch x86-fix-boot-on-twinhead-h12y.patch +macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch +macvtap-zerocopy-fix-truesize-underestimation.patch +macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch +macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch +bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch +bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch +bluetooth-add-support-for-apple-vendor-specific-devices.patch +bluetooth-fix-use-after-free-bug-in-smp.patch +bluetooth-change-signature-of-smp_conn_security.patch +bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch