From 4293b9e9df8d42114172d43a385638b9545e74a0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 8 May 2013 15:39:35 -0700 Subject: [PATCH] 3.4-stable patches added patches: ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch net-eth-ibmveth-fixup-retrieval-of-mac-address.patch perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch perf-x86-intel-lbr-fix-lbr-filter.patch xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch --- ..._param-bug-bad-check-of-return-value.patch | 80 +++++++++++++++++++ ...mveth-fixup-retrieval-of-mac-address.patch | 77 ++++++++++++++++++ ...ileges-for-perf_sample_branch_kernel.patch | 69 ++++++++++++++++ .../perf-x86-intel-lbr-fix-lbr-filter.patch | 51 ++++++++++++ queue-3.4/series | 5 ++ ...-on-empty-ring-for-suspended-devices.patch | 58 ++++++++++++++ 6 files changed, 340 insertions(+) create mode 100644 queue-3.4/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch create mode 100644 queue-3.4/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch create mode 100644 queue-3.4/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch create mode 100644 queue-3.4/perf-x86-intel-lbr-fix-lbr-filter.patch create mode 100644 queue-3.4/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
diff --git a/queue-3.4/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch b/queue-3.4/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
new file mode 100644
index 00000000000..04b594d2c07
--- /dev/null
+++ b/queue-3.4/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
@@ -0,0 +1,80 @@
+From f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 Mon Sep 17 00:00:00 2001
+From: Hans Schillstrom
+Date: Sat, 27 Apr 2013 20:06:14 +0200
+Subject: ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
+
+From: Hans Schillstrom
+
+commit f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 upstream.
+
+The reason for this patch is crash in kmemdup
+caused by returning from get_callid with uniialized
+matchoff and matchlen.
+
+Removing Zero check of matchlen since it's done by ct_sip_get_header()
+
+BUG: unable to handle kernel paging request at ffff880457b5763f
+IP: [] kmemdup+0x2e/0x35
+PGD 27f6067 PUD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: xt_state xt_helper nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle xt_connmark xt_conntrack ip6_tables nf_conntrack_ftp ip_vs_ftp nf_nat xt_tcpudp iptable_mangle xt_mark ip_tables x_tables ip_vs_rr ip_vs_lblcr ip_vs_pe_sip ip_vs nf_conntrack_sip nf_conntrack bonding igb i2c_algo_bit i2c_core
+CPU 5
+Pid: 0, comm: swapper/5 Not tainted 3.9.0-rc5+ #5 /S1200KP
+RIP: 0010:[] [] kmemdup+0x2e/0x35
+RSP: 0018:ffff8803fea03648 EFLAGS: 00010282
+RAX: ffff8803d61063e0 RBX: 0000000000000003 RCX: 0000000000000003
+RDX: 0000000000000003 RSI: ffff880457b5763f RDI: ffff8803d61063e0
+RBP: ffff8803fea03658 R08: 0000000000000008 R09: 0000000000000011
+R10: 0000000000000011 R11: 00ffffffff81a8a3 R12: ffff880457b5763f
+R13: ffff8803d67f786a R14: ffff8803fea03730 R15: ffffffffa0098e90
+FS: 0000000000000000(0000) GS:ffff8803fea00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff880457b5763f CR3: 0000000001a0c000 CR4: 00000000001407e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper/5 (pid: 0, threadinfo ffff8803ee18c000, task ffff8803ee18a480)
+Stack:
+ ffff8803d822a080 000000000000001c ffff8803fea036c8 ffffffffa000937a
+ ffffffff81f0d8a0 000000038135fdd5 ffff880300000014
ffff880300110000
+ ffffffff150118ac ffff8803d7e8a000 ffff88031e0118ac 0000000000000000
+Call Trace:
+
+
+ [] ip_vs_sip_fill_param+0x13a/0x187 [ip_vs_pe_sip]
+ [] ip_vs_sched_persist+0x2c6/0x9c3 [ip_vs]
+ [] ? __lock_acquire+0x677/0x1697
+ [] ? native_sched_clock+0x3c/0x7d
+ [] ? native_sched_clock+0x3c/0x7d
+ [] ? sched_clock_cpu+0x43/0xcf
+ [] ip_vs_schedule+0x181/0x4ba [ip_vs]
+...
+
+Signed-off-by: Hans Schillstrom
+Acked-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: David S. Miller
+Cc: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_pe_sip.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
+@@ -37,14 +37,10 @@ static int get_callid(const char *dptr,
+ if (ret > 0)
+ break;
+ if (!ret)
+- return 0;
++ return -EINVAL;
+ dataoff += *matchoff;
+ }
+
+- /* Empty callid is useless */
+- if (!*matchlen)
+- return -EINVAL;
+-
+ /* Too large is useless */
+ if (*matchlen > IP_VS_PEDATA_MAXLEN)
+ return -EINVAL;
diff --git a/queue-3.4/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch b/queue-3.4/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
new file mode 100644
index 00000000000..b69f1bad197
--- /dev/null
+++ b/queue-3.4/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
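Review bot: With the `!*matchlen` test removed, get_callid() depends on ct_sip_get_header() never returning a positive value together with a zero match length, and only the commit message states that. A one-line comment at the `if (ret > 0)` exit would keep the contract next to the code, e.g. `/* ret > 0 implies a non-empty match; ct_sip_get_header() rejects zero length */`. The negative-return path still executes `dataoff += *matchoff;`, so it is worth confirming that the callee always writes `*matchoff` before returning a negative value; the callee is not shown here, and an unwritten out-parameter is the state the quoted oops is attributed to. get_callid() starts and ends outside the hunk.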
@@ -0,0 +1,77 @@
+From 13f85203e1060da83d9ec1c1c5a63343eaab8de4 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Fri, 3 May 2013 17:19:01 +0000
+Subject: net/eth/ibmveth: Fixup retrieval of MAC address
+
+From: Benjamin Herrenschmidt
+
+commit 13f85203e1060da83d9ec1c1c5a63343eaab8de4 upstream.
+
+Some ancient pHyp versions used to create a 8 bytes local-mac-address
+property in the device-tree instead of a 6 bytes one for veth.
+
+The Linux driver code to deal with that is an insane hack which also
+happens to break with some choices of MAC addresses in qemu by testing
+for a bit in the address rather than just looking at the size of the
+property.
+
+Sanitize this by doing the latter instead.
+
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1327,7 +1327,7 @@ static const struct net_device_ops ibmve
+ static int __devinit ibmveth_probe(struct vio_dev *dev,
+ const struct vio_device_id *id)
+ {
+- int rc, i;
++ int rc, i, mac_len;
+ struct net_device *netdev;
+ struct ibmveth_adapter *adapter;
+ unsigned char *mac_addr_p;
+@@ -1337,11 +1337,19 @@ static int __devinit ibmveth_probe(struc
+ dev->unit_address);
+
+ mac_addr_p = (unsigned char *)vio_get_attribute(dev, VETH_MAC_ADDR,
+- NULL);
++ &mac_len);
+ if (!mac_addr_p) {
+ dev_err(&dev->dev, "Can't find VETH_MAC_ADDR attribute\n");
+ return -EINVAL;
+ }
++ /* Workaround for old/broken pHyp */
++ if (mac_len == 8)
++ mac_addr_p += 2;
++ else if (mac_len != 6) {
++ dev_err(&dev->dev, "VETH_MAC_ADDR attribute wrong len %d\n",
++ mac_len);
++ return -EINVAL;
++ }
+
+ mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev,
+ VETH_MCAST_FILTER_SIZE, NULL);
+@@ -1366,17 +1374,6 @@ static int __devinit ibmveth_probe(struc
+
+
netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16);
+
+- /*
+- * Some older boxes running PHYP non-natively have an OF that returns
+- * a 8-byte local-mac-address field (and the first 2 bytes have to be
+- * ignored) while newer boxes' OF return a 6-byte field. Note that
+- * IEEE 1275 specifies that local-mac-address must be a 6-byte field.
+- * The RPA doc specifies that the first byte must be 10b, so we'll
+- * just look for it to solve this 8 vs. 6 byte field issue
+- */
+- if ((*mac_addr_p & 0x3) != 0x02)
+- mac_addr_p += 2;
+-
+ adapter->mac_addr = 0;
+ memcpy(&adapter->mac_addr, mac_addr_p, 6);
+
diff --git a/queue-3.4/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch b/queue-3.4/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
new file mode 100644
index 00000000000..7381ebb799c
--- /dev/null
+++ b/queue-3.4/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
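Review bot: The new length check in ibmveth_probe() pairs an unbraced `if (mac_len == 8)` with a braced `else if (mac_len != 6) { ... }`; kernel coding style asks for braces on every branch once one branch needs them. The literals 6 and 8 would also read better as `ETH_ALEN` and `ETH_ALEN + 2`, since this check is what bounds the later `memcpy(&adapter->mac_addr, mac_addr_p, 6)` against the property size; that assumes the driver already includes the Ethernet headers, which the hunks do not show. ibmveth_probe() extends beyond both hunks.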
@@ -0,0 +1,69 @@
+From 7cc23cd6c0c7d7f4bee057607e7ce01568925717 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 3 May 2013 14:11:25 +0200
+Subject: perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+From: Peter Zijlstra
+
+commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717 upstream.
+
+We should always have proper privileges when requesting kernel
+data.
+
+Signed-off-by: Peter Zijlstra
+Cc: Andi Kleen
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+[ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+Signed-off-by: Ingo Molnar
+Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -310,7 +310,7 @@ void intel_pmu_lbr_read(void)
+ * - in case there is no HW filter
+ * - in case the HW filter has errata or limitations
+ */
+-static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
++static int intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
+ {
+ u64 br_type = event->attr.branch_sample_type;
+ int mask = 0;
+@@ -318,8 +318,11 @@ static void intel_pmu_setup_sw_lbr_filte
+ if (br_type & PERF_SAMPLE_BRANCH_USER)
+ mask |= X86_BR_USER;
+
+- if (br_type & PERF_SAMPLE_BRANCH_KERNEL)
++ if (br_type & PERF_SAMPLE_BRANCH_KERNEL) {
++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ mask |= X86_BR_KERNEL;
++ }
+
+ /* we ignore BRANCH_HV here */
+
+@@ -339,6 +342,8 @@ static void intel_pmu_setup_sw_lbr_filte
+ * be used by fixup code for some CPU
+ */
+ event->hw.branch_reg.reg = mask;
++
++ return 0;
+ }
+
+ /*
+@@ -386,7 +391,9 @@ int intel_pmu_setup_lbr_filter(struct pe
+ /*
+ * setup SW LBR filter
+ */
+- intel_pmu_setup_sw_lbr_filter(event);
++ ret = intel_pmu_setup_sw_lbr_filter(event);
++ if (ret)
++ return ret;
+
+ /*
+ * setup HW LBR filter, if any
diff --git a/queue-3.4/perf-x86-intel-lbr-fix-lbr-filter.patch b/queue-3.4/perf-x86-intel-lbr-fix-lbr-filter.patch
new file mode 100644
index 00000000000..f00eb7b0c9e
--- /dev/null
+++ b/queue-3.4/perf-x86-intel-lbr-fix-lbr-filter.patch
@@ -0,0 +1,51 @@
+From 6e15eb3ba6c0249c9e8c783517d131b47db995ca Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 3 May 2013 14:11:24 +0200
+Subject: perf/x86/intel/lbr: Fix LBR filter
+
+From: Peter Zijlstra
+
+commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca upstream.
+
+The LBR 'from' adddress is under full userspace control; ensure
+we validate it before reading from it.
+
+Note: is_module_text_address() can potentially be quite
+expensive; for those running into that with high overhead
+in modules optimize it using an RCU backed rb-tree.
+
+Reported-by: Andi Kleen
+Signed-off-by: Peter Zijlstra
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.158211806@chello.nl
+Signed-off-by: Ingo Molnar
+Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -442,8 +442,18 @@ static int branch_type(unsigned long fro
+ return X86_BR_NONE;
+
+ addr = buf;
+- } else
+- addr = (void *)from;
++ } else {
++ /*
++ * The LBR logs any address in the IP, even if the IP just
++ * faulted. This means userspace can control the from address.
++ * Ensure we don't blindy read any address by validating it is
++ * a known text address.
++ */
++ if (kernel_text_address(from))
++ addr = (void *)from;
++ else
++ return X86_BR_NONE;
++ }
+
+ /*
+ * decoder needs to know the ABI especially
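Review bot: intel_pmu_setup_sw_lbr_filter() now has a failure path, but the block comment above it (its tail is visible in the first hunk) still lists only when the software filter is needed. Add a line such as `* Returns 0 on success, -EACCES when kernel branches are requested without CAP_SYS_ADMIN under perf_paranoid_kernel().` so future callers know the return value must be checked. The permission test runs before the only visible write to `event->hw.branch_reg.reg`, so a rejected event is left unmodified by this function, and that ordering is worth stating in the same comment. Both functions continue outside the hunks.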
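Review bot: The comment added in branch_type() explains why `from` is validated but not the cost the commit message warns about; a short addition such as `/* kernel_text_address() also checks module text and can be slow */` would put that next to the call. The same comment misspells "blindly" as "blindy". The check covers only the start address, and the decode that reads through `addr` lies outside the hunk, so whether a read that begins on the last bytes of a text region stays inside it cannot be confirmed from here.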
diff --git a/queue-3.4/series b/queue-3.4/series
index c3eb822b119..f6848280bfa 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1,3 +1,8 @@
 powerpc-emulate-non-privileged-dscr-read-and-write.patch
 powerpc-fix-numa-distance-for-form0-device-tree.patch
 autofs-remove-autofs-dentry-mount-check.patch
+net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
+perf-x86-intel-lbr-fix-lbr-filter.patch
+perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
+xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
+ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
diff --git a/queue-3.4/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch b/queue-3.4/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
new file mode 100644
index 00000000000..ed30237b769
--- /dev/null
+++ b/queue-3.4/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
@@ -0,0 +1,58 @@
+From a83d6755814e4614ba77e15d82796af0f695c6b8 Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Mon, 18 Mar 2013 10:19:51 -0700
+Subject: xhci: Don't warn on empty ring for suspended devices.
+
+From: Sarah Sharp
+
+commit a83d6755814e4614ba77e15d82796af0f695c6b8 upstream.
+
+When a device attached to the roothub is suspended, the endpoint rings
+are stopped. The host may generate a completion event with the
+completion code set to 'Stopped' or 'Stopped Invalid' when the ring is
+halted. The current xHCI code prints a warning in that case, which can
+be really annoying if the USB device is coming into and out of suspend.
+
+Remove the unnecessary warning.
+
+Signed-off-by: Sarah Sharp
+Tested-by: Stephen Hemminger
+Cc: Luis Henriques
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2459,14 +2459,21 @@ static int handle_tx_event(struct xhci_h
+ * TD list.
+ */
+ if (list_empty(&ep_ring->td_list)) {
+- xhci_warn(xhci, "WARN Event TRB for slot %d ep %d "
+- "with no TDs queued?\n",
+- TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
+- ep_index);
+- xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
+- (le32_to_cpu(event->flags) &
+- TRB_TYPE_BITMASK)>>10);
+- xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++ /*
++ * A stopped endpoint may generate an extra completion
++ * event if the device was suspended. Don't print
++ * warnings.
++ */
++ if (!(trb_comp_code == COMP_STOP ||
++ trb_comp_code == COMP_STOP_INVAL)) {
++ xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
++ TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
++ ep_index);
++ xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
++ (le32_to_cpu(event->flags) &
++ TRB_TYPE_BITMASK)>>10);
++ xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++ }
+ if (ep->skip) {
+ ep->skip = false;
+ xhci_dbg(xhci, "td_list is empty while skip "
-- 2.47.3
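Review bot: The new condition in handle_tx_event() silences more than the warning: `xhci_dbg(...)` and `xhci_print_trb_offsets(...)` sit inside the same `if`, so a Stopped or Stopped Invalid event on an empty ring now leaves no debug trace either, while the commit text only talks about removing the warning. If the debug output is still wanted for diagnosing ring state, keep those two calls outside the `!(trb_comp_code == COMP_STOP || trb_comp_code == COMP_STOP_INVAL)` block; otherwise say so in the comment, e.g. `Don't print warnings or debug output.` The enclosing function starts and ends outside the hunk.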