From 74112b9726b8fbf0f347913b092e65c1cc705ba5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 27 Jun 2013 12:19:20 -0700 Subject: [PATCH] 3.4-stable patches added patches: bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch dlci-validate-the-net-device-in-dlci_del.patch hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch net-tg3-avoid-delay-during-mmio-access.patch --- ...sh-in-l2cap_build_cmd-with-small-mtu.patch | 90 +++++++++++++ ...ength-check-in-l2cap_information_rsp.patch | 48 +++++++ ...ock-before-calling-__dev_get_by_name.patch | 60 +++++++++ ...-validate-the-net-device-in-dlci_del.patch | 67 ++++++++++ ...ble_mask-in-reserve-release-_bp_slot.patch | 55 ++++++++ ...t-tg3-avoid-delay-during-mmio-access.patch | 121 ++++++++++++++++++ queue-3.4/series | 6 + 7 files changed, 447 insertions(+) create mode 100644 queue-3.4/bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch create mode 100644 queue-3.4/bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch create mode 100644 queue-3.4/dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch create mode 100644 queue-3.4/dlci-validate-the-net-device-in-dlci_del.patch create mode 100644 queue-3.4/hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch create mode 100644 queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch diff --git a/queue-3.4/bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch b/queue-3.4/bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch new file mode 100644 index 00000000000..40cf36ae16d --- /dev/null +++ b/queue-3.4/bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch @@ -0,0 +1,90 @@ +From 300b962e5244a1ea010df7e88595faa0085b461d Mon Sep 17 00:00:00 2001 +From: Anderson Lizardo +Date: Sun, 2 Jun 2013 16:30:40 -0400 +Subject: Bluetooth: Fix crash in l2cap_build_cmd() with small MTU + +From: Anderson Lizardo + +commit 300b962e5244a1ea010df7e88595faa0085b461d upstream. + +If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus +controller, memory corruption happens due to a memcpy() call with +negative length. + +Fix this crash on either incoming or outgoing connections with a MTU +smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: + +[ 46.885433] BUG: unable to handle kernel paging request at f56ad000 +[ 46.888037] IP: [] memcpy+0x1d/0x40 +[ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 +[ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC +[ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common +[ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 +[ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 +[ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] +[ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 +[ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 +[ 46.888037] EIP is at memcpy+0x1d/0x40 +[ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 +[ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c +[ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +[ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 +[ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 +[ 46.888037] DR6: ffff0ff0 DR7: 00000400 +[ 46.888037] Stack: +[ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 +[ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 +[ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 +[ 46.888037] Call Trace: +[ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] +[ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] +[ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] +[ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 +[ 46.888037] [] ? mark_held_locks+0x68/0x110 +[ 46.888037] [] ? mutex_lock_nested+0x280/0x360 +[ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 +[ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 +[ 46.888037] [] ? mutex_lock_nested+0x268/0x360 +[ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 +[ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] +[ 46.888037] [] ? mark_held_locks+0x68/0x110 +[ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 +[ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 +[ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] +[ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] +[ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] +[ 46.888037] [] process_one_work+0x1a9/0x600 +[ 46.888037] [] ? process_one_work+0x12b/0x600 +[ 46.888037] [] ? worker_thread+0x19e/0x320 +[ 46.888037] [] ? worker_thread+0x19e/0x320 +[ 46.888037] [] worker_thread+0xf7/0x320 +[ 46.888037] [] ? rescuer_thread+0x290/0x290 +[ 46.888037] [] kthread+0xa8/0xb0 +[ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 +[ 46.888037] [] ? flush_kthread_worker+0x120/0x120 +[ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 +[ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c +[ 46.888037] CR2: 00000000f56ad000 +[ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- + +Signed-off-by: Anderson Lizardo +Signed-off-by: Gustavo Padovan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/l2cap_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1880,6 +1880,9 @@ static struct sk_buff *l2cap_build_cmd(s + BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", + conn, code, ident, dlen); + ++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) ++ return NULL; ++ + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; + count = min_t(unsigned int, conn->mtu, len); + diff --git a/queue-3.4/bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch b/queue-3.4/bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch new file mode 100644 index 00000000000..d43822e90fc --- /dev/null +++ b/queue-3.4/bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch @@ -0,0 +1,48 @@ +From 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Mon Sep 17 00:00:00 2001 +From: Jaganath Kanakkassery +Date: Fri, 21 Jun 2013 19:55:11 +0530 +Subject: Bluetooth: Fix invalid length check in l2cap_information_rsp() + +From: Jaganath Kanakkassery + +commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream. + +The length check is invalid since the length varies with type of +info response. + +This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 + +Because of this, l2cap info rsp is not handled and command reject is sent. + +> ACL data: handle 11 flags 0x02 dlen 16 + L2CAP(s): Info rsp: type 2 result 0 + Extended feature mask 0x00b8 + Enhanced Retransmission mode + Streaming mode + FCS Option + Fixed Channels +< ACL data: handle 11 flags 0x00 dlen 10 + L2CAP(s): Command rej: reason 0 + Command not understood + +Signed-off-by: Jaganath Kanakkassery +Signed-off-by: Chan-Yeol Park +Acked-by: Johan Hedberg +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/l2cap_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3399,7 +3399,7 @@ static inline int l2cap_move_channel_con + struct l2cap_move_chan_cfm_rsp *rsp = data; + u16 icid; + +- if (cmd_len != sizeof(*rsp)) ++ if (cmd_len < sizeof(*rsp)) + return -EPROTO; + + icid = le16_to_cpu(rsp->icid); diff --git a/queue-3.4/dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch b/queue-3.4/dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch new file mode 100644 index 00000000000..c26f6439ed8 --- /dev/null +++ b/queue-3.4/dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch @@ -0,0 +1,60 @@ +From 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 Mon Sep 17 00:00:00 2001 +From: Zefan Li +Date: Wed, 26 Jun 2013 15:29:54 +0800 +Subject: dlci: acquire rtnl_lock before calling __dev_get_by_name() + +From: Zefan Li + +commit 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 upstream. + +Otherwise the net device returned can be freed at anytime. + +Signed-off-by: Li Zefan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wan/dlci.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -385,20 +385,24 @@ static int dlci_del(struct dlci_add *dlc + struct net_device *master, *slave; + int err; + ++ rtnl_lock(); ++ + /* validate slave device */ + master = __dev_get_by_name(&init_net, dlci->devname); +- if (!master) +- return -ENODEV; ++ if (!master) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { +- return -EBUSY; ++ err = -EBUSY; ++ goto out; + } + + dlp = netdev_priv(master); + slave = dlp->slave; + flp = netdev_priv(slave); + +- rtnl_lock(); + err = (*flp->deassoc)(slave, master); + if (!err) { + list_del(&dlp->list); +@@ -407,8 +411,8 @@ static int dlci_del(struct dlci_add *dlc + + dev_put(slave); + } ++out: + rtnl_unlock(); +- + return err; + } + diff --git a/queue-3.4/dlci-validate-the-net-device-in-dlci_del.patch b/queue-3.4/dlci-validate-the-net-device-in-dlci_del.patch new file mode 100644 index 00000000000..e6aa1c11e01 --- /dev/null +++ b/queue-3.4/dlci-validate-the-net-device-in-dlci_del.patch @@ -0,0 +1,67 @@ +From 578a1310f2592ba90c5674bca21c1dbd1adf3f0a Mon Sep 17 00:00:00 2001 +From: Zefan Li +Date: Wed, 26 Jun 2013 15:31:58 +0800 +Subject: dlci: validate the net device in dlci_del() + +From: Zefan Li + +commit 578a1310f2592ba90c5674bca21c1dbd1adf3f0a upstream. + +We triggered an oops while running trinity with 3.4 kernel: + +BUG: unable to handle kernel paging request at 0000000100000d07 +IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] +PGD 640c0d067 PUD 0 +Oops: 0000 [#1] PREEMPT SMP +CPU 3 +... +Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA +RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] +... +Call Trace: + [] sock_ioctl+0x153/0x280 + [] do_vfs_ioctl+0xa4/0x5e0 + [] ? fget_light+0x3ea/0x490 + [] sys_ioctl+0x4f/0x80 + [] system_call_fastpath+0x16/0x1b +... + +It's because the net device is not a dlci device. + +Reported-by: Li Jinyue +Signed-off-by: Li Zefan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wan/dlci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -384,6 +384,7 @@ static int dlci_del(struct dlci_add *dlc + struct frad_local *flp; + struct net_device *master, *slave; + int err; ++ bool found = false; + + rtnl_lock(); + +@@ -393,6 +394,17 @@ static int dlci_del(struct dlci_add *dlc + err = -ENODEV; + goto out; + } ++ ++ list_for_each_entry(dlp, &dlci_devs, list) { ++ if (dlp->master == master) { ++ found = true; ++ break; ++ } ++ } ++ if (!found) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { + err = -EBUSY; diff --git a/queue-3.4/hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch b/queue-3.4/hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch new file mode 100644 index 00000000000..3ebc2e6fd15 --- /dev/null +++ b/queue-3.4/hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch @@ -0,0 +1,55 @@ +From c790b0ad23f427c7522ffed264706238c57c007e Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Thu, 20 Jun 2013 17:50:09 +0200 +Subject: hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot() + +From: Oleg Nesterov + +commit c790b0ad23f427c7522ffed264706238c57c007e upstream. + +fetch_bp_busy_slots() and toggle_bp_slot() use +for_each_online_cpu(), this is obviously wrong wrt cpu_up() or +cpu_down(), we can over/under account the per-cpu numbers. + +For example: + + # echo 0 >> /sys/devices/system/cpu/cpu1/online + # perf record -e mem:0x10 -p 1 & + # echo 1 >> /sys/devices/system/cpu/cpu1/online + # perf record -e mem:0x10,mem:0x10,mem:0x10,mem:0x10 -C1 -a & + # taskset -p 0x2 1 + +triggers the same WARN_ONCE("Can't find any breakpoint slot") in +arch_install_hw_breakpoint(). + +Reported-by: Vince Weaver +Signed-off-by: Oleg Nesterov +Acked-by: Frederic Weisbecker +Link: http://lkml.kernel.org/r/20130620155009.GA6327@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/hw_breakpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -147,7 +147,7 @@ fetch_bp_busy_slots(struct bp_busy_slots + return; + } + +- for_each_online_cpu(cpu) { ++ for_each_possible_cpu(cpu) { + unsigned int nr; + + nr = per_cpu(nr_cpu_bp_pinned[type], cpu); +@@ -233,7 +233,7 @@ toggle_bp_slot(struct perf_event *bp, bo + if (cpu >= 0) { + toggle_bp_task_slot(bp, cpu, enable, type, weight); + } else { +- for_each_online_cpu(cpu) ++ for_each_possible_cpu(cpu) + toggle_bp_task_slot(bp, cpu, enable, type, weight); + } + diff --git a/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch b/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch new file mode 100644 index 00000000000..13720ca21fc --- /dev/null +++ b/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch @@ -0,0 +1,121 @@ +From 6d446ec32f169c6a5d9bc90684a8082a6cbe90f6 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Tue, 25 Jun 2013 15:24:32 +0800 +Subject: net/tg3: Avoid delay during MMIO access + +From: Gavin Shan + +commit 6d446ec32f169c6a5d9bc90684a8082a6cbe90f6 upstream. + +When the EEH error is the result of a fenced host bridge, MMIO accesses +can be very slow (milliseconds) to timeout and return all 1's, +thus causing the driver various timeout loops to take way too long and +trigger soft-lockup warnings (in addition to taking minutes to recover). + +It might be worthwhile to check if for any of these cases, ffffffff is +a valid possible value, and if not, bail early since that means the HW +is either gone or isolated. In the meantime, checking that the PCI channel +is offline would be workaround of the problem. + +Signed-off-by: Gavin Shan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/tg3.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -689,6 +689,9 @@ static int tg3_ape_lock(struct tg3 *tp, + status = tg3_ape_read32(tp, gnt + off); + if (status == bit) + break; ++ if (pci_channel_offline(tp->pdev)) ++ break; ++ + udelay(10); + } + +@@ -1466,6 +1469,9 @@ static void tg3_wait_for_event_ack(struc + for (i = 0; i < delay_cnt; i++) { + if (!(tr32(GRC_RX_CPU_EVENT) & GRC_RX_CPU_DRIVER_EVENT)) + break; ++ if (pci_channel_offline(tp->pdev)) ++ break; ++ + udelay(8); + } + } +@@ -1636,6 +1642,9 @@ static int tg3_poll_fw(struct tg3 *tp) + for (i = 0; i < 200; i++) { + if (tr32(VCPU_STATUS) & VCPU_STATUS_INIT_DONE) + return 0; ++ if (pci_channel_offline(tp->pdev)) ++ return -ENODEV; ++ + udelay(100); + } + return -ENODEV; +@@ -1646,6 +1655,15 @@ static int tg3_poll_fw(struct tg3 *tp) + tg3_read_mem(tp, NIC_SRAM_FIRMWARE_MBOX, &val); + if (val == ~NIC_SRAM_FIRMWARE_MBOX_MAGIC1) + break; ++ if (pci_channel_offline(tp->pdev)) { ++ if (!tg3_flag(tp, NO_FWARE_REPORTED)) { ++ tg3_flag_set(tp, NO_FWARE_REPORTED); ++ netdev_info(tp->dev, "No firmware running\n"); ++ } ++ ++ break; ++ } ++ + udelay(10); + } + +@@ -3204,6 +3222,8 @@ static int tg3_nvram_write_block_buffere + ret = tg3_nvram_exec_cmd(tp, nvram_cmd); + if (ret) + break; ++ if (pci_channel_offline(tp->pdev)) ++ return -EBUSY; + } + return ret; + } +@@ -7674,6 +7694,14 @@ static int tg3_stop_block(struct tg3 *tp + tw32_f(ofs, val); + + for (i = 0; i < MAX_WAIT_CNT; i++) { ++ if (pci_channel_offline(tp->pdev)) { ++ dev_err(&tp->pdev->dev, ++ "tg3_stop_block device offline, " ++ "ofs=%lx enable_bit=%x\n", ++ ofs, enable_bit); ++ return -ENODEV; ++ } ++ + udelay(100); + val = tr32(ofs); + if ((val & enable_bit) == 0) +@@ -7697,6 +7725,13 @@ static int tg3_abort_hw(struct tg3 *tp, + + tg3_disable_ints(tp); + ++ if (pci_channel_offline(tp->pdev)) { ++ tp->rx_mode &= ~(RX_MODE_ENABLE | TX_MODE_ENABLE); ++ tp->mac_mode &= ~MAC_MODE_TDE_ENABLE; ++ err = -ENODEV; ++ goto err_no_dev; ++ } ++ + tp->rx_mode &= ~RX_MODE_ENABLE; + tw32_f(MAC_RX_MODE, tp->rx_mode); + udelay(10); +@@ -7745,6 +7780,7 @@ static int tg3_abort_hw(struct tg3 *tp, + err |= tg3_stop_block(tp, BUFMGR_MODE, BUFMGR_MODE_ENABLE, silent); + err |= tg3_stop_block(tp, MEMARB_MODE, MEMARB_MODE_ENABLE, silent); + ++err_no_dev: + for (i = 0; i < tp->irq_cnt; i++) { + struct tg3_napi *tnapi = &tp->napi[i]; + if (tnapi->hw_status) diff --git a/queue-3.4/series b/queue-3.4/series index 8c0d932927b..959821766c4 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -1,2 +1,8 @@ arm-7755-1-handle-user-space-mapped-pages-in-flush_kernel_dcache_page.patch arm-7772-1-fix-missing-flush_kernel_dcache_page-for-nommu.patch +bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch +bluetooth-fix-invalid-length-check-in-l2cap_information_rsp.patch +hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch +dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch +dlci-validate-the-net-device-in-dlci_del.patch +net-tg3-avoid-delay-during-mmio-access.patch -- 2.47.3