--- /dev/null
+From f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 Mon Sep 17 00:00:00 2001
+From: Hans Schillstrom <hans@schillstrom.com>
+Date: Sat, 27 Apr 2013 20:06:14 +0200
+Subject: ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
+
+From: Hans Schillstrom <hans@schillstrom.com>
+
+commit f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 upstream.
+
+The reason for this patch is crash in kmemdup
+caused by returning from get_callid with uniialized
+matchoff and matchlen.
+
+Removing Zero check of matchlen since it's done by ct_sip_get_header()
+
+BUG: unable to handle kernel paging request at ffff880457b5763f
+IP: [<ffffffff810df7fc>] kmemdup+0x2e/0x35
+PGD 27f6067 PUD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: xt_state xt_helper nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle xt_connmark xt_conntrack ip6_tables nf_conntrack_ftp ip_vs_ftp nf_nat xt_tcpudp iptable_mangle xt_mark ip_tables x_tables ip_vs_rr ip_vs_lblcr ip_vs_pe_sip ip_vs nf_conntrack_sip nf_conntrack bonding igb i2c_algo_bit i2c_core
+CPU 5
+Pid: 0, comm: swapper/5 Not tainted 3.9.0-rc5+ #5 /S1200KP
+RIP: 0010:[<ffffffff810df7fc>] [<ffffffff810df7fc>] kmemdup+0x2e/0x35
+RSP: 0018:ffff8803fea03648 EFLAGS: 00010282
+RAX: ffff8803d61063e0 RBX: 0000000000000003 RCX: 0000000000000003
+RDX: 0000000000000003 RSI: ffff880457b5763f RDI: ffff8803d61063e0
+RBP: ffff8803fea03658 R08: 0000000000000008 R09: 0000000000000011
+R10: 0000000000000011 R11: 00ffffffff81a8a3 R12: ffff880457b5763f
+R13: ffff8803d67f786a R14: ffff8803fea03730 R15: ffffffffa0098e90
+FS: 0000000000000000(0000) GS:ffff8803fea00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff880457b5763f CR3: 0000000001a0c000 CR4: 00000000001407e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper/5 (pid: 0, threadinfo ffff8803ee18c000, task ffff8803ee18a480)
+Stack:
+ ffff8803d822a080 000000000000001c ffff8803fea036c8 ffffffffa000937a
+ ffffffff81f0d8a0 000000038135fdd5 ffff880300000014 ffff880300110000
+ ffffffff150118ac ffff8803d7e8a000 ffff88031e0118ac 0000000000000000
+Call Trace:
+ <IRQ>
+
+ [<ffffffffa000937a>] ip_vs_sip_fill_param+0x13a/0x187 [ip_vs_pe_sip]
+ [<ffffffffa007b209>] ip_vs_sched_persist+0x2c6/0x9c3 [ip_vs]
+ [<ffffffff8107dc53>] ? __lock_acquire+0x677/0x1697
+ [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
+ [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
+ [<ffffffff810649bc>] ? sched_clock_cpu+0x43/0xcf
+ [<ffffffffa007bb1e>] ip_vs_schedule+0x181/0x4ba [ip_vs]
+...
+
+Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_pe_sip.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
+@@ -37,14 +37,10 @@ static int get_callid(const char *dptr,
+ if (ret > 0)
+ break;
+ if (!ret)
+- return 0;
++ return -EINVAL;
+ dataoff += *matchoff;
+ }
+
+- /* Empty callid is useless */
+- if (!*matchlen)
+- return -EINVAL;
+-
+ /* Too large is useless */
+ if (*matchlen > IP_VS_PEDATA_MAXLEN)
+ return -EINVAL;
--- /dev/null
+From 13f85203e1060da83d9ec1c1c5a63343eaab8de4 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 3 May 2013 17:19:01 +0000
+Subject: net/eth/ibmveth: Fixup retrieval of MAC address
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 13f85203e1060da83d9ec1c1c5a63343eaab8de4 upstream.
+
+Some ancient pHyp versions used to create a 8 bytes local-mac-address
+property in the device-tree instead of a 6 bytes one for veth.
+
+The Linux driver code to deal with that is an insane hack which also
+happens to break with some choices of MAC addresses in qemu by testing
+for a bit in the address rather than just looking at the size of the
+property.
+
+Sanitize this by doing the latter instead.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1327,7 +1327,7 @@ static const struct net_device_ops ibmve
+ static int __devinit ibmveth_probe(struct vio_dev *dev,
+ const struct vio_device_id *id)
+ {
+- int rc, i;
++ int rc, i, mac_len;
+ struct net_device *netdev;
+ struct ibmveth_adapter *adapter;
+ unsigned char *mac_addr_p;
+@@ -1337,11 +1337,19 @@ static int __devinit ibmveth_probe(struc
+ dev->unit_address);
+
+ mac_addr_p = (unsigned char *)vio_get_attribute(dev, VETH_MAC_ADDR,
+- NULL);
++ &mac_len);
+ if (!mac_addr_p) {
+ dev_err(&dev->dev, "Can't find VETH_MAC_ADDR attribute\n");
+ return -EINVAL;
+ }
++ /* Workaround for old/broken pHyp */
++ if (mac_len == 8)
++ mac_addr_p += 2;
++ else if (mac_len != 6) {
++ dev_err(&dev->dev, "VETH_MAC_ADDR attribute wrong len %d\n",
++ mac_len);
++ return -EINVAL;
++ }
+
+ mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev,
+ VETH_MCAST_FILTER_SIZE, NULL);
+@@ -1366,17 +1374,6 @@ static int __devinit ibmveth_probe(struc
+
+ netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16);
+
+- /*
+- * Some older boxes running PHYP non-natively have an OF that returns
+- * a 8-byte local-mac-address field (and the first 2 bytes have to be
+- * ignored) while newer boxes' OF return a 6-byte field. Note that
+- * IEEE 1275 specifies that local-mac-address must be a 6-byte field.
+- * The RPA doc specifies that the first byte must be 10b, so we'll
+- * just look for it to solve this 8 vs. 6 byte field issue
+- */
+- if ((*mac_addr_p & 0x3) != 0x02)
+- mac_addr_p += 2;
+-
+ adapter->mac_addr = 0;
+ memcpy(&adapter->mac_addr, mac_addr_p, 6);
+
--- /dev/null
+From 7cc23cd6c0c7d7f4bee057607e7ce01568925717 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 3 May 2013 14:11:25 +0200
+Subject: perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717 upstream.
+
+We should always have proper privileges when requesting kernel
+data.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+[ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -310,7 +310,7 @@ void intel_pmu_lbr_read(void)
+ * - in case there is no HW filter
+ * - in case the HW filter has errata or limitations
+ */
+-static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
++static int intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
+ {
+ u64 br_type = event->attr.branch_sample_type;
+ int mask = 0;
+@@ -318,8 +318,11 @@ static void intel_pmu_setup_sw_lbr_filte
+ if (br_type & PERF_SAMPLE_BRANCH_USER)
+ mask |= X86_BR_USER;
+
+- if (br_type & PERF_SAMPLE_BRANCH_KERNEL)
++ if (br_type & PERF_SAMPLE_BRANCH_KERNEL) {
++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ mask |= X86_BR_KERNEL;
++ }
+
+ /* we ignore BRANCH_HV here */
+
+@@ -339,6 +342,8 @@ static void intel_pmu_setup_sw_lbr_filte
+ * be used by fixup code for some CPU
+ */
+ event->hw.branch_reg.reg = mask;
++
++ return 0;
+ }
+
+ /*
+@@ -386,7 +391,9 @@ int intel_pmu_setup_lbr_filter(struct pe
+ /*
+ * setup SW LBR filter
+ */
+- intel_pmu_setup_sw_lbr_filter(event);
++ ret = intel_pmu_setup_sw_lbr_filter(event);
++ if (ret)
++ return ret;
+
+ /*
+ * setup HW LBR filter, if any
--- /dev/null
+From 6e15eb3ba6c0249c9e8c783517d131b47db995ca Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 3 May 2013 14:11:24 +0200
+Subject: perf/x86/intel/lbr: Fix LBR filter
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca upstream.
+
+The LBR 'from' adddress is under full userspace control; ensure
+we validate it before reading from it.
+
+Note: is_module_text_address() can potentially be quite
+expensive; for those running into that with high overhead
+in modules optimize it using an RCU backed rb-tree.
+
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.158211806@chello.nl
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -442,8 +442,18 @@ static int branch_type(unsigned long fro
+ return X86_BR_NONE;
+
+ addr = buf;
+- } else
+- addr = (void *)from;
++ } else {
++ /*
++ * The LBR logs any address in the IP, even if the IP just
++ * faulted. This means userspace can control the from address.
++ * Ensure we don't blindy read any address by validating it is
++ * a known text address.
++ */
++ if (kernel_text_address(from))
++ addr = (void *)from;
++ else
++ return X86_BR_NONE;
++ }
+
+ /*
+ * decoder needs to know the ABI especially
powerpc-emulate-non-privileged-dscr-read-and-write.patch
powerpc-fix-numa-distance-for-form0-device-tree.patch
autofs-remove-autofs-dentry-mount-check.patch
+net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
+perf-x86-intel-lbr-fix-lbr-filter.patch
+perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
+xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
+ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
--- /dev/null
+From a83d6755814e4614ba77e15d82796af0f695c6b8 Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Mon, 18 Mar 2013 10:19:51 -0700
+Subject: xhci: Don't warn on empty ring for suspended devices.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit a83d6755814e4614ba77e15d82796af0f695c6b8 upstream.
+
+When a device attached to the roothub is suspended, the endpoint rings
+are stopped. The host may generate a completion event with the
+completion code set to 'Stopped' or 'Stopped Invalid' when the ring is
+halted. The current xHCI code prints a warning in that case, which can
+be really annoying if the USB device is coming into and out of suspend.
+
+Remove the unnecessary warning.
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Tested-by: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2459,14 +2459,21 @@ static int handle_tx_event(struct xhci_h
+ * TD list.
+ */
+ if (list_empty(&ep_ring->td_list)) {
+- xhci_warn(xhci, "WARN Event TRB for slot %d ep %d "
+- "with no TDs queued?\n",
+- TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
+- ep_index);
+- xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
+- (le32_to_cpu(event->flags) &
+- TRB_TYPE_BITMASK)>>10);
+- xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++ /*
++ * A stopped endpoint may generate an extra completion
++ * event if the device was suspended. Don't print
++ * warnings.
++ */
++ if (!(trb_comp_code == COMP_STOP ||
++ trb_comp_code == COMP_STOP_INVAL)) {
++ xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
++ TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
++ ep_index);
++ xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
++ (le32_to_cpu(event->flags) &
++ TRB_TYPE_BITMASK)>>10);
++ xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++ }
+ if (ep->skip) {
+ ep->skip = false;
+ xhci_dbg(xhci, "td_list is empty while skip "
projects / thirdparty / kernel / stable-queue.git / commitdiff
