Linux v3.10-rc6
This commit is contained in:
parent
575de6c9a6
commit
542e360438
@ -1,228 +0,0 @@
|
|||||||
To fix /dev/kmsg, let's compare the existing interfaces and what they allow:
|
|
||||||
|
|
||||||
- /proc/kmsg allows:
|
|
||||||
- open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive
|
|
||||||
single-reader interface (SYSLOG_ACTION_READ).
|
|
||||||
- everything, after an open.
|
|
||||||
|
|
||||||
- syslog syscall allows:
|
|
||||||
- anything, if CAP_SYSLOG.
|
|
||||||
- SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0.
|
|
||||||
- nothing else (EPERM).
|
|
||||||
|
|
||||||
The use-cases were:
|
|
||||||
- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs.
|
|
||||||
- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the
|
|
||||||
destructive SYSLOG_ACTION_READs.
|
|
||||||
|
|
||||||
AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't
|
|
||||||
clear the ring buffer.
|
|
||||||
|
|
||||||
Based on the comments in devkmsg_llseek, it sounds like actions besides
|
|
||||||
reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR),
|
|
||||||
so we have a strict subset of the non-destructive syslog syscall actions.
|
|
||||||
|
|
||||||
To this end, move the check as Josh had done, but also rename the constants
|
|
||||||
to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and
|
|
||||||
SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows
|
|
||||||
non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions
|
|
||||||
after a capabilities-constrained SYSLOG_ACTION_OPEN check.
|
|
||||||
|
|
||||||
- /dev/kmsg allows:
|
|
||||||
- open if CAP_SYSLOG or dmesg_restrict==0
|
|
||||||
- reading/polling, after open
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Reported-by: Christian Kujau <lists@nerdbynature.de>
|
|
||||||
Cc: Josh Boyer <jwboyer@redhat.com>
|
|
||||||
Cc: Kay Sievers <kay@vrfy.org>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
---
|
|
||||||
fs/proc/kmsg.c | 10 +++---
|
|
||||||
include/linux/syslog.h | 4 +--
|
|
||||||
kernel/printk.c | 91 ++++++++++++++++++++++++++----------------------
|
|
||||||
3 files changed, 57 insertions(+), 48 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c
|
|
||||||
index bd4b5a7..bdfabda 100644
|
|
||||||
--- a/fs/proc/kmsg.c
|
|
||||||
+++ b/fs/proc/kmsg.c
|
|
||||||
@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait;
|
|
||||||
|
|
||||||
static int kmsg_open(struct inode * inode, struct file * file)
|
|
||||||
{
|
|
||||||
- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE);
|
|
||||||
+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int kmsg_release(struct inode * inode, struct file * file)
|
|
||||||
{
|
|
||||||
- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE);
|
|
||||||
+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf,
|
|
||||||
size_t count, loff_t *ppos)
|
|
||||||
{
|
|
||||||
if ((file->f_flags & O_NONBLOCK) &&
|
|
||||||
- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
|
|
||||||
+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
|
|
||||||
return -EAGAIN;
|
|
||||||
- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE);
|
|
||||||
+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC);
|
|
||||||
}
|
|
||||||
|
|
||||||
static unsigned int kmsg_poll(struct file *file, poll_table *wait)
|
|
||||||
{
|
|
||||||
poll_wait(file, &log_wait, wait);
|
|
||||||
- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
|
|
||||||
+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
|
|
||||||
return POLLIN | POLLRDNORM;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff --git a/include/linux/syslog.h b/include/linux/syslog.h
|
|
||||||
index 3891139..98a3153 100644
|
|
||||||
--- a/include/linux/syslog.h
|
|
||||||
+++ b/include/linux/syslog.h
|
|
||||||
@@ -44,8 +44,8 @@
|
|
||||||
/* Return size of the log buffer */
|
|
||||||
#define SYSLOG_ACTION_SIZE_BUFFER 10
|
|
||||||
|
|
||||||
-#define SYSLOG_FROM_CALL 0
|
|
||||||
-#define SYSLOG_FROM_FILE 1
|
|
||||||
+#define SYSLOG_FROM_READER 0
|
|
||||||
+#define SYSLOG_FROM_PROC 1
|
|
||||||
|
|
||||||
int do_syslog(int type, char __user *buf, int count, bool from_file);
|
|
||||||
|
|
||||||
diff --git a/kernel/printk.c b/kernel/printk.c
|
|
||||||
index abbdd9e..53b5c5e 100644
|
|
||||||
--- a/kernel/printk.c
|
|
||||||
+++ b/kernel/printk.c
|
|
||||||
@@ -368,6 +368,53 @@ static void log_store(int facility, int level,
|
|
||||||
log_next_seq++;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef CONFIG_SECURITY_DMESG_RESTRICT
|
|
||||||
+int dmesg_restrict = 1;
|
|
||||||
+#else
|
|
||||||
+int dmesg_restrict;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+static int syslog_action_restricted(int type)
|
|
||||||
+{
|
|
||||||
+ if (dmesg_restrict)
|
|
||||||
+ return 1;
|
|
||||||
+ /*
|
|
||||||
+ * Unless restricted, we allow "read all" and "get buffer size"
|
|
||||||
+ * for everybody.
|
|
||||||
+ */
|
|
||||||
+ return type != SYSLOG_ACTION_READ_ALL &&
|
|
||||||
+ type != SYSLOG_ACTION_SIZE_BUFFER;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int check_syslog_permissions(int type, bool from_file)
|
|
||||||
+{
|
|
||||||
+ /*
|
|
||||||
+ * If this is from /proc/kmsg and we've already opened it, then we've
|
|
||||||
+ * already done the capabilities checks at open time.
|
|
||||||
+ */
|
|
||||||
+ if (from_file && type != SYSLOG_ACTION_OPEN)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (syslog_action_restricted(type)) {
|
|
||||||
+ if (capable(CAP_SYSLOG))
|
|
||||||
+ return 0;
|
|
||||||
+ /*
|
|
||||||
+ * For historical reasons, accept CAP_SYS_ADMIN too, with
|
|
||||||
+ * a warning.
|
|
||||||
+ */
|
|
||||||
+ if (capable(CAP_SYS_ADMIN)) {
|
|
||||||
+ printk_once(KERN_WARNING "%s (%d): "
|
|
||||||
+ "Attempt to access syslog with CAP_SYS_ADMIN "
|
|
||||||
+ "but no CAP_SYSLOG (deprecated).\n",
|
|
||||||
+ current->comm, task_pid_nr(current));
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return -EPERM;
|
|
||||||
+ }
|
|
||||||
+ return security_syslog(type);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
/* /dev/kmsg - userspace message inject/listen interface */
|
|
||||||
struct devkmsg_user {
|
|
||||||
u64 seq;
|
|
||||||
@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file)
|
|
||||||
if ((file->f_flags & O_ACCMODE) == O_WRONLY)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- err = security_syslog(SYSLOG_ACTION_READ_ALL);
|
|
||||||
+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
|
|
||||||
+ SYSLOG_FROM_READER);
|
|
||||||
if (err)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef CONFIG_SECURITY_DMESG_RESTRICT
|
|
||||||
-int dmesg_restrict = 1;
|
|
||||||
-#else
|
|
||||||
-int dmesg_restrict;
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
-static int syslog_action_restricted(int type)
|
|
||||||
-{
|
|
||||||
- if (dmesg_restrict)
|
|
||||||
- return 1;
|
|
||||||
- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */
|
|
||||||
- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static int check_syslog_permissions(int type, bool from_file)
|
|
||||||
-{
|
|
||||||
- /*
|
|
||||||
- * If this is from /proc/kmsg and we've already opened it, then we've
|
|
||||||
- * already done the capabilities checks at open time.
|
|
||||||
- */
|
|
||||||
- if (from_file && type != SYSLOG_ACTION_OPEN)
|
|
||||||
- return 0;
|
|
||||||
-
|
|
||||||
- if (syslog_action_restricted(type)) {
|
|
||||||
- if (capable(CAP_SYSLOG))
|
|
||||||
- return 0;
|
|
||||||
- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
|
|
||||||
- if (capable(CAP_SYS_ADMIN)) {
|
|
||||||
- printk_once(KERN_WARNING "%s (%d): "
|
|
||||||
- "Attempt to access syslog with CAP_SYS_ADMIN "
|
|
||||||
- "but no CAP_SYSLOG (deprecated).\n",
|
|
||||||
- current->comm, task_pid_nr(current));
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
- return -EPERM;
|
|
||||||
- }
|
|
||||||
- return 0;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
#if defined(CONFIG_PRINTK_TIME)
|
|
||||||
static bool printk_time = 1;
|
|
||||||
#else
|
|
||||||
@@ -1253,7 +1262,7 @@ out:
|
|
||||||
|
|
||||||
SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
|
|
||||||
{
|
|
||||||
- return do_syslog(type, buf, len, SYSLOG_FROM_CALL);
|
|
||||||
+ return do_syslog(type, buf, len, SYSLOG_FROM_READER);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
1.7.9.5
|
|
||||||
|
|
||||||
|
|
||||||
--
|
|
||||||
Kees Cook
|
|
||||||
Chrome OS Security
|
|
@ -1,384 +0,0 @@
|
|||||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
|
||||||
To: rja@sgi.com
|
|
||||||
Cc: mingo@kernel.org, torvalds@linux-foundation.org, bp@alien8.de,
|
|
||||||
jkosina@suse.cz, jlee@suse.com, matt.fleming@intel.com,
|
|
||||||
linux-efi@vger.kernel.org, x86@kernel.org,
|
|
||||||
linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@linux.intel.com,
|
|
||||||
akpm@linux-foundation.org,
|
|
||||||
Matthew Garrett <matthew.garrett@nebula.com>
|
|
||||||
Subject: [PATCH] Modify UEFI anti-bricking code
|
|
||||||
Date: Sat, 1 Jun 2013 16:06:20 -0400
|
|
||||||
Message-Id: <1370117180-1712-1-git-send-email-matthew.garrett@nebula.com>
|
|
||||||
|
|
||||||
This patch reworks the UEFI anti-bricking code, including an effective
|
|
||||||
reversion of cc5a080c and 31ff2f20. It turns out that calling
|
|
||||||
QueryVariableInfo() from boot services results in some firmware
|
|
||||||
implementations jumping to physical addresses even after entering virtual
|
|
||||||
mode, so until we have 1:1 mappings for UEFI runtime space this isn't
|
|
||||||
going to work so well.
|
|
||||||
|
|
||||||
Reverting these gets us back to the situation where we'd refuse to create
|
|
||||||
variables on some systems because they classify deleted variables as "used"
|
|
||||||
until the firmware triggers a garbage collection run, which they won't do
|
|
||||||
until they reach a lower threshold. This results in it being impossible to
|
|
||||||
install a bootloader, which is unhelpful.
|
|
||||||
|
|
||||||
Feedback from Samsung indicates that the firmware doesn't need more than
|
|
||||||
5KB of storage space for its own purposes, so that seems like a reasonable
|
|
||||||
threshold. However, there's still no guarantee that a platform will attempt
|
|
||||||
garbage collection merely because it drops below this threshold. It seems
|
|
||||||
that this is often only triggered if an attempt to write generates a
|
|
||||||
genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to
|
|
||||||
create a variable larger than the remaining space. This should fail, but if
|
|
||||||
it somehow succeeds we can then immediately delete it.
|
|
||||||
|
|
||||||
I've tested this on the UEFI machines I have available, but I don't have
|
|
||||||
a Samsung and so can't verify that it avoids the bricking problem.
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
||||||
---
|
|
||||||
arch/x86/boot/compressed/eboot.c | 47 ----------
|
|
||||||
arch/x86/include/asm/efi.h | 7 --
|
|
||||||
arch/x86/include/uapi/asm/bootparam.h | 1 -
|
|
||||||
arch/x86/platform/efi/efi.c | 169 +++++++++-------------------------
|
|
||||||
4 files changed, 45 insertions(+), 179 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
|
||||||
index 35ee62f..c205035 100644
|
|
||||||
--- a/arch/x86/boot/compressed/eboot.c
|
|
||||||
+++ b/arch/x86/boot/compressed/eboot.c
|
|
||||||
@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size)
|
|
||||||
*size = len;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static efi_status_t setup_efi_vars(struct boot_params *params)
|
|
||||||
-{
|
|
||||||
- struct setup_data *data;
|
|
||||||
- struct efi_var_bootdata *efidata;
|
|
||||||
- u64 store_size, remaining_size, var_size;
|
|
||||||
- efi_status_t status;
|
|
||||||
-
|
|
||||||
- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION)
|
|
||||||
- return EFI_UNSUPPORTED;
|
|
||||||
-
|
|
||||||
- data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
|
|
||||||
-
|
|
||||||
- while (data && data->next)
|
|
||||||
- data = (struct setup_data *)(unsigned long)data->next;
|
|
||||||
-
|
|
||||||
- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info,
|
|
||||||
- EFI_VARIABLE_NON_VOLATILE |
|
|
||||||
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
||||||
- EFI_VARIABLE_RUNTIME_ACCESS, &store_size,
|
|
||||||
- &remaining_size, &var_size);
|
|
||||||
-
|
|
||||||
- if (status != EFI_SUCCESS)
|
|
||||||
- return status;
|
|
||||||
-
|
|
||||||
- status = efi_call_phys3(sys_table->boottime->allocate_pool,
|
|
||||||
- EFI_LOADER_DATA, sizeof(*efidata), &efidata);
|
|
||||||
-
|
|
||||||
- if (status != EFI_SUCCESS)
|
|
||||||
- return status;
|
|
||||||
-
|
|
||||||
- efidata->data.type = SETUP_EFI_VARS;
|
|
||||||
- efidata->data.len = sizeof(struct efi_var_bootdata) -
|
|
||||||
- sizeof(struct setup_data);
|
|
||||||
- efidata->data.next = 0;
|
|
||||||
- efidata->store_size = store_size;
|
|
||||||
- efidata->remaining_size = remaining_size;
|
|
||||||
- efidata->max_var_size = var_size;
|
|
||||||
-
|
|
||||||
- if (data)
|
|
||||||
- data->next = (unsigned long)efidata;
|
|
||||||
- else
|
|
||||||
- params->hdr.setup_data = (unsigned long)efidata;
|
|
||||||
-
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static efi_status_t setup_efi_pci(struct boot_params *params)
|
|
||||||
{
|
|
||||||
efi_pci_io_protocol *pci;
|
|
||||||
@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
|
|
||||||
|
|
||||||
setup_graphics(boot_params);
|
|
||||||
|
|
||||||
- setup_efi_vars(boot_params);
|
|
||||||
-
|
|
||||||
setup_efi_pci(boot_params);
|
|
||||||
|
|
||||||
status = efi_call_phys3(sys_table->boottime->allocate_pool,
|
|
||||||
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
|
|
||||||
index 2fb5d58..60c89f3 100644
|
|
||||||
--- a/arch/x86/include/asm/efi.h
|
|
||||||
+++ b/arch/x86/include/asm/efi.h
|
|
||||||
@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void);
|
|
||||||
extern void efi_unmap_memmap(void);
|
|
||||||
extern void efi_memory_uc(u64 addr, unsigned long size);
|
|
||||||
|
|
||||||
-struct efi_var_bootdata {
|
|
||||||
- struct setup_data data;
|
|
||||||
- u64 store_size;
|
|
||||||
- u64 remaining_size;
|
|
||||||
- u64 max_var_size;
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
#ifdef CONFIG_EFI
|
|
||||||
|
|
||||||
static inline bool efi_is_native(void)
|
|
||||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
|
||||||
index 0874424..c15ddaf 100644
|
|
||||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
|
||||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
|
||||||
@@ -6,7 +6,6 @@
|
|
||||||
#define SETUP_E820_EXT 1
|
|
||||||
#define SETUP_DTB 2
|
|
||||||
#define SETUP_PCI 3
|
|
||||||
-#define SETUP_EFI_VARS 4
|
|
||||||
|
|
||||||
/* ram_size flags */
|
|
||||||
#define RAMDISK_IMAGE_START_MASK 0x07FF
|
|
||||||
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
|
|
||||||
index 82089d8..63e167a 100644
|
|
||||||
--- a/arch/x86/platform/efi/efi.c
|
|
||||||
+++ b/arch/x86/platform/efi/efi.c
|
|
||||||
@@ -42,7 +42,6 @@
|
|
||||||
#include <linux/io.h>
|
|
||||||
#include <linux/reboot.h>
|
|
||||||
#include <linux/bcd.h>
|
|
||||||
-#include <linux/ucs2_string.h>
|
|
||||||
|
|
||||||
#include <asm/setup.h>
|
|
||||||
#include <asm/efi.h>
|
|
||||||
@@ -54,13 +53,6 @@
|
|
||||||
|
|
||||||
#define EFI_DEBUG 1
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * There's some additional metadata associated with each
|
|
||||||
- * variable. Intel's reference implementation is 60 bytes - bump that
|
|
||||||
- * to account for potential alignment constraints
|
|
||||||
- */
|
|
||||||
-#define VAR_METADATA_SIZE 64
|
|
||||||
-
|
|
||||||
struct efi __read_mostly efi = {
|
|
||||||
.mps = EFI_INVALID_TABLE_ADDR,
|
|
||||||
.acpi = EFI_INVALID_TABLE_ADDR,
|
|
||||||
@@ -79,13 +71,6 @@ struct efi_memory_map memmap;
|
|
||||||
static struct efi efi_phys __initdata;
|
|
||||||
static efi_system_table_t efi_systab __initdata;
|
|
||||||
|
|
||||||
-static u64 efi_var_store_size;
|
|
||||||
-static u64 efi_var_remaining_size;
|
|
||||||
-static u64 efi_var_max_var_size;
|
|
||||||
-static u64 boot_used_size;
|
|
||||||
-static u64 boot_var_size;
|
|
||||||
-static u64 active_size;
|
|
||||||
-
|
|
||||||
unsigned long x86_efi_facility;
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -188,53 +173,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
|
|
||||||
efi_char16_t *name,
|
|
||||||
efi_guid_t *vendor)
|
|
||||||
{
|
|
||||||
- efi_status_t status;
|
|
||||||
- static bool finished = false;
|
|
||||||
- static u64 var_size;
|
|
||||||
-
|
|
||||||
- status = efi_call_virt3(get_next_variable,
|
|
||||||
- name_size, name, vendor);
|
|
||||||
-
|
|
||||||
- if (status == EFI_NOT_FOUND) {
|
|
||||||
- finished = true;
|
|
||||||
- if (var_size < boot_used_size) {
|
|
||||||
- boot_var_size = boot_used_size - var_size;
|
|
||||||
- active_size += boot_var_size;
|
|
||||||
- } else {
|
|
||||||
- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n");
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (boot_used_size && !finished) {
|
|
||||||
- unsigned long size = 0;
|
|
||||||
- u32 attr;
|
|
||||||
- efi_status_t s;
|
|
||||||
- void *tmp;
|
|
||||||
-
|
|
||||||
- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL);
|
|
||||||
-
|
|
||||||
- if (s != EFI_BUFFER_TOO_SMALL || !size)
|
|
||||||
- return status;
|
|
||||||
-
|
|
||||||
- tmp = kmalloc(size, GFP_ATOMIC);
|
|
||||||
-
|
|
||||||
- if (!tmp)
|
|
||||||
- return status;
|
|
||||||
-
|
|
||||||
- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp);
|
|
||||||
-
|
|
||||||
- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) {
|
|
||||||
- var_size += size;
|
|
||||||
- var_size += ucs2_strsize(name, 1024);
|
|
||||||
- active_size += size;
|
|
||||||
- active_size += VAR_METADATA_SIZE;
|
|
||||||
- active_size += ucs2_strsize(name, 1024);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- kfree(tmp);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return status;
|
|
||||||
+ return efi_call_virt3(get_next_variable,
|
|
||||||
+ name_size, name, vendor);
|
|
||||||
}
|
|
||||||
|
|
||||||
static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
|
||||||
@@ -243,34 +183,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
|
||||||
unsigned long data_size,
|
|
||||||
void *data)
|
|
||||||
{
|
|
||||||
- efi_status_t status;
|
|
||||||
- u32 orig_attr = 0;
|
|
||||||
- unsigned long orig_size = 0;
|
|
||||||
-
|
|
||||||
- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size,
|
|
||||||
- NULL);
|
|
||||||
-
|
|
||||||
- if (status != EFI_BUFFER_TOO_SMALL)
|
|
||||||
- orig_size = 0;
|
|
||||||
-
|
|
||||||
- status = efi_call_virt5(set_variable,
|
|
||||||
- name, vendor, attr,
|
|
||||||
- data_size, data);
|
|
||||||
-
|
|
||||||
- if (status == EFI_SUCCESS) {
|
|
||||||
- if (orig_size) {
|
|
||||||
- active_size -= orig_size;
|
|
||||||
- active_size -= ucs2_strsize(name, 1024);
|
|
||||||
- active_size -= VAR_METADATA_SIZE;
|
|
||||||
- }
|
|
||||||
- if (data_size) {
|
|
||||||
- active_size += data_size;
|
|
||||||
- active_size += ucs2_strsize(name, 1024);
|
|
||||||
- active_size += VAR_METADATA_SIZE;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return status;
|
|
||||||
+ return efi_call_virt5(set_variable,
|
|
||||||
+ name, vendor, attr,
|
|
||||||
+ data_size, data);
|
|
||||||
}
|
|
||||||
|
|
||||||
static efi_status_t virt_efi_query_variable_info(u32 attr,
|
|
||||||
@@ -786,9 +701,6 @@ void __init efi_init(void)
|
|
||||||
char vendor[100] = "unknown";
|
|
||||||
int i = 0;
|
|
||||||
void *tmp;
|
|
||||||
- struct setup_data *data;
|
|
||||||
- struct efi_var_bootdata *efi_var_data;
|
|
||||||
- u64 pa_data;
|
|
||||||
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
if (boot_params.efi_info.efi_systab_hi ||
|
|
||||||
@@ -806,22 +718,6 @@ void __init efi_init(void)
|
|
||||||
if (efi_systab_init(efi_phys.systab))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- pa_data = boot_params.hdr.setup_data;
|
|
||||||
- while (pa_data) {
|
|
||||||
- data = early_ioremap(pa_data, sizeof(*efi_var_data));
|
|
||||||
- if (data->type == SETUP_EFI_VARS) {
|
|
||||||
- efi_var_data = (struct efi_var_bootdata *)data;
|
|
||||||
-
|
|
||||||
- efi_var_store_size = efi_var_data->store_size;
|
|
||||||
- efi_var_remaining_size = efi_var_data->remaining_size;
|
|
||||||
- efi_var_max_var_size = efi_var_data->max_var_size;
|
|
||||||
- }
|
|
||||||
- pa_data = data->next;
|
|
||||||
- early_iounmap(data, sizeof(*efi_var_data));
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- boot_used_size = efi_var_store_size - efi_var_remaining_size;
|
|
||||||
-
|
|
||||||
set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1141,28 +1037,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
|
|
||||||
if (status != EFI_SUCCESS)
|
|
||||||
return status;
|
|
||||||
|
|
||||||
- if (!max_size && remaining_size > size)
|
|
||||||
- printk_once(KERN_ERR FW_BUG "Broken EFI implementation"
|
|
||||||
- " is returning MaxVariableSize=0\n");
|
|
||||||
/*
|
|
||||||
* Some firmware implementations refuse to boot if there's insufficient
|
|
||||||
* space in the variable store. We account for that by refusing the
|
|
||||||
* write if permitting it would reduce the available space to under
|
|
||||||
- * 50%. However, some firmware won't reclaim variable space until
|
|
||||||
- * after the used (not merely the actively used) space drops below
|
|
||||||
- * a threshold. We can approximate that case with the value calculated
|
|
||||||
- * above. If both the firmware and our calculations indicate that the
|
|
||||||
- * available space would drop below 50%, refuse the write.
|
|
||||||
+ * 5KB. This figure was provided by Samsung, so should be safe.
|
|
||||||
*/
|
|
||||||
+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) {
|
|
||||||
+ /*
|
|
||||||
+ * Triggering garbage collection may require that the firmware
|
|
||||||
+ * generate a real EFI_OUT_OF_RESOURCES error. We can force
|
|
||||||
+ * that by attempting to use more space than is available.
|
|
||||||
+ */
|
|
||||||
+ unsigned long dummy_size = remaining_size + 1024;
|
|
||||||
+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC);
|
|
||||||
+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 };
|
|
||||||
+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e,
|
|
||||||
+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92,
|
|
||||||
+ 0xa9);
|
|
||||||
+
|
|
||||||
+ status = efi.set_variable(efi_name, &guid, attributes,
|
|
||||||
+ dummy_size, dummy);
|
|
||||||
+
|
|
||||||
+ if (status == EFI_SUCCESS) {
|
|
||||||
+ /*
|
|
||||||
+ * This should have failed, so if it didn't make sure
|
|
||||||
+ * that we delete it...
|
|
||||||
+ */
|
|
||||||
+ efi.set_variable(efi_name, &guid, attributes, 0,
|
|
||||||
+ dummy);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (!storage_size || size > remaining_size ||
|
|
||||||
- (max_size && size > max_size))
|
|
||||||
- return EFI_OUT_OF_RESOURCES;
|
|
||||||
+ /*
|
|
||||||
+ * The runtime code may now have triggered a garbage collection
|
|
||||||
+ * run, so check the variable info again
|
|
||||||
+ */
|
|
||||||
+ status = efi.query_variable_info(attributes, &storage_size,
|
|
||||||
+ &remaining_size, &max_size);
|
|
||||||
|
|
||||||
- if (!efi_no_storage_paranoia &&
|
|
||||||
- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) &&
|
|
||||||
- (remaining_size - size < storage_size / 2)))
|
|
||||||
- return EFI_OUT_OF_RESOURCES;
|
|
||||||
+ if (status != EFI_SUCCESS)
|
|
||||||
+ return status;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * There still isn't enough room, so return an error
|
|
||||||
+ */
|
|
||||||
+ if (remaining_size - size < 5120)
|
|
||||||
+ return EFI_OUT_OF_RESOURCES;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
||||||
--
|
|
||||||
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
|
|
||||||
the body of a message to majordomo@vger.kernel.org
|
|
||||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Fri, 10 May 2013 21:48:21 +0000
|
|
||||||
Subject: b43: stop format string leaking into error msgs
|
|
||||||
|
|
||||||
The module parameter "fwpostfix" is userspace controllable, unfiltered,
|
|
||||||
and is used to define the firmware filename. b43_do_request_fw() populates
|
|
||||||
ctx->errors[] on error, containing the firmware filename. b43err()
|
|
||||||
parses its arguments as a format string. For systems with b43 hardware,
|
|
||||||
this could lead to a uid-0 to ring-0 escalation.
|
|
||||||
|
|
||||||
CVE-2013-2852
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
||||||
---
|
|
||||||
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
|
|
||||||
index 6dd07e2..a95b77a 100644
|
|
||||||
--- a/drivers/net/wireless/b43/main.c
|
|
||||||
+++ b/drivers/net/wireless/b43/main.c
|
|
||||||
@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
|
|
||||||
for (i = 0; i < B43_NR_FWTYPES; i++) {
|
|
||||||
errmsg = ctx->errors[i];
|
|
||||||
if (strlen(errmsg))
|
|
||||||
- b43err(dev->wl, errmsg);
|
|
||||||
+ b43err(dev->wl, "%s", errmsg);
|
|
||||||
}
|
|
||||||
b43_print_fw_helptext(dev->wl, 1);
|
|
||||||
goto out;
|
|
||||||
--
|
|
||||||
cgit v0.9.2
|
|
@ -1554,7 +1554,7 @@ CONFIG_ATH9K_DEBUGFS=y
|
|||||||
CONFIG_ATH9K_HTC=m
|
CONFIG_ATH9K_HTC=m
|
||||||
CONFIG_ATH9K_BTCOEX_SUPPORT=y
|
CONFIG_ATH9K_BTCOEX_SUPPORT=y
|
||||||
# CONFIG_ATH9K_HTC_DEBUGFS is not set
|
# CONFIG_ATH9K_HTC_DEBUGFS is not set
|
||||||
CONFIG_ATH9K_RATE_CONTROL=y
|
# CONFIG_ATH9K_LEGACY_RATE_CONTROL is not set
|
||||||
CONFIG_WIL6210=m
|
CONFIG_WIL6210=m
|
||||||
CONFIG_WIL6210_ISR_COR=y
|
CONFIG_WIL6210_ISR_COR=y
|
||||||
CONFIG_CARL9170=m
|
CONFIG_CARL9170=m
|
||||||
|
31
kernel.spec
31
kernel.spec
@ -93,7 +93,7 @@ Summary: The Linux kernel
|
|||||||
# The next upstream release sublevel (base_sublevel+1)
|
# The next upstream release sublevel (base_sublevel+1)
|
||||||
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 5
|
%define rcrev 6
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 0
|
%define gitrev 0
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
@ -744,9 +744,6 @@ Patch21242: criu-no-expert.patch
|
|||||||
#rhbz 892811
|
#rhbz 892811
|
||||||
Patch21247: ath9k_rx_dma_stop_check.patch
|
Patch21247: ath9k_rx_dma_stop_check.patch
|
||||||
|
|
||||||
#rhbz 903192
|
|
||||||
Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
|
||||||
|
|
||||||
Patch22000: weird-root-dentry-name-debug.patch
|
Patch22000: weird-root-dentry-name-debug.patch
|
||||||
|
|
||||||
#selinux ptrace child permissions
|
#selinux ptrace child permissions
|
||||||
@ -758,9 +755,6 @@ Patch23006: fix-child-thread-introspection.patch
|
|||||||
#rhbz 948262
|
#rhbz 948262
|
||||||
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||||
|
|
||||||
#rhbz 964335
|
|
||||||
Patch25026: Modify-UEFI-anti-bricking-code.patch
|
|
||||||
|
|
||||||
#CVE-2013-2140 rhbz 971146 971148
|
#CVE-2013-2140 rhbz 971146 971148
|
||||||
Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
|
Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
|
||||||
|
|
||||||
@ -770,19 +764,12 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
|
|||||||
#CVE-2013-2148 rhbz 971258 971261
|
#CVE-2013-2148 rhbz 971258 971261
|
||||||
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
||||||
|
|
||||||
#CVE-2013-2852 rhbz 969518 971665
|
|
||||||
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
|
||||||
|
|
||||||
#CVE-2013-2851 rhbz 969515 971662
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
#CVE-2013-2164 rhbz 973100 973109
|
#CVE-2013-2164 rhbz 973100 973109
|
||||||
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
||||||
|
|
||||||
#rhbz 954181
|
|
||||||
Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
|
|
||||||
Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
|
|
||||||
|
|
||||||
#rhbz 973185
|
#rhbz 973185
|
||||||
Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
|
Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
|
||||||
Patch25042: x86-range-make-add_range-use-blank-slot.patch
|
Patch25042: x86-range-make-add_range-use-blank-slot.patch
|
||||||
@ -1470,18 +1457,12 @@ ApplyPatch criu-no-expert.patch
|
|||||||
#rhbz 892811
|
#rhbz 892811
|
||||||
ApplyPatch ath9k_rx_dma_stop_check.patch
|
ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||||
|
|
||||||
#rhbz 903192
|
|
||||||
ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
|
||||||
|
|
||||||
#rhbz 927469
|
#rhbz 927469
|
||||||
ApplyPatch fix-child-thread-introspection.patch
|
ApplyPatch fix-child-thread-introspection.patch
|
||||||
|
|
||||||
#rhbz 948262
|
#rhbz 948262
|
||||||
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||||
|
|
||||||
#rhbz 964335
|
|
||||||
ApplyPatch Modify-UEFI-anti-bricking-code.patch
|
|
||||||
|
|
||||||
#CVE-2013-2140 rhbz 971146 971148
|
#CVE-2013-2140 rhbz 971146 971148
|
||||||
ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
|
ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
|
||||||
|
|
||||||
@ -1491,19 +1472,12 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
|||||||
#CVE-2013-2148 rhbz 971258 971261
|
#CVE-2013-2148 rhbz 971258 971261
|
||||||
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
||||||
|
|
||||||
#CVE-2013-2852 rhbz 969518 971665
|
|
||||||
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
|
||||||
|
|
||||||
#CVE-2013-2851 rhbz 969515 971662
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
#CVE-2013-2164 rhbz 973100 973109
|
#CVE-2013-2164 rhbz 973100 973109
|
||||||
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
||||||
|
|
||||||
#rhbz 954181
|
|
||||||
ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
|
|
||||||
ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
|
|
||||||
|
|
||||||
#rhbz 973185
|
#rhbz 973185
|
||||||
ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
|
ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
|
||||||
ApplyPatch x86-range-make-add_range-use-blank-slot.patch
|
ApplyPatch x86-range-make-add_range-use-blank-slot.patch
|
||||||
@ -2310,6 +2284,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 17 2013 Josh Boyer <jwboyer@redhat.com> - 3.10.0-0.rc6.git0.1
|
||||||
|
- Linux v3.10-rc6
|
||||||
|
|
||||||
* Fri Jun 14 2013 Kyle McMartin <kyle@redhat.com>
|
* Fri Jun 14 2013 Kyle McMartin <kyle@redhat.com>
|
||||||
- ARM64 support (config-arm64)
|
- ARM64 support (config-arm64)
|
||||||
Split out some config-armv7-generic options common between 32-bit and 64-bit
|
Split out some config-armv7-generic options common between 32-bit and 64-bit
|
||||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
|
4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
|
||||||
e421ee4d1379ba381bccc5c6bfe54385 patch-3.10-rc5.xz
|
b364407a81f244408835c93ea3e23478 patch-3.10-rc6.xz
|
||||||
|
@ -1,26 +0,0 @@
|
|||||||
tuntap: set SOCK_ZEROCOPY flag during open
|
|
||||||
|
|
||||||
Commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990
|
|
||||||
(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will
|
|
||||||
prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting
|
|
||||||
it during file open.
|
|
||||||
|
|
||||||
Cc: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
|
|
||||||
index 89776c5..ff5312d 100644
|
|
||||||
--- a/drivers/net/tun.c
|
|
||||||
+++ b/drivers/net/tun.c
|
|
||||||
@@ -2159,6 +2159,8 @@ static int tun_chr_open(struct inode *inode, struct file * file)
|
|
||||||
set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags);
|
|
||||||
INIT_LIST_HEAD(&tfile->next);
|
|
||||||
|
|
||||||
+ sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From 4364d5f96eed7994a2c625bd9216656e55fba0cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jason Wang <jasowang@redhat.com>
|
|
||||||
Date: Wed, 05 Jun 2013 07:40:46 +0000
|
|
||||||
Subject: vhost_net: clear msg.control for non-zerocopy case during tx
|
|
||||||
|
|
||||||
When we decide not use zero-copy, msg.control should be set to NULL otherwise
|
|
||||||
macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs
|
|
||||||
wrongly.
|
|
||||||
|
|
||||||
Bug were introduced by commit cedb9bdce099206290a2bdd02ce47a7b253b6a84
|
|
||||||
(vhost-net: skip head management if no outstanding).
|
|
||||||
|
|
||||||
This solves the following warnings:
|
|
||||||
|
|
||||||
WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]()
|
|
||||||
Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun]
|
|
||||||
CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566
|
|
||||||
Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011
|
|
||||||
ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48
|
|
||||||
ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0
|
|
||||||
ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58
|
|
||||||
Call Trace:
|
|
||||||
[<ffffffff81796b73>] dump_stack+0x19/0x1e
|
|
||||||
[<ffffffff8103d66b>] warn_slowpath_common+0x6b/0xa0
|
|
||||||
[<ffffffff8103d6b5>] warn_slowpath_null+0x15/0x20
|
|
||||||
[<ffffffffa0197627>] handle_tx+0x477/0x4b0 [vhost_net]
|
|
||||||
[<ffffffffa0197690>] handle_tx_kick+0x10/0x20 [vhost_net]
|
|
||||||
[<ffffffffa019541e>] vhost_worker+0xfe/0x1a0 [vhost_net]
|
|
||||||
[<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
|
|
||||||
[<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
|
|
||||||
[<ffffffff81061f46>] kthread+0xc6/0xd0
|
|
||||||
[<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
|
|
||||||
[<ffffffff817a1aec>] ret_from_fork+0x7c/0xb0
|
|
||||||
[<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
|
|
||||||
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
|
|
||||||
index 2b51e23..b07d96b 100644
|
|
||||||
--- a/drivers/vhost/net.c
|
|
||||||
+++ b/drivers/vhost/net.c
|
|
||||||
@@ -436,7 +436,8 @@ static void handle_tx(struct vhost_net *net)
|
|
||||||
kref_get(&ubufs->kref);
|
|
||||||
}
|
|
||||||
nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
|
|
||||||
- }
|
|
||||||
+ } else
|
|
||||||
+ msg.msg_control = NULL;
|
|
||||||
/* TODO: Check specific error and bomb out unless ENOBUFS? */
|
|
||||||
err = sock->ops->sendmsg(NULL, sock, &msg, len);
|
|
||||||
if (unlikely(err < 0)) {
|
|
||||||
--
|
|
||||||
cgit v0.9.2
|
|
Loading…
Reference in New Issue
Block a user