[PATCH 4/6] iwlwifi: mvm: protect rate scaling against non-mvm IBSS stations
From: Johannes Berg johannes.b...@intel.com When the driver callback returns that it's out of space for new stations, the mac80211 IBSS code still keeps the station so it doesn't try to add it over and over again. Since the rate scaling algorithm is separate in mac80211, it also invokes the rate scaling algorithm for such stations. It doesn't know that our rate scaling algorithm is tightly integrated with the MVM code and relies on those data structures, and it cannot as the abstraction doesn't allow for it. This leads to crashes when the rate scaling algorithm tries to use uninitialized data, notably the mvmsta-vif pointer. Protect against this in the rate scaling algorithm. We cannot get good rates with such peers anyway since the firmware cannot do anything with them. This should fix https://bugzilla.kernel.org/show_bug.cgi?id=93461 CC: stable@vger.kernel.org Reported-by: Richard Taylor rjt-ker...@thegrindstone.me.uk Signed-off-by: Johannes Berg johannes.b...@intel.com Signed-off-by: Emmanuel Grumbach emmanuel.grumb...@intel.com --- drivers/net/wireless/iwlwifi/mvm/rs.c | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/iwlwifi/mvm/rs.c b/drivers/net/wireless/iwlwifi/mvm/rs.c index efa9688..078f24c 100644 --- a/drivers/net/wireless/iwlwifi/mvm/rs.c +++ b/drivers/net/wireless/iwlwifi/mvm/rs.c @@ -1278,6 +1278,9 @@ static void rs_mac80211_tx_status(void *mvm_r, struct iwl_mvm *mvm = IWL_OP_MODE_GET_MVM(op_mode); struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + if (!iwl_mvm_sta_from_mac80211(sta)-vif) + return; + if (!ieee80211_is_data(hdr-frame_control) || info-flags IEEE80211_TX_CTL_NO_ACK) return; 
@@ -2511,6 +2514,14 @@ static void rs_get_rate(void *mvm_r, struct ieee80211_sta *sta, void *mvm_sta, struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); struct iwl_lq_sta *lq_sta = mvm_sta; + if (sta !iwl_mvm_sta_from_mac80211(sta)-vif) { + /* if vif isn't initialized mvm doesn't know about +* this station, so don't do anything with the it +*/ + sta = NULL; + mvm_sta = NULL; + } + /* TODO: handle rate_idx_mask and rate_idx_mcs_mask */ /* Treat uninitialized rate scaling data same as non-existing. */ @@ -2827,6 +2838,9 @@ static void rs_rate_update(void *mvm_r, (struct iwl_op_mode *)mvm_r; struct iwl_mvm *mvm = IWL_OP_MODE_GET_MVM(op_mode); + if (!iwl_mvm_sta_from_mac80211(sta)-vif) + return; + /* Stop any ongoing aggregations as rs starts off assuming no agg */ for (tid = 0; tid IWL_MAX_TID_COUNT; tid++) ieee80211_stop_tx_ba_session(sta, tid); @@ -3587,9 +3601,15 @@ static ssize_t iwl_dbgfs_ss_force_write(struct iwl_lq_sta *lq_sta, char *buf, MVM_DEBUGFS_READ_WRITE_FILE_OPS(ss_force, 32); -static void rs_add_debugfs(void *mvm, void *mvm_sta, struct dentry *dir) +static void rs_add_debugfs(void *mvm, void *priv_sta, struct dentry *dir) { - struct iwl_lq_sta *lq_sta = mvm_sta; + struct iwl_lq_sta *lq_sta = priv_sta; + struct iwl_mvm_sta *mvmsta; + + mvmsta = container_of(lq_sta, struct iwl_mvm_sta, lq_sta); + + if (!mvmsta-vif) + return; debugfs_create_file(rate_scale_table, S_IRUSR | S_IWUSR, dir, lq_sta, rs_sta_dbgfs_scale_table_ops); -- 1.9.1 -- To unsubscribe from this list: send the line unsubscribe stable in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
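Review bot: in rs_mac80211_tx_status() the new check calls iwl_mvm_sta_from_mac80211(sta) without testing sta first, while the rs_get_rate() hunk of this same patch tests sta before looking at vif. If sta can never be NULL in the tx-status callback, a one-line comment saying so would help; otherwise the NULL test should come first. The bare return would also benefit from the explanatory comment that rs_get_rate() received, since the reason (mvm never added this station) is not obvious at this call site. The same applies to the identical check added to rs_rate_update().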
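Review bot: the comment added in rs_get_rate() reads "don't do anything with the it"; drop the stray "the". Clearing both sta and mvm_sta here relies on the existing "Treat uninitialized rate scaling data same as non-existing" path that follows to handle the NULL case, and the comment should say so, so that the two stay coupled if that path changes.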
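Review bot: the vif test added to rs_add_debugfs(), like the three checks above it, is only meaningful if vif reads as NULL for a station mvm never set up, yet the commit message describes this data as uninitialized. Please note in a comment where that zeroing is guaranteed. The container_of(lq_sta, struct iwl_mvm_sta, lq_sta) conversion also assumes priv_sta is always the lq_sta member embedded in a struct iwl_mvm_sta, which deserves a word next to it. With the same vif test now open-coded in four functions, a small named helper would keep them consistent.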
[PATCH 3/6] iwlwifi: dvm: run INIT firmware again upon .start()
The assumption before this patch was that we don't need to run again the INIT firmware after the system booted. The INIT firmware runs calibrations which impact the physical layer's behavior. Users reported that it may be helpful to run these calibrations again every time the interface is brought up. The penatly is minimal, since the calibrations run fast. This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=94341 CC: stable@vger.kernel.org Signed-off-by: Emmanuel Grumbach emmanuel.grumb...@intel.com --- drivers/net/wireless/iwlwifi/dvm/dev.h | 1 - drivers/net/wireless/iwlwifi/dvm/ucode.c | 5 - 2 files changed, 6 deletions(-) diff --git a/drivers/net/wireless/iwlwifi/dvm/dev.h b/drivers/net/wireless/iwlwifi/dvm/dev.h index a6f22c3..3811878 100644 --- a/drivers/net/wireless/iwlwifi/dvm/dev.h +++ b/drivers/net/wireless/iwlwifi/dvm/dev.h @@ -708,7 +708,6 @@ struct iwl_priv { unsigned long reload_jiffies; int reload_count; bool ucode_loaded; - bool init_ucode_run;/* Don't run init uCode again */ u8 plcp_delta_threshold; diff --git a/drivers/net/wireless/iwlwifi/dvm/ucode.c b/drivers/net/wireless/iwlwifi/dvm/ucode.c index 4dbef7e..5244e43 100644 --- a/drivers/net/wireless/iwlwifi/dvm/ucode.c +++ b/drivers/net/wireless/iwlwifi/dvm/ucode.c @@ -418,9 +418,6 @@ int iwl_run_init_ucode(struct iwl_priv *priv) if (!priv-fw-img[IWL_UCODE_INIT].sec[0].len) return 0; - if (priv-init_ucode_run) - return 0; - iwl_init_notification_wait(priv-notif_wait, calib_wait, calib_complete, ARRAY_SIZE(calib_complete), iwlagn_wait_calib, priv); @@ -440,8 +437,6 @@ int iwl_run_init_ucode(struct iwl_priv *priv) */ ret = iwl_wait_notification(priv-notif_wait, calib_wait, UCODE_CALIB_TIMEOUT); - if (!ret) - priv-init_ucode_run = true; goto out; -- 1.9.1 -- To unsubscribe from this list: send the line unsubscribe stable in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
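Review bot: with the init_ucode_run early return removed from iwl_run_init_ucode(), every call now goes through iwl_init_notification_wait() and the iwl_wait_notification() wait bounded by UCODE_CALIB_TIMEOUT, but the commit message only says the penalty is minimal. Please put a measured figure for the added bring-up time in the message, and say whether any caller of iwl_run_init_ucode() relied on the early return to avoid running the INIT image twice.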
Re: [PATCH 1/2] of: handle both '/' and ':' in path strings
On Tue, Mar 17, 2015 at 2:30 PM, Brian Norris computersforpe...@gmail.com wrote:

Commit 106937e8ccdc (of: fix handling of '/' in options for of_find_node_by_path()) caused a regression in OF handling of stdout-path. While it fixes some cases which have '/' after the ':', it breaks cases where there is more than one '/' *before* the ':'.

For example, it breaks this boot string

stdout-path = /rdb/serial@f040ab00:115200;

So rather than doing sequentialized checks (first for '/', then for ':'; or vice versa), to get the correct behavior we need to check for the first occurrence of either one of them.

It so happens that the handy strcspn() helper can do just that.

Fixes: 106937e8ccdc (of: fix handling of '/' in options for of_find_node_by_path())
Signed-off-by: Brian Norris computersforpe...@gmail.com
Cc: stable@vger.kernel.org

Thanks. Applied both and in Linus' tree now.

Rob
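The separator handling described in the commit message above, as an added user-space example that is not part of the thread or of the kernel source. The helper names, the 32-byte name bound and the splitting loop are assumptions made for illustration; only the stdout-path string comes from the message.

```c
#include <stdio.h>
#include <string.h>

#define NODE_NAME_LEN 32 /* assumed bound for this example */
/* Sequential check (hypothetical helper): ':' first, '/' only as fallback. */
static size_t len_sequential(const char *p)
{
	const char *end = strchr(p, ':');
	if (!end)
		end = strchr(p, '/');
	return end ? (size_t)(end - p) : strlen(p);
}

/* First occurrence of either separator, via strcspn(). */
static size_t len_strcspn(const char *p)
{
	return strcspn(p, "/:");
}

/* Split "/a/b:opts" into names; *opts points past ':' or is NULL; -1 on bad name. */
static int split_path(const char *path, size_t (*len_fn)(const char *),
		      char names[][NODE_NAME_LEN], int max, const char **opts)
{
	int n = 0;
	*opts = NULL;
	while (*path == '/' && n < max) {
		size_t len = len_fn(++path);
		if (len == 0 || len >= NODE_NAME_LEN)
			return -1;
		memcpy(names[n], path, len);
		names[n++][len] = '\0';
		path += len;
	}
	if (*path == ':')
		*opts = path + 1;
	return n;
}

int main(void)
{
	char names[4][NODE_NAME_LEN];
	const char *opts;
	int n = split_path("/rdb/serial@f040ab00:115200", len_strcspn, names, 4, &opts);

	for (int i = 0; i < n; i++)
		printf("node: %s\n", names[i]);
	printf("options: %s\n", opts ? opts : "(none)");
	return 0;
}
```

Passing len_sequential instead yields a single bogus node name, "rdb/serial@f040ab00", which no device-tree lookup would match.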
Re: nft 0.4, crash on list
On 22.03, Pablo Neira Ayuso wrote:

On Sun, Mar 22, 2015 at 10:05:10AM +0200, Denys Fedoryshchenko wrote:

On 2015-03-22 07:33, Patrick McHardy wrote:

On 22.03, Denys Fedoryshchenko wrote:

Sorry for noise, seems git version working fine!

Still this shouldn't be happening. Just to confirm, you were using an unpatched kernel and by git you mean nftables git?

Yes, correct. I tested on 3.18.8 and 3.19.2 vanilla kernels (x86_64). On nftables 0.4 it does crash, on nftables git it doesn't.

I sent this fix to -stable by March 10th but this doesn't show up in 3.18.x and 3.19.x yet.

[ upstream commit 02263db00b6cb98701332aa257c07ca549c2324b ]

I think this is actually a different problem. We're using set->dtype for uninit of the element's data, but unless it's NFT_DATA_VERDICT, it's holding the user encoding of the type. Basically all the types except NFT_DATA_RESERVED_MASK map to NFT_DATA_VALUE, and it seems we're not properly handling it in that path.

We have several problems in this path:

1) There is a use-after-free when removing individual elements from the commit path.
2) We have to uninit() the data part of the element from the abort path to avoid a chain refcount leak.
3) We have to check for set->flags to see if there's a mapping, instead of the element flags.
4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip elements that are part of the interval that have no data part, so they don't need to be uninit().

Cc: stable@vger.kernel.org # 3.18.x
Cc: stable@vger.kernel.org # 3.19.x
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

On 2015-03-22 00:49, Denys Fedoryshchenko wrote:

Additionally, if I will do nft flush table mangle, with this table added I will get this:

[ 42.800078] [ cut here ]
[ 42.800092] WARNING: CPU: 3 PID: 2868 at net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50 [nf_tables]()
[PATCH 6/7] can: flexcan: fix bus-off error state handling.
From: Andri Yngvason andri.yngva...@marel.com Making sure that the bus-off state gets passed to can_change_state(). Signed-off-by: Andri Yngvason andri.yngva...@marel.com Cc: linux-stable stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde m...@pengutronix.de --- drivers/net/can/flexcan.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c index 80c46ad4cee4..ee944ae6bb96 100644 --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c @@ -592,13 +592,12 @@ static int flexcan_poll_state(struct net_device *dev, u32 reg_esr) rx_state = unlikely(reg_esr FLEXCAN_ESR_RX_WRN) ? CAN_STATE_ERROR_WARNING : CAN_STATE_ERROR_ACTIVE; new_state = max(tx_state, rx_state); - } else if (unlikely(flt == FLEXCAN_ESR_FLT_CONF_PASSIVE)) { + } else { __flexcan_get_berr_counter(dev, bec); - new_state = CAN_STATE_ERROR_PASSIVE; + new_state = flt == FLEXCAN_ESR_FLT_CONF_PASSIVE ? + CAN_STATE_ERROR_PASSIVE : CAN_STATE_BUS_OFF; rx_state = bec.rxerr = bec.txerr ? new_state : 0; tx_state = bec.rxerr = bec.txerr ? new_state : 0; - } else { - new_state = CAN_STATE_BUS_OFF; } /* state hasn't changed */ -- 2.1.4 -- To unsubscribe from this list: send the line unsubscribe stable in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
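Review bot: the commit message does not say that, in the rewritten else branch of flexcan_poll_state(), bus-off now also calls __flexcan_get_berr_counter() and derives rx_state and tx_state from the counters, where the old branch assigned only new_state. Please describe what reached can_change_state() before and what reaches it now. Parentheses around flt == FLEXCAN_ESR_FLT_CONF_PASSIVE in the conditional expression would make the assignment easier to read, and the unlikely() hint from the removed else-if is dropped without comment.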
[PATCH 7/7] can: flexcan: Deferred on Regulator return EPROBE_DEFER
From: Andreas Werner ker...@andy89.org Return EPROBE_DEFER if Regulator returns EPROBE_DEFER If the Flexcan driver is built into kernel and a regulator is used to enable the CAN transceiver, the Flexcan driver may not use the regulator. When initializing the Flexcan device with a regulator defined in the device tree, but not initialized, the regulator subsystem returns EPROBE_DEFER, hence the Flexcan init fails. The solution for this is to return EPROBE_DEFER if regulator is not initialized and wait until the regulator is initialized. Signed-off-by: Andreas Werner ker...@andy89.org Cc: linux-stable stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde m...@pengutronix.de --- drivers/net/can/flexcan.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c index ee944ae6bb96..ad0a7e8c2c2b 100644 --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c @@ -1157,12 +1157,19 @@ static int flexcan_probe(struct platform_device *pdev) const struct flexcan_devtype_data *devtype_data; struct net_device *dev; struct flexcan_priv *priv; + struct regulator *reg_xceiver; struct resource *mem; struct clk *clk_ipg = NULL, *clk_per = NULL; void __iomem *base; int err, irq; u32 clock_freq = 0; + reg_xceiver = devm_regulator_get(pdev-dev, xceiver); + if (PTR_ERR(reg_xceiver) == -EPROBE_DEFER) + return -EPROBE_DEFER; + else if (IS_ERR(reg_xceiver)) + reg_xceiver = NULL; + if (pdev-dev.of_node) of_property_read_u32(pdev-dev.of_node, clock-frequency, clock_freq); 
@@ -1223,9 +1230,7 @@ static int flexcan_probe(struct platform_device *pdev) priv-pdata = dev_get_platdata(pdev-dev); priv-devtype_data = devtype_data; - priv-reg_xceiver = devm_regulator_get(pdev-dev, xceiver); - if (IS_ERR(priv-reg_xceiver)) - priv-reg_xceiver = NULL; + priv-reg_xceiver = reg_xceiver; netif_napi_add(dev, priv-napi, flexcan_poll, FLEXCAN_NAPI_WEIGHT); -- 2.1.4 -- To unsubscribe from this list: send the line unsubscribe stable in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
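Review bot: in flexcan_probe(), errors from devm_regulator_get() other than -EPROBE_DEFER are still turned into reg_xceiver = NULL with no message, so a misconfigured supply cannot be told apart from an absent one; a dev_dbg() or a comment stating that the transceiver regulator is optional would help. The else after return -EPROBE_DEFER; is redundant, and testing IS_ERR() first and only then comparing PTR_ERR() reads more conventionally than calling PTR_ERR() on a pointer that may be valid.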
Re: nft 0.4, crash on list
On Sun, Mar 22, 2015 at 10:05:10AM +0200, Denys Fedoryshchenko wrote:

On 2015-03-22 07:33, Patrick McHardy wrote:

On 22.03, Denys Fedoryshchenko wrote:

Sorry for noise, seems git version working fine!

Still this shouldn't be happening. Just to confirm, you were using an unpatched kernel and by git you mean nftables git?

Yes, correct. I tested on 3.18.8 and 3.19.2 vanilla kernels (x86_64). On nftables 0.4 it does crash, on nftables git it doesn't.

I sent this fix to -stable by March 10th but this doesn't show up in 3.18.x and 3.19.x yet.

[ upstream commit 02263db00b6cb98701332aa257c07ca549c2324b ]

We have several problems in this path:

1) There is a use-after-free when removing individual elements from the commit path.
2) We have to uninit() the data part of the element from the abort path to avoid a chain refcount leak.
3) We have to check for set->flags to see if there's a mapping, instead of the element flags.
4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip elements that are part of the interval that have no data part, so they don't need to be uninit().

Cc: stable@vger.kernel.org # 3.18.x
Cc: stable@vger.kernel.org # 3.19.x
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

On 2015-03-22 00:49, Denys Fedoryshchenko wrote:

Additionally, if I will do nft flush table mangle, with this table added I will get this:

[ 42.800078] [ cut here ]
[ 42.800092] WARNING: CPU: 3 PID: 2868 at net/netfilter/nf_tables_api.c:4122 nft_data_uninit+0x35/0x50 [nf_tables]()
Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write
Add cc to Al.

On 2015/3/20 17:18, Willy Tarreau wrote:

Hi Greg,

On Fri, Mar 20, 2015 at 10:05:00AM +0100, Greg KH wrote:

On Fri, Mar 20, 2015 at 04:59:42PM +0800, Zhang Zhen wrote:

We need to check the position and size of file writes against various limits, using generic_write_check(). This was not being done for the splice write path. It was fixed upstream by commit 8d0207652cbe (->splice_write() via ->write_iter()) but we can't apply that.

CVE-2014-7822

Signed-off-by: Ben Hutchings b...@decadent.org.uk
[Ben fixed it in 3.2 stable, I ported it to 3.10 stable]
Signed-off-by: Zhang Zhen zhenzhang.zh...@huawei.com
---
fs/ocfs2/file.c | 8 +---
fs/splice.c | 8 ++--
2 files changed, 11 insertions(+), 5 deletions(-)

What is the git commit id of this in Linus's tree?

The commit message refers to this one:

commit 8d0207652cbe27d1f962050737848e5ad4671958
Author: Al Viro v...@zeniv.linux.org.uk
Date: Sat Apr 5 04:27:08 2014 -0400

->splice_write() via ->write_iter()

iter_file_splice_write() - a ->splice_write() instance that gathers the pipe buffers, builds a bio_vec-based iov_iter covering those and feeds it to ->write_iter(). A bunch of simple cases converted to that...

[AV: fixed the braino spotted by Cyrill]

Signed-off-by: Al Viro v...@zeniv.linux.org.uk

However the fix is very different here, I think it would be prudent to get Al's Ack on this one, especially after it's been ported from another version.

Willy
Re: [PATCH v2 0/4] pci: fix unhandled interrupt on shutdown
On Thu, 03/19 19:57, Michael S. Tsirkin wrote:

Fam Zheng noticed that pci shutdown disables msi and msix of a device while device is still active. This was intended to fix kexec with fusion devices but had the unintended effect of breaking even regular shutdown when using virtio.

Series:

Reviewed-by: Fam Zheng f...@redhat.com

The same problem would affect any driver which doesn't register a level interrupt handler when using msix.

I think the fix is to avoid touching device on shutdown: we clear bus master anyway, so we won't get any more msi interrupts, and bus reset will clear the msi/msix state eventually anyway.

The patches seem to all work well for me. Given they affect all pci devices, and the bug has been there since 2.6 times, I think there's no rush: we can merge them for 4.1. At the same time, once merged, they will likely make a good stable candidate.

Michael S. Tsirkin (4):
pci: disable msi/msix at probe time
pci: don't disable msi/msix at shutdown
pci: make msi/msix shutdown functions static
virtio_pci: drop msi_off on probe

include/linux/pci.h| 4
drivers/pci/msi.c | 4 ++--
drivers/pci/pci-driver.c | 8 ++--
drivers/virtio/virtio_pci_common.c | 3 ---
4 files changed, 8 insertions(+), 11 deletions(-)

-- MST