From 5b9366d603bd9aa7b8c9fc919f94441ae98f5c95 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Nov 26 2013 18:59:34 +0000 Subject: Fix crash in via-velocity driver (rhbz 1022733) --- diff --git a/kernel.spec b/kernel.spec index 4d51140..a6a1bf9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -821,6 +821,9 @@ Patch25156: aacraid-prevent-invalid-pointer-dereference.patch #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +#rhbz 1022733 +Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + # END OF PATCH DEFINITIONS %endif @@ -1579,6 +1582,9 @@ ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +#rhbz 1022733 +ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + # END OF PATCH APPLICATIONS %endif @@ -2421,6 +2427,7 @@ fi # || || %changelog * Tue Nov 26 2013 Josh Boyer +- Fix crash in via-velocity driver (rhbz 1022733) - CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) * Mon Nov 25 2013 Josh Boyer diff --git a/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch b/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch new file mode 100644 index 0000000..820f470 --- /dev/null +++ b/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch @@ -0,0 +1,121 @@ +Bugzilla: 1022733 +Upstream: Submitted for 3.13 and 3.12.y stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp116929oab; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +X-Received: by 10.68.254.105 with SMTP id ah9mr20726084pbd.87.1385423136297; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id am2si28999873pad.96.2013.11.25.15.44.53 + for ; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=netdev-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753536Ab3KYXl6 (ORCPT + 99 others); + Mon, 25 Nov 2013 18:41:58 -0500 +Received: from violet.fr.zoreil.com ([92.243.8.30]:57806 "EHLO + violet.fr.zoreil.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751913Ab3KYXlz (ORCPT + ); Mon, 25 Nov 2013 18:41:55 -0500 +Received: from violet.fr.zoreil.com (localhost [127.0.0.1]) + by violet.fr.zoreil.com (8.14.5/8.14.5) with ESMTP id rAPNewrt012676; + Tue, 26 Nov 2013 00:40:58 +0100 +Received: (from romieu@localhost) + by violet.fr.zoreil.com (8.14.5/8.14.5/Submit) id rAPNewbX012675; + Tue, 26 Nov 2013 00:40:58 +0100 +Date: Tue, 26 Nov 2013 00:40:58 +0100 +From: Francois Romieu +To: netdev@vger.kernel.org +Cc: David Miller , + "Alex A. Schmidt" , + Michele Baldessari , + Jamie Heilman , + Julia Lawall +Subject: [PATCH net 1/1] via-velocity: fix netif_receive_skb use in irq + disabled section. +Message-ID: <20131125234058.GA12566@electric-eye.fr.zoreil.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-Organisation: Land of Sunshine Inc. +User-Agent: Mutt/1.5.21 (2010-09-15) +Sender: netdev-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: netdev@vger.kernel.org + +2fdac010bdcf10a30711b6924612dfc40daf19b8 ("via-velocity.c: update napi +implementation") overlooked an irq disabling spinlock when the Rx part +of the NAPI poll handler was converted from netif_rx to netif_receive_skb. + +NAPI Rx processing can be taken out of the locked section with a pair of +napi_{disable / enable} since it only races with the MTU change function. + +An heavier rework of the NAPI locking would be able to perform NAPI Tx +before Rx where I simply removed one of velocity_tx_srv calls. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1022733 +Fixes: 2fdac010bdcf (via-velocity.c: update napi implementation) +Signed-off-by: Francois Romieu +Tested-by: Alex A. Schmidt +Cc: Jamie Heilman +Cc: Michele Baldessari +Cc: Julia Lawall +--- + + It is relevant for stable 3.11.x and 3.12.y. + + drivers/net/ethernet/via/via-velocity.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c +index d022bf9..ad61d26 100644 +--- a/drivers/net/ethernet/via/via-velocity.c ++++ b/drivers/net/ethernet/via/via-velocity.c +@@ -2172,16 +2172,13 @@ static int velocity_poll(struct napi_struct *napi, int budget) + unsigned int rx_done; + unsigned long flags; + +- spin_lock_irqsave(&vptr->lock, flags); + /* + * Do rx and tx twice for performance (taken from the VIA + * out-of-tree driver). + */ +- rx_done = velocity_rx_srv(vptr, budget / 2); +- velocity_tx_srv(vptr); +- rx_done += velocity_rx_srv(vptr, budget - rx_done); ++ rx_done = velocity_rx_srv(vptr, budget); ++ spin_lock_irqsave(&vptr->lock, flags); + velocity_tx_srv(vptr); +- + /* If budget not fully consumed, exit the polling mode */ + if (rx_done < budget) { + napi_complete(napi); +@@ -2342,6 +2339,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + if (ret < 0) + goto out_free_tmp_vptr_1; + ++ napi_disable(&vptr->napi); ++ + spin_lock_irqsave(&vptr->lock, flags); + + netif_stop_queue(dev); +@@ -2362,6 +2361,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + + velocity_give_many_rx_descs(vptr); + ++ napi_enable(&vptr->napi); ++ + mac_enable_int(vptr->mac_regs); + netif_start_queue(dev); + +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe netdev" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html