Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.76 2019-10-31T22:14:57+00:00 2019-10-31T22:14:57+00:00 Vishnu DASA vdasa@vmware.com 2019-05-24T15:13:10+00:00 urn:sha1:40e148c0888c95d49dad797ec045f96ade8ed4a1 commit 1c2eb5b2853c9f513690ba6b71072d8eb65da16a upstream. The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-02-11T17:53:25+00:00 Jorgen Hansen jhansen@vmware.com 2018-09-21T07:31:05+00:00 urn:sha1:1fa1940f02afca5712f066fa91aacc9f03d43ddc commit 11924ba5e671d6caef1516923e2bd8c72929a3fe upstream. When adding a VMCI resource, the check for an existing entry would ignore that the new entry could be a wildcard. This could result in multiple resource entries that would match a given handle. One disastrous outcome of this is that the refcounting used to ensure that delayed callbacks for VMCI datagrams have run before the datagram is destroyed can be wrong, since the refcount could be increased on the duplicate entry. This in turn leads to a use after free bug. This issue was discovered by Hangbin Liu using KASAN and syzkaller. Fixes: bc63dedb7d46 ("VMCI: resource object implementation") Reported-by: Hangbin Liu <liuhangbin@gmail.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Vishnu Dasa <vdasa@vmware.com> Signed-off-by: Jorgen Hansen <jhansen@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [bwh: Backported to 3.16: Drop the version change.] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2018-12-16T22:08:12+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-07-04T09:33:34+00:00 urn:sha1:57a7debcebba9afb6b49967f6c954e8f8771161c commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c upstream. The problem is that if get_user_pages_fast() fails and returns a negative error code, it gets type promoted to a high positive value and treated as a success. Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2014-02-28T23:24:32+00:00 Alexander Gordeev agordeev@redhat.com 2014-02-23T06:50:41+00:00 urn:sha1:e0117521e555224ec8938e69832b0b4c69954d54 As result of deprecation of MSI-X/MSI enablement functions pci_enable_msix() and pci_enable_msi_block() all drivers using these two interfaces need to be updated to use the new pci_enable_msi_range() or pci_enable_msi_exact() and pci_enable_msix_range() or pci_enable_msix_exact() interfaces. Signed-off-by: Alexander Gordeev <agordeev@redhat.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Andy King <acking@vmware.com> Cc: Dmitry Torokhov <dtor@vmware.com> Cc: linux-pci@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-01-10T00:16:15+00:00 Dmitry Torokhov dtor@vmware.com 2014-01-10T00:02:33+00:00 urn:sha1:782f24453536460482f9dd14d3677ade910b1fd1 When host capabilities check failed or when we were unable to register doorbell bitmap we were forgetting to set error code and were returning 0 which would make upper layers believe that probe was successful. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Acked-by: Andy King <acking@vmware.com> Signed-off-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-10-06T01:04:55+00:00 Jan Kara jack@suse.cz 2013-10-02T14:27:47+00:00 urn:sha1:240ddd495a9e72073d11b1b7c2ec9ea14e7015cb Convert vmci_host_setup_notify() and qp_host_get_user_memory() to use get_user_pages_fast() instead of get_user_pages(). Note that qp_host_get_user_memory() was using mmap_sem for writing without an apparent reason. CC: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26T20:47:36+00:00 Wei Yongjun yongjun_wei@trendmicro.com.cn 2013-09-06T06:39:28+00:00 urn:sha1:9089e3be60b13a1114e8afdc37c605e75cfc4a26 free_irq() expects the same device identity that was passed to corresponding request_irq(), otherwise the IRQ is not freed. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-08-28T04:42:12+00:00 Andy King acking@vmware.com 2013-08-23T16:22:14+00:00 urn:sha1:6d6dfb4f4aa9ee352a199b5379942350bdd26e64 This patch adds support for virtual IOMMU to the vmci module. We switch to DMA consistent mappings for guest queuepair and doorbell pages that are passed to the device. We still allocate each page individually, since there's no guarantee that we'll get a contiguous block of physical for an entire queuepair (especially since we allow up to 128 MiB!). Also made the split between guest and host in the kernelIf struct much clearer. Now it's obvious which fields are which. Acked-by: George Zhang <georgezhang@vmware.com> Acked-by: Aditya Sarwade <asarwade@vmware.com> Signed-off-by: Andy King <acking@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-08-28T04:42:12+00:00 Andy King acking@vmware.com 2013-08-23T16:22:13+00:00 urn:sha1:45412befe8fee657effc15112af05ca9dbea61fc We added this for a special case that doesn't exist on Linux. Remove the non-blocking/pinned queuepair code and simplify the driver in preparation for adding virtual IOMMU support. Acked-by: Aditya Sarwade <asarwade@vmware.com> Signed-off-by: Andy King <acking@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-05-20T00:54:22+00:00 Rusty Russell rusty@rustcorp.com.au 2013-05-16T23:35:21+00:00 urn:sha1:d2f83e9078b8114e3b9d09082856c1aac299aa37 ERROR: "memcpy_fromiovec" [drivers/vhost/vhost_scsi.ko] undefined! That function is only present with CONFIG_NET. Turns out that crypto/algif_skcipher.c also uses that outside net, but it actually needs sockets anyway. In addition, commit 6d4f0139d642c45411a47879325891ce2a7c164a added CONFIG_NET dependency to CONFIG_VMCI for memcpy_toiovec, so hoist that function and revert that commit too. socket.h already includes uio.h, so no callers need updating; trying only broke things fo x86_64 randconfig (thanks Fengguang!). Reported-by: Randy Dunlap <rdunlap@infradead.org> Acked-by: David S. Miller <davem@davemloft.net> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>