linux-toradex.git/drivers/xen, branch tegra Linux kernel for Apalis and Colibri modules xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. 2012-01-18T15:31:57+00:00 Ian Campbell Ian.Campbell@citrix.com 2012-01-04T09:34:49+00:00 efac38b1b6965dd9d16b3e2c91118e583b66e128 commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream. Haogang Chen found out that: There is a potential integer overflow in process_msg() that could result in cross-domain attack. body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent call to xb_read() would write to a zero-length buffer. The other end of this connection is always the xenstore backend daemon so there is no guest (malicious or otherwise) which can do this. The xenstore daemon is a trusted component in the system. However this seem like a reasonable robustness improvement so we should have it. And Ian when read the API docs found that: The payload length (len field of the header) is limited to 4096 (XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the limit, its xenstored connection will be immediately killed by xenstored, which is usually catastrophic from the client's point of view. Clients (particularly domains, which cannot just reconnect) should avoid this. so this patch checks against that instead. This also avoids a potential integer overflow pointed out by Haogang Chen. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Cc: Haogang Chen <haogangchen@gmail.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream.

Haogang Chen found out that:

 There is a potential integer overflow in process_msg() that could result
 in cross-domain attack.

 	body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);

 When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
 call to xb_read() would write to a zero-length buffer.

 The other end of this connection is always the xenstore backend daemon
 so there is no guest (malicious or otherwise) which can do this. The
 xenstore daemon is a trusted component in the system.

 However this seem like a reasonable robustness improvement so we should
 have it.

And Ian when read the API docs found that:
        The payload length (len field of the header) is limited to 4096
        (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
        limit, its xenstored connection will be immediately killed by
        xenstored, which is usually catastrophic from the client's point of
        view.  Clients (particularly domains, which cannot just reconnect)
        should avoid this.

so this patch checks against that instead.

This also avoids a potential integer overflow pointed out by Haogang Chen.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
xen-gntalloc: signedness bug in add_grefs() 2011-11-21T22:35:26+00:00 Dan Carpenter dan.carpenter@oracle.com 2011-11-04T18:24:36+00:00 8bb72ab63d58957270b2dc31e6c9bcfa38470d2c commit 99cb2ddcc617f43917e94a4147aa3ccdb2bcd77e upstream. gref->gref_id is unsigned so the error handling didn't work. gnttab_grant_foreign_access() returns an int type, so we can add a cast here, and it doesn't cause any problems. gnttab_grant_foreign_access() can return a variety of errors including -ENOSPC, -ENOSYS and -ENOMEM. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 99cb2ddcc617f43917e94a4147aa3ccdb2bcd77e upstream.

gref->gref_id is unsigned so the error handling didn't work.
gnttab_grant_foreign_access() returns an int type, so we can add a
cast here, and it doesn't cause any problems.
gnttab_grant_foreign_access() can return a variety of errors
including -ENOSPC, -ENOSYS and -ENOMEM.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc() 2011-11-21T22:35:26+00:00 Dan Carpenter dan.carpenter@oracle.com 2011-11-04T18:24:08+00:00 1b4f3a211878328065ee7ae79a380241bedaef5a commit 21643e69a4c06f7ef155fbc70e3fba13fba4a756 upstream. On 32 bit systems a high value of op.count could lead to an integer overflow in the kzalloc() and gref_ids would be smaller than expected. If the you triggered another integer overflow in "if (gref_size + op.count > limit)" then you'd probably get memory corruption inside add_grefs(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 21643e69a4c06f7ef155fbc70e3fba13fba4a756 upstream.

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier 2011-11-11T17:43:13+00:00 Ian Campbell ian.campbell@citrix.com 2011-10-03T14:37:00+00:00 cce574ff161d0f5e4263ed28a4a3785220802922 commit 9bab0b7fbaceec47d32db51cd9e59c82fb071f5a upstream. This adds a mechanism to resume selected IRQs during syscore_resume instead of dpm_resume_noirq. Under Xen we need to resume IRQs associated with IPIs early enough that the resched IPI is unmasked and we can therefore schedule ourselves out of the stop_machine where the suspend/resume takes place. This issue was introduced by 676dc3cf5bc3 "xen: Use IRQF_FORCE_RESUME". Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Cc: Rafael J. Wysocki <rjw@sisk.pl> Cc: Jeremy Fitzhardinge <Jeremy.Fitzhardinge@citrix.com> Cc: xen-devel <xen-devel@lists.xensource.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Link: http://lkml.kernel.org/r/1318713254.11016.52.camel@dagon.hellion.org.uk Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 9bab0b7fbaceec47d32db51cd9e59c82fb071f5a upstream.

This adds a mechanism to resume selected IRQs during syscore_resume
instead of dpm_resume_noirq.

Under Xen we need to resume IRQs associated with IPIs early enough
that the resched IPI is unmasked and we can therefore schedule
ourselves out of the stop_machine where the suspend/resume takes
place.

This issue was introduced by 676dc3cf5bc3 "xen: Use IRQF_FORCE_RESUME".

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Jeremy Fitzhardinge <Jeremy.Fitzhardinge@citrix.com>
Cc: xen-devel <xen-devel@lists.xensource.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Link: http://lkml.kernel.org/r/1318713254.11016.52.camel@dagon.hellion.org.uk
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
xen-swiotlb: Fix wrong panic. 2011-11-11T17:42:48+00:00 Konrad Rzeszutek Wilk konrad.wilk@oracle.com 2011-07-22T16:51:48+00:00 3401c775a446527091f720a6c65a1ecc7644776a commit ab2a47bd242d6cdcf6b2b64797f271c6f0a6d338 upstream. Propagate the baremetal git commit "swiotlb: fix wrong panic" (fba99fa38b023224680308a482e12a0eca87e4e1) in the Xen-SWIOTLB version. wherein swiotlb's map_page wrongly calls panic() when it can't find a buffer fit for device's dma mask. It should return an error instead. Devices with an odd dma mask (i.e. under 4G) like b44 network card hit this bug (the system crashes): http://marc.info/?l=linux-kernel&m=129648943830106&w=2 If xen-swiotlb returns an error, b44 driver can use the own bouncing mechanism. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit ab2a47bd242d6cdcf6b2b64797f271c6f0a6d338 upstream.

Propagate the baremetal git commit "swiotlb: fix wrong panic"
(fba99fa38b023224680308a482e12a0eca87e4e1) in the Xen-SWIOTLB version.
wherein swiotlb's map_page wrongly calls panic() when it can't find
a buffer fit for device's dma mask.  It should return an error instead.

Devices with an odd dma mask (i.e.  under 4G) like b44 network card hit
this bug (the system crashes):

http://marc.info/?l=linux-kernel&m=129648943830106&w=2

If xen-swiotlb returns an error, b44 driver can use the own bouncing
mechanism.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
xen/irq: Alter the locking to use a mutex instead of a spinlock. 2011-09-15T08:32:02+00:00 Konrad Rzeszutek Wilk konrad.wilk@oracle.com 2011-09-14T09:10:00+00:00 773659483685d652970583384a0294948e57f8b3 When we allocate/change the IRQ informations, we do not need to use spinlocks. We can use a mutex (which is what the generic IRQ code does for allocations/changes). Fixes a slew of: BUG: sleeping function called from invalid context at /linux/kernel/mutex.c:271 in_atomic(): 1, irqs_disabled(): 0, pid: 3216, name: xenstored 2 locks held by xenstored/3216: #0: (&u->bind_mutex){......}, at: [<ffffffffa02e0920>] evtchn_ioctl+0x30/0x3a0 [xen_evtchn] #1: (irq_mapping_update_lock){......}, at: [<ffffffff8138b274>] bind_evtchn_to_irq+0x24/0x90 Pid: 3216, comm: xenstored Not tainted 3.1.0-rc6-00021-g437a3d1 #2 Call Trace: [<ffffffff81088d10>] __might_sleep+0x100/0x130 [<ffffffff81645c2f>] mutex_lock_nested+0x2f/0x50 [<ffffffff81627529>] __irq_alloc_descs+0x49/0x200 [<ffffffffa02e0920>] ? evtchn_ioctl+0x30/0x3a0 [xen_evtchn] [<ffffffff8138b214>] xen_allocate_irq_dynamic+0x34/0x70 [<ffffffff8138b2ad>] bind_evtchn_to_irq+0x5d/0x90 [<ffffffffa02e03c0>] ? evtchn_bind_to_user+0x60/0x60 [xen_evtchn] [<ffffffff8138c282>] bind_evtchn_to_irqhandler+0x32/0x80 [<ffffffffa02e03a9>] evtchn_bind_to_user+0x49/0x60 [xen_evtchn] [<ffffffffa02e0a34>] evtchn_ioctl+0x144/0x3a0 [xen_evtchn] [<ffffffff811b4070>] ? vfsmount_lock_local_unlock+0x50/0x80 [<ffffffff811a6a1a>] do_vfs_ioctl+0x9a/0x5e0 [<ffffffff811b476f>] ? mntput+0x1f/0x30 [<ffffffff81196259>] ? fput+0x199/0x240 [<ffffffff811a7001>] sys_ioctl+0xa1/0xb0 [<ffffffff8164ea82>] system_call_fastpath+0x16/0x1b Reported-by: Jim Burns <jim_burn@bellsouth.net> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 
When we allocate/change the IRQ informations, we do not
need to use spinlocks. We can use a mutex (which is
what the generic IRQ code does for allocations/changes).
Fixes a slew of:

BUG: sleeping function called from invalid context at /linux/kernel/mutex.c:271
in_atomic(): 1, irqs_disabled(): 0, pid: 3216, name: xenstored
2 locks held by xenstored/3216:
 #0:  (&u->bind_mutex){......}, at: [<ffffffffa02e0920>] evtchn_ioctl+0x30/0x3a0 [xen_evtchn]
 #1:  (irq_mapping_update_lock){......}, at: [<ffffffff8138b274>] bind_evtchn_to_irq+0x24/0x90
Pid: 3216, comm: xenstored Not tainted 3.1.0-rc6-00021-g437a3d1 #2
Call Trace:
 [<ffffffff81088d10>] __might_sleep+0x100/0x130
 [<ffffffff81645c2f>] mutex_lock_nested+0x2f/0x50
 [<ffffffff81627529>] __irq_alloc_descs+0x49/0x200
 [<ffffffffa02e0920>] ? evtchn_ioctl+0x30/0x3a0 [xen_evtchn]
 [<ffffffff8138b214>] xen_allocate_irq_dynamic+0x34/0x70
 [<ffffffff8138b2ad>] bind_evtchn_to_irq+0x5d/0x90
 [<ffffffffa02e03c0>] ? evtchn_bind_to_user+0x60/0x60 [xen_evtchn]
 [<ffffffff8138c282>] bind_evtchn_to_irqhandler+0x32/0x80
 [<ffffffffa02e03a9>] evtchn_bind_to_user+0x49/0x60 [xen_evtchn]
 [<ffffffffa02e0a34>] evtchn_ioctl+0x144/0x3a0 [xen_evtchn]
 [<ffffffff811b4070>] ? vfsmount_lock_local_unlock+0x50/0x80
 [<ffffffff811a6a1a>] do_vfs_ioctl+0x9a/0x5e0
 [<ffffffff811b476f>] ? mntput+0x1f/0x30
 [<ffffffff81196259>] ? fput+0x199/0x240
 [<ffffffff811a7001>] sys_ioctl+0xa1/0xb0
 [<ffffffff8164ea82>] system_call_fastpath+0x16/0x1b

Reported-by: Jim Burns <jim_burn@bellsouth.net>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen: xen-selfballoon.c needs more header files 2011-08-10T19:21:46+00:00 Randy Dunlap rdunlap@xenotime.net 2011-08-10T18:22:42+00:00 30eefc95841ce51c3281876f0b954dd1d3c0bd5f Fix build errors (found when CONFIG_SYSFS is not enabled): drivers/xen/xen-selfballoon.c:446: warning: data definition has no type or storage class drivers/xen/xen-selfballoon.c:446: warning: type defaults to 'int' in declaration of 'EXPORT_SYMBOL' drivers/xen/xen-selfballoon.c:446: warning: parameter names (without types) in function declaration drivers/xen/xen-selfballoon.c:485: error: expected declaration specifiers or '...' before string constant drivers/xen/xen-selfballoon.c:485: warning: data definition has no type or storage class drivers/xen/xen-selfballoon.c:485: warning: type defaults to 'int' in declaration of 'MODULE_LICENSE' drivers/xen/xen-selfballoon.c:485: warning: function declaration isn't a prototype Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 
Fix build errors (found when CONFIG_SYSFS is not enabled):

drivers/xen/xen-selfballoon.c:446: warning: data definition has no type or storage class
drivers/xen/xen-selfballoon.c:446: warning: type defaults to 'int' in declaration of 'EXPORT_SYMBOL'
drivers/xen/xen-selfballoon.c:446: warning: parameter names (without types) in function declaration
drivers/xen/xen-selfballoon.c:485: error: expected declaration specifiers or '...' before string constant
drivers/xen/xen-selfballoon.c:485: warning: data definition has no type or storage class
drivers/xen/xen-selfballoon.c:485: warning: type defaults to 'int' in declaration of 'MODULE_LICENSE'
drivers/xen/xen-selfballoon.c:485: warning: function declaration isn't a prototype

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/self-balloon: Add dependency on tmem. 2011-08-03T18:34:57+00:00 Konrad Rzeszutek Wilk konrad.wilk@oracle.com 2011-07-30T15:21:09+00:00 65d4b248114e18b3d805c7ecb88d9ea64dd978e4 Without enabling CONFIG_XEN_TMEM we get this: drivers/xen/xen-selfballoon.c:461: undefined reference to `tmem_enabled' Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 
Without enabling CONFIG_XEN_TMEM we get this:

drivers/xen/xen-selfballoon.c:461: undefined reference to `tmem_enabled'

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/balloon: Fix compile errors - missing header files. 2011-08-03T18:34:55+00:00 Konrad Rzeszutek Wilk konrad.wilk@oracle.com 2011-07-22T18:01:16+00:00 61077b2c50476ac85ced8a56fc6b5aaa3aa9c980 With a specific enough .config file compile errors show for missing workqueue declarations. Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 
With a specific enough .config file compile errors show
for missing workqueue declarations.

Reported-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/grant: Fix compile warning. 2011-08-03T18:34:53+00:00 Konrad Rzeszutek Wilk konrad.wilk@oracle.com 2011-07-22T18:00:06+00:00 f24144c0c397fe3697b5b563c4a86d4f1fb185cc drivers/xen/grant-table.c:85: warning: ‘rc’ may be used uninitialized in this function Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 
drivers/xen/grant-table.c:85: warning: ‘rc’ may be used uninitialized in this function

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>