linux-stable/drivers
Yoshihiro YUNOMAE 68c034fefe virtio/console: Quit from splice_write if pipe->nrbufs is 0
Quit from splice_write if pipe->nrbufs is 0 to avoid an oops in virtio-serial.

When an application was doing splice from a kernel buffer to virtio-serial on
a guest, the application received a signal (SIGINT). This situation will normally
happen, but the kernel panicked with an oops as follows:

 BUG: unable to handle kernel paging request at ffff882071c8ef28
 IP: [<ffffffff812de48f>] sg_init_table+0x2f/0x50
 PGD 1fac067 PUD 0
 Oops: 0000 [#1] SMP
 Modules linked in: lockd sunrpc bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer snd microcode virtio_balloon virtio_net pcspkr soundcore i2c_piix4 i2c_core uinput floppy
 CPU: 1 PID: 908 Comm: trace-cmd Not tainted 3.10.0+ #49
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
 task: ffff880071c64650 ti: ffff88007bf24000 task.ti: ffff88007bf24000
 RIP: 0010:[<ffffffff812de48f>]  [<ffffffff812de48f>] sg_init_table+0x2f/0x50
 RSP: 0018:ffff88007bf25dd8  EFLAGS: 00010286
 RAX: 0000001fffffffe0 RBX: ffff882071c8ef28 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880071c8ef48
 RBP: ffff88007bf25de8 R08: ffff88007fd15d40 R09: ffff880071c8ef48
 R10: ffffea0001c71040 R11: ffffffff8139c555 R12: 0000000000000000
 R13: ffff88007506a3c0 R14: ffff88007c862500 R15: ffff880071c8ef00
 FS:  00007f0a3646c740(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff882071c8ef28 CR3: 000000007acbb000 CR4: 00000000000006e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 Stack:
  ffff880071c8ef48 ffff88007bf25e20 ffff88007bf25e88 ffffffff8139d6fa
  ffff88007bf25e28 ffffffff8127a3f4 0000000000000000 0000000000000000
  ffff880071c8ef48 0000100000000000 0000000000000003 ffff88007bf25e08
 Call Trace:
  [<ffffffff8139d6fa>] port_fops_splice_write+0xaa/0x130
  [<ffffffff8127a3f4>] ? selinux_file_permission+0xc4/0x120
  [<ffffffff8139d650>] ? wait_port_writable+0x1b0/0x1b0
  [<ffffffff811a6fe0>] do_splice_from+0xa0/0x110
  [<ffffffff811a951f>] SyS_splice+0x5ff/0x6b0
  [<ffffffff8161f8c2>] system_call_fastpath+0x16/0x1b
 Code: c1 e2 05 48 89 e5 48 83 ec 10 4c 89 65 f8 41 89 f4 31 f6 48 89 5d f0 48 89 fb e8 8d ce ff ff 41 8d 44 24 ff 48 c1 e0 05 48 01 c3 <48> 8b 03 48 83 e0 fe 48 83 c8 02 48 89 03 48 8b 5d f0 4c 8b 65
 RIP  [<ffffffff812de48f>] sg_init_table+0x2f/0x50
  RSP <ffff88007bf25dd8>
 CR2: ffff882071c8ef28
 ---[ end trace 86323505eb42ea8f ]---

It seems to induce a page fault in sg_init_table() when pipe->nrbufs is equal to
zero. This may happen in the following situation:

(1) The application normally does splice(read) from a kernel buffer, then does
    splice(write) to virtio-serial.
(2) The application receives SIGINT while it is doing splice(read), so splice(read)
    fails with EINTR. However, the application does not finish the operation.
(3) The application tries to do splice(write) even though pipe->nrbufs is 0.
(4) The virtio-console driver tries to touch the scatterlist structure sgl in
    sg_init_table(), but the region is out of bounds.

To avoid this case, the kernel should check whether pipe->nrbufs is zero
when splice_write is executed in the virtio-console driver.

V3: Add Reviewed-by lines and stable@ line in sign-off area.

Signed-off-by: Yoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Amit Shah <amit.shah@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2013-07-23 12:15:25 +09:30
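The register dump above already shows the arithmetic behind the fault: RAX is 0x1fffffffe0, which is 0xffffffff shifted left by 5, and RBX (the faulting address, also in CR2) is RDI (the sgl pointer) plus that offset. That is exactly what sg_init_table()'s final sg_mark_end(&sgl[nents - 1]) produces when nents is an unsigned int equal to 0 and each scatterlist entry is 32 bytes: the index wraps to UINT_MAX instead of going to -1. The user-space C below is an added example, not code from the page or from the kernel patch. It models that offset computation without dereferencing anything, and places the pre-fix flow (table sized from pipe->nrbufs with no emptiness check) beside the post-fix flow (return 0 before any scatterlist access when the pipe is empty). struct scatterlist and struct pipe_model are stand-ins whose layout is an assumption (32 bytes per entry on x86-64, matching the shift in the oops); splice_write_unchecked_faults() and splice_write_checked() are illustrative names, not functions in the driver.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct scatterlist. Assumption: the 32-byte
 * x86-64 layout of the crashing kernel (the oops shifts the index left by 5). */
struct scatterlist {
	unsigned long page_link;	/* low two bits: 0x01 = chain, 0x02 = end marker */
	unsigned int  offset;
	unsigned int  length;
	uint64_t      dma_address;
	unsigned int  dma_length;
};

/* Stand-in for struct pipe_inode_info; only the field the fix checks. */
struct pipe_model {
	unsigned int nrbufs;	/* number of buffers currently queued in the pipe */
};

/* sg_init_table(sgl, nents) ends with sg_mark_end(&sgl[nents - 1]). nents is an
 * unsigned int, so nents == 0 yields index UINT_MAX, not -1. Returns the byte
 * offset from sgl that sg_mark_end() would write to, without touching memory. */
static size_t sg_mark_end_offset(unsigned int nents)
{
	unsigned int last = nents - 1;	/* wraps to UINT_MAX when nents == 0 */
	return (size_t)last * sizeof(struct scatterlist);
}

/* Pre-fix flow (illustrative): the scatterlist is sized from pipe->nrbufs with
 * no emptiness check. Returns 1 if sg_init_table() would write outside the
 * nents-entry table, 0 otherwise. */
static int splice_write_unchecked_faults(const struct pipe_model *pipe)
{
	unsigned int nents = pipe->nrbufs;
	size_t table_bytes = (size_t)nents * sizeof(struct scatterlist);

	return sg_mark_end_offset(nents) >= table_bytes;
}

/* Post-fix flow (illustrative): return 0 (nothing written) before any
 * scatterlist access when the pipe is empty; otherwise initialise the table
 * the way sg_init_table() does. cap is the number of entries available at sgl.
 * Returns the number of entries initialised, or -1 if nents exceeds cap. */
static int splice_write_checked(const struct pipe_model *pipe,
				struct scatterlist *sgl, size_t cap)
{
	unsigned int nents = pipe->nrbufs;

	if (nents == 0)
		return 0;
	if (nents > cap)
		return -1;
	memset(sgl, 0, sizeof(*sgl) * nents);
	/* sg_mark_end(): clear the chain bit and set the end bit on the last entry */
	sgl[nents - 1].page_link &= ~0x01UL;
	sgl[nents - 1].page_link |= 0x02UL;
	return (int)nents;
}

int main(void)
{
	struct pipe_model empty = { .nrbufs = 0 };
	struct pipe_model three = { .nrbufs = 3 };
	struct scatterlist sgl[4];
	int n;

	printf("sizeof(struct scatterlist) = %zu\n", sizeof(struct scatterlist));
	printf("nrbufs=0: sg_mark_end() offset = 0x%zx (oops RAX was 0x1fffffffe0)\n",
	       sg_mark_end_offset(0));
	printf("nrbufs=0: unchecked flow faults = %d\n",
	       splice_write_unchecked_faults(&empty));
	printf("nrbufs=0: checked flow returns  = %d\n",
	       splice_write_checked(&empty, sgl, 4));
	n = splice_write_checked(&three, sgl, 4);
	printf("nrbufs=3: checked flow returns  = %d, end bit on sgl[2] = %lu\n",
	       n, sgl[2].page_link & 0x02UL);
	return 0;
}
```

The point to take from the model is that no bounds check inside sg_init_table() helps here: the function is handed a table of zero entries and must still mark a "last" one, so the caller has to refuse the empty pipe before the scatterlist is ever built, which is what the commit does.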
accessibility
acpi ACPI video support fixes for 3.11 2013-07-21 10:11:04 -07:00
amba
ata Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
atm
auxdisplay
base Driver core patches for 3.11-rc2 2013-07-18 12:48:40 -07:00
bcma
block Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze 2013-07-10 10:16:07 -07:00
bluetooth
bus ARM SoC device tree changes 2013-07-02 14:23:01 -07:00
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-03 16:07:25 -07:00
char virtio/console: Quit from splice_write if pipe->nrbufs is 0 2013-07-23 12:15:25 +09:30
clk Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
clocksource clocksource+irqchip: delete __cpuinit usage from all related files 2013-07-14 19:36:57 -04:00
connector
cpufreq Power management and ACPI fixes for 3.11-rc2 2013-07-19 09:59:06 -07:00
cpuidle Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
crypto crypto: talitos: use sg_pcopy_to_buffer() 2013-07-09 10:33:30 -07:00
dca
devfreq Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
dio
dma drivers/dma/iop-adma.c: fix new warnings 2013-07-09 10:33:19 -07:00
edac Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
eisa
extcon drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
firewire
firmware efivars: check for EFI_RUNTIME_SERVICES 2013-07-11 11:00:31 +01:00
fmc
gpio Power management and ACPI updates for 3.11-rc1 2013-07-03 14:35:40 -07:00
gpu ACPI video support fixes for 3.11 2013-07-21 10:11:04 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2013-07-04 15:35:08 -07:00
hsi drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
hv
hwmon Single patch to staticize a local variable 2013-07-18 11:32:36 -07:00
hwspinlock
i2c Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2013-07-10 18:15:41 -07:00
idle
iio The first round of IIO fixes for the 3.11 cycle. 2013-07-16 22:41:38 -07:00
infiniband Main batch of InfiniBand/RDMA changes for 3.11 merge window: 2013-07-13 12:57:21 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2013-07-13 18:05:13 -07:00
iommu IOMMU Updates for Linux 3.11 2013-07-10 14:46:40 -07:00
ipack
irqchip clocksource+irqchip: delete __cpuinit usage from all related files 2013-07-14 19:36:57 -04:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
leds leds: mc13783: Fix "uninitialized variable" warning 2013-07-02 08:44:02 -07:00
lguest Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
macintosh macintosh/windfarm: Remove obsolete cleanup for clientdata 2013-07-01 11:46:56 +10:00
mailbox
md md/raid1: fix bio handling problems in process_checks() 2013-07-18 14:18:04 +10:00
media [media] saa7134: Fix unlocked snd_pcm_stop() call 2013-07-15 21:25:14 +02:00
memory
memstick drivers/memstick/host/r592.c: convert to module_pci_driver 2013-07-03 16:08:06 -07:00
message drivers: avoid format strings in names passed to alloc_workqueue() 2013-07-03 16:07:41 -07:00
mfd For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
misc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
mmc MMC highlights for 3.11: 2013-07-10 11:16:00 -07:00
mtd A couple of fixes and clean-ups, allow for assigning user-defined 2013-07-05 12:09:48 -07:00
net macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS 2013-07-18 13:04:25 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
ntb
nubus
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-07-09 18:24:39 -07:00
oprofile drivers: delete __cpuinit usage from all remaining drivers files 2013-07-14 19:36:59 -04:00
parisc parisc: fix LMMIO mismatch between PAT length and MASK register 2013-07-09 22:09:16 +02:00
parport Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pci Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
pcmcia Driver core patches for 3.11-rc1 2013-07-02 11:44:19 -07:00
pinctrl Pin control changes for the v3.11 kernel cycle: 2013-07-03 11:48:03 -07:00
platform x86 platform drivers: fix gpio leak 2013-07-10 15:42:51 -04:00
pnp PNP / ACPI: avoid garbage in resource name 2013-07-18 01:38:59 +02:00
power Nothing exciting this time, just assorted fixes and cleanups. 2013-07-10 11:13:00 -07:00
pps pps-gpio: add device-tree binding and support 2013-07-03 16:08:06 -07:00
ps3
ptp
pwm
rapidio Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
regulator For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
remoteproc Trivial remoteproc fixes by Suman Anna, Wei Yongjun and Thomas Meyer. 2013-07-11 12:35:09 -07:00
reset
rpmsg
rtc For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
s390 s390/zcrypt: Alias for new zcrypt device driver base module 2013-07-19 08:37:39 +02:00
sbus
scsi SCSI for-linus on 20130713 2013-07-13 17:41:21 -07:00
sfi
sh
sn
spi Merge remote-tracking branch 'spi/fix/xilinx' into spi-linus 2013-07-15 11:46:16 +01:00
ssb Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
staging Staging tree fixes for 3.11-rc2 2013-07-20 15:42:38 -07:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-07-11 12:57:19 -07:00
tc
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2013-07-11 12:26:08 -07:00
tty Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
uio uio: use vma_pages() to replace (vm_end - vm_start) >> PAGE_SHIFT 2013-07-03 16:07:26 -07:00
usb Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
uwb drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
vfio vfio Updates for v3.11 2013-07-10 14:50:08 -07:00
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-07-11 12:57:19 -07:00
video uvesafb: Really allow mtrr being 0, as documented and warn()ed 2013-07-16 10:24:28 +10:00
virt
virtio No real surprises. 2013-07-10 14:50:58 -07:00
vlynq
vme
w1 drivers/w1/slaves/w1_ds2408.c: add magic sequence to disable P0 test mode 2013-07-03 16:08:06 -07:00
watchdog Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-13 14:52:21 -07:00
xen drivers: delete __cpuinit usage from all remaining drivers files 2013-07-14 19:36:59 -04:00
zorro zorro: switch to fixed_size_llseek() 2013-06-29 12:57:28 +04:00
Kconfig For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00
Makefile For the 3.11 merge we only have one new MFD driver for the Kontron PLD. 2013-07-10 11:10:27 -07:00