Merge branch 'netback'

Ian Campbell says: ==================== The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to cause netback to loop for an extended period preventing other work from occurring. CVE-2013-0217 is a memory leak on an error path which is guest triggerable. The following series contains the fixes for these issues, as previously included in Xen Security Advisory 39: http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html Changes in v2: - Typo and block comment format fixes - Added stable Cc ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-02-07 23:31:47 -0500
committer: David S. Miller <davem@davemloft.net> 2013-02-07 23:31:47 -0500
commit: 0c35565b460ff99f973fb4a9ec63fbcb4176d2e6 (patch)
tree: f0293db254c3db8dfee6c624bba307e3308162f7 /drivers/net/xen-netback/interface.c
parent: e21b9d031fa184632c373eedc12e3c296e1aa65b (diff)
parent: b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 (diff)
1 files changed, 14 insertions, 9 deletions
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index b7d41f8c338a..b8c5193bd420 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -343,17 +343,22 @@ err:
        return err;
 }
-void xenvif_disconnect(struct xenvif *vif)
+void xenvif_carrier_off(struct xenvif *vif)
 {
        struct net_device *dev = vif->dev;
-        if (netif_carrier_ok(dev)) {
-                rtnl_lock();
+        rtnl_lock();
-                netif_carrier_off(dev); /* discard queued packets */
+        netif_carrier_off(dev); /* discard queued packets */
-                if (netif_running(dev))
+        if (netif_running(dev))
-                        xenvif_down(vif);
+                xenvif_down(vif);
-                rtnl_unlock();
+        rtnl_unlock();
-                xenvif_put(vif);
+        xenvif_put(vif);
-        }
+}
+void xenvif_disconnect(struct xenvif *vif)
+{
+        if (netif_carrier_ok(vif->dev))
+                xenvif_carrier_off(vif);
        atomic_dec(&vif->refcnt);
        wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);
author	David S. Miller <davem@davemloft.net>	2013-02-07 23:31:47 -0500
committer	David S. Miller <davem@davemloft.net>	2013-02-07 23:31:47 -0500
commit	0c35565b460ff99f973fb4a9ec63fbcb4176d2e6 (patch)
tree	f0293db254c3db8dfee6c624bba307e3308162f7 /drivers/net/xen-netback/interface.c
parent	e21b9d031fa184632c373eedc12e3c296e1aa65b (diff)
parent	b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 (diff)

diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c index b7d41f8c338a..b8c5193bd420 100644 --- a/drivers/net/xen-netback/interface.c +++ b/drivers/net/xen-netback/interface.c
@@ -343,17 +343,22 @@ err:
343	return err;	343	return err;
344	}	344	}
345		345
346	void xenvif_disconnect(struct xenvif *vif)	346	void xenvif_carrier_off(struct xenvif *vif)
347	{	347	{
348	struct net_device *dev = vif->dev;	348	struct net_device *dev = vif->dev;
349	if (netif_carrier_ok(dev)) {	349
350	rtnl_lock();	350	rtnl_lock();
351	netif_carrier_off(dev); /* discard queued packets */	351	netif_carrier_off(dev); /* discard queued packets */
352	if (netif_running(dev))	352	if (netif_running(dev))
353	xenvif_down(vif);	353	xenvif_down(vif);
354	rtnl_unlock();	354	rtnl_unlock();
355	xenvif_put(vif);	355	xenvif_put(vif);
356	}	356	}
		357
		358	void xenvif_disconnect(struct xenvif *vif)
		359	{
		360	if (netif_carrier_ok(vif->dev))
		361	xenvif_carrier_off(vif);
357		362
358	atomic_dec(&vif->refcnt);	363	atomic_dec(&vif->refcnt);
359	wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);	364	wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);