--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Wed, 16 Dec 2015 20:09:25 +0000
+Subject: af_unix: Revert 'lock_interruptible' in stream receive code
+Status: RO
+Content-Length: 2049
+Lines: 58
+
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+
+[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ]
+
+With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM
+receive code was changed from using mutex_lock(&u->readlock) to
+mutex_lock_interruptible(&u->readlock) to prevent signals from being
+delayed for an indefinite time if a thread sleeping on the mutex
+happened to be selected for handling the signal. But this was never a
+problem with the stream receive code (as opposed to its datagram
+counterpart) as that never went to sleep waiting for new messages with the
+mutex held and thus, wouldn't cause secondary readers to block on the
+mutex waiting for the sleeping primary reader. As the interruptible
+locking makes the code more complicated in exchange for no benefit,
+change it back to using mutex_lock.
+
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2090,14 +2090,7 @@ static int unix_stream_recvmsg(struct ki
+ memset(&tmp_scm, 0, sizeof(tmp_scm));
+ }
+
+- err = mutex_lock_interruptible(&u->readlock);
+- if (unlikely(err)) {
+- /* recvmsg() in non blocking mode is supposed to return -EAGAIN
+- * sk_rcvtimeo is not honored by mutex_lock_interruptible()
+- */
+- err = noblock ? -EAGAIN : -ERESTARTSYS;
+- goto out;
+- }
++ mutex_lock(&u->readlock);
+
+ if (flags & MSG_PEEK)
+ skip = sk_peek_offset(sk, flags);
+@@ -2138,12 +2131,12 @@ again:
+
+ timeo = unix_stream_data_wait(sk, timeo, last);
+
+- if (signal_pending(current)
+- || mutex_lock_interruptible(&u->readlock)) {
++ if (signal_pending(current)) {
+ err = sock_intr_errno(timeo);
+ goto out;
+ }
+
++ mutex_lock(&u->readlock);
+ continue;
+ unlock:
+ unix_state_unlock(sk);
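Review bot: In the second hunk of net/unix/af_unix.c, the `goto out` taken on `signal_pending(current)` runs without `u->readlock`, while the `continue` path now retakes it, and nothing in the code states that boundary. A comment above the new `mutex_lock(&u->readlock)` such as `/* readlock is not held across the wait; retake it before rescanning the queue */` would make it clear that `out` must not unlock. The unlock before `unix_stream_data_wait()` and the `out` label are outside the hunk, so confirm this against the full function.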
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Pavel Machek <pavel@ucw.cz>
+Date: Fri, 4 Dec 2015 09:50:00 +0100
+Subject: atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+Status: RO
+Content-Length: 1553
+Lines: 40
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ]
+
+atl1c driver is doing order-4 allocation with GFP_ATOMIC
+priority. That often breaks networking after resume. Switch to
+GFP_KERNEL. Still not ideal, but should be significantly better.
+
+atl1c_setup_ring_resources() is called from .open() function, and
+already uses GFP_KERNEL, so this change is safe.
+
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1018,13 +1018,12 @@ static int atl1c_setup_ring_resources(st
+ sizeof(struct atl1c_recv_ret_status) * rx_desc_count +
+ 8 * 4;
+
+- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size,
+- &ring_header->dma);
++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size,
++ &ring_header->dma, GFP_KERNEL);
+ if (unlikely(!ring_header->desc)) {
+- dev_err(&pdev->dev, "pci_alloc_consistend failed\n");
++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n");
+ goto err_nomem;
+ }
+- memset(ring_header->desc, 0, ring_header->size);
+ /* init TPD ring */
+
+ tpd_ring[0].dma = roundup(ring_header->dma, 8);
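Review bot: The switch to `GFP_KERNEL` in `atl1c_setup_ring_resources()` means the allocation can now sleep, and only the commit message records that constraint. A short comment above the `dma_zalloc_coherent()` call, e.g. `/* GFP_KERNEL: may sleep, only reached from .open() in process context */`, would stop a later caller from reaching it in atomic context. The function starts and ends outside the hunk.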
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 15 Dec 2015 15:39:08 -0500
+Subject: bluetooth: Validate socket address length in sco_sock_bind().
+Status: RO
+Content-Length: 619
+Lines: 24
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/sco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *
+ if (!addr || addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+
++ if (addr_len < sizeof(struct sockaddr_sco))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_OPEN) {
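Review bot: The new length check in `sco_sock_bind()` comes after `addr->sa_family` has already been read, so the family comparison still runs on an address whose length has not been validated. Testing the length first closes that gap: `if (!addr || addr_len < sizeof(struct sockaddr_sco) || addr->sa_family != AF_BLUETOOTH) return -EINVAL;`. `addr_len` is presumably a signed int compared against a `size_t`, so a negative value would pass this test. That is safe only if the caller already rejects negative lengths, which is not visible here.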
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 3 Dec 2015 17:21:50 +0100
+Subject: gre6: allow to update all parameters via rtnl
+Status: RO
+Content-Length: 1091
+Lines: 38
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ]
+
+Parameters were updated only if the kernel was unable to find the tunnel
+with the new parameters, ie only if core pamareters were updated (keys,
+addr, link, type).
+Now it's possible to update ttl, hoplimit, flowinfo and flags.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1558,13 +1558,11 @@ static int ip6gre_changelink(struct net_
+ return -EEXIST;
+ } else {
+ t = nt;
+-
+- ip6gre_tunnel_unlink(ign, t);
+- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+- ip6gre_tunnel_link(ign, t);
+- netdev_state_change(dev);
+ }
+
++ ip6gre_tunnel_unlink(ign, t);
++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
++ ip6gre_tunnel_link(ign, t);
+ return 0;
+ }
+
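Review bot: The unlink/change/link sequence at the end of `ip6gre_changelink()` now runs on every call, including when only ttl or flags differ, but the code does not say why the tunnel is re-hashed in that case. A one-line comment such as `/* always re-hash: p may or may not touch the lookup keys */` above `ip6gre_tunnel_unlink()` would record the intent. The hunk also drops `netdev_state_change(dev)` without explanation; if the caller already emits that notification, a comment should say so. The function begins outside the hunk.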
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Dec 2015 07:25:06 -0800
+Subject: ipv6: sctp: clone options to avoid use after free
+Status: RO
+Content-Length: 1365
+Lines: 47
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ]
+
+SCTP is lacking proper np->opt cloning at accept() time.
+
+TCP and DCCP use ipv6_dup_options() helper, do the same
+in SCTP.
+
+We might later factorize this code in a common helper to avoid
+future mistakes.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -638,6 +638,7 @@ static struct sock *sctp_v6_create_accep
+ struct sock *newsk;
+ struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+ struct sctp6_sock *newsctp6sk;
++ struct ipv6_txoptions *opt;
+
+ newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot);
+ if (!newsk)
+@@ -657,6 +658,13 @@ static struct sock *sctp_v6_create_accep
+
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+
++ rcu_read_lock();
++ opt = rcu_dereference(np->opt);
++ if (opt)
++ opt = ipv6_dup_options(newsk, opt);
++ RCU_INIT_POINTER(newnp->opt, opt);
++ rcu_read_unlock();
++
+ /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
+ * and getpeername().
+ */
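Review bot: In `sctp_v6_create_accept_sk()` a failed `ipv6_dup_options()` is stored as a NULL `newnp->opt`, which is indistinguishable from the parent having no options, so the accepted socket silently loses them under memory pressure. If that best-effort behaviour is intended, say so with `/* NULL also covers allocation failure: the child then has no tx options */`. Separately, the `memcpy(newnp, np, sizeof(struct ipv6_pinfo))` just above copies every pointer member of the parent's `ipv6_pinfo`, and only `opt` is re-owned here. Whether the remaining pointers are reset lies outside the hunk and deserves the same check.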
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 4097
+Lines: 133
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -374,6 +374,7 @@ struct sock {
+ sk_no_check : 2,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -677,6 +677,9 @@ static int dn_create(struct net *net, st
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -260,6 +260,9 @@ static int inet_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -110,6 +110,9 @@ static int inet6_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1103,6 +1103,9 @@ static int irda_create(struct net *net,
+
+ IRDA_DEBUG(2, "%s()\n", __func__);
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
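Review bot: `SK_PROTOCOL_MAX` in include/net/sock.h is defined as `U8_MAX` next to `sk_protocol : 8`, but nothing ties the two together, so a change to the bitfield width would silently invalidate the range checks added in `ax25_create()`, `dn_create()` and `irda_create()`. A comment on the define, `/* must match the width of sk_protocol */`, or a build-time assertion would keep them in step. The inet paths test `protocol >= IPPROTO_MAX` instead, which relies on `IPPROTO_MAX` staying within that same 8-bit limit; a comment at `inet_create()` and `inet6_create()` should state that. Only five families are covered here, so other `create` handlers that store `protocol` into an 8-bit field should be audited for the same truncation.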
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 14 Dec 2015 13:48:36 -0800
+Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
+Status: RO
+Content-Length: 993
+Lines: 36
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
+
+Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock
+ struct pptp_opt *opt = &po->proto.pptp;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ opt->src_addr = sp->sa_addr.pptp;
+@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s
+ struct flowi4 fl4;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ if (sp->sa_protocol != PX_PROTO_PPTP)
+ return -EINVAL;
+
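Review bot: `pptp_bind()` now validates `sockaddr_len` but, in the lines visible here, goes straight on to read `sp->sa_addr.pptp` without the `sa_protocol` test that `pptp_connect()` performs right after its own length check. For consistency, bind should reject other PPPoX protocols as well: `if (sp->sa_protocol != PX_PROTO_PPTP) return -EINVAL;`. The remainder of `pptp_bind()` is outside the hunk, so confirm that no equivalent check follows `lock_sock(sk)`.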
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 4 Dec 2015 15:14:04 -0200
+Subject: sctp: update the netstamp_needed counter when copying sockets
+Status: RO
+Content-Length: 2148
+Lines: 66
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ]
+
+Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy
+related to disabling sock timestamp.
+
+When SCTP accepts an association or peel one off, it copies sock flags
+but forgot to call net_enable_timestamp() if a packet timestamping flag
+was copied, leading to extra calls to net_disable_timestamp() whenever
+such clones were closed.
+
+The fix is to call net_enable_timestamp() whenever we copy a sock with
+that flag on, like tcp does.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 2 ++
+ net/core/sock.c | 2 --
+ net/sctp/socket.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -700,6 +700,8 @@ enum sock_flags {
+ SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */
+ };
+
++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
++
+ static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
+ {
+ nsk->sk_flags = osk->sk_flags;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(co
+ }
+ }
+
+-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
+-
+ static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
+ {
+ if (sk->sk_flags & flags) {
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6985,6 +6985,9 @@ void sctp_copy_sock(struct sock *newsk,
+ newinet->mc_ttl = 1;
+ newinet->mc_index = 0;
+ newinet->mc_list = NULL;
++
++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
++ net_enable_timestamp();
+ }
+
+ static inline void sctp_copy_descendant(struct sock *sk_to,
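Review bot: The `net_enable_timestamp()` call added at the end of `sctp_copy_sock()` carries no comment saying which reference it balances. Suggest `/* flags were inherited from the parent: take the timestamp reference that destroying this socket will drop */` above the `if`. The check also depends on `newsk->sk_flags` already holding the copied flags at this point; the copy itself is outside the hunk.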
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 4 Dec 2015 15:14:03 -0200
+Subject: sctp: use the same clock as if sock source timestamps were on
+Status: RO
+Content-Length: 1646
+Lines: 46
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ]
+
+SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for
+detecting stale cookies. This cookie is echoed back to the server by the
+client and then that timestamp is checked.
+
+Thing is, if the listening socket is using packet timestamping, the
+cookie is encoded with ktime_get() value and checked against
+ktime_get_real(), as done by __net_timestamp().
+
+The fix is to sctp also use ktime_get_real(), so we can compare bananas
+with bananas later no matter if packet timestamping was enabled or not.
+
+Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_co
+
+ /* Set an expiration time for the cookie. */
+ cookie->c.expiration = ktime_add(asoc->cookie_life,
+- ktime_get());
++ ktime_get_real());
+
+ /* Copy the peer's init packet. */
+ memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
+@@ -1780,7 +1780,7 @@ no_hmac:
+ if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
+ kt = skb_get_ktime(skb);
+ else
+- kt = ktime_get();
++ kt = ktime_get_real();
+
+ if (!asoc && ktime_compare(bear_cookie->expiration, kt) < 0) {
+ /*
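Review bot: Both sites in net/sctp/sm_make_chunk.c now use `ktime_get_real()`, which is wall-clock time and can be stepped. A clock adjustment between `sctp_pack_cookie()` and the expiry check after `no_hmac:` can therefore make a fresh cookie look stale or extend the life of an old one. The trade-off follows from `skb_get_ktime()` being on the real-time base, but it should be recorded in the code: `/* wall clock, to match skb timestamps; must use the same base as the expiry check */` at the pack site and a mirror comment at the check. Both functions start and end outside the hunks.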
usb-add-quirk-for-devices-with-broken-lpm.patch
usb-whci-hcd-add-check-for-dma-mapping-error.patch
usb-use-the-usb_ss_mult-macro-to-decode-burst-multiplier-for-log-message.patch
+gre6-allow-to-update-all-parameters-via-rtnl.patch
+atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
+sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
+sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
+ipv6-sctp-clone-options-to-avoid-use-after-free.patch
+net-add-validation-for-the-socket-syscall-protocol-argument.patch
+sh_eth-fix-kernel-oops-in-skb_put.patch
+vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
+skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
+pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
+bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
+af_unix-revert-lock_interruptible-in-stream-receive-code.patch
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 4 Dec 2015 01:45:40 +0300
+Subject: sh_eth: fix kernel oops in skb_put()
+Status: RO
+Content-Length: 2307
+Lines: 61
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ]
+
+In a low memory situation the following kernel oops occurs:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000050
+pgd = 8490c000
+[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in:
+CPU: 0 Not tainted (3.4-at16 #9)
+PC is at skb_put+0x10/0x98
+LR is at sh_eth_poll+0x2c8/0xa10
+pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113
+sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4
+r10: 0000003f r9 : 000005ea r8 : 00000000
+r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180
+r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c53c7d Table: 4248c059 DAC: 00000015
+Process klogd (pid: 2046, stack limit = 0x84eb02e8)
+[...]
+
+This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left
+NULL but sh_eth_rx() later uses it without checking. Add such check...
+
+Reported-by: Yasushi SHOJI <yashi@atmark-techno.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1424,6 +1424,7 @@ static int sh_eth_rx(struct net_device *
+ if (mdp->cd->shift_rd0)
+ desc_status >>= 16;
+
++ skb = mdp->rx_skbuff[entry];
+ if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 |
+ RD_RFS5 | RD_RFS6 | RD_RFS10)) {
+ ndev->stats.rx_errors++;
+@@ -1439,12 +1440,11 @@ static int sh_eth_rx(struct net_device *
+ ndev->stats.rx_missed_errors++;
+ if (desc_status & RD_RFS10)
+ ndev->stats.rx_over_errors++;
+- } else {
++ } else if (skb) {
+ if (!mdp->cd->hw_swap)
+ sh_eth_soft_swap(
+ phys_to_virt(ALIGN(rxdesc->addr, 4)),
+ pkt_len + 2);
+- skb = mdp->rx_skbuff[entry];
+ mdp->rx_skbuff[entry] = NULL;
+ if (mdp->cd->rpadir)
+ skb_reserve(skb, NET_IP_ALIGN);
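Review bot: When `mdp->rx_skbuff[entry]` is NULL and the descriptor reports no error, the new `else if (skb)` in `sh_eth_rx()` skips the frame without touching any counter, so drops caused by an earlier allocation failure do not show up in the interface statistics. A trailing `} else { ndev->stats.rx_dropped++; }` would account for them. The end of the `else if` body is outside the hunk, so the exact placement needs checking against the full function.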
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Mon, 14 Dec 2015 17:44:10 -0500
+Subject: skbuff: Fix offset error in skb_reorder_vlan_header
+Status: RO
+Content-Length: 1169
+Lines: 34
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ]
+
+skb_reorder_vlan_header is called after the vlan header has
+been pulled. As a result the offset of the begining of
+the mac header has been incrased by 4 bytes (VLAN_HLEN).
+When moving the mac addresses, include this incrase in
+the offset calcualation so that the mac addresses are
+copied correctly.
+
+Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off)
+CC: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+CC: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3997,7 +3997,7 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
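Review bot: The `memmove()` source in `skb_reorder_vlan_header()` is computed as `skb->data - skb->mac_len - VLAN_HLEN`, which trusts `skb->mac_len` to describe the real header position; nothing in the hunk bounds it against the available headroom. Taking the source from the recorded MAC header start would make the 12-byte copy easier to verify. Failing that, document the invariant with `/* mac_len excludes the VLAN tag already pulled; source is the true start of the MAC header */`. The vlan patch in this same queue introduces the expression without the `VLAN_HLEN` term and is corrected by this one, so the two have to be applied together. Any validation of `mac_len` before the `return NULL` path is outside the hunk.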
--- /dev/null
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Mon, 16 Nov 2015 15:43:44 -0500
+Subject: vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+Status: RO
+Content-Length: 1704
+Lines: 46
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ]
+
+When we have multiple stacked vlan devices all of which have
+turned off REORDER_HEADER flag, the untag operation does not
+locate the ethernet addresses correctly for nested vlans.
+The reason is that in case of REORDER_HEADER flag being off,
+the outer vlan headers are put back and the mac_len is adjusted
+to account for the presense of the header. Then, the subsequent
+untag operation, for the next level vlan, always use VLAN_ETH_HLEN
+to locate the begining of the ethernet header and that ends up
+being a multiple of 4 bytes short of the actuall beginning
+of the mac header (the multiple depending on the how many vlan
+encapsulations ethere are).
+
+As a reslult, if there are multiple levles of vlan devices
+with REODER_HEADER being off, the recevied packets end up
+being dropped.
+
+To solve this, we use skb->mac_len as the offset. The value
+is always set on receive path and starts out as a ETH_HLEN.
+The value is also updated when the vlan header manupations occur
+so we know it will be correct.
+
+Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3997,7 +3997,8 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }