--- /dev/null
+From nicolas.dichtel@6wind.com Wed Dec 18 12:35:05 2013
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 13 Dec 2013 10:06:35 +0100
+Subject: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
+To: netdev@vger.kernel.org, davem@davemloft.net
+Cc: gregkh@linuxfoundation.org, rostedt@goodmis.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, williams@redhat.com, linux-rt-users@vger.kernel.org, lclaudio@uudg.org, Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Message-ID: <1386925595-4995-1-git-send-email-nicolas.dichtel@6wind.com>
+
+
+The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
+(backported into linux-3.10.y) left a bug which was fixed upstream by commit
+1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
+
+The problem is a bit different in linux-3.10.y, because there is no x-netns
+support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
+When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
+and then we try to delete it again in ip6_tnl_destroy_tunnels().
+
+This patch removes the second deletion.
+
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1711,8 +1711,6 @@ static void __net_exit ip6_tnl_destroy_t
+ }
+ }
+
+- t = rtnl_dereference(ip6n->tnls_wc[0]);
+- unregister_netdevice_queue(t->dev, &list);
+ unregister_netdevice_many(&list);
+ }
+
--- /dev/null
+From 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 Mon Sep 17 00:00:00 2001
+From: Andy Adamson <andros@netapp.com>
+Date: Fri, 15 Nov 2013 16:36:16 -0500
+Subject: NFSv4 wait on recovery for async session errors
+
+From: Andy Adamson <andros@netapp.com>
+
+commit 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 upstream.
+
+When the state manager is processing the NFS4CLNT_DELEGRETURN flag, session
+draining is off, but DELEGRETURN can still get a session error.
+The async handler calls nfs4_schedule_session_recovery returns -EAGAIN, and
+the DELEGRETURN done then restarts the RPC task in the prepare state.
+With the state manager still processing the NFS4CLNT_DELEGRETURN flag with
+session draining off, these DELEGRETURNs will cycle with errors filling up the
+session slots.
+
+This prevents OPEN reclaims (from nfs_delegation_claim_opens) required by the
+NFS4CLNT_DELEGRETURN state manager processing from completing, hanging the
+state manager in the __rpc_wait_for_completion_task in nfs4_run_open_task
+as seen in this kernel thread dump:
+
+kernel: 4.12.32.53-ma D 0000000000000000 0 3393 2 0x00000000
+kernel: ffff88013995fb60 0000000000000046 ffff880138cc5400 ffff88013a9df140
+kernel: ffff8800000265c0 ffffffff8116eef0 ffff88013fc10080 0000000300000001
+kernel: ffff88013a4ad058 ffff88013995ffd8 000000000000fbc8 ffff88013a4ad058
+kernel: Call Trace:
+kernel: [<ffffffff8116eef0>] ? cache_alloc_refill+0x1c0/0x240
+kernel: [<ffffffffa0358110>] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc]
+kernel: [<ffffffffa0358152>] rpc_wait_bit_killable+0x42/0xa0 [sunrpc]
+kernel: [<ffffffff8152914f>] __wait_on_bit+0x5f/0x90
+kernel: [<ffffffffa0358110>] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc]
+kernel: [<ffffffff815291f8>] out_of_line_wait_on_bit+0x78/0x90
+kernel: [<ffffffff8109b520>] ? wake_bit_function+0x0/0x50
+kernel: [<ffffffffa035810d>] __rpc_wait_for_completion_task+0x2d/0x30 [sunrpc]
+kernel: [<ffffffffa040d44c>] nfs4_run_open_task+0x11c/0x160 [nfs]
+kernel: [<ffffffffa04114e7>] nfs4_open_recover_helper+0x87/0x120 [nfs]
+kernel: [<ffffffffa0411646>] nfs4_open_recover+0xc6/0x150 [nfs]
+kernel: [<ffffffffa040cc6f>] ? nfs4_open_recoverdata_alloc+0x2f/0x60 [nfs]
+kernel: [<ffffffffa0414e1a>] nfs4_open_delegation_recall+0x6a/0xa0 [nfs]
+kernel: [<ffffffffa0424020>] nfs_end_delegation_return+0x120/0x2e0 [nfs]
+kernel: [<ffffffff8109580f>] ? queue_work+0x1f/0x30
+kernel: [<ffffffffa0424347>] nfs_client_return_marked_delegations+0xd7/0x110 [nfs]
+kernel: [<ffffffffa04225d8>] nfs4_run_state_manager+0x548/0x620 [nfs]
+kernel: [<ffffffffa0422090>] ? nfs4_run_state_manager+0x0/0x620 [nfs]
+kernel: [<ffffffff8109b0f6>] kthread+0x96/0xa0
+kernel: [<ffffffff8100c20a>] child_rip+0xa/0x20
+kernel: [<ffffffff8109b060>] ? kthread+0x0/0xa0
+kernel: [<ffffffff8100c200>] ? child_rip+0x0/0x20
+
+The state manager can not therefore process the DELEGRETURN session errors.
+Change the async handler to wait for recovery on session errors.
+
+Signed-off-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4222,8 +4222,7 @@ nfs4_async_handle_error(struct rpc_task
+ dprintk("%s ERROR %d, Reset session\n", __func__,
+ task->tk_status);
+ nfs4_schedule_session_recovery(clp->cl_session, task->tk_status);
+- task->tk_status = 0;
+- return -EAGAIN;
++ goto wait_on_recovery;
+ #endif /* CONFIG_NFS_V4_1 */
+ case -NFS4ERR_DELAY:
+ nfs_inc_server_stats(server, NFSIOS_DELAY);
--- /dev/null
+From foo@baz Wed Dec 18 12:40:45 PST 2013
+Date: Wed, 18 Dec 2013 12:40:45 -0800
+To: Greg KH <gregkh@linuxfoundation.org>
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Subject: Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST"
+
+It turns out that commit: d3f7d56a7a4671d395e8af87071068a195257bf6 was
+applied to the tree twice, which didn't hurt anything, but it's good to
+fix this up.
+
+Reported-by: Veaceslav Falico <veaceslav@falico.eu>
+
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Shawn Landden <shawnlandden@gmail.com>
+Cc: Tom Herbert <therbert@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c | 3 ---
+ crypto/algif_skcipher.c | 3 ---
+ net/ipv4/udp.c | 3 ---
+ 3 files changed, 9 deletions(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -117,9 +117,6 @@ static ssize_t hash_sendpage(struct sock
+ if (flags & MSG_SENDPAGE_NOTLAST)
+ flags |= MSG_MORE;
+
+- if (flags & MSG_SENDPAGE_NOTLAST)
+- flags |= MSG_MORE;
+-
+ lock_sock(sk);
+ sg_init_table(ctx->sgl.sg, 1);
+ sg_set_page(ctx->sgl.sg, page, size, offset);
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -381,9 +381,6 @@ static ssize_t skcipher_sendpage(struct
+ if (flags & MSG_SENDPAGE_NOTLAST)
+ flags |= MSG_MORE;
+
+- if (flags & MSG_SENDPAGE_NOTLAST)
+- flags |= MSG_MORE;
+-
+ lock_sock(sk);
+ if (!ctx->more && ctx->used)
+ goto unlock;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1073,9 +1073,6 @@ int udp_sendpage(struct sock *sk, struct
+ if (flags & MSG_SENDPAGE_NOTLAST)
+ flags |= MSG_MORE;
+
+- if (flags & MSG_SENDPAGE_NOTLAST)
+- flags |= MSG_MORE;
+-
+ if (!up->pending) {
+ struct msghdr msg = { .msg_flags = flags|MSG_MORE };
+
--- /dev/null
+From dace8bbfccfd9e4fcccfffcfbd82881fda3e756f Mon Sep 17 00:00:00 2001
+From: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date: Wed, 4 Dec 2013 15:31:52 +0000
+Subject: sc1200_wdt: Fix oops
+
+From: Alan <gnomes@lxorguk.ukuu.org.uk>
+
+commit dace8bbfccfd9e4fcccfffcfbd82881fda3e756f upstream.
+
+If loaded with isapnp = 0 the driver explodes. This is catching
+people out now and then. What should happen in the working case is
+a complete mystery and the code appears terminally confused, but we
+can at least make the error path work properly.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Partially-Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=53991
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/sc1200wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/sc1200wdt.c
++++ b/drivers/watchdog/sc1200wdt.c
+@@ -409,8 +409,9 @@ static int __init sc1200wdt_init(void)
+ #if defined CONFIG_PNP
+ /* now that the user has specified an IO port and we haven't detected
+ * any devices, disable pnp support */
++ if (isapnp)
++ pnp_unregister_driver(&scl200wdt_pnp_driver);
+ isapnp = 0;
+- pnp_unregister_driver(&scl200wdt_pnp_driver);
+ #endif
+
+ if (!request_region(io, io_len, SC1200_MODULE_NAME)) {
staging-comedi-pcmuio-fix-possible-null-deref-on-detach.patch
staging-comedi-drivers-use-comedi_dio_update_state-for-simple-cases.patch
staging-comedi-ssv_dnp-use-comedi_dio_update_state.patch
+sc1200_wdt-fix-oops.patch
+nfsv4-wait-on-recovery-for-async-session-errors.patch
+ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch
+revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
