--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 15 Nov 2014 02:11:59 +0300
+Subject: ieee802154: fix error handling in ieee802154fake_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 8c2dd54485ccee7fc4086611e188478584758c8d ]
+
+In case of any failure ieee802154fake_probe() just calls unregister_netdev().
+But it does not look safe to unregister netdevice before it was registered.
+
+The patch implements straightforward resource deallocation in case of
+failure in ieee802154fake_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/fakehard.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ieee802154/fakehard.c
++++ b/drivers/net/ieee802154/fakehard.c
+@@ -376,17 +376,20 @@ static int ieee802154fake_probe(struct p
+
+ err = wpan_phy_register(phy);
+ if (err)
+- goto out;
++ goto err_phy_reg;
+
+ err = register_netdev(dev);
+- if (err < 0)
+- goto out;
++ if (err)
++ goto err_netdev_reg;
+
+ dev_info(&pdev->dev, "Added ieee802154 HardMAC hardware\n");
+ return 0;
+
+-out:
+- unregister_netdev(dev);
++err_netdev_reg:
++ wpan_phy_unregister(phy);
++err_phy_reg:
++ free_netdev(dev);
++ wpan_phy_free(phy);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Vincent BENAYOUN <vincent.benayoun@trust-in-soft.com>
+Date: Thu, 13 Nov 2014 13:47:26 +0100
+Subject: inetdevice: fixed signed integer overflow
+
+From: Vincent BENAYOUN <vincent.benayoun@trust-in-soft.com>
+
+[ Upstream commit 84bc88688e3f6ef843aa8803dbcd90168bb89faf ]
+
+There could be a signed overflow in the following code.
+
+The expression, (32-logmask) is comprised between 0 and 31 included.
+It may be equal to 31.
+In such a case the left shift will produce a signed integer overflow.
+According to the C99 Standard, this is an undefined behavior.
+A simple fix is to replace the signed int 1 with the unsigned int 1U.
+
+Signed-off-by: Vincent BENAYOUN <vincent.benayoun@trust-in-soft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/inetdevice.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -261,7 +261,7 @@ static inline void in_dev_put(struct in_
+ static __inline__ __be32 inet_make_mask(int logmask)
+ {
+ if (logmask)
+- return htonl(~((1<<(32-logmask))-1));
++ return htonl(~((1U<<(32-logmask))-1));
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 14 Nov 2014 13:14:32 +0200
+Subject: ipv4: Fix incorrect error code when adding an unreachable route
+
+From: Panu Matilainen <pmatilai@redhat.com>
+
+[ Upstream commit 49dd18ba4615eaa72f15c9087dea1c2ab4744cf5 ]
+
+Trying to add an unreachable route incorrectly returns -ESRCH if
+if custom FIB rules are present:
+
+[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4
+RTNETLINK answers: Network is unreachable
+[root@localhost ~]# ip rule add to 55.66.77.88 table 200
+[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4
+RTNETLINK answers: No such process
+[root@localhost ~]#
+
+Commit 83886b6b636173b206f475929e58fac75c6f2446 ("[NET]: Change "not found"
+return value for rule lookup") changed fib_rules_lookup()
+to use -ESRCH as a "not found" code internally, but for user space it
+should be translated into -ENETUNREACH. Handle the translation centrally in
+ipv4-specific fib_lookup(), leaving the DECnet case alone.
+
+On a related note, commit b7a71b51ee37d919e4098cd961d59a883fd272d8
+("ipv4: removed redundant conditional") removed a similar translation from
+ip_route_input_slow() prematurely AIUI.
+
+Fixes: b7a71b51ee37 ("ipv4: removed redundant conditional")
+Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_rules.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -62,6 +62,10 @@ int __fib_lookup(struct net *net, struct
+ else
+ res->tclassid = 0;
+ #endif
++
++ if (err == -ESRCH)
++ err = -ENETUNREACH;
++
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(__fib_lookup);
--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Jiri Bohac <jbohac@suse.cz>
+Date: Wed, 19 Nov 2014 23:05:49 +0100
+Subject: ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
+
+From: Jiri Bohac <jbohac@suse.cz>
+
+[ Upstream commit 01462405f0c093b2f8dfddafcadcda6c9e4c5cdf ]
+
+This fixes an old regression introduced by commit
+b0d0d915 (ipx: remove the BKL).
+
+When a recvmsg syscall blocks waiting for new data, no data can be sent on the
+same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.
+
+This breaks mars-nwe (NetWare emulator):
+- the ncpserv process reads the request using recvmsg
+- ncpserv forks and spawns nwconn
+- ncpserv calls a (blocking) recvmsg and waits for new requests
+- nwconn deadlocks in sendmsg on the same socket
+
+Commit b0d0d915 has simply replaced BKL locking with
+lock_sock/release_sock. Unlike now, BKL got unlocked while
+sleeping, so a blocking recvmsg did not block a concurrent
+sendmsg.
+
+Only keep the socket locked while actually working with the socket data and
+release it prior to calling skb_recv_datagram().
+
+Signed-off-by: Jiri Bohac <jbohac@suse.cz>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipx/af_ipx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1778,6 +1778,7 @@ static int ipx_recvmsg(struct kiocb *ioc
+ struct ipxhdr *ipx = NULL;
+ struct sk_buff *skb;
+ int copied, rc;
++ bool locked = true;
+
+ lock_sock(sk);
+ /* put the autobinding in */
+@@ -1804,6 +1805,8 @@ static int ipx_recvmsg(struct kiocb *ioc
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
+
++ release_sock(sk);
++ locked = false;
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &rc);
+ if (!skb)
+@@ -1837,7 +1840,8 @@ static int ipx_recvmsg(struct kiocb *ioc
+ out_free:
+ skb_free_datagram(sk, skb);
+ out:
+- release_sock(sk);
++ if (locked)
++ release_sock(sk);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 19 Nov 2014 18:05:26 +0100
+Subject: pptp: fix stack info leak in pptp_getname()
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit a5f6fc28d6e6cc379c6839f21820e62262419584 ]
+
+pptp_getname() only partially initializes the stack variable sa,
+particularly only fills the pptp part of the sa_addr union. The code
+thereby discloses 16 bytes of kernel stack memory via getsockname().
+
+Fix this by memset(0)'ing the union before.
+
+Cc: Dmitry Kozlov <xeb@mail.ru>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -506,7 +506,9 @@ static int pptp_getname(struct socket *s
+ int len = sizeof(struct sockaddr_pppox);
+ struct sockaddr_pppox sp;
+
+- sp.sa_family = AF_PPPOX;
++ memset(&sp.sa_addr, 0, sizeof(sp.sa_addr));
++
++ sp.sa_family = AF_PPPOX;
+ sp.sa_protocol = PX_PROTO_PPTP;
+ sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr;
+
--- /dev/null
+From foo@baz Wed Dec 3 17:07:11 PST 2014
+From: Martin Hauke <mardnh@gmx.de>
+Date: Sun, 16 Nov 2014 19:55:25 +0100
+Subject: qmi_wwan: Add support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Hauke <mardnh@gmx.de>
+
+[ Upstream commit bb2bdeb83fb125c95e47fc7eca2a3e8f868e2a74 ]
+
+Added the USB VID/PID for the HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e)
+
+Signed-off-by: Martin Hauke <mardnh@gmx.de>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -756,6 +756,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
+ {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x03f0, 0x581d, 4)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
x86-require-exact-match-for-noxsave-command-line-option.patch
x86-mm-set-nx-across-entire-pmd-at-boot.patch
uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
+sparc64-fix-constraints-on-swab-helpers.patch
+inetdevice-fixed-signed-integer-overflow.patch
+ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch
+ieee802154-fix-error-handling-in-ieee802154fake_probe.patch
+qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch
+pptp-fix-stack-info-leak-in-pptp_getname.patch
+ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch
--- /dev/null
+From 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 16 Nov 2014 13:19:32 -0800
+Subject: sparc64: Fix constraints on swab helpers.
+
+[ Upstream commit 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 ]
+
+We are reading the memory location, so we have to have a memory
+constraint in there purely for the sake of showing the data flow
+to the compiler.
+
+Reported-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/include/uapi/asm/swab.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/sparc/include/uapi/asm/swab.h
++++ b/arch/sparc/include/uapi/asm/swab.h
+@@ -9,9 +9,9 @@ static inline __u16 __arch_swab16p(const
+ {
+ __u16 ret;
+
+- __asm__ __volatile__ ("lduha [%1] %2, %0"
++ __asm__ __volatile__ ("lduha [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab16p __arch_swab16p
+@@ -20,9 +20,9 @@ static inline __u32 __arch_swab32p(const
+ {
+ __u32 ret;
+
+- __asm__ __volatile__ ("lduwa [%1] %2, %0"
++ __asm__ __volatile__ ("lduwa [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab32p __arch_swab32p
+@@ -31,9 +31,9 @@ static inline __u64 __arch_swab64p(const
+ {
+ __u64 ret;
+
+- __asm__ __volatile__ ("ldxa [%1] %2, %0"
++ __asm__ __volatile__ ("ldxa [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab64p __arch_swab64p
projects / thirdparty / kernel / stable-queue.git / commitdiff
