3.10-stable patches

added patches:
	arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
	arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
	arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
	ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
	irda-precedence-bug-in-irlmp_seq_hb_idx.patch
	net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
	net-fix-a-race-in-dst_release.patch
	net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
	ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
	rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
	rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
	series
	stmmac-correctly-report-ptp-capabilities.patch
	virtio-net-drop-netif_f_fraglist.patch

diff --git a/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch b/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
new file mode 100644 (file)
index 0000000..1bc2ad4
--- /dev/null
+++ b/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
@@ -0,0 +1,42 @@
+From 371f0f085f629fc0f66695f572373ca4445a67ad Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Fri, 28 Aug 2015 09:41:39 +0100
+Subject: ARM: 8426/1: dma-mapping: add missing range check in dma_mmap()
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 371f0f085f629fc0f66695f572373ca4445a67ad upstream.
+
+dma_mmap() function in IOMMU-based dma-mapping implementation lacked
+a check for valid range of mmap parameters (offset and buffer size), what
+might have caused access beyond the allocated buffer. This patch fixes
+this issue.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/dma-mapping.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1355,12 +1355,17 @@ static int arm_iommu_mmap_attrs(struct d
+       unsigned long uaddr = vma->vm_start;
+       unsigned long usize = vma->vm_end - vma->vm_start;
+       struct page **pages = __iommu_get_pages(cpu_addr, attrs);
++      unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT;
++      unsigned long off = vma->vm_pgoff;
+ 
+       vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot);
+ 
+       if (!pages)
+               return -ENXIO;
+ 
++      if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off)
++              return -ENXIO;
++
+       do {
+               int ret = vm_insert_page(vma, uaddr, *pages++);
+               if (ret) {

diff --git a/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch b/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
new file mode 100644 (file)
index 0000000..dfdb3c7
--- /dev/null
+++ b/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
@@ -0,0 +1,33 @@
+From 7e31210349e9e03a9a4dff31ab5f2bc83e8e84f5 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Fri, 28 Aug 2015 09:42:09 +0100
+Subject: ARM: 8427/1: dma-mapping: add support for offset parameter in dma_mmap()
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 7e31210349e9e03a9a4dff31ab5f2bc83e8e84f5 upstream.
+
+IOMMU-based dma_mmap() implementation lacked proper support for offset
+parameter used in mmap call (it always assumed that mapping starts from
+offset zero). This patch adds support for offset parameter to IOMMU-based
+implementation.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/dma-mapping.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1366,6 +1366,8 @@ static int arm_iommu_mmap_attrs(struct d
+       if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off)
+               return -ENXIO;
+ 
++      pages += off;
++
+       do {
+               int ret = vm_insert_page(vma, uaddr, *pages++);
+               if (ret) {

diff --git a/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch b/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
new file mode 100644 (file)
index 0000000..17a8b65
--- /dev/null
+++ b/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
@@ -0,0 +1,36 @@
+From d836ace65ee98d7079bc3c5afdbcc0e27dca20a3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sat, 3 Oct 2015 13:03:47 -0700
+Subject: ARM: orion: Fix DSA platform device after mvmdio conversion
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit d836ace65ee98d7079bc3c5afdbcc0e27dca20a3 upstream.
+
+DSA expects the host_dev pointer to be the device structure associated
+with the MDIO bus controller driver. First commit breaking that was
+c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO
+driver"), and then, it got completely under the radar for a while.
+
+Reported-by: Frans van de Wiel <fvdw@fvdw.eu>
+Fixes: c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arm/plat-orion/common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/plat-orion/common.c
++++ b/arch/arm/plat-orion/common.c
+@@ -498,7 +498,7 @@ void __init orion_ge00_switch_init(struc
+ 
+       d->netdev = &orion_ge00.dev;
+       for (i = 0; i < d->nr_chips; i++)
+-              d->chip[i].mii_bus = &orion_ge00_shared.dev;
++              d->chip[i].mii_bus = &orion_ge_mvmdio.dev;
+       orion_switch_device.dev.platform_data = d;
+ 
+       platform_device_register(&orion_switch_device);

diff --git a/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch b/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
new file mode 100644 (file)
index 0000000..2f6958c
--- /dev/null
+++ b/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
@@ -0,0 +1,75 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Ani Sinha <ani@arista.com>
+Date: Fri, 30 Oct 2015 16:54:31 -0700
+Subject: ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context.
+
+From: Ani Sinha <ani@arista.com>
+
+[ Upstream commit 44f49dd8b5a606870a1f21101522a0f9c4414784 ]
+
+Fixes the following kernel BUG :
+
+BUG: using __this_cpu_add() in preemptible [00000000] code: bash/2758
+caller is __this_cpu_preempt_check+0x13/0x15
+CPU: 0 PID: 2758 Comm: bash Tainted: P           O   3.18.19 #2
+ ffffffff8170eaca ffff880110d1b788 ffffffff81482b2a 0000000000000000
+ 0000000000000000 ffff880110d1b7b8 ffffffff812010ae ffff880007cab800
+ ffff88001a060800 ffff88013a899108 ffff880108b84240 ffff880110d1b7c8
+Call Trace:
+[<ffffffff81482b2a>] dump_stack+0x52/0x80
+[<ffffffff812010ae>] check_preemption_disabled+0xce/0xe1
+[<ffffffff812010d4>] __this_cpu_preempt_check+0x13/0x15
+[<ffffffff81419d60>] ipmr_queue_xmit+0x647/0x70c
+[<ffffffff8141a154>] ip_mr_forward+0x32f/0x34e
+[<ffffffff8141af76>] ip_mroute_setsockopt+0xe03/0x108c
+[<ffffffff810553fc>] ? get_parent_ip+0x11/0x42
+[<ffffffff810e6974>] ? pollwake+0x4d/0x51
+[<ffffffff81058ac0>] ? default_wake_function+0x0/0xf
+[<ffffffff810553fc>] ? get_parent_ip+0x11/0x42
+[<ffffffff810613d9>] ? __wake_up_common+0x45/0x77
+[<ffffffff81486ea9>] ? _raw_spin_unlock_irqrestore+0x1d/0x32
+[<ffffffff810618bc>] ? __wake_up_sync_key+0x4a/0x53
+[<ffffffff8139a519>] ? sock_def_readable+0x71/0x75
+[<ffffffff813dd226>] do_ip_setsockopt+0x9d/0xb55
+[<ffffffff81429818>] ? unix_seqpacket_sendmsg+0x3f/0x41
+[<ffffffff813963fe>] ? sock_sendmsg+0x6d/0x86
+[<ffffffff813959d4>] ? sockfd_lookup_light+0x12/0x5d
+[<ffffffff8139650a>] ? SyS_sendto+0xf3/0x11b
+[<ffffffff810d5738>] ? new_sync_read+0x82/0xaa
+[<ffffffff813ddd19>] compat_ip_setsockopt+0x3b/0x99
+[<ffffffff813fb24a>] compat_raw_setsockopt+0x11/0x32
+[<ffffffff81399052>] compat_sock_common_setsockopt+0x18/0x1f
+[<ffffffff813c4d05>] compat_SyS_setsockopt+0x1a9/0x1cf
+[<ffffffff813c4149>] compat_SyS_socketcall+0x180/0x1e3
+[<ffffffff81488ea1>] cstar_dispatch+0x7/0x1e
+
+Signed-off-by: Ani Sinha <ani@arista.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipmr.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1672,8 +1672,8 @@ static inline int ipmr_forward_finish(st
+ {
+       struct ip_options *opt = &(IPCB(skb)->opt);
+ 
+-      IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
+-      IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
++      IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
++      IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
+ 
+       if (unlikely(opt->optlen))
+               ip_forward_options(skb);
+@@ -1735,7 +1735,7 @@ static void ipmr_queue_xmit(struct net *
+                * to blackhole.
+                */
+ 
+-              IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
++              IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
+               ip_rt_put(rt);
+               goto out_free;
+       }

diff --git a/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch b/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch
new file mode 100644 (file)
index 0000000..82389ab
--- /dev/null
+++ b/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch
@@ -0,0 +1,34 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 19 Oct 2015 13:16:49 +0300
+Subject: irda: precedence bug in irlmp_seq_hb_idx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ]
+
+This is decrementing the pointer, instead of the value stored in the
+pointer.  KASan detects it as an out of bounds reference.
+
+Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/irlmp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/irda/irlmp.c
++++ b/net/irda/irlmp.c
+@@ -1876,7 +1876,7 @@ static void *irlmp_seq_hb_idx(struct irl
+       for (element = hashbin_get_first(iter->hashbin);
+            element != NULL;
+            element = hashbin_get_next(iter->hashbin)) {
+-              if (!off || *off-- == 0) {
++              if (!off || (*off)-- == 0) {
+                       /* NB: hashbin left locked */
+                       return element;
+               }

diff --git a/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch b/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
new file mode 100644 (file)
index 0000000..c1dd04c
--- /dev/null
+++ b/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 2 Nov 2015 07:50:07 -0800
+Subject: net: avoid NULL deref in inet_ctl_sock_destroy()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ]
+
+Under low memory conditions, tcp_sk_init() and icmp_sk_init()
+can both iterate on all possible cpus and call inet_ctl_sock_destroy(),
+with eventual NULL pointer.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_common.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/inet_common.h
++++ b/include/net/inet_common.h
+@@ -40,7 +40,8 @@ extern int inet_ctl_sock_create(struct s
+ 
+ static inline void inet_ctl_sock_destroy(struct sock *sk)
+ {
+-      sk_release_kernel(sk);
++      if (sk)
++              sk_release_kernel(sk);
+ }
+ 
+ #endif

diff --git a/queue-3.10/net-fix-a-race-in-dst_release.patch b/queue-3.10/net-fix-a-race-in-dst_release.patch
new file mode 100644 (file)
index 0000000..dcad437
--- /dev/null
+++ b/queue-3.10/net-fix-a-race-in-dst_release.patch
@@ -0,0 +1,34 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 9 Nov 2015 17:51:23 -0800
+Subject: net: fix a race in dst_release()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ]
+
+Only cpu seeing dst refcount going to 0 can safely
+dereference dst->flags.
+
+Otherwise an other cpu might already have freed the dst.
+
+Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+Reported-by: Greg Thelen <gthelen@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dst.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -283,7 +283,7 @@ void dst_release(struct dst_entry *dst)
+ 
+               newrefcnt = atomic_dec_return(&dst->__refcnt);
+               WARN_ON(newrefcnt < 0);
+-              if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt)
++              if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
+                       call_rcu(&dst->rcu_head, dst_destroy_rcu);
+       }
+ }

diff --git a/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch b/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
new file mode 100644 (file)
index 0000000..db8b014
--- /dev/null
+++ b/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
@@ -0,0 +1,62 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Carol L Soto <clsoto@linux.vnet.ibm.com>
+Date: Tue, 27 Oct 2015 17:36:20 +0200
+Subject: net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
+
+From: Carol L Soto <clsoto@linux.vnet.ibm.com>
+
+[ Upstream commit c02b05011fadf8e409e41910217ca689f2fc9d91 ]
+
+When doing memcpy/memset of EQEs, we should use sizeof struct
+mlx4_eqe as the base size and not caps.eqe_size which could be bigger.
+
+If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
+data in the master context.
+
+When using a 64 byte stride, the memcpy copied over 63 bytes to the
+slave_eq structure.  This resulted in copying over the entire eqe of
+interest, including its ownership bit -- and also 31 bytes of garbage
+into the next WQE in the slave EQ -- which did NOT include the ownership
+bit (and therefore had no impact).
+
+However, once the stride is increased to 128, we are overwriting the
+ownership bits of *three* eqes in the slave_eq struct.  This results
+in an incorrect ownership bit for those eqes, which causes the eq to
+seem to be full. The issue therefore surfaced only once 128-byte EQEs
+started being used in SRIOV and (overarchitectures that have 128/256
+byte cache-lines such as PPC) - e.g after commit 77507aa249ae
+"net/mlx4_core: Enable CQE/EQE stride support".
+
+Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
+Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/cmd.c |    2 +-
+ drivers/net/ethernet/mellanox/mlx4/eq.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+@@ -1836,7 +1836,7 @@ int mlx4_multi_func_init(struct mlx4_dev
+                       spin_lock_init(&s_state->lock);
+               }
+ 
+-              memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size);
++              memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe));
+               priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD;
+               INIT_WORK(&priv->mfunc.master.comm_work,
+                         mlx4_master_comm_channel);
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -183,7 +183,7 @@ static void slave_event(struct mlx4_dev
+               return;
+       }
+ 
+-      memcpy(s_eqe, eqe, dev->caps.eqe_size - 1);
++      memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);
+       s_eqe->slave_id = slave;
+       /* ensure all information is written before setting the ownersip bit */
+       wmb();

diff --git a/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch b/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
new file mode 100644 (file)
index 0000000..d1cf6d1
--- /dev/null
+++ b/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
@@ -0,0 +1,37 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 22 Oct 2015 16:57:10 +0200
+Subject: ppp: fix pppoe_dev deletion condition in pppoe_release()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 1acea4f6ce1b1c0941438aca75dd2e5c6b09db60 ]
+
+We can't rely on PPPOX_ZOMBIE to decide whether to clear po->pppoe_dev.
+PPPOX_ZOMBIE can be set by pppoe_disc_rcv() even when po->pppoe_dev is
+NULL. So we have no guarantee that (sk->sk_state & PPPOX_ZOMBIE) implies
+(po->pppoe_dev != NULL).
+Since we're releasing a PPPoE socket, we want to release the pppoe_dev
+if it exists and reset sk_state to PPPOX_DEAD, no matter the previous
+value of sk_state. So we can just check for po->pppoe_dev and avoid any
+assumption on sk->sk_state.
+
+Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -569,7 +569,7 @@ static int pppoe_release(struct socket *
+ 
+       po = pppox_sk(sk);
+ 
+-      if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
++      if (po->pppoe_dev) {
+               dev_put(po->pppoe_dev);
+               po->pppoe_dev = NULL;
+       }

diff --git a/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch b/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
new file mode 100644 (file)
index 0000000..6de2826
--- /dev/null
+++ b/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 26 Oct 2015 12:46:37 -0400
+Subject: RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv
+
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+
+[ Upstream commit 8ce675ff39b9958d1c10f86cf58e357efaafc856 ]
+
+Either of pskb_pull() or pskb_trim() may fail under low memory conditions.
+If rds_tcp_data_recv() ignores such failures, the application will
+receive corrupted data because the skb has not been correctly
+carved to the RDS datagram size.
+
+Avoid this by handling pskb_pull/pskb_trim failure in the same
+manner as the skb_clone failure: bail out of rds_tcp_data_recv(), and
+retry via the deferred call to rds_send_worker() that gets set up on
+ENOMEM from rds_tcp_read_sock()
+
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp_recv.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/rds/tcp_recv.c
++++ b/net/rds/tcp_recv.c
+@@ -234,8 +234,15 @@ static int rds_tcp_data_recv(read_descri
+                       }
+ 
+                       to_copy = min(tc->t_tinc_data_rem, left);
+-                      pskb_pull(clone, offset);
+-                      pskb_trim(clone, to_copy);
++                      if (!pskb_pull(clone, offset) ||
++                          pskb_trim(clone, to_copy)) {
++                              pr_warn("rds_tcp_data_recv: pull/trim failed "
++                                      "left %zu data_rem %zu skb_len %d\n",
++                                      left, tc->t_tinc_data_rem, skb->len);
++                              kfree_skb(clone);
++                              desc->error = -ENOMEM;
++                              goto out;
++                      }
+                       skb_queue_tail(&tinc->ti_skb_list, clone);
+ 
+                       rdsdebug("skb %p data %p len %d off %u to_copy %zu -> "

diff --git a/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch b/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
new file mode 100644 (file)
index 0000000..ab11617
--- /dev/null
+++ b/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
@@ -0,0 +1,78 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue, 8 Sep 2015 10:53:40 -0400
+Subject: RDS: verify the underlying transport exists before creating a connection
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+[ Upstream commit 74e98eb085889b0d2d4908f59f6e00026063014f ]
+
+There was no verification that an underlying transport exists when creating
+a connection, this would cause dereferencing a NULL ptr.
+
+It might happen on sockets that weren't properly bound before attempting to
+send a message, which will cause a NULL ptr deref:
+
+[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[135546.051270] Modules linked in:
+[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+[135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
+[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+[135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+[135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+[135546.064723] Stack:
+[135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+[135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+[135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+[135546.068629] Call Trace:
+[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+[135546.071981] rds_sendmsg (net/rds/send.c:1058)
+[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+[135546.076349] ? __might_fault (mm/memory.c:3795)
+[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+[135546.078856] SYSC_sendto (net/socket.c:1657)
+[135546.079596] ? SYSC_connect (net/socket.c:1628)
+[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/connection.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -177,6 +177,12 @@ static struct rds_connection *__rds_conn
+               }
+       }
+ 
++      if (trans == NULL) {
++              kmem_cache_free(rds_conn_slab, conn);
++              conn = ERR_PTR(-ENODEV);
++              goto out;
++      }
++
+       conn->c_trans = trans;
+ 
+       ret = trans->conn_alloc(conn, gfp);

diff --git a/queue-3.10/series b/queue-3.10/series
new file mode 100644 (file)
index 0000000..d9e7c56
--- /dev/null
+++ b/queue-3.10/series
@@ -0,0 +1,13 @@
+irda-precedence-bug-in-irlmp_seq_hb_idx.patch
+ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
+rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
+net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
+stmmac-correctly-report-ptp-capabilities.patch
+ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
+net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
+net-fix-a-race-in-dst_release.patch
+virtio-net-drop-netif_f_fraglist.patch
+rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
+arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
+arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
+arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch

diff --git a/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch b/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch
new file mode 100644 (file)
index 0000000..c4e61db
--- /dev/null
+++ b/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Phil Reid <preid@electromag.com.au>
+Date: Fri, 30 Oct 2015 16:43:55 +0800
+Subject: stmmac: Correctly report PTP capabilities.
+
+From: Phil Reid <preid@electromag.com.au>
+
+[ Upstream commit e6dbe1eb2db0d7a14991c06278dd3030c45fb825 ]
+
+priv->hwts_*_en indicate if timestamping is enabled/disabled at run
+time. But  priv->dma_cap.time_stamp  and priv->dma_cap.atime_stamp
+indicates HW is support for PTPv1/PTPv2.
+
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -731,10 +731,13 @@ static int stmmac_get_ts_info(struct net
+ {
+       struct stmmac_priv *priv = netdev_priv(dev);
+ 
+-      if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) {
++      if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) {
+ 
+-              info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
++              info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE |
++                                      SOF_TIMESTAMPING_TX_HARDWARE |
++                                      SOF_TIMESTAMPING_RX_SOFTWARE |
+                                       SOF_TIMESTAMPING_RX_HARDWARE |
++                                      SOF_TIMESTAMPING_SOFTWARE |
+                                       SOF_TIMESTAMPING_RAW_HARDWARE;
+ 
+               if (priv->ptp_clock)

diff --git a/queue-3.10/virtio-net-drop-netif_f_fraglist.patch b/queue-3.10/virtio-net-drop-netif_f_fraglist.patch
new file mode 100644 (file)
index 0000000..9c7fc10
--- /dev/null
+++ b/queue-3.10/virtio-net-drop-netif_f_fraglist.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Dec  5 21:18:34 PST 2015
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1545,9 +1545,9 @@ static int virtnet_probe(struct virtio_d
+       /* Do we support "hardware" checksums? */
+       if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+               /* This opens up the world of extra features. */
+-              dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++              dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+               if (csum)
+-                      dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++                      dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ 
+               if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+                       dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO