From: Greg Kroah-Hartman
Date: Sun, 17 Apr 2016 09:49:32 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.67~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a41e360fe119b7f0e020d1adbc76d5ca41aabaa;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
ath9k-fix-buffer-overrun-for-ar9287.patch
cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
farsync-fix-off-by-one-bug-in-fst_add_one.patch
ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
ipv4-fix-broadcast-packets-reception.patch
ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
net-jme-fix-suspend-resume-on-jmc260.patch
ppp-take-reference-on-channels-netns.patch
qlge-fix-receive-packets-drop.patch
qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
udp6-fix-udp-ipv6-encap-resubmit-path.patch
usbnet-cleanup-after-bind-in-probe.patch
---
diff --git a/queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch b/queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch
new file mode 100644
index 00000000000..8f757eb0207
--- /dev/null
+++ b/queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch
@@ -0,0 +1,71 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnd Bergmann
+Date: Mon, 14 Mar 2016 15:18:36 +0100
+Subject: ath9k: fix buffer overrun for ar9287
+Status: RO
+Content-Length: 2787
+Lines: 65
+
+From: Arnd Bergmann
+
+[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]
+
+Code that was added back in 2.6.38 has an obvious overflow
+when accessing a static array, and at the time it was added
+only a code comment was put in front of it as a reminder
+to have it reviewed properly.
+
+This has not happened, but gcc-6 now points to the specific
+overflow:
+
+drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
+drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
+ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
+
+It turns out that the correct array length exists in the local
+'intercepts' variable of this function, so we can just use that
+instead of hardcoding '4', so this patch changes all three
+instances to use that variable. The other two instances were
+already correct, but it's more consistent this way.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath9k/eeprom.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/eeprom.c
+@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+
+ if (match) {
+ if (AR_SREV_9287(ah)) {
+- /* FIXME: array overrun? */
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_9287[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_9287[idxL].pwrPdg[i],
+ data_9287[idxL].vpdPdg[i],
+@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+ } else if (eeprom_4k) {
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_4k[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_4k[idxL].pwrPdg[i],
+ data_4k[idxL].vpdPdg[i],
+@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+ } else {
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_def[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_def[idxL].pwrPdg[i],
+ data_def[idxL].vpdPdg[i],
diff --git a/queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch b/queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
new file mode 100644
index 00000000000..25c18575a07
--- /dev/null
+++ b/queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
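Review bot: With the `/* FIXME: array overrun? */` comment removed, nothing at the three `pwrPdg[i][intercepts - 1]` reads says why that index is in bounds. `intercepts` is assigned outside these hunks, so the reads are safe only while each branch sets it to the second dimension of its own `pwrPdg` array. I would add a short comment at the first loop, e.g. `/* intercepts is the column count of this chip's pwrPdg table, so [intercepts - 1] is the last valid entry */`, and keep the assignment next to the array type it mirrors. The function body starts and ends outside the hunks.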
@@ -0,0 +1,47 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Thu, 3 Mar 2016 22:20:53 +0100
+Subject: cdc_ncm: toggle altsetting to force reset before setup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 1321
+Lines: 38
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+
+[ Upstream commit 48906f62c96cc2cd35753e59310cb70eb08cc6a5 ]
+
+Some devices will silently fail setup unless they are reset first.
+This is necessary even if the data interface is already in
+altsetting 0, which it will be when the device is probed for the
+first time. Briefly toggling the altsetting forces a function
+reset regardless of the initial state.
+
+This fixes a setup problem observed on a number of Huawei devices,
+appearing to operate in NTB-32 mode even if we explicitly set them
+to NTB-16 mode.
+
+Signed-off-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ncm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -423,7 +423,11 @@ advance:
+
+ iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;
+
+- /* reset data interface */
++ /* Reset data interface. Some devices will not reset properly
++ * unless they are configured first. Toggle the altsetting to
++ * force a reset
++ */
++ usb_set_interface(dev->udev, iface_no, data_altsetting);
+ temp = usb_set_interface(dev->udev, iface_no, 0);
+ if (temp) {
+ dev_dbg(&intf->dev, "set interface failed\n");
diff --git a/queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch b/queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch
new file mode 100644
index 00000000000..50984b5983f
--- /dev/null
+++ b/queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch
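Review bot: The added `usb_set_interface(dev->udev, iface_no, data_altsetting);` discards its return value, while the call right after it is checked through `temp`. If ignoring a failure of the toggle is deliberate, say so in the comment, e.g. `/* best effort: result ignored on purpose, only the reset to altsetting 0 below is checked */`; otherwise report it with `dev_dbg` as the existing path does. The new comment also says "unless they are configured first", whereas the commit message says the devices must be reset first, so the wording is worth aligning. The surrounding function continues outside the hunk.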
@@ -0,0 +1,57 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnd Bergmann
+Date: Mon, 14 Mar 2016 15:18:35 +0100
+Subject: farsync: fix off-by-one bug in fst_add_one
+Status: RO
+Content-Length: 2352
+Lines: 51
+
+From: Arnd Bergmann
+
+[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]
+
+gcc-6 finds an out of bounds access in the fst_add_one function
+when calculating the end of the mmio area:
+
+drivers/net/wan/farsync.c: In function 'fst_add_one':
+drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
+ #define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
+ ^
+include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
+ __builtin_offsetof(a, b)
+ ^
+drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
+ #define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
+ ^~~~~~~~
+drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
+ ^~~~~~~~~~
+
+The warning is correct, but not critical because this appears
+to be a write-only variable that is set by each WAN driver but
+never accessed afterwards.
+
+I'm taking the minimal fix here, using the correct pointer by
+pointing 'mem_end' to the last byte inside of the register area
+as all other WAN drivers do, rather than the first byte outside of
+it. An alternative would be to just remove the mem_end member
+entirely.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wan/farsync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -2545,7 +2545,7 @@ fst_add_one(struct pci_dev *pdev, const
+ dev->mem_start = card->phys_mem
+ + BUF_OFFSET ( txBuffer[i][0][0]);
+ dev->mem_end = card->phys_mem
+- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
++ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]);
+ dev->base_addr = card->pci_conf;
+ dev->irq = card->irq;
+
diff --git a/queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch b/queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
new file mode 100644
index 00000000000..89d83483088
--- /dev/null
+++ b/queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
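Review bot: The new `mem_end` expression indexes `txBuffer` with `LEN_RX_BUFFER - 1`, an RX length constant applied to a TX array. The gcc message in the description gives the inner dimensions as `u8[2][8192]`, so the value presumably matches today, but the computed end address silently goes wrong if the two lengths ever differ. If the struct declares the array with a TX length constant (the declaration is outside the hunk), use it here instead: `+ BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_TX_BUFFER - 1]);`.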
@@ -0,0 +1,43 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Thadeu Lima de Souza Cascardo
+Date: Fri, 1 Apr 2016 17:17:50 -0300
+Subject: ip6_tunnel: set rtnl_link_ops before calling register_netdevice
+Status: RO
+Content-Length: 1146
+Lines: 37
+
+From: Thadeu Lima de Souza Cascardo
+
+[ Upstream commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 ]
+
+When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
+before ip6_tnl_create2 is called. When register_netdevice is called, there
+is no linkinfo attribute in the NEWLINK message because of that.
+
+Setting rtnl_link_ops before calling register_netdevice fixes that.
+
+Fixes: 0b112457229d ("ip6tnl: add support of link creation via rtnl")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -273,12 +273,12 @@ static int ip6_tnl_create2(struct net_de
+
+ t = netdev_priv(dev);
+
++ dev->rtnl_link_ops = &ip6_link_ops;
+ err = register_netdevice(dev);
+ if (err < 0)
+ goto out;
+
+ strcpy(t->parms.name, dev->name);
+- dev->rtnl_link_ops = &ip6_link_ops;
+
+ dev_hold(dev);
+ ip6_tnl_link(ip6n, t);
diff --git a/queue-3.14/ipv4-fix-broadcast-packets-reception.patch b/queue-3.14/ipv4-fix-broadcast-packets-reception.patch
new file mode 100644
index 00000000000..b2d5da116db
--- /dev/null
+++ b/queue-3.14/ipv4-fix-broadcast-packets-reception.patch
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Paolo Abeni
+Date: Tue, 22 Mar 2016 09:19:38 +0100
+Subject: ipv4: fix broadcast packets reception
+Status: RO
+Content-Length: 1329
+Lines: 43
+
+From: Paolo Abeni
+
+[ Upstream commit ad0ea1989cc4d5905941d0a9e62c63ad6d859cef ]
+
+Currently, ingress ipv4 broadcast datagrams are dropped since,
+in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
+bcast packets.
+
+This patch addresses the issue, invoking ip_check_mc_rcu()
+only for mcast packets.
+
+Fixes: 6e5403093261 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
+Signed-off-by: Paolo Abeni
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/udp.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1939,10 +1939,14 @@ void udp_v4_early_demux(struct sk_buff *
+ if (!in_dev)
+ return;
+
+- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+- iph->protocol);
+- if (!ours)
+- return;
++ /* we are supposed to accept bcast packets */
++ if (skb->pkt_type == PACKET_MULTICAST) {
++ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
++ iph->protocol);
++ if (!ours)
++ return;
++ }
++
+ sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
+ uh->source, iph->saddr, dif);
+ } else if (skb->pkt_type == PACKET_HOST) {
diff --git a/queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch b/queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
new file mode 100644
index 00000000000..e81b09f6c1c
--- /dev/null
+++ b/queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
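Review bot: The new comment `/* we are supposed to accept bcast packets */` does not say what the guard below it does: broadcast datagrams now skip `ip_check_mc_rcu()` entirely and go straight to `__udp4_lib_mcast_demux_lookup()`. I would spell that out, e.g. `/* group membership applies to multicast only; broadcast goes straight to the socket lookup */`. The enclosing branch condition is outside the hunk, so this assumes the block is entered for both broadcast and multicast packets, as the description implies.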
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Haishuang Yan
+Date: Sun, 3 Apr 2016 22:09:23 +0800
+Subject: ipv4: l2tp: fix a potential issue in l2tp_ip_recv
+Status: RO
+Content-Length: 1135
+Lines: 43
+
+From: Haishuang Yan
+
+[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ip.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *
+ struct l2tp_tunnel *tunnel = NULL;
+ int length;
+
+- /* Point to L2TP header */
+- optr = ptr = skb->data;
+-
+ if (!pskb_may_pull(skb, 4))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
+ session_id = ntohl(*((__be32 *) ptr));
+ ptr += 4;
+
+@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *
+ if (!pskb_may_pull(skb, length))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
++ ptr += 4;
+ pr_debug("%s: ip recv\n", tunnel->name);
+ print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+ }
diff --git a/queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch b/queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
new file mode 100644
index 00000000000..53a45244ca4
--- /dev/null
+++ b/queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
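Review bot: In the second hunk the debug dump starts at `skb->data + 4` but still prints `length` bytes, while the `pskb_may_pull(skb, length)` just above only guarantees `length` linear bytes from `skb->data`; the last four bytes of the dump are not covered by the pull. Either dump from `skb->data` itself or size the pull to what is printed; how `length` is computed is outside the hunk, so check it against `skb->len` before changing the bound. The copied comment `/* Point to L2TP header */` is also inaccurate at that spot, since `ptr += 4` moves past the 4-byte session id. The same lines are added to `l2tp_ip6_recv()` in net/l2tp/l2tp_ip6.c.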
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Haishuang Yan
+Date: Sun, 3 Apr 2016 22:09:24 +0800
+Subject: ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
+Status: RO
+Content-Length: 1142
+Lines: 43
+
+From: Haishuang Yan
+
+[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ip6.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff
+ struct l2tp_tunnel *tunnel = NULL;
+ int length;
+
+- /* Point to L2TP header */
+- optr = ptr = skb->data;
+-
+ if (!pskb_may_pull(skb, 4))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
+ session_id = ntohl(*((__be32 *) ptr));
+ ptr += 4;
+
+@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff
+ if (!pskb_may_pull(skb, length))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
++ ptr += 4;
+ pr_debug("%s: ip recv\n", tunnel->name);
+ print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+ }
diff --git a/queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch b/queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
new file mode 100644
index 00000000000..3f2861ac5a2
--- /dev/null
+++ b/queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Florian Westphal
+Date: Tue, 1 Mar 2016 16:15:16 +0100
+Subject: ipv6: re-enable fragment header matching in ipv6_find_hdr
+Status: RO
+Content-Length: 1469
+Lines: 44
+
+From: Florian Westphal
+
+[ Upstream commit 5d150a985520bbe3cb2aa1ceef24a7e32f20c15f ]
+
+When ipv6_find_hdr is used to find a fragment header
+(caller specifies target NEXTHDR_FRAGMENT) we erronously return
+-ENOENT for all fragments with nonzero offset.
+
+Before commit 9195bb8e381d, when target was specified, we did not
+enter the exthdr walk loop as nexthdr == target so this used to work.
+
+Now we do (so we can skip empty route headers). When we then stumble upon
+a frag with nonzero frag_off we must return -ENOENT ("header not found")
+only if the caller did not specifically request NEXTHDR_FRAGMENT.
+
+This allows nfables exthdr expression to match ipv6 fragments, e.g. via
+
+nft add rule ip6 filter input frag frag-off gt 0
+
+Fixes: 9195bb8e381d ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
+Signed-off-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/exthdrs_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *
+ *fragoff = _frag_off;
+ return hp->nexthdr;
+ }
+- return -ENOENT;
++ if (!found)
++ return -ENOENT;
++ if (fragoff)
++ *fragoff = _frag_off;
++ break;
+ }
+ hdrlen = 8;
+ } else if (nexthdr == NEXTHDR_AUTH) {
diff --git a/queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch b/queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
new file mode 100644
index 00000000000..97b32ecba5d
--- /dev/null
+++ b/queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
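Review bot: The new `if (!found) return -ENOENT;` path changes what callers get for non-first fragments, but nothing in the hunk documents the new contract. `found` is set outside the hunk; going by the description it is presumably true only when the caller asked for the fragment header itself. A comment above the check would help, e.g. `/* non-first fragment: only a caller that asked for the fragment header itself gets a match */`, and the function's header comment, if it lists return values, should mention that `*fragoff` is now filled in for this case too.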
@@ -0,0 +1,94 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnaldo Carvalho de Melo
+Date: Mon, 14 Mar 2016 09:56:35 -0300
+Subject: net: Fix use after free in the recvmmsg exit path
+Status: RO
+Content-Length: 2726
+Lines: 88
+
+From: Arnaldo Carvalho de Melo
+
+[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
+
+The syzkaller fuzzer hit the following use-after-free:
+
+ Call Trace:
+ [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
+ [] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
+ [< inline >] SYSC_recvmmsg net/socket.c:2281
+ [] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
+ [] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
+
+And, as Dmitry rightly assessed, that is because we can drop the
+reference and then touch it when the underlying recvmsg calls return
+some packets and then hit an error, which will make recvmmsg to set
+sock->sk->sk_err, oops, fix it.
+
+Reported-and-Tested-by: Dmitry Vyukov
+Cc: Alexander Potapenko
+Cc: Eric Dumazet
+Cc: Kostya Serebryany
+Cc: Sasha Levin
+Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
+http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/socket.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2400,31 +2400,31 @@ int __sys_recvmmsg(int fd, struct mmsghd
+ break;
+ }
+
+-out_put:
+- fput_light(sock->file, fput_needed);
+-
+ if (err == 0)
+- return datagrams;
++ goto out_put;
++
++ if (datagrams == 0) {
++ datagrams = err;
++ goto out_put;
++ }
+
+- if (datagrams != 0) {
++ /*
++ * We may return less entries than requested (vlen) if the
++ * sock is non block and there aren't enough datagrams...
++ */
++ if (err != -EAGAIN) {
+ /*
+- * We may return less entries than requested (vlen) if the
+- * sock is non block and there aren't enough datagrams...
++ * ... or if recvmsg returns an error after we
++ * received some datagrams, where we record the
++ * error to return on the next call or if the
++ * app asks about it using getsockopt(SO_ERROR).
+ */
+- if (err != -EAGAIN) {
+- /*
+- * ... or if recvmsg returns an error after we
+- * received some datagrams, where we record the
+- * error to return on the next call or if the
+- * app asks about it using getsockopt(SO_ERROR).
+- */
+- sock->sk->sk_err = -err;
+- }
+-
+- return datagrams;
++ sock->sk->sk_err = -err;
+ }
++out_put:
++ fput_light(sock->file, fput_needed);
+
+- return err;
++ return datagrams;
+ }
+
+ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
diff --git a/queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch b/queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch
new file mode 100644
index 00000000000..4e7df6c42e2
--- /dev/null
+++ b/queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch
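Review bot: After this change `datagrams` carries either the count of received messages or, through `datagrams = err;`, a negative errno, and the single `return datagrams;` returns both. That overloading is easy to misread in a function whose earlier part (outside the hunk) appears to use `datagrams` as a counter. A comment at the assignment, e.g. `/* nothing received: report the error itself */`, or a separate return variable would make the exit path clearer. It would also help to state at `out_put:` that `sock` must not be dereferenced after `fput_light()`, since that ordering is the bug being fixed.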
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Diego Viola
+Date: Tue, 23 Feb 2016 12:04:04 -0300
+Subject: net: jme: fix suspend/resume on JMC260
+Status: RO
+Content-Length: 1085
+Lines: 40
+
+From: Diego Viola
+
+[ Upstream commit ee50c130c82175eaa0820c96b6d3763928af2241 ]
+
+The JMC260 network card fails to suspend/resume because the call to
+jme_start_irq() was too early, moving the call to jme_start_irq() after
+the call to jme_reset_link() makes it work.
+
+Prior this change suspend/resume would fail unless /sys/power/pm_async=0
+was explicitly specified.
+
+Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351
+
+Signed-off-by: Diego Viola
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/jme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/jme.c
++++ b/drivers/net/ethernet/jme.c
+@@ -3287,13 +3287,14 @@ jme_resume(struct device *dev)
+ jme_reset_phy_processor(jme);
+ jme_phy_calibration(jme);
+ jme_phy_setEA(jme);
+- jme_start_irq(jme);
+ netif_device_attach(netdev);
+
+ atomic_inc(&jme->link_changing);
+
+ jme_reset_link(jme);
+
++ jme_start_irq(jme);
++
+ return 0;
+ }
+
diff --git a/queue-3.14/ppp-take-reference-on-channels-netns.patch b/queue-3.14/ppp-take-reference-on-channels-netns.patch
new file mode 100644
index 00000000000..5c4a11244a0
--- /dev/null
+++ b/queue-3.14/ppp-take-reference-on-channels-netns.patch
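Review bot: The move of `jme_start_irq(jme);` to after `jme_reset_link(jme);` makes the call order load-bearing, and nothing in `jme_resume()` records that. A later cleanup could move it back without noticing. I would add `/* enable interrupts only after the link reset; doing it earlier breaks resume on JMC260 */` above the call. The start of the function is outside the hunk.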
@@ -0,0 +1,152 @@ +From foo@baz Sat Apr 16 22:36:37 PDT 2016 +From: Guillaume Nault +Date: Wed, 23 Mar 2016 16:38:55 +0100 +Subject: ppp: take reference on channels netns +Status: RO +Content-Length: 8705 +Lines: 146 + +From: Guillaume Nault + +[ Upstream commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 ] + +Let channels hold a reference on their network namespace. +Some channel types, like ppp_async and ppp_synctty, can have their +userspace controller running in a different namespace. Therefore they +can't rely on them to preclude their netns from being removed from +under them. + +================================================================== +BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at +addr ffff880064e217e0 +Read of size 8 by task syz-executor/11581 +============================================================================= +BUG net_namespace (Not tainted): kasan: bad access detected +----------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906 +[< none >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440 +[< none >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469 +[< inline >] slab_alloc_node kernel/mm/slub.c:2532 +[< inline >] slab_alloc kernel/mm/slub.c:2574 +[< none >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579 +[< inline >] kmem_cache_zalloc kernel/include/linux/slab.h:597 +[< inline >] net_alloc kernel/net/core/net_namespace.c:325 +[< none >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360 +[< none >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95 +[< none >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150 +[< none >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451 +[< inline >] copy_process kernel/kernel/fork.c:1274 +[< none >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723 +[< inline >] SYSC_clone kernel/kernel/fork.c:1832 +[< none >] 
SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826 +[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185 + +INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631 +[< none >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650 +[< inline >] slab_free kernel/mm/slub.c:2805 +[< none >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814 +[< inline >] net_free kernel/net/core/net_namespace.c:341 +[< none >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348 +[< none >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448 +[< none >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036 +[< none >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170 +[< none >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303 +[< none >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468 +INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000 +flags=0x5fffc0000004080 +INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200 + +CPU: 1 PID: 11581 Comm: syz-executor Tainted: G B 4.4.0+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 + 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300 + ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054 + ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000 +Call Trace: + [< inline >] __dump_stack kernel/lib/dump_stack.c:15 + [] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50 + [] print_trailer+0xf4/0x150 kernel/mm/slub.c:654 + [] object_err+0x2f/0x40 kernel/mm/slub.c:661 + [< inline >] print_address_description kernel/mm/kasan/report.c:138 + [] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236 + [< inline >] kasan_report kernel/mm/kasan/report.c:259 + [] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280 + [< inline >] ? ppp_pernet kernel/include/linux/compiler.h:218 + [] ? 
ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 + [< inline >] ppp_pernet kernel/include/linux/compiler.h:218 + [] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 + [< inline >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293 + [] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 + [] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241 + [] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000 + [] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478 + [] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744 + [] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772 + [] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901 + [] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688 + [] __fput+0x236/0x780 kernel/fs/file_table.c:208 + [] ____fput+0x15/0x20 kernel/fs/file_table.c:244 + [] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115 + [< inline >] exit_task_work kernel/include/linux/task_work.h:21 + [] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750 + [] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 + [] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357 + [] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550 + [] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145 + [] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880 + [] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307 + [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113 + [] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158 + [] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712 + [] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655 + [] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165 + [] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692 + [< inline >] ? 
finish_lock_switch kernel/kernel/sched/sched.h:1099 + [] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678 + [< inline >] ? context_switch kernel/kernel/sched/core.c:2807 + [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283 + [] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247 + [< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282 + [] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344 + [] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281 +Memory state around the buggy address: + ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2") +Reported-by: Baozeng Ding +Signed-off-by: Guillaume Nault +Reviewed-by: Cyrill Gorcunov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/ppp_generic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2220,7 +2220,7 @@ int ppp_register_net_channel(struct net + + pch->ppp = NULL; + pch->chan = chan; +- pch->chan_net = net; ++ pch->chan_net = get_net(net); + chan->ppp = pch; + init_ppp_file(&pch->file, CHANNEL); + pch->file.hdrlen = chan->hdrlen; +@@ -2317,6 +2317,8 @@ ppp_unregister_channel(struct ppp_channe + spin_lock_bh(&pn->all_channels_lock); + list_del(&pch->list); + spin_unlock_bh(&pn->all_channels_lock); ++ put_net(pch->chan_net); ++ pch->chan_net = NULL; + + pch->file.dead = 1; + wake_up_interruptible(&pch->file.rwait); 
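Review bot: `pch->chan_net = NULL;` is set in `ppp_unregister_channel()` while the channel object itself stays alive, as the following lines still mark `pch->file.dead` and wake waiters on it. Any path that can still reach `pch` afterwards and reads `pch->chan_net` (none is visible in this hunk) would now hand NULL to the per-net lookup rather than a stale pointer. It is worth confirming that every such reader checks for an unregistered channel first, and recording that in a comment next to the assignment. Separately, `get_net(net)` in `ppp_register_net_channel()` is taken before the rest of the setup; if any later step in that function can fail (not visible here), its error path needs a matching `put_net()`.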
diff --git a/queue-3.14/qlge-fix-receive-packets-drop.patch b/queue-3.14/qlge-fix-receive-packets-drop.patch
new file mode 100644
index 00000000000..e31b6cee9a7
--- /dev/null
+++ b/queue-3.14/qlge-fix-receive-packets-drop.patch
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Manish Chopra
+Date: Tue, 15 Mar 2016 07:13:45 -0400
+Subject: qlge: Fix receive packets drop.
+Status: RO
+Content-Length: 1438
+Lines: 40
+
+From: Manish Chopra
+
+[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]
+
+When running small packets [length < 256 bytes] traffic, packets were
+being dropped due to invalid data in those packets which were
+delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
+ensures copying latest and updated data into skb from the receive buffer.
+
+Signed-off-by: Sony Chacko
+Signed-off-by: Manish Chopra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct
+ return;
+ }
+ skb_reserve(new_skb, NET_IP_ALIGN);
++
++ pci_dma_sync_single_for_cpu(qdev->pdev,
++ dma_unmap_addr(sbq_desc, mapaddr),
++ dma_unmap_len(sbq_desc, maplen),
++ PCI_DMA_FROMDEVICE);
++
+ memcpy(skb_put(new_skb, length), skb->data, length);
++
++ pci_dma_sync_single_for_device(qdev->pdev,
++ dma_unmap_addr(sbq_desc, mapaddr),
++ dma_unmap_len(sbq_desc, maplen),
++ PCI_DMA_FROMDEVICE);
+ skb = new_skb;
+
+ /* Frame error, so drop the packet. */
diff --git a/queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch b/queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
new file mode 100644
index 00000000000..b4a8b30c18a
--- /dev/null
+++ b/queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
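Review bot: In the qlge hunk the added sync calls cover `dma_unmap_len(sbq_desc, maplen)` bytes, but the `memcpy()` between them copies `length` bytes, and nothing in the hunk ties the two sizes together. `length` is presumably taken from the device's completion entry (outside the hunk); if it can exceed the mapped length, the copy reads past the buffer that was just synced. A guard before the copy, or a comment naming the earlier check that bounds `length`, would settle the question. `ql_process_mac_rx_skb()` starts and ends outside the hunk.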
@@ -0,0 +1,58 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Mon, 28 Mar 2016 22:38:16 +0200
+Subject: qmi_wwan: add "D-Link DWM-221 B1" device id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 1807
+Lines: 49
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+
+[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]
+
+Thomas reports:
+"Windows:
+
+00 diagnostics
+01 modem
+02 at-port
+03 nmea
+04 nic
+
+Linux:
+
+T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2001 ProdID=7e19 Rev=02.32
+S: Manufacturer=Mobile Connect
+S: Product=Mobile Connect
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
+
+Reported-by: Thomas Schäfer
+Signed-off-by: Bjørn Mork
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -737,6 +737,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */
+ {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */
+ {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
++ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
diff --git a/queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch b/queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
new file mode 100644
index 00000000000..cd82f0c78ea
--- /dev/null
+++ b/queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
@@ -0,0 +1,40 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Xin Long
+Date: Sun, 28 Feb 2016 10:03:51 +0800
+Subject: sctp: lack the check for ports in sctp_v6_cmp_addr
+Status: RO
+Content-Length: 1078
+Lines: 34
+
+From: Xin Long
+
+[ Upstream commit 40b4f0fd74e46c017814618d67ec9127ff20f157 ]
+
+As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
+the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by
+sctp_cmp_addr_exact().
+
+Now sctp_v6_cmp_addr just check the port when two addresses have different
+family, and lack the port check for two ipv6 addresses. that will make
+sctp_hash_cmp() cannot work well.
+
+so fix it by adding ports comparison in sctp_v6_cmp_addr().
+
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ipv6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -519,6 +519,8 @@ static int sctp_v6_cmp_addr(const union
+ }
+ return 0;
+ }
++ if (addr1->v6.sin6_port != addr2->v6.sin6_port)
++ return 0;
+ if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
+ return 0;
+ /* If this is a linklocal address, compare the scope_id. */
diff --git a/queue-3.14/series b/queue-3.14/series
index 5e5d805bcf8..ccc0cfc843e 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
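Review bot: The new port test in sctp_v6_cmp_addr() has no comment saying why an address comparison also looks at ports, although the commit message gives the reason. I would add `/* Ports must match as well, as in sctp_v4_cmp_addr(); sctp_cmp_addr_exact() depends on it. */` above the `if`. According to the commit message the mixed-family branch that closes just above already compares ports, so the check now appears twice in the function; that branch starts outside the hunk, so whether the two can be merged is not visible here.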
@@ -6,3 +6,20 @@ mm-fix-invalid-node-in-alloc_migrate_target.patch
 drm-radeon-add-a-dpm-quirk-for-sapphire-dual-x-r7-370-2g-d5.patch
 drm-radeon-add-a-dpm-quirk-for-all-r7-370-parts.patch
 xen-events-mask-a-moving-irq.patch
+net-jme-fix-suspend-resume-on-jmc260.patch
+sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
+ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
+cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
+usbnet-cleanup-after-bind-in-probe.patch
+udp6-fix-udp-ipv6-encap-resubmit-path.patch
+sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
+net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
+farsync-fix-off-by-one-bug-in-fst_add_one.patch
+ath9k-fix-buffer-overrun-for-ar9287.patch
+qlge-fix-receive-packets-drop.patch
+ipv4-fix-broadcast-packets-reception.patch
+ppp-take-reference-on-channels-netns.patch
+qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
+ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
+ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
+ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
diff --git a/queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch b/queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
new file mode 100644
index 00000000000..2c0e869d9fc
--- /dev/null
+++ b/queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
@@ -0,0 +1,36 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Sergei Shtylyov
+Date: Tue, 8 Mar 2016 01:36:28 +0300
+Subject: sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
+Status: RO
+Content-Length: 1101
+Lines: 30
+
+From: Sergei Shtylyov
+
+[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]
+
+In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
+loop iteration in sh_eth_ring_format(), 'rxdesc' is still NULL. Avoid
+kernel oops by adding the 'rxdesc' check after the loop.
+
+Reported-by: Wolfram Sang
+Signed-off-by: Sergei Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1156,7 +1156,8 @@ static void sh_eth_ring_format(struct ne
+ mdp->dirty_rx = (u32) (i - mdp->num_rx_ring);
+
+ /* Mark the last entry as wrapping the ring. */
+- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
++ if (rxdesc)
++ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
+
+ memset(mdp->tx_ring, 0, tx_ringsize);
+
diff --git a/queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch b/queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch
new file mode 100644
index 00000000000..790943ddc91
--- /dev/null
+++ b/queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch
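Review bot: The `if (rxdesc)` guard in sh_eth_ring_format() removes the NULL dereference but leaves the failure silent: when the first netdev_alloc_skb() fails, no RX descriptor gets RD_RDEL and the function, which returns void, goes on to clear the TX ring as if nothing happened. A comment such as `/* rxdesc is still NULL if the first RX skb allocation failed */` would at least record why the check exists. Whether the caller notices an RX ring without buffers cannot be seen here, since the allocation loop and the callers are outside the hunk.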
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Bill Sommerfeld
+Date: Fri, 4 Mar 2016 14:47:21 -0800
+Subject: udp6: fix UDP/IPv6 encap resubmit path
+Status: RO
+Content-Length: 1318
+Lines: 40
+
+From: Bill Sommerfeld
+
+[ Upstream commit 59dca1d8a6725a121dae6c452de0b2611d5865dc ]
+
+IPv4 interprets a negative return value from a protocol handler as a
+request to redispatch to a new protocol. In contrast, IPv6 interprets a
+negative value as an error, and interprets a positive value as a request
+for redispatch.
+
+UDP for IPv6 was unaware of this difference. Change __udp6_lib_rcv() to
+return a positive value for redispatch. Note that the socket's
+encap_rcv hook still needs to return a negative value to request
+dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
+identify the byte containing the next protocol.
+
+Signed-off-by: Bill Sommerfeld
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/udp.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -868,11 +868,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
+ ret = udpv6_queue_rcv_skb(sk, skb);
+ sock_put(sk);
+
+- /* a return value > 0 means to resubmit the input, but
+- * it wants the return to be -protocol, or 0
+- */
++ /* a return value > 0 means to resubmit the input */
+ if (ret > 0)
+- return -ret;
++ return ret;
+
+ return 0;
+ }
diff --git a/queue-3.14/usbnet-cleanup-after-bind-in-probe.patch b/queue-3.14/usbnet-cleanup-after-bind-in-probe.patch
new file mode 100644
index 00000000000..f391f43157e
--- /dev/null
+++ b/queue-3.14/usbnet-cleanup-after-bind-in-probe.patch
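Review bot: The shortened comment in __udp6_lib_rcv() drops the one fact a reader needs at this return, namely that the sign convention is the opposite of IPv4's. I would write `/* ret > 0 asks the IPv6 input path to resubmit; unlike IPv4, a negative return is an error here. */` so the next person does not "fix" it back to `-ret`. The commit message also requires the encap_rcv hook to have adjusted `IP6CB(skb)->nhoff`; nothing in the visible lines states or checks that, so it belongs in the comment too. The function body starts outside the hunk.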
@@ -0,0 +1,42 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Oliver Neukum
+Date: Mon, 7 Mar 2016 11:31:10 +0100
+Subject: usbnet: cleanup after bind() in probe()
+Status: RO
+Content-Length: 1136
+Lines: 36
+
+From: Oliver Neukum
+
+[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]
+
+In case bind() works, but a later error forces bailing
+in probe() in error cases work and a timer may be scheduled.
+They must be killed. This fixes an error case related to
+the double free reported in
+http://www.spinics.net/lists/netdev/msg367669.html
+and needs to go on top of Linus' fix to cdc-ncm.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1718,6 +1718,13 @@ out3:
+ if (info->unbind)
+ info->unbind (dev, udev);
+ out1:
++ /* subdrivers must undo all they did in bind() if they
++ * fail it, but we may fail later and a deferred kevent
++ * may trigger an error resubmitting itself and, worse,
++ * schedule a timer. So we kill it all just in case.
++ */
++ cancel_work_sync(&dev->kevent);
++ del_timer_sync(&dev->delay);
+ free_netdev(net);
+ out:
+ return status;
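Review bot: The cleanup added at `out1:` cancels the work before the timer, but the comment does not say that this order is deliberate or what it relies on. The comment itself states that the kevent may schedule the timer, which explains cancelling the work first; I would add a line such as `* Order matters: the work may arm the timer, so it is cancelled first.` If the timer handler can in turn queue work (its handler is not visible in this hunk), something queued between the two calls would still be pending when `free_netdev(net)` runs, so that assumption is worth confirming. The labels belong to a probe function whose body starts outside the hunk.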