From: Greg Kroah-Hartman Date: Thu, 29 Mar 2018 07:24:06 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.15.15~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=201b1fbe3ee38777455ba6a30c262ce96ad396d0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch l2tp-do-not-accept-arbitrary-sockets.patch net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch net-fec-fix-unbalanced-pm-runtime-calls.patch net-fix-hlist-corruptions-in-inet_evict_bucket.patch net-iucv-free-memory-obtained-by-kzalloc.patch net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch s390-qeth-free-netdevice-when-removing-a-card.patch s390-qeth-lock-read-device-while-queueing-next-buffer.patch s390-qeth-on-channel-error-reject-further-cmd-requests.patch s390-qeth-when-thread-completes-wake-up-all-waiters.patch skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch team-fix-double-free-in-error-path.patch --- diff --git a/queue-4.4/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch b/queue-4.4/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch new file mode 100644 index 00000000000..543628f5150 --- /dev/null +++ b/queue-4.4/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch 
@@ -0,0 +1,41 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Alexey Kodanev
+Date: Tue, 6 Mar 2018 22:57:01 +0300
+Subject: dccp: check sk for closed state in dccp_sendmsg()
+
+From: Alexey Kodanev
+
+
+[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]
+
+dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
+therefore if DCCP socket is disconnected and dccp_sendmsg() is
+called after it, it will cause a NULL pointer dereference in
+dccp_write_xmit().
+
+This crash and the reproducer was reported by syzbot. Looks like
+it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
+use-after-free in DCCP code") is applied.
+
+Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
+Signed-off-by: Alexey Kodanev
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct
+ if (skb == NULL)
+ goto out_release;
+
++ if (sk->sk_state == DCCP_CLOSED) {
++ rc = -ENOTCONN;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
diff --git a/queue-4.4/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch b/queue-4.4/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
new file mode 100644
index 00000000000..0d58929fea6
--- /dev/null
+++ b/queue-4.4/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
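Review bot: The new `sk->sk_state == DCCP_CLOSED` test in dccp_sendmsg() has no comment, and nothing at that spot says why a state check is needed after the skb allocation. Per the commit message, dccp_disconnect() sets `dp->dccps_hc_tx_ccid` to NULL, so a later send reaches dccp_write_xmit() without a TX handler; I would record that above the check, e.g. `/* dccp_disconnect() clears dccps_hc_tx_ccid; never queue on a closed socket */`. Only DCCP_CLOSED is rejected, and whether any other state can arrive here with the handler cleared cannot be told from the hunk, since the function body starts and ends outside it. The message also ties the crash to trees carrying 69c64866ce07, so the two backports should be tracked together.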
@@ -0,0 +1,57 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Eric Dumazet
+Date: Mon, 5 Mar 2018 08:51:03 -0800
+Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
+
+From: Eric Dumazet
+
+
+[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
+
+A tun device type can trivially be set to arbitrary value using
+TUNSETLINK ioctl().
+
+Therefore, lowpan_device_event() must really check that ieee802154_ptr
+is not NULL.
+
+Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
+Signed-off-by: Eric Dumazet
+Cc: Alexander Aring
+Cc: Stefan Schmidt
+Reported-by: syzbot
+Acked-by: Stefan Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ieee802154/6lowpan/core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ieee802154/6lowpan/core.c
++++ b/net/ieee802154/6lowpan/core.c
+@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(v
+ static int lowpan_device_event(struct notifier_block *unused,
+ unsigned long event, void *ptr)
+ {
+- struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
++ struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
++ struct wpan_dev *wpan_dev;
+
+- if (wdev->type != ARPHRD_IEEE802154)
++ if (ndev->type != ARPHRD_IEEE802154)
++ return NOTIFY_DONE;
++ wpan_dev = ndev->ieee802154_ptr;
++ if (!wpan_dev)
+ goto out;
+
+ switch (event) {
+@@ -217,8 +221,8 @@ static int lowpan_device_event(struct no
+ * also delete possible lowpan interfaces which belongs
+ * to the wpan interface.
+ */
+- if (wdev->ieee802154_ptr->lowpan_dev)
+- lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
++ if (wpan_dev->lowpan_dev)
++ lowpan_dellink(wpan_dev->lowpan_dev, NULL);
+ break;
+ default:
+ break;
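Review bot: lowpan_device_event() now leaves through two different exits for the same "not our device" outcome: the type mismatch uses `return NOTIFY_DONE;` while the new NULL test keeps `goto out;`. The `out:` label is outside the hunk; if it only returns NOTIFY_DONE, writing `return NOTIFY_DONE;` in both places reads more clearly. The NULL test also deserves a comment, because the commit message explains that `type` can be set to an arbitrary value on a tun device through TUNSETLINK: `/* type is user-settable (TUNSETLINK), so it does not guarantee ieee802154_ptr */`.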
diff --git a/queue-4.4/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch b/queue-4.4/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
new file mode 100644
index 00000000000..685e2a7b4dd
--- /dev/null
+++ b/queue-4.4/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
@@ -0,0 +1,121 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Lorenzo Bianconi
+Date: Thu, 8 Mar 2018 17:00:02 +0100
+Subject: ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
+
+From: Lorenzo Bianconi
+
+
+[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ]
+
+Fix the following slab-out-of-bounds kasan report in
+ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
+linear and the accessed data are not in the linear data region of orig_skb.
+
+[ 1503.122508] ==================================================================
+[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990
+[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932
+
+[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124
+[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014
+[ 1503.123527] Call Trace:
+[ 1503.123579]
+[ 1503.123638] print_address_description+0x6e/0x280
+[ 1503.123849] kasan_report+0x233/0x350
+[ 1503.123946] memcpy+0x1f/0x50
+[ 1503.124037] ndisc_send_redirect+0x94e/0x990
+[ 1503.125150] ip6_forward+0x1242/0x13b0
+[...]
+[ 1503.153890] Allocated by task 1932:
+[ 1503.153982] kasan_kmalloc+0x9f/0xd0
+[ 1503.154074] __kmalloc_track_caller+0xb5/0x160
+[ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70
+[ 1503.154324] __alloc_skb+0x130/0x3e0
+[ 1503.154415] sctp_packet_transmit+0x21a/0x1810
+[ 1503.154533] sctp_outq_flush+0xc14/0x1db0
+[ 1503.154624] sctp_do_sm+0x34e/0x2740
+[ 1503.154715] sctp_primitive_SEND+0x57/0x70
+[ 1503.154807] sctp_sendmsg+0xaa6/0x1b10
+[ 1503.154897] sock_sendmsg+0x68/0x80
+[ 1503.154987] ___sys_sendmsg+0x431/0x4b0
+[ 1503.155078] __sys_sendmsg+0xa4/0x130
+[ 1503.155168] do_syscall_64+0x171/0x3f0
+[ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.155436] Freed by task 1932:
+[ 1503.155527] __kasan_slab_free+0x134/0x180
+[ 1503.155618] kfree+0xbc/0x180
+[ 1503.155709] skb_release_data+0x27f/0x2c0
+[ 1503.155800] consume_skb+0x94/0xe0
+[ 1503.155889] sctp_chunk_put+0x1aa/0x1f0
+[ 1503.155979] sctp_inq_pop+0x2f8/0x6e0
+[ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230
+[ 1503.156164] sctp_inq_push+0x117/0x150
+[ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0
+[ 1503.156346] __release_sock+0x142/0x250
+[ 1503.156436] release_sock+0x80/0x180
+[ 1503.156526] sctp_sendmsg+0xbb0/0x1b10
+[ 1503.156617] sock_sendmsg+0x68/0x80
+[ 1503.156708] ___sys_sendmsg+0x431/0x4b0
+[ 1503.156799] __sys_sendmsg+0xa4/0x130
+[ 1503.156889] do_syscall_64+0x171/0x3f0
+[ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 1503.157444] The buggy address is located 176 bytes inside of
+ 1024-byte region [ffff8800298ab600, ffff8800298aba00)
+[ 1503.157702] The buggy address belongs to the page:
+[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
+[ 1503.158053] flags: 0x4000000000008100(slab|head)
+[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
+[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000
+[ 1503.158523] page dumped because: kasan: bad access detected
+
+[ 1503.158698] Memory state around the buggy address:
+[ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 1503.159338] ^
+[ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159785] ==================================================================
+[ 1503.159964] Disabling lock debugging due to kernel taint
+
+The test scenario to trigger the issue consists of 4 devices:
+- H0: data sender, connected to LAN0
+- H1: data receiver, connected to LAN1
+- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
+ ethernet connection on LAN0 and LAN1
+On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
+data from LAN0 to LAN1.
+Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
+data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
+buffer size is set to 16K). While data streams are active flush the route
+cache on HA multiple times.
+I have not been able to identify a given commit that introduced the issue
+since, using the reproducer described above, the kasan report has been
+triggered from 4.14 and I have not gone back further.
+
+Reported-by: Jianlin Shi
+Reviewed-by: Stefano Brivio
+Reviewed-by: Eric Dumazet
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ndisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1478,7 +1478,8 @@ static void ndisc_fill_redirect_hdr_opti
+ *(opt++) = (rd_len >> 3);
+ opt += 6;
+
+- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
++ rd_len - 8);
+ }
+
+ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
diff --git a/queue-4.4/l2tp-do-not-accept-arbitrary-sockets.patch b/queue-4.4/l2tp-do-not-accept-arbitrary-sockets.patch
new file mode 100644
index 00000000000..49642e5d082
--- /dev/null
+++ b/queue-4.4/l2tp-do-not-accept-arbitrary-sockets.patch
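Review bot: The return value of `skb_copy_bits()` in ndisc_fill_redirect_hdr_option() is discarded, so a failed copy would leave the redirected-header bytes holding whatever the option buffer contained before, with nothing reported. `rd_len` is computed by the caller outside this hunk, so I cannot confirm that `rd_len - 8` never exceeds the data available from `skb_network_offset(orig_skb)`. If that invariant holds, state it in a comment above the call; if it is not guaranteed, at least make a violation visible with `WARN_ON_ONCE(skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, rd_len - 8));`, since the function returns void and cannot propagate the error as written.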
@@ -0,0 +1,77 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Eric Dumazet
+Date: Tue, 6 Mar 2018 07:54:53 -0800
+Subject: l2tp: do not accept arbitrary sockets
+
+From: Eric Dumazet
+
+
+[ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]
+
+syzkaller found an issue caused by lack of sufficient checks
+in l2tp_tunnel_create()
+
+RAW sockets can not be considered as UDP ones for instance.
+
+In another patch, we shall replace all pr_err() by less intrusive
+pr_debug() so that syzkaller can find other bugs faster.
+Acked-by: Guillaume Nault
+Acked-by: James Chapman
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+dst_release: dst:00000000d53d0d0f refcnt:-1
+Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242
+
+CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23b/0x360 mm/kasan/report.c:412
+ __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
+ setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+ l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
+ pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
+ SYSC_connect+0x213/0x4a0 net/socket.c:1640
+ SyS_connect+0x24/0x30 net/socket.c:1621
+ do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1518,9 +1518,14 @@ int l2tp_tunnel_create(struct net *net,
+ encap = cfg->encap;
+
+ /* Quick sanity checks */
++ err = -EPROTONOSUPPORT;
++ if (sk->sk_type != SOCK_DGRAM) {
++ pr_debug("tunl %hu: fd %d wrong socket type\n",
++ tunnel_id, fd);
++ goto err;
++ }
+ switch (encap) {
+ case L2TP_ENCAPTYPE_UDP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_UDP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
+@@ -1528,7 +1533,6 @@ int l2tp_tunnel_create(struct net *net,
+ }
+ break;
+ case L2TP_ENCAPTYPE_IP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_L2TP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
diff --git a/queue-4.4/net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch b/queue-4.4/net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
new file mode 100644
index 00000000000..f521ee6b376
--- /dev/null
+++ b/queue-4.4/net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
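Review bot: The added test in l2tp_tunnel_create() constrains `sk->sk_type` and the existing branches constrain `sk->sk_protocol`, but no check on the socket's address family is visible in these hunks. If none exists earlier in the function (its body starts outside the hunk), the caller-supplied fd is still accepted on type and protocol alone; consider rejecting other families with the same error, e.g. `if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) goto err;`. Separately, the new branch logs with `pr_debug()` while the two protocol branches below still use `pr_err()` on the same caller-triggerable path. The commit message defers that conversion to another patch, so a one-line comment saying so would help whoever backports the follow-up.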
@@ -0,0 +1,36 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Christophe JAILLET
+Date: Sun, 18 Mar 2018 23:59:36 +0100
+Subject: net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 00777fac28ba3e126b9e63e789a613e8bd2cab25 ]
+
+If the optional regulator is deferred, we must release some resources.
+They will be re-allocated when the probe function will be called again.
+
+Fixes: 6eacf31139bf ("ethernet: arc: Add support for Rockchip SoC layer device tree bindings")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/arc/emac_rockchip.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/arc/emac_rockchip.c
++++ b/drivers/net/ethernet/arc/emac_rockchip.c
+@@ -150,8 +150,10 @@ static int emac_rockchip_probe(struct pl
+ /* Optional regulator for PHY */
+ priv->regulator = devm_regulator_get_optional(dev, "phy");
+ if (IS_ERR(priv->regulator)) {
+- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) {
++ err = -EPROBE_DEFER;
++ goto out_clk_disable;
++ }
+ dev_err(dev, "no regulator found\n");
+ priv->regulator = NULL;
+ }
diff --git a/queue-4.4/net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch b/queue-4.4/net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
new file mode 100644
index 00000000000..02f42bcaa28
--- /dev/null
+++ b/queue-4.4/net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
@@ -0,0 +1,47 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: "SZ Lin (林上智)"
+Date: Fri, 16 Mar 2018 00:56:01 +0800
+Subject: net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
+
+From: "SZ Lin (林上智)"
+
+
+[ Upstream commit f9db50691db4a7d860fce985f080bb3fc23a7ede ]
+
+According to AM335x TRM[1] 14.3.6.2, AM437x TRM[2] 15.3.6.2 and
+DRA7 TRM[3] 24.11.4.8.7.3.3, in-band mode in EXT_EN(bit18) register is only
+available when PHY is configured in RGMII mode with 10Mbps speed. It will
+cause some networking issues without RGMII mode, such as carrier sense
+errors and low throughput. TI also mentioned this issue in their forum[4].
+
+This patch adds the check mechanism for PHY interface with RGMII interface
+type, the in-band mode can only be set in RGMII mode with 10Mbps speed.
+
+References:
+[1]: https://www.ti.com/lit/ug/spruh73p/spruh73p.pdf
+[2]: http://www.ti.com/lit/ug/spruhl7h/spruhl7h.pdf
+[3]: http://www.ti.com/lit/ug/spruic2b/spruic2b.pdf
+[4]: https://e2e.ti.com/support/arm/sitara_arm/f/791/p/640765/2392155
+
+Suggested-by: Holsety Chen (陳憲輝)
+Signed-off-by: SZ Lin (林上智)
+Signed-off-by: Schuyler Patton
+Reviewed-by: Grygorii Strashko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ti/cpsw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -878,7 +878,8 @@ static void _cpsw_adjust_link(struct cps
+ /* set speed_in input in case RMII mode is used in 100Mbps */
+ if (phy->speed == 100)
+ mac_control |= BIT(15);
+- else if (phy->speed == 10)
++ /* in band mode only works in 10Mbps RGMII mode */
++ else if ((phy->speed == 10) && phy_interface_is_rgmii(phy))
+ mac_control |= BIT(18); /* In Band mode */
+
+ if (priv->rx_pause)
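Review bot: The new comment in _cpsw_adjust_link() sits between the unbraced `if` body and its `else if`, which makes the chain easy to misread and easy to break in a later edit. I would brace both branches, move the comment inside the second one, and drop the redundant parentheses: `} else if (phy->speed == 10 && phy_interface_is_rgmii(phy)) {`. `BIT(15)` and `BIT(18)` are bare numbers in the context lines; named constants for the speed_in and EXT_EN bits would match the TRM wording quoted in the commit message.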
diff --git a/queue-4.4/net-fec-fix-unbalanced-pm-runtime-calls.patch b/queue-4.4/net-fec-fix-unbalanced-pm-runtime-calls.patch
new file mode 100644
index 00000000000..c0c2ff233c1
--- /dev/null
+++ b/queue-4.4/net-fec-fix-unbalanced-pm-runtime-calls.patch
@@ -0,0 +1,38 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Florian Fainelli
+Date: Sun, 18 Mar 2018 12:49:51 -0700
+Subject: net: fec: Fix unbalanced PM runtime calls
+
+From: Florian Fainelli
+
+
+[ Upstream commit a069215cf5985f3aa1bba550264907d6bd05c5f7 ]
+
+When unbinding/removing the driver, we will run into the following warnings:
+
+[ 259.655198] fec 400d1000.ethernet: 400d1000.ethernet supply phy not found, using dummy regulator
+[ 259.665065] fec 400d1000.ethernet: Unbalanced pm_runtime_enable!
+[ 259.672770] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+[ 259.683062] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: f2:3e:93:b7:29:c1
+[ 259.696239] libphy: fec_enet_mii_bus: probed
+
+Avoid these warnings by balancing the runtime PM calls during fec_drv_remove().
+
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3539,6 +3539,8 @@ fec_drv_remove(struct platform_device *p
+ fec_enet_mii_remove(fep);
+ if (fep->reg_phy)
+ regulator_disable(fep->reg_phy);
++ pm_runtime_put(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
+ of_node_put(fep->phy_node);
+ free_netdev(ndev);
+
diff --git a/queue-4.4/net-fix-hlist-corruptions-in-inet_evict_bucket.patch b/queue-4.4/net-fix-hlist-corruptions-in-inet_evict_bucket.patch
new file mode 100644
index 00000000000..cf4de446a66
--- /dev/null
+++ b/queue-4.4/net-fix-hlist-corruptions-in-inet_evict_bucket.patch
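Review bot: `pm_runtime_put(&pdev->dev)` in fec_drv_remove() drops a usage-count reference, but the get it is meant to balance is not visible in this hunk. If the probe path on this kernel version does not leave a reference held, the put unbalances the counter instead of fixing it, so please confirm against the 4.4 probe code and name the matching call in a comment above the put. Note also that `pm_runtime_put()` only queues an idle request and `pm_runtime_disable()` follows immediately; if the intent is to leave the device suspended on removal, `pm_runtime_put_sync()` would state that more directly.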
@@ -0,0 +1,48 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Kirill Tkhai
+Date: Tue, 6 Mar 2018 18:46:39 +0300
+Subject: net: Fix hlist corruptions in inet_evict_bucket()
+
+From: Kirill Tkhai
+
+
+[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]
+
+inet_evict_bucket() iterates global list, and
+several tasks may call it in parallel. All of
+them hash the same fq->list_evictor to different
+lists, which leads to list corruption.
+
+This patch makes fq be hashed to expired list
+only if this has not been made yet by another
+task. Since inet_frag_alloc() allocates fq
+using kmem_cache_zalloc(), we may rely on
+list_evictor is initially unhashed.
+
+The problem seems to exist before async
+pernet_operations, as there was possible to have
+exit method to be executed in parallel with
+inet_frags::frags_work, so I add two Fixes tags.
+This also may go to stable.
+
+Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
+Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
+Signed-off-by: Kirill Tkhai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_fragment.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -119,6 +119,9 @@ out:
+
+ static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
+ {
++ if (!hlist_unhashed(&q->list_evictor))
++ return false;
++
+ return q->net->low_thresh == 0 ||
+ frag_mem_limit(q->net) >= q->net->low_thresh;
+ }
diff --git a/queue-4.4/net-iucv-free-memory-obtained-by-kzalloc.patch b/queue-4.4/net-iucv-free-memory-obtained-by-kzalloc.patch
new file mode 100644
index 00000000000..2758c8135db
--- /dev/null
+++ b/queue-4.4/net-iucv-free-memory-obtained-by-kzalloc.patch
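Review bot: The early `return false` in inet_fragq_should_evict() is only race-free if `q->list_evictor` is read under a lock that also covers the other tasks that hash it, and that locking is not visible in this hunk. Please document the assumption at the test, for example `/* already on another evictor's expired list */` plus a note of which lock the caller holds. The check also depends on `list_evictor` starting out unhashed, which the commit message attributes to kmem_cache_zalloc() in inet_frag_alloc(); a later switch to a non-zeroing allocation would silently break it, so that dependency deserves a line as well.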
@@ -0,0 +1,38 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Arvind Yadav
+Date: Tue, 13 Mar 2018 16:50:06 +0100
+Subject: net/iucv: Free memory obtained by kzalloc
+
+From: Arvind Yadav
+
+
+[ Upstream commit fa6a91e9b907231d2e38ea5ed89c537b3525df3d ]
+
+Free memory by calling put_device(), if afiucv_iucv_init is not
+successful.
+
+Signed-off-by: Arvind Yadav
+Reviewed-by: Cornelia Huck
+Signed-off-by: Ursula Braun
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/iucv/af_iucv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -2381,9 +2381,11 @@ static int afiucv_iucv_init(void)
+ af_iucv_dev->driver = &af_iucv_driver;
+ err = device_register(af_iucv_dev);
+ if (err)
+- goto out_driver;
++ goto out_iucv_dev;
+ return 0;
+
++out_iucv_dev:
++ put_device(af_iucv_dev);
+ out_driver:
+ driver_unregister(&af_iucv_driver);
+ out_iucv:
diff --git a/queue-4.4/net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch b/queue-4.4/net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
new file mode 100644
index 00000000000..8a277564a49
--- /dev/null
+++ b/queue-4.4/net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: David Ahern
+Date: Fri, 16 Feb 2018 11:03:03 -0800
+Subject: net: Only honor ifindex in IP_PKTINFO if non-0
+
+From: David Ahern
+
+
+[ Upstream commit 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 ]
+
+Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings
+if the index is actually set in the message.
+
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_sockglue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -241,7 +241,8 @@ int ip_cmsg_send(struct net *net, struct
+ src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
+ if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
+ return -EINVAL;
+- ipc->oif = src_info->ipi6_ifindex;
++ if (src_info->ipi6_ifindex)
++ ipc->oif = src_info->ipi6_ifindex;
+ ipc->addr = src_info->ipi6_addr.s6_addr32[3];
+ continue;
+ }
+@@ -264,7 +265,8 @@ int ip_cmsg_send(struct net *net, struct
+ if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
+ return -EINVAL;
+ info = (struct in_pktinfo *)CMSG_DATA(cmsg);
+- ipc->oif = info->ipi_ifindex;
++ if (info->ipi_ifindex)
++ ipc->oif = info->ipi_ifindex;
+ ipc->addr = info->ipi_spec_dst.s_addr;
+ break;
+ }
diff --git a/queue-4.4/net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch b/queue-4.4/net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
new file mode 100644
index 00000000000..310dc7a45d5
--- /dev/null
+++ b/queue-4.4/net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
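Review bot: Both new tests in ip_cmsg_send(), `if (src_info->ipi6_ifindex)` and `if (info->ipi_ifindex)`, treat every non-zero value as "set", and the value comes straight from caller-supplied ancillary data. If the fields are signed and only positive indexes are meaningful, `> 0` states the intent more precisely. Either way, a comment such as `/* 0 = not specified: keep the SO_BINDTODEVICE binding */` would record why the assignment is conditional. In the first inner hunk the `cmsg_len` validation that should precede the `struct in6_pktinfo` cast lies above the visible context, so I could not check it; the second inner hunk shows its length test.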
@@ -0,0 +1,120 @@
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Florian Fainelli
+Date: Tue, 13 Mar 2018 14:45:07 -0700
+Subject: net: systemport: Rewrite __bcm_sysport_tx_reclaim()
+
+From: Florian Fainelli
+
+
+[ Upstream commit 484d802d0f2f29c335563fcac2a8facf174a1bbc ]
+
+There is no need for complex checking between the last consumed index
+and current consumed index, a simple subtraction will do.
+
+This also eliminates the possibility of a permanent transmit queue stall
+under the following conditions:
+
+- one CPU bursts ring->size worth of traffic (up to 256 buffers), to the
+ point where we run out of free descriptors, so we stop the transmit
+ queue at the end of bcm_sysport_xmit()
+
+- because of our locking, we have the transmit process disable
+ interrupts which means we can be blocking the TX reclamation process
+
+- when TX reclamation finally runs, we will be computing the difference
+ between ring->c_index (last consumed index by SW) and what the HW
+ reports through its register
+
+- this register is masked with (ring->size - 1) = 0xff, which will lead
+ to stripping the upper bits of the index (register is 16-bits wide)
+
+- we will be computing last_tx_cn as 0, which means there is no work to
+ be done, and we never wake-up the transmit queue, leaving it
+ permanently disabled
+
+A practical example is e.g: ring->c_index aka last_c_index = 12, we
+pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12,
+so last_tx_cn == 0, nothing happens.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 33 +++++++++++++----------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 -
+ 2 files changed, 16 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -729,37 +729,33 @@ static unsigned int __bcm_sysport_tx_rec
+ struct bcm_sysport_tx_ring *ring)
+ {
+ struct net_device *ndev = priv->netdev;
+- unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
+ unsigned int pkts_compl = 0, bytes_compl = 0;
++ unsigned int txbds_processed = 0;
+ struct bcm_sysport_cb *cb;
++ unsigned int txbds_ready;
++ unsigned int c_index;
+ u32 hw_ind;
+
+ /* Compute how many descriptors have been processed since last call */
+ hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
+ c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
+- ring->p_index = (hw_ind & RING_PROD_INDEX_MASK);
+-
+- last_c_index = ring->c_index;
+- num_tx_cbs = ring->size;
+-
+- c_index &= (num_tx_cbs - 1);
+-
+- if (c_index >= last_c_index)
+- last_tx_cn = c_index - last_c_index;
+- else
+- last_tx_cn = num_tx_cbs - last_c_index + c_index;
++ txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK;
+
+ netif_dbg(priv, tx_done, ndev,
+- "ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n",
+- ring->index, c_index, last_tx_cn, last_c_index);
++ "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
++ ring->index, ring->c_index, c_index, txbds_ready);
+
+- while (last_tx_cn-- > 0) {
+- cb = ring->cbs + last_c_index;
++ while (txbds_processed < txbds_ready) {
++ cb = &ring->cbs[ring->clean_index];
+ bcm_sysport_tx_reclaim_one(priv, cb, &bytes_compl, &pkts_compl);
+
+ ring->desc_count++;
+- last_c_index++;
+- last_c_index &= (num_tx_cbs - 1);
++ txbds_processed++;
++
++ if (likely(ring->clean_index < ring->size - 1))
++ ring->clean_index++;
++ else
++ ring->clean_index = 0;
+ }
+
+ ring->c_index = c_index;
+@@ -1229,6 +1225,7 @@ static int bcm_sysport_init_tx_ring(stru
+ netif_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64);
+ ring->index = index;
+ ring->size = size;
++ ring->clean_index = 0;
+ ring->alloc_size = ring->size;
+ ring->desc_cpu = p;
+ ring->desc_count = ring->size;
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -638,7 +638,7 @@ struct bcm_sysport_tx_ring {
+ unsigned int desc_count; /* Number of descriptors */
+ unsigned int curr_desc; /* Current descriptor */
+ unsigned int c_index; /* Last consumer index */
+- unsigned int p_index; /* Current producer index */
++ unsigned int clean_index; /* Current clean index */
+ struct bcm_sysport_cb *cbs; /* Transmit control blocks */
+ struct dma_desc *desc_cpu; /* CPU view of the descriptor */
+ struct bcm_sysport_priv *priv; /* private context backpointer */
diff --git a/queue-4.4/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch b/queue-4.4/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
new file mode 100644
index 00000000000..3c480c10b18
--- /dev/null
+++ b/queue-4.4/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
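Review bot: `txbds_ready` in __bcm_sysport_tx_reclaim() comes from the hardware index masked with `RING_CONS_INDEX_MASK` and is never compared with `ring->size`, so the reclaim loop trusts the register value completely. A value larger than the ring (for instance after a stale or inconsistent register read) would walk the control blocks more than once and push `ring->desc_count` past the number of descriptors; a guard before the loop such as `if (WARN_ON_ONCE(txbds_ready > ring->size)) txbds_ready = ring->size;` would contain that. `clean_index` is zeroed only in bcm_sysport_init_tx_ring() in these hunks; whether any other path resets `c_index` without it is outside what is shown here.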
@@ -0,0 +1,33 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Nicolas Dichtel
+Date: Wed, 14 Mar 2018 21:10:23 +0100
+Subject: netlink: avoid a double skb free in genlmsg_mcast()
+
+From: Nicolas Dichtel
+
+
+[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]
+
+nlmsg_multicast() consumes always the skb, thus the original skb must be
+freed only when this function is called with a clone.
+
+Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
+Reported-by: Ben Hutchings
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/genetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1143,7 +1143,7 @@ static int genlmsg_mcast(struct sk_buff
+ if (!err)
+ delivered = true;
+ else if (err != -ESRCH)
+- goto error;
++ return err;
+ return delivered ? 0 : -ESRCH;
+ error:
+ kfree_skb(skb);
diff --git a/queue-4.4/s390-qeth-free-netdevice-when-removing-a-card.patch b/queue-4.4/s390-qeth-free-netdevice-when-removing-a-card.patch
new file mode 100644
index 00000000000..3113a9812b1
--- /dev/null
+++ b/queue-4.4/s390-qeth-free-netdevice-when-removing-a-card.patch
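Review bot: The bare `return err;` in genlmsg_mcast() now bypasses the `error:` label that frees the skb, and nothing at that line says why skipping the free is safe. Per the commit message nlmsg_multicast() always consumes the skb, so add `/* skb already consumed by nlmsg_multicast() */` at the return; without it a later cleanup is likely to restore the `goto error` and bring the double free back. The call that sets `err` is above the hunk, so I am relying on the message for which call that is.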
@@ -0,0 +1,73 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann
+Date: Tue, 20 Mar 2018 07:59:12 +0100
+Subject: s390/qeth: free netdevice when removing a card
+
+From: Julian Wiedmann
+
+
+[ Upstream commit 6be687395b3124f002a653c1a50b3260222b3cd7 ]
+
+On removal, a qeth card's netdevice is currently not properly freed
+because the call chain looks as follows:
+
+qeth_core_remove_device(card)
+ lx_remove_device(card)
+ unregister_netdev(card->dev)
+ card->dev = NULL !!!
+ qeth_core_free_card(card)
+ if (card->dev) !!!
+ free_netdev(card->dev)
+
+Fix it by free'ing the netdev straight after unregistering. This also
+fixes the sysfs-driven layer switch case (qeth_dev_layer2_store()),
+where the need to free the current netdevice was not considered at all.
+
+Note that free_netdev() takes care of the netif_napi_del() for us too.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Signed-off-by: Julian Wiedmann
+Reviewed-by: Ursula Braun
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_core_main.c | 2 --
+ drivers/s390/net/qeth_l2_main.c | 2 +-
+ drivers/s390/net/qeth_l3_main.c | 2 +-
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4969,8 +4969,6 @@ static void qeth_core_free_card(struct q
+ QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
+ qeth_clean_channel(&card->read);
+ qeth_clean_channel(&card->write);
+- if (card->dev)
+- free_netdev(card->dev);
+ kfree(card->ip_tbd_list);
+ qeth_free_qdio_buffers(card);
+ unregister_service_level(&card->qeth_service_level);
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1062,8 +1062,8 @@ static void qeth_l2_remove_device(struct
+ qeth_l2_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+ return;
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3243,8 +3243,8 @@ static void qeth_l3_remove_device(struct
+ qeth_l3_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+
diff --git a/queue-4.4/s390-qeth-lock-read-device-while-queueing-next-buffer.patch b/queue-4.4/s390-qeth-lock-read-device-while-queueing-next-buffer.patch
new file mode 100644
index 00000000000..3f85904318e
--- /dev/null
+++ b/queue-4.4/s390-qeth-lock-read-device-while-queueing-next-buffer.patch
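Review bot: After this change qeth_core_free_card() no longer frees `card->dev`, so the netdevice is released only if the discipline's remove callback ran first; any path that reaches qeth_core_free_card() with `card->dev` still set would now leak it instead of freeing it. The hunks do not show whether such a path exists in the 4.4 tree, so that is worth confirming for the backport. A comment where the two lines were removed, such as `/* card->dev is freed by the discipline's remove_device callback */`, would record the new ownership. In qeth_l2_remove_device() and qeth_l3_remove_device() the pointer is stale between `free_netdev(card->dev);` and `card->dev = NULL;`, so those two statements should stay adjacent.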
@@ -0,0 +1,62 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann
+Date: Tue, 20 Mar 2018 07:59:14 +0100
+Subject: s390/qeth: lock read device while queueing next buffer
+
+From: Julian Wiedmann
+
+
+[ Upstream commit 17bf8c9b3d499d5168537c98b61eb7a1fcbca6c2 ]
+
+For calling ccw_device_start(), issue_next_read() needs to hold the
+device's ccwlock.
+This is satisfied for the IRQ handler path (where qeth_irq() gets called
+under the ccwlock), but we need explicit locking for the initial call by
+the MPC initialization.
+
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_core_main.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -517,8 +517,7 @@ static inline int qeth_is_cq(struct qeth
+ queue == card->qdio.no_in_queues - 1;
+ }
+
+-
+-static int qeth_issue_next_read(struct qeth_card *card)
++static int __qeth_issue_next_read(struct qeth_card *card)
+ {
+ int rc;
+ struct qeth_cmd_buffer *iob;
+@@ -549,6 +548,17 @@ static int qeth_issue_next_read(struct q
+ return rc;
+ }
+
++static int qeth_issue_next_read(struct qeth_card *card)
++{
++ int ret;
++
++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++ ret = __qeth_issue_next_read(card);
++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++
++ return ret;
++}
++
+ static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card)
+ {
+ struct qeth_reply *reply;
+@@ -1174,7 +1184,7 @@ static void qeth_irq(struct ccw_device *
+ return;
+ if (channel == &card->read &&
+ channel->state == CH_STATE_UP)
+- qeth_issue_next_read(card);
++ __qeth_issue_next_read(card);
+
+ iob = channel->iob;
+ index = channel->buf_no;
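Review bot: The locking contract of `__qeth_issue_next_read()` is carried only by its name: the helper must now be entered with the read device's ccwlock held, and the code neither enforces nor documents that. Adding `lockdep_assert_held(get_ccwdev_lock(CARD_RDEV(card)));` at the top of the helper would catch a caller that picks the wrong variant. The new wrapper uses `spin_lock_irq()`/`spin_unlock_irq()`, which re-enables interrupts unconditionally on unlock, so it is only correct for callers running with interrupts enabled. The commit message names the MPC initialization as that caller, but the remaining callers lie outside the hunks and should be checked, or the wrapper switched to `spin_lock_irqsave()`.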
diff --git a/queue-4.4/s390-qeth-on-channel-error-reject-further-cmd-requests.patch b/queue-4.4/s390-qeth-on-channel-error-reject-further-cmd-requests.patch
new file mode 100644
index 00000000000..a03d61f162f
--- /dev/null
+++ b/queue-4.4/s390-qeth-on-channel-error-reject-further-cmd-requests.patch
@@ -0,0 +1,38 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann
+Date: Tue, 20 Mar 2018 07:59:15 +0100
+Subject: s390/qeth: on channel error, reject further cmd requests
+
+From: Julian Wiedmann
+
+
+[ Upstream commit a6c3d93963e4b333c764fde69802c3ea9eaa9d5c ]
+
+When the IRQ handler determines that one of the cmd IO channels has
+failed and schedules recovery, block any further cmd requests from
+being submitted. The request would inevitably stall, and prevent the
+recovery from making progress until the request times out.
+
+This sort of error was observed after Live Guest Relocation, where
+the pending IO on the READ channel intentionally gets terminated to
+kick-start recovery. Simultaneously the guest executed SIOCETHTOOL,
+triggering qeth to issue a QUERY CARD INFO command. The command
+then stalled in the inoperabel WRITE channel.
+
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_core_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -1166,6 +1166,7 @@ static void qeth_irq(struct ccw_device *
+ }
+ rc = qeth_get_problem(cdev, irb);
+ if (rc) {
++ card->read_or_write_problem = 1;
+ qeth_clear_ipacmd_list(card);
+ qeth_schedule_recovery(card);
+ goto out;
diff --git a/queue-4.4/s390-qeth-when-thread-completes-wake-up-all-waiters.patch b/queue-4.4/s390-qeth-when-thread-completes-wake-up-all-waiters.patch
new file mode 100644
index 00000000000..02831702c24
--- /dev/null
+++ b/queue-4.4/s390-qeth-when-thread-completes-wake-up-all-waiters.patch
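Review bot: `card->read_or_write_problem = 1;` is set in qeth_irq(), but the hunk shows neither where the flag is tested nor where it is cleared again. If recovery is what resets it (presumably, given the commit message), a recovery that fails or never runs would leave every later command rejected, so the reset point deserves a check in the 4.4 tree. A short comment on the added line would state the intent, e.g. `/* reject new cmds until recovery resets this flag */`. The body of qeth_irq() extends beyond the hunk on both sides.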
@@ -0,0 +1,33 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann
+Date: Tue, 20 Mar 2018 07:59:13 +0100
+Subject: s390/qeth: when thread completes, wake up all waiters
+
+From: Julian Wiedmann
+
+
+[ Upstream commit 1063e432bb45be209427ed3f1ca3908e4aa3c7d7 ]
+
+qeth_wait_for_threads() is potentially called by multiple users, make
+sure to notify all of them after qeth_clear_thread_running_bit()
+adjusted the thread_running_mask. With no timeout, callers would
+otherwise stall.
+
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_core_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -952,7 +952,7 @@ void qeth_clear_thread_running_bit(struc
+ spin_lock_irqsave(&card->thread_mask_lock, flags);
+ card->thread_running_mask &= ~thread;
+ spin_unlock_irqrestore(&card->thread_mask_lock, flags);
+- wake_up(&card->wait_q);
++ wake_up_all(&card->wait_q);
+ }
+ EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit);
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 853dea4b3c6..a8dcc0ede95 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,2 +1,20 @@
 scsi-sg-don-t-return-bogus-sg_requests.patch
 genirq-track-whether-the-trigger-type-has-been-set.patch
+net-fix-hlist-corruptions-in-inet_evict_bucket.patch
+dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
+ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
+l2tp-do-not-accept-arbitrary-sockets.patch
+net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
+net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
+net-iucv-free-memory-obtained-by-kzalloc.patch
+netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
+net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
+skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
+team-fix-double-free-in-error-path.patch
+s390-qeth-free-netdevice-when-removing-a-card.patch
+s390-qeth-when-thread-completes-wake-up-all-waiters.patch
+s390-qeth-lock-read-device-while-queueing-next-buffer.patch
+s390-qeth-on-channel-error-reject-further-cmd-requests.patch
+ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
+net-fec-fix-unbalanced-pm-runtime-calls.patch
+net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
diff --git a/queue-4.4/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch b/queue-4.4/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
new file mode 100644
index 00000000000..dea2cbb42e4
--- /dev/null
+++ b/queue-4.4/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
@@ -0,0 +1,37 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Vinicius Costa Gomes
+Date: Wed, 14 Mar 2018 13:32:09 -0700
+Subject: skbuff: Fix not waking applications when errors are enqueued
+
+From: Vinicius Costa Gomes
+
+
+[ Upstream commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 ]
+
+When errors are enqueued to the error queue via sock_queue_err_skb()
+function, it is possible that the waiting application is not notified.
+
+Calling 'sk->sk_data_ready()' would not notify applications that
+selected only POLLERR events in poll() (for example).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Randy E. Witt
+Reviewed-by: Eric Dumazet
+Signed-off-by: Vinicius Costa Gomes
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3571,7 +3571,7 @@ int sock_queue_err_skb(struct sock *sk,
+
+ skb_queue_tail(&sk->sk_error_queue, skb);
+ if (!sock_flag(sk, SOCK_DEAD))
+- sk->sk_data_ready(sk);
++ sk->sk_error_report(sk);
+ return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
diff --git a/queue-4.4/team-fix-double-free-in-error-path.patch b/queue-4.4/team-fix-double-free-in-error-path.patch
new file mode 100644
index 00000000000..7e0d19b13a3
--- /dev/null
+++ b/queue-4.4/team-fix-double-free-in-error-path.patch
@@ -0,0 +1,47 @@
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Arkadi Sharshevsky
+Date: Thu, 8 Mar 2018 12:42:10 +0200
+Subject: team: Fix double free in error path
+
+From: Arkadi Sharshevsky
+
+
+[ Upstream commit cbcc607e18422555db569b593608aec26111cb0b ]
+
+The __send_and_alloc_skb() receives a skb ptr as a parameter but in
+case it fails the skb is not valid:
+- Send failed and released the skb internally.
+- Allocation failed.
+
+The current code tries to release the skb in case of failure which
+causes redundant freeing.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Arkadi Sharshevsky
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2380,7 +2380,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+
+@@ -2660,7 +2660,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+
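Review bot: Both changed call sites (the inner hunks at -2380 and -2660) now rely on `__send_and_alloc_skb()` leaving `skb` unusable on failure, yet the local pointer may still hold the old value after the call and the code does not say it must not be freed. A comment above each `return err;` would make the rule explicit, e.g. `/* on failure skb was already freed or never allocated */`. Clearing the caller's pointer inside the helper on failure would be a sturdier alternative, though the helper is not part of this patch and its body is not visible here. The enclosing functions start and end outside the hunks, so whether other paths still reach `errout` with a valid skb cannot be checked from this view.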