From: Greg Kroah-Hartman Date: Sat, 12 Mar 2016 07:03:54 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v4.4.6~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=241ffb2b61a5d6745b8f6dda0de344e94c5c76a3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch kvm-vmx-disable-pebs-before-a-guest-entry.patch mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch powerpc-fix-dedotify-for-binutils-2.26.patch tracing-fix-check-for-cpu-online-when-event-is-disabled.patch wext-fix-message-delay-ordering.patch
---
diff --git a/queue-3.10/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.10/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644
index 00000000000..83fb7787139
--- /dev/null
+++ b/queue-3.10/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
@@ -0,0 +1,60 @@
+From d0784829ae3b0beeb69b476f017d5c8a2eb95198 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 29 Feb 2016 18:01:12 +0100
+Subject: ASoC: wm8958: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai
+
+commit d0784829ae3b0beeb69b476f017d5c8a2eb95198 upstream.
+
+"MBC Mode", "VSS Mode", "VSS HPF Mode" and "Enhanced EQ Mode" ctls in
+wm8958 codec driver are enum, while the current driver accesses
+wrongly via value.integer.value[]. They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm8958-dsp2.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/codecs/wm8958-dsp2.c
++++ b/sound/soc/codecs/wm8958-dsp2.c
+@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct sn
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct sn
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struc
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -749,7 +749,7 @@ static int wm8958_put_enh_eq_enum(struct
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
diff --git a/queue-3.10/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.10/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644
index 00000000000..8948ae50024
--- /dev/null
+++ b/queue-3.10/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
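Review bot: `value` stays a signed `int` in all four wm8958 put handlers, and likewise in `wm8994_put_drc_enum()` and `wm8994_put_retune_mobile_enum()` in the wm8994 patch of this same commit, while `value.enumerated.item[0]` is an `unsigned int` supplied by userspace, so an item above INT_MAX arrives as a negative number. The range check that follows is outside these hunks; if it only tests an upper bound with a signed comparison, a negative `value` would pass it and later serve as a configuration index. Declaring it `unsigned int value = ucontrol->value.enumerated.item[0];` would make an upper-bound test sufficient (assuming the count it is compared with is never negative), or add `if (value < 0) return -EINVAL;` next to the existing check.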
@@ -0,0 +1,42 @@
+From 8019c0b37cd5a87107808300a496388b777225bf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 29 Feb 2016 18:01:15 +0100
+Subject: ASoC: wm8994: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai
+
+commit 8019c0b37cd5a87107808300a496388b777225bf upstream.
+
+The DRC Mode like "AIF1DRC1 Mode" and EQ Mode like "AIF1.1 EQ Mode" in
+wm8994 codec driver are enum ctls, while the current driver accesses
+wrongly via value.integer.value[]. They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm8994.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -361,7 +361,7 @@ static int wm8994_put_drc_enum(struct sn
+ struct wm8994 *control = wm8994->wm8994;
+ struct wm8994_pdata *pdata = &control->pdata;
+ int drc = wm8994_get_drc(kcontrol->id.name);
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+
+ if (drc < 0)
+ return drc;
+@@ -468,7 +468,7 @@ static int wm8994_put_retune_mobile_enum
+ struct wm8994 *control = wm8994->wm8994;
+ struct wm8994_pdata *pdata = &control->pdata;
+ int block = wm8994_get_retune_mobile_block(kcontrol->id.name);
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+
+ if (block < 0)
+ return block;
diff --git a/queue-3.10/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch b/queue-3.10/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
new file mode 100644
index 00000000000..fc3ca029229
--- /dev/null
+++ b/queue-3.10/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
@@ -0,0 +1,47 @@
+From fb896c44f88a75843a072cd6961b1615732f7811 Mon Sep 17 00:00:00 2001
+From: Liad Kaufman
+Date: Sun, 14 Feb 2016 15:32:58 +0200
+Subject: iwlwifi: mvm: inc pending frames counter also when txing non-sta
+
+From: Liad Kaufman
+
+commit fb896c44f88a75843a072cd6961b1615732f7811 upstream.
+
+Until this patch, when TXing non-sta the pending_frames counter
+wasn't increased, but it WAS decreased in
+iwl_mvm_rx_tx_cmd_single(), what makes it negative in certain
+conditions. This in turn caused much trouble when we need to
+remove the station since we won't be waiting forever until
+pending_frames gets 0. In certain cases, we were exhausting
+the station table even in BSS mode, because we had a lot of
+stale stations.
+
+Increase the counter also in iwl_mvm_tx_skb_non_sta() after a
+successful TX to avoid this outcome.
+
+Signed-off-by: Liad Kaufman
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
+@@ -340,6 +340,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ return -1;
+ }
+
++ /*
++ * Increase the pending frames counter, so that later when a reply comes
++ * in and the counter is decreased - we don't start getting negative
++ * values.
++ * Note that we don't need to make sure it isn't agg'd, since we're
++ * TXing non-sta
++ */
++ atomic_inc(&mvm->pending_frames[sta_id]);
++
+ return 0;
+ }
+
diff --git a/queue-3.10/kvm-vmx-disable-pebs-before-a-guest-entry.patch b/queue-3.10/kvm-vmx-disable-pebs-before-a-guest-entry.patch
new file mode 100644
index 00000000000..38b7ff5259a
--- /dev/null
+++ b/queue-3.10/kvm-vmx-disable-pebs-before-a-guest-entry.patch
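Review bot: `atomic_inc(&mvm->pending_frames[sta_id])` uses `sta_id` as an array index, and the lines that establish its value and range are outside this hunk, so it cannot be confirmed here that every id passed to `iwl_mvm_tx_skb_non_sta()` is below the length of `pending_frames`. If callers can pass a sentinel or otherwise out-of-range id, guard the increment, e.g. `if (sta_id < ARRAY_SIZE(mvm->pending_frames))` (assuming `pending_frames` is a fixed-size array), and apply the same test at the matching decrement. If the range is guaranteed by the callers, a one-line comment naming that invariant next to the increment would be enough.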
@@ -0,0 +1,76 @@
+From 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Fri, 4 Mar 2016 15:08:42 +0100
+Subject: KVM: VMX: disable PEBS before a guest entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář
+
+commit 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef upstream.
+
+Linux guests on Haswell (and also SandyBridge and Broadwell, at least)
+would crash if you decided to run a host command that uses PEBS, like
+ perf record -e 'cpu/mem-stores/pp' -a
+
+This happens because KVM is using VMX MSR switching to disable PEBS, but
+SDM [2015-12] 18.4.4.4 Re-configuring PEBS Facilities explains why it
+isn't safe:
+ When software needs to reconfigure PEBS facilities, it should allow a
+ quiescent period between stopping the prior event counting and setting
+ up a new PEBS event. The quiescent period is to allow any latent
+ residual PEBS records to complete its capture at their previously
+ specified buffer address (provided by IA32_DS_AREA).
+
+There might not be a quiescent period after the MSR switch, so a CPU
+ends up using host's MSR_IA32_DS_AREA to access an area in guest's
+memory. (Or MSR switching is just buggy on some models.)
+
+The guest can learn something about the host this way:
+If the guest doesn't map address pointed by MSR_IA32_DS_AREA, it results
+in #PF where we leak host's MSR_IA32_DS_AREA through CR2.
+
+After that, a malicious guest can map and configure memory where
+MSR_IA32_DS_AREA is pointing and can therefore get an output from
+host's tracing.
+
+This is not a critical leak as the host must initiate with PEBS tracing
+and I have not been able to get a record from more than one instruction
+before vmentry in vmx_vcpu_run() (that place has most registers already
+overwritten with guest's).
+
+We could disable PEBS just few instructions before vmentry, but
+disabling it earlier shouldn't affect host tracing too much.
+We also don't need to switch MSR_IA32_PEBS_ENABLE on VMENTRY, but that
+optimization isn't worth its code, IMO.
+
+(If you are implementing PEBS for guests, be sure to handle the case
+ where both host and guest enable PEBS, because this patch doesn't.)
+
+Fixes: 26a4f3c08de4 ("perf/x86: disable PEBS on a guest entry.")
+Reported-by: Jiří Olša
+Signed-off-by: Radim Krčmář
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1487,6 +1487,13 @@ static void add_atomic_switch_msr(struct
+ return;
+ }
+ break;
++ case MSR_IA32_PEBS_ENABLE:
++ /* PEBS needs a quiescent period after being disabled (to write
++ * a record). Disabling PEBS through VMX MSR swapping doesn't
++ * provide that period, so a CPU could write host's record into
++ * guest's memory.
++ */
++ wrmsrl(MSR_IA32_PEBS_ENABLE, 0);
+ }
+
+ for (i = 0; i < m->nr; ++i)
diff --git a/queue-3.10/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch b/queue-3.10/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
new file mode 100644
index 00000000000..bfa160244be
--- /dev/null
+++ b/queue-3.10/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
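Review bot: The new `case MSR_IA32_PEBS_ENABLE:` in `add_atomic_switch_msr()` is the last label of the switch and ends without a `break;`, while the case before it ends in one; adding `break;` after the `wrmsrl()` means a case appended below later is not entered by fall-through. The comment could also state that the quiescent period is provided only by the code that runs between `wrmsrl(MSR_IA32_PEBS_ENABLE, 0)` and VM entry, not by an explicit wait, since per the commit message that gap is what keeps a host PEBS record and the host's MSR_IA32_DS_AREA from reaching the guest. The description says a guest that enables PEBS itself is not handled; recording that beside the code, e.g. `/* guest-enabled PEBS is not handled here */`, would keep the limitation visible. The switch and the function start outside the hunk.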
@@ -0,0 +1,52 @@
+From f39ea2690bd61efec97622c48323f40ed6e16317 Mon Sep 17 00:00:00 2001
+From: Chris Bainbridge
+Date: Wed, 27 Jan 2016 15:46:18 +0000
+Subject: mac80211: fix use of uninitialised values in RX aggregation
+
+From: Chris Bainbridge
+
+commit f39ea2690bd61efec97622c48323f40ed6e16317 upstream.
+
+Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
+initialize the "removed" field (all others are initialized
+manually). That fixes:
+
+UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
+load of value 2 is not a valid value for type '_Bool'
+CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
+Workqueue: phy0 rt2x00usb_work_rxdone
+ 0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
+ ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
+ ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
+Call Trace:
+ [] dump_stack+0x45/0x5f
+ [] ubsan_epilogue+0xd/0x40
+ [] __ubsan_handle_load_invalid_value+0x67/0x70
+ [] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
+ [] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
+ [] __ieee80211_rx_handle_packet+0x1f3/0x750
+ [] ieee80211_rx_napi+0x447/0x990
+
+While at it, convert to use sizeof(*tid_agg_rx) instead.
+
+Fixes: 788211d81bfdf ("mac80211: fix RX A-MPDU session reorder timer deletion")
+Signed-off-by: Chris Bainbridge
+[reword commit message, use sizeof(*tid_agg_rx)]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/agg-rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(str
+ }
+
+ /* prepare A-MPDU MLME for Rx aggregation */
+- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
++ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
+ if (!tid_agg_rx)
+ goto end;
+
diff --git a/queue-3.10/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch b/queue-3.10/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
new file mode 100644
index 00000000000..ca232ed2f7d
--- /dev/null
+++ b/queue-3.10/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
@@ -0,0 +1,40 @@
+From 7a36b930e6ed4702c866dc74a5ad07318a57c688 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Thu, 18 Feb 2016 19:49:18 +0100
+Subject: mac80211: minstrel_ht: set default tx aggregation timeout to 0
+
+From: Felix Fietkau
+
+commit 7a36b930e6ed4702c866dc74a5ad07318a57c688 upstream.
+
+The value 5000 was put here with the addition of the timeout field to
+ieee80211_start_tx_ba_session. It was originally added in mac80211 to
+save resources for drivers like iwlwifi, which only supports a limited
+number of concurrent aggregation sessions.
+
+Since iwlwifi does not use minstrel_ht and other drivers don't need
+this, 0 is a better default - especially since there have been
+recent reports of aggregation setup related issues reproduced with
+ath9k. This should improve stability without causing any adverse
+effects.
+
+Acked-by: Avery Pennarun
+Signed-off-by: Felix Fietkau
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rc80211_minstrel_ht.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -454,7 +454,7 @@ minstrel_aggr_check(struct ieee80211_sta
+ if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO)
+ return;
+
+- ieee80211_start_tx_ba_session(pubsta, tid, 5000);
++ ieee80211_start_tx_ba_session(pubsta, tid, 0);
+ }
+
+ static void
diff --git a/queue-3.10/powerpc-fix-dedotify-for-binutils-2.26.patch b/queue-3.10/powerpc-fix-dedotify-for-binutils-2.26.patch
new file mode 100644
index 00000000000..e6fb486b206
--- /dev/null
+++ b/queue-3.10/powerpc-fix-dedotify-for-binutils-2.26.patch
@@ -0,0 +1,37 @@
+From f15838e9cac8f78f0cc506529bb9d3b9fa589c1f Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Fri, 5 Feb 2016 19:50:03 +0100
+Subject: powerpc: Fix dedotify for binutils >= 2.26
+
+From: Andreas Schwab
+
+commit f15838e9cac8f78f0cc506529bb9d3b9fa589c1f upstream.
+
+Since binutils 2.26 BFD is doing suffix merging on STRTAB sections. But
+dedotify modifies the symbol names in place, which can also modify
+unrelated symbols with a name that matches a suffix of a dotted name. To
+remove the leading dot of a symbol name we can just increment the pointer
+into the STRTAB section instead.
+
+Backport to all stables to avoid breakage when people update their
+binutils - mpe.
+
+Signed-off-by: Andreas Schwab
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/module_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/module_64.c
++++ b/arch/powerpc/kernel/module_64.c
+@@ -192,7 +192,7 @@ static void dedotify(Elf64_Sym *syms, un
+ if (syms[i].st_shndx == SHN_UNDEF) {
+ char *name = strtab + syms[i].st_name;
+ if (name[0] == '.')
+- memmove(name, name+1, strlen(name));
++ syms[i].st_name++;
+ }
+ }
+ }
diff --git a/queue-3.10/series b/queue-3.10/series
new file mode 100644
index 00000000000..7a202d94632
--- /dev/null
+++ b/queue-3.10/series
@@ -0,0 +1,9 @@
+kvm-vmx-disable-pebs-before-a-guest-entry.patch
+tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
+asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
+asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
+wext-fix-message-delay-ordering.patch
+iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
+mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
+mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
+powerpc-fix-dedotify-for-binutils-2.26.patch
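Review bot: `syms[i].st_name++` in `dedotify()` carries no comment saying why the name is no longer rewritten in place, and the reason is not obvious from the code: per the commit message, a suffix-merged STRTAB lets several symbols share the same bytes, so editing one name can corrupt another. I would add above the increment `/* strtab may be suffix-merged: skip the dot by advancing st_name, never edit the string */`. The loop and the function start outside the hunk.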
diff --git a/queue-3.10/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch b/queue-3.10/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
new file mode 100644
index 00000000000..e3df672030f
--- /dev/null
+++ b/queue-3.10/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
@@ -0,0 +1,72 @@
+From dc17147de328a74bbdee67c1bf37d2f1992de756 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 9 Mar 2016 11:58:41 -0500
+Subject: tracing: Fix check for cpu online when event is disabled
+
+From: Steven Rostedt (Red Hat)
+
+commit dc17147de328a74bbdee67c1bf37d2f1992de756 upstream.
+
+Commit f37755490fe9b ("tracepoints: Do not trace when cpu is offline") added
+a check to make sure that tracepoints only get called when the cpu is
+online, as it uses rcu_read_lock_sched() for protection.
+
+Commit 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints
+are disabled") added lockdep checks (including rcu checks) for events that
+are not enabled to catch possible RCU issues that would only be triggered if
+a trace event was enabled. Commit f37755490fe9b only stopped the warnings
+when the trace event was enabled but did not prevent warnings if the trace
+event was called when disabled.
+
+To fix this, the cpu online check is moved to where the condition is added
+to the trace event. This will place the cpu online check in all places that
+it may be used now and in the future.
+
+Fixes: f37755490fe9b ("tracepoints: Do not trace when cpu is offline")
+Fixes: 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints are disabled")
+Reported-by: Sudeep Holla
+Tested-by: Sudeep Holla
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/tracepoint.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -129,9 +129,6 @@ static inline void tracepoint_synchroniz
+ void *it_func; \
+ void *__data; \
+ \
+- if (!cpu_online(raw_smp_processor_id())) \
+- return; \
+- \
+ if (!(cond)) \
+ return; \
+ prercu; \
+@@ -265,15 +262,19 @@ static inline void tracepoint_synchroniz
+ * "void *__data, proto" as the callback prototype.
+ */
+ #define DECLARE_TRACE_NOARGS(name) \
+- __DECLARE_TRACE(name, void, , 1, void *__data, __data)
++ __DECLARE_TRACE(name, void, , \
++ cpu_online(raw_smp_processor_id()), \
++ void *__data, __data)
+
+ #define DECLARE_TRACE(name, proto, args) \
+- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1, \
+- PARAMS(void *__data, proto), \
+- PARAMS(__data, args))
++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
++ cpu_online(raw_smp_processor_id()), \
++ PARAMS(void *__data, proto), \
++ PARAMS(__data, args))
+
+ #define DECLARE_TRACE_CONDITION(name, proto, args, cond) \
+- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \
++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
++ cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \
+ PARAMS(void *__data, proto), \
+ PARAMS(__data, args))
+
diff --git a/queue-3.10/wext-fix-message-delay-ordering.patch b/queue-3.10/wext-fix-message-delay-ordering.patch
new file mode 100644
index 00000000000..a683e9919f7
--- /dev/null
+++ b/queue-3.10/wext-fix-message-delay-ordering.patch
@@ -0,0 +1,122 @@
+From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 27 Jan 2016 12:37:52 +0100
+Subject: wext: fix message delay/ordering
+
+From: Johannes Berg
+
+commit 8bf862739a7786ae72409220914df960a0aa80d8 upstream.
+
+Beniamino reported that he was getting an RTM_NEWLINK message for a
+given interface, after the RTM_DELLINK for it. It turns out that the
+message is a wireless extensions message, which was sent because the
+interface had been connected and disconnection while it was deleted
+caused a wext message.
+
+For its netlink messages, wext uses RTM_NEWLINK, but the message is
+without all the regular rtnetlink attributes, so "ip monitor link"
+prints just rudimentary information:
+
+5: wlan1: mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+Deleted 5: wlan1: mtu 1500 qdisc noop state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1:
+ link/ether
+(from my hwsim reproduction)
+
+This can cause userspace to get confused since it doesn't expect an
+RTM_NEWLINK message after RTM_DELLINK.
+
+The reason for this is that wext schedules a worker to send out the
+messages, and the scheduling delay can cause the messages to get out
+to userspace in different order.
+
+To fix this, have wext register a netdevice notifier and flush out
+any pending messages when netdevice state changes. This fixes any
+ordering whenever the original message wasn't sent by a notifier
+itself.
+
+Reported-by: Beniamino Galvani
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-core.c | 51 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,6 +342,39 @@ static const int compat_event_type_size[
+
+ /* IW event code */
+
++static void wireless_nlevent_flush(void)
++{
++ struct sk_buff *skb;
++ struct net *net;
++
++ ASSERT_RTNL();
++
++ for_each_net(net) {
++ while ((skb = skb_dequeue(&net->wext_nlevents)))
++ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
++ GFP_KERNEL);
++ }
++}
++
++static int wext_netdev_notifier_call(struct notifier_block *nb,
++ unsigned long state, void *ptr)
++{
++ /*
++ * When a netdev changes state in any way, flush all pending messages
++ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
++ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
++ * or similar - all of which could otherwise happen due to delays from
++ * schedule_work().
++ */
++ wireless_nlevent_flush();
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block wext_netdev_notifier = {
++ .notifier_call = wext_netdev_notifier_call,
++};
++
+ static int __net_init wext_pernet_init(struct net *net)
+ {
+ skb_queue_head_init(&net->wext_nlevents);
+@@ -360,7 +393,12 @@ static struct pernet_operations wext_per
+
+ static int __init wireless_nlevent_init(void)
+ {
+- return register_pernet_subsys(&wext_pernet_ops);
++ int err = register_pernet_subsys(&wext_pernet_ops);
++
++ if (err)
++ return err;
++
++ return register_netdevice_notifier(&wext_netdev_notifier);
+ }
+
+ subsys_initcall(wireless_nlevent_init);
+@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
+ /* Process events generated by the wireless layer or the driver. */
+ static void wireless_nlevent_process(struct work_struct *work)
+ {
+- struct sk_buff *skb;
+- struct net *net;
+-
+ rtnl_lock();
+-
+- for_each_net(net) {
+- while ((skb = skb_dequeue(&net->wext_nlevents)))
+- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
+- GFP_KERNEL);
+- }
+-
++ wireless_nlevent_flush();
+ rtnl_unlock();
+ }
+
diff --git a/queue-3.14/series b/queue-3.14/series
new file mode 100644
index 00000000000..1ea95521b32
--- /dev/null
+++ b/queue-3.14/series
@@ -0,0 +1,10 @@
+kvm-vmx-disable-pebs-before-a-guest-entry.patch
+kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
+tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
+asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
+asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
+wext-fix-message-delay-ordering.patch
+iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
+mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
+mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
+powerpc-fix-dedotify-for-binutils-2.26.patch
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..e0325e4487c
--- /dev/null
+++ b/queue-4.4/series
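Review bot: In `wireless_nlevent_init()` a failure of `register_netdevice_notifier()` is returned while the pernet subsystem registered just before it stays registered; the error path should undo the first registration with `unregister_pernet_subsys(&wext_pernet_ops)` before returning. Separately, `wext_netdev_notifier_call()` depends on every netdevice notification arriving with RTNL held, because `wireless_nlevent_flush()` asserts it with `ASSERT_RTNL()`; a one-line comment in the notifier stating that assumption would make it explicit.

```c
static int __init wireless_nlevent_init(void)
{
	int err = register_pernet_subsys(&wext_pernet_ops);

	if (err)
		return err;

	err = register_netdevice_notifier(&wext_netdev_notifier);
	if (err)
		unregister_pernet_subsys(&wext_pernet_ops);

	return err;
}
```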
@@ -0,0 +1,42 @@
+arm64-account-for-sparsemem-section-alignment-when-choosing-vmemmap-offset.patch
+arm-mvebu-fix-overlap-of-crypto-sram-with-pcie-memory-window.patch
+arm-dts-dra7-do-not-gate-cpsw-clock-due-to-errata-i877.patch
+arm-omap2-hwmod-introduce-ti-no-idle-dt-property.patch
+pci-allow-a-null-parent-pointer-in-pci_bus_assign_domain_nr.patch
+kvm-cap-halt-polling-at-exactly-halt_poll_ns.patch
+kvm-vmx-disable-pebs-before-a-guest-entry.patch
+kvm-s390-correct-fprs-on-sigp-stop-and-store-status.patch
+kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
+kvm-mmu-fix-ept-0-pte.u-1-pte.w-0-cr0.wp-0-cr4.smep-1-efer.nx-0-combo.patch
+kvm-mmu-fix-reserved-bit-check-for-ept-0-cr0.wp-0-cr4.smep-1-efer.nx-0.patch
+s390-mm-four-page-table-levels-vs.-fork.patch
+s390-dasd-fix-diag-0x250-inline-assembly.patch
+tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
+dmaengine-at_xdmac-fix-residue-computation.patch
+jffs2-reduce-the-breakage-on-recovery-from-halfway-failed-rename.patch
+ncpfs-fix-a-braino-in-oom-handling-in-ncp_fill_cache.patch
+asoc-dapm-fix-ctl-value-accesses-in-a-wrong-type.patch
+asoc-samsung-use-irq-safe-spin-lock-calls.patch
+asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
+asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
+ovl-ignore-lower-entries-when-checking-purity-of-non-directory-entries.patch
+ovl-fix-working-on-distributed-fs-as-lower-layer.patch
+wext-fix-message-delay-ordering.patch
+cfg80211-wext-fix-message-ordering.patch
+can-gs_usb-fixed-disconnect-bug-by-removing-erroneous-use-of-kfree.patch
+iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
+mac80211-minstrel-change-expected-throughput-unit-back-to-kbps.patch
+mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
+mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
+mac80211-minstrel_ht-fix-a-logic-error-in-rts-cts-handling.patch
+mac80211-check-pn-correctly-for-gcmp-encrypted-fragmented-mpdus.patch
+mac80211-fix-public-action-frame-rx-in-ap-mode.patch
+gpu-ipu-v3-do-not-bail-out-on-missing-optional-port-nodes.patch
+x86-mm-fix-slow_virt_to_phys-for-x86_pae-again.patch
+revert-drm-radeon-call-hpd_irq_event-on-resume.patch
+drm-amdgpu-fix-error-handling-in-amdgpu_flip_work_func.patch
+drm-radeon-fix-error-handling-in-radeon_flip_work_func.patch
+revert-drm-radeon-pm-adjust-display-configuration-after-powerstate.patch
+powerpc-fix-dedotify-for-binutils-2.26.patch
+powerpc-powernv-add-a-kmsg_dumper-that-flushes-console-output-on-panic.patch
+powerpc-powernv-fix-opal_console_flush-prototype-and-usages.patch