From: Greg Kroah-Hartman Date: Tue, 17 Nov 2015 22:40:24 +0000 (-0800) Subject: 4.2-stable patches X-Git-Tag: v3.10.94~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e3b2f827d42eec106b3158df5de41d859086f6d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: amd-xgbe-fix-race-between-access-of-desc-and-desc-index.patch amd-xgbe-use-wmb-before-updating-current-descriptor-count.patch bonding-fix-panic-on-non-arphrd_ether-enslave-failure.patch fib_trie-leaf_walk_rcu-should-not-compute-key-if-key-is-less-than-pn-key.patch ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch ipv4-disable-bh-when-changing-ip-local-port-range.patch ipv4-fix-to-not-remove-local-route-on-link-down.patch ipv4-update-rtnh_f_linkdown-flag-on-up-event.patch ipv6-clean-up-dev_snmp6-proc-entry-when-we-fail-to-initialize-inet6_dev.patch ipv6-gre-support-sit-encapsulation.patch irda-precedence-bug-in-irlmp_seq_hb_idx.patch macvtap-unbreak-receiving-of-gro-skb-with-frag-list.patch net-avoid-null-deref-in-inet_ctl_sock_destroy.patch net-fec-normalize-return-value-of-pm_runtime_get_sync-in-mdio-write.patch net-fec-remove-unneeded-use-of-is_err_value-macro.patch net-fix-a-race-in-dst_release.patch net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch netlink-fix-locking-around-netlink_list_memberships.patch packet-race-condition-in-packet_bind.patch ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch qmi_wwan-add-sierra-wireless-mc74xx-em74xx.patch qmi_wwan-fix-entry-for-hp-lt4112-lte-hspa-gobi-4g-module.patch rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch sfc-push-partner-queue-for-skb-xmit_more.patch sit-fix-sit0-percpu-double-allocations.patch stmmac-correctly-report-ptp-capabilities.patch tcp-remove-improper-preemption-check-in-tcp_xmit_probe_skb.patch tipc-allow-non-linear-first-fragment-buffer.patch tipc-linearize-arriving-name_distr-and-link_proto-buffers.patch --- diff --git a/queue-4.2/amd-xgbe-fix-race-between-access-of-desc-and-desc-index.patch b/queue-4.2/amd-xgbe-fix-race-between-access-of-desc-and-desc-index.patch new file mode 100644 index 00000000000..617433f28d2 --- /dev/null +++ b/queue-4.2/amd-xgbe-fix-race-between-access-of-desc-and-desc-index.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: "Lendacky, Thomas" +Date: Mon, 26 Oct 2015 17:13:54 -0500 +Subject: amd-xgbe: Fix race between access of desc and desc index + +From: "Lendacky, Thomas" + +[ Upstream commit 20986ed826cbb36bb8f2d77f872e3c52d8d30647 ] + +During Tx cleanup it's still possible for the descriptor data to be +read ahead of the descriptor index. A memory barrier is required between +the read of the descriptor index and the start of the Tx cleanup loop. +This allows a change to a lighter-weight barrier in the Tx transmit +routine just before updating the current descriptor index. + +Since the memory barrier does result in extra overhead on arm64, keep +the previous change to not chase the current descriptor value. This +prevents the execution of the barrier for each loop performed. + +Suggested-by: Alexander Duyck +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 2 +- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_ch + packet->rdesc_count, 1); + + /* Make sure ownership is written to the descriptor */ +- wmb(); ++ smp_wmb(); + + ring->cur = cur_index + 1; + if (!packet->skb->xmit_more || +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1816,6 +1816,10 @@ static int xgbe_tx_poll(struct xgbe_chan + return 0; + + cur = ring->cur; ++ ++ /* Be sure we get ring->cur before accessing descriptor data */ ++ smp_rmb(); ++ + txq = netdev_get_tx_queue(netdev, channel->queue_index); + + while ((processed < XGBE_TX_DESC_MAX_PROC) && diff --git a/queue-4.2/amd-xgbe-use-wmb-before-updating-current-descriptor-count.patch b/queue-4.2/amd-xgbe-use-wmb-before-updating-current-descriptor-count.patch new file mode 100644 index 00000000000..e0b0f64e2f0 --- /dev/null +++ b/queue-4.2/amd-xgbe-use-wmb-before-updating-current-descriptor-count.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: "Lendacky, Thomas" +Date: Wed, 21 Oct 2015 15:37:05 -0500 +Subject: amd-xgbe: Use wmb before updating current descriptor count + +From: "Lendacky, Thomas" + +[ Upstream commit 20a41fba679d665cdae2808e2b9cae97c073351f ] + +The code currently uses the lightweight dma_wmb barrier before updating +the current descriptor count. Under heavy load, the Tx cleanup routine +was seeing the updated current descriptor count before the updated +descriptor information. As a result, the Tx descriptor was being cleaned +up before it was used because it was not "owned" by the hardware yet, +resulting in a Tx queue hang. + +Using the wmb barrier insures that the descriptor is updated before the +descriptor counter preventing the Tx queue hang. For extra insurance, +the Tx cleanup routine is changed to grab the current decriptor count on +entry and uses that initial value in the processing loop rather than +trying to chase the current value. + +Signed-off-by: Tom Lendacky +Tested-by: Christoffer Dall +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 2 +- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_ch + packet->rdesc_count, 1); + + /* Make sure ownership is written to the descriptor */ +- dma_wmb(); ++ wmb(); + + ring->cur = cur_index + 1; + if (!packet->skb->xmit_more || +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1807,6 +1807,7 @@ static int xgbe_tx_poll(struct xgbe_chan + struct netdev_queue *txq; + int processed = 0; + unsigned int tx_packets = 0, tx_bytes = 0; ++ unsigned int cur; + + DBGPR("-->xgbe_tx_poll\n"); + +@@ -1814,10 +1815,11 @@ static int xgbe_tx_poll(struct xgbe_chan + if (!ring) + return 0; + ++ cur = ring->cur; + txq = netdev_get_tx_queue(netdev, channel->queue_index); + + while ((processed < XGBE_TX_DESC_MAX_PROC) && +- (ring->dirty != ring->cur)) { ++ (ring->dirty != cur)) { + rdata = XGBE_GET_DESC_DATA(ring, ring->dirty); + rdesc = rdata->rdesc; + diff --git a/queue-4.2/bonding-fix-panic-on-non-arphrd_ether-enslave-failure.patch b/queue-4.2/bonding-fix-panic-on-non-arphrd_ether-enslave-failure.patch new file mode 100644 index 00000000000..e1c441f9b60 --- /dev/null +++ b/queue-4.2/bonding-fix-panic-on-non-arphrd_ether-enslave-failure.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Jay Vosburgh +Date: Fri, 6 Nov 2015 17:23:23 -0800 +Subject: bonding: fix panic on non-ARPHRD_ETHER enslave failure + +From: Jay Vosburgh + +[ Upstream commit 40baec225765c54eefa870530dd613bad9829bb7 ] + +Since commit 7d5cd2ce529b, when bond_enslave fails on devices that +are not ARPHRD_ETHER, if needed, it resets the bonding device back to +ARPHRD_ETHER by calling ether_setup. + + Unfortunately, ether_setup clobbers dev->flags, clearing IFF_UP +if the bond device is up, leaving it in a quasi-down state without +having actually gone through dev_close. For bonding, if any periodic +work queue items are active (miimon, arp_interval, etc), those will +remain running, as they are stopped by bond_close. At this point, if +the bonding module is unloaded or the bond is deleted, the system will +panic when the work function is called. + + This panic is resolved by calling dev_close on the bond itself +prior to calling ether_setup. + +Cc: Nikolay Aleksandrov +Signed-off-by: Jay Vosburgh +Fixes: 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure") +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1751,6 +1751,7 @@ err_undo_flags: + slave_dev->dev_addr)) + eth_hw_addr_random(bond_dev); + if (bond_dev->type != ARPHRD_ETHER) { ++ dev_close(bond_dev); + ether_setup(bond_dev); + bond_dev->flags |= IFF_MASTER; + bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; diff --git a/queue-4.2/fib_trie-leaf_walk_rcu-should-not-compute-key-if-key-is-less-than-pn-key.patch b/queue-4.2/fib_trie-leaf_walk_rcu-should-not-compute-key-if-key-is-less-than-pn-key.patch new file mode 100644 index 00000000000..6faecefb27a --- /dev/null +++ b/queue-4.2/fib_trie-leaf_walk_rcu-should-not-compute-key-if-key-is-less-than-pn-key.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Alexander Duyck +Date: Tue, 27 Oct 2015 15:06:45 -0700 +Subject: fib_trie: leaf_walk_rcu should not compute key if key is less than pn->key + +From: Alexander Duyck + +[ Upstream commit c2229fe1430d4e1c70e36520229dd64a87802b20 ] + +We were computing the child index in cases where the key value we were +looking for was actually less than the base key of the tnode. As a result +we were getting incorrect index values that would cause us to skip over +some children. + +To fix this I have added a test that will force us to use child index 0 if +the key we are looking for is less than the key of the current tnode. + +Fixes: 8be33e955cb9 ("fib_trie: Fib walk rcu should take a tnode and key instead of a trie and a leaf") +Reported-by: Brian Rak +Signed-off-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_trie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1561,7 +1561,7 @@ static struct key_vector *leaf_walk_rcu( + do { + /* record parent and next child index */ + pn = n; +- cindex = key ? get_index(key, pn) : 0; ++ cindex = (key > pn->key) ? get_index(key, pn) : 0; + + if (cindex >> pn->bits) + break; diff --git a/queue-4.2/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch b/queue-4.2/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch new file mode 100644 index 00000000000..ec12aeece1a --- /dev/null +++ b/queue-4.2/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Ani Sinha +Date: Fri, 30 Oct 2015 16:54:31 -0700 +Subject: ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context. + +From: Ani Sinha + +[ Upstream commit 44f49dd8b5a606870a1f21101522a0f9c4414784 ] + +Fixes the following kernel BUG : + +BUG: using __this_cpu_add() in preemptible [00000000] code: bash/2758 +caller is __this_cpu_preempt_check+0x13/0x15 +CPU: 0 PID: 2758 Comm: bash Tainted: P O 3.18.19 #2 + ffffffff8170eaca ffff880110d1b788 ffffffff81482b2a 0000000000000000 + 0000000000000000 ffff880110d1b7b8 ffffffff812010ae ffff880007cab800 + ffff88001a060800 ffff88013a899108 ffff880108b84240 ffff880110d1b7c8 +Call Trace: +[] dump_stack+0x52/0x80 +[] check_preemption_disabled+0xce/0xe1 +[] __this_cpu_preempt_check+0x13/0x15 +[] ipmr_queue_xmit+0x647/0x70c +[] ip_mr_forward+0x32f/0x34e +[] ip_mroute_setsockopt+0xe03/0x108c +[] ? get_parent_ip+0x11/0x42 +[] ? pollwake+0x4d/0x51 +[] ? default_wake_function+0x0/0xf +[] ? get_parent_ip+0x11/0x42 +[] ? __wake_up_common+0x45/0x77 +[] ? _raw_spin_unlock_irqrestore+0x1d/0x32 +[] ? __wake_up_sync_key+0x4a/0x53 +[] ? sock_def_readable+0x71/0x75 +[] do_ip_setsockopt+0x9d/0xb55 +[] ? unix_seqpacket_sendmsg+0x3f/0x41 +[] ? sock_sendmsg+0x6d/0x86 +[] ? sockfd_lookup_light+0x12/0x5d +[] ? SyS_sendto+0xf3/0x11b +[] ? new_sync_read+0x82/0xaa +[] compat_ip_setsockopt+0x3b/0x99 +[] compat_raw_setsockopt+0x11/0x32 +[] compat_sock_common_setsockopt+0x18/0x1f +[] compat_SyS_setsockopt+0x1a9/0x1cf +[] compat_SyS_socketcall+0x180/0x1e3 +[] cstar_dispatch+0x7/0x1e + +Signed-off-by: Ani Sinha +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipmr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1683,8 +1683,8 @@ static inline int ipmr_forward_finish(st + { + struct ip_options *opt = &(IPCB(skb)->opt); + +- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); +- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); + + if (unlikely(opt->optlen)) + ip_forward_options(skb); +@@ -1746,7 +1746,7 @@ static void ipmr_queue_xmit(struct net * + * to blackhole. + */ + +- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS); ++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS); + ip_rt_put(rt); + goto out_free; + } diff --git a/queue-4.2/ipv4-disable-bh-when-changing-ip-local-port-range.patch b/queue-4.2/ipv4-disable-bh-when-changing-ip-local-port-range.patch new file mode 100644 index 00000000000..d95beb93ad2 --- /dev/null +++ b/queue-4.2/ipv4-disable-bh-when-changing-ip-local-port-range.patch @@ -0,0 +1,66 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: WANG Cong +Date: Tue, 3 Nov 2015 14:32:57 -0800 +Subject: ipv4: disable BH when changing ip local port range + +From: WANG Cong + +[ Upstream commit 4ee3bd4a8c7463cdef0b82ebc33fc94a9170a7e0 ] + +This fixes the following lockdep warning: + + [ INFO: inconsistent lock state ] + 4.3.0-rc7+ #1197 Not tainted + --------------------------------- + inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage. + sysctl/1019 [HC0[0]:SC0[0]:HE1:SE1] takes: + (&(&net->ipv4.ip_local_ports.lock)->seqcount){+.+-..}, at: [] ipv4_local_port_range+0xb4/0x12a + {IN-SOFTIRQ-R} state was registered at: + [] __lock_acquire+0x2f6/0xdf0 + [] lock_acquire+0x11c/0x1a4 + [] inet_get_local_port_range+0x4e/0xae + [] udp_flow_src_port.constprop.40+0x23/0x116 + [] vxlan_xmit_one+0x219/0xa6a + [] vxlan_xmit+0xa6b/0xaa5 + [] dev_hard_start_xmit+0x2ae/0x465 + [] __dev_queue_xmit+0x531/0x633 + [] dev_queue_xmit_sk+0x13/0x15 + [] neigh_resolve_output+0x12f/0x14d + [] ip6_finish_output2+0x344/0x39f + [] ip6_finish_output+0x88/0x8e + [] ip6_output+0x91/0xe5 + [] dst_output_sk+0x47/0x4c + [] NF_HOOK_THRESH.constprop.30+0x38/0x82 + [] mld_sendpack+0x189/0x266 + [] mld_ifc_timer_expire+0x1ef/0x223 + [] call_timer_fn+0xfb/0x28c + [] run_timer_softirq+0x1c7/0x1f1 + +Fixes: b8f1a55639e6 ("udp: Add function to make source port for UDP tunnels") +Cc: Tom Herbert +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/sysctl_net_ipv4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -47,14 +47,14 @@ static void set_local_port_range(struct + { + bool same_parity = !((range[0] ^ range[1]) & 1); + +- write_seqlock(&net->ipv4.ip_local_ports.lock); ++ write_seqlock_bh(&net->ipv4.ip_local_ports.lock); + if (same_parity && !net->ipv4.ip_local_ports.warned) { + net->ipv4.ip_local_ports.warned = true; + pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); + } + net->ipv4.ip_local_ports.range[0] = range[0]; + net->ipv4.ip_local_ports.range[1] = range[1]; +- write_sequnlock(&net->ipv4.ip_local_ports.lock); ++ write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); + } + + /* Validate changes from /proc interface. */ diff --git a/queue-4.2/ipv4-fix-to-not-remove-local-route-on-link-down.patch b/queue-4.2/ipv4-fix-to-not-remove-local-route-on-link-down.patch new file mode 100644 index 00000000000..48050fdafea --- /dev/null +++ b/queue-4.2/ipv4-fix-to-not-remove-local-route-on-link-down.patch @@ -0,0 +1,120 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Julian Anastasov +Date: Fri, 30 Oct 2015 10:23:33 +0200 +Subject: ipv4: fix to not remove local route on link down + +From: Julian Anastasov + +[ Upstream commit 4f823defdd5b106a5e89745ee8b163c71855de1e ] + +When fib_netdev_event calls fib_disable_ip on NETDEV_DOWN event +we should not delete the local routes if the local address +is still present. The confusion comes from the fact that both +fib_netdev_event and fib_inetaddr_event use the NETDEV_DOWN +constant. Fix it by returning back the variable 'force'. + +Steps to reproduce: +modprobe dummy +ifconfig dummy0 192.168.168.1 up +ifconfig dummy0 down +ip route list table local | grep dummy | grep host +local 192.168.168.1 dev dummy0 proto kernel scope host src 192.168.168.1 + +Fixes: 8a3d03166f19 ("net: track link-status of ipv4 nexthops") +Signed-off-by: Julian Anastasov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip_fib.h | 2 +- + net/ipv4/fib_frontend.c | 13 +++++++------ + net/ipv4/fib_semantics.c | 11 ++++++++--- + 3 files changed, 16 insertions(+), 10 deletions(-) + +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -306,7 +306,7 @@ void fib_flush_external(struct net *net) + + /* Exported by fib_semantics.c */ + int ip_fib_check_default(__be32 gw, struct net_device *dev); +-int fib_sync_down_dev(struct net_device *dev, unsigned long event); ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force); + int fib_sync_down_addr(struct net *net, __be32 local); + int fib_sync_up(struct net_device *dev, unsigned int nh_flags); + void fib_select_multipath(struct fib_result *res); +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1063,9 +1063,10 @@ static void nl_fib_lookup_exit(struct ne + net->ipv4.fibnl = NULL; + } + +-static void fib_disable_ip(struct net_device *dev, unsigned long event) ++static void fib_disable_ip(struct net_device *dev, unsigned long event, ++ bool force) + { +- if (fib_sync_down_dev(dev, event)) ++ if (fib_sync_down_dev(dev, event, force)) + fib_flush(dev_net(dev)); + rt_cache_flush(dev_net(dev)); + arp_ifdown(dev); +@@ -1093,7 +1094,7 @@ static int fib_inetaddr_event(struct not + /* Last address was deleted from this interface. + * Disable IP. + */ +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + } else { + rt_cache_flush(dev_net(dev)); + } +@@ -1110,7 +1111,7 @@ static int fib_netdev_event(struct notif + unsigned int flags; + + if (event == NETDEV_UNREGISTER) { +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + rt_flush_dev(dev); + return NOTIFY_DONE; + } +@@ -1131,14 +1132,14 @@ static int fib_netdev_event(struct notif + rt_cache_flush(net); + break; + case NETDEV_DOWN: +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, false); + break; + case NETDEV_CHANGE: + flags = dev_get_flags(dev); + if (flags & (IFF_RUNNING | IFF_LOWER_UP)) + fib_sync_up(dev, RTNH_F_LINKDOWN); + else +- fib_sync_down_dev(dev, event); ++ fib_sync_down_dev(dev, event, false); + /* fall through */ + case NETDEV_CHANGEMTU: + rt_cache_flush(net); +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1132,7 +1132,13 @@ int fib_sync_down_addr(struct net *net, + return ret; + } + +-int fib_sync_down_dev(struct net_device *dev, unsigned long event) ++/* Event force Flags Description ++ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host ++ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host ++ * NETDEV_DOWN 1 LINKDOWN|DEAD Last address removed ++ * NETDEV_UNREGISTER 1 LINKDOWN|DEAD Device removed ++ */ ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force) + { + int ret = 0; + int scope = RT_SCOPE_NOWHERE; +@@ -1141,8 +1147,7 @@ int fib_sync_down_dev(struct net_device + struct hlist_head *head = &fib_info_devhash[hash]; + struct fib_nh *nh; + +- if (event == NETDEV_UNREGISTER || +- event == NETDEV_DOWN) ++ if (force) + scope = -1; + + hlist_for_each_entry(nh, head, nh_hash) { diff --git a/queue-4.2/ipv4-update-rtnh_f_linkdown-flag-on-up-event.patch b/queue-4.2/ipv4-update-rtnh_f_linkdown-flag-on-up-event.patch new file mode 100644 index 00000000000..33a49460f93 --- /dev/null +++ b/queue-4.2/ipv4-update-rtnh_f_linkdown-flag-on-up-event.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Julian Anastasov +Date: Fri, 30 Oct 2015 10:23:34 +0200 +Subject: ipv4: update RTNH_F_LINKDOWN flag on UP event + +From: Julian Anastasov + +[ Upstream commit c9b3292eeb52c6834e972eb5b8fe38914771ed12 ] + +When nexthop is part of multipath route we should clear the +LINKDOWN flag when link goes UP or when first address is added. +This is needed because we always set LINKDOWN flag when DEAD flag +was set but now on UP the nexthop is not dead anymore. Examples when +LINKDOWN bit can be forgotten when no NETDEV_CHANGE is delivered: + +- link goes down (LINKDOWN is set), then link goes UP and device +shows carrier OK but LINKDOWN remains set + +- last address is deleted (LINKDOWN is set), then address is +added and device shows carrier OK but LINKDOWN remains set + +Steps to reproduce: +modprobe dummy +ifconfig dummy0 192.168.168.1 up + +here add a multipath route where one nexthop is for dummy0: + +ip route add 1.2.3.4 nexthop dummy0 nexthop SOME_OTHER_DEVICE +ifconfig dummy0 down +ifconfig dummy0 up + +now ip route shows nexthop that is not dead. Now set the sysctl var: + +echo 1 > /proc/sys/net/ipv4/conf/dummy0/ignore_routes_with_linkdown + +now ip route will show a dead nexthop because the forgotten +RTNH_F_LINKDOWN is propagated as RTNH_F_DEAD. + +Fixes: 8a3d03166f19 ("net: track link-status of ipv4 nexthops") +Signed-off-by: Julian Anastasov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_semantics.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1296,6 +1296,13 @@ int fib_sync_up(struct net_device *dev, + if (!(dev->flags & IFF_UP)) + return 0; + ++ if (nh_flags & RTNH_F_DEAD) { ++ unsigned int flags = dev_get_flags(dev); ++ ++ if (flags & (IFF_RUNNING | IFF_LOWER_UP)) ++ nh_flags |= RTNH_F_LINKDOWN; ++ } ++ + prev_fi = NULL; + hash = fib_devindex_hashfn(dev->ifindex); + head = &fib_info_devhash[hash]; diff --git a/queue-4.2/ipv6-clean-up-dev_snmp6-proc-entry-when-we-fail-to-initialize-inet6_dev.patch b/queue-4.2/ipv6-clean-up-dev_snmp6-proc-entry-when-we-fail-to-initialize-inet6_dev.patch new file mode 100644 index 00000000000..08bf0e071dc --- /dev/null +++ b/queue-4.2/ipv6-clean-up-dev_snmp6-proc-entry-when-we-fail-to-initialize-inet6_dev.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Sabrina Dubroca +Date: Wed, 4 Nov 2015 14:47:53 +0100 +Subject: ipv6: clean up dev_snmp6 proc entry when we fail to initialize inet6_dev + +From: Sabrina Dubroca + +[ Upstream commit 2a189f9e57650e9f310ddf4aad75d66c1233a064 ] + +In ipv6_add_dev, when addrconf_sysctl_register fails, we do not clean up +the dev_snmp6 entry that we have already registered for this device. +Call snmp6_unregister_dev in this case. + +Fixes: a317a2f19da7d ("ipv6: fail early when creating netdev named all or default") +Reported-by: Dmitry Vyukov +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -411,6 +411,7 @@ static struct inet6_dev *ipv6_add_dev(st + if (err) { + ipv6_mc_destroy_dev(ndev); + del_timer(&ndev->regen_timer); ++ snmp6_unregister_dev(ndev); + goto err_release; + } + /* protected by rtnl_lock */ diff --git a/queue-4.2/ipv6-gre-support-sit-encapsulation.patch b/queue-4.2/ipv6-gre-support-sit-encapsulation.patch new file mode 100644 index 00000000000..8e93a39a76a --- /dev/null +++ b/queue-4.2/ipv6-gre-support-sit-encapsulation.patch @@ -0,0 +1,31 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Eric Dumazet +Date: Sat, 24 Oct 2015 05:47:44 -0700 +Subject: ipv6: gre: support SIT encapsulation + +From: Eric Dumazet + +[ Upstream commit 7e3b6e7423d5f994257c1de88e06b509673fdbcf ] + +gre_gso_segment() chokes if SIT frames were aggregated by GRO engine. + +Fixes: 61c1db7fae21e ("ipv6: sit: add GSO/TSO support") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/gre_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -36,7 +36,8 @@ static struct sk_buff *gre_gso_segment(s + SKB_GSO_TCP_ECN | + SKB_GSO_GRE | + SKB_GSO_GRE_CSUM | +- SKB_GSO_IPIP))) ++ SKB_GSO_IPIP | ++ SKB_GSO_SIT))) + goto out; + + if (!skb->encapsulation) diff --git a/queue-4.2/irda-precedence-bug-in-irlmp_seq_hb_idx.patch b/queue-4.2/irda-precedence-bug-in-irlmp_seq_hb_idx.patch new file mode 100644 index 00000000000..d8d82dbd466 --- /dev/null +++ b/queue-4.2/irda-precedence-bug-in-irlmp_seq_hb_idx.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Dan Carpenter +Date: Mon, 19 Oct 2015 13:16:49 +0300 +Subject: irda: precedence bug in irlmp_seq_hb_idx() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ] + +This is decrementing the pointer, instead of the value stored in the +pointer. KASan detects it as an out of bounds reference. + +Reported-by: "Berry Cheng 程君(成淼)" +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/irlmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/irda/irlmp.c ++++ b/net/irda/irlmp.c +@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irl + for (element = hashbin_get_first(iter->hashbin); + element != NULL; + element = hashbin_get_next(iter->hashbin)) { +- if (!off || *off-- == 0) { ++ if (!off || (*off)-- == 0) { + /* NB: hashbin left locked */ + return element; + } diff --git a/queue-4.2/macvtap-unbreak-receiving-of-gro-skb-with-frag-list.patch b/queue-4.2/macvtap-unbreak-receiving-of-gro-skb-with-frag-list.patch new file mode 100644 index 00000000000..12be8340c16 --- /dev/null +++ b/queue-4.2/macvtap-unbreak-receiving-of-gro-skb-with-frag-list.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Jason Wang +Date: Fri, 23 Oct 2015 00:57:05 -0400 +Subject: macvtap: unbreak receiving of gro skb with frag list + +From: Jason Wang + +[ Upstream commit f23d538bc24a83c16127c2eb82c9cf1adc2b5149 ] + +We don't have fraglist support in TAP_FEATURES. This will lead +software segmentation of gro skb with frag list. Fixes by having +frag list support in TAP_FEATURES. + +With this patch single session of netperf receiving were restored from +about 5Gb/s to about 12Gb/s on mlx4. + +Fixes a567dd6252 ("macvtap: simplify usage of tap_features") +Cc: Vlad Yasevich +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -137,7 +137,7 @@ static const struct proto_ops macvtap_so + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ + NETIF_F_TSO6 | NETIF_F_UFO) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) +-#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) ++#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST) + + static struct macvlan_dev *macvtap_get_vlan_rcu(const struct net_device *dev) + { diff --git a/queue-4.2/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch b/queue-4.2/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch new file mode 100644 index 00000000000..a1d81bd56a2 --- /dev/null +++ b/queue-4.2/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Eric Dumazet +Date: Mon, 2 Nov 2015 07:50:07 -0800 +Subject: net: avoid NULL deref in inet_ctl_sock_destroy() + +From: Eric Dumazet + +[ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ] + +Under low memory conditions, tcp_sk_init() and icmp_sk_init() +can both iterate on all possible cpus and call inet_ctl_sock_destroy(), +with eventual NULL pointer. + +Signed-off-by: Eric Dumazet +Reported-by: Dmitry Vyukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_common.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/inet_common.h ++++ b/include/net/inet_common.h +@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, str + + static inline void inet_ctl_sock_destroy(struct sock *sk) + { +- sock_release(sk->sk_socket); ++ if (sk) ++ sock_release(sk->sk_socket); + } + + #endif diff --git a/queue-4.2/net-fec-normalize-return-value-of-pm_runtime_get_sync-in-mdio-write.patch b/queue-4.2/net-fec-normalize-return-value-of-pm_runtime_get_sync-in-mdio-write.patch new file mode 100644 index 00000000000..6a545c79f3b --- /dev/null +++ b/queue-4.2/net-fec-normalize-return-value-of-pm_runtime_get_sync-in-mdio-write.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: "Maciej S. Szmigiero" +Date: Thu, 3 Sep 2015 21:38:30 +0200 +Subject: net: fec: normalize return value of pm_runtime_get_sync() in MDIO write + +From: "Maciej S. Szmigiero" + +[ Upstream commit 42ea4457aea7aaeddf0c0b06724f297608f5e9d2 ] + +If fec MDIO write method succeeds its return value comes from +call to pm_runtime_get_sync(). +But pm_runtime_get_sync() can also return 1. + +In case of Micrel KSZ9031 PHY this value will then +be returned along the call chain of phy_write() -> +ksz9031_extended_write() -> ksz9031_center_flp_timing() -> +ksz9031_config_init() -> phy_init_hw() -> phy_attach_direct() -> +phy_connect_direct(). + +Then phy_connect() will cast it into a pointer using ERR_PTR(), +which then fec_enet_mii_probe() will try to dereference +resulting in an oops. + +Fix it by normalizing return value of pm_runtime_get_sync() +to be zero if positive in MDIO write method. + +Fixes: 8fff755e9f8d ("net: fec: Ensure clocks are enabled while using mdio bus") +Signed-off-by: Maciej Szmigiero +Acked-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1811,11 +1811,13 @@ static int fec_enet_mdio_write(struct mi + struct fec_enet_private *fep = bus->priv; + struct device *dev = &fep->pdev->dev; + unsigned long time_left; +- int ret = 0; ++ int ret; + + ret = pm_runtime_get_sync(dev); + if (ret < 0) + return ret; ++ else ++ ret = 0; + + fep->mii_timeout = 0; + reinit_completion(&fep->mdio_done); diff --git a/queue-4.2/net-fec-remove-unneeded-use-of-is_err_value-macro.patch b/queue-4.2/net-fec-remove-unneeded-use-of-is_err_value-macro.patch new file mode 100644 index 00000000000..17f49b99844 --- /dev/null +++ b/queue-4.2/net-fec-remove-unneeded-use-of-is_err_value-macro.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Fabio Estevam +Date: Wed, 12 Aug 2015 12:10:23 -0300 +Subject: net: fec: Remove unneeded use of IS_ERR_VALUE() macro + +From: Fabio Estevam + +[ Upstream commit b0c6ce24911fcb64715de9569f0f7b4f54d1d045 ] + +There is no need to use the IS_ERR_VALUE() macro for checking +the return value from pm_runtime_* functions. + +Just do a simple negative test instead. + +The semantic patch that makes this change is available +in scripts/coccinelle/api/pm_runtime.cocci. + +Signed-off-by: Fabio Estevam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1775,7 +1775,7 @@ static int fec_enet_mdio_read(struct mii + int ret = 0; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + fep->mii_timeout = 0; +@@ -1814,7 +1814,7 @@ static int fec_enet_mdio_write(struct mi + int ret = 0; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + fep->mii_timeout = 0; +@@ -2866,7 +2866,7 @@ fec_enet_open(struct net_device *ndev) + int ret; + + ret = pm_runtime_get_sync(&fep->pdev->dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + pinctrl_pm_select_default_state(&fep->pdev->dev); diff --git a/queue-4.2/net-fix-a-race-in-dst_release.patch b/queue-4.2/net-fix-a-race-in-dst_release.patch new file mode 100644 index 00000000000..c8c9714a623 --- /dev/null +++ b/queue-4.2/net-fix-a-race-in-dst_release.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Eric Dumazet +Date: Mon, 9 Nov 2015 17:51:23 -0800 +Subject: net: fix a race in dst_release() + +From: Eric Dumazet + +[ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ] + +Only cpu seeing dst refcount going to 0 can safely +dereference dst->flags. + +Otherwise an other cpu might already have freed the dst. + +Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst") +Reported-by: Greg Thelen +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dst.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -287,7 +287,7 @@ void dst_release(struct dst_entry *dst) + if (unlikely(newrefcnt < 0)) + net_warn_ratelimited("%s: dst:%p refcnt:%d\n", + __func__, dst, newrefcnt); +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) ++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) + call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } diff --git a/queue-4.2/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch b/queue-4.2/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch new file mode 100644 index 00000000000..35943ca7e34 --- /dev/null +++ b/queue-4.2/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Carol L Soto +Date: Tue, 27 Oct 2015 17:36:20 +0200 +Subject: net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes + +From: Carol L Soto + +[ Upstream commit c02b05011fadf8e409e41910217ca689f2fc9d91 ] + +When doing memcpy/memset of EQEs, we should use sizeof struct +mlx4_eqe as the base size and not caps.eqe_size which could be bigger. + +If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt +data in the master context. + +When using a 64 byte stride, the memcpy copied over 63 bytes to the +slave_eq structure. This resulted in copying over the entire eqe of +interest, including its ownership bit -- and also 31 bytes of garbage +into the next WQE in the slave EQ -- which did NOT include the ownership +bit (and therefore had no impact). + +However, once the stride is increased to 128, we are overwriting the +ownership bits of *three* eqes in the slave_eq struct. This results +in an incorrect ownership bit for those eqes, which causes the eq to +seem to be full. The issue therefore surfaced only once 128-byte EQEs +started being used in SRIOV and (overarchitectures that have 128/256 +byte cache-lines such as PPC) - e.g after commit 77507aa249ae +"net/mlx4_core: Enable CQE/EQE stride support". + +Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support') +Signed-off-by: Carol L Soto +Signed-off-by: Jack Morgenstein +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/cmd.c | 2 +- + drivers/net/ethernet/mellanox/mlx4/eq.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev + } + } + +- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size); ++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe)); + priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD; + INIT_WORK(&priv->mfunc.master.comm_work, + mlx4_master_comm_channel); +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev + return; + } + +- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1); ++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1); + s_eqe->slave_id = slave; + /* ensure all information is written before setting the ownersip bit */ + dma_wmb(); diff --git a/queue-4.2/netlink-fix-locking-around-netlink_list_memberships.patch b/queue-4.2/netlink-fix-locking-around-netlink_list_memberships.patch new file mode 100644 index 00000000000..a5e7d6e285f --- /dev/null +++ b/queue-4.2/netlink-fix-locking-around-netlink_list_memberships.patch @@ -0,0 +1,54 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: David Herrmann +Date: Wed, 21 Oct 2015 11:47:43 +0200 +Subject: netlink: fix locking around NETLINK_LIST_MEMBERSHIPS + +From: David Herrmann + +[ Upstream commit 47191d65b647af5eb5c82ede70ed4c24b1e93ef4 ] + +Currently, NETLINK_LIST_MEMBERSHIPS grabs the netlink table while copying +the membership state to user-space. However, grabing the netlink table is +effectively a write_lock_irq(), and as such we should not be triggering +page-faults in the critical section. + +This can be easily reproduced by the following snippet: + int s = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); + void *p = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + int r = getsockopt(s, 0x10e, 9, p, (void*)((char*)p + 4092)); + +This should work just fine, but currently triggers EFAULT and a possible +WARN_ON below handle_mm_fault(). + +Fix this by reducing locking of NETLINK_LIST_MEMBERSHIPS to a read-side +lock. The write-lock was overkill in the first place, and the read-lock +allows page-faults just fine. + +Reported-by: Dmitry Vyukov +Signed-off-by: David Herrmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2346,7 +2346,7 @@ static int netlink_getsockopt(struct soc + int pos, idx, shift; + + err = 0; +- netlink_table_grab(); ++ netlink_lock_table(); + for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) { + if (len - pos < sizeof(u32)) + break; +@@ -2361,7 +2361,7 @@ static int netlink_getsockopt(struct soc + } + if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) + err = -EFAULT; +- netlink_table_ungrab(); ++ netlink_unlock_table(); + break; + } + default: diff --git a/queue-4.2/packet-race-condition-in-packet_bind.patch b/queue-4.2/packet-race-condition-in-packet_bind.patch new file mode 100644 index 00000000000..f8c4649a520 --- /dev/null +++ b/queue-4.2/packet-race-condition-in-packet_bind.patch @@ -0,0 +1,231 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Francesco Ruggeri +Date: Thu, 5 Nov 2015 08:16:14 -0800 +Subject: packet: race condition in packet_bind + +From: Francesco Ruggeri + +[ Upstream commit 30f7ea1c2b5f5fb7462c5ae44fe2e40cb2d6a474 ] + +There is a race conditions between packet_notifier and packet_bind{_spkt}. + +It happens if packet_notifier(NETDEV_UNREGISTER) executes between the +time packet_bind{_spkt} takes a reference on the new netdevice and the +time packet_do_bind sets po->ifindex. +In this case the notification can be missed. +If this happens during a dev_change_net_namespace this can result in the +netdevice to be moved to the new namespace while the packet_sock in the +old namespace still holds a reference on it. When the netdevice is later +deleted in the new namespace the deletion hangs since the packet_sock +is not found in the new namespace' &net->packet.sklist. +It can be reproduced with the script below. + +This patch makes packet_do_bind check again for the presence of the +netdevice in the packet_sock's namespace after the synchronize_net +in unregister_prot_hook. +More in general it also uses the rcu lock for the duration of the bind +to stop dev_change_net_namespace/rollback_registered_many from +going past the synchronize_net following unlist_netdevice, so that +no NETDEV_UNREGISTER notifications can happen on the new netdevice +while the bind is executing. In order to do this some code from +packet_bind{_spkt} is consolidated into packet_do_dev. + +import socket, os, time, sys +proto=7 +realDev='em1' +vlanId=400 +if len(sys.argv) > 1: + vlanId=int(sys.argv[1]) +dev='vlan%d' % vlanId + +os.system('taskset -p 0x10 %d' % os.getpid()) + +s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, proto) +os.system('ip link add link %s name %s type vlan id %d' % + (realDev, dev, vlanId)) +os.system('ip netns add dummy') + +pid=os.fork() + +if pid == 0: + # dev should be moved while packet_do_bind is in synchronize net + os.system('taskset -p 0x20000 %d' % os.getpid()) + os.system('ip link set %s netns dummy' % dev) + os.system('ip netns exec dummy ip link del %s' % dev) + s.close() + sys.exit(0) + +time.sleep(.004) +try: + s.bind(('%s' % dev, proto+1)) +except: + print 'Could not bind socket' + s.close() + os.system('ip netns del dummy') + sys.exit(0) + +os.waitpid(pid, 0) +s.close() +os.system('ip netns del dummy') +sys.exit(0) + +Signed-off-by: Francesco Ruggeri +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 80 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 49 insertions(+), 31 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2784,22 +2784,40 @@ static int packet_release(struct socket + * Attach a packet hook. + */ + +-static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) ++static int packet_do_bind(struct sock *sk, const char *name, int ifindex, ++ __be16 proto) + { + struct packet_sock *po = pkt_sk(sk); + struct net_device *dev_curr; + __be16 proto_curr; + bool need_rehook; ++ struct net_device *dev = NULL; ++ int ret = 0; ++ bool unlisted = false; + +- if (po->fanout) { +- if (dev) +- dev_put(dev); +- ++ if (po->fanout) + return -EINVAL; +- } + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ rcu_read_lock(); ++ ++ if (name) { ++ dev = dev_get_by_name_rcu(sock_net(sk), name); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } else if (ifindex) { ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } ++ ++ if (dev) ++ dev_hold(dev); + + proto_curr = po->prot_hook.type; + dev_curr = po->prot_hook.dev; +@@ -2807,14 +2825,29 @@ static int packet_do_bind(struct sock *s + need_rehook = proto_curr != proto || dev_curr != dev; + + if (need_rehook) { +- unregister_prot_hook(sk, true); ++ if (po->running) { ++ rcu_read_unlock(); ++ __unregister_prot_hook(sk, true); ++ rcu_read_lock(); ++ dev_curr = po->prot_hook.dev; ++ if (dev) ++ unlisted = !dev_get_by_index_rcu(sock_net(sk), ++ dev->ifindex); ++ } + + po->num = proto; + po->prot_hook.type = proto; +- po->prot_hook.dev = dev; + +- po->ifindex = dev ? dev->ifindex : 0; +- packet_cached_dev_assign(po, dev); ++ if (unlikely(unlisted)) { ++ dev_put(dev); ++ po->prot_hook.dev = NULL; ++ po->ifindex = -1; ++ packet_cached_dev_reset(po); ++ } else { ++ po->prot_hook.dev = dev; ++ po->ifindex = dev ? dev->ifindex : 0; ++ packet_cached_dev_assign(po, dev); ++ } + } + if (dev_curr) + dev_put(dev_curr); +@@ -2822,7 +2855,7 @@ static int packet_do_bind(struct sock *s + if (proto == 0 || !need_rehook) + goto out_unlock; + +- if (!dev || (dev->flags & IFF_UP)) { ++ if (!unlisted && (!dev || (dev->flags & IFF_UP))) { + register_prot_hook(sk); + } else { + sk->sk_err = ENETDOWN; +@@ -2831,9 +2864,10 @@ static int packet_do_bind(struct sock *s + } + + out_unlock: ++ rcu_read_unlock(); + spin_unlock(&po->bind_lock); + release_sock(sk); +- return 0; ++ return ret; + } + + /* +@@ -2845,8 +2879,6 @@ static int packet_bind_spkt(struct socke + { + struct sock *sk = sock->sk; + char name[15]; +- struct net_device *dev; +- int err = -ENODEV; + + /* + * Check legality +@@ -2856,19 +2888,13 @@ static int packet_bind_spkt(struct socke + return -EINVAL; + strlcpy(name, uaddr->sa_data, sizeof(name)); + +- dev = dev_get_by_name(sock_net(sk), name); +- if (dev) +- err = packet_do_bind(sk, dev, pkt_sk(sk)->num); +- return err; ++ return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sockaddr_ll *sll = (struct sockaddr_ll *)uaddr; + struct sock *sk = sock->sk; +- struct net_device *dev = NULL; +- int err; +- + + /* + * Check legality +@@ -2879,16 +2905,8 @@ static int packet_bind(struct socket *so + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- if (sll->sll_ifindex) { +- err = -ENODEV; +- dev = dev_get_by_index(sock_net(sk), sll->sll_ifindex); +- if (dev == NULL) +- goto out; +- } +- err = packet_do_bind(sk, dev, sll->sll_protocol ? : pkt_sk(sk)->num); +- +-out: +- return err; ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, ++ sll->sll_protocol ? : pkt_sk(sk)->num); + } + + static struct proto packet_proto = { diff --git a/queue-4.2/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch b/queue-4.2/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch new file mode 100644 index 00000000000..49c5628cbbd --- /dev/null +++ b/queue-4.2/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Guillaume Nault +Date: Thu, 22 Oct 2015 16:57:10 +0200 +Subject: ppp: fix pppoe_dev deletion condition in pppoe_release() + +From: Guillaume Nault + +[ Upstream commit 1acea4f6ce1b1c0941438aca75dd2e5c6b09db60 ] + +We can't rely on PPPOX_ZOMBIE to decide whether to clear po->pppoe_dev. +PPPOX_ZOMBIE can be set by pppoe_disc_rcv() even when po->pppoe_dev is +NULL. So we have no guarantee that (sk->sk_state & PPPOX_ZOMBIE) implies +(po->pppoe_dev != NULL). +Since we're releasing a PPPoE socket, we want to release the pppoe_dev +if it exists and reset sk_state to PPPOX_DEAD, no matter the previous +value of sk_state. So we can just check for po->pppoe_dev and avoid any +assumption on sk->sk_state. + +Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -589,7 +589,7 @@ static int pppoe_release(struct socket * + + po = pppox_sk(sk); + +- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) { ++ if (po->pppoe_dev) { + dev_put(po->pppoe_dev); + po->pppoe_dev = NULL; + } diff --git a/queue-4.2/qmi_wwan-add-sierra-wireless-mc74xx-em74xx.patch b/queue-4.2/qmi_wwan-add-sierra-wireless-mc74xx-em74xx.patch new file mode 100644 index 00000000000..ed977d30046 --- /dev/null +++ b/queue-4.2/qmi_wwan-add-sierra-wireless-mc74xx-em74xx.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Thu, 22 Oct 2015 14:15:58 +0200 +Subject: qmi_wwan: add Sierra Wireless MC74xx/EM74xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 0db65fcfcded76fe4f74e3ca9f4e2baf67b683ef ] + +New device IDs shamelessly lifted from the vendor driver. + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -765,6 +765,10 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ diff --git a/queue-4.2/qmi_wwan-fix-entry-for-hp-lt4112-lte-hspa-gobi-4g-module.patch b/queue-4.2/qmi_wwan-fix-entry-for-hp-lt4112-lte-hspa-gobi-4g-module.patch new file mode 100644 index 00000000000..b605d3efcb6 --- /dev/null +++ b/queue-4.2/qmi_wwan-fix-entry-for-hp-lt4112-lte-hspa-gobi-4g-module.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Sun, 1 Nov 2015 01:34:50 +0100 +Subject: qmi_wwan: fix entry for HP lt4112 LTE/HSPA+ Gobi 4G Module +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 70910791731b5956171e1bfcad707766b8e18fee ] + +The lt4112 is a HP branded Huawei me906e modem. Like other Huawei +modems, it does not have a fixed interface to function mapping. +Instead it uses a Huawei specific scheme: functions are mapped by +subclass and protocol. + +However, the HP vendor ID is used for modems from many different +manufacturers using different schemes, so we cannot apply a generic +vendor rule like we do for the Huawei vendor ID. + +Replace the previous lt4112 entry pointing to an arbitrary interface +number with a device specific subclass + protocol match. + +Reported-and-tested-by: Muri Nicanor +Tested-by: Martin Hauke +Fixes: bb2bdeb83fb1 ("qmi_wwan: Add support for HP lt4112 LTE/HSPA+ Gobi 4G Modem") +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -539,6 +539,10 @@ static const struct usb_device_id produc + USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&qmi_wwan_info, + }, ++ { /* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */ ++ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x581d, USB_CLASS_VENDOR_SPEC, 1, 7), ++ .driver_info = (unsigned long)&qmi_wwan_info, ++ }, + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +@@ -790,7 +794,6 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ +- {QMI_FIXED_INTF(0x03f0, 0x581d, 4)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-4.2/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch b/queue-4.2/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch new file mode 100644 index 00000000000..36f5b536283 --- /dev/null +++ b/queue-4.2/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Sowmini Varadhan +Date: Mon, 26 Oct 2015 12:46:37 -0400 +Subject: RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv + +From: Sowmini Varadhan + +[ Upstream commit 8ce675ff39b9958d1c10f86cf58e357efaafc856 ] + +Either of pskb_pull() or pskb_trim() may fail under low memory conditions. +If rds_tcp_data_recv() ignores such failures, the application will +receive corrupted data because the skb has not been correctly +carved to the RDS datagram size. + +Avoid this by handling pskb_pull/pskb_trim failure in the same +manner as the skb_clone failure: bail out of rds_tcp_data_recv(), and +retry via the deferred call to rds_send_worker() that gets set up on +ENOMEM from rds_tcp_read_sock() + +Signed-off-by: Sowmini Varadhan +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/tcp_recv.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/rds/tcp_recv.c ++++ b/net/rds/tcp_recv.c +@@ -214,8 +214,15 @@ static int rds_tcp_data_recv(read_descri + } + + to_copy = min(tc->t_tinc_data_rem, left); +- pskb_pull(clone, offset); +- pskb_trim(clone, to_copy); ++ if (!pskb_pull(clone, offset) || ++ pskb_trim(clone, to_copy)) { ++ pr_warn("rds_tcp_data_recv: pull/trim failed " ++ "left %zu data_rem %zu skb_len %d\n", ++ left, tc->t_tinc_data_rem, skb->len); ++ kfree_skb(clone); ++ desc->error = -ENOMEM; ++ goto out; ++ } + skb_queue_tail(&tinc->ti_skb_list, clone); + + rdsdebug("skb %p data %p len %d off %u to_copy %zu -> " diff --git a/queue-4.2/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch b/queue-4.2/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch new file mode 100644 index 00000000000..15c7fb5e9f5 --- /dev/null +++ b/queue-4.2/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Sasha Levin +Date: Tue, 8 Sep 2015 10:53:40 -0400 +Subject: RDS: verify the underlying transport exists before creating a connection + +From: Sasha Levin + +[ Upstream commit 74e98eb085889b0d2d4908f59f6e00026063014f ] + +There was no verification that an underlying transport exists when creating +a connection, this would cause dereferencing a NULL ptr. + +It might happen on sockets that weren't properly bound before attempting to +send a message, which will cause a NULL ptr deref: + +[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN +[135546.051270] Modules linked in: +[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527 +[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000 +[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194) +[135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202 +[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000 +[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038 +[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000 +[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000 +[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000 +[135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000 +[135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0 +[135546.064723] Stack: +[135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008 +[135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342 +[135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00 +[135546.068629] Call Trace: +[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134) +[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298) +[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278) +[135546.071981] rds_sendmsg (net/rds/send.c:1058) +[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38) +[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298) +[135546.074577] ? rds_send_drop_to (net/rds/send.c:976) +[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795) +[135546.076349] ? __might_fault (mm/memory.c:3795) +[135546.077179] ? rds_send_drop_to (net/rds/send.c:976) +[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620) +[135546.078856] SYSC_sendto (net/socket.c:1657) +[135546.079596] ? SYSC_connect (net/socket.c:1628) +[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926) +[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674) +[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) +[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16) +[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16) +[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) +[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1 + +Acked-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/connection.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,6 +187,12 @@ new_conn: + } + } + ++ if (trans == NULL) { ++ kmem_cache_free(rds_conn_slab, conn); ++ conn = ERR_PTR(-ENODEV); ++ goto out; ++ } ++ + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); diff --git a/queue-4.2/sfc-push-partner-queue-for-skb-xmit_more.patch b/queue-4.2/sfc-push-partner-queue-for-skb-xmit_more.patch new file mode 100644 index 00000000000..79ed16b8e28 --- /dev/null +++ b/queue-4.2/sfc-push-partner-queue-for-skb-xmit_more.patch @@ -0,0 +1,137 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Martin Habets +Date: Mon, 2 Nov 2015 12:51:31 +0000 +Subject: sfc: push partner queue for skb->xmit_more + +From: Martin Habets + +[ Upstream commit b2663a4f30e85ec606b806f5135413e6d5c78d1e ] + +When the IP stack passes SKBs the sfc driver puts them in 2 different TX +queues (called partners), one for checksummed and one for not checksummed. +If the SKB has xmit_more set the driver will delay pushing the work to the +NIC. + +When later it does decide to push the buffers this patch ensures it also +pushes the partner queue, if that also has any delayed work. Before this +fix the work in the partner queue would be left for a long time and cause +a netdev watchdog. + +Fixes: 70b33fb ("sfc: add support for skb->xmit_more") +Reported-by: Jianlin Shi +Signed-off-by: Martin Habets +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/ef10.c | 4 +++- + drivers/net/ethernet/sfc/farch.c | 4 +++- + drivers/net/ethernet/sfc/net_driver.h | 2 ++ + drivers/net/ethernet/sfc/tx.c | 30 ++++++++++++++++++++++++++++-- + 4 files changed, 36 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -1809,7 +1809,9 @@ static void efx_ef10_tx_write(struct efx + unsigned int write_ptr; + efx_qword_t *txd; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +--- a/drivers/net/ethernet/sfc/farch.c ++++ b/drivers/net/ethernet/sfc/farch.c +@@ -321,7 +321,9 @@ void efx_farch_tx_write(struct efx_tx_qu + unsigned write_ptr; + unsigned old_write_count = tx_queue->write_count; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +--- a/drivers/net/ethernet/sfc/net_driver.h ++++ b/drivers/net/ethernet/sfc/net_driver.h +@@ -219,6 +219,7 @@ struct efx_tx_buffer { + * @tso_packets: Number of packets via the TSO xmit path + * @pushes: Number of times the TX push feature has been used + * @pio_packets: Number of times the TX PIO feature has been used ++ * @xmit_more_available: Are any packets waiting to be pushed to the NIC + * @empty_read_count: If the completion path has seen the queue as empty + * and the transmission path has not yet checked this, the value of + * @read_count bitwise-added to %EFX_EMPTY_COUNT_VALID; otherwise 0. +@@ -253,6 +254,7 @@ struct efx_tx_queue { + unsigned int tso_packets; + unsigned int pushes; + unsigned int pio_packets; ++ bool xmit_more_available; + /* Statistics to supplement MAC stats */ + unsigned long tx_packets; + +--- a/drivers/net/ethernet/sfc/tx.c ++++ b/drivers/net/ethernet/sfc/tx.c +@@ -431,8 +431,20 @@ finish_packet: + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tx_packets++; + +@@ -722,6 +734,7 @@ void efx_init_tx_queue(struct efx_tx_que + tx_queue->read_count = 0; + tx_queue->old_read_count = 0; + tx_queue->empty_read_count = 0 | EFX_EMPTY_COUNT_VALID; ++ tx_queue->xmit_more_available = false; + + /* Set up TX descriptor ring */ + efx_nic_init_tx(tx_queue); +@@ -747,6 +760,7 @@ void efx_fini_tx_queue(struct efx_tx_que + + ++tx_queue->read_count; + } ++ tx_queue->xmit_more_available = false; + netdev_tx_reset_queue(tx_queue->core_txq); + } + +@@ -1302,8 +1316,20 @@ static int efx_enqueue_skb_tso(struct ef + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tso_bursts++; + return NETDEV_TX_OK; diff --git a/queue-4.2/sit-fix-sit0-percpu-double-allocations.patch b/queue-4.2/sit-fix-sit0-percpu-double-allocations.patch new file mode 100644 index 00000000000..1f9c21aa950 --- /dev/null +++ b/queue-4.2/sit-fix-sit0-percpu-double-allocations.patch @@ -0,0 +1,96 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Eric Dumazet +Date: Mon, 2 Nov 2015 17:08:19 -0800 +Subject: sit: fix sit0 percpu double allocations + +From: Eric Dumazet + +[ Upstream commit 4ece9009774596ee3df0acba65a324b7ea79387c ] + +sit0 device allocates its percpu storage twice : +- One time in ipip6_tunnel_init() +- One time in ipip6_fb_tunnel_init() + +Thus we leak 48 bytes per possible cpu per network namespace dismantle. + +ipip6_fb_tunnel_init() can be much simpler and does not +return an error, and should be called after register_netdev() + +Note that ipip6_tunnel_clone_6rd() also needs to be called +after register_netdev() (calling ipip6_tunnel_init()) + +Fixes: ebe084aafb7e ("sit: Use ipip6_tunnel_init as the ndo_init function.") +Signed-off-by: Eric Dumazet +Reported-by: Dmitry Vyukov +Cc: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 26 ++++---------------------- + 1 file changed, 4 insertions(+), 22 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1394,34 +1394,20 @@ static int ipip6_tunnel_init(struct net_ + return 0; + } + +-static int __net_init ipip6_fb_tunnel_init(struct net_device *dev) ++static void __net_init ipip6_fb_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + struct iphdr *iph = &tunnel->parms.iph; + struct net *net = dev_net(dev); + struct sit_net *sitn = net_generic(net, sit_net_id); + +- tunnel->dev = dev; +- tunnel->net = dev_net(dev); +- + iph->version = 4; + iph->protocol = IPPROTO_IPV6; + iph->ihl = 5; + iph->ttl = 64; + +- dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); +- if (!dev->tstats) +- return -ENOMEM; +- +- tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst); +- if (!tunnel->dst_cache) { +- free_percpu(dev->tstats); +- return -ENOMEM; +- } +- + dev_hold(dev); + rcu_assign_pointer(sitn->tunnels_wc[0], tunnel); +- return 0; + } + + static int ipip6_validate(struct nlattr *tb[], struct nlattr *data[]) +@@ -1831,23 +1817,19 @@ static int __net_init sit_init_net(struc + */ + sitn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL; + +- err = ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); +- if (err) +- goto err_dev_free; +- +- ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); + err = register_netdev(sitn->fb_tunnel_dev); + if (err) + goto err_reg_dev; + ++ ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); ++ ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); ++ + t = netdev_priv(sitn->fb_tunnel_dev); + + strcpy(t->parms.name, sitn->fb_tunnel_dev->name); + return 0; + + err_reg_dev: +- dev_put(sitn->fb_tunnel_dev); +-err_dev_free: + ipip6_dev_free(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; diff --git a/queue-4.2/stmmac-correctly-report-ptp-capabilities.patch b/queue-4.2/stmmac-correctly-report-ptp-capabilities.patch new file mode 100644 index 00000000000..028cd1a2a3b --- /dev/null +++ b/queue-4.2/stmmac-correctly-report-ptp-capabilities.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Phil Reid +Date: Fri, 30 Oct 2015 16:43:55 +0800 +Subject: stmmac: Correctly report PTP capabilities. + +From: Phil Reid + +[ Upstream commit e6dbe1eb2db0d7a14991c06278dd3030c45fb825 ] + +priv->hwts_*_en indicate if timestamping is enabled/disabled at run +time. But priv->dma_cap.time_stamp and priv->dma_cap.atime_stamp +indicates HW is support for PTPv1/PTPv2. + +Signed-off-by: Phil Reid +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -721,10 +721,13 @@ static int stmmac_get_ts_info(struct net + { + struct stmmac_priv *priv = netdev_priv(dev); + +- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) { ++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) { + +- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE | ++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + + if (priv->ptp_clock) diff --git a/queue-4.2/tcp-remove-improper-preemption-check-in-tcp_xmit_probe_skb.patch b/queue-4.2/tcp-remove-improper-preemption-check-in-tcp_xmit_probe_skb.patch new file mode 100644 index 00000000000..80a96f8863a --- /dev/null +++ b/queue-4.2/tcp-remove-improper-preemption-check-in-tcp_xmit_probe_skb.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Renato Westphal +Date: Mon, 19 Oct 2015 18:51:34 -0200 +Subject: tcp: remove improper preemption check in tcp_xmit_probe_skb() + +From: Renato Westphal + +[ Upstream commit e2e8009ff72ad2a795b67785f3238af152146368 ] + +Commit e520af48c7e5a introduced the following bug when setting the +TCP_REPAIR sockoption: + +[ 2860.657036] BUG: using __this_cpu_add() in preemptible [00000000] code: daemon/12164 +[ 2860.657045] caller is __this_cpu_preempt_check+0x13/0x20 +[ 2860.657049] CPU: 1 PID: 12164 Comm: daemon Not tainted 4.2.3 #1 +[ 2860.657051] Hardware name: Dell Inc. PowerEdge R210 II/0JP7TR, BIOS 2.0.5 03/13/2012 +[ 2860.657054] ffffffff81c7f071 ffff880231e9fdf8 ffffffff8185d765 0000000000000002 +[ 2860.657058] 0000000000000001 ffff880231e9fe28 ffffffff8146ed91 ffff880231e9fe18 +[ 2860.657062] ffffffff81cd1a5d ffff88023534f200 ffff8800b9811000 ffff880231e9fe38 +[ 2860.657065] Call Trace: +[ 2860.657072] [] dump_stack+0x4f/0x7b +[ 2860.657075] [] check_preemption_disabled+0xe1/0xf0 +[ 2860.657078] [] __this_cpu_preempt_check+0x13/0x20 +[ 2860.657082] [] tcp_xmit_probe_skb+0xc7/0x100 +[ 2860.657085] [] tcp_send_window_probe+0x2d/0x30 +[ 2860.657089] [] do_tcp_setsockopt.isra.29+0x74c/0x830 +[ 2860.657093] [] tcp_setsockopt+0x2c/0x30 +[ 2860.657097] [] sock_common_setsockopt+0x14/0x20 +[ 2860.657100] [] SyS_setsockopt+0x71/0xc0 +[ 2860.657104] [] entry_SYSCALL_64_fastpath+0x16/0x75 + +Since tcp_xmit_probe_skb() can be called from process context, use +NET_INC_STATS() instead of NET_INC_STATS_BH(). + +Fixes: e520af48c7e5 ("tcp: add TCPWinProbe and TCPKeepAlive SNMP counters") +Signed-off-by: Renato Westphal +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3406,7 +3406,7 @@ static int tcp_xmit_probe_skb(struct soc + */ + tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK); + skb_mstamp_get(&skb->skb_mstamp); +- NET_INC_STATS_BH(sock_net(sk), mib); ++ NET_INC_STATS(sock_net(sk), mib); + return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC); + } + diff --git a/queue-4.2/tipc-allow-non-linear-first-fragment-buffer.patch b/queue-4.2/tipc-allow-non-linear-first-fragment-buffer.patch new file mode 100644 index 00000000000..de295716b1a --- /dev/null +++ b/queue-4.2/tipc-allow-non-linear-first-fragment-buffer.patch @@ -0,0 +1,63 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Jon Paul Maloy +Date: Mon, 19 Oct 2015 11:33:00 -0400 +Subject: tipc: allow non-linear first fragment buffer + +From: Jon Paul Maloy + +[ Upstream commit 45c8b7b175ceb2d542e0fe15247377bf3bce29ec ] + +The current code for message reassembly is erroneously assuming that +the the first arriving fragment buffer always is linear, and then goes +ahead resetting the fragment list of that buffer in anticipation of +more arriving fragments. + +However, if the buffer already happens to be non-linear, we will +inadvertently drop the already attached fragment list, and later +on trig a BUG() in __pskb_pull_tail(). + +We see this happen when running fragmented TIPC multicast across UDP, +something made possible since +commit d0f91938bede ("tipc: add ip/udp media type") + +We fix this by not resetting the fragment list when the buffer is non- +linear, and by initiatlizing our private fragment list tail pointer to +the tail of the existing fragment list. + +Fixes: commit d0f91938bede ("tipc: add ip/udp media type") +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **hea + { + struct sk_buff *head = *headbuf; + struct sk_buff *frag = *buf; +- struct sk_buff *tail; ++ struct sk_buff *tail = NULL; + struct tipc_msg *msg; + u32 fragid; + int delta; +@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **hea + if (unlikely(skb_unclone(frag, GFP_ATOMIC))) + goto err; + head = *headbuf = frag; +- skb_frag_list_init(head); +- TIPC_SKB_CB(head)->tail = NULL; + *buf = NULL; ++ TIPC_SKB_CB(head)->tail = NULL; ++ if (skb_is_nonlinear(head)) { ++ skb_walk_frags(head, tail) { ++ TIPC_SKB_CB(head)->tail = tail; ++ } ++ } else { ++ skb_frag_list_init(head); ++ } + return 0; + } + diff --git a/queue-4.2/tipc-linearize-arriving-name_distr-and-link_proto-buffers.patch b/queue-4.2/tipc-linearize-arriving-name_distr-and-link_proto-buffers.patch new file mode 100644 index 00000000000..d04c2b71a61 --- /dev/null +++ b/queue-4.2/tipc-linearize-arriving-name_distr-and-link_proto-buffers.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Nov 17 14:34:38 PST 2015 +From: Jon Paul Maloy +Date: Wed, 28 Oct 2015 13:09:53 -0400 +Subject: tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers + +From: Jon Paul Maloy + +[ Upstream commit 5cbb28a4bf65c7e4daa6c25b651fed8eb888c620 ] + +Testing of the new UDP bearer has revealed that reception of +NAME_DISTRIBUTOR, LINK_PROTOCOL/RESET and LINK_PROTOCOL/ACTIVATE +message buffers is not prepared for the case that those may be +non-linear. + +We now linearize all such buffers before they are delivered up to the +generic reception layer. + +In order for the commit to apply cleanly to 'net' and 'stable', we do +the change in the function tipc_udp_recv() for now. Later, we will post +a commit to 'net-next' moving the linearization to generic code, in +tipc_named_rcv() and tipc_link_proto_rcv(). + +Fixes: commit d0f91938bede ("tipc: add ip/udp media type") +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/udp_media.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -48,6 +48,7 @@ + #include + #include "core.h" + #include "bearer.h" ++#include "msg.h" + + /* IANA assigned UDP port */ + #define UDP_PORT_DEFAULT 6118 +@@ -216,6 +217,10 @@ static int tipc_udp_recv(struct sock *sk + { + struct udp_bearer *ub; + struct tipc_bearer *b; ++ int usr = msg_user(buf_msg(skb)); ++ ++ if ((usr == LINK_PROTOCOL) || (usr == NAME_DISTRIBUTOR)) ++ skb_linearize(skb); + + ub = rcu_dereference_sk_user_data(sk); + if (!ub) {