From: Greg Kroah-Hartman Date: Tue, 7 Aug 2012 21:25:22 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.5.1~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f6c411c384aca3bb6eefe3802fb6c350da22d89;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: bnx2-fix-bug-in-bnx2_free_tx_skbs.patch caif-fix-access-to-freed-pernet-memory.patch caif-fix-null-pointer-check.patch cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch net-tun-fix-ioctl-based-info-leaks.patch sch_sfb-fix-missing-null-check.patch sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch tcp-add-tcp_user_timeout-negative-value-check.patch tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch wanmain-comparing-array-with-null.patch --- diff --git a/queue-3.0/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch b/queue-3.0/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch new file mode 100644 index 00000000000..995469637fd --- /dev/null +++ b/queue-3.0/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch @@ -0,0 +1,45 @@ +From de0e843d1feb6feca47e723b0de29496439025ed Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Tue, 10 Jul 2012 10:04:40 +0000 +Subject: bnx2: Fix bug in bnx2_free_tx_skbs(). + + +From: Michael Chan + +[ Upstream commit c1f5163de417dab01fa9daaf09a74bbb19303f3c ] + +In rare cases, bnx2x_free_tx_skbs() can unmap the wrong DMA address +when it gets to the last entry of the tx ring. We were not using +the proper macro to skip the last entry when advancing the tx index. + +Reported-by: Zongyun Lai +Reviewed-by: Jeffrey Huang +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bnx2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/bnx2.c ++++ b/drivers/net/bnx2.c +@@ -5310,7 +5310,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp) + int k, last; + + if (skb == NULL) { +- j++; ++ j = NEXT_TX_BD(j); + continue; + } + +@@ -5322,8 +5322,8 @@ bnx2_free_tx_skbs(struct bnx2 *bp) + tx_buf->skb = NULL; + + last = tx_buf->nr_frags; +- j++; +- for (k = 0; k < last; k++, j++) { ++ j = NEXT_TX_BD(j); ++ for (k = 0; k < last; k++, j = NEXT_TX_BD(j)) { + tx_buf = &txr->tx_buf_ring[TX_RING_IDX(j)]; + dma_unmap_page(&bp->pdev->dev, + dma_unmap_addr(tx_buf, mapping), diff --git a/queue-3.0/caif-fix-access-to-freed-pernet-memory.patch b/queue-3.0/caif-fix-access-to-freed-pernet-memory.patch new file mode 100644 index 00000000000..71db92fde81 --- /dev/null +++ b/queue-3.0/caif-fix-access-to-freed-pernet-memory.patch @@ -0,0 +1,47 @@ +From 5df4edecb73b2e4406ce8236d461a2be610f72c6 Mon Sep 17 00:00:00 2001 +From: Sjur Brændeland +Date: Sun, 15 Jul 2012 10:10:14 +0000 +Subject: caif: Fix access to freed pernet memory + + +From: Sjur Brændeland + +[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ] + +unregister_netdevice_notifier() must be called before +unregister_pernet_subsys() to avoid accessing already freed +pernet memory. This fixes the following oops when doing rmmod: + +Call Trace: + [] caif_device_notify+0x4d/0x5a0 [caif] + [] unregister_netdevice_notifier+0xb9/0x100 + [] caif_device_exit+0x1c/0x250 [caif] + [] sys_delete_module+0x1a4/0x300 + [] ? trace_hardirqs_on_caller+0x15d/0x1e0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3 + [] system_call_fastpath+0x1a/0x1f + +RIP + [] caif_get+0x51/0xb0 [caif] + +Signed-off-by: Sjur Brændeland +Acked-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -424,9 +424,9 @@ static int __init caif_device_init(void) + + static void __exit caif_device_exit(void) + { +- unregister_pernet_subsys(&caif_net_ops); + unregister_netdevice_notifier(&caif_device_notifier); + dev_remove_pack(&caif_packet_type); ++ unregister_pernet_subsys(&caif_net_ops); + } + + module_init(caif_device_init); diff --git a/queue-3.0/caif-fix-null-pointer-check.patch b/queue-3.0/caif-fix-null-pointer-check.patch new file mode 100644 index 00000000000..4ad5e170e82 --- /dev/null +++ b/queue-3.0/caif-fix-null-pointer-check.patch @@ -0,0 +1,31 @@ +From 9b19693fb723a0b184c71e9a96cbacf588126a36 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Tue, 24 Jul 2012 02:42:14 +0000 +Subject: caif: fix NULL pointer check + + +From: Alan Cox + +[ Upstream commit c66b9b7d365444b433307ebb18734757cb668a02 ] + +Reported-by: +Resolves-bug: http://bugzilla.kernel.org/show_bug?44441 +Signed-off-by: Alan Cox +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -325,6 +325,9 @@ static int ldisc_open(struct tty_struct + + sprintf(name, "cf%s", tty->name); + dev = alloc_netdev(sizeof(*ser), name, caifdev_setup); ++ if (!dev) ++ return -ENOMEM; ++ + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); + ser->dev = dev; diff --git a/queue-3.0/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch b/queue-3.0/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch new file mode 100644 index 00000000000..ef9ad9da62c --- /dev/null +++ b/queue-3.0/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch @@ -0,0 +1,92 @@ +From f930989bc1e72e766749f893091e9b1feb5ee309 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 17 Jul 2012 11:07:47 +0000 +Subject: cipso: don't follow a NULL pointer when setsockopt() is called + + +From: Paul Moore + +[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ] + +As reported by Alan Cox, and verified by Lin Ming, when a user +attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL +tag the kernel dies a terrible death when it attempts to follow a NULL +pointer (the skb argument to cipso_v4_validate() is NULL when called via +the setsockopt() syscall). + +This patch fixes this by first checking to ensure that the skb is +non-NULL before using it to find the incoming network interface. In +the unlikely case where the skb is NULL and the user attempts to add +a CIPSO option with the _TAG_LOCAL tag we return an error as this is +not something we want to allow. + +A simple reproducer, kindly supplied by Lin Ming, although you must +have the CIPSO DOI #3 configure on the system first or you will be +caught early in cipso_v4_validate(): + + #include + #include + #include + #include + #include + + struct local_tag { + char type; + char length; + char info[4]; + }; + + struct cipso { + char type; + char length; + char doi[4]; + struct local_tag local; + }; + + int main(int argc, char **argv) + { + int sockfd; + struct cipso cipso = { + .type = IPOPT_CIPSO, + .length = sizeof(struct cipso), + .local = { + .type = 128, + .length = sizeof(struct local_tag), + }, + }; + + memset(cipso.doi, 0, 4); + cipso.doi[3] = 3; + + sockfd = socket(AF_INET, SOCK_DGRAM, 0); + #define SOL_IP 0 + setsockopt(sockfd, SOL_IP, IP_OPTIONS, + &cipso, sizeof(struct cipso)); + + return 0; + } + +CC: Lin Ming +Reported-by: Alan Cox +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/cipso_ipv4.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_bu + case CIPSO_V4_TAG_LOCAL: + /* This is a non-standard tag that we only allow for + * local connections, so if the incoming interface is +- * not the loopback device drop the packet. */ +- if (!(skb->dev->flags & IFF_LOOPBACK)) { ++ * not the loopback device drop the packet. Further, ++ * there is no legitimate reason for setting this from ++ * userspace so reject it if skb is NULL. */ ++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) { + err_offset = opt_iter; + goto validate_return_locked; + } diff --git a/queue-3.0/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch b/queue-3.0/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch new file mode 100644 index 00000000000..97ed39cd6c0 --- /dev/null +++ b/queue-3.0/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch @@ -0,0 +1,57 @@ +From 032f2f5faa82cabb5459c3a6c7bbc75fbf22f9d0 Mon Sep 17 00:00:00 2001 +From: Jiri Benc +Date: Fri, 27 Jul 2012 02:58:22 +0000 +Subject: net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling + + +From: Jiri Benc + +[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ] + +When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI +flags are handled specially. Function dev_change_flags sets IFF_PROMISC and +IFF_ALLMULTI bits in dev->gflags according to the passed value but +do_setlink passes a result of rtnl_dev_combine_flags which takes those bits +from dev->flags. + +This can be easily trigerred by doing: + +tcpdump -i eth0 & +ip l s up eth0 + +ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with +IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set +IFF_PROMISC in gflags. + +Reported-by: Max Matveev +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -647,6 +647,12 @@ static void set_operstate(struct net_dev + } + } + ++static unsigned int rtnl_dev_get_flags(const struct net_device *dev) ++{ ++ return (dev->flags & ~(IFF_PROMISC | IFF_ALLMULTI)) | ++ (dev->gflags & (IFF_PROMISC | IFF_ALLMULTI)); ++} ++ + static unsigned int rtnl_dev_combine_flags(const struct net_device *dev, + const struct ifinfomsg *ifm) + { +@@ -655,7 +661,7 @@ static unsigned int rtnl_dev_combine_fla + /* bugwards compatibility: ifi_change == 0 is treated as ~0 */ + if (ifm->ifi_change) + flags = (flags & ifm->ifi_change) | +- (dev->flags & ~ifm->ifi_change); ++ (rtnl_dev_get_flags(dev) & ~ifm->ifi_change); + + return flags; + } diff --git a/queue-3.0/net-tun-fix-ioctl-based-info-leaks.patch b/queue-3.0/net-tun-fix-ioctl-based-info-leaks.patch new file mode 100644 index 00000000000..04b673f3e63 --- /dev/null +++ b/queue-3.0/net-tun-fix-ioctl-based-info-leaks.patch @@ -0,0 +1,39 @@ +From d85ec052dc477d6b7d579cf454f18b0bf8a0de7a Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 29 Jul 2012 19:45:14 +0000 +Subject: net/tun: fix ioctl() based info leaks + + +From: Mathias Krause + +[ Upstream commits a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc + and 8bbb181308bc348e02bfdbebdedd4e4ec9d452ce ] + +The tun module leaks up to 36 bytes of memory by not fully initializing +a structure located on the stack that gets copied to user memory by the +TUNGETIFF and SIOCGIFHWADDR ioctl()s. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1239,10 +1239,12 @@ static long __tun_chr_ioctl(struct file + int vnet_hdr_sz; + int ret; + +- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) ++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { + if (copy_from_user(&ifr, argp, ifreq_len)) + return -EFAULT; +- ++ } else { ++ memset(&ifr, 0, sizeof(ifr)); ++ } + if (cmd == TUNGETFEATURES) { + /* Currently this just means: "what IFF flags are valid?". + * This is needed because we never checked for invalid flags on diff --git a/queue-3.0/sch_sfb-fix-missing-null-check.patch b/queue-3.0/sch_sfb-fix-missing-null-check.patch new file mode 100644 index 00000000000..a4ac173da6d --- /dev/null +++ b/queue-3.0/sch_sfb-fix-missing-null-check.patch @@ -0,0 +1,31 @@ +From b41d7b4779e76ae90aa193ee848303ac47c68e74 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Thu, 12 Jul 2012 03:39:11 +0000 +Subject: sch_sfb: Fix missing NULL check + + +From: Alan Cox + +[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ] + +Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461 + +Signed-off-by: Alan Cox +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_sfb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -556,6 +556,8 @@ static int sfb_dump(struct Qdisc *sch, s + + sch->qstats.backlog = q->qdisc->qstats.backlog; + opts = nla_nest_start(skb, TCA_OPTIONS); ++ if (opts == NULL) ++ goto nla_put_failure; + NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt); + return nla_nest_end(skb, opts); + diff --git a/queue-3.0/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch b/queue-3.0/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch new file mode 100644 index 00000000000..715eface6ec --- /dev/null +++ b/queue-3.0/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch @@ -0,0 +1,183 @@ +From 01036d0ee5b8be881661295d1a97085e1270d81e Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Mon, 16 Jul 2012 09:13:51 +0000 +Subject: sctp: Fix list corruption resulting from freeing an association on a list + + +From: Neil Horman + +[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ] + +A few days ago Dave Jones reported this oops: + +[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP +[22766.295376] CPU 0 +[22766.295384] Modules linked in: +[22766.387137] ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90 +ffff880147c03a74 +[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000 +[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000, +[22766.387137] Stack: +[22766.387140] ffff880147c03a10 +[22766.387140] ffffffffa169f2b6 +[22766.387140] ffff88013ed95728 +[22766.387143] 0000000000000002 +[22766.387143] 0000000000000000 +[22766.387143] ffff880003fad062 +[22766.387144] ffff88013c120000 +[22766.387144] +[22766.387145] Call Trace: +[22766.387145] +[22766.387150] [] ? __sctp_lookup_association+0x62/0xd0 +[sctp] +[22766.387154] [] __sctp_lookup_association+0x86/0xd0 [sctp] +[22766.387157] [] sctp_rcv+0x207/0xbb0 [sctp] +[22766.387161] [] ? trace_hardirqs_off_caller+0x28/0xd0 +[22766.387163] [] ? nf_hook_slow+0x133/0x210 +[22766.387166] [] ? ip_local_deliver_finish+0x4c/0x4c0 +[22766.387168] [] ip_local_deliver_finish+0x18d/0x4c0 +[22766.387169] [] ? ip_local_deliver_finish+0x4c/0x4c0 +[22766.387171] [] ip_local_deliver+0x47/0x80 +[22766.387172] [] ip_rcv_finish+0x150/0x680 +[22766.387174] [] ip_rcv+0x214/0x320 +[22766.387176] [] __netif_receive_skb+0x7b7/0x910 +[22766.387178] [] ? __netif_receive_skb+0x11c/0x910 +[22766.387180] [] ? put_lock_stats.isra.25+0xe/0x40 +[22766.387182] [] netif_receive_skb+0x23/0x1f0 +[22766.387183] [] ? dev_gro_receive+0x139/0x440 +[22766.387185] [] napi_skb_finish+0x70/0xa0 +[22766.387187] [] napi_gro_receive+0xf5/0x130 +[22766.387218] [] e1000_receive_skb+0x59/0x70 [e1000e] +[22766.387242] [] e1000_clean_rx_irq+0x28b/0x460 [e1000e] +[22766.387266] [] e1000e_poll+0x78/0x430 [e1000e] +[22766.387268] [] net_rx_action+0x1aa/0x3d0 +[22766.387270] [] ? account_system_vtime+0x10f/0x130 +[22766.387273] [] __do_softirq+0xe0/0x420 +[22766.387275] [] call_softirq+0x1c/0x30 +[22766.387278] [] do_softirq+0xd5/0x110 +[22766.387279] [] irq_exit+0xd5/0xe0 +[22766.387281] [] do_IRQ+0x63/0xd0 +[22766.387283] [] common_interrupt+0x6f/0x6f +[22766.387283] +[22766.387284] +[22766.387285] [] ? retint_swapgs+0x13/0x1b +[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48 +89 e5 48 83 +ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 <0f> b7 87 98 00 00 00 +48 89 fb +49 89 f5 66 c1 c0 08 66 39 46 02 +[22766.387307] +[22766.387307] RIP +[22766.387311] [] sctp_assoc_is_match+0x19/0x90 [sctp] +[22766.387311] RSP +[22766.387142] ffffffffa16ab120 +[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]--- +[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt + +It appears from his analysis and some staring at the code that this is likely +occuring because an association is getting freed while still on the +sctp_assoc_hashtable. As a result, we get a gpf when traversing the hashtable +while a freed node corrupts part of the list. + +Nominally I would think that an mibalanced refcount was responsible for this, +but I can't seem to find any obvious imbalance. What I did note however was +that the two places where we create an association using +sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths +which free a newly created association after calling sctp_primitive_ASSOCIATE. +sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which +issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to +the aforementioned hash table. the sctp command interpreter that process side +effects has not way to unwind previously processed commands, so freeing the +association from the __sctp_connect or sctp_sendmsg error path would lead to a +freed association remaining on this hash table. + +I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init, +which allows us to proerly use hlist_unhashed to check if the node is on a +hashlist safely during a delete. That in turn alows us to safely call +sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths +before freeing them, regardles of what the associations state is on the hash +list. + +I noted, while I was doing this, that the __sctp_unhash_endpoint was using +hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes +pointers to make that function work properly, so I fixed that up in a simmilar +fashion. + +I attempted to test this using a virtual guest running the SCTP_RR test from +netperf in a loop while running the trinity fuzzer, both in a loop. I wasn't +able to recreate the problem prior to this fix, nor was I able to trigger the +failure after (neither of which I suppose is suprising). Given the trace above +however, I think its likely that this is what we hit. + +Signed-off-by: Neil Horman +Reported-by: davej@redhat.com +CC: davej@redhat.com +CC: "David S. Miller" +CC: Vlad Yasevich +CC: Sridhar Samudrala +CC: linux-sctp@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/input.c | 7 ++----- + net/sctp/socket.c | 12 ++++++++++-- + 2 files changed, 12 insertions(+), 7 deletions(-) + +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -737,15 +737,12 @@ static void __sctp_unhash_endpoint(struc + + epb = &ep->base; + +- if (hlist_unhashed(&epb->node)) +- return; +- + epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); + + head = &sctp_ep_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +@@ -826,7 +823,7 @@ static void __sctp_unhash_established(st + head = &sctp_assoc_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1160,8 +1160,14 @@ out_free: + SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p" + " kaddrs: %p err: %d\n", + asoc, kaddrs, err); +- if (asoc) ++ if (asoc) { ++ /* sctp_primitive_ASSOCIATE may have added this association ++ * To the hash table, try to unhash it, just in case, its a noop ++ * if it wasn't hashed so we're safe ++ */ ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + return err; + } + +@@ -1871,8 +1877,10 @@ SCTP_STATIC int sctp_sendmsg(struct kioc + goto out_unlock; + + out_free: +- if (new_asoc) ++ if (new_asoc) { ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + out_unlock: + sctp_release_sock(sk); + diff --git a/queue-3.0/series b/queue-3.0/series index e0a95d53309..70d473c8e17 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -25,3 +25,15 @@ nfsd4-our-filesystems-are-normally-case-sensitive.patch nfs-skip-commit-in-releasepage-if-we-re-freeing-memory-for-fs-related-reasons.patch ext4-pass-a-char-to-ext4_count_free-instead-of-a-buffer_head-ptr.patch ext4-don-t-let-i_reserved_meta_blocks-go-negative.patch +bnx2-fix-bug-in-bnx2_free_tx_skbs.patch +sch_sfb-fix-missing-null-check.patch +sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch +caif-fix-access-to-freed-pernet-memory.patch +cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch +caif-fix-null-pointer-check.patch +wanmain-comparing-array-with-null.patch +tcp-add-tcp_user_timeout-negative-value-check.patch +usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch +net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch +tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch +net-tun-fix-ioctl-based-info-leaks.patch diff --git a/queue-3.0/tcp-add-tcp_user_timeout-negative-value-check.patch b/queue-3.0/tcp-add-tcp_user_timeout-negative-value-check.patch new file mode 100644 index 00000000000..0f69ae62845 --- /dev/null +++ b/queue-3.0/tcp-add-tcp_user_timeout-negative-value-check.patch @@ -0,0 +1,37 @@ +From e1a1ee222ec5396d300b37683be440c12a614b64 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Thu, 26 Jul 2012 22:52:21 +0000 +Subject: tcp: Add TCP_USER_TIMEOUT negative value check + + +From: Hangbin Liu + +[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ] + +TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But +patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative +values. If a user assign -1 to it, the socket will set successfully and wait +for 4294967295 miliseconds. This patch add a negative value check to avoid +this issue. + +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2394,7 +2394,10 @@ static int do_tcp_setsockopt(struct sock + /* Cap the max timeout in ms TCP will retry/retrans + * before giving up and aborting (ETIMEDOUT) a connection. + */ +- icsk->icsk_user_timeout = msecs_to_jiffies(val); ++ if (val < 0) ++ err = -EINVAL; ++ else ++ icsk->icsk_user_timeout = msecs_to_jiffies(val); + break; + default: + err = -ENOPROTOOPT; diff --git a/queue-3.0/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch b/queue-3.0/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch new file mode 100644 index 00000000000..b3801e093c0 --- /dev/null +++ b/queue-3.0/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch @@ -0,0 +1,54 @@ +From bc46d9b438e2c0c49b90c7b3e46ad6c7f01d4102 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Fri, 27 Jul 2012 10:38:50 +0000 +Subject: tcp: perform DMA to userspace only if there is a task waiting for it + + +From: Jiri Kosina + +[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ] + +Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT") +added support for receive offloading to IOAT dma engine if available. + +The code in tcp_rcv_established() tries to perform early DMA copy if +applicable. It however does so without checking whether the userspace +task is actually expecting the data in the buffer. + +This is not a problem under normal circumstances, but there is a corner +case where this doesn't work -- and that's when MSG_TRUNC flag to +recvmsg() is used. + +If the IOAT dma engine is not used, the code properly checks whether +there is a valid ucopy.task and the socket is owned by userspace, but +misses the check in the dmaengine case. + +This problem can be observed in real trivially -- for example 'tbench' is a +good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing +IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they +have been already early-copied in tcp_rcv_established() using dma engine. + +This patch introduces the same check we are performing in the simple +iovec copy case to the IOAT case as well. It fixes the indefinite +recvmsg(MSG_TRUNC) hangs. + +Signed-off-by: Jiri Kosina +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5340,7 +5340,9 @@ int tcp_rcv_established(struct sock *sk, + if (tp->copied_seq == tp->rcv_nxt && + len - tcp_header_len <= tp->ucopy.len) { + #ifdef CONFIG_NET_DMA +- if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) { ++ if (tp->ucopy.task == current && ++ sock_owned_by_user(sk) && ++ tcp_dma_try_early_copy(sk, skb, tcp_header_len)) { + copied_early = 1; + eaten = 1; + } diff --git a/queue-3.0/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch b/queue-3.0/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch new file mode 100644 index 00000000000..4585f005267 --- /dev/null +++ b/queue-3.0/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch @@ -0,0 +1,38 @@ +From 32a2b80371e48f11c6316b18009a1020641287b0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 27 Jul 2012 01:46:51 +0000 +Subject: USB: kaweth.c: use GFP_ATOMIC under spin_lock + + +From: Dan Carpenter + +[ Upstream commit e4c7f259c5be99dcfc3d98f913590663b0305bf8 ] + +The problem is that we call this with a spin lock held. The call tree +is: + kaweth_start_xmit() holds kaweth->device_lock. + -> kaweth_async_set_rx_mode() + -> kaweth_control() + -> kaweth_internal_control_msg() + +The kaweth_internal_control_msg() function is only called from +kaweth_control() which used GFP_ATOMIC for its allocations. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kaweth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -1308,7 +1308,7 @@ static int kaweth_internal_control_msg(s + int retv; + int length = 0; /* shut up GCC */ + +- urb = usb_alloc_urb(0, GFP_NOIO); ++ urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urb) + return -ENOMEM; + diff --git a/queue-3.0/wanmain-comparing-array-with-null.patch b/queue-3.0/wanmain-comparing-array-with-null.patch new file mode 100644 index 00000000000..001b1ed757d --- /dev/null +++ b/queue-3.0/wanmain-comparing-array-with-null.patch @@ -0,0 +1,82 @@ +From a3fa345f8fdc23941caeed59c1a05110a843b3ae Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Tue, 24 Jul 2012 08:16:25 +0000 +Subject: wanmain: comparing array with NULL + + +From: Alan Cox + +[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ] + +gcc really should warn about these ! + +Signed-off-by: Alan Cox +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/wanrouter/wanmain.c | 53 +++++++++++++++++++++--------------------------- + 1 file changed, 24 insertions(+), 29 deletions(-) + +--- a/net/wanrouter/wanmain.c ++++ b/net/wanrouter/wanmain.c +@@ -602,36 +602,31 @@ static int wanrouter_device_new_if(struc + * successfully, add it to the interface list. + */ + +- if (dev->name == NULL) { +- err = -EINVAL; +- } else { +- +- #ifdef WANDEBUG +- printk(KERN_INFO "%s: registering interface %s...\n", +- wanrouter_modname, dev->name); +- #endif +- +- err = register_netdev(dev); +- if (!err) { +- struct net_device *slave = NULL; +- unsigned long smp_flags=0; +- +- lock_adapter_irq(&wandev->lock, &smp_flags); +- +- if (wandev->dev == NULL) { +- wandev->dev = dev; +- } else { +- for (slave=wandev->dev; +- DEV_TO_SLAVE(slave); +- slave = DEV_TO_SLAVE(slave)) +- DEV_TO_SLAVE(slave) = dev; +- } +- ++wandev->ndev; +- +- unlock_adapter_irq(&wandev->lock, &smp_flags); +- err = 0; /* done !!! */ +- goto out; ++#ifdef WANDEBUG ++ printk(KERN_INFO "%s: registering interface %s...\n", ++ wanrouter_modname, dev->name); ++#endif ++ ++ err = register_netdev(dev); ++ if (!err) { ++ struct net_device *slave = NULL; ++ unsigned long smp_flags=0; ++ ++ lock_adapter_irq(&wandev->lock, &smp_flags); ++ ++ if (wandev->dev == NULL) { ++ wandev->dev = dev; ++ } else { ++ for (slave=wandev->dev; ++ DEV_TO_SLAVE(slave); ++ slave = DEV_TO_SLAVE(slave)) ++ DEV_TO_SLAVE(slave) = dev; + } ++ ++wandev->ndev; ++ ++ unlock_adapter_irq(&wandev->lock, &smp_flags); ++ err = 0; /* done !!! */ ++ goto out; + } + if (wandev->del_if) + wandev->del_if(wandev, dev);