From: Greg Kroah-Hartman Date: Wed, 11 Mar 2015 10:46:14 +0000 (+0100) Subject: 3.10-stable patches X-Git-Tag: v3.10.72~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f88cfadecc545e61e44f8a04c27281a42471070;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ematch-fix-auto-loading-of-ematch-modules.patch gen_stats.c-duplicate-xstats-buffer-for-later-use.patch ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch net-reject-creation-of-netdev-names-with-colons.patch rtnetlink-call-dellink-on-failure-when-newlink-exists.patch rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch --- diff --git a/queue-3.10/ematch-fix-auto-loading-of-ematch-modules.patch b/queue-3.10/ematch-fix-auto-loading-of-ematch-modules.patch new file mode 100644 index 00000000000..a2cf5fd6dee --- /dev/null +++ b/queue-3.10/ematch-fix-auto-loading-of-ematch-modules.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?= + +Date: Tue, 17 Feb 2015 20:15:20 +0100 +Subject: ematch: Fix auto-loading of ematch modules. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?= + +[ Upstream commit 34eea79e2664b314cab6a30fc582fdfa7a1bb1df ] + +In tcf_em_validate(), after calling request_module() to load the +kind-specific module, set em->ops to NULL before returning -EAGAIN, so +that module_put() is not called again by tcf_em_tree_destroy(). + +Signed-off-by: Ignacy Gawędzki +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/ematch.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/ematch.c ++++ b/net/sched/ematch.c +@@ -227,6 +227,7 @@ static int tcf_em_validate(struct tcf_pr + * to replay the request. + */ + module_put(em->ops->owner); ++ em->ops = NULL; + err = -EAGAIN; + } + #endif diff --git a/queue-3.10/gen_stats.c-duplicate-xstats-buffer-for-later-use.patch b/queue-3.10/gen_stats.c-duplicate-xstats-buffer-for-later-use.patch new file mode 100644 index 00000000000..e97dd2d03af --- /dev/null +++ b/queue-3.10/gen_stats.c-duplicate-xstats-buffer-for-later-use.patch @@ -0,0 +1,74 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?= + +Date: Fri, 13 Feb 2015 14:47:05 -0800 +Subject: gen_stats.c: Duplicate xstats buffer for later use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?= + +[ Upstream commit 1c4cff0cf55011792125b6041bc4e9713e46240f ] + +The gnet_stats_copy_app() function gets called, more often than not, with its +second argument a pointer to an automatic variable in the caller's stack. +Therefore, to avoid copying garbage afterwards when calling +gnet_stats_finish_copy(), this data is better copied to a dynamically allocated +memory that gets freed after use. + +[xiyou.wangcong@gmail.com: remove a useless kfree()] + +Signed-off-by: Ignacy Gawędzki +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/gen_stats.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/net/core/gen_stats.c ++++ b/net/core/gen_stats.c +@@ -32,6 +32,9 @@ gnet_stats_copy(struct gnet_dump *d, int + return 0; + + nla_put_failure: ++ kfree(d->xstats); ++ d->xstats = NULL; ++ d->xstats_len = 0; + spin_unlock_bh(d->lock); + return -1; + } +@@ -205,7 +208,9 @@ int + gnet_stats_copy_app(struct gnet_dump *d, void *st, int len) + { + if (d->compat_xstats) { +- d->xstats = st; ++ d->xstats = kmemdup(st, len, GFP_ATOMIC); ++ if (!d->xstats) ++ goto err_out; + d->xstats_len = len; + } + +@@ -213,6 +218,11 @@ gnet_stats_copy_app(struct gnet_dump *d, + return gnet_stats_copy(d, TCA_STATS_APP, st, len); + + return 0; ++ ++err_out: ++ d->xstats_len = 0; ++ spin_unlock_bh(d->lock); ++ return -1; + } + EXPORT_SYMBOL(gnet_stats_copy_app); + +@@ -245,6 +255,9 @@ gnet_stats_finish_copy(struct gnet_dump + return -1; + } + ++ kfree(d->xstats); ++ d->xstats = NULL; ++ d->xstats_len = 0; + spin_unlock_bh(d->lock); + return 0; + } diff --git a/queue-3.10/ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch b/queue-3.10/ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch new file mode 100644 index 00000000000..62bcec453fb --- /dev/null +++ b/queue-3.10/ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Alexander Drozdov +Date: Tue, 17 Feb 2015 13:33:46 +0300 +Subject: ipv4: ip_check_defrag should correctly check return value of skb_copy_bits + +From: Alexander Drozdov + +[ Upstream commit fba04a9e0c869498889b6445fd06cbe7da9bb834 ] + +skb_copy_bits() returns zero on success and negative value on error, +so it is needed to invert the condition in ip_check_defrag(). + +Fixes: 1bf3751ec90c ("ipv4: ip_check_defrag must not modify skb before unsharing") +Signed-off-by: Alexander Drozdov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_fragment.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -683,7 +683,7 @@ struct sk_buff *ip_check_defrag(struct s + if (skb->protocol != htons(ETH_P_IP)) + return skb; + +- if (!skb_copy_bits(skb, 0, &iph, sizeof(iph))) ++ if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0) + return skb; + + if (iph.ihl < 5 || iph.version != 4) diff --git a/queue-3.10/ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch b/queue-3.10/ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch new file mode 100644 index 00000000000..4b208bde120 --- /dev/null +++ b/queue-3.10/ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Alexander Drozdov +Date: Thu, 5 Mar 2015 10:29:39 +0300 +Subject: ipv4: ip_check_defrag should not assume that skb_network_offset is zero + +From: Alexander Drozdov + +[ Upstream commit 3e32e733d1bbb3f227259dc782ef01d5706bdae0 ] + +ip_check_defrag() may be used by af_packet to defragment outgoing packets. +skb_network_offset() of af_packet's outgoing packets is not zero. + +Signed-off-by: Alexander Drozdov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_fragment.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -678,27 +678,30 @@ EXPORT_SYMBOL(ip_defrag); + struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user) + { + struct iphdr iph; ++ int netoff; + u32 len; + + if (skb->protocol != htons(ETH_P_IP)) + return skb; + +- if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0) ++ netoff = skb_network_offset(skb); ++ ++ if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0) + return skb; + + if (iph.ihl < 5 || iph.version != 4) + return skb; + + len = ntohs(iph.tot_len); +- if (skb->len < len || len < (iph.ihl * 4)) ++ if (skb->len < netoff + len || len < (iph.ihl * 4)) + return skb; + + if (ip_is_fragment(&iph)) { + skb = skb_share_check(skb, GFP_ATOMIC); + if (skb) { +- if (!pskb_may_pull(skb, iph.ihl*4)) ++ if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) + return skb; +- if (pskb_trim_rcsum(skb, len)) ++ if (pskb_trim_rcsum(skb, netoff + len)) + return skb; + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); + if (ip_defrag(skb, user)) diff --git a/queue-3.10/ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch b/queue-3.10/ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch new file mode 100644 index 00000000000..5662dfafee5 --- /dev/null +++ b/queue-3.10/ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Martin KaFai Lau +Date: Thu, 12 Feb 2015 16:14:08 -0800 +Subject: ipv6: fix ipv6_cow_metrics for non DST_HOST case + +From: Martin KaFai Lau + +[ Upstream commit 3b4711757d7903ab6fa88a9e7ab8901b8227da60 ] + +ipv6_cow_metrics() currently assumes only DST_HOST routes require +dynamic metrics allocation from inetpeer. The assumption breaks +when ndisc discovered router with RTAX_MTU and RTAX_HOPLIMIT metric. +Refer to ndisc_router_discovery() in ndisc.c and note that dst_metric_set() +is called after the route is created. + +This patch creates the metrics array (by calling dst_cow_metrics_generic) in +ipv6_cow_metrics(). + +Test: +radvd.conf: +interface qemubr0 +{ + AdvLinkMTU 1300; + AdvCurHopLimit 30; + + prefix fd00:face:face:face::/64 + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; +}; + +Before: +[root@qemu1 ~]# ip -6 r show | egrep -v unreachable +fd00:face:face:face::/64 dev eth0 proto kernel metric 256 expires 27sec +fe80::/64 dev eth0 proto kernel metric 256 +default via fe80::74df:d0ff:fe23:8ef2 dev eth0 proto ra metric 1024 expires 27sec + +After: +[root@qemu1 ~]# ip -6 r show | egrep -v unreachable +fd00:face:face:face::/64 dev eth0 proto kernel metric 256 expires 27sec mtu 1300 +fe80::/64 dev eth0 proto kernel metric 256 mtu 1300 +default via fe80::74df:d0ff:fe23:8ef2 dev eth0 proto ra metric 1024 expires 27sec mtu 1300 hoplimit 30 + +Fixes: 8e2ec639173f325 (ipv6: don't use inetpeer to store metrics for routes.) +Signed-off-by: Martin KaFai Lau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -109,7 +109,7 @@ static u32 *ipv6_cow_metrics(struct dst_ + u32 *p = NULL; + + if (!(rt->dst.flags & DST_HOST)) +- return NULL; ++ return dst_cow_metrics_generic(dst, old); + + peer = rt6_get_peer_create(rt); + if (peer) { diff --git a/queue-3.10/macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch b/queue-3.10/macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch new file mode 100644 index 00000000000..1829feebce9 --- /dev/null +++ b/queue-3.10/macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Eric Dumazet +Date: Fri, 27 Feb 2015 18:35:35 -0800 +Subject: macvtap: make sure neighbour code can push ethernet header + +From: Eric Dumazet + +[ Upstream commit 2f1d8b9e8afa5a833d96afcd23abcb8cdf8d83ab ] + +Brian reported crashes using IPv6 traffic with macvtap/veth combo. + +I tracked the crashes in neigh_hh_output() + +-> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD); + +Neighbour code assumes headroom to push Ethernet header is +at least 16 bytes. + +It appears macvtap has only 14 bytes available on arches +where NET_IP_ALIGN is 0 (like x86) + +Effect is a corruption of 2 bytes right before skb->head, +and possible crashes if accessing non existing memory. + +This fix should also increase IPv4 performance, as paranoid code +in ip_finish_output2() wont have to call skb_realloc_headroom() + +Reported-by: Brian Rak +Tested-by: Brian Rak +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -658,12 +658,15 @@ static unsigned long iov_pages(const str + return pages; + } + ++/* Neighbour code has some assumptions on HH_DATA_MOD alignment */ ++#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN) ++ + /* Get packet from user space buffer */ + static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + const struct iovec *iv, unsigned long total_len, + size_t count, int noblock) + { +- int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN); ++ int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE); + struct sk_buff *skb; + struct macvlan_dev *vlan; + unsigned long len = total_len; +@@ -722,7 +725,7 @@ static ssize_t macvtap_get_user(struct m + linear = vnet_hdr.hdr_len; + } + +- skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, ++ skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen, + linear, noblock, &err); + if (!skb) + goto err; diff --git a/queue-3.10/net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch b/queue-3.10/net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch new file mode 100644 index 00000000000..9d3fcbb5849 --- /dev/null +++ b/queue-3.10/net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch @@ -0,0 +1,75 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Catalin Marinas +Date: Mon, 23 Feb 2015 18:12:56 +0000 +Subject: net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg + +From: Catalin Marinas + +[ Upstream commit d720d8cec563ce4e4fa44a613d4f2dcb1caf2998 ] + +With commit a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg), the +MSG_CMSG_COMPAT flag is blocked at the compat syscall entry points, +changing the kernel compat behaviour from the one before the commit it +was trying to fix (1be374a0518a, net: Block MSG_CMSG_COMPAT in +send(m)msg and recv(m)msg). + +On 32-bit kernels (!CONFIG_COMPAT), MSG_CMSG_COMPAT is 0 and the native +32-bit sys_sendmsg() allows flag 0x80000000 to be set (it is ignored by +the kernel). However, on a 64-bit kernel, the compat ABI is different +with commit a7526eb5d06b. + +This patch changes the compat_sys_{send,recv}msg behaviour to the one +prior to commit 1be374a0518a. + +The problem was found running 32-bit LTP (sendmsg01) binary on an arm64 +kernel. Arguably, LTP should not pass 0xffffffff as flags to sendmsg() +but the general rule is not to break user ABI (even when the user +behaviour is not entirely sane). + +Fixes: a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg) +Cc: Andy Lutomirski +Cc: David S. Miller +Signed-off-by: Catalin Marinas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/compat.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/net/compat.c ++++ b/net/compat.c +@@ -738,24 +738,18 @@ static unsigned char nas[21] = { + + asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + +@@ -778,9 +772,6 @@ asmlinkage long compat_sys_recvmmsg(int + int datagrams; + struct timespec ktspec; + +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); diff --git a/queue-3.10/net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch b/queue-3.10/net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch new file mode 100644 index 00000000000..8007b0d41e3 --- /dev/null +++ b/queue-3.10/net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch @@ -0,0 +1,75 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Guenter Roeck +Date: Tue, 17 Feb 2015 09:36:22 -0800 +Subject: net: phy: Fix verification of EEE support in phy_init_eee + +From: Guenter Roeck + +[ Upstream commit 54da5a8be3c1e924c35480eb44c6e9b275f6444e ] + +phy_init_eee uses phy_find_setting(phydev->speed, phydev->duplex) +to find a valid entry in the settings array for the given speed +and duplex value. For full duplex 1000baseT, this will return +the first matching entry, which is the entry for 1000baseKX_Full. + +If the phy eee does not support 1000baseKX_Full, this entry will not +match, causing phy_init_eee to fail for no good reason. + +Fixes: 9a9c56cb34e6 ("net: phy: fix a bug when verify the EEE support") +Fixes: 3e7077067e80c ("phy: Expand phy speed/duplex settings array") +Cc: Giuseppe Cavallaro +Signed-off-by: Guenter Roeck +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -203,6 +203,25 @@ static inline int phy_find_valid(int idx + } + + /** ++ * phy_check_valid - check if there is a valid PHY setting which matches ++ * speed, duplex, and feature mask ++ * @speed: speed to match ++ * @duplex: duplex to match ++ * @features: A mask of the valid settings ++ * ++ * Description: Returns true if there is a valid setting, false otherwise. ++ */ ++static inline bool phy_check_valid(int speed, int duplex, u32 features) ++{ ++ unsigned int idx; ++ ++ idx = phy_find_valid(phy_find_setting(speed, duplex), features); ++ ++ return settings[idx].speed == speed && settings[idx].duplex == duplex && ++ (settings[idx].setting & features); ++} ++ ++/** + * phy_sanitize_settings - make sure the PHY is set to supported speed and duplex + * @phydev: the target phy_device struct + * +@@ -1011,7 +1030,7 @@ int phy_init_eee(struct phy_device *phyd + (phydev->interface == PHY_INTERFACE_MODE_RGMII))) { + int eee_lp, eee_cap, eee_adv; + u32 lp, cap, adv; +- int idx, status; ++ int status; + + /* Read phy status to properly get the right settings */ + status = phy_read_status(phydev); +@@ -1043,8 +1062,7 @@ int phy_init_eee(struct phy_device *phyd + + adv = mmd_eee_adv_to_ethtool_adv_t(eee_adv); + lp = mmd_eee_adv_to_ethtool_adv_t(eee_lp); +- idx = phy_find_setting(phydev->speed, phydev->duplex); +- if (!(lp & adv & settings[idx].setting)) ++ if (!phy_check_valid(phydev->speed, phydev->duplex, lp & adv)) + goto eee_exit; + + if (clk_stop_enable) { diff --git a/queue-3.10/net-reject-creation-of-netdev-names-with-colons.patch b/queue-3.10/net-reject-creation-of-netdev-names-with-colons.patch new file mode 100644 index 00000000000..f80fcf80838 --- /dev/null +++ b/queue-3.10/net-reject-creation-of-netdev-names-with-colons.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Matthew Thode +Date: Tue, 17 Feb 2015 18:31:57 -0600 +Subject: net: reject creation of netdev names with colons + +From: Matthew Thode + +[ Upstream commit a4176a9391868bfa87705bcd2e3b49e9b9dd2996 ] + +colons are used as a separator in netdev device lookup in dev_ioctl.c + +Specific functions are SIOCGIFTXQLEN SIOCETHTOOL SIOCSIFNAME + +Signed-off-by: Matthew Thode +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -927,7 +927,7 @@ bool dev_valid_name(const char *name) + return false; + + while (*name) { +- if (*name == '/' || isspace(*name)) ++ if (*name == '/' || *name == ':' || isspace(*name)) + return false; + name++; + } diff --git a/queue-3.10/rtnetlink-call-dellink-on-failure-when-newlink-exists.patch b/queue-3.10/rtnetlink-call-dellink-on-failure-when-newlink-exists.patch new file mode 100644 index 00000000000..aba3fa68ae6 --- /dev/null +++ b/queue-3.10/rtnetlink-call-dellink-on-failure-when-newlink-exists.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: WANG Cong +Date: Fri, 13 Feb 2015 13:56:53 -0800 +Subject: rtnetlink: call ->dellink on failure when ->newlink exists + +From: WANG Cong + +[ Upstream commit 7afb8886a05be68e376655539a064ec672de8a8e ] + +Ignacy reported that when eth0 is down and add a vlan device +on top of it like: + + ip link add link eth0 name eth0.1 up type vlan id 1 + +We will get a refcount leak: + + unregister_netdevice: waiting for eth0.1 to become free. Usage count = 2 + +The problem is when rtnl_configure_link() fails in rtnl_newlink(), +we simply call unregister_device(), but for stacked device like vlan, +we almost do nothing when we unregister the upper device, more work +is done when we unregister the lower device, so call its ->dellink(). + +Reported-by: Ignacy Gawedzki +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1851,8 +1851,16 @@ replay: + goto out; + + err = rtnl_configure_link(dev, ifm); +- if (err < 0) +- unregister_netdevice(dev); ++ if (err < 0) { ++ if (ops->newlink) { ++ LIST_HEAD(list_kill); ++ ++ ops->dellink(dev, &list_kill); ++ unregister_netdevice_many(&list_kill); ++ } else { ++ unregister_netdevice(dev); ++ } ++ } + out: + put_net(dest_net); + return err; diff --git a/queue-3.10/rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch b/queue-3.10/rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch new file mode 100644 index 00000000000..ecce76a492a --- /dev/null +++ b/queue-3.10/rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Daniel Borkmann +Date: Thu, 5 Feb 2015 18:44:04 +0100 +Subject: rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY + +From: Daniel Borkmann + +[ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ] + +ifla_vf_policy[] is wrong in advertising its individual member types as +NLA_BINARY since .type = NLA_BINARY in combination with .len declares the +len member as *max* attribute length [0, len]. + +The issue is that when do_setvfinfo() is being called to set up a VF +through ndo handler, we could set corrupted data if the attribute length +is less than the size of the related structure itself. + +The intent is exactly the opposite, namely to make sure to pass at least +data of minimum size of len. + +Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink") +Cc: Mitch Williams +Cc: Jeff Kirsher +Signed-off-by: Daniel Borkmann +Acked-by: Thomas Graf +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1138,14 +1138,10 @@ static const struct nla_policy ifla_vfin + }; + + static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = { +- [IFLA_VF_MAC] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_mac) }, +- [IFLA_VF_VLAN] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_vlan) }, +- [IFLA_VF_TX_RATE] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_tx_rate) }, +- [IFLA_VF_SPOOFCHK] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_spoofchk) }, ++ [IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) }, ++ [IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) }, ++ [IFLA_VF_TX_RATE] = { .len = sizeof(struct ifla_vf_tx_rate) }, ++ [IFLA_VF_SPOOFCHK] = { .len = sizeof(struct ifla_vf_spoofchk) }, + }; + + static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = { diff --git a/queue-3.10/series b/queue-3.10/series new file mode 100644 index 00000000000..8574c40a164 --- /dev/null +++ b/queue-3.10/series @@ -0,0 +1,15 @@ +rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch +ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch +rtnetlink-call-dellink-on-failure-when-newlink-exists.patch +gen_stats.c-duplicate-xstats-buffer-for-later-use.patch +ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch +ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch +net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch +ematch-fix-auto-loading-of-ematch-modules.patch +net-reject-creation-of-netdev-names-with-colons.patch +team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch +net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch +macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch +usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch +udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch +team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch diff --git a/queue-3.10/team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch b/queue-3.10/team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch new file mode 100644 index 00000000000..121250fb852 --- /dev/null +++ b/queue-3.10/team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Jiri Pirko +Date: Wed, 4 Mar 2015 08:36:31 +0100 +Subject: team: don't traverse port list using rcu in team_set_mac_address + +From: Jiri Pirko + +[ Upstream commit 9215f437b85da339a7dfe3db6e288637406f88b2 ] + +Currently the list is traversed using rcu variant. That is not correct +since dev_set_mac_address can be called which eventually calls +rtmsg_ifinfo_build_skb and there, skb allocation can sleep. So fix this +by remove the rcu usage here. + +Fixes: 3d249d4ca7 "net: introduce ethernet teaming device" +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1521,11 +1521,11 @@ static int team_set_mac_address(struct n + if (dev->type == ARPHRD_ETHER && !is_valid_ether_addr(addr->sa_data)) + return -EADDRNOTAVAIL; + memcpy(dev->dev_addr, addr->sa_data, dev->addr_len); +- rcu_read_lock(); +- list_for_each_entry_rcu(port, &team->port_list, list) ++ mutex_lock(&team->lock); ++ list_for_each_entry(port, &team->port_list, list) + if (team->ops.port_change_dev_addr) + team->ops.port_change_dev_addr(team, port); +- rcu_read_unlock(); ++ mutex_unlock(&team->lock); + return 0; + } + diff --git a/queue-3.10/team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch b/queue-3.10/team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch new file mode 100644 index 00000000000..7e0531ba111 --- /dev/null +++ b/queue-3.10/team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Jiri Pirko +Date: Mon, 23 Feb 2015 14:02:54 +0100 +Subject: team: fix possible null pointer dereference in team_handle_frame + +From: Jiri Pirko + +[ Upstream commit 57e595631904c827cfa1a0f7bbd7cc9a49da5745 ] + +Currently following race is possible in team: + +CPU0 CPU1 + team_port_del + team_upper_dev_unlink + priv_flags &= ~IFF_TEAM_PORT +team_handle_frame + team_port_get_rcu + team_port_exists + priv_flags & IFF_TEAM_PORT == 0 + return NULL (instead of port got + from rx_handler_data) + netdev_rx_handler_unregister + +The thing is that the flag is removed before rx_handler is unregistered. +If team_handle_frame is called in between, team_port_exists returns 0 +and team_port_get_rcu will return NULL. +So do not check the flag here. It is guaranteed by netdev_rx_handler_unregister +that team_handle_frame will always see valid rx_handler_data pointer. + +Signed-off-by: Jiri Pirko +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -42,9 +42,7 @@ + + static struct team_port *team_port_get_rcu(const struct net_device *dev) + { +- struct team_port *port = rcu_dereference(dev->rx_handler_data); +- +- return team_port_exists(dev) ? port : NULL; ++ return rcu_dereference(dev->rx_handler_data); + } + + static struct team_port *team_port_get_rtnl(const struct net_device *dev) diff --git a/queue-3.10/udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch b/queue-3.10/udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch new file mode 100644 index 00000000000..3cec12a3dfd --- /dev/null +++ b/queue-3.10/udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch @@ -0,0 +1,57 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= +Date: Mon, 2 Mar 2015 18:27:11 +0100 +Subject: udp: only allow UFO for packets from SOCK_DGRAM sockets + +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= + +[ Upstream commit acf8dd0a9d0b9e4cdb597c2f74802f79c699e802 ] + +If an over-MTU UDP datagram is sent through a SOCK_RAW socket to a +UFO-capable device, ip_ufo_append_data() sets skb->ip_summed to +CHECKSUM_PARTIAL unconditionally as all GSO code assumes transport layer +checksum is to be computed on segmentation. However, in this case, +skb->csum_start and skb->csum_offset are never set as raw socket +transmit path bypasses udp_send_skb() where they are usually set. As a +result, driver may access invalid memory when trying to calculate the +checksum and store the result (as observed in virtio_net driver). + +Moreover, the very idea of modifying the userspace provided UDP header +is IMHO against raw socket semantics (I wasn't able to find a document +clearly stating this or the opposite, though). And while allowing +CHECKSUM_NONE in the UFO case would be more efficient, it would be a bit +too intrusive change just to handle a corner case like this. Therefore +disallowing UFO for packets from SOCK_DGRAM seems to be the best option. + +Signed-off-by: Michal Kubecek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 3 ++- + net/ipv6/ip6_output.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -845,7 +845,8 @@ static int __ip_append_data(struct sock + cork->length += length; + if (((length > mtu) || (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && +- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { ++ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && ++ (sk->sk_type == SOCK_DGRAM)) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1286,7 +1286,8 @@ int ip6_append_data(struct sock *sk, int + if (((length > mtu) || + (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && +- (rt->dst.dev->features & NETIF_F_UFO)) { ++ (rt->dst.dev->features & NETIF_F_UFO) && ++ (sk->sk_type == SOCK_DGRAM)) { + err = ip6_ufo_append_data(sk, getfrag, from, length, + hh_len, fragheaderlen, + transhdrlen, mtu, flags, rt); diff --git a/queue-3.10/usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch b/queue-3.10/usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch new file mode 100644 index 00000000000..36991d61905 --- /dev/null +++ b/queue-3.10/usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Mar 11 11:37:09 CET 2015 +From: Ben Shelton +Date: Mon, 16 Feb 2015 13:47:06 -0600 +Subject: usb: plusb: Add support for National Instruments host-to-host cable + +From: Ben Shelton + +[ Upstream commit 42c972a1f390e3bc51ca1e434b7e28764992067f ] + +The National Instruments USB Host-to-Host Cable is based on the Prolific +PL-25A1 chipset. Add its VID/PID so the plusb driver will recognize it. + +Signed-off-by: Ben Shelton +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/plusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/usb/plusb.c ++++ b/drivers/net/usb/plusb.c +@@ -136,6 +136,11 @@ static const struct usb_device_id produc + }, { + USB_DEVICE(0x050d, 0x258a), /* Belkin F5U258/F5U279 (PL-25A1) */ + .driver_info = (unsigned long) &prolific_info, ++}, { ++ USB_DEVICE(0x3923, 0x7825), /* National Instruments USB ++ * Host-to-Host Cable ++ */ ++ .driver_info = (unsigned long) &prolific_info, + }, + + { }, // END diff --git a/queue-3.14/series b/queue-3.14/series new file mode 100644 index 00000000000..205b28b2fdd --- /dev/null +++ b/queue-3.14/series @@ -0,0 +1,17 @@ +pktgen-fix-udp-checksum-computation.patch +rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch +ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch +rtnetlink-call-dellink-on-failure-when-newlink-exists.patch +gen_stats.c-duplicate-xstats-buffer-for-later-use.patch +ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch +ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch +net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch +ematch-fix-auto-loading-of-ematch-modules.patch +net-reject-creation-of-netdev-names-with-colons.patch +team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch +net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch +macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch +usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch +udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch +net-ping-return-eafnosupport-when-appropriate.patch +team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch diff --git a/queue-3.19/series b/queue-3.19/series new file mode 100644 index 00000000000..faa08ae67cd --- /dev/null +++ b/queue-3.19/series @@ -0,0 +1,30 @@ +flowcache-fix-kernel-panic-in-flow_cache_flush_task.patch +ipv6-addrconf-add-missing-validate_link_af-handler.patch +pktgen-fix-udp-checksum-computation.patch +rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch +ipv6-fix-fragment-id-assignment-on-le-arches.patch +ipv6-make-__ipv6_select_ident-static.patch +tcp-make-sure-skb-is-not-shared-before-using-skb_get.patch +ipv6-fix-ipv6_cow_metrics-for-non-dst_host-case.patch +rtnetlink-call-dellink-on-failure-when-newlink-exists.patch +gen_stats.c-duplicate-xstats-buffer-for-later-use.patch +ipv4-ip_check_defrag-should-correctly-check-return-value-of-skb_copy_bits.patch +ipv4-ip_check_defrag-should-not-assume-that-skb_network_offset-is-zero.patch +net-phy-fix-verification-of-eee-support-in-phy_init_eee.patch +ematch-fix-auto-loading-of-ematch-modules.patch +openvswitch-fix-net-exit.patch +sock-sock_dequeue_err_skb-needs-hard-irq-safety.patch +net-reject-creation-of-netdev-names-with-colons.patch +revert-r8169-add-support-for-byte-queue-limits.patch +net-pktgen-disable-xmit_clone-on-virtual-devices.patch +team-fix-possible-null-pointer-dereference-in-team_handle_frame.patch +net-compat-ignore-msg_cmsg_compat-in-compat_sys_-send-recv-msg.patch +macvtap-make-sure-neighbour-code-can-push-ethernet-header.patch +net-bcmgenet-fix-throughtput-regression.patch +net-bcmgenet-fix-software-maintained-statistics.patch +sh_eth-fix-lost-mac-address-on-kexec.patch +net-do-not-use-rcu-in-rtnl_dump_ifinfo.patch +usb-plusb-add-support-for-national-instruments-host-to-host-cable.patch +udp-only-allow-ufo-for-packets-from-sock_dgram-sockets.patch +net-ping-return-eafnosupport-when-appropriate.patch +team-don-t-traverse-port-list-using-rcu-in-team_set_mac_address.patch