From: Greg Kroah-Hartman Date: Thu, 31 Dec 2015 03:53:06 +0000 (-0800) Subject: 4.1-stable patches X-Git-Tag: v3.10.95~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b192fa41e4c2ff81278024e817c08f3719ad774;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: af_unix-revert-lock_interruptible-in-stream-receive-code.patch atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch bluetooth-validate-socket-address-length-in-sco_sock_bind.patch fou-clean-up-socket-with-kfree_rcu.patch gre6-allow-to-update-all-parameters-via-rtnl.patch ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch ipv6-sctp-clone-options-to-avoid-use-after-free.patch net-add-validation-for-the-socket-syscall-protocol-argument.patch net-check-both-type-and-procotol-for-tcp-sockets.patch net-fix-ip-early-demux-races.patch net-fix-uninitialized-variable-issue.patch net-qca_spi-fix-transmit-queue-timeout-handling.patch net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch pppoe-fix-memory-corruption-in-padt-work-structure.patch pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch r8152-fix-lockup-when-runtime-pm-is-enabled.patch rhashtable-enforce-minimum-size-on-initial-hash-table.patch rhashtable-fix-walker-list-corruption.patch sctp-also-copy-sk_tsflags-when-copying-the-socket.patch sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch sh_eth-fix-kernel-oops-in-skb_put.patch skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch tcp-restore-fastopen-with-no-data-in-syn-packet.patch vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch --- diff --git a/queue-4.1/af_unix-revert-lock_interruptible-in-stream-receive-code.patch b/queue-4.1/af_unix-revert-lock_interruptible-in-stream-receive-code.patch new file mode 100644 index 00000000000..5fe8310a3b9 --- /dev/null +++ b/queue-4.1/af_unix-revert-lock_interruptible-in-stream-receive-code.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Rainer Weikusat +Date: Wed, 16 Dec 2015 20:09:25 +0000 +Subject: af_unix: Revert 'lock_interruptible' in stream receive code + +From: Rainer Weikusat + +[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ] + +With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM +receive code was changed from using mutex_lock(&u->readlock) to +mutex_lock_interruptible(&u->readlock) to prevent signals from being +delayed for an indefinite time if a thread sleeping on the mutex +happened to be selected for handling the signal. But this was never a +problem with the stream receive code (as opposed to its datagram +counterpart) as that never went to sleep waiting for new messages with the +mutex held and thus, wouldn't cause secondary readers to block on the +mutex waiting for the sleeping primary reader. As the interruptible +locking makes the code more complicated in exchange for no benefit, +change it back to using mutex_lock. + +Signed-off-by: Rainer Weikusat +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2072,14 +2072,7 @@ static int unix_stream_recvmsg(struct so + + memset(&scm, 0, sizeof(scm)); + +- err = mutex_lock_interruptible(&u->readlock); +- if (unlikely(err)) { +- /* recvmsg() in non blocking mode is supposed to return -EAGAIN +- * sk_rcvtimeo is not honored by mutex_lock_interruptible() +- */ +- err = noblock ? -EAGAIN : -ERESTARTSYS; +- goto out; +- } ++ mutex_lock(&u->readlock); + + if (flags & MSG_PEEK) + skip = sk_peek_offset(sk, flags); +@@ -2120,12 +2113,12 @@ again: + + timeo = unix_stream_data_wait(sk, timeo, last); + +- if (signal_pending(current) +- || mutex_lock_interruptible(&u->readlock)) { ++ if (signal_pending(current)) { + err = sock_intr_errno(timeo); + goto out; + } + ++ mutex_lock(&u->readlock); + continue; + unlock: + unix_state_unlock(sk); diff --git a/queue-4.1/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch b/queue-4.1/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch new file mode 100644 index 00000000000..a1f0da10b5d --- /dev/null +++ b/queue-4.1/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Pavel Machek +Date: Fri, 4 Dec 2015 09:50:00 +0100 +Subject: atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation + +From: Pavel Machek + +[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ] + +atl1c driver is doing order-4 allocation with GFP_ATOMIC +priority. That often breaks networking after resume. Switch to +GFP_KERNEL. Still not ideal, but should be significantly better. + +atl1c_setup_ring_resources() is called from .open() function, and +already uses GFP_KERNEL, so this change is safe. + +Signed-off-by: Pavel Machek +Acked-by: Michal Hocko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1014,13 +1014,12 @@ static int atl1c_setup_ring_resources(st + sizeof(struct atl1c_recv_ret_status) * rx_desc_count + + 8 * 4; + +- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, +- &ring_header->dma); ++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, ++ &ring_header->dma, GFP_KERNEL); + if (unlikely(!ring_header->desc)) { +- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); ++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); + goto err_nomem; + } +- memset(ring_header->desc, 0, ring_header->size); + /* init TPD ring */ + + tpd_ring[0].dma = roundup(ring_header->dma, 8); diff --git a/queue-4.1/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch b/queue-4.1/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch new file mode 100644 index 00000000000..4b49efa848a --- /dev/null +++ b/queue-4.1/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch @@ -0,0 +1,27 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: "David S. Miller" +Date: Tue, 15 Dec 2015 15:39:08 -0500 +Subject: bluetooth: Validate socket address length in sco_sock_bind(). + +From: "David S. Miller" + +[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ] + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/sco.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -520,6 +520,9 @@ static int sco_sock_bind(struct socket * + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { diff --git a/queue-4.1/fou-clean-up-socket-with-kfree_rcu.patch b/queue-4.1/fou-clean-up-socket-with-kfree_rcu.patch new file mode 100644 index 00000000000..2c594b361ba --- /dev/null +++ b/queue-4.1/fou-clean-up-socket-with-kfree_rcu.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Hannes Frederic Sowa +Date: Tue, 15 Dec 2015 21:01:53 +0100 +Subject: fou: clean up socket with kfree_rcu + +From: Hannes Frederic Sowa + +[ Upstream commit 3036facbb7be3a169e35be3b271162b0fa564a2d ] + +fou->udp_offloads is managed by RCU. As it is actually included inside +the fou sockets, we cannot let the memory go out of scope before a grace +period. We either can synchronize_rcu or switch over to kfree_rcu to +manage the sockets. kfree_rcu seems appropriate as it is used by vxlan +and geneve. + +Fixes: 23461551c00628c ("fou: Support for foo-over-udp RX path") +Cc: Tom Herbert +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fou.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -24,6 +24,7 @@ struct fou { + u16 type; + struct udp_offload udp_offloads; + struct list_head list; ++ struct rcu_head rcu; + }; + + #define FOU_F_REMCSUM_NOPARTIAL BIT(0) +@@ -421,7 +422,7 @@ static void fou_release(struct fou *fou) + list_del(&fou->list); + udp_tunnel_sock_release(sock); + +- kfree(fou); ++ kfree_rcu(fou, rcu); + } + + static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) diff --git a/queue-4.1/gre6-allow-to-update-all-parameters-via-rtnl.patch b/queue-4.1/gre6-allow-to-update-all-parameters-via-rtnl.patch new file mode 100644 index 00000000000..bde2dfe0a61 --- /dev/null +++ b/queue-4.1/gre6-allow-to-update-all-parameters-via-rtnl.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Nicolas Dichtel +Date: Thu, 3 Dec 2015 17:21:50 +0100 +Subject: gre6: allow to update all parameters via rtnl + +From: Nicolas Dichtel + +[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ] + +Parameters were updated only if the kernel was unable to find the tunnel +with the new parameters, ie only if core pamareters were updated (keys, +addr, link, type). +Now it's possible to update ttl, hoplimit, flowinfo and flags. + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1553,13 +1553,11 @@ static int ip6gre_changelink(struct net_ + return -EEXIST; + } else { + t = nt; +- +- ip6gre_tunnel_unlink(ign, t); +- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); +- ip6gre_tunnel_link(ign, t); +- netdev_state_change(dev); + } + ++ ip6gre_tunnel_unlink(ign, t); ++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); ++ ip6gre_tunnel_link(ign, t); + return 0; + } + diff --git a/queue-4.1/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch b/queue-4.1/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch new file mode 100644 index 00000000000..742e3aa49a3 --- /dev/null +++ b/queue-4.1/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Hannes Frederic Sowa +Date: Tue, 15 Dec 2015 22:59:12 +0100 +Subject: ipv6: automatically enable stable privacy mode if stable_secret set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hannes Frederic Sowa + +[ Upstream commit 9b29c6962b70f232cde4076b1020191e1be0889d ] + +Bjørn reported that while we switch all interfaces to privacy stable mode +when setting the secret, we don't set this mode for new interfaces. This +does not make sense, so change this behaviour. + +Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf") +Reported-by: Bjørn Mork +Cc: Bjørn Mork +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -343,6 +343,12 @@ static struct inet6_dev *ipv6_add_dev(st + setup_timer(&ndev->rs_timer, addrconf_rs_timer, + (unsigned long)ndev); + memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); ++ ++ if (ndev->cnf.stable_secret.initialized) ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ else ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; ++ + ndev->cnf.mtu6 = dev->mtu; + ndev->cnf.sysctl = NULL; + ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); diff --git a/queue-4.1/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch b/queue-4.1/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch new file mode 100644 index 00000000000..3547f6dac25 --- /dev/null +++ b/queue-4.1/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 4 Dec 2015 14:15:08 +0100 +Subject: ipv6: keep existing flags when setting IFA_F_OPTIMISTIC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 9a1ec4612c9bfc94d4185e3459055a37a685e575 ] + +Commit 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +failed to update the setting of the IFA_F_OPTIMISTIC flag, causing +the IFA_F_STABLE_PRIVACY flag to be lost if IFA_F_OPTIMISTIC is set. + +Cc: Erik Kline +Cc: Fernando Gont +Cc: Lorenzo Colitti +Cc: YOSHIFUJI Hideaki/吉藤英明 +Cc: Hannes Frederic Sowa +Fixes: 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +Signed-off-by: Bjørn Mork +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2384,7 +2384,7 @@ ok: + #ifdef CONFIG_IPV6_OPTIMISTIC_DAD + if (in6_dev->cnf.optimistic_dad && + !net->ipv6.devconf_all->forwarding && sllao) +- addr_flags = IFA_F_OPTIMISTIC; ++ addr_flags |= IFA_F_OPTIMISTIC; + #endif + + /* Do not allow to create too much of autoconfigured diff --git a/queue-4.1/ipv6-sctp-clone-options-to-avoid-use-after-free.patch b/queue-4.1/ipv6-sctp-clone-options-to-avoid-use-after-free.patch new file mode 100644 index 00000000000..e8e10f7727a --- /dev/null +++ b/queue-4.1/ipv6-sctp-clone-options-to-avoid-use-after-free.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Eric Dumazet +Date: Wed, 9 Dec 2015 07:25:06 -0800 +Subject: ipv6: sctp: clone options to avoid use after free + +From: Eric Dumazet + +[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ] + +SCTP is lacking proper np->opt cloning at accept() time. + +TCP and DCCP use ipv6_dup_options() helper, do the same +in SCTP. + +We might later factorize this code in a common helper to avoid +future mistakes. + +Reported-by: Dmitry Vyukov +Signed-off-by: Eric Dumazet +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ipv6.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -634,6 +634,7 @@ static struct sock *sctp_v6_create_accep + struct sock *newsk; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct sctp6_sock *newsctp6sk; ++ struct ipv6_txoptions *opt; + + newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot); + if (!newsk) +@@ -653,6 +654,13 @@ static struct sock *sctp_v6_create_accep + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); + ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt) ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ rcu_read_unlock(); ++ + /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() + * and getpeername(). + */ diff --git a/queue-4.1/net-add-validation-for-the-socket-syscall-protocol-argument.patch b/queue-4.1/net-add-validation-for-the-socket-syscall-protocol-argument.patch new file mode 100644 index 00000000000..5571fd2b3e1 --- /dev/null +++ b/queue-4.1/net-add-validation-for-the-socket-syscall-protocol-argument.patch @@ -0,0 +1,129 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Hannes Frederic Sowa +Date: Mon, 14 Dec 2015 22:03:39 +0100 +Subject: net: add validation for the socket syscall protocol argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hannes Frederic Sowa + +[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ] + +郭永刚 reported that one could simply crash the kernel as root by +using a simple program: + + int socket_fd; + struct sockaddr_in addr; + addr.sin_port = 0; + addr.sin_addr.s_addr = INADDR_ANY; + addr.sin_family = 10; + + socket_fd = socket(10,3,0x40000000); + connect(socket_fd , &addr,16); + +AF_INET, AF_INET6 sockets actually only support 8-bit protocol +identifiers. inet_sock's skc_protocol field thus is sized accordingly, +thus larger protocol identifiers simply cut off the higher bits and +store a zero in the protocol fields. + +This could lead to e.g. NULL function pointer because as a result of +the cut off inet_num is zero and we call down to inet_autobind, which +is NULL for raw sockets. + +kernel: Call Trace: +kernel: [] ? inet_autobind+0x2e/0x70 +kernel: [] inet_dgram_connect+0x54/0x80 +kernel: [] SYSC_connect+0xd9/0x110 +kernel: [] ? ptrace_notify+0x5b/0x80 +kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 +kernel: [] SyS_connect+0xe/0x10 +kernel: [] tracesys_phase2+0x84/0x89 + +I found no particular commit which introduced this problem. + +CVE: CVE-2015-8543 +Cc: Cong Wang +Reported-by: 郭永刚 +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 1 + + net/ax25/af_ax25.c | 3 +++ + net/decnet/af_decnet.c | 3 +++ + net/ipv4/af_inet.c | 3 +++ + net/ipv6/af_inet6.c | 3 +++ + net/irda/af_irda.c | 3 +++ + 6 files changed, 16 insertions(+) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -386,6 +386,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -806,6 +806,9 @@ static int ax25_create(struct net *net, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -259,6 +259,9 @@ static int inet_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + diff --git a/queue-4.1/net-check-both-type-and-procotol-for-tcp-sockets.patch b/queue-4.1/net-check-both-type-and-procotol-for-tcp-sockets.patch new file mode 100644 index 00000000000..197baa00a2c --- /dev/null +++ b/queue-4.1/net-check-both-type-and-procotol-for-tcp-sockets.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: WANG Cong +Date: Wed, 16 Dec 2015 23:39:04 -0800 +Subject: net: check both type and procotol for tcp sockets + +From: WANG Cong + +[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ] + +Dmitry reported the following out-of-bound access: + +Call Trace: + [] __asan_report_load4_noabort+0x3e/0x40 +mm/kasan/report.c:294 + [] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880 + [< inline >] SYSC_setsockopt net/socket.c:1746 + [] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729 + [] entry_SYSCALL_64_fastpath+0x16/0x7a +arch/x86/entry/entry_64.S:185 + +This is because we mistake a raw socket as a tcp socket. +We should check both sk->sk_type and sk->sk_protocol to ensure +it is a tcp socket. + +Willem points out __skb_complete_tx_timestamp() needs to fix as well. + +Reported-by: Dmitry Vyukov +Cc: Willem de Bruijn +Cc: Eric Dumazet +Signed-off-by: Cong Wang +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 ++- + net/core/sock.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3661,7 +3661,8 @@ static void __skb_complete_tx_timestamp( + serr->ee.ee_info = tstype; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; +- if (sk->sk_protocol == IPPROTO_TCP) ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) + serr->ee.ee_data -= sk->sk_tskey; + } + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -859,7 +859,8 @@ set_rcvbuf: + + if (val & SOF_TIMESTAMPING_OPT_ID && + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { +- if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) { + if (sk->sk_state != TCP_ESTABLISHED) { + ret = -EINVAL; + break; diff --git a/queue-4.1/net-fix-ip-early-demux-races.patch b/queue-4.1/net-fix-ip-early-demux-races.patch new file mode 100644 index 00000000000..41ca9fdc678 --- /dev/null +++ b/queue-4.1/net-fix-ip-early-demux-races.patch @@ -0,0 +1,147 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Eric Dumazet +Date: Mon, 14 Dec 2015 14:08:53 -0800 +Subject: net: fix IP early demux races + +From: Eric Dumazet + +[ Upstream commit 5037e9ef9454917b047f9f3a19b4dd179fbf7cd4 ] + +David Wilder reported crashes caused by dst reuse. + + + I am seeing a crash on a distro V4.2.3 kernel caused by a double + release of a dst_entry. In ipv4_dst_destroy() the call to + list_empty() finds a poisoned next pointer, indicating the dst_entry + has already been removed from the list and freed. The crash occurs + 18 to 24 hours into a run of a network stress exerciser. + + +Thanks to his detailed report and analysis, we were able to understand +the core issue. + +IP early demux can associate a dst to skb, after a lookup in TCP/UDP +sockets. + +When socket cache is not properly set, we want to store into +sk->sk_dst_cache the dst for future IP early demux lookups, +by acquiring a stable refcount on the dst. + +Problem is this acquisition is simply using an atomic_inc(), +which works well, unless the dst was queued for destruction from +dst_release() noticing dst refcount went to zero, if DST_NOCACHE +was set on dst. + +We need to make sure current refcount is not zero before incrementing +it, or risk double free as David reported. + +This patch, being a stable candidate, adds two new helpers, and use +them only from IP early demux problematic paths. + +It might be possible to merge in net-next skb_dst_force() and +skb_dst_force_safe(), but I prefer having the smallest patch for stable +kernels : Maybe some skb_dst_force() callers do not expect skb->dst +can suddenly be cleared. + +Can probably be backported back to linux-3.6 kernels + +Reported-by: David J. Wilder +Tested-by: David J. Wilder +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst.h | 33 +++++++++++++++++++++++++++++++++ + include/net/sock.h | 2 +- + net/ipv4/tcp_ipv4.c | 5 ++--- + net/ipv6/tcp_ipv6.c | 3 +-- + 4 files changed, 37 insertions(+), 6 deletions(-) + +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -312,6 +312,39 @@ static inline void skb_dst_force(struct + } + } + ++/** ++ * dst_hold_safe - Take a reference on a dst if possible ++ * @dst: pointer to dst entry ++ * ++ * This helper returns false if it could not safely ++ * take a reference on a dst. ++ */ ++static inline bool dst_hold_safe(struct dst_entry *dst) ++{ ++ if (dst->flags & DST_NOCACHE) ++ return atomic_inc_not_zero(&dst->__refcnt); ++ dst_hold(dst); ++ return true; ++} ++ ++/** ++ * skb_dst_force_safe - makes sure skb dst is refcounted ++ * @skb: buffer ++ * ++ * If dst is not yet refcounted and not destroyed, grab a ref on it. ++ */ ++static inline void skb_dst_force_safe(struct sk_buff *skb) ++{ ++ if (skb_dst_is_noref(skb)) { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (!dst_hold_safe(dst)) ++ dst = NULL; ++ ++ skb->_skb_refdst = (unsigned long)dst; ++ } ++} ++ + + /** + * __skb_tunnel_rx - prepare skb for rx reinsert +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -799,7 +799,7 @@ void sk_stream_write_space(struct sock * + static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + { + /* dont let skb dst not refcounted, we are going to leave rcu lock */ +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + if (!sk->sk_backlog.tail) + sk->sk_backlog.head = skb; +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struc + if (likely(sk->sk_rx_dst)) + skb_dst_drop(skb); + else +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; +@@ -1714,8 +1714,7 @@ void inet_sk_rx_dst_set(struct sock *sk, + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { +- dst_hold(dst); ++ if (dst && dst_hold_safe(dst)) { + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + } +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct s + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { ++ if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- dst_hold(dst); + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + if (rt->rt6i_node) diff --git a/queue-4.1/net-fix-uninitialized-variable-issue.patch b/queue-4.1/net-fix-uninitialized-variable-issue.patch new file mode 100644 index 00000000000..d37a8a02151 --- /dev/null +++ b/queue-4.1/net-fix-uninitialized-variable-issue.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: "tadeusz.struk@intel.com" +Date: Tue, 15 Dec 2015 10:46:17 -0800 +Subject: net: fix uninitialized variable issue + +From: "tadeusz.struk@intel.com" + +[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] + +msg_iocb needs to be initialized on the recv/recvfrom path. +Otherwise afalg will wrongly interpret it as an async call. + +Cc: stable@vger.kernel.org +Reported-by: Harald Freudenberger +Signed-off-by: Tadeusz Struk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1705,6 +1705,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void + msg.msg_name = addr ? (struct sockaddr *)&address : NULL; + /* We assume all kernel code knows the size of sockaddr_storage */ + msg.msg_namelen = 0; ++ msg.msg_iocb = NULL; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); diff --git a/queue-4.1/net-qca_spi-fix-transmit-queue-timeout-handling.patch b/queue-4.1/net-qca_spi-fix-transmit-queue-timeout-handling.patch new file mode 100644 index 00000000000..44f86718bcf --- /dev/null +++ b/queue-4.1/net-qca_spi-fix-transmit-queue-timeout-handling.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Stefan Wahren +Date: Fri, 4 Dec 2015 16:29:10 +0100 +Subject: net: qca_spi: fix transmit queue timeout handling + +From: Stefan Wahren + +[ Upstream commit ed7d42e24effbd3681e909711a7a2119a85e9217 ] + +In case of a tx queue timeout every transmit is blocked until the +QCA7000 resets himself and triggers a sync which makes the driver +flushs the tx ring. So avoid this blocking situation by triggering +the sync immediately after the timeout. Waking the queue doesn't +make sense in this situation. + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_devi + netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", + jiffies, jiffies - dev->trans_start); + qca->net_dev->stats.tx_errors++; +- /* wake the queue if there is room */ +- if (qcaspi_tx_ring_has_space(&qca->txr)) +- netif_wake_queue(dev); ++ /* Trigger tx queue flush and QCA7000 reset */ ++ qca->sync = QCASPI_SYNC_UNKNOWN; + } + + static int diff --git a/queue-4.1/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch b/queue-4.1/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch new file mode 100644 index 00000000000..778b9c60ab6 --- /dev/null +++ b/queue-4.1/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Eric Dumazet +Date: Tue, 15 Dec 2015 09:43:12 -0800 +Subject: net_sched: make qdisc_tree_decrease_qlen() work for non mq + +From: Eric Dumazet + +[ Upstream commit 225734de70cd0a9e0b978f3583a4a87939271d5e ] + +Stas Nichiporovich reported a regression in his HFSC qdisc setup +on a non multi queue device. + +It turns out I mistakenly added a TCQ_F_NOPARENT flag on all qdisc +allocated in qdisc_create() for non multi queue devices, which was +rather buggy. I was clearly mislead by the TCQ_F_ONETXQUEUE that is +also set here for no good reason, since it only matters for the root +qdisc. + +Fixes: 4eaf3b84f288 ("net_sched: fix qdisc_tree_decrease_qlen() races") +Reported-by: Stas Nichiporovich +Tested-by: Stas Nichiporovich +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, str + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; ++ sch->flags |= TCQ_F_ONETXQUEUE; + } + + sch->handle = handle; diff --git a/queue-4.1/pppoe-fix-memory-corruption-in-padt-work-structure.patch b/queue-4.1/pppoe-fix-memory-corruption-in-padt-work-structure.patch new file mode 100644 index 00000000000..62679281005 --- /dev/null +++ b/queue-4.1/pppoe-fix-memory-corruption-in-padt-work-structure.patch @@ -0,0 +1,90 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Guillaume Nault +Date: Thu, 3 Dec 2015 16:49:32 +0100 +Subject: pppoe: fix memory corruption in padt work structure + +From: Guillaume Nault + +[ Upstream commit fe53985aaac83d516b38358d4f39921d9942a0e2 ] + +pppoe_connect() mustn't touch the padt_work field of pppoe sockets +because that work could be already pending. + +[ 21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004 +[ 21.474523] IP: [] process_one_work+0x29/0x31c +[ 21.475164] *pde = 00000000 +[ 21.475513] Oops: 0000 [#1] SMP +[ 21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio +[ 21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1 +[ 21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 +[ 21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000 +[ 21.476168] EIP: 0060:[] EFLAGS: 00010046 CPU: 2 +[ 21.476168] EIP is at process_one_work+0x29/0x31c +[ 21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000 +[ 21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc +[ 21.484082] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +[ 21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690 +[ 21.484082] Stack: +[ 21.484082] 00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000 +[ 21.484082] 00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970 +[ 21.484082] f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74 +[ 21.484082] Call Trace: +[ 21.484082] [] ? _raw_spin_lock_irq+0x28/0x30 +[ 21.484082] [] worker_thread+0x1b1/0x244 +[ 21.484082] [] ? rescuer_thread+0x229/0x229 +[ 21.484082] [] ? rescuer_thread+0x229/0x229 +[ 21.484082] [] kthread+0x8f/0x94 +[ 21.484082] [] ? _raw_spin_unlock_irq+0x22/0x26 +[ 21.484082] [] ret_from_kernel_thread+0x21/0x38 +[ 21.484082] [] ? kthread_parkme+0x19/0x19 +[ 21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d +[ 21.496082] EIP: [] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc +[ 21.496082] CR2: 0000000000000004 +[ 21.496082] ---[ end trace e362cc9cf10dae89 ]--- + +Reported-by: Andrew +Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, + sk->sk_family = PF_PPPOX; + sk->sk_protocol = PX_PROTO_OE; + ++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, ++ pppoe_unbind_sock_work); ++ + return 0; + } + +@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket * + + lock_sock(sk); + +- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); +- + error = -EINVAL; + if (sp->sa_protocol != PX_PROTO_OE) + goto end; +@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket * + po->pppoe_dev = NULL; + } + +- memset(sk_pppox(po) + 1, 0, +- sizeof(struct pppox_sock) - sizeof(struct sock)); ++ po->pppoe_ifindex = 0; ++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); ++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); ++ memset(&po->chan, 0, sizeof(po->chan)); ++ po->next = NULL; ++ po->num = 0; ++ + sk->sk_state = PPPOX_NONE; + } + diff --git a/queue-4.1/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch b/queue-4.1/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch new file mode 100644 index 00000000000..338f73b34ba --- /dev/null +++ b/queue-4.1/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: WANG Cong +Date: Mon, 14 Dec 2015 13:48:36 -0800 +Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect() + +From: WANG Cong + +[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ] + +Reported-by: Dmitry Vyukov +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pptp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + diff --git a/queue-4.1/r8152-fix-lockup-when-runtime-pm-is-enabled.patch b/queue-4.1/r8152-fix-lockup-when-runtime-pm-is-enabled.patch new file mode 100644 index 00000000000..5f6bcc8d973 --- /dev/null +++ b/queue-4.1/r8152-fix-lockup-when-runtime-pm-is-enabled.patch @@ -0,0 +1,86 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Peter Wu +Date: Tue, 8 Dec 2015 12:17:42 +0100 +Subject: r8152: fix lockup when runtime PM is enabled + +From: Peter Wu + +[ Upstream commit 90186af404ada5a47b875bf3c16d0b02bb023ea0 ] + +When an interface is brought up which was previously suspended (via +runtime PM), it would hang. This happens because napi_disable is called +before napi_enable. + +Solve this by avoiding napi_enable in the resume during open function +(netif_running is true when open is called, IFF_UP is set after a +successful open; netif_running is false when close is called, but IFF_UP +is then still set). + +While at it, remove WORK_ENABLE check from rtl8152_open (introduced with +the original change) because it cannot happen: + + - After this patch, runtime resume will not set it during rtl8152_open. + - When link is up, rtl8152_open is not called. + - When link is down during system/auto suspend/resume, it is not set. + +Fixes: 41cec84cf285 ("r8152: don't enable napi before rx ready") +Link: https://lkml.kernel.org/r/20151205105912.GA1766@al +Signed-off-by: Peter Wu +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 21 +++------------------ + 1 file changed, 3 insertions(+), 18 deletions(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3006,17 +3006,6 @@ static int rtl8152_open(struct net_devic + + mutex_lock(&tp->control); + +- /* The WORK_ENABLE may be set when autoresume occurs */ +- if (test_bit(WORK_ENABLE, &tp->flags)) { +- clear_bit(WORK_ENABLE, &tp->flags); +- usb_kill_urb(tp->intr_urb); +- cancel_delayed_work_sync(&tp->schedule); +- +- /* disable the tx/rx, if the workqueue has enabled them. */ +- if (netif_carrier_ok(netdev)) +- tp->rtl_ops.disable(tp); +- } +- + tp->rtl_ops.up(tp); + + rtl8152_set_speed(tp, AUTONEG_ENABLE, +@@ -3063,12 +3052,6 @@ static int rtl8152_close(struct net_devi + } else { + mutex_lock(&tp->control); + +- /* The autosuspend may have been enabled and wouldn't +- * be disable when autoresume occurs, because the +- * netif_running() would be false. +- */ +- rtl_runtime_suspend_enable(tp, false); +- + tp->rtl_ops.down(tp); + + mutex_unlock(&tp->control); +@@ -3369,7 +3352,7 @@ static int rtl8152_resume(struct usb_int + netif_device_attach(tp->netdev); + } + +- if (netif_running(tp->netdev)) { ++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { + if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { + rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); +@@ -3387,6 +3370,8 @@ static int rtl8152_resume(struct usb_int + } + usb_submit_urb(tp->intr_urb, GFP_KERNEL); + } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { ++ if (tp->netdev->flags & IFF_UP) ++ rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); + } + diff --git a/queue-4.1/rhashtable-enforce-minimum-size-on-initial-hash-table.patch b/queue-4.1/rhashtable-enforce-minimum-size-on-initial-hash-table.patch new file mode 100644 index 00000000000..19168644e13 --- /dev/null +++ b/queue-4.1/rhashtable-enforce-minimum-size-on-initial-hash-table.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Herbert Xu +Date: Wed, 16 Dec 2015 18:13:14 +0800 +Subject: rhashtable: Enforce minimum size on initial hash table + +From: Herbert Xu + +[ Upstream commit 3a324606bbabfc30084ce9d08169910773ba9a92 ] + +William Hua wrote: +> +> I wasn't aware there was an enforced minimum size. I simply set the +> nelem_hint in the rhastable_params struct to 1, expecting it to grow as +> needed. This caused a segfault afterwards when trying to insert an +> element. + +OK we're doing the size computation before we enforce the limit +on min_size. + +---8<--- +We need to do the initial hash table size computation after we +have obtained the correct min_size/max_size parameters. Otherwise +we may end up with a hash table whose size is outside the allowed +envelope. + +Fixes: a998f712f77e ("rhashtable: Round up/down min/max_size to...") +Reported-by: William Hua +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -730,9 +730,6 @@ int rhashtable_init(struct rhashtable *h + if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) + return -EINVAL; + +- if (params->nelem_hint) +- size = rounded_hashtable_size(params); +- + memset(ht, 0, sizeof(*ht)); + mutex_init(&ht->mutex); + spin_lock_init(&ht->lock); +@@ -752,6 +749,9 @@ int rhashtable_init(struct rhashtable *h + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + ++ if (params->nelem_hint) ++ size = rounded_hashtable_size(&ht->p); ++ + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). + * The value of 16 is selected so that even if the hash diff --git a/queue-4.1/rhashtable-fix-walker-list-corruption.patch b/queue-4.1/rhashtable-fix-walker-list-corruption.patch new file mode 100644 index 00000000000..58b7785af75 --- /dev/null +++ b/queue-4.1/rhashtable-fix-walker-list-corruption.patch @@ -0,0 +1,79 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Herbert Xu +Date: Wed, 16 Dec 2015 16:45:54 +0800 +Subject: rhashtable: Fix walker list corruption + +From: Herbert Xu + +[ Upstream commit c6ff5268293ef98e48a99597e765ffc417e39fa5 ] + +The commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c ("rhashtable: +Fix sleeping inside RCU critical section in walk_stop") introduced +a new spinlock for the walker list. However, it did not convert +all existing users of the list over to the new spin lock. Some +continued to use the old mutext for this purpose. This obviously +led to corruption of the list. + +The fix is to use the spin lock everywhere where we touch the list. + +This also allows us to do rcu_rad_lock before we take the lock in +rhashtable_walk_start. With the old mutex this would've deadlocked +but it's safe with the new spin lock. + +Fixes: ba7c95ea3870 ("rhashtable: Fix sleeping inside RCU...") +Reported-by: Colin Ian King +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -506,10 +506,11 @@ int rhashtable_walk_init(struct rhashtab + if (!iter->walker) + return -ENOMEM; + +- mutex_lock(&ht->mutex); +- iter->walker->tbl = rht_dereference(ht->tbl, ht); ++ spin_lock(&ht->lock); ++ iter->walker->tbl = ++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); + list_add(&iter->walker->list, &iter->walker->tbl->walkers); +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + return 0; + } +@@ -523,10 +524,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); + */ + void rhashtable_walk_exit(struct rhashtable_iter *iter) + { +- mutex_lock(&iter->ht->mutex); ++ spin_lock(&iter->ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- mutex_unlock(&iter->ht->mutex); ++ spin_unlock(&iter->ht->lock); + kfree(iter->walker); + } + EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -550,14 +551,12 @@ int rhashtable_walk_start(struct rhashta + { + struct rhashtable *ht = iter->ht; + +- mutex_lock(&ht->mutex); ++ rcu_read_lock(); + ++ spin_lock(&ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- +- rcu_read_lock(); +- +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + if (!iter->walker->tbl) { + iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); diff --git a/queue-4.1/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch b/queue-4.1/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch new file mode 100644 index 00000000000..4a9222dced3 --- /dev/null +++ b/queue-4.1/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:05 -0200 +Subject: sctp: also copy sk_tsflags when copying the socket + +From: Marcelo Ricardo Leitner + +[ Upstream commit 50a5ffb1ef535e3c6989711c51b5d61b543a3b45 ] + +As we are keeping timestamps on when copying the socket, we also have to +copy sk_tsflags. + +This is needed since b9f40e21ef42 ("net-timestamp: move timestamp flags +out of sk_flags"). + +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7175,6 +7175,7 @@ void sctp_copy_sock(struct sock *newsk, + newsk->sk_type = sk->sk_type; + newsk->sk_bound_dev_if = sk->sk_bound_dev_if; + newsk->sk_flags = sk->sk_flags; ++ newsk->sk_tsflags = sk->sk_tsflags; + newsk->sk_no_check_tx = sk->sk_no_check_tx; + newsk->sk_no_check_rx = sk->sk_no_check_rx; + newsk->sk_reuse = sk->sk_reuse; diff --git a/queue-4.1/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch b/queue-4.1/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch new file mode 100644 index 00000000000..0e7021b752b --- /dev/null +++ b/queue-4.1/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:04 -0200 +Subject: sctp: update the netstamp_needed counter when copying sockets + +From: Marcelo Ricardo Leitner + +[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ] + +Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy +related to disabling sock timestamp. + +When SCTP accepts an association or peel one off, it copies sock flags +but forgot to call net_enable_timestamp() if a packet timestamping flag +was copied, leading to extra calls to net_disable_timestamp() whenever +such clones were closed. + +The fix is to call net_enable_timestamp() whenever we copy a sock with +that flag on, like tcp does. + +Reported-by: Dmitry Vyukov +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 2 -- + net/sctp/socket.c | 3 +++ + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -722,6 +722,8 @@ enum sock_flags { + SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ + }; + ++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) ++ + static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) + { + nsk->sk_flags = osk->sk_flags; +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -421,8 +421,6 @@ static void sock_warn_obsolete_bsdism(co + } + } + +-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) +- + static void sock_disable_timestamp(struct sock *sk, unsigned long flags) + { + if (sk->sk_flags & flags) { +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7207,6 +7207,9 @@ void sctp_copy_sock(struct sock *newsk, + newinet->mc_ttl = 1; + newinet->mc_index = 0; + newinet->mc_list = NULL; ++ ++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) ++ net_enable_timestamp(); + } + + static inline void sctp_copy_descendant(struct sock *sk_to, diff --git a/queue-4.1/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch b/queue-4.1/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch new file mode 100644 index 00000000000..36ef1a01b89 --- /dev/null +++ b/queue-4.1/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:03 -0200 +Subject: sctp: use the same clock as if sock source timestamps were on + +From: Marcelo Ricardo Leitner + +[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ] + +SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for +detecting stale cookies. This cookie is echoed back to the server by the +client and then that timestamp is checked. + +Thing is, if the listening socket is using packet timestamping, the +cookie is encoded with ktime_get() value and checked against +ktime_get_real(), as done by __net_timestamp(). + +The fix is to sctp also use ktime_get_real(), so we can compare bananas +with bananas later no matter if packet timestamping was enabled or not. + +Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime") +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_co + + /* Set an expiration time for the cookie. */ + cookie->c.expiration = ktime_add(asoc->cookie_life, +- ktime_get()); ++ ktime_get_real()); + + /* Copy the peer's init packet. */ + memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, +@@ -1780,7 +1780,7 @@ no_hmac: + if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) + kt = skb_get_ktime(skb); + else +- kt = ktime_get(); ++ kt = ktime_get_real(); + + if (!asoc && ktime_before(bear_cookie->expiration, kt)) { + /* diff --git a/queue-4.1/series b/queue-4.1/series index 615d09bfa65..c0f8671aa0c 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -10,3 +10,30 @@ usb-gadget-pxa27x-fix-suspend-callback.patch usb-musb-usb_ti_cppi41_dma-requires-dmaengine-support.patch usb-core-hub-fix-bos-null-pointer-kernel-panic.patch usb-use-the-usb_ss_mult-macro-to-decode-burst-multiplier-for-log-message.patch +pppoe-fix-memory-corruption-in-padt-work-structure.patch +gre6-allow-to-update-all-parameters-via-rtnl.patch +atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch +ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch +vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch +sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch +sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch +sctp-also-copy-sk_tsflags-when-copying-the-socket.patch +net-qca_spi-fix-transmit-queue-timeout-handling.patch +r8152-fix-lockup-when-runtime-pm-is-enabled.patch +ipv6-sctp-clone-options-to-avoid-use-after-free.patch +net-add-validation-for-the-socket-syscall-protocol-argument.patch +sh_eth-fix-kernel-oops-in-skb_put.patch +net-fix-ip-early-demux-races.patch +pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch +vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch +skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch +net-check-both-type-and-procotol-for-tcp-sockets.patch +net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch +bluetooth-validate-socket-address-length-in-sco_sock_bind.patch +net-fix-uninitialized-variable-issue.patch +ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch +rhashtable-enforce-minimum-size-on-initial-hash-table.patch +fou-clean-up-socket-with-kfree_rcu.patch +af_unix-revert-lock_interruptible-in-stream-receive-code.patch +tcp-restore-fastopen-with-no-data-in-syn-packet.patch +rhashtable-fix-walker-list-corruption.patch diff --git a/queue-4.1/sh_eth-fix-kernel-oops-in-skb_put.patch b/queue-4.1/sh_eth-fix-kernel-oops-in-skb_put.patch new file mode 100644 index 00000000000..8a2a35c0420 --- /dev/null +++ b/queue-4.1/sh_eth-fix-kernel-oops-in-skb_put.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Sergei Shtylyov +Date: Fri, 4 Dec 2015 01:45:40 +0300 +Subject: sh_eth: fix kernel oops in skb_put() + +From: Sergei Shtylyov + +[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ] + +In a low memory situation the following kernel oops occurs: + +Unable to handle kernel NULL pointer dereference at virtual address 00000050 +pgd = 8490c000 +[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 Not tainted (3.4-at16 #9) +PC is at skb_put+0x10/0x98 +LR is at sh_eth_poll+0x2c8/0xa10 +pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 +sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 +r10: 0000003f r9 : 000005ea r8 : 00000000 +r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 +r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c53c7d Table: 4248c059 DAC: 00000015 +Process klogd (pid: 2046, stack limit = 0x84eb02e8) +[...] + +This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left +NULL but sh_eth_rx() later uses it without checking. Add such check... + +Reported-by: Yasushi SHOJI +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device * + if (mdp->cd->shift_rd0) + desc_status >>= 16; + ++ skb = mdp->rx_skbuff[entry]; + if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | + RD_RFS5 | RD_RFS6 | RD_RFS10)) { + ndev->stats.rx_errors++; +@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device * + ndev->stats.rx_missed_errors++; + if (desc_status & RD_RFS10) + ndev->stats.rx_over_errors++; +- } else { ++ } else if (skb) { + if (!mdp->cd->hw_swap) + sh_eth_soft_swap( + phys_to_virt(ALIGN(rxdesc->addr, 4)), + pkt_len + 2); +- skb = mdp->rx_skbuff[entry]; + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); diff --git a/queue-4.1/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch b/queue-4.1/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch new file mode 100644 index 00000000000..de092602f0c --- /dev/null +++ b/queue-4.1/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Vlad Yasevich +Date: Mon, 14 Dec 2015 17:44:10 -0500 +Subject: skbuff: Fix offset error in skb_reorder_vlan_header + +From: Vlad Yasevich + +[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ] + +skb_reorder_vlan_header is called after the vlan header has +been pulled. As a result the offset of the begining of +the mac header has been incrased by 4 bytes (VLAN_HLEN). +When moving the mac addresses, include this incrase in +the offset calcualation so that the mac addresses are +copied correctly. + +Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off) +CC: Nicolas Dichtel +CC: Patrick McHardy +Signed-off-by: Vladislav Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4200,7 +4200,7 @@ static struct sk_buff *skb_reorder_vlan_ + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, + 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; diff --git a/queue-4.1/tcp-restore-fastopen-with-no-data-in-syn-packet.patch b/queue-4.1/tcp-restore-fastopen-with-no-data-in-syn-packet.patch new file mode 100644 index 00000000000..e3540ed7c45 --- /dev/null +++ b/queue-4.1/tcp-restore-fastopen-with-no-data-in-syn-packet.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Eric Dumazet +Date: Wed, 16 Dec 2015 13:53:10 -0800 +Subject: tcp: restore fastopen with no data in SYN packet + +From: Eric Dumazet + +[ Upstream commit 07e100f984975cb0417a7d5e626d0409efbad478 ] + +Yuchung tracked a regression caused by commit 57be5bdad759 ("ip: convert +tcp_sendmsg() to iov_iter primitives") for TCP Fast Open. + +Some Fast Open users do not actually add any data in the SYN packet. + +Fixes: 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives") +Reported-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Cc: Al Viro +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3143,7 +3143,7 @@ static int tcp_send_syn_data(struct sock + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, err = 0, copied; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; + struct sk_buff *syn_data; + +@@ -3181,17 +3181,18 @@ static int tcp_send_syn_data(struct sock + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); +- copied = copy_from_iter(skb_put(syn_data, space), space, +- &fo->data->msg_iter); +- if (unlikely(!copied)) { +- kfree_skb(syn_data); +- goto fallback; +- } +- if (copied != space) { +- skb_trim(syn_data, copied); +- space = copied; ++ if (space) { ++ int copied = copy_from_iter(skb_put(syn_data, space), space, ++ &fo->data->msg_iter); ++ if (unlikely(!copied)) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } ++ if (copied != space) { ++ skb_trim(syn_data, copied); ++ space = copied; ++ } + } +- + /* No more data pending in inet_wait_for_connect() */ + if (space == fo->size) + fo->data = NULL; diff --git a/queue-4.1/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch b/queue-4.1/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch new file mode 100644 index 00000000000..f99c8fc2554 --- /dev/null +++ b/queue-4.1/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Vlad Yasevich +Date: Mon, 16 Nov 2015 15:43:44 -0500 +Subject: vlan: Fix untag operations of stacked vlans with REORDER_HEADER off + +From: Vlad Yasevich + +[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ] + +When we have multiple stacked vlan devices all of which have +turned off REORDER_HEADER flag, the untag operation does not +locate the ethernet addresses correctly for nested vlans. +The reason is that in case of REORDER_HEADER flag being off, +the outer vlan headers are put back and the mac_len is adjusted +to account for the presense of the header. Then, the subsequent +untag operation, for the next level vlan, always use VLAN_ETH_HLEN +to locate the begining of the ethernet header and that ends up +being a multiple of 4 bytes short of the actuall beginning +of the mac header (the multiple depending on the how many vlan +encapsulations ethere are). + +As a reslult, if there are multiple levles of vlan devices +with REODER_HEADER being off, the recevied packets end up +being dropped. + +To solve this, we use skb->mac_len as the offset. The value +is always set on receive path and starts out as a ETH_HLEN. +The value is also updated when the vlan header manupations occur +so we know it will be correct. + +Signed-off-by: Vladislav Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4200,7 +4200,8 @@ static struct sk_buff *skb_reorder_vlan_ + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.1/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch b/queue-4.1/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch new file mode 100644 index 00000000000..d30477f4f62 --- /dev/null +++ b/queue-4.1/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Dec 30 19:52:45 PST 2015 +From: Jiri Benc +Date: Fri, 4 Dec 2015 13:54:03 +0100 +Subject: vxlan: fix incorrect RCO bit in VXLAN header + +From: Jiri Benc + +[ Upstream commit c5fb8caaf91ea6a92920cf24db10cfc94d58de0f ] + +Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of +VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's +also in violation with the RFC draft. + +Fixes: 3511494ce2f3d ("vxlan: Group Policy extension") +Cc: Thomas Graf +Cc: Tom Herbert +Signed-off-by: Jiri Benc +Acked-by: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/vxlan.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -78,7 +78,7 @@ struct vxlanhdr { + }; + + /* VXLAN header flags. */ +-#define VXLAN_HF_RCO BIT(24) ++#define VXLAN_HF_RCO BIT(21) + #define VXLAN_HF_VNI BIT(27) + #define VXLAN_HF_GBP BIT(31) +