From: Greg Kroah-Hartman Date: Mon, 12 Nov 2012 06:08:20 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.0.52~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b6590c6734f2bee8b05187e08c2eb98995c0eee;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: af-packet-fix-oops-when-socket-is-not-present.patch drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch ipv6-set-default-hoplimit-as-zero.patch l2tp-fix-oops-in-l2tp_eth_create-error-path.patch net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch netlink-use-kfree_rcu-in-netlink_release.patch net-usb-fix-memory-leak-on-tx-data-path.patch sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch tcp-fix-fionread-siocinq.patch --- diff --git a/queue-3.4/af-packet-fix-oops-when-socket-is-not-present.patch b/queue-3.4/af-packet-fix-oops-when-socket-is-not-present.patch new file mode 100644 index 00000000000..d6a88a52373 --- /dev/null +++ b/queue-3.4/af-packet-fix-oops-when-socket-is-not-present.patch @@ -0,0 +1,47 @@ +From 8febcfeffe07f11fd9414d54c1681ba711cfeb04 Mon Sep 17 00:00:00 2001 +From: Eric Leblond +Date: Tue, 6 Nov 2012 02:10:10 +0000 +Subject: af-packet: fix oops when socket is not present + + +From: Eric Leblond + +[ Upstream commit a3d744e995d2b936c500585ae39d99ee251c89b4 ] + +Due to a NULL dereference, the following patch is causing oops +in normal trafic condition: + +commit c0de08d04215031d68fa13af36f347a6cfa252ca +Author: Eric Leblond +Date:   Thu Aug 16 22:02:58 2012 +0000 + +    af_packet: don't emit packet on orig fanout group + +This buggy patch was a feature fix and has reached most stable +branches. + +When skb->sk is NULL and when packet fanout is used, there is a +crash in match_fanout_group where skb->sk is accessed. +This patch fixes the issue by returning false as soon as the +socket is NULL: this correspond to the wanted behavior because +the kernel as to resend the skb to all the listening socket in +this case. + +Signed-off-by: Eric Leblond +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1643,7 +1643,7 @@ static inline int deliver_skb(struct sk_ + + static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb) + { +- if (ptype->af_packet_priv == NULL) ++ if (!ptype->af_packet_priv || !skb->sk) + return false; + + if (ptype->id_match) diff --git a/queue-3.4/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch b/queue-3.4/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch new file mode 100644 index 00000000000..e678acc3a05 --- /dev/null +++ b/queue-3.4/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch @@ -0,0 +1,45 @@ +From 23a8e85d95e93dae69b7da8cdf560afc431957ae Mon Sep 17 00:00:00 2001 +From: Peter Senna Tschudin +Date: Sun, 28 Oct 2012 06:12:00 +0000 +Subject: drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free + + +From: Peter Senna Tschudin + +[ Upstream commit 57c10b61c84bfed68b1b317d6f507a392724b9c4 ] + +Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0 + +Calling mdiobus_free without calling mdiobus_unregister causes +BUG_ON(). This patch fixes the issue. + +The semantic patch that found this issue(http://coccinelle.lip6.fr/): +// +@@ +expression E; +@@ + ... when != mdiobus_unregister(E); + ++ mdiobus_unregister(E); + mdiobus_free(E); +// + +Signed-off-by: Peter Senna Tschudin +Tested-by: Roland Stigge +Tested-by: Alexandre Pereira da Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/nxp/lpc_eth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1523,6 +1523,7 @@ static int lpc_eth_drv_remove(struct pla + pldat->dma_buff_base_p); + free_irq(ndev->irq, ndev); + iounmap(pldat->net_base); ++ mdiobus_unregister(pldat->mii_bus); + mdiobus_free(pldat->mii_bus); + clk_disable(pldat->clk); + clk_put(pldat->clk); diff --git a/queue-3.4/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch b/queue-3.4/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch new file mode 100644 index 00000000000..de1fbf797e8 --- /dev/null +++ b/queue-3.4/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch @@ -0,0 +1,43 @@ +From 111f54cfd6727b18a032e5434e7b4c425f428c34 Mon Sep 17 00:00:00 2001 +From: Peter Senna Tschudin +Date: Sun, 28 Oct 2012 06:12:01 +0000 +Subject: drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free + + +From: Peter Senna Tschudin + +[ Upstream commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e ] + +Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0 + +Calling mdiobus_free without calling mdiobus_unregister causes +BUG_ON(). This patch fixes the issue. + +The semantic patch that found this issue(http://coccinelle.lip6.fr/): +// +@@ +expression E; +@@ + ... when != mdiobus_unregister(E); + ++ mdiobus_unregister(E); + mdiobus_free(E); +// + +Signed-off-by: Peter Senna Tschudin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-bitbang.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/mdio-bitbang.c ++++ b/drivers/net/phy/mdio-bitbang.c +@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *b + struct mdiobb_ctrl *ctrl = bus->priv; + + module_put(ctrl->ops->owner); ++ mdiobus_unregister(bus); + mdiobus_free(bus); + } + EXPORT_SYMBOL(free_mdio_bitbang); diff --git a/queue-3.4/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch b/queue-3.4/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch new file mode 100644 index 00000000000..2aa3059b106 --- /dev/null +++ b/queue-3.4/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch @@ -0,0 +1,40 @@ +From 619bfd7ed4d4273c58ab898c951206f05973013f Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 6 Nov 2012 16:18:41 +0000 +Subject: ipv6: send unsolicited neighbour advertisements to all-nodes + + +From: Hannes Frederic Sowa + +[ Upstream commit 60713a0ca7fd6651b951cc1b4dbd528d1fc0281b ] + +As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6., +unsolicited neighbour advertisements should be sent to the all-nodes +multicast address. + +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -593,7 +593,7 @@ static void ndisc_send_unsol_na(struct n + { + struct inet6_dev *idev; + struct inet6_ifaddr *ifa; +- struct in6_addr mcaddr; ++ struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT; + + idev = in6_dev_get(dev); + if (!idev) +@@ -601,7 +601,6 @@ static void ndisc_send_unsol_na(struct n + + read_lock_bh(&idev->lock); + list_for_each_entry(ifa, &idev->addr_list, if_list) { +- addrconf_addr_solict_mult(&ifa->addr, &mcaddr); + ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr, + /*router=*/ !!idev->cnf.forwarding, + /*solicited=*/ false, /*override=*/ true, diff --git a/queue-3.4/ipv6-set-default-hoplimit-as-zero.patch b/queue-3.4/ipv6-set-default-hoplimit-as-zero.patch new file mode 100644 index 00000000000..849d9f12709 --- /dev/null +++ b/queue-3.4/ipv6-set-default-hoplimit-as-zero.patch @@ -0,0 +1,45 @@ +From 7b333cd7dda5263431eced5b21842836369b7f27 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Wed, 24 Oct 2012 14:01:18 +0800 +Subject: ipv6: Set default hoplimit as zero. + + +From: Li RongQing + +[ Upstream commit 14edd87dc67311556f1254a8f29cf4dd6cb5b7d1 ] + +Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the +hoplimit checking condition and default value in ip6_dst_hoplimit, not +zeros all hoplimit default value. + +Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as +const, cause as a37e6e344910(net: force dst_default_metrics to const +section) + +Signed-off-by: Li RongQing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -203,7 +203,7 @@ static struct dst_ops ip6_dst_blackhole_ + }; + + static const u32 ip6_template_metrics[RTAX_MAX] = { +- [RTAX_HOPLIMIT - 1] = 255, ++ [RTAX_HOPLIMIT - 1] = 0, + }; + + static struct rt6_info ip6_null_entry_template = { +@@ -1135,7 +1135,7 @@ struct dst_entry *icmp6_dst_alloc(struct + rt->rt6i_dst.addr = fl6->daddr; + rt->rt6i_dst.plen = 128; + rt->rt6i_idev = idev; +- dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255); ++ dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0); + + spin_lock_bh(&icmp6_dst_lock); + rt->dst.next = icmp6_dst_gc_list; diff --git a/queue-3.4/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch b/queue-3.4/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch new file mode 100644 index 00000000000..036867b4960 --- /dev/null +++ b/queue-3.4/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch @@ -0,0 +1,36 @@ +From 24d9d3f94bccfb3ee9eb85260d34033e3e2d247d Mon Sep 17 00:00:00 2001 +From: Tom Parkin +Date: Mon, 29 Oct 2012 23:41:48 +0000 +Subject: l2tp: fix oops in l2tp_eth_create() error path + + +From: Tom Parkin + +[ Upstream commit 789336360e0a2aeb9750c16ab704a02cbe035e9e ] + +When creating an L2TPv3 Ethernet session, if register_netdev() should fail for +any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the +32k-interface limit), the netdev is freed in the error path. However, the +l2tp_eth_sess structure's dev pointer is left uncleared, and this results in +l2tp_eth_delete() then attempting to unregister the same netdev later in the +session teardown. This results in an oops. + +To avoid this, clear the session dev pointer in the error path. + +Signed-off-by: Tom Parkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_eth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/l2tp/l2tp_eth.c ++++ b/net/l2tp/l2tp_eth.c +@@ -269,6 +269,7 @@ static int l2tp_eth_create(struct net *n + + out_del_dev: + free_netdev(dev); ++ spriv->dev = NULL; + out_del_session: + l2tp_session_delete(session); + out: diff --git a/queue-3.4/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch b/queue-3.4/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch new file mode 100644 index 00000000000..a22ca0f4eaf --- /dev/null +++ b/queue-3.4/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch @@ -0,0 +1,67 @@ +From d0d72c2878b3d7a77e2ec93362179adaf8e27779 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Wed, 31 Oct 2012 02:45:32 +0000 +Subject: net: fix divide by zero in tcp algorithm illinois + + +From: Jesper Dangaard Brouer + +[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ] + +Reading TCP stats when using TCP Illinois congestion control algorithm +can cause a divide by zero kernel oops. + +The division by zero occur in tcp_illinois_info() at: + do_div(t, ca->cnt_rtt); +where ca->cnt_rtt can become zero (when rtt_reset is called) + +Steps to Reproduce: + 1. Register tcp_illinois: + # sysctl -w net.ipv4.tcp_congestion_control=illinois + 2. Monitor internal TCP information via command "ss -i" + # watch -d ss -i + 3. Establish new TCP conn to machine + +Either it fails at the initial conn, or else it needs to wait +for a loss or a reset. + +This is only related to reading stats. The function avg_delay() also +performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its +calling point in update_params(). Thus, simply fix tcp_illinois_info(). + +Function tcp_illinois_info() / get_info() is called without +socket lock. Thus, eliminate any race condition on ca->cnt_rtt +by using a local stack variable. Simply reuse info.tcpv_rttcnt, +as its already set to ca->cnt_rtt. +Function avg_delay() is not affected by this race condition, as +its called with the socket lock. + +Cc: Petr Matousek +Signed-off-by: Jesper Dangaard Brouer +Acked-by: Eric Dumazet +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_illinois.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct soc + .tcpv_rttcnt = ca->cnt_rtt, + .tcpv_minrtt = ca->base_rtt, + }; +- u64 t = ca->sum_rtt; + +- do_div(t, ca->cnt_rtt); +- info.tcpv_rtt = t; ++ if (info.tcpv_rttcnt > 0) { ++ u64 t = ca->sum_rtt; + ++ do_div(t, info.tcpv_rttcnt); ++ info.tcpv_rtt = t; ++ } + nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); + } + } diff --git a/queue-3.4/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch b/queue-3.4/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch new file mode 100644 index 00000000000..8411ac8cb23 --- /dev/null +++ b/queue-3.4/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch @@ -0,0 +1,50 @@ +From 7515bbf9e7722c1f3cb75bc931f6b9a2b5533231 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Sat, 3 Nov 2012 09:30:34 +0000 +Subject: net: inet_diag -- Return error code if protocol handler is missed + + +From: Cyrill Gorcunov + +[ Upstream commit cacb6ba0f36ab14a507f4ee7697e8332899015d2 ] + +We've observed that in case if UDP diag module is not +supported in kernel the netlink returns NLMSG_DONE without +notifying a caller that handler is missed. + +This patch makes __inet_diag_dump to return error code instead. + +So as example it become possible to detect such situation +and handle it gracefully on userspace level. + +Signed-off-by: Cyrill Gorcunov +CC: David Miller +CC: Eric Dumazet +CC: Pavel Emelyanov +Acked-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_diag.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -875,13 +875,16 @@ static int __inet_diag_dump(struct sk_bu + struct inet_diag_req_v2 *r, struct nlattr *bc) + { + const struct inet_diag_handler *handler; ++ int err = 0; + + handler = inet_diag_lock_handler(r->sdiag_protocol); + if (!IS_ERR(handler)) + handler->dump(skb, cb, r, bc); ++ else ++ err = PTR_ERR(handler); + inet_diag_unlock_handler(handler); + +- return skb->len; ++ return err ? : skb->len; + } + + static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) diff --git a/queue-3.4/net-usb-fix-memory-leak-on-tx-data-path.patch b/queue-3.4/net-usb-fix-memory-leak-on-tx-data-path.patch new file mode 100644 index 00000000000..11307bc1f41 --- /dev/null +++ b/queue-3.4/net-usb-fix-memory-leak-on-tx-data-path.patch @@ -0,0 +1,50 @@ +From f8584e697469d706728e0ce61617b913da6ff44c Mon Sep 17 00:00:00 2001 +From: Hemant Kumar +Date: Thu, 25 Oct 2012 18:17:54 +0000 +Subject: net: usb: Fix memory leak on Tx data path + + +From: Hemant Kumar + +[ Upstream commit 39707c2a3ba5011038b363f84d37c8a98d2d9db1 ] + +Driver anchors the tx urbs and defers the urb submission if +a transmit request comes when the interface is suspended. +Anchoring urb increments the urb reference count. These +deferred urbs are later accessed by calling usb_get_from_anchor() +for submission during interface resume. usb_get_from_anchor() +unanchors the urb but urb reference count remains same. +This causes the urb reference count to remain non-zero +after usb_free_urb() gets called and urb never gets freed. +Hence call usb_put_urb() after anchoring the urb to properly +balance the reference count for these deferred urbs. Also, +unanchor these deferred urbs during disconnect, to free them +up. + +Signed-off-by: Hemant Kumar +Acked-by: Oliver Neukum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1158,6 +1158,7 @@ netdev_tx_t usbnet_start_xmit (struct sk + usb_anchor_urb(urb, &dev->deferred); + /* no use to process more packets */ + netif_stop_queue(net); ++ usb_put_urb(urb); + spin_unlock_irqrestore(&dev->txq.lock, flags); + netdev_dbg(dev->net, "Delaying transmission for resumption\n"); + goto deferred; +@@ -1299,6 +1300,8 @@ void usbnet_disconnect (struct usb_inter + + cancel_work_sync(&dev->kevent); + ++ usb_scuttle_anchored_urbs(&dev->deferred); ++ + if (dev->driver_info->unbind) + dev->driver_info->unbind (dev, intf); + diff --git a/queue-3.4/netlink-use-kfree_rcu-in-netlink_release.patch b/queue-3.4/netlink-use-kfree_rcu-in-netlink_release.patch new file mode 100644 index 00000000000..6099ae13ee1 --- /dev/null +++ b/queue-3.4/netlink-use-kfree_rcu-in-netlink_release.patch @@ -0,0 +1,102 @@ +From 57c219abab9d8d40257a2575f19e394414c33692 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Oct 2012 03:21:55 +0000 +Subject: netlink: use kfree_rcu() in netlink_release() + + +From: Eric Dumazet + +[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ] + +On some suspend/resume operations involving wimax device, we have +noticed some intermittent memory corruptions in netlink code. + +Stéphane Marchesin tracked this corruption in netlink_update_listeners() +and suggested a patch. + +It appears netlink_release() should use kfree_rcu() instead of kfree() +for the listeners structure as it may be used by other cpus using RCU +protection. + +netlink_release() must set to NULL the listeners pointer when +it is about to be freed. + +Also have to protect netlink_update_listeners() and +netlink_has_listeners() if listeners is NULL. + +Add a nl_deref_protected() lockdep helper to properly document which +locks protects us. + +Reported-by: Jonathan Kliegman +Signed-off-by: Eric Dumazet +Cc: Stéphane Marchesin +Cc: Sam Leffler +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -137,6 +137,8 @@ static void netlink_destroy_callback(str + static DEFINE_RWLOCK(nl_table_lock); + static atomic_t nl_table_users = ATOMIC_INIT(0); + ++#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock)); ++ + static ATOMIC_NOTIFIER_HEAD(netlink_chain); + + static inline u32 netlink_group_mask(u32 group) +@@ -332,6 +334,11 @@ netlink_update_listeners(struct sock *sk + struct hlist_node *node; + unsigned long mask; + unsigned int i; ++ struct listeners *listeners; ++ ++ listeners = nl_deref_protected(tbl->listeners); ++ if (!listeners) ++ return; + + for (i = 0; i < NLGRPLONGS(tbl->groups); i++) { + mask = 0; +@@ -339,7 +346,7 @@ netlink_update_listeners(struct sock *sk + if (i < NLGRPLONGS(nlk_sk(sk)->ngroups)) + mask |= nlk_sk(sk)->groups[i]; + } +- tbl->listeners->masks[i] = mask; ++ listeners->masks[i] = mask; + } + /* this function is only called with the netlink table "grabbed", which + * makes sure updates are visible before bind or setsockopt return. */ +@@ -520,7 +527,11 @@ static int netlink_release(struct socket + if (netlink_is_kernel(sk)) { + BUG_ON(nl_table[sk->sk_protocol].registered == 0); + if (--nl_table[sk->sk_protocol].registered == 0) { +- kfree(nl_table[sk->sk_protocol].listeners); ++ struct listeners *old; ++ ++ old = nl_deref_protected(nl_table[sk->sk_protocol].listeners); ++ RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL); ++ kfree_rcu(old, rcu); + nl_table[sk->sk_protocol].module = NULL; + nl_table[sk->sk_protocol].registered = 0; + } +@@ -950,7 +961,7 @@ int netlink_has_listeners(struct sock *s + rcu_read_lock(); + listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners); + +- if (group - 1 < nl_table[sk->sk_protocol].groups) ++ if (listeners && group - 1 < nl_table[sk->sk_protocol].groups) + res = test_bit(group - 1, listeners->masks); + + rcu_read_unlock(); +@@ -1582,7 +1593,7 @@ int __netlink_change_ngroups(struct sock + new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC); + if (!new) + return -ENOMEM; +- old = rcu_dereference_protected(tbl->listeners, 1); ++ old = nl_deref_protected(tbl->listeners); + memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups)); + rcu_assign_pointer(tbl->listeners, new); + diff --git a/queue-3.4/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch b/queue-3.4/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch new file mode 100644 index 00000000000..cef06f4c07d --- /dev/null +++ b/queue-3.4/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch @@ -0,0 +1,35 @@ +From 9f1a81c4425f74362671fa4d49a95519669c4160 Mon Sep 17 00:00:00 2001 +From: Zijie Pan +Date: Mon, 15 Oct 2012 03:56:39 +0000 +Subject: sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter() + + +From: Zijie Pan + +[ Upstream commit f6e80abeab928b7c47cc1fbf53df13b4398a2bec ] + +Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839 +(sctp: check src addr when processing SACK to update transport state) + +Signed-off-by: Zijie Pan +Signed-off-by: Nicolas Dichtel +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1610,8 +1610,9 @@ static int sctp_cmd_interpreter(sctp_eve + asoc->outqueue.outstanding_bytes; + sackh.num_gap_ack_blocks = 0; + sackh.num_dup_tsns = 0; ++ chunk->subh.sack_hdr = &sackh; + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, +- SCTP_SACKH(&sackh)); ++ SCTP_CHUNK(chunk)); + break; + + case SCTP_CMD_DISCARD_PACKET: diff --git a/queue-3.4/series b/queue-3.4/series index 4813da5c5cc..148ee905c90 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -34,3 +34,15 @@ alsa-usb-audio-use-rwsem-for-disconnect-protection.patch alsa-usb-audio-fix-races-at-disconnection-in-mixer_quirks.c.patch alsa-add-a-reference-counter-to-card-instance.patch alsa-avoid-endless-sleep-after-disconnect.patch +sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch +netlink-use-kfree_rcu-in-netlink_release.patch +tcp-fix-fionread-siocinq.patch +ipv6-set-default-hoplimit-as-zero.patch +net-usb-fix-memory-leak-on-tx-data-path.patch +net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch +drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch +drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch +l2tp-fix-oops-in-l2tp_eth_create-error-path.patch +net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch +af-packet-fix-oops-when-socket-is-not-present.patch +ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch diff --git a/queue-3.4/tcp-fix-fionread-siocinq.patch b/queue-3.4/tcp-fix-fionread-siocinq.patch new file mode 100644 index 00000000000..26c406e225e --- /dev/null +++ b/queue-3.4/tcp-fix-fionread-siocinq.patch @@ -0,0 +1,48 @@ +From c4708f8f66bb6d3507350a1cdf09ea4c4c1b5b59 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Oct 2012 09:14:12 +0000 +Subject: tcp: fix FIONREAD/SIOCINQ + + +From: Eric Dumazet + +[ Upstream commit a3374c42aa5f7237e87ff3b0622018636b0c847e ] + +tcp_ioctl() tries to take into account if tcp socket received a FIN +to report correct number bytes in receive queue. + +But its flaky because if the application ate the last skb, +we return 1 instead of 0. + +Correct way to detect that FIN was received is to test SOCK_DONE. + +Reported-by: Elliot Hughes +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -481,14 +481,12 @@ int tcp_ioctl(struct sock *sk, int cmd, + !tp->urg_data || + before(tp->urg_seq, tp->copied_seq) || + !before(tp->urg_seq, tp->rcv_nxt)) { +- struct sk_buff *skb; + + answ = tp->rcv_nxt - tp->copied_seq; + +- /* Subtract 1, if FIN is in queue. */ +- skb = skb_peek_tail(&sk->sk_receive_queue); +- if (answ && skb) +- answ -= tcp_hdr(skb)->fin; ++ /* Subtract 1, if FIN was received */ ++ if (answ && sock_flag(sk, SOCK_DONE)) ++ answ--; + } else + answ = tp->urg_seq - tp->copied_seq; + release_sock(sk);