From: Greg Kroah-Hartman Date: Wed, 18 Dec 2013 20:42:26 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.4.75~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=731f9f2c3c085961b3de0439a7f74bf8502f2bdb;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch nfsv4-wait-on-recovery-for-async-session-errors.patch revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch sc1200_wdt-fix-oops.patch --- diff --git a/queue-3.10/ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch b/queue-3.10/ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch new file mode 100644 index 00000000000..23a17f7906e --- /dev/null +++ b/queue-3.10/ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch @@ -0,0 +1,40 @@ +From nicolas.dichtel@6wind.com Wed Dec 18 12:35:05 2013 +From: Nicolas Dichtel +Date: Fri, 13 Dec 2013 10:06:35 +0100 +Subject: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev +To: netdev@vger.kernel.org, davem@davemloft.net +Cc: gregkh@linuxfoundation.org, rostedt@goodmis.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, williams@redhat.com, linux-rt-users@vger.kernel.org, lclaudio@uudg.org, Nicolas Dichtel +Message-ID: <1386925595-4995-1-git-send-email-nicolas.dichtel@6wind.com> + + +The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel") +(backported into linux-3.10.y) left a bug which was fixed upstream by commit +1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev"). + +The problem is a bit different in linux-3.10.y, because there is no x-netns +support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")). +When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister() +and then we try to delete it again in ip6_tnl_destroy_tunnels(). + +This patch removes the second deletion. + +Reported-by: Steven Rostedt +Suggested-by: Steven Rostedt +Signed-off-by: Nicolas Dichtel +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1711,8 +1711,6 @@ static void __net_exit ip6_tnl_destroy_t + } + } + +- t = rtnl_dereference(ip6n->tnls_wc[0]); +- unregister_netdevice_queue(t->dev, &list); + unregister_netdevice_many(&list); + } + diff --git a/queue-3.10/nfsv4-wait-on-recovery-for-async-session-errors.patch b/queue-3.10/nfsv4-wait-on-recovery-for-async-session-errors.patch new file mode 100644 index 00000000000..4244f44dea0 --- /dev/null +++ b/queue-3.10/nfsv4-wait-on-recovery-for-async-session-errors.patch @@ -0,0 +1,73 @@ +From 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 Mon Sep 17 00:00:00 2001 +From: Andy Adamson +Date: Fri, 15 Nov 2013 16:36:16 -0500 +Subject: NFSv4 wait on recovery for async session errors + +From: Andy Adamson + +commit 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 upstream. + +When the state manager is processing the NFS4CLNT_DELEGRETURN flag, session +draining is off, but DELEGRETURN can still get a session error. +The async handler calls nfs4_schedule_session_recovery returns -EAGAIN, and +the DELEGRETURN done then restarts the RPC task in the prepare state. +With the state manager still processing the NFS4CLNT_DELEGRETURN flag with +session draining off, these DELEGRETURNs will cycle with errors filling up the +session slots. + +This prevents OPEN reclaims (from nfs_delegation_claim_opens) required by the +NFS4CLNT_DELEGRETURN state manager processing from completing, hanging the +state manager in the __rpc_wait_for_completion_task in nfs4_run_open_task +as seen in this kernel thread dump: + +kernel: 4.12.32.53-ma D 0000000000000000 0 3393 2 0x00000000 +kernel: ffff88013995fb60 0000000000000046 ffff880138cc5400 ffff88013a9df140 +kernel: ffff8800000265c0 ffffffff8116eef0 ffff88013fc10080 0000000300000001 +kernel: ffff88013a4ad058 ffff88013995ffd8 000000000000fbc8 ffff88013a4ad058 +kernel: Call Trace: +kernel: [] ? cache_alloc_refill+0x1c0/0x240 +kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] +kernel: [] rpc_wait_bit_killable+0x42/0xa0 [sunrpc] +kernel: [] __wait_on_bit+0x5f/0x90 +kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] +kernel: [] out_of_line_wait_on_bit+0x78/0x90 +kernel: [] ? wake_bit_function+0x0/0x50 +kernel: [] __rpc_wait_for_completion_task+0x2d/0x30 [sunrpc] +kernel: [] nfs4_run_open_task+0x11c/0x160 [nfs] +kernel: [] nfs4_open_recover_helper+0x87/0x120 [nfs] +kernel: [] nfs4_open_recover+0xc6/0x150 [nfs] +kernel: [] ? nfs4_open_recoverdata_alloc+0x2f/0x60 [nfs] +kernel: [] nfs4_open_delegation_recall+0x6a/0xa0 [nfs] +kernel: [] nfs_end_delegation_return+0x120/0x2e0 [nfs] +kernel: [] ? queue_work+0x1f/0x30 +kernel: [] nfs_client_return_marked_delegations+0xd7/0x110 [nfs] +kernel: [] nfs4_run_state_manager+0x548/0x620 [nfs] +kernel: [] ? nfs4_run_state_manager+0x0/0x620 [nfs] +kernel: [] kthread+0x96/0xa0 +kernel: [] child_rip+0xa/0x20 +kernel: [] ? kthread+0x0/0xa0 +kernel: [] ? child_rip+0x0/0x20 + +The state manager can not therefore process the DELEGRETURN session errors. +Change the async handler to wait for recovery on session errors. + +Signed-off-by: Andy Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4222,8 +4222,7 @@ nfs4_async_handle_error(struct rpc_task + dprintk("%s ERROR %d, Reset session\n", __func__, + task->tk_status); + nfs4_schedule_session_recovery(clp->cl_session, task->tk_status); +- task->tk_status = 0; +- return -EAGAIN; ++ goto wait_on_recovery; + #endif /* CONFIG_NFS_V4_1 */ + case -NFS4ERR_DELAY: + nfs_inc_server_stats(server, NFSIOS_DELAY); diff --git a/queue-3.10/revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch b/queue-3.10/revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch new file mode 100644 index 00000000000..31635e59269 --- /dev/null +++ b/queue-3.10/revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch @@ -0,0 +1,61 @@ +From foo@baz Wed Dec 18 12:40:45 PST 2013 +Date: Wed, 18 Dec 2013 12:40:45 -0800 +To: Greg KH +From: Greg Kroah-Hartman +Subject: Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST" + +It turns out that commit: d3f7d56a7a4671d395e8af87071068a195257bf6 was +applied to the tree twice, which didn't hurt anything, but it's good to +fix this up. + +Reported-by: Veaceslav Falico + +Cc: David S. Miller +Cc: Eric Dumazet +Cc: Richard Weinberger +Cc: Shawn Landden +Cc: Tom Herbert +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_hash.c | 3 --- + crypto/algif_skcipher.c | 3 --- + net/ipv4/udp.c | 3 --- + 3 files changed, 9 deletions(-) + +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -117,9 +117,6 @@ static ssize_t hash_sendpage(struct sock + if (flags & MSG_SENDPAGE_NOTLAST) + flags |= MSG_MORE; + +- if (flags & MSG_SENDPAGE_NOTLAST) +- flags |= MSG_MORE; +- + lock_sock(sk); + sg_init_table(ctx->sgl.sg, 1); + sg_set_page(ctx->sgl.sg, page, size, offset); +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -381,9 +381,6 @@ static ssize_t skcipher_sendpage(struct + if (flags & MSG_SENDPAGE_NOTLAST) + flags |= MSG_MORE; + +- if (flags & MSG_SENDPAGE_NOTLAST) +- flags |= MSG_MORE; +- + lock_sock(sk); + if (!ctx->more && ctx->used) + goto unlock; +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1073,9 +1073,6 @@ int udp_sendpage(struct sock *sk, struct + if (flags & MSG_SENDPAGE_NOTLAST) + flags |= MSG_MORE; + +- if (flags & MSG_SENDPAGE_NOTLAST) +- flags |= MSG_MORE; +- + if (!up->pending) { + struct msghdr msg = { .msg_flags = flags|MSG_MORE }; + diff --git a/queue-3.10/sc1200_wdt-fix-oops.patch b/queue-3.10/sc1200_wdt-fix-oops.patch new file mode 100644 index 00000000000..4440c12b385 --- /dev/null +++ b/queue-3.10/sc1200_wdt-fix-oops.patch @@ -0,0 +1,37 @@ +From dace8bbfccfd9e4fcccfffcfbd82881fda3e756f Mon Sep 17 00:00:00 2001 +From: Alan +Date: Wed, 4 Dec 2013 15:31:52 +0000 +Subject: sc1200_wdt: Fix oops + +From: Alan + +commit dace8bbfccfd9e4fcccfffcfbd82881fda3e756f upstream. + +If loaded with isapnp = 0 the driver explodes. This is catching +people out now and then. What should happen in the working case is +a complete mystery and the code appears terminally confused, but we +can at least make the error path work properly. + +Signed-off-by: Alan Cox +Reviewed-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Partially-Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=53991 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/sc1200wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/sc1200wdt.c ++++ b/drivers/watchdog/sc1200wdt.c +@@ -409,8 +409,9 @@ static int __init sc1200wdt_init(void) + #if defined CONFIG_PNP + /* now that the user has specified an IO port and we haven't detected + * any devices, disable pnp support */ ++ if (isapnp) ++ pnp_unregister_driver(&scl200wdt_pnp_driver); + isapnp = 0; +- pnp_unregister_driver(&scl200wdt_pnp_driver); + #endif + + if (!request_region(io, io_len, SC1200_MODULE_NAME)) { diff --git a/queue-3.10/series b/queue-3.10/series index a58d0fb6129..759696fb2c8 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -68,3 +68,7 @@ sched-avoid-throttle_cfs_rq-racing-with-period_timer-stopping.patch staging-comedi-pcmuio-fix-possible-null-deref-on-detach.patch staging-comedi-drivers-use-comedi_dio_update_state-for-simple-cases.patch staging-comedi-ssv_dnp-use-comedi_dio_update_state.patch +sc1200_wdt-fix-oops.patch +nfsv4-wait-on-recovery-for-async-session-errors.patch +ip6tnl-fix-use-after-free-of-fb_tnl_dev.patch +revert-net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch