From: Greg Kroah-Hartman Date: Wed, 19 Nov 2014 01:48:16 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.61~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=761252ad03ec5cfe2355059428ccac4ef60431be;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch clocksource-remove-weak-from-clocksource_default_clock-declaration.patch dell-wmi-fix-access-out-of-memory.patch ipc-always-handle-a-new-value-of-auto_msgmni.patch kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch mei-bus-fix-possible-boundaries-violation.patch mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch net-mlx4_en-fix-blueflame-race.patch netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch netfilter-nf_nat-fix-oops-on-netns-removal.patch netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch perf-handle-compat-ioctl.patch perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch --- diff --git a/queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch b/queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch new file mode 100644 index 00000000000..e45b8092873 --- /dev/null +++ b/queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch 
@@ -0,0 +1,94 @@ +From 63328070eff2f4fd730c86966a0dbc976147c39f Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Thu, 25 Jul 2013 14:38:03 +0100 +Subject: ARM: Correct BUG() assembly to ensure it is endian-agnostic + +From: Ben Dooks + +commit 63328070eff2f4fd730c86966a0dbc976147c39f upstream. + +Currently BUG() uses .word or .hword to create the necessary illegal +instructions. However if we are building BE8 then these get swapped +by the linker into different illegal instructions in the text. This +means that the BUG() macro does not get trapped properly. + +Change to using to provide the necessary ARM instruction +building as we cannot rely on gcc/gas having the `.inst` instructions +which where added to try and resolve this issue (reported by Dave Martin +). + +Signed-off-by: Ben Dooks +Reviewed-by: Dave Martin +Cc: Wang Nan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/bug.h | 10 ++++++---- + arch/arm/kernel/traps.c | 8 +++++--- + 2 files changed, 11 insertions(+), 7 deletions(-) + +--- a/arch/arm/include/asm/bug.h ++++ b/arch/arm/include/asm/bug.h +@@ -2,6 +2,8 @@ + #define _ASMARM_BUG_H + + #include ++#include ++#include + + #ifdef CONFIG_BUG + +@@ -12,10 +14,10 @@ + */ + #ifdef CONFIG_THUMB2_KERNEL + #define BUG_INSTR_VALUE 0xde02 +-#define BUG_INSTR_TYPE ".hword " ++#define BUG_INSTR(__value) __inst_thumb16(__value) + #else + #define BUG_INSTR_VALUE 0xe7f001f2 +-#define BUG_INSTR_TYPE ".word " ++#define BUG_INSTR(__value) __inst_arm(__value) + #endif + + +@@ -33,7 +35,7 @@ + + #define __BUG(__file, __line, __value) \ + do { \ +- asm volatile("1:\t" BUG_INSTR_TYPE #__value "\n" \ ++ asm volatile("1:\t" BUG_INSTR(__value) "\n" \ + ".pushsection .rodata.str, \"aMS\", %progbits, 1\n" \ + "2:\t.asciz " #__file "\n" \ + ".popsection\n" \ +@@ -48,7 +50,7 @@ do { \ + + #define __BUG(__file, __line, __value) \ + do { \ +- asm volatile(BUG_INSTR_TYPE #__value); \ ++ asm volatile(BUG_INSTR(__value) "\n"); \ + unreachable(); \ + } while (0) + #endif 
/* CONFIG_DEBUG_BUGVERBOSE */ +--- a/arch/arm/kernel/traps.c ++++ b/arch/arm/kernel/traps.c +@@ -347,15 +347,17 @@ void arm_notify_die(const char *str, str + int is_valid_bugaddr(unsigned long pc) + { + #ifdef CONFIG_THUMB2_KERNEL +- unsigned short bkpt; ++ u16 bkpt; ++ u16 insn = __opcode_to_mem_thumb16(BUG_INSTR_VALUE); + #else +- unsigned long bkpt; ++ u32 bkpt; ++ u32 insn = __opcode_to_mem_arm(BUG_INSTR_VALUE); + #endif + + if (probe_kernel_address((unsigned *)pc, bkpt)) + return 0; + +- return bkpt == BUG_INSTR_VALUE; ++ return bkpt == insn; + } + + #endif diff --git a/queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch b/queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch new file mode 100644 index 00000000000..613042515d2 --- /dev/null +++ b/queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch 
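Review bot: In the traps.c hunk the read in is_valid_bugaddr() keeps the cast `(unsigned *)pc` while `bkpt` has just become a `u16` on Thumb-2 builds; if probe_kernel_address() sizes the copy by `sizeof(bkpt)` (as its name suggests, not visible here) the cast is only cosmetic, but it now reads as a 4-byte fetch into a 2-byte variable. Casting to `(void *)pc` or to a pointer of the same type as `bkpt` would make the intended width obvious, e.g. `if (probe_kernel_address((void *)pc, bkpt))`. A one-line comment on `insn`, `/* BUG_INSTR_VALUE in memory byte order; compare against what probe_kernel_address() fetched */`, would also explain why the constant is no longer compared directly. The bug.h changes look consistent with that intent.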
@@ -0,0 +1,172 @@ +From 888be25402021a425da3e85e2d5a954d7509286e Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Fri, 8 Nov 2013 18:29:25 +0000 +Subject: ARM: probes: fix instruction fetch order with + +From: Ben Dooks + +commit 888be25402021a425da3e85e2d5a954d7509286e upstream. + +If we are running BE8, the data and instruction endianness do not +match, so use to correctly translate memory accesses +into ARM instructions. + +Acked-by: Jon Medhurst +Signed-off-by: Ben Dooks +[taras.kondratiuk@linaro.org: fixed Thumb instruction fetch order] +Signed-off-by: Taras Kondratiuk +[wangnan: backport to 3.10 and 3.14: + - adjust context + - backport all changes on arch/arm/kernel/probes.c to + arch/arm/kernel/kprobes-common.c since we don't have + commit c18377c303787ded44b7decd7dee694db0f205e9. + - After the above adjustments, becomes same to Taras Kondratiuk's + original patch: + http://lists.linaro.org/pipermail/linaro-kernel/2014-January/010346.html +] +Signed-off-by: Wang Nan +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/kprobes-common.c | 19 +++++++++++-------- + arch/arm/kernel/kprobes-thumb.c | 20 ++++++++++++-------- + arch/arm/kernel/kprobes.c | 9 +++++---- + 3 files changed, 28 insertions(+), 20 deletions(-) + +--- a/arch/arm/kernel/kprobes-common.c ++++ b/arch/arm/kernel/kprobes-common.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "kprobes.h" + +@@ -305,7 +306,8 @@ kprobe_decode_ldmstm(kprobe_opcode_t ins + + if (handler) { + /* We can emulate the instruction in (possibly) modified form */ +- asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist; ++ asi->insn[0] = __opcode_to_mem_arm((insn & 0xfff00000) | ++ (rn << 16) | reglist); + asi->insn_handler = handler; + return INSN_GOOD; + } +@@ -334,13 +336,14 @@ prepare_emulated_insn(kprobe_opcode_t in + #ifdef CONFIG_THUMB2_KERNEL + if (thumb) { + u16 *thumb_insn = (u16 *)asi->insn; +- thumb_insn[1] = 0x4770; /* Thumb bx lr */ +- thumb_insn[2] = 0x4770; /* Thumb bx 
lr */ ++ /* Thumb bx lr */ ++ thumb_insn[1] = __opcode_to_mem_thumb16(0x4770); ++ thumb_insn[2] = __opcode_to_mem_thumb16(0x4770); + return insn; + } +- asi->insn[1] = 0xe12fff1e; /* ARM bx lr */ ++ asi->insn[1] = __opcode_to_mem_arm(0xe12fff1e); /* ARM bx lr */ + #else +- asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */ ++ asi->insn[1] = __opcode_to_mem_arm(0xe1a0f00e); /* mov pc, lr */ + #endif + /* Make an ARM instruction unconditional */ + if (insn < 0xe0000000) +@@ -360,12 +363,12 @@ set_emulated_insn(kprobe_opcode_t insn, + if (thumb) { + u16 *ip = (u16 *)asi->insn; + if (is_wide_instruction(insn)) +- *ip++ = insn >> 16; +- *ip++ = insn; ++ *ip++ = __opcode_to_mem_thumb16(insn >> 16); ++ *ip++ = __opcode_to_mem_thumb16(insn); + return; + } + #endif +- asi->insn[0] = insn; ++ asi->insn[0] = __opcode_to_mem_arm(insn); + } + + /* +--- a/arch/arm/kernel/kprobes-thumb.c ++++ b/arch/arm/kernel/kprobes-thumb.c +@@ -163,9 +163,9 @@ t32_decode_ldmstm(kprobe_opcode_t insn, + enum kprobe_insn ret = kprobe_decode_ldmstm(insn, asi); + + /* Fixup modified instruction to have halfwords in correct order...*/ +- insn = asi->insn[0]; +- ((u16 *)asi->insn)[0] = insn >> 16; +- ((u16 *)asi->insn)[1] = insn & 0xffff; ++ insn = __mem_to_opcode_arm(asi->insn[0]); ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn >> 16); ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0xffff); + + return ret; + } +@@ -1153,7 +1153,7 @@ t16_decode_hiregs(kprobe_opcode_t insn, + { + insn &= ~0x00ff; + insn |= 0x001; /* Set Rdn = R1 and Rm = R0 */ +- ((u16 *)asi->insn)[0] = insn; ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn); + asi->insn_handler = t16_emulate_hiregs; + return INSN_GOOD; + } +@@ -1182,8 +1182,10 @@ t16_decode_push(kprobe_opcode_t insn, st + * and call it with R9=SP and LR in the register list represented + * by R8. 
+ */ +- ((u16 *)asi->insn)[0] = 0xe929; /* 1st half STMDB R9!,{} */ +- ((u16 *)asi->insn)[1] = insn & 0x1ff; /* 2nd half (register list) */ ++ /* 1st half STMDB R9!,{} */ ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe929); ++ /* 2nd half (register list) */ ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff); + asi->insn_handler = t16_emulate_push; + return INSN_GOOD; + } +@@ -1232,8 +1234,10 @@ t16_decode_pop(kprobe_opcode_t insn, str + * and call it with R9=SP and PC in the register list represented + * by R8. + */ +- ((u16 *)asi->insn)[0] = 0xe8b9; /* 1st half LDMIA R9!,{} */ +- ((u16 *)asi->insn)[1] = insn & 0x1ff; /* 2nd half (register list) */ ++ /* 1st half LDMIA R9!,{} */ ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe8b9); ++ /* 2nd half (register list) */ ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff); + asi->insn_handler = insn & 0x100 ? t16_emulate_pop_pc + : t16_emulate_pop_nopc; + return INSN_GOOD; +--- a/arch/arm/kernel/kprobes.c ++++ b/arch/arm/kernel/kprobes.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #include "kprobes.h" +@@ -62,10 +63,10 @@ int __kprobes arch_prepare_kprobe(struct + #ifdef CONFIG_THUMB2_KERNEL + thumb = true; + addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */ +- insn = ((u16 *)addr)[0]; ++ insn = __mem_to_opcode_thumb16(((u16 *)addr)[0]); + if (is_wide_instruction(insn)) { +- insn <<= 16; +- insn |= ((u16 *)addr)[1]; ++ u16 inst2 = __mem_to_opcode_thumb16(((u16 *)addr)[1]); ++ insn = __opcode_thumb32_compose(insn, inst2); + decode_insn = thumb32_kprobe_decode_insn; + } else + decode_insn = thumb16_kprobe_decode_insn; +@@ -73,7 +74,7 @@ int __kprobes arch_prepare_kprobe(struct + thumb = false; + if (addr & 0x3) + return -EINVAL; +- insn = *p->addr; ++ insn = __mem_to_opcode_arm(*p->addr); + decode_insn = arm_kprobe_decode_insn; + #endif + 
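Review bot: The round trip in t32_decode_ldmstm() — `insn = __mem_to_opcode_arm(asi->insn[0]);` right after kprobe_decode_ldmstm() — silently depends on the kprobes-common.c hunk having stored that word with `__opcode_to_mem_arm()`; nothing at the read site says so, and a later change to either side would break the pairing without a compiler complaint. A comment at the read, `/* kprobe_decode_ldmstm() stored this as an ARM-ordered word; undo that before splitting into Thumb halfwords */`, would make the coupling explicit. The same applies to every other `__mem_to_opcode_*` / `__opcode_to_mem_*` pair introduced here: the invariant "asi->insn holds memory-ordered halfwords/words, locals hold CPU-ordered opcodes" deserves one sentence in the `struct arch_specific_insn` definition or at the top of set_emulated_insn(), which along with prepare_emulated_insn() and arch_prepare_kprobe() begins and ends outside these hunks.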
diff --git a/queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch b/queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch new file mode 100644 index 00000000000..17320cf7f5a --- /dev/null +++ b/queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch 
@@ -0,0 +1,79 @@ +From 859828c0ea476b42f3a93d69d117aaba90994b6f Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 5 Dec 2013 16:27:37 +0100 +Subject: br: fix use of ->rx_handler_data in code executed on non-rx_handler path + +From: Jiri Pirko + +commit 859828c0ea476b42f3a93d69d117aaba90994b6f upstream. + +br_stp_rcv() is reached by non-rx_handler path. That means there is no +guarantee that dev is bridge port and therefore simple NULL check of +->rx_handler_data is not enough. There is need to check if dev is really +bridge port and since only rcu read lock is held here, do it by checking +->rx_handler pointer. + +Note that synchronize_net() in netdev_rx_handler_unregister() ensures +this approach as valid. + +Introduced originally by: +commit f350a0a87374418635689471606454abc7beaa3a + "bridge: use rx_handler_data pointer to store net_bridge_port pointer" + +Fixed but not in the best way by: +commit b5ed54e94d324f17c97852296d61a143f01b227a + "bridge: fix RCU races with bridge port" + +Reintroduced by: +commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 + "bridge: fix NULL pointer deref of br_port_get_rcu" + +Please apply to stable trees as well. Thanks. + +RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770 + +Reported-by: Laine Stump +Debugged-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Jiri Pirko +Acked-by: Michael S. Tsirkin +Acked-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Cc: Andrew Collins +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br_private.h | 10 ++++++++++ + net/bridge/br_stp_bpdu.c | 2 +- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -429,6 +429,16 @@ extern netdev_features_t br_features_rec + extern int br_handle_frame_finish(struct sk_buff *skb); + extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb); + ++static inline bool br_rx_handler_check_rcu(const struct net_device *dev) ++{ ++ return rcu_dereference(dev->rx_handler) == br_handle_frame; ++} ++ ++static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev) ++{ ++ return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL; ++} ++ + /* br_ioctl.c */ + extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd); + extern int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *arg); +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto * + if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0) + goto err; + +- p = br_port_get_rcu(dev); ++ p = br_port_get_check_rcu(dev); + if (!p) + goto err; + diff --git a/queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch b/queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch new file mode 100644 index 00000000000..3c5c57e89f7 --- /dev/null +++ b/queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch 
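Review bot: The two new inline helpers in br_private.h carry no comment, and their correctness rests on two facts only the commit message states: the caller must hold rcu_read_lock(), and `rcu_dereference(dev->rx_handler) == br_handle_frame` is what makes `dev->rx_handler_data` safe to interpret as a `struct net_bridge_port`. A comment above br_port_get_check_rcu() along the lines of `/* Like br_port_get_rcu(), but safe on paths that are not the rx_handler: returns NULL unless dev is currently a bridge port. Caller must hold rcu_read_lock(). */` would stop the next reader from "simplifying" br_stp_rcv() back to br_port_get_rcu(). The reliance on synchronize_net() in netdev_rx_handler_unregister() is worth a half-sentence there too, since it is what keeps the pointer comparison and the later dereference coherent.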
@@ -0,0 +1,43 @@ +From 96a2adbc6f501996418da9f7afe39bf0e4d006a9 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Mon, 13 Oct 2014 18:59:09 -0600 +Subject: clocksource: Remove "weak" from clocksource_default_clock() declaration + +From: Bjorn Helgaas + +commit 96a2adbc6f501996418da9f7afe39bf0e4d006a9 upstream. + +kernel/time/jiffies.c provides a default clocksource_default_clock() +definition explicitly marked "weak". arch/s390 provides its own definition +intended to override the default, but the "weak" attribute on the +declaration applied to the s390 definition as well, so the linker chose one +based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from +pcibios_get_phb_of_node decl")). + +Remove the "weak" attribute from the clocksource_default_clock() +declaration so we always prefer a non-weak definition over the weak one, +independent of link order. + +Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection") +Signed-off-by: Bjorn Helgaas +Acked-by: John Stultz +Acked-by: Ingo Molnar +CC: Daniel Lezcano +CC: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/clocksource.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/clocksource.h ++++ b/include/linux/clocksource.h +@@ -285,7 +285,7 @@ extern struct clocksource* clocksource_g + extern void clocksource_change_rating(struct clocksource *cs, int rating); + extern void clocksource_suspend(void); + extern void clocksource_resume(void); +-extern struct clocksource * __init __weak clocksource_default_clock(void); ++extern struct clocksource * __init clocksource_default_clock(void); + extern void clocksource_mark_unstable(struct clocksource *cs); + + extern void diff --git a/queue-3.10/dell-wmi-fix-access-out-of-memory.patch b/queue-3.10/dell-wmi-fix-access-out-of-memory.patch new file mode 100644 index 00000000000..1ac2a439ad7 --- /dev/null +++ b/queue-3.10/dell-wmi-fix-access-out-of-memory.patch 
@@ -0,0 +1,55 @@ +From a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Mon, 29 Sep 2014 15:10:51 +0200 +Subject: dell-wmi: Fix access out of memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= + +commit a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 upstream. + +Without this patch, dell-wmi is trying to access elements of dynamically +allocated array without checking the array size. This can lead to memory +corruption or a kernel panic. This patch adds the missing checks for +array size. + +Signed-off-by: Pali Rohár +Signed-off-by: Darren Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/dell-wmi.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/dell-wmi.c ++++ b/drivers/platform/x86/dell-wmi.c +@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, v + const struct key_entry *key; + int reported_key; + u16 *buffer_entry = (u16 *)obj->buffer.pointer; ++ int buffer_size = obj->buffer.length/2; + +- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { ++ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { + pr_info("Received unknown WMI event (0x%x)\n", + buffer_entry[1]); + kfree(obj); + return; + } + +- if (dell_new_hk_type || buffer_entry[1] == 0x0) ++ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) + reported_key = (int)buffer_entry[2]; +- else ++ else if (buffer_size >= 2) + reported_key = (int)buffer_entry[1] & 0xffff; ++ else { ++ pr_info("Received unknown WMI event\n"); ++ kfree(obj); ++ return; ++ } + + key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, + reported_key); diff --git a/queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch b/queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch new file mode 100644 index 00000000000..cc078c6ab89 --- /dev/null 
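Review bot: `int buffer_size = obj->buffer.length/2;` encodes the element width as a bare literal while the very next lines index a `u16 *`; `int buffer_size = obj->buffer.length / sizeof(*buffer_entry);` ties the bound to the type it guards. The rewritten if / else if / else chain is also braced on only its last branch, which kernel coding style asks to avoid (brace every branch once one of them needs braces) and which makes the early `kfree(obj); return;` easy to misread as part of the unbraced `else if`. Whether `obj->type == ACPI_TYPE_BUFFER` is verified before `obj->buffer.length` is read cannot be seen here because dell_wmi_notify() starts before the hunk; if it is not, the new length check does not protect against a non-buffer object. The size checks themselves (`>= 2` for `buffer_entry[1]`, `>= 3` for `buffer_entry[2]`) are consistent with the indices used.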
+++ b/queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch @@ -0,0 +1,63 @@ +From 1195d94e006b23c6292e78857e154872e33b6d7e Mon Sep 17 00:00:00 2001 +From: Andrey Vagin +Date: Mon, 13 Oct 2014 15:54:10 -0700 +Subject: ipc: always handle a new value of auto_msgmni + +From: Andrey Vagin + +commit 1195d94e006b23c6292e78857e154872e33b6d7e upstream. + +proc_dointvec_minmax() returns zero if a new value has been set. So we +don't need to check all charecters have been handled. + +Below you can find two examples. In the new value has not been handled +properly. + +$ strace ./a.out +open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3 +write(3, "0\n\0", 3) = 2 +close(3) = 0 +exit_group(0) +$ cat /sys/kernel/debug/tracing/trace + +$strace ./a.out +open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3 +write(3, "0\n", 2) = 2 +close(3) = 0 + +$ cat /sys/kernel/debug/tracing/trace +a.out-697 [000] .... 3280.998235: unregister_ipcns_notifier <-proc_ipcauto_dointvec_minmax + +Fixes: 9eefe520c814 ("ipc: do not use a negative value to re-enable msgmni automatic recomputin") +Signed-off-by: Andrey Vagin +Cc: Mathias Krause +Cc: Manfred Spraul +Cc: Joe Perches +Cc: Davidlohr Bueso +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/ipc_sysctl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/ipc/ipc_sysctl.c ++++ b/ipc/ipc_sysctl.c +@@ -123,7 +123,6 @@ static int proc_ipcauto_dointvec_minmax( + void __user *buffer, size_t *lenp, loff_t *ppos) + { + struct ctl_table ipc_table; +- size_t lenp_bef = *lenp; + int oldval; + int rc; + +@@ -133,7 +132,7 @@ static int proc_ipcauto_dointvec_minmax( + + rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos); + +- if (write && !rc && lenp_bef == *lenp) { ++ if (write && !rc) { + int newval = *((int *)(ipc_table.data)); + /* + * The file "auto_msgmni" has correctly been set. 
diff --git a/queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch b/queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch new file mode 100644 index 00000000000..c9993efe153 --- /dev/null +++ b/queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch @@ -0,0 +1,40 @@ +From 107bcc6d566cb40184068d888637f9aefe6252dd Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Mon, 13 Oct 2014 19:00:25 -0600 +Subject: kgdb: Remove "weak" from kgdb_arch_pc() declaration + +From: Bjorn Helgaas + +commit 107bcc6d566cb40184068d888637f9aefe6252dd upstream. + +kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition +explicitly marked "weak". Several architectures provide their own +definitions intended to override the default, but the "weak" attribute on +the declaration applied to the arch definitions as well, so the linker +chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak +annotation from pcibios_get_phb_of_node decl")). + +Remove the "weak" attribute from the declaration so we always prefer a +non-weak definition over the weak one, independent of link order. + +Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header") +Tested-by: Vineet Gupta # for ARC build +Signed-off-by: Bjorn Helgaas +Reviewed-by: Harvey Harrison +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kgdb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/kgdb.h ++++ b/include/linux/kgdb.h +@@ -283,7 +283,7 @@ struct kgdb_io { + + extern struct kgdb_arch arch_kgdb_ops; + +-extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs); ++extern unsigned long kgdb_arch_pc(int exception, struct pt_regs *regs); + + #ifdef CONFIG_SERIAL_KGDB_NMI + extern int kgdb_register_nmi_console(void); 
diff --git a/queue-3.10/mei-bus-fix-possible-boundaries-violation.patch b/queue-3.10/mei-bus-fix-possible-boundaries-violation.patch new file mode 100644 index 00000000000..32c33be5392 --- /dev/null +++ b/queue-3.10/mei-bus-fix-possible-boundaries-violation.patch @@ -0,0 +1,34 @@ +From cfda2794b5afe7ce64ee9605c64bef0e56a48125 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Mon, 25 Aug 2014 16:46:53 +0300 +Subject: mei: bus: fix possible boundaries violation + +From: Alexander Usyskin + +commit cfda2794b5afe7ce64ee9605c64bef0e56a48125 upstream. + +function 'strncpy' will fill whole buffer 'id.name' of fixed size (32) +with string value and will not leave place for NULL-terminator. +Possible buffer boundaries violation in following string operations. +Replace strncpy with strlcpy. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/misc/mei/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -71,7 +71,7 @@ static int mei_cl_device_probe(struct de + + dev_dbg(dev, "Device probe\n"); + +- strncpy(id.name, dev_name(dev), MEI_CL_NAME_SIZE); ++ strlcpy(id.name, dev_name(dev), sizeof(id.name)); + + return driver->probe(device, &id); + } diff --git a/queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch b/queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch new file mode 100644 index 00000000000..11df4dcb92e --- /dev/null +++ b/queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch 
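Review bot: The replacement `strlcpy(id.name, dev_name(dev), sizeof(id.name));` guarantees termination but discards the return value, so a device name of MEI_CL_NAME_SIZE characters or more is now truncated silently and the driver's probe() is handed an id that no longer matches the device. Since strlcpy returns the full source length, the truncation is a one-line check: `if (strlcpy(id.name, dev_name(dev), sizeof(id.name)) >= sizeof(id.name)) dev_warn(dev, "device name truncated\n");`. Whether truncated names should also abort the probe depends on how driver->probe() uses `id.name`, which is outside this hunk. Using `sizeof(id.name)` rather than MEI_CL_NAME_SIZE is the right choice and keeps the bound tied to the field.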
@@ -0,0 +1,75 @@ +From 5596b0b245fb9d2cefb5023b11061050351c1398 Mon Sep 17 00:00:00 2001 +From: Yoichi Yuasa +Date: Wed, 2 Oct 2013 15:03:03 +0900 +Subject: MIPS: Fix forgotten preempt_enable() when CPU has inclusive + pcaches + +From: Yoichi Yuasa + +commit 5596b0b245fb9d2cefb5023b11061050351c1398 upstream. + +[ 1.904000] BUG: scheduling while atomic: swapper/1/0x00000002 +[ 1.908000] Modules linked in: +[ 1.916000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.12.0-rc2-lemote-los.git-5318619-dirty #1 +[ 1.920000] Stack : 0000000031aac000 ffffffff810d0000 0000000000000052 ffffffff802730a4 + 0000000000000000 0000000000000001 ffffffff810cdf90 ffffffff810d0000 + ffffffff8068b968 ffffffff806f5537 ffffffff810cdf90 980000009f0782e8 + 0000000000000001 ffffffff80720000 ffffffff806b0000 980000009f078000 + 980000009f290000 ffffffff805f312c 980000009f05b5d8 ffffffff80233518 + 980000009f05b5e8 ffffffff80274b7c 980000009f078000 ffffffff8068b968 + 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 980000009f05b520 0000000000000000 ffffffff805f2f6c + 0000000000000000 ffffffff80700000 ffffffff80700000 ffffffff806fc758 + ffffffff80700000 ffffffff8020be98 ffffffff806fceb0 ffffffff805f2f6c + ... 
+[ 2.028000] Call Trace: +[ 2.032000] [] show_stack+0x80/0x98 +[ 2.036000] [] __schedule_bug+0x44/0x6c +[ 2.040000] [] __schedule+0x518/0x5b0 +[ 2.044000] [] schedule_timeout+0x128/0x1f0 +[ 2.048000] [] msleep+0x3c/0x60 +[ 2.052000] [] do_probe+0x238/0x3a8 +[ 2.056000] [] ide_probe_port+0x340/0x7e8 +[ 2.060000] [] ide_host_register+0x2d0/0x7a8 +[ 2.064000] [] ide_pci_init_two+0x4e4/0x790 +[ 2.068000] [] amd74xx_probe+0x148/0x2c8 +[ 2.072000] [] pci_device_probe+0xc4/0x130 +[ 2.076000] [] driver_probe_device+0x98/0x270 +[ 2.080000] [] __driver_attach+0xe0/0xe8 +[ 2.084000] [] bus_for_each_dev+0x78/0xe0 +[ 2.088000] [] bus_add_driver+0x230/0x310 +[ 2.092000] [] driver_register+0x84/0x158 +[ 2.096000] [] do_one_initcall+0x104/0x160 + +Signed-off-by: Yoichi Yuasa +Reported-by: Aaro Koskinen +Tested-by: Aaro Koskinen +Cc: linux-mips@linux-mips.org +Cc: Linux Kernel Mailing List +Patchwork: https://patchwork.linux-mips.org/patch/5941/ +Signed-off-by: Ralf Baechle +Cc: Alexandre Oliva +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/c-r4k.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -608,6 +608,7 @@ static void r4k_dma_cache_wback_inv(unsi + r4k_blast_scache(); + else + blast_scache_range(addr, addr + size); ++ preempt_enable(); + __sync(); + return; + } +@@ -649,6 +650,7 @@ static void r4k_dma_cache_inv(unsigned l + */ + blast_inv_scache_range(addr, addr + size); + } ++ preempt_enable(); + __sync(); + return; + } diff --git a/queue-3.10/net-mlx4_en-fix-blueflame-race.patch b/queue-3.10/net-mlx4_en-fix-blueflame-race.patch new file mode 100644 index 00000000000..5cb239b148d --- /dev/null +++ b/queue-3.10/net-mlx4_en-fix-blueflame-race.patch 
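Review bot: Each added `preempt_enable();` sits in an early-return path of r4k_dma_cache_wback_inv() and r4k_dma_cache_inv(), whose matching preempt_disable() and remaining exits are all outside the hunk, so the balance is only verifiable by reading both whole functions — exactly how the original omission went unnoticed. If the functions' other exits also end in `preempt_enable(); __sync(); return;`, folding the exits into a single `out:` label (`out: preempt_enable(); __sync();`) would make the pairing visible in one place and prevent the same omission recurring on the next branch; that rewrite cannot be judged from the context shown. Failing that, a comment on the disable site naming every exit that must re-enable would help.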
@@ -0,0 +1,150 @@ +From 2d4b646613d6b12175b017aca18113945af1faf3 Mon Sep 17 00:00:00 2001 +From: Eugenia Emantayev +Date: Thu, 25 Jul 2013 19:21:23 +0300 +Subject: net/mlx4_en: Fix BlueFlame race + +From: Eugenia Emantayev + +commit 2d4b646613d6b12175b017aca18113945af1faf3 upstream. + +Fix a race between BlueFlame flow and stamping in post send flow. +Example: + SW: Build WQE 0 on the TX buffer, except the ownership bit + SW: Set ownership for WQE 0 on the TX buffer + SW: Ring doorbell for WQE 0 + SW: Build WQE 1 on the TX buffer, except the ownership bit + SW: Set ownership for WQE 1 on the TX buffer + HW: Read WQE 0 and then WQE 1, before doorbell was rung/BF was done for WQE 1 + HW: Produce CQEs for WQE 0 and WQE 1 + SW: Process the CQEs, and stamp WQE 0 and WQE 1 accordingly (on the TX buffer) + SW: Copy WQE 1 from the TX buffer to the BF register - ALREADY STAMPED! + HW: CQE error with index 0xFFFF - the BF WQE's control segment is STAMPED, + so the BF index is 0xFFFF. Error: Invalid Opcode. +As a result QP enters the error state and no traffic can be sent. + +Solution: +When stamping - do not stamp last completed wqe. + +Signed-off-by: Eugenia Emantayev +Signed-off-by: Amir Vadai +Signed-off-by: David S. 
Miller +Cc: Vinson Lee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/en_tx.c | 61 +++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 19 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -191,6 +191,39 @@ void mlx4_en_deactivate_tx_ring(struct m + MLX4_QP_STATE_RST, NULL, 0, 0, &ring->qp); + } + ++static void mlx4_en_stamp_wqe(struct mlx4_en_priv *priv, ++ struct mlx4_en_tx_ring *ring, int index, ++ u8 owner) ++{ ++ __be32 stamp = cpu_to_be32(STAMP_VAL | (!!owner << STAMP_SHIFT)); ++ struct mlx4_en_tx_desc *tx_desc = ring->buf + index * TXBB_SIZE; ++ struct mlx4_en_tx_info *tx_info = &ring->tx_info[index]; ++ void *end = ring->buf + ring->buf_size; ++ __be32 *ptr = (__be32 *)tx_desc; ++ int i; ++ ++ /* Optimize the common case when there are no wraparounds */ ++ if (likely((void *)tx_desc + tx_info->nr_txbb * TXBB_SIZE <= end)) { ++ /* Stamp the freed descriptor */ ++ for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; ++ i += STAMP_STRIDE) { ++ *ptr = stamp; ++ ptr += STAMP_DWORDS; ++ } ++ } else { ++ /* Stamp the freed descriptor */ ++ for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; ++ i += STAMP_STRIDE) { ++ *ptr = stamp; ++ ptr += STAMP_DWORDS; ++ if ((void *)ptr >= end) { ++ ptr = ring->buf; ++ stamp ^= cpu_to_be32(0x80000000); ++ } ++ } ++ } ++} ++ + + static u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv, + struct mlx4_en_tx_ring *ring, +@@ -205,8 +238,6 @@ static u32 mlx4_en_free_tx_desc(struct m + void *end = ring->buf + ring->buf_size; + int frags = skb_shinfo(skb)->nr_frags; + int i; +- __be32 *ptr = (__be32 *)tx_desc; +- __be32 stamp = cpu_to_be32(STAMP_VAL | (!!owner << STAMP_SHIFT)); + struct skb_shared_hwtstamps hwts; + + if (timestamp) { +@@ -232,12 +263,6 @@ static u32 mlx4_en_free_tx_desc(struct m + skb_frag_size(frag), PCI_DMA_TODEVICE); + } + } +- /* Stamp the freed descriptor */ +- for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; i += 
STAMP_STRIDE) { +- *ptr = stamp; +- ptr += STAMP_DWORDS; +- } +- + } else { + if (!tx_info->inl) { + if ((void *) data >= end) { +@@ -263,16 +288,6 @@ static u32 mlx4_en_free_tx_desc(struct m + ++data; + } + } +- /* Stamp the freed descriptor */ +- for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; i += STAMP_STRIDE) { +- *ptr = stamp; +- ptr += STAMP_DWORDS; +- if ((void *) ptr >= end) { +- ptr = ring->buf; +- stamp ^= cpu_to_be32(0x80000000); +- } +- } +- + } + dev_kfree_skb_any(skb); + return tx_info->nr_txbb; +@@ -318,8 +333,9 @@ static void mlx4_en_process_tx_cq(struct + struct mlx4_en_tx_ring *ring = &priv->tx_ring[cq->ring]; + struct mlx4_cqe *cqe; + u16 index; +- u16 new_index, ring_index; ++ u16 new_index, ring_index, stamp_index; + u32 txbbs_skipped = 0; ++ u32 txbbs_stamp = 0; + u32 cons_index = mcq->cons_index; + int size = cq->size; + u32 size_mask = ring->size_mask; +@@ -335,6 +351,7 @@ static void mlx4_en_process_tx_cq(struct + index = cons_index & size_mask; + cqe = &buf[(index << factor) + factor]; + ring_index = ring->cons & size_mask; ++ stamp_index = ring_index; + + /* Process all completed CQEs */ + while (XNOR(cqe->owner_sr_opcode & MLX4_CQE_OWNER_MASK, +@@ -359,6 +376,12 @@ static void mlx4_en_process_tx_cq(struct + priv, ring, ring_index, + !!((ring->cons + txbbs_skipped) & + ring->size), timestamp); ++ ++ mlx4_en_stamp_wqe(priv, ring, stamp_index, ++ !!((ring->cons + txbbs_stamp) & ++ ring->size)); ++ stamp_index = ring_index; ++ txbbs_stamp = txbbs_skipped; + packets++; + bytes += ring->tx_info[ring_index].nr_bytes; + } while (ring_index != new_index); diff --git a/queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch b/queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch new file mode 100644 index 00000000000..61ddc257664 --- /dev/null +++ b/queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch 
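Review bot: The new mlx4_en_stamp_wqe() and its call site in mlx4_en_process_tx_cq() carry no explanation of why stamping now lags one descriptor behind freeing, although that lag is the whole fix; the race is only described in the commit message. A comment at the call, `/* Stamp the previously completed WQE, not the one just freed: the last completed WQE may still be copied to the BlueFlame register. */`, keeps the next refactor from "simplifying" the two-index scheme back into one. The `priv` parameter of mlx4_en_stamp_wqe() is never referenced in its body, so it can be dropped (or its purpose stated) — as written it looks like a leftover from the signature of mlx4_en_free_tx_desc(). Both enclosing functions begin and end outside the hunk.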
@@ -0,0 +1,47 @@
+From 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 23 Oct 2014 10:36:06 +0200
+Subject: netfilter: nf_log: account for size of NLMSG_DONE attribute
+
+From: Florian Westphal
+
+commit 9dfa1dfe4d5e5e66a991321ab08afe69759d797a upstream.
+
+We currently neither account for the nlattr size, nor do we consider
+the size of the trailing NLMSG_DONE when allocating nlmsg skb.
+
+This can result in nflog to stop working, as __nfulnl_send() re-tries
+sending forever if it failed to append NLMSG_DONE (which will never
+work if buffer is not large enough).
+
+Reported-by: Houcheng Lin
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_log.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -647,7 +647,8 @@ nfulnl_log_packet(struct net *net,
+ + nla_total_size(sizeof(u_int32_t)) /* gid */
+ + nla_total_size(plen) /* prefix */
+ + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
+- + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
++ + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
++ + nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */
+
+ if (in && skb_mac_header_was_set(skb)) {
+ size += nla_total_size(skb->dev->hard_header_len)
+@@ -690,8 +691,7 @@ nfulnl_log_packet(struct net *net,
+ goto unlock_and_release;
+ }
+
+- if (inst->skb &&
+- size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
++ if (inst->skb && size > skb_tailroom(inst->skb)) {
+ /* either the queue len is too high or we don't have
+ * enough room in the skb left. flush to userspace. */
+ __nfulnl_flush(inst);
diff --git a/queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch b/queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
new file mode 100644
index 00000000000..8b861f0b2ff
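Review bot: The reservation added as `++ + nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */` sizes the trailer as a netlink attribute, but the NLMSG_DONE is emitted by nlmsg_put() as a full message, so the space it really needs is a netlink header plus the nfgenmsg payload — `nlmsg_total_size(sizeof(struct nfgenmsg))`, which exceeds the nla_total_size() value by the header length, if I read the helpers correctly. Because the tailroom check in the second hunk now relies on `size` alone, an under-reservation would show up again only as a failed nlmsg_put() in __nfulnl_send(). nfulnl_log_packet() starts and ends outside both hunks.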
--- /dev/null
+++ b/queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
@@ -0,0 +1,66 @@
+From b51d3fa364885a2c1e1668f88776c67c95291820 Mon Sep 17 00:00:00 2001
+From: Houcheng Lin
+Date: Thu, 23 Oct 2014 10:36:08 +0200
+Subject: netfilter: nf_log: release skbuff on nlmsg put failure
+
+From: Houcheng Lin
+
+commit b51d3fa364885a2c1e1668f88776c67c95291820 upstream.
+
+The kernel should reserve enough room in the skb so that the DONE
+message can always be appended. However, in case of e.g. new attribute
+erronously not being size-accounted for, __nfulnl_send() will still
+try to put next nlmsg into this full skbuf, causing the skb to be stuck
+forever and blocking delivery of further messages.
+
+Fix issue by releasing skb immediately after nlmsg_put error and
+WARN() so we can track down the cause of such size mismatch.
+
+[ fw@strlen.de: add tailroom/len info to WARN ]
+
+Signed-off-by: Houcheng Lin
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_log.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -348,26 +348,25 @@ nfulnl_alloc_skb(u32 peer_portid, unsign
+ return skb;
+ }
+
+-static int
++static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+- int status = -1;
+-
+ if (inst->qlen > 1) {
+ struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+ NLMSG_DONE,
+ sizeof(struct nfgenmsg),
+ 0);
+- if (!nlh)
++ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
++ inst->skb->len, skb_tailroom(inst->skb))) {
++ kfree_skb(inst->skb);
+ goto out;
++ }
+ }
+- status = nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
+- MSG_DONTWAIT);
+-
++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
++ MSG_DONTWAIT);
++out:
+ inst->qlen = 0;
+ inst->skb = NULL;
+-out:
+- return status;
+ }
+
+ static void
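Review bot: The `WARN_ONCE` branch at `++ kfree_skb(inst->skb);` discards every record already batched in the skb — there are `inst->qlen` of them, per the enclosing `inst->qlen > 1` test — and after the first occurrence it does so without any trace, which for a logging target feeding audit or detection pipelines makes later losses invisible; a rate-limited warning, or a dropped-batch counter, would keep repeated occurrences observable. A one-line comment at the free, `/* drop the whole batch: a stuck skb would block every later message */`, would also make the intentional data loss explicit to the next reader. Dropping the int return is consistent with the diffstat, which shows no caller needing an update.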
diff --git a/queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch b/queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch
new file mode 100644
index 00000000000..918f15bb4be
--- /dev/null
+++ b/queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch
@@ -0,0 +1,98 @@
+From 945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 7 Jun 2014 21:17:04 +0200
+Subject: netfilter: nf_nat: fix oops on netns removal
+
+From: Florian Westphal
+
+commit 945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f upstream.
+
+Quoting Samu Kallio:
+
+ Basically what's happening is, during netns cleanup,
+ nf_nat_net_exit gets called before ipv4_net_exit. As I understand
+ it, nf_nat_net_exit is supposed to kill any conntrack entries which
+ have NAT context (through nf_ct_iterate_cleanup), but for some
+ reason this doesn't happen (perhaps something else is still holding
+ refs to those entries?).
+
+ When ipv4_net_exit is called, conntrack entries (including those
+ with NAT context) are cleaned up, but the
+ nat_bysource hashtable is long gone - freed in nf_nat_net_exit. The
+ bug happens when attempting to free a conntrack entry whose NAT hash
+ 'prev' field points to a slot in the freed hash table (head for that
+ bin).
+
+We ignore conntracks with null nat bindings. But this is wrong,
+as these are in bysource hash table as well.
+
+Restore nat-cleaning for the netns-is-being-removed case.
+
+bug:
+https://bugzilla.kernel.org/show_bug.cgi?id=65191
+
+Fixes: c2d421e1718 ('netfilter: nf_nat: fix race when unloading protocol modules')
+Reported-by: Samu Kallio
+Debugged-by: Samu Kallio
+Signed-off-by: Florian Westphal
+Tested-by: Samu Kallio
+Signed-off-by: Pablo Neira Ayuso
+[samu.kallio@aberdeencloud.com: backport to 3.10-stable]
+Signed-off-by: Samu Kallio
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_nat_core.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -487,6 +487,39 @@ static int nf_nat_proto_remove(struct nf
+ return i->status & IPS_NAT_MASK ? 
1 : 0;
+ }
+
++static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
++{
++ struct nf_conn_nat *nat = nfct_nat(ct);
++
++ if (nf_nat_proto_remove(ct, data))
++ return 1;
++
++ if (!nat || !nat->ct)
++ return 0;
++
++ /* This netns is being destroyed, and conntrack has nat null binding.
++ * Remove it from bysource hash, as the table will be freed soon.
++ *
++ * Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
++ * will delete entry from already-freed table.
++ */
++ if (!del_timer(&ct->timeout))
++ return 1;
++
++ spin_lock_bh(&nf_nat_lock);
++ hlist_del_rcu(&nat->bysource);
++ ct->status &= ~IPS_NAT_DONE_MASK;
++ nat->ct = NULL;
++ spin_unlock_bh(&nf_nat_lock);
++
++ add_timer(&ct->timeout);
++
++ /* don't delete conntrack. Although that would make things a lot
++ * simpler, we'd end up flushing all conntracks on nat rmmod.
++ */
++ return 0;
++}
++
+ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
+ {
+ struct nf_nat_proto_clean clean = {
+@@ -749,7 +782,7 @@ static void __net_exit nf_nat_net_exit(s
+ {
+ struct nf_nat_proto_clean clean = {};
+
+- nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
++ nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+ synchronize_rcu();
+ nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
+ }
diff --git a/queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch b/queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
new file mode 100644
index 00000000000..da06da9b13b
--- /dev/null
+++ b/queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
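Review bot: The `if (!del_timer(&ct->timeout)) return 1;` branch is the one path in the new nf_nat_proto_clean() that its comment block does not explain: returning 1 asks nf_ct_iterate_cleanup() to kill the entry, presumably because a timer that cannot be stopped means the conntrack is already expiring, and a comment such as `/* timer already fired: ct is being destroyed, let the iterator finish it */` would save the next reader from re-deriving that. The function also reuses the name of the `struct nf_nat_proto_clean` tag that appears in nf_nat_l4proto_clean() and nf_nat_net_exit() just below; it is legal C, but a distinct name would keep the two apart when searching. The new comment has a typo, `destoyed`. nf_nat_proto_remove() is cut at the top of the first hunk.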
@@ -0,0 +1,55 @@
+From c1e7dc91eed0ed1a51c9b814d648db18bf8fc6e9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 23 Oct 2014 10:36:07 +0200
+Subject: netfilter: nfnetlink_log: fix maximum packet length logged to userspace
+
+From: Florian Westphal
+
+commit c1e7dc91eed0ed1a51c9b814d648db18bf8fc6e9 upstream.
+
+don't try to queue payloads > 0xffff - NLA_HDRLEN, it does not work.
+The nla length includes the size of the nla struct, so anything larger
+results in u16 integer overflow.
+
+This patch is similar to
+9cefbbc9c8f9abe (netfilter: nfnetlink_queue: cleanup copy_range usage).
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_log.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -45,7 +45,8 @@
+ #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
+ #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
+ #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
+-#define NFULNL_COPY_RANGE_MAX 0xFFFF /* max packet size is limited by 16-bit struct nfattr nfa_len field */
++/* max packet size is limited by 16-bit struct nfattr nfa_len field */
++#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN)
+
+ #define PRINTR(x, args...) do { if (net_ratelimit()) \
+ printk(x, ## args); } while (0);
+@@ -255,6 +256,8 @@ nfulnl_set_mode(struct nfulnl_instance *
+
+ case NFULNL_COPY_PACKET:
+ inst->copy_mode = mode;
++ if (range == 0)
++ range = NFULNL_COPY_RANGE_MAX;
+ inst->copy_range = min_t(unsigned int,
+ range, NFULNL_COPY_RANGE_MAX);
+ break;
+@@ -677,8 +680,7 @@ nfulnl_log_packet(struct net *net,
+ break;
+
+ case NFULNL_COPY_PACKET:
+- if (inst->copy_range == 0
+- || inst->copy_range > skb->len)
++ if (inst->copy_range > skb->len)
+ data_len = skb->len;
+ else
+ data_len = inst->copy_range;
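Review bot: Dropping the `copy_range == 0` fallback in the third hunk makes packet logging depend on copy_range never being zero while copy_mode is NFULNL_COPY_PACKET; nfulnl_set_mode() now guarantees that for values arriving over netlink, but the initial value of an instance is set in instance_create(), which is outside these hunks, so it is worth confirming it is NFULNL_COPY_RANGE_MAX — a zero there would now yield `data_len = 0` and log entries without payload. The comment carried over onto the new define explains the 16-bit limit but not the subtraction; appending `(the NLA header counts towards nla_len)` to it would explain the `- NLA_HDRLEN`.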
diff --git a/queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch b/queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
new file mode 100644
index 00000000000..5521b94d457
--- /dev/null
+++ b/queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
@@ -0,0 +1,34 @@
+From e10038a8ec06ac819b7552bb67aaa6d2d6f850c1 Mon Sep 17 00:00:00 2001
+From: Pablo Neira
+Date: Tue, 29 Jul 2014 18:12:15 +0200
+Subject: netfilter: xt_bpf: add mising opaque struct sk_filter definition
+
+From: Pablo Neira
+
+commit e10038a8ec06ac819b7552bb67aaa6d2d6f850c1 upstream.
+
+This structure is not exposed to userspace, so fix this by defining
+struct sk_filter; so we skip the casting in kernelspace. This is safe
+since userspace has no way to lurk with that internal pointer.
+
+Fixes: e6f30c7 ("netfilter: x_tables: add xt_bpf match")
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/netfilter/xt_bpf.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/uapi/linux/netfilter/xt_bpf.h
++++ b/include/uapi/linux/netfilter/xt_bpf.h
+@@ -6,6 +6,8 @@
+
+ #define XT_BPF_MAX_NUM_INSTR 64
+
++struct sk_filter;
++
+ struct xt_bpf_info {
+ __u16 bpf_program_num_elem;
+ struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
diff --git a/queue-3.10/perf-handle-compat-ioctl.patch b/queue-3.10/perf-handle-compat-ioctl.patch
new file mode 100644
index 00000000000..b93b87b10fd
--- /dev/null
+++ b/queue-3.10/perf-handle-compat-ioctl.patch
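Review bot: The new `struct sk_filter;` forward declaration in a uapi header should carry a one-line comment, because readers of include/uapi will otherwise wonder why a kernel-internal type is named there; `/* kernel-internal, opaque to userspace: only the pointer is visible */` placed above it records what the commit message says. The `struct xt_bpf_info` definition continues past the end of the hunk, so the member that uses the type is not visible here.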
@@ -0,0 +1,79 @@
+From b3f207855f57b9c8f43a547a801340bb5cbc59e5 Mon Sep 17 00:00:00 2001
+From: Pawel Moll
+Date: Fri, 13 Jun 2014 16:03:32 +0100
+Subject: perf: Handle compat ioctl
+
+From: Pawel Moll
+
+commit b3f207855f57b9c8f43a547a801340bb5cbc59e5 upstream.
+
+When running a 32-bit userspace on a 64-bit kernel (eg. i386
+application on x86_64 kernel or 32-bit arm userspace on arm64
+kernel) some of the perf ioctls must be treated with special
+care, as they have a pointer size encoded in the command.
+
+For example, PERF_EVENT_IOC_ID in 32-bit world will be encoded
+as 0x80042407, but 64-bit kernel will expect 0x80082407. In
+result the ioctl will fail returning -ENOTTY.
+
+This patch solves the problem by adding code fixing up the
+size as compat_ioctl file operation.
+
+Reported-by: Drew Richardson
+Signed-off-by: Pawel Moll
+Signed-off-by: Peter Zijlstra
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Link: http://lkml.kernel.org/r/1402671812-9078-1-git-send-email-pawel.moll@arm.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: David Ahern
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -39,6 +39,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "internal.h"
+
+@@ -3490,6 +3491,25 @@ static long perf_ioctl(struct file *file
+ return 0;
+ }
+
++#ifdef CONFIG_COMPAT
++static long perf_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (_IOC_NR(cmd)) {
++ case _IOC_NR(PERF_EVENT_IOC_SET_FILTER):
++ /* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */
++ if (_IOC_SIZE(cmd) == sizeof(compat_uptr_t)) {
++ cmd &= ~IOCSIZE_MASK;
++ cmd |= sizeof(void *) << IOCSIZE_SHIFT;
++ }
++ break;
++ }
++ return perf_ioctl(file, cmd, arg);
++}
++#else
++# define perf_compat_ioctl NULL
++#endif
++
+ int perf_event_task_enable(void)
+ {
+ struct perf_event *event;
+@@ 
-3961,7 +3981,7 @@ static const struct file_operations perf
+ .read = perf_read,
+ .poll = perf_poll,
+ .unlocked_ioctl = perf_ioctl,
+- .compat_ioctl = perf_ioctl,
++ .compat_ioctl = perf_compat_ioctl,
+ .mmap = perf_mmap,
+ .fasync = perf_fasync,
+ };
diff --git a/queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch b/queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
new file mode 100644
index 00000000000..d3efe6fc67b
--- /dev/null
+++ b/queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
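Review bot: The comment `++ /* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */` in the first hunk of kernel/events/core.c lacks its closing parenthesis, and a `default:` label stating that every other command is passed through unchanged would make the switch's intent explicit. The commit message uses PERF_EVENT_IOC_ID as its example while the backported switch only handles PERF_EVENT_IOC_SET_FILTER; presumably that command does not exist in this tree, but a one-line backport note saying so would save stable readers from assuming a case was dropped. `arg` is forwarded unmodified: on x86 and arm64 a 32-bit user pointer is zero-extended and perf_ioctl() can use it directly, but an architecture whose compat ABI requires compat_ptr() would need that conversion before the pointer is dereferenced.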
@@ -0,0 +1,44 @@
+From 1996388e9f4e3444db8273bc08d25164d2967c21 Mon Sep 17 00:00:00 2001
+From: Vince Weaver
+Date: Mon, 14 Jul 2014 15:33:25 -0400
+Subject: perf/x86/intel: Use proper dTLB-load-misses event on IvyBridge
+
+From: Vince Weaver
+
+commit 1996388e9f4e3444db8273bc08d25164d2967c21 upstream.
+
+This was discussed back in February:
+
+ https://lkml.org/lkml/2014/2/18/956
+
+But I never saw a patch come out of it.
+
+On IvyBridge we share the SandyBridge cache event tables, but the
+dTLB-load-miss event is not compatible. Patch it up after
+the fact to the proper DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK
+
+Signed-off-by: Vince Weaver
+Signed-off-by: Peter Zijlstra
+Cc: Arnaldo Carvalho de Melo
+Cc: Linus Torvalds
+Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1407141528200.17214@vincent-weaver-1.umelst.maine.edu
+Signed-off-by: Ingo Molnar
+Cc: Hou Pengyang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel.c
++++ b/arch/x86/kernel/cpu/perf_event_intel.c
+@@ -2172,6 +2172,9 @@ __init int intel_pmu_init(void)
+ case 62: /* IvyBridge EP */
+ memcpy(hw_cache_event_ids, snb_hw_cache_event_ids,
+ sizeof(hw_cache_event_ids));
++ /* dTLB-load-misses on IVB is different than SNB */
++ hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */
++
+ memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs,
+ sizeof(hw_cache_extra_regs));
+
diff --git a/queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch b/queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch
new file mode 100644
index 00000000000..94f459a82e8
--- /dev/null
+++ b/queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch
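Review bot: The override `++ hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */` carries the event name at the end of a line far beyond the kernel's width limit; moving the name into the comment on the preceding line, `/* dTLB-load-misses on IVB is different than SNB: DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */`, keeps the assignment short and puts the name where a reader looks for it. The override correctly follows the memcpy from the SandyBridge table; whether other IvyBridge models reach this `case 62` block by fall-through is not visible in the hunk.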
@@ -0,0 +1,47 @@
+From 2cc5bfaf854463d9d1aa52091f60110fbf102a96 Mon Sep 17 00:00:00 2001
+From: Tomas Henzl
+Date: Thu, 1 Aug 2013 15:14:00 +0200
+Subject: SCSI: hpsa: fix a race in cmd_free/scsi_done
+
+From: Tomas Henzl
+
+commit 2cc5bfaf854463d9d1aa52091f60110fbf102a96 upstream.
+
+When the driver calls scsi_done and after that frees it's internal
+preallocated memory it can happen that a new job is enqueud before
+the memory is freed. The allocation fails and the message
+"cmd_alloc returned NULL" is shown.
+Patch below fixes it by moving cmd->scsi_done after cmd_free.
+
+Signed-off-by: Tomas Henzl
+Acked-by: Stephen M. Cameron
+Signed-off-by: James Bottomley
+Cc: Masoud Sharbiani
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1206,8 +1206,8 @@ static void complete_scsi_command(struct
+ scsi_set_resid(cmd, ei->ResidualCnt);
+
+ if (ei->CommandStatus == 0) {
+- cmd->scsi_done(cmd);
+ cmd_free(h, cp);
++ cmd->scsi_done(cmd);
+ return;
+ }
+
+@@ -1380,8 +1380,8 @@ static void complete_scsi_command(struct
+ dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
+ cp, ei->CommandStatus);
+ }
+- cmd->scsi_done(cmd);
+ cmd_free(h, cp);
++ cmd->scsi_done(cmd);
+ }
+
+ static void hpsa_pci_unmap(struct pci_dev *pdev,
diff --git a/queue-3.10/series b/queue-3.10/series
index 18246c37467..8f0a657d2ce 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
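Review bot: The reordered pair `cmd_free(h, cp); cmd->scsi_done(cmd);` is the entire fix, yet neither site says why the order matters, so a later cleanup could swap the calls back; a comment at the first site, `/* free the slot before completing: scsi_done() may queue a new command that needs it */`, and `/* see above: free before scsi_done() */` at the second, would protect the ordering. After cmd_free() the command block `cp` should no longer be touched, which both sites respect — the dev_warn() in the second hunk reads `cp` before the free. complete_scsi_command() begins and continues outside both hunks.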
@@ -37,3 +37,21 @@ nfs-don-t-try-to-reclaim-delegation-open-state-if-recovery-failed.patch
 nfs-fix-use-of-uninitialized-variable-in-nfs_getattr.patch
 nfsv4-fix-races-between-nfs_remove_bad_delegation-and-delegation-return.patch
 media-ttusb-dec-buffer-overflow-in-ioctl.patch
+kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch
+clocksource-remove-weak-from-clocksource_default_clock-declaration.patch
+ipc-always-handle-a-new-value-of-auto_msgmni.patch
+netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch
+netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
+netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
+netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
+netfilter-nf_nat-fix-oops-on-netns-removal.patch
+br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch
+arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch
+dell-wmi-fix-access-out-of-memory.patch
+mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch
+perf-handle-compat-ioctl.patch
+mei-bus-fix-possible-boundaries-violation.patch
+perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
+arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch
+net-mlx4_en-fix-blueflame-race.patch
+scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch