From: Greg Kroah-Hartman Date: Tue, 27 Jan 2015 23:46:22 +0000 (-0800) Subject: 3.18-stable patches X-Git-Tag: v3.10.67~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=849c2cd98483f2e7282e7c52f93c7e023e973bb5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ipvs-uninitialized-data-with-ip_vs_ipv6.patch mm-get-rid-of-radix-tree-gfp-mask-for-pagecache_get_page.patch netfilter-conntrack-fix-race-between-confirmation-and-flush.patch netfilter-nf_tables-fix-flush-ruleset-chain-dependencies.patch netfilter-nfnetlink-relax-strict-multicast-group-check-from-netlink_bind.patch netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch revert-swiotlb-xen-pass-dev_addr-to-swiotlb_tbl_unmap_single.patch --- diff --git a/queue-3.18/ipvs-uninitialized-data-with-ip_vs_ipv6.patch b/queue-3.18/ipvs-uninitialized-data-with-ip_vs_ipv6.patch new file mode 100644 index 00000000000..5ebc6aa55d4 --- /dev/null +++ b/queue-3.18/ipvs-uninitialized-data-with-ip_vs_ipv6.patch @@ -0,0 +1,64 @@ +From 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 6 Dec 2014 16:49:24 +0300 +Subject: ipvs: uninitialized data with IP_VS_IPV6 + +From: Dan Carpenter + +commit 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f upstream. + +The app_tcp_pkt_out() function expects "*diff" to be set and ends up +using uninitialized data if CONFIG_IP_VS_IPV6 is turned on. + +The same issue is there in app_tcp_pkt_in(). Thanks to Julian Anastasov +for noticing that. + +Signed-off-by: Dan Carpenter +Acked-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_ftp.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ftp.c ++++ b/net/netfilter/ipvs/ip_vs_ftp.c +@@ -183,6 +183,8 @@ static int ip_vs_ftp_out(struct ip_vs_ap + struct nf_conn *ct; + struct net *net; + ++ *diff = 0; ++ + #ifdef CONFIG_IP_VS_IPV6 + /* This application helper doesn't work with IPv6 yet, + * so turn this into a no-op for IPv6 packets +@@ -191,8 +193,6 @@ static int ip_vs_ftp_out(struct ip_vs_ap + return 1; + #endif + +- *diff = 0; +- + /* Only useful for established sessions */ + if (cp->state != IP_VS_TCP_S_ESTABLISHED) + return 1; +@@ -322,6 +322,9 @@ static int ip_vs_ftp_in(struct ip_vs_app + struct ip_vs_conn *n_cp; + struct net *net; + ++ /* no diff required for incoming packets */ ++ *diff = 0; ++ + #ifdef CONFIG_IP_VS_IPV6 + /* This application helper doesn't work with IPv6 yet, + * so turn this into a no-op for IPv6 packets +@@ -330,9 +333,6 @@ static int ip_vs_ftp_in(struct ip_vs_app + return 1; + #endif + +- /* no diff required for incoming packets */ +- *diff = 0; +- + /* Only useful for established sessions */ + if (cp->state != IP_VS_TCP_S_ESTABLISHED) + return 1; diff --git a/queue-3.18/mm-get-rid-of-radix-tree-gfp-mask-for-pagecache_get_page.patch b/queue-3.18/mm-get-rid-of-radix-tree-gfp-mask-for-pagecache_get_page.patch new file mode 100644 index 00000000000..472fb5a2454 --- /dev/null +++ b/queue-3.18/mm-get-rid-of-radix-tree-gfp-mask-for-pagecache_get_page.patch @@ -0,0 +1,171 @@ +From 45f87de57f8fad59302fd263dd81ffa4843b5b24 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Mon, 29 Dec 2014 20:30:35 +0100 +Subject: mm: get rid of radix tree gfp mask for pagecache_get_page + +From: Michal Hocko + +commit 45f87de57f8fad59302fd263dd81ffa4843b5b24 upstream. + +Commit 2457aec63745 ("mm: non-atomically mark page accessed during page +cache allocation where possible") has added a separate parameter for +specifying gfp mask for radix tree allocations. + +Not only this is less than optimal from the API point of view because it +is error prone, it is also buggy currently because +grab_cache_page_write_begin is using GFP_KERNEL for radix tree and if +fgp_flags doesn't contain FGP_NOFS (mostly controlled by fs by +AOP_FLAG_NOFS flag) but the mapping_gfp_mask has __GFP_FS cleared then +the radix tree allocation wouldn't obey the restriction and might +recurse into filesystem and cause deadlocks. This is the case for most +filesystems unfortunately because only ext4 and gfs2 are using +AOP_FLAG_NOFS. + +Let's simply remove radix_gfp_mask parameter because the allocation +context is same for both page cache and for the radix tree. Just make +sure that the radix tree gets only the sane subset of the mask (e.g. do +not pass __GFP_WRITE). + +Long term it is more preferable to convert remaining users of +AOP_FLAG_NOFS to use mapping_gfp_mask instead and simplify this +interface even further. + +Reported-by: Dave Chinner +Signed-off-by: Michal Hocko +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/pagemap.h | 13 ++++++------- + mm/filemap.c | 29 ++++++++++++----------------- + 2 files changed, 18 insertions(+), 24 deletions(-) + +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -251,7 +251,7 @@ pgoff_t page_cache_prev_hole(struct addr + #define FGP_NOWAIT 0x00000020 + + struct page *pagecache_get_page(struct address_space *mapping, pgoff_t offset, +- int fgp_flags, gfp_t cache_gfp_mask, gfp_t radix_gfp_mask); ++ int fgp_flags, gfp_t cache_gfp_mask); + + /** + * find_get_page - find and get a page reference +@@ -266,13 +266,13 @@ struct page *pagecache_get_page(struct a + static inline struct page *find_get_page(struct address_space *mapping, + pgoff_t offset) + { +- return pagecache_get_page(mapping, offset, 0, 0, 0); ++ return pagecache_get_page(mapping, offset, 0, 0); + } + + static inline struct page *find_get_page_flags(struct address_space *mapping, + pgoff_t offset, int fgp_flags) + { +- return pagecache_get_page(mapping, offset, fgp_flags, 0, 0); ++ return pagecache_get_page(mapping, offset, fgp_flags, 0); + } + + /** +@@ -292,7 +292,7 @@ static inline struct page *find_get_page + static inline struct page *find_lock_page(struct address_space *mapping, + pgoff_t offset) + { +- return pagecache_get_page(mapping, offset, FGP_LOCK, 0, 0); ++ return pagecache_get_page(mapping, offset, FGP_LOCK, 0); + } + + /** +@@ -319,7 +319,7 @@ static inline struct page *find_or_creat + { + return pagecache_get_page(mapping, offset, + FGP_LOCK|FGP_ACCESSED|FGP_CREAT, +- gfp_mask, gfp_mask & GFP_RECLAIM_MASK); ++ gfp_mask); + } + + /** +@@ -340,8 +340,7 @@ static inline struct page *grab_cache_pa + { + return pagecache_get_page(mapping, index, + FGP_LOCK|FGP_CREAT|FGP_NOFS|FGP_NOWAIT, +- mapping_gfp_mask(mapping), +- GFP_NOFS); ++ mapping_gfp_mask(mapping)); + } + + struct page *find_get_entry(struct address_space *mapping, pgoff_t offset); +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -1046,8 +1046,7 @@ EXPORT_SYMBOL(find_lock_entry); + * @mapping: the address_space to search + * @offset: the page index + * @fgp_flags: PCG flags +- * @cache_gfp_mask: gfp mask to use for the page cache data page allocation +- * @radix_gfp_mask: gfp mask to use for radix tree node allocation ++ * @gfp_mask: gfp mask to use for the page cache data page allocation + * + * Looks up the page cache slot at @mapping & @offset. + * +@@ -1056,11 +1055,9 @@ EXPORT_SYMBOL(find_lock_entry); + * FGP_ACCESSED: the page will be marked accessed + * FGP_LOCK: Page is return locked + * FGP_CREAT: If page is not present then a new page is allocated using +- * @cache_gfp_mask and added to the page cache and the VM's LRU +- * list. If radix tree nodes are allocated during page cache +- * insertion then @radix_gfp_mask is used. The page is returned +- * locked and with an increased refcount. Otherwise, %NULL is +- * returned. ++ * @gfp_mask and added to the page cache and the VM's LRU ++ * list. The page is returned locked and with an increased ++ * refcount. Otherwise, %NULL is returned. + * + * If FGP_LOCK or FGP_CREAT are specified then the function may sleep even + * if the GFP flags specified for FGP_CREAT are atomic. +@@ -1068,7 +1065,7 @@ EXPORT_SYMBOL(find_lock_entry); + * If there is a page cache page, it is returned with an increased refcount. + */ + struct page *pagecache_get_page(struct address_space *mapping, pgoff_t offset, +- int fgp_flags, gfp_t cache_gfp_mask, gfp_t radix_gfp_mask) ++ int fgp_flags, gfp_t gfp_mask) + { + struct page *page; + +@@ -1105,13 +1102,11 @@ no_page: + if (!page && (fgp_flags & FGP_CREAT)) { + int err; + if ((fgp_flags & FGP_WRITE) && mapping_cap_account_dirty(mapping)) +- cache_gfp_mask |= __GFP_WRITE; +- if (fgp_flags & FGP_NOFS) { +- cache_gfp_mask &= ~__GFP_FS; +- radix_gfp_mask &= ~__GFP_FS; +- } ++ gfp_mask |= __GFP_WRITE; ++ if (fgp_flags & FGP_NOFS) ++ gfp_mask &= ~__GFP_FS; + +- page = __page_cache_alloc(cache_gfp_mask); ++ page = __page_cache_alloc(gfp_mask); + if (!page) + return NULL; + +@@ -1122,7 +1117,8 @@ no_page: + if (fgp_flags & FGP_ACCESSED) + __SetPageReferenced(page); + +- err = add_to_page_cache_lru(page, mapping, offset, radix_gfp_mask); ++ err = add_to_page_cache_lru(page, mapping, offset, ++ gfp_mask & GFP_RECLAIM_MASK); + if (unlikely(err)) { + page_cache_release(page); + page = NULL; +@@ -2443,8 +2439,7 @@ struct page *grab_cache_page_write_begin + fgp_flags |= FGP_NOFS; + + page = pagecache_get_page(mapping, index, fgp_flags, +- mapping_gfp_mask(mapping), +- GFP_KERNEL); ++ mapping_gfp_mask(mapping)); + if (page) + wait_for_stable_page(page); + diff --git a/queue-3.18/netfilter-conntrack-fix-race-between-confirmation-and-flush.patch b/queue-3.18/netfilter-conntrack-fix-race-between-confirmation-and-flush.patch new file mode 100644 index 00000000000..fee6ae8c7b3 --- /dev/null +++ b/queue-3.18/netfilter-conntrack-fix-race-between-confirmation-and-flush.patch @@ -0,0 +1,85 @@ +From 8ca3f5e974f2b4b7f711589f4abff920db36637a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 25 Nov 2014 00:14:47 +0100 +Subject: netfilter: conntrack: fix race between confirmation and flush + +From: Pablo Neira Ayuso + +commit 8ca3f5e974f2b4b7f711589f4abff920db36637a upstream. + +Commit 5195c14c8b27c ("netfilter: conntrack: fix race in +__nf_conntrack_confirm against get_next_corpse") aimed to resolve the +race condition between the confirmation (packet path) and the flush +command (from control plane). However, it introduced a crash when +several packets race to add a new conntrack, which seems easier to +reproduce when nf_queue is in place. + +Fix this race, in __nf_conntrack_confirm(), by removing the CT +from unconfirmed list before checking the DYING bit. In case +race occured, re-add the CT to the dying list + +This patch also changes the verdict from NF_ACCEPT to NF_DROP when +we lose race. Basically, the confirmation happens for the first packet +that we see in a flow. If you just invoked conntrack -F once (which +should be the common case), then this is likely to be the first packet +of the flow (unless you already called flush anytime soon in the past). +This should be hard to trigger, but better drop this packet, otherwise +we leave things in inconsistent state since the destination will likely +reply to this packet, but it will find no conntrack, unless the origin +retransmits. + +The change of the verdict has been discussed in: +https://www.marc.info/?l=linux-netdev&m=141588039530056&w=2 + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_core.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -611,16 +611,15 @@ __nf_conntrack_confirm(struct sk_buff *s + */ + NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); + pr_debug("Confirming conntrack %p\n", ct); +- /* We have to check the DYING flag inside the lock to prevent +- a race against nf_ct_get_next_corpse() possibly called from +- user context, else we insert an already 'dead' hash, blocking +- further use of that particular connection -JM */ +- +- if (unlikely(nf_ct_is_dying(ct))) { +- nf_conntrack_double_unlock(hash, reply_hash); +- local_bh_enable(); +- return NF_ACCEPT; +- } ++ /* We have to check the DYING flag after unlink to prevent ++ * a race against nf_ct_get_next_corpse() possibly called from ++ * user context, else we insert an already 'dead' hash, blocking ++ * further use of that particular connection -JM. ++ */ ++ nf_ct_del_from_dying_or_unconfirmed_list(ct); ++ ++ if (unlikely(nf_ct_is_dying(ct))) ++ goto out; + + /* See if there's one in the list already, including reverse: + NAT could have grabbed it without realizing, since we're +@@ -636,8 +635,6 @@ __nf_conntrack_confirm(struct sk_buff *s + zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h))) + goto out; + +- nf_ct_del_from_dying_or_unconfirmed_list(ct); +- + /* Timer relative to confirmation time, not original + setting time, otherwise we'd get timer wrap in + weird delay cases. */ +@@ -673,6 +670,7 @@ __nf_conntrack_confirm(struct sk_buff *s + return NF_ACCEPT; + + out: ++ nf_ct_add_to_dying_list(ct); + nf_conntrack_double_unlock(hash, reply_hash); + NF_CT_STAT_INC(net, insert_failed); + local_bh_enable(); diff --git a/queue-3.18/netfilter-nf_tables-fix-flush-ruleset-chain-dependencies.patch b/queue-3.18/netfilter-nf_tables-fix-flush-ruleset-chain-dependencies.patch new file mode 100644 index 00000000000..57f77a41f6e --- /dev/null +++ b/queue-3.18/netfilter-nf_tables-fix-flush-ruleset-chain-dependencies.patch @@ -0,0 +1,83 @@ +From a2f18db0c68fec96631c10cad9384c196e9008ac Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 4 Jan 2015 15:14:22 +0100 +Subject: netfilter: nf_tables: fix flush ruleset chain dependencies + +From: Pablo Neira Ayuso + +commit a2f18db0c68fec96631c10cad9384c196e9008ac upstream. + +Jumping between chains doesn't mix well with flush ruleset. Rules +from a different chain and set elements may still refer to us. + +[ 353.373791] ------------[ cut here ]------------ +[ 353.373845] kernel BUG at net/netfilter/nf_tables_api.c:1159! +[ 353.373896] invalid opcode: 0000 [#1] SMP +[ 353.373942] Modules linked in: intel_powerclamp uas iwldvm iwlwifi +[ 353.374017] CPU: 0 PID: 6445 Comm: 31c3.nft Not tainted 3.18.0 #98 +[ 353.374069] Hardware name: LENOVO 5129CTO/5129CTO, BIOS 6QET47WW (1.17 ) 07/14/2010 +[...] +[ 353.375018] Call Trace: +[ 353.375046] [] ? nf_tables_commit+0x381/0x540 +[ 353.375101] [] nfnetlink_rcv+0x3d8/0x4b0 +[ 353.375150] [] netlink_unicast+0x105/0x1a0 +[ 353.375200] [] netlink_sendmsg+0x32e/0x790 +[ 353.375253] [] sock_sendmsg+0x8e/0xc0 +[ 353.375300] [] ? move_addr_to_kernel.part.20+0x19/0x70 +[ 353.375357] [] ? move_addr_to_kernel+0x19/0x30 +[ 353.375410] [] ? verify_iovec+0x42/0xd0 +[ 353.375459] [] ___sys_sendmsg+0x3f0/0x400 +[ 353.375510] [] ? native_sched_clock+0x2a/0x90 +[ 353.375563] [] ? acct_account_cputime+0x17/0x20 +[ 353.375616] [] ? account_user_time+0x88/0xa0 +[ 353.375667] [] __sys_sendmsg+0x3d/0x80 +[ 353.375719] [] ? int_check_syscall_exit_work+0x34/0x3d +[ 353.375776] [] SyS_sendmsg+0xd/0x20 +[ 353.375823] [] system_call_fastpath+0x16/0x1b + +Release objects in this order: rules -> sets -> chains -> tables, to +make sure no references to chains are held anymore. + +Reported-by: Asbjoern Sloth Toennesen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -713,16 +713,12 @@ static int nft_flush_table(struct nft_ct + struct nft_chain *chain, *nc; + struct nft_set *set, *ns; + +- list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { ++ list_for_each_entry(chain, &ctx->table->chains, list) { + ctx->chain = chain; + + err = nft_delrule_by_chain(ctx); + if (err < 0) + goto out; +- +- err = nft_delchain(ctx); +- if (err < 0) +- goto out; + } + + list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { +@@ -734,6 +730,14 @@ static int nft_flush_table(struct nft_ct + if (err < 0) + goto out; + } ++ ++ list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { ++ ctx->chain = chain; ++ ++ err = nft_delchain(ctx); ++ if (err < 0) ++ goto out; ++ } + + err = nft_deltable(ctx); + out: diff --git a/queue-3.18/netfilter-nfnetlink-relax-strict-multicast-group-check-from-netlink_bind.patch b/queue-3.18/netfilter-nfnetlink-relax-strict-multicast-group-check-from-netlink_bind.patch new file mode 100644 index 00000000000..6ce70cd663b --- /dev/null +++ b/queue-3.18/netfilter-nfnetlink-relax-strict-multicast-group-check-from-netlink_bind.patch @@ -0,0 +1,34 @@ +From 62924af247e95de7041a6d6f2d06cdd05152e2dc Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 4 Jan 2015 15:20:41 +0100 +Subject: netfilter: nfnetlink: relax strict multicast group check from netlink_bind + +From: Pablo Neira Ayuso + +commit 62924af247e95de7041a6d6f2d06cdd05152e2dc upstream. + +Relax the checking that was introduced in 97840cb ("netfilter: +nfnetlink: fix insufficient validation in nfnetlink_bind") when the +subscription bitmask is used. Existing userspace code code may request +to listen to all of the existing netlink groups by setting an all to one +subscription group bitmask. Netlink already validates subscription via +setsockopt() for us. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -470,7 +470,7 @@ static int nfnetlink_bind(int group) + int type; + + if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX) +- return -EINVAL; ++ return 0; + + type = nfnl_group2type[group]; + diff --git a/queue-3.18/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch b/queue-3.18/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch new file mode 100644 index 00000000000..7b1bc3da530 --- /dev/null +++ b/queue-3.18/netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch @@ -0,0 +1,32 @@ +From 9ea2aa8b7dba9e99544c4187cc298face254569f Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 4 Jan 2015 15:20:29 +0100 +Subject: netfilter: nfnetlink: validate nfnetlink header from batch + +From: Pablo Neira Ayuso + +commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream. + +Make sure there is enough room for the nfnetlink header in the +netlink messages that are part of the batch. There is a similar +check in netlink_rcv_skb(). + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -321,7 +321,8 @@ replay: + nlh = nlmsg_hdr(skb); + err = 0; + +- if (nlh->nlmsg_len < NLMSG_HDRLEN) { ++ if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) || ++ skb->len < nlh->nlmsg_len) { + err = -EINVAL; + goto ack; + } diff --git a/queue-3.18/revert-swiotlb-xen-pass-dev_addr-to-swiotlb_tbl_unmap_single.patch b/queue-3.18/revert-swiotlb-xen-pass-dev_addr-to-swiotlb_tbl_unmap_single.patch new file mode 100644 index 00000000000..59fd0700b59 --- /dev/null +++ b/queue-3.18/revert-swiotlb-xen-pass-dev_addr-to-swiotlb_tbl_unmap_single.patch @@ -0,0 +1,34 @@ +From dbdd74763f1faf799fbb9ed30423182e92919378 Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Wed, 10 Dec 2014 14:48:43 +0000 +Subject: Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single" + +From: David Vrabel + +commit dbdd74763f1faf799fbb9ed30423182e92919378 upstream. + +This reverts commit 2c3fc8d26dd09b9d7069687eead849ee81c78e46. + +This commit broke on x86 PV because entries in the generic SWIOTLB are +indexed using (pseudo-)physical address not DMA address and these are +not the same in a x86 PV guest. + +Signed-off-by: David Vrabel +Reviewed-by: Stefano Stabellini +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/swiotlb-xen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -449,7 +449,7 @@ static void xen_unmap_single(struct devi + + /* NOTE: We use dev_addr here, not paddr! */ + if (is_xen_swiotlb_buffer(dev_addr)) { +- swiotlb_tbl_unmap_single(hwdev, dev_addr, size, dir); ++ swiotlb_tbl_unmap_single(hwdev, paddr, size, dir); + return; + } + diff --git a/queue-3.18/series b/queue-3.18/series index b21ab6dbcbf..c908c8ea311 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -47,3 +47,10 @@ x86-apic-re-enable-pci_msi-support-for-non-smp-x86_32.patch sata_dwc_460ex-fix-resource-leak-on-error-path.patch ahci_xgene-fix-the-endianess-issue-in-apm-x-gene-soc-ahci-sata-controller-driver.patch keys-close-race-between-key-lookup-and-freeing.patch +mm-get-rid-of-radix-tree-gfp-mask-for-pagecache_get_page.patch +netfilter-nfnetlink-validate-nfnetlink-header-from-batch.patch +netfilter-nf_tables-fix-flush-ruleset-chain-dependencies.patch +netfilter-nfnetlink-relax-strict-multicast-group-check-from-netlink_bind.patch +netfilter-conntrack-fix-race-between-confirmation-and-flush.patch +ipvs-uninitialized-data-with-ip_vs_ipv6.patch +revert-swiotlb-xen-pass-dev_addr-to-swiotlb_tbl_unmap_single.patch