From: Greg Kroah-Hartman Date: Tue, 7 Aug 2012 21:24:39 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.5.1~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b11538489da8eb5a191877bfe918e197131581d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: atl1c-fix-issue-of-transmit-queue-0-timed-out.patch bnx2-fix-bug-in-bnx2_free_tx_skbs.patch caif-fix-access-to-freed-pernet-memory.patch caif-fix-null-pointer-check.patch cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch gianfar-fix-potential-sk_wmem_alloc-imbalance.patch netem-add-limitation-to-reordered-packets.patch net-fix-memory-leak-vlan_info-struct.patch net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch net-tun-fix-ioctl-based-info-leaks.patch r8169-revert-add-byte-queue-limit-support.patch sch_sfb-fix-missing-null-check.patch sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch tcp-add-tcp_user_timeout-negative-value-check.patch tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch wanmain-comparing-array-with-null.patch
---
diff --git a/queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch b/queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
new file mode 100644
index 00000000000..ddce96194aa
--- /dev/null
+++ b/queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
@@ -0,0 +1,40 @@
+From 2bda4a47e439d617c9723573c4957a707074d8be Mon Sep 17 00:00:00 2001
+From: Cloud Ren
+Date: Tue, 3 Jul 2012 16:51:48 +0000
+Subject: atl1c: fix issue of transmit queue 0 timed out
+
+
+From: Cloud Ren
+
+[ Upstream commit b94e52f62683dc0b00c6d1b58b80929a078c0fd5 ]
+
+some people report atl1c could cause system hang with following
+kernel trace info:
+---------------------------------------
+WARNING: at.../net/sched/sch_generic.c:258 dev_watchdog+0x1db/0x1d0()
+...
+NETDEV WATCHDOG: eth0 (atl1c): transmit queue 0 timed out
+...
+---------------------------------------
+This is caused by netif_stop_queue calling when cable Link is down.
+So remove netif_stop_queue, because link_watch will take it over.
+
+Signed-off-by: xiong
+Cc: stable
+Signed-off-by: Cloud Ren
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -267,7 +267,6 @@ static void atl1c_check_link_status(stru
+ dev_warn(&pdev->dev, "stop mac failed\n");
+ atl1c_set_aspm(hw, false);
+ netif_carrier_off(netdev);
+- netif_stop_queue(netdev);
+ atl1c_phy_reset(hw);
+ atl1c_phy_init(&adapter->hw);
+ } else {
diff --git a/queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch b/queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
new file mode 100644
index 00000000000..14915eadec1
--- /dev/null
+++ b/queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
@@ -0,0 +1,45 @@
+From 91d75a10a7ad795a6f0009807b8086320a269d24 Mon Sep 17 00:00:00 2001
+From: Michael Chan
+Date: Tue, 10 Jul 2012 10:04:40 +0000
+Subject: bnx2: Fix bug in bnx2_free_tx_skbs().
+
+
+From: Michael Chan
+
+[ Upstream commit c1f5163de417dab01fa9daaf09a74bbb19303f3c ]
+
+In rare cases, bnx2x_free_tx_skbs() can unmap the wrong DMA address
+when it gets to the last entry of the tx ring. We were not using
+the proper macro to skip the last entry when advancing the tx index.
+
+Reported-by: Zongyun Lai
+Reviewed-by: Jeffrey Huang
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2.c
++++ b/drivers/net/ethernet/broadcom/bnx2.c
+@@ -5372,7 +5372,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+ int k, last;
+
+ if (skb == NULL) {
+- j++;
++ j = NEXT_TX_BD(j);
+ continue;
+ }
+
+@@ -5384,8 +5384,8 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+ tx_buf->skb = NULL;
+
+ last = tx_buf->nr_frags;
+- j++;
+- for (k = 0; k < last; k++, j++) {
++ j = NEXT_TX_BD(j);
++ for (k = 0; k < last; k++, j = NEXT_TX_BD(j)) {
+ tx_buf = &txr->tx_buf_ring[TX_RING_IDX(j)];
+ dma_unmap_page(&bp->pdev->dev,
+ dma_unmap_addr(tx_buf, mapping),
diff --git a/queue-3.4/caif-fix-access-to-freed-pernet-memory.patch b/queue-3.4/caif-fix-access-to-freed-pernet-memory.patch
new file mode 100644
index 00000000000..bf8f584819f
--- /dev/null
+++ b/queue-3.4/caif-fix-access-to-freed-pernet-memory.patch
@@ -0,0 +1,47 @@
+From d1e6373442e667e2a5625339b956d7774c8527e1 Mon Sep 17 00:00:00 2001
+From: Sjur Brændeland
+Date: Sun, 15 Jul 2012 10:10:14 +0000
+Subject: caif: Fix access to freed pernet memory
+
+
+From: Sjur Brændeland
+
+[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]
+
+unregister_netdevice_notifier() must be called before
+unregister_pernet_subsys() to avoid accessing already freed
+pernet memory. This fixes the following oops when doing rmmod:
+
+Call Trace:
+ [] caif_device_notify+0x4d/0x5a0 [caif]
+ [] unregister_netdevice_notifier+0xb9/0x100
+ [] caif_device_exit+0x1c/0x250 [caif]
+ [] sys_delete_module+0x1a4/0x300
+ [] ? trace_hardirqs_on_caller+0x15d/0x1e0
+ [] ? trace_hardirqs_on_thunk+0x3a/0x3
+ [] system_call_fastpath+0x1a/0x1f
+
+RIP
+ [] caif_get+0x51/0xb0 [caif]
+
+Signed-off-by: Sjur Brændeland
+Acked-by: "Eric W. Biederman"
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/caif/caif_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -562,9 +562,9 @@ static int __init caif_device_init(void)
+
+ static void __exit caif_device_exit(void)
+ {
+- unregister_pernet_subsys(&caif_net_ops);
+ unregister_netdevice_notifier(&caif_device_notifier);
+ dev_remove_pack(&caif_packet_type);
++ unregister_pernet_subsys(&caif_net_ops);
+ }
+
+ module_init(caif_device_init);
diff --git a/queue-3.4/caif-fix-null-pointer-check.patch b/queue-3.4/caif-fix-null-pointer-check.patch
new file mode 100644
index 00000000000..812daea5613
--- /dev/null
+++ b/queue-3.4/caif-fix-null-pointer-check.patch
@@ -0,0 +1,31 @@
+From 38fe7d774a34e41eaa6ef6d2676b343b6f6a862a Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Tue, 24 Jul 2012 02:42:14 +0000
+Subject: caif: fix NULL pointer check
+
+
+From: Alan Cox
+
+[ Upstream commit c66b9b7d365444b433307ebb18734757cb668a02 ]
+
+Reported-by:
+Resolves-bug: http://bugzilla.kernel.org/show_bug?44441
+Signed-off-by: Alan Cox
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/caif/caif_serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -325,6 +325,9 @@ static int ldisc_open(struct tty_struct
+
+ sprintf(name, "cf%s", tty->name);
+ dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
++ if (!dev)
++ return -ENOMEM;
++
+ ser = netdev_priv(dev);
+ ser->tty = tty_kref_get(tty);
+ ser->dev = dev;
diff --git a/queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch b/queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
new file mode 100644
index 00000000000..d9a09a934e0
--- /dev/null
+++ b/queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
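Review bot: In the caif_serial.c hunk, the context line `sprintf(name, "cf%s", tty->name);` directly above the added NULL check writes into `name` with no bound, and the declaration of `name` is outside the hunk, so its size cannot be confirmed here. If `name` is a fixed-size array, `snprintf(name, sizeof(name), "cf%s", tty->name);` would stop an unexpectedly long tty name from overrunning it. The added `if (!dev) return -ENOMEM;` itself sits before `tty_kref_get()`, so the early return drops no reference taken in the visible lines. ldisc_open() starts and ends outside the hunk.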
@@ -0,0 +1,92 @@ +From da13bdb3e4cbadb8a93970fdb2cb5fbf33a9a8cc Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 17 Jul 2012 11:07:47 +0000 +Subject: cipso: don't follow a NULL pointer when setsockopt() is called + + +From: Paul Moore + +[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ] + +As reported by Alan Cox, and verified by Lin Ming, when a user +attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL +tag the kernel dies a terrible death when it attempts to follow a NULL +pointer (the skb argument to cipso_v4_validate() is NULL when called via +the setsockopt() syscall). + +This patch fixes this by first checking to ensure that the skb is +non-NULL before using it to find the incoming network interface. In +the unlikely case where the skb is NULL and the user attempts to add +a CIPSO option with the _TAG_LOCAL tag we return an error as this is +not something we want to allow. + +A simple reproducer, kindly supplied by Lin Ming, although you must +have the CIPSO DOI #3 configure on the system first or you will be +caught early in cipso_v4_validate(): + + #include + #include + #include + #include + #include + + struct local_tag { + char type; + char length; + char info[4]; + }; + + struct cipso { + char type; + char length; + char doi[4]; + struct local_tag local; + }; + + int main(int argc, char **argv) + { + int sockfd; + struct cipso cipso = { + .type = IPOPT_CIPSO, + .length = sizeof(struct cipso), + .local = { + .type = 128, + .length = sizeof(struct local_tag), + }, + }; + + memset(cipso.doi, 0, 4); + cipso.doi[3] = 3; + + sockfd = socket(AF_INET, SOCK_DGRAM, 0); + #define SOL_IP 0 + setsockopt(sockfd, SOL_IP, IP_OPTIONS, + &cipso, sizeof(struct cipso)); + + return 0; + } + +CC: Lin Ming +Reported-by: Alan Cox +Signed-off-by: Paul Moore +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/cipso_ipv4.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_bu + case CIPSO_V4_TAG_LOCAL: + /* This is a non-standard tag that we only allow for + * local connections, so if the incoming interface is +- * not the loopback device drop the packet. */ +- if (!(skb->dev->flags & IFF_LOOPBACK)) { ++ * not the loopback device drop the packet. Further, ++ * there is no legitimate reason for setting this from ++ * userspace so reject it if skb is NULL. */ ++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) { + err_offset = opt_iter; + goto validate_return_locked; + } diff --git a/queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch b/queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch new file mode 100644 index 00000000000..7096491ad7c --- /dev/null +++ b/queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch 
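Review bot: In the cipso_ipv4.c hunk, the new condition `skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)` guards `skb` but still dereferences `skb->dev` unchecked. Whether every caller that passes a non-NULL skb has already set `skb->dev` is not visible in this hunk; if any path reaches this case without an input device, the same class of NULL dereference remains. Treating a missing device like a non-loopback one fails closed: `if (skb == NULL || skb->dev == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {`. cipso_v4_validate() starts and ends outside the hunk.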
@@ -0,0 +1,47 @@
+From a80e8d2e59d8ffa5d559c7e37005180f425095ea Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 5 Jul 2012 11:45:13 +0000
+Subject: gianfar: fix potential sk_wmem_alloc imbalance
+
+
+From: Eric Dumazet
+
+[ Upstream commit 313b037cf054ec908de92fb4c085403ffd7420d4 ]
+
+commit db83d136d7f753 (gianfar: Fix missing sock reference when
+processing TX time stamps) added a potential sk_wmem_alloc imbalance
+
+If the new skb has a different truesize than old one, we can get a
+negative sk_wmem_alloc once new skb is orphaned at TX completion.
+
+Now we no longer early orphan skbs in dev_hard_start_xmit(), this
+probably can lead to fatal bugs.
+
+Signed-off-by: Eric Dumazet
+Tested-by: Paul Gortmaker
+Cc: Manfred Rudigier
+Cc: Claudiu Manoil
+Cc: Jiajun Wu
+Cc: Andy Fleming
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/gianfar.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2065,10 +2065,9 @@ static int gfar_start_xmit(struct sk_buf
+ return NETDEV_TX_OK;
+ }
+
+- /* Steal sock reference for processing TX time stamps */
+- swap(skb_new->sk, skb->sk);
+- swap(skb_new->destructor, skb->destructor);
+- kfree_skb(skb);
++ if (skb->sk)
++ skb_set_owner_w(skb_new, skb->sk);
++ consume_skb(skb);
+ skb = skb_new;
+ }
+
diff --git a/queue-3.4/net-fix-memory-leak-vlan_info-struct.patch b/queue-3.4/net-fix-memory-leak-vlan_info-struct.patch
new file mode 100644
index 00000000000..0041bfd460b
--- /dev/null
+++ b/queue-3.4/net-fix-memory-leak-vlan_info-struct.patch
@@ -0,0 +1,39 @@
+From df19f687fe20a1dc89c5cc0ecadb0ff2019f65b2 Mon Sep 17 00:00:00 2001
+From: Amir Hanania
+Date: Mon, 9 Jul 2012 20:47:19 +0000
+Subject: net: Fix memory leak - vlan_info struct
+
+
+From: Amir Hanania
+
+[ Upstream commit efc73f4bbc238d4f579fb612c04c8e1dd8a82979 ]
+
+In driver reload test there is a memory leak.
+The structure vlan_info was not freed when the driver was removed.
+It was not released since the nr_vids var is one after last vlan was removed.
+The nr_vids is one, since vlan zero is added to the interface when the interface
+is being set, but the vlan zero is not deleted at unregister.
+Fix - delete vlan zero when we unregister the device.
+
+Signed-off-by: Amir Hanania
+Acked-by: John Fastabend
+Tested-by: Aaron Brown
+Signed-off-by: Jeff Kirsher
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -403,6 +403,9 @@ static int vlan_device_event(struct noti
+ break;
+
+ case NETDEV_DOWN:
++ if (dev->features & NETIF_F_HW_VLAN_FILTER)
++ vlan_vid_del(dev, 0);
++
+ /* Put all VLANs for this dev in the down state too. */
+ for (i = 0; i < VLAN_N_VID; i++) {
+ vlandev = vlan_group_get_device(grp, i);
diff --git a/queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch b/queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
new file mode 100644
index 00000000000..7eed6a95550
--- /dev/null
+++ b/queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
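Review bot: In the vlan.c hunk, the description says vlan zero is deleted "when we unregister the device", but the added `vlan_vid_del(dev, 0);` sits under `case NETDEV_DOWN:` in vlan_device_event(), so it runs on every down event, and nothing in the code says what it pairs with. The matching add is outside the hunk; if it is gated on the same `NETIF_F_HW_VLAN_FILTER` bit when the device comes up, a feature change while the interface is up could leave the add and the delete unbalanced, which is worth confirming. A comment above the `if`, such as `/* drop the vid 0 reference taken when the device came up, so vlan_info can be freed */`, would record the intent.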
@@ -0,0 +1,48 @@
+From 881ae72880363758105c4492c4d8bd435860d322 Mon Sep 17 00:00:00 2001
+From: Jesper Juhl
+Date: Sun, 22 Jul 2012 11:37:20 +0000
+Subject: net: Fix references to out-of-scope variables in put_cmsg_compat()
+
+
+From: Jesper Juhl
+
+[ Upstream commit 818810472b129004c16fc51bf0a570b60776bfb7 ]
+
+In net/compat.c::put_cmsg_compat() we may assign 'data' the address of
+either the 'ctv' or 'cts' local variables inside the 'if
+(!COMPAT_USE_64BIT_TIME)' branch.
+
+Those variables go out of scope at the end of the 'if' statement, so
+when we use 'data' further down in 'copy_to_user(CMSG_COMPAT_DATA(cm),
+data, cmlen - sizeof(struct compat_cmsghdr))' there's no telling what
+it may be refering to - not good.
+
+Fix the problem by simply giving 'ctv' and 'cts' function scope.
+
+Signed-off-by: Jesper Juhl
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/compat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -221,6 +221,8 @@ int put_cmsg_compat(struct msghdr *kmsg,
+ {
+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
+ struct compat_cmsghdr cmhdr;
++ struct compat_timeval ctv;
++ struct compat_timespec cts[3];
+ int cmlen;
+
+ if (cm == NULL || kmsg->msg_controllen < sizeof(*cm)) {
+@@ -229,8 +231,6 @@ int put_cmsg_compat(struct msghdr *kmsg,
+ }
+
+ if (!COMPAT_USE_64BIT_TIME) {
+- struct compat_timeval ctv;
+- struct compat_timespec cts[3];
+ if (level == SOL_SOCKET && type == SCM_TIMESTAMP) {
+ struct timeval *tv = (struct timeval *)data;
+ ctv.tv_sec = tv->tv_sec;
diff --git a/queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch b/queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
new file mode 100644
index 00000000000..465d8d4d2ed
--- /dev/null
+++ b/queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
@@ -0,0 +1,57 @@
+From 56df7d65ac82e3f82208d7acd456e05f4f0b5a4d Mon Sep 17 00:00:00 2001
+From: Jiri Benc
+Date: Fri, 27 Jul 2012 02:58:22 +0000
+Subject: net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling
+
+
+From: Jiri Benc
+
+[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]
+
+When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI
+flags are handled specially. Function dev_change_flags sets IFF_PROMISC and
+IFF_ALLMULTI bits in dev->gflags according to the passed value but
+do_setlink passes a result of rtnl_dev_combine_flags which takes those bits
+from dev->flags.
+
+This can be easily trigerred by doing:
+
+tcpdump -i eth0 &
+ip l s up eth0
+
+ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with
+IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set
+IFF_PROMISC in gflags.
+
+Reported-by: Max Matveev
+Signed-off-by: Jiri Benc
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -671,6 +671,12 @@ static void set_operstate(struct net_dev
+ }
+ }
+
++static unsigned int rtnl_dev_get_flags(const struct net_device *dev)
++{
++ return (dev->flags & ~(IFF_PROMISC | IFF_ALLMULTI)) |
++ (dev->gflags & (IFF_PROMISC | IFF_ALLMULTI));
++}
++
+ static unsigned int rtnl_dev_combine_flags(const struct net_device *dev,
+ const struct ifinfomsg *ifm)
+ {
+@@ -679,7 +685,7 @@ static unsigned int rtnl_dev_combine_fla
+ /* bugwards compatibility: ifi_change == 0 is treated as ~0 */
+ if (ifm->ifi_change)
+ flags = (flags & ifm->ifi_change) |
+- (dev->flags & ~ifm->ifi_change);
++ (rtnl_dev_get_flags(dev) & ~ifm->ifi_change);
+
+ return flags;
+ }
diff --git a/queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch b/queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch
new file mode 100644
index 00000000000..c09829f55d2
--- /dev/null
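Review bot: In the rtnetlink.c hunk, the new helper rtnl_dev_get_flags() carries no comment saying why IFF_PROMISC and IFF_ALLMULTI are read from `dev->gflags` while every other bit comes from `dev->flags`, which is the entire reason the helper exists. Without it, the two masks look like an arbitrary shuffle and are easy to "simplify" back into the original bug. A one-line header such as `/* IFF_PROMISC and IFF_ALLMULTI as requested by userspace (gflags); all other bits from dev->flags */` would make the contract explicit for the caller in rtnl_dev_combine_flags().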
+++ b/queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch
@@ -0,0 +1,39 @@
+From ae4531f8cbfc6d2c5ca25c0f093630a01a9726ed Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sun, 29 Jul 2012 19:45:14 +0000
+Subject: net/tun: fix ioctl() based info leaks
+
+
+From: Mathias Krause
+
+[ Upstream commits a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc
+ and 8bbb181308bc348e02bfdbebdedd4e4ec9d452ce ]
+
+The tun module leaks up to 36 bytes of memory by not fully initializing
+a structure located on the stack that gets copied to user memory by the
+TUNGETIFF and SIOCGIFHWADDR ioctl()s.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1255,10 +1255,12 @@ static long __tun_chr_ioctl(struct file
+ int vnet_hdr_sz;
+ int ret;
+
+- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, ifreq_len))
+ return -EFAULT;
+-
++ } else {
++ memset(&ifr, 0, sizeof(ifr));
++ }
+ if (cmd == TUNGETFEATURES) {
+ /* Currently this just means: "what IFF flags are valid?".
+ * This is needed because we never checked for invalid flags on
diff --git a/queue-3.4/netem-add-limitation-to-reordered-packets.patch b/queue-3.4/netem-add-limitation-to-reordered-packets.patch
new file mode 100644
index 00000000000..5f69f901bbc
--- /dev/null
+++ b/queue-3.4/netem-add-limitation-to-reordered-packets.patch
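Review bot: In the tun.c hunk, the added `memset(&ifr, 0, sizeof(ifr));` runs only on the `else` branch; on the copy_from_user() branch only `ifreq_len` bytes of `ifr` are written, so if `ifreq_len` can be smaller than `sizeof(ifr)` the tail of the structure is still uninitialised stack. Whether those bytes can reach userspace depends on the copy_to_user() calls outside the hunk, so this is hardening rather than a confirmed leak. Zeroing unconditionally, with `memset(&ifr, 0, sizeof(ifr));` placed ahead of the `if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)`, removes the dependence on which branch ran. __tun_chr_ioctl() starts and ends outside the hunk.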
@@ -0,0 +1,118 @@ +From 61de5110ac1a66ae39907b4c509e694988a3bb05 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 3 Jul 2012 20:55:21 +0000 +Subject: netem: add limitation to reordered packets + + +From: Eric Dumazet + +[ Upstream commit 960fb66e520a405dde39ff883f17ff2669c13d85 ] + +Fix two netem bugs : + +1) When a frame was dropped by tfifo_enqueue(), drop counter + was incremented twice. + +2) When reordering is triggered, we enqueue a packet without + checking queue limit. This can OOM pretty fast when this + is repeated enough, since skbs are orphaned, no socket limit + can help in this situation. + +Signed-off-by: Eric Dumazet +Cc: Mark Gordon +Cc: Andreas Terzis +Cc: Yuchung Cheng +Cc: Hagen Paul Pfeifer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 42 +++++++++++++++--------------------------- + 1 file changed, 15 insertions(+), 27 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -329,29 +329,22 @@ static psched_time_t packet_len_2_sched_ + return PSCHED_NS2TICKS(ticks); + } + +-static int tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) ++static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) + { + struct sk_buff_head *list = &sch->q; + psched_time_t tnext = netem_skb_cb(nskb)->time_to_send; +- struct sk_buff *skb; ++ struct sk_buff *skb = skb_peek_tail(list); + +- if (likely(skb_queue_len(list) < sch->limit)) { +- skb = skb_peek_tail(list); +- /* Optimize for add at tail */ +- if (likely(!skb || tnext >= netem_skb_cb(skb)->time_to_send)) +- return qdisc_enqueue_tail(nskb, sch); +- +- skb_queue_reverse_walk(list, skb) { +- if (tnext >= netem_skb_cb(skb)->time_to_send) +- break; +- } ++ /* Optimize for add at tail */ ++ if (likely(!skb || tnext >= netem_skb_cb(skb)->time_to_send)) ++ return __skb_queue_tail(list, nskb); + +- __skb_queue_after(list, skb, nskb); +- sch->qstats.backlog += qdisc_pkt_len(nskb); +- return NET_XMIT_SUCCESS; ++ 
skb_queue_reverse_walk(list, skb) { ++ if (tnext >= netem_skb_cb(skb)->time_to_send) ++ break; + } + +- return qdisc_reshape_fail(nskb, sch); ++ __skb_queue_after(list, skb, nskb); + } + + /* +@@ -366,7 +359,6 @@ static int netem_enqueue(struct sk_buff + /* We don't fill cb now as skb_unshare() may invalidate it */ + struct netem_skb_cb *cb; + struct sk_buff *skb2; +- int ret; + int count = 1; + + /* Random duplication */ +@@ -414,6 +406,11 @@ static int netem_enqueue(struct sk_buff + skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8); + } + ++ if (unlikely(skb_queue_len(&sch->q) >= sch->limit)) ++ return qdisc_reshape_fail(skb, sch); ++ ++ sch->qstats.backlog += qdisc_pkt_len(skb); ++ + cb = netem_skb_cb(skb); + if (q->gap == 0 || /* not doing reordering */ + q->counter < q->gap - 1 || /* inside last reordering gap */ +@@ -445,7 +442,7 @@ static int netem_enqueue(struct sk_buff + + cb->time_to_send = now + delay; + ++q->counter; +- ret = tfifo_enqueue(skb, sch); ++ tfifo_enqueue(skb, sch); + } else { + /* + * Do re-ordering by putting one out of N packets at the front +@@ -455,16 +452,7 @@ static int netem_enqueue(struct sk_buff + q->counter = 0; + + __skb_queue_head(&sch->q, skb); +- sch->qstats.backlog += qdisc_pkt_len(skb); + sch->qstats.requeues++; +- ret = NET_XMIT_SUCCESS; +- } +- +- if (ret != NET_XMIT_SUCCESS) { +- if (net_xmit_drop_count(ret)) { +- sch->qstats.drops++; +- return ret; +- } + } + + return NET_XMIT_SUCCESS; diff --git a/queue-3.4/r8169-revert-add-byte-queue-limit-support.patch b/queue-3.4/r8169-revert-add-byte-queue-limit-support.patch new file mode 100644 index 00000000000..b50bd4a9e28 --- /dev/null +++ b/queue-3.4/r8169-revert-add-byte-queue-limit-support.patch 
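Review bot: In the sch_netem.c patch, tfifo_enqueue() is changed to return `void` but its fast path still reads `return __skb_queue_tail(list, nskb);`, a return statement with an expression inside a void function. ISO C does not permit that form; GCC accepts it as an extension, but it is flagged by pedantic builds and reads as if a status were still being propagated. Bracing the branch as `__skb_queue_tail(list, nskb); return;` says what is meant. Since the queue-limit check and backlog accounting now happen only in netem_enqueue(), a comment on tfifo_enqueue() such as `/* caller has already checked sch->limit and accounted the backlog */` would document the new contract for any future caller.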
@@ -0,0 +1,92 @@ +From 0269a4e38c90050f8b704137a5fa8fc44178aa50 Mon Sep 17 00:00:00 2001 +From: Francois Romieu +Date: Mon, 23 Jul 2012 22:55:55 +0200 +Subject: r8169: revert "add byte queue limit support". + + +From: Francois Romieu + +[ Upstream commit 17bcb684f08649a2ab6a7dcd8288332e72d208f1 ] + +This reverts commit 036dafa28da1e2565a8529de2ae663c37b7a0060. + +First it appears in bisection, then reverting it solves the usual +netdev watchdog problem for different people. I don't have a proper +fix yet so get rid of it. + +Bisected-and-reported-by: Alex Villacís Lasso +Signed-off-by: Francois Romieu +Cc: Josh Boyer +Cc: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5000,7 +5000,6 @@ static void rtl8169_tx_clear(struct rtl8 + { + rtl8169_tx_clear_range(tp, tp->dirty_tx, NUM_TX_DESC); + tp->cur_tx = tp->dirty_tx = 0; +- netdev_reset_queue(tp->dev); + } + + static void rtl_reset_work(struct rtl8169_private *tp) +@@ -5155,8 +5154,6 @@ static netdev_tx_t rtl8169_start_xmit(st + + txd->opts2 = cpu_to_le32(opts[1]); + +- netdev_sent_queue(dev, skb->len); +- + skb_tx_timestamp(skb); + + wmb(); +@@ -5253,16 +5250,9 @@ static void rtl8169_pcierr_interrupt(str + rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING); + } + +-struct rtl_txc { +- int packets; +- int bytes; +-}; +- + static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp) + { +- struct rtl8169_stats *tx_stats = &tp->tx_stats; + unsigned int dirty_tx, tx_left; +- struct rtl_txc txc = { 0, 0 }; + + dirty_tx = tp->dirty_tx; + smp_rmb(); +@@ -5281,24 +5271,17 @@ static void rtl_tx(struct net_device *de + rtl8169_unmap_tx_skb(&tp->pci_dev->dev, tx_skb, + tp->TxDescArray + entry); + if (status & LastFrag) { +- struct sk_buff *skb = tx_skb->skb; +- +- 
txc.packets++; +- txc.bytes += skb->len; +- dev_kfree_skb(skb); ++ u64_stats_update_begin(&tp->tx_stats.syncp); ++ tp->tx_stats.packets++; ++ tp->tx_stats.bytes += tx_skb->skb->len; ++ u64_stats_update_end(&tp->tx_stats.syncp); ++ dev_kfree_skb(tx_skb->skb); + tx_skb->skb = NULL; + } + dirty_tx++; + tx_left--; + } + +- u64_stats_update_begin(&tx_stats->syncp); +- tx_stats->packets += txc.packets; +- tx_stats->bytes += txc.bytes; +- u64_stats_update_end(&tx_stats->syncp); +- +- netdev_completed_queue(dev, txc.packets, txc.bytes); +- + if (tp->dirty_tx != dirty_tx) { + tp->dirty_tx = dirty_tx; + /* Sync with rtl8169_start_xmit: diff --git a/queue-3.4/sch_sfb-fix-missing-null-check.patch b/queue-3.4/sch_sfb-fix-missing-null-check.patch new file mode 100644 index 00000000000..52f36ff5512 --- /dev/null +++ b/queue-3.4/sch_sfb-fix-missing-null-check.patch @@ -0,0 +1,31 @@ +From 8ccf8eccc2efdfd6e081890a5c117360aeffd48b Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Thu, 12 Jul 2012 03:39:11 +0000 +Subject: sch_sfb: Fix missing NULL check + + +From: Alan Cox + +[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ] + +Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461 + +Signed-off-by: Alan Cox +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_sfb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -570,6 +570,8 @@ static int sfb_dump(struct Qdisc *sch, s + + sch->qstats.backlog = q->qdisc->qstats.backlog; + opts = nla_nest_start(skb, TCA_OPTIONS); ++ if (opts == NULL) ++ goto nla_put_failure; + NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt); + return nla_nest_end(skb, opts); + diff --git a/queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch b/queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch new file mode 100644 index 00000000000..0fd4e85fde7 --- /dev/null 
+++ b/queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch 
@@ -0,0 +1,183 @@ +From 6f5bee7370837f3aa55cbd8eb53059fba5b9e276 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Mon, 16 Jul 2012 09:13:51 +0000 +Subject: sctp: Fix list corruption resulting from freeing an association on a list + + +From: Neil Horman + +[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ] + +A few days ago Dave Jones reported this oops: + +[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP +[22766.295376] CPU 0 +[22766.295384] Modules linked in: +[22766.387137] ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90 +ffff880147c03a74 +[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000 +[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000, +[22766.387137] Stack: +[22766.387140] ffff880147c03a10 +[22766.387140] ffffffffa169f2b6 +[22766.387140] ffff88013ed95728 +[22766.387143] 0000000000000002 +[22766.387143] 0000000000000000 +[22766.387143] ffff880003fad062 +[22766.387144] ffff88013c120000 +[22766.387144] +[22766.387145] Call Trace: +[22766.387145] +[22766.387150] [] ? __sctp_lookup_association+0x62/0xd0 +[sctp] +[22766.387154] [] __sctp_lookup_association+0x86/0xd0 [sctp] +[22766.387157] [] sctp_rcv+0x207/0xbb0 [sctp] +[22766.387161] [] ? trace_hardirqs_off_caller+0x28/0xd0 +[22766.387163] [] ? nf_hook_slow+0x133/0x210 +[22766.387166] [] ? ip_local_deliver_finish+0x4c/0x4c0 +[22766.387168] [] ip_local_deliver_finish+0x18d/0x4c0 +[22766.387169] [] ? ip_local_deliver_finish+0x4c/0x4c0 +[22766.387171] [] ip_local_deliver+0x47/0x80 +[22766.387172] [] ip_rcv_finish+0x150/0x680 +[22766.387174] [] ip_rcv+0x214/0x320 +[22766.387176] [] __netif_receive_skb+0x7b7/0x910 +[22766.387178] [] ? __netif_receive_skb+0x11c/0x910 +[22766.387180] [] ? put_lock_stats.isra.25+0xe/0x40 +[22766.387182] [] netif_receive_skb+0x23/0x1f0 +[22766.387183] [] ? 
dev_gro_receive+0x139/0x440 +[22766.387185] [] napi_skb_finish+0x70/0xa0 +[22766.387187] [] napi_gro_receive+0xf5/0x130 +[22766.387218] [] e1000_receive_skb+0x59/0x70 [e1000e] +[22766.387242] [] e1000_clean_rx_irq+0x28b/0x460 [e1000e] +[22766.387266] [] e1000e_poll+0x78/0x430 [e1000e] +[22766.387268] [] net_rx_action+0x1aa/0x3d0 +[22766.387270] [] ? account_system_vtime+0x10f/0x130 +[22766.387273] [] __do_softirq+0xe0/0x420 +[22766.387275] [] call_softirq+0x1c/0x30 +[22766.387278] [] do_softirq+0xd5/0x110 +[22766.387279] [] irq_exit+0xd5/0xe0 +[22766.387281] [] do_IRQ+0x63/0xd0 +[22766.387283] [] common_interrupt+0x6f/0x6f +[22766.387283] +[22766.387284] +[22766.387285] [] ? retint_swapgs+0x13/0x1b +[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48 +89 e5 48 83 +ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 <0f> b7 87 98 00 00 00 +48 89 fb +49 89 f5 66 c1 c0 08 66 39 46 02 +[22766.387307] +[22766.387307] RIP +[22766.387311] [] sctp_assoc_is_match+0x19/0x90 [sctp] +[22766.387311] RSP +[22766.387142] ffffffffa16ab120 +[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]--- +[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt + +It appears from his analysis and some staring at the code that this is likely +occuring because an association is getting freed while still on the +sctp_assoc_hashtable. As a result, we get a gpf when traversing the hashtable +while a freed node corrupts part of the list. + +Nominally I would think that an mibalanced refcount was responsible for this, +but I can't seem to find any obvious imbalance. What I did note however was +that the two places where we create an association using +sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths +which free a newly created association after calling sctp_primitive_ASSOCIATE. 
+sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which +issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to +the aforementioned hash table. the sctp command interpreter that process side +effects has not way to unwind previously processed commands, so freeing the +association from the __sctp_connect or sctp_sendmsg error path would lead to a +freed association remaining on this hash table. + +I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init, +which allows us to proerly use hlist_unhashed to check if the node is on a +hashlist safely during a delete. That in turn alows us to safely call +sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths +before freeing them, regardles of what the associations state is on the hash +list. + +I noted, while I was doing this, that the __sctp_unhash_endpoint was using +hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes +pointers to make that function work properly, so I fixed that up in a simmilar +fashion. + +I attempted to test this using a virtual guest running the SCTP_RR test from +netperf in a loop while running the trinity fuzzer, both in a loop. I wasn't +able to recreate the problem prior to this fix, nor was I able to trigger the +failure after (neither of which I suppose is suprising). Given the trace above +however, I think its likely that this is what we hit. + +Signed-off-by: Neil Horman +Reported-by: davej@redhat.com +CC: davej@redhat.com +CC: "David S. Miller" +CC: Vlad Yasevich +CC: Sridhar Samudrala +CC: linux-sctp@vger.kernel.org +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/input.c | 7 ++----- + net/sctp/socket.c | 12 ++++++++++-- + 2 files changed, 12 insertions(+), 7 deletions(-) + +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -736,15 +736,12 @@ static void __sctp_unhash_endpoint(struc + + epb = &ep->base; + +- if (hlist_unhashed(&epb->node)) +- return; +- + epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); + + head = &sctp_ep_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +@@ -825,7 +822,7 @@ static void __sctp_unhash_established(st + head = &sctp_assoc_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1231,8 +1231,14 @@ out_free: + SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p" + " kaddrs: %p err: %d\n", + asoc, kaddrs, err); +- if (asoc) ++ if (asoc) { ++ /* sctp_primitive_ASSOCIATE may have added this association ++ * To the hash table, try to unhash it, just in case, its a noop ++ * if it wasn't hashed so we're safe ++ */ ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + return err; + } + +@@ -1942,8 +1948,10 @@ SCTP_STATIC int sctp_sendmsg(struct kioc + goto out_unlock; + + out_free: +- if (new_asoc) ++ if (new_asoc) { ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + out_unlock: + sctp_release_sock(sk); + diff --git a/queue-3.4/series b/queue-3.4/series index ad040545f13..ecc2d114d9e 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
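Review bot: In the socket.c part of the sctp patch, the `out_free:` path of sctp_sendmsg() gains `sctp_unhash_established(asoc);` with no comment, while the equivalent block in __sctp_connect() explains that sctp_primitive_ASSOCIATE may already have hashed the association. The sendmsg block is also guarded by `new_asoc` but operates on `asoc`; that the two refer to the same object at this point is established outside the hunk. A matching comment, for example `/* may already be hashed by sctp_primitive_ASSOCIATE; unhash before freeing */`, would keep the two error paths consistent. Both comments rely on the unhash being a no-op for a never-hashed association, which depends on the node being initialised as unhashed at allocation, code that is not visible in these hunks.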
@@ -74,3 +74,21 @@ ext4-fix-overhead-calculation-used-by-ext4_statfs.patch
 ext4-fix-hole-punch-failure-when-depth-is-greater-than-0.patch
 ext4-don-t-let-i_reserved_meta_blocks-go-negative.patch
 ext4-undo-ext4_calc_metadata_amount-if-we-fail-to-claim-space.patch
+atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
+netem-add-limitation-to-reordered-packets.patch
+gianfar-fix-potential-sk_wmem_alloc-imbalance.patch
+net-fix-memory-leak-vlan_info-struct.patch
+bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
+sch_sfb-fix-missing-null-check.patch
+sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch
+caif-fix-access-to-freed-pernet-memory.patch
+cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
+net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
+r8169-revert-add-byte-queue-limit-support.patch
+caif-fix-null-pointer-check.patch
+wanmain-comparing-array-with-null.patch
+tcp-add-tcp_user_timeout-negative-value-check.patch
+usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
+net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
+tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
+net-tun-fix-ioctl-based-info-leaks.patch
diff --git a/queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch b/queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch
new file mode 100644
index 00000000000..5a45cba0852
--- /dev/null
+++ b/queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch
@@ -0,0 +1,37 @@
+From a89ac47dc392484140f0f41d6372141f1e05a159 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Thu, 26 Jul 2012 22:52:21 +0000
+Subject: tcp: Add TCP_USER_TIMEOUT negative value check
+
+
+From: Hangbin Liu
+
+[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]
+
+TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But
+patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative
+values. If a user assign -1 to it, the socket will set successfully and wait
+for 4294967295 miliseconds. This patch add a negative value check to avoid
+this issue.
+
+Signed-off-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2408,7 +2408,10 @@ static int do_tcp_setsockopt(struct sock
+ /* Cap the max timeout in ms TCP will retry/retrans
+ * before giving up and aborting (ETIMEDOUT) a connection.
+ */
+- icsk->icsk_user_timeout = msecs_to_jiffies(val);
++ if (val < 0)
++ err = -EINVAL;
++ else
++ icsk->icsk_user_timeout = msecs_to_jiffies(val);
+ break;
+ default:
+ err = -ENOPROTOOPT;
diff --git a/queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch b/queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
new file mode 100644
index 00000000000..7d211957451
--- /dev/null
+++ b/queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
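Review bot: The comment above the assignment in the TCP_USER_TIMEOUT branch still describes only the cap and says nothing about the input range that the added `if (val < 0)` now enforces. The commit message describes the option as taking an unsigned int, while the check treats `val` as signed, so a reader could mistake the test for dead code. I would extend the existing comment with ` * Negative values are rejected with -EINVAL instead of being converted to a very large timeout.` do_tcp_setsockopt() starts and ends outside the hunk, so how `err` reaches the caller is not visible here.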
@@ -0,0 +1,54 @@
+From 5e837fb360c207e0839fdd38bbf7ec175192bd29 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Fri, 27 Jul 2012 10:38:50 +0000
+Subject: tcp: perform DMA to userspace only if there is a task waiting for it
+
+
+From: Jiri Kosina
+
+[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]
+
+Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
+added support for receive offloading to IOAT dma engine if available.
+
+The code in tcp_rcv_established() tries to perform early DMA copy if
+applicable. It however does so without checking whether the userspace
+task is actually expecting the data in the buffer.
+
+This is not a problem under normal circumstances, but there is a corner
+case where this doesn't work -- and that's when MSG_TRUNC flag to
+recvmsg() is used.
+
+If the IOAT dma engine is not used, the code properly checks whether
+there is a valid ucopy.task and the socket is owned by userspace, but
+misses the check in the dmaengine case.
+
+This problem can be observed in real trivially -- for example 'tbench' is a
+good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
+IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
+have been already early-copied in tcp_rcv_established() using dma engine.
+
+This patch introduces the same check we are performing in the simple
+iovec copy case to the IOAT case as well. It fixes the indefinite
+recvmsg(MSG_TRUNC) hangs.
+
+Signed-off-by: Jiri Kosina
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5441,7 +5441,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tp->copied_seq == tp->rcv_nxt &&
+ len - tcp_header_len <= tp->ucopy.len) {
+ #ifdef CONFIG_NET_DMA
+- if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
++ if (tp->ucopy.task == current &&
++ sock_owned_by_user(sk) &&
++ tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
+ copied_early = 1;
+ eaten = 1;
+ }
diff --git a/queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch b/queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
new file mode 100644
index 00000000000..87eddc362ef
--- /dev/null
+++ b/queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
@@ -0,0 +1,38 @@
+From 780bb6dee5412fb52cfeb6bc45cf8b6884bda16f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 27 Jul 2012 01:46:51 +0000
+Subject: USB: kaweth.c: use GFP_ATOMIC under spin_lock
+
+
+From: Dan Carpenter
+
+[ Upstream commit e4c7f259c5be99dcfc3d98f913590663b0305bf8 ]
+
+The problem is that we call this with a spin lock held. The call tree
+is:
+ kaweth_start_xmit() holds kaweth->device_lock.
+ -> kaweth_async_set_rx_mode()
+ -> kaweth_control()
+ -> kaweth_internal_control_msg()
+
+The kaweth_internal_control_msg() function is only called from
+kaweth_control() which used GFP_ATOMIC for its allocations.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/kaweth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1302,7 +1302,7 @@ static int kaweth_internal_control_msg(s
+ int retv;
+ int length = 0; /* shut up GCC */
+
+- urb = usb_alloc_urb(0, GFP_NOIO);
++ urb = usb_alloc_urb(0, GFP_ATOMIC);
+ if (!urb)
+ return -ENOMEM;
+
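Review bot: The condition added under `#ifdef CONFIG_NET_DMA` in tcp_rcv_established() carries no comment saying why the task and socket-ownership tests must precede tcp_dma_try_early_copy(). The commit message gives the reason (an early DMA copy with no reader waiting leaves recvmsg(MSG_TRUNC) blocked in sk_wait_data()), but that is lost at the call site. I would add `/* Early-copy only when the current task is the reader that owns the socket, as the non-DMA copy path does. */` above the `if`. The non-DMA check the message refers to is outside this hunk, so the two conditions are presumably duplicated and worth keeping in step.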
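Review bot: The switch to `GFP_ATOMIC` in kaweth_internal_control_msg() is not explained at the allocation, and nothing near the call tells a reader that the function can run with kaweth->device_lock held. I would add `/* Can be reached from kaweth_start_xmit() under kaweth->device_lock, so this must not sleep. */` above the usb_alloc_urb() call. The rest of the function is outside the hunk, so whether its later steps are also safe in atomic context cannot be confirmed from here and should be checked against the same call tree.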
diff --git a/queue-3.4/wanmain-comparing-array-with-null.patch b/queue-3.4/wanmain-comparing-array-with-null.patch
new file mode 100644
index 00000000000..1d09b68ed67
--- /dev/null
+++ b/queue-3.4/wanmain-comparing-array-with-null.patch
@@ -0,0 +1,82 @@
+From 2c0d1d0fa3e03ad99738d44186c42d3585acabd3 Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Tue, 24 Jul 2012 08:16:25 +0000
+Subject: wanmain: comparing array with NULL
+
+
+From: Alan Cox
+
+[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]
+
+gcc really should warn about these !
+
+Signed-off-by: Alan Cox
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wanrouter/wanmain.c | 53 +++++++++++++++++++++---------------------------
+ 1 file changed, 24 insertions(+), 29 deletions(-)
+
+--- a/net/wanrouter/wanmain.c
++++ b/net/wanrouter/wanmain.c
+@@ -602,36 +602,31 @@ static int wanrouter_device_new_if(struc
+ * successfully, add it to the interface list.
+ */
+
+- if (dev->name == NULL) {
+- err = -EINVAL;
+- } else {
+-
+- #ifdef WANDEBUG
+- printk(KERN_INFO "%s: registering interface %s...\n",
+- wanrouter_modname, dev->name);
+- #endif
+-
+- err = register_netdev(dev);
+- if (!err) {
+- struct net_device *slave = NULL;
+- unsigned long smp_flags=0;
+-
+- lock_adapter_irq(&wandev->lock, &smp_flags);
+-
+- if (wandev->dev == NULL) {
+- wandev->dev = dev;
+- } else {
+- for (slave=wandev->dev;
+- DEV_TO_SLAVE(slave);
+- slave = DEV_TO_SLAVE(slave))
+- DEV_TO_SLAVE(slave) = dev;
+- }
+- ++wandev->ndev;
+-
+- unlock_adapter_irq(&wandev->lock, &smp_flags);
+- err = 0; /* done !!! */
+- goto out;
++#ifdef WANDEBUG
++ printk(KERN_INFO "%s: registering interface %s...\n",
++ wanrouter_modname, dev->name);
++#endif
++
++ err = register_netdev(dev);
++ if (!err) {
++ struct net_device *slave = NULL;
++ unsigned long smp_flags=0;
++
++ lock_adapter_irq(&wandev->lock, &smp_flags);
++
++ if (wandev->dev == NULL) {
++ wandev->dev = dev;
++ } else {
++ for (slave=wandev->dev;
++ DEV_TO_SLAVE(slave);
++ slave = DEV_TO_SLAVE(slave))
++ DEV_TO_SLAVE(slave) = dev;
+ }
++ ++wandev->ndev;
++
++ unlock_adapter_irq(&wandev->lock, &smp_flags);
++ err = 0; /* done !!!
*/
++ goto out;
+ }
+ if (wandev->del_if)
+ wandev->del_if(wandev, dev);
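Review bot: The re-indented `for` loop that walks the slave list in wanrouter_device_new_if() keeps `DEV_TO_SLAVE(slave) = dev;` as its loop body, so the assignment runs only for nodes that already have a slave link and never at the tail. If DEV_TO_SLAVE() yields the next-interface pointer (its definition is not in the hunk), a new interface is not linked when the first device has no slave, and an existing link is overwritten otherwise; the commit carries this over unchanged from the old side. The intended append is probably an empty loop followed by the assignment: `for (slave = wandev->dev; DEV_TO_SLAVE(slave); slave = DEV_TO_SLAVE(slave))`, `;`, then `DEV_TO_SLAVE(slave) = dev;`. The function starts and ends outside the hunk.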