From: Greg Kroah-Hartman
Date: Wed, 24 Jul 2013 17:53:29 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.10.3~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a631bf233a36d90ef09f49bb84cbe6a860846c22;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
af_key-fix-info-leaks-in-notify-messages.patch
atl1e-fix-dma-mapping-warnings.patch
atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
bridge-fix-switched-interval-for-mld-query-types.patch
dummy-fix-oops-when-loading-the-dummy-failed.patch
ifb-fix-oops-when-loading-the-ifb-failed.patch
ifb-fix-rcu_sched-self-detected-stalls.patch
ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch
ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch
l2tp-add-missing-.owner-to-struct-pppox_proto.patch
macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch
macvtap-fix-recovery-from-gup-errors.patch
neighbour-fix-a-race-in-neigh_destroy.patch
net-swap-ver-and-type-in-pppoe_hdr.patch
net-tg3-avoid-delay-during-mmio-access.patch
sh_eth-fix-unhandled-rfe-interrupt.patch
sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
vlan-fix-a-race-in-egress-prio-management.patch
x25-fix-broken-locking-in-ioctl-error-paths.patch
---
diff --git a/queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch b/queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
new file mode 100644
index 00000000000..ad0fd1c3256
--- /dev/null
+++ b/queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch 
@@ -0,0 +1,76 @@
+From a5b6aee89011b07fc499c791d6cff9361d895c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jul 2013 13:16:54 -0400
+Subject: 9p: fix off by one causing access violations and memory corruption
+
+From: Sasha Levin
+
+[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ]
+
+p9_release_pages() would attempt to dereference one value past the end of
+pages[]. This would cause the following crashes:
+
+[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
+[ 6293.174146] IP: [] p9_release_pages+0x3b/0x60
+[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
+[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+[ 6293.180060] Modules linked in:
+[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954
+[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
+[ 6293.180060] RIP: 0010:[] [] p9_release_pages+0x3b/0x60
+[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202
+[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
+[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
+[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
+[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
+[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
+[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
+[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
+[ 6293.256784] Stack:
+[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
+[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
+[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
+[ 6293.256784] Call Trace:
+[ 6293.256784] [] p9_virtio_zc_request+0x598/0x630
+[ 6293.256784] [] ? wake_up_bit+0x40/0x40
+[ 6293.256784] [] p9_client_zc_rpc+0x111/0x3a0
+[ 6293.256784] [] ? sched_clock_cpu+0x108/0x120
+[ 6293.256784] [] p9_client_read+0xe1/0x2c0
+[ 6293.256784] [] v9fs_file_read+0x90/0xc0
+[ 6293.256784] [] vfs_read+0xc3/0x130
+[ 6293.256784] [] ? trace_hardirqs_on+0xd/0x10
+[ 6293.256784] [] SyS_read+0x62/0xa0
+[ 6293.256784] [] tracesys+0xdd/0xe2
+[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
+[ 6293.256784] RIP [] p9_release_pages+0x3b/0x60
+[ 6293.256784] RSP
+[ 6293.256784] CR2: ffff8807c96f3000
+[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---
+
+Signed-off-by: Sasha Levin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/9p/trans_common.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -24,11 +24,11 @@
+ */
+ void p9_release_pages(struct page **pages, int nr_pages)
+ {
+- int i = 0;
+- while (pages[i] && nr_pages--) {
+- put_page(pages[i]);
+- i++;
+- }
++ int i;
++
++ for (i = 0; i < nr_pages; i++)
++ if (pages[i])
++ put_page(pages[i]);
+ }
+ EXPORT_SYMBOL(p9_release_pages);
+
diff --git a/queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch b/queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch
new file mode 100644
index 00000000000..23269581718
--- /dev/null
+++ b/queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch
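Review bot: The rewritten loop in p9_release_pages() no longer stops at the first NULL entry; it visits every slot up to nr_pages and only skips NULLs, so each of those slots must now hold either a valid page pointer or NULL. The callers are outside this hunk, so it is worth confirming that they pass the number of pages actually pinned (or a zeroed array) rather than the array capacity, otherwise put_page() could be called on a stale pointer. The comment block above the function, which starts outside the hunk, should state the new contract, e.g. `* NULL entries are skipped; all nr_pages slots must be initialised.`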
@@ -0,0 +1,41 @@
+From 2e95b29e6a3034847536cd937448341ac952c612 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Wed, 26 Jun 2013 23:52:30 +0200
+Subject: af_key: fix info leaks in notify messages
+
+From: Mathias Krause
+
+[ Upstream commit a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 ]
+
+key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+the sadb_msg_reserved member of the broadcasted message and thereby
+leak 2 bytes of heap memory to listeners. Fix that.
+
+Signed-off-by: Mathias Krause
+Cc: Steffen Klassert
+Cc: "David S. Miller"
+Cc: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/key/af_key.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1705,6 +1705,7 @@ static int key_notify_sa_flush(const str
+ hdr->sadb_msg_version = PF_KEY_V2;
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++ hdr->sadb_msg_reserved = 0;
+
+ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+
+@@ -2686,6 +2687,7 @@ static int key_notify_policy_flush(const
+ hdr->sadb_msg_version = PF_KEY_V2;
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++ hdr->sadb_msg_reserved = 0;
+ pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ return 0;
+
diff --git a/queue-3.4/atl1e-fix-dma-mapping-warnings.patch b/queue-3.4/atl1e-fix-dma-mapping-warnings.patch
new file mode 100644
index 00000000000..4a36ed0d9f5
--- /dev/null
+++ b/queue-3.4/atl1e-fix-dma-mapping-warnings.patch
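Review bot: Assigning `hdr->sadb_msg_reserved = 0;` in key_notify_sa_flush() and key_notify_policy_flush() closes this leak one member at a time, which leaves the same class of bug open the next time a field or padding is added to struct sadb_msg. Zeroing the header once where it is obtained, `memset(hdr, 0, sizeof(*hdr));`, would make both functions safe by construction; the code that produces hdr is above both hunks, so that is presumably where it belongs. Any other notify path in af_key.c that fills a struct sadb_msg member by member is not visible here and deserves the same check.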
@@ -0,0 +1,150 @@
+From 0de186aaa4fe5c05d1485ea2457c4f8d52609a50 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Fri, 12 Jul 2013 10:58:48 -0400
+Subject: atl1e: fix dma mapping warnings
+
+From: Neil Horman
+
+[ Upstream commit 352900b583b2852152a1e05ea0e8b579292e731e ]
+
+Recently had this backtrace reported:
+WARNING: at lib/dma-debug.c:937 check_unmap+0x47d/0x930()
+Hardware name: System Product Name
+ATL1E 0000:02:00.0: DMA-API: device driver failed to check map error[device
+address=0x00000000cbfd1000] [size=90 bytes] [mapped as single]
+Modules linked in: xt_conntrack nf_conntrack ebtable_filter ebtables
+ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek iTCO_wdt
+iTCO_vendor_support snd_hda_intel acpi_cpufreq mperf coretemp btrfs zlib_deflate
+snd_hda_codec snd_hwdep microcode raid6_pq libcrc32c snd_seq usblp serio_raw xor
+snd_seq_device joydev snd_pcm snd_page_alloc snd_timer snd lpc_ich i2c_i801
+soundcore mfd_core atl1e asus_atk0110 ata_generic pata_acpi radeon i2c_algo_bit
+drm_kms_helper ttm drm i2c_core pata_marvell uinput
+Pid: 314, comm: systemd-journal Not tainted 3.9.0-0.rc6.git2.3.fc19.x86_64 #1
+Call Trace:
+ [] warn_slowpath_common+0x66/0x80
+ [] warn_slowpath_fmt+0x4c/0x50
+ [] check_unmap+0x47d/0x930
+ [] ? sched_clock_cpu+0xa8/0x100
+ [] debug_dma_unmap_page+0x5f/0x70
+ [] ? unmap_single+0x20/0x30
+ [] atl1e_intr+0x3a1/0x5b0 [atl1e]
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] handle_irq_event_percpu+0x56/0x390
+ [] handle_irq_event+0x3d/0x60
+ [] handle_fasteoi_irq+0x5a/0x100
+ [] handle_irq+0xbf/0x150
+ [] ? file_sb_list_del+0x3f/0x50
+ [] ? irq_enter+0x50/0xa0
+ [] do_IRQ+0x4d/0xc0
+ [] ? file_sb_list_del+0x3f/0x50
+ [] common_interrupt+0x72/0x72
+ [] ? lock_release+0xc2/0x310
+ [] lg_local_unlock_cpu+0x24/0x50
+ [] file_sb_list_del+0x3f/0x50
+ [] fput+0x2d/0xc0
+ [] filp_close+0x61/0x90
+ [] __close_fd+0x8d/0x150
+ [] sys_close+0x20/0x50
+ [] system_call_fastpath+0x16/0x1b
+
+The usual straighforward failure to check for dma_mapping_error after a map
+operation is completed.
+
+This patch should fix it, the reporter wandered off after filing this bz:
+https://bugzilla.redhat.com/show_bug.cgi?id=954170
+
+and I don't have hardware to test, but the fix is pretty straightforward, so I
+figured I'd post it for review.
+
+Signed-off-by: Neil Horman
+CC: Jay Cliburn
+CC: Chris Snook
+CC: "David S. Miller"
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 28 +++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -1688,8 +1688,8 @@ check_sum:
+ return 0;
+ }
+
+-static void atl1e_tx_map(struct atl1e_adapter *adapter,
+- struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
++static int atl1e_tx_map(struct atl1e_adapter *adapter,
++ struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
+ {
+ struct atl1e_tpd_desc *use_tpd = NULL;
+ struct atl1e_tx_buffer *tx_buffer = NULL;
+@@ -1700,6 +1700,7 @@ static void atl1e_tx_map(struct atl1e_ad
+ u16 nr_frags;
+ u16 f;
+ int segment;
++ int ring_start = adapter->tx_ring.next_to_use;
+
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK;
+@@ -1712,6 +1713,9 @@ static void atl1e_tx_map(struct atl1e_ad
+ tx_buffer->length = map_len;
+ tx_buffer->dma = pci_map_single(adapter->pdev,
+ skb->data, hdr_len, PCI_DMA_TODEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma))
++ return -ENOSPC;
++
+ ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
+ mapped_len += map_len;
+ use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+@@ -1738,6 +1742,13 @@ static void atl1e_tx_map(struct atl1e_ad
+ tx_buffer->dma =
+ pci_map_single(adapter->pdev, skb->data + mapped_len,
+ map_len, PCI_DMA_TODEVICE);
++
++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++ /* Reset the tx rings next pointer */
++ adapter->tx_ring.next_to_use = ring_start;
++ return -ENOSPC;
++ }
++
+ ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
+ mapped_len += map_len;
+ use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+@@ -1773,6 +1784,13 @@ static void atl1e_tx_map(struct atl1e_ad
+ (i * MAX_TX_BUF_LEN),
+ tx_buffer->length,
+ DMA_TO_DEVICE);
++
++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++ /* Reset the ring next to use pointer */
++ adapter->tx_ring.next_to_use = ring_start;
++ return -ENOSPC;
++ }
++
+ ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE);
+ use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+ use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) |
+@@ -1790,6 +1808,7 @@ static void atl1e_tx_map(struct atl1e_ad
+ /* The last buffer info contain the skb address,
+ so it will be free after unmap */
+ tx_buffer->skb = skb;
++ return 0;
+ }
+
+ static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count,
+@@ -1857,10 +1876,13 @@ static netdev_tx_t atl1e_xmit_frame(stru
+ return NETDEV_TX_OK;
+ }
+
+- atl1e_tx_map(adapter, skb, tpd);
++ if (atl1e_tx_map(adapter, skb, tpd))
++ goto out;
++
+ atl1e_tx_queue(adapter, tpd_req, tpd);
+
+ netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */
++out:
+ spin_unlock_irqrestore(&adapter->tx_lock, flags);
+ return NETDEV_TX_OK;
+ }
diff --git a/queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch b/queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
new file mode 100644
index 00000000000..37092690774
--- /dev/null
+++ b/queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
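Review bot: In atl1e_xmit_frame() the new `goto out` path returns NETDEV_TX_OK without recording that the frame was lost, so DMA mapping failures never show up in the interface statistics. Counting the drop before the jump, e.g. `netdev->stats.tx_dropped++;`, would make these failures observable to whoever monitors the device. Separately, `-ENOSPC` is an unusual errno for a failed mapping (`-ENOMEM` is the common choice); the caller only tests for non-zero, so that part is cosmetic. Both functions extend beyond the hunks shown.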
@@ -0,0 +1,86 @@
+From 807f13ef60d75e0cb4cbd7d4b853f037bdd55145 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Tue, 16 Jul 2013 10:49:41 -0400
+Subject: atl1e: unmap partially mapped skb on dma error and free skb
+
+From: Neil Horman
+
+[ Upstream commit 584ec4355355ffac43571b02a314d43eb2f7fcbf ]
+
+Ben Hutchings pointed out that my recent update to atl1e
+in commit 352900b583b2852152a1e05ea0e8b579292e731e
+("atl1e: fix dma mapping warnings") was missing a bit of code.
+
+Specifically it reset the hardware tx ring to its origional state when
+we hit a dma error, but didn't unmap any exiting mappings from the
+operation. This patch fixes that up. It also remembers to free the
+skb in the event that an error occurs, so we don't leak. Untested, as
+I don't have hardware. I think its pretty straightforward, but please
+review closely.
+
+Signed-off-by: Neil Horman
+CC: Ben Hutchings
+CC: Jay Cliburn
+CC: Chris Snook
+CC: "David S. Miller"
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -1701,6 +1701,7 @@ static int atl1e_tx_map(struct atl1e_ada
+ u16 f;
+ int segment;
+ int ring_start = adapter->tx_ring.next_to_use;
++ int ring_end;
+
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK;
+@@ -1744,6 +1745,15 @@ static int atl1e_tx_map(struct atl1e_ada
+ map_len, PCI_DMA_TODEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++ /* We need to unwind the mappings we've done */
++ ring_end = adapter->tx_ring.next_to_use;
++ adapter->tx_ring.next_to_use = ring_start;
++ while (adapter->tx_ring.next_to_use != ring_end) {
++ tpd = atl1e_get_tpd(adapter);
++ tx_buffer = atl1e_get_tx_buffer(adapter, tpd);
++ pci_unmap_single(adapter->pdev, tx_buffer->dma,
++ tx_buffer->length, PCI_DMA_TODEVICE);
++ }
+ /* Reset the tx rings next pointer */
+ adapter->tx_ring.next_to_use = ring_start;
+ return -ENOSPC;
+@@ -1786,6 +1796,16 @@ static int atl1e_tx_map(struct atl1e_ada
+ DMA_TO_DEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++ /* We need to unwind the mappings we've done */
++ ring_end = adapter->tx_ring.next_to_use;
++ adapter->tx_ring.next_to_use = ring_start;
++ while (adapter->tx_ring.next_to_use != ring_end) {
++ tpd = atl1e_get_tpd(adapter);
++ tx_buffer = atl1e_get_tx_buffer(adapter, tpd);
++ dma_unmap_page(&adapter->pdev->dev, tx_buffer->dma,
++ tx_buffer->length, DMA_TO_DEVICE);
++ }
++
+ /* Reset the ring next to use pointer */
+ adapter->tx_ring.next_to_use = ring_start;
+ return -ENOSPC;
+@@ -1876,8 +1896,10 @@ static netdev_tx_t atl1e_xmit_frame(stru
+ return NETDEV_TX_OK;
+ }
+
+- if (atl1e_tx_map(adapter, skb, tpd)) {
++ if (atl1e_tx_map(adapter, skb, tpd)) {
++ dev_kfree_skb_any(skb);
+ goto out;
++ }
+
+ atl1e_tx_queue(adapter, tpd_req, tpd);
+
diff --git a/queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch b/queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch
new file mode 100644
index 00000000000..fb1e90164ad
--- /dev/null
+++ b/queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch
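Review bot: The unwind loop added to the fragment error path calls `dma_unmap_page()` on every buffer between ring_start and ring_end, although buffers in that range may have been mapped earlier in atl1e_tx_map() with pci_map_single(); the driver records the kind of mapping through ATL1E_SET_PCIMAP_TYPE, so the unmap call should follow that recorded type per buffer instead of assuming pages. ring_end is also sampled after the failed mapping, so if the failing descriptor was taken with atl1e_get_tpd() the loop unmaps its error address as well, and a buffer mapped through the caller-supplied tpd appears to sit before ring_start and would be skipped. Those last two points are inferred, because the code that takes descriptors lies outside the hunks. Clearing the handle after each unmap, `tx_buffer->dma = 0;`, would also keep a later ring cleanup from unmapping the same buffer twice.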
@@ -0,0 +1,36 @@
+From 25eb5406b6fe44be17919ab95bf620d4ad0816df Mon Sep 17 00:00:00 2001
+From: Linus Lüssing
+Date: Sun, 16 Jun 2013 23:20:34 +0200
+Subject: bridge: fix switched interval for MLD Query types
+
+From: Linus Lüssing
+
+[ Upstream commit 32de868cbc6bee010d2cee95b5071b25ecbec8c3 ]
+
+General Queries (the one with the Multicast Address field
+set to zero / '::') are supposed to have a Maximum Response Delay
+of [Query Response Interval], while for Multicast-Address-Specific
+Queries it is [Last Listener Query Interval] - not the other way
+round. (see RFC2710, section 7.3+7.8)
+
+Signed-off-by: Linus Lüssing
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_multicast.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -467,8 +467,9 @@ static struct sk_buff *br_ip6_multicast_
+ skb_set_transport_header(skb, skb->len);
+ mldq = (struct mld_msg *) icmp6_hdr(skb);
+
+- interval = ipv6_addr_any(group) ? br->multicast_last_member_interval :
+- br->multicast_query_response_interval;
++ interval = ipv6_addr_any(group) ?
++ br->multicast_query_response_interval :
++ br->multicast_last_member_interval;
+
+ mldq->mld_type = ICMPV6_MGM_QUERY;
+ mldq->mld_code = 0;
diff --git a/queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch b/queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch
new file mode 100644
index 00000000000..41dad823724
--- /dev/null
+++ b/queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch
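Review bot: The corrected ternary carries no comment tying each branch to the RFC, and an unlabelled pair of similarly named intervals is easy to swap again. A one-line comment above the assignment would pin the mapping: `/* RFC 2710 7.3/7.8: general query -> query response interval, address-specific -> last listener interval */`. The function name is truncated in the hunk header and its body extends beyond the hunk.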
@@ -0,0 +1,87 @@
+From a6d55637b6b08267b7841332aae1c5c76b58614f Mon Sep 17 00:00:00 2001
+From: dingtianhong
+Date: Thu, 11 Jul 2013 19:04:02 +0800
+Subject: dummy: fix oops when loading the dummy failed
+
+From: dingtianhong
+
+[ Upstream commit 2c8a01894a12665d8059fad8f0a293c98a264121 ]
+
+We rename the dummy in modprobe.conf like this:
+
+install dummy0 /sbin/modprobe -o dummy0 --ignore-install dummy
+install dummy1 /sbin/modprobe -o dummy1 --ignore-install dummy
+
+We got oops when we run the command:
+
+modprobe dummy0
+modprobe dummy1
+
+------------[ cut here ]------------
+
+[ 3302.187584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 3302.195411] IP: [] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.201844] PGD 85c94a067 PUD 8517bd067 PMD 0
+[ 3302.206305] Oops: 0002 [#1] SMP
+[ 3302.299737] task: ffff88105ccea300 ti: ffff880eba4a0000 task.ti: ffff880eba4a0000
+[ 3302.307186] RIP: 0010:[] [] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.316044] RSP: 0018:ffff880eba4a1dd8 EFLAGS: 00010246
+[ 3302.321332] RAX: 0000000000000000 RBX: ffffffff81a9d738 RCX: 0000000000000002
+[ 3302.328436] RDX: 0000000000000000 RSI: ffffffffa04d602c RDI: ffff880eba4a1dd8
+[ 3302.335541] RBP: ffff880eba4a1e18 R08: dead000000200200 R09: dead000000100100
+[ 3302.342644] R10: 0000000000000080 R11: 0000000000000003 R12: ffffffff81a9d788
+[ 3302.349748] R13: ffffffffa04d7020 R14: ffffffff81a9d670 R15: ffff880eba4a1dd8
+[ 3302.364910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3302.370630] CR2: 0000000000000008 CR3: 000000085e15e000 CR4: 00000000000427e0
+[ 3302.377734] DR0: 0000000000000003 DR1: 00000000000000b0 DR2: 0000000000000001
+[ 3302.384838] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 3302.391940] Stack:
+[ 3302.393944] ffff880eba4a1dd8 ffff880eba4a1dd8 ffff880eba4a1e18 ffffffffa04d70c0
+[ 3302.401350] 00000000ffffffef ffffffffa01a8000 0000000000000000 ffffffff816111c8
+[ 3302.408758] ffff880eba4a1e48 ffffffffa01a80be ffff880eba4a1e48 ffffffffa04d70c0
+[ 3302.416164] Call Trace:
+[ 3302.418605] [] ? 0xffffffffa01a7fff
+[ 3302.423727] [] dummy_init_module+0xbe/0x1000 [dummy0]
+[ 3302.430405] [] ? 0xffffffffa01a7fff
+[ 3302.435535] [] do_one_initcall+0x152/0x1b0
+[ 3302.441263] [] do_init_module+0x7b/0x200
+[ 3302.446824] [] load_module+0x4e2/0x530
+[ 3302.452215] [] ? ddebug_dyndbg_boot_param_cb+0x60/0x60
+[ 3302.458979] [] SyS_init_module+0xd1/0x130
+[ 3302.464627] [] system_call_fastpath+0x16/0x1b
+[ 3302.490090] RIP [] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.496607] RSP
+[ 3302.500084] CR2: 0000000000000008
+[ 3302.503466] ---[ end trace 8342d49cd49f78ed ]---
+
+The reason is that when loading dummy, if __rtnl_link_register() return failed,
+the init_module should return and avoid take the wrong path.
+
+Signed-off-by: Tan Xiaojun
+Signed-off-by: Ding Tianhong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dummy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -186,6 +186,8 @@ static int __init dummy_init_module(void
+
+ rtnl_lock();
+ err = __rtnl_link_register(&dummy_link_ops);
++ if (err < 0)
++ goto out;
+
+ for (i = 0; i < numdummies && !err; i++) {
+ err = dummy_init_one();
+@@ -193,6 +195,8 @@ static int __init dummy_init_module(void
+ }
+ if (err < 0)
+ __rtnl_link_unregister(&dummy_link_ops);
++
++out:
+ rtnl_unlock();
+
+ return err;
diff --git a/queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch b/queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch
new file mode 100644
index 00000000000..4e4fd4b2518
--- /dev/null
+++ b/queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch
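Review bot: The new `goto out` in dummy_init_module() has no comment saying why the unregister call must be skipped, and the commit text only speaks of "the wrong path". From the oops it looks as if __rtnl_link_unregister() ran on ops that were never linked (the stack dump contains 0xffffffef, which would be -EEXIST), so a comment such as `/* registration failed: ops was never linked, do not unregister */` would stop a later cleanup from folding the two error paths back together. The same applies to the identical change to ifb_init_module() in ifb-fix-oops-when-loading-the-ifb-failed.patch. The hunks also leave `if (err < 0)` in dummy.c and `if (err)` in ifb.c guarding the unregister call; using one form would keep the two drivers aligned.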
@@ -0,0 +1,39 @@
+From cbe23ee3115067ce5bf47fca69e53926ea171596 Mon Sep 17 00:00:00 2001
+From: dingtianhong
+Date: Thu, 11 Jul 2013 19:04:06 +0800
+Subject: ifb: fix oops when loading the ifb failed
+
+From: dingtianhong
+
+[ Upstream commit f2966cd5691058b8674a20766525bedeaea9cbcf ]
+
+If __rtnl_link_register() return faild when loading the ifb, it will
+take the wrong path and get oops, so fix it just like dummy.
+
+Signed-off-by: Ding Tianhong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ifb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -290,6 +290,8 @@ static int __init ifb_init_module(void)
+
+ rtnl_lock();
+ err = __rtnl_link_register(&ifb_link_ops);
++ if (err < 0)
++ goto out;
+
+ for (i = 0; i < numifbs && !err; i++) {
+ err = ifb_init_one(i);
+@@ -297,6 +299,8 @@ static int __init ifb_init_module(void)
+ }
+ if (err)
+ __rtnl_link_unregister(&ifb_link_ops);
++
++out:
+ rtnl_unlock();
+
+ return err;
diff --git a/queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch b/queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch
new file mode 100644
index 00000000000..9abdc919a8a
--- /dev/null
+++ b/queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch
@@ -0,0 +1,44 @@
+From 7398bbbc81ad70c664ded751b7fd3417bc944414 Mon Sep 17 00:00:00 2001
+From: dingtianhong
+Date: Wed, 10 Jul 2013 12:04:02 +0800
+Subject: ifb: fix rcu_sched self-detected stalls
+
+From: dingtianhong
+
+[ Upstream commit 440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa ]
+
+According to the commit 16b0dc29c1af9df341428f4c49ada4f626258082
+(dummy: fix rcu_sched self-detected stalls)
+
+Eric Dumazet fix the problem in dummy, but the ifb will occur the
+same problem like the dummy modules.
+
+Trying to "modprobe ifb numifbs=30000" triggers :
+
+INFO: rcu_sched self-detected stall on CPU
+
+After this splat, RTNL is locked and reboot is needed.
+
+We must call cond_resched() to avoid this, even holding RTNL.
+
+Signed-off-by: Ding Tianhong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ifb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -291,8 +291,10 @@ static int __init ifb_init_module(void)
+ rtnl_lock();
+ err = __rtnl_link_register(&ifb_link_ops);
+
+- for (i = 0; i < numifbs && !err; i++)
++ for (i = 0; i < numifbs && !err; i++) {
+ err = ifb_init_one(i);
++ cond_resched();
++ }
+ if (err)
+ __rtnl_link_unregister(&ifb_link_ops);
+ rtnl_unlock();
diff --git a/queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch b/queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
new file mode 100644
index 00000000000..1c851365ce3
--- /dev/null
+++ b/queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
@@ -0,0 +1,43 @@
+From 7ffc6947279d932705a604f7e5a73f38c5cd83a4 Mon Sep 17 00:00:00 2001
+From: Aydin Arik
+Date: Fri, 14 Jun 2013 18:56:31 +1200
+Subject: ipv4: Fixed MD5 key lookups when adding/ removing MD5 to/ from TCP sockets.
+
+From: Aydin Arik
+
+[ Upstream commit c0353c7b5da4cbd2ab8227e84bbc9c79890f24ce ]
+
+MD5 key lookups on a given TCP socket were being performed
+incorrectly. This fix alters parameter inputs to the MD5
+lookup function tcp_md5_do_lookup, which is called by functions
+tcp_md5_do_add and tcp_md5_do_del. Specifically, the change now
+inputs the correct address and address family required to make
+a proper lookup.
+
+Signed-off-by: Aydin Arik
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -974,7 +974,7 @@ int tcp_md5_do_add(struct sock *sk, cons
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_md5sig_info *md5sig;
+
+- key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
++ key = tcp_md5_do_lookup(sk, addr, family);
+ if (key) {
+ /* Pre-existing entry - just update that one. */
+ memcpy(key->key, newkey, newkeylen);
+@@ -1019,7 +1019,7 @@ int tcp_md5_do_del(struct sock *sk, cons
+ struct tcp_md5sig_key *key;
+ struct tcp_md5sig_info *md5sig;
+
+- key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
++ key = tcp_md5_do_lookup(sk, addr, family);
+ if (!key)
+ return -ENOENT;
+ hlist_del_rcu(&key->node);
diff --git a/queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch b/queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
new file mode 100644
index 00000000000..2494a3189f3
--- /dev/null
+++ b/queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
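Review bot: With the lookup in tcp_md5_do_add() now keyed on the real address and family, the "Pre-existing entry" branch is likely to be taken far more often than before, and it copies with `memcpy(key->key, newkey, newkeylen);` with no length check visible in the hunk. Presumably the callers bound newkeylen by the size of key->key before they get here; that should be confirmed, or a guard such as `if (newkeylen > sizeof(key->key)) return -EINVAL;` placed ahead of the lookup if key->key is a fixed-size array. Both functions start and end outside the hunks shown.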
@@ -0,0 +1,122 @@
+From 3e5fbc0f41aab931d8d1ef785331a213d16adba2 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Mon, 1 Jul 2013 20:21:30 +0200
+Subject: ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+From: Hannes Frederic Sowa
+
+[ Upstream commit 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ]
+
+We accidentally call down to ip6_push_pending_frames when uncorking
+pending AF_INET data on a ipv6 socket. This results in the following
+splat (from Dave Jones):
+
+skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:
+------------[ cut here ]------------
+kernel BUG at net/core/skbuff.c:126!
+invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
++netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+RIP: 0010:[] [] skb_panic+0x63/0x65
+RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
+RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+Call Trace:
+ [] skb_push+0x3a/0x40
+ [] ip6_push_pending_frames+0x1f6/0x4d0
+ [] ? mark_held_locks+0xbb/0x140
+ [] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [] ? udplite_getfrag+0x20/0x20
+ [] udp_lib_setsockopt+0x1aa/0x1f0
+ [] ? fget_light+0x387/0x4f0
+ [] udpv6_setsockopt+0x34/0x40
+ [] sock_common_setsockopt+0x14/0x20
+ [] SyS_setsockopt+0x71/0xd0
+ [] tracesys+0xdd/0xe2
+Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+RIP [] skb_panic+0x63/0x65
+ RSP
+
+This patch adds a check if the pending data is of address family AF_INET
+and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+if that is the case.
+
+This bug was found by Dave Jones with trinity.
+
+(Also move the initialization of fl6 below the AF_INET check, even if
+not strictly necessary.)
+
+Signed-off-by: Hannes Frederic Sowa
+Cc: Dave Jones
+Cc: YOSHIFUJI Hideaki
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/udp.h | 1 +
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/udp.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/udp.h
++++ b/include/net/udp.h
+@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk,
+ extern void udp_err(struct sk_buff *, u32);
+ extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ struct msghdr *msg, size_t len);
++extern int udp_push_pending_frames(struct sock *sk);
+ extern void udp_flush_pending_frames(struct sock *sk);
+ extern int udp_rcv(struct sk_buff *skb);
+ extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -768,7 +768,7 @@ send:
+ /*
+ * Push out all pending data as one UDP datagram. Socket is locked.
+ */
+-static int udp_push_pending_frames(struct sock *sk)
++int udp_push_pending_frames(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ struct inet_sock *inet = inet_sk(sk);
+@@ -787,6 +787,7 @@ out:
+ up->pending = 0;
+ return err;
+ }
++EXPORT_SYMBOL(udp_push_pending_frames);
+
+ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ size_t len)
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -895,11 +895,16 @@ static int udp_v6_push_pending_frames(st
+ struct udphdr *uh;
+ struct udp_sock *up = udp_sk(sk);
+ struct inet_sock *inet = inet_sk(sk);
+- struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
++ struct flowi6 *fl6;
+ int err = 0;
+ int is_udplite = IS_UDPLITE(sk);
+ __wsum csum = 0;
+
++ if (up->pending == AF_INET)
++ return udp_push_pending_frames(sk);
++
++ fl6 = &inet->cork.fl.u.ip6;
++
+ /* Grab the skbuff where UDP header space exists. */
+ if ((skb = skb_peek(&sk->sk_write_queue)) == NULL)
+ goto out;
diff --git a/queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch b/queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
new file mode 100644
index 00000000000..e9590e1d22d
--- /dev/null
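Review bot: The early return added to udp_v6_push_pending_frames() has no comment explaining how an IPv6 socket comes to have `up->pending == AF_INET`, and the commit message only says the call happens "accidentally". A short comment, e.g. `/* IPv4 data was corked on this v6 socket (presumably a v4-mapped destination): use the IPv4 path */`, would keep the check from being removed later as dead code. Other code on the v6 side that reads `inet->cork.fl.u.ip6` is outside this hunk and worth checking for the same assumption. Making udp_push_pending_frames() non-static also widens its audience, so the "Socket is locked" precondition from the comment in net/ipv4/udp.c should be repeated next to the new prototype in include/net/udp.h.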
+++ b/queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
@@ -0,0 +1,39 @@
+From cb6bdbd023b7275fd30f88bfd6c3531f677850b1 Mon Sep 17 00:00:00 2001
+From: Gao feng
+Date: Sun, 16 Jun 2013 11:14:30 +0800
+Subject: ipv6: don't call addrconf_dst_alloc again when enable lo
+
+From: Gao feng
+
+[ Upstream commit a881ae1f625c599b460cc8f8a7fcb1c438f699ad ]
+
+If we disable all of the net interfaces, and enable
+un-lo interface before lo interface, we already allocated
+the addrconf dst in ipv6_add_addr. So we shouldn't allocate
+it again when we enable lo interface.
+
+Otherwise the message below will be triggered.
+unregister_netdevice: waiting for sit1 to become free. Usage count = 1
+
+This problem is introduced by commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
+"net IPv6 : Fix broken IPv6 routing table after loopback down-up"
+
+Signed-off-by: Gao feng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/addrconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2429,6 +2429,9 @@ static void init_loopback(struct net_dev
+ if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
+ continue;
+
++ if (sp_ifa->rt)
++ continue;
++
+ sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
+
+ /* Failure cases are ignored */
diff --git a/queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch b/queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
new file mode 100644
index 00000000000..3eab7e4ae19
--- /dev/null
+++ b/queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
@@ -0,0 +1,97 @@ +From d29ee4b5c0d7b39dcf13139e8748cfdb6371fb1f Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Wed, 10 Jul 2013 23:00:57 +0200 +Subject: ipv6: in case of link failure remove route directly instead of letting it expire + +From: Hannes Frederic Sowa + +[ Upstream commit 1eb4f758286884e7566627164bca4c4a16952a83 ] + +We could end up expiring a route which is part of an ecmp route set. Doing +so would invalidate the rt->rt6i_nsiblings calculations and could provoke +the following panic: + +[ 80.144667] ------------[ cut here ]------------ +[ 80.145172] kernel BUG at net/ipv6/ip6_fib.c:733! +[ 80.145172] invalid opcode: 0000 [#1] SMP +[ 80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables ++snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk +[ 80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118 +[ 80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000 +[ 80.145172] RIP: 0010:[] [] fib6_add+0x75d/0x830 +[ 80.145172] RSP: 0018:ffff880118771798 EFLAGS: 00010202 +[ 80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480 +[ 80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738 +[ 80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001 +[ 80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680 +[ 80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90 +[ 80.145172] FS: 00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000 +[ 80.145172] CS: 0010 DS: 0000 ES: 
0000 CR0: 000000008005003b +[ 80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0 +[ 80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 80.145172] Stack: +[ 80.145172] 0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280 +[ 80.145172] 0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa +[ 80.145172] 0000000000000000 0000000000000000 0000000000000000 ffff88011350f680 +[ 80.145172] Call Trace: +[ 80.145172] [] ? rt6_bind_peer+0x4b/0x90 +[ 80.145172] [] __ip6_ins_rt+0x45/0x70 +[ 80.145172] [] ip6_ins_rt+0x35/0x40 +[ 80.145172] [] ip6_pol_route.isra.44+0x3a4/0x4b0 +[ 80.145172] [] ip6_pol_route_output+0x2a/0x30 +[ 80.145172] [] fib6_rule_action+0xd7/0x210 +[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 +[ 80.145172] [] fib_rules_lookup+0xc6/0x140 +[ 80.145172] [] fib6_rule_lookup+0x44/0x80 +[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 +[ 80.145172] [] ip6_route_output+0x73/0xb0 +[ 80.145172] [] ip6_dst_lookup_tail+0x2c3/0x2e0 +[ 80.145172] [] ? list_del+0x11/0x40 +[ 80.145172] [] ? remove_wait_queue+0x3c/0x50 +[ 80.145172] [] ip6_dst_lookup_flow+0x3d/0xa0 +[ 80.145172] [] rawv6_sendmsg+0x267/0xc20 +[ 80.145172] [] inet_sendmsg+0x63/0xb0 +[ 80.145172] [] ? selinux_socket_sendmsg+0x23/0x30 +[ 80.145172] [] sock_sendmsg+0xa6/0xd0 +[ 80.145172] [] SYSC_sendto+0x128/0x180 +[ 80.145172] [] ? update_curr+0xec/0x170 +[ 80.145172] [] ? kvm_clock_get_cycles+0x9/0x10 +[ 80.145172] [] ? 
__getnstimeofday+0x3e/0xd0 +[ 80.145172] [] SyS_sendto+0xe/0x10 +[ 80.145172] [] system_call_fastpath+0x16/0x1b +[ 80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53 +[ 80.145172] RIP [] fib6_add+0x75d/0x830 +[ 80.145172] RSP +[ 80.387413] ---[ end trace 02f20b7a8b81ed95 ]--- +[ 80.390154] Kernel panic - not syncing: Fatal exception in interrupt + +Signed-off-by: Hannes Frederic Sowa +Cc: Nicolas Dichtel +Cc: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1032,10 +1032,13 @@ static void ip6_link_failure(struct sk_b + + rt = (struct rt6_info *) skb_dst(skb); + if (rt) { +- if (rt->rt6i_flags & RTF_CACHE) +- rt6_update_expires(rt, 0); +- else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) ++ if (rt->rt6i_flags & RTF_CACHE) { ++ dst_hold(&rt->dst); ++ if (ip6_del_rt(rt)) ++ dst_free(&rt->dst); ++ } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) { + rt->rt6i_node->fn_sernum = -1; ++ } + } + } + diff --git a/queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch b/queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch new file mode 100644 index 00000000000..772d01adc37 --- /dev/null +++ b/queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch 
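Review bot: In ip6_link_failure() the added `dst_hold(&rt->dst)` has no visible counterpart, so a reader cannot tell which release it balances or why `dst_free(&rt->dst)` runs only when `ip6_del_rt(rt)` fails. Presumably ip6_del_rt() drops one reference on return; that should be confirmed and stated in a comment, for example `/* ip6_del_rt() drops a reference; hold one so the dst attached to skb stays valid */`. An imbalance on this path would be either a leak or a use-after-free on a route the skb still points at, so the pairing is worth writing down. The function starts outside the hunk.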
@@ -0,0 +1,135 @@ +From 33dcf975875563ee57769861f3ec9c02d1f3de97 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 2 Jul 2013 08:04:05 +0200 +Subject: ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size + +From: Hannes Frederic Sowa + +[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ] + +If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track +of this when appending the second frame on a corked socket. This results +in the following splat: + +[37598.993962] ------------[ cut here ]------------ +[37598.994008] kernel BUG at net/core/skbuff.c:2064! +[37598.994008] invalid opcode: 0000 [#1] SMP +[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat ++nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi ++scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm +[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc ++dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video +[37598.994008] CPU 0 +[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG +[37598.994008] RIP: 
0010:[] [] skb_copy_and_csum_bits+0x325/0x330 +[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 +[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 +[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 +[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 +[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 +[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 +[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 +[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 +[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) +[37598.994008] Stack: +[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 +[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 +[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 +[37598.994008] Call Trace: +[37598.994008] [] ip6_append_data+0xccf/0xfe0 +[37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 +[37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 +[37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 +[37598.994008] [] ? sock_has_perm+0x75/0x90 +[37598.994008] [] inet_sendmsg+0x63/0xb0 +[37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 +[37598.994008] [] sock_sendmsg+0xb0/0xe0 +[37598.994008] [] ? __switch_to+0x181/0x4a0 +[37598.994008] [] sys_sendto+0x12d/0x180 +[37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 +[37598.994008] [] ? 
syscall_trace_enter+0x231/0x240 +[37598.994008] [] tracesys+0xdd/0xe2 +[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 +[37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 +[37598.994008] RSP +[37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + +While there, also check if path mtu discovery is activated for this +socket. The logic was adapted from ip6_append_data when first writing +on the corked socket. + +This bug was introduced with commit +0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec +fragment"). + +v2: +a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. +b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). +c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + +Acked-by: Gao feng +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1187,11 +1187,12 @@ static inline struct ipv6_rt_hdr *ip6_rt + return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; + } + +-static void ip6_append_data_mtu(int *mtu, ++static void ip6_append_data_mtu(unsigned int *mtu, + int *maxfraglen, + unsigned int fragheaderlen, + struct sk_buff *skb, +- struct rt6_info *rt) ++ struct rt6_info *rt, ++ bool pmtuprobe) + { + if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { + if (skb == NULL) { +@@ -1203,7 +1204,9 @@ static void ip6_append_data_mtu(int *mtu + * this fragment is not first, the headers + * space is regarded as data space. + */ +- *mtu = dst_mtu(rt->dst.path); ++ *mtu = min(*mtu, pmtuprobe ? 
++ rt->dst.dev->mtu : ++ dst_mtu(rt->dst.path)); + } + *maxfraglen = ((*mtu - fragheaderlen) & ~7) + + fragheaderlen - sizeof(struct frag_hdr); +@@ -1220,11 +1223,10 @@ int ip6_append_data(struct sock *sk, int + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen; ++ unsigned int maxfraglen, fragheaderlen, mtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +- int mtu; + int copy; + int err; + int offset = 0; +@@ -1387,7 +1389,9 @@ alloc_new_skb: + /* update mtu and maxfraglen if necessary */ + if (skb == NULL || skb_prev == NULL) + ip6_append_data_mtu(&mtu, &maxfraglen, +- fragheaderlen, skb, rt); ++ fragheaderlen, skb, rt, ++ np->pmtudisc == ++ IPV6_PMTUDISC_PROBE); + + skb_prev = skb; + diff --git a/queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch b/queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch new file mode 100644 index 00000000000..85d76b42aa3 --- /dev/null +++ b/queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch 
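Review bot: ip6_append_data_mtu() now takes `unsigned int *mtu`, but its second parameter is still `int *maxfraglen` while ip6_append_data() declares `unsigned int maxfraglen, fragheaderlen, mtu;` and passes `&maxfraglen`. The signature should be made consistent with `unsigned int *maxfraglen,`, so that the pointer types match and the `((*mtu - fragheaderlen) & ~7)` arithmetic is unsigned throughout. A short comment above the `min()` would also help, e.g. `/* never exceed the mtu chosen for the first frame (IPV6_MTU / frag_size) */`, since the fix depends on `*mtu` still holding that earlier value. Whether `*mtu` can ever be smaller than `fragheaderlen` here cannot be judged from the hunk.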
@@ -0,0 +1,52 @@ +From c27b83b129110f60c614324c5e33f9ccbfd49238 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 26 Jun 2013 04:15:07 -0700 +Subject: ipv6: ip6_sk_dst_check() must not assume ipv6 dst + +From: Eric Dumazet + +[ Upstream commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ] + +It's possible to use AF_INET6 sockets and to connect to an IPv4 +destination. After this, socket dst cache is a pointer to a rtable, +not rt6_info. + +ip6_sk_dst_check() should check the socket dst cache is IPv6, or else +various corruptions/crashes can happen. + +Dave Jones can reproduce immediate crash with +trinity -q -l off -n -c sendmsg -c connect + +With help from Hannes Frederic Sowa + +Reported-by: Dave Jones +Reported-by: Hannes Frederic Sowa +Signed-off-by: Eric Dumazet +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -912,11 +912,17 @@ static struct dst_entry *ip6_sk_dst_chec + const struct flowi6 *fl6) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; + + if (!dst) + goto out; + ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, diff --git a/queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch b/queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch new file mode 100644 index 00000000000..b39f53c212f --- /dev/null +++ b/queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch 
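Review bot: The family check added to ip6_sk_dst_check() is the only thing that stops a cached IPv4 rtable from being read as a `struct rt6_info`, yet it carries no comment. I would add `/* an AF_INET6 socket connected to an IPv4 destination caches an rtable here; never cast it to rt6_info */` above `if (dst->ops->family != AF_INET6)` so the guard is not dropped in a later cleanup. The early `return NULL` also bypasses the `out:` label that the `!dst` case uses. Whether the two exits are equivalent cannot be seen here, because the function continues outside the hunk.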
@@ -0,0 +1,239 @@ +From 47efd75b3dbaea5c2b3f26a8706f1b6062e822ef Mon Sep 17 00:00:00 2001 +From: Amerigo Wang +Date: Sat, 29 Jun 2013 21:30:49 +0800 +Subject: ipv6,mcast: always hold idev->lock before mca_lock + +From: Amerigo Wang + +[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with + some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781 + ("ipv6: split duplicate address detection and router solicitation timer") + to get the __ipv6_get_lladdr() used by this patch. ] + +dingtianhong reported the following deadlock detected by lockdep: + + ====================================================== + [ INFO: possible circular locking dependency detected ] + 3.4.24.05-0.1-default #1 Not tainted + ------------------------------------------------------- + ksoftirqd/0/3 is trying to acquire lock: + (&ndev->lock){+.+...}, at: [] ipv6_get_lladdr+0x74/0x120 + + but task is already holding lock: + (&mc->mca_lock){+.+...}, at: [] mld_send_report+0x40/0x150 + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #1 (&mc->mca_lock){+.+...}: + [] validate_chain+0x637/0x730 + [] __lock_acquire+0x2f7/0x500 + [] lock_acquire+0x114/0x150 + [] rt_spin_lock+0x4a/0x60 + [] igmp6_group_added+0x3b/0x120 + [] ipv6_mc_up+0x38/0x60 + [] ipv6_find_idev+0x3d/0x80 + [] addrconf_notify+0x3d5/0x4b0 + [] notifier_call_chain+0x3f/0x80 + [] raw_notifier_call_chain+0x11/0x20 + [] call_netdevice_notifiers+0x32/0x60 + [] __dev_notify_flags+0x34/0x80 + [] dev_change_flags+0x40/0x70 + [] do_setlink+0x237/0x8a0 + [] rtnl_newlink+0x3ec/0x600 + [] rtnetlink_rcv_msg+0x160/0x310 + [] netlink_rcv_skb+0x89/0xb0 + [] rtnetlink_rcv+0x27/0x40 + [] netlink_unicast+0x140/0x180 + [] netlink_sendmsg+0x33e/0x380 + [] sock_sendmsg+0x112/0x130 + [] __sys_sendmsg+0x44e/0x460 + [] sys_sendmsg+0x44/0x70 + [] system_call_fastpath+0x16/0x1b + + -> #0 (&ndev->lock){+.+...}: + [] check_prev_add+0x3de/0x440 + [] validate_chain+0x637/0x730 + [] __lock_acquire+0x2f7/0x500 + [] lock_acquire+0x114/0x150 + [] rt_read_lock+0x42/0x60 + [] ipv6_get_lladdr+0x74/0x120 + [] mld_newpack+0xb6/0x160 + [] add_grhead+0xab/0xc0 + [] add_grec+0x3ab/0x460 + [] mld_send_report+0x5a/0x150 + [] igmp6_timer_handler+0x4e/0xb0 + [] call_timer_fn+0xca/0x1d0 + [] run_timer_softirq+0x1df/0x2e0 + [] handle_pending_softirqs+0xf7/0x1f0 + [] __do_softirq_common+0x7b/0xf0 + [] __thread_do_softirq+0x1af/0x210 + [] run_ksoftirqd+0xe1/0x1f0 + [] kthread+0xae/0xc0 + [] kernel_thread_helper+0x4/0x10 + +actually we can just hold idev->lock before taking pmc->mca_lock, +and avoid taking idev->lock again when iterating idev->addr_list, +since the upper callers of mld_newpack() already take +read_lock_bh(&idev->lock). + +Reported-by: dingtianhong +Cc: dingtianhong +Cc: Hideaki YOSHIFUJI +Cc: David S. Miller +Cc: Hannes Frederic Sowa +Tested-by: Ding Tianhong +Tested-by: Chen Weilong +Signed-off-by: Cong Wang +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 3 +++ + net/ipv6/addrconf.c | 28 ++++++++++++++++++---------- + net/ipv6/mcast.c | 18 ++++++++++-------- + 3 files changed, 31 insertions(+), 18 deletions(-) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -81,6 +81,9 @@ extern int ipv6_dev_get_saddr(struct n + const struct in6_addr *daddr, + unsigned int srcprefs, + struct in6_addr *saddr); ++extern int __ipv6_get_lladdr(struct inet6_dev *idev, ++ struct in6_addr *addr, ++ unsigned char banned_flags); + extern int ipv6_get_lladdr(struct net_device *dev, + struct in6_addr *addr, + unsigned char banned_flags); +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1233,6 +1233,23 @@ try_nextdev: + } + EXPORT_SYMBOL(ipv6_dev_get_saddr); + ++int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, ++ unsigned char banned_flags) ++{ ++ struct inet6_ifaddr *ifp; ++ int err = -EADDRNOTAVAIL; ++ ++ list_for_each_entry(ifp, &idev->addr_list, if_list) { ++ if (ifp->scope == IFA_LINK && ++ !(ifp->flags & banned_flags)) { ++ *addr = ifp->addr; ++ err = 0; ++ break; ++ } ++ } ++ return err; ++} ++ + int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, + unsigned char banned_flags) + { +@@ -1242,17 +1259,8 @@ int ipv6_get_lladdr(struct net_device *d + rcu_read_lock(); + idev = __in6_dev_get(dev); + if (idev) { +- struct inet6_ifaddr *ifp; +- + read_lock_bh(&idev->lock); +- list_for_each_entry(ifp, &idev->addr_list, if_list) { +- if (ifp->scope == IFA_LINK && +- !(ifp->flags & banned_flags)) { +- *addr = ifp->addr; +- err = 0; +- break; +- } +- } ++ err = __ipv6_get_lladdr(idev, addr, banned_flags); + read_unlock_bh(&idev->lock); + } + rcu_read_unlock(); +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1334,8 +1334,9 @@ mld_scount(struct ifmcaddr6 *pmc, int ty + return scount; + } + +-static struct sk_buff *mld_newpack(struct net_device *dev, int size) ++static struct sk_buff *mld_newpack(struct inet6_dev 
*idev, int size) + { ++ struct net_device *dev = idev->dev; + struct net *net = dev_net(dev); + struct sock *sk = net->ipv6.igmp_sk; + struct sk_buff *skb; +@@ -1360,7 +1361,7 @@ static struct sk_buff *mld_newpack(struc + + skb_reserve(skb, hlen); + +- if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) { ++ if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) { + /* : + * use unspecified address as the source address + * when a valid link-local address is not available. +@@ -1456,7 +1457,7 @@ static struct sk_buff *add_grhead(struct + struct mld2_grec *pgr; + + if (!skb) +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(pmc->idev, dev->mtu); + if (!skb) + return NULL; + pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec)); +@@ -1476,7 +1477,8 @@ static struct sk_buff *add_grhead(struct + static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + int type, int gdeleted, int sdeleted) + { +- struct net_device *dev = pmc->idev->dev; ++ struct inet6_dev *idev = pmc->idev; ++ struct net_device *dev = idev->dev; + struct mld2_report *pmr; + struct mld2_grec *pgr = NULL; + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list; +@@ -1505,7 +1507,7 @@ static struct sk_buff *add_grec(struct s + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(idev, dev->mtu); + } + } + first = 1; +@@ -1532,7 +1534,7 @@ static struct sk_buff *add_grec(struct s + pgr->grec_nsrcs = htons(scount); + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(idev, dev->mtu); + first = 1; + scount = 0; + } +@@ -1587,8 +1589,8 @@ static void mld_send_report(struct inet6 + struct sk_buff *skb = NULL; + int type; + ++ read_lock_bh(&idev->lock); + if (!pmc) { +- read_lock_bh(&idev->lock); + for (pmc=idev->mc_list; pmc; pmc=pmc->next) { + if (pmc->mca_flags & MAF_NOREPORT) + continue; +@@ -1600,7 +1602,6 @@ static void 
mld_send_report(struct inet6 + skb = add_grec(skb, pmc, type, 0, 0); + spin_unlock_bh(&pmc->mca_lock); + } +- read_unlock_bh(&idev->lock); + } else { + spin_lock_bh(&pmc->mca_lock); + if (pmc->mca_sfcount[MCAST_EXCLUDE]) +@@ -1610,6 +1611,7 @@ static void mld_send_report(struct inet6 + skb = add_grec(skb, pmc, type, 0, 0); + spin_unlock_bh(&pmc->mca_lock); + } ++ read_unlock_bh(&idev->lock); + if (skb) + mld_sendpack(skb); + } diff --git a/queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch b/queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch new file mode 100644 index 00000000000..1edc7ae0ec7 --- /dev/null +++ b/queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch @@ -0,0 +1,31 @@ +From 9b0516325a5ca314ad186c12045d02dfe8571cd3 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 2 Jul 2013 09:02:07 +0800 +Subject: l2tp: add missing .owner to struct pppox_proto + +From: Wei Yongjun + +[ Upstream commit e1558a93b61962710733dc8c11a2bc765607f1cd ] + +Add missing .owner of struct pppox_proto. This prevents the +module from being removed from underneath its users. + +Signed-off-by: Wei Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1778,7 +1778,8 @@ static const struct proto_ops pppol2tp_o + + static const struct pppox_proto pppol2tp_proto = { + .create = pppol2tp_create, +- .ioctl = pppol2tp_ioctl ++ .ioctl = pppol2tp_ioctl, ++ .owner = THIS_MODULE, + }; + + #ifdef CONFIG_L2TP_V3 diff --git a/queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch b/queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch new file mode 100644 index 00000000000..ad4636fbaf1 --- /dev/null +++ b/queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch 
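Review bot: `__ipv6_get_lladdr()` (ipv6-mcast patch, net/ipv6/addrconf.c) walks `idev->addr_list` without taking a lock, and neither the definition nor the new declaration in include/net/addrconf.h says that the caller must already hold `idev->lock`. Add `/* Caller must hold idev->lock. */` above the definition. In mld_send_report(), add a comment next to the moved `read_lock_bh(&idev->lock)` stating that `idev->lock` is always taken before `pmc->mca_lock`, since that ordering is what the patch exists to enforce. The helper is non-static and declared in a shared header, so a future caller that skips the lock would race with address-list updates without any warning.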
@@ -0,0 +1,56 @@ +From 2c2017d0d3e8b8b7f3056aa204196a9bf27b1268 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 10 Jul 2013 13:43:28 +0800 +Subject: macvtap: correctly linearize skb when zerocopy is used + +From: Jason Wang + +[ Upstream commit 61d46bf979d5cd7c164709a80ad5676a35494aae ] + +Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to +linearize parts of the skb to let the rest of iov to be fit in +the frags, we need count copylen into linear when calling macvtap_alloc_skb() +instead of partly counting it into data_len. Since this breaks +zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should +be zero at beginning. This cause nr_frags to be increased wrongly without +setting the correct frags. + +This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73 +(macvtap: zerocopy: validate vectors before building skb). + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -656,6 +656,7 @@ static ssize_t macvtap_get_user(struct m + int vnet_hdr_len = 0; + int copylen = 0; + bool zerocopy = false; ++ size_t linear; + + if (q->flags & IFF_VNET_HDR) { + vnet_hdr_len = q->vnet_hdr_sz; +@@ -710,11 +711,14 @@ static ssize_t macvtap_get_user(struct m + copylen = vnet_hdr.hdr_len; + if (!copylen) + copylen = GOODCOPY_LEN; +- } else ++ linear = copylen; ++ } else { + copylen = len; ++ linear = vnet_hdr.hdr_len; ++ } + + skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, +- vnet_hdr.hdr_len, noblock, &err); ++ linear, noblock, &err); + if (!skb) + goto err; + diff --git a/queue-3.4/macvtap-fix-recovery-from-gup-errors.patch b/queue-3.4/macvtap-fix-recovery-from-gup-errors.patch new file mode 100644 index 00000000000..95ec2985029 --- /dev/null 
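Review bot: On both branches in macvtap_get_user() the new `linear` is derived from `vnet_hdr.hdr_len`, which presumably comes from the header userspace supplies, and the hunk applies no bound before passing it to macvtap_alloc_skb() as the linear length. If an earlier check outside the hunk does not already guarantee `hdr_len <= len`, the non-zerocopy branch can ask for a linear area larger than `copylen`. State the invariant where `linear` is assigned, `/* linear <= copylen: hdr_len is validated against len above */`, or enforce it with `if (linear > copylen) linear = copylen;` before the allocation. The validation code, if any, is not visible in these hunks.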
+++ b/queue-3.4/macvtap-fix-recovery-from-gup-errors.patch @@ -0,0 +1,38 @@ +From b716ef2d9113847c893a292d9624a53b8b0d472f Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Sun, 23 Jun 2013 17:26:58 +0300 +Subject: macvtap: fix recovery from gup errors + +From: "Michael S. Tsirkin" + +[ Upstream commit 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 ] + +get user pages might fail partially in macvtap zero copy +mode. To recover we need to put all pages that we got, +but code used a wrong index resulting in double-free +errors. + +Reported-by: Brad Hubbard +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -534,8 +534,10 @@ static int zerocopy_sg_from_iovec(struct + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + } + truesize = size * PAGE_SIZE; + skb->data_len += len; diff --git a/queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch b/queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch new file mode 100644 index 00000000000..232ffc0c84e --- /dev/null +++ b/queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch 
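Review bot: After the corrected `put_page(page[i + j])` loop, the `if (num_pages != size)` block still ends without leaving the function. As far as the hunk shows, control falls through to `truesize = size * PAGE_SIZE;` and `skb->data_len += len;` with pages that were just released or never pinned. The block should bail out once the pages are dropped, with `return -EFAULT;` after the loop, unless code after the hunk handles the short pin. Otherwise the skb goes on to account for, and presumably attach, pages it holds no reference to, which is the same double-free class this patch sets out to fix. zerocopy_sg_from_iovec() continues outside the hunk.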
@@ -0,0 +1,78 @@ +From c7035ea2b52ca2c60fa22c2fe24f582aa6c755e1 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 28 Jun 2013 02:37:42 -0700 +Subject: neighbour: fix a race in neigh_destroy() + +From: Eric Dumazet + +[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ] + +There is a race in neighbour code, because neigh_destroy() uses +skb_queue_purge(&neigh->arp_queue) without holding neighbour lock, +while other parts of the code assume neighbour rwlock is what +protects arp_queue + +Convert all skb_queue_purge() calls to the __skb_queue_purge() variant + +Use __skb_queue_head_init() instead of skb_queue_head_init() +to make clear we do not use arp_queue.lock + +And hold neigh->lock in neigh_destroy() to close the race. + +Reported-by: Joe Jin +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -237,7 +237,7 @@ static void neigh_flush_dev(struct neigh + we must kill timers etc. and move + it to safe state. 
+ */ +- skb_queue_purge(&n->arp_queue); ++ __skb_queue_purge(&n->arp_queue); + n->arp_queue_len_bytes = 0; + n->output = neigh_blackhole; + if (n->nud_state & NUD_VALID) +@@ -300,7 +300,7 @@ static struct neighbour *neigh_alloc(str + if (!n) + goto out_entries; + +- skb_queue_head_init(&n->arp_queue); ++ __skb_queue_head_init(&n->arp_queue); + rwlock_init(&n->lock); + seqlock_init(&n->ha_lock); + n->updated = n->used = now; +@@ -721,7 +721,9 @@ void neigh_destroy(struct neighbour *nei + if (neigh_del_timer(neigh)) + printk(KERN_WARNING "Impossible event.\n"); + +- skb_queue_purge(&neigh->arp_queue); ++ write_lock_bh(&neigh->lock); ++ __skb_queue_purge(&neigh->arp_queue); ++ write_unlock_bh(&neigh->lock); + neigh->arp_queue_len_bytes = 0; + + if (dev->netdev_ops->ndo_neigh_destroy) +@@ -867,7 +869,7 @@ static void neigh_invalidate(struct neig + neigh->ops->error_report(neigh, skb); + write_lock(&neigh->lock); + } +- skb_queue_purge(&neigh->arp_queue); ++ __skb_queue_purge(&neigh->arp_queue); + neigh->arp_queue_len_bytes = 0; + } + +@@ -1206,7 +1208,7 @@ int neigh_update(struct neighbour *neigh + + write_lock_bh(&neigh->lock); + } +- skb_queue_purge(&neigh->arp_queue); ++ __skb_queue_purge(&neigh->arp_queue); + neigh->arp_queue_len_bytes = 0; + } + out: diff --git a/queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch b/queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch new file mode 100644 index 00000000000..837649bd5b2 --- /dev/null +++ b/queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch 
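Review bot: In neigh_destroy() the purge is now done under `write_lock_bh(&neigh->lock)`, but `neigh->arp_queue_len_bytes = 0;` stays just after `write_unlock_bh()`, so the queue and its byte counter are updated under different protection. Move the reset inside the locked region, directly after `__skb_queue_purge(&neigh->arp_queue);`, so that it matches the commit message's claim that the neighbour rwlock protects arp_queue. The other converted call sites in neigh_flush_dev(), neigh_invalidate() and neigh_update() now rely on the caller holding `neigh->lock`, since the `__` variant does not lock the queue. Those lock acquisitions are outside the hunks, so a comment `/* neigh->lock held */` at each site would make the requirement checkable.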
@@ -0,0 +1,34 @@ +From ad7070e878780ed4334456229d4cd1bc8fe3bedc Mon Sep 17 00:00:00 2001 +From: Changli Gao +Date: Sat, 29 Jun 2013 00:15:51 +0800 +Subject: net: Swap ver and type in pppoe_hdr + +From: Changli Gao + +[ Upstream commit b1a5a34bd0b8767ea689e68f8ea513e9710b671e ] + +Ver and type in pppoe_hdr should be swapped as defined by RFC2516 +section-4. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_pppox.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/if_pppox.h ++++ b/include/linux/if_pppox.h +@@ -128,11 +128,11 @@ struct pppoe_tag { + + struct pppoe_hdr { + #if defined(__LITTLE_ENDIAN_BITFIELD) +- __u8 ver : 4; + __u8 type : 4; ++ __u8 ver : 4; + #elif defined(__BIG_ENDIAN_BITFIELD) +- __u8 type : 4; + __u8 ver : 4; ++ __u8 type : 4; + #else + #error "Please fix " + #endif diff --git a/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch b/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch new file mode 100644 index 00000000000..b0551670b92 --- /dev/null +++ b/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch 
@@ -0,0 +1,120 @@ +From 8684b4f0dadba8d920360be134a68b452ab1d713 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Tue, 25 Jun 2013 15:24:32 +0800 +Subject: net/tg3: Avoid delay during MMIO access + +From: Gavin Shan + +[ Upstream commit 6d446ec32f169c6a5d9bc90684a8082a6cbe90f6 ] + +When the EEH error is the result of a fenced host bridge, MMIO accesses +can be very slow (milliseconds) to timeout and return all 1's, +thus causing the driver various timeout loops to take way too long and +trigger soft-lockup warnings (in addition to taking minutes to recover). + +It might be worthwhile to check if for any of these cases, ffffffff is +a valid possible value, and if not, bail early since that means the HW +is either gone or isolated. In the meantime, checking that the PCI channel +is offline would be workaround of the problem. + +Signed-off-by: Gavin Shan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -689,6 +689,9 @@ static int tg3_ape_lock(struct tg3 *tp, + status = tg3_ape_read32(tp, gnt + off); + if (status == bit) + break; ++ if (pci_channel_offline(tp->pdev)) ++ break; ++ + udelay(10); + } + +@@ -1466,6 +1469,9 @@ static void tg3_wait_for_event_ack(struc + for (i = 0; i < delay_cnt; i++) { + if (!(tr32(GRC_RX_CPU_EVENT) & GRC_RX_CPU_DRIVER_EVENT)) + break; ++ if (pci_channel_offline(tp->pdev)) ++ break; ++ + udelay(8); + } + } +@@ -1636,6 +1642,9 @@ static int tg3_poll_fw(struct tg3 *tp) + for (i = 0; i < 200; i++) { + if (tr32(VCPU_STATUS) & VCPU_STATUS_INIT_DONE) + return 0; ++ if (pci_channel_offline(tp->pdev)) ++ return -ENODEV; ++ + udelay(100); + } + return -ENODEV; +@@ -1646,6 +1655,15 @@ static int tg3_poll_fw(struct tg3 *tp) + tg3_read_mem(tp, NIC_SRAM_FIRMWARE_MBOX, &val); + if (val == ~NIC_SRAM_FIRMWARE_MBOX_MAGIC1) + 
break; ++ if (pci_channel_offline(tp->pdev)) { ++ if (!tg3_flag(tp, NO_FWARE_REPORTED)) { ++ tg3_flag_set(tp, NO_FWARE_REPORTED); ++ netdev_info(tp->dev, "No firmware running\n"); ++ } ++ ++ break; ++ } ++ + udelay(10); + } + +@@ -3204,6 +3222,8 @@ static int tg3_nvram_write_block_buffere + ret = tg3_nvram_exec_cmd(tp, nvram_cmd); + if (ret) + break; ++ if (pci_channel_offline(tp->pdev)) ++ return -EBUSY; + } + return ret; + } +@@ -7674,6 +7694,14 @@ static int tg3_stop_block(struct tg3 *tp + tw32_f(ofs, val); + + for (i = 0; i < MAX_WAIT_CNT; i++) { ++ if (pci_channel_offline(tp->pdev)) { ++ dev_err(&tp->pdev->dev, ++ "tg3_stop_block device offline, " ++ "ofs=%lx enable_bit=%x\n", ++ ofs, enable_bit); ++ return -ENODEV; ++ } ++ + udelay(100); + val = tr32(ofs); + if ((val & enable_bit) == 0) +@@ -7697,6 +7725,13 @@ static int tg3_abort_hw(struct tg3 *tp, + + tg3_disable_ints(tp); + ++ if (pci_channel_offline(tp->pdev)) { ++ tp->rx_mode &= ~(RX_MODE_ENABLE | TX_MODE_ENABLE); ++ tp->mac_mode &= ~MAC_MODE_TDE_ENABLE; ++ err = -ENODEV; ++ goto err_no_dev; ++ } ++ + tp->rx_mode &= ~RX_MODE_ENABLE; + tw32_f(MAC_RX_MODE, tp->rx_mode); + udelay(10); +@@ -7745,6 +7780,7 @@ static int tg3_abort_hw(struct tg3 *tp, + err |= tg3_stop_block(tp, BUFMGR_MODE, BUFMGR_MODE_ENABLE, silent); + err |= tg3_stop_block(tp, MEMARB_MODE, MEMARB_MODE_ENABLE, silent); + ++err_no_dev: + for (i = 0; i < tp->irq_cnt; i++) { + struct tg3_napi *tnapi = &tp->napi[i]; + if (tnapi->hw_status) diff --git a/queue-3.4/series b/queue-3.4/series index 48546652dee..2175cb0a0c7 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
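Review bot: In the offline branch added to tg3_abort_hw(), `tp->rx_mode &= ~(RX_MODE_ENABLE | TX_MODE_ENABLE);` clears a TX flag in the RX mode word and never updates `tp->tx_mode`. That looks like a slip, given that the normal path just below clears `RX_MODE_ENABLE` from `tp->rx_mode` on its own. I would write it as `tp->rx_mode &= ~RX_MODE_ENABLE;` followed by `tp->tx_mode &= ~TX_MODE_ENABLE;`, so the cached state matches what the skipped register writes would have left. The error codes are also inconsistent: the new check in tg3_nvram_write_block_buffered() returns `-EBUSY` for an offline channel while tg3_poll_fw(), tg3_stop_block() and tg3_abort_hw() use `-ENODEV`.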
@@ -15,3 +15,28 @@ perf-fix-perf_lock_task_context-vs-rcu.patch
 sparc32-vm_area_struct-access-for-old-sun-sparcs.patch
 sparc64-address-congruence-property.patch
 sparc-tsb-must-be-flushed-before-tlb.patch
+bridge-fix-switched-interval-for-mld-query-types.patch
+ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
+ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
+macvtap-fix-recovery-from-gup-errors.patch
+net-tg3-avoid-delay-during-mmio-access.patch
+ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
+af_key-fix-info-leaks-in-notify-messages.patch
+sh_eth-fix-unhandled-rfe-interrupt.patch
+neighbour-fix-a-race-in-neigh_destroy.patch
+x25-fix-broken-locking-in-ioctl-error-paths.patch
+net-swap-ver-and-type-in-pppoe_hdr.patch
+ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch
+l2tp-add-missing-.owner-to-struct-pppox_proto.patch
+ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
+ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch
+sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
+ifb-fix-rcu_sched-self-detected-stalls.patch
+macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch
+ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
+9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
+dummy-fix-oops-when-loading-the-dummy-failed.patch
+ifb-fix-oops-when-loading-the-ifb-failed.patch
+atl1e-fix-dma-mapping-warnings.patch
+atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
+vlan-fix-a-race-in-egress-prio-management.patch
diff --git a/queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch b/queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch
new file mode 100644
index 00000000000..f0fea0a2bb4
--- /dev/null
+++ b/queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch
@@ -0,0 +1,78 @@
+From 7d22b5702289e3cf2d1c8bbad28929d495d9f93f Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov
+Date: Fri, 21 Jun 2013 01:12:21 +0400
+Subject: sh_eth: fix unhandled RFE interrupt
+
+From: Sergei Shtylyov
+
+[ Upstream commit ca8c35852138ee0585eaffe6b9f10a5261ea7771 ]
+
+EESR.RFE (receive FIFO overflow) interrupt is enabled by the driver on all SoCs
+and sh_eth_error() handles it but it's not present in any initializer/assignment
+of the 'eesr_err_check' field of 'struct sh_eth_cpu_data'. This leads to that
+interrupt not being handled and cleared, and finally to disabling IRQ and the
+driver being non-functional.
+
+Modify DEFAULT_EESR_ERR_CHECK macro and all explicit initializers of the above
+mentioned field to contain the EESR.RFE bit. Remove useless backslashes from the
+initializers, while at it.
+
+Signed-off-by: Sergei Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 17 +++++++++--------
+ drivers/net/ethernet/renesas/sh_eth.h | 2 +-
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -137,8 +137,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+ .rmcr_value = 0x00000001,
+
+ .tx_check = EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | EESR_RTO,
+- .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RDE |
+- EESR_RFRMER | EESR_TFE | EESR_TDE | EESR_ECI,
++ .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE |
++ EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE |
++ EESR_ECI,
+ .tx_error_check = EESR_TWB | EESR_TABT | EESR_TDE | EESR_TFE,
+
+ .apr = 1,
+@@ -252,9 +253,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+ .eesipr_value = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+
+ .tx_check = EESR_TC1 | EESR_FTC,
+- .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \
+- EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \
+- EESR_ECI,
++ .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
++ EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
++ EESR_TDE | EESR_ECI,
+ .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \
+ EESR_TFE,
+ .fdr_value = 0x0000072f,
+@@ -361,9 +362,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+ .eesipr_value = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+
+ .tx_check = EESR_TC1 | EESR_FTC,
+- .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \
+- EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \
+- EESR_ECI,
++ .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
++ EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
++ EESR_TDE | EESR_ECI,
+ .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \
+ EESR_TFE,
+
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -467,7 +467,7 @@ enum EESR_BIT {
+
+ #define DEFAULT_TX_CHECK (EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | \
+ EESR_RTO)
+-#define DEFAULT_EESR_ERR_CHECK (EESR_TWB | EESR_TABT | EESR_RABT | \
++#define DEFAULT_EESR_ERR_CHECK (EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE | \
+ EESR_RDE | EESR_RFRMER | EESR_ADE | \
+ EESR_TFE | EESR_TDE | EESR_ECI)
+ #define DEFAULT_TX_ERROR_CHECK (EESR_TWB | EESR_TABT | EESR_ADE | EESR_TDE | \
diff --git a/queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch b/queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
new file mode 100644
index 00000000000..0843348e0c6
--- /dev/null
+++ b/queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
@@ -0,0 +1,30 @@
+From 798b483877ed2d341e824511e5d4a430680f640c Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp
+Date: Mon, 1 Jul 2013 16:49:22 -0500
+Subject: sunvnet: vnet_port_remove must call unregister_netdev
+
+From: Dave Kleikamp
+
+[ Upstream commit aabb9875d02559ab9b928cd6f259a5cc4c21a589 ]
+
+The missing call to unregister_netdev() leaves the interface active
+after the driver is unloaded by rmmod.
+
+Signed-off-by: Dave Kleikamp
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sun/sunvnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -1243,6 +1243,8 @@ static int vnet_port_remove(struct vio_d
+ dev_set_drvdata(&vdev->dev, NULL);
+
+ kfree(port);
++
++ unregister_netdev(vp->dev);
+ }
+ return 0;
+ }
diff --git a/queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch b/queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch
new file mode 100644
index 00000000000..d7404b31ad1
--- /dev/null
+++ b/queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch
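Review bot: `unregister_netdev(vp->dev)` runs only after `kfree(port)` and the teardown before it, so the interface stays registered, and presumably still usable by the stack, while the port is being freed. Unless the code above the hunk has already unlinked the port from every path the netdev can reach, unregistering first is the safer order: move `unregister_netdev(vp->dev);` ahead of the teardown. It is also worth confirming that `vp` is a local captured before the free and that `vp->dev` is not shared with other ports, because removing one port would then take the device away from the rest. Neither can be checked here, since vnet_port_remove starts outside the hunk.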
@@ -0,0 +1,47 @@
+From 13283a8c109808988467f5a7f9adb8e29a54a94f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 18 Jul 2013 09:35:10 -0700
+Subject: vlan: fix a race in egress prio management
+
+From: Eric Dumazet
+
+[ Upstream commit 3e3aac497513c669e1c62c71e1d552ea85c1d974 ]
+
+egress_priority_map[] hash table updates are protected by rtnl,
+and we never remove elements until device is dismantled.
+
+We have to make sure that before inserting an new element in hash table,
+all its fields are committed to memory or else another cpu could
+find corrupt values and crash.
+
+Signed-off-by: Eric Dumazet
+Cc: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan_dev.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_
+ {
+ struct vlan_priority_tci_mapping *mp;
+
++ smp_rmb(); /* coupled with smp_wmb() in vlan_dev_set_egress_priority() */
++
+ mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)];
+ while (mp) {
+ if (mp->priority == skb->priority) {
+@@ -235,6 +237,11 @@ int vlan_dev_set_egress_priority(const s
+ np->next = mp;
+ np->priority = skb_prio;
+ np->vlan_qos = vlan_qos;
++ /* Before inserting this element in hash table, make sure all its fields
++ * are committed to memory.
++ * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask()
++ */
++ smp_wmb();
+ vlan->egress_priority_map[skb_prio & 0xF] = np;
+ if (vlan_qos)
+ vlan->nr_egress_mappings++;
diff --git a/queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch b/queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch
new file mode 100644
index 00000000000..0c654f83174
--- /dev/null
+++ b/queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch
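Review bot: The `smp_rmb()` in vlan_dev_get_egress_qos_mask sits before the load of `egress_priority_map[...]`, so it does not order that pointer load against the later reads of the entry's fields such as `mp->priority`. That is the ordering the `smp_wmb()` in vlan_dev_set_egress_priority is meant to pair with, so readers appear to rely on address-dependency ordering rather than on the barrier the comment names. Either place the barrier after the pointer is loaded, or state the real guarantee in the comment, e.g. `/* reads of *mp are ordered after the load of mp by address dependency */`. Both functions continue outside their hunks, so the full read path should be checked before changing it.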
@@ -0,0 +1,64 @@
+From 5b1332df6784cfb72bf8df79caf874fce021f965 Mon Sep 17 00:00:00 2001
+From: Dave Jones
+Date: Fri, 28 Jun 2013 12:13:52 -0400
+Subject: x25: Fix broken locking in ioctl error paths.
+
+From: Dave Jones
+
+[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ]
+
+Two of the x25 ioctl cases have error paths that break out of the function without
+unlocking the socket, leading to this warning:
+
+================================================
+[ BUG: lock held when returning to user space! ]
+3.10.0-rc7+ #36 Not tainted
+------------------------------------------------
+trinity-child2/31407 is leaving the kernel with locks still held!
+1 lock held by trinity-child2/31407:
+ #0: (sk_lock-AF_X25){+.+.+.}, at: [] x25_ioctl+0x8a/0x740 [x25]
+
+Signed-off-by: Dave Jones
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/x25/af_x25.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1586,11 +1586,11 @@ out_cud_release:
+ case SIOCX25CALLACCPTAPPRV: {
+ rc = -EINVAL;
+ lock_sock(sk);
+- if (sk->sk_state != TCP_CLOSE)
+- break;
+- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
++ if (sk->sk_state == TCP_CLOSE) {
++ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
++ rc = 0;
++ }
+ release_sock(sk);
+- rc = 0;
+ break;
+ }
+
+@@ -1598,14 +1598,15 @@ out_cud_release:
+ rc = -EINVAL;
+ lock_sock(sk);
+ if (sk->sk_state != TCP_ESTABLISHED)
+- break;
++ goto out_sendcallaccpt_release;
+ /* must call accptapprv above */
+ if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
+- break;
++ goto out_sendcallaccpt_release;
+ x25_write_internal(sk, X25_CALL_ACCEPTED);
+ x25->state = X25_STATE_3;
+- release_sock(sk);
+ rc = 0;
++out_sendcallaccpt_release:
++ release_sock(sk);
+ break;
+ }
+