From: Greg Kroah-Hartman
Date: Sat, 26 Oct 2013 17:46:30 +0000 (+0100)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.68~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9d899b812e8c4b64412e75ba75ce3da2261ee7b;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
        bnx2x-record-rx-queue-for-lro-packets.patch
        bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch
        can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch
        connector-use-nlmsg_len-to-check-message-length.patch
        davinci_emac.c-fix-iff_allmulti-setup.patch
        farsync-fix-info-leak-in-ioctl.patch
        inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
        ipv4-fix-ineffective-source-address-selection.patch
        ipv6-restrict-neighbor-entry-creation-to-output-flow.patch
        l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch
        net-do-not-call-sock_put-on-timewait-sockets.patch
        net-dst-provide-accessor-function-to-dst-xfrm.patch
        net-fix-cipso-packet-validation-when-netlabel.patch
        net-heap-overflow-in-__audit_sockaddr.patch
        net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch
        net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch
        net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch
        net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch
        proc-connector-fix-info-leaks.patch
        sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch
        sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch
        tcp-do-not-forget-fin-in-tcp_shifted_skb.patch
        tcp-must-unclone-packets-before-mangling-them.patch
        unix_diag-fix-info-leak.patch
        wanxl-fix-info-leak-in-ioctl.patch
---
diff --git a/queue-3.4/bnx2x-record-rx-queue-for-lro-packets.patch b/queue-3.4/bnx2x-record-rx-queue-for-lro-packets.patch
new file mode 100644
index 00000000000..b11e48c5b71
--- /dev/null
+++ b/queue-3.4/bnx2x-record-rx-queue-for-lro-packets.patch
@@ -0,0 +1,50 @@ +From a57d317b332165a84b020006af9d2c158cf267fc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 12 Oct 2013 14:08:34 -0700 +Subject: bnx2x: record rx queue for LRO packets + +From: Eric Dumazet + +[ Upstream commit 60e66fee56b2256dcb1dc2ea1b2ddcb6e273857d ] + +RPS support is kind of broken on bnx2x, because only non LRO packets +get proper rx queue information. This triggers reorders, as it seems +bnx2x like to generate a non LRO packet for segment including TCP PUSH +flag : (this might be pure coincidence, but all the reorders I've +seen involve segments with a PUSH) + +11:13:34.335847 IP A > B: . 415808:447136(31328) ack 1 win 457 +11:13:34.335992 IP A > B: . 447136:448560(1424) ack 1 win 457 +11:13:34.336391 IP A > B: . 448560:479888(31328) ack 1 win 457 +11:13:34.336425 IP A > B: P 511216:512640(1424) ack 1 win 457 +11:13:34.336423 IP A > B: . 479888:511216(31328) ack 1 win 457 +11:13:34.336924 IP A > B: . 512640:543968(31328) ack 1 win 457 +11:13:34.336963 IP A > B: . 543968:575296(31328) ack 1 win 457 + +We must call skb_record_rx_queue() to properly give to RPS (and more +generally for TX queue selection on forward path) the receive queue +information. + +Similar fix is needed for skb_mark_napi_id(), but will be handled +in a separate patch to ease stable backports. + +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Cc: Eilon Greenstein +Acked-by: Dmitry Kravkov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -547,6 +547,7 @@ static inline void bnx2x_tpa_stop(struct + skb, cqe, cqe_idx)) { + if (tpa_info->parsing_flags & PARSING_FLAGS_VLAN) + __vlan_hwaccel_put_tag(skb, tpa_info->vlan_tag); ++ skb_record_rx_queue(skb, fp->rx_queue); + napi_gro_receive(&fp->napi, skb); + } else { + DP(NETIF_MSG_RX_STATUS, 
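Review bot: the skb_record_rx_queue(skb, fp->rx_queue) call is added only in the TPA (LRO) completion path of bnx2x_tpa_stop(), which is the path the changelog says was missing the queue mapping; the ordinary non-TPA receive path is outside this hunk, so the backporter should confirm it already records fp->rx_queue in 3.4, otherwise RPS steering remains inconsistent between the two kinds of packets. Deferring skb_mark_napi_id() as the changelog says is correct for 3.4, which predates busy-poll support, so nothing else is required in this backport. This is a reordering and performance fix rather than a security fix, and it stands on its own with no prerequisite.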
diff --git a/queue-3.4/bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch b/queue-3.4/bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch new file mode 100644 index 00000000000..6beea61fdeb --- /dev/null +++ b/queue-3.4/bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch @@ -0,0 +1,39 @@ +From 49b5fdb265cd3b947e27bd8434c4070dc7ef6d2e Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 14:57:45 -0400 +Subject: bridge: Correctly clamp MAX forward_delay when enabling STP + +From: Vlad Yasevich + +[ Upstream commit 4b6c7879d84ad06a2ac5b964808ed599187a188d ] + +Commit be4f154d5ef0ca147ab6bcd38857a774133f5450 + bridge: Clamp forward_delay when enabling STP +had a typo when attempting to clamp maximum forward delay. + +It is possible to set bridge_forward_delay to be higher then +permitted maximum when STP is off. When turning STP on, the +higher then allowed delay has to be clamed down to max value. + +Signed-off-by: Vlad Yasevich +CC: Herbert Xu +CC: Stephen Hemminger +Reviewed-by: Veaceslav Falico +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_stp_if.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -134,7 +134,7 @@ static void br_stp_start(struct net_brid + + if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY) + __br_set_forward_delay(br, BR_MIN_FORWARD_DELAY); +- else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY) ++ else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY) + __br_set_forward_delay(br, BR_MAX_FORWARD_DELAY); + + if (r == 0) { diff --git a/queue-3.4/can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch b/queue-3.4/can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch new file mode 100644 index 00000000000..ab1460d744b --- /dev/null +++ b/queue-3.4/can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch 
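Review bot: the one-character fix matters more than the word "typo" suggests: with the original `< BR_MAX_FORWARD_DELAY` test, any forward_delay that was already inside the valid range got overwritten with BR_MAX_FORWARD_DELAY when STP was switched on, while a value above the maximum was the one left untouched, so both the in-range and the over-range cases were wrong. The context lines show the clamping block from be4f154d5ef0 is already present in 3.4's br_stp_start(), so the prerequisite is satisfied and this can be queued on its own.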
@@ -0,0 +1,41 @@ +From 87534b7959309129f7f6be19e23805aed8eb912c Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 5 Oct 2013 21:25:17 +0200 +Subject: can: dev: fix nlmsg size calculation in can_get_size() + +From: Marc Kleine-Budde + +[ Upstream commit fe119a05f8ca481623a8d02efcc984332e612528 ] + +This patch fixes the calculation of the nlmsg size, by adding the missing +nla_total_size(). + +Signed-off-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/dev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -665,14 +665,14 @@ static size_t can_get_size(const struct + size_t size; + + size = nla_total_size(sizeof(u32)); /* IFLA_CAN_STATE */ +- size += sizeof(struct can_ctrlmode); /* IFLA_CAN_CTRLMODE */ ++ size += nla_total_size(sizeof(struct can_ctrlmode)); /* IFLA_CAN_CTRLMODE */ + size += nla_total_size(sizeof(u32)); /* IFLA_CAN_RESTART_MS */ +- size += sizeof(struct can_bittiming); /* IFLA_CAN_BITTIMING */ +- size += sizeof(struct can_clock); /* IFLA_CAN_CLOCK */ ++ size += nla_total_size(sizeof(struct can_bittiming)); /* IFLA_CAN_BITTIMING */ ++ size += nla_total_size(sizeof(struct can_clock)); /* IFLA_CAN_CLOCK */ + if (priv->do_get_berr_counter) /* IFLA_CAN_BERR_COUNTER */ +- size += sizeof(struct can_berr_counter); ++ size += nla_total_size(sizeof(struct can_berr_counter)); + if (priv->bittiming_const) /* IFLA_CAN_BITTIMING_CONST */ +- size += sizeof(struct can_bittiming_const); ++ size += nla_total_size(sizeof(struct can_bittiming_const)); + + return size; + } diff --git a/queue-3.4/connector-use-nlmsg_len-to-check-message-length.patch b/queue-3.4/connector-use-nlmsg_len-to-check-message-length.patch new file mode 100644 index 00000000000..8c9b870213f --- /dev/null +++ b/queue-3.4/connector-use-nlmsg_len-to-check-message-length.patch 
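Review bot: the missing nla_total_size() wrappers made can_get_size() under-count each struct-valued attribute by NLA_HDRLEN plus alignment padding; because the netlink attribute writers check tailroom and fail with -EMSGSIZE rather than writing past the buffer, the symptom is a failed or truncated link dump for CAN devices, not memory corruption. The fix brings the five struct attributes in line with the existing IFLA_CAN_STATE line, which already used nla_total_size(sizeof(u32)), and the hunk context lists the same attributes as the 3.4 function, so it should apply cleanly.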
@@ -0,0 +1,45 @@ +From 6167e136d789ca819387fcdeebdb79a6ec89cf39 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:03:07 +0200 +Subject: connector: use nlmsg_len() to check message length + +From: Mathias Krause + +[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ] + +The current code tests the length of the whole netlink message to be +at least as long to fit a cn_msg. This is wrong as nlmsg_len includes +the length of the netlink message header. Use nlmsg_len() instead to +fix this "off-by-NLMSG_HDRLEN" size check. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/connector/connector.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_bu + static void cn_rx_skb(struct sk_buff *__skb) + { + struct nlmsghdr *nlh; +- int err; + struct sk_buff *skb; ++ int len, err; + + skb = skb_get(__skb); + + if (skb->len >= NLMSG_SPACE(0)) { + nlh = nlmsg_hdr(skb); ++ len = nlmsg_len(nlh); + +- if (nlh->nlmsg_len < sizeof(struct cn_msg) || ++ if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { ++ len > CONNECTOR_MAX_MSG_SIZE) { + kfree_skb(skb); + return; + } diff --git a/queue-3.4/davinci_emac.c-fix-iff_allmulti-setup.patch b/queue-3.4/davinci_emac.c-fix-iff_allmulti-setup.patch new file mode 100644 index 00000000000..90410e7fdf7 --- /dev/null +++ b/queue-3.4/davinci_emac.c-fix-iff_allmulti-setup.patch 
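Review bot: the (int) cast on sizeof(struct cn_msg) is load-bearing, not cosmetic: nlmsg_len() returns nlh->nlmsg_len - NLMSG_HDRLEN as an int, so a crafted header with nlmsg_len smaller than NLMSG_HDRLEN yields a negative len, and without the cast the comparison would promote len to size_t and let it pass as a huge value; with the cast the negative value fails `len < (int)sizeof(struct cn_msg)` and the skb is dropped. Computing `len` before the `skb->len < nlh->nlmsg_len` check is safe because the enclosing `skb->len >= NLMSG_SPACE(0)` test already guarantees the header is readable. The CONNECTOR_MAX_MSG_SIZE bound now applies to the payload rather than header plus payload, which is the intended meaning of the constant.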
@@ -0,0 +1,42 @@ +From 8aa5adcf6908d835e5ef6ead5c09068e537ee484 Mon Sep 17 00:00:00 2001 +From: Mariusz Ceier +Date: Mon, 21 Oct 2013 19:45:04 +0200 +Subject: davinci_emac.c: Fix IFF_ALLMULTI setup + +From: Mariusz Ceier + +[ Upstream commit d69e0f7ea95fef8059251325a79c004bac01f018 ] + +When IFF_ALLMULTI flag is set on interface and IFF_PROMISC isn't, +emac_dev_mcast_set should only enable RX of multicasts and reset +MACHASH registers. + +It does this, but afterwards it either sets up multicast MACs +filtering or disables RX of multicasts and resets MACHASH registers +again, rendering IFF_ALLMULTI flag useless. + +This patch fixes emac_dev_mcast_set, so that multicast MACs filtering and +disabling of RX of multicasts are skipped when IFF_ALLMULTI flag is set. + +Tested with kernel 2.6.37. + +Signed-off-by: Mariusz Ceier +Acked-by: Mugunthan V N +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/davinci_emac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -875,8 +875,7 @@ static void emac_dev_mcast_set(struct ne + netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES) { + mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); + emac_add_mcast(priv, EMAC_ALL_MULTI_SET, NULL); +- } +- if (!netdev_mc_empty(ndev)) { ++ } else if (!netdev_mc_empty(ndev)) { + struct netdev_hw_addr *ha; + + mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); diff --git a/queue-3.4/farsync-fix-info-leak-in-ioctl.patch b/queue-3.4/farsync-fix-info-leak-in-ioctl.patch new file mode 100644 index 00000000000..1b918a689d0 --- /dev/null +++ b/queue-3.4/farsync-fix-info-leak-in-ioctl.patch 
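Review bot: the `else if` fixes the fall-through, and because the first branch's condition (visible in the context line) also covers `netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES`, the per-address hash path is now skipped when the list exceeds the hardware limit as well, which is the desired behaviour since all-multi already covers it. The branch that disables multicast reception is outside this hunk; the backporter should confirm it is the `else` of the `!netdev_mc_empty()` test in 3.4's emac_dev_mcast_set(), since the changelog says that branch was also being reached. The changelog notes testing on 2.6.37 rather than 3.4, but the change is mechanical.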
@@ -0,0 +1,30 @@ +From bc614f7f8b6c78edf425608f2cde7a3d561d9e45 Mon Sep 17 00:00:00 2001 +From: Salva Peiró +Date: Fri, 11 Oct 2013 12:50:03 +0300 +Subject: farsync: fix info leak in ioctl + +From: Salva Peiró + +[ Upstream commit 96b340406724d87e4621284ebac5e059d67b2194 ] + +The fst_get_iface() code fails to initialize the two padding bytes of +struct sync_serial_settings after the ->loopback member. Add an explicit +memset(0) before filling the structure to avoid the info leak. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/farsync.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card + } + + i = port->index; ++ memset(&sync, 0, sizeof(sync)); + sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed); + /* Lucky card and linux use same encoding here */ + sync.clock_type = FST_RDB(card, portConfig[i].internalClock) == diff --git a/queue-3.4/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch b/queue-3.4/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch new file mode 100644 index 00000000000..1031b38060d --- /dev/null +++ b/queue-3.4/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch 
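Review bot: memset() is the right tool here rather than a `= { 0 }` initializer: the leak is in the padding bytes after ->loopback, and C does not require an initializer to zero struct padding, while memset() over sizeof(sync) does. Since the structure is handed to user space by the ioctl, the uninitialised bytes were kernel stack contents. One process point: the From: line names Salva Peiró but the only Signed-off-by is Dan Carpenter's; the upstream commit carries the same chain, so this is not a backport error, but the author's sign-off is missing from the DCO trail.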
@@ -0,0 +1,76 @@ +From 1d0a87b6347d4854cd0eadaa59c47c77d7171cad Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 22 Oct 2013 00:07:47 +0200 +Subject: inet: fix possible memory corruption with UDP_CORK and UFO + +From: Hannes Frederic Sowa + +[ This is a simplified -stable version of a set of upstream commits. ] + +This is a replacement patch only for stable which does fix the problems +handled by the following two commits in -net: + +"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) +"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) + +Three frames are written on a corked udp socket for which the output +netdevice has UFO enabled. If the first and third frame are smaller than +the mtu and the second one is bigger, we enqueue the second frame with +skb_append_datato_frags without initializing the gso fields. This leads +to the third frame appended regulary and thus constructing an invalid skb. + +This fixes the problem by always using skb_append_datato_frags as soon +as the first frag got enqueued to the skb without marking the packet +as SKB_GSO_UDP. + +The problem with only two frames for ipv6 was fixed by "ipv6: udp +packets following an UFO enqueued packet need also be handled by UFO" +(2811ebac2521ceac84f2bdae402455baa6a7fb47). 
+ +Cc: Jiri Pirko +Cc: Eric Dumazet +Cc: David Miller +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 5 +++++ + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1208,6 +1208,11 @@ static inline int skb_pagelen(const stru + return len + skb_headlen(skb); + } + ++static inline bool skb_has_frags(const struct sk_buff *skb) ++{ ++ return skb_shinfo(skb)->nr_frags; ++} ++ + /** + * __skb_fill_page_desc - initialise a paged fragment in an skb + * @skb: buffer containing fragment to be initialised +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -846,7 +846,7 @@ static int __ip_append_data(struct sock + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if (((length > mtu) || (skb && skb_is_gso(skb))) && ++ if (((length > mtu) || (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1345,7 +1345,7 @@ int ip6_append_data(struct sock *sk, int + skb = skb_peek_tail(&sk->sk_write_queue); + cork->length += length; + if (((length > mtu) || +- (skb && skb_is_gso(skb))) && ++ (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + err = ip6_ufo_append_data(sk, getfrag, from, length, diff --git a/queue-3.4/ipv4-fix-ineffective-source-address-selection.patch b/queue-3.4/ipv4-fix-ineffective-source-address-selection.patch new file mode 100644 index 00000000000..a935fcb5c9b --- /dev/null +++ b/queue-3.4/ipv4-fix-ineffective-source-address-selection.patch 
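Review bot: the two append-path hunks are not symmetric: the IPv4 condition keeps `&& !rt->dst.header_len` so the UFO path is skipped when the route carries a transform header, while the IPv6 condition has no equivalent; the backporter should confirm that asymmetry matches 3.4's existing code rather than being an oversight in this stable-only rewrite. On the substance, switching the test from skb_is_gso(skb) to the new skb_has_frags(skb) means any tail skb that already carries page frags sends the next write through ip_ufo_append_data()/ip6_ufo_append_data(); the changelog states this is intended and that the packet is not marked SKB_GSO_UDP, so correctness now rests on those helpers handling a non-GSO tail skb, which is worth a three-frame corked UDP test over a UFO device before release. The new skb_has_frags() helper does not collide with 3.4's skb_has_frag_list(), and the changelog correctly records that this replaces rather than backports the listed upstream commits.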
@@ -0,0 +1,33 @@ +From 91a8ae09a6eb2abee1b1c2a612f548c194b810af Mon Sep 17 00:00:00 2001 +From: Jiri Benc +Date: Fri, 4 Oct 2013 17:04:48 +0200 +Subject: ipv4: fix ineffective source address selection + +From: Jiri Benc + +[ Upstream commit 0a7e22609067ff524fc7bbd45c6951dd08561667 ] + +When sending out multicast messages, the source address in inet->mc_addr is +ignored and rewritten by an autoselected one. This is caused by a typo in +commit 813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output +route lookups"). + +Signed-off-by: Jiri Benc +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2713,7 +2713,7 @@ static struct rtable *ip_route_output_sl + RT_SCOPE_LINK); + goto make_route; + } +- if (fl4->saddr) { ++ if (!fl4->saddr) { + if (ipv4_is_multicast(fl4->daddr)) + fl4->saddr = inet_select_addr(dev_out, 0, + fl4->flowi4_scope); diff --git a/queue-3.4/ipv6-restrict-neighbor-entry-creation-to-output-flow.patch b/queue-3.4/ipv6-restrict-neighbor-entry-creation-to-output-flow.patch new file mode 100644 index 00000000000..0035597deac --- /dev/null +++ b/queue-3.4/ipv6-restrict-neighbor-entry-creation-to-output-flow.patch 
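Review bot: the inverted test meant the caller-supplied source address was the case that got overwritten by inet_select_addr() and the empty case was the one left alone, so a multicast sender that set inet->mc_addr transmitted from an auto-selected address instead; the `!fl4->saddr` form restores "select only when the caller gave nothing". The hunk context shows only the multicast/link-local selection branch, so the backporter should check that 3.4's ip_route_output_slow() has no later path that rewrites fl4->saddr for multicast, otherwise the symptom could persist.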
@@ -0,0 +1,93 @@ +From fad2fa08df45a84bd4e0a97ac7d6acad8c90c9fa Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner +Date: Tue, 8 Oct 2013 16:41:13 +0200 +Subject: ipv6: restrict neighbor entry creation to output flow + +From: Marcelo Ricardo Leitner + +This patch is based on 3.2.y branch, the one used by reporter. Please let me +know if it should be different. Thanks. + +The patch which introduced the regression was applied on stables: +3.0.64 3.4.31 3.7.8 3.2.39 + +The patch which introduced the regression was for stable trees only. + +---8<--- + +Commit 0d6a77079c475033cb622c07c5a880b392ef664e "ipv6: do not create +neighbor entries for local delivery" introduced a regression on +which routes to local delivery would not work anymore. Like this: + + $ ip -6 route add local 2001::/64 dev lo + $ ping6 -c1 2001::9 + PING 2001::9(2001::9) 56 data bytes + ping: sendmsg: Invalid argument + +As this is a local delivery, that commit would not allow the creation of a +neighbor entry and thus the packet cannot be sent. + +But as TPROXY scenario actually needs to avoid the neighbor entry creation only +for input flow, this patch now limits previous patch to input flow, keeping +output as before that patch. 
+ +Reported-by: Debabrata Banerjee +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: Jiri Pirko +Acked-by: Hannes Frederic Sowa +CC: Hannes Frederic Sowa +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -818,7 +818,7 @@ static struct rt6_info *rt6_alloc_clone( + } + + static struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table, int oif, +- struct flowi6 *fl6, int flags) ++ struct flowi6 *fl6, int flags, bool input) + { + struct fib6_node *fn; + struct rt6_info *rt, *nrt; +@@ -826,8 +826,11 @@ static struct rt6_info *ip6_pol_route(st + int attempts = 3; + int err; + int reachable = net->ipv6.devconf_all->forwarding ? 0 : RT6_LOOKUP_F_REACHABLE; ++ int local = RTF_NONEXTHOP; + + strict |= flags & RT6_LOOKUP_F_IFACE; ++ if (input) ++ local |= RTF_LOCAL; + + relookup: + read_lock_bh(&table->tb6_lock); +@@ -847,7 +850,7 @@ restart: + read_unlock_bh(&table->tb6_lock); + + if (!dst_get_neighbour_noref_raw(&rt->dst) && +- !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL))) ++ !(rt->rt6i_flags & local)) + nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr); + else if (!(rt->dst.flags & DST_HOST)) + nrt = rt6_alloc_clone(rt, &fl6->daddr); +@@ -891,7 +894,7 @@ out2: + static struct rt6_info *ip6_pol_route_input(struct net *net, struct fib6_table *table, + struct flowi6 *fl6, int flags) + { +- return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags); ++ return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags, true); + } + + static struct dst_entry *ip6_route_input_lookup(struct net *net, +@@ -924,7 +927,7 @@ void ip6_route_input(struct sk_buff *skb + static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table *table, + struct flowi6 *fl6, int flags) + { +- return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags); ++ return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags, false); + } + + 
struct dst_entry * ip6_route_output(struct net *net, const struct sock *sk, diff --git a/queue-3.4/l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch b/queue-3.4/l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch new file mode 100644 index 00000000000..02b304787dc --- /dev/null +++ b/queue-3.4/l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch 
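Review bot: the cover text above the ---8<--- marker ("This patch is based on 3.2.y branch ... Thanks.") is mailing-list chatter and should be trimmed from the queued patch so the changelog starts at the regression description. On substance, the hunk keeps RTF_NONEXTHOP in the no-neighbour exemption for both directions and adds RTF_LOCAL only when `input` is true, so output lookups to a `local` route create a neighbour entry again while the TPROXY input case stays as 0d6a77079c47 left it. The context line `!(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL))` confirms that stable-only commit is already in 3.4 (3.4.31 per the header), so the patch applies as intended; the absence of an upstream commit id is expected because the regression exists only in stable trees.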
@@ -0,0 +1,201 @@ +From 3c1e2fcbfe9c5bd21e0968f229b4f0e535ad1c17 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 10 Oct 2013 06:30:09 -0700 +Subject: l2tp: must disable bh before calling l2tp_xmit_skb() + +From: Eric Dumazet + +[ Upstream commit 455cc32bf128e114455d11ad919321ab89a2c312 ] + +François Cachereul made a very nice bug report and suspected +the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from +process context was not good. + +This problem was added by commit 6af88da14ee284aaad6e4326da09a89191ab6165 +("l2tp: Fix locking in l2tp_core.c"). + +l2tp_eth_dev_xmit() runs from BH context, so we must disable BH +from other l2tp_xmit_skb() users. + +[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662] +[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox +ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod +virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan] +[ 452.064012] CPU 1 +[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! 
[accel-pppd:6643] +[ 452.080015] CPU 2 +[ 452.080015] +[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs +[ 452.080015] RIP: 0010:[] [] do_raw_spin_lock+0x17/0x1f +[ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293 +[ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000 +[ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110 +[ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000 +[ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286 +[ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000 +[ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000 +[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0 +[ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0) +[ 452.080015] Stack: +[ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1 +[ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e +[ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600 +[ 452.080015] Call Trace: +[ 452.080015] [] _raw_spin_lock+0xe/0x10 +[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] +[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.080015] [] sock_sendmsg+0xa1/0xb6 +[ 452.080015] [] ? __schedule+0x5c1/0x616 +[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c +[ 452.080015] [] ? fget_light+0x75/0x89 +[ 452.080015] [] ? 
sockfd_lookup_light+0x20/0x56 +[ 452.080015] [] sys_sendto+0x10c/0x13b +[ 452.080015] [] system_call_fastpath+0x16/0x1b +[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 +[ 452.080015] Call Trace: +[ 452.080015] [] _raw_spin_lock+0xe/0x10 +[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] +[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.080015] [] sock_sendmsg+0xa1/0xb6 +[ 452.080015] [] ? __schedule+0x5c1/0x616 +[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c +[ 452.080015] [] ? fget_light+0x75/0x89 +[ 452.080015] [] ? sockfd_lookup_light+0x20/0x56 +[ 452.080015] [] sys_sendto+0x10c/0x13b +[ 452.080015] [] system_call_fastpath+0x16/0x1b +[ 452.064012] +[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs +[ 452.064012] RIP: 0010:[] [] do_raw_spin_lock+0x19/0x1f +[ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297 +[ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002 +[ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110 +[ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c +[ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18 +[ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0 +[ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000 +[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0 +[ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410) +[ 
452.064012] Stack: +[ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a +[ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62 +[ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276 +[ 452.064012] Call Trace: +[ 452.064012] +[ 452.064012] [] _raw_spin_lock+0xe/0x10 +[ 452.064012] [] spin_lock+0x9/0xb +[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 +[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae +[ 452.064012] [] ? raw_rcv+0xe9/0xf0 +[ 452.064012] [] udp_rcv+0x1a/0x1c +[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 +[ 452.064012] [] ip_local_deliver+0x53/0x84 +[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 +[ 452.064012] [] ip_rcv+0x210/0x269 +[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb +[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 +[ 452.064012] [] netif_receive_skb+0x57/0x5e +[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b +[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] +[ 452.064012] [] net_rx_action+0x73/0x184 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] __do_softirq+0xc3/0x1a8 +[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 +[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 +[ 452.064012] [] call_softirq+0x1c/0x26 +[ 452.064012] [] do_softirq+0x45/0x82 +[ 452.064012] [] irq_exit+0x42/0x9c +[ 452.064012] [] do_IRQ+0x8e/0xa5 +[ 452.064012] [] common_interrupt+0x6e/0x6e +[ 452.064012] +[ 452.064012] [] ? kfree+0x8a/0xa3 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] +[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.064012] [] sock_sendmsg+0xa1/0xb6 +[ 452.064012] [] ? __schedule+0x5c1/0x616 +[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c +[ 452.064012] [] ? fget_light+0x75/0x89 +[ 452.064012] [] ? 
sockfd_lookup_light+0x20/0x56 +[ 452.064012] [] sys_sendto+0x10c/0x13b +[ 452.064012] [] system_call_fastpath+0x16/0x1b +[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48 +[ 452.064012] Call Trace: +[ 452.064012] [] _raw_spin_lock+0xe/0x10 +[ 452.064012] [] spin_lock+0x9/0xb +[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 +[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae +[ 452.064012] [] ? raw_rcv+0xe9/0xf0 +[ 452.064012] [] udp_rcv+0x1a/0x1c +[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 +[ 452.064012] [] ip_local_deliver+0x53/0x84 +[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 +[ 452.064012] [] ip_rcv+0x210/0x269 +[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb +[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 +[ 452.064012] [] netif_receive_skb+0x57/0x5e +[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b +[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] +[ 452.064012] [] net_rx_action+0x73/0x184 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] __do_softirq+0xc3/0x1a8 +[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 +[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 +[ 452.064012] [] call_softirq+0x1c/0x26 +[ 452.064012] [] do_softirq+0x45/0x82 +[ 452.064012] [] irq_exit+0x42/0x9c +[ 452.064012] [] do_IRQ+0x8e/0xa5 +[ 452.064012] [] common_interrupt+0x6e/0x6e +[ 452.064012] [] ? kfree+0x8a/0xa3 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] +[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.064012] [] sock_sendmsg+0xa1/0xb6 +[ 452.064012] [] ? __schedule+0x5c1/0x616 +[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c +[ 452.064012] [] ? fget_light+0x75/0x89 +[ 452.064012] [] ? 
sockfd_lookup_light+0x20/0x56 +[ 452.064012] [] sys_sendto+0x10c/0x13b +[ 452.064012] [] system_call_fastpath+0x16/0x1b + +Reported-by: François Cachereul +Tested-by: François Cachereul +Signed-off-by: Eric Dumazet +Cc: James Chapman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -357,7 +357,9 @@ static int pppol2tp_sendmsg(struct kiocb + goto error_put_sess_tun; + } + ++ local_bh_disable(); + l2tp_xmit_skb(session, skb, session->hdr_len); ++ local_bh_enable(); + + sock_put(ps->tunnel_sock); + sock_put(sk); +@@ -432,7 +434,9 @@ static int pppol2tp_xmit(struct ppp_chan + skb->data[0] = ppph[0]; + skb->data[1] = ppph[1]; + ++ local_bh_disable(); + l2tp_xmit_skb(session, skb, session->hdr_len); ++ local_bh_enable(); + + sock_put(sk_tun); + sock_put(sk); diff --git a/queue-3.4/net-do-not-call-sock_put-on-timewait-sockets.patch b/queue-3.4/net-do-not-call-sock_put-on-timewait-sockets.patch new file mode 100644 index 00000000000..78e9a0cb635 --- /dev/null +++ b/queue-3.4/net-do-not-call-sock_put-on-timewait-sockets.patch 
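Review bot: the trace for pid 6662 is the one that justifies the fix: it shows l2tp_xmit_skb() in process context interrupted by do_IRQ -> net_rx_action -> udp_queue_rcv_skb() on the same CPU, which then spins on the socket lock that the interrupted l2tp_xmit_skb() already holds via bh_lock_sock(); bh_lock_sock() does not disable BH, so the softirq self-deadlocks. Wrapping both callers in local_bh_disable()/local_bh_enable() closes that window. If pppol2tp_xmit() is reached with BH already disabled by its PPP channel caller, the extra pair is harmless because the BH-disable count nests. One changelog point: each oops trace is pasted twice, which doubles the length of the commit message for no extra information; trimming the duplicates would help anyone reading the stable history.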
@@ -0,0 +1,44 @@ +From f7ce17797edc31ceda97040dbfe8e47b72344618 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 1 Oct 2013 21:04:11 -0700 +Subject: net: do not call sock_put() on TIMEWAIT sockets + +From: Eric Dumazet + +[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ] + +commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / +hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. + +We should instead use inet_twsk_put() + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_hashtables.c | 2 +- + net/ipv6/inet6_hashtables.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -268,7 +268,7 @@ begintw: + } + if (unlikely(!INET_TW_MATCH(sk, net, hash, acookie, + saddr, daddr, ports, dif))) { +- sock_put(sk); ++ inet_twsk_put(inet_twsk(sk)); + goto begintw; + } + goto out; +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -110,7 +110,7 @@ begintw: + goto out; + } + if (!INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif)) { +- sock_put(sk); ++ inet_twsk_put(inet_twsk(sk)); + goto begintw; + } + goto out; diff --git a/queue-3.4/net-dst-provide-accessor-function-to-dst-xfrm.patch b/queue-3.4/net-dst-provide-accessor-function-to-dst-xfrm.patch new file mode 100644 index 00000000000..3b523400c53 --- /dev/null +++ b/queue-3.4/net-dst-provide-accessor-function-to-dst-xfrm.patch 
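Review bot: sock_put() on a TIMEWAIT socket is wrong even though it compiles, because an inet_timewait_sock is not a full struct sock: when the refcount reaches zero sock_put() frees it through sk_free(), whereas inet_twsk_put() releases it through the timewait-specific path it was allocated from. Both hunks sit in the `begintw:` retry loop of the lockless lookup, so the bad call only executes when a TIMEWAIT entry is matched and then fails INET_TW_MATCH()/INET6_TW_MATCH() under the nulls-list race, which explains how it survived since 3ab5aee7fe84. IPv4 and IPv6 are fixed symmetrically; nothing else in the lookup needs to change.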
@@ -0,0 +1,45 @@ +From 0bcc2bad7fea496c21fb7095d5b1ffa47036b5ce Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 22:01:29 -0400 +Subject: net: dst: provide accessor function to dst->xfrm + +From: Vlad Yasevich + +[ Upstream commit e87b3998d795123b4139bc3f25490dd236f68212 ] + +dst->xfrm is conditionally defined. Provide accessor funtion that +is always available. + +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -464,10 +464,22 @@ static inline struct dst_entry *xfrm_loo + { + return dst_orig; + } ++ ++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) ++{ ++ return NULL; ++} ++ + #else + extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, + const struct flowi *fl, struct sock *sk, + int flags); ++ ++/* skb attached with this dst needs transformation if dst->xfrm is valid */ ++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) ++{ ++ return dst->xfrm; ++} + #endif + + #endif /* _NET_DST_H */ diff --git a/queue-3.4/net-fix-cipso-packet-validation-when-netlabel.patch b/queue-3.4/net-fix-cipso-packet-validation-when-netlabel.patch new file mode 100644 index 00000000000..f7add13c7c7 --- /dev/null +++ b/queue-3.4/net-fix-cipso-packet-validation-when-netlabel.patch 
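Review bot: this is a preparatory helper with no behaviour change; its purpose in this batch is to let sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch from the cover list build with and without CONFIG_XFRM, so it must be queued ahead of that patch. The stub in the !CONFIG_XFRM branch returns NULL and the real accessor returns dst->xfrm, so callers can test `dst_xfrm(dst)` without an #ifdef; both definitions are static inline, so there is no symbol export to worry about.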
@@ -0,0 +1,54 @@ +From 08414cb6947bb04badfb47c97c082166a6e029cb Mon Sep 17 00:00:00 2001 +From: Seif Mazareeb +Date: Thu, 17 Oct 2013 20:33:21 -0700 +Subject: net: fix cipso packet validation when !NETLABEL + +From: Seif Mazareeb + +[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ] + +When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop +forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel +crash in an SMP system, since the CPU executing this function will +stall /not respond to IPIs. + +This problem can be reproduced by running the IP Stack Integrity Checker +(http://isic.sourceforge.net) using the following command on a Linux machine +connected to DUT: + +"icmpsic -s rand -d -r 123456" +wait (1-2 min) + +Signed-off-by: Seif Mazareeb +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cipso_ipv4.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/include/net/cipso_ipv4.h ++++ b/include/net/cipso_ipv4.h +@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons + unsigned char err_offset = 0; + u8 opt_len = opt[1]; + u8 opt_iter; ++ u8 tag_len; + + if (opt_len < 8) { + err_offset = 1; +@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons + } + + for (opt_iter = 6; opt_iter < opt_len;) { +- if (opt[opt_iter + 1] > (opt_len - opt_iter)) { ++ tag_len = opt[opt_iter + 1]; ++ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) { + err_offset = opt_iter + 1; + goto out; + } +- opt_iter += opt[opt_iter + 1]; ++ opt_iter += tag_len; + } + + out: diff --git a/queue-3.4/net-heap-overflow-in-__audit_sockaddr.patch b/queue-3.4/net-heap-overflow-in-__audit_sockaddr.patch new file mode 100644 index 00000000000..bf185cc2b24 --- /dev/null +++ b/queue-3.4/net-heap-overflow-in-__audit_sockaddr.patch 
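Review bot: in the second include/net/cipso_ipv4.h hunk the new condition introduces `tag_len` but the length comparison still reads `opt[opt_iter + 1]` a second time; write it as `if (tag_len == 0 || tag_len > opt_len - opt_iter)` so the two checks cannot drift apart. A short comment that a zero tag length leaves `opt_iter` unchanged and spins the `for` loop forever (the stall described in the message) would document why the zero check exists; it is also worth confirming whether the minimum valid CIPSO tag length is larger than one, since a length of 1 advances the loop by a single byte.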
@@ -0,0 +1,86 @@ +From c868e4afb84b7fe6c502d7f059bd21492cf932a5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 3 Oct 2013 00:27:20 +0300 +Subject: net: heap overflow in __audit_sockaddr() + +From: Dan Carpenter + +[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ] + +We need to cap ->msg_namelen or it leads to a buffer overflow when we +to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to +exploit this bug. + +The call tree is: +___sys_recvmsg() + move_addr_to_user() + audit_sockaddr() + __audit_sockaddr() + +Reported-by: Jüri Aedla +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/compat.c | 2 ++ + net/socket.c | 24 ++++++++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +--- a/net/compat.c ++++ b/net/compat.c +@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) ++ return -EINVAL; + kmsg->msg_name = compat_ptr(tmp1); + kmsg->msg_iov = compat_ptr(tmp2); + kmsg->msg_control = compat_ptr(tmp3); +--- a/net/socket.c ++++ b/net/socket.c +@@ -1899,6 +1899,16 @@ struct used_address { + unsigned int name_len; + }; + ++static int copy_msghdr_from_user(struct msghdr *kmsg, ++ struct msghdr __user *umsg) ++{ ++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) ++ return -EFAULT; ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) ++ return -EINVAL; ++ return 0; ++} ++ + static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, + struct msghdr *msg_sys, unsigned flags, + struct used_address *used_address) +@@ -1917,8 +1927,11 @@ static int ___sys_sendmsg(struct socket + if (MSG_CMSG_COMPAT & flags) { + if (get_compat_msghdr(msg_sys, msg_compat)) + return -EFAULT; +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) +- return 
-EFAULT; ++ } else { ++ err = copy_msghdr_from_user(msg_sys, msg); ++ if (err) ++ return err; ++ } + + /* do not move before msg_sys is valid */ + err = -EMSGSIZE; +@@ -2129,8 +2142,11 @@ static int ___sys_recvmsg(struct socket + if (MSG_CMSG_COMPAT & flags) { + if (get_compat_msghdr(msg_sys, msg_compat)) + return -EFAULT; +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) +- return -EFAULT; ++ } else { ++ err = copy_msghdr_from_user(msg_sys, msg); ++ if (err) ++ return err; ++ } + + err = -EMSGSIZE; + if (msg_sys->msg_iovlen > UIO_MAXIOV) diff --git a/queue-3.4/net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch b/queue-3.4/net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch new file mode 100644 index 00000000000..4386dbe5f46 --- /dev/null +++ b/queue-3.4/net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch 
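Review bot: the error code now differs between the two ABIs in net-heap-overflow-in-__audit_sockaddr.patch. The net/compat.c hunk makes get_compat_msghdr() return -EINVAL for an oversized msg_namelen, but both callers in the net/socket.c hunks keep `if (get_compat_msghdr(msg_sys, msg_compat)) return -EFAULT;`, so compat callers see EFAULT where native callers (via the new copy_msghdr_from_user()) see EINVAL. Suggest `err = get_compat_msghdr(msg_sys, msg_compat); if (err) return err;` to mirror the native branch. The cap itself is the right fix: bounding msg_namelen to sizeof(struct sockaddr_storage) before anything copies the name is what prevents the overrun described in the message.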
@@ -0,0 +1,41 @@ +From d55f1ab4348a82471e38614a8183bca97d3bb2aa Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth +Date: Wed, 2 Oct 2013 12:57:21 +0200 +Subject: net: mv643xx_eth: fix orphaned statistics timer crash + +From: Sebastian Hesselbarth + +[ Upstream commit f564412c935111c583b787bcc18157377b208e2e ] + +The periodic statistics timer gets started at port _probe() time, but +is stopped on _stop() only. In a modular environment, this can cause +the timer to access already deallocated memory, if the module is unloaded +without starting the eth device. To fix this, we add the timer right +before the port is started, instead of at _probe() time. + +Signed-off-by: Sebastian Hesselbarth +Acked-by: Jason Cooper +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2368,6 +2368,7 @@ static int mv643xx_eth_open(struct net_d + mp->int_mask |= INT_TX_END_0 << i; + } + ++ add_timer(&mp->mib_counters_timer); + port_start(mp); + + wrlp(mp, INT_MASK_EXT, INT_EXT_LINK_PHY | INT_EXT_TX); +@@ -2909,7 +2910,6 @@ static int mv643xx_eth_probe(struct plat + mp->mib_counters_timer.data = (unsigned long)mp; + mp->mib_counters_timer.function = mib_counters_timer_wrapper; + mp->mib_counters_timer.expires = jiffies + 30 * HZ; +- add_timer(&mp->mib_counters_timer); + + spin_lock_init(&mp->mib_counters_lock); + diff --git a/queue-3.4/net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch b/queue-3.4/net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch new file mode 100644 index 00000000000..309a965a77b --- /dev/null +++ b/queue-3.4/net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch 
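Review bot: moving add_timer() into mv643xx_eth_open() leaves `mp->mib_counters_timer.expires = jiffies + 30 * HZ` in the probe hunk's unchanged context, so the expiry is still computed at probe time; if the port is first opened more than 30 s after probe, the timer fires immediately on open. Use `mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ)` in open (or set `expires` there before add_timer) so the first statistics update comes 30 s after the port starts.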
@@ -0,0 +1,41 @@ +From b6f073a85799fc00d41250c4fc254d499d59d51f Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth +Date: Wed, 2 Oct 2013 12:57:20 +0200 +Subject: net: mv643xx_eth: update statistics timer from timer context only + +From: Sebastian Hesselbarth + +[ Upstream commit 041b4ddb84989f06ff1df0ca869b950f1ee3cb1c ] + +Each port driver installs a periodic timer to update port statistics +by calling mib_counters_update. As mib_counters_update is also called +from non-timer context, we should not reschedule the timer there but +rather move it to timer-only context. + +Signed-off-by: Sebastian Hesselbarth +Acked-by: Jason Cooper +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -1274,15 +1274,13 @@ static void mib_counters_update(struct m + p->rx_discard += rdlp(mp, RX_DISCARD_FRAME_CNT); + p->rx_overrun += rdlp(mp, RX_OVERRUN_FRAME_CNT); + spin_unlock_bh(&mp->mib_counters_lock); +- +- mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); + } + + static void mib_counters_timer_wrapper(unsigned long _mp) + { + struct mv643xx_eth_private *mp = (void *)_mp; +- + mib_counters_update(mp); ++ mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); + } + + diff --git a/queue-3.4/net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch b/queue-3.4/net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch new file mode 100644 index 00000000000..e8ae75ab972 --- /dev/null +++ b/queue-3.4/net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch 
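Review bot: the commit message says mib_counters_update() is also called from non-timer context but does not name those callers; listing them, and whether any runs after _stop() has cancelled the timer, would show the stable reader why rescheduling from inside mib_counters_update() could re-arm a timer that should stay stopped. The blank-line removals in mib_counters_timer_wrapper() are unrelated whitespace churn; of the 3 deletions in the diffstat, two are blank lines.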
@@ -0,0 +1,87 @@ +From dd70abfaaea5edbf4e54205fff1118f51507012d Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 17 Oct 2013 22:51:31 +0200 +Subject: net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race + +From: Daniel Borkmann + +[ Upstream commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 ] + +In the case of credentials passing in unix stream sockets (dgram +sockets seem not affected), we get a rather sparse race after +commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default"). + +We have a stream server on receiver side that requests credential +passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED +on each spawned/accepted socket on server side to 1 first (as it's +not inherited), it can happen that in the time between accept() and +setsockopt() we get interrupted, the sender is being scheduled and +continues with passing data to our receiver. At that time SO_PASSCRED +is neither set on sender nor receiver side, hence in cmsg's +SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534 +(== overflow{u,g}id) instead of what we actually would like to see. + +On the sender side, here nc -U, the tests in maybe_add_creds() +invoked through unix_stream_sendmsg() would fail, as at that exact +time, as mentioned, the sender has neither SO_PASSCRED on his side +nor sees it on the server side, and we have a valid 'other' socket +in place. Thus, sender believes it would just look like a normal +connection, not needing/requesting SO_PASSCRED at that time. + +As reverting 16e5726 would not be an option due to the significant +performance regression reported when having creds always passed, +one way/trade-off to prevent that would be to set SO_PASSCRED on +the listener socket and allow inheriting these flags to the spawned +socket on server side in accept(). It seems also logical to do so +if we'd tell the listener socket to pass those flags onwards, and +would fix the race. 
+ +Before, strace: + +recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], + msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}}, + msg_flags=0}, 0) = 5 + +After, strace: + +recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], + msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}}, + msg_flags=0}, 0) = 5 + +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Cc: Eric W. Biederman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1247,6 +1247,15 @@ static int unix_socketpair(struct socket + return 0; + } + ++static void unix_sock_inherit_flags(const struct socket *old, ++ struct socket *new) ++{ ++ if (test_bit(SOCK_PASSCRED, &old->flags)) ++ set_bit(SOCK_PASSCRED, &new->flags); ++ if (test_bit(SOCK_PASSSEC, &old->flags)) ++ set_bit(SOCK_PASSSEC, &new->flags); ++} ++ + static int unix_accept(struct socket *sock, struct socket *newsock, int flags) + { + struct sock *sk = sock->sk; +@@ -1281,6 +1290,7 @@ static int unix_accept(struct socket *so + /* attach accepted sock to socket */ + unix_state_lock(tsk); + newsock->state = SS_CONNECTED; ++ unix_sock_inherit_flags(sock, newsock); + sock_graft(tsk, newsock); + unix_state_unlock(tsk); + return 0; diff --git a/queue-3.4/net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch b/queue-3.4/net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch new file mode 100644 index 00000000000..bbdb05014ee --- /dev/null +++ b/queue-3.4/net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch 
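Review bot: unix_sock_inherit_flags() in the first net/unix/af_unix.c hunk changes accept() semantics for AF_UNIX (accepted sockets now carry SOCK_PASSCRED/SOCK_PASSSEC from the listener), which is not documented anywhere in the code; add a comment above the helper saying it closes the accept()/setsockopt() window described in the message, and consider a follow-up to the unix(7) documentation. The helper reads `old->flags` without the listener's lock while the call site in the second hunk holds only unix_state_lock(tsk); if test_bit()/set_bit() on the flags word are sufficient without that lock, a one-line comment saying so will stop the next reader from adding one.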
@@ -0,0 +1,31 @@ +From 9f5ee4f8175bb385f2450e334ddec2a6cdd1edbe Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 7 Oct 2013 23:19:58 +0200 +Subject: net: vlan: fix nlmsg size calculation in vlan_get_size() + +From: Marc Kleine-Budde + +[ Upstream commit c33a39c575068c2ea9bffb22fd6de2df19c74b89 ] + +This patch fixes the calculation of the nlmsg size, by adding the missing +nla_total_size(). + +Cc: Patrick McHardy +Signed-off-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -152,7 +152,7 @@ static size_t vlan_get_size(const struct + struct vlan_dev_priv *vlan = vlan_dev_priv(dev); + + return nla_total_size(2) + /* IFLA_VLAN_ID */ +- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */ ++ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */ + vlan_qos_map_size(vlan->nr_ingress_mappings) + + vlan_qos_map_size(vlan->nr_egress_mappings); + } diff --git a/queue-3.4/proc-connector-fix-info-leaks.patch b/queue-3.4/proc-connector-fix-info-leaks.patch new file mode 100644 index 00000000000..c0f9a38ae65 --- /dev/null +++ b/queue-3.4/proc-connector-fix-info-leaks.patch 
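Review bot: the change in vlan_get_size() is correct, a bare `sizeof(struct ifla_vlan_flags)` under-counts because it omits what nla_total_size() adds for the attribute, which is exactly what the message describes. Style point on the unchanged context line above it: `nla_total_size(2) /* IFLA_VLAN_ID */` uses a magic 2 where `sizeof(u16)` would document the attribute type; worth changing while this expression is being touched.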
@@ -0,0 +1,151 @@ +From 5a26a90514e24502d3ec53596ece466899aa4d95 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:03:06 +0200 +Subject: proc connector: fix info leaks + +From: Mathias Krause + +[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ] + +Initialize event_data for all possible message types to prevent leaking +kernel stack contents to userland (up to 20 bytes). Also set the flags +member of the connector message to 0 to prevent leaking two more stack +bytes this way. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/connector/cn_proc.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/connector/cn_proc.c ++++ b/drivers/connector/cn_proc.c +@@ -64,6 +64,7 @@ void proc_fork_connector(struct task_str + + msg = (struct cn_msg*)buffer; + ev = (struct proc_event*)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -79,6 +80,7 @@ void proc_fork_connector(struct task_str + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + /* If cn_netlink_send() failed, the data is not sent */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } +@@ -95,6 +97,7 @@ void proc_exec_connector(struct task_str + + msg = (struct cn_msg*)buffer; + ev = (struct proc_event*)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -105,6 +108,7 @@ void proc_exec_connector(struct task_str + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + 
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -121,6 +125,7 @@ void proc_id_connector(struct task_struc + + msg = (struct cn_msg*)buffer; + ev = (struct proc_event*)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + ev->what = which_id; + ev->event_data.id.process_pid = task->pid; + ev->event_data.id.process_tgid = task->tgid; +@@ -144,6 +149,7 @@ void proc_id_connector(struct task_struc + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -159,6 +165,7 @@ void proc_sid_connector(struct task_stru + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -169,6 +176,7 @@ void proc_sid_connector(struct task_stru + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -184,6 +192,7 @@ void proc_ptrace_connector(struct task_s + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -202,6 +211,7 @@ void proc_ptrace_connector(struct task_s + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -217,6 +227,7 @@ void proc_comm_connector(struct task_str + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ 
memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -228,6 +239,7 @@ void proc_comm_connector(struct task_str + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -243,6 +255,7 @@ void proc_exit_connector(struct task_str + + msg = (struct cn_msg*)buffer; + ev = (struct proc_event*)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -255,6 +268,7 @@ void proc_exit_connector(struct task_str + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -278,6 +292,7 @@ static void cn_proc_ack(int err, int rcv + + msg = (struct cn_msg*)buffer; + ev = (struct proc_event*)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + msg->seq = rcvd_seq; + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -287,6 +302,7 @@ static void cn_proc_ack(int err, int rcv + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = rcvd_ack + 1; + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + diff --git a/queue-3.4/sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch b/queue-3.4/sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch new file mode 100644 index 00000000000..ebce014427d --- /dev/null 
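Review bot: the same two lines (`memset(&ev->event_data, 0, sizeof(ev->event_data));` and `msg->flags = 0; /* not used */`) are added to all eight functions in drivers/connector/cn_proc.c, which is how the original leak crept in one function at a time. Factor the common header setup (seq/ack/len/flags plus the zeroing) into one helper, with cn_proc_ack() passing its own ack value since it sets `msg->ack = rcvd_ack + 1` rather than 0. Zeroing the whole `struct proc_event` (or the whole `buffer`) once would also cover any compiler padding outside the event_data union, which the per-member memset does not.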
+++ b/queue-3.4/sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch @@ -0,0 +1,37 @@ +From dfda90b72cc54dc1166005c49d844f4ee055c039 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 22:01:31 -0400 +Subject: sctp: Perform software checksum if packet has to be fragmented. + +From: Vlad Yasevich + +[ Upstream commit d2dbbba77e95dff4b4f901fee236fef6d9552072 ] + +IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum. +This causes problems if SCTP packets has to be fragmented and +ipsummed has been set to PARTIAL due to checksum offload support. +This condition can happen when retransmitting after MTU discover, +or when INIT or other control chunks are larger then MTU. +Check for the rare fragmentation condition in SCTP and use software +checksum calculation in this case. + +CC: Fan Du +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -519,7 +519,7 @@ int sctp_packet_transmit(struct sctp_pac + */ + if (!sctp_checksum_disable) { + if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || +- (dst_xfrm(dst) != NULL)) { ++ (dst_xfrm(dst) != NULL) || packet->ipfragok) { + __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); + + /* 3) Put the resultant value into the checksum field in the diff --git a/queue-3.4/sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch b/queue-3.4/sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch new file mode 100644 index 00000000000..208daca58de --- /dev/null +++ b/queue-3.4/sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch 
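Review bot: the condition in sctp_packet_transmit() now has three reasons to fall back to software CRC32-C (no NETIF_F_SCTP_CSUM, an xfrm transform, or `packet->ipfragok`) and none of them is named in the code; a short comment above the `if` stating them, in particular that IP fragmentation only knows how to complete TCP/UDP checksums as the message explains, makes the check auditable without the commit log. The hunk also carries the `dst_xfrm(dst) != NULL` line from the preceding sctp patch as context, so the two patches must stay in this order.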
@@ -0,0 +1,38 @@ +From 8039b7fa7a658a8035e6b9b371d1754b6f2b4cac Mon Sep 17 00:00:00 2001 +From: Fan Du +Date: Tue, 15 Oct 2013 22:01:30 -0400 +Subject: sctp: Use software crc32 checksum when xfrm transform will happen. + +From: Fan Du + +[ Upstream commit 27127a82561a2a3ed955ce207048e1b066a80a2a ] + +igb/ixgbe have hardware sctp checksum support, when this feature is enabled +and also IPsec is armed to protect sctp traffic, ugly things happened as +xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing +up and pack the 16bits result in the checksum field). The result is fail +establishment of sctp communication. + +Signed-off-by: Fan Du +Cc: Neil Horman +Cc: Steffen Klassert +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -518,7 +518,8 @@ int sctp_packet_transmit(struct sctp_pac + * by CRC32-C as described in . + */ + if (!sctp_checksum_disable) { +- if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) { ++ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || ++ (dst_xfrm(dst) != NULL)) { + __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); + + /* 3) Put the resultant value into the checksum field in the diff --git a/queue-3.4/series b/queue-3.4/series new file mode 100644 index 00000000000..3bca56faf86 --- /dev/null +++ b/queue-3.4/series 
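Review bot: this net/sctp/output.c hunk calls dst_xfrm(), which only exists once net-dst-provide-accessor-function-to-dst-xfrm.patch from this batch is applied, so anyone cherry-picking this fix alone gets a build error; stating that dependency in the backport notes would help. The unchanged context line `* by CRC32-C as described in .` has an empty reference; worth filling in while in this block.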
@@ -0,0 +1,25 @@ +tcp-must-unclone-packets-before-mangling-them.patch +tcp-do-not-forget-fin-in-tcp_shifted_skb.patch +net-do-not-call-sock_put-on-timewait-sockets.patch +net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch +net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch +net-heap-overflow-in-__audit_sockaddr.patch +proc-connector-fix-info-leaks.patch +ipv4-fix-ineffective-source-address-selection.patch +can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch +ipv6-restrict-neighbor-entry-creation-to-output-flow.patch +bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch +net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch +l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch +farsync-fix-info-leak-in-ioctl.patch +unix_diag-fix-info-leak.patch +connector-use-nlmsg_len-to-check-message-length.patch +bnx2x-record-rx-queue-for-lro-packets.patch +net-dst-provide-accessor-function-to-dst-xfrm.patch +sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch +sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch +wanxl-fix-info-leak-in-ioctl.patch +net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch +net-fix-cipso-packet-validation-when-netlabel.patch +inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch +davinci_emac.c-fix-iff_allmulti-setup.patch diff --git a/queue-3.4/tcp-do-not-forget-fin-in-tcp_shifted_skb.patch b/queue-3.4/tcp-do-not-forget-fin-in-tcp_shifted_skb.patch new file mode 100644 index 00000000000..385b6690338 --- /dev/null +++ b/queue-3.4/tcp-do-not-forget-fin-in-tcp_shifted_skb.patch 
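Review bot: ordering check on queue-3.4/series: net-dst-provide-accessor-function-to-dst-xfrm.patch is listed before the two sctp patches that call dst_xfrm(), and net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch precedes net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch, which relies on the timer only re-arming itself from the wrapper; both dependencies are satisfied, so the queue bisects cleanly at these points.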
@@ -0,0 +1,76 @@ +From d12c3a9e07f6412fd62482be0f143cd30d88e573 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 4 Oct 2013 10:31:41 -0700 +Subject: tcp: do not forget FIN in tcp_shifted_skb() + +From: Eric Dumazet + +[ Upstream commit 5e8a402f831dbe7ee831340a91439e46f0d38acd ] + +Yuchung found following problem : + + There are bugs in the SACK processing code, merging part in + tcp_shift_skb_data(), that incorrectly resets or ignores the sacked + skbs FIN flag. When a receiver first SACK the FIN sequence, and later + throw away ofo queue (e.g., sack-reneging), the sender will stop + retransmitting the FIN flag, and hangs forever. + +Following packetdrill test can be used to reproduce the bug. + +$ cat sack-merge-bug.pkt +`sysctl -q net.ipv4.tcp_fack=0` + +// Establish a connection and send 10 MSS. +0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 ++.000 bind(3, ..., ...) = 0 ++.000 listen(3, 1) = 0 + ++.050 < S 0:0(0) win 32792 ++.000 > S. 0:0(0) ack 1 ++.001 < . 1:1(0) ack 1 win 1024 ++.000 accept(3, ..., ...) = 4 + ++.100 write(4, ..., 12000) = 12000 ++.000 shutdown(4, SHUT_WR) = 0 ++.000 > . 1:10001(10000) ack 1 ++.050 < . 1:1(0) ack 2001 win 257 ++.000 > FP. 10001:12001(2000) ack 1 ++.050 < . 1:1(0) ack 2001 win 257 ++.050 < . 1:1(0) ack 2001 win 257 +// SACK reneg ++.050 < . 1:1(0) ack 12001 win 257 ++0 %{ print "unacked: ",tcpi_unacked }% ++5 %{ print "" }% + +First, a typo inverted left/right of one OR operation, then +code forgot to advance end_seq if the merged skb carried FIN. + +Bug was added in 2.6.29 by commit 832d11c5cd076ab +("tcp: Try to restore large SKBs while SACK processing") + +Signed-off-by: Eric Dumazet +Signed-off-by: Yuchung Cheng +Acked-by: Neal Cardwell +Cc: Ilpo Järvinen +Acked-by: Ilpo Järvinen +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1468,7 +1468,10 @@ static int tcp_shifted_skb(struct sock * + tp->lost_cnt_hint -= tcp_skb_pcount(prev); + } + +- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags; ++ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags; ++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) ++ TCP_SKB_CB(prev)->end_seq++; ++ + if (skb == tcp_highest_sack(sk)) + tcp_advance_highest_sack(sk, skb); + diff --git a/queue-3.4/tcp-must-unclone-packets-before-mangling-them.patch b/queue-3.4/tcp-must-unclone-packets-before-mangling-them.patch new file mode 100644 index 00000000000..f0d088b51e9 --- /dev/null +++ b/queue-3.4/tcp-must-unclone-packets-before-mangling-them.patch 
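Review bot: the `TCP_SKB_CB(prev)->end_seq++` added in tcp_shifted_skb() has no comment; add one saying that FIN occupies one sequence number, so when the merged skb carried FIN the sequence range of `prev` must grow by one, otherwise the next reader sees a bare increment with no rationale. The packetdrill script in the commit message is a ready regression test for the SACK-reneging hang and deserves a home alongside other kernel test scripts rather than only in the log.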
@@ -0,0 +1,88 @@ +From 65a3d75c70aeedfcd83259465780171b0449f3cc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 15 Oct 2013 11:54:30 -0700 +Subject: tcp: must unclone packets before mangling them + +From: Eric Dumazet + +[ Upstream commit c52e2421f7368fd36cbe330d2cf41b10452e39a9 ] + +TCP stack should make sure it owns skbs before mangling them. + +We had various crashes using bnx2x, and it turned out gso_size +was cleared right before bnx2x driver was populating TC descriptor +of the _previous_ packet send. TCP stack can sometime retransmit +packets that are still in Qdisc. + +Of course we could make bnx2x driver more robust (using +ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. + +We have identified two points where skb_unclone() was needed. + +This patch adds a WARN_ON_ONCE() to warn us if we missed another +fix of this kind. + +Kudos to Neal for finding the root cause of this bug. Its visible +using small MSS. + +Signed-off-by: Eric Dumazet +Signed-off-by: Neal Cardwell +Cc: Yuchung Cheng +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 10 ++++++++++ + net/ipv4/tcp_output.c | 9 ++++++--- + 2 files changed, 16 insertions(+), 3 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -760,6 +760,16 @@ static inline int skb_cloned(const struc + (atomic_read(&skb_shinfo(skb)->dataref) & SKB_DATAREF_MASK) != 1; + } + ++static inline int skb_unclone(struct sk_buff *skb, gfp_t pri) ++{ ++ might_sleep_if(pri & __GFP_WAIT); ++ ++ if (skb_cloned(skb)) ++ return pskb_expand_head(skb, 0, 0, pri); ++ ++ return 0; ++} ++ + /** + * skb_header_cloned - is the header a clone + * @skb: buffer to check +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -933,6 +933,9 @@ static void tcp_queue_skb(struct sock *s + static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb, + unsigned int mss_now) + { ++ /* Make sure we own this skb before messing gso_size/gso_segs */ ++ WARN_ON_ONCE(skb_cloned(skb)); ++ + if (skb->len <= mss_now || !sk_can_gso(sk) || + skb->ip_summed == CHECKSUM_NONE) { + /* Avoid the costly divide in the normal +@@ -1014,9 +1017,7 @@ int tcp_fragment(struct sock *sk, struct + if (nsize < 0) + nsize = 0; + +- if (skb_cloned(skb) && +- skb_is_nonlinear(skb) && +- pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) ++ if (skb_unclone(skb, GFP_ATOMIC)) + return -ENOMEM; + + /* Get a new skb... force flag on. */ +@@ -2129,6 +2130,8 @@ int tcp_retransmit_skb(struct sock *sk, + int oldpcount = tcp_skb_pcount(skb); + + if (unlikely(oldpcount > 1)) { ++ if (skb_unclone(skb, GFP_ATOMIC)) ++ return -ENOMEM; + tcp_init_tso_segs(sk, skb, cur_mss); + tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb)); + } diff --git a/queue-3.4/unix_diag-fix-info-leak.patch b/queue-3.4/unix_diag-fix-info-leak.patch new file mode 100644 index 00000000000..1bfe752a647 --- /dev/null +++ b/queue-3.4/unix_diag-fix-info-leak.patch 
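Review bot: skb_unclone() in the include/linux/skbuff.h hunk has no kernel-doc block, while the neighbouring `skb_header_cloned` in the trailing context is documented in `/** ... */` style; add a short kernel-doc stating that it makes the skb private by expanding the head when it is cloned, that it may sleep depending on `pri` (hence the might_sleep_if), and that it returns 0 or the pskb_expand_head() error.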
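Review bot: the net/ipv4/tcp_output.c tcp_fragment() hunk drops the `skb_is_nonlinear(skb)` test, so linear cloned skbs are now uncloned as well; that is a behaviour change beyond the refactor and should be called out in the commit message. The new `WARN_ON_ONCE(skb_cloned(skb))` in tcp_set_skb_tso_segs() is the stated tripwire for callers the patch missed, so backport notes should say that a warning from it on a stable kernel means another skb_unclone() site is needed, not driver breakage.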
@@ -0,0 +1,30 @@ +From 5702013cb615a6431f1549670c7d9a613c06886e Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:05:40 +0200 +Subject: unix_diag: fix info leak + +From: Mathias Krause + +[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ] + +When filling the netlink message we miss to wipe the pad field, +therefore leak one byte of heap memory to userland. Fix this by +setting pad to 0. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/diag.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -134,6 +134,7 @@ static int sk_diag_fill(struct sock *sk, + rep->udiag_family = AF_UNIX; + rep->udiag_type = sk->sk_type; + rep->udiag_state = sk->sk_state; ++ rep->pad = 0; + rep->udiag_ino = sk_ino; + sock_diag_save_cookie(sk, rep->udiag_cookie); + diff --git a/queue-3.4/wanxl-fix-info-leak-in-ioctl.patch b/queue-3.4/wanxl-fix-info-leak-in-ioctl.patch new file mode 100644 index 00000000000..4a6668b57ff --- /dev/null +++ b/queue-3.4/wanxl-fix-info-leak-in-ioctl.patch 
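Review bot: `rep->pad = 0;` in sk_diag_fill() zeroes one named field; if struct unix_diag_msg has other implicit padding or gains members, the leak returns. Zero-initialising the whole `rep` (a memset after the message header is reserved, or assignment from a zeroed struct) is more robust than a per-field fix for a structure copied to userland.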
@@ -0,0 +1,30 @@ +From da4e1ebe28ac504f3b5b8e988a4eec608df630a7 Mon Sep 17 00:00:00 2001 +From: Salva Peiró +Date: Wed, 16 Oct 2013 12:46:50 +0200 +Subject: wanxl: fix info leak in ioctl + +From: Salva Peiró + +[ Upstream commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 ] + +The wanxl_ioctl() code fails to initialize the two padding bytes of +struct sync_serial_settings after the ->loopback member. Add an explicit +memset(0) before filling the structure to avoid the info leak. + +Signed-off-by: Salva Peiró +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/wanxl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wan/wanxl.c ++++ b/drivers/net/wan/wanxl.c +@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device + ifr->ifr_settings.size = size; /* data size wanted */ + return -ENOBUFS; + } ++ memset(&line, 0, sizeof(line)); + line.clock_type = get_status(port)->clocking; + line.clock_rate = 0; + line.loopback = 0;
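Review bot: with `memset(&line, 0, sizeof(line));` now preceding the assignments in wanxl_ioctl(), the `line.clock_rate = 0;` and `line.loopback = 0;` stores in the trailing context are redundant; either drop them or keep them with a comment that the memset exists for the padding bytes after `loopback`, so a later cleanup does not remove the memset as a duplicate. The memset sits after the -ENOBUFS size check in the leading context, which is the right place: nothing is copied out before the structure is fully initialised.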