From: Greg Kroah-Hartman Date: Thu, 16 Nov 2017 16:51:25 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.82~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cca7f369d71cba3eba5c5556bccc8f893f69c198;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: brcmfmac-remove-setting-ibss-mode-when-stopping-ap.patch security-keys-add-config_keys_compat-to-kconfig.patch target-fix-node_acl-demo-mode-uncached-dynamic-shutdown-regression.patch target-iscsi-fix-iscsi-task-reassignment-handling.patch tipc-fix-link-attribute-propagation-bug.patch --- diff --git a/queue-4.4/brcmfmac-remove-setting-ibss-mode-when-stopping-ap.patch b/queue-4.4/brcmfmac-remove-setting-ibss-mode-when-stopping-ap.patch new file mode 100644 index 00000000000..f5f5641def4 --- /dev/null +++ b/queue-4.4/brcmfmac-remove-setting-ibss-mode-when-stopping-ap.patch @@ -0,0 +1,41 @@ +From 9029679f66d976f8c720eb03c4898274803c9923 Mon Sep 17 00:00:00 2001 +From: Chi-hsien Lin +Date: Thu, 18 May 2017 17:22:19 +0800 +Subject: brcmfmac: remove setting IBSS mode when stopping AP + +From: Chi-hsien Lin + +commit 9029679f66d976f8c720eb03c4898274803c9923 upstream. + +Upon stopping an AP interface the driver disable INFRA mode effectively +setting the interface in IBSS mode. However, this may affect other +interfaces running in INFRA mode. For instance, if user creates and stops +hostap daemon on virtual interface, then association cannot work on +primary interface because default BSS has been set to IBSS mode in +firmware side. The IBSS mode should be set when cfg80211 changes the +interface. + +Reviewed-by: Wright Feng +Signed-off-by: Chi-hsien Lin +[kvalo@codeaurora.org: rephased commit log based on discussion] +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +Cc: Philipp Rosenberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -4295,9 +4295,6 @@ static int brcmf_cfg80211_stop_ap(struct + err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0); + if (err < 0) + brcmf_err("setting AP mode failed %d\n", err); +- err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0); +- if (err < 0) +- brcmf_err("setting INFRA mode failed %d\n", err); + if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS)) + brcmf_fil_iovar_int_set(ifp, "mbss", 0); + err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY, diff --git a/queue-4.4/security-keys-add-config_keys_compat-to-kconfig.patch b/queue-4.4/security-keys-add-config_keys_compat-to-kconfig.patch new file mode 100644 index 00000000000..c473a85791a --- /dev/null +++ b/queue-4.4/security-keys-add-config_keys_compat-to-kconfig.patch @@ -0,0 +1,102 @@ +From 47b2c3fff4932e6fc17ce13d51a43c6969714e20 Mon Sep 17 00:00:00 2001 +From: Bilal Amarni +Date: Thu, 8 Jun 2017 14:47:26 +0100 +Subject: security/keys: add CONFIG_KEYS_COMPAT to Kconfig + +From: Bilal Amarni + +commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20 upstream. + +CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for +several 64-bit architectures : mips, parisc, tile. + +At the moment and for those architectures, calling in 32-bit userspace the +keyctl syscall would return an ENOSYS error. + +This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to +make sure the compatibility wrapper is registered by default for any 64-bit +architecture as long as it is configured with CONFIG_COMPAT. + +[DH: Modified to remove arm64 compat enablement also as requested by Eric + Biggers] + +Signed-off-by: Bilal Amarni +Signed-off-by: David Howells +Reviewed-by: Arnd Bergmann +cc: Eric Biggers +Signed-off-by: James Morris +Cc: James Cowgill +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/Kconfig | 5 ----- + arch/s390/Kconfig | 3 --- + arch/sparc/Kconfig | 3 --- + arch/x86/Kconfig | 4 ---- + security/keys/Kconfig | 4 ++++ + 5 files changed, 4 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -1082,11 +1082,6 @@ source "arch/powerpc/Kconfig.debug" + + source "security/Kconfig" + +-config KEYS_COMPAT +- bool +- depends on COMPAT && KEYS +- default y +- + source "crypto/Kconfig" + + config PPC_LIB_RHEAP +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -346,9 +346,6 @@ config COMPAT + config SYSVIPC_COMPAT + def_bool y if COMPAT && SYSVIPC + +-config KEYS_COMPAT +- def_bool y if COMPAT && KEYS +- + config SMP + def_bool y + prompt "Symmetric multi-processing support" +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -549,9 +549,6 @@ config SYSVIPC_COMPAT + depends on COMPAT && SYSVIPC + default y + +-config KEYS_COMPAT +- def_bool y if COMPAT && KEYS +- + endmenu + + source "net/Kconfig" +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2641,10 +2641,6 @@ config COMPAT_FOR_U64_ALIGNMENT + config SYSVIPC_COMPAT + def_bool y + depends on SYSVIPC +- +-config KEYS_COMPAT +- def_bool y +- depends on KEYS + endif + + endmenu +--- a/security/keys/Kconfig ++++ b/security/keys/Kconfig +@@ -20,6 +20,10 @@ config KEYS + + If you are unsure as to whether this is required, answer N. + ++config KEYS_COMPAT ++ def_bool y ++ depends on COMPAT && KEYS ++ + config PERSISTENT_KEYRINGS + bool "Enable register of persistent per-UID keyrings" + depends on KEYS diff --git a/queue-4.4/series b/queue-4.4/series index 88a8dc13b6f..e687e3c706a 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -20,3 +20,8 @@ ipip-only-increase-err_count-for-some-certain-type-icmp-in-ipip_err.patch tcp-dccp-fix-ireq-opt-races.patch tcp-dccp-fix-lockdep-splat-in-inet_csk_route_req.patch tcp-dccp-fix-other-lockdep-splats-accessing-ireq_opt.patch +security-keys-add-config_keys_compat-to-kconfig.patch +tipc-fix-link-attribute-propagation-bug.patch +brcmfmac-remove-setting-ibss-mode-when-stopping-ap.patch +target-iscsi-fix-iscsi-task-reassignment-handling.patch +target-fix-node_acl-demo-mode-uncached-dynamic-shutdown-regression.patch diff --git a/queue-4.4/target-fix-node_acl-demo-mode-uncached-dynamic-shutdown-regression.patch b/queue-4.4/target-fix-node_acl-demo-mode-uncached-dynamic-shutdown-regression.patch new file mode 100644 index 00000000000..22ca451a783 --- /dev/null +++ b/queue-4.4/target-fix-node_acl-demo-mode-uncached-dynamic-shutdown-regression.patch @@ -0,0 +1,117 @@ +From 6f48655facfd7f7ccfe6d252ac0fe319ab02e4dd Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 6 Aug 2017 16:10:03 -0700 +Subject: target: Fix node_acl demo-mode + uncached dynamic shutdown regression + +From: Nicholas Bellinger + +commit 6f48655facfd7f7ccfe6d252ac0fe319ab02e4dd upstream. + +This patch fixes a generate_node_acls = 1 + cache_dynamic_acls = 0 +regression, that was introduced by + + commit 01d4d673558985d9a118e1e05026633c3e2ade9b + Author: Nicholas Bellinger + Date: Wed Dec 7 12:55:54 2016 -0800 + +which originally had the proper list_del_init() usage, but was +dropped during list review as it was thought unnecessary by HCH. + +However, list_del_init() usage is required during the special +generate_node_acls = 1 + cache_dynamic_acls = 0 case when +transport_free_session() does a list_del(&se_nacl->acl_list), +followed by target_complete_nacl() doing the same thing. + +This was manifesting as a general protection fault as reported +by Justin: + +kernel: general protection fault: 0000 [#1] SMP +kernel: Modules linked in: +kernel: CPU: 0 PID: 11047 Comm: iscsi_ttx Not tainted 4.13.0-rc2.x86_64.1+ #20 +kernel: Hardware name: Intel Corporation S5500BC/S5500BC, BIOS S5500.86B.01.00.0064.050520141428 05/05/2014 +kernel: task: ffff88026939e800 task.stack: ffffc90007884000 +kernel: RIP: 0010:target_put_nacl+0x49/0xb0 +kernel: RSP: 0018:ffffc90007887d70 EFLAGS: 00010246 +kernel: RAX: dead000000000200 RBX: ffff8802556ca000 RCX: 0000000000000000 +kernel: RDX: dead000000000100 RSI: 0000000000000246 RDI: ffff8802556ce028 +kernel: RBP: ffffc90007887d88 R08: 0000000000000001 R09: 0000000000000000 +kernel: R10: ffffc90007887df8 R11: ffffea0009986900 R12: ffff8802556ce020 +kernel: R13: ffff8802556ce028 R14: ffff8802556ce028 R15: ffffffff88d85540 +kernel: FS: 0000000000000000(0000) GS:ffff88027fc00000(0000) knlGS:0000000000000000 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: 00007fffe36f5f94 CR3: 0000000009209000 CR4: 00000000003406f0 +kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +kernel: Call Trace: +kernel: transport_free_session+0x67/0x140 +kernel: transport_deregister_session+0x7a/0xc0 +kernel: iscsit_close_session+0x92/0x210 +kernel: iscsit_close_connection+0x5f9/0x840 +kernel: iscsit_take_action_for_connection_exit+0xfe/0x110 +kernel: iscsi_target_tx_thread+0x140/0x1e0 +kernel: ? wait_woken+0x90/0x90 +kernel: kthread+0x124/0x160 +kernel: ? iscsit_thread_get_cpumask+0x90/0x90 +kernel: ? kthread_create_on_node+0x40/0x40 +kernel: ret_from_fork+0x22/0x30 +kernel: Code: 00 48 89 fb 4c 8b a7 48 01 00 00 74 68 4d 8d 6c 24 08 4c +89 ef e8 e8 28 43 00 48 8b 93 20 04 00 00 48 8b 83 28 04 00 00 4c 89 +ef <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 20 +kernel: RIP: target_put_nacl+0x49/0xb0 RSP: ffffc90007887d70 +kernel: ---[ end trace f12821adbfd46fed ]--- + +To address this, go ahead and use proper list_del_list() for all +cases of se_nacl->acl_list deletion. + +Reported-by: Justin Maggard +Tested-by: Justin Maggard +Cc: Justin Maggard +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/target/target_core_tpg.c | 4 ++-- + drivers/target/target_core_transport.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -350,7 +350,7 @@ void core_tpg_del_initiator_node_acl(str + if (acl->dynamic_node_acl) { + acl->dynamic_node_acl = 0; + } +- list_del(&acl->acl_list); ++ list_del_init(&acl->acl_list); + tpg->num_node_acls--; + mutex_unlock(&tpg->acl_node_mutex); + +@@ -572,7 +572,7 @@ int core_tpg_deregister(struct se_portal + * in transport_deregister_session(). + */ + list_for_each_entry_safe(nacl, nacl_tmp, &node_list, acl_list) { +- list_del(&nacl->acl_list); ++ list_del_init(&nacl->acl_list); + se_tpg->num_node_acls--; + + core_tpg_wait_for_nacl_pr_ref(nacl); +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -431,7 +431,7 @@ static void target_complete_nacl(struct + } + + mutex_lock(&se_tpg->acl_node_mutex); +- list_del(&nacl->acl_list); ++ list_del_init(&nacl->acl_list); + mutex_unlock(&se_tpg->acl_node_mutex); + + core_tpg_wait_for_nacl_pr_ref(nacl); +@@ -503,7 +503,7 @@ void transport_free_session(struct se_se + spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); + + if (se_nacl->dynamic_stop) +- list_del(&se_nacl->acl_list); ++ list_del_init(&se_nacl->acl_list); + } + mutex_unlock(&se_tpg->acl_node_mutex); + diff --git a/queue-4.4/target-iscsi-fix-iscsi-task-reassignment-handling.patch b/queue-4.4/target-iscsi-fix-iscsi-task-reassignment-handling.patch new file mode 100644 index 00000000000..6642ed81ec4 --- /dev/null +++ b/queue-4.4/target-iscsi-fix-iscsi-task-reassignment-handling.patch @@ -0,0 +1,70 @@ +From 59b6986dbfcdab96a971f9663221849de79a7556 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 5 Jan 2017 12:39:57 +0100 +Subject: target/iscsi: Fix iSCSI task reassignment handling + +From: Bart Van Assche + +commit 59b6986dbfcdab96a971f9663221849de79a7556 upstream. + +Allocate a task management request structure for all task management +requests, including task reassignment. This change avoids that the +se_tmr->response assignment dereferences an uninitialized se_tmr +pointer. + +Reported-by: Moshe David +Signed-off-by: Bart Van Assche +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Cc: Moshe David +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1759,7 +1759,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + struct iscsi_tm *hdr; + int out_of_order_cmdsn = 0, ret; + bool sess_ref = false; +- u8 function; ++ u8 function, tcm_function = TMR_UNKNOWN; + + hdr = (struct iscsi_tm *) buf; + hdr->flags &= ~ISCSI_FLAG_CMD_FINAL; +@@ -1805,10 +1805,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + * LIO-Target $FABRIC_MOD + */ + if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { +- +- u8 tcm_function; +- int ret; +- + transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, + conn->sess->se_sess, 0, DMA_NONE, + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); +@@ -1844,15 +1840,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); + } +- +- ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, +- tcm_function, GFP_KERNEL); +- if (ret < 0) +- return iscsit_add_reject_cmd(cmd, ++ } ++ ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function, ++ GFP_KERNEL); ++ if (ret < 0) ++ return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); + +- cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; +- } ++ cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; + + cmd->iscsi_opcode = ISCSI_OP_SCSI_TMFUNC; + cmd->i_state = ISTATE_SEND_TASKMGTRSP; diff --git a/queue-4.4/tipc-fix-link-attribute-propagation-bug.patch b/queue-4.4/tipc-fix-link-attribute-propagation-bug.patch new file mode 100644 index 00000000000..81c2e7454ef --- /dev/null +++ b/queue-4.4/tipc-fix-link-attribute-propagation-bug.patch @@ -0,0 +1,115 @@ +From d01332f1acacc0cb43a61f4244dd2b846d4cd585 Mon Sep 17 00:00:00 2001 +From: Richard Alpe +Date: Mon, 1 Feb 2016 08:19:56 +0100 +Subject: tipc: fix link attribute propagation bug + +From: Richard Alpe + +commit d01332f1acacc0cb43a61f4244dd2b846d4cd585 upstream. + +Changing certain link attributes (link tolerance and link priority) +from the TIPC management tool is supposed to automatically take +effect at both endpoints of the affected link. + +Currently the media address is not instantiated for the link and is +used uninstantiated when crafting protocol messages designated for the +peer endpoint. This means that changing a link property currently +results in the property being changed on the local machine but the +protocol message designated for the peer gets lost. Resulting in +property discrepancy between the endpoints. + +In this patch we resolve this by using the media address from the +link entry and using the bearer transmit function to send it. Hence, +we can now eliminate the redundant function tipc_link_prot_xmit() and +the redundant field tipc_link::media_addr. + +Fixes: 2af5ae372a4b (tipc: clean up unused code and structures) +Reviewed-by: Jon Maloy +Reported-by: Jason Hu +Signed-off-by: Richard Alpe +Signed-off-by: David S. Miller +[backported to 4.4 by Tommi Rantala] +Signed-off-by: Tommi Rantala +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/link.c | 28 ++++++---------------------- + net/tipc/link.h | 1 - + 2 files changed, 6 insertions(+), 23 deletions(-) + +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1084,25 +1084,6 @@ drop: + return rc; + } + +-/* +- * Send protocol message to the other endpoint. +- */ +-void tipc_link_proto_xmit(struct tipc_link *l, u32 msg_typ, int probe_msg, +- u32 gap, u32 tolerance, u32 priority) +-{ +- struct sk_buff *skb = NULL; +- struct sk_buff_head xmitq; +- +- __skb_queue_head_init(&xmitq); +- tipc_link_build_proto_msg(l, msg_typ, probe_msg, gap, +- tolerance, priority, &xmitq); +- skb = __skb_dequeue(&xmitq); +- if (!skb) +- return; +- tipc_bearer_xmit_skb(l->net, l->bearer_id, skb, l->media_addr); +- l->rcv_unacked = 0; +-} +- + static void tipc_link_build_proto_msg(struct tipc_link *l, int mtyp, bool probe, + u16 rcvgap, int tolerance, int priority, + struct sk_buff_head *xmitq) +@@ -1636,9 +1617,12 @@ int tipc_nl_link_set(struct sk_buff *skb + char *name; + struct tipc_link *link; + struct tipc_node *node; ++ struct sk_buff_head xmitq; + struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1]; + struct net *net = sock_net(skb->sk); + ++ __skb_queue_head_init(&xmitq); ++ + if (!info->attrs[TIPC_NLA_LINK]) + return -EINVAL; + +@@ -1683,14 +1667,14 @@ int tipc_nl_link_set(struct sk_buff *skb + + tol = nla_get_u32(props[TIPC_NLA_PROP_TOL]); + link->tolerance = tol; +- tipc_link_proto_xmit(link, STATE_MSG, 0, 0, tol, 0); ++ tipc_link_build_proto_msg(link, STATE_MSG, 0, 0, tol, 0, &xmitq); + } + if (props[TIPC_NLA_PROP_PRIO]) { + u32 prio; + + prio = nla_get_u32(props[TIPC_NLA_PROP_PRIO]); + link->priority = prio; +- tipc_link_proto_xmit(link, STATE_MSG, 0, 0, 0, prio); ++ tipc_link_build_proto_msg(link, STATE_MSG, 0, 0, 0, prio, &xmitq); + } + if (props[TIPC_NLA_PROP_WIN]) { + u32 win; +@@ -1702,7 +1686,7 @@ int tipc_nl_link_set(struct sk_buff *skb + + out: + tipc_node_unlock(node); +- ++ tipc_bearer_xmit(net, bearer_id, &xmitq, &node->links[bearer_id].maddr); + return res; + } + +--- a/net/tipc/link.h ++++ b/net/tipc/link.h +@@ -153,7 +153,6 @@ struct tipc_stats { + struct tipc_link { + u32 addr; + char name[TIPC_MAX_LINK_NAME]; +- struct tipc_media_addr *media_addr; + struct net *net; + + /* Management and link supervision data */