From: Greg Kroah-Hartman Date: Thu, 4 Dec 2014 01:08:40 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.62~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce4c2cdae97e3e0b437a71bddc9def027963d653;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: bonding-fix-curr_active_slave-carrier-with-loadbalance-arp-monitoring.patch ieee802154-fix-error-handling-in-ieee802154fake_probe.patch inetdevice-fixed-signed-integer-overflow.patch ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch pptp-fix-stack-info-leak-in-pptp_getname.patch qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch sparc64-fix-constraints-on-swab-helpers.patch
---
diff --git a/queue-3.14/bonding-fix-curr_active_slave-carrier-with-loadbalance-arp-monitoring.patch b/queue-3.14/bonding-fix-curr_active_slave-carrier-with-loadbalance-arp-monitoring.patch
new file mode 100644
index 00000000000..e4a607e981c
--- /dev/null
+++ b/queue-3.14/bonding-fix-curr_active_slave-carrier-with-loadbalance-arp-monitoring.patch
@@ -0,0 +1,93 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Nikolay Aleksandrov
+Date: Tue, 18 Nov 2014 15:14:44 +0100
+Subject: bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit b8e4500f42fe4464a33a887579147050bed8fcef ]
+
+Since commit 6fde8f037e60 ("bonding: fix locking in
+bond_loadbalance_arp_mon()") we can have a stale bond carrier state and
+stale curr_active_slave when using arp monitoring in loadbalance modes. The
+reason is that in bond_loadbalance_arp_mon() we can't have
+do_failover == true but slave_state_changed == false, whenever do_failover
+is true then slave_state_changed is also true. Then the following piece
+from bond_loadbalance_arp_mon():
+ if (slave_state_changed) {
+ bond_slave_state_change(bond);
+ if (BOND_MODE(bond) == BOND_MODE_XOR)
+ bond_update_slave_arr(bond, NULL);
+ } else if (do_failover) {
+ block_netpoll_tx();
+ bond_select_active_slave(bond);
+ unblock_netpoll_tx();
+ }
+
+will execute only the first branch, always and regardless of do_failover.
+Since these two events aren't related in such way, we need to decouple and
+consider them separately.
+
+For example this issue could lead to the following result:
+Bonding Mode: load balancing (round-robin)
+*MII Status: down*
+MII Polling Interval (ms): 0
+Up Delay (ms): 0
+Down Delay (ms): 0
+ARP Polling Interval (ms): 100
+ARP IP target/s (n.n.n.n form): 192.168.9.2
+
+Slave Interface: ens12
+*MII Status: up*
+Speed: 10000 Mbps
+Duplex: full
+Link Failure Count: 2
+Permanent HW addr: 00:0f:53:01:42:2c
+Slave queue ID: 0
+
+Slave Interface: eth1
+*MII Status: up*
+Speed: Unknown
+Duplex: Unknown
+Link Failure Count: 70
+Permanent HW addr: 52:54:00:2f:0f:8e
+Slave queue ID: 0
+
+Since some interfaces are up, then the status of the bond should also be
+up, but it will never change unless something invokes bond_set_carrier()
+(i.e. enslave, bond_select_active_slave etc). Now, if I force the
+calling of bond_select_active_slave via for example changing
+primary_reselect (it can change in any mode), then the MII status goes to
+"up" because it calls bond_select_active_slave() which should've been done
+from bond_loadbalance_arp_mon() itself.
+
+CC: Veaceslav Falico
+CC: Jay Vosburgh
+CC: Andy Gospodarek
+CC: Ding Tianhong
+
+Fixes: 6fde8f037e60 ("bonding: fix locking in bond_loadbalance_arp_mon()")
+Signed-off-by: Nikolay Aleksandrov
+Acked-by: Veaceslav Falico
+Acked-by: Andy Gospodarek
+Acked-by: Ding Tianhong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2450,9 +2450,9 @@ static void bond_loadbalance_arp_mon(str
+ if (!rtnl_trylock())
+ goto re_arm;
+
+- if (slave_state_changed) {
++ if (slave_state_changed)
+ bond_slave_state_change(bond);
+- } else if (do_failover) {
++ if (do_failover) {
+ /* the bond_select_active_slave must hold RTNL
+ * and curr_slave_lock for write.
+ */
diff --git a/queue-3.14/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch b/queue-3.14/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch
new file mode 100644
index 00000000000..9b09428e5b3
--- /dev/null
+++ b/queue-3.14/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch
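Review bot: Nothing at the two now-separate `if` statements in bond_loadbalance_arp_mon() says why they must stay independent, and the old `else if` form is an easy "cleanup" to reintroduce. A one-line comment above them would record it, for example `/* a slave state change and a failover can both be pending; handle each */`. The snippet quoted in the description also carries a `BOND_MODE_XOR` / `bond_update_slave_arr()` step that the removed lines of this 3.14 hunk do not show, so the backport presumably differs from upstream there and a short backport note in the queue file would say so. The function starts and ends outside the hunk.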
@@ -0,0 +1,52 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Alexey Khoroshilov
+Date: Sat, 15 Nov 2014 02:11:59 +0300
+Subject: ieee802154: fix error handling in ieee802154fake_probe()
+
+From: Alexey Khoroshilov
+
+[ Upstream commit 8c2dd54485ccee7fc4086611e188478584758c8d ]
+
+In case of any failure ieee802154fake_probe() just calls unregister_netdev().
+But it does not look safe to unregister netdevice before it was registered.
+
+The patch implements straightforward resource deallocation in case of
+failure in ieee802154fake_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ieee802154/fakehard.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ieee802154/fakehard.c
++++ b/drivers/net/ieee802154/fakehard.c
+@@ -376,17 +376,20 @@ static int ieee802154fake_probe(struct p
+
+ err = wpan_phy_register(phy);
+ if (err)
+- goto out;
++ goto err_phy_reg;
+
+ err = register_netdev(dev);
+- if (err < 0)
+- goto out;
++ if (err)
++ goto err_netdev_reg;
+
+ dev_info(&pdev->dev, "Added ieee802154 HardMAC hardware\n");
+ return 0;
+
+-out:
+- unregister_netdev(dev);
++err_netdev_reg:
++ wpan_phy_unregister(phy);
++err_phy_reg:
++ free_netdev(dev);
++ wpan_phy_free(phy);
+ return err;
+ }
+
diff --git a/queue-3.14/inetdevice-fixed-signed-integer-overflow.patch b/queue-3.14/inetdevice-fixed-signed-integer-overflow.patch
new file mode 100644
index 00000000000..14019311215
--- /dev/null
+++ b/queue-3.14/inetdevice-fixed-signed-integer-overflow.patch
@@ -0,0 +1,35 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Vincent BENAYOUN
+Date: Thu, 13 Nov 2014 13:47:26 +0100
+Subject: inetdevice: fixed signed integer overflow
+
+From: Vincent BENAYOUN
+
+[ Upstream commit 84bc88688e3f6ef843aa8803dbcd90168bb89faf ]
+
+There could be a signed overflow in the following code.
+
+The expression, (32-logmask) is comprised between 0 and 31 included.
+It may be equal to 31.
+In such a case the left shift will produce a signed integer overflow.
+According to the C99 Standard, this is an undefined behavior.
+A simple fix is to replace the signed int 1 with the unsigned int 1U.
+
+Signed-off-by: Vincent BENAYOUN
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/inetdevice.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -242,7 +242,7 @@ static inline void in_dev_put(struct in_
+ static __inline__ __be32 inet_make_mask(int logmask)
+ {
+ if (logmask)
+- return htonl(~((1<<(32-logmask))-1));
++ return htonl(~((1U<<(32-logmask))-1));
+ return 0;
+ }
+
diff --git a/queue-3.14/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch b/queue-3.14/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch
new file mode 100644
index 00000000000..f0ae756d351
--- /dev/null
+++ b/queue-3.14/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch
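Review bot: inet_make_mask() still shifts by `32 - logmask` without bounding `logmask`, so the `1U` change removes the undefined behaviour only for the in-range case the description names (a shift of 31). A negative `logmask`, or one above 32, gives a shift count outside 0..31, which is undefined for `unsigned int` as well. Whether every caller validates the prefix length is not visible on this page; at minimum the precondition should be written above the function, for example `/* logmask must be in 0..32; callers validate the prefix length */`.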
@@ -0,0 +1,50 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Panu Matilainen
+Date: Fri, 14 Nov 2014 13:14:32 +0200
+Subject: ipv4: Fix incorrect error code when adding an unreachable route
+
+From: Panu Matilainen
+
+[ Upstream commit 49dd18ba4615eaa72f15c9087dea1c2ab4744cf5 ]
+
+Trying to add an unreachable route incorrectly returns -ESRCH if
+if custom FIB rules are present:
+
+[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4
+RTNETLINK answers: Network is unreachable
+[root@localhost ~]# ip rule add to 55.66.77.88 table 200
+[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4
+RTNETLINK answers: No such process
+[root@localhost ~]#
+
+Commit 83886b6b636173b206f475929e58fac75c6f2446 ("[NET]: Change "not found"
+return value for rule lookup") changed fib_rules_lookup()
+to use -ESRCH as a "not found" code internally, but for user space it
+should be translated into -ENETUNREACH. Handle the translation centrally in
+ipv4-specific fib_lookup(), leaving the DECnet case alone.
+
+On a related note, commit b7a71b51ee37d919e4098cd961d59a883fd272d8
+("ipv4: removed redundant conditional") removed a similar translation from
+ip_route_input_slow() prematurely AIUI.
+
+Fixes: b7a71b51ee37 ("ipv4: removed redundant conditional")
+Signed-off-by: Panu Matilainen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_rules.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -62,6 +62,10 @@ int __fib_lookup(struct net *net, struct
+ else
+ res->tclassid = 0;
+ #endif
++
++ if (err == -ESRCH)
++ err = -ENETUNREACH;
++
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(__fib_lookup);
diff --git a/queue-3.14/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch b/queue-3.14/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch
new file mode 100644
index 00000000000..99e5b3088c1
--- /dev/null
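Review bot: The new `-ESRCH` to `-ENETUNREACH` translation at the end of __fib_lookup() carries no comment, so the reason lives only in the commit message. A line above the `if` would keep it with the code, for example `/* fib_rules_lookup() uses -ESRCH for "no rule matched"; report that as unreachable */`. Any in-kernel caller that compares the return value of `__fib_lookup()` with `-ESRCH` would stop matching after this change; none is visible in the hunk, so that is worth a grep before the patch is queued. The function starts outside the hunk.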
+++ b/queue-3.14/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch 
@@ -0,0 +1,66 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Jiri Bohac
+Date: Wed, 19 Nov 2014 23:05:49 +0100
+Subject: ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
+
+From: Jiri Bohac
+
+[ Upstream commit 01462405f0c093b2f8dfddafcadcda6c9e4c5cdf ]
+
+This fixes an old regression introduced by commit
+b0d0d915 (ipx: remove the BKL).
+
+When a recvmsg syscall blocks waiting for new data, no data can be sent on the
+same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.
+
+This breaks mars-nwe (NetWare emulator):
+- the ncpserv process reads the request using recvmsg
+- ncpserv forks and spawns nwconn
+- ncpserv calls a (blocking) recvmsg and waits for new requests
+- nwconn deadlocks in sendmsg on the same socket
+
+Commit b0d0d915 has simply replaced BKL locking with
+lock_sock/release_sock. Unlike now, BKL got unlocked while
+sleeping, so a blocking recvmsg did not block a concurrent
+sendmsg.
+
+Only keep the socket locked while actually working with the socket data and
+release it prior to calling skb_recv_datagram().
+
+Signed-off-by: Jiri Bohac
+Reviewed-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipx/af_ipx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1763,6 +1763,7 @@ static int ipx_recvmsg(struct kiocb *ioc
+ struct ipxhdr *ipx = NULL;
+ struct sk_buff *skb;
+ int copied, rc;
++ bool locked = true;
+
+ lock_sock(sk);
+ /* put the autobinding in */
+@@ -1789,6 +1790,8 @@ static int ipx_recvmsg(struct kiocb *ioc
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
+
++ release_sock(sk);
++ locked = false;
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &rc);
+ if (!skb)
+@@ -1822,7 +1825,8 @@ static int ipx_recvmsg(struct kiocb *ioc
+ out_free:
+ skb_free_datagram(sk, skb);
+ out:
+- release_sock(sk);
++ if (locked)
++ release_sock(sk);
+ return rc;
+ }
+
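Review bot: After the new `release_sock(sk)` in ipx_recvmsg(), everything from `skb_recv_datagram()` down to the `out_free:` label runs without the socket lock, and the lines between the second and third inner hunks are not shown. If that stretch reads or updates per-socket state, the access is no longer serialised against a concurrent sendmsg or bind on the same socket, so it should be checked against the full function before queuing. A comment at the release would also help the next reader, for example `/* drop the lock before we may sleep in skb_recv_datagram(); 'locked' tells the exit path */`. As far as the hunks show, the `locked` flag covers the early `goto out` paths correctly.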
diff --git a/queue-3.14/pptp-fix-stack-info-leak-in-pptp_getname.patch b/queue-3.14/pptp-fix-stack-info-leak-in-pptp_getname.patch
new file mode 100644
index 00000000000..e5a19a2532f
--- /dev/null
+++ b/queue-3.14/pptp-fix-stack-info-leak-in-pptp_getname.patch
@@ -0,0 +1,36 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Mathias Krause
+Date: Wed, 19 Nov 2014 18:05:26 +0100
+Subject: pptp: fix stack info leak in pptp_getname()
+
+From: Mathias Krause
+
+[ Upstream commit a5f6fc28d6e6cc379c6839f21820e62262419584 ]
+
+pptp_getname() only partially initializes the stack variable sa,
+particularly only fills the pptp part of the sa_addr union. The code
+thereby discloses 16 bytes of kernel stack memory via getsockname().
+
+Fix this by memset(0)'ing the union before.
+
+Cc: Dmitry Kozlov
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -506,7 +506,9 @@ static int pptp_getname(struct socket *s
+ int len = sizeof(struct sockaddr_pppox);
+ struct sockaddr_pppox sp;
+
+- sp.sa_family = AF_PPPOX;
++ memset(&sp.sa_addr, 0, sizeof(sp.sa_addr));
++
++ sp.sa_family = AF_PPPOX;
+ sp.sa_protocol = PX_PROTO_PPTP;
+ sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr;
+
diff --git a/queue-3.14/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch b/queue-3.14/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch
new file mode 100644
index 00000000000..91fb5a6302f
--- /dev/null
+++ b/queue-3.14/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch
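Review bot: The `memset()` added to pptp_getname() clears only `sp.sa_addr`, so any padding the compiler places before the union in `struct sockaddr_pppox` would still reach user space uninitialised. The struct definition is not on this page; if it is declared packed there is no padding today, but clearing the whole object does not depend on the layout and costs nothing: `memset(&sp, 0, sizeof(sp));`. The copy into the caller's buffer happens after the last line of the hunk, so the rest of the function should be read with the same question in mind.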
@@ -0,0 +1,32 @@
+From foo@baz Wed Dec 3 17:06:53 PST 2014
+From: Martin Hauke
+Date: Sun, 16 Nov 2014 19:55:25 +0100
+Subject: qmi_wwan: Add support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Hauke
+
+[ Upstream commit bb2bdeb83fb125c95e47fc7eca2a3e8f868e2a74 ]
+
+Added the USB VID/PID for the HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e)
+
+Signed-off-by: Martin Hauke
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -769,6 +769,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
+ {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x03f0, 0x581d, 4)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
diff --git a/queue-3.14/series b/queue-3.14/series
index a3c0c2b5cfe..e52d79a0795 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -7,3 +7,11 @@ x86-require-exact-match-for-noxsave-command-line-option.patch
 x86-mm-set-nx-across-entire-pmd-at-boot.patch
 x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
 uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
+sparc64-fix-constraints-on-swab-helpers.patch
+inetdevice-fixed-signed-integer-overflow.patch
+ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch
+ieee802154-fix-error-handling-in-ieee802154fake_probe.patch
+qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch
+bonding-fix-curr_active_slave-carrier-with-loadbalance-arp-monitoring.patch
+pptp-fix-stack-info-leak-in-pptp_getname.patch
+ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch
diff --git a/queue-3.14/sparc64-fix-constraints-on-swab-helpers.patch b/queue-3.14/sparc64-fix-constraints-on-swab-helpers.patch
new file mode 100644
index 00000000000..dee4e7adf80
--- /dev/null
+++ b/queue-3.14/sparc64-fix-constraints-on-swab-helpers.patch
@@ -0,0 +1,56 @@
+From 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Sun, 16 Nov 2014 13:19:32 -0800
+Subject: sparc64: Fix constraints on swab helpers.
+
+[ Upstream commit 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 ]
+
+We are reading the memory location, so we have to have a memory
+constraint in there purely for the sake of showing the data flow
+to the compiler.
+
+Reported-by: Martin K. Petersen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/include/uapi/asm/swab.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/sparc/include/uapi/asm/swab.h
++++ b/arch/sparc/include/uapi/asm/swab.h
+@@ -9,9 +9,9 @@ static inline __u16 __arch_swab16p(const
+ {
+ __u16 ret;
+
+- __asm__ __volatile__ ("lduha [%1] %2, %0"
++ __asm__ __volatile__ ("lduha [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab16p __arch_swab16p
+@@ -20,9 +20,9 @@ static inline __u32 __arch_swab32p(const
+ {
+ __u32 ret;
+
+- __asm__ __volatile__ ("lduwa [%1] %2, %0"
++ __asm__ __volatile__ ("lduwa [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab32p __arch_swab32p
+@@ -31,9 +31,9 @@ static inline __u64 __arch_swab64p(const
+ {
+ __u64 ret;
+
+- __asm__ __volatile__ ("ldxa [%1] %2, %0"
++ __asm__ __volatile__ ("ldxa [%2] %3, %0"
+ : "=r" (ret)
+- : "r" (addr), "i" (ASI_PL));
++ : "m" (*addr), "r" (addr), "i" (ASI_PL));
+ return ret;
+ }
+ #define __arch_swab64p __arch_swab64p
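Review bot: Operand `%1`, the new `"m" (*addr)` input, is never referenced in any of the three templates, which will read as a mistake to the next person touching __arch_swab16p(), __arch_swab32p() or __arch_swab64p(). A comment in the first helper, referred to from the other two, would record the intent, for example `/* %1 is unused in the template; it only tells the compiler the asm reads *addr */`. Named operands such as `[ptr] "r" (addr)` and `[asi] "i" (ASI_PL)` would also have avoided renumbering `%1`/`%2` to `%2`/`%3` by hand in each helper, should this be revisited upstream.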