From: Greg Kroah-Hartman Date: Tue, 18 Nov 2014 18:53:30 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.61~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6d790928cecf29d9c0dcc427660f16355bdab49;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: audit-audit_feature_change-message-format-missing-delimiting-space.patch audit-correct-audit_get_feature-return-message-type.patch audit-keep-inode-pinned.patch crypto-caam-fix-missing-dma-unmap-on-error-path.patch crypto-caam-remove-duplicated-sg-copy-functions.patch hwrng-pseries-port-to-new-read-api-and-fix-stack-corruption.patch tun-fix-csum_start-with-vlan-acceleration.patch x86-x32-audit-fix-x32-s-audit_arch-wrt-audit.patch --- diff --git a/queue-3.14/audit-audit_feature_change-message-format-missing-delimiting-space.patch b/queue-3.14/audit-audit_feature_change-message-format-missing-delimiting-space.patch new file mode 100644 index 00000000000..7ee797f7ec6 --- /dev/null +++ b/queue-3.14/audit-audit_feature_change-message-format-missing-delimiting-space.patch @@ -0,0 +1,30 @@ +From 897f1acbb6702ddaa953e8d8436eee3b12016c7e Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Thu, 30 Oct 2014 11:22:53 -0400 +Subject: audit: AUDIT_FEATURE_CHANGE message format missing delimiting space + +From: Richard Guy Briggs + +commit 897f1acbb6702ddaa953e8d8436eee3b12016c7e upstream. + +Add a space between subj= and feature= fields to make them parsable. + +Signed-off-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -702,7 +702,7 @@ static void audit_log_feature_change(int + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); + audit_log_task_info(ab, current); +- audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", ++ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, + !!old_lock, !!new_lock, res); + audit_log_end(ab); diff --git a/queue-3.14/audit-correct-audit_get_feature-return-message-type.patch b/queue-3.14/audit-correct-audit_get_feature-return-message-type.patch new file mode 100644 index 00000000000..9ba79d1bf3f --- /dev/null +++ b/queue-3.14/audit-correct-audit_get_feature-return-message-type.patch @@ -0,0 +1,35 @@ +From 9ef91514774a140e468f99d73d7593521e6d25dc Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Sun, 24 Aug 2014 20:37:52 -0400 +Subject: audit: correct AUDIT_GET_FEATURE return message type + +From: Richard Guy Briggs + +commit 9ef91514774a140e468f99d73d7593521e6d25dc upstream. + +When an AUDIT_GET_FEATURE message is sent from userspace to the kernel, it +should reply with a message tagged as an AUDIT_GET_FEATURE type with a struct +audit_feature. The current reply is a message tagged as an AUDIT_GET +type with a struct audit_feature. + +This appears to have been a cut-and-paste-eo in commit b0fed40. + +Reported-by: Steve Grubb +Signed-off-by: Richard Guy Briggs +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -687,7 +687,7 @@ static int audit_get_feature(struct sk_b + + seq = nlmsg_hdr(skb)->nlmsg_seq; + +- audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af)); ++ audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af)); + + return 0; + } diff --git a/queue-3.14/audit-keep-inode-pinned.patch b/queue-3.14/audit-keep-inode-pinned.patch new file mode 100644 index 00000000000..411ac2ebf80 --- /dev/null +++ b/queue-3.14/audit-keep-inode-pinned.patch @@ -0,0 +1,37 @@ +From 799b601451b21ebe7af0e6e8f6e2ccd4683c5064 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 4 Nov 2014 11:27:12 +0100 +Subject: audit: keep inode pinned + +From: Miklos Szeredi + +commit 799b601451b21ebe7af0e6e8f6e2ccd4683c5064 upstream. + +Audit rules disappear when an inode they watch is evicted from the cache. +This is likely not what we want. + +The guilty commit is "fsnotify: allow marks to not pin inodes in core", +which didn't take into account that audit_tree adds watches with a zero +mask. + +Adding any mask should fix this. + +Fixes: 90b1e7a57880 ("fsnotify: allow marks to not pin inodes in core") +Signed-off-by: Miklos Szeredi +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(i + chunk->owners[i].index = i; + } + fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch); ++ chunk->mark.mask = FS_IN_IGNORED; + return chunk; + } + diff --git a/queue-3.14/crypto-caam-fix-missing-dma-unmap-on-error-path.patch b/queue-3.14/crypto-caam-fix-missing-dma-unmap-on-error-path.patch new file mode 100644 index 00000000000..348e4eda4cb --- /dev/null +++ b/queue-3.14/crypto-caam-fix-missing-dma-unmap-on-error-path.patch @@ -0,0 +1,87 @@ +From 738459e3f88538f2ece263424dafe5d91799e46b Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 30 Oct 2014 14:40:22 +0200 +Subject: crypto: caam - fix missing dma unmap on error path + +From: Cristian Stoica + +commit 738459e3f88538f2ece263424dafe5d91799e46b upstream. + +If dma mapping for dma_addr_out fails, the descriptor memory is freed +but the previous dma mapping for dma_addr_in remains. +This patch resolves the missing dma unmap and groups resource +allocations at function start. + +Signed-off-by: Cristian Stoica +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/key_gen.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/drivers/crypto/caam/key_gen.c ++++ b/drivers/crypto/caam/key_gen.c +@@ -51,23 +51,29 @@ int gen_split_key(struct device *jrdev, + u32 *desc; + struct split_key_result result; + dma_addr_t dma_addr_in, dma_addr_out; +- int ret = 0; ++ int ret = -ENOMEM; + + desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA); + if (!desc) { + dev_err(jrdev, "unable to allocate key input memory\n"); +- return -ENOMEM; ++ return ret; + } + +- init_job_desc(desc, 0); +- + dma_addr_in = dma_map_single(jrdev, (void *)key_in, keylen, + DMA_TO_DEVICE); + if (dma_mapping_error(jrdev, dma_addr_in)) { + dev_err(jrdev, "unable to map key input memory\n"); +- kfree(desc); +- return -ENOMEM; ++ goto out_free; + } ++ ++ dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len, ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(jrdev, dma_addr_out)) { ++ dev_err(jrdev, "unable to map key output memory\n"); ++ goto out_unmap_in; ++ } ++ ++ init_job_desc(desc, 0); + append_key(desc, dma_addr_in, keylen, CLASS_2 | KEY_DEST_CLASS_REG); + + /* Sets MDHA up into an HMAC-INIT */ +@@ -84,13 +90,6 @@ int gen_split_key(struct device *jrdev, + * FIFO_STORE with the explicit split-key content store + * (0x26 output type) + */ +- dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len, +- DMA_FROM_DEVICE); +- if (dma_mapping_error(jrdev, dma_addr_out)) { +- dev_err(jrdev, "unable to map key output memory\n"); +- kfree(desc); +- return -ENOMEM; +- } + append_fifo_store(desc, dma_addr_out, split_key_len, + LDST_CLASS_2_CCB | FIFOST_TYPE_SPLIT_KEK); + +@@ -118,10 +117,10 @@ int gen_split_key(struct device *jrdev, + + dma_unmap_single(jrdev, dma_addr_out, split_key_pad_len, + DMA_FROM_DEVICE); ++out_unmap_in: + dma_unmap_single(jrdev, dma_addr_in, keylen, DMA_TO_DEVICE); +- ++out_free: + kfree(desc); +- + return ret; + } + EXPORT_SYMBOL(gen_split_key); diff --git a/queue-3.14/crypto-caam-remove-duplicated-sg-copy-functions.patch b/queue-3.14/crypto-caam-remove-duplicated-sg-copy-functions.patch new file mode 100644 index 00000000000..8df1ce01739 --- /dev/null +++ b/queue-3.14/crypto-caam-remove-duplicated-sg-copy-functions.patch @@ -0,0 +1,184 @@ +From 307fd543f3d23f8f56850eca1b27b1be2fe71017 Mon Sep 17 00:00:00 2001 +From: Cristian Stoica +Date: Thu, 14 Aug 2014 13:51:56 +0300 +Subject: crypto: caam - remove duplicated sg copy functions + +From: Cristian Stoica + +commit 307fd543f3d23f8f56850eca1b27b1be2fe71017 upstream. + +Replace equivalent (and partially incorrect) scatter-gather functions +with ones from crypto-API. + +The replacement is motivated by page-faults in sg_copy_part triggered +by successive calls to crypto_hash_update. The following fault appears +after calling crypto_ahash_update twice, first with 13 and then +with 285 bytes: + +Unable to handle kernel paging request for data at address 0x00000008 +Faulting instruction address: 0xf9bf9a8c +Oops: Kernel access of bad area, sig: 11 [#1] +SMP NR_CPUS=8 CoreNet Generic +Modules linked in: tcrypt(+) caamhash caam_jr caam tls +CPU: 6 PID: 1497 Comm: cryptomgr_test Not tainted +3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2 #75 +task: e9308530 ti: e700e000 task.ti: e700e000 +NIP: f9bf9a8c LR: f9bfcf28 CTR: c0019ea0 +REGS: e700fb80 TRAP: 0300 Not tainted +(3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2) +MSR: 00029002 CR: 44f92024 XER: 20000000 +DEAR: 00000008, ESR: 00000000 + +GPR00: f9bfcf28 e700fc30 e9308530 e70b1e55 00000000 ffffffdd e70b1e54 0bebf888 +GPR08: 902c7ef5 c0e771e2 00000002 00000888 c0019ea0 00000000 00000000 c07a4154 +GPR16: c08d0000 e91a8f9c 00000001 e98fb400 00000100 e9c83028 e70b1e08 e70b1d48 +GPR24: e992ce10 e70b1dc8 f9bfe4f4 e70b1e55 ffffffdd e70b1ce0 00000000 00000000 +NIP [f9bf9a8c] sg_copy+0x1c/0x100 [caamhash] +LR [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash] +Call Trace: +[e700fc30] [f9bf9c50] sg_copy_part+0xe0/0x160 [caamhash] (unreliable) +[e700fc50] [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash] +[e700fcb0] [f954e19c] crypto_tls_genicv+0x13c/0x300 [tls] +[e700fd10] [f954e65c] crypto_tls_encrypt+0x5c/0x260 [tls] +[e700fd40] [c02250ec] __test_aead.constprop.9+0x2bc/0xb70 +[e700fe40] [c02259f0] alg_test_aead+0x50/0xc0 +[e700fe60] [c02241e4] alg_test+0x114/0x2e0 +[e700fee0] [c022276c] cryptomgr_test+0x4c/0x60 +[e700fef0] [c004f658] kthread+0x98/0xa0 +[e700ff40] [c000fd04] ret_from_kernel_thread+0x5c/0x64 + +Signed-off-by: Herbert Xu +Cc: Cristian Stoica +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 22 ++++++++++----- + drivers/crypto/caam/sg_sw_sec4.h | 54 --------------------------------------- + 2 files changed, 14 insertions(+), 62 deletions(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -835,8 +835,9 @@ static int ahash_update_ctx(struct ahash + edesc->sec4_sg + sec4_sg_src_index, + chained); + if (*next_buflen) { +- sg_copy_part(next_buf, req->src, to_hash - +- *buflen, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, ++ to_hash - *buflen, ++ *next_buflen, 0); + state->current_buf = !state->current_buf; + } + } else { +@@ -869,7 +870,8 @@ static int ahash_update_ctx(struct ahash + kfree(edesc); + } + } else if (*next_buflen) { +- sg_copy(buf + *buflen, req->src, req->nbytes); ++ scatterwalk_map_and_copy(buf + *buflen, req->src, 0, ++ req->nbytes, 0); + *buflen = *next_buflen; + *next_buflen = last_buflen; + } +@@ -1216,8 +1218,9 @@ static int ahash_update_no_ctx(struct ah + src_map_to_sec4_sg(jrdev, req->src, src_nents, + edesc->sec4_sg + 1, chained); + if (*next_buflen) { +- sg_copy_part(next_buf, req->src, to_hash - *buflen, +- req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, ++ to_hash - *buflen, ++ *next_buflen, 0); + state->current_buf = !state->current_buf; + } + +@@ -1248,7 +1251,8 @@ static int ahash_update_no_ctx(struct ah + kfree(edesc); + } + } else if (*next_buflen) { +- sg_copy(buf + *buflen, req->src, req->nbytes); ++ scatterwalk_map_and_copy(buf + *buflen, req->src, 0, ++ req->nbytes, 0); + *buflen = *next_buflen; + *next_buflen = 0; + } +@@ -1405,7 +1409,8 @@ static int ahash_update_first(struct aha + } + + if (*next_buflen) +- sg_copy_part(next_buf, req->src, to_hash, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, to_hash, ++ *next_buflen, 0); + + sh_len = desc_len(sh_desc); + desc = edesc->hw_desc; +@@ -1438,7 +1443,8 @@ static int ahash_update_first(struct aha + state->update = ahash_update_no_ctx; + state->finup = ahash_finup_no_ctx; + state->final = ahash_final_no_ctx; +- sg_copy(next_buf, req->src, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, 0, ++ req->nbytes, 0); + } + #ifdef DEBUG + print_hex_dump(KERN_ERR, "next buf@"__stringify(__LINE__)": ", +--- a/drivers/crypto/caam/sg_sw_sec4.h ++++ b/drivers/crypto/caam/sg_sw_sec4.h +@@ -116,57 +116,3 @@ static int dma_unmap_sg_chained(struct d + } + return nents; + } +- +-/* Map SG page in kernel virtual address space and copy */ +-static inline void sg_map_copy(u8 *dest, struct scatterlist *sg, +- int len, int offset) +-{ +- u8 *mapped_addr; +- +- /* +- * Page here can be user-space pinned using get_user_pages +- * Same must be kmapped before use and kunmapped subsequently +- */ +- mapped_addr = kmap_atomic(sg_page(sg)); +- memcpy(dest, mapped_addr + offset, len); +- kunmap_atomic(mapped_addr); +-} +- +-/* Copy from len bytes of sg to dest, starting from beginning */ +-static inline void sg_copy(u8 *dest, struct scatterlist *sg, unsigned int len) +-{ +- struct scatterlist *current_sg = sg; +- int cpy_index = 0, next_cpy_index = current_sg->length; +- +- while (next_cpy_index < len) { +- sg_map_copy(dest + cpy_index, current_sg, current_sg->length, +- current_sg->offset); +- current_sg = scatterwalk_sg_next(current_sg); +- cpy_index = next_cpy_index; +- next_cpy_index += current_sg->length; +- } +- if (cpy_index < len) +- sg_map_copy(dest + cpy_index, current_sg, len-cpy_index, +- current_sg->offset); +-} +- +-/* Copy sg data, from to_skip to end, to dest */ +-static inline void sg_copy_part(u8 *dest, struct scatterlist *sg, +- int to_skip, unsigned int end) +-{ +- struct scatterlist *current_sg = sg; +- int sg_index, cpy_index, offset; +- +- sg_index = current_sg->length; +- while (sg_index <= to_skip) { +- current_sg = scatterwalk_sg_next(current_sg); +- sg_index += current_sg->length; +- } +- cpy_index = sg_index - to_skip; +- offset = current_sg->offset + current_sg->length - cpy_index; +- sg_map_copy(dest, current_sg, cpy_index, offset); +- if (end - sg_index) { +- current_sg = scatterwalk_sg_next(current_sg); +- sg_copy(dest + cpy_index, current_sg, end - sg_index); +- } +-} diff --git a/queue-3.14/hwrng-pseries-port-to-new-read-api-and-fix-stack-corruption.patch b/queue-3.14/hwrng-pseries-port-to-new-read-api-and-fix-stack-corruption.patch new file mode 100644 index 00000000000..39e70db7d08 --- /dev/null +++ b/queue-3.14/hwrng-pseries-port-to-new-read-api-and-fix-stack-corruption.patch @@ -0,0 +1,73 @@ +From 24c65bc7037e7d0f362c0df70d17dd72ee64b8b9 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 31 Oct 2014 07:50:11 +0100 +Subject: hwrng: pseries - port to new read API and fix stack corruption + +From: Greg Kurz + +commit 24c65bc7037e7d0f362c0df70d17dd72ee64b8b9 upstream. + +The add_early_randomness() function in drivers/char/hw_random/core.c passes +a 16-byte buffer to pseries_rng_data_read(). Unfortunately, plpar_hcall() +returns four 64-bit values and trashes 16 bytes on the stack. + +This bug has been lying around for a long time. It got unveiled by: + +commit d3cc7996473a7bdd33256029988ea690754e4e2a +Author: Amit Shah +Date: Thu Jul 10 15:42:34 2014 +0530 + + hwrng: fetch randomness only after device init + +It may trig a oops while loading or unloading the pseries-rng module for both +PowerVM and PowerKVM guests. + +This patch does two things: +- pass an intermediate well sized buffer to plpar_hcall(). This is acceptalbe + since we're not on a hot path. +- move to the new read API so that we know the return buffer size for sure. + +Signed-off-by: Greg Kurz +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hw_random/pseries-rng.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/char/hw_random/pseries-rng.c ++++ b/drivers/char/hw_random/pseries-rng.c +@@ -25,18 +25,21 @@ + #include + + +-static int pseries_rng_data_read(struct hwrng *rng, u32 *data) ++static int pseries_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + { ++ u64 buffer[PLPAR_HCALL_BUFSIZE]; ++ size_t size = max < 8 ? max : 8; + int rc; + +- rc = plpar_hcall(H_RANDOM, (unsigned long *)data); ++ rc = plpar_hcall(H_RANDOM, (unsigned long *)buffer); + if (rc != H_SUCCESS) { + pr_err_ratelimited("H_RANDOM call failed %d\n", rc); + return -EIO; + } ++ memcpy(data, buffer, size); + + /* The hypervisor interface returns 64 bits */ +- return 8; ++ return size; + } + + /** +@@ -55,7 +58,7 @@ static unsigned long pseries_rng_get_des + + static struct hwrng pseries_rng = { + .name = KBUILD_MODNAME, +- .data_read = pseries_rng_data_read, ++ .read = pseries_rng_read, + }; + + static int __init pseries_rng_probe(struct vio_dev *dev, diff --git a/queue-3.14/series b/queue-3.14/series index ea617d601f8..e17059e8d10 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -16,3 +16,11 @@ sparc64-fix-crashes-in-schizo_pcierr_intr_other.patch sparc64-do-irq_-enter-exit-around-generic_smp_call_function.patch sparc32-implement-xchg-and-atomic_xchg-using-atomic_hash-locks.patch zram-avoid-kunmap_atomic-of-a-null-pointer.patch +crypto-caam-fix-missing-dma-unmap-on-error-path.patch +crypto-caam-remove-duplicated-sg-copy-functions.patch +hwrng-pseries-port-to-new-read-api-and-fix-stack-corruption.patch +tun-fix-csum_start-with-vlan-acceleration.patch +x86-x32-audit-fix-x32-s-audit_arch-wrt-audit.patch +audit-correct-audit_get_feature-return-message-type.patch +audit-audit_feature_change-message-format-missing-delimiting-space.patch +audit-keep-inode-pinned.patch diff --git a/queue-3.14/tun-fix-csum_start-with-vlan-acceleration.patch b/queue-3.14/tun-fix-csum_start-with-vlan-acceleration.patch new file mode 100644 index 00000000000..c59c24065e6 --- /dev/null +++ b/queue-3.14/tun-fix-csum_start-with-vlan-acceleration.patch @@ -0,0 +1,73 @@ +From a8f9bfdf982e2b1fb9f094e4de9ab08c57f3d2fd Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 3 Nov 2014 04:30:13 +0800 +Subject: tun: Fix csum_start with VLAN acceleration + +From: Herbert Xu + +commit a8f9bfdf982e2b1fb9f094e4de9ab08c57f3d2fd upstream. + +When VLAN acceleration is in use on the xmit path, we end up +setting csum_start to the wrong place. The result is that the +whoever ends up doing the checksum setting will corrupt the packet +instead of writing the checksum to the expected location, usually +this means writing the checksum with an offset of -4. + +This patch fixes this by adjusting csum_start when VLAN acceleration +is detected. + +Fixes: 6680ec68eff4 ("tuntap: hardware vlan tx support") +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tun.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1226,6 +1226,10 @@ static ssize_t tun_put_user(struct tun_s + struct tun_pi pi = { 0, skb->protocol }; + ssize_t total = 0; + int vlan_offset = 0, copied; ++ int vlan_hlen = 0; ++ ++ if (vlan_tx_tag_present(skb)) ++ vlan_hlen = VLAN_HLEN; + + if (!(tun->flags & TUN_NO_PI)) { + if ((len -= sizeof(pi)) < 0) +@@ -1277,7 +1281,8 @@ static ssize_t tun_put_user(struct tun_s + + if (skb->ip_summed == CHECKSUM_PARTIAL) { + gso.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; +- gso.csum_start = skb_checksum_start_offset(skb); ++ gso.csum_start = skb_checksum_start_offset(skb) + ++ vlan_hlen; + gso.csum_offset = skb->csum_offset; + } else if (skb->ip_summed == CHECKSUM_UNNECESSARY) { + gso.flags = VIRTIO_NET_HDR_F_DATA_VALID; +@@ -1290,10 +1295,9 @@ static ssize_t tun_put_user(struct tun_s + } + + copied = total; +- total += skb->len; +- if (!vlan_tx_tag_present(skb)) { +- len = min_t(int, skb->len, len); +- } else { ++ len = min_t(int, skb->len + vlan_hlen, len); ++ total += skb->len + vlan_hlen; ++ if (vlan_hlen) { + int copy, ret; + struct { + __be16 h_vlan_proto; +@@ -1304,8 +1308,6 @@ static ssize_t tun_put_user(struct tun_s + veth.h_vlan_TCI = htons(vlan_tx_tag_get(skb)); + + vlan_offset = offsetof(struct vlan_ethhdr, h_vlan_proto); +- len = min_t(int, skb->len + VLAN_HLEN, len); +- total += VLAN_HLEN; + + copy = min_t(int, vlan_offset, len); + ret = skb_copy_datagram_const_iovec(skb, 0, iv, copied, copy); diff --git a/queue-3.14/x86-x32-audit-fix-x32-s-audit_arch-wrt-audit.patch b/queue-3.14/x86-x32-audit-fix-x32-s-audit_arch-wrt-audit.patch new file mode 100644 index 00000000000..cb0af06e650 --- /dev/null +++ b/queue-3.14/x86-x32-audit-fix-x32-s-audit_arch-wrt-audit.patch @@ -0,0 +1,52 @@ +From 81f49a8fd7088cfcb588d182eeede862c0e3303e Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Fri, 5 Sep 2014 15:13:52 -0700 +Subject: x86, x32, audit: Fix x32's AUDIT_ARCH wrt audit + +From: Andy Lutomirski + +commit 81f49a8fd7088cfcb588d182eeede862c0e3303e upstream. + +is_compat_task() is the wrong check for audit arch; the check should +be is_ia32_task(): x32 syscalls should be AUDIT_ARCH_X86_64, not +AUDIT_ARCH_I386. + +CONFIG_AUDITSYSCALL is currently incompatible with x32, so this has +no visible effect. + +Signed-off-by: Andy Lutomirski +Link: http://lkml.kernel.org/r/a0138ed8c709882aec06e4acc30bfa9b623b8717.1409954077.git.luto@amacapital.net +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/ptrace.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -1441,15 +1441,6 @@ void send_sigtrap(struct task_struct *ts + force_sig_info(SIGTRAP, &info, tsk); + } + +- +-#ifdef CONFIG_X86_32 +-# define IS_IA32 1 +-#elif defined CONFIG_IA32_EMULATION +-# define IS_IA32 is_compat_task() +-#else +-# define IS_IA32 0 +-#endif +- + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1487,7 +1478,7 @@ long syscall_trace_enter(struct pt_regs + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) + trace_sys_enter(regs, regs->orig_ax); + +- if (IS_IA32) ++ if (is_ia32_task()) + audit_syscall_entry(AUDIT_ARCH_I386, + regs->orig_ax, + regs->bx, regs->cx,