From: Greg Kroah-Hartman Date: Sun, 6 Dec 2015 05:51:16 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.94~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec81b41d89e75fba26806eab1bcce7e0e5e315da;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch irda-precedence-bug-in-irlmp_seq_hb_idx.patch net-avoid-null-deref-in-inet_ctl_sock_destroy.patch net-fix-a-race-in-dst_release.patch net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch series stmmac-correctly-report-ptp-capabilities.patch virtio-net-drop-netif_f_fraglist.patch
---
diff --git a/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch b/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
new file mode 100644
index 00000000000..1bc2ad4ad56
--- /dev/null
+++ b/queue-3.10/arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
@@ -0,0 +1,42 @@
+From 371f0f085f629fc0f66695f572373ca4445a67ad Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Fri, 28 Aug 2015 09:41:39 +0100
+Subject: ARM: 8426/1: dma-mapping: add missing range check in dma_mmap()
+
+From: Marek Szyprowski
+
+commit 371f0f085f629fc0f66695f572373ca4445a67ad upstream.
+
+dma_mmap() function in IOMMU-based dma-mapping implementation lacked
+a check for valid range of mmap parameters (offset and buffer size), what
+might have caused access beyond the allocated buffer. This patch fixes
+this issue.
+
+Signed-off-by: Marek Szyprowski
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/dma-mapping.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1355,12 +1355,17 @@ static int arm_iommu_mmap_attrs(struct d
+ unsigned long uaddr = vma->vm_start;
+ unsigned long usize = vma->vm_end - vma->vm_start;
+ struct page **pages = __iommu_get_pages(cpu_addr, attrs);
++ unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ unsigned long off = vma->vm_pgoff;
+
+ vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot);
+
+ if (!pages)
+ return -ENXIO;
+
++ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off)
++ return -ENXIO;
++
+ do {
+ int ret = vm_insert_page(vma, uaddr, *pages++);
+ if (ret) {
diff --git a/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch b/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
new file mode 100644
index 00000000000..dfdb3c74710
--- /dev/null
+++ b/queue-3.10/arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
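Review bot: The new bounds test in arm_iommu_mmap_attrs() accepts a non-zero `vma->vm_pgoff`, but the `do { ... vm_insert_page(vma, uaddr, *pages++)` loop below it still starts at the first page, so with this patch alone a mapping requested at offset N is populated from page 0. The follow-up 8427/1 patch (`pages += off;`) is queued directly after this one in the series file, and the two should stay together whenever they are cherry-picked elsewhere. The test is ordered so that `nr_pages - off` cannot wrap, which is worth a one-line comment above it, e.g. `/* off < nr_pages is tested first, so nr_pages - off cannot underflow */`. The function body starts and ends outside the hunk.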
@@ -0,0 +1,33 @@
+From 7e31210349e9e03a9a4dff31ab5f2bc83e8e84f5 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Fri, 28 Aug 2015 09:42:09 +0100
+Subject: ARM: 8427/1: dma-mapping: add support for offset parameter in dma_mmap()
+
+From: Marek Szyprowski
+
+commit 7e31210349e9e03a9a4dff31ab5f2bc83e8e84f5 upstream.
+
+IOMMU-based dma_mmap() implementation lacked proper support for offset
+parameter used in mmap call (it always assumed that mapping starts from
+offset zero). This patch adds support for offset parameter to IOMMU-based
+implementation.
+
+Signed-off-by: Marek Szyprowski
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/dma-mapping.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1366,6 +1366,8 @@ static int arm_iommu_mmap_attrs(struct d
+ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off)
+ return -ENXIO;
+
++ pages += off;
++
+ do {
+ int ret = vm_insert_page(vma, uaddr, *pages++);
+ if (ret) {
diff --git a/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch b/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
new file mode 100644
index 00000000000..17a8b655b4f
--- /dev/null
+++ b/queue-3.10/arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
@@ -0,0 +1,36 @@
+From d836ace65ee98d7079bc3c5afdbcc0e27dca20a3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Sat, 3 Oct 2015 13:03:47 -0700
+Subject: ARM: orion: Fix DSA platform device after mvmdio conversion
+
+From: Florian Fainelli
+
+commit d836ace65ee98d7079bc3c5afdbcc0e27dca20a3 upstream.
+
+DSA expects the host_dev pointer to be the device structure associated
+with the MDIO bus controller driver. First commit breaking that was
+c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO
+driver"), and then, it got completely under the radar for a while.
+
+Reported-by: Frans van de Wiel
+Fixes: c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO driver")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/arm/plat-orion/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/plat-orion/common.c
++++ b/arch/arm/plat-orion/common.c
+@@ -498,7 +498,7 @@ void __init orion_ge00_switch_init(struc
+
+ d->netdev = &orion_ge00.dev;
+ for (i = 0; i < d->nr_chips; i++)
+- d->chip[i].mii_bus = &orion_ge00_shared.dev;
++ d->chip[i].mii_bus = &orion_ge_mvmdio.dev;
+ orion_switch_device.dev.platform_data = d;
+
+ platform_device_register(&orion_switch_device);
diff --git a/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch b/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
new file mode 100644
index 00000000000..2f6958cea83
--- /dev/null
+++ b/queue-3.10/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
@@ -0,0 +1,75 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Ani Sinha
+Date: Fri, 30 Oct 2015 16:54:31 -0700
+Subject: ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context.
+
+From: Ani Sinha
+
+[ Upstream commit 44f49dd8b5a606870a1f21101522a0f9c4414784 ]
+
+Fixes the following kernel BUG :
+
+BUG: using __this_cpu_add() in preemptible [00000000] code: bash/2758
+caller is __this_cpu_preempt_check+0x13/0x15
+CPU: 0 PID: 2758 Comm: bash Tainted: P O 3.18.19 #2
+ ffffffff8170eaca ffff880110d1b788 ffffffff81482b2a 0000000000000000
+ 0000000000000000 ffff880110d1b7b8 ffffffff812010ae ffff880007cab800
+ ffff88001a060800 ffff88013a899108 ffff880108b84240 ffff880110d1b7c8
+Call Trace:
+[] dump_stack+0x52/0x80
+[] check_preemption_disabled+0xce/0xe1
+[] __this_cpu_preempt_check+0x13/0x15
+[] ipmr_queue_xmit+0x647/0x70c
+[] ip_mr_forward+0x32f/0x34e
+[] ip_mroute_setsockopt+0xe03/0x108c
+[] ? get_parent_ip+0x11/0x42
+[] ? pollwake+0x4d/0x51
+[] ? default_wake_function+0x0/0xf
+[] ? get_parent_ip+0x11/0x42
+[] ? __wake_up_common+0x45/0x77
+[] ? _raw_spin_unlock_irqrestore+0x1d/0x32
+[] ? __wake_up_sync_key+0x4a/0x53
+[] ? sock_def_readable+0x71/0x75
+[] do_ip_setsockopt+0x9d/0xb55
+[] ? unix_seqpacket_sendmsg+0x3f/0x41
+[] ? sock_sendmsg+0x6d/0x86
+[] ? sockfd_lookup_light+0x12/0x5d
+[] ? SyS_sendto+0xf3/0x11b
+[] ? new_sync_read+0x82/0xaa
+[] compat_ip_setsockopt+0x3b/0x99
+[] compat_raw_setsockopt+0x11/0x32
+[] compat_sock_common_setsockopt+0x18/0x1f
+[] compat_SyS_setsockopt+0x1a9/0x1cf
+[] compat_SyS_socketcall+0x180/0x1e3
+[] cstar_dispatch+0x7/0x1e
+
+Signed-off-by: Ani Sinha
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ipmr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1672,8 +1672,8 @@ static inline int ipmr_forward_finish(st
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+
+- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
+- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
+
+ if (unlikely(opt->optlen))
+ ip_forward_options(skb);
+@@ -1735,7 +1735,7 @@ static void ipmr_queue_xmit(struct net *
+ * to blackhole.
+ */
+
+- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
+ ip_rt_put(rt);
+ goto out_free;
+ }
diff --git a/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch b/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch
new file mode 100644
index 00000000000..82389ab19fc
--- /dev/null
+++ b/queue-3.10/irda-precedence-bug-in-irlmp_seq_hb_idx.patch
@@ -0,0 +1,34 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Dan Carpenter
+Date: Mon, 19 Oct 2015 13:16:49 +0300
+Subject: irda: precedence bug in irlmp_seq_hb_idx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ]
+
+This is decrementing the pointer, instead of the value stored in the
+pointer. KASan detects it as an out of bounds reference.
+
+Reported-by: "Berry Cheng 程君(成淼)"
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/irda/irlmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/irda/irlmp.c
++++ b/net/irda/irlmp.c
+@@ -1876,7 +1876,7 @@ static void *irlmp_seq_hb_idx(struct irl
+ for (element = hashbin_get_first(iter->hashbin);
+ element != NULL;
+ element = hashbin_get_next(iter->hashbin)) {
+- if (!off || *off-- == 0) {
++ if (!off || (*off)-- == 0) {
+ /* NB: hashbin left locked */
+ return element;
+ }
diff --git a/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch b/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
new file mode 100644
index 00000000000..c1dd04c9e2c
--- /dev/null
+++ b/queue-3.10/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Eric Dumazet
+Date: Mon, 2 Nov 2015 07:50:07 -0800
+Subject: net: avoid NULL deref in inet_ctl_sock_destroy()
+
+From: Eric Dumazet
+
+[ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ]
+
+Under low memory conditions, tcp_sk_init() and icmp_sk_init()
+can both iterate on all possible cpus and call inet_ctl_sock_destroy(),
+with eventual NULL pointer.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Dmitry Vyukov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/inet_common.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/inet_common.h
++++ b/include/net/inet_common.h
+@@ -40,7 +40,8 @@ extern int inet_ctl_sock_create(struct s
+
+ static inline void inet_ctl_sock_destroy(struct sock *sk)
+ {
+- sk_release_kernel(sk);
++ if (sk)
++ sk_release_kernel(sk);
+ }
+
+ #endif
diff --git a/queue-3.10/net-fix-a-race-in-dst_release.patch b/queue-3.10/net-fix-a-race-in-dst_release.patch
new file mode 100644
index 00000000000..dcad4377e5a
--- /dev/null
+++ b/queue-3.10/net-fix-a-race-in-dst_release.patch
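Review bot: inet_ctl_sock_destroy() now accepts a NULL `sk`, but nothing in the header records that as part of the helper's contract, so a later cleanup could drop the test as redundant or callers could keep adding their own. The commit message explains where the NULL comes from (error unwinding in tcp_sk_init() and icmp_sk_init() walking every possible cpu); a one-line comment above the function would carry that into the source, e.g. `/* sk may be NULL: per-cpu control sockets that were never created are skipped */`.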
@@ -0,0 +1,34 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Eric Dumazet
+Date: Mon, 9 Nov 2015 17:51:23 -0800
+Subject: net: fix a race in dst_release()
+
+From: Eric Dumazet
+
+[ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ]
+
+Only cpu seeing dst refcount going to 0 can safely
+dereference dst->flags.
+
+Otherwise an other cpu might already have freed the dst.
+
+Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+Reported-by: Greg Thelen
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -283,7 +283,7 @@ void dst_release(struct dst_entry *dst)
+
+ newrefcnt = atomic_dec_return(&dst->__refcnt);
+ WARN_ON(newrefcnt < 0);
+- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt)
++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
+ }
+ }
diff --git a/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch b/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
new file mode 100644
index 00000000000..db8b014ab31
--- /dev/null
+++ b/queue-3.10/net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
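Review bot: The reordered test in dst_release() is safe only because `!newrefcnt` is evaluated before `dst->flags` is read, and nothing in the code says that the operand order is load-bearing; a later tidy-up could swap the operands back and reintroduce the use-after-free window described in the commit message. A comment directly above the `if` would pin it, for example `/* Only the CPU that dropped the last reference may read dst->flags; any other CPU can race with the free. */`. The function starts outside the hunk.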
@@ -0,0 +1,62 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Carol L Soto
+Date: Tue, 27 Oct 2015 17:36:20 +0200
+Subject: net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
+
+From: Carol L Soto
+
+[ Upstream commit c02b05011fadf8e409e41910217ca689f2fc9d91 ]
+
+When doing memcpy/memset of EQEs, we should use sizeof struct
+mlx4_eqe as the base size and not caps.eqe_size which could be bigger.
+
+If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
+data in the master context.
+
+When using a 64 byte stride, the memcpy copied over 63 bytes to the
+slave_eq structure. This resulted in copying over the entire eqe of
+interest, including its ownership bit -- and also 31 bytes of garbage
+into the next WQE in the slave EQ -- which did NOT include the ownership
+bit (and therefore had no impact).
+
+However, once the stride is increased to 128, we are overwriting the
+ownership bits of *three* eqes in the slave_eq struct. This results
+in an incorrect ownership bit for those eqes, which causes the eq to
+seem to be full. The issue therefore surfaced only once 128-byte EQEs
+started being used in SRIOV and (overarchitectures that have 128/256
+byte cache-lines such as PPC) - e.g after commit 77507aa249ae
+"net/mlx4_core: Enable CQE/EQE stride support".
+
+Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
+Signed-off-by: Carol L Soto
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Or Gerlitz
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/cmd.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx4/eq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+@@ -1836,7 +1836,7 @@ int mlx4_multi_func_init(struct mlx4_dev
+ spin_lock_init(&s_state->lock);
+ }
+
+- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size);
++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe));
+ priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD;
+ INIT_WORK(&priv->mfunc.master.comm_work,
+ mlx4_master_comm_channel);
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -183,7 +183,7 @@ static void slave_event(struct mlx4_dev
+ return;
+ }
+
+- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1);
++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);
+ s_eqe->slave_id = slave;
+ /* ensure all information is written before setting the ownersip bit */
+ wmb();
diff --git a/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch b/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
new file mode 100644
index 00000000000..d1cf6d1524f
--- /dev/null
+++ b/queue-3.10/ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
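Review bot: Both sizes are now spelled `sizeof(struct mlx4_eqe)`, which stays correct only while the destination objects keep that type; tying the length to the destination removes the assumption, e.g. `memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(priv->mfunc.master.cmd_eqe));` in mlx4_multi_func_init(). In slave_event() the `- 1` is unexplained; judging by the comment two lines below, it leaves the final byte (presumably the one carrying the ownership bit) to be written after `wmb()`, and a short comment on the memcpy saying so would stop the next reader from "fixing" it. The declarations of `cmd_eqe` and `s_eqe` are outside both hunks, so their types should be confirmed before switching to the destination-based form for the memcpy.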
@@ -0,0 +1,37 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Guillaume Nault
+Date: Thu, 22 Oct 2015 16:57:10 +0200
+Subject: ppp: fix pppoe_dev deletion condition in pppoe_release()
+
+From: Guillaume Nault
+
+[ Upstream commit 1acea4f6ce1b1c0941438aca75dd2e5c6b09db60 ]
+
+We can't rely on PPPOX_ZOMBIE to decide whether to clear po->pppoe_dev.
+PPPOX_ZOMBIE can be set by pppoe_disc_rcv() even when po->pppoe_dev is
+NULL. So we have no guarantee that (sk->sk_state & PPPOX_ZOMBIE) implies
+(po->pppoe_dev != NULL).
+Since we're releasing a PPPoE socket, we want to release the pppoe_dev
+if it exists and reset sk_state to PPPOX_DEAD, no matter the previous
+value of sk_state. So we can just check for po->pppoe_dev and avoid any
+assumption on sk->sk_state.
+
+Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release")
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pppoe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -569,7 +569,7 @@ static int pppoe_release(struct socket *
+
+ po = pppox_sk(sk);
+
+- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
++ if (po->pppoe_dev) {
+ dev_put(po->pppoe_dev);
+ po->pppoe_dev = NULL;
+ }
diff --git a/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch b/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
new file mode 100644
index 00000000000..6de2826bb57
--- /dev/null
+++ b/queue-3.10/rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Sowmini Varadhan
+Date: Mon, 26 Oct 2015 12:46:37 -0400
+Subject: RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv
+
+From: Sowmini Varadhan
+
+[ Upstream commit 8ce675ff39b9958d1c10f86cf58e357efaafc856 ]
+
+Either of pskb_pull() or pskb_trim() may fail under low memory conditions.
+If rds_tcp_data_recv() ignores such failures, the application will
+receive corrupted data because the skb has not been correctly
+carved to the RDS datagram size.
+
+Avoid this by handling pskb_pull/pskb_trim failure in the same
+manner as the skb_clone failure: bail out of rds_tcp_data_recv(), and
+retry via the deferred call to rds_send_worker() that gets set up on
+ENOMEM from rds_tcp_read_sock()
+
+Signed-off-by: Sowmini Varadhan
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/tcp_recv.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/rds/tcp_recv.c
++++ b/net/rds/tcp_recv.c
+@@ -234,8 +234,15 @@ static int rds_tcp_data_recv(read_descri
+ }
+
+ to_copy = min(tc->t_tinc_data_rem, left);
+- pskb_pull(clone, offset);
+- pskb_trim(clone, to_copy);
++ if (!pskb_pull(clone, offset) ||
++ pskb_trim(clone, to_copy)) {
++ pr_warn("rds_tcp_data_recv: pull/trim failed "
++ "left %zu data_rem %zu skb_len %d\n",
++ left, tc->t_tinc_data_rem, skb->len);
++ kfree_skb(clone);
++ desc->error = -ENOMEM;
++ goto out;
++ }
+ skb_queue_tail(&tinc->ti_skb_list, clone);
+
+ rdsdebug("skb %p data %p len %d off %u to_copy %zu -> "
diff --git a/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch b/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
new file mode 100644
index 00000000000..ab116178dce
--- /dev/null
+++ b/queue-3.10/rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
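Review bot: The `pr_warn()` added on the pull/trim failure path is not rate-limited, and the commit message says this path is taken under low memory, where it can fire for every skb handed to rds_tcp_data_recv() and flood the kernel log at the moment the system is least able to absorb it; `pr_warn_ratelimited(` is the usual form for a message on a receive path. The last conversion is also `%d` for `skb->len`, which is an unsigned int, so `skb_len %u` would match the argument. The function begins and ends outside the hunk, so the `out` label and how it consumes `desc->error` are not visible here.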
@@ -0,0 +1,78 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Sasha Levin
+Date: Tue, 8 Sep 2015 10:53:40 -0400
+Subject: RDS: verify the underlying transport exists before creating a connection
+
+From: Sasha Levin
+
+[ Upstream commit 74e98eb085889b0d2d4908f59f6e00026063014f ]
+
+There was no verification that an underlying transport exists when creating
+a connection, this would cause dereferencing a NULL ptr.
+
+It might happen on sockets that weren't properly bound before attempting to
+send a message, which will cause a NULL ptr deref:
+
+[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[135546.051270] Modules linked in:
+[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+[135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+[135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+[135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+[135546.064723] Stack:
+[135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+[135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+[135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+[135546.068629] Call Trace:
+[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+[135546.071981] rds_sendmsg (net/rds/send.c:1058)
+[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+[135546.076349] ? __might_fault (mm/memory.c:3795)
+[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+[135546.078856] SYSC_sendto (net/socket.c:1657)
+[135546.079596] ? SYSC_connect (net/socket.c:1628)
+[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+Acked-by: Santosh Shilimkar
+Signed-off-by: Sasha Levin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/connection.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -177,6 +177,12 @@ static struct rds_connection *__rds_conn
+ }
+ }
+
++ if (trans == NULL) {
++ kmem_cache_free(rds_conn_slab, conn);
++ conn = ERR_PTR(-ENODEV);
++ goto out;
++ }
++
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
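Review bot: The `trans == NULL` test sits after `conn` has been allocated and after the nested block that closes just above it, so it covers only the uses visible below it (`conn->c_trans = trans` and `trans->conn_alloc(conn, gfp)`). __rds_conn_create() starts outside this hunk; if any statement earlier in the function reads through `trans`, that access remains unguarded on the same unbound-socket path, which should be confirmed against the full function before relying on this backport. If `trans` is not reassigned between the allocation and this point, testing it before the allocation would also make the `kmem_cache_free(rds_conn_slab, conn)` unnecessary.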
diff --git a/queue-3.10/series b/queue-3.10/series
new file mode 100644
index 00000000000..d9e7c56a70f
--- /dev/null
+++ b/queue-3.10/series
@@ -0,0 +1,13 @@
+irda-precedence-bug-in-irlmp_seq_hb_idx.patch
+ppp-fix-pppoe_dev-deletion-condition-in-pppoe_release.patch
+rds-tcp-recover-correctly-from-pskb_pull-pksb_trim-failure-in-rds_tcp_data_recv.patch
+net-mlx4-copy-set-only-sizeof-struct-mlx4_eqe-bytes.patch
+stmmac-correctly-report-ptp-capabilities.patch
+ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
+net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
+net-fix-a-race-in-dst_release.patch
+virtio-net-drop-netif_f_fraglist.patch
+rds-verify-the-underlying-transport-exists-before-creating-a-connection.patch
+arm-8426-1-dma-mapping-add-missing-range-check-in-dma_mmap.patch
+arm-8427-1-dma-mapping-add-support-for-offset-parameter-in-dma_mmap.patch
+arm-orion-fix-dsa-platform-device-after-mvmdio-conversion.patch
diff --git a/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch b/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch
new file mode 100644
index 00000000000..c4e61db7e04
--- /dev/null
+++ b/queue-3.10/stmmac-correctly-report-ptp-capabilities.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Phil Reid
+Date: Fri, 30 Oct 2015 16:43:55 +0800
+Subject: stmmac: Correctly report PTP capabilities.
+
+From: Phil Reid
+
+[ Upstream commit e6dbe1eb2db0d7a14991c06278dd3030c45fb825 ]
+
+priv->hwts_*_en indicate if timestamping is enabled/disabled at run
+time. But priv->dma_cap.time_stamp and priv->dma_cap.atime_stamp
+indicates HW is support for PTPv1/PTPv2.
+
+Signed-off-by: Phil Reid
+Acked-by: Richard Cochran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -731,10 +731,13 @@ static int stmmac_get_ts_info(struct net
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+
+- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) {
++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) {
+
+- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE |
++ SOF_TIMESTAMPING_TX_HARDWARE |
++ SOF_TIMESTAMPING_RX_SOFTWARE |
+ SOF_TIMESTAMPING_RX_HARDWARE |
++ SOF_TIMESTAMPING_SOFTWARE |
+ SOF_TIMESTAMPING_RAW_HARDWARE;
+
+ if (priv->ptp_clock)
diff --git a/queue-3.10/virtio-net-drop-netif_f_fraglist.patch b/queue-3.10/virtio-net-drop-netif_f_fraglist.patch
new file mode 100644
index 00000000000..9c7fc105810
--- /dev/null
+++ b/queue-3.10/virtio-net-drop-netif_f_fraglist.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Dec 5 21:18:34 PST 2015
+From: Jason Wang
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+From: Jason Wang
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1545,9 +1545,9 @@ static int virtnet_probe(struct virtio_d
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
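Review bot: Nothing at the two feature assignments in virtnet_probe() records why NETIF_F_FRAGLIST is left out, so the flag could be re-added later as an apparent omission and bring back the memory corruption the commit message describes. The reason is stated only in that message (the sg array is sized for at most MAX_SKB_FRAGS + 2 entries and skb_to_sgvec would run past it); a comment next to `dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;` such as `/* no NETIF_F_FRAGLIST: the sg array holds at most MAX_SKB_FRAGS + 2 entries */` would carry it into the source. The function continues outside the hunk.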