From 28cd9a8f75cf88232cbe22052a94e07a12ed2c3e Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 11 Nov 2012 22:06:07 -0800 Subject: [PATCH] 3.6-stable patches added patches: af-packet-fix-oops-when-socket-is-not-present.patch drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch ipv4-fix-flushing-of-cached-routing-informations.patch ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch ipv6-set-default-hoplimit-as-zero.patch l2tp-fix-oops-in-l2tp_eth_create-error-path.patch net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch net-fix-secpath-kmemleak.patch net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch netlink-use-kfree_rcu-in-netlink_release.patch net-usb-fix-memory-leak-on-tx-data-path.patch sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch tcp-fix-fionread-siocinq.patch tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch --- ...-fix-oops-when-socket-is-not-present.patch | 47 ++++++++ ...iobus_unregister-before-mdiobus_free.patch | 45 ++++++++ ...iobus_unregister-before-mdiobus_free.patch | 43 ++++++++ ...shing-of-cached-routing-informations.patch | 48 +++++++++ ...eighbour-advertisements-to-all-nodes.patch | 40 +++++++ .../ipv6-set-default-hoplimit-as-zero.patch | 45 ++++++++ ...x-oops-in-l2tp_eth_create-error-path.patch | 36 +++++++ ...de-by-zero-in-tcp-algorithm-illinois.patch | 67 ++++++++++++ queue-3.6/net-fix-secpath-kmemleak.patch | 54 ++++++++++ ...r-code-if-protocol-handler-is-missed.patch | 50 +++++++++ ...-usb-fix-memory-leak-on-tx-data-path.patch | 50 +++++++++ ...ink-use-kfree_rcu-in-netlink_release.patch | 102 ++++++++++++++++++ ...process_sack-in-sctp_cmd_interpreter.patch | 35 ++++++ queue-3.6/series | 15 +++ queue-3.6/tcp-fix-fionread-siocinq.patch | 48 +++++++++ ...le-zero-length-data-put-in-rcv-queue.patch | 35 ++++++ 16 files changed, 760 insertions(+) create mode 100644 queue-3.6/af-packet-fix-oops-when-socket-is-not-present.patch 
create mode 100644 queue-3.6/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch create mode 100644 queue-3.6/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch create mode 100644 queue-3.6/ipv4-fix-flushing-of-cached-routing-informations.patch create mode 100644 queue-3.6/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch create mode 100644 queue-3.6/ipv6-set-default-hoplimit-as-zero.patch create mode 100644 queue-3.6/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch create mode 100644 queue-3.6/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch create mode 100644 queue-3.6/net-fix-secpath-kmemleak.patch create mode 100644 queue-3.6/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch create mode 100644 queue-3.6/net-usb-fix-memory-leak-on-tx-data-path.patch create mode 100644 queue-3.6/netlink-use-kfree_rcu-in-netlink_release.patch create mode 100644 queue-3.6/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch create mode 100644 queue-3.6/tcp-fix-fionread-siocinq.patch create mode 100644 queue-3.6/tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch
diff --git a/queue-3.6/af-packet-fix-oops-when-socket-is-not-present.patch b/queue-3.6/af-packet-fix-oops-when-socket-is-not-present.patch
new file mode 100644
index 00000000000..e7531f262da
--- /dev/null
+++ b/queue-3.6/af-packet-fix-oops-when-socket-is-not-present.patch
@@ -0,0 +1,47 @@
+From 4f7cffea785f9f47ab04e8498de506e2dd65e2ae Mon Sep 17 00:00:00 2001
+From: Eric Leblond
+Date: Tue, 6 Nov 2012 02:10:10 +0000
+Subject: af-packet: fix oops when socket is not present
+
+
+From: Eric Leblond
+
+[ Upstream commit a3d744e995d2b936c500585ae39d99ee251c89b4 ]
+
+Due to a NULL dereference, the following patch is causing oops
+in normal trafic condition:
+
+commit c0de08d04215031d68fa13af36f347a6cfa252ca
+Author: Eric Leblond
+Date:   Thu Aug 16 22:02:58 2012 +0000
+
+    af_packet: don't emit packet on orig fanout group
+
+This buggy patch was a feature fix and has reached most stable
+branches.
+
+When skb->sk is NULL and when packet fanout is used, there is a
+crash in match_fanout_group where skb->sk is accessed.
+This patch fixes the issue by returning false as soon as the
+socket is NULL: this correspond to the wanted behavior because
+the kernel as to resend the skb to all the listening socket in
+this case.
+
+Signed-off-by: Eric Leblond
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1644,7 +1644,7 @@ static inline int deliver_skb(struct sk_
+
+ static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
+ {
+- if (ptype->af_packet_priv == NULL)
++ if (!ptype->af_packet_priv || !skb->sk)
+ return false;
+
+ if (ptype->id_match)
diff --git a/queue-3.6/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch b/queue-3.6/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch
new file mode 100644
index 00000000000..a2096e31a37
--- /dev/null
+++ b/queue-3.6/drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch
@@ -0,0 +1,45 @@
+From 9e8adbe2ac1e83cd3a1973ec31d4d5bc8d8f5d87 Mon Sep 17 00:00:00 2001
+From: Peter Senna Tschudin
+Date: Sun, 28 Oct 2012 06:12:00 +0000
+Subject: drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
+
+
+From: Peter Senna Tschudin
+
+[ Upstream commit 57c10b61c84bfed68b1b317d6f507a392724b9c4 ]
+
+Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
+
+Calling mdiobus_free without calling mdiobus_unregister causes
+BUG_ON(). This patch fixes the issue.
+
+The semantic patch that found this issue(http://coccinelle.lip6.fr/):
+//
+@@
+expression E;
+@@
+ ... when != mdiobus_unregister(E);
+
++ mdiobus_unregister(E);
+ mdiobus_free(E);
+//
+
+Signed-off-by: Peter Senna Tschudin
+Tested-by: Roland Stigge
+Tested-by: Alexandre Pereira da Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1524,6 +1524,7 @@ static int lpc_eth_drv_remove(struct pla
+ pldat->dma_buff_base_p);
+ free_irq(ndev->irq, ndev);
+ iounmap(pldat->net_base);
++ mdiobus_unregister(pldat->mii_bus);
+ mdiobus_free(pldat->mii_bus);
+ clk_disable(pldat->clk);
+ clk_put(pldat->clk);
diff --git a/queue-3.6/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch b/queue-3.6/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch
new file mode 100644
index 00000000000..5ce80dd6739
--- /dev/null
+++ b/queue-3.6/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch
@@ -0,0 +1,43 @@
+From 2c32599a66b7c4d3780fe9195e649844936f1517 Mon Sep 17 00:00:00 2001
+From: Peter Senna Tschudin
+Date: Sun, 28 Oct 2012 06:12:01 +0000
+Subject: drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free
+
+
+From: Peter Senna Tschudin
+
+[ Upstream commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e ]
+
+Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
+
+Calling mdiobus_free without calling mdiobus_unregister causes
+BUG_ON(). This patch fixes the issue.
+
+The semantic patch that found this issue(http://coccinelle.lip6.fr/):
+//
+@@
+expression E;
+@@
+ ... when != mdiobus_unregister(E);
+
++ mdiobus_unregister(E);
+ mdiobus_free(E);
+//
+
+Signed-off-by: Peter Senna Tschudin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio-bitbang.c
++++ b/drivers/net/phy/mdio-bitbang.c
+@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *b
+ struct mdiobb_ctrl *ctrl = bus->priv;
+
+ module_put(ctrl->ops->owner);
++ mdiobus_unregister(bus);
+ mdiobus_free(bus);
+ }
+ EXPORT_SYMBOL(free_mdio_bitbang);
diff --git a/queue-3.6/ipv4-fix-flushing-of-cached-routing-informations.patch b/queue-3.6/ipv4-fix-flushing-of-cached-routing-informations.patch
new file mode 100644
index 00000000000..c978ff9b67a
--- /dev/null
+++ b/queue-3.6/ipv4-fix-flushing-of-cached-routing-informations.patch
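Review bot: In the `free_mdio_bitbang()` hunk of the queued patch, `mdiobus_unregister(bus)` is now called unconditionally inside the free helper, but nothing visible here shows that the bus is still registered, or was ever registered, when the helper runs. If a caller already unregisters the bus before calling `free_mdio_bitbang()`, or calls it on an error path after registration failed, the bus is unregistered twice or without having been registered; the callers are outside the hunk, so each user of the helper should be checked before this goes to stable. The added call also sits after `module_put(ctrl->ops->owner)`, so the reference on the ops owner is dropped while the bus is still registered; if the unregister stays, it belongs ahead of the `module_put()`.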
@@ -0,0 +1,48 @@
+From d0469d7ba38ac653c329264326f234440b1c8866 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert
+Date: Wed, 17 Oct 2012 21:17:44 +0000
+Subject: ipv4: Fix flushing of cached routing informations
+
+
+From: Steffen Klassert
+
+[ Upstream commit 13d82bf50dce632355fcccafa4fe44a9b5e706d8 ]
+
+Currently we can not flush cached pmtu/redirect informations via
+the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid
+of the old route and reset the nh exeption if the old route is
+expired when we bind a new route to a nh exeption.
+
+Signed-off-by: Steffen Klassert
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1166,8 +1166,12 @@ static bool rt_bind_exception(struct rta
+ spin_lock_bh(&fnhe_lock);
+
+ if (daddr == fnhe->fnhe_daddr) {
+- struct rtable *orig;
+-
++ struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
++ if (orig && rt_is_expired(orig)) {
++ fnhe->fnhe_gw = 0;
++ fnhe->fnhe_pmtu = 0;
++ fnhe->fnhe_expires = 0;
++ }
+ if (fnhe->fnhe_pmtu) {
+ unsigned long expires = fnhe->fnhe_expires;
+ unsigned long diff = expires - jiffies;
+@@ -1184,7 +1188,6 @@ static bool rt_bind_exception(struct rta
+ } else if (!rt->rt_gateway)
+ rt->rt_gateway = daddr;
+
+- orig = rcu_dereference(fnhe->fnhe_rth);
+ rcu_assign_pointer(fnhe->fnhe_rth, rt);
+ if (orig)
+ rt_free(orig);
diff --git a/queue-3.6/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch b/queue-3.6/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch
new file mode 100644
index 00000000000..ef3c8695250
--- /dev/null
+++ b/queue-3.6/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch
@@ -0,0 +1,40 @@
+From 6d24c0e3b60f801fa166755ff5f02347b5a23f4a Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Tue, 6 Nov 2012 16:18:41 +0000
+Subject: ipv6: send unsolicited neighbour advertisements to all-nodes
+
+
+From: Hannes Frederic Sowa
+
+[ Upstream commit 60713a0ca7fd6651b951cc1b4dbd528d1fc0281b ]
+
+As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6.,
+unsolicited neighbour advertisements should be sent to the all-nodes
+multicast address.
+
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ndisc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -535,7 +535,7 @@ static void ndisc_send_unsol_na(struct n
+ {
+ struct inet6_dev *idev;
+ struct inet6_ifaddr *ifa;
+- struct in6_addr mcaddr;
++ struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
+
+ idev = in6_dev_get(dev);
+ if (!idev)
+@@ -543,7 +543,6 @@ static void ndisc_send_unsol_na(struct n
+
+ read_lock_bh(&idev->lock);
+ list_for_each_entry(ifa, &idev->addr_list, if_list) {
+- addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
+ ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
+ /*router=*/ !!idev->cnf.forwarding,
+ /*solicited=*/ false, /*override=*/ true,
diff --git a/queue-3.6/ipv6-set-default-hoplimit-as-zero.patch b/queue-3.6/ipv6-set-default-hoplimit-as-zero.patch
new file mode 100644
index 00000000000..b5988283fe3
--- /dev/null
+++ b/queue-3.6/ipv6-set-default-hoplimit-as-zero.patch
@@ -0,0 +1,45 @@
+From 13ad7e77f1dea4e271c3b9ed8cd438f873f56a9a Mon Sep 17 00:00:00 2001
+From: Li RongQing
+Date: Wed, 24 Oct 2012 14:01:18 +0800
+Subject: ipv6: Set default hoplimit as zero.
+
+
+From: Li RongQing
+
+[ Upstream commit 14edd87dc67311556f1254a8f29cf4dd6cb5b7d1 ]
+
+Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the
+hoplimit checking condition and default value in ip6_dst_hoplimit, not
+zeros all hoplimit default value.
+
+Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as
+const, cause as a37e6e344910(net: force dst_default_metrics to const
+section)
+
+Signed-off-by: Li RongQing
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -219,7 +219,7 @@ static struct dst_ops ip6_dst_blackhole_
+ };
+
+ static const u32 ip6_template_metrics[RTAX_MAX] = {
+- [RTAX_HOPLIMIT - 1] = 255,
++ [RTAX_HOPLIMIT - 1] = 0,
+ };
+
+ static struct rt6_info ip6_null_entry_template = {
+@@ -1241,7 +1241,7 @@ struct dst_entry *icmp6_dst_alloc(struct
+ rt->rt6i_dst.addr = fl6->daddr;
+ rt->rt6i_dst.plen = 128;
+ rt->rt6i_idev = idev;
+- dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
++ dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0);
+
+ spin_lock_bh(&icmp6_dst_lock);
+ rt->dst.next = icmp6_dst_gc_list;
diff --git a/queue-3.6/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch b/queue-3.6/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch
new file mode 100644
index 00000000000..d266b8461f5
--- /dev/null
+++ b/queue-3.6/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch
@@ -0,0 +1,36 @@
+From 8b720ea0a90ac0ee5bfc6916c2a7ef6827ded705 Mon Sep 17 00:00:00 2001
+From: Tom Parkin
+Date: Mon, 29 Oct 2012 23:41:48 +0000
+Subject: l2tp: fix oops in l2tp_eth_create() error path
+
+
+From: Tom Parkin
+
+[ Upstream commit 789336360e0a2aeb9750c16ab704a02cbe035e9e ]
+
+When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
+any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
+32k-interface limit), the netdev is freed in the error path. However, the
+l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
+l2tp_eth_delete() then attempting to unregister the same netdev later in the
+session teardown. This results in an oops.
+
+To avoid this, clear the session dev pointer in the error path.
+
+Signed-off-by: Tom Parkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -290,6 +290,7 @@ static int l2tp_eth_create(struct net *n
+
+ out_del_dev:
+ free_netdev(dev);
++ spriv->dev = NULL;
+ out_del_session:
+ l2tp_session_delete(session);
+ out:
diff --git a/queue-3.6/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch b/queue-3.6/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
new file mode 100644
index 00000000000..3a9de01cd99
--- /dev/null
+++ b/queue-3.6/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
@@ -0,0 +1,67 @@
+From 30c1c3aa270cfbde60f95fd818b329750ed9b44b Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer
+Date: Wed, 31 Oct 2012 02:45:32 +0000
+Subject: net: fix divide by zero in tcp algorithm illinois
+
+
+From: Jesper Dangaard Brouer
+
+[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ]
+
+Reading TCP stats when using TCP Illinois congestion control algorithm
+can cause a divide by zero kernel oops.
+
+The division by zero occur in tcp_illinois_info() at:
+ do_div(t, ca->cnt_rtt);
+where ca->cnt_rtt can become zero (when rtt_reset is called)
+
+Steps to Reproduce:
+ 1. Register tcp_illinois:
+ # sysctl -w net.ipv4.tcp_congestion_control=illinois
+ 2. Monitor internal TCP information via command "ss -i"
+ # watch -d ss -i
+ 3. Establish new TCP conn to machine
+
+Either it fails at the initial conn, or else it needs to wait
+for a loss or a reset.
+
+This is only related to reading stats. The function avg_delay() also
+performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
+calling point in update_params(). Thus, simply fix tcp_illinois_info().
+
+Function tcp_illinois_info() / get_info() is called without
+socket lock. Thus, eliminate any race condition on ca->cnt_rtt
+by using a local stack variable. Simply reuse info.tcpv_rttcnt,
+as its already set to ca->cnt_rtt.
+Function avg_delay() is not affected by this race condition, as
+its called with the socket lock.
+
+Cc: Petr Matousek
+Signed-off-by: Jesper Dangaard Brouer
+Acked-by: Eric Dumazet
+Acked-by: Stephen Hemminger
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_illinois.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct soc
+ .tcpv_rttcnt = ca->cnt_rtt,
+ .tcpv_minrtt = ca->base_rtt,
+ };
+- u64 t = ca->sum_rtt;
+
+- do_div(t, ca->cnt_rtt);
+- info.tcpv_rtt = t;
++ if (info.tcpv_rttcnt > 0) {
++ u64 t = ca->sum_rtt;
+
++ do_div(t, info.tcpv_rttcnt);
++ info.tcpv_rtt = t;
++ }
+ nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ }
+ }
diff --git a/queue-3.6/net-fix-secpath-kmemleak.patch b/queue-3.6/net-fix-secpath-kmemleak.patch
new file mode 100644
index 00000000000..eb7874f9527
--- /dev/null
+++ b/queue-3.6/net-fix-secpath-kmemleak.patch
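Review bot: The new `if (info.tcpv_rttcnt > 0)` block in `tcp_illinois_info()` depends on dividing by the snapshot taken in the `info` initializer rather than by `ca->cnt_rtt`, but nothing in the code says so; the reason (the function runs without the socket lock) is stated only in the changelog. I would add `/* called without the socket lock: divide by the snapshot in info, not ca->cnt_rtt */` above the `if` so a later cleanup does not reintroduce the second read. `ca->sum_rtt` is still read separately from the count, so the reported average can pair a sum and a count from different updates; that looks harmless for a diagnostic value but is worth stating in the same comment. The function body starts outside the hunk.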
@@ -0,0 +1,54 @@
+From aa0dfee5c6f808526f4ca425343a4f95a7c5e6ad Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 22 Oct 2012 09:03:40 +0000
+Subject: net: fix secpath kmemleak
+
+
+From: Eric Dumazet
+
+[ Upstream commit 3d861f661006606bf159fd6bd973e83dbf21d0f9 ]
+
+Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
+and tracked the faulty commit to a1c7fff7e18f59e ("net:
+netdev_alloc_skb() use build_skb()")
+
+While this commit seems fine, it uncovered a bug introduced
+in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function
+kfree_skb_partial()"):
+
+If head is stolen, we free the sk_buff,
+without removing references on secpath (skb->sp).
+
+So IPsec + IP defrag/reassembly (using skb coalescing), or
+TCP coalescing could leak secpath objects.
+
+Fix this bug by calling skb_release_head_state(skb) to properly
+release all possible references to linked objects.
+
+Reported-by: Mike Kazantsev
+Signed-off-by: Eric Dumazet
+Bisected-by: Mike Kazantsev
+Tested-by: Mike Kazantsev
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3384,10 +3384,12 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding)
+
+ void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
+ {
+- if (head_stolen)
++ if (head_stolen) {
++ skb_release_head_state(skb);
+ kmem_cache_free(skbuff_head_cache, skb);
+- else
++ } else {
+ __kfree_skb(skb);
++ }
+ }
+ EXPORT_SYMBOL(kfree_skb_partial);
+
diff --git a/queue-3.6/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch b/queue-3.6/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch
new file mode 100644
index 00000000000..13c4a2a232e
--- /dev/null
+++ b/queue-3.6/net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch
@@ -0,0 +1,50 @@
+From d818713ac9938c773964ee368161fa0ac0d04768 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov
+Date: Sat, 3 Nov 2012 09:30:34 +0000
+Subject: net: inet_diag -- Return error code if protocol handler is missed
+
+
+From: Cyrill Gorcunov
+
+[ Upstream commit cacb6ba0f36ab14a507f4ee7697e8332899015d2 ]
+
+We've observed that in case if UDP diag module is not
+supported in kernel the netlink returns NLMSG_DONE without
+notifying a caller that handler is missed.
+
+This patch makes __inet_diag_dump to return error code instead.
+
+So as example it become possible to detect such situation
+and handle it gracefully on userspace level.
+
+Signed-off-by: Cyrill Gorcunov
+CC: David Miller
+CC: Eric Dumazet
+CC: Pavel Emelyanov
+Acked-by: Pavel Emelyanov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_diag.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -883,13 +883,16 @@ static int __inet_diag_dump(struct sk_bu
+ struct inet_diag_req_v2 *r, struct nlattr *bc)
+ {
+ const struct inet_diag_handler *handler;
++ int err = 0;
+
+ handler = inet_diag_lock_handler(r->sdiag_protocol);
+ if (!IS_ERR(handler))
+ handler->dump(skb, cb, r, bc);
++ else
++ err = PTR_ERR(handler);
+ inet_diag_unlock_handler(handler);
+
+- return skb->len;
++ return err ? : skb->len;
+ }
+
+ static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
diff --git a/queue-3.6/net-usb-fix-memory-leak-on-tx-data-path.patch b/queue-3.6/net-usb-fix-memory-leak-on-tx-data-path.patch
new file mode 100644
index 00000000000..6875129d1fe
--- /dev/null
+++ b/queue-3.6/net-usb-fix-memory-leak-on-tx-data-path.patch
@@ -0,0 +1,50 @@
+From 8554e0dbfa9d4d1183063682a1fdadb2e5994225 Mon Sep 17 00:00:00 2001
+From: Hemant Kumar
+Date: Thu, 25 Oct 2012 18:17:54 +0000
+Subject: net: usb: Fix memory leak on Tx data path
+
+
+From: Hemant Kumar
+
+[ Upstream commit 39707c2a3ba5011038b363f84d37c8a98d2d9db1 ]
+
+Driver anchors the tx urbs and defers the urb submission if
+a transmit request comes when the interface is suspended.
+Anchoring urb increments the urb reference count. These
+deferred urbs are later accessed by calling usb_get_from_anchor()
+for submission during interface resume. usb_get_from_anchor()
+unanchors the urb but urb reference count remains same.
+This causes the urb reference count to remain non-zero
+after usb_free_urb() gets called and urb never gets freed.
+Hence call usb_put_urb() after anchoring the urb to properly
+balance the reference count for these deferred urbs. Also,
+unanchor these deferred urbs during disconnect, to free them
+up.
+
+Signed-off-by: Hemant Kumar
+Acked-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1158,6 +1158,7 @@ netdev_tx_t usbnet_start_xmit (struct sk
+ usb_anchor_urb(urb, &dev->deferred);
+ /* no use to process more packets */
+ netif_stop_queue(net);
++ usb_put_urb(urb);
+ spin_unlock_irqrestore(&dev->txq.lock, flags);
+ netdev_dbg(dev->net, "Delaying transmission for resumption\n");
+ goto deferred;
+@@ -1310,6 +1311,8 @@ void usbnet_disconnect (struct usb_inter
+
+ cancel_work_sync(&dev->kevent);
+
++ usb_scuttle_anchored_urbs(&dev->deferred);
++
+ if (dev->driver_info->unbind)
+ dev->driver_info->unbind (dev, intf);
+
diff --git a/queue-3.6/netlink-use-kfree_rcu-in-netlink_release.patch b/queue-3.6/netlink-use-kfree_rcu-in-netlink_release.patch
new file mode 100644
index 00000000000..75dc9f4185d
--- /dev/null
+++ b/queue-3.6/netlink-use-kfree_rcu-in-netlink_release.patch 
@@ -0,0 +1,102 @@
+From adfd10093e7f1cf3e2687e8cfc40855bc4d33041 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 18 Oct 2012 03:21:55 +0000
+Subject: netlink: use kfree_rcu() in netlink_release()
+
+
+From: Eric Dumazet
+
+[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ]
+
+On some suspend/resume operations involving wimax device, we have
+noticed some intermittent memory corruptions in netlink code.
+
+Stéphane Marchesin tracked this corruption in netlink_update_listeners()
+and suggested a patch.
+
+It appears netlink_release() should use kfree_rcu() instead of kfree()
+for the listeners structure as it may be used by other cpus using RCU
+protection.
+
+netlink_release() must set to NULL the listeners pointer when
+it is about to be freed.
+
+Also have to protect netlink_update_listeners() and
+netlink_has_listeners() if listeners is NULL.
+
+Add a nl_deref_protected() lockdep helper to properly document which
+locks protects us.
+
+Reported-by: Jonathan Kliegman
+Signed-off-by: Eric Dumazet
+Cc: Stéphane Marchesin
+Cc: Sam Leffler
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -138,6 +138,8 @@ static int netlink_dump(struct sock *sk)
+ static DEFINE_RWLOCK(nl_table_lock);
+ static atomic_t nl_table_users = ATOMIC_INIT(0);
+
++#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
++
+ static ATOMIC_NOTIFIER_HEAD(netlink_chain);
+
+ static inline u32 netlink_group_mask(u32 group)
+@@ -345,6 +347,11 @@ netlink_update_listeners(struct sock *sk
+ struct hlist_node *node;
+ unsigned long mask;
+ unsigned int i;
++ struct listeners *listeners;
++
++ listeners = nl_deref_protected(tbl->listeners);
++ if (!listeners)
++ return;
+
+ for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
+ mask = 0;
+@@ -352,7 +359,7 @@ netlink_update_listeners(struct sock *sk
+ if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
+ mask |= nlk_sk(sk)->groups[i];
+ }
+- tbl->listeners->masks[i] = mask;
++ listeners->masks[i] = mask;
+ }
+ /* this function is only called with the netlink table "grabbed", which
+ * makes sure updates are visible before bind or setsockopt return.
*/
+@@ -536,7 +543,11 @@ static int netlink_release(struct socket
+ if (netlink_is_kernel(sk)) {
+ BUG_ON(nl_table[sk->sk_protocol].registered == 0);
+ if (--nl_table[sk->sk_protocol].registered == 0) {
+- kfree(nl_table[sk->sk_protocol].listeners);
++ struct listeners *old;
++
++ old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
++ RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
++ kfree_rcu(old, rcu);
+ nl_table[sk->sk_protocol].module = NULL;
+ nl_table[sk->sk_protocol].registered = 0;
+ }
+@@ -978,7 +989,7 @@ int netlink_has_listeners(struct sock *s
+ rcu_read_lock();
+ listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
+
+- if (group - 1 < nl_table[sk->sk_protocol].groups)
++ if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
+ res = test_bit(group - 1, listeners->masks);
+
+ rcu_read_unlock();
+@@ -1620,7 +1631,7 @@ int __netlink_change_ngroups(struct sock
+ new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
+ if (!new)
+ return -ENOMEM;
+- old = rcu_dereference_protected(tbl->listeners, 1);
++ old = nl_deref_protected(tbl->listeners);
+ memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
+ rcu_assign_pointer(tbl->listeners, new);
+
diff --git a/queue-3.6/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch b/queue-3.6/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch
new file mode 100644
index 00000000000..8f4d177ee31
--- /dev/null
+++ b/queue-3.6/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch
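Review bot: The `nl_deref_protected()` macro added near the top of af_netlink.c ends in a semicolon, so every use expands to the call followed by an empty statement, and the macro cannot be used inside an expression or as the body of an unbraced `if`/`else`. Dropping it gives `#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock))`. Separately, `netlink_release()` now sets `listeners` to NULL and two readers gain NULL checks, but the `__netlink_change_ngroups()` hunk still passes `old->masks` to `memcpy()` without one; whether that path can run after the pointer has been cleared is not visible in these hunks and should be confirmed.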
@@ -0,0 +1,35 @@
+From 7331a3a6f59ebd5a9a93f2d0f8b4f8f97620116a Mon Sep 17 00:00:00 2001
+From: Zijie Pan
+Date: Mon, 15 Oct 2012 03:56:39 +0000
+Subject: sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()
+
+
+From: Zijie Pan
+
+[ Upstream commit f6e80abeab928b7c47cc1fbf53df13b4398a2bec ]
+
+Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839
+(sctp: check src addr when processing SACK to update transport state)
+
+Signed-off-by: Zijie Pan
+Signed-off-by: Nicolas Dichtel
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_sideeffect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1634,8 +1634,9 @@ static int sctp_cmd_interpreter(sctp_eve
+ asoc->outqueue.outstanding_bytes;
+ sackh.num_gap_ack_blocks = 0;
+ sackh.num_dup_tsns = 0;
++ chunk->subh.sack_hdr = &sackh;
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
+- SCTP_SACKH(&sackh));
++ SCTP_CHUNK(chunk));
+ break;
+
+ case SCTP_CMD_DISCARD_PACKET:
diff --git a/queue-3.6/series b/queue-3.6/series
index 3cc49bea4c5..ffab1f80c45 100644
--- a/queue-3.6/series
+++ b/queue-3.6/series
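Review bot: `chunk->subh.sack_hdr = &sackh;` stores the address of `sackh` in the chunk, and `sackh` appears to be a local of `sctp_cmd_interpreter()` (it is used as an object with `sackh.num_dup_tsns`; its declaration is outside the hunk). The pointer is valid only if the queued `SCTP_CMD_PROCESS_SACK` is consumed before this function returns, yet the chunk keeps the pointer afterwards, so any later read of `chunk->subh.sack_hdr` would reference a dead stack frame. A comment such as `/* sackh lives only for this call; the command must be consumed before returning */` above the assignment would record that constraint, and if the chunk can outlive the call the field should be cleared once the command has run.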
@@ -40,3 +40,18 @@ alsa-usb-audio-use-rwsem-for-disconnect-protection.patch
 alsa-usb-audio-fix-races-at-disconnection-in-mixer_quirks.c.patch
 alsa-add-a-reference-counter-to-card-instance.patch
 alsa-avoid-endless-sleep-after-disconnect.patch
+sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch
+ipv4-fix-flushing-of-cached-routing-informations.patch
+netlink-use-kfree_rcu-in-netlink_release.patch
+tcp-fix-fionread-siocinq.patch
+net-fix-secpath-kmemleak.patch
+ipv6-set-default-hoplimit-as-zero.patch
+net-usb-fix-memory-leak-on-tx-data-path.patch
+net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
+drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch
+drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch
+l2tp-fix-oops-in-l2tp_eth_create-error-path.patch
+tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch
+net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch
+af-packet-fix-oops-when-socket-is-not-present.patch
+ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch
diff --git a/queue-3.6/tcp-fix-fionread-siocinq.patch b/queue-3.6/tcp-fix-fionread-siocinq.patch
new file mode 100644
index 00000000000..fc540b37278
--- /dev/null
+++ b/queue-3.6/tcp-fix-fionread-siocinq.patch
@@ -0,0 +1,48 @@
+From 608e45771402072e2f7f07d41ecb1bd1ca640933 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 18 Oct 2012 09:14:12 +0000
+Subject: tcp: fix FIONREAD/SIOCINQ
+
+
+From: Eric Dumazet
+
+[ Upstream commit a3374c42aa5f7237e87ff3b0622018636b0c847e ]
+
+tcp_ioctl() tries to take into account if tcp socket received a FIN
+to report correct number bytes in receive queue.
+
+But its flaky because if the application ate the last skb,
+we return 1 instead of 0.
+
+Correct way to detect that FIN was received is to test SOCK_DONE.
+
+Reported-by: Elliot Hughes
+Signed-off-by: Eric Dumazet
+Cc: Neal Cardwell
+Cc: Tom Herbert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -548,14 +548,12 @@ int tcp_ioctl(struct sock *sk, int cmd,
+ !tp->urg_data ||
+ before(tp->urg_seq, tp->copied_seq) ||
+ !before(tp->urg_seq, tp->rcv_nxt)) {
+- struct sk_buff *skb;
+
+ answ = tp->rcv_nxt - tp->copied_seq;
+
+- /* Subtract 1, if FIN is in queue. */
+- skb = skb_peek_tail(&sk->sk_receive_queue);
+- if (answ && skb)
+- answ -= tcp_hdr(skb)->fin;
++ /* Subtract 1, if FIN was received */
++ if (answ && sock_flag(sk, SOCK_DONE))
++ answ--;
+ } else
+ answ = tp->urg_seq - tp->copied_seq;
+ release_sock(sk);
diff --git a/queue-3.6/tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch b/queue-3.6/tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch
new file mode 100644
index 00000000000..b3d8eca4bdc
--- /dev/null
+++ b/queue-3.6/tcp-repair-handle-zero-length-data-put-in-rcv-queue.patch
@@ -0,0 +1,35 @@
+From 595346d0cfb8f16c971429de4d75dad9929c913a Mon Sep 17 00:00:00 2001
+From: Pavel Emelyanov
+Date: Mon, 29 Oct 2012 05:05:33 +0000
+Subject: tcp-repair: Handle zero-length data put in rcv queue
+
+
+From: Pavel Emelyanov
+
+[ Upstream commit c454e6111d1ef4268fe98e87087216e51c2718c3 ]
+
+When sending data into a tcp socket in repair state we should check
+for the amount of data being 0 explicitly. Otherwise we'll have an skb
+with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
+(in particular a warn_on in tcp_recvmsg shoots).
+
+Signed-off-by: Pavel Emelyanov
+Reported-by: Giorgos Mavrikas
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4556,6 +4556,9 @@ int tcp_send_rcvq(struct sock *sk, struc
+ struct tcphdr *th;
+ bool fragstolen;
+
++ if (size == 0)
++ return 0;
++
+ skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
+ if (!skb)
+ goto err;
--
2.47.3