From 3c60b272f5a6818a81833e6b83ed2ebe328437b6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Mon, 18 Jan 2016 21:20:44 -0800
Subject: [PATCH] 3.14-stable patches

added patches:
af_unix-revert-lock_interruptible-in-stream-receive-code.patch
atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
gre6-allow-to-update-all-parameters-via-rtnl.patch
ipv6-sctp-clone-options-to-avoid-use-after-free.patch
net-add-validation-for-the-socket-syscall-protocol-argument.patch
pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
sh_eth-fix-kernel-oops-in-skb_put.patch
skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
---
 ...interruptible-in-stream-receive-code.patch | 65 +++++++++
 ...-to-do-order-4-gfp_atomic-allocation.patch | 46 ++++++
 ...cket-address-length-in-sco_sock_bind.patch | 30 ++++
 ...ow-to-update-all-parameters-via-rtnl.patch | 44 ++++++
 ...lone-options-to-avoid-use-after-free.patch | 53 +++++++
 ...the-socket-syscall-protocol-argument.patch | 132 ++++++++++++++++++
 ...dr_len-in-pptp_bind-and-pptp_connect.patch | 42 ++++++
 ..._needed-counter-when-copying-sockets.patch | 68 +++++++++
 ...as-if-sock-source-timestamps-were-on.patch | 52 +++++++
 queue-3.14/series | 12 ++
 .../sh_eth-fix-kernel-oops-in-skb_put.patch | 67 +++++++++
 ...set-error-in-skb_reorder_vlan_header.patch | 40 ++++++
 ...tacked-vlans-with-reorder_header-off.patch | 52 +++++++
 13 files changed, 703 insertions(+)
 create mode 100644 queue-3.14/af_unix-revert-lock_interruptible-in-stream-receive-code.patch
 create mode 100644 queue-3.14/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
 create mode 100644 queue-3.14/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
 create mode 100644 queue-3.14/gre6-allow-to-update-all-parameters-via-rtnl.patch
 create mode 100644 queue-3.14/ipv6-sctp-clone-options-to-avoid-use-after-free.patch
 create mode 100644 queue-3.14/net-add-validation-for-the-socket-syscall-protocol-argument.patch
 create mode 100644 queue-3.14/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
 create mode 100644 queue-3.14/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
 create mode 100644 queue-3.14/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
 create mode 100644 queue-3.14/sh_eth-fix-kernel-oops-in-skb_put.patch
 create mode 100644 queue-3.14/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
 create mode 100644 queue-3.14/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
diff --git a/queue-3.14/af_unix-revert-lock_interruptible-in-stream-receive-code.patch b/queue-3.14/af_unix-revert-lock_interruptible-in-stream-receive-code.patch
new file mode 100644
index 00000000000..f64f36abdaf
--- /dev/null
+++ b/queue-3.14/af_unix-revert-lock_interruptible-in-stream-receive-code.patch
@@ -0,0 +1,65 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Rainer Weikusat
+Date: Wed, 16 Dec 2015 20:09:25 +0000
+Subject: af_unix: Revert 'lock_interruptible' in stream receive code
+Status: RO
+Content-Length: 2049
+Lines: 58
+
+From: Rainer Weikusat
+
+[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ]
+
+With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM
+receive code was changed from using mutex_lock(&u->readlock) to
+mutex_lock_interruptible(&u->readlock) to prevent signals from being
+delayed for an indefinite time if a thread sleeping on the mutex
+happened to be selected for handling the signal. But this was never a
+problem with the stream receive code (as opposed to its datagram
+counterpart) as that never went to sleep waiting for new messages with the
+mutex held and thus, wouldn't cause secondary readers to block on the
+mutex waiting for the sleeping primary reader. As the interruptible
+locking makes the code more complicated in exchange for no benefit,
+change it back to using mutex_lock.
+
+Signed-off-by: Rainer Weikusat
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/unix/af_unix.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2090,14 +2090,7 @@ static int unix_stream_recvmsg(struct ki
+ memset(&tmp_scm, 0, sizeof(tmp_scm));
+ }
+ 
+- err = mutex_lock_interruptible(&u->readlock);
+- if (unlikely(err)) {
+- /* recvmsg() in non blocking mode is supposed to return -EAGAIN
+- * sk_rcvtimeo is not honored by mutex_lock_interruptible()
+- */
+- err = noblock ? -EAGAIN : -ERESTARTSYS;
+- goto out;
+- }
++ mutex_lock(&u->readlock);
+ 
+ if (flags & MSG_PEEK)
+ skip = sk_peek_offset(sk, flags);
+@@ -2138,12 +2131,12 @@ again:
+ 
+ timeo = unix_stream_data_wait(sk, timeo, last);
+ 
+- if (signal_pending(current)
+- || mutex_lock_interruptible(&u->readlock)) {
++ if (signal_pending(current)) {
+ err = sock_intr_errno(timeo);
+ goto out;
+ }
+ 
++ mutex_lock(&u->readlock);
+ continue;
+ unlock:
+ unix_state_unlock(sk);
diff --git a/queue-3.14/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch b/queue-3.14/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
new file mode 100644
index 00000000000..2bba397f751
--- /dev/null
+++ b/queue-3.14/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
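Review bot: The removed block was the only place explaining the -EAGAIN/-ERESTARTSYS semantics of a contended readlock, and the new `mutex_lock(&u->readlock);` in the first inner hunk carries no trace of the invariant the commit message relies on (readlock is never held while sleeping in unix_stream_data_wait, so an uninterruptible lock cannot delay signal delivery). A one-line comment there, `/* readlock is never held across unix_stream_data_wait(), so an uninterruptible lock is safe here */`, keeps that reasoning with the code for anyone backporting or re-auditing it. The same applies to the second `mutex_lock(&u->readlock);` after the signal_pending check. unix_stream_recvmsg starts and ends outside the hunk.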
@@ -0,0 +1,46 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Pavel Machek
+Date: Fri, 4 Dec 2015 09:50:00 +0100
+Subject: atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+Status: RO
+Content-Length: 1553
+Lines: 40
+
+From: Pavel Machek
+
+[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ]
+
+atl1c driver is doing order-4 allocation with GFP_ATOMIC
+priority. That often breaks networking after resume. Switch to
+GFP_KERNEL. Still not ideal, but should be significantly better.
+
+atl1c_setup_ring_resources() is called from .open() function, and
+already uses GFP_KERNEL, so this change is safe.
+
+Signed-off-by: Pavel Machek
+Acked-by: Michal Hocko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1018,13 +1018,12 @@ static int atl1c_setup_ring_resources(st
+ sizeof(struct atl1c_recv_ret_status) * rx_desc_count +
+ 8 * 4;
+ 
+- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size,
+- &ring_header->dma);
++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size,
++ &ring_header->dma, GFP_KERNEL);
+ if (unlikely(!ring_header->desc)) {
+- dev_err(&pdev->dev, "pci_alloc_consistend failed\n");
++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n");
+ goto err_nomem;
+ }
+- memset(ring_header->desc, 0, ring_header->size);
+ /* init TPD ring */
+ 
+ tpd_ring[0].dma = roundup(ring_header->dma, 8);
diff --git a/queue-3.14/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch b/queue-3.14/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
new file mode 100644
index 00000000000..d3032e4edd2
--- /dev/null
+++ b/queue-3.14/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
@@ -0,0 +1,30 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: "David S. Miller"
+Date: Tue, 15 Dec 2015 15:39:08 -0500
+Subject: bluetooth: Validate socket address length in sco_sock_bind().
+Status: RO
+Content-Length: 619
+Lines: 24
+
+From: "David S. Miller"
+
+[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/sco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *
+ if (!addr || addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+ 
++ if (addr_len < sizeof(struct sockaddr_sco))
++ return -EINVAL;
++ 
+ lock_sock(sk);
+ 
+ if (sk->sk_state != BT_OPEN) {
diff --git a/queue-3.14/gre6-allow-to-update-all-parameters-via-rtnl.patch b/queue-3.14/gre6-allow-to-update-all-parameters-via-rtnl.patch
new file mode 100644
index 00000000000..b1dc2123c57
--- /dev/null
+++ b/queue-3.14/gre6-allow-to-update-all-parameters-via-rtnl.patch
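Review bot: The new `addr_len` check is placed after `addr->sa_family` has already been read on the preceding context line, so a bind with a length shorter than the family field still has that field compared before the length is rejected. The socket core copies the user address into a kernel buffer before calling bind, so this is presumably not an out-of-bounds read, but the defensive ordering is to validate the length first and only then look inside the structure: `if (!addr || addr_len < sizeof(struct sockaddr_sco) || addr->sa_family != AF_BLUETOOTH) return -EINVAL;`. sco_sock_bind continues outside the hunk, so any later field accesses are covered only if they all sit below this check.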
@@ -0,0 +1,44 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Nicolas Dichtel
+Date: Thu, 3 Dec 2015 17:21:50 +0100
+Subject: gre6: allow to update all parameters via rtnl
+Status: RO
+Content-Length: 1091
+Lines: 38
+
+From: Nicolas Dichtel
+
+[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ]
+
+Parameters were updated only if the kernel was unable to find the tunnel
+with the new parameters, ie only if core pamareters were updated (keys,
+addr, link, type).
+Now it's possible to update ttl, hoplimit, flowinfo and flags.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_gre.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1558,13 +1558,11 @@ static int ip6gre_changelink(struct net_
+ return -EEXIST;
+ } else {
+ t = nt;
+-
+- ip6gre_tunnel_unlink(ign, t);
+- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+- ip6gre_tunnel_link(ign, t);
+- netdev_state_change(dev);
+ }
+ 
++ ip6gre_tunnel_unlink(ign, t);
++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
++ ip6gre_tunnel_link(ign, t);
+ return 0;
+ }
+ 
diff --git a/queue-3.14/ipv6-sctp-clone-options-to-avoid-use-after-free.patch b/queue-3.14/ipv6-sctp-clone-options-to-avoid-use-after-free.patch
new file mode 100644
index 00000000000..0d1858bdbef
--- /dev/null
+++ b/queue-3.14/ipv6-sctp-clone-options-to-avoid-use-after-free.patch
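Review bot: The update path no longer calls `netdev_state_change(dev)`: it was removed together with the old else-branch and is not re-added after the new `ip6gre_tunnel_link(ign, t);`. If `ip6gre_tnl_change()` issues that notification itself (it appears to in this tree, but its body is outside the hunk) the change is correct and deserves a comment such as `/* ip6gre_tnl_change() notifies via netdev_state_change() */`; otherwise rtnetlink listeners stop seeing parameter updates and the call should be restored after the link. ip6gre_changelink starts outside the hunk.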
@@ -0,0 +1,53 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Eric Dumazet
+Date: Wed, 9 Dec 2015 07:25:06 -0800
+Subject: ipv6: sctp: clone options to avoid use after free
+Status: RO
+Content-Length: 1365
+Lines: 47
+
+From: Eric Dumazet
+
+[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ]
+
+SCTP is lacking proper np->opt cloning at accept() time.
+
+TCP and DCCP use ipv6_dup_options() helper, do the same
+in SCTP.
+
+We might later factorize this code in a common helper to avoid
+future mistakes.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Eric Dumazet
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ipv6.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -638,6 +638,7 @@ static struct sock *sctp_v6_create_accep
+ struct sock *newsk;
+ struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+ struct sctp6_sock *newsctp6sk;
++ struct ipv6_txoptions *opt;
+ 
+ newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot);
+ if (!newsk)
+@@ -657,6 +658,13 @@ static struct sock *sctp_v6_create_accep
+ 
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+ 
++ rcu_read_lock();
++ opt = rcu_dereference(np->opt);
++ if (opt)
++ opt = ipv6_dup_options(newsk, opt);
++ RCU_INIT_POINTER(newnp->opt, opt);
++ rcu_read_unlock();
++
+ /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
+ * and getpeername().
+ */
diff --git a/queue-3.14/net-add-validation-for-the-socket-syscall-protocol-argument.patch b/queue-3.14/net-add-validation-for-the-socket-syscall-protocol-argument.patch
new file mode 100644
index 00000000000..9305fd0b86c
--- /dev/null
+++ b/queue-3.14/net-add-validation-for-the-socket-syscall-protocol-argument.patch
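Review bot: `opt = ipv6_dup_options(newsk, opt);` presumably returns NULL when the copy cannot be allocated, and the new code then stores that NULL into `newnp->opt` without any diagnostic, so the accepted socket silently loses the listener's transmit options instead of failing accept. That mirrors the TCP path the commit message cites, but nothing at the call site says so; a comment such as `/* on allocation failure the child inherits no txoptions, as in TCP */` would stop a reader from mistaking it for a missing error check. The copy is made inside `rcu_read_lock()`/`rcu_read_unlock()`, so it must not sleep — worth confirming the allocation inside ipv6_dup_options is atomic in this tree. sctp_v6_create_accept_sock starts and ends outside the hunk.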
@@ -0,0 +1,132 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Hannes Frederic Sowa
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 4097
+Lines: 133
+
+From: Hannes Frederic Sowa
+
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [] ? inet_autobind+0x2e/0x70
+kernel: [] inet_dgram_connect+0x54/0x80
+kernel: [] SYSC_connect+0xd9/0x110
+kernel: [] ? ptrace_notify+0x5b/0x80
+kernel: [] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [] SyS_connect+0xe/0x10
+kernel: [] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang
+Reported-by: 郭永刚
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -374,6 +374,7 @@ struct sock {
+ sk_no_check : 2,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net,
+ struct sock *sk;
+ ax25_cb *ax25;
+ 
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+ 
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -677,6 +677,9 @@ static int dn_create(struct net *net, st
+ {
+ struct sock *sk;
+ 
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+ 
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -260,6 +260,9 @@ static int inet_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+ 
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+ 
+ /* Look for the requested type/protocol pair. */
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -110,6 +110,9 @@ static int inet6_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+ 
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1103,6 +1103,9 @@ static int irda_create(struct net *net,
+ 
+ IRDA_DEBUG(2, "%s()\n", __func__);
+ 
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+ 
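Review bot: `#define SK_PROTOCOL_MAX U8_MAX` is dropped between two bitfield members of `struct sock`, so the only thing tying the bound to the `sk_protocol : 8` width is adjacency, and nothing says the two must move together. A comment on that line, `/* sk_protocol is 8 bits wide; widen this together with the field */`, makes the coupling explicit for whoever next edits the bitfield. The inet and inet6 callers bound the argument with `IPPROTO_MAX` while ax25, decnet and irda use `SK_PROTOCOL_MAX`, which is fine, but any other family in this tree that stores `protocol` into `sk_protocol` without a range check is not covered by this patch and is worth verifying separately. All five create() functions start and end outside the hunk.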
diff --git a/queue-3.14/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch b/queue-3.14/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
new file mode 100644
index 00000000000..677eadd5ad0
--- /dev/null
+++ b/queue-3.14/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
@@ -0,0 +1,42 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: WANG Cong
+Date: Mon, 14 Dec 2015 13:48:36 -0800
+Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
+Status: RO
+Content-Length: 993
+Lines: 36
+
+From: WANG Cong
+
+[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pptp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock
+ struct pptp_opt *opt = &po->proto.pptp;
+ int error = 0;
+ 
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ lock_sock(sk);
+ 
+ opt->src_addr = sp->sa_addr.pptp;
+@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s
+ struct flowi4 fl4;
+ int error = 0;
+ 
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ if (sp->sa_protocol != PX_PROTO_PPTP)
+ return -EINVAL;
+ 
diff --git a/queue-3.14/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch b/queue-3.14/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
new file mode 100644
index 00000000000..7b754c6a83c
--- /dev/null
+++ b/queue-3.14/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
@@ -0,0 +1,68 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Marcelo Ricardo Leitner
+Date: Fri, 4 Dec 2015 15:14:04 -0200
+Subject: sctp: update the netstamp_needed counter when copying sockets
+Status: RO
+Content-Length: 2148
+Lines: 66
+
+From: Marcelo Ricardo Leitner
+
+[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ]
+
+Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy
+related to disabling sock timestamp.
+
+When SCTP accepts an association or peel one off, it copies sock flags
+but forgot to call net_enable_timestamp() if a packet timestamping flag
+was copied, leading to extra calls to net_disable_timestamp() whenever
+such clones were closed.
+
+The fix is to call net_enable_timestamp() whenever we copy a sock with
+that flag on, like tcp does.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Marcelo Ricardo Leitner
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sock.h | 2 ++
+ net/core/sock.c | 2 --
+ net/sctp/socket.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -700,6 +700,8 @@ enum sock_flags {
+ SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */
+ };
+ 
++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
++
+ static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
+ {
+ nsk->sk_flags = osk->sk_flags;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(co
+ }
+ }
+ 
+-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
+-
+ static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
+ {
+ if (sk->sk_flags & flags) {
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6985,6 +6985,9 @@ void sctp_copy_sock(struct sock *newsk,
+ newinet->mc_ttl = 1;
+ newinet->mc_index = 0;
+ newinet->mc_list = NULL;
++
++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
++ net_enable_timestamp();
+ }
+ 
+ static inline void sctp_copy_descendant(struct sock *sk_to,
diff --git a/queue-3.14/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch b/queue-3.14/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
new file mode 100644
index 00000000000..0f4810c1f21
--- /dev/null
+++ b/queue-3.14/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
@@ -0,0 +1,52 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Marcelo Ricardo Leitner
+Date: Fri, 4 Dec 2015 15:14:03 -0200
+Subject: sctp: use the same clock as if sock source timestamps were on
+Status: RO
+Content-Length: 1646
+Lines: 46
+
+From: Marcelo Ricardo Leitner
+
+[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ]
+
+SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for
+detecting stale cookies. This cookie is echoed back to the server by the
+client and then that timestamp is checked.
+
+Thing is, if the listening socket is using packet timestamping, the
+cookie is encoded with ktime_get() value and checked against
+ktime_get_real(), as done by __net_timestamp().
+
+The fix is to sctp also use ktime_get_real(), so we can compare bananas
+with bananas later no matter if packet timestamping was enabled or not.
+
+Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime")
+Signed-off-by: Marcelo Ricardo Leitner
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_make_chunk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_co
+ 
+ /* Set an expiration time for the cookie. */
+ cookie->c.expiration = ktime_add(asoc->cookie_life,
+- ktime_get());
++ ktime_get_real());
+ 
+ /* Copy the peer's init packet. */
+ memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
+@@ -1780,7 +1780,7 @@ no_hmac:
+ if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
+ kt = skb_get_ktime(skb);
+ else
+- kt = ktime_get();
++ kt = ktime_get_real();
+ 
+ if (!asoc && ktime_compare(bear_cookie->expiration, kt) < 0) {
+ /*
diff --git a/queue-3.14/series b/queue-3.14/series
index 3fa0ce0c0ea..7cca03c9ff8 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
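Review bot: Both replacements move cookie expiry from the monotonic clock to `ktime_get_real()`, so a wall-clock step between INIT ACK and COOKIE ECHO (settimeofday, an NTP correction) now shortens or extends the cookie's effective lifetime; the commit accepts that to stay comparable with `skb_get_ktime()` when SOCK_TIMESTAMP is set, but the code itself gives no hint of the trade-off. A comment at the `sctp_pack_cookie` site, `/* wall clock on purpose: must match skb_get_ktime() used when SOCK_TIMESTAMP is set */`, records the reason so a later reader does not "fix" it back. Both functions start and end outside the hunk.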
@@ -29,3 +29,15 @@ usb-cp210x-remove-cp2110-id-from-compatibility-list.patch
 usb-add-quirk-for-devices-with-broken-lpm.patch
 usb-whci-hcd-add-check-for-dma-mapping-error.patch
 usb-use-the-usb_ss_mult-macro-to-decode-burst-multiplier-for-log-message.patch
+gre6-allow-to-update-all-parameters-via-rtnl.patch
+atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
+sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
+sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
+ipv6-sctp-clone-options-to-avoid-use-after-free.patch
+net-add-validation-for-the-socket-syscall-protocol-argument.patch
+sh_eth-fix-kernel-oops-in-skb_put.patch
+vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
+skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
+pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
+bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
+af_unix-revert-lock_interruptible-in-stream-receive-code.patch
diff --git a/queue-3.14/sh_eth-fix-kernel-oops-in-skb_put.patch b/queue-3.14/sh_eth-fix-kernel-oops-in-skb_put.patch
new file mode 100644
index 00000000000..264a7357a23
--- /dev/null
+++ b/queue-3.14/sh_eth-fix-kernel-oops-in-skb_put.patch
@@ -0,0 +1,67 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Sergei Shtylyov
+Date: Fri, 4 Dec 2015 01:45:40 +0300
+Subject: sh_eth: fix kernel oops in skb_put()
+Status: RO
+Content-Length: 2307
+Lines: 61
+
+From: Sergei Shtylyov
+
+[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ]
+
+In a low memory situation the following kernel oops occurs:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000050
+pgd = 8490c000
+[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in:
+CPU: 0 Not tainted (3.4-at16 #9)
+PC is at skb_put+0x10/0x98
+LR is at sh_eth_poll+0x2c8/0xa10
+pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113
+sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4
+r10: 0000003f r9 : 000005ea r8 : 00000000
+r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180
+r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c53c7d Table: 4248c059 DAC: 00000015
+Process klogd (pid: 2046, stack limit = 0x84eb02e8)
+[...]
+
+This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left
+NULL but sh_eth_rx() later uses it without checking. Add such check...
+
+Reported-by: Yasushi SHOJI
+Signed-off-by: Sergei Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1424,6 +1424,7 @@ static int sh_eth_rx(struct net_device *
+ if (mdp->cd->shift_rd0)
+ desc_status >>= 16;
+ 
++ skb = mdp->rx_skbuff[entry];
+ if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 |
+ RD_RFS5 | RD_RFS6 | RD_RFS10)) {
+ ndev->stats.rx_errors++;
+@@ -1439,12 +1440,11 @@ static int sh_eth_rx(struct net_device *
+ ndev->stats.rx_missed_errors++;
+ if (desc_status & RD_RFS10)
+ ndev->stats.rx_over_errors++;
+- } else {
++ } else if (skb) {
+ if (!mdp->cd->hw_swap)
+ sh_eth_soft_swap(
+ phys_to_virt(ALIGN(rxdesc->addr, 4)),
+ pkt_len + 2);
+- skb = mdp->rx_skbuff[entry];
+ mdp->rx_skbuff[entry] = NULL;
+ if (mdp->cd->rpadir)
+ skb_reserve(skb, NET_IP_ALIGN);
diff --git a/queue-3.14/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch b/queue-3.14/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
new file mode 100644
index 00000000000..f6f801794cf
--- /dev/null
+++ b/queue-3.14/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
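Review bot: With `skb = mdp->rx_skbuff[entry];` hoisted and the good-frame branch now guarded by `} else if (skb) {`, a descriptor with no error bits but a NULL skb falls through both branches, and nothing in the hunk records that the frame was lost — `ndev->stats.rx_dropped` is not touched. Unless the refill code later in the loop (outside the hunk) accounts for it, the drop is invisible in the interface statistics, which makes a low-memory condition hard to diagnose; consider `} else if (!skb) { ndev->stats.rx_dropped++; } else {` or an equivalent counter. The rest of the sh_eth_rx loop, including the refill path the commit message refers to, is outside the hunk.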
@@ -0,0 +1,40 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Vlad Yasevich
+Date: Mon, 14 Dec 2015 17:44:10 -0500
+Subject: skbuff: Fix offset error in skb_reorder_vlan_header
+Status: RO
+Content-Length: 1169
+Lines: 34
+
+From: Vlad Yasevich
+
+[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ]
+
+skb_reorder_vlan_header is called after the vlan header has
+been pulled. As a result the offset of the begining of
+the mac header has been incrased by 4 bytes (VLAN_HLEN).
+When moving the mac addresses, include this incrase in
+the offset calcualation so that the mac addresses are
+copied correctly.
+
+Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off)
+CC: Nicolas Dichtel
+CC: Patrick McHardy
+Signed-off-by: Vladislav Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3997,7 +3997,7 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+ 
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
diff --git a/queue-3.14/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch b/queue-3.14/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
new file mode 100644
index 00000000000..74e7db1990b
--- /dev/null
+++ b/queue-3.14/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
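Review bot: The corrected source offset `skb->data - skb->mac_len - VLAN_HLEN` is right only because, as the commit message states, the caller has already pulled the VLAN tag from `skb->data` while `mac_len` still counts it, and nothing at the memmove says so — the previous version of this same line got it wrong for exactly that reason. A one-line comment above the call, `/* the VLAN tag has already been pulled from skb->data, so the mac header starts VLAN_HLEN before data - mac_len */`, keeps the next offset change honest. This patch only applies on top of the vlan-fix-untag patch that introduced the `skb->mac_len` form; the series order in this commit lists that one first, which is the correct order. skb_reorder_vlan_header starts outside the hunk.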
@@ -0,0 +1,52 @@
+From foo@baz Mon Jan 18 21:17:42 PST 2016
+From: Vlad Yasevich
+Date: Mon, 16 Nov 2015 15:43:44 -0500
+Subject: vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+Status: RO
+Content-Length: 1704
+Lines: 46
+
+From: Vlad Yasevich
+
+[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ]
+
+When we have multiple stacked vlan devices all of which have
+turned off REORDER_HEADER flag, the untag operation does not
+locate the ethernet addresses correctly for nested vlans.
+The reason is that in case of REORDER_HEADER flag being off,
+the outer vlan headers are put back and the mac_len is adjusted
+to account for the presense of the header. Then, the subsequent
+untag operation, for the next level vlan, always use VLAN_ETH_HLEN
+to locate the begining of the ethernet header and that ends up
+being a multiple of 4 bytes short of the actuall beginning
+of the mac header (the multiple depending on the how many vlan
+encapsulations ethere are).
+
+As a reslult, if there are multiple levles of vlan devices
+with REODER_HEADER being off, the recevied packets end up
+being dropped.
+
+To solve this, we use skb->mac_len as the offset. The value
+is always set on receive path and starts out as a ETH_HLEN.
+The value is also updated when the vlan header manupations occur
+so we know it will be correct.
+
+Signed-off-by: Vladislav Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3997,7 +3997,8 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+ 
+- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
-- 
2.47.3