From 739af6f62f1978558bf12cfad4fe3969bdf204a9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 11 Nov 2012 21:40:42 -0800 Subject: [PATCH] 3.0-stable patches added patches: drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch ipv6-set-default-hoplimit-as-zero.patch l2tp-fix-oops-in-l2tp_eth_create-error-path.patch net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch netlink-use-kfree_rcu-in-netlink_release.patch net-usb-fix-memory-leak-on-tx-data-path.patch sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch tcp-fix-fionread-siocinq.patch --- ...iobus_unregister-before-mdiobus_free.patch | 43 ++++++++ ...eighbour-advertisements-to-all-nodes.patch | 40 +++++++ .../ipv6-set-default-hoplimit-as-zero.patch | 45 ++++++++ ...x-oops-in-l2tp_eth_create-error-path.patch | 36 +++++++ ...de-by-zero-in-tcp-algorithm-illinois.patch | 67 ++++++++++++ ...-usb-fix-memory-leak-on-tx-data-path.patch | 50 +++++++++ ...ink-use-kfree_rcu-in-netlink_release.patch | 102 ++++++++++++++++++ ...process_sack-in-sctp_cmd_interpreter.patch | 35 ++++++ queue-3.0/series | 9 ++ queue-3.0/tcp-fix-fionread-siocinq.patch | 48 +++++++++ 10 files changed, 475 insertions(+) create mode 100644 queue-3.0/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch create mode 100644 queue-3.0/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch create mode 100644 queue-3.0/ipv6-set-default-hoplimit-as-zero.patch create mode 100644 queue-3.0/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch create mode 100644 queue-3.0/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch create mode 100644 queue-3.0/net-usb-fix-memory-leak-on-tx-data-path.patch create mode 100644 queue-3.0/netlink-use-kfree_rcu-in-netlink_release.patch create mode 100644 queue-3.0/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch create mode 100644 queue-3.0/tcp-fix-fionread-siocinq.patch diff --git a/queue-3.0/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch b/queue-3.0/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch new file mode 100644 index 00000000000..4630eeb17c4 --- /dev/null +++ b/queue-3.0/drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch @@ -0,0 +1,43 @@ +From 2204849a85383fbde75680aa199142abe504adbb Mon Sep 17 00:00:00 2001 +From: Peter Senna Tschudin +Date: Sun, 28 Oct 2012 06:12:01 +0000 +Subject: drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free + + +From: Peter Senna Tschudin + +[ Upstream commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e ] + +Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0 + +Calling mdiobus_free without calling mdiobus_unregister causes +BUG_ON(). This patch fixes the issue. + +The semantic patch that found this issue(http://coccinelle.lip6.fr/): +// +@@ +expression E; +@@ + ... when != mdiobus_unregister(E); + ++ mdiobus_unregister(E); + mdiobus_free(E); +// + +Signed-off-by: Peter Senna Tschudin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-bitbang.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/mdio-bitbang.c ++++ b/drivers/net/phy/mdio-bitbang.c +@@ -225,6 +225,7 @@ void free_mdio_bitbang(struct mii_bus *b + struct mdiobb_ctrl *ctrl = bus->priv; + + module_put(ctrl->ops->owner); ++ mdiobus_unregister(bus); + mdiobus_free(bus); + } + EXPORT_SYMBOL(free_mdio_bitbang); diff --git a/queue-3.0/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch b/queue-3.0/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch new file mode 100644 index 00000000000..bef1d4c0f5f --- /dev/null +++ b/queue-3.0/ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch @@ -0,0 +1,40 @@ +From ee9910b75ac41ac7e2c83ad4fba6b5b9b079c8fc Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 6 Nov 2012 16:18:41 +0000 +Subject: ipv6: send unsolicited neighbour advertisements to all-nodes + + +From: Hannes Frederic Sowa + +[ Upstream commit 60713a0ca7fd6651b951cc1b4dbd528d1fc0281b ] + +As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6., +unsolicited neighbour advertisements should be sent to the all-nodes +multicast address. + +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -615,7 +615,7 @@ static void ndisc_send_unsol_na(struct n + { + struct inet6_dev *idev; + struct inet6_ifaddr *ifa; +- struct in6_addr mcaddr; ++ struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT; + + idev = in6_dev_get(dev); + if (!idev) +@@ -623,7 +623,6 @@ static void ndisc_send_unsol_na(struct n + + read_lock_bh(&idev->lock); + list_for_each_entry(ifa, &idev->addr_list, if_list) { +- addrconf_addr_solict_mult(&ifa->addr, &mcaddr); + ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr, + /*router=*/ !!idev->cnf.forwarding, + /*solicited=*/ false, /*override=*/ true, diff --git a/queue-3.0/ipv6-set-default-hoplimit-as-zero.patch b/queue-3.0/ipv6-set-default-hoplimit-as-zero.patch new file mode 100644 index 00000000000..01ea67e47c0 --- /dev/null +++ b/queue-3.0/ipv6-set-default-hoplimit-as-zero.patch @@ -0,0 +1,45 @@ +From 9a1bd63dc9e2735edc026a71bcec34231907e787 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Wed, 24 Oct 2012 14:01:18 +0800 +Subject: ipv6: Set default hoplimit as zero. + + +From: Li RongQing + +[ Upstream commit 14edd87dc67311556f1254a8f29cf4dd6cb5b7d1 ] + +Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the +hoplimit checking condition and default value in ip6_dst_hoplimit, not +zeros all hoplimit default value. + +Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as +const, cause as a37e6e344910(net: force dst_default_metrics to const +section) + +Signed-off-by: Li RongQing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -171,7 +171,7 @@ static struct dst_ops ip6_dst_blackhole_ + }; + + static const u32 ip6_template_metrics[RTAX_MAX] = { +- [RTAX_HOPLIMIT - 1] = 255, ++ [RTAX_HOPLIMIT - 1] = 0, + }; + + static struct rt6_info ip6_null_entry_template = { +@@ -1068,7 +1068,7 @@ struct dst_entry *icmp6_dst_alloc(struct + rt->rt6i_idev = idev; + dst_set_neighbour(&rt->dst, neigh); + atomic_set(&rt->dst.__refcnt, 1); +- dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255); ++ dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0); + rt->dst.output = ip6_output; + + spin_lock_bh(&icmp6_dst_lock); diff --git a/queue-3.0/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch b/queue-3.0/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch new file mode 100644 index 00000000000..ee62e98e8af --- /dev/null +++ b/queue-3.0/l2tp-fix-oops-in-l2tp_eth_create-error-path.patch @@ -0,0 +1,36 @@ +From fd17cb3827982449c3478f58a60d92859682205e Mon Sep 17 00:00:00 2001 +From: Tom Parkin +Date: Mon, 29 Oct 2012 23:41:48 +0000 +Subject: l2tp: fix oops in l2tp_eth_create() error path + + +From: Tom Parkin + +[ Upstream commit 789336360e0a2aeb9750c16ab704a02cbe035e9e ] + +When creating an L2TPv3 Ethernet session, if register_netdev() should fail for +any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the +32k-interface limit), the netdev is freed in the error path. However, the +l2tp_eth_sess structure's dev pointer is left uncleared, and this results in +l2tp_eth_delete() then attempting to unregister the same netdev later in the +session teardown. This results in an oops. + +To avoid this, clear the session dev pointer in the error path. + +Signed-off-by: Tom Parkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_eth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/l2tp/l2tp_eth.c ++++ b/net/l2tp/l2tp_eth.c +@@ -269,6 +269,7 @@ static int l2tp_eth_create(struct net *n + + out_del_dev: + free_netdev(dev); ++ spriv->dev = NULL; + out_del_session: + l2tp_session_delete(session); + out: diff --git a/queue-3.0/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch b/queue-3.0/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch new file mode 100644 index 00000000000..13e664c76ea --- /dev/null +++ b/queue-3.0/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch @@ -0,0 +1,67 @@ +From 9f4b9052489530c23043a7cbad9752362f03b5bd Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Wed, 31 Oct 2012 02:45:32 +0000 +Subject: net: fix divide by zero in tcp algorithm illinois + + +From: Jesper Dangaard Brouer + +[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ] + +Reading TCP stats when using TCP Illinois congestion control algorithm +can cause a divide by zero kernel oops. + +The division by zero occur in tcp_illinois_info() at: + do_div(t, ca->cnt_rtt); +where ca->cnt_rtt can become zero (when rtt_reset is called) + +Steps to Reproduce: + 1. Register tcp_illinois: + # sysctl -w net.ipv4.tcp_congestion_control=illinois + 2. Monitor internal TCP information via command "ss -i" + # watch -d ss -i + 3. Establish new TCP conn to machine + +Either it fails at the initial conn, or else it needs to wait +for a loss or a reset. + +This is only related to reading stats. The function avg_delay() also +performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its +calling point in update_params(). Thus, simply fix tcp_illinois_info(). + +Function tcp_illinois_info() / get_info() is called without +socket lock. Thus, eliminate any race condition on ca->cnt_rtt +by using a local stack variable. Simply reuse info.tcpv_rttcnt, +as its already set to ca->cnt_rtt. +Function avg_delay() is not affected by this race condition, as +its called with the socket lock. + +Cc: Petr Matousek +Signed-off-by: Jesper Dangaard Brouer +Acked-by: Eric Dumazet +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_illinois.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct soc + .tcpv_rttcnt = ca->cnt_rtt, + .tcpv_minrtt = ca->base_rtt, + }; +- u64 t = ca->sum_rtt; + +- do_div(t, ca->cnt_rtt); +- info.tcpv_rtt = t; ++ if (info.tcpv_rttcnt > 0) { ++ u64 t = ca->sum_rtt; + ++ do_div(t, info.tcpv_rttcnt); ++ info.tcpv_rtt = t; ++ } + nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); + } + } diff --git a/queue-3.0/net-usb-fix-memory-leak-on-tx-data-path.patch b/queue-3.0/net-usb-fix-memory-leak-on-tx-data-path.patch new file mode 100644 index 00000000000..965b16302cb --- /dev/null +++ b/queue-3.0/net-usb-fix-memory-leak-on-tx-data-path.patch @@ -0,0 +1,50 @@ +From de3a096efae4f524ec9c52c54f73c9974fd06c25 Mon Sep 17 00:00:00 2001 +From: Hemant Kumar +Date: Thu, 25 Oct 2012 18:17:54 +0000 +Subject: net: usb: Fix memory leak on Tx data path + + +From: Hemant Kumar + +[ Upstream commit 39707c2a3ba5011038b363f84d37c8a98d2d9db1 ] + +Driver anchors the tx urbs and defers the urb submission if +a transmit request comes when the interface is suspended. +Anchoring urb increments the urb reference count. These +deferred urbs are later accessed by calling usb_get_from_anchor() +for submission during interface resume. usb_get_from_anchor() +unanchors the urb but urb reference count remains same. +This causes the urb reference count to remain non-zero +after usb_free_urb() gets called and urb never gets freed. +Hence call usb_put_urb() after anchoring the urb to properly +balance the reference count for these deferred urbs. Also, +unanchor these deferred urbs during disconnect, to free them +up. + +Signed-off-by: Hemant Kumar +Acked-by: Oliver Neukum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1149,6 +1149,7 @@ netdev_tx_t usbnet_start_xmit (struct sk + usb_anchor_urb(urb, &dev->deferred); + /* no use to process more packets */ + netif_stop_queue(net); ++ usb_put_urb(urb); + spin_unlock_irqrestore(&dev->txq.lock, flags); + netdev_dbg(dev->net, "Delaying transmission for resumption\n"); + goto deferred; +@@ -1290,6 +1291,8 @@ void usbnet_disconnect (struct usb_inter + + cancel_work_sync(&dev->kevent); + ++ usb_scuttle_anchored_urbs(&dev->deferred); ++ + if (dev->driver_info->unbind) + dev->driver_info->unbind (dev, intf); + diff --git a/queue-3.0/netlink-use-kfree_rcu-in-netlink_release.patch b/queue-3.0/netlink-use-kfree_rcu-in-netlink_release.patch new file mode 100644 index 00000000000..94e0605af65 --- /dev/null +++ b/queue-3.0/netlink-use-kfree_rcu-in-netlink_release.patch @@ -0,0 +1,102 @@ +From d274bdf66bd75b8b5218455cbba79cdceeba8342 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Oct 2012 03:21:55 +0000 +Subject: netlink: use kfree_rcu() in netlink_release() + + +From: Eric Dumazet + +[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ] + +On some suspend/resume operations involving wimax device, we have +noticed some intermittent memory corruptions in netlink code. + +Stéphane Marchesin tracked this corruption in netlink_update_listeners() +and suggested a patch. + +It appears netlink_release() should use kfree_rcu() instead of kfree() +for the listeners structure as it may be used by other cpus using RCU +protection. + +netlink_release() must set to NULL the listeners pointer when +it is about to be freed. + +Also have to protect netlink_update_listeners() and +netlink_has_listeners() if listeners is NULL. + +Add a nl_deref_protected() lockdep helper to properly document which +locks protects us. + +Reported-by: Jonathan Kliegman +Signed-off-by: Eric Dumazet +Cc: Stéphane Marchesin +Cc: Sam Leffler +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -137,6 +137,8 @@ static void netlink_destroy_callback(str + static DEFINE_RWLOCK(nl_table_lock); + static atomic_t nl_table_users = ATOMIC_INIT(0); + ++#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock)); ++ + static ATOMIC_NOTIFIER_HEAD(netlink_chain); + + static u32 netlink_group_mask(u32 group) +@@ -331,6 +333,11 @@ netlink_update_listeners(struct sock *sk + struct hlist_node *node; + unsigned long mask; + unsigned int i; ++ struct listeners *listeners; ++ ++ listeners = nl_deref_protected(tbl->listeners); ++ if (!listeners) ++ return; + + for (i = 0; i < NLGRPLONGS(tbl->groups); i++) { + mask = 0; +@@ -338,7 +345,7 @@ netlink_update_listeners(struct sock *sk + if (i < NLGRPLONGS(nlk_sk(sk)->ngroups)) + mask |= nlk_sk(sk)->groups[i]; + } +- tbl->listeners->masks[i] = mask; ++ listeners->masks[i] = mask; + } + /* this function is only called with the netlink table "grabbed", which + * makes sure updates are visible before bind or setsockopt return. */ +@@ -519,7 +526,11 @@ static int netlink_release(struct socket + if (netlink_is_kernel(sk)) { + BUG_ON(nl_table[sk->sk_protocol].registered == 0); + if (--nl_table[sk->sk_protocol].registered == 0) { +- kfree(nl_table[sk->sk_protocol].listeners); ++ struct listeners *old; ++ ++ old = nl_deref_protected(nl_table[sk->sk_protocol].listeners); ++ RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL); ++ kfree_rcu(old, rcu); + nl_table[sk->sk_protocol].module = NULL; + nl_table[sk->sk_protocol].registered = 0; + } +@@ -950,7 +961,7 @@ int netlink_has_listeners(struct sock *s + rcu_read_lock(); + listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners); + +- if (group - 1 < nl_table[sk->sk_protocol].groups) ++ if (listeners && group - 1 < nl_table[sk->sk_protocol].groups) + res = test_bit(group - 1, listeners->masks); + + rcu_read_unlock(); +@@ -1585,7 +1596,7 @@ int __netlink_change_ngroups(struct sock + new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC); + if (!new) + return -ENOMEM; +- old = rcu_dereference_raw(tbl->listeners); ++ old = nl_deref_protected(tbl->listeners); + memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups)); + rcu_assign_pointer(tbl->listeners, new); + diff --git a/queue-3.0/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch b/queue-3.0/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch new file mode 100644 index 00000000000..79c0154be93 --- /dev/null +++ b/queue-3.0/sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch @@ -0,0 +1,35 @@ +From 92705f587157f344fbc5e6ebeb9cacd0263a184a Mon Sep 17 00:00:00 2001 +From: Zijie Pan +Date: Mon, 15 Oct 2012 03:56:39 +0000 +Subject: sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter() + + +From: Zijie Pan + +[ Upstream commit f6e80abeab928b7c47cc1fbf53df13b4398a2bec ] + +Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839 +(sctp: check src addr when processing SACK to update transport state) + +Signed-off-by: Zijie Pan +Signed-off-by: Nicolas Dichtel +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1604,8 +1604,9 @@ static int sctp_cmd_interpreter(sctp_eve + asoc->outqueue.outstanding_bytes; + sackh.num_gap_ack_blocks = 0; + sackh.num_dup_tsns = 0; ++ chunk->subh.sack_hdr = &sackh; + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, +- SCTP_SACKH(&sackh)); ++ SCTP_CHUNK(chunk)); + break; + + case SCTP_CMD_DISCARD_PACKET: diff --git a/queue-3.0/series b/queue-3.0/series index 0af4ff50101..b7ecf4aa272 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -21,3 +21,12 @@ alsa-usb-audio-use-rwsem-for-disconnect-protection.patch alsa-usb-audio-fix-races-at-disconnection-in-mixer_quirks.c.patch alsa-add-a-reference-counter-to-card-instance.patch alsa-avoid-endless-sleep-after-disconnect.patch +sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch +netlink-use-kfree_rcu-in-netlink_release.patch +tcp-fix-fionread-siocinq.patch +ipv6-set-default-hoplimit-as-zero.patch +net-usb-fix-memory-leak-on-tx-data-path.patch +net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch +drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch +l2tp-fix-oops-in-l2tp_eth_create-error-path.patch +ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch diff --git a/queue-3.0/tcp-fix-fionread-siocinq.patch b/queue-3.0/tcp-fix-fionread-siocinq.patch new file mode 100644 index 00000000000..439c712833f --- /dev/null +++ b/queue-3.0/tcp-fix-fionread-siocinq.patch @@ -0,0 +1,48 @@ +From 07fbfd2bbe02ef6d8d6c7ba70870e4b642214b1b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Oct 2012 09:14:12 +0000 +Subject: tcp: fix FIONREAD/SIOCINQ + + +From: Eric Dumazet + +[ Upstream commit a3374c42aa5f7237e87ff3b0622018636b0c847e ] + +tcp_ioctl() tries to take into account if tcp socket received a FIN +to report correct number bytes in receive queue. + +But its flaky because if the application ate the last skb, +we return 1 instead of 0. + +Correct way to detect that FIN was received is to test SOCK_DONE. + +Reported-by: Elliot Hughes +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -481,14 +481,12 @@ int tcp_ioctl(struct sock *sk, int cmd, + !tp->urg_data || + before(tp->urg_seq, tp->copied_seq) || + !before(tp->urg_seq, tp->rcv_nxt)) { +- struct sk_buff *skb; + + answ = tp->rcv_nxt - tp->copied_seq; + +- /* Subtract 1, if FIN is in queue. */ +- skb = skb_peek_tail(&sk->sk_receive_queue); +- if (answ && skb) +- answ -= tcp_hdr(skb)->fin; ++ /* Subtract 1, if FIN was received */ ++ if (answ && sock_flag(sk, SOCK_DONE)) ++ answ--; + } else + answ = tp->urg_seq - tp->copied_seq; + release_sock(sk); -- 2.47.3