From bf1a5440ab0e971c5c7f09fb71ce3917fc0f7f72 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 30 Dec 2015 19:53:24 -0800 Subject: [PATCH] 4.3-stable patches added patches: af_unix-revert-lock_interruptible-in-stream-receive-code.patch atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch bluetooth-validate-socket-address-length-in-sco_sock_bind.patch fou-clean-up-socket-with-kfree_rcu.patch gianfar-don-t-enable-rx-filer-if-not-supported.patch gre6-allow-to-update-all-parameters-via-rtnl.patch inet-tcp-fix-inetpeer_set_addr_v4.patch ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch ipv6-sctp-clone-options-to-avoid-use-after-free.patch net-add-validation-for-the-socket-syscall-protocol-argument.patch net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch net-check-both-type-and-procotol-for-tcp-sockets.patch net-fix-ip-early-demux-races.patch net-fix-uninitialized-variable-issue.patch net-qca_spi-fix-transmit-queue-timeout-handling.patch net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch openvswitch-fix-helper-reference-leak.patch openvswitch-respect-conntrack-zone-even-if-invalid.patch phy-micrel-fix-finding-phy-properties-in-mac-node.patch pppoe-fix-memory-corruption-in-padt-work-structure.patch pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch r8152-fix-lockup-when-runtime-pm-is-enabled.patch rhashtable-enforce-minimum-size-on-initial-hash-table.patch rhashtable-fix-walker-list-corruption.patch sctp-also-copy-sk_tsflags-when-copying-the-socket.patch sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch sh_eth-fix-kernel-oops-in-skb_put.patch skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch tcp-restore-fastopen-with-no-data-in-syn-packet.patch uapi-export-ila.h.patch vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch --- ...interruptible-in-stream-receive-code.patch | 62 ++++++++ ...-to-do-order-4-gfp_atomic-allocation.patch | 43 +++++ ...cket-address-length-in-sco_sock_bind.patch | 27 ++++ .../fou-clean-up-socket-with-kfree_rcu.patch | 43 +++++ ...n-t-enable-rx-filer-if-not-supported.patch | 69 ++++++++ ...ow-to-update-all-parameters-via-rtnl.patch | 41 +++++ .../inet-tcp-fix-inetpeer_set_addr_v4.patch | 38 +++++ ...le-privacy-mode-if-stable_secret-set.patch | 41 +++++ ...-flags-when-setting-ifa_f_optimistic.patch | 41 +++++ ...lone-options-to-avoid-use-after-free.patch | 50 ++++++ ...the-socket-syscall-protocol-argument.patch | 129 +++++++++++++++ ...dd-ndp-to-end-quirk-for-huawei-e3372.patch | 104 +++++++++++++ ...th-type-and-procotol-for-tcp-sockets.patch | 62 ++++++++ queue-4.3/net-fix-ip-early-demux-races.patch | 147 ++++++++++++++++++ ...net-fix-uninitialized-variable-issue.patch | 31 ++++ ...-fix-transmit-queue-timeout-handling.patch | 37 +++++ ...c_tree_decrease_qlen-work-for-non-mq.patch | 39 +++++ ...penvswitch-fix-helper-reference-leak.patch | 55 +++++++ ...spect-conntrack-zone-even-if-invalid.patch | 60 +++++++ ...x-finding-phy-properties-in-mac-node.patch | 54 +++++++ ...ry-corruption-in-padt-work-structure.patch | 90 +++++++++++ ...dr_len-in-pptp_bind-and-pptp_connect.patch | 39 +++++ ...ix-lockup-when-runtime-pm-is-enabled.patch | 86 ++++++++++ ...e-minimum-size-on-initial-hash-table.patch | 56 +++++++ ...hashtable-fix-walker-list-corruption.patch | 79 ++++++++++ ...y-sk_tsflags-when-copying-the-socket.patch | 33 ++++ ..._needed-counter-when-copying-sockets.patch | 65 ++++++++ ...as-if-sock-source-timestamps-were-on.patch | 49 ++++++ queue-4.3/series | 34 ++++ .../sh_eth-fix-kernel-oops-in-skb_put.patch | 64 ++++++++ ...set-error-in-skb_reorder_vlan_header.patch | 37 +++++ ...-fastopen-with-no-data-in-syn-packet.patch | 65 ++++++++ queue-4.3/uapi-export-ila.h.patch | 29 ++++ ...tacked-vlans-with-reorder_header-off.patch | 49 ++++++ ...ix-incorrect-rco-bit-in-vxlan-header.patch | 35 +++++ 35 files changed, 1983 insertions(+) create mode 100644 queue-4.3/af_unix-revert-lock_interruptible-in-stream-receive-code.patch create mode 100644 queue-4.3/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch create mode 100644 queue-4.3/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch create mode 100644 queue-4.3/fou-clean-up-socket-with-kfree_rcu.patch create mode 100644 queue-4.3/gianfar-don-t-enable-rx-filer-if-not-supported.patch create mode 100644 queue-4.3/gre6-allow-to-update-all-parameters-via-rtnl.patch create mode 100644 queue-4.3/inet-tcp-fix-inetpeer_set_addr_v4.patch create mode 100644 queue-4.3/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch create mode 100644 queue-4.3/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch create mode 100644 queue-4.3/ipv6-sctp-clone-options-to-avoid-use-after-free.patch create mode 100644 queue-4.3/net-add-validation-for-the-socket-syscall-protocol-argument.patch create mode 100644 queue-4.3/net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch create mode 100644 queue-4.3/net-check-both-type-and-procotol-for-tcp-sockets.patch create mode 100644 queue-4.3/net-fix-ip-early-demux-races.patch create mode 100644 queue-4.3/net-fix-uninitialized-variable-issue.patch create mode 100644 queue-4.3/net-qca_spi-fix-transmit-queue-timeout-handling.patch create mode 100644 queue-4.3/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch create mode 100644 queue-4.3/openvswitch-fix-helper-reference-leak.patch create mode 100644 queue-4.3/openvswitch-respect-conntrack-zone-even-if-invalid.patch create mode 100644 queue-4.3/phy-micrel-fix-finding-phy-properties-in-mac-node.patch create mode 100644 queue-4.3/pppoe-fix-memory-corruption-in-padt-work-structure.patch create mode 100644 queue-4.3/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch create mode 100644 queue-4.3/r8152-fix-lockup-when-runtime-pm-is-enabled.patch create mode 100644 queue-4.3/rhashtable-enforce-minimum-size-on-initial-hash-table.patch create mode 100644 queue-4.3/rhashtable-fix-walker-list-corruption.patch create mode 100644 queue-4.3/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch create mode 100644 queue-4.3/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch create mode 100644 queue-4.3/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch create mode 100644 queue-4.3/sh_eth-fix-kernel-oops-in-skb_put.patch create mode 100644 queue-4.3/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch create mode 100644 queue-4.3/tcp-restore-fastopen-with-no-data-in-syn-packet.patch create mode 100644 queue-4.3/uapi-export-ila.h.patch create mode 100644 queue-4.3/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch create mode 100644 queue-4.3/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch diff --git a/queue-4.3/af_unix-revert-lock_interruptible-in-stream-receive-code.patch b/queue-4.3/af_unix-revert-lock_interruptible-in-stream-receive-code.patch new file mode 100644 index 00000000000..17d56339553 --- /dev/null +++ b/queue-4.3/af_unix-revert-lock_interruptible-in-stream-receive-code.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Rainer Weikusat +Date: Wed, 16 Dec 2015 20:09:25 +0000 +Subject: af_unix: Revert 'lock_interruptible' in stream receive code + +From: Rainer Weikusat + +[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ] + +With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM +receive code was changed from using mutex_lock(&u->readlock) to +mutex_lock_interruptible(&u->readlock) to prevent signals from being +delayed for an indefinite time if a thread sleeping on the mutex +happened to be selected for handling the signal. But this was never a +problem with the stream receive code (as opposed to its datagram +counterpart) as that never went to sleep waiting for new messages with the +mutex held and thus, wouldn't cause secondary readers to block on the +mutex waiting for the sleeping primary reader. As the interruptible +locking makes the code more complicated in exchange for no benefit, +change it back to using mutex_lock. + +Signed-off-by: Rainer Weikusat +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(stru + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +- err = mutex_lock_interruptible(&u->readlock); +- if (unlikely(err)) { +- /* recvmsg() in non blocking mode is supposed to return -EAGAIN +- * sk_rcvtimeo is not honored by mutex_lock_interruptible() +- */ +- err = noblock ? -EAGAIN : -ERESTARTSYS; +- goto out; +- } ++ mutex_lock(&u->readlock); + + if (flags & MSG_PEEK) + skip = sk_peek_offset(sk, flags); +@@ -2306,12 +2299,12 @@ again: + timeo = unix_stream_data_wait(sk, timeo, last, + last_len); + +- if (signal_pending(current) || +- mutex_lock_interruptible(&u->readlock)) { ++ if (signal_pending(current)) { + err = sock_intr_errno(timeo); + goto out; + } + ++ mutex_lock(&u->readlock); + continue; + unlock: + unix_state_unlock(sk); diff --git a/queue-4.3/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch b/queue-4.3/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch new file mode 100644 index 00000000000..f5bb9705984 --- /dev/null +++ b/queue-4.3/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Pavel Machek +Date: Fri, 4 Dec 2015 09:50:00 +0100 +Subject: atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation + +From: Pavel Machek + +[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ] + +atl1c driver is doing order-4 allocation with GFP_ATOMIC +priority. That often breaks networking after resume. Switch to +GFP_KERNEL. Still not ideal, but should be significantly better. + +atl1c_setup_ring_resources() is called from .open() function, and +already uses GFP_KERNEL, so this change is safe. + +Signed-off-by: Pavel Machek +Acked-by: Michal Hocko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(st + sizeof(struct atl1c_recv_ret_status) * rx_desc_count + + 8 * 4; + +- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, +- &ring_header->dma); ++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, ++ &ring_header->dma, GFP_KERNEL); + if (unlikely(!ring_header->desc)) { +- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); ++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); + goto err_nomem; + } +- memset(ring_header->desc, 0, ring_header->size); + /* init TPD ring */ + + tpd_ring[0].dma = roundup(ring_header->dma, 8); diff --git a/queue-4.3/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch b/queue-4.3/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch new file mode 100644 index 00000000000..ee3099ceebb --- /dev/null +++ b/queue-4.3/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch @@ -0,0 +1,27 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: "David S. Miller" +Date: Tue, 15 Dec 2015 15:39:08 -0500 +Subject: bluetooth: Validate socket address length in sco_sock_bind(). + +From: "David S. Miller" + +[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ] + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/sco.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket * + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { diff --git a/queue-4.3/fou-clean-up-socket-with-kfree_rcu.patch b/queue-4.3/fou-clean-up-socket-with-kfree_rcu.patch new file mode 100644 index 00000000000..c1d5a10a40f --- /dev/null +++ b/queue-4.3/fou-clean-up-socket-with-kfree_rcu.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Hannes Frederic Sowa +Date: Tue, 15 Dec 2015 21:01:53 +0100 +Subject: fou: clean up socket with kfree_rcu + +From: Hannes Frederic Sowa + +[ Upstream commit 3036facbb7be3a169e35be3b271162b0fa564a2d ] + +fou->udp_offloads is managed by RCU. As it is actually included inside +the fou sockets, we cannot let the memory go out of scope before a grace +period. We either can synchronize_rcu or switch over to kfree_rcu to +manage the sockets. kfree_rcu seems appropriate as it is used by vxlan +and geneve. + +Fixes: 23461551c00628c ("fou: Support for foo-over-udp RX path") +Cc: Tom Herbert +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fou.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -24,6 +24,7 @@ struct fou { + u16 type; + struct udp_offload udp_offloads; + struct list_head list; ++ struct rcu_head rcu; + }; + + #define FOU_F_REMCSUM_NOPARTIAL BIT(0) +@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou) + list_del(&fou->list); + udp_tunnel_sock_release(sock); + +- kfree(fou); ++ kfree_rcu(fou, rcu); + } + + static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) diff --git a/queue-4.3/gianfar-don-t-enable-rx-filer-if-not-supported.patch b/queue-4.3/gianfar-don-t-enable-rx-filer-if-not-supported.patch new file mode 100644 index 00000000000..12008fd9da3 --- /dev/null +++ b/queue-4.3/gianfar-don-t-enable-rx-filer-if-not-supported.patch @@ -0,0 +1,69 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Hamish Martin +Date: Tue, 15 Dec 2015 14:14:50 +1300 +Subject: gianfar: Don't enable RX Filer if not supported + +From: Hamish Martin + +[ Upstream commit 7bff47da1ee23d00d1257905f2944c29594f799d ] + +After commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the +Parser"), 'TSEC' model controllers (for example as seen on MPC8541E) +always have 8 bytes stripped from the front of received frames. +Only 'eTSEC' gianfar controllers have the RX Filer capability (amongst +other enhancements). Previously this was treated as always enabled +for both 'TSEC' and 'eTSEC' controllers. +In commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the Parser") +a subtle change was made to the setting of 'uses_rxfcb' to effectively +always set it (since 'rx_filer_enable' was always true). This had the +side-effect of always stripping 8 bytes from the front of received frames +on 'TSEC' type controllers. + +We now only enable the RX Filer capability on controller types that +support it, thereby avoiding the issue for 'TSEC' type controllers. + +Reviewed-by: Chris Packham +Reviewed-by: Mark Tomlinson +Signed-off-by: Hamish Martin +Reviewed-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 8 +++++--- + drivers/net/ethernet/freescale/gianfar.h | 1 + + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_ + FSL_GIANFAR_DEV_HAS_VLAN | + FSL_GIANFAR_DEV_HAS_MAGIC_PACKET | + FSL_GIANFAR_DEV_HAS_EXTENDED_HASH | +- FSL_GIANFAR_DEV_HAS_TIMER; ++ FSL_GIANFAR_DEV_HAS_TIMER | ++ FSL_GIANFAR_DEV_HAS_RX_FILER; + + err = of_property_read_string(np, "phy-connection-type", &ctype); + +@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_de + priv->rx_queue[i]->rxic = DEFAULT_RXIC; + } + +- /* always enable rx filer */ +- priv->rx_filer_enable = 1; ++ /* Always enable rx filer if available */ ++ priv->rx_filer_enable = ++ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0; + /* Enable most messages by default */ + priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1; + /* use pritority h/w tx queue scheduling for single queue devices */ +--- a/drivers/net/ethernet/freescale/gianfar.h ++++ b/drivers/net/ethernet/freescale/gianfar.h +@@ -917,6 +917,7 @@ struct gfar { + #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200 + #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400 + #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800 ++#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000 + + #if (MAXGROUPS == 2) + #define DEFAULT_MAPPING 0xAA diff --git a/queue-4.3/gre6-allow-to-update-all-parameters-via-rtnl.patch b/queue-4.3/gre6-allow-to-update-all-parameters-via-rtnl.patch new file mode 100644 index 00000000000..ddbda5379f8 --- /dev/null +++ b/queue-4.3/gre6-allow-to-update-all-parameters-via-rtnl.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Nicolas Dichtel +Date: Thu, 3 Dec 2015 17:21:50 +0100 +Subject: gre6: allow to update all parameters via rtnl + +From: Nicolas Dichtel + +[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ] + +Parameters were updated only if the kernel was unable to find the tunnel +with the new parameters, ie only if core pamareters were updated (keys, +addr, link, type). +Now it's possible to update ttl, hoplimit, flowinfo and flags. + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_ + return -EEXIST; + } else { + t = nt; +- +- ip6gre_tunnel_unlink(ign, t); +- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); +- ip6gre_tunnel_link(ign, t); +- netdev_state_change(dev); + } + ++ ip6gre_tunnel_unlink(ign, t); ++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); ++ ip6gre_tunnel_link(ign, t); + return 0; + } + diff --git a/queue-4.3/inet-tcp-fix-inetpeer_set_addr_v4.patch b/queue-4.3/inet-tcp-fix-inetpeer_set_addr_v4.patch new file mode 100644 index 00000000000..3a560d565f9 --- /dev/null +++ b/queue-4.3/inet-tcp-fix-inetpeer_set_addr_v4.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Eric Dumazet +Date: Tue, 15 Dec 2015 20:56:44 -0800 +Subject: inet: tcp: fix inetpeer_set_addr_v4() + +From: Eric Dumazet + +[ Upstream commit 887dc9f2cef6e98dcccf807da5e6faf4f60ba483 ] + +David Ahern added a vif field in the a4 part of inetpeer_addr struct. + +This broke IPv4 TCP fast open client side and more generally tcp metrics +cache, because inetpeer_addr_cmp() is now comparing two u32 instead of +one. + +inetpeer_set_addr_v4() needs to properly init vif field, otherwise +the comparison result depends on uninitialized data. + +Fixes: 192132b9a034 ("net: Add support for VRFs to inetpeer cache") +Reported-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inetpeer.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/net/inetpeer.h ++++ b/include/net/inetpeer.h +@@ -78,6 +78,7 @@ void inet_initpeers(void) __init; + static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip) + { + iaddr->a4.addr = ip; ++ iaddr->a4.vif = 0; + iaddr->family = AF_INET; + } + diff --git a/queue-4.3/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch b/queue-4.3/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch new file mode 100644 index 00000000000..e38a8b34d75 --- /dev/null +++ b/queue-4.3/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Hannes Frederic Sowa +Date: Tue, 15 Dec 2015 22:59:12 +0100 +Subject: ipv6: automatically enable stable privacy mode if stable_secret set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hannes Frederic Sowa + +[ Upstream commit 9b29c6962b70f232cde4076b1020191e1be0889d ] + +Bjørn reported that while we switch all interfaces to privacy stable mode +when setting the secret, we don't set this mode for new interfaces. This +does not make sense, so change this behaviour. + +Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf") +Reported-by: Bjørn Mork +Cc: Bjørn Mork +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(st + setup_timer(&ndev->rs_timer, addrconf_rs_timer, + (unsigned long)ndev); + memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); ++ ++ if (ndev->cnf.stable_secret.initialized) ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ else ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; ++ + ndev->cnf.mtu6 = dev->mtu; + ndev->cnf.sysctl = NULL; + ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); diff --git a/queue-4.3/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch b/queue-4.3/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch new file mode 100644 index 00000000000..0ad9430b122 --- /dev/null +++ b/queue-4.3/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 4 Dec 2015 14:15:08 +0100 +Subject: ipv6: keep existing flags when setting IFA_F_OPTIMISTIC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 9a1ec4612c9bfc94d4185e3459055a37a685e575 ] + +Commit 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +failed to update the setting of the IFA_F_OPTIMISTIC flag, causing +the IFA_F_STABLE_PRIVACY flag to be lost if IFA_F_OPTIMISTIC is set. + +Cc: Erik Kline +Cc: Fernando Gont +Cc: Lorenzo Colitti +Cc: YOSHIFUJI Hideaki/吉藤英明 +Cc: Hannes Frederic Sowa +Fixes: 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +Signed-off-by: Bjørn Mork +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2453,7 +2453,7 @@ ok: + #ifdef CONFIG_IPV6_OPTIMISTIC_DAD + if (in6_dev->cnf.optimistic_dad && + !net->ipv6.devconf_all->forwarding && sllao) +- addr_flags = IFA_F_OPTIMISTIC; ++ addr_flags |= IFA_F_OPTIMISTIC; + #endif + + /* Do not allow to create too much of autoconfigured diff --git a/queue-4.3/ipv6-sctp-clone-options-to-avoid-use-after-free.patch b/queue-4.3/ipv6-sctp-clone-options-to-avoid-use-after-free.patch new file mode 100644 index 00000000000..9d7e3da9514 --- /dev/null +++ b/queue-4.3/ipv6-sctp-clone-options-to-avoid-use-after-free.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Eric Dumazet +Date: Wed, 9 Dec 2015 07:25:06 -0800 +Subject: ipv6: sctp: clone options to avoid use after free + +From: Eric Dumazet + +[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ] + +SCTP is lacking proper np->opt cloning at accept() time. + +TCP and DCCP use ipv6_dup_options() helper, do the same +in SCTP. + +We might later factorize this code in a common helper to avoid +future mistakes. + +Reported-by: Dmitry Vyukov +Signed-off-by: Eric Dumazet +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ipv6.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accep + struct sock *newsk; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct sctp6_sock *newsctp6sk; ++ struct ipv6_txoptions *opt; + + newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0); + if (!newsk) +@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accep + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); + ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt) ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ rcu_read_unlock(); ++ + /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() + * and getpeername(). + */ diff --git a/queue-4.3/net-add-validation-for-the-socket-syscall-protocol-argument.patch b/queue-4.3/net-add-validation-for-the-socket-syscall-protocol-argument.patch new file mode 100644 index 00000000000..b38608d4e56 --- /dev/null +++ b/queue-4.3/net-add-validation-for-the-socket-syscall-protocol-argument.patch @@ -0,0 +1,129 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Hannes Frederic Sowa +Date: Mon, 14 Dec 2015 22:03:39 +0100 +Subject: net: add validation for the socket syscall protocol argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hannes Frederic Sowa + +[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ] + +郭永刚 reported that one could simply crash the kernel as root by +using a simple program: + + int socket_fd; + struct sockaddr_in addr; + addr.sin_port = 0; + addr.sin_addr.s_addr = INADDR_ANY; + addr.sin_family = 10; + + socket_fd = socket(10,3,0x40000000); + connect(socket_fd , &addr,16); + +AF_INET, AF_INET6 sockets actually only support 8-bit protocol +identifiers. inet_sock's skc_protocol field thus is sized accordingly, +thus larger protocol identifiers simply cut off the higher bits and +store a zero in the protocol fields. + +This could lead to e.g. NULL function pointer because as a result of +the cut off inet_num is zero and we call down to inet_autobind, which +is NULL for raw sockets. + +kernel: Call Trace: +kernel: [] ? inet_autobind+0x2e/0x70 +kernel: [] inet_dgram_connect+0x54/0x80 +kernel: [] SYSC_connect+0xd9/0x110 +kernel: [] ? ptrace_notify+0x5b/0x80 +kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 +kernel: [] SyS_connect+0xe/0x10 +kernel: [] tracesys_phase2+0x84/0x89 + +I found no particular commit which introduced this problem. + +CVE: CVE-2015-8543 +Cc: Cong Wang +Reported-by: 郭永刚 +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 1 + + net/ax25/af_ax25.c | 3 +++ + net/decnet/af_decnet.c | 3 +++ + net/ipv4/af_inet.c | 3 +++ + net/ipv6/af_inet6.c | 3 +++ + net/irda/af_irda.c | 3 +++ + 6 files changed, 16 insertions(+) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -387,6 +387,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -261,6 +261,9 @@ static int inet_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + diff --git a/queue-4.3/net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch b/queue-4.3/net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch new file mode 100644 index 00000000000..77d15e72215 --- /dev/null +++ b/queue-4.3/net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch @@ -0,0 +1,104 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Sat, 5 Dec 2015 13:01:50 +0100 +Subject: net: cdc_mbim: add "NDP to end" quirk for Huawei E3372 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit f8c0cfa5eca902d388c0b57c7ca29a1ff2e6d8c6 ] + +The Huawei E3372 (12d1:157d) needs this quirk in MBIM mode +as well. Allow this by forcing the NTB to contain only a +single NDP, and add a device specific entry for this ID. + +Due to the way Huawei use device IDs, this might be applied +to other modems as well. It is assumed that those modems +will be based on the same firmware and will need this quirk +too. If not, it will still not harm normal usage, although +multiplexing performance could be impacted. + +Cc: Enrico Mioso +Reported-by: Sami Farin +Signed-off-by: Bjørn Mork +Acked-By: Enrico Mioso +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_mbim.c | 26 +++++++++++++++++++++++++- + drivers/net/usb/cdc_ncm.c | 10 +++++++++- + 2 files changed, 34 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet * + if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) + goto err; + +- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0); ++ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data); + if (ret) + goto err; + +@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim + .tx_fixup = cdc_mbim_tx_fixup, + }; + ++/* The spefication explicitly allows NDPs to be placed anywhere in the ++ * frame, but some devices fail unless the NDP is placed after the IP ++ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this ++ * behaviour. ++ * ++ * Note: The current implementation of this feature restricts each NTB ++ * to a single NDP, implying that multiplexed sessions cannot share an ++ * NTB. This might affect performace for multiplexed sessions. ++ */ ++static const struct driver_info cdc_mbim_info_ndp_to_end = { ++ .description = "CDC MBIM", ++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, ++ .bind = cdc_mbim_bind, ++ .unbind = cdc_mbim_unbind, ++ .manage_power = cdc_mbim_manage_power, ++ .rx_fixup = cdc_mbim_rx_fixup, ++ .tx_fixup = cdc_mbim_tx_fixup, ++ .data = CDC_NCM_FLAG_NDP_TO_END, ++}; ++ + static const struct usb_device_id mbim_devs[] = { + /* This duplicate NCM entry is intentional. MBIM devices can + * be disguised as NCM by default, and this is necessary to +@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_d + { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info, + }, ++ /* Huawei E3372 fails unless NDP comes after the IP packets */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end, ++ }, + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm + * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and + * the wNdpIndex field in the header is actually not consistent with reality. It will be later. + */ +- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) ++ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { + if (ctx->delayed_ndp16->dwSignature == sign) + return ctx->delayed_ndp16; + ++ /* We can only push a single NDP to the end. Return ++ * NULL to send what we've already got and queue this ++ * skb for later. ++ */ ++ else if (ctx->delayed_ndp16->dwSignature) ++ return NULL; ++ } ++ + /* follow the chain of NDPs, looking for a match */ + while (ndpoffset) { + ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset); diff --git a/queue-4.3/net-check-both-type-and-procotol-for-tcp-sockets.patch b/queue-4.3/net-check-both-type-and-procotol-for-tcp-sockets.patch new file mode 100644 index 00000000000..74b8f67014f --- /dev/null +++ b/queue-4.3/net-check-both-type-and-procotol-for-tcp-sockets.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: WANG Cong +Date: Wed, 16 Dec 2015 23:39:04 -0800 +Subject: net: check both type and procotol for tcp sockets + +From: WANG Cong + +[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ] + +Dmitry reported the following out-of-bound access: + +Call Trace: + [] __asan_report_load4_noabort+0x3e/0x40 +mm/kasan/report.c:294 + [] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880 + [< inline >] SYSC_setsockopt net/socket.c:1746 + [] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729 + [] entry_SYSCALL_64_fastpath+0x16/0x7a +arch/x86/entry/entry_64.S:185 + +This is because we mistake a raw socket as a tcp socket. +We should check both sk->sk_type and sk->sk_protocol to ensure +it is a tcp socket. + +Willem points out __skb_complete_tx_timestamp() needs to fix as well. + +Reported-by: Dmitry Vyukov +Cc: Willem de Bruijn +Cc: Eric Dumazet +Signed-off-by: Cong Wang +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 ++- + net/core/sock.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp( + serr->ee.ee_info = tstype; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; +- if (sk->sk_protocol == IPPROTO_TCP) ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) + serr->ee.ee_data -= sk->sk_tskey; + } + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -860,7 +860,8 @@ set_rcvbuf: + + if (val & SOF_TIMESTAMPING_OPT_ID && + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { +- if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) { + if (sk->sk_state != TCP_ESTABLISHED) { + ret = -EINVAL; + break; diff --git a/queue-4.3/net-fix-ip-early-demux-races.patch b/queue-4.3/net-fix-ip-early-demux-races.patch new file mode 100644 index 00000000000..8855f1a15c4 --- /dev/null +++ b/queue-4.3/net-fix-ip-early-demux-races.patch @@ -0,0 +1,147 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Eric Dumazet +Date: Mon, 14 Dec 2015 14:08:53 -0800 +Subject: net: fix IP early demux races + +From: Eric Dumazet + +[ Upstream commit 5037e9ef9454917b047f9f3a19b4dd179fbf7cd4 ] + +David Wilder reported crashes caused by dst reuse. + + + I am seeing a crash on a distro V4.2.3 kernel caused by a double + release of a dst_entry. In ipv4_dst_destroy() the call to + list_empty() finds a poisoned next pointer, indicating the dst_entry + has already been removed from the list and freed. The crash occurs + 18 to 24 hours into a run of a network stress exerciser. + + +Thanks to his detailed report and analysis, we were able to understand +the core issue. + +IP early demux can associate a dst to skb, after a lookup in TCP/UDP +sockets. + +When socket cache is not properly set, we want to store into +sk->sk_dst_cache the dst for future IP early demux lookups, +by acquiring a stable refcount on the dst. + +Problem is this acquisition is simply using an atomic_inc(), +which works well, unless the dst was queued for destruction from +dst_release() noticing dst refcount went to zero, if DST_NOCACHE +was set on dst. + +We need to make sure current refcount is not zero before incrementing +it, or risk double free as David reported. + +This patch, being a stable candidate, adds two new helpers, and use +them only from IP early demux problematic paths. + +It might be possible to merge in net-next skb_dst_force() and +skb_dst_force_safe(), but I prefer having the smallest patch for stable +kernels : Maybe some skb_dst_force() callers do not expect skb->dst +can suddenly be cleared. + +Can probably be backported back to linux-3.6 kernels + +Reported-by: David J. Wilder +Tested-by: David J. Wilder +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst.h | 33 +++++++++++++++++++++++++++++++++ + include/net/sock.h | 2 +- + net/ipv4/tcp_ipv4.c | 5 ++--- + net/ipv6/tcp_ipv6.c | 3 +-- + 4 files changed, 37 insertions(+), 6 deletions(-) + +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct + } + } + ++/** ++ * dst_hold_safe - Take a reference on a dst if possible ++ * @dst: pointer to dst entry ++ * ++ * This helper returns false if it could not safely ++ * take a reference on a dst. ++ */ ++static inline bool dst_hold_safe(struct dst_entry *dst) ++{ ++ if (dst->flags & DST_NOCACHE) ++ return atomic_inc_not_zero(&dst->__refcnt); ++ dst_hold(dst); ++ return true; ++} ++ ++/** ++ * skb_dst_force_safe - makes sure skb dst is refcounted ++ * @skb: buffer ++ * ++ * If dst is not yet refcounted and not destroyed, grab a ref on it. ++ */ ++static inline void skb_dst_force_safe(struct sk_buff *skb) ++{ ++ if (skb_dst_is_noref(skb)) { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (!dst_hold_safe(dst)) ++ dst = NULL; ++ ++ skb->_skb_refdst = (unsigned long)dst; ++ } ++} ++ + + /** + * __skb_tunnel_rx - prepare skb for rx reinsert +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -801,7 +801,7 @@ void sk_stream_write_space(struct sock * + static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + { + /* dont let skb dst not refcounted, we are going to leave rcu lock */ +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + if (!sk->sk_backlog.tail) + sk->sk_backlog.head = skb; +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struc + if (likely(sk->sk_rx_dst)) + skb_dst_drop(skb); + else +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; +@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { +- dst_hold(dst); ++ if (dst && dst_hold_safe(dst)) { + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + } +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct s + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { ++ if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- dst_hold(dst); + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); diff --git a/queue-4.3/net-fix-uninitialized-variable-issue.patch b/queue-4.3/net-fix-uninitialized-variable-issue.patch new file mode 100644 index 00000000000..7a6202cb66c --- /dev/null +++ b/queue-4.3/net-fix-uninitialized-variable-issue.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: "tadeusz.struk@intel.com" +Date: Tue, 15 Dec 2015 10:46:17 -0800 +Subject: net: fix uninitialized variable issue + +From: "tadeusz.struk@intel.com" + +[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] + +msg_iocb needs to be initialized on the recv/recvfrom path. +Otherwise afalg will wrongly interpret it as an async call. + +Cc: stable@vger.kernel.org +Reported-by: Harald Freudenberger +Signed-off-by: Tadeusz Struk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void + msg.msg_name = addr ? (struct sockaddr *)&address : NULL; + /* We assume all kernel code knows the size of sockaddr_storage */ + msg.msg_namelen = 0; ++ msg.msg_iocb = NULL; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); diff --git a/queue-4.3/net-qca_spi-fix-transmit-queue-timeout-handling.patch b/queue-4.3/net-qca_spi-fix-transmit-queue-timeout-handling.patch new file mode 100644 index 00000000000..9356689aa92 --- /dev/null +++ b/queue-4.3/net-qca_spi-fix-transmit-queue-timeout-handling.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Stefan Wahren +Date: Fri, 4 Dec 2015 16:29:10 +0100 +Subject: net: qca_spi: fix transmit queue timeout handling + +From: Stefan Wahren + +[ Upstream commit ed7d42e24effbd3681e909711a7a2119a85e9217 ] + +In case of a tx queue timeout every transmit is blocked until the +QCA7000 resets himself and triggers a sync which makes the driver +flushs the tx ring. So avoid this blocking situation by triggering +the sync immediately after the timeout. Waking the queue doesn't +make sense in this situation. + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_devi + netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", + jiffies, jiffies - dev->trans_start); + qca->net_dev->stats.tx_errors++; +- /* wake the queue if there is room */ +- if (qcaspi_tx_ring_has_space(&qca->txr)) +- netif_wake_queue(dev); ++ /* Trigger tx queue flush and QCA7000 reset */ ++ qca->sync = QCASPI_SYNC_UNKNOWN; + } + + static int diff --git a/queue-4.3/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch b/queue-4.3/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch new file mode 100644 index 00000000000..86e36b0e6ea --- /dev/null +++ b/queue-4.3/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Eric Dumazet +Date: Tue, 15 Dec 2015 09:43:12 -0800 +Subject: net_sched: make qdisc_tree_decrease_qlen() work for non mq + +From: Eric Dumazet + +[ Upstream commit 225734de70cd0a9e0b978f3583a4a87939271d5e ] + +Stas Nichiporovich reported a regression in his HFSC qdisc setup +on a non multi queue device. + +It turns out I mistakenly added a TCQ_F_NOPARENT flag on all qdisc +allocated in qdisc_create() for non multi queue devices, which was +rather buggy. I was clearly mislead by the TCQ_F_ONETXQUEUE that is +also set here for no good reason, since it only matters for the root +qdisc. + +Fixes: 4eaf3b84f288 ("net_sched: fix qdisc_tree_decrease_qlen() races") +Reported-by: Stas Nichiporovich +Tested-by: Stas Nichiporovich +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, str + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; ++ sch->flags |= TCQ_F_ONETXQUEUE; + } + + sch->handle = handle; diff --git a/queue-4.3/openvswitch-fix-helper-reference-leak.patch b/queue-4.3/openvswitch-fix-helper-reference-leak.patch new file mode 100644 index 00000000000..e62e82773c9 --- /dev/null +++ b/queue-4.3/openvswitch-fix-helper-reference-leak.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Joe Stringer +Date: Wed, 9 Dec 2015 14:07:39 -0800 +Subject: openvswitch: Fix helper reference leak + +From: Joe Stringer + +[ Upstream commit 2f3ab9f9fc23811188b9d07d86e4d99ffee887f4 ] + +If the actions (re)allocation fails, or the actions list is larger than the +maximum size, and the conntrack action is the last action when these +problems are hit, then references to helper modules may be leaked. Fix +the issue. + +Fixes: cae3a2627520 ("openvswitch: Allow attaching helpers to ct action") +Signed-off-by: Joe Stringer +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -53,6 +53,8 @@ struct ovs_conntrack_info { + struct md_labels labels; + }; + ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); ++ + static u16 key_to_nfproto(const struct sw_flow_key *key) + { + switch (ntohs(key->eth.type)) { +@@ -708,7 +710,7 @@ int ovs_ct_copy_action(struct net *net, + nf_conntrack_get(&ct_info.ct->ct_general); + return 0; + err_free_ct: +- nf_conntrack_free(ct_info.ct); ++ __ovs_ct_free_action(&ct_info); + return err; + } + +@@ -750,6 +752,11 @@ void ovs_ct_free_action(const struct nla + { + struct ovs_conntrack_info *ct_info = nla_data(a); + ++ __ovs_ct_free_action(ct_info); ++} ++ ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) ++{ + if (ct_info->helper) + module_put(ct_info->helper->me); + if (ct_info->ct) diff --git a/queue-4.3/openvswitch-respect-conntrack-zone-even-if-invalid.patch b/queue-4.3/openvswitch-respect-conntrack-zone-even-if-invalid.patch new file mode 100644 index 00000000000..3864ba47165 --- /dev/null +++ b/queue-4.3/openvswitch-respect-conntrack-zone-even-if-invalid.patch @@ -0,0 +1,60 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Joe Stringer +Date: Wed, 9 Dec 2015 14:07:40 -0800 +Subject: openvswitch: Respect conntrack zone even if invalid + +From: Joe Stringer + +[ Upstream commit d110986c5ddb1caf576e8576044c0c831e3e7fa4 ] + +If userspace executes ct(zone=1), and the connection tracker determines +that the packet is invalid, then the ct_zone flow key field is populated +with the default zone rather than the zone that was specified. Even +though connection tracking failed, this field should be updated with the +value that the action specified. Fix the issue. + +Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") +Signed-off-by: Joe Stringer +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -143,6 +143,7 @@ static void __ovs_ct_update_key(struct s + * previously sent the packet to conntrack via the ct action. + */ + static void ovs_ct_update_key(const struct sk_buff *skb, ++ const struct ovs_conntrack_info *info, + struct sw_flow_key *key, bool post_ct) + { + const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; +@@ -160,13 +161,15 @@ static void ovs_ct_update_key(const stru + zone = nf_ct_zone(ct); + } else if (post_ct) { + state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; ++ if (info) ++ zone = &info->zone; + } + __ovs_ct_update_key(key, state, zone, ct); + } + + void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) + { +- ovs_ct_update_key(skb, key, false); ++ ovs_ct_update_key(skb, NULL, key, false); + } + + int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) +@@ -420,7 +423,7 @@ static int __ovs_ct_lookup(struct net *n + } + } + +- ovs_ct_update_key(skb, key, true); ++ ovs_ct_update_key(skb, info, key, true); + + return 0; + } diff --git a/queue-4.3/phy-micrel-fix-finding-phy-properties-in-mac-node.patch b/queue-4.3/phy-micrel-fix-finding-phy-properties-in-mac-node.patch new file mode 100644 index 00000000000..c7306e7ecd4 --- /dev/null +++ b/queue-4.3/phy-micrel-fix-finding-phy-properties-in-mac-node.patch @@ -0,0 +1,54 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Andrew Lunn +Date: Wed, 9 Dec 2015 19:56:31 +0100 +Subject: phy: micrel: Fix finding PHY properties in MAC node. + +From: Andrew Lunn + +[ Upstream commit 651df2183543bc92f5dbcf99cd9e236ead0bc4c5 ] + +commit 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, +not the bus' parent.") changed the parenting of PHY devices, making +them a child of the MDIO bus, instead of the MAC device. This broken +the Micrel PHY driver which has a deprecated feature of allowing PHY +properties to be placed into the MAC node. + +In order to find the MAC node, we need to walk up the tree of devices +until we find one with an OF node attached. + +Reported-by: Dinh Nguyen +Suggested-by: David Daney +Acked-by: David Daney +Fixes: 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, not the bus' parent.") +Signed-off-by: Andrew Lunn +Tested-by: Dinh Nguyen +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct ph + { + const struct device *dev = &phydev->dev; + const struct device_node *of_node = dev->of_node; ++ const struct device *dev_walker; + +- if (!of_node && dev->parent->of_node) +- of_node = dev->parent->of_node; ++ /* The Micrel driver has a deprecated option to place phy OF ++ * properties in the MAC node. Walk up the tree of devices to ++ * find a device with an OF node. ++ */ ++ dev_walker = &phydev->dev; ++ do { ++ of_node = dev_walker->of_node; ++ dev_walker = dev_walker->parent; ++ ++ } while (!of_node && dev_walker); + + if (of_node) { + ksz9021_load_values_from_of(phydev, of_node, diff --git a/queue-4.3/pppoe-fix-memory-corruption-in-padt-work-structure.patch b/queue-4.3/pppoe-fix-memory-corruption-in-padt-work-structure.patch new file mode 100644 index 00000000000..71df5a1afec --- /dev/null +++ b/queue-4.3/pppoe-fix-memory-corruption-in-padt-work-structure.patch @@ -0,0 +1,90 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Guillaume Nault +Date: Thu, 3 Dec 2015 16:49:32 +0100 +Subject: pppoe: fix memory corruption in padt work structure + +From: Guillaume Nault + +[ Upstream commit fe53985aaac83d516b38358d4f39921d9942a0e2 ] + +pppoe_connect() mustn't touch the padt_work field of pppoe sockets +because that work could be already pending. + +[ 21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004 +[ 21.474523] IP: [] process_one_work+0x29/0x31c +[ 21.475164] *pde = 00000000 +[ 21.475513] Oops: 0000 [#1] SMP +[ 21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio +[ 21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1 +[ 21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 +[ 21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000 +[ 21.476168] EIP: 0060:[] EFLAGS: 00010046 CPU: 2 +[ 21.476168] EIP is at process_one_work+0x29/0x31c +[ 21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000 +[ 21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc +[ 21.484082] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +[ 21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690 +[ 21.484082] Stack: +[ 21.484082] 00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000 +[ 21.484082] 00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970 +[ 21.484082] f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74 +[ 21.484082] Call Trace: +[ 21.484082] [] ? _raw_spin_lock_irq+0x28/0x30 +[ 21.484082] [] worker_thread+0x1b1/0x244 +[ 21.484082] [] ? rescuer_thread+0x229/0x229 +[ 21.484082] [] ? rescuer_thread+0x229/0x229 +[ 21.484082] [] kthread+0x8f/0x94 +[ 21.484082] [] ? _raw_spin_unlock_irq+0x22/0x26 +[ 21.484082] [] ret_from_kernel_thread+0x21/0x38 +[ 21.484082] [] ? kthread_parkme+0x19/0x19 +[ 21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d +[ 21.496082] EIP: [] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc +[ 21.496082] CR2: 0000000000000004 +[ 21.496082] ---[ end trace e362cc9cf10dae89 ]--- + +Reported-by: Andrew +Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, + sk->sk_family = PF_PPPOX; + sk->sk_protocol = PX_PROTO_OE; + ++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, ++ pppoe_unbind_sock_work); ++ + return 0; + } + +@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket * + + lock_sock(sk); + +- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); +- + error = -EINVAL; + if (sp->sa_protocol != PX_PROTO_OE) + goto end; +@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket * + po->pppoe_dev = NULL; + } + +- memset(sk_pppox(po) + 1, 0, +- sizeof(struct pppox_sock) - sizeof(struct sock)); ++ po->pppoe_ifindex = 0; ++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); ++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); ++ memset(&po->chan, 0, sizeof(po->chan)); ++ po->next = NULL; ++ po->num = 0; ++ + sk->sk_state = PPPOX_NONE; + } + diff --git a/queue-4.3/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch b/queue-4.3/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch new file mode 100644 index 00000000000..fc9fef6ca3d --- /dev/null +++ b/queue-4.3/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: WANG Cong +Date: Mon, 14 Dec 2015 13:48:36 -0800 +Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect() + +From: WANG Cong + +[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ] + +Reported-by: Dmitry Vyukov +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pptp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + diff --git a/queue-4.3/r8152-fix-lockup-when-runtime-pm-is-enabled.patch b/queue-4.3/r8152-fix-lockup-when-runtime-pm-is-enabled.patch new file mode 100644 index 00000000000..0652f0981c4 --- /dev/null +++ b/queue-4.3/r8152-fix-lockup-when-runtime-pm-is-enabled.patch @@ -0,0 +1,86 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Peter Wu +Date: Tue, 8 Dec 2015 12:17:42 +0100 +Subject: r8152: fix lockup when runtime PM is enabled + +From: Peter Wu + +[ Upstream commit 90186af404ada5a47b875bf3c16d0b02bb023ea0 ] + +When an interface is brought up which was previously suspended (via +runtime PM), it would hang. This happens because napi_disable is called +before napi_enable. + +Solve this by avoiding napi_enable in the resume during open function +(netif_running is true when open is called, IFF_UP is set after a +successful open; netif_running is false when close is called, but IFF_UP +is then still set). + +While at it, remove WORK_ENABLE check from rtl8152_open (introduced with +the original change) because it cannot happen: + + - After this patch, runtime resume will not set it during rtl8152_open. + - When link is up, rtl8152_open is not called. + - When link is down during system/auto suspend/resume, it is not set. + +Fixes: 41cec84cf285 ("r8152: don't enable napi before rx ready") +Link: https://lkml.kernel.org/r/20151205105912.GA1766@al +Signed-off-by: Peter Wu +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 21 +++------------------ + 1 file changed, 3 insertions(+), 18 deletions(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_devic + + mutex_lock(&tp->control); + +- /* The WORK_ENABLE may be set when autoresume occurs */ +- if (test_bit(WORK_ENABLE, &tp->flags)) { +- clear_bit(WORK_ENABLE, &tp->flags); +- usb_kill_urb(tp->intr_urb); +- cancel_delayed_work_sync(&tp->schedule); +- +- /* disable the tx/rx, if the workqueue has enabled them. */ +- if (netif_carrier_ok(netdev)) +- tp->rtl_ops.disable(tp); +- } +- + tp->rtl_ops.up(tp); + + rtl8152_set_speed(tp, AUTONEG_ENABLE, +@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_devi + } else { + mutex_lock(&tp->control); + +- /* The autosuspend may have been enabled and wouldn't +- * be disable when autoresume occurs, because the +- * netif_running() would be false. +- */ +- rtl_runtime_suspend_enable(tp, false); +- + tp->rtl_ops.down(tp); + + mutex_unlock(&tp->control); +@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_int + netif_device_attach(tp->netdev); + } + +- if (netif_running(tp->netdev)) { ++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { + if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { + rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); +@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_int + } + usb_submit_urb(tp->intr_urb, GFP_KERNEL); + } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { ++ if (tp->netdev->flags & IFF_UP) ++ rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); + } + diff --git a/queue-4.3/rhashtable-enforce-minimum-size-on-initial-hash-table.patch b/queue-4.3/rhashtable-enforce-minimum-size-on-initial-hash-table.patch new file mode 100644 index 00000000000..d12825a0c45 --- /dev/null +++ b/queue-4.3/rhashtable-enforce-minimum-size-on-initial-hash-table.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Herbert Xu +Date: Wed, 16 Dec 2015 18:13:14 +0800 +Subject: rhashtable: Enforce minimum size on initial hash table + +From: Herbert Xu + +[ Upstream commit 3a324606bbabfc30084ce9d08169910773ba9a92 ] + +William Hua wrote: +> +> I wasn't aware there was an enforced minimum size. I simply set the +> nelem_hint in the rhastable_params struct to 1, expecting it to grow as +> needed. This caused a segfault afterwards when trying to insert an +> element. + +OK we're doing the size computation before we enforce the limit +on min_size. + +---8<--- +We need to do the initial hash table size computation after we +have obtained the correct min_size/max_size parameters. Otherwise +we may end up with a hash table whose size is outside the allowed +envelope. + +Fixes: a998f712f77e ("rhashtable: Round up/down min/max_size to...") +Reported-by: William Hua +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -723,9 +723,6 @@ int rhashtable_init(struct rhashtable *h + if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) + return -EINVAL; + +- if (params->nelem_hint) +- size = rounded_hashtable_size(params); +- + memset(ht, 0, sizeof(*ht)); + mutex_init(&ht->mutex); + spin_lock_init(&ht->lock); +@@ -745,6 +742,9 @@ int rhashtable_init(struct rhashtable *h + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + ++ if (params->nelem_hint) ++ size = rounded_hashtable_size(&ht->p); ++ + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). + * The value of 16 is selected so that even if the hash diff --git a/queue-4.3/rhashtable-fix-walker-list-corruption.patch b/queue-4.3/rhashtable-fix-walker-list-corruption.patch new file mode 100644 index 00000000000..d7e617163be --- /dev/null +++ b/queue-4.3/rhashtable-fix-walker-list-corruption.patch @@ -0,0 +1,79 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Herbert Xu +Date: Wed, 16 Dec 2015 16:45:54 +0800 +Subject: rhashtable: Fix walker list corruption + +From: Herbert Xu + +[ Upstream commit c6ff5268293ef98e48a99597e765ffc417e39fa5 ] + +The commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c ("rhashtable: +Fix sleeping inside RCU critical section in walk_stop") introduced +a new spinlock for the walker list. However, it did not convert +all existing users of the list over to the new spin lock. Some +continued to use the old mutext for this purpose. This obviously +led to corruption of the list. + +The fix is to use the spin lock everywhere where we touch the list. + +This also allows us to do rcu_rad_lock before we take the lock in +rhashtable_walk_start. With the old mutex this would've deadlocked +but it's safe with the new spin lock. + +Fixes: ba7c95ea3870 ("rhashtable: Fix sleeping inside RCU...") +Reported-by: Colin Ian King +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtab + if (!iter->walker) + return -ENOMEM; + +- mutex_lock(&ht->mutex); +- iter->walker->tbl = rht_dereference(ht->tbl, ht); ++ spin_lock(&ht->lock); ++ iter->walker->tbl = ++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); + list_add(&iter->walker->list, &iter->walker->tbl->walkers); +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + return 0; + } +@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); + */ + void rhashtable_walk_exit(struct rhashtable_iter *iter) + { +- mutex_lock(&iter->ht->mutex); ++ spin_lock(&iter->ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- mutex_unlock(&iter->ht->mutex); ++ spin_unlock(&iter->ht->lock); + kfree(iter->walker); + } + EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashta + { + struct rhashtable *ht = iter->ht; + +- mutex_lock(&ht->mutex); ++ rcu_read_lock(); + ++ spin_lock(&ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- +- rcu_read_lock(); +- +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + if (!iter->walker->tbl) { + iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); diff --git a/queue-4.3/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch b/queue-4.3/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch new file mode 100644 index 00000000000..9aee72e41da --- /dev/null +++ b/queue-4.3/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:05 -0200 +Subject: sctp: also copy sk_tsflags when copying the socket + +From: Marcelo Ricardo Leitner + +[ Upstream commit 50a5ffb1ef535e3c6989711c51b5d61b543a3b45 ] + +As we are keeping timestamps on when copying the socket, we also have to +copy sk_tsflags. + +This is needed since b9f40e21ef42 ("net-timestamp: move timestamp flags +out of sk_flags"). + +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, + newsk->sk_type = sk->sk_type; + newsk->sk_bound_dev_if = sk->sk_bound_dev_if; + newsk->sk_flags = sk->sk_flags; ++ newsk->sk_tsflags = sk->sk_tsflags; + newsk->sk_no_check_tx = sk->sk_no_check_tx; + newsk->sk_no_check_rx = sk->sk_no_check_rx; + newsk->sk_reuse = sk->sk_reuse; diff --git a/queue-4.3/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch b/queue-4.3/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch new file mode 100644 index 00000000000..2a2879b735c --- /dev/null +++ b/queue-4.3/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:04 -0200 +Subject: sctp: update the netstamp_needed counter when copying sockets + +From: Marcelo Ricardo Leitner + +[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ] + +Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy +related to disabling sock timestamp. + +When SCTP accepts an association or peel one off, it copies sock flags +but forgot to call net_enable_timestamp() if a packet timestamping flag +was copied, leading to extra calls to net_disable_timestamp() whenever +such clones were closed. + +The fix is to call net_enable_timestamp() whenever we copy a sock with +that flag on, like tcp does. + +Reported-by: Dmitry Vyukov +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 2 -- + net/sctp/socket.c | 3 +++ + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -724,6 +724,8 @@ enum sock_flags { + SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ + }; + ++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) ++ + static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) + { + nsk->sk_flags = osk->sk_flags; +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(co + } + } + +-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) +- + static void sock_disable_timestamp(struct sock *sk, unsigned long flags) + { + if (sk->sk_flags & flags) { +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7195,6 +7195,9 @@ void sctp_copy_sock(struct sock *newsk, + newinet->mc_ttl = 1; + newinet->mc_index = 0; + newinet->mc_list = NULL; ++ ++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) ++ net_enable_timestamp(); + } + + static inline void sctp_copy_descendant(struct sock *sk_to, diff --git a/queue-4.3/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch b/queue-4.3/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch new file mode 100644 index 00000000000..eba1c0759ee --- /dev/null +++ b/queue-4.3/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Marcelo Ricardo Leitner +Date: Fri, 4 Dec 2015 15:14:03 -0200 +Subject: sctp: use the same clock as if sock source timestamps were on + +From: Marcelo Ricardo Leitner + +[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ] + +SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for +detecting stale cookies. This cookie is echoed back to the server by the +client and then that timestamp is checked. + +Thing is, if the listening socket is using packet timestamping, the +cookie is encoded with ktime_get() value and checked against +ktime_get_real(), as done by __net_timestamp(). + +The fix is to sctp also use ktime_get_real(), so we can compare bananas +with bananas later no matter if packet timestamping was enabled or not. + +Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime") +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_co + + /* Set an expiration time for the cookie. */ + cookie->c.expiration = ktime_add(asoc->cookie_life, +- ktime_get()); ++ ktime_get_real()); + + /* Copy the peer's init packet. */ + memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, +@@ -1780,7 +1780,7 @@ no_hmac: + if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) + kt = skb_get_ktime(skb); + else +- kt = ktime_get(); ++ kt = ktime_get_real(); + + if (!asoc && ktime_before(bear_cookie->expiration, kt)) { + /* diff --git a/queue-4.3/series b/queue-4.3/series index 75bdc99045f..8c13a592942 100644 --- a/queue-4.3/series +++ b/queue-4.3/series @@ -17,3 +17,37 @@ usb-host-ohci-at91-fix-a-crash-in-ohci_hcd_at91_overcurrent_irq.patch usb-musb-usb_ti_cppi41_dma-requires-dmaengine-support.patch usb-core-hub-fix-bos-null-pointer-kernel-panic.patch usb-use-the-usb_ss_mult-macro-to-decode-burst-multiplier-for-log-message.patch +pppoe-fix-memory-corruption-in-padt-work-structure.patch +gre6-allow-to-update-all-parameters-via-rtnl.patch +atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch +ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch +vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch +sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch +sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch +sctp-also-copy-sk_tsflags-when-copying-the-socket.patch +net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch +net-qca_spi-fix-transmit-queue-timeout-handling.patch +r8152-fix-lockup-when-runtime-pm-is-enabled.patch +ipv6-sctp-clone-options-to-avoid-use-after-free.patch +phy-micrel-fix-finding-phy-properties-in-mac-node.patch +openvswitch-fix-helper-reference-leak.patch +openvswitch-respect-conntrack-zone-even-if-invalid.patch +uapi-export-ila.h.patch +net-add-validation-for-the-socket-syscall-protocol-argument.patch +sh_eth-fix-kernel-oops-in-skb_put.patch +net-fix-ip-early-demux-races.patch +pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch +vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch +skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch +net-check-both-type-and-procotol-for-tcp-sockets.patch +net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch +bluetooth-validate-socket-address-length-in-sco_sock_bind.patch +net-fix-uninitialized-variable-issue.patch +ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch +inet-tcp-fix-inetpeer_set_addr_v4.patch +rhashtable-enforce-minimum-size-on-initial-hash-table.patch +gianfar-don-t-enable-rx-filer-if-not-supported.patch +fou-clean-up-socket-with-kfree_rcu.patch +af_unix-revert-lock_interruptible-in-stream-receive-code.patch +tcp-restore-fastopen-with-no-data-in-syn-packet.patch +rhashtable-fix-walker-list-corruption.patch diff --git a/queue-4.3/sh_eth-fix-kernel-oops-in-skb_put.patch b/queue-4.3/sh_eth-fix-kernel-oops-in-skb_put.patch new file mode 100644 index 00000000000..7125216887a --- /dev/null +++ b/queue-4.3/sh_eth-fix-kernel-oops-in-skb_put.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Sergei Shtylyov +Date: Fri, 4 Dec 2015 01:45:40 +0300 +Subject: sh_eth: fix kernel oops in skb_put() + +From: Sergei Shtylyov + +[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ] + +In a low memory situation the following kernel oops occurs: + +Unable to handle kernel NULL pointer dereference at virtual address 00000050 +pgd = 8490c000 +[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 Not tainted (3.4-at16 #9) +PC is at skb_put+0x10/0x98 +LR is at sh_eth_poll+0x2c8/0xa10 +pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 +sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 +r10: 0000003f r9 : 000005ea r8 : 00000000 +r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 +r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c53c7d Table: 4248c059 DAC: 00000015 +Process klogd (pid: 2046, stack limit = 0x84eb02e8) +[...] + +This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left +NULL but sh_eth_rx() later uses it without checking. Add such check... + +Reported-by: Yasushi SHOJI +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device * + if (mdp->cd->shift_rd0) + desc_status >>= 16; + ++ skb = mdp->rx_skbuff[entry]; + if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | + RD_RFS5 | RD_RFS6 | RD_RFS10)) { + ndev->stats.rx_errors++; +@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device * + ndev->stats.rx_missed_errors++; + if (desc_status & RD_RFS10) + ndev->stats.rx_over_errors++; +- } else { ++ } else if (skb) { + if (!mdp->cd->hw_swap) + sh_eth_soft_swap( + phys_to_virt(ALIGN(rxdesc->addr, 4)), + pkt_len + 2); +- skb = mdp->rx_skbuff[entry]; + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); diff --git a/queue-4.3/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch b/queue-4.3/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch new file mode 100644 index 00000000000..cddf64032a9 --- /dev/null +++ b/queue-4.3/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Vlad Yasevich +Date: Mon, 14 Dec 2015 17:44:10 -0500 +Subject: skbuff: Fix offset error in skb_reorder_vlan_header + +From: Vlad Yasevich + +[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ] + +skb_reorder_vlan_header is called after the vlan header has +been pulled. As a result the offset of the begining of +the mac header has been incrased by 4 bytes (VLAN_HLEN). +When moving the mac addresses, include this incrase in +the offset calcualation so that the mac addresses are +copied correctly. + +Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off) +CC: Nicolas Dichtel +CC: Patrick McHardy +Signed-off-by: Vladislav Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4268,7 +4268,7 @@ static struct sk_buff *skb_reorder_vlan_ + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, + 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; diff --git a/queue-4.3/tcp-restore-fastopen-with-no-data-in-syn-packet.patch b/queue-4.3/tcp-restore-fastopen-with-no-data-in-syn-packet.patch new file mode 100644 index 00000000000..bfa9bcf2e9e --- /dev/null +++ b/queue-4.3/tcp-restore-fastopen-with-no-data-in-syn-packet.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Eric Dumazet +Date: Wed, 16 Dec 2015 13:53:10 -0800 +Subject: tcp: restore fastopen with no data in SYN packet + +From: Eric Dumazet + +[ Upstream commit 07e100f984975cb0417a7d5e626d0409efbad478 ] + +Yuchung tracked a regression caused by commit 57be5bdad759 ("ip: convert +tcp_sendmsg() to iov_iter primitives") for TCP Fast Open. + +Some Fast Open users do not actually add any data in the SYN packet. + +Fixes: 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives") +Reported-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Cc: Al Viro +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, err = 0, copied; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; + struct sk_buff *syn_data; + +@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); +- copied = copy_from_iter(skb_put(syn_data, space), space, +- &fo->data->msg_iter); +- if (unlikely(!copied)) { +- kfree_skb(syn_data); +- goto fallback; +- } +- if (copied != space) { +- skb_trim(syn_data, copied); +- space = copied; ++ if (space) { ++ int copied = copy_from_iter(skb_put(syn_data, space), space, ++ &fo->data->msg_iter); ++ if (unlikely(!copied)) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } ++ if (copied != space) { ++ skb_trim(syn_data, copied); ++ space = copied; ++ } + } +- + /* No more data pending in inet_wait_for_connect() */ + if (space == fo->size) + fo->data = NULL; diff --git a/queue-4.3/uapi-export-ila.h.patch b/queue-4.3/uapi-export-ila.h.patch new file mode 100644 index 00000000000..7f8bb498441 --- /dev/null +++ b/queue-4.3/uapi-export-ila.h.patch @@ -0,0 +1,29 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: stephen hemminger +Date: Thu, 10 Dec 2015 09:14:20 -0800 +Subject: uapi: export ila.h + +From: stephen hemminger + +[ Upstream commit f7fc6bc414121954c45c5f18b70e2a8717d0d5b4 ] + +The file ila.h used for lightweight tunnels is being used by iproute2 +but is not exported yet. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/uapi/linux/Kbuild ++++ b/include/uapi/linux/Kbuild +@@ -186,6 +186,7 @@ header-y += if_tunnel.h + header-y += if_vlan.h + header-y += if_x25.h + header-y += igmp.h ++header-y += ila.h + header-y += in6.h + header-y += inet_diag.h + header-y += in.h diff --git a/queue-4.3/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch b/queue-4.3/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch new file mode 100644 index 00000000000..6947bc6b734 --- /dev/null +++ b/queue-4.3/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Vlad Yasevich +Date: Mon, 16 Nov 2015 15:43:44 -0500 +Subject: vlan: Fix untag operations of stacked vlans with REORDER_HEADER off + +From: Vlad Yasevich + +[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ] + +When we have multiple stacked vlan devices all of which have +turned off REORDER_HEADER flag, the untag operation does not +locate the ethernet addresses correctly for nested vlans. +The reason is that in case of REORDER_HEADER flag being off, +the outer vlan headers are put back and the mac_len is adjusted +to account for the presense of the header. Then, the subsequent +untag operation, for the next level vlan, always use VLAN_ETH_HLEN +to locate the begining of the ethernet header and that ends up +being a multiple of 4 bytes short of the actuall beginning +of the mac header (the multiple depending on the how many vlan +encapsulations ethere are). + +As a reslult, if there are multiple levles of vlan devices +with REODER_HEADER being off, the recevied packets end up +being dropped. + +To solve this, we use skb->mac_len as the offset. The value +is always set on receive path and starts out as a ETH_HLEN. +The value is also updated when the vlan header manupations occur +so we know it will be correct. + +Signed-off-by: Vladislav Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4268,7 +4268,8 @@ static struct sk_buff *skb_reorder_vlan_ + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.3/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch b/queue-4.3/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch new file mode 100644 index 00000000000..5268231ec36 --- /dev/null +++ b/queue-4.3/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Dec 30 19:48:47 PST 2015 +From: Jiri Benc +Date: Fri, 4 Dec 2015 13:54:03 +0100 +Subject: vxlan: fix incorrect RCO bit in VXLAN header + +From: Jiri Benc + +[ Upstream commit c5fb8caaf91ea6a92920cf24db10cfc94d58de0f ] + +Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of +VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's +also in violation with the RFC draft. + +Fixes: 3511494ce2f3d ("vxlan: Group Policy extension") +Cc: Thomas Graf +Cc: Tom Herbert +Signed-off-by: Jiri Benc +Acked-by: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/vxlan.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -79,7 +79,7 @@ struct vxlanhdr { + }; + + /* VXLAN header flags. */ +-#define VXLAN_HF_RCO BIT(24) ++#define VXLAN_HF_RCO BIT(21) + #define VXLAN_HF_VNI BIT(27) + #define VXLAN_HF_GBP BIT(31) + -- 2.47.3