From dbd0e9f1570cd6edfbaa016f3a59b9d34476c307 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 16 May 2016 14:49:11 -0700 Subject: [PATCH] 3.14-stable patches added patches: arm-omap3-fix-booting-with-thumb2-kernel.patch atl2-disable-unimplemented-scatter-gather-feature.patch decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch net-fix-a-kernel-infoleak-in-x25-module.patch net-fix-infoleak-in-llc.patch net-fix-infoleak-in-rtnetlink.patch packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch --- ...omap3-fix-booting-with-thumb2-kernel.patch | 91 +++++++++++++++++++ ...unimplemented-scatter-gather-feature.patch | 43 +++++++++ ...-devices-without-decnet-private-data.patch | 56 ++++++++++++ ...x-old-ioctl-unlocked-net-device-walk.patch | 71 +++++++++++++++ ...-fix-a-kernel-infoleak-in-x25-module.patch | 35 +++++++ queue-3.14/net-fix-infoleak-in-llc.patch | 35 +++++++ .../net-fix-infoleak-in-rtnetlink.patch | 53 +++++++++++ ...cket_diag_mclist-sock_diag-interface.patch | 39 ++++++++ ...-route-info-on-local-routes-with-oif.patch | 62 +++++++++++++ queue-3.14/series | 10 ++ ...ket-when-peer-has-shutdown-send-only.patch | 69 ++++++++++++++ 11 files changed, 564 insertions(+) create mode 100644 queue-3.14/arm-omap3-fix-booting-with-thumb2-kernel.patch create mode 100644 queue-3.14/atl2-disable-unimplemented-scatter-gather-feature.patch create mode 100644 queue-3.14/decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch create mode 100644 queue-3.14/net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch create mode 100644 queue-3.14/net-fix-a-kernel-infoleak-in-x25-module.patch create mode 100644 queue-3.14/net-fix-infoleak-in-llc.patch create mode 100644 queue-3.14/net-fix-infoleak-in-rtnetlink.patch create mode 100644 
queue-3.14/packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch create mode 100644 queue-3.14/route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch create mode 100644 queue-3.14/vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch diff --git a/queue-3.14/arm-omap3-fix-booting-with-thumb2-kernel.patch b/queue-3.14/arm-omap3-fix-booting-with-thumb2-kernel.patch new file mode 100644 index 00000000000..db125fe6c65 --- /dev/null +++ b/queue-3.14/arm-omap3-fix-booting-with-thumb2-kernel.patch 
@@ -0,0 +1,91 @@ +From d8a50941c91a68da202aaa96a3dacd471ea9c693 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 28 May 2015 07:22:08 -0700 +Subject: ARM: OMAP3: Fix booting with thumb2 kernel + +From: Tony Lindgren + +commit d8a50941c91a68da202aaa96a3dacd471ea9c693 upstream. + +We get a NULL pointer dereference on omap3 for thumb2 compiled kernels: + +Internal error: Oops: 80000005 [#1] SMP THUMB2 +... +[] (_raw_spin_unlock_irqrestore) from [] +(omap3_enter_idle_bm+0xc5/0x178) +[] (omap3_enter_idle_bm) from [] +(cpuidle_enter_state+0x77/0x27c) +[] (cpuidle_enter_state) from [] +(cpu_startup_entry+0x155/0x23c) +[] (cpu_startup_entry) from [] +(start_kernel+0x32f/0x338) +[] (start_kernel) from [<8000807f>] (0x8000807f) + +The power management related assembly on omaps needs to interact with +ARM mode bootrom code, so we need to keep most of the related assembly +in ARM mode. + +Turns out this error is because of missing ENDPROC for assembly code +as suggested by Stephen Boyd . Let's fix the +problem by adding ENDPROC in two places to sleep34xx.S. + +Let's also remove the now duplicate custom code for mode switching. +This has been unnecessary since commit 6ebbf2ce437b ("ARM: convert +all "mov.* pc, reg" to "bx reg" for ARMv6+"). + +And let's also remove the comments about local variables, they are +now just confusing after the ENDPROC. 
+ +The reason why ENDPROC makes a difference is it sets .type and then +the compiler knows what to do with the thumb bit as explained at: + +https://wiki.ubuntu.com/ARM/Thumb2PortingHowto + +Reported-by: Kevin Hilman +Tested-by: Kevin Hilman +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/sleep34xx.S | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/arch/arm/mach-omap2/sleep34xx.S ++++ b/arch/arm/mach-omap2/sleep34xx.S +@@ -203,23 +203,8 @@ save_context_wfi: + */ + ldr r1, kernel_flush + blx r1 +- /* +- * The kernel doesn't interwork: v7_flush_dcache_all in particluar will +- * always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled. +- * This sequence switches back to ARM. Note that .align may insert a +- * nop: bx pc needs to be word-aligned in order to work. +- */ +- THUMB( .thumb ) +- THUMB( .align ) +- THUMB( bx pc ) +- THUMB( nop ) +- .arm +- + b omap3_do_wfi +- +-/* +- * Local variables +- */ ++ENDPROC(omap34xx_cpu_suspend) + omap3_do_wfi_sram_addr: + .word omap3_do_wfi_sram + kernel_flush: +@@ -364,10 +349,7 @@ exit_nonoff_modes: + * =================================== + */ + ldmfd sp!, {r4 - r11, pc} @ restore regs and return +- +-/* +- * Local variables +- */ ++ENDPROC(omap3_do_wfi) + sdrc_power: + .word SDRC_POWER_V + cm_idlest1_core: diff --git a/queue-3.14/atl2-disable-unimplemented-scatter-gather-feature.patch b/queue-3.14/atl2-disable-unimplemented-scatter-gather-feature.patch new file mode 100644 index 00000000000..7c9ed0463bb --- /dev/null +++ b/queue-3.14/atl2-disable-unimplemented-scatter-gather-feature.patch 
@@ -0,0 +1,43 @@
+From foo@baz Mon May 16 14:28:53 PDT 2016
+From: Ben Hutchings
+Date: Wed, 20 Apr 2016 23:23:08 +0100
+Subject: atl2: Disable unimplemented scatter/gather feature
+Status: RO
+Content-Length: 1547
+Lines: 37
+
+From: Ben Hutchings
+
+[ Upstream commit f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 ]
+
+atl2 includes NETIF_F_SG in hw_features even though it has no support
+for non-linear skbs. This bug was originally harmless since the
+driver does not claim to implement checksum offload and that used to
+be a requirement for SG.
+
+Now that SG and checksum offload are independent features, if you
+explicitly enable SG *and* use one of the rare protocols that can use
+SG without checkusm offload, this potentially leaks sensitive
+information (before you notice that it just isn't working). Therefore
+this obscure bug has been designated CVE-2016-2117.
+
+Reported-by: Justin Yackoski
+Signed-off-by: Ben Hutchings
+Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1413,7 +1413,7 @@ static int atl2_probe(struct pci_dev *pd
+
+ err = -EIO;
+
+- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX;
++ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX;
+ netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX);
+
+ /* Init PHY as early as possible due to power saving issue */
diff --git a/queue-3.14/decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch b/queue-3.14/decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch
new file mode 100644
index 00000000000..d6244c3a89f
--- /dev/null
+++ b/queue-3.14/decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch
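Review bot: Nothing at the `netdev->hw_features` assignment in atl2_probe() records why NETIF_F_SG is absent, so a later feature cleanup could re-advertise it. The commit message ties the flag to an information leak (CVE-2016-2117) because the driver has no support for non-linear skbs; a one-line comment above the assignment would keep that visible, e.g. `/* No NETIF_F_SG: the driver has no support for non-linear skbs (CVE-2016-2117) */`. atl2_probe() starts and ends outside the hunk, so whether SG is enabled through another assignment cannot be checked from here.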
@@ -0,0 +1,56 @@
+From foo@baz Mon May 16 14:28:52 PDT 2016
+From: "David S. Miller"
+Date: Sun, 10 Apr 2016 23:01:30 -0400
+Subject: decnet: Do not build routes to devices without decnet private data.
+Status: RO
+Content-Length: 1298
+Lines: 50
+
+From: "David S. Miller"
+
+[ Upstream commit a36a0d4008488fa545c74445d69eaf56377d5d4e ]
+
+In particular, make sure we check for decnet private presence
+for loopback devices.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/decnet/dn_route.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/dn_route.c
++++ b/net/decnet/dn_route.c
+@@ -1030,10 +1030,13 @@ source_ok:
+ if (!fld.daddr) {
+ fld.daddr = fld.saddr;
+
+- err = -EADDRNOTAVAIL;
+ if (dev_out)
+ dev_put(dev_out);
++ err = -EINVAL;
+ dev_out = init_net.loopback_dev;
++ if (!dev_out->dn_ptr)
++ goto out;
++ err = -EADDRNOTAVAIL;
+ dev_hold(dev_out);
+ if (!fld.daddr) {
+ fld.daddr =
+@@ -1106,6 +1109,8 @@ source_ok:
+ if (dev_out == NULL)
+ goto out;
+ dn_db = rcu_dereference_raw(dev_out->dn_ptr);
++ if (!dn_db)
++ goto e_inval;
+ /* Possible improvement - check all devices for local addr */
+ if (dn_dev_islocal(dev_out, fld.daddr)) {
+ dev_put(dev_out);
+@@ -1147,6 +1152,8 @@ select_source:
+ dev_put(dev_out);
+ dev_out = init_net.loopback_dev;
+ dev_hold(dev_out);
++ if (!dev_out->dn_ptr)
++ goto e_inval;
+ fld.flowidn_oif = dev_out->ifindex;
+ if (res.fi)
+ dn_fib_info_put(res.fi);
diff --git a/queue-3.14/net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch b/queue-3.14/net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch
new file mode 100644
index 00000000000..e2dfd5be2fb
--- /dev/null
+++ b/queue-3.14/net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch
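Review bot: The two added loopback checks read `dev_out->dn_ptr` directly, while the third added check in the same patch tests the value returned by `rcu_dereference_raw(dev_out->dn_ptr)`; if dn_ptr is an RCU-managed pointer, as that accessor suggests, the bare NULL tests would be more consistent as `if (!rcu_access_pointer(dev_out->dn_ptr))`. The checks also sit on different sides of the reference count: at source_ok the test runs before `dev_hold(dev_out)` and leaves through `out`, whereas at select_source it runs after `dev_hold(dev_out)` and leaves through `e_inval`. Both labels are outside the hunks, so the balance cannot be confirmed from here. If `out` does not drop a reference, a comment at the first site such as `/* loopback not held yet, so exit via out rather than e_inval */` would mark the asymmetry as deliberate.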
@@ -0,0 +1,71 @@ +From foo@baz Mon May 16 14:28:53 PDT 2016 +From: Nikolay Aleksandrov +Date: Wed, 4 May 2016 16:18:45 +0200 +Subject: net: bridge: fix old ioctl unlocked net device walk +Status: RO +Content-Length: 2234 +Lines: 65 + +From: Nikolay Aleksandrov + +[ Upstream commit 31ca0458a61a502adb7ed192bf9716c6d05791a5 ] + +get_bridge_ifindices() is used from the old "deviceless" bridge ioctl +calls which aren't called with rtnl held. The comment above says that it is +called with rtnl but that is not really the case. +Here's a sample output from a test ASSERT_RTNL() which I put in +get_bridge_ifindices and executed "brctl show": +[ 957.422726] RTNL: assertion failed at net/bridge//br_ioctl.c (30) +[ 957.422925] CPU: 0 PID: 1862 Comm: brctl Tainted: G W O +4.6.0-rc4+ #157 +[ 957.423009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS 1.8.1-20150318_183358- 04/01/2014 +[ 957.423009] 0000000000000000 ffff880058adfdf0 ffffffff8138dec5 +0000000000000400 +[ 957.423009] ffffffff81ce8380 ffff880058adfe58 ffffffffa05ead32 +0000000000000001 +[ 957.423009] 00007ffec1a444b0 0000000000000400 ffff880053c19130 +0000000000008940 +[ 957.423009] Call Trace: +[ 957.423009] [] dump_stack+0x85/0xc0 +[ 957.423009] [] +br_ioctl_deviceless_stub+0x212/0x2e0 [bridge] +[ 957.423009] [] sock_ioctl+0x22b/0x290 +[ 957.423009] [] do_vfs_ioctl+0x95/0x700 +[ 957.423009] [] SyS_ioctl+0x79/0x90 +[ 957.423009] [] entry_SYSCALL_64_fastpath+0x23/0xc1 + +Since it only reads bridge ifindices, we can use rcu to safely walk the net +device list. Also remove the wrong rtnl comment above. + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_ioctl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_ioctl.c ++++ b/net/bridge/br_ioctl.c +@@ -21,18 +21,19 @@ + #include + #include "br_private.h" + +-/* called with RTNL */ + static int get_bridge_ifindices(struct net *net, int *indices, int num) + { + struct net_device *dev; + int i = 0; + +- for_each_netdev(net, dev) { ++ rcu_read_lock(); ++ for_each_netdev_rcu(net, dev) { + if (i >= num) + break; + if (dev->priv_flags & IFF_EBRIDGE) + indices[i++] = dev->ifindex; + } ++ rcu_read_unlock(); + + return i; + } diff --git a/queue-3.14/net-fix-a-kernel-infoleak-in-x25-module.patch b/queue-3.14/net-fix-a-kernel-infoleak-in-x25-module.patch new file mode 100644 index 00000000000..8d778e7a689 --- /dev/null +++ b/queue-3.14/net-fix-a-kernel-infoleak-in-x25-module.patch @@ -0,0 +1,35 @@ +From foo@baz Mon May 16 14:28:53 PDT 2016 +From: Kangjie Lu +Date: Sun, 8 May 2016 12:10:14 -0400 +Subject: net: fix a kernel infoleak in x25 module +Status: RO +Content-Length: 949 +Lines: 29 + +From: Kangjie Lu + +[ Upstream commit 79e48650320e6fba48369fccf13fd045315b19b8 ] + +Stack object "dte_facilities" is allocated in x25_rx_call_request(), +which is supposed to be initialized in x25_negotiate_facilities. +However, 5 fields (8 bytes in total) are not initialized. This +object is then copied to userland via copy_to_user, thus infoleak +occurs. + +Signed-off-by: Kangjie Lu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/x25/x25_facilities.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/x25/x25_facilities.c ++++ b/net/x25/x25_facilities.c +@@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_b + + memset(&theirs, 0, sizeof(theirs)); + memcpy(new, ours, sizeof(*new)); ++ memset(dte, 0, sizeof(*dte)); + + len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); + if (len < 0) 
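Review bot: The removed `/* called with RTNL */` comment leaves get_bridge_ifindices() with no statement of its locking contract. Since the function now takes `rcu_read_lock()` itself around `for_each_netdev_rcu()`, a replacement such as `/* Takes rcu_read_lock() itself; callers need not hold RTNL. */` would document what the commit message establishes. The returned indices are presumably a snapshot that can go stale once the read-side section ends, which may be worth one more sentence in that comment.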
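Review bot: The added `memset(dte, 0, sizeof(*dte));` in x25_negotiate_facilities() carries no comment saying why it must stay, and the same holds for `memset(&info, 0, sizeof(info));` in llc_cmsg_rcv() and `memset(&map, 0, sizeof(map));` in rtnl_fill_ifinfo() in the later patches of this series. In each case the commit message says the structure leaves the kernel with fields or padding bytes unset, so the memset is a disclosure fix rather than tidy-up; a comment such as `/* zero the whole struct first: padding and unset fields are copied out as-is */` at each site would say so. This matters most in rtnl_fill_ifinfo(), where the memset replaces a designated initializer that a later cleanup could be tempted to restore. All three functions extend beyond their hunks.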
diff --git a/queue-3.14/net-fix-infoleak-in-llc.patch b/queue-3.14/net-fix-infoleak-in-llc.patch
new file mode 100644
index 00000000000..14e785d742e
--- /dev/null
+++ b/queue-3.14/net-fix-infoleak-in-llc.patch
@@ -0,0 +1,35 @@
+From foo@baz Mon May 16 14:28:53 PDT 2016
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:35:05 -0400
+Subject: net: fix infoleak in llc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 829
+Lines: 26
+
+From: Kangjie Lu
+
+[ Upstream commit b8670c09f37bdf2847cc44f36511a53afc6161fd ]
+
+The stack object “info” has a total size of 12 bytes. Its last byte
+is padding which is not initialized and leaked via “put_cmsg”.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *
+ if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
+ struct llc_pktinfo info;
+
++ memset(&info, 0, sizeof(info));
+ info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
+ llc_pdu_decode_dsap(skb, &info.lpi_sap);
+ llc_pdu_decode_da(skb, info.lpi_mac);
diff --git a/queue-3.14/net-fix-infoleak-in-rtnetlink.patch b/queue-3.14/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 00000000000..5b96eab4eaf
--- /dev/null
+++ b/queue-3.14/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,53 @@
+From foo@baz Mon May 16 14:28:53 PDT 2016
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 1317
+Lines: 44
+
+From: Kangjie Lu
+
+[ Upstream commit 5f8e44741f9f216e33736ea4ec65ca9ac03036e6 ]
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1010,14 +1010,16 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ goto nla_put_failure;
+
+ if (1) {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ goto nla_put_failure;
+ }
diff --git a/queue-3.14/packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch b/queue-3.14/packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch
new file mode 100644
index 00000000000..4194fb0af36
--- /dev/null
+++ b/queue-3.14/packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch
@@ -0,0 +1,39 @@
+From foo@baz Mon May 16 14:28:53 PDT 2016
+From: Mathias Krause
+Date: Sun, 10 Apr 2016 12:52:28 +0200
+Subject: packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
+Status: RO
+Content-Length: 1163
+Lines: 33
+
+From: Mathias Krause
+
+[ Upstream commit 309cf37fe2a781279b7675d4bb7173198e532867 ]
+
+Because we miss to wipe the remainder of i->addr[] in packet_mc_add(),
+pdiag_put_mclist() leaks uninitialized heap bytes via the
+PACKET_DIAG_MCLIST netlink attribute.
+
+Fix this by explicitly memset(0)ing the remaining bytes in i->addr[].
+
+Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
+Signed-off-by: Mathias Krause
+Cc: Eric W. Biederman
+Cc: Pavel Emelyanov
+Acked-by: Pavel Emelyanov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3153,6 +3153,7 @@ static int packet_mc_add(struct sock *sk
+ i->ifindex = mreq->mr_ifindex;
+ i->alen = mreq->mr_alen;
+ memcpy(i->addr, mreq->mr_address, i->alen);
++ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen);
+ i->count = 1;
+ i->next = po->mclist;
+ po->mclist = i;
diff --git a/queue-3.14/route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch b/queue-3.14/route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch
new file mode 100644
index 00000000000..30f327c48a6
--- /dev/null
+++ b/queue-3.14/route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch
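Review bot: The length of the added memset, `sizeof(i->addr) - i->alen`, wraps to a very large value if `i->alen` ever exceeds `sizeof(i->addr)`, and `i->alen` is taken from `mreq->mr_alen` two lines above. No bound on `mr_alen` is visible in this hunk; packet_mc_add() begins outside it, so the check may well exist earlier in the function or in its caller. If it does, stating the invariant next to the memcpy would help, e.g. `/* mr_alen was bounded earlier, so alen <= sizeof(i->addr) */`. If it does not, the memcpy on the preceding context line already needs that guard.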
@@ -0,0 +1,62 @@ +From foo@baz Mon May 16 14:28:52 PDT 2016 +From: Chris Friesen +Date: Fri, 8 Apr 2016 15:21:30 -0600 +Subject: route: do not cache fib route info on local routes with oif +Status: RO +Content-Length: 2273 +Lines: 56 + +From: Chris Friesen + +[ Upstream commit d6d5e999e5df67f8ec20b6be45e2229455ee3699 ] + +For local routes that require a particular output interface we do not want +to cache the result. Caching the result causes incorrect behaviour when +there are multiple source addresses on the interface. The end result +being that if the intended recipient is waiting on that interface for the +packet he won't receive it because it will be delivered on the loopback +interface and the IP_PKTINFO ipi_ifindex will be set to the loopback +interface as well. + +This can be tested by running a program such as "dhcp_release" which +attempts to inject a packet on a particular interface so that it is +received by another program on the same board. The receiving process +should see an IP_PKTINFO ipi_ifndex value of the source interface +(e.g., eth1) instead of the loopback interface (e.g., lo). The packet +will still appear on the loopback interface in tcpdump but the important +aspect is that the CMSG info is correct. + +Sample dhcp_release command line: + + dhcp_release eth1 192.168.204.222 02:11:33:22:44:66 + +Signed-off-by: Allain Legacy +Signed off-by: Chris Friesen +Reviewed-by: Julian Anastasov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1926,6 +1926,18 @@ static struct rtable *__mkroute_output(c + */ + if (fi && res->prefixlen < 4) + fi = NULL; ++ } else if ((type == RTN_LOCAL) && (orig_oif != 0) && ++ (orig_oif != dev_out->ifindex)) { ++ /* For local routes that require a particular output interface ++ * we do not want to cache the result. 
Caching the result ++ * causes incorrect behaviour when there are multiple source ++ * addresses on the interface, the end result being that if the ++ * intended recipient is waiting on that interface for the ++ * packet he won't receive it because it will be delivered on ++ * the loopback interface and the IP_PKTINFO ipi_ifindex will ++ * be set to the loopback interface as well. ++ */ ++ fi = NULL; + } + + fnhe = NULL; diff --git a/queue-3.14/series b/queue-3.14/series index 58885017bd4..c54dba4a7aa 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -4,3 +4,13 @@ input-max8997-haptic-fix-null-pointer-dereference.patch asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch drm-radeon-fix-pll-sharing-on-dce6.1-v2.patch drm-i915-bail-out-of-pipe-config-compute-loop-on-lpt.patch +arm-omap3-fix-booting-with-thumb2-kernel.patch +decnet-do-not-build-routes-to-devices-without-decnet-private-data.patch +route-do-not-cache-fib-route-info-on-local-routes-with-oif.patch +packet-fix-heap-info-leak-in-packet_diag_mclist-sock_diag-interface.patch +atl2-disable-unimplemented-scatter-gather-feature.patch +net-fix-infoleak-in-llc.patch +net-fix-infoleak-in-rtnetlink.patch +vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch +net-bridge-fix-old-ioctl-unlocked-net-device-walk.patch +net-fix-a-kernel-infoleak-in-x25-module.patch diff --git a/queue-3.14/vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch b/queue-3.14/vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch new file mode 100644 index 00000000000..b25a5d2a188 --- /dev/null +++ b/queue-3.14/vsock-do-not-disconnect-socket-when-peer-has-shutdown-send-only.patch 
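Review bot: The block comment added in __mkroute_output() repeats the commit message's description of the symptom but never says what the condition itself tests, namely that an output interface was requested (`orig_oif != 0`) and differs from `dev_out->ifindex`. One leading sentence such as `/* Local route, but the caller asked for an oif other than dev_out: do not cache. */` would let a reader match the comment to the code. The parentheses around each comparison in the `else if` are also redundant under the usual kernel style. The function starts and ends outside the hunk, so how `dev_out` was chosen is not visible here.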
@@ -0,0 +1,69 @@ +From foo@baz Mon May 16 14:28:53 PDT 2016 +From: Ian Campbell +Date: Wed, 4 May 2016 14:21:53 +0100 +Subject: VSOCK: do not disconnect socket when peer has shutdown SEND only +Status: RO +Content-Length: 2059 +Lines: 63 + +From: Ian Campbell + +[ Upstream commit dedc58e067d8c379a15a8a183c5db318201295bb ] + +The peer may be expecting a reply having sent a request and then done a +shutdown(SHUT_WR), so tearing down the whole socket at this point seems +wrong and breaks for me with a client which does a SHUT_WR. + +Looking at other socket family's stream_recvmsg callbacks doing a shutdown +here does not seem to be the norm and removing it does not seem to have +had any adverse effects that I can see. + +I'm using Stefan's RFC virtio transport patches, I'm unsure of the impact +on the vmci transport. + +Signed-off-by: Ian Campbell +Cc: "David S. Miller" +Cc: Stefan Hajnoczi +Cc: Claudio Imbrenda +Cc: Andy King +Cc: Dmitry Torokhov +Cc: Jorgen Hansen +Cc: Adit Ranadive +Cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 21 +-------------------- + 1 file changed, 1 insertion(+), 20 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1796,27 +1796,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb + else if (sk->sk_shutdown & RCV_SHUTDOWN) + err = 0; + +- if (copied > 0) { +- /* We only do these additional bookkeeping/notification steps +- * if we actually copied something out of the queue pair +- * instead of just peeking ahead. +- */ +- +- if (!(flags & MSG_PEEK)) { +- /* If the other side has shutdown for sending and there +- * is nothing more to read, then modify the socket +- * state. 
+- */ +- if (vsk->peer_shutdown & SEND_SHUTDOWN) { +- if (vsock_stream_has_data(vsk) <= 0) { +- sk->sk_state = SS_UNCONNECTED; +- sock_set_flag(sk, SOCK_DONE); +- sk->sk_state_change(sk); +- } +- } +- } ++ if (copied > 0) + err = copied; +- } + + out_wait: + finish_wait(sk_sleep(sk), &wait); -- 2.47.2