From e7bf6196e7b84fb038ecf44d0c0e041d421d1f8f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 26 Jul 2014 10:21:09 -0700 Subject: [PATCH] 3.15-stable patches added patches: 8021q-fix-a-potential-memory-leak.patch appletalk-fix-socket-referencing-in-skb.patch be2net-set-eq-db-clear-intr-bit-in-be_open.patch bnx2x-fix-possible-panic-under-memory-stress.patch bonding-fix-ad_select-module-param-check.patch dns_resolver-assure-that-dns_query-result-is-null-terminated.patch dns_resolver-null-terminate-the-right-string.patch drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch igmp-fix-the-problem-when-mc-leave-group.patch ip_tunnel-fix-ip_tunnel_lookup.patch ipv4-fix-buffer-overflow-in-ip_options_compile.patch ipv4-fix-dst-race-in-sk_dst_get.patch ipv4-icmp-fix-pmtu-handling-for-rare-case.patch ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch net-filter-fix-upper-bpf-instruction-limit.patch net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch net-fix-sparse-warning-in-sk_dst_set.patch net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch net-huawei_cdc_ncm-add-subclass-3-devices.patch net-huawei_cdc_ncm-increase-command-buffer-size.patch net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch net-mvneta-fix-operation-in-10-mbit-s-mode.patch net-ppp-don-t-call-sk_chk_filter-twice.patch net-ppp-fix-creating-ppp-pass-and-active-filters.patch net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch net-sctp-fix-information-leaks-in-ulpevent-layer.patch net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch netlink-fix-handling-of-error-from-netlink_dump.patch r8152-fix-r8152_csum_workaround-function.patch slcan-port-write_wakeup-deadlock-fix-from-slip.patch slip-fix-deadlock-in-write_wakeup.patch sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch tcp-fix-false-undo-corner-cases.patch tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch vlan-free-percpu-stats-in-device-destructor.patch xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch xen-netback-fix-releasing-header-slot-on-error-path.patch --- .../8021q-fix-a-potential-memory-leak.patch | 36 +++ ...letalk-fix-socket-referencing-in-skb.patch | 44 +++ ...-set-eq-db-clear-intr-bit-in-be_open.patch | 34 +++ ...x-possible-panic-under-memory-stress.patch | 37 +++ ...ing-fix-ad_select-module-param-check.patch | 39 +++ ...-dns_query-result-is-null-terminated.patch | 35 +++ ...lver-null-terminate-the-right-string.patch | 31 +++ ...-stall-when-connected-to-same-switch.patch | 47 ++++ ...-fix-the-problem-when-mc-leave-group.patch | 84 ++++++ .../ip_tunnel-fix-ip_tunnel_lookup.patch | 95 +++++++ ...uffer-overflow-in-ip_options_compile.patch | 82 ++++++ .../ipv4-fix-dst-race-in-sk_dst_get.patch | 114 ++++++++ ...icmp-fix-pmtu-handling-for-rare-case.patch | 60 ++++ ..._dst_set-and-ipv4_sk_update_pmtu-fix.patch | 122 +++++++++ ...lter-fix-upper-bpf-instruction-limit.patch | 35 +++ ...ier-usage-causing-spurious-arp-flush.patch | 54 ++++ ...net-fix-sparse-warning-in-sk_dst_set.patch | 36 +++ ...-tunnel-gso-of-frag_list-gro-packets.patch | 71 +++++ ...-bug-that-breaks-the-forwarding-path.patch | 85 ++++++ ...uawei_cdc_ncm-add-subclass-3-devices.patch | 64 +++++ ...cdc_ncm-increase-command-buffer-size.patch | 63 +++++ ...robing-with-invalid-vf-configuration.patch | 34 +++ ...rser-when-vxlan-offloading-isn-t-set.patch | 36 +++ ...endian-issue-in-mvneta_txq_desc_csum.patch | 35 +++ ...neta-fix-operation-in-10-mbit-s-mode.patch | 45 +++ ...t-ppp-don-t-call-sk_chk_filter-twice.patch | 93 +++++++ ...creating-ppp-pass-and-active-filters.patch | 117 ++++++++ ...channel-mtu-when-using-multilink-ppp.patch | 129 +++++++++ ...wan-add-id-for-telewell-tw-lte-4g-v2.patch | 33 +++ ...-two-sierra-wireless-netgear-devices.patch | 40 +++ ...dointvec-result-in-proc_sctp_do_auth.patch | 44 +++ ...-information-leaks-in-ulpevent-layer.patch | 256 ++++++++++++++++++ ...-sysctl-errors-from-proc_do-properly.patch | 150 ++++++++++ ...-handling-of-error-from-netlink_dump.patch | 52 ++++ ...2-fix-r8152_csum_workaround-function.patch | 31 +++ queue-3.15/series | 47 ++++ ...-write_wakeup-deadlock-fix-from-slip.patch | 120 ++++++++ .../slip-fix-deadlock-in-write_wakeup.patch | 201 ++++++++++++++ ...cts-created-in-vnet_new-on-vnet_exit.patch | 69 +++++ ...-zero-when-pushing-during-tcp-repair.patch | 130 +++++++++ .../tcp-fix-false-undo-corner-cases.patch | 98 +++++++ ...-for-unaligned-sack-at-end-of-an-skb.patch | 65 +++++ ...-message-fragments-before-reassembly.patch | 41 +++ ...ee-percpu-stats-in-device-destructor.patch | 97 +++++++ ...ing-frag_list-on-grant-op-error-path.patch | 89 ++++++ ...mentation-to-avoid-incorrect-logging.patch | 40 +++ ...leasing-frag_list-skbs-in-error-path.patch | 44 +++ ...-releasing-header-slot-on-error-path.patch | 117 ++++++++ 48 files changed, 3521 insertions(+) create mode 100644 queue-3.15/8021q-fix-a-potential-memory-leak.patch create mode 100644 queue-3.15/appletalk-fix-socket-referencing-in-skb.patch create mode 100644 queue-3.15/be2net-set-eq-db-clear-intr-bit-in-be_open.patch create mode 100644 queue-3.15/bnx2x-fix-possible-panic-under-memory-stress.patch create mode 100644 queue-3.15/bonding-fix-ad_select-module-param-check.patch create mode 100644 queue-3.15/dns_resolver-assure-that-dns_query-result-is-null-terminated.patch create mode 100644 queue-3.15/dns_resolver-null-terminate-the-right-string.patch create mode 100644 queue-3.15/drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch create mode 100644 queue-3.15/igmp-fix-the-problem-when-mc-leave-group.patch create mode 100644 queue-3.15/ip_tunnel-fix-ip_tunnel_lookup.patch create mode 100644 queue-3.15/ipv4-fix-buffer-overflow-in-ip_options_compile.patch create mode 100644 queue-3.15/ipv4-fix-dst-race-in-sk_dst_get.patch create mode 100644 queue-3.15/ipv4-icmp-fix-pmtu-handling-for-rare-case.patch create mode 100644 queue-3.15/ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch create mode 100644 queue-3.15/net-filter-fix-upper-bpf-instruction-limit.patch create mode 100644 queue-3.15/net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch create mode 100644 queue-3.15/net-fix-sparse-warning-in-sk_dst_set.patch create mode 100644 queue-3.15/net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch create mode 100644 queue-3.15/net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch create mode 100644 queue-3.15/net-huawei_cdc_ncm-add-subclass-3-devices.patch create mode 100644 queue-3.15/net-huawei_cdc_ncm-increase-command-buffer-size.patch create mode 100644 queue-3.15/net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch create mode 100644 queue-3.15/net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch create mode 100644 queue-3.15/net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch create mode 100644 queue-3.15/net-mvneta-fix-operation-in-10-mbit-s-mode.patch create mode 100644 queue-3.15/net-ppp-don-t-call-sk_chk_filter-twice.patch create mode 100644 queue-3.15/net-ppp-fix-creating-ppp-pass-and-active-filters.patch create mode 100644 queue-3.15/net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch create mode 100644 queue-3.15/net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch create mode 100644 queue-3.15/net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch create mode 100644 queue-3.15/net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch create mode 100644 queue-3.15/net-sctp-fix-information-leaks-in-ulpevent-layer.patch create mode 100644 queue-3.15/net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch create mode 100644 queue-3.15/netlink-fix-handling-of-error-from-netlink_dump.patch create mode 100644 queue-3.15/r8152-fix-r8152_csum_workaround-function.patch create mode 100644 queue-3.15/slcan-port-write_wakeup-deadlock-fix-from-slip.patch create mode 100644 queue-3.15/slip-fix-deadlock-in-write_wakeup.patch create mode 100644 queue-3.15/sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch create mode 100644 queue-3.15/tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch create mode 100644 queue-3.15/tcp-fix-false-undo-corner-cases.patch create mode 100644 queue-3.15/tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch create mode 100644 queue-3.15/tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch create mode 100644 queue-3.15/vlan-free-percpu-stats-in-device-destructor.patch create mode 100644 queue-3.15/xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch create mode 100644 queue-3.15/xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch create mode 100644 queue-3.15/xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch create mode 100644 queue-3.15/xen-netback-fix-releasing-header-slot-on-error-path.patch diff --git a/queue-3.15/8021q-fix-a-potential-memory-leak.patch b/queue-3.15/8021q-fix-a-potential-memory-leak.patch new file mode 100644 index 00000000000..a2673e06b8e --- /dev/null +++ b/queue-3.15/8021q-fix-a-potential-memory-leak.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Li RongQing +Date: Wed, 18 Jun 2014 13:46:02 +0800 +Subject: 8021q: fix a potential memory leak + +From: Li RongQing + +[ Upstream commit 916c1689a09bc1ca81f2d7a34876f8d35aadd11b ] + +skb_cow called in vlan_reorder_header does not free the skb when it failed, +and vlan_reorder_header returns NULL to reset original skb when it is called +in vlan_untag, lead to a memory leak. + +Signed-off-by: Li RongQing +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -114,8 +114,11 @@ EXPORT_SYMBOL(vlan_dev_vlan_proto); + + static struct sk_buff *vlan_reorder_header(struct sk_buff *skb) + { +- if (skb_cow(skb, skb_headroom(skb)) < 0) ++ if (skb_cow(skb, skb_headroom(skb)) < 0) { ++ kfree_skb(skb); + return NULL; ++ } ++ + memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; diff --git a/queue-3.15/appletalk-fix-socket-referencing-in-skb.patch b/queue-3.15/appletalk-fix-socket-referencing-in-skb.patch new file mode 100644 index 00000000000..d365622cc08 --- /dev/null +++ b/queue-3.15/appletalk-fix-socket-referencing-in-skb.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Andrey Utkin +Date: Mon, 7 Jul 2014 23:22:50 +0300 +Subject: appletalk: Fix socket referencing in skb + +From: Andrey Utkin + +[ Upstream commit 36beddc272c111689f3042bf3d10a64d8a805f93 ] + +Setting just skb->sk without taking its reference and setting a +destructor is invalid. However, in the places where this was done, skb +is used in a way not requiring skb->sk setting. So dropping the setting +of skb->sk. +Thanks to Eric Dumazet for correct solution. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79441 +Reported-by: Ed Martin +Signed-off-by: Andrey Utkin +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/appletalk/ddp.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1489,8 +1489,6 @@ static int atalk_rcv(struct sk_buff *skb + goto drop; + + /* Queue packet (standard) */ +- skb->sk = sock; +- + if (sock_queue_rcv_skb(sock, skb) < 0) + goto drop; + +@@ -1644,7 +1642,6 @@ static int atalk_sendmsg(struct kiocb *i + if (!skb) + goto out; + +- skb->sk = sk; + skb_reserve(skb, ddp_dl->header_length); + skb_reserve(skb, dev->hard_header_len); + skb->dev = dev; diff --git a/queue-3.15/be2net-set-eq-db-clear-intr-bit-in-be_open.patch b/queue-3.15/be2net-set-eq-db-clear-intr-bit-in-be_open.patch new file mode 100644 index 00000000000..10d77c37d50 --- /dev/null +++ b/queue-3.15/be2net-set-eq-db-clear-intr-bit-in-be_open.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Suresh Reddy +Date: Fri, 11 Jul 2014 14:03:01 +0530 +Subject: be2net: set EQ DB clear-intr bit in be_open() + +From: Suresh Reddy + +[ Upstream commit 4cad9f3b61c7268fa89ab8096e23202300399b5d ] + +On BE3, if the clear-interrupt bit of the EQ doorbell is not set the first +time it is armed, ocassionally we have observed that the EQ doesn't raise +anymore interrupts even if it is in armed state. +This patch fixes this by setting the clear-interrupt bit when EQs are +armed for the first time in be_open(). + +Signed-off-by: Suresh Reddy +Signed-off-by: Sathya Perla +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -2858,7 +2858,7 @@ static int be_open(struct net_device *ne + for_all_evt_queues(adapter, eqo, i) { + napi_enable(&eqo->napi); + be_enable_busy_poll(eqo); +- be_eq_notify(adapter, eqo->q.id, true, false, 0); ++ be_eq_notify(adapter, eqo->q.id, true, true, 0); + } + adapter->flags |= BE_FLAGS_NAPI_ENABLED; + diff --git a/queue-3.15/bnx2x-fix-possible-panic-under-memory-stress.patch b/queue-3.15/bnx2x-fix-possible-panic-under-memory-stress.patch new file mode 100644 index 00000000000..c1bc7478619 --- /dev/null +++ b/queue-3.15/bnx2x-fix-possible-panic-under-memory-stress.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Thu, 26 Jun 2014 00:44:02 -0700 +Subject: bnx2x: fix possible panic under memory stress + +From: Eric Dumazet + +[ Upstream commit 07b0f00964def8af9321cfd6c4a7e84f6362f728 ] + +While it is legal to kfree(NULL), it is not wise to use : +put_page(virt_to_head_page(NULL)) + + BUG: unable to handle kernel paging request at ffffeba400000000 + IP: [] virt_to_head_page+0x36/0x44 [bnx2x] + +Reported-by: Michel Lespinasse +Signed-off-by: Eric Dumazet +Cc: Ariel Elior +Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -797,7 +797,8 @@ static void bnx2x_tpa_stop(struct bnx2x + + return; + } +- bnx2x_frag_free(fp, new_data); ++ if (new_data) ++ bnx2x_frag_free(fp, new_data); + drop: + /* drop the packet and keep the buffer in the bin */ + DP(NETIF_MSG_RX_STATUS, diff --git a/queue-3.15/bonding-fix-ad_select-module-param-check.patch b/queue-3.15/bonding-fix-ad_select-module-param-check.patch new file mode 100644 index 00000000000..f6d3b18d632 --- /dev/null +++ b/queue-3.15/bonding-fix-ad_select-module-param-check.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Nikolay Aleksandrov +Date: Sun, 13 Jul 2014 09:47:47 +0200 +Subject: bonding: fix ad_select module param check + +From: Nikolay Aleksandrov + +[ Upstream commit 548d28bd0eac840d122b691279ce9f4ce6ecbfb6 ] + +Obvious copy/paste error when I converted the ad_select to the new +option API. "lacp_rate" there should be "ad_select" so we can get the +proper value. + +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: David S. Miller + +Fixes: 9e5f5eebe765 ("bonding: convert ad_select to use the new option +API") +Reported-by: Karim Scheik +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4028,7 +4028,7 @@ static int bond_check_params(struct bond + } + + if (ad_select) { +- bond_opt_initstr(&newval, lacp_rate); ++ bond_opt_initstr(&newval, ad_select); + valptr = bond_opt_parse(bond_opt_get(BOND_OPT_AD_SELECT), + &newval); + if (!valptr) { diff --git a/queue-3.15/dns_resolver-assure-that-dns_query-result-is-null-terminated.patch b/queue-3.15/dns_resolver-assure-that-dns_query-result-is-null-terminated.patch new file mode 100644 index 00000000000..1f79e182b81 --- /dev/null +++ b/queue-3.15/dns_resolver-assure-that-dns_query-result-is-null-terminated.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= +Date: Sat, 7 Jun 2014 23:57:25 +0200 +Subject: dns_resolver: assure that dns_query() result is null-terminated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= + +[ Upstream commit 84a7c0b1db1c17d5ded8d3800228a608e1070b40 ] + +dns_query() credulously assumes that keys are null-terminated and +returns a copy of a memory block that is off by one. + +Signed-off-by: Manuel Schölling +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dns_resolver/dns_query.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/dns_resolver/dns_query.c ++++ b/net/dns_resolver/dns_query.c +@@ -149,7 +149,9 @@ int dns_query(const char *type, const ch + if (!*_result) + goto put; + +- memcpy(*_result, upayload->data, len + 1); ++ memcpy(*_result, upayload->data, len); ++ *_result[len] = '\0'; ++ + if (_expiry) + *_expiry = rkey->expiry; + diff --git a/queue-3.15/dns_resolver-null-terminate-the-right-string.patch b/queue-3.15/dns_resolver-null-terminate-the-right-string.patch new file mode 100644 index 00000000000..8f1b75c76c7 --- /dev/null +++ b/queue-3.15/dns_resolver-null-terminate-the-right-string.patch @@ -0,0 +1,31 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Ben Hutchings +Date: Mon, 21 Jul 2014 00:06:48 +0100 +Subject: dns_resolver: Null-terminate the right string + +From: Ben Hutchings + +[ Upstream commit 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a ] + +*_result[len] is parsed as *(_result[len]) which is not at all what we +want to touch here. + +Signed-off-by: Ben Hutchings +Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dns_resolver/dns_query.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dns_resolver/dns_query.c ++++ b/net/dns_resolver/dns_query.c +@@ -150,7 +150,7 @@ int dns_query(const char *type, const ch + goto put; + + memcpy(*_result, upayload->data, len); +- *_result[len] = '\0'; ++ (*_result)[len] = '\0'; + + if (_expiry) + *_expiry = rkey->expiry; diff --git a/queue-3.15/drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch b/queue-3.15/drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch new file mode 100644 index 00000000000..5f4b1b79f13 --- /dev/null +++ b/queue-3.15/drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch @@ -0,0 +1,47 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Mugunthan V N +Date: Wed, 18 Jun 2014 17:21:48 +0530 +Subject: drivers: net: cpsw: fix dual EMAC stall when connected to same switch + +From: Mugunthan V N + +[ Upstream commit e6afea0bbf129f88dc3fc39fd0d769f9ff064172 ] + +In commit 629c9a8fd0bbdfc6d702526b327470166ec39c6b (drivers: net: cpsw: Add +default vlan for dual emac case also), api cpsw_add_default_vlan() also +changes the port vlan which is required to seperate the ports which results +in the following behavior + +In Dual EMAC mode, when both the Etnernet connected is connected to same +switch, it creates a loop in the switch and when a broadcast packet is +received it is forwarded to the other port which stalls the whole switch +and needs a reset/power cycle to the switch to recover. So intead of using +the api, add only the default VLAN entry in dual EMAC case. + +Cc: Yegor Yefremov +Cc: Felipe Balbi +Signed-off-by: Mugunthan V N +Tested-by: Yegor Yefremov +Tested-by: Felipe Balbi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -1201,7 +1201,12 @@ static int cpsw_ndo_open(struct net_devi + for_each_slave(priv, cpsw_slave_open, priv); + + /* Add default VLAN */ +- cpsw_add_default_vlan(priv); ++ if (!priv->data.dual_emac) ++ cpsw_add_default_vlan(priv); ++ else ++ cpsw_ale_add_vlan(priv->ale, priv->data.default_vlan, ++ ALE_ALL_PORTS << priv->host_port, ++ ALE_ALL_PORTS << priv->host_port, 0, 0); + + if (!cpsw_common_res_usage_state(priv)) { + /* setup tx dma to fixed prio and zero offset */ diff --git a/queue-3.15/igmp-fix-the-problem-when-mc-leave-group.patch b/queue-3.15/igmp-fix-the-problem-when-mc-leave-group.patch new file mode 100644 index 00000000000..d416abb6156 --- /dev/null +++ b/queue-3.15/igmp-fix-the-problem-when-mc-leave-group.patch @@ -0,0 +1,84 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: dingtianhong +Date: Wed, 2 Jul 2014 13:50:48 +0800 +Subject: igmp: fix the problem when mc leave group + +From: dingtianhong + +[ Upstream commit 52ad353a5344f1f700c5b777175bdfa41d3cd65a ] + +The problem was triggered by these steps: + +1) create socket, bind and then setsockopt for add mc group. + mreq.imr_multiaddr.s_addr = inet_addr("255.0.0.37"); + mreq.imr_interface.s_addr = inet_addr("192.168.1.2"); + setsockopt(sockfd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, sizeof(mreq)); + +2) drop the mc group for this socket. + mreq.imr_multiaddr.s_addr = inet_addr("255.0.0.37"); + mreq.imr_interface.s_addr = inet_addr("0.0.0.0"); + setsockopt(sockfd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreq, sizeof(mreq)); + +3) and then drop the socket, I found the mc group was still used by the dev: + + netstat -g + + Interface RefCnt Group + --------------- ------ --------------------- + eth2 1 255.0.0.37 + +Normally even though the IP_DROP_MEMBERSHIP return error, the mc group still need +to be released for the netdev when drop the socket, but this process was broken when +route default is NULL, the reason is that: + +The ip_mc_leave_group() will choose the in_dev by the imr_interface.s_addr, if input addr +is NULL, the default route dev will be chosen, then the ifindex is got from the dev, +then polling the inet->mc_list and return -ENODEV, but if the default route dev is NULL, +the in_dev and ifIndex is both NULL, when polling the inet->mc_list, the mc group will be +released from the mc_list, but the dev didn't dec the refcnt for this mc group, so +when dropping the socket, the mc_list is NULL and the dev still keep this group. + +v1->v2: According Hideaki's suggestion, we should align with IPv6 (RFC3493) and BSDs, + so I add the checking for the in_dev before polling the mc_list, make sure when + we remove the mc group, dec the refcnt to the real dev which was using the mc address. + The problem would never happened again. + +Signed-off-by: Ding Tianhong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1952,6 +1952,10 @@ int ip_mc_leave_group(struct sock *sk, s + + rtnl_lock(); + in_dev = ip_mc_find_dev(net, imr); ++ if (!in_dev) { ++ ret = -ENODEV; ++ goto out; ++ } + ifindex = imr->imr_ifindex; + for (imlp = &inet->mc_list; + (iml = rtnl_dereference(*imlp)) != NULL; +@@ -1969,16 +1973,14 @@ int ip_mc_leave_group(struct sock *sk, s + + *imlp = iml->next_rcu; + +- if (in_dev) +- ip_mc_dec_group(in_dev, group); ++ ip_mc_dec_group(in_dev, group); + rtnl_unlock(); + /* decrease mem now to avoid the memleak warning */ + atomic_sub(sizeof(*iml), &sk->sk_omem_alloc); + kfree_rcu(iml, rcu); + return 0; + } +- if (!in_dev) +- ret = -ENODEV; ++out: + rtnl_unlock(); + return ret; + } diff --git a/queue-3.15/ip_tunnel-fix-ip_tunnel_lookup.patch b/queue-3.15/ip_tunnel-fix-ip_tunnel_lookup.patch new file mode 100644 index 00000000000..faf9b0331bf --- /dev/null +++ b/queue-3.15/ip_tunnel-fix-ip_tunnel_lookup.patch @@ -0,0 +1,95 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Dmitry Popov +Date: Sat, 5 Jul 2014 02:26:37 +0400 +Subject: ip_tunnel: fix ip_tunnel_lookup + +From: Dmitry Popov + +[ Upstream commit e0056593b61253f1a8a9941dacda22e73b963cdc ] + +This patch fixes 3 similar bugs where incoming packets might be routed into +wrong non-wildcard tunnels: + +1) Consider the following setup: + ip address add 1.1.1.1/24 dev eth0 + ip address add 1.1.1.2/24 dev eth0 + ip tunnel add ipip1 remote 2.2.2.2 local 1.1.1.1 mode ipip dev eth0 + ip link set ipip1 up + +Incoming ipip packets from 2.2.2.2 were routed into ipip1 even if it has dst = +1.1.1.2. Moreover even if there was wildcard tunnel like + ip tunnel add ipip0 remote 2.2.2.2 local any mode ipip dev eth0 +but it was created before explicit one (with local 1.1.1.1), incoming ipip +packets with src = 2.2.2.2 and dst = 1.1.1.2 were still routed into ipip1. + +Same issue existed with all tunnels that use ip_tunnel_lookup (gre, vti) + +2) ip address add 1.1.1.1/24 dev eth0 + ip tunnel add ipip1 remote 2.2.146.85 local 1.1.1.1 mode ipip dev eth0 + ip link set ipip1 up + +Incoming ipip packets with dst = 1.1.1.1 were routed into ipip1, no matter what +src address is. Any remote ip address which has ip_tunnel_hash = 0 raised this +issue, 2.2.146.85 is just an example, there are more than 4 million of them. +And again, wildcard tunnel like + ip tunnel add ipip0 remote any local 1.1.1.1 mode ipip dev eth0 +wouldn't be ever matched if it was created before explicit tunnel like above. + +Gre & vti tunnels had the same issue. + +3) ip address add 1.1.1.1/24 dev eth0 + ip tunnel add gre1 remote 2.2.146.84 local 1.1.1.1 key 1 mode gre dev eth0 + ip link set gre1 up + +Any incoming gre packet with key = 1 were routed into gre1, no matter what +src/dst addresses are. Any remote ip address which has ip_tunnel_hash = 0 raised +the issue, 2.2.146.84 is just an example, there are more than 4 million of them. +Wildcard tunnel like + ip tunnel add gre2 remote any local any key 1 mode gre dev eth0 +wouldn't be ever matched if it was created before explicit tunnel like above. + +All this stuff happened because while looking for a wildcard tunnel we didn't +check that matched tunnel is a wildcard one. Fixed. + +Signed-off-by: Dmitry Popov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -173,6 +173,7 @@ struct ip_tunnel *ip_tunnel_lookup(struc + + hlist_for_each_entry_rcu(t, head, hash_node) { + if (remote != t->parms.iph.daddr || ++ t->parms.iph.saddr != 0 || + !(t->dev->flags & IFF_UP)) + continue; + +@@ -189,10 +190,11 @@ struct ip_tunnel *ip_tunnel_lookup(struc + head = &itn->tunnels[hash]; + + hlist_for_each_entry_rcu(t, head, hash_node) { +- if ((local != t->parms.iph.saddr && +- (local != t->parms.iph.daddr || +- !ipv4_is_multicast(local))) || +- !(t->dev->flags & IFF_UP)) ++ if ((local != t->parms.iph.saddr || t->parms.iph.daddr != 0) && ++ (local != t->parms.iph.daddr || !ipv4_is_multicast(local))) ++ continue; ++ ++ if (!(t->dev->flags & IFF_UP)) + continue; + + if (!ip_tunnel_key_match(&t->parms, flags, key)) +@@ -209,6 +211,8 @@ struct ip_tunnel *ip_tunnel_lookup(struc + + hlist_for_each_entry_rcu(t, head, hash_node) { + if (t->parms.i_key != key || ++ t->parms.iph.saddr != 0 || ++ t->parms.iph.daddr != 0 || + !(t->dev->flags & IFF_UP)) + continue; + diff --git a/queue-3.15/ipv4-fix-buffer-overflow-in-ip_options_compile.patch b/queue-3.15/ipv4-fix-buffer-overflow-in-ip_options_compile.patch new file mode 100644 index 00000000000..0d62072bdfd --- /dev/null +++ b/queue-3.15/ipv4-fix-buffer-overflow-in-ip_options_compile.patch @@ -0,0 +1,82 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Mon, 21 Jul 2014 07:17:42 +0200 +Subject: ipv4: fix buffer overflow in ip_options_compile() + +From: Eric Dumazet + +[ Upstream commit 10ec9472f05b45c94db3c854d22581a20b97db41 ] + +There is a benign buffer overflow in ip_options_compile spotted by +AddressSanitizer[1] : + +Its benign because we always can access one extra byte in skb->head +(because header is followed by struct skb_shared_info), and in this case +this byte is not even used. + +[28504.910798] ================================================================== +[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile +[28504.913170] Read of size 1 by thread T15843: +[28504.914026] [] ip_options_compile+0x121/0x9c0 +[28504.915394] [] ip_options_get_from_user+0xad/0x120 +[28504.916843] [] do_ip_setsockopt.isra.15+0x8df/0x1630 +[28504.918175] [] ip_setsockopt+0x30/0xa0 +[28504.919490] [] tcp_setsockopt+0x5b/0x90 +[28504.920835] [] sock_common_setsockopt+0x5f/0x70 +[28504.922208] [] SyS_setsockopt+0xa2/0x140 +[28504.923459] [] system_call_fastpath+0x16/0x1b +[28504.924722] +[28504.925106] Allocated by thread T15843: +[28504.925815] [] ip_options_get_from_user+0x35/0x120 +[28504.926884] [] do_ip_setsockopt.isra.15+0x8df/0x1630 +[28504.927975] [] ip_setsockopt+0x30/0xa0 +[28504.929175] [] tcp_setsockopt+0x5b/0x90 +[28504.930400] [] sock_common_setsockopt+0x5f/0x70 +[28504.931677] [] SyS_setsockopt+0xa2/0x140 +[28504.932851] [] system_call_fastpath+0x16/0x1b +[28504.934018] +[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right +[28504.934377] of 40-byte region [ffff880026382800, ffff880026382828) +[28504.937144] +[28504.937474] Memory state around the buggy address: +[28504.938430] ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr +[28504.939884] ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28504.941294] ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr +[28504.942504] ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28504.943483] ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr +[28504.945573] ^ +[28504.946277] ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28505.094949] ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28505.096114] ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28505.097116] ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28505.098472] ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr +[28505.099804] Legend: +[28505.100269] f - 8 freed bytes +[28505.100884] r - 8 redzone bytes +[28505.101649] . - 8 allocated bytes +[28505.102406] x=1..7 - x allocated bytes + (8-x) redzone bytes +[28505.103637] ================================================================== + +[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_options.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/ip_options.c ++++ b/net/ipv4/ip_options.c +@@ -288,6 +288,10 @@ int ip_options_compile(struct net *net, + optptr++; + continue; + } ++ if (unlikely(l < 2)) { ++ pp_ptr = optptr; ++ goto error; ++ } + optlen = optptr[1]; + if (optlen < 2 || optlen > l) { + pp_ptr = optptr; diff --git a/queue-3.15/ipv4-fix-dst-race-in-sk_dst_get.patch b/queue-3.15/ipv4-fix-dst-race-in-sk_dst_get.patch new file mode 100644 index 00000000000..87e57fa79c1 --- /dev/null +++ b/queue-3.15/ipv4-fix-dst-race-in-sk_dst_get.patch @@ -0,0 +1,114 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Tue, 24 Jun 2014 10:05:11 -0700 +Subject: ipv4: fix dst race in sk_dst_get() + +From: Eric Dumazet + +[ Upstream commit f88649721268999bdff09777847080a52004f691 ] + +When IP route cache had been removed in linux-3.6, we broke assumption +that dst entries were all freed after rcu grace period. DST_NOCACHE +dst were supposed to be freed from dst_release(). But it appears +we want to keep such dst around, either in UDP sockets or tunnels. + +In sk_dst_get() we need to make sure dst refcount is not 0 +before incrementing it, or else we might end up freeing a dst +twice. + +DST_NOCACHE set on a dst does not mean this dst can not be attached +to a socket or a tunnel. + +Then, before actual freeing, we need to observe a rcu grace period +to make sure all other cpus can catch the fact the dst is no longer +usable. + +Signed-off-by: Eric Dumazet +Reported-by: Dormando +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 4 ++-- + net/core/dst.c | 16 +++++++++++----- + net/ipv4/ip_tunnel.c | 14 +++++--------- + 3 files changed, 18 insertions(+), 16 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1728,8 +1728,8 @@ sk_dst_get(struct sock *sk) + + rcu_read_lock(); + dst = rcu_dereference(sk->sk_dst_cache); +- if (dst) +- dst_hold(dst); ++ if (dst && !atomic_inc_not_zero(&dst->__refcnt)) ++ dst = NULL; + rcu_read_unlock(); + return dst; + } +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -269,6 +269,15 @@ again: + } + EXPORT_SYMBOL(dst_destroy); + ++static void dst_destroy_rcu(struct rcu_head *head) ++{ ++ struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head); ++ ++ dst = dst_destroy(dst); ++ if (dst) ++ __dst_free(dst); ++} ++ + void dst_release(struct dst_entry *dst) + { + if (dst) { +@@ -276,11 +285,8 @@ void dst_release(struct dst_entry *dst) + + newrefcnt = atomic_dec_return(&dst->__refcnt); + WARN_ON(newrefcnt < 0); +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) { +- dst = dst_destroy(dst); +- if (dst) +- __dst_free(dst); +- } ++ if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) ++ call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } + EXPORT_SYMBOL(dst_release); +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -73,12 +73,7 @@ static void __tunnel_dst_set(struct ip_t + { + struct dst_entry *old_dst; + +- if (dst) { +- if (dst->flags & DST_NOCACHE) +- dst = NULL; +- else +- dst_clone(dst); +- } ++ dst_clone(dst); + old_dst = xchg((__force struct dst_entry **)&idst->dst, dst); + dst_release(old_dst); + } +@@ -108,13 +103,14 @@ static struct rtable *tunnel_rtable_get( + + rcu_read_lock(); + dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst); ++ if (dst && !atomic_inc_not_zero(&dst->__refcnt)) ++ dst = NULL; + if (dst) { + if (dst->obsolete && dst->ops->check(dst, cookie) == NULL) { +- rcu_read_unlock(); + tunnel_dst_reset(t); +- return NULL; ++ dst_release(dst); ++ dst = NULL; + } +- dst_hold(dst); + } + rcu_read_unlock(); + return (struct rtable *)dst; diff --git a/queue-3.15/ipv4-icmp-fix-pmtu-handling-for-rare-case.patch b/queue-3.15/ipv4-icmp-fix-pmtu-handling-for-rare-case.patch new file mode 100644 index 00000000000..c2970d91ebd --- /dev/null +++ b/queue-3.15/ipv4-icmp-fix-pmtu-handling-for-rare-case.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Edward Allcutt +Date: Mon, 30 Jun 2014 16:16:02 +0100 +Subject: ipv4: icmp: Fix pMTU handling for rare case + +From: Edward Allcutt + +[ Upstream commit 68b7107b62983f2cff0948292429d5f5999df096 ] + +Some older router implementations still send Fragmentation Needed +errors with the Next-Hop MTU field set to zero. This is explicitly +described as an eventuality that hosts must deal with by the +standard (RFC 1191) since older standards specified that those +bits must be zero. + +Linux had a generic (for all of IPv4) implementation of the algorithm +described in the RFC for searching a list of MTU plateaus for a good +value. Commit 46517008e116 ("ipv4: Kill ip_rt_frag_needed().") +removed this as part of the changes to remove the routing cache. +Subsequently any Fragmentation Needed packet with a zero Next-Hop +MTU has been discarded without being passed to the per-protocol +handlers or notifying userspace for raw sockets. + +When there is a router which does not implement RFC 1191 on an +MTU limited path then this results in stalled connections since +large packets are discarded and the local protocols are not +notified so they never attempt to lower the pMTU. + +One example I have seen is an OpenBSD router terminating IPSec +tunnels. It's worth pointing out that this case is distinct from +the BSD 4.2 bug which incorrectly calculated the Next-Hop MTU +since the commit in question dismissed that as a valid concern. + +All of the per-protocols handlers implement the simple approach from +RFC 1191 of immediately falling back to the minimum value. Although +this is sub-optimal it is vastly preferable to connections hanging +indefinitely. + +Remove the Next-Hop MTU != 0 check and allow such packets +to follow the normal path. + +Fixes: 46517008e116 ("ipv4: Kill ip_rt_frag_needed().") +Signed-off-by: Edward Allcutt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/icmp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -732,8 +732,6 @@ static void icmp_unreach(struct sk_buff + /* fall through */ + case 0: + info = ntohs(icmph->un.frag.mtu); +- if (!info) +- goto out; + } + break; + case ICMP_SR_FAILED: diff --git a/queue-3.15/ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch b/queue-3.15/ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch new file mode 100644 index 00000000000..d3f704e436a --- /dev/null +++ b/queue-3.15/ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch @@ -0,0 +1,122 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Mon, 30 Jun 2014 01:26:23 -0700 +Subject: ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix + +From: Eric Dumazet + +[ Upstream commit 7f502361531e9eecb396cf99bdc9e9a59f7ebd7f ] + +We have two different ways to handle changes to sk->sk_dst + +First way (used by TCP) assumes socket lock is owned by caller, and use +no extra lock : __sk_dst_set() & __sk_dst_reset() + +Another way (used by UDP) uses sk_dst_lock because socket lock is not +always taken. Note that sk_dst_lock is not softirq safe. + +These ways are not inter changeable for a given socket type. + +ipv4_sk_update_pmtu(), added in linux-3.8, added a race, as it used +the socket lock as synchronization, but users might be UDP sockets. + +Instead of converting sk_dst_lock to a softirq safe version, use xchg() +as we did for sk_rx_dst in commit e47eb5dfb296b ("udp: ipv4: do not use +sk_dst_lock from softirq context") + +In a follow up patch, we probably can remove sk_dst_lock, as it is +only used in IPv6. + +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Fixes: 9cb3a50c5f63e ("ipv4: Invalidate the socket cached route on pmtu events if possible") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 12 ++++++------ + net/ipv4/route.c | 15 ++++++++------- + 2 files changed, 14 insertions(+), 13 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1766,9 +1766,11 @@ __sk_dst_set(struct sock *sk, struct dst + static inline void + sk_dst_set(struct sock *sk, struct dst_entry *dst) + { +- spin_lock(&sk->sk_dst_lock); +- __sk_dst_set(sk, dst); +- spin_unlock(&sk->sk_dst_lock); ++ struct dst_entry *old_dst; ++ ++ sk_tx_queue_clear(sk); ++ old_dst = xchg(&sk->sk_dst_cache, dst); ++ dst_release(old_dst); + } + + static inline void +@@ -1780,9 +1782,7 @@ __sk_dst_reset(struct sock *sk) + static inline void + sk_dst_reset(struct sock *sk) + { +- spin_lock(&sk->sk_dst_lock); +- __sk_dst_reset(sk); +- spin_unlock(&sk->sk_dst_lock); ++ sk_dst_set(sk, NULL); + } + + struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie); +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1022,7 +1022,7 @@ void ipv4_sk_update_pmtu(struct sk_buff + const struct iphdr *iph = (const struct iphdr *) skb->data; + struct flowi4 fl4; + struct rtable *rt; +- struct dst_entry *dst; ++ struct dst_entry *odst = NULL; + bool new = false; + + bh_lock_sock(sk); +@@ -1030,16 +1030,17 @@ void ipv4_sk_update_pmtu(struct sk_buff + if (!ip_sk_accept_pmtu(sk)) + goto out; + +- rt = (struct rtable *) __sk_dst_get(sk); ++ odst = sk_dst_get(sk); + +- if (sock_owned_by_user(sk) || !rt) { ++ if (sock_owned_by_user(sk) || !odst) { + __ipv4_sk_update_pmtu(skb, sk, mtu); + goto out; + } + + __build_flow_key(&fl4, sk, iph, 0, 0, 0, 0, 0); + +- if (!__sk_dst_check(sk, 0)) { ++ rt = (struct rtable *)odst; ++ if (odst->obsolete && odst->ops->check(odst, 0) == NULL) { + rt = ip_route_output_flow(sock_net(sk), &fl4, sk); + if (IS_ERR(rt)) + goto out; +@@ -1049,8 +1050,7 @@ void ipv4_sk_update_pmtu(struct sk_buff + + __ip_rt_update_pmtu((struct rtable *) rt->dst.path, &fl4, mtu); + +- dst = dst_check(&rt->dst, 0); +- if (!dst) { ++ if (!dst_check(&rt->dst, 0)) { + if (new) + dst_release(&rt->dst); + +@@ -1062,10 +1062,11 @@ void ipv4_sk_update_pmtu(struct sk_buff + } + + if (new) +- __sk_dst_set(sk, &rt->dst); ++ sk_dst_set(sk, &rt->dst); + + out: + bh_unlock_sock(sk); ++ dst_release(odst); + } + EXPORT_SYMBOL_GPL(ipv4_sk_update_pmtu); + diff --git a/queue-3.15/net-filter-fix-upper-bpf-instruction-limit.patch b/queue-3.15/net-filter-fix-upper-bpf-instruction-limit.patch new file mode 100644 index 00000000000..6cb7c7fe4e9 --- /dev/null +++ b/queue-3.15/net-filter-fix-upper-bpf-instruction-limit.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Kees Cook +Date: Wed, 18 Jun 2014 15:34:57 -0700 +Subject: net: filter: fix upper BPF instruction limit + +From: Kees Cook + +[ Upstream commit 6f9a093b66ce7cacc110d8737c03686e80ecfda6 ] + +The original checks (via sk_chk_filter) for instruction count uses ">", +not ">=", so changing this in sk_convert_filter has the potential to break +existing seccomp filters that used exactly BPF_MAXINSNS many instructions. + +Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set") +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org # v3.15+ +Acked-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -872,7 +872,7 @@ int sk_convert_filter(struct sock_filter + BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK); + BUILD_BUG_ON(FP_REG + 1 != MAX_BPF_REG); + +- if (len <= 0 || len >= BPF_MAXINSNS) ++ if (len <= 0 || len > BPF_MAXINSNS) + return -EINVAL; + + if (new_prog) { diff --git a/queue-3.15/net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch b/queue-3.15/net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch new file mode 100644 index 00000000000..7994dad53b4 --- /dev/null +++ b/queue-3.15/net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch @@ -0,0 +1,54 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Loic Prylli +Date: Tue, 1 Jul 2014 21:39:43 -0700 +Subject: net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush + +From: Loic Prylli + +[ Upstream commit 54951194656e4853e441266fd095f880bc0398f3 ] + +A bug was introduced in NETDEV_CHANGE notifier sequence causing the +arp table to be sometimes spuriously cleared (including manual arp +entries marked permanent), upon network link carrier changes. + +The changed argument for the notifier was applied only to a single +caller of NETDEV_CHANGE, missing among others netdev_state_change(). +So upon net_carrier events induced by the network, which are +triggering a call to netdev_state_change(), arp_netdev_event() would +decide whether to clear or not arp cache based on random/junk stack +values (a kind of read buffer overflow). + +Fixes: be9efd365328 ("net: pass changed flags along with NETDEV_CHANGE event") +Fixes: 6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change") +Signed-off-by: Loic Prylli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -148,6 +148,9 @@ struct list_head ptype_all __read_mostly + static struct list_head offload_base __read_mostly; + + static int netif_rx_internal(struct sk_buff *skb); ++static int call_netdevice_notifiers_info(unsigned long val, ++ struct net_device *dev, ++ struct netdev_notifier_info *info); + + /* + * The @dev_base_head list is protected by @dev_base_lock and the rtnl +@@ -1207,7 +1210,11 @@ EXPORT_SYMBOL(netdev_features_change); + void netdev_state_change(struct net_device *dev) + { + if (dev->flags & IFF_UP) { +- call_netdevice_notifiers(NETDEV_CHANGE, dev); ++ struct netdev_notifier_change_info change_info; ++ ++ change_info.flags_changed = 0; ++ call_netdevice_notifiers_info(NETDEV_CHANGE, dev, ++ &change_info.info); + rtmsg_ifinfo(RTM_NEWLINK, dev, 0, GFP_KERNEL); + } + } diff --git a/queue-3.15/net-fix-sparse-warning-in-sk_dst_set.patch b/queue-3.15/net-fix-sparse-warning-in-sk_dst_set.patch new file mode 100644 index 00000000000..0c5d90b3698 --- /dev/null +++ b/queue-3.15/net-fix-sparse-warning-in-sk_dst_set.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Wed, 2 Jul 2014 02:39:38 -0700 +Subject: net: fix sparse warning in sk_dst_set() + +From: Eric Dumazet + +[ Upstream commit 5925a0555bdaf0b396a84318cbc21ba085f6c0d3 ] + +sk_dst_cache has __rcu annotation, so we need a cast to avoid +following sparse error : + +include/net/sock.h:1774:19: warning: incorrect type in initializer (different address spaces) +include/net/sock.h:1774:19: expected struct dst_entry [noderef] *__ret +include/net/sock.h:1774:19: got struct dst_entry *dst + +Signed-off-by: Eric Dumazet +Reported-by: kbuild test robot +Fixes: 7f502361531e ("ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1769,7 +1769,7 @@ sk_dst_set(struct sock *sk, struct dst_e + struct dst_entry *old_dst; + + sk_tx_queue_clear(sk); +- old_dst = xchg(&sk->sk_dst_cache, dst); ++ old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst); + dst_release(old_dst); + } + diff --git a/queue-3.15/net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch b/queue-3.15/net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch new file mode 100644 index 00000000000..b89b191276f --- /dev/null +++ b/queue-3.15/net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch @@ -0,0 +1,71 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Wei-Chun Chao +Date: Sun, 8 Jun 2014 23:48:54 -0700 +Subject: net: fix UDP tunnel GSO of frag_list GRO packets + +From: Wei-Chun Chao + +[ Upstream commit 5882a07c72093dc3a18e2d2b129fb200686bb6ee ] + +This patch fixes a kernel BUG_ON in skb_segment. It is hit when +testing two VMs on openvswitch with one VM acting as VXLAN gateway. + +During VXLAN packet GSO, skb_segment is called with skb->data +pointing to inner TCP payload. skb_segment calls skb_network_protocol +to retrieve the inner protocol. skb_network_protocol actually expects +skb->data to point to MAC and it calls pskb_may_pull with ETH_HLEN. +This ends up pulling in ETH_HLEN data from header tail. As a result, +pskb_trim logic is skipped and BUG_ON is hit later. + +Move skb_push in front of skb_network_protocol so that skb->data +lines up properly. + +kernel BUG at net/core/skbuff.c:2999! +Call Trace: +[] tcp_gso_segment+0x122/0x410 +[] inet_gso_segment+0x13c/0x390 +[] skb_mac_gso_segment+0x9b/0x170 +[] skb_udp_tunnel_segment+0xd8/0x390 +[] udp4_ufo_fragment+0x120/0x140 +[] inet_gso_segment+0x13c/0x390 +[] ? default_wake_function+0x12/0x20 +[] skb_mac_gso_segment+0x9b/0x170 +[] __skb_gso_segment+0x60/0xc0 +[] dev_hard_start_xmit+0x183/0x550 +[] sch_direct_xmit+0xfe/0x1d0 +[] __dev_queue_xmit+0x214/0x4f0 +[] dev_queue_xmit+0x10/0x20 +[] ip_finish_output+0x66b/0x890 +[] ip_output+0x58/0x90 +[] ? fib_table_lookup+0x29f/0x350 +[] ip_local_out_sk+0x39/0x50 +[] iptunnel_xmit+0x10d/0x130 +[] vxlan_xmit_skb+0x1d0/0x330 [vxlan] +[] vxlan_tnl_send+0x129/0x1a0 [openvswitch] +[] ovs_vport_send+0x26/0xa0 [openvswitch] +[] do_output+0x2e/0x50 [openvswitch] + +Signed-off-by: Wei-Chun Chao +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2881,12 +2881,13 @@ struct sk_buff *skb_segment(struct sk_bu + int pos; + int dummy; + ++ __skb_push(head_skb, doffset); + proto = skb_network_protocol(head_skb, &dummy); + if (unlikely(!proto)) + return ERR_PTR(-EINVAL); + + csum = !!can_checksum_protocol(features, proto); +- __skb_push(head_skb, doffset); ++ + headroom = skb_headroom(head_skb); + pos = skb_headlen(head_skb); + diff --git a/queue-3.15/net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch b/queue-3.15/net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch new file mode 100644 index 00000000000..33c31cba86c --- /dev/null +++ b/queue-3.15/net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch @@ -0,0 +1,85 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Jerry Chu +Date: Mon, 14 Jul 2014 15:54:46 -0700 +Subject: net-gre-gro: Fix a bug that breaks the forwarding path + +From: Jerry Chu + +[ Upstream commit c3caf1192f904de2f1381211f564537235d50de3 ] + +Fixed a bug that was introduced by my GRE-GRO patch +(bf5a755f5e9186406bbf50f4087100af5bd68e40 net-gre-gro: Add GRE +support to the GRO stack) that breaks the forwarding path +because various GSO related fields were not set. The bug will +cause on the egress path either the GSO code to fail, or a +GRE-TSO capable (NETIF_F_GSO_GRE) NICs to choke. The following +fix has been tested for both cases. + +Signed-off-by: H.K. Jerry Chu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 ++ + net/ipv4/af_inet.c | 3 +++ + net/ipv4/gre_offload.c | 3 +++ + net/ipv4/tcp_offload.c | 2 +- + net/ipv6/tcpv6_offload.c | 2 +- + 5 files changed, 10 insertions(+), 2 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4064,6 +4064,8 @@ static void napi_reuse_skb(struct napi_s + skb->vlan_tci = 0; + skb->dev = napi->dev; + skb->skb_iif = 0; ++ skb->encapsulation = 0; ++ skb_shinfo(skb)->gso_type = 0; + skb->truesize = SKB_TRUESIZE(skb_end_offset(skb)); + + napi->skb = skb; +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1434,6 +1434,9 @@ static int inet_gro_complete(struct sk_b + int proto = iph->protocol; + int err = -ENOSYS; + ++ if (skb->encapsulation) ++ skb_set_inner_network_header(skb, nhoff); ++ + csum_replace2(&iph->check, iph->tot_len, newlen); + iph->tot_len = newlen; + +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -255,6 +255,9 @@ static int gre_gro_complete(struct sk_bu + int err = -ENOENT; + __be16 type; + ++ skb->encapsulation = 1; ++ skb_shinfo(skb)->gso_type = SKB_GSO_GRE; ++ + type = greh->protocol; + if (greh->flags & GRE_KEY) + grehlen += GRE_HEADER_SECTION; +--- a/net/ipv4/tcp_offload.c ++++ b/net/ipv4/tcp_offload.c +@@ -310,7 +310,7 @@ static int tcp4_gro_complete(struct sk_b + + th->check = ~tcp_v4_check(skb->len - thoff, iph->saddr, + iph->daddr, 0); +- skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4; ++ skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4; + + return tcp_gro_complete(skb); + } +--- a/net/ipv6/tcpv6_offload.c ++++ b/net/ipv6/tcpv6_offload.c +@@ -73,7 +73,7 @@ static int tcp6_gro_complete(struct sk_b + + th->check = ~tcp_v6_check(skb->len - thoff, &iph->saddr, + &iph->daddr, 0); +- skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; ++ skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV6; + + return tcp_gro_complete(skb); + } diff --git a/queue-3.15/net-huawei_cdc_ncm-add-subclass-3-devices.patch b/queue-3.15/net-huawei_cdc_ncm-add-subclass-3-devices.patch new file mode 100644 index 00000000000..95268caee59 --- /dev/null +++ b/queue-3.15/net-huawei_cdc_ncm-add-subclass-3-devices.patch @@ -0,0 +1,64 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Thu, 17 Jul 2014 13:34:09 +0200 +Subject: net: huawei_cdc_ncm: add "subclass 3" devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit c2a6c7813f1ffae636e369b5d7011c9f518d3cd9 ] + +Huawei's usage of the subclass and protocol fields is not 100% +clear to us, but there appears to be a very strict system. + +A device with the "shared" device ID 12d1:1506 and this NCM +function was recently reported (showing only default altsetting): + + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 1 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 3 + bInterfaceProtocol 22 + iInterface 8 CDC Network Control Model (NCM) + ** UNRECOGNIZED: 05 24 00 10 01 + ** UNRECOGNIZED: 06 24 1a 00 01 1f + ** UNRECOGNIZED: 0c 24 1b 00 01 00 04 10 14 dc 05 20 + ** UNRECOGNIZED: 0d 24 0f 0a 0f 00 00 00 ea 05 03 00 01 + ** UNRECOGNIZED: 05 24 06 01 01 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x85 EP 5 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0010 1x 16 bytes + bInterval 9 + +Cc: Enrico Mioso +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/huawei_cdc_ncm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/huawei_cdc_ncm.c ++++ b/drivers/net/usb/huawei_cdc_ncm.c +@@ -207,6 +207,9 @@ static const struct usb_device_id huawei + { USB_VENDOR_AND_INTERFACE_INFO(0x12d1, 0xff, 0x02, 0x76), + .driver_info = (unsigned long)&huawei_cdc_ncm_info, + }, ++ { USB_VENDOR_AND_INTERFACE_INFO(0x12d1, 0xff, 0x03, 0x16), ++ .driver_info = (unsigned long)&huawei_cdc_ncm_info, ++ }, + + /* Terminating entry */ + { diff --git a/queue-3.15/net-huawei_cdc_ncm-increase-command-buffer-size.patch b/queue-3.15/net-huawei_cdc_ncm-increase-command-buffer-size.patch new file mode 100644 index 00000000000..52ed6c7f7a0 --- /dev/null +++ b/queue-3.15/net-huawei_cdc_ncm-increase-command-buffer-size.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 18 Jun 2014 14:21:24 +0200 +Subject: net: huawei_cdc_ncm: increase command buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 3acc74619b0175b7a154cf8dc54813f6faf97aa9 ] + +Messages from the modem exceeding 256 bytes cause communication +failure. + +The WDM protocol is strictly "read on demand", meaning that we only +poll for unread data after receiving a notification from the modem. +Since we have no way to know how much data the modem has to send, +we must make sure that the buffer we provide is "big enough". +Message truncation does not work. Truncated messages are left unread +until the modem has another message to send. Which often won't +happen until the userspace application has given up waiting for the +final part of the last message, and therefore sends another command. + +With a proper CDC WDM function there is a descriptor telling us +which buffer size the modem uses. But with this vendor specific +implementation there is no known way to calculate the exact "big +enough" number. It is an unknown property of the modem firmware. +Experience has shown that 256 is too small. The discussion of +this failure ended up concluding that 512 might be too small as +well. So 1024 seems like a reasonable value for now. + +Fixes: 41c47d8cfd68 ("net: huawei_cdc_ncm: Introduce the huawei_cdc_ncm driver") +Cc: Enrico Mioso +Reported-by: Dan Williams +Signed-off-by: Bjørn Mork +Acked-By: Enrico Mioso +Tested-by: Dan Williams +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/huawei_cdc_ncm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/huawei_cdc_ncm.c ++++ b/drivers/net/usb/huawei_cdc_ncm.c +@@ -84,12 +84,13 @@ static int huawei_cdc_ncm_bind(struct us + ctx = drvstate->ctx; + + if (usbnet_dev->status) +- /* CDC-WMC r1.1 requires wMaxCommand to be "at least 256 +- * decimal (0x100)" ++ /* The wMaxCommand buffer must be big enough to hold ++ * any message from the modem. Experience has shown ++ * that some replies are more than 256 bytes long + */ + subdriver = usb_cdc_wdm_register(ctx->control, + &usbnet_dev->status->desc, +- 256, /* wMaxCommand */ ++ 1024, /* wMaxCommand */ + huawei_cdc_ncm_wdm_manage_power); + if (IS_ERR(subdriver)) { + ret = PTR_ERR(subdriver); diff --git a/queue-3.15/net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch b/queue-3.15/net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch new file mode 100644 index 00000000000..fd37ecd2756 --- /dev/null +++ b/queue-3.15/net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Or Gerlitz +Date: Sun, 22 Jun 2014 13:21:34 +0300 +Subject: net/mlx4_core: Fix the error flow when probing with invalid VF configuration + +From: Or Gerlitz + +[ Upstream commit 960b1f454e1ace6b76718f22828bcc3594a09422 ] + +Single ported VF are currently not supported on configurations where +one or both ports are IB. When we hit this case, the relevant flow in +the driver didn't return error and jumped to the wrong label. Fix that. + +Fixes: dd41cc3 ('net/mlx4: Adapt num_vfs/probed_vf params for single port VF') +Reported-by: Shirley Ma +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -2466,7 +2466,8 @@ slave_start: + "with IB port. Single port VFs syntax" + " is only supported when all ports " + "are configured as ethernet\n"); +- goto err_close; ++ err = -EINVAL; ++ goto err_master_mfunc; + } + for (i = 0; i < sizeof(nvfs)/sizeof(nvfs[0]); i++) { + unsigned j; diff --git a/queue-3.15/net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch b/queue-3.15/net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch new file mode 100644 index 00000000000..ae1f149cf96 --- /dev/null +++ b/queue-3.15/net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Or Gerlitz +Date: Wed, 2 Jul 2014 17:36:23 +0300 +Subject: net/mlx4_en: Don't configure the HW vxlan parser when vxlan offloading isn't set + +From: Or Gerlitz + +[ Upstream commit e326f2f13b209d56782609e833b87cb497e64b3b ] + +The add_vxlan_port ndo driver code was wrongly testing whether HW vxlan offloads +are supported by the device instead of checking if they are currently enabled. + +This causes the driver to configure the HW parser to conduct matching for vxlan +packets but since no steering rules were set, vxlan packets are dropped on RX. + +Fix that by doing the right test, as done in the del_vxlan_port ndo handler. + +Fixes: 1b136de ('net/mlx4: Implement vxlan ndo calls') +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -2303,7 +2303,7 @@ static void mlx4_en_add_vxlan_port(struc + struct mlx4_en_priv *priv = netdev_priv(dev); + __be16 current_port; + +- if (!(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_VXLAN_OFFLOADS)) ++ if (priv->mdev->dev->caps.tunnel_offload_mode != MLX4_TUNNEL_OFFLOAD_MODE_VXLAN) + return; + + if (sa_family == AF_INET6) diff --git a/queue-3.15/net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch b/queue-3.15/net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch new file mode 100644 index 00000000000..dc2e9ae7a1c --- /dev/null +++ b/queue-3.15/net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Thomas Fitzsimmons +Date: Tue, 8 Jul 2014 19:44:07 -0400 +Subject: net: mvneta: Fix big endian issue in mvneta_txq_desc_csum() + +From: Thomas Fitzsimmons + +[ Upstream commit 0a1985879437d14bda8c90d0dae3455c467d7642 ] + +This commit fixes the command value generated for CSUM calculation +when running in big endian mode. The Ethernet protocol ID for IP was +being unconditionally byte-swapped in the layer 3 protocol check (with +swab16), which caused the mvneta driver to not function correctly in +big endian mode. This patch byte-swaps the ID conditionally with +htons. + +Cc: # v3.13+ +Signed-off-by: Thomas Fitzsimmons +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1189,7 +1189,7 @@ static u32 mvneta_txq_desc_csum(int l3_o + command = l3_offs << MVNETA_TX_L3_OFF_SHIFT; + command |= ip_hdr_len << MVNETA_TX_IP_HLEN_SHIFT; + +- if (l3_proto == swab16(ETH_P_IP)) ++ if (l3_proto == htons(ETH_P_IP)) + command |= MVNETA_TXD_IP_CSUM; + else + command |= MVNETA_TX_L3_IP6; diff --git a/queue-3.15/net-mvneta-fix-operation-in-10-mbit-s-mode.patch b/queue-3.15/net-mvneta-fix-operation-in-10-mbit-s-mode.patch new file mode 100644 index 00000000000..e8008db3adc --- /dev/null +++ b/queue-3.15/net-mvneta-fix-operation-in-10-mbit-s-mode.patch @@ -0,0 +1,45 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Thomas Petazzoni +Date: Tue, 8 Jul 2014 10:49:43 +0200 +Subject: net: mvneta: fix operation in 10 Mbit/s mode + +From: Thomas Petazzoni + +[ Upstream commit 4d12bc63ab5e48c1d78fa13883cf6fefcea3afb1 ] + +As reported by Maggie Mae Roxas, the mvneta driver doesn't behave +properly in 10 Mbit/s mode. This is due to a misconfiguration of the +MVNETA_GMAC_AUTONEG_CONFIG register: bit MVNETA_GMAC_CONFIG_MII_SPEED +must be set for a 100 Mbit/s speed, but cleared for a 10 Mbit/s speed, +which the driver was not properly doing. This commit adjusts that by +setting the MVNETA_GMAC_CONFIG_MII_SPEED bit only in 100 Mbit/s mode, +and relying on the fact that all the speed related bits of this +register are cleared at the beginning of the mvneta_adjust_link() +function. + +This problem exists since c5aff18204da0 ("net: mvneta: driver for +Marvell Armada 370/XP network unit") which is the commit that +introduced the mvneta driver in the kernel. + +Cc: # v3.8+ +Fixes: c5aff18204da0 ("net: mvneta: driver for Marvell Armada 370/XP network unit") +Reported-by: Maggie Mae Roxas +Cc: Maggie Mae Roxas +Signed-off-by: Thomas Petazzoni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -2365,7 +2365,7 @@ static void mvneta_adjust_link(struct ne + + if (phydev->speed == SPEED_1000) + val |= MVNETA_GMAC_CONFIG_GMII_SPEED; +- else ++ else if (phydev->speed == SPEED_100) + val |= MVNETA_GMAC_CONFIG_MII_SPEED; + + mvreg_write(pp, MVNETA_GMAC_AUTONEG_CONFIG, val); diff --git a/queue-3.15/net-ppp-don-t-call-sk_chk_filter-twice.patch b/queue-3.15/net-ppp-don-t-call-sk_chk_filter-twice.patch new file mode 100644 index 00000000000..6472f822ae6 --- /dev/null +++ b/queue-3.15/net-ppp-don-t-call-sk_chk_filter-twice.patch @@ -0,0 +1,93 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Christoph Schulz +Date: Mon, 14 Jul 2014 08:01:10 +0200 +Subject: net: ppp: don't call sk_chk_filter twice + +From: Christoph Schulz + +[ Upstream commit 3916a3192793fd3c11f69d623ef0cdbdbf9ea10a ] + +Commit 568f194e8bd16c353ad50f9ab95d98b20578a39d ("net: ppp: use +sk_unattached_filter api") causes sk_chk_filter() to be called twice when +setting a PPP pass or active filter. This applies to both the generic PPP +subsystem implemented by drivers/net/ppp/ppp_generic.c and the ISDN PPP +subsystem implemented by drivers/isdn/i4l/isdn_ppp.c. The first call is from +within get_filter(). The second one is through the call chain + + ppp_ioctl() or isdn_ppp_ioctl() + --> sk_unattached_filter_create() + --> __sk_prepare_filter() + --> sk_chk_filter() + +The first call from within get_filter() should be deleted as get_filter() is +called just before calling sk_unattached_filter_create() later on, which +eventually calls sk_chk_filter() anyway. + +For 3.15.x, this proposed change is a bugfix rather than a pure optimization as +in that branch, sk_chk_filter() may replace filter codes by other codes which +are not recognized when executing sk_chk_filter() a second time. So with +3.15.x, if sk_chk_filter() is called twice, the second invocation may yield +EINVAL (this depends on the filter codes found in the filter to be set, but +because the replacement is done for frequently used codes, this is almost +always the case). The net effect is that setting pass and/or active PPP filters +does not work anymore, since sk_unattached_filter_create() always returns +EINVAL due to the second call to sk_chk_filter(), regardless whether the filter +was originally sane or not. + +Signed-off-by: Christoph Schulz +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/i4l/isdn_ppp.c | 8 +------- + drivers/net/ppp/ppp_generic.c | 8 +------- + 2 files changed, 2 insertions(+), 14 deletions(-) + +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -442,7 +442,7 @@ static int get_filter(void __user *arg, + { + struct sock_fprog uprog; + struct sock_filter *code = NULL; +- int len, err; ++ int len; + + if (copy_from_user(&uprog, arg, sizeof(uprog))) + return -EFAULT; +@@ -458,12 +458,6 @@ static int get_filter(void __user *arg, + if (IS_ERR(code)) + return PTR_ERR(code); + +- err = sk_chk_filter(code, uprog.len); +- if (err) { +- kfree(code); +- return err; +- } +- + *p = code; + return uprog.len; + } +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -539,7 +539,7 @@ static int get_filter(void __user *arg, + { + struct sock_fprog uprog; + struct sock_filter *code = NULL; +- int len, err; ++ int len; + + if (copy_from_user(&uprog, arg, sizeof(uprog))) + return -EFAULT; +@@ -554,12 +554,6 @@ static int get_filter(void __user *arg, + if (IS_ERR(code)) + return PTR_ERR(code); + +- err = sk_chk_filter(code, uprog.len); +- if (err) { +- kfree(code); +- return err; +- } +- + *p = code; + return uprog.len; + } diff --git a/queue-3.15/net-ppp-fix-creating-ppp-pass-and-active-filters.patch b/queue-3.15/net-ppp-fix-creating-ppp-pass-and-active-filters.patch new file mode 100644 index 00000000000..3915186706b --- /dev/null +++ b/queue-3.15/net-ppp-fix-creating-ppp-pass-and-active-filters.patch @@ -0,0 +1,117 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Christoph Schulz +Date: Wed, 16 Jul 2014 22:10:29 +0200 +Subject: net: ppp: fix creating PPP pass and active filters + +From: Christoph Schulz + +[ Upstream commit cc25eaae238ddd693aa5eaa73e565d8ff4915f6e ] + +Commit 568f194e8bd16c353ad50f9ab95d98b20578a39d ("net: ppp: use +sk_unattached_filter api") inadvertently changed the logic when setting +PPP pass and active filters. This applies to both the generic PPP subsystem +implemented by drivers/net/ppp/ppp_generic.c and the ISDN PPP subsystem +implemented by drivers/isdn/i4l/isdn_ppp.c. The original code in ppp_ioctl() +(or isdn_ppp_ioctl(), resp.) handling PPPIOCSPASS and PPPIOCSACTIVE allowed to +remove a pass/active filter previously set by using a filter of length zero. +However, with the new code this is not possible anymore as this case is not +explicitly checked for, which leads to passing NULL as a filter to +sk_unattached_filter_create(). This results in returning EINVAL to the caller. + +Additionally, the variables ppp->pass_filter and ppp->active_filter (or +is->pass_filter and is->active_filter, resp.) are not reset to NULL, although +the filters they point to may have been destroyed by +sk_unattached_filter_destroy(), so in this EINVAL case dangling pointers are +left behind (provided the pointers were previously non-NULL). + +This patch corrects both problems by checking whether the filter passed is +empty or non-empty, and prevents sk_unattached_filter_create() from being +called in the first case. Moreover, the pointers are always reset to NULL +as soon as sk_unattached_filter_destroy() returns. + +Signed-off-by: Christoph Schulz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/i4l/isdn_ppp.c | 20 ++++++++++++++++---- + drivers/net/ppp/ppp_generic.c | 22 ++++++++++++++++------ + 2 files changed, 32 insertions(+), 10 deletions(-) + +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -644,9 +644,15 @@ isdn_ppp_ioctl(int min, struct file *fil + fprog.len = len; + fprog.filter = code; + +- if (is->pass_filter) ++ if (is->pass_filter) { + sk_unattached_filter_destroy(is->pass_filter); +- err = sk_unattached_filter_create(&is->pass_filter, &fprog); ++ is->pass_filter = NULL; ++ } ++ if (fprog.filter != NULL) ++ err = sk_unattached_filter_create(&is->pass_filter, ++ &fprog); ++ else ++ err = 0; + kfree(code); + + return err; +@@ -663,9 +669,15 @@ isdn_ppp_ioctl(int min, struct file *fil + fprog.len = len; + fprog.filter = code; + +- if (is->active_filter) ++ if (is->active_filter) { + sk_unattached_filter_destroy(is->active_filter); +- err = sk_unattached_filter_create(&is->active_filter, &fprog); ++ is->active_filter = NULL; ++ } ++ if (fprog.filter != NULL) ++ err = sk_unattached_filter_create(&is->active_filter, ++ &fprog); ++ else ++ err = 0; + kfree(code); + + return err; +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -763,10 +763,15 @@ static long ppp_ioctl(struct file *file, + }; + + ppp_lock(ppp); +- if (ppp->pass_filter) ++ if (ppp->pass_filter) { + sk_unattached_filter_destroy(ppp->pass_filter); +- err = sk_unattached_filter_create(&ppp->pass_filter, +- &fprog); ++ ppp->pass_filter = NULL; ++ } ++ if (fprog.filter != NULL) ++ err = sk_unattached_filter_create(&ppp->pass_filter, ++ &fprog); ++ else ++ err = 0; + kfree(code); + ppp_unlock(ppp); + } +@@ -784,10 +789,15 @@ static long ppp_ioctl(struct file *file, + }; + + ppp_lock(ppp); +- if (ppp->active_filter) ++ if (ppp->active_filter) { + sk_unattached_filter_destroy(ppp->active_filter); +- err = sk_unattached_filter_create(&ppp->active_filter, +- &fprog); ++ ppp->active_filter = NULL; ++ } ++ if (fprog.filter != NULL) ++ err = sk_unattached_filter_create(&ppp->active_filter, ++ &fprog); ++ else ++ err = 0; + kfree(code); + ppp_unlock(ppp); + } diff --git a/queue-3.15/net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch b/queue-3.15/net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch new file mode 100644 index 00000000000..34483caffce --- /dev/null +++ b/queue-3.15/net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch @@ -0,0 +1,129 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Christoph Schulz +Date: Sun, 13 Jul 2014 00:53:15 +0200 +Subject: net: pppoe: use correct channel MTU when using Multilink PPP + +From: Christoph Schulz + +[ Upstream commit a8a3e41c67d24eb12f9ab9680cbb85e24fcd9711 ] + +The PPP channel MTU is used with Multilink PPP when ppp_mp_explode() (see +ppp_generic module) tries to determine how big a fragment might be. According +to RFC 1661, the MTU excludes the 2-byte PPP protocol field, see the +corresponding comment and code in ppp_mp_explode(): + + /* + * hdrlen includes the 2-byte PPP protocol field, but the + * MTU counts only the payload excluding the protocol field. + * (RFC1661 Section 2) + */ + mtu = pch->chan->mtu - (hdrlen - 2); + +However, the pppoe module *does* include the PPP protocol field in the channel +MTU, which is wrong as it causes the PPP payload to be 1-2 bytes too big under +certain circumstances (one byte if PPP protocol compression is used, two +otherwise), causing the generated Ethernet packets to be dropped. So the pppoe +module has to subtract two bytes from the channel MTU. This error only +manifests itself when using Multilink PPP, as otherwise the channel MTU is not +used anywhere. + +In the following, I will describe how to reproduce this bug. We configure two +pppd instances for multilink PPP over two PPPoE links, say eth2 and eth3, with +a MTU of 1492 bytes for each link and a MRRU of 2976 bytes. (This MRRU is +computed by adding the two link MTUs and subtracting the MP header twice, which +is 4 bytes long.) The necessary pppd statements on both sides are "multilink +mtu 1492 mru 1492 mrru 2976". On the client side, we additionally need "plugin +rp-pppoe.so eth2" and "plugin rp-pppoe.so eth3", respectively; on the server +side, we additionally need to start two pppoe-server instances to be able to +establish two PPPoE sessions, one over eth2 and one over eth3. We set the MTU +of the PPP network interface to the MRRU (2976) on both sides of the connection +in order to make use of the higher bandwidth. (If we didn't do that, IP +fragmentation would kick in, which we want to avoid.) + +Now we send a ICMPv4 echo request with a payload of 2948 bytes from client to +server over the PPP link. This results in the following network packet: + + 2948 (echo payload) + + 8 (ICMPv4 header) + + 20 (IPv4 header) +--------------------- + 2976 (PPP payload) + +These 2976 bytes do not exceed the MTU of the PPP network interface, so the +IP packet is not fragmented. Now the multilink PPP code in ppp_mp_explode() +prepends one protocol byte (0x21 for IPv4), making the packet one byte bigger +than the negotiated MRRU. So this packet would have to be divided in three +fragments. But this does not happen as each link MTU is assumed to be two bytes +larger. So this packet is diveded into two fragments only, one of size 1489 and +one of size 1488. Now we have for that bigger fragment: + + 1489 (PPP payload) + + 4 (MP header) + + 2 (PPP protocol field for the MP payload (0x3d)) + + 6 (PPPoE header) +-------------------------- + 1501 (Ethernet payload) + +This packet exceeds the link MTU and is discarded. + +If one configures the link MTU on the client side to 1501, one can see the +discarded Ethernet frames with tcpdump running on the client. A + +ping -s 2948 -c 1 192.168.15.254 + +leads to the smaller fragment that is correctly received on the server side: + +(tcpdump -vvvne -i eth3 pppoes and ppp proto 0x3d) +52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864), + length 1514: PPPoE [ses 0x3] MLPPP (0x003d), length 1494: seq 0x000, + Flags [end], length 1492 + +and to the bigger fragment that is not received on the server side: + +(tcpdump -vvvne -i eth2 pppoes and ppp proto 0x3d) +52:54:00:70:9e:89 > 52:54:00:5d:6f:b0, ethertype PPPoE S (0x8864), + length 1515: PPPoE [ses 0x5] MLPPP (0x003d), length 1495: seq 0x000, + Flags [begin], length 1493 + +With the patch below, we correctly obtain three fragments: + +52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864), + length 1514: PPPoE [ses 0x1] MLPPP (0x003d), length 1494: seq 0x000, + Flags [begin], length 1492 +52:54:00:70:9e:89 > 52:54:00:5d:6f:b0, ethertype PPPoE S (0x8864), + length 1514: PPPoE [ses 0x1] MLPPP (0x003d), length 1494: seq 0x000, + Flags [none], length 1492 +52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864), + length 27: PPPoE [ses 0x1] MLPPP (0x003d), length 7: seq 0x000, + Flags [end], length 5 + +And the ICMPv4 echo request is successfully received at the server side: + +IP (tos 0x0, ttl 64, id 21925, offset 0, flags [DF], proto ICMP (1), + length 2976) + 192.168.222.2 > 192.168.15.254: ICMP echo request, id 30530, seq 0, + length 2956 + +The bug was introduced in commit c9aa6895371b2a257401f59d3393c9f7ac5a8698 +("[PPPOE]: Advertise PPPoE MTU") from the very beginning. This patch applies +to 3.10 upwards but the fix can be applied (with minor modifications) to +kernels as old as 2.6.32. + +Signed-off-by: Christoph Schulz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -675,7 +675,7 @@ static int pppoe_connect(struct socket * + po->chan.hdrlen = (sizeof(struct pppoe_hdr) + + dev->hard_header_len); + +- po->chan.mtu = dev->mtu - sizeof(struct pppoe_hdr); ++ po->chan.mtu = dev->mtu - sizeof(struct pppoe_hdr) - 2; + po->chan.private = sk; + po->chan.ops = &pppoe_chan_ops; + diff --git a/queue-3.15/net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch b/queue-3.15/net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch new file mode 100644 index 00000000000..8ad1c87c4b3 --- /dev/null +++ b/queue-3.15/net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Bernd Wachter +Date: Tue, 1 Jul 2014 22:01:09 +0300 +Subject: net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bernd Wachter + +[ Upstream commit 8dcb4b1526747d8431f9895e153dd478c9d16186 ] + +There's a new version of the Telewell 4G modem working with, but not +recognized by this driver. + +Signed-off-by: Bernd Wachter +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -741,6 +741,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x1424, 2)}, + {QMI_FIXED_INTF(0x19d2, 0x1425, 2)}, + {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ ++ {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ diff --git a/queue-3.15/net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch b/queue-3.15/net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch new file mode 100644 index 00000000000..1ead9cf9deb --- /dev/null +++ b/queue-3.15/net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Thu, 17 Jul 2014 13:33:51 +0200 +Subject: net: qmi_wwan: add two Sierra Wireless/Netgear devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 5343330010a892b76a97fd93ad3c455a4a32a7fb ] + +Add two device IDs found in an out-of-tree driver downloadable +from Netgear. + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -667,6 +667,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, ++ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ + {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ +@@ -757,6 +758,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x9054, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9055, 8)}, /* Netgear AirCard 341U */ + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ diff --git a/queue-3.15/net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch b/queue-3.15/net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch new file mode 100644 index 00000000000..4579d3431a8 --- /dev/null +++ b/queue-3.15/net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Daniel Borkmann +Date: Wed, 18 Jun 2014 23:46:31 +0200 +Subject: net: sctp: check proc_dointvec result in proc_sctp_do_auth + +From: Daniel Borkmann + +[ Upstream commit 24599e61b7552673dd85971cf5a35369cd8c119e ] + +When writing to the sysctl field net.sctp.auth_enable, it can well +be that the user buffer we handed over to proc_dointvec() via +proc_sctp_do_auth() handler contains something other than integers. + +In that case, we would set an uninitialized 4-byte value from the +stack to net->sctp.auth_enable that can be leaked back when reading +the sysctl variable, and it can unintentionally turn auth_enable +on/off based on the stack content since auth_enable is interpreted +as a boolean. + +Fix it up by making sure proc_dointvec() returned sucessfully. + +Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint") +Reported-by: Florian Westphal +Signed-off-by: Daniel Borkmann +Acked-by: Neil Horman +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -423,8 +423,7 @@ static int proc_sctp_do_auth(struct ctl_ + tbl.data = &net->sctp.auth_enable; + + ret = proc_dointvec(&tbl, write, buffer, lenp, ppos); +- +- if (write) { ++ if (write && ret == 0) { + struct sock *sk = net->sctp.ctl_sock; + + net->sctp.auth_enable = new_value; diff --git a/queue-3.15/net-sctp-fix-information-leaks-in-ulpevent-layer.patch b/queue-3.15/net-sctp-fix-information-leaks-in-ulpevent-layer.patch new file mode 100644 index 00000000000..556b754c238 --- /dev/null +++ b/queue-3.15/net-sctp-fix-information-leaks-in-ulpevent-layer.patch @@ -0,0 +1,256 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Daniel Borkmann +Date: Sat, 12 Jul 2014 20:30:35 +0200 +Subject: net: sctp: fix information leaks in ulpevent layer + +From: Daniel Borkmann + +[ Upstream commit 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea ] + +While working on some other SCTP code, I noticed that some +structures shared with user space are leaking uninitialized +stack or heap buffer. In particular, struct sctp_sndrcvinfo +has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that +remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when +putting this into cmsg. But also struct sctp_remote_error +contains a 2 bytes hole that we don't fill but place into a skb +through skb_copy_expand() via sctp_ulpevent_make_remote_error(). + +Both structures are defined by the IETF in RFC6458: + +* Section 5.3.2. SCTP Header Information Structure: + + The sctp_sndrcvinfo structure is defined below: + + struct sctp_sndrcvinfo { + uint16_t sinfo_stream; + uint16_t sinfo_ssn; + uint16_t sinfo_flags; + <-- 2 bytes hole --> + uint32_t sinfo_ppid; + uint32_t sinfo_context; + uint32_t sinfo_timetolive; + uint32_t sinfo_tsn; + uint32_t sinfo_cumtsn; + sctp_assoc_t sinfo_assoc_id; + }; + +* 6.1.3. SCTP_REMOTE_ERROR: + + A remote peer may send an Operation Error message to its peer. + This message indicates a variety of error conditions on an + association. The entire ERROR chunk as it appears on the wire + is included in an SCTP_REMOTE_ERROR event. Please refer to the + SCTP specification [RFC4960] and any extensions for a list of + possible error formats. An SCTP error notification has the + following format: + + struct sctp_remote_error { + uint16_t sre_type; + uint16_t sre_flags; + uint32_t sre_length; + uint16_t sre_error; + <-- 2 bytes hole --> + sctp_assoc_t sre_assoc_id; + uint8_t sre_data[]; + }; + +Fix this by setting both to 0 before filling them out. We also +have other structures shared between user and kernel space in +SCTP that contains holes (e.g. struct sctp_paddrthlds), but we +copy that buffer over from user space first and thus don't need +to care about it in that cases. + +While at it, we can also remove lengthy comments copied from +the draft, instead, we update the comment with the correct RFC +number where one can look it up. + +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ulpevent.c | 122 ++++++---------------------------------------------- + 1 file changed, 15 insertions(+), 107 deletions(-) + +--- a/net/sctp/ulpevent.c ++++ b/net/sctp/ulpevent.c +@@ -366,9 +366,10 @@ fail: + * specification [SCTP] and any extensions for a list of possible + * error formats. + */ +-struct sctp_ulpevent *sctp_ulpevent_make_remote_error( +- const struct sctp_association *asoc, struct sctp_chunk *chunk, +- __u16 flags, gfp_t gfp) ++struct sctp_ulpevent * ++sctp_ulpevent_make_remote_error(const struct sctp_association *asoc, ++ struct sctp_chunk *chunk, __u16 flags, ++ gfp_t gfp) + { + struct sctp_ulpevent *event; + struct sctp_remote_error *sre; +@@ -387,8 +388,7 @@ struct sctp_ulpevent *sctp_ulpevent_make + /* Copy the skb to a new skb with room for us to prepend + * notification with. + */ +- skb = skb_copy_expand(chunk->skb, sizeof(struct sctp_remote_error), +- 0, gfp); ++ skb = skb_copy_expand(chunk->skb, sizeof(*sre), 0, gfp); + + /* Pull off the rest of the cause TLV from the chunk. */ + skb_pull(chunk->skb, elen); +@@ -399,62 +399,21 @@ struct sctp_ulpevent *sctp_ulpevent_make + event = sctp_skb2event(skb); + sctp_ulpevent_init(event, MSG_NOTIFICATION, skb->truesize); + +- sre = (struct sctp_remote_error *) +- skb_push(skb, sizeof(struct sctp_remote_error)); ++ sre = (struct sctp_remote_error *) skb_push(skb, sizeof(*sre)); + + /* Trim the buffer to the right length. */ +- skb_trim(skb, sizeof(struct sctp_remote_error) + elen); ++ skb_trim(skb, sizeof(*sre) + elen); + +- /* Socket Extensions for SCTP +- * 5.3.1.3 SCTP_REMOTE_ERROR +- * +- * sre_type: +- * It should be SCTP_REMOTE_ERROR. +- */ ++ /* RFC6458, Section 6.1.3. SCTP_REMOTE_ERROR */ ++ memset(sre, 0, sizeof(*sre)); + sre->sre_type = SCTP_REMOTE_ERROR; +- +- /* +- * Socket Extensions for SCTP +- * 5.3.1.3 SCTP_REMOTE_ERROR +- * +- * sre_flags: 16 bits (unsigned integer) +- * Currently unused. +- */ + sre->sre_flags = 0; +- +- /* Socket Extensions for SCTP +- * 5.3.1.3 SCTP_REMOTE_ERROR +- * +- * sre_length: sizeof (__u32) +- * +- * This field is the total length of the notification data, +- * including the notification header. +- */ + sre->sre_length = skb->len; +- +- /* Socket Extensions for SCTP +- * 5.3.1.3 SCTP_REMOTE_ERROR +- * +- * sre_error: 16 bits (unsigned integer) +- * This value represents one of the Operational Error causes defined in +- * the SCTP specification, in network byte order. +- */ + sre->sre_error = cause; +- +- /* Socket Extensions for SCTP +- * 5.3.1.3 SCTP_REMOTE_ERROR +- * +- * sre_assoc_id: sizeof (sctp_assoc_t) +- * +- * The association id field, holds the identifier for the association. +- * All notifications for a given association have the same association +- * identifier. For TCP style socket, this field is ignored. +- */ + sctp_ulpevent_set_owner(event, asoc); + sre->sre_assoc_id = sctp_assoc2id(asoc); + + return event; +- + fail: + return NULL; + } +@@ -899,7 +858,9 @@ __u16 sctp_ulpevent_get_notification_typ + return notification->sn_header.sn_type; + } + +-/* Copy out the sndrcvinfo into a msghdr. */ ++/* RFC6458, Section 5.3.2. SCTP Header Information Structure ++ * (SCTP_SNDRCV, DEPRECATED) ++ */ + void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event, + struct msghdr *msghdr) + { +@@ -908,74 +869,21 @@ void sctp_ulpevent_read_sndrcvinfo(const + if (sctp_ulpevent_is_notification(event)) + return; + +- /* Sockets API Extensions for SCTP +- * Section 5.2.2 SCTP Header Information Structure (SCTP_SNDRCV) +- * +- * sinfo_stream: 16 bits (unsigned integer) +- * +- * For recvmsg() the SCTP stack places the message's stream number in +- * this value. +- */ ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.sinfo_stream = event->stream; +- /* sinfo_ssn: 16 bits (unsigned integer) +- * +- * For recvmsg() this value contains the stream sequence number that +- * the remote endpoint placed in the DATA chunk. For fragmented +- * messages this is the same number for all deliveries of the message +- * (if more than one recvmsg() is needed to read the message). +- */ + sinfo.sinfo_ssn = event->ssn; +- /* sinfo_ppid: 32 bits (unsigned integer) +- * +- * In recvmsg() this value is +- * the same information that was passed by the upper layer in the peer +- * application. Please note that byte order issues are NOT accounted +- * for and this information is passed opaquely by the SCTP stack from +- * one end to the other. +- */ + sinfo.sinfo_ppid = event->ppid; +- /* sinfo_flags: 16 bits (unsigned integer) +- * +- * This field may contain any of the following flags and is composed of +- * a bitwise OR of these values. +- * +- * recvmsg() flags: +- * +- * SCTP_UNORDERED - This flag is present when the message was sent +- * non-ordered. +- */ + sinfo.sinfo_flags = event->flags; +- /* sinfo_tsn: 32 bit (unsigned integer) +- * +- * For the receiving side, this field holds a TSN that was +- * assigned to one of the SCTP Data Chunks. +- */ + sinfo.sinfo_tsn = event->tsn; +- /* sinfo_cumtsn: 32 bit (unsigned integer) +- * +- * This field will hold the current cumulative TSN as +- * known by the underlying SCTP layer. Note this field is +- * ignored when sending and only valid for a receive +- * operation when sinfo_flags are set to SCTP_UNORDERED. +- */ + sinfo.sinfo_cumtsn = event->cumtsn; +- /* sinfo_assoc_id: sizeof (sctp_assoc_t) +- * +- * The association handle field, sinfo_assoc_id, holds the identifier +- * for the association announced in the COMMUNICATION_UP notification. +- * All notifications for a given association have the same identifier. +- * Ignored for one-to-one style sockets. +- */ + sinfo.sinfo_assoc_id = sctp_assoc2id(event->asoc); +- +- /* context value that is set via SCTP_CONTEXT socket option. */ ++ /* Context value that is set via SCTP_CONTEXT socket option. */ + sinfo.sinfo_context = event->asoc->default_rcv_context; +- + /* These fields are not used while receiving. */ + sinfo.sinfo_timetolive = 0; + + put_cmsg(msghdr, IPPROTO_SCTP, SCTP_SNDRCV, +- sizeof(struct sctp_sndrcvinfo), (void *)&sinfo); ++ sizeof(sinfo), &sinfo); + } + + /* Do accounting for bytes received and hold a reference to the association diff --git a/queue-3.15/net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch b/queue-3.15/net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch new file mode 100644 index 00000000000..5ee81f966a2 --- /dev/null +++ b/queue-3.15/net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch @@ -0,0 +1,150 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Daniel Borkmann +Date: Thu, 19 Jun 2014 01:31:30 +0200 +Subject: net: sctp: propagate sysctl errors from proc_do* properly + +From: Daniel Borkmann + +[ Upstream commit ff5e92c1affe7166b3f6e7073e648ed65a6e2e59 ] + +sysctl handler proc_sctp_do_hmac_alg(), proc_sctp_do_rto_min() and +proc_sctp_do_rto_max() do not properly reflect some error cases +when writing values via sysctl from internal proc functions such +as proc_dointvec() and proc_dostring(). + +In all these cases we pass the test for write != 0 and partially +do additional work just to notice that additional sanity checks +fail and we return with hard-coded -EINVAL while proc_do* +functions might also return different errors. So fix this up by +simply testing a successful return of proc_do* right after +calling it. + +This also allows to propagate its return value onwards to the user. +While touching this, also fix up some minor style issues. + +Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") +Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic") +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 43 +++++++++++++++++++++++-------------------- + 1 file changed, 23 insertions(+), 20 deletions(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -307,41 +307,40 @@ static int proc_sctp_do_hmac_alg(struct + loff_t *ppos) + { + struct net *net = current->nsproxy->net_ns; +- char tmp[8]; + struct ctl_table tbl; +- int ret; +- int changed = 0; ++ bool changed = false; + char *none = "none"; ++ char tmp[8]; ++ int ret; + + memset(&tbl, 0, sizeof(struct ctl_table)); + + if (write) { + tbl.data = tmp; +- tbl.maxlen = 8; ++ tbl.maxlen = sizeof(tmp); + } else { + tbl.data = net->sctp.sctp_hmac_alg ? : none; + tbl.maxlen = strlen(tbl.data); + } +- ret = proc_dostring(&tbl, write, buffer, lenp, ppos); + +- if (write) { ++ ret = proc_dostring(&tbl, write, buffer, lenp, ppos); ++ if (write && ret == 0) { + #ifdef CONFIG_CRYPTO_MD5 + if (!strncmp(tmp, "md5", 3)) { + net->sctp.sctp_hmac_alg = "md5"; +- changed = 1; ++ changed = true; + } + #endif + #ifdef CONFIG_CRYPTO_SHA1 + if (!strncmp(tmp, "sha1", 4)) { + net->sctp.sctp_hmac_alg = "sha1"; +- changed = 1; ++ changed = true; + } + #endif + if (!strncmp(tmp, "none", 4)) { + net->sctp.sctp_hmac_alg = NULL; +- changed = 1; ++ changed = true; + } +- + if (!changed) + ret = -EINVAL; + } +@@ -354,11 +353,10 @@ static int proc_sctp_do_rto_min(struct c + loff_t *ppos) + { + struct net *net = current->nsproxy->net_ns; +- int new_value; +- struct ctl_table tbl; + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; +- int ret; ++ struct ctl_table tbl; ++ int ret, new_value; + + memset(&tbl, 0, sizeof(struct ctl_table)); + tbl.maxlen = sizeof(unsigned int); +@@ -367,12 +365,15 @@ static int proc_sctp_do_rto_min(struct c + tbl.data = &new_value; + else + tbl.data = &net->sctp.rto_min; ++ + ret = proc_dointvec(&tbl, write, buffer, lenp, ppos); +- if (write) { +- if (ret || new_value > max || new_value < min) ++ if (write && ret == 0) { ++ if (new_value > max || new_value < min) + return -EINVAL; ++ + net->sctp.rto_min = new_value; + } ++ + return ret; + } + +@@ -381,11 +382,10 @@ static int proc_sctp_do_rto_max(struct c + loff_t *ppos) + { + struct net *net = current->nsproxy->net_ns; +- int new_value; +- struct ctl_table tbl; + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; +- int ret; ++ struct ctl_table tbl; ++ int ret, new_value; + + memset(&tbl, 0, sizeof(struct ctl_table)); + tbl.maxlen = sizeof(unsigned int); +@@ -394,12 +394,15 @@ static int proc_sctp_do_rto_max(struct c + tbl.data = &new_value; + else + tbl.data = &net->sctp.rto_max; ++ + ret = proc_dointvec(&tbl, write, buffer, lenp, ppos); +- if (write) { +- if (ret || new_value > max || new_value < min) ++ if (write && ret == 0) { ++ if (new_value > max || new_value < min) + return -EINVAL; ++ + net->sctp.rto_max = new_value; + } ++ + return ret; + } + diff --git a/queue-3.15/netlink-fix-handling-of-error-from-netlink_dump.patch b/queue-3.15/netlink-fix-handling-of-error-from-netlink_dump.patch new file mode 100644 index 00000000000..933501ddbdb --- /dev/null +++ b/queue-3.15/netlink-fix-handling-of-error-from-netlink_dump.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Ben Pfaff +Date: Wed, 9 Jul 2014 10:31:22 -0700 +Subject: netlink: Fix handling of error from netlink_dump(). + +From: Ben Pfaff + +[ Upstream commit ac30ef832e6af0505b6f0251a6659adcfa74975e ] + +netlink_dump() returns a negative errno value on error. Until now, +netlink_recvmsg() directly recorded that negative value in sk->sk_err, but +that's wrong since sk_err takes positive errno values. (This manifests as +userspace receiving a positive return value from the recv() system call, +falsely indicating success.) This bug was introduced in the commit that +started checking the netlink_dump() return value, commit b44d211 (netlink: +handle errors from netlink_dump()). + +Multithreaded Netlink dumps are one way to trigger this behavior in +practice, as described in the commit message for the userspace workaround +posted here: + http://openvswitch.org/pipermail/dev/2014-June/042339.html + +This commit also fixes the same bug in netlink_poll(), introduced in commit +cd1df525d (netlink: add flow control for memory mapped I/O). + +Signed-off-by: Ben Pfaff +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -636,7 +636,7 @@ static unsigned int netlink_poll(struct + while (nlk->cb_running && netlink_dump_space(nlk)) { + err = netlink_dump(sk); + if (err < 0) { +- sk->sk_err = err; ++ sk->sk_err = -err; + sk->sk_error_report(sk); + break; + } +@@ -2453,7 +2453,7 @@ static int netlink_recvmsg(struct kiocb + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { + ret = netlink_dump(sk); + if (ret) { +- sk->sk_err = ret; ++ sk->sk_err = -ret; + sk->sk_error_report(sk); + } + } diff --git a/queue-3.15/r8152-fix-r8152_csum_workaround-function.patch b/queue-3.15/r8152-fix-r8152_csum_workaround-function.patch new file mode 100644 index 00000000000..4d7c1e49c0d --- /dev/null +++ b/queue-3.15/r8152-fix-r8152_csum_workaround-function.patch @@ -0,0 +1,31 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: hayeswang +Date: Fri, 11 Jul 2014 16:48:27 +0800 +Subject: r8152: fix r8152_csum_workaround function + +From: hayeswang + +[ Upstream commit a91d45f1a343188793d6f2bdf1a72c64015a8255 ] + +The transport offset of the IPv4 packet should be fixed and wouldn't +be out of the hw limitation, so the r8152_csum_workaround() should +be used for IPv6 packets. + +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1361,7 +1361,7 @@ static void r8152_csum_workaround(struct + struct sk_buff_head seg_list; + struct sk_buff *segs, *nskb; + +- features &= ~(NETIF_F_IP_CSUM | NETIF_F_SG | NETIF_F_TSO); ++ features &= ~(NETIF_F_SG | NETIF_F_IPV6_CSUM | NETIF_F_TSO6); + segs = skb_gso_segment(skb, features); + if (IS_ERR(segs) || !segs) + goto drop; diff --git a/queue-3.15/series b/queue-3.15/series index 543ce771c41..0ab1c979e4d 100644 --- a/queue-3.15/series +++ b/queue-3.15/series @@ -29,3 +29,50 @@ iwlwifi-dvm-don-t-enable-cts-to-self.patch shmem-fix-faulting-into-a-hole-while-it-s-punched.patch shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch shmem-fix-splicing-from-a-hole-while-it-s-punched.patch +net-mlx4_core-fix-the-error-flow-when-probing-with-invalid-vf-configuration.patch +net-mlx4_en-don-t-configure-the-hw-vxlan-parser-when-vxlan-offloading-isn-t-set.patch +ip_tunnel-fix-ip_tunnel_lookup.patch +slip-fix-deadlock-in-write_wakeup.patch +slcan-port-write_wakeup-deadlock-fix-from-slip.patch +net-sctp-propagate-sysctl-errors-from-proc_do-properly.patch +net-filter-fix-upper-bpf-instruction-limit.patch +tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch +net-sctp-check-proc_dointvec-result-in-proc_sctp_do_auth.patch +8021q-fix-a-potential-memory-leak.patch +drivers-net-cpsw-fix-dual-emac-stall-when-connected-to-same-switch.patch +net-huawei_cdc_ncm-increase-command-buffer-size.patch +net-fix-udp-tunnel-gso-of-frag_list-gro-packets.patch +ipv4-fix-dst-race-in-sk_dst_get.patch +ipv4-irq-safe-sk_dst_set-and-ipv4_sk_update_pmtu-fix.patch +net-fix-sparse-warning-in-sk_dst_set.patch +vlan-free-percpu-stats-in-device-destructor.patch +bnx2x-fix-possible-panic-under-memory-stress.patch +tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch +ipv4-icmp-fix-pmtu-handling-for-rare-case.patch +net-qmi_wwan-add-id-for-telewell-tw-lte-4g-v2.patch +net-qmi_wwan-add-two-sierra-wireless-netgear-devices.patch +net-fix-netdev_change-notifier-usage-causing-spurious-arp-flush.patch +igmp-fix-the-problem-when-mc-leave-group.patch +tcp-fix-false-undo-corner-cases.patch +appletalk-fix-socket-referencing-in-skb.patch +net-mvneta-fix-operation-in-10-mbit-s-mode.patch +net-mvneta-fix-big-endian-issue-in-mvneta_txq_desc_csum.patch +netlink-fix-handling-of-error-from-netlink_dump.patch +be2net-set-eq-db-clear-intr-bit-in-be_open.patch +r8152-fix-r8152_csum_workaround-function.patch +tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch +net-sctp-fix-information-leaks-in-ulpevent-layer.patch +net-pppoe-use-correct-channel-mtu-when-using-multilink-ppp.patch +bonding-fix-ad_select-module-param-check.patch +net-gre-gro-fix-a-bug-that-breaks-the-forwarding-path.patch +sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch +net-ppp-fix-creating-ppp-pass-and-active-filters.patch +net-huawei_cdc_ncm-add-subclass-3-devices.patch +net-ppp-don-t-call-sk_chk_filter-twice.patch +dns_resolver-assure-that-dns_query-result-is-null-terminated.patch +dns_resolver-null-terminate-the-right-string.patch +ipv4-fix-buffer-overflow-in-ip_options_compile.patch +xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch +xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch +xen-netback-fix-releasing-header-slot-on-error-path.patch +xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch diff --git a/queue-3.15/slcan-port-write_wakeup-deadlock-fix-from-slip.patch b/queue-3.15/slcan-port-write_wakeup-deadlock-fix-from-slip.patch new file mode 100644 index 00000000000..8272b5b6e08 --- /dev/null +++ b/queue-3.15/slcan-port-write_wakeup-deadlock-fix-from-slip.patch @@ -0,0 +1,120 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Tyler Hall +Date: Sun, 15 Jun 2014 22:23:17 -0400 +Subject: slcan: Port write_wakeup deadlock fix from slip + +From: Tyler Hall + +[ Upstream commit a8e83b17536aad603fbeae4c460f2da0ee9fe6ed ] + +The commit "slip: Fix deadlock in write_wakeup" fixes a deadlock caused +by a change made in both slcan and slip. This is a direct port of that +fix. + +Signed-off-by: Tyler Hall +Cc: Oliver Hartkopp +Cc: Andre Naujoks +Cc: David S. Miller +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -85,6 +86,7 @@ struct slcan { + struct tty_struct *tty; /* ptr to TTY structure */ + struct net_device *dev; /* easy for intr handling */ + spinlock_t lock; ++ struct work_struct tx_work; /* Flushes transmit buffer */ + + /* These are pointers to the malloc()ed frame buffers. */ + unsigned char rbuff[SLC_MTU]; /* receiver buffer */ +@@ -309,36 +311,46 @@ static void slc_encaps(struct slcan *sl, + sl->dev->stats.tx_bytes += cf->can_dlc; + } + +-/* +- * Called by the driver when there's room for more data. If we have +- * more packets to send, we send them here. +- */ +-static void slcan_write_wakeup(struct tty_struct *tty) ++/* Write out any remaining transmit buffer. Scheduled when tty is writable */ ++static void slcan_transmit(struct work_struct *work) + { ++ struct slcan *sl = container_of(work, struct slcan, tx_work); + int actual; +- struct slcan *sl = (struct slcan *) tty->disc_data; + ++ spin_lock_bh(&sl->lock); + /* First make sure we're connected. */ +- if (!sl || sl->magic != SLCAN_MAGIC || !netif_running(sl->dev)) ++ if (!sl->tty || sl->magic != SLCAN_MAGIC || !netif_running(sl->dev)) { ++ spin_unlock_bh(&sl->lock); + return; ++ } + +- spin_lock_bh(&sl->lock); + if (sl->xleft <= 0) { + /* Now serial buffer is almost free & we can start + * transmission of another packet */ + sl->dev->stats.tx_packets++; +- clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); ++ clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags); + spin_unlock_bh(&sl->lock); + netif_wake_queue(sl->dev); + return; + } + +- actual = tty->ops->write(tty, sl->xhead, sl->xleft); ++ actual = sl->tty->ops->write(sl->tty, sl->xhead, sl->xleft); + sl->xleft -= actual; + sl->xhead += actual; + spin_unlock_bh(&sl->lock); + } + ++/* ++ * Called by the driver when there's room for more data. ++ * Schedule the transmit. ++ */ ++static void slcan_write_wakeup(struct tty_struct *tty) ++{ ++ struct slcan *sl = tty->disc_data; ++ ++ schedule_work(&sl->tx_work); ++} ++ + /* Send a can_frame to a TTY queue. */ + static netdev_tx_t slc_xmit(struct sk_buff *skb, struct net_device *dev) + { +@@ -528,6 +540,7 @@ static struct slcan *slc_alloc(dev_t lin + sl->magic = SLCAN_MAGIC; + sl->dev = dev; + spin_lock_init(&sl->lock); ++ INIT_WORK(&sl->tx_work, slcan_transmit); + slcan_devs[i] = dev; + + return sl; +@@ -626,8 +639,12 @@ static void slcan_close(struct tty_struc + if (!sl || sl->magic != SLCAN_MAGIC || sl->tty != tty) + return; + ++ spin_lock_bh(&sl->lock); + tty->disc_data = NULL; + sl->tty = NULL; ++ spin_unlock_bh(&sl->lock); ++ ++ flush_work(&sl->tx_work); + + /* Flush network side */ + unregister_netdev(sl->dev); diff --git a/queue-3.15/slip-fix-deadlock-in-write_wakeup.patch b/queue-3.15/slip-fix-deadlock-in-write_wakeup.patch new file mode 100644 index 00000000000..be669f706d2 --- /dev/null +++ b/queue-3.15/slip-fix-deadlock-in-write_wakeup.patch @@ -0,0 +1,201 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Tyler Hall +Date: Sun, 15 Jun 2014 22:23:16 -0400 +Subject: slip: Fix deadlock in write_wakeup + +From: Tyler Hall + +[ Upstream commit 661f7fda21b15ec52f57fcd397c03370acc28688 ] + +Use schedule_work() to avoid potentially taking the spinlock in +interrupt context. + +Commit cc9fa74e2a ("slip/slcan: added locking in wakeup function") added +necessary locking to the wakeup function and 367525c8c2/ddcde142be ("can: +slcan: Fix spinlock variant") converted it to spin_lock_bh() because the lock +is also taken in timers. + +Disabling softirqs is not sufficient, however, as tty drivers may call +write_wakeup from interrupt context. This driver calls tty->ops->write() with +its spinlock held, which may immediately cause an interrupt on the same CPU and +subsequent spin_bug(). + +Simply converting to spin_lock_irq/irqsave() prevents this deadlock, but +causes lockdep to point out a possible circular locking dependency +between these locks: + +(&(&sl->lock)->rlock){-.....}, at: slip_write_wakeup +(&port_lock_key){-.....}, at: serial8250_handle_irq.part.13 + +The slip transmit is holding the slip spinlock when calling the tty write. +This grabs the port lock. On an interrupt, the handler grabs the port +lock and calls write_wakeup which grabs the slip lock. This could be a +problem if a serial interrupt occurs on another CPU during the slip +transmit. + +To deal with these issues, don't grab the lock in the wakeup function by +deferring the writeout to a workqueue. Also hold the lock during close +when de-assigning the tty pointer to safely disarm the worker and +timers. + +This bug is easily reproducible on the first transmit when slip is +used with the standard 8250 serial driver. + +[] (spin_bug+0x0/0x38) from [] (do_raw_spin_lock+0x60/0x1d0) + r5:eab27000 r4:ec02754c +[] (do_raw_spin_lock+0x0/0x1d0) from [] (_raw_spin_lock+0x28/0x2c) + r10:0000001f r9:eabb814c r8:eabb8140 r7:40070193 r6:ec02754c r5:eab27000 + r4:ec02754c r3:00000000 +[] (_raw_spin_lock+0x0/0x2c) from [] (slip_write_wakeup+0x50/0xe0 [slip]) + r4:ec027540 r3:00000003 +[] (slip_write_wakeup+0x0/0xe0 [slip]) from [] (tty_wakeup+0x48/0x68) + r6:00000000 r5:ea80c480 r4:eab27000 r3:bf3a01d0 +[] (tty_wakeup+0x0/0x68) from [] (uart_write_wakeup+0x2c/0x30) + r5:ed68ea90 r4:c06790d8 +[] (uart_write_wakeup+0x0/0x30) from [] (serial8250_tx_chars+0x114/0x170) +[] (serial8250_tx_chars+0x0/0x170) from [] (serial8250_handle_irq+0xa0/0xbc) + r6:000000c2 r5:00000060 r4:c06790d8 r3:00000000 +[] (serial8250_handle_irq+0x0/0xbc) from [] (dw8250_handle_irq+0x38/0x64) + r7:00000000 r6:edd2f390 r5:000000c2 r4:c06790d8 +[] (dw8250_handle_irq+0x0/0x64) from [] (serial8250_interrupt+0x44/0xc4) + r6:00000000 r5:00000000 r4:c06791c4 r3:c029336c +[] (serial8250_interrupt+0x0/0xc4) from [] (handle_irq_event_percpu+0xb4/0x2b0) + r10:c06790d8 r9:eab27000 r8:00000000 r7:00000000 r6:0000001f r5:edd52980 + r4:ec53b6c0 r3:c028d2b0 +[] (handle_irq_event_percpu+0x0/0x2b0) from [] (handle_irq_event+0x4c/0x6c) + r10:c06790d8 r9:eab27000 r8:c0673ae0 r7:c05c2020 r6:ec53b6c0 r5:edd529d4 + r4:edd52980 +[] (handle_irq_event+0x0/0x6c) from [] (handle_level_irq+0xe8/0x100) + r6:00000000 r5:edd529d4 r4:edd52980 r3:00022000 +[] (handle_level_irq+0x0/0x100) from [] (generic_handle_irq+0x30/0x40) + r5:0000001f r4:0000001f +[] (generic_handle_irq+0x0/0x40) from [] (handle_IRQ+0xd0/0x13c) + r4:ea997b18 r3:000000e0 +[] (handle_IRQ+0x0/0x13c) from [] (armada_370_xp_handle_irq+0x4c/0x118) + r8:000003ff r7:ea997b18 r6:ffffffff r5:60070013 r4:c0674dc0 +[] (armada_370_xp_handle_irq+0x0/0x118) from [] (__irq_svc+0x40/0x70) +Exception stack(0xea997b18 to 0xea997b60) +7b00: 00000001 20070013 +7b20: 00000000 0000000b 20070013 eab27000 20070013 00000000 ed10103e eab27000 +7b40: c06790d8 ea997b74 ea997b60 ea997b60 c04186c0 c04186c8 60070013 ffffffff + r9:eab27000 r8:ed10103e r7:ea997b4c r6:ffffffff r5:60070013 r4:c04186c8 +[] (_raw_spin_unlock_irqrestore+0x0/0x54) from [] (uart_start+0x40/0x44) + r4:c06790d8 r3:c028ddd8 +[] (uart_start+0x0/0x44) from [] (uart_write+0xe4/0xf4) + r6:0000003e r5:00000000 r4:ed68ea90 r3:0000003e +[] (uart_write+0x0/0xf4) from [] (sl_xmit+0x1c4/0x228 [slip]) + r10:ed388e60 r9:0000003c r8:ffffffdd r7:0000003e r6:ec02754c r5:ea717eb8 + r4:ec027000 +[] (sl_xmit+0x0/0x228 [slip]) from [] (dev_hard_start_xmit+0x39c/0x6d0) + r8:eaf163c0 r7:ec027000 r6:ea717eb8 r5:00000000 r4:00000000 + +Signed-off-by: Tyler Hall +Cc: Oliver Hartkopp +Cc: Andre Naujoks +Cc: David S. Miller +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/slip/slip.c | 36 ++++++++++++++++++++++++++---------- + drivers/net/slip/slip.h | 1 + + 2 files changed, 27 insertions(+), 10 deletions(-) + +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -83,6 +83,7 @@ + #include + #include + #include ++#include + #include "slip.h" + #ifdef CONFIG_INET + #include +@@ -416,36 +417,46 @@ static void sl_encaps(struct slip *sl, u + #endif + } + +-/* +- * Called by the driver when there's room for more data. If we have +- * more packets to send, we send them here. +- */ +-static void slip_write_wakeup(struct tty_struct *tty) ++/* Write out any remaining transmit buffer. Scheduled when tty is writable */ ++static void slip_transmit(struct work_struct *work) + { ++ struct slip *sl = container_of(work, struct slip, tx_work); + int actual; +- struct slip *sl = tty->disc_data; + ++ spin_lock_bh(&sl->lock); + /* First make sure we're connected. */ +- if (!sl || sl->magic != SLIP_MAGIC || !netif_running(sl->dev)) ++ if (!sl->tty || sl->magic != SLIP_MAGIC || !netif_running(sl->dev)) { ++ spin_unlock_bh(&sl->lock); + return; ++ } + +- spin_lock_bh(&sl->lock); + if (sl->xleft <= 0) { + /* Now serial buffer is almost free & we can start + * transmission of another packet */ + sl->dev->stats.tx_packets++; +- clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); ++ clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags); + spin_unlock_bh(&sl->lock); + sl_unlock(sl); + return; + } + +- actual = tty->ops->write(tty, sl->xhead, sl->xleft); ++ actual = sl->tty->ops->write(sl->tty, sl->xhead, sl->xleft); + sl->xleft -= actual; + sl->xhead += actual; + spin_unlock_bh(&sl->lock); + } + ++/* ++ * Called by the driver when there's room for more data. ++ * Schedule the transmit. ++ */ ++static void slip_write_wakeup(struct tty_struct *tty) ++{ ++ struct slip *sl = tty->disc_data; ++ ++ schedule_work(&sl->tx_work); ++} ++ + static void sl_tx_timeout(struct net_device *dev) + { + struct slip *sl = netdev_priv(dev); +@@ -749,6 +760,7 @@ static struct slip *sl_alloc(dev_t line) + sl->magic = SLIP_MAGIC; + sl->dev = dev; + spin_lock_init(&sl->lock); ++ INIT_WORK(&sl->tx_work, slip_transmit); + sl->mode = SL_MODE_DEFAULT; + #ifdef CONFIG_SLIP_SMART + /* initialize timer_list struct */ +@@ -872,8 +884,12 @@ static void slip_close(struct tty_struct + if (!sl || sl->magic != SLIP_MAGIC || sl->tty != tty) + return; + ++ spin_lock_bh(&sl->lock); + tty->disc_data = NULL; + sl->tty = NULL; ++ spin_unlock_bh(&sl->lock); ++ ++ flush_work(&sl->tx_work); + + /* VSV = very important to remove timers */ + #ifdef CONFIG_SLIP_SMART +--- a/drivers/net/slip/slip.h ++++ b/drivers/net/slip/slip.h +@@ -53,6 +53,7 @@ struct slip { + struct tty_struct *tty; /* ptr to TTY structure */ + struct net_device *dev; /* easy for intr handling */ + spinlock_t lock; ++ struct work_struct tx_work; /* Flushes transmit buffer */ + + #ifdef SL_INCLUDE_CSLIP + struct slcompress *slcomp; /* for header compression */ diff --git a/queue-3.15/sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch b/queue-3.15/sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch new file mode 100644 index 00000000000..946c6a6b77e --- /dev/null +++ b/queue-3.15/sunvnet-clean-up-objects-created-in-vnet_new-on-vnet_exit.patch @@ -0,0 +1,69 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Sowmini Varadhan +Date: Wed, 16 Jul 2014 10:02:26 -0400 +Subject: sunvnet: clean up objects created in vnet_new() on vnet_exit() + +From: Sowmini Varadhan + +[ Upstream commit a4b70a07ed12a71131cab7adce2ce91c71b37060 ] + +Nothing cleans up the objects created by +vnet_new(), they are completely leaked. + +vnet_exit(), after doing the vio_unregister_driver() to clean +up ports, should call a helper function that iterates over vnet_list +and cleans up those objects. This includes unregister_netdevice() +as well as free_netdev(). + +Signed-off-by: Sowmini Varadhan +Acked-by: Dave Kleikamp +Reviewed-by: Karl Volz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sun/sunvnet.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -1083,6 +1083,24 @@ static struct vnet *vnet_find_or_create( + return vp; + } + ++static void vnet_cleanup(void) ++{ ++ struct vnet *vp; ++ struct net_device *dev; ++ ++ mutex_lock(&vnet_list_mutex); ++ while (!list_empty(&vnet_list)) { ++ vp = list_first_entry(&vnet_list, struct vnet, list); ++ list_del(&vp->list); ++ dev = vp->dev; ++ /* vio_unregister_driver() should have cleaned up port_list */ ++ BUG_ON(!list_empty(&vp->port_list)); ++ unregister_netdev(dev); ++ free_netdev(dev); ++ } ++ mutex_unlock(&vnet_list_mutex); ++} ++ + static const char *local_mac_prop = "local-mac-address"; + + static struct vnet *vnet_find_parent(struct mdesc_handle *hp, +@@ -1240,7 +1258,6 @@ static int vnet_port_remove(struct vio_d + + kfree(port); + +- unregister_netdev(vp->dev); + } + return 0; + } +@@ -1268,6 +1285,7 @@ static int __init vnet_init(void) + static void __exit vnet_exit(void) + { + vio_unregister_driver(&vnet_port_driver); ++ vnet_cleanup(); + } + + module_init(vnet_init); diff --git a/queue-3.15/tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch b/queue-3.15/tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch new file mode 100644 index 00000000000..461ba3958a9 --- /dev/null +++ b/queue-3.15/tcp-fix-divide-by-zero-when-pushing-during-tcp-repair.patch @@ -0,0 +1,130 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Christoph Paasch +Date: Sat, 28 Jun 2014 18:26:37 +0200 +Subject: tcp: Fix divide by zero when pushing during tcp-repair + +From: Christoph Paasch + +[ Upstream commit 5924f17a8a30c2ae18d034a86ee7581b34accef6 ] + +When in repair-mode and TCP_RECV_QUEUE is set, we end up calling +tcp_push with mss_now being 0. If data is in the send-queue and +tcp_set_skb_tso_segs gets called, we crash because it will divide by +mss_now: + +[ 347.151939] divide error: 0000 [#1] SMP +[ 347.152907] Modules linked in: +[ 347.152907] CPU: 1 PID: 1123 Comm: packetdrill Not tainted 3.16.0-rc2 #4 +[ 347.152907] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 +[ 347.152907] task: f5b88540 ti: f3c82000 task.ti: f3c82000 +[ 347.152907] EIP: 0060:[] EFLAGS: 00210246 CPU: 1 +[ 347.152907] EIP is at tcp_set_skb_tso_segs+0x49/0xa0 +[ 347.152907] EAX: 00000b67 EBX: f5acd080 ECX: 00000000 EDX: 00000000 +[ 347.152907] ESI: f5a28f40 EDI: f3c88f00 EBP: f3c83d10 ESP: f3c83d00 +[ 347.152907] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 +[ 347.152907] CR0: 80050033 CR2: 083158b0 CR3: 35146000 CR4: 000006b0 +[ 347.152907] Stack: +[ 347.152907] c167f9d9 f5acd080 000005b4 00000002 f3c83d20 c16013e6 f3c88f00 f5acd080 +[ 347.152907] f3c83da0 c1603b5a f3c83d38 c10a0188 00000000 00000000 f3c83d84 c10acc85 +[ 347.152907] c1ad5ec0 00000000 00000000 c1ad679c 010003e0 00000000 00000000 f3c88fc8 +[ 347.152907] Call Trace: +[ 347.152907] [] ? apic_timer_interrupt+0x2d/0x34 +[ 347.152907] [] tcp_init_tso_segs+0x36/0x50 +[ 347.152907] [] tcp_write_xmit+0x7a/0xbf0 +[ 347.152907] [] ? up+0x28/0x40 +[ 347.152907] [] ? console_unlock+0x295/0x480 +[ 347.152907] [] ? vprintk_emit+0x1ef/0x4b0 +[ 347.152907] [] __tcp_push_pending_frames+0x36/0xd0 +[ 347.152907] [] tcp_push+0xf0/0x120 +[ 347.152907] [] tcp_sendmsg+0xf1/0xbf0 +[ 347.152907] [] ? kmem_cache_free+0xf0/0x120 +[ 347.152907] [] ? __sigqueue_free+0x32/0x40 +[ 347.152907] [] ? __sigqueue_free+0x32/0x40 +[ 347.152907] [] ? do_wp_page+0x3e0/0x850 +[ 347.152907] [] inet_sendmsg+0x4a/0xb0 +[ 347.152907] [] ? handle_mm_fault+0x709/0xfb0 +[ 347.152907] [] sock_aio_write+0xbb/0xd0 +[ 347.152907] [] do_sync_write+0x69/0xa0 +[ 347.152907] [] vfs_write+0x123/0x160 +[ 347.152907] [] SyS_write+0x55/0xb0 +[ 347.152907] [] sysenter_do_call+0x12/0x28 + +This can easily be reproduced with the following packetdrill-script (the +"magic" with netem, sk_pacing and limit_output_bytes is done to prevent +the kernel from pushing all segments, because hitting the limit without +doing this is not so easy with packetdrill): + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 + ++0 bind(3, ..., ...) = 0 ++0 listen(3, 1) = 0 + ++0 < S 0:0(0) win 32792 ++0 > S. 0:0(0) ack 1 ++0.1 < . 1:1(0) ack 1 win 65000 + ++0 accept(3, ..., ...) = 4 + +// This forces that not all segments of the snd-queue will be pushed ++0 `tc qdisc add dev tun0 root netem delay 10ms` ++0 `sysctl -w net.ipv4.tcp_limit_output_bytes=2` ++0 setsockopt(4, SOL_SOCKET, 47, [2], 4) = 0 + ++0 write(4,...,10000) = 10000 ++0 write(4,...,10000) = 10000 + +// Set tcp-repair stuff, particularly TCP_RECV_QUEUE ++0 setsockopt(4, SOL_TCP, 19, [1], 4) = 0 ++0 setsockopt(4, SOL_TCP, 20, [1], 4) = 0 + +// This now will make the write push the remaining segments ++0 setsockopt(4, SOL_SOCKET, 47, [20000], 4) = 0 ++0 `sysctl -w net.ipv4.tcp_limit_output_bytes=130000` + +// Now we will crash ++0 write(4,...,1000) = 1000 + +This happens since ec3423257508 (tcp: fix retransmission in repair +mode). Prior to that, the call to tcp_push was prevented by a check for +tp->repair. + +The patch fixes it, by adding the new goto-label out_nopush. When exiting +tcp_sendmsg and a push is not required, which is the case for tp->repair, +we go to this label. + +When repairing and calling send() with TCP_RECV_QUEUE, the data is +actually put in the receive-queue. So, no push is required because no +data has been added to the send-queue. + +Cc: Andrew Vagin +Cc: Pavel Emelyanov +Fixes: ec3423257508 (tcp: fix retransmission in repair mode) +Signed-off-by: Christoph Paasch +Acked-by: Andrew Vagin +Acked-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1108,7 +1108,7 @@ int tcp_sendmsg(struct kiocb *iocb, stru + if (unlikely(tp->repair)) { + if (tp->repair_queue == TCP_RECV_QUEUE) { + copied = tcp_send_rcvq(sk, msg, size); +- goto out; ++ goto out_nopush; + } + + err = -EINVAL; +@@ -1282,6 +1282,7 @@ wait_for_memory: + out: + if (copied) + tcp_push(sk, flags, mss_now, tp->nonagle, size_goal); ++out_nopush: + release_sock(sk); + return copied + copied_syn; + diff --git a/queue-3.15/tcp-fix-false-undo-corner-cases.patch b/queue-3.15/tcp-fix-false-undo-corner-cases.patch new file mode 100644 index 00000000000..44f6d4810ae --- /dev/null +++ b/queue-3.15/tcp-fix-false-undo-corner-cases.patch @@ -0,0 +1,98 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Yuchung Cheng +Date: Wed, 2 Jul 2014 12:07:16 -0700 +Subject: tcp: fix false undo corner cases + +From: Yuchung Cheng + +[ Upstream commit 6e08d5e3c8236e7484229e46fdf92006e1dd4c49 ] + +The undo code assumes that, upon entering loss recovery, TCP +1) always retransmit something +2) the retransmission never fails locally (e.g., qdisc drop) + +so undo_marker is set in tcp_enter_recovery() and undo_retrans is +incremented only when tcp_retransmit_skb() is successful. + +When the assumption is broken because TCP's cwnd is too small to +retransmit or the retransmit fails locally. The next (DUP)ACK +would incorrectly revert the cwnd and the congestion state in +tcp_try_undo_dsack() or tcp_may_undo(). Subsequent (DUP)ACKs +may enter the recovery state. The sender repeatedly enter and +(incorrectly) exit recovery states if the retransmits continue to +fail locally while receiving (DUP)ACKs. + +The fix is to initialize undo_retrans to -1 and start counting on +the first retransmission. Always increment undo_retrans even if the +retransmissions fail locally because they couldn't cause DSACKs to +undo the cwnd reduction. + +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 8 ++++---- + net/ipv4/tcp_output.c | 6 ++++-- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1106,7 +1106,7 @@ static bool tcp_check_dsack(struct sock + } + + /* D-SACK for already forgotten data... Do dumb counting. */ +- if (dup_sack && tp->undo_marker && tp->undo_retrans && ++ if (dup_sack && tp->undo_marker && tp->undo_retrans > 0 && + !after(end_seq_0, prior_snd_una) && + after(end_seq_0, tp->undo_marker)) + tp->undo_retrans--; +@@ -1187,7 +1187,7 @@ static u8 tcp_sacktag_one(struct sock *s + + /* Account D-SACK for retransmitted packet. */ + if (dup_sack && (sacked & TCPCB_RETRANS)) { +- if (tp->undo_marker && tp->undo_retrans && ++ if (tp->undo_marker && tp->undo_retrans > 0 && + after(end_seq, tp->undo_marker)) + tp->undo_retrans--; + if (sacked & TCPCB_SACKED_ACKED) +@@ -1893,7 +1893,7 @@ static void tcp_clear_retrans_partial(st + tp->lost_out = 0; + + tp->undo_marker = 0; +- tp->undo_retrans = 0; ++ tp->undo_retrans = -1; + } + + void tcp_clear_retrans(struct tcp_sock *tp) +@@ -2664,7 +2664,7 @@ static void tcp_enter_recovery(struct so + + tp->prior_ssthresh = 0; + tp->undo_marker = tp->snd_una; +- tp->undo_retrans = tp->retrans_out; ++ tp->undo_retrans = tp->retrans_out ? : -1; + + if (inet_csk(sk)->icsk_ca_state < TCP_CA_CWR) { + if (!ece_ack) +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2472,8 +2472,6 @@ int tcp_retransmit_skb(struct sock *sk, + if (!tp->retrans_stamp) + tp->retrans_stamp = TCP_SKB_CB(skb)->when; + +- tp->undo_retrans += tcp_skb_pcount(skb); +- + /* snd_nxt is stored to detect loss of retransmitted segment, + * see tcp_input.c tcp_sacktag_write_queue(). + */ +@@ -2481,6 +2479,10 @@ int tcp_retransmit_skb(struct sock *sk, + } else { + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL); + } ++ ++ if (tp->undo_retrans < 0) ++ tp->undo_retrans = 0; ++ tp->undo_retrans += tcp_skb_pcount(skb); + return err; + } + diff --git a/queue-3.15/tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch b/queue-3.15/tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch new file mode 100644 index 00000000000..e30267c9d85 --- /dev/null +++ b/queue-3.15/tcp-fix-tcp_match_skb_to_sack-for-unaligned-sack-at-end-of-an-skb.patch @@ -0,0 +1,65 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Neal Cardwell +Date: Wed, 18 Jun 2014 21:15:03 -0400 +Subject: tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb + +From: Neal Cardwell + +[ Upstream commit 2cd0d743b05e87445c54ca124a9916f22f16742e ] + +If there is an MSS change (or misbehaving receiver) that causes a SACK +to arrive that covers the end of an skb but is less than one MSS, then +tcp_match_skb_to_sack() was rounding up pkt_len to the full length of +the skb ("Round if necessary..."), then chopping all bytes off the skb +and creating a zero-byte skb in the write queue. + +This was visible now because the recently simplified TLP logic in +bef1909ee3ed1c ("tcp: fixing TLP's FIN recovery") could find that 0-byte +skb at the end of the write queue, and now that we do not check that +skb's length we could send it as a TLP probe. + +Consider the following example scenario: + + mss: 1000 + skb: seq: 0 end_seq: 4000 len: 4000 + SACK: start_seq: 3999 end_seq: 4000 + +The tcp_match_skb_to_sack() code will compute: + + in_sack = false + pkt_len = start_seq - TCP_SKB_CB(skb)->seq = 3999 - 0 = 3999 + new_len = (pkt_len / mss) * mss = (3999/1000)*1000 = 3000 + new_len += mss = 4000 + +Previously we would find the new_len > skb->len check failing, so we +would fall through and set pkt_len = new_len = 4000 and chop off +pkt_len of 4000 from the 4000-byte skb, leaving a 0-byte segment +afterward in the write queue. + +With this new commit, we notice that the new new_len >= skb->len check +succeeds, so that we return without trying to fragment. + +Fixes: adb92db857ee ("tcp: Make SACK code to split only at mss boundaries") +Reported-by: Eric Dumazet +Signed-off-by: Neal Cardwell +Cc: Eric Dumazet +Cc: Yuchung Cheng +Cc: Ilpo Jarvinen +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1162,7 +1162,7 @@ static int tcp_match_skb_to_sack(struct + unsigned int new_len = (pkt_len / mss) * mss; + if (!in_sack && new_len < pkt_len) { + new_len += mss; +- if (new_len > skb->len) ++ if (new_len >= skb->len) + return 0; + } + pkt_len = new_len; diff --git a/queue-3.15/tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch b/queue-3.15/tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch new file mode 100644 index 00000000000..37842b93767 --- /dev/null +++ b/queue-3.15/tipc-clear-next-pointer-of-message-fragments-before-reassembly.patch @@ -0,0 +1,41 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Jon Paul Maloy +Date: Fri, 11 Jul 2014 08:45:27 -0400 +Subject: tipc: clear 'next'-pointer of message fragments before reassembly + +From: Jon Paul Maloy + +[ Upstream commit 999417549c16dd0e3a382aa9f6ae61688db03181 ] + +If the 'next' pointer of the last fragment buffer in a message is not +zeroed before reassembly, we risk ending up with a corrupt message, +since the reassembly function itself isn't doing this. + +Currently, when a buffer is retrieved from the deferred queue of the +broadcast link, the next pointer is not cleared, with the result as +described above. + +This commit corrects this, and thereby fixes a bug that may occur when +long broadcast messages are transmitted across dual interfaces. The bug +has been present since 40ba3cdf542a469aaa9083fa041656e59b109b90 ("tipc: +message reassembly using fragment chain") + +This commit should be applied to both net and net-next. + +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/bcast.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/tipc/bcast.c ++++ b/net/tipc/bcast.c +@@ -536,6 +536,7 @@ receive: + + buf = node->bclink.deferred_head; + node->bclink.deferred_head = buf->next; ++ buf->next = NULL; + node->bclink.deferred_size--; + goto receive; + } diff --git a/queue-3.15/vlan-free-percpu-stats-in-device-destructor.patch b/queue-3.15/vlan-free-percpu-stats-in-device-destructor.patch new file mode 100644 index 00000000000..590071cd3e3 --- /dev/null +++ b/queue-3.15/vlan-free-percpu-stats-in-device-destructor.patch @@ -0,0 +1,97 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Eric Dumazet +Date: Wed, 2 Jul 2014 02:25:15 -0700 +Subject: vlan: free percpu stats in device destructor + +From: Eric Dumazet + +[ Upstream commit a48e5fafecfb9c0c807d7e7284b5ff884dfb7a3a ] + +Madalin-Cristian reported crashs happening after a recent commit +(5a4ae5f6e7d4 "vlan: unnecessary to check if vlan_pcpu_stats is NULL") + +----------------------------------------------------------------------- +root@p5040ds:~# vconfig add eth8 1 +root@p5040ds:~# vconfig rem eth8.1 +Unable to handle kernel paging request for data at address 0x2bc88028 +Faulting instruction address: 0xc058e950 +Oops: Kernel access of bad area, sig: 11 [#1] +SMP NR_CPUS=8 CoreNet Generic +Modules linked in: +CPU: 3 PID: 2167 Comm: vconfig Tainted: G W 3.16.0-rc3-00346-g65e85bf #2 +task: e7264d90 ti: e2c2c000 task.ti: e2c2c000 +NIP: c058e950 LR: c058ea30 CTR: c058e900 +REGS: e2c2db20 TRAP: 0300 Tainted: G W (3.16.0-rc3-00346-g65e85bf) +MSR: 00029002 CR: 48000428 XER: 20000000 +DEAR: 2bc88028 ESR: 00000000 +GPR00: c047299c e2c2dbd0 e7264d90 00000000 2bc88000 00000000 ffffffff 00000000 +GPR08: 0000000f 00000000 000000ff 00000000 28000422 10121928 10100000 10100000 +GPR16: 10100000 00000000 c07c5968 00000000 00000000 00000000 e2c2dc48 e7838000 +GPR24: c07c5bac c07c58a8 e77290cc c07b0000 00000000 c05de6c0 e7838000 e2c2dc48 +NIP [c058e950] vlan_dev_get_stats64+0x50/0x170 +LR [c058ea30] vlan_dev_get_stats64+0x130/0x170 +Call Trace: +[e2c2dbd0] [ffffffea] 0xffffffea (unreliable) +[e2c2dc20] [c047299c] dev_get_stats+0x4c/0x140 +[e2c2dc40] [c0488ca8] rtnl_fill_ifinfo+0x3d8/0x960 +[e2c2dd70] [c0489f4c] rtmsg_ifinfo+0x6c/0x110 +[e2c2dd90] [c04731d4] rollback_registered_many+0x344/0x3b0 +[e2c2ddd0] [c047332c] rollback_registered+0x2c/0x50 +[e2c2ddf0] [c0476058] unregister_netdevice_queue+0x78/0xf0 +[e2c2de00] [c058d800] unregister_vlan_dev+0xc0/0x160 +[e2c2de20] [c058e360] vlan_ioctl_handler+0x1c0/0x550 +[e2c2de90] [c045d11c] sock_ioctl+0x28c/0x2f0 +[e2c2deb0] [c010d070] do_vfs_ioctl+0x90/0x7b0 +[e2c2df20] [c010d7d0] SyS_ioctl+0x40/0x80 +[e2c2df40] [c000f924] ret_from_syscall+0x0/0x3c + +Fix this problem by freeing percpu stats from dev->destructor() instead +of ndo_uninit() + +Reported-by: Madalin-Cristian Bucur +Signed-off-by: Eric Dumazet +Tested-by: Madalin-Cristian Bucur +Fixes: 5a4ae5f6e7d4 ("vlan: unnecessary to check if vlan_pcpu_stats is NULL") +Cc: Li RongQing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -627,8 +627,6 @@ static void vlan_dev_uninit(struct net_d + struct vlan_dev_priv *vlan = vlan_dev_priv(dev); + int i; + +- free_percpu(vlan->vlan_pcpu_stats); +- vlan->vlan_pcpu_stats = NULL; + for (i = 0; i < ARRAY_SIZE(vlan->egress_priority_map); i++) { + while ((pm = vlan->egress_priority_map[i]) != NULL) { + vlan->egress_priority_map[i] = pm->next; +@@ -787,6 +785,15 @@ static const struct net_device_ops vlan_ + .ndo_get_lock_subclass = vlan_dev_get_lock_subclass, + }; + ++static void vlan_dev_free(struct net_device *dev) ++{ ++ struct vlan_dev_priv *vlan = vlan_dev_priv(dev); ++ ++ free_percpu(vlan->vlan_pcpu_stats); ++ vlan->vlan_pcpu_stats = NULL; ++ free_netdev(dev); ++} ++ + void vlan_setup(struct net_device *dev) + { + ether_setup(dev); +@@ -796,7 +803,7 @@ void vlan_setup(struct net_device *dev) + dev->tx_queue_len = 0; + + dev->netdev_ops = &vlan_netdev_ops; +- dev->destructor = free_netdev; ++ dev->destructor = vlan_dev_free; + dev->ethtool_ops = &vlan_ethtool_ops; + + memset(dev->broadcast, 0, ETH_ALEN); diff --git a/queue-3.15/xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch b/queue-3.15/xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch new file mode 100644 index 00000000000..397afdeb803 --- /dev/null +++ b/queue-3.15/xen-netback-fix-handling-frag_list-on-grant-op-error-path.patch @@ -0,0 +1,89 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Zoltan Kiss +Date: Fri, 18 Jul 2014 19:08:02 +0100 +Subject: xen-netback: Fix handling frag_list on grant op error path + +From: Zoltan Kiss + +[ Upstream commit 1a998d3e6bc1e44f4c0bc7509bdedef8ed3845ec ] + +The error handling for skb's with frag_list was completely wrong, it caused +double unmap attempts to happen if the error was on the first skb. Move it to +the right place in the loop. + +Signed-off-by: Zoltan Kiss +Reported-by: Armin Zentai +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 37 ++++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1007,10 +1007,16 @@ static int xenvif_tx_check_gop(struct xe + { + struct gnttab_map_grant_ref *gop_map = *gopp_map; + u16 pending_idx = XENVIF_TX_CB(skb)->pending_idx; ++ /* This always points to the shinfo of the skb being checked, which ++ * could be either the first or the one on the frag_list ++ */ + struct skb_shared_info *shinfo = skb_shinfo(skb); ++ /* If this is non-NULL, we are currently checking the frag_list skb, and ++ * this points to the shinfo of the first one ++ */ ++ struct skb_shared_info *first_shinfo = NULL; + int nr_frags = shinfo->nr_frags; + int i, err; +- struct sk_buff *first_skb = NULL; + + /* Check status of header. */ + err = (*gopp_copy)->status; +@@ -1063,31 +1069,28 @@ check_frags: + xenvif_idx_unmap(vif, pending_idx); + } + ++ /* And if we found the error while checking the frag_list, unmap ++ * the first skb's frags ++ */ ++ if (first_shinfo) { ++ for (j = 0; j < first_shinfo->nr_frags; j++) { ++ pending_idx = frag_get_pending_idx(&first_shinfo->frags[j]); ++ xenvif_idx_unmap(vif, pending_idx); ++ } ++ } ++ + /* Remember the error: invalidate all subsequent fragments. */ + err = newerr; + } + +- if (skb_has_frag_list(skb)) { +- first_skb = skb; +- skb = shinfo->frag_list; +- shinfo = skb_shinfo(skb); ++ if (skb_has_frag_list(skb) && !first_shinfo) { ++ first_shinfo = skb_shinfo(skb); ++ shinfo = skb_shinfo(skb_shinfo(skb)->frag_list); + nr_frags = shinfo->nr_frags; + + goto check_frags; + } + +- /* There was a mapping error in the frag_list skb. We have to unmap +- * the first skb's frags +- */ +- if (first_skb && err) { +- int j; +- shinfo = skb_shinfo(first_skb); +- for (j = 0; j < shinfo->nr_frags; j++) { +- pending_idx = frag_get_pending_idx(&shinfo->frags[j]); +- xenvif_idx_unmap(vif, pending_idx); +- } +- } +- + *gopp_map = gop_map; + return err; + } diff --git a/queue-3.15/xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch b/queue-3.15/xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch new file mode 100644 index 00000000000..12827fa1151 --- /dev/null +++ b/queue-3.15/xen-netback-fix-pointer-incrementation-to-avoid-incorrect-logging.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Zoltan Kiss +Date: Fri, 18 Jul 2014 19:08:05 +0100 +Subject: xen-netback: Fix pointer incrementation to avoid incorrect logging + +From: Zoltan Kiss + +[ Upstream commit d8cfbfc4660054150ca1b7c501a8edc0771022f9 ] + +Due to this pointer is increased prematurely, the error log contains rubbish. + +Signed-off-by: Zoltan Kiss +Reported-by: Armin Zentai +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1022,7 +1022,6 @@ static int xenvif_tx_check_gop(struct xe + + /* Check status of header. */ + err = (*gopp_copy)->status; +- (*gopp_copy)++; + if (unlikely(err)) { + if (net_ratelimit()) + netdev_dbg(vif->dev, +@@ -1035,6 +1034,7 @@ static int xenvif_tx_check_gop(struct xe + xenvif_idx_release(vif, pending_idx, + XEN_NETIF_RSP_ERROR); + } ++ (*gopp_copy)++; + + check_frags: + for (i = 0; i < nr_frags; i++, gop_map++) { diff --git a/queue-3.15/xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch b/queue-3.15/xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch new file mode 100644 index 00000000000..e337d310aa1 --- /dev/null +++ b/queue-3.15/xen-netback-fix-releasing-frag_list-skbs-in-error-path.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Zoltan Kiss +Date: Fri, 18 Jul 2014 19:08:03 +0100 +Subject: xen-netback: Fix releasing frag_list skbs in error path + +From: Zoltan Kiss + +[ Upstream commit b42cc6e421e7bf74e545483aa34b99d2a2ca6d3a ] + +When the grant operations failed, the skb is freed up eventually, and it tries +to release the frags, if there is any. For the main skb nr_frags is set to 0 to +avoid this, but on the frag_list it iterates through the frags array, and tries +to call put_page on the page pointer which contains garbage at that time. + +Signed-off-by: Zoltan Kiss +Reported-by: Armin Zentai +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1498,7 +1498,16 @@ static int xenvif_tx_submit(struct xenvi + + /* Check the remap error code. */ + if (unlikely(xenvif_tx_check_gop(vif, skb, &gop_map, &gop_copy))) { ++ /* If there was an error, xenvif_tx_check_gop is ++ * expected to release all the frags which were mapped, ++ * so kfree_skb shouldn't do it again ++ */ + skb_shinfo(skb)->nr_frags = 0; ++ if (skb_has_frag_list(skb)) { ++ struct sk_buff *nskb = ++ skb_shinfo(skb)->frag_list; ++ skb_shinfo(nskb)->nr_frags = 0; ++ } + kfree_skb(skb); + continue; + } diff --git a/queue-3.15/xen-netback-fix-releasing-header-slot-on-error-path.patch b/queue-3.15/xen-netback-fix-releasing-header-slot-on-error-path.patch new file mode 100644 index 00000000000..eedc7e824a7 --- /dev/null +++ b/queue-3.15/xen-netback-fix-releasing-header-slot-on-error-path.patch @@ -0,0 +1,117 @@ +From foo@baz Sat Jul 26 10:16:13 PDT 2014 +From: Zoltan Kiss +Date: Fri, 18 Jul 2014 19:08:04 +0100 +Subject: xen-netback: Fix releasing header slot on error path + +From: Zoltan Kiss + +[ Upstream commit 1b860da0404a76af8533099ffe0a965490939369 ] + +This patch makes this function aware that the first frag and the header might +share the same ring slot. That could happen if the first slot is bigger than +PKT_PROT_LEN. Due to this the error path might release that slot twice or never, +depending on the error scenario. +xenvif_idx_release is also removed from xenvif_idx_unmap, and called separately. + +Signed-off-by: Zoltan Kiss +Reported-by: Armin Zentai +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 38 +++++++++++++++++++++++++++++++++----- + 1 file changed, 33 insertions(+), 5 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1016,6 +1016,8 @@ static int xenvif_tx_check_gop(struct xe + */ + struct skb_shared_info *first_shinfo = NULL; + int nr_frags = shinfo->nr_frags; ++ const bool sharedslot = nr_frags && ++ frag_get_pending_idx(&shinfo->frags[0]) == pending_idx; + int i, err; + + /* Check status of header. */ +@@ -1028,7 +1030,10 @@ static int xenvif_tx_check_gop(struct xe + (*gopp_copy)->status, + pending_idx, + (*gopp_copy)->source.u.ref); +- xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_ERROR); ++ /* The first frag might still have this slot mapped */ ++ if (!sharedslot) ++ xenvif_idx_release(vif, pending_idx, ++ XEN_NETIF_RSP_ERROR); + } + + check_frags: +@@ -1045,8 +1050,19 @@ check_frags: + pending_idx, + gop_map->handle); + /* Had a previous error? Invalidate this fragment. */ +- if (unlikely(err)) ++ if (unlikely(err)) { + xenvif_idx_unmap(vif, pending_idx); ++ /* If the mapping of the first frag was OK, but ++ * the header's copy failed, and they are ++ * sharing a slot, send an error ++ */ ++ if (i == 0 && sharedslot) ++ xenvif_idx_release(vif, pending_idx, ++ XEN_NETIF_RSP_ERROR); ++ else ++ xenvif_idx_release(vif, pending_idx, ++ XEN_NETIF_RSP_OKAY); ++ } + continue; + } + +@@ -1058,15 +1074,27 @@ check_frags: + gop_map->status, + pending_idx, + gop_map->ref); ++ + xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_ERROR); + + /* Not the first error? Preceding frags already invalidated. */ + if (err) + continue; +- /* First error: invalidate preceding fragments. */ ++ ++ /* First error: if the header haven't shared a slot with the ++ * first frag, release it as well. ++ */ ++ if (!sharedslot) ++ xenvif_idx_release(vif, ++ XENVIF_TX_CB(skb)->pending_idx, ++ XEN_NETIF_RSP_OKAY); ++ ++ /* Invalidate preceding fragments of this skb. */ + for (j = 0; j < i; j++) { + pending_idx = frag_get_pending_idx(&shinfo->frags[j]); + xenvif_idx_unmap(vif, pending_idx); ++ xenvif_idx_release(vif, pending_idx, ++ XEN_NETIF_RSP_OKAY); + } + + /* And if we found the error while checking the frag_list, unmap +@@ -1076,6 +1104,8 @@ check_frags: + for (j = 0; j < first_shinfo->nr_frags; j++) { + pending_idx = frag_get_pending_idx(&first_shinfo->frags[j]); + xenvif_idx_unmap(vif, pending_idx); ++ xenvif_idx_release(vif, pending_idx, ++ XEN_NETIF_RSP_OKAY); + } + } + +@@ -1811,8 +1841,6 @@ void xenvif_idx_unmap(struct xenvif *vif + tx_unmap_op.status); + BUG(); + } +- +- xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_OKAY); + } + + static inline int rx_work_todo(struct xenvif *vif) -- 2.47.3