3.0-stable patches

added patches:
	bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch
	bonding-fix-race-condition-in-bonding_store_slaves_active.patch
	irda-sir_dev-fix-copy-paste-typo.patch
	ne2000-add-the-right-platform-device.patch
	sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch
	sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch
	usb-ipheth-add-iphone-5-support.patch

diff --git a/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch b/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch
new file mode 100644 (file)
index 0000000..a2ca9ba
--- /dev/null
+++ b/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch
@@ -0,0 +1,48 @@
+From 93332f2f5d26edaa68a84efce92339022c195cd4 Mon Sep 17 00:00:00 2001
+From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+Date: Wed, 21 Nov 2012 04:35:03 +0000
+Subject: bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices.
+
+
+From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+
+[ Upstream commit 0e376bd0b791ac6ac6bdb051492df0769c840848 ]
+
+Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach.
+
+Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1439,6 +1439,8 @@ static void bond_compute_features(struct
+       struct net_device *bond_dev = bond->dev;
+       u32 vlan_features = BOND_VLAN_FEATURES;
+       unsigned short max_hard_header_len = ETH_HLEN;
++      unsigned int gso_max_size = GSO_MAX_SIZE;
++      u16 gso_max_segs = GSO_MAX_SEGS;
+       int i;
+ 
+       read_lock(&bond->lock);
+@@ -1452,11 +1454,16 @@ static void bond_compute_features(struct
+ 
+               if (slave->dev->hard_header_len > max_hard_header_len)
+                       max_hard_header_len = slave->dev->hard_header_len;
++
++              gso_max_size = min(gso_max_size, slave->dev->gso_max_size);
++              gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs);
+       }
+ 
+ done:
+       bond_dev->vlan_features = vlan_features;
+       bond_dev->hard_header_len = max_hard_header_len;
++      bond_dev->gso_max_segs = gso_max_segs;
++      netif_set_gso_max_size(bond_dev, gso_max_size);
+ 
+       read_unlock(&bond->lock);
+ 

diff --git a/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch b/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch
new file mode 100644 (file)
index 0000000..d98e8a4
--- /dev/null
+++ b/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch
@@ -0,0 +1,44 @@
+From fb1262c567b4b9e69db4b0ebcd16bf088d212b5a Mon Sep 17 00:00:00 2001
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+Date: Thu, 29 Nov 2012 01:37:59 +0000
+Subject: bonding: fix race condition in bonding_store_slaves_active
+
+
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+
+[ Upstream commit e196c0e579902f42cf72414461fb034e5a1ffbf7 ]
+
+Race between bonding_store_slaves_active() and slave manipulation
+ functions. The bond_for_each_slave use in bonding_store_slaves_active()
+ is not protected by any synchronization mechanism.
+ NULL pointer dereference is easy to reach.
+ Fixed by acquiring the bond->lock for the slave walk.
+
+ v2: Make description text < 75 columns
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
+Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_sysfs.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/bonding/bond_sysfs.c
++++ b/drivers/net/bonding/bond_sysfs.c
+@@ -1524,6 +1524,7 @@ static ssize_t bonding_store_slaves_acti
+               goto out;
+       }
+ 
++      read_lock(&bond->lock);
+       bond_for_each_slave(bond, slave, i) {
+               if (!bond_is_active_slave(slave)) {
+                       if (new_value)
+@@ -1532,6 +1533,7 @@ static ssize_t bonding_store_slaves_acti
+                               slave->inactive = 1;
+               }
+       }
++      read_unlock(&bond->lock);
+ out:
+       return ret;
+ }

diff --git a/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch b/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch
new file mode 100644 (file)
index 0000000..2cf31d1
--- /dev/null
+++ b/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch
@@ -0,0 +1,28 @@
+From 067d358b4ca9434ba1a3ea1cd7167658283c900e Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Tue, 20 Nov 2012 09:59:11 +0000
+Subject: irda: sir_dev: Fix copy/paste typo
+
+
+From: Alexander Shiyan <shc_work@mail.ru>
+
+[ Upstream commit 2355a62bcbdcc4b567425bab036bfab6ade87eed ]
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/irda/sir_dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/irda/sir_dev.c
++++ b/drivers/net/irda/sir_dev.c
+@@ -221,7 +221,7 @@ static void sirdev_config_fsm(struct wor
+                       break;
+ 
+               case SIRDEV_STATE_DONGLE_SPEED:
+-                      if (dev->dongle_drv->reset) {
++                      if (dev->dongle_drv->set_speed) {
+                               ret = dev->dongle_drv->set_speed(dev, fsm->param);
+                               if (ret < 0) {
+                                       fsm->result = ret;

diff --git a/queue-3.0/ne2000-add-the-right-platform-device.patch b/queue-3.0/ne2000-add-the-right-platform-device.patch
new file mode 100644 (file)
index 0000000..0c37b93
--- /dev/null
+++ b/queue-3.0/ne2000-add-the-right-platform-device.patch
@@ -0,0 +1,30 @@
+From 92a857d0f4bf20d532e79bd5b9e856372e7c9050 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 20 Nov 2012 06:31:57 +0000
+Subject: ne2000: add the right platform device
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit da9da01d9199b5bb15289d0859053c9aa3a34ac0 ]
+
+Without this udev doesn't have a way to key the ne device to the platform
+device.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ne.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ne.c
++++ b/drivers/net/ne.c
+@@ -814,6 +814,7 @@ static int __init ne_drv_probe(struct pl
+               dev->irq = irq[this_dev];
+               dev->mem_end = bad[this_dev];
+       }
++      SET_NETDEV_DEV(dev, &pdev->dev);
+       err = do_ne_probe(dev);
+       if (err) {
+               free_netdev(dev);

diff --git a/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch b/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch
new file mode 100644 (file)
index 0000000..1bd23f5
--- /dev/null
+++ b/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch
@@ -0,0 +1,117 @@
+From 3c37dd11fa65c5f2e657a21a77cc09d6d6c55e95 Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Thu, 22 Nov 2012 03:23:16 +0000
+Subject: sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
+
+
+From: Tommi Rantala <tt.rantala@gmail.com>
+
+[ Upstream commit 6e51fe7572590d8d86e93b547fab6693d305fd0d ]
+
+Consider the following program, that sets the second argument to the
+sendto() syscall incorrectly:
+
+ #include <string.h>
+ #include <arpa/inet.h>
+ #include <sys/socket.h>
+
+ int main(void)
+ {
+         int fd;
+         struct sockaddr_in sa;
+
+         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
+         if (fd < 0)
+                 return 1;
+
+         memset(&sa, 0, sizeof(sa));
+         sa.sin_family = AF_INET;
+         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
+         sa.sin_port = htons(11111);
+
+         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
+
+         return 0;
+ }
+
+We get -ENOMEM:
+
+ $ strace -e sendto ./demo
+ sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
+
+Propagate the error code from sctp_user_addto_chunk(), so that we will
+tell user space what actually went wrong:
+
+ $ strace -e sendto ./demo
+ sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
+
+Noticed while running Trinity (the syscall fuzzer).
+
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/chunk.c  |   13 +++++++++----
+ net/sctp/socket.c |    4 ++--
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_u
+ 
+       msg = sctp_datamsg_new(GFP_KERNEL);
+       if (!msg)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+ 
+       /* Note: Calculate this outside of the loop, so that all fragments
+        * have the same expiration.
+@@ -280,8 +280,11 @@ struct sctp_datamsg *sctp_datamsg_from_u
+ 
+               chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
+ 
+-              if (!chunk)
++              if (!chunk) {
++                      err = -ENOMEM;
+                       goto errout;
++              }
++
+               err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+               if (err < 0)
+                       goto errout_chunk_free;
+@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_u
+ 
+               chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
+ 
+-              if (!chunk)
++              if (!chunk) {
++                      err = -ENOMEM;
+                       goto errout;
++              }
+ 
+               err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
+ 
+@@ -342,7 +347,7 @@ errout:
+               sctp_chunk_free(chunk);
+       }
+       sctp_datamsg_put(msg);
+-      return NULL;
++      return ERR_PTR(err);
+ }
+ 
+ /* Check whether this message has expired. */
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1837,8 +1837,8 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
+ 
+       /* Break the message into multiple chunks of maximum size. */
+       datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
+-      if (!datamsg) {
+-              err = -ENOMEM;
++      if (IS_ERR(datamsg)) {
++              err = PTR_ERR(datamsg);
+               goto out_free;
+       }
+ 

diff --git a/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch b/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch
new file mode 100644 (file)
index 0000000..55e5676
--- /dev/null
+++ b/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch
@@ -0,0 +1,77 @@
+From aa65255f855057f042bf0f592e223856eca6394a Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Tue, 27 Nov 2012 04:01:46 +0000
+Subject: sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
+
+
+From: Tommi Rantala <tt.rantala@gmail.com>
+
+[ Upstream commit be364c8c0f17a3dd42707b5a090b318028538eb9 ]
+
+Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
+reproducible e.g. with the sendto() syscall by passing invalid
+user space pointer in the second argument:
+
+ #include <string.h>
+ #include <arpa/inet.h>
+ #include <sys/socket.h>
+
+ int main(void)
+ {
+         int fd;
+         struct sockaddr_in sa;
+
+         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
+         if (fd < 0)
+                 return 1;
+
+         memset(&sa, 0, sizeof(sa));
+         sa.sin_family = AF_INET;
+         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
+         sa.sin_port = htons(11111);
+
+         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
+
+         return 0;
+ }
+
+As far as I can tell, the leak has been around since ~2003.
+
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/chunk.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -284,7 +284,7 @@ struct sctp_datamsg *sctp_datamsg_from_u
+                       goto errout;
+               err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+               if (err < 0)
+-                      goto errout;
++                      goto errout_chunk_free;
+ 
+               offset += len;
+ 
+@@ -324,7 +324,7 @@ struct sctp_datamsg *sctp_datamsg_from_u
+               __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
+                          - (__u8 *)chunk->skb->data);
+               if (err < 0)
+-                      goto errout;
++                      goto errout_chunk_free;
+ 
+               sctp_datamsg_assign(msg, chunk);
+               list_add_tail(&chunk->frag_list, &msg->chunks);
+@@ -332,6 +332,9 @@ struct sctp_datamsg *sctp_datamsg_from_u
+ 
+       return msg;
+ 
++errout_chunk_free:
++      sctp_chunk_free(chunk);
++
+ errout:
+       list_for_each_safe(pos, temp, &msg->chunks) {
+               list_del_init(pos);

diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644 (file)
index 0000000..b7108e6
--- /dev/null
+++ b/queue-3.0/series
@@ -0,0 +1,7 @@
+bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch
+bonding-fix-race-condition-in-bonding_store_slaves_active.patch
+sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch
+sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch
+ne2000-add-the-right-platform-device.patch
+irda-sir_dev-fix-copy-paste-typo.patch
+usb-ipheth-add-iphone-5-support.patch

diff --git a/queue-3.0/usb-ipheth-add-iphone-5-support.patch b/queue-3.0/usb-ipheth-add-iphone-5-support.patch
new file mode 100644 (file)
index 0000000..aa74166
--- /dev/null
+++ b/queue-3.0/usb-ipheth-add-iphone-5-support.patch
@@ -0,0 +1,44 @@
+From ef066aa2d6a2313410524925cb964038e67a8f23 Mon Sep 17 00:00:00 2001
+From: Jay Purohit <jspurohit@velocitylimitless.com>
+Date: Sun, 14 Oct 2012 07:07:21 +0000
+Subject: usb/ipheth: Add iPhone 5 support
+
+
+From: Jay Purohit <jspurohit@velocitylimitless.com>
+
+[ Upstream commit af1b85e49089f945deb46258b0fc4bc9910afb22 ]
+
+I noticed that the iPhone ethernet driver did not support
+iPhone 5. I quickly added support to it in my kernel, here's
+a patch.
+
+Signed-off-by: Jay Purohit <jspurohit@velocitylimitless.com>
+Acked-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Jan Ceuleers <jan.ceuleers@computer.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -62,6 +62,7 @@
+ #define USB_PRODUCT_IPAD 0x129a
+ #define USB_PRODUCT_IPHONE_4_VZW 0x129c
+ #define USB_PRODUCT_IPHONE_4S 0x12a0
++#define USB_PRODUCT_IPHONE_5  0x12a8
+ 
+ #define IPHETH_USBINTF_CLASS    255
+ #define IPHETH_USBINTF_SUBCLASS 253
+@@ -113,6 +114,10 @@ static struct usb_device_id ipheth_table
+               USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4S,
+               IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
+               IPHETH_USBINTF_PROTO) },
++      { USB_DEVICE_AND_INTERFACE_INFO(
++              USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_5,
++              IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
++              IPHETH_USBINTF_PROTO) },
+       { }
+ };
+ MODULE_DEVICE_TABLE(usb, ipheth_table);