From: Greg Kroah-Hartman Date: Mon, 17 Dec 2012 20:58:45 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.0.58~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2633c8ca23e24b954f2a8e6176cfcff361a58979;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch bonding-fix-race-condition-in-bonding_store_slaves_active.patch irda-sir_dev-fix-copy-paste-typo.patch ne2000-add-the-right-platform-device.patch sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch usb-ipheth-add-iphone-5-support.patch --- diff --git a/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch b/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch new file mode 100644 index 00000000000..a2ca9badc78 --- /dev/null +++ b/queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch 
@@ -0,0 +1,48 @@ +From 93332f2f5d26edaa68a84efce92339022c195cd4 Mon Sep 17 00:00:00 2001 +From: Sarveshwar Bandi +Date: Wed, 21 Nov 2012 04:35:03 +0000 +Subject: bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices. + + +From: Sarveshwar Bandi + +[ Upstream commit 0e376bd0b791ac6ac6bdb051492df0769c840848 ] + +Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach. + +Signed-off-by: Sarveshwar Bandi +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1439,6 +1439,8 @@ static void bond_compute_features(struct + struct net_device *bond_dev = bond->dev; + u32 vlan_features = BOND_VLAN_FEATURES; + unsigned short max_hard_header_len = ETH_HLEN; ++ unsigned int gso_max_size = GSO_MAX_SIZE; ++ u16 gso_max_segs = GSO_MAX_SEGS; + int i; + + read_lock(&bond->lock); +@@ -1452,11 +1454,16 @@ static void bond_compute_features(struct + + if (slave->dev->hard_header_len > max_hard_header_len) + max_hard_header_len = slave->dev->hard_header_len; ++ ++ gso_max_size = min(gso_max_size, slave->dev->gso_max_size); ++ gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs); + } + + done: + bond_dev->vlan_features = vlan_features; + bond_dev->hard_header_len = max_hard_header_len; ++ bond_dev->gso_max_segs = gso_max_segs; ++ netif_set_gso_max_size(bond_dev, gso_max_size); + + read_unlock(&bond->lock); + diff --git a/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch b/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch new file mode 100644 index 00000000000..d98e8a4ce31 --- /dev/null +++ b/queue-3.0/bonding-fix-race-condition-in-bonding_store_slaves_active.patch 
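Review bot: The two `min()` lines added to the slave loop in bond_compute_features() have no comment saying why the bond takes the smallest slave limit, and the reason is not obvious from the code alone. I would add `/* never advertise a larger GSO size or segment count than the most restrictive slave reports */` above them. Separately, `bond_dev->gso_max_segs` is assigned directly while the size goes through `netif_set_gso_max_size()`. If this tree has no setter for the segment count the asymmetry is fine, but it is worth confirming when queuing. The function starts and ends outside the inner hunks, so how the no-slave path reaches `done:` cannot be checked from here.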
@@ -0,0 +1,44 @@ +From fb1262c567b4b9e69db4b0ebcd16bf088d212b5a Mon Sep 17 00:00:00 2001 +From: "nikolay@redhat.com" +Date: Thu, 29 Nov 2012 01:37:59 +0000 +Subject: bonding: fix race condition in bonding_store_slaves_active + + +From: "nikolay@redhat.com" + +[ Upstream commit e196c0e579902f42cf72414461fb034e5a1ffbf7 ] + +Race between bonding_store_slaves_active() and slave manipulation + functions. The bond_for_each_slave use in bonding_store_slaves_active() + is not protected by any synchronization mechanism. + NULL pointer dereference is easy to reach. + Fixed by acquiring the bond->lock for the slave walk. + + v2: Make description text < 75 columns + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/bonding/bond_sysfs.c ++++ b/drivers/net/bonding/bond_sysfs.c +@@ -1524,6 +1524,7 @@ static ssize_t bonding_store_slaves_acti + goto out; + } + ++ read_lock(&bond->lock); + bond_for_each_slave(bond, slave, i) { + if (!bond_is_active_slave(slave)) { + if (new_value) +@@ -1532,6 +1533,7 @@ static ssize_t bonding_store_slaves_acti + slave->inactive = 1; + } + } ++ read_unlock(&bond->lock); + out: + return ret; + } diff --git a/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch b/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch new file mode 100644 index 00000000000..2cf31d1b6e2 --- /dev/null +++ b/queue-3.0/irda-sir_dev-fix-copy-paste-typo.patch 
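Review bot: The loop in bonding_store_slaves_active() now runs under `read_lock(&bond->lock)` yet writes `slave->inactive`, so the read side only keeps the slave list stable during the walk and does not protect the field; nothing in the code says so. A comment before the `read_lock()` such as `/* bond->lock held for read: the slave list must not change while we walk it */` would record that. A read lock does not exclude two concurrent writers of this sysfs attribute from each other. Whether another lock covers that cannot be told from the hunk, because the function starts outside it. The `goto out` shown sits before the lock is taken, so the lock and unlock stay balanced on the visible paths.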
@@ -0,0 +1,28 @@ +From 067d358b4ca9434ba1a3ea1cd7167658283c900e Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Tue, 20 Nov 2012 09:59:11 +0000 +Subject: irda: sir_dev: Fix copy/paste typo + + +From: Alexander Shiyan + +[ Upstream commit 2355a62bcbdcc4b567425bab036bfab6ade87eed ] + +Signed-off-by: Alexander Shiyan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/irda/sir_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/irda/sir_dev.c ++++ b/drivers/net/irda/sir_dev.c +@@ -221,7 +221,7 @@ static void sirdev_config_fsm(struct wor + break; + + case SIRDEV_STATE_DONGLE_SPEED: +- if (dev->dongle_drv->reset) { ++ if (dev->dongle_drv->set_speed) { + ret = dev->dongle_drv->set_speed(dev, fsm->param); + if (ret < 0) { + fsm->result = ret; diff --git a/queue-3.0/ne2000-add-the-right-platform-device.patch b/queue-3.0/ne2000-add-the-right-platform-device.patch new file mode 100644 index 00000000000..0c37b93e695 --- /dev/null +++ b/queue-3.0/ne2000-add-the-right-platform-device.patch @@ -0,0 +1,30 @@ +From 92a857d0f4bf20d532e79bd5b9e856372e7c9050 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Tue, 20 Nov 2012 06:31:57 +0000 +Subject: ne2000: add the right platform device + + +From: Alan Cox + +[ Upstream commit da9da01d9199b5bb15289d0859053c9aa3a34ac0 ] + +Without this udev doesn't have a way to key the ne device to the platform +device. + +Signed-off-by: Alan Cox +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ne.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ne.c ++++ b/drivers/net/ne.c +@@ -814,6 +814,7 @@ static int __init ne_drv_probe(struct pl + dev->irq = irq[this_dev]; + dev->mem_end = bad[this_dev]; + } ++ SET_NETDEV_DEV(dev, &pdev->dev); + err = do_ne_probe(dev); + if (err) { + free_netdev(dev); 
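Review bot: The queued irda patch has an empty description, so nothing records why the one-line change in sirdev_config_fsm() matters. The old condition tested `dev->dongle_drv->reset` and then called `dev->dongle_drv->set_speed`, which would be a call through a NULL function pointer for a dongle driver that provides the first callback but not the second. A short comment on the new guard, for example `/* check the callback that is actually called below */`, would help stop the next copy of this block repeating the mistake. Whether any in-tree dongle driver leaves `set_speed` unset is not visible on this page, and the case body continues past the hunk.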
diff --git a/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch b/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch new file mode 100644 index 00000000000..1bd23f505f2 --- /dev/null +++ b/queue-3.0/sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch 
@@ -0,0 +1,117 @@ +From 3c37dd11fa65c5f2e657a21a77cc09d6d6c55e95 Mon Sep 17 00:00:00 2001 +From: Tommi Rantala +Date: Thu, 22 Nov 2012 03:23:16 +0000 +Subject: sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall + + +From: Tommi Rantala + +[ Upstream commit 6e51fe7572590d8d86e93b547fab6693d305fd0d ] + +Consider the following program, that sets the second argument to the +sendto() syscall incorrectly: + + #include + #include + #include + + int main(void) + { + int fd; + struct sockaddr_in sa; + + fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); + if (fd < 0) + return 1; + + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_addr.s_addr = inet_addr("127.0.0.1"); + sa.sin_port = htons(11111); + + sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); + + return 0; + } + +We get -ENOMEM: + + $ strace -e sendto ./demo + sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory) + +Propagate the error code from sctp_user_addto_chunk(), so that we will +tell user space what actually went wrong: + + $ strace -e sendto ./demo + sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address) + +Noticed while running Trinity (the syscall fuzzer). + +Signed-off-by: Tommi Rantala +Acked-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/chunk.c | 13 +++++++++---- + net/sctp/socket.c | 4 ++-- + 2 files changed, 11 insertions(+), 6 deletions(-) + +--- a/net/sctp/chunk.c ++++ b/net/sctp/chunk.c +@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_u + + msg = sctp_datamsg_new(GFP_KERNEL); + if (!msg) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + /* Note: Calculate this outside of the loop, so that all fragments + * have the same expiration. 
+@@ -280,8 +280,11 @@ struct sctp_datamsg *sctp_datamsg_from_u + + chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0); + +- if (!chunk) ++ if (!chunk) { ++ err = -ENOMEM; + goto errout; ++ } ++ + err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); + if (err < 0) + goto errout_chunk_free; +@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_u + + chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0); + +- if (!chunk) ++ if (!chunk) { ++ err = -ENOMEM; + goto errout; ++ } + + err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov); + +@@ -342,7 +347,7 @@ errout: + sctp_chunk_free(chunk); + } + sctp_datamsg_put(msg); +- return NULL; ++ return ERR_PTR(err); + } + + /* Check whether this message has expired. */ +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1837,8 +1837,8 @@ SCTP_STATIC int sctp_sendmsg(struct kioc + + /* Break the message into multiple chunks of maximum size. */ + datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len); +- if (!datamsg) { +- err = -ENOMEM; ++ if (IS_ERR(datamsg)) { ++ err = PTR_ERR(datamsg); + goto out_free; + } + diff --git a/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch b/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch new file mode 100644 index 00000000000..55e56767c4c --- /dev/null +++ b/queue-3.0/sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch 
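Review bot: sctp_datamsg_from_user() changes its failure contract from NULL to `ERR_PTR()` and the function's comment is not updated to say so. Any caller that still tests `!datamsg` would accept an error pointer as a valid message and dereference it. The patch converts the one call in sctp_sendmsg(); the 3.0 tree should be checked for other callers before queuing, since this page does not show them. I would add to the function's header comment a line like `/* Returns the new datamsg, or ERR_PTR(-errno) on failure; never NULL. */`. The added `err = -ENOMEM` assignments cover both `!chunk` exits shown, but the body extends beyond the hunks, so any other `goto errout` site needs the same check that `err` is set before `ERR_PTR(err)` is returned.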
@@ -0,0 +1,77 @@ +From aa65255f855057f042bf0f592e223856eca6394a Mon Sep 17 00:00:00 2001 +From: Tommi Rantala +Date: Tue, 27 Nov 2012 04:01:46 +0000 +Subject: sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails + + +From: Tommi Rantala + +[ Upstream commit be364c8c0f17a3dd42707b5a090b318028538eb9 ] + +Trinity (the syscall fuzzer) discovered a memory leak in SCTP, +reproducible e.g. with the sendto() syscall by passing invalid +user space pointer in the second argument: + + #include + #include + #include + + int main(void) + { + int fd; + struct sockaddr_in sa; + + fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); + if (fd < 0) + return 1; + + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_addr.s_addr = inet_addr("127.0.0.1"); + sa.sin_port = htons(11111); + + sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); + + return 0; + } + +As far as I can tell, the leak has been around since ~2003. + +Signed-off-by: Tommi Rantala +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/chunk.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/sctp/chunk.c ++++ b/net/sctp/chunk.c +@@ -284,7 +284,7 @@ struct sctp_datamsg *sctp_datamsg_from_u + goto errout; + err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); + if (err < 0) +- goto errout; ++ goto errout_chunk_free; + + offset += len; + +@@ -324,7 +324,7 @@ struct sctp_datamsg *sctp_datamsg_from_u + __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr + - (__u8 *)chunk->skb->data); + if (err < 0) +- goto errout; ++ goto errout_chunk_free; + + sctp_datamsg_assign(msg, chunk); + list_add_tail(&chunk->frag_list, &msg->chunks); +@@ -332,6 +332,9 @@ struct sctp_datamsg *sctp_datamsg_from_u + + return msg; + ++errout_chunk_free: ++ sctp_chunk_free(chunk); ++ + errout: + list_for_each_safe(pos, temp, &msg->chunks) { + list_del_init(pos); 
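Review bot: The new `errout_chunk_free:` label falls through into `errout:` with no comment, and the reason a separate free is needed is easy to miss. At the second `goto errout_chunk_free` site the hunk shows `list_add_tail(&chunk->frag_list, &msg->chunks)` only after the error check, so the list walk under `errout:` never reaches the failed chunk. The first site presumably has the same order, but its list insertion is outside the hunk. I would add `/* chunk is not on msg->chunks yet: free it here, then fall through to release the rest */` above the label. The `!chunk` exits correctly keep `goto errout`, since there is nothing to free on that path.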
diff --git a/queue-3.0/series b/queue-3.0/series new file mode 100644 index 00000000000..b7108e6a9b9 --- /dev/null +++ b/queue-3.0/series @@ -0,0 +1,7 @@ +bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch +bonding-fix-race-condition-in-bonding_store_slaves_active.patch +sctp-fix-memory-leak-in-sctp_datamsg_from_user-when-copy-from-user-space-fails.patch +sctp-fix-enomem-result-with-invalid-user-space-pointer-in-sendto-syscall.patch +ne2000-add-the-right-platform-device.patch +irda-sir_dev-fix-copy-paste-typo.patch +usb-ipheth-add-iphone-5-support.patch diff --git a/queue-3.0/usb-ipheth-add-iphone-5-support.patch b/queue-3.0/usb-ipheth-add-iphone-5-support.patch new file mode 100644 index 00000000000..aa741666fed --- /dev/null +++ b/queue-3.0/usb-ipheth-add-iphone-5-support.patch 
@@ -0,0 +1,44 @@ +From ef066aa2d6a2313410524925cb964038e67a8f23 Mon Sep 17 00:00:00 2001 +From: Jay Purohit +Date: Sun, 14 Oct 2012 07:07:21 +0000 +Subject: usb/ipheth: Add iPhone 5 support + + +From: Jay Purohit + +[ Upstream commit af1b85e49089f945deb46258b0fc4bc9910afb22 ] + +I noticed that the iPhone ethernet driver did not support +iPhone 5. I quickly added support to it in my kernel, here's +a patch. + +Signed-off-by: Jay Purohit +Acked-by: Valdis Kletnieks +Signed-off-by: Jan Ceuleers +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -62,6 +62,7 @@ + #define USB_PRODUCT_IPAD 0x129a + #define USB_PRODUCT_IPHONE_4_VZW 0x129c + #define USB_PRODUCT_IPHONE_4S 0x12a0 ++#define USB_PRODUCT_IPHONE_5 0x12a8 + + #define IPHETH_USBINTF_CLASS 255 + #define IPHETH_USBINTF_SUBCLASS 253 +@@ -113,6 +114,10 @@ static struct usb_device_id ipheth_table + USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4S, + IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS, + IPHETH_USBINTF_PROTO) }, ++ { USB_DEVICE_AND_INTERFACE_INFO( ++ USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_5, ++ IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS, ++ IPHETH_USBINTF_PROTO) }, + { } + }; + MODULE_DEVICE_TABLE(usb, ipheth_table);