From: Greg Kroah-Hartman Date: Thu, 4 Dec 2014 01:08:19 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.62~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d724dce95c367e8173a376a859a6e0a5bb90b40;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ieee802154-fix-error-handling-in-ieee802154fake_probe.patch inetdevice-fixed-signed-integer-overflow.patch ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch pptp-fix-stack-info-leak-in-pptp_getname.patch qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch sparc64-fix-constraints-on-swab-helpers.patch --- diff --git a/queue-3.10/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch b/queue-3.10/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch new file mode 100644 index 00000000000..303bb992e50 --- /dev/null +++ b/queue-3.10/ieee802154-fix-error-handling-in-ieee802154fake_probe.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Alexey Khoroshilov +Date: Sat, 15 Nov 2014 02:11:59 +0300 +Subject: ieee802154: fix error handling in ieee802154fake_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 8c2dd54485ccee7fc4086611e188478584758c8d ] + +In case of any failure ieee802154fake_probe() just calls unregister_netdev(). +But it does not look safe to unregister netdevice before it was registered. + +The patch implements straightforward resource deallocation in case of +failure in ieee802154fake_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/fakehard.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/net/ieee802154/fakehard.c ++++ b/drivers/net/ieee802154/fakehard.c +@@ -376,17 +376,20 @@ static int ieee802154fake_probe(struct p + + err = wpan_phy_register(phy); + if (err) +- goto out; ++ goto err_phy_reg; + + err = register_netdev(dev); +- if (err < 0) +- goto out; ++ if (err) ++ goto err_netdev_reg; + + dev_info(&pdev->dev, "Added ieee802154 HardMAC hardware\n"); + return 0; + +-out: +- unregister_netdev(dev); ++err_netdev_reg: ++ wpan_phy_unregister(phy); ++err_phy_reg: ++ free_netdev(dev); ++ wpan_phy_free(phy); + return err; + } + diff --git a/queue-3.10/inetdevice-fixed-signed-integer-overflow.patch b/queue-3.10/inetdevice-fixed-signed-integer-overflow.patch new file mode 100644 index 00000000000..4d5ee2dae12 --- /dev/null +++ b/queue-3.10/inetdevice-fixed-signed-integer-overflow.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Vincent BENAYOUN +Date: Thu, 13 Nov 2014 13:47:26 +0100 +Subject: inetdevice: fixed signed integer overflow + +From: Vincent BENAYOUN + +[ Upstream commit 84bc88688e3f6ef843aa8803dbcd90168bb89faf ] + +There could be a signed overflow in the following code. + +The expression, (32-logmask) is comprised between 0 and 31 included. +It may be equal to 31. +In such a case the left shift will produce a signed integer overflow. +According to the C99 Standard, this is an undefined behavior. +A simple fix is to replace the signed int 1 with the unsigned int 1U. + +Signed-off-by: Vincent BENAYOUN +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/inetdevice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/inetdevice.h ++++ b/include/linux/inetdevice.h +@@ -261,7 +261,7 @@ static inline void in_dev_put(struct in_ + static __inline__ __be32 inet_make_mask(int logmask) + { + if (logmask) +- return htonl(~((1<<(32-logmask))-1)); ++ return htonl(~((1U<<(32-logmask))-1)); + return 0; + } + diff --git a/queue-3.10/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch b/queue-3.10/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch new file mode 100644 index 00000000000..d1d6e81b8e8 --- /dev/null +++ b/queue-3.10/ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Panu Matilainen +Date: Fri, 14 Nov 2014 13:14:32 +0200 +Subject: ipv4: Fix incorrect error code when adding an unreachable route + +From: Panu Matilainen + +[ Upstream commit 49dd18ba4615eaa72f15c9087dea1c2ab4744cf5 ] + +Trying to add an unreachable route incorrectly returns -ESRCH if +if custom FIB rules are present: + +[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4 +RTNETLINK answers: Network is unreachable +[root@localhost ~]# ip rule add to 55.66.77.88 table 200 +[root@localhost ~]# ip route add 74.125.31.199 dev eth0 via 1.2.3.4 +RTNETLINK answers: No such process +[root@localhost ~]# + +Commit 83886b6b636173b206f475929e58fac75c6f2446 ("[NET]: Change "not found" +return value for rule lookup") changed fib_rules_lookup() +to use -ESRCH as a "not found" code internally, but for user space it +should be translated into -ENETUNREACH. Handle the translation centrally in +ipv4-specific fib_lookup(), leaving the DECnet case alone. + +On a related note, commit b7a71b51ee37d919e4098cd961d59a883fd272d8 +("ipv4: removed redundant conditional") removed a similar translation from +ip_route_input_slow() prematurely AIUI. + +Fixes: b7a71b51ee37 ("ipv4: removed redundant conditional") +Signed-off-by: Panu Matilainen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_rules.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/fib_rules.c ++++ b/net/ipv4/fib_rules.c +@@ -62,6 +62,10 @@ int __fib_lookup(struct net *net, struct + else + res->tclassid = 0; + #endif ++ ++ if (err == -ESRCH) ++ err = -ENETUNREACH; ++ + return err; + } + EXPORT_SYMBOL_GPL(__fib_lookup); diff --git a/queue-3.10/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch b/queue-3.10/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch new file mode 100644 index 00000000000..4bce5428428 --- /dev/null +++ b/queue-3.10/ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch @@ -0,0 +1,66 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Jiri Bohac +Date: Wed, 19 Nov 2014 23:05:49 +0100 +Subject: ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg + +From: Jiri Bohac + +[ Upstream commit 01462405f0c093b2f8dfddafcadcda6c9e4c5cdf ] + +This fixes an old regression introduced by commit +b0d0d915 (ipx: remove the BKL). + +When a recvmsg syscall blocks waiting for new data, no data can be sent on the +same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked. + +This breaks mars-nwe (NetWare emulator): +- the ncpserv process reads the request using recvmsg +- ncpserv forks and spawns nwconn +- ncpserv calls a (blocking) recvmsg and waits for new requests +- nwconn deadlocks in sendmsg on the same socket + +Commit b0d0d915 has simply replaced BKL locking with +lock_sock/release_sock. Unlike now, BKL got unlocked while +sleeping, so a blocking recvmsg did not block a concurrent +sendmsg. + +Only keep the socket locked while actually working with the socket data and +release it prior to calling skb_recv_datagram(). + +Signed-off-by: Jiri Bohac +Reviewed-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipx/af_ipx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipx/af_ipx.c ++++ b/net/ipx/af_ipx.c +@@ -1778,6 +1778,7 @@ static int ipx_recvmsg(struct kiocb *ioc + struct ipxhdr *ipx = NULL; + struct sk_buff *skb; + int copied, rc; ++ bool locked = true; + + lock_sock(sk); + /* put the autobinding in */ +@@ -1804,6 +1805,8 @@ static int ipx_recvmsg(struct kiocb *ioc + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + ++ release_sock(sk); ++ locked = false; + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &rc); + if (!skb) +@@ -1837,7 +1840,8 @@ static int ipx_recvmsg(struct kiocb *ioc + out_free: + skb_free_datagram(sk, skb); + out: +- release_sock(sk); ++ if (locked) ++ release_sock(sk); + return rc; + } + diff --git a/queue-3.10/pptp-fix-stack-info-leak-in-pptp_getname.patch b/queue-3.10/pptp-fix-stack-info-leak-in-pptp_getname.patch new file mode 100644 index 00000000000..aa7bec64940 --- /dev/null +++ b/queue-3.10/pptp-fix-stack-info-leak-in-pptp_getname.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Mathias Krause +Date: Wed, 19 Nov 2014 18:05:26 +0100 +Subject: pptp: fix stack info leak in pptp_getname() + +From: Mathias Krause + +[ Upstream commit a5f6fc28d6e6cc379c6839f21820e62262419584 ] + +pptp_getname() only partially initializes the stack variable sa, +particularly only fills the pptp part of the sa_addr union. The code +thereby discloses 16 bytes of kernel stack memory via getsockname(). + +Fix this by memset(0)'ing the union before. + +Cc: Dmitry Kozlov +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -506,7 +506,9 @@ static int pptp_getname(struct socket *s + int len = sizeof(struct sockaddr_pppox); + struct sockaddr_pppox sp; + +- sp.sa_family = AF_PPPOX; ++ memset(&sp.sa_addr, 0, sizeof(sp.sa_addr)); ++ ++ sp.sa_family = AF_PPPOX; + sp.sa_protocol = PX_PROTO_PPTP; + sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr; + diff --git a/queue-3.10/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch b/queue-3.10/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch new file mode 100644 index 00000000000..20799a6eb44 --- /dev/null +++ b/queue-3.10/qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Dec 3 17:07:11 PST 2014 +From: Martin Hauke +Date: Sun, 16 Nov 2014 19:55:25 +0100 +Subject: qmi_wwan: Add support for HP lt4112 LTE/HSPA+ Gobi 4G Modem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Hauke + +[ Upstream commit bb2bdeb83fb125c95e47fc7eca2a3e8f868e2a74 ] + +Added the USB VID/PID for the HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) + +Signed-off-by: Martin Hauke +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -756,6 +756,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ ++ {QMI_FIXED_INTF(0x03f0, 0x581d, 4)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-3.10/series b/queue-3.10/series index 0e600b5978d..7de336c25a6 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -6,3 +6,10 @@ x86_64-traps-rework-bad_iret.patch x86-require-exact-match-for-noxsave-command-line-option.patch x86-mm-set-nx-across-entire-pmd-at-boot.patch uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch +sparc64-fix-constraints-on-swab-helpers.patch +inetdevice-fixed-signed-integer-overflow.patch +ipv4-fix-incorrect-error-code-when-adding-an-unreachable-route.patch +ieee802154-fix-error-handling-in-ieee802154fake_probe.patch +qmi_wwan-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch +pptp-fix-stack-info-leak-in-pptp_getname.patch +ipx-fix-locking-regression-in-ipx_sendmsg-and-ipx_recvmsg.patch diff --git a/queue-3.10/sparc64-fix-constraints-on-swab-helpers.patch b/queue-3.10/sparc64-fix-constraints-on-swab-helpers.patch new file mode 100644 index 00000000000..dee4e7adf80 --- /dev/null +++ b/queue-3.10/sparc64-fix-constraints-on-swab-helpers.patch @@ -0,0 +1,56 @@ +From 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Sun, 16 Nov 2014 13:19:32 -0800 +Subject: sparc64: Fix constraints on swab helpers. + +[ Upstream commit 5a2b59d3993e8ca4f7788a48a23e5cb303f26954 ] + +We are reading the memory location, so we have to have a memory +constraint in there purely for the sake of showing the data flow +to the compiler. + +Reported-by: Martin K. Petersen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/uapi/asm/swab.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/sparc/include/uapi/asm/swab.h ++++ b/arch/sparc/include/uapi/asm/swab.h +@@ -9,9 +9,9 @@ static inline __u16 __arch_swab16p(const + { + __u16 ret; + +- __asm__ __volatile__ ("lduha [%1] %2, %0" ++ __asm__ __volatile__ ("lduha [%2] %3, %0" + : "=r" (ret) +- : "r" (addr), "i" (ASI_PL)); ++ : "m" (*addr), "r" (addr), "i" (ASI_PL)); + return ret; + } + #define __arch_swab16p __arch_swab16p +@@ -20,9 +20,9 @@ static inline __u32 __arch_swab32p(const + { + __u32 ret; + +- __asm__ __volatile__ ("lduwa [%1] %2, %0" ++ __asm__ __volatile__ ("lduwa [%2] %3, %0" + : "=r" (ret) +- : "r" (addr), "i" (ASI_PL)); ++ : "m" (*addr), "r" (addr), "i" (ASI_PL)); + return ret; + } + #define __arch_swab32p __arch_swab32p +@@ -31,9 +31,9 @@ static inline __u64 __arch_swab64p(const + { + __u64 ret; + +- __asm__ __volatile__ ("ldxa [%1] %2, %0" ++ __asm__ __volatile__ ("ldxa [%2] %3, %0" + : "=r" (ret) +- : "r" (addr), "i" (ASI_PL)); ++ : "m" (*addr), "r" (addr), "i" (ASI_PL)); + return ret; + } + #define __arch_swab64p __arch_swab64p