From: Greg Kroah-Hartman Date: Mon, 13 Jan 2014 17:38:35 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.77~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=963efa893bc6d8e1562f621814de1eff42823966;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: bridge-use-spin_lock_bh-in-br_multicast_set_hash_max.patch drivers-net-hamradio-integer-overflow-in-hdlcdrv_ioctl.patch hamradio-yam-fix-info-leak-in-ioctl.patch ipv6-don-t-count-addrconf-generated-routes-against-gc-limit.patch macvtap-do-not-double-count-received-packets.patch macvtap-signal-truncated-packets.patch macvtap-update-file-current-position.patch net-do-not-pretend-fraglist-support.patch net-drop_monitor-fix-the-value-of-maxattr.patch net-inet_diag-zero-out-uninitialized-idiag_-src-dst-fields.patch net-llc-fix-use-after-free-in-llc_ui_recvmsg.patch net-rose-restore-old-recvmsg-behavior.patch net-unix-allow-bind-to-fail-on-mutex-lock.patch net-unix-allow-set_peek_off-to-fail.patch netvsc-don-t-flush-peers-notifying-work-during-setting-mtu.patch rds-prevent-bug_on-triggered-on-congestion-update-to-loopback.patch rds-prevent-dereference-of-a-null-device.patch tg3-initialize-reg_base_addr-at-pci-config-offset-120-to-0.patch tun-update-file-current-position.patch vlan-fix-header-ops-passthru-when-doing-tx-vlan-offload.patch --- diff --git a/queue-3.4/bridge-use-spin_lock_bh-in-br_multicast_set_hash_max.patch b/queue-3.4/bridge-use-spin_lock_bh-in-br_multicast_set_hash_max.patch new file mode 100644 index 00000000000..620381d535f --- /dev/null +++ b/queue-3.4/bridge-use-spin_lock_bh-in-br_multicast_set_hash_max.patch 
@@ -0,0 +1,63 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Curt Brune +Date: Mon, 6 Jan 2014 11:00:32 -0800 +Subject: bridge: use spin_lock_bh() in br_multicast_set_hash_max + +From: Curt Brune + +[ Upstream commit fe0d692bbc645786bce1a98439e548ae619269f5 ] + +br_multicast_set_hash_max() is called from process context in +net/bridge/br_sysfs_br.c by the sysfs store_hash_max() function. + +br_multicast_set_hash_max() calls spin_lock(&br->multicast_lock), +which can deadlock the CPU if a softirq that also tries to take the +same lock interrupts br_multicast_set_hash_max() while the lock is +held . This can happen quite easily when any of the bridge multicast +timers expire, which try to take the same lock. + +The fix here is to use spin_lock_bh(), preventing other softirqs from +executing on this CPU. + +Steps to reproduce: + +1. Create a bridge with several interfaces (I used 4). +2. Set the "multicast query interval" to a low number, like 2. +3. Enable the bridge as a multicast querier. +4. Repeatedly set the bridge hash_max parameter via sysfs. + + # brctl addbr br0 + # brctl addif br0 eth1 eth2 eth3 eth4 + # brctl setmcqi br0 2 + # brctl setmcquerier br0 1 + + # while true ; do echo 4096 > /sys/class/net/br0/bridge/hash_max; done + +Signed-off-by: Curt Brune +Signed-off-by: Scott Feldman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1744,7 +1744,7 @@ int br_multicast_set_hash_max(struct net + u32 old; + struct net_bridge_mdb_htable *mdb; + +- spin_lock(&br->multicast_lock); ++ spin_lock_bh(&br->multicast_lock); + if (!netif_running(br->dev)) + goto unlock; + +@@ -1776,7 +1776,7 @@ rollback: + } + + unlock: +- spin_unlock(&br->multicast_lock); ++ spin_unlock_bh(&br->multicast_lock); + + return err; + } 
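Review bot: The switch to `spin_lock_bh(&br->multicast_lock)` at the top of `br_multicast_set_hash_max` carries no hint of why the `_bh` variant is required, so a later cleanup could revert it to `spin_lock()` and silently reintroduce the deadlock the patch description documents. A one-line comment would keep the reasoning next to the lock: `/* _bh: the bridge multicast timers take multicast_lock from softirq context */`. The matching `spin_unlock_bh()` in the second hunk needs no comment of its own. The function's signature and the `rollback:` body between the two hunks lie outside the shown lines.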
diff --git a/queue-3.4/drivers-net-hamradio-integer-overflow-in-hdlcdrv_ioctl.patch b/queue-3.4/drivers-net-hamradio-integer-overflow-in-hdlcdrv_ioctl.patch new file mode 100644 index 00000000000..3a1d57b6529 --- /dev/null +++ b/queue-3.4/drivers-net-hamradio-integer-overflow-in-hdlcdrv_ioctl.patch @@ -0,0 +1,32 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Wenliang Fan +Date: Tue, 17 Dec 2013 11:25:28 +0800 +Subject: drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() + +From: Wenliang Fan + +[ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] + +The local variable 'bi' comes from userspace. If userspace passed a +large number to 'bi.data.calibrate', there would be an integer overflow +in the following line: + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; + +Signed-off-by: Wenliang Fan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/hdlcdrv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/hamradio/hdlcdrv.c ++++ b/drivers/net/hamradio/hdlcdrv.c +@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_devi + case HDLCDRVCTL_CALIBRATE: + if(!capable(CAP_SYS_RAWIO)) + return -EPERM; ++ if (bi.data.calibrate > INT_MAX / s->par.bitrate) ++ return -EINVAL; + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; + return 0; + diff --git a/queue-3.4/hamradio-yam-fix-info-leak-in-ioctl.patch b/queue-3.4/hamradio-yam-fix-info-leak-in-ioctl.patch new file mode 100644 index 00000000000..d1b62da7bb5 --- /dev/null +++ b/queue-3.4/hamradio-yam-fix-info-leak-in-ioctl.patch 
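Review bot: The new guard in the `HDLCDRVCTL_CALIBRATE` case only bounds the positive side: `bi.data.calibrate` comes from userspace and, if it is a signed int as its comparison against `INT_MAX / s->par.bitrate` suggests, a large negative value passes the check and the product `bi.data.calibrate * s->par.bitrate` can still overflow in the other direction, while a small negative value produces a negative `s->hdlctx.calibrate`. The guard also divides by `s->par.bitrate`, which the hunk does not show to be non-zero at this point. Tightening to `if (bi.data.calibrate < 0 || bi.data.calibrate > INT_MAX / s->par.bitrate) return -EINVAL;` closes the sign gap; whether `bitrate` can be zero here has to be confirmed against where `s->par` is populated, outside this hunk. `hdlcdrv_ioctl` begins and ends outside the hunk.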
@@ -0,0 +1,33 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: =?UTF-8?q?Salva=20Peir=C3=B3?= +Date: Tue, 17 Dec 2013 10:06:30 +0100 +Subject: hamradio/yam: fix info leak in ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Salva Peiró + +[ Upstream commit 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed ] + +The yam_ioctl() code fails to initialise the cmd field +of the struct yamdrv_ioctl_cfg. Add an explicit memset(0) +before filling the structure to avoid the 4-byte info leak. + +Signed-off-by: Salva Peiró +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/yam.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -1058,6 +1058,7 @@ static int yam_ioctl(struct net_device * + break; + + case SIOCYAMGCFG: ++ memset(&yi, 0, sizeof(yi)); + yi.cfg.mask = 0xffffffff; + yi.cfg.iobase = yp->iobase; + yi.cfg.irq = yp->irq; diff --git a/queue-3.4/ipv6-don-t-count-addrconf-generated-routes-against-gc-limit.patch b/queue-3.4/ipv6-don-t-count-addrconf-generated-routes-against-gc-limit.patch new file mode 100644 index 00000000000..e493ec9b1c1 --- /dev/null +++ b/queue-3.4/ipv6-don-t-count-addrconf-generated-routes-against-gc-limit.patch 
@@ -0,0 +1,46 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Hannes Frederic Sowa +Date: Sat, 7 Dec 2013 03:33:45 +0100 +Subject: ipv6: don't count addrconf generated routes against gc limit + +From: Hannes Frederic Sowa + +[ Upstream commit a3300ef4bbb1f1e33ff0400e1e6cf7733d988f4f ] + +Brett Ciphery reported that new ipv6 addresses failed to get installed +because the addrconf generated dsts where counted against the dst gc +limit. We don't need to count those routes like we currently don't count +administratively added routes. + +Because the max_addresses check enforces a limit on unbounded address +generation first in case someone plays with router advertisments, we +are still safe here. + +Reported-by: Brett Ciphery +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2114,15 +2114,11 @@ struct rt6_info *addrconf_dst_alloc(stru + { + struct net *net = dev_net(idev->dev); + struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, +- net->loopback_dev, 0); ++ net->loopback_dev, DST_NOCOUNT); + int err; + +- if (!rt) { +- if (net_ratelimit()) +- pr_warning("IPv6: Maximum number of routes reached," +- " consider increasing route/max_size.\n"); ++ if (!rt) + return ERR_PTR(-ENOMEM); +- } + + in6_dev_hold(idev); + diff --git a/queue-3.4/macvtap-do-not-double-count-received-packets.patch b/queue-3.4/macvtap-do-not-double-count-received-packets.patch new file mode 100644 index 00000000000..3e12d6435e5 --- /dev/null +++ b/queue-3.4/macvtap-do-not-double-count-received-packets.patch 
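Review bot: The change from `0` to `DST_NOCOUNT` in `addrconf_dst_alloc` is the whole fix, but nothing at the call site records why these routes are exempt from the gc limit; the justification (they are already bounded by the `max_addresses` check) lives only in the commit message. Suggest `/* DST_NOCOUNT: addrconf routes are bounded by max_addresses, not route/max_size */` above the `ip6_dst_alloc()` call. Dropping the rate-limited `pr_warning` also means an allocation failure here is now a silent `-ENOMEM`, which looks intended since the old message referred to a limit that no longer applies to this path. The function continues past the hunk.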
@@ -0,0 +1,48 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Vlad Yasevich +Date: Tue, 26 Nov 2013 12:37:12 -0500 +Subject: macvtap: Do not double-count received packets + +From: Vlad Yasevich + +[ Upstream commit 006da7b07bc4d3a7ffabad17cf639eec6849c9dc ] + +Currently macvlan will count received packets after calling each +vlans receive handler. Macvtap attempts to count the packet +yet again when the user reads the packet from the tap socket. +This code doesn't do this consistently either. Remove the +counting from macvtap and let only macvlan count received +packets. + +Signed-off-by: Vlad Yasevich +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -797,7 +797,6 @@ static ssize_t macvtap_put_user(struct m + const struct sk_buff *skb, + const struct iovec *iv, int len) + { +- struct macvlan_dev *vlan; + int ret; + int vnet_hdr_len = 0; + int vlan_offset = 0; +@@ -851,12 +850,6 @@ static ssize_t macvtap_put_user(struct m + copied += len; + + done: +- rcu_read_lock_bh(); +- vlan = rcu_dereference_bh(q->vlan); +- if (vlan) +- macvlan_count_rx(vlan, copied - vnet_hdr_len, ret == 0, 0); +- rcu_read_unlock_bh(); +- + return ret ? ret : copied; + } + diff --git a/queue-3.4/macvtap-signal-truncated-packets.patch b/queue-3.4/macvtap-signal-truncated-packets.patch new file mode 100644 index 00000000000..74835e00ac2 --- /dev/null +++ b/queue-3.4/macvtap-signal-truncated-packets.patch 
@@ -0,0 +1,76 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Jason Wang +Date: Wed, 11 Dec 2013 13:08:34 +0800 +Subject: macvtap: signal truncated packets + +From: Jason Wang + +[ Upstream commit ce232ce01d61b184202bb185103d119820e1260c ] + +macvtap_put_user() never return a value grater than iov length, this in fact +bypasses the truncated checking in macvtap_recvmsg(). Fix this by always +returning the size of packet plus the possible vlan header to let the trunca +checking work. + +Cc: Vlad Yasevich +Cc: Zhi Yong Wu +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Vlad Yasevich +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -800,7 +800,7 @@ static ssize_t macvtap_put_user(struct m + int ret; + int vnet_hdr_len = 0; + int vlan_offset = 0; +- int copied; ++ int copied, total; + + if (q->flags & IFF_VNET_HDR) { + struct virtio_net_hdr vnet_hdr; +@@ -815,7 +815,8 @@ static ssize_t macvtap_put_user(struct m + if (memcpy_toiovecend(iv, (void *)&vnet_hdr, 0, sizeof(vnet_hdr))) + return -EFAULT; + } +- copied = vnet_hdr_len; ++ total = copied = vnet_hdr_len; ++ total += skb->len; + + if (!vlan_tx_tag_present(skb)) + len = min_t(int, skb->len, len); +@@ -830,6 +831,7 @@ static ssize_t macvtap_put_user(struct m + + vlan_offset = offsetof(struct vlan_ethhdr, h_vlan_proto); + len = min_t(int, skb->len + VLAN_HLEN, len); ++ total += VLAN_HLEN; + + copy = min_t(int, vlan_offset, len); + ret = skb_copy_datagram_const_iovec(skb, 0, iv, copied, copy); +@@ -847,10 +849,9 @@ static ssize_t macvtap_put_user(struct m + } + + ret = skb_copy_datagram_const_iovec(skb, vlan_offset, iv, copied, len); +- copied += len; + + done: +- return ret ? ret : copied; ++ return ret ? 
ret : total; + } + + static ssize_t macvtap_do_read(struct macvtap_queue *q, struct kiocb *iocb, +@@ -904,7 +905,7 @@ static ssize_t macvtap_aio_read(struct k + } + + ret = macvtap_do_read(q, iocb, iv, len, file->f_flags & O_NONBLOCK); +- ret = min_t(ssize_t, ret, len); /* XXX copied from tun.c. Why? */ ++ ret = min_t(ssize_t, ret, len); + if (ret > 0) + iocb->ki_pos = ret; + out: diff --git a/queue-3.4/macvtap-update-file-current-position.patch b/queue-3.4/macvtap-update-file-current-position.patch new file mode 100644 index 00000000000..a8c4dbfaa70 --- /dev/null +++ b/queue-3.4/macvtap-update-file-current-position.patch @@ -0,0 +1,27 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Zhi Yong Wu +Date: Fri, 6 Dec 2013 14:16:50 +0800 +Subject: macvtap: update file current position + +From: Zhi Yong Wu + +[ Upstream commit e6ebc7f16ca1434a334647aa56399c546be4e64b ] + +Signed-off-by: Zhi Yong Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvtap.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -905,6 +905,8 @@ static ssize_t macvtap_aio_read(struct k + + ret = macvtap_do_read(q, iocb, iv, len, file->f_flags & O_NONBLOCK); + ret = min_t(ssize_t, ret, len); /* XXX copied from tun.c. Why? */ ++ if (ret > 0) ++ iocb->ki_pos = ret; + out: + return ret; + } diff --git a/queue-3.4/net-do-not-pretend-fraglist-support.patch b/queue-3.4/net-do-not-pretend-fraglist-support.patch new file mode 100644 index 00000000000..9649d932c2d --- /dev/null +++ b/queue-3.4/net-do-not-pretend-fraglist-support.patch 
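Review bot: `macvtap_put_user` now returns `total` (vnet header plus `skb->len`, plus `VLAN_HLEN` when a tag is present) rather than the bytes actually copied, which is the intended truncation signal but is invisible at the function head; a comment above the signature, which lies outside the hunk, such as `/* Returns the full packet length (headers included), not the bytes copied, so callers can detect truncation against len */` would document the new contract. Note also that the second hunk's context lines `if (ret > 0)` / `iocb->ki_pos = ret;` only exist once macvtap-update-file-current-position.patch, added by this same commit, has been applied, so the series order must place that patch before this one; the series file is not part of this commit, so that ordering is worth confirming. The `ret = min_t(ssize_t, ret, len);` line in `macvtap_aio_read` is what clamps the oversized return for the read(2) path, so the larger value is only observable through the recvmsg path.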
@@ -0,0 +1,86 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Eric Dumazet +Date: Mon, 2 Dec 2013 08:51:13 -0800 +Subject: net: do not pretend FRAGLIST support + +From: Eric Dumazet + +[ Upstream commit 28e24c62ab3062e965ef1b3bcc244d50aee7fa85 ] + +Few network drivers really supports frag_list : virtual drivers. + +Some drivers wrongly advertise NETIF_F_FRAGLIST feature. + +If skb with a frag_list is given to them, packet on the wire will be +corrupt. + +Remove this flag, as core networking stack will make sure to +provide packets that can be sent without corruption. + +Signed-off-by: Eric Dumazet +Cc: Thadeu Lima de Souza Cascardo +Cc: Anirudha Sarangi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/calxeda/xgmac.c | 2 +- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 2 +- + drivers/net/ethernet/tehuti/tehuti.c | 1 - + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +- + 5 files changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/calxeda/xgmac.c ++++ b/drivers/net/ethernet/calxeda/xgmac.c +@@ -1776,7 +1776,7 @@ static int xgmac_probe(struct platform_d + if (device_can_wakeup(priv->device)) + priv->wolopts = WAKE_MAGIC; /* Magic Frame as default */ + +- ndev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA; ++ ndev->hw_features = NETIF_F_SG | NETIF_F_HIGHDMA; + if (readl(priv->base + XGMAC_DMA_HW_FEATURE) & DMA_HW_FEAT_TXCOESEL) + ndev->hw_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_RXCSUM; +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3029,7 +3029,7 @@ static struct ehea_port *ehea_setup_sing + + dev->hw_features = NETIF_F_SG | NETIF_F_TSO + | NETIF_F_IP_CSUM | NETIF_F_HW_VLAN_TX | NETIF_F_LRO; +- dev->features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_TSO ++ dev->features = NETIF_F_SG | NETIF_F_TSO + | NETIF_F_HIGHDMA | NETIF_F_IP_CSUM | 
NETIF_F_HW_VLAN_TX + | NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_FILTER + | NETIF_F_RXCSUM; +--- a/drivers/net/ethernet/tehuti/tehuti.c ++++ b/drivers/net/ethernet/tehuti/tehuti.c +@@ -1995,7 +1995,6 @@ bdx_probe(struct pci_dev *pdev, const st + ndev->features = NETIF_F_IP_CSUM | NETIF_F_SG | NETIF_F_TSO + | NETIF_F_HW_VLAN_TX | NETIF_F_HW_VLAN_RX | + NETIF_F_HW_VLAN_FILTER | NETIF_F_RXCSUM +- /*| NETIF_F_FRAGLIST */ + ; + ndev->hw_features = NETIF_F_IP_CSUM | NETIF_F_SG | + NETIF_F_TSO | NETIF_F_HW_VLAN_TX; +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -1026,7 +1026,7 @@ static int __devinit temac_of_probe(stru + dev_set_drvdata(&op->dev, ndev); + SET_NETDEV_DEV(ndev, &op->dev); + ndev->flags &= ~IFF_MULTICAST; /* clear multicast */ +- ndev->features = NETIF_F_SG | NETIF_F_FRAGLIST; ++ ndev->features = NETIF_F_SG; + ndev->netdev_ops = &temac_netdev_ops; + ndev->ethtool_ops = &temac_ethtool_ops; + #if 0 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1494,7 +1494,7 @@ static int __devinit axienet_of_probe(st + + SET_NETDEV_DEV(ndev, &op->dev); + ndev->flags &= ~IFF_MULTICAST; /* clear multicast */ +- ndev->features = NETIF_F_SG | NETIF_F_FRAGLIST; ++ ndev->features = NETIF_F_SG; + ndev->netdev_ops = &axienet_netdev_ops; + ndev->ethtool_ops = &axienet_ethtool_ops; + diff --git a/queue-3.4/net-drop_monitor-fix-the-value-of-maxattr.patch b/queue-3.4/net-drop_monitor-fix-the-value-of-maxattr.patch new file mode 100644 index 00000000000..bef2462dd47 --- /dev/null +++ b/queue-3.4/net-drop_monitor-fix-the-value-of-maxattr.patch 
@@ -0,0 +1,29 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Changli Gao +Date: Sun, 8 Dec 2013 09:36:56 -0500 +Subject: net: drop_monitor: fix the value of maxattr + +From: Changli Gao + +[ Upstream commit d323e92cc3f4edd943610557c9ea1bb4bb5056e8 ] + +maxattr in genl_family should be used to save the max attribute +type, but not the max command type. Drop monitor doesn't support +any attributes, so we should leave it as zero. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -61,7 +61,6 @@ static struct genl_family net_drop_monit + .hdrsize = 0, + .name = "NET_DM", + .version = 2, +- .maxattr = NET_DM_CMD_MAX, + }; + + static DEFINE_PER_CPU(struct per_cpu_dm_data, dm_cpu_data); diff --git a/queue-3.4/net-inet_diag-zero-out-uninitialized-idiag_-src-dst-fields.patch b/queue-3.4/net-inet_diag-zero-out-uninitialized-idiag_-src-dst-fields.patch new file mode 100644 index 00000000000..4b645f4c57d --- /dev/null +++ b/queue-3.4/net-inet_diag-zero-out-uninitialized-idiag_-src-dst-fields.patch 
@@ -0,0 +1,88 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Daniel Borkmann +Date: Tue, 17 Dec 2013 00:38:39 +0100 +Subject: net: inet_diag: zero out uninitialized idiag_{src,dst} fields + +From: Daniel Borkmann + +[ Upstream commit b1aac815c0891fe4a55a6b0b715910142227700f ] + +Jakub reported while working with nlmon netlink sniffer that parts of +the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. +That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. + +In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] +memory through this. At least, in udp_dump_one(), we allocate a skb in ... + + rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); + +... and then pass that to inet_sk_diag_fill() that puts the whole struct +inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], +r->id.idiag_dst[0] and leave the rest untouched: + + r->id.idiag_src[0] = inet->inet_rcv_saddr; + r->id.idiag_dst[0] = inet->inet_daddr; + +struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / +fully filled out in IPv6 case, but for IPv4 not. + +So just zero them out by using plain memset (for this little amount of +bytes it's probably not worth the extra check for idiag_family == AF_INET). + +Similarly, fix also other places where we fill that out. + +Reported-by: Jakub Zawadzki +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_diag.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -110,6 +110,10 @@ int inet_sk_diag_fill(struct sock *sk, s + + r->id.idiag_sport = inet->inet_sport; + r->id.idiag_dport = inet->inet_dport; ++ ++ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src)); ++ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst)); ++ + r->id.idiag_src[0] = inet->inet_rcv_saddr; + r->id.idiag_dst[0] = inet->inet_daddr; + +@@ -227,12 +231,19 @@ static int inet_twsk_diag_fill(struct in + + r->idiag_family = tw->tw_family; + r->idiag_retrans = 0; ++ + r->id.idiag_if = tw->tw_bound_dev_if; + sock_diag_save_cookie(tw, r->id.idiag_cookie); ++ + r->id.idiag_sport = tw->tw_sport; + r->id.idiag_dport = tw->tw_dport; ++ ++ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src)); ++ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst)); ++ + r->id.idiag_src[0] = tw->tw_rcv_saddr; + r->id.idiag_dst[0] = tw->tw_daddr; ++ + r->idiag_state = tw->tw_substate; + r->idiag_timer = 3; + r->idiag_expires = DIV_ROUND_UP(tmo * 1000, HZ); +@@ -714,8 +725,13 @@ static int inet_diag_fill_req(struct sk_ + + r->id.idiag_sport = inet->inet_sport; + r->id.idiag_dport = ireq->rmt_port; ++ ++ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src)); ++ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst)); ++ + r->id.idiag_src[0] = ireq->loc_addr; + r->id.idiag_dst[0] = ireq->rmt_addr; ++ + r->idiag_expires = jiffies_to_msecs(tmo); + r->idiag_rqueue = 0; + r->idiag_wqueue = 0; diff --git a/queue-3.4/net-llc-fix-use-after-free-in-llc_ui_recvmsg.patch b/queue-3.4/net-llc-fix-use-after-free-in-llc_ui_recvmsg.patch new file mode 100644 index 00000000000..bc2069e1887 --- /dev/null +++ b/queue-3.4/net-llc-fix-use-after-free-in-llc_ui_recvmsg.patch 
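Review bot: The added `memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src))` lines take the address of an array; `&r->id.idiag_src` and `r->id.idiag_src` denote the same address, so the code is correct, but the `&` form reads as if `idiag_src` were a scalar. `memset(r->id.idiag_src, 0, sizeof(r->id.idiag_src));` is the conventional spelling, and the same applies to the `idiag_dst` line and to the identical pairs in `inet_twsk_diag_fill` and `inet_diag_fill_req`. Since the zeroing is a leak fix, a short comment on the first pair, `/* only [0] is set for AF_INET; clear the rest so no slab data reaches userspace */`, would stop a later reader from treating the memsets as redundant. All three functions begin and end outside the hunks.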
@@ -0,0 +1,65 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Daniel Borkmann +Date: Mon, 30 Dec 2013 23:40:50 +0100 +Subject: net: llc: fix use after free in llc_ui_recvmsg + +From: Daniel Borkmann + +[ Upstream commit 4d231b76eef6c4a6bd9c96769e191517765942cb ] + +While commit 30a584d944fb fixes datagram interface in LLC, a use +after free bug has been introduced for SOCK_STREAM sockets that do +not make use of MSG_PEEK. + +The flow is as follow ... + + if (!(flags & MSG_PEEK)) { + ... + sk_eat_skb(sk, skb, false); + ... + } + ... + if (used + offset < skb->len) + continue; + +... where sk_eat_skb() calls __kfree_skb(). Therefore, cache +original length and work on skb_len to check partial reads. + +Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes") +Signed-off-by: Daniel Borkmann +Cc: Stephen Hemminger +Cc: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -716,7 +716,7 @@ static int llc_ui_recvmsg(struct kiocb * + unsigned long cpu_flags; + size_t copied = 0; + u32 peek_seq = 0; +- u32 *seq; ++ u32 *seq, skb_len; + unsigned long used; + int target; /* Read at least this many bytes */ + long timeo; +@@ -814,6 +814,7 @@ static int llc_ui_recvmsg(struct kiocb * + } + continue; + found_ok_skb: ++ skb_len = skb->len; + /* Ok so how much can we use? */ + used = skb->len - offset; + if (len < used) +@@ -846,7 +847,7 @@ static int llc_ui_recvmsg(struct kiocb * + } + + /* Partial read */ +- if (used + offset < skb->len) ++ if (used + offset < skb_len) + continue; + } while (len > 0); + diff --git a/queue-3.4/net-rose-restore-old-recvmsg-behavior.patch b/queue-3.4/net-rose-restore-old-recvmsg-behavior.patch new file mode 100644 index 00000000000..949bbd2391a --- /dev/null +++ b/queue-3.4/net-rose-restore-old-recvmsg-behavior.patch 
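Review bot: `u32 *seq, skb_len;` mixes a pointer and a plain `u32` in one declaration, which is easy to misread as two pointers. `u32 skb_len;` on its own line, with a comment such as `/* cached: sk_eat_skb() may free skb before the partial-read check */`, would make the cached length's purpose clear at the declaration rather than only at the `found_ok_skb:` assignment. `llc_ui_recvmsg` starts and ends outside the hunks.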
@@ -0,0 +1,61 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Florian Westphal +Date: Mon, 23 Dec 2013 00:32:31 +0100 +Subject: net: rose: restore old recvmsg behavior + +From: Florian Westphal + +[ Upstream commit f81152e35001e91997ec74a7b4e040e6ab0acccf ] + +recvmsg handler in net/rose/af_rose.c performs size-check ->msg_namelen. + +After commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c +(net: rework recvmsg handler msg_name and msg_namelen logic), we now +always take the else branch due to namelen being initialized to 0. + +Digging in netdev-vger-cvs git repo shows that msg_namelen was +initialized with a fixed-size since at least 1995, so the else branch +was never taken. + +Compile tested only. + +Signed-off-by: Florian Westphal +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/af_rose.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1257,6 +1257,7 @@ static int rose_recvmsg(struct kiocb *io + + if (msg->msg_name) { + struct sockaddr_rose *srose; ++ struct full_sockaddr_rose *full_srose = msg->msg_name; + + memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); + srose = msg->msg_name; +@@ -1264,18 +1265,9 @@ static int rose_recvmsg(struct kiocb *io + srose->srose_addr = rose->dest_addr; + srose->srose_call = rose->dest_call; + srose->srose_ndigis = rose->dest_ndigis; +- if (msg->msg_namelen >= sizeof(struct full_sockaddr_rose)) { +- struct full_sockaddr_rose *full_srose = (struct full_sockaddr_rose *)msg->msg_name; +- for (n = 0 ; n < rose->dest_ndigis ; n++) +- full_srose->srose_digis[n] = rose->dest_digis[n]; +- msg->msg_namelen = sizeof(struct full_sockaddr_rose); +- } else { +- if (rose->dest_ndigis >= 1) { +- srose->srose_ndigis = 1; +- srose->srose_digi = rose->dest_digis[0]; +- } +- msg->msg_namelen = sizeof(struct sockaddr_rose); +- } ++ for (n = 0 ; n < rose->dest_ndigis ; n++) ++ 
full_srose->srose_digis[n] = rose->dest_digis[n]; ++ msg->msg_namelen = sizeof(struct full_sockaddr_rose); + } + + skb_free_datagram(sk, skb); diff --git a/queue-3.4/net-unix-allow-bind-to-fail-on-mutex-lock.patch b/queue-3.4/net-unix-allow-bind-to-fail-on-mutex-lock.patch new file mode 100644 index 00000000000..cbb2ae620da --- /dev/null +++ b/queue-3.4/net-unix-allow-bind-to-fail-on-mutex-lock.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Sasha Levin +Date: Fri, 13 Dec 2013 10:54:22 -0500 +Subject: net: unix: allow bind to fail on mutex lock + +From: Sasha Levin + +[ Upstream commit 37ab4fa7844a044dc21fde45e2a0fc2f3c3b6490 ] + +This is similar to the set_peek_off patch where calling bind while the +socket is stuck in unix_dgram_recvmsg() will block and cause a hung task +spew after a while. + +This is also the last place that did a straightforward mutex_lock(), so +there shouldn't be any more of these patches. + +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -712,7 +712,9 @@ static int unix_autobind(struct socket * + int err; + unsigned int retries = 0; + +- mutex_lock(&u->readlock); ++ err = mutex_lock_interruptible(&u->readlock); ++ if (err) ++ return err; + + err = 0; + if (u->addr) +@@ -845,7 +847,9 @@ static int unix_bind(struct socket *sock + goto out; + addr_len = err; + +- mutex_lock(&u->readlock); ++ err = mutex_lock_interruptible(&u->readlock); ++ if (err) ++ goto out; + + err = -EINVAL; + if (u->addr) diff --git a/queue-3.4/net-unix-allow-set_peek_off-to-fail.patch b/queue-3.4/net-unix-allow-set_peek_off-to-fail.patch new file mode 100644 index 00000000000..82d06892e26 --- /dev/null +++ b/queue-3.4/net-unix-allow-set_peek_off-to-fail.patch 
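Review bot: The loop `for (n = 0 ; n < rose->dest_ndigis ; n++)` now writes `full_srose->srose_digis[n]` unconditionally, so the only bound on the write is `rose->dest_ndigis`; the `memset` just above already assumes `msg_name` holds a full `struct full_sockaddr_rose`, so the remaining invariant is that `dest_ndigis` never exceeds the size of `srose_digis`, which is presumably enforced wherever `dest_ndigis` is set, outside this hunk. A comment above the loop, `/* dest_ndigis is capped at ROSE_MAX_DIGIS where the connection is set up */`, would record that assumption next to the write. The unconditional `msg->msg_namelen = sizeof(struct full_sockaddr_rose);` matches what the patch description says the pre-regression code always did. `rose_recvmsg` begins and ends outside the hunk.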
@@ -0,0 +1,72 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Sasha Levin +Date: Sat, 7 Dec 2013 17:26:27 -0500 +Subject: net: unix: allow set_peek_off to fail + +From: Sasha Levin + +[ Upstream commit 12663bfc97c8b3fdb292428105dd92d563164050 ] + +unix_dgram_recvmsg() will hold the readlock of the socket until recv +is complete. + +In the same time, we may try to setsockopt(SO_PEEK_OFF) which will hang until +unix_dgram_recvmsg() will complete (which can take a while) without allowing +us to break out of it, triggering a hung task spew. + +Instead, allow set_peek_off to fail, this way userspace will not hang. + +Signed-off-by: Sasha Levin +Acked-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/net.h | 2 +- + net/core/sock.c | 2 +- + net/unix/af_unix.c | 8 ++++++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -215,7 +215,7 @@ struct proto_ops { + int offset, size_t size, int flags); + ssize_t (*splice_read)(struct socket *sock, loff_t *ppos, + struct pipe_inode_info *pipe, size_t len, unsigned int flags); +- void (*set_peek_off)(struct sock *sk, int val); ++ int (*set_peek_off)(struct sock *sk, int val); + }; + + #define DECLARE_SOCKADDR(type, dst, src) \ +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -795,7 +795,7 @@ set_rcvbuf: + + case SO_PEEK_OFF: + if (sock->ops->set_peek_off) +- sock->ops->set_peek_off(sk, val); ++ ret = sock->ops->set_peek_off(sk, val); + else + ret = -EOPNOTSUPP; + break; +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -524,13 +524,17 @@ static int unix_seqpacket_sendmsg(struct + static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *, + struct msghdr *, size_t, int); + +-static void unix_set_peek_off(struct sock *sk, int val) ++static int unix_set_peek_off(struct sock *sk, int val) + { + struct unix_sock *u = unix_sk(sk); + +- mutex_lock(&u->readlock); ++ if 
(mutex_lock_interruptible(&u->readlock)) ++ return -EINTR; ++ + sk->sk_peek_off = val; + mutex_unlock(&u->readlock); ++ ++ return 0; + } + + diff --git a/queue-3.4/netvsc-don-t-flush-peers-notifying-work-during-setting-mtu.patch b/queue-3.4/netvsc-don-t-flush-peers-notifying-work-during-setting-mtu.patch new file mode 100644 index 00000000000..aac0f272d27 --- /dev/null +++ b/queue-3.4/netvsc-don-t-flush-peers-notifying-work-during-setting-mtu.patch 
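Review bot: Changing `set_peek_off` in `struct proto_ops` from `void` to `int` alters a kernel-internal interface in a stable release, and any `proto_ops` implementation left with the old `void` signature would still compile (with only an incompatible-pointer warning) and hand an undefined `ret` back through `SO_PEEK_OFF` in `sock_setsockopt`. The diffstat touches only `net/unix/af_unix.c`, which suggests it is the sole implementer in 3.4, but a grep for `set_peek_off` across the tree before merging would confirm that. The `unix_set_peek_off` hunk itself is straightforward, returning `-EINTR` when the lock wait is interrupted. The `sock.c` hunk sits inside `sock_setsockopt`, which starts and ends outside the hunk.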
@@ -0,0 +1,90 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Jason Wang +Date: Fri, 13 Dec 2013 17:21:27 +0800 +Subject: netvsc: don't flush peers notifying work during setting mtu + +From: Jason Wang + +[ Upstream commit 50dc875f2e6e2e04aed3b3033eb0ac99192d6d02 ] + +There's a possible deadlock if we flush the peers notifying work during setting +mtu: + +[ 22.991149] ====================================================== +[ 22.991173] [ INFO: possible circular locking dependency detected ] +[ 22.991198] 3.10.0-54.0.1.el7.x86_64.debug #1 Not tainted +[ 22.991219] ------------------------------------------------------- +[ 22.991243] ip/974 is trying to acquire lock: +[ 22.991261] ((&(&net_device_ctx->dwork)->work)){+.+.+.}, at: [] flush_work+0x5/0x2e0 +[ 22.991307] +but task is already holding lock: +[ 22.991330] (rtnl_mutex){+.+.+.}, at: [] rtnetlink_rcv+0x1b/0x40 +[ 22.991367] +which lock already depends on the new lock. + +[ 22.991398] +the existing dependency chain (in reverse order) is: +[ 22.991426] +-> #1 (rtnl_mutex){+.+.+.}: +[ 22.991449] [] __lock_acquire+0xb19/0x1260 +[ 22.991477] [] lock_acquire+0xa2/0x1f0 +[ 22.991501] [] mutex_lock_nested+0x89/0x4f0 +[ 22.991529] [] rtnl_lock+0x17/0x20 +[ 22.991552] [] netdev_notify_peers+0x12/0x30 +[ 22.991579] [] netvsc_send_garp+0x22/0x30 [hv_netvsc] +[ 22.991610] [] process_one_work+0x211/0x6e0 +[ 22.991637] [] worker_thread+0x11b/0x3a0 +[ 22.991663] [] kthread+0xed/0x100 +[ 22.991686] [] ret_from_fork+0x7c/0xb0 +[ 22.991715] +-> #0 ((&(&net_device_ctx->dwork)->work)){+.+.+.}: +[ 22.991715] [] check_prevs_add+0x967/0x970 +[ 22.991715] [] __lock_acquire+0xb19/0x1260 +[ 22.991715] [] lock_acquire+0xa2/0x1f0 +[ 22.991715] [] flush_work+0x4e/0x2e0 +[ 22.991715] [] __cancel_work_timer+0x95/0x130 +[ 22.991715] [] cancel_delayed_work_sync+0x13/0x20 +[ 22.991715] [] netvsc_change_mtu+0x84/0x200 [hv_netvsc] +[ 22.991715] [] dev_set_mtu+0x34/0x80 +[ 22.991715] [] do_setlink+0x23a/0xa00 +[ 22.991715] [] 
rtnl_newlink+0x394/0x5e0 +[ 22.991715] [] rtnetlink_rcv_msg+0x9c/0x260 +[ 22.991715] [] netlink_rcv_skb+0xa9/0xc0 +[ 22.991715] [] rtnetlink_rcv+0x2a/0x40 +[ 22.991715] [] netlink_unicast+0xdd/0x190 +[ 22.991715] [] netlink_sendmsg+0x337/0x750 +[ 22.991715] [] sock_sendmsg+0x99/0xd0 +[ 22.991715] [] ___sys_sendmsg+0x39e/0x3b0 +[ 22.991715] [] __sys_sendmsg+0x42/0x80 +[ 22.991715] [] SyS_sendmsg+0x12/0x20 +[ 22.991715] [] system_call_fastpath+0x16/0x1b + +This is because we hold the rtnl_lock() before ndo_change_mtu() and try to flush +the work in netvsc_change_mtu(), in the mean time, netdev_notify_peers() may be +called from worker and also trying to hold the rtnl_lock. This will lead the +flush won't succeed forever. Solve this by not canceling and flushing the work, +this is safe because the transmission done by NETDEV_NOTIFY_PEERS was +synchronized with the netif_tx_disable() called by netvsc_change_mtu(). + +Reported-by: Yaju Cao +Tested-by: Yaju Cao +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Signed-off-by: Jason Wang +Acked-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -321,7 +321,6 @@ static int netvsc_change_mtu(struct net_ + return -EINVAL; + + nvdev->start_remove = true; +- cancel_delayed_work_sync(&ndevctx->dwork); + cancel_work_sync(&ndevctx->work); + netif_tx_disable(ndev); + rndis_filter_device_remove(hdev); diff --git a/queue-3.4/rds-prevent-bug_on-triggered-on-congestion-update-to-loopback.patch b/queue-3.4/rds-prevent-bug_on-triggered-on-congestion-update-to-loopback.patch new file mode 100644 index 00000000000..02a87356c7a --- /dev/null +++ b/queue-3.4/rds-prevent-bug_on-triggered-on-congestion-update-to-loopback.patch 
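Review bot: Dropping `cancel_delayed_work_sync(&ndevctx->dwork)` from `netvsc_change_mtu` leaves no hint in the code that the omission is deliberate, so a future reader is likely to reinstate it and reintroduce the rtnl_mutex/flush_work lock inversion shown in the lockdep report. A comment at that spot, `/* Do not flush dwork here: its handler takes rtnl_lock, which we already hold; netif_tx_disable() below is sufficient */`, would pin the reasoning. That the remaining `cancel_work_sync(&ndevctx->work)` is safe rests on that work item not taking rtnl_lock, which the hunk does not show and is worth confirming. `netvsc_change_mtu` begins and ends outside the hunk.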
@@ -0,0 +1,90 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Venkat Venkatsubra +Date: Mon, 2 Dec 2013 15:41:39 -0800 +Subject: rds: prevent BUG_ON triggered on congestion update to loopback + +From: Venkat Venkatsubra + +[ Upstream commit 18fc25c94eadc52a42c025125af24657a93638c0 ] + +After congestion update on a local connection, when rds_ib_xmit returns +less bytes than that are there in the message, rds_send_xmit calls +back rds_ib_xmit with an offset that causes BUG_ON(off & RDS_FRAG_SIZE) +to trigger. + +For a 4Kb PAGE_SIZE rds_ib_xmit returns min(8240,4096)=4096 when actually +the message contains 8240 bytes. rds_send_xmit thinks there is more to send +and calls rds_ib_xmit again with a data offset "off" of 4096-48(rds header) +=4048 bytes thus hitting the BUG_ON(off & RDS_FRAG_SIZE) [RDS_FRAG_SIZE=4k]. + +The commit 6094628bfd94323fc1cea05ec2c6affd98c18f7f +"rds: prevent BUG_ON triggering on congestion map updates" introduced +this regression. That change was addressing the triggering of a different +BUG_ON in rds_send_xmit() on PowerPC architecture with 64Kbytes PAGE_SIZE: + BUG_ON(ret != 0 && + conn->c_xmit_sg == rm->data.op_nents); +This was the sequence it was going through: +(rds_ib_xmit) +/* Do not send cong updates to IB loopback */ +if (conn->c_loopback + && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) { + rds_cong_map_updated(conn->c_fcong, ~(u64) 0); + return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES; +} +rds_ib_xmit returns 8240 +rds_send_xmit: + c_xmit_data_off = 0 + 8240 - 48 (rds header accounted only the first time) + = 8192 + c_xmit_data_off < 65536 (sg->length), so calls rds_ib_xmit again +rds_ib_xmit returns 8240 +rds_send_xmit: + c_xmit_data_off = 8192 + 8240 = 16432, calls rds_ib_xmit again + and so on (c_xmit_data_off 24672,32912,41152,49392,57632) +rds_ib_xmit returns 8240 +On this iteration this sequence causes the BUG_ON in rds_send_xmit: + while (ret) { + tmp = min_t(int, ret, sg->length - conn->c_xmit_data_off); + [tmp 
= 65536 - 57632 = 7904] + conn->c_xmit_data_off += tmp; + [c_xmit_data_off = 57632 + 7904 = 65536] + ret -= tmp; + [ret = 8240 - 7904 = 336] + if (conn->c_xmit_data_off == sg->length) { + conn->c_xmit_data_off = 0; + sg++; + conn->c_xmit_sg++; + BUG_ON(ret != 0 && + conn->c_xmit_sg == rm->data.op_nents); + [c_xmit_sg = 1, rm->data.op_nents = 1] + +What the current fix does: +Since the congestion update over loopback is not actually transmitted +as a message, all that rds_ib_xmit needs to do is let the caller think +the full message has been transmitted and not return partial bytes. +It will return 8240 (RDS_CONG_MAP_BYTES+48) when PAGE_SIZE is 4Kb. +And 64Kb+48 when page size is 64Kb. + +Reported-by: Josh Hunt +Tested-by: Honggang Li +Acked-by: Bang Nguyen +Signed-off-by: Venkat Venkatsubra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_send.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/rds/ib_send.c ++++ b/net/rds/ib_send.c +@@ -552,9 +552,8 @@ int rds_ib_xmit(struct rds_connection *c + && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) { + rds_cong_map_updated(conn->c_fcong, ~(u64) 0); + scat = &rm->data.op_sg[sg]; +- ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES; +- ret = min_t(int, ret, scat->length - conn->c_xmit_data_off); +- return ret; ++ ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length); ++ return sizeof(struct rds_header) + ret; + } + + /* FIXME we may overallocate here */ diff --git a/queue-3.4/rds-prevent-dereference-of-a-null-device.patch b/queue-3.4/rds-prevent-dereference-of-a-null-device.patch new file mode 100644 index 00000000000..2009e7d9294 --- /dev/null +++ b/queue-3.4/rds-prevent-dereference-of-a-null-device.patch 
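Review bot: The new `ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length);` in the loopback branch does something non-obvious — it reports more bytes than the current sg entry may hold so that rds_send_xmit() treats the congestion map as fully sent — yet the code carries no comment, and the `min_t` line it replaces looked just as deliberate to a reader without the history. Suggest a comment above it, e.g. `/* Nothing is transmitted for a loopback congestion update; report a length covering the whole map so the caller never re-enters with a partial offset (BUG_ON(off & RDS_FRAG_SIZE)). */`. The `int` in `max_t(int, ...)` silently narrows `scat->length`; that matches the existing type of `ret`, so it is consistent with the function, but worth a glance if `length` is unsigned. rds_ib_xmit() starts and ends outside the hunk.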
@@ -0,0 +1,77 @@ +From foo@baz Mon Jan 13 09:28:30 PST 2014 +From: Sasha Levin +Date: Wed, 18 Dec 2013 23:49:42 -0500 +Subject: rds: prevent dereference of a NULL device + +From: Sasha Levin + +[ Upstream commit c2349758acf1874e4c2b93fe41d072336f1a31d0 ] + +Binding might result in a NULL device, which is dereferenced +causing this BUG: + +[ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097 +4 +[ 1317.261847] IP: [] rds_ib_laddr_check+0x82/0x110 +[ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0 +[ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +[ 1317.264179] Dumping ftrace buffer: +[ 1317.264774] (ftrace buffer empty) +[ 1317.265220] Modules linked in: +[ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4- +next-20131218-sasha-00013-g2cebb9b-dirty #4159 +[ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000 +[ 1317.268399] RIP: 0010:[] [] rds_ib_laddr_check+ +0x82/0x110 +[ 1317.269670] RSP: 0000:ffff8803cd31bdf8 EFLAGS: 00010246 +[ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000 +[ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286 +[ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000 +[ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +[ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031 +[ 1317.270230] FS: 00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000 +0000 +[ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0 +[ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602 +[ 1317.270230] Stack: +[ 1317.270230] 0000000054086700 5408670000a25de0 5408670000000002 0000000000000000 +[ 1317.270230] ffffffff84223542 
00000000ea54c767 0000000000000000 ffffffff86d26160 +[ 1317.270230] ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280 +[ 1317.270230] Call Trace: +[ 1317.270230] [] ? rds_trans_get_preferred+0x42/0xa0 +[ 1317.270230] [] rds_trans_get_preferred+0x56/0xa0 +[ 1317.270230] [] rds_bind+0x73/0xf0 +[ 1317.270230] [] SYSC_bind+0x92/0xf0 +[ 1317.270230] [] ? context_tracking_user_exit+0xb8/0x1d0 +[ 1317.270230] [] ? trace_hardirqs_on+0xd/0x10 +[ 1317.270230] [] ? syscall_trace_enter+0x32/0x290 +[ 1317.270230] [] SyS_bind+0xe/0x10 +[ 1317.270230] [] tracesys+0xdd/0xe2 +[ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00 +89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7 +4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02 +[ 1317.270230] RIP [] rds_ib_laddr_check+0x82/0x110 +[ 1317.270230] RSP +[ 1317.270230] CR2: 0000000000000974 + +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/ib.c ++++ b/net/rds/ib.c +@@ -338,7 +338,8 @@ static int rds_ib_laddr_check(__be32 add + ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin); + /* due to this, we will claim to support iWARP devices unless we + check node_type. */ +- if (ret || cm_id->device->node_type != RDMA_NODE_IB_CA) ++ if (ret || !cm_id->device || ++ cm_id->device->node_type != RDMA_NODE_IB_CA) + ret = -EADDRNOTAVAIL; + + rdsdebug("addr %pI4 ret %d node type %d\n", diff --git a/queue-3.4/series b/queue-3.4/series new file mode 100644 index 00000000000..d5ae80f080c --- /dev/null +++ b/queue-3.4/series 
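Review bot: The new `!cm_id->device ||` guard makes the node_type test safe, but the `rdsdebug("addr %pI4 ret %d node type %d\n", ...)` that follows still prints a node type, and its argument list lies outside the hunk; if it reads `cm_id->device->node_type` unconditionally, the same NULL device is dereferenced two lines later whenever the debug print is compiled in. Worth confirming that argument already takes a NULL-safe form such as `cm_id->device ? cm_id->device->node_type : -1`, and adding it if not. rds_ib_laddr_check() starts and ends outside the hunk.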
@@ -0,0 +1,20 @@
+net-do-not-pretend-fraglist-support.patch
+rds-prevent-bug_on-triggered-on-congestion-update-to-loopback.patch
+macvtap-do-not-double-count-received-packets.patch
+macvtap-update-file-current-position.patch
+tun-update-file-current-position.patch
+macvtap-signal-truncated-packets.patch
+ipv6-don-t-count-addrconf-generated-routes-against-gc-limit.patch
+net-drop_monitor-fix-the-value-of-maxattr.patch
+net-unix-allow-set_peek_off-to-fail.patch
+tg3-initialize-reg_base_addr-at-pci-config-offset-120-to-0.patch
+netvsc-don-t-flush-peers-notifying-work-during-setting-mtu.patch
+net-unix-allow-bind-to-fail-on-mutex-lock.patch
+net-inet_diag-zero-out-uninitialized-idiag_-src-dst-fields.patch
+drivers-net-hamradio-integer-overflow-in-hdlcdrv_ioctl.patch
+hamradio-yam-fix-info-leak-in-ioctl.patch
+rds-prevent-dereference-of-a-null-device.patch
+net-rose-restore-old-recvmsg-behavior.patch
+vlan-fix-header-ops-passthru-when-doing-tx-vlan-offload.patch
+net-llc-fix-use-after-free-in-llc_ui_recvmsg.patch
+bridge-use-spin_lock_bh-in-br_multicast_set_hash_max.patch
diff --git a/queue-3.4/tg3-initialize-reg_base_addr-at-pci-config-offset-120-to-0.patch b/queue-3.4/tg3-initialize-reg_base_addr-at-pci-config-offset-120-to-0.patch
new file mode 100644
index 00000000000..22472743f37
--- /dev/null
+++ b/queue-3.4/tg3-initialize-reg_base_addr-at-pci-config-offset-120-to-0.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon Jan 13 09:28:30 PST 2014
+From: Nat Gurumoorthy
+Date: Mon, 9 Dec 2013 10:43:21 -0800
+Subject: tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0
+
+From: Nat Gurumoorthy
+
+[ Upstream commit 388d3335575f4c056dcf7138a30f1454e2145cd8 ]
+
+The new tg3 driver leaves REG_BASE_ADDR (PCI config offset 120)
+uninitialized. From power on reset this register may have garbage in it. The
+Register Base Address register defines the device local address of a
+register. The data pointed to by this location is read or written using
+the Register Data register (PCI config offset 128). When REG_BASE_ADDR has
+garbage any read or write of Register Data Register (PCI 128) will cause the
+PCI bus to lock up. The TCO watchdog will fire and bring down the system.
+
+Signed-off-by: Nat Gurumoorthy
+Acked-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -14671,6 +14671,9 @@ static int __devinit tg3_get_invariants(
+ /* Clear this out for sanity. */
+ tw32(TG3PCI_MEM_WIN_BASE_ADDR, 0);
+ 
++ /* Clear TG3PCI_REG_BASE_ADDR to prevent hangs. */
++ tw32(TG3PCI_REG_BASE_ADDR, 0);
++
+ pci_read_config_dword(tp->pdev, TG3PCI_PCISTATE,
+ &pci_state_reg);
+ if ((pci_state_reg & PCISTATE_CONV_PCI_MODE) == 0 &&
diff --git a/queue-3.4/tun-update-file-current-position.patch b/queue-3.4/tun-update-file-current-position.patch
new file mode 100644
index 00000000000..8cca8cf32da
--- /dev/null
+++ b/queue-3.4/tun-update-file-current-position.patch
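Review bot: The comment on the added `tw32(TG3PCI_REG_BASE_ADDR, 0);` says only "to prevent hangs", while the actual reason is in the commit message: REG_BASE_ADDR (PCI config offset 120) can hold power-on garbage, and any access to the Register Data register (offset 128) through a stale base locks up the PCI bus. Carrying that into the code would make the write self-explanatory, e.g. `/* REG_BASE_ADDR (PCI cfg 120) may hold garbage after power-on reset; a stale value makes the next Register Data (PCI cfg 128) access hang the PCI bus, so zero it here. */`. Since it sits right after the identical MEM_WIN_BASE_ADDR clear, one shared comment covering both writes would also read cleaner than two. tg3_get_invariants() starts and ends outside the hunk.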
@@ -0,0 +1,27 @@
+From foo@baz Mon Jan 13 09:28:30 PST 2014
+From: Zhi Yong Wu
+Date: Fri, 6 Dec 2013 14:16:51 +0800
+Subject: tun: update file current position
+
+From: Zhi Yong Wu
+
+[ Upstream commit d0b7da8afa079ffe018ab3e92879b7138977fc8f ]
+
+Signed-off-by: Zhi Yong Wu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -903,6 +903,8 @@ static ssize_t tun_chr_aio_read(struct k
+ 
+ ret = tun_do_read(tun, iocb, iv, len, file->f_flags & O_NONBLOCK);
+ ret = min_t(ssize_t, ret, len);
++ if (ret > 0)
++ iocb->ki_pos = ret;
+ out:
+ tun_put(tun);
+ return ret;
diff --git a/queue-3.4/vlan-fix-header-ops-passthru-when-doing-tx-vlan-offload.patch b/queue-3.4/vlan-fix-header-ops-passthru-when-doing-tx-vlan-offload.patch
new file mode 100644
index 00000000000..8c1a1875b5d
--- /dev/null
+++ b/queue-3.4/vlan-fix-header-ops-passthru-when-doing-tx-vlan-offload.patch
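Review bot: The added `if (ret > 0) iocb->ki_pos = ret;` assigns the byte count of this read as the file position rather than advancing it, and neither the code nor the commit message (which has no body) says why that is the intended semantics for this device. A one-line comment would spare the next reader the question, e.g. `/* No real file offset on this device: report the bytes returned by this read as the position. */`, assuming that is the intent — the rationale is not stated anywhere on the page. tun_chr_aio_read() begins outside the hunk.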
@@ -0,0 +1,93 @@
+From foo@baz Mon Jan 13 09:28:30 PST 2014
+From: "David S. Miller"
+Date: Tue, 31 Dec 2013 16:23:35 -0500
+Subject: vlan: Fix header ops passthru when doing TX VLAN offload.
+
+From: "David S. Miller"
+
+[ Upstream commit 2205369a314e12fcec4781cc73ac9c08fc2b47de ]
+
+When the vlan code detects that the real device can do TX VLAN offloads
+in hardware, it tries to arrange for the real device's header_ops to
+be invoked directly.
+
+But it does so illegally, by simply hooking the real device's
+header_ops up to the VLAN device.
+
+This doesn't work because we will end up invoking a set of header_ops
+routines which expect a device type which matches the real device, but
+will see a VLAN device instead.
+
+Fix this by providing a pass-thru set of header_ops which will arrange
+to pass the proper real device instead.
+
+To facilitate this add a dev_rebuild_header(). There are
+implementations which provide a ->cache and ->create but not a
+->rebuild (f.e. PLIP). So we need a helper function just like
+dev_hard_header() to avoid crashes.
+
+Use this helper in the one existing place where the
+header_ops->rebuild was being invoked, the neighbour code.
+
+With lots of help from Florian Westphal.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdevice.h | 9 +++++++++
+ net/8021q/vlan_dev.c | 19 ++++++++++++++++++-
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1702,6 +1702,15 @@ static inline int dev_parse_header(const
+ return dev->header_ops->parse(skb, haddr);
+ }
+ 
++static inline int dev_rebuild_header(struct sk_buff *skb)
++{
++ const struct net_device *dev = skb->dev;
++
++ if (!dev->header_ops || !dev->header_ops->rebuild)
++ return 0;
++ return dev->header_ops->rebuild(skb);
++}
++
+ typedef int gifconf_func_t(struct net_device * dev, char __user * bufptr, int len);
+ extern int register_gifconf(unsigned int family, gifconf_func_t * gifconf);
+ static inline int unregister_gifconf(unsigned int family)
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -525,6 +525,23 @@ static const struct header_ops vlan_head
+ .parse = eth_header_parse,
+ };
+ 
++static int vlan_passthru_hard_header(struct sk_buff *skb, struct net_device *dev,
++ unsigned short type,
++ const void *daddr, const void *saddr,
++ unsigned int len)
++{
++ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
++ struct net_device *real_dev = vlan->real_dev;
++
++ return dev_hard_header(skb, real_dev, type, daddr, saddr, len);
++}
++
++static const struct header_ops vlan_passthru_header_ops = {
++ .create = vlan_passthru_hard_header,
++ .rebuild = dev_rebuild_header,
++ .parse = eth_header_parse,
++};
++
+ static const struct net_device_ops vlan_netdev_ops;
+ 
+ static int vlan_dev_init(struct net_device *dev)
+@@ -564,7 +581,7 @@ static int vlan_dev_init(struct net_devi
+ 
+ dev->needed_headroom = real_dev->needed_headroom;
+ if (real_dev->features & NETIF_F_HW_VLAN_TX) {
+- dev->header_ops = real_dev->header_ops;
++ dev->header_ops = &vlan_passthru_header_ops;
+ dev->hard_header_len = real_dev->hard_header_len;
+ } else {
+ dev->header_ops = &vlan_header_ops;
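Review bot: `vlan_passthru_header_ops.rebuild` is set to `dev_rebuild_header`, but dev_rebuild_header() resolves the ops from `skb->dev`, and that is still the VLAN device when the VLAN device's own rebuild hook is invoked, so the hook dispatches straight back to itself instead of reaching `real_dev->header_ops->rebuild` — unbounded recursion unless every caller rewrites `skb->dev` to the real device first, which nothing in this hunk does (contrast `vlan_passthru_hard_header`, which explicitly switches to `vlan->real_dev` before calling dev_hard_header()). A passthru rebuild that looks up `real_dev` the same way and calls its rebuild hook is the natural fix, sketched below. Separately, the description says the helper also replaces the direct `header_ops->rebuild` call in the neighbour code, but the diffstat lists only include/linux/netdevice.h and net/8021q/vlan_dev.c, so that part of the upstream change is not in this 3.4 backport; either it is unneeded on 3.4 or it should be carried over, and the backport should say which.
```c
/* … unchanged: vlan_passthru_hard_header … */

static int vlan_passthru_rebuild_header(struct sk_buff *skb)
{
	struct net_device *real_dev = vlan_dev_priv(skb->dev)->real_dev;

	/* Dispatch on the real device's ops, not skb->dev's, or we recurse. */
	if (!real_dev->header_ops || !real_dev->header_ops->rebuild)
		return 0;
	return real_dev->header_ops->rebuild(skb);
}

static const struct header_ops vlan_passthru_header_ops = {
	.create	 = vlan_passthru_hard_header,
	.rebuild = vlan_passthru_rebuild_header,
	.parse	 = eth_header_parse,
};
```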