From 460bd75b14d8a07e81bda359e655152fcb06f020 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 9 Jan 2013 09:31:14 -0800
Subject: [PATCH] 3.7-stable patches
added patches:
batman-adv-fix-random-jitter-calculation.patch
inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
mac802154-fix-nohz-local_softirq_pending-08-warning.patch
net-sched-integer-overflow-fix.patch
sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
tcp-fix-msg_sendpage_notlast-logic.patch
---
...an-adv-fix-random-jitter-calculation.patch | 48 ++++++
...sock-and-dccp_v4-6_request_recv_sock.patch | 160 ++++++++++++++++++
...-icmpv6_notify-to-propagate-redirect.patch | 73 ++++++++
...ohz-local_softirq_pending-08-warning.patch | 41 +++++
.../net-sched-integer-overflow-fix.patch | 31 ++++
...-jprobes-function-signature-mismatch.patch | 38 +++++
queue-3.7/series | 7 +
.../tcp-fix-msg_sendpage_notlast-logic.patch | 54 ++++++
8 files changed, 452 insertions(+)
create mode 100644 queue-3.7/batman-adv-fix-random-jitter-calculation.patch
create mode 100644 queue-3.7/inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
create mode 100644 queue-3.7/ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
create mode 100644 queue-3.7/mac802154-fix-nohz-local_softirq_pending-08-warning.patch
create mode 100644 queue-3.7/net-sched-integer-overflow-fix.patch
create mode 100644 queue-3.7/sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
create mode 100644 queue-3.7/tcp-fix-msg_sendpage_notlast-logic.patch
diff --git a/queue-3.7/batman-adv-fix-random-jitter-calculation.patch b/queue-3.7/batman-adv-fix-random-jitter-calculation.patch
new file mode 100644
index 00000000000..8082de32175
--- /dev/null
+++ b/queue-3.7/batman-adv-fix-random-jitter-calculation.patch
@@ -0,0 +1,48 @@
+From 9d4265cdd6c161d51b37bb9c6b9a32ab164f72ff Mon Sep 17 00:00:00 2001
+From: Akinobu Mita
+Date: Wed, 26 Dec 2012 02:32:10 +0000
+Subject: batman-adv: fix random jitter calculation
+
+
+From: Akinobu Mita
+
+[ Upstream commit 143cdd8f33909ff5a153e3f02048738c5964ba26 ]
+
+batadv_iv_ogm_emit_send_time() attempts to calculates a random integer
+in the range of 'orig_interval +- BATADV_JITTER' by the below lines.
+
+ msecs = atomic_read(&bat_priv->orig_interval) - BATADV_JITTER;
+ msecs += (random32() % 2 * BATADV_JITTER);
+
+But it actually gets 'orig_interval' or 'orig_interval - BATADV_JITTER'
+because '%' and '*' have same precedence and associativity is
+left-to-right.
+
+This adds the parentheses at the appropriate position so that it matches
+original intension.
+
+Signed-off-by: Akinobu Mita
+Acked-by: Antonio Quartulli
+Cc: Marek Lindner
+Cc: Simon Wunderlich
+Cc: Antonio Quartulli
+Cc: b.a.t.m.a.n@lists.open-mesh.org
+Cc: "David S. Miller"
+Cc: netdev@vger.kernel.org
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -119,7 +119,7 @@ batadv_iv_ogm_emit_send_time(const struc
+ unsigned int msecs;
+
+ msecs = atomic_read(&bat_priv->orig_interval) - BATADV_JITTER;
+- msecs += (random32() % 2 * BATADV_JITTER);
++ msecs += random32() % (2 * BATADV_JITTER);
+
+ return jiffies + msecs_to_jiffies(msecs);
+ }
diff --git a/queue-3.7/inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch b/queue-3.7/inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
new file mode 100644
index 00000000000..4db32d02361
--- /dev/null
+++ b/queue-3.7/inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
@@ -0,0 +1,160 @@
+From 0831769748c0f4581637faf0f41cf6939cea307e Mon Sep 17 00:00:00 2001
+From: Christoph Paasch
+Date: Fri, 14 Dec 2012 04:07:58 +0000
+Subject: inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock
+
+
+From: Christoph Paasch
+
+[ Upstream commit e337e24d6624e74a558aa69071e112a65f7b5758 ]
+
+If in either of the above functions inet_csk_route_child_sock() or
+__inet_inherit_port() fails, the newsk will not be freed:
+
+unreferenced object 0xffff88022e8a92c0 (size 1592):
+ comm "softirq", pid 0, jiffies 4294946244 (age 726.160s)
+ hex dump (first 32 bytes):
+ 0a 01 01 01 0a 01 01 02 00 00 00 00 a7 cc 16 00 ................
+ 02 00 03 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmemleak_alloc+0x21/0x3e
+ [] kmem_cache_alloc+0xb5/0xc5
+ [] sk_prot_alloc.isra.53+0x2b/0xcd
+ [] sk_clone_lock+0x16/0x21e
+ [] inet_csk_clone_lock+0x10/0x7b
+ [] tcp_create_openreq_child+0x21/0x481
+ [] tcp_v4_syn_recv_sock+0x3a/0x23b
+ [] tcp_check_req+0x29f/0x416
+ [] tcp_v4_do_rcv+0x161/0x2bc
+ [] tcp_v4_rcv+0x6c9/0x701
+ [] ip_local_deliver_finish+0x70/0xc4
+ [] ip_local_deliver+0x4e/0x7f
+ [] ip_rcv_finish+0x1fc/0x233
+ [] ip_rcv+0x217/0x267
+ [] __netif_receive_skb+0x49e/0x553
+ [] netif_receive_skb+0x50/0x82
+
+This happens, because sk_clone_lock initializes sk_refcnt to 2, and thus
+a single sock_put() is not enough to free the memory. Additionally, things
+like xfrm, memcg, cookie_values,... may have been initialized.
+We have to free them properly.
+
+This is fixed by forcing a call to tcp_done(), ending up in
+inet_csk_destroy_sock, doing the final sock_put(). tcp_done() is necessary,
+because it ends up doing all the cleanup on xfrm, memcg, cookie_values,
+xfrm,...
+
+Before calling tcp_done, we have to set the socket to SOCK_DEAD, to
+force it entering inet_csk_destroy_sock. To avoid the warning in
+inet_csk_destroy_sock, inet_num has to be set to 0.
+As inet_csk_destroy_sock does a dec on orphan_count, we first have to
+increase it.
+
+Calling tcp_done() allows us to remove the calls to
+tcp_clear_xmit_timer() and tcp_cleanup_congestion_control().
+
+A similar approach is taken for dccp by calling dccp_done().
+
+This is in the kernel since 093d282321 (tproxy: fix hash locking issue
+when using port redirection in __inet_inherit_port()), thus since
+version >= 2.6.37.
+
+Signed-off-by: Christoph Paasch
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/inet_connection_sock.h | 1 +
+ net/dccp/ipv4.c | 4 ++--
+ net/dccp/ipv6.c | 3 ++-
+ net/ipv4/inet_connection_sock.c | 16 ++++++++++++++++
+ net/ipv4/tcp_ipv4.c | 6 ++----
+ net/ipv6/tcp_ipv6.c | 3 ++-
+ 6 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -318,6 +318,7 @@ extern void inet_csk_reqsk_queue_prune(s
+ const unsigned long max_rto);
+
+ extern void inet_csk_destroy_sock(struct sock *sk);
++extern void inet_csk_prepare_forced_close(struct sock *sk);
+
+ /*
+ * LISTEN is a special case for poll..
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -439,8 +439,8 @@ exit:
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
+ return NULL;
+ put_and_exit:
+- bh_unlock_sock(newsk);
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ dccp_done(newsk);
+ goto exit;
+ }
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -585,7 +585,8 @@ static struct sock *dccp_v6_request_recv
+ newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
+
+ if (__inet_inherit_port(sk, newsk) < 0) {
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ dccp_done(newsk);
+ goto out;
+ }
+ __inet6_hash(newsk, NULL);
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -699,6 +699,22 @@ void inet_csk_destroy_sock(struct sock *
+ }
+ EXPORT_SYMBOL(inet_csk_destroy_sock);
+
++/* This function allows to force a closure of a socket after the call to
++ * tcp/dccp_create_openreq_child().
++ */
++void inet_csk_prepare_forced_close(struct sock *sk)
++{
++ /* sk_clone_lock locked the socket and set refcnt to 2 */
++ bh_unlock_sock(sk);
++ sock_put(sk);
++
++ /* The below has to be done to allow calling inet_csk_destroy_sock */
++ sock_set_flag(sk, SOCK_DEAD);
++ percpu_counter_inc(sk->sk_prot->orphan_count);
++ inet_sk(sk)->inet_num = 0;
++}
++EXPORT_SYMBOL(inet_csk_prepare_forced_close);
++
+ int inet_csk_listen_start(struct sock *sk, const int nr_table_entries)
+ {
+ struct inet_sock *inet = inet_sk(sk);
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1774,10 +1774,8 @@ exit:
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
+ return NULL;
+ put_and_exit:
+- tcp_clear_xmit_timers(newsk);
+- tcp_cleanup_congestion_control(newsk);
+- bh_unlock_sock(newsk);
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
+ goto exit;
+ }
+ EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1384,7 +1384,8 @@ static struct sock * tcp_v6_syn_recv_soc
+ #endif
+
+ if (__inet_inherit_port(sk, newsk) < 0) {
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
+ goto out;
+ }
+ __inet6_hash(newsk, NULL);
diff --git a/queue-3.7/ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch b/queue-3.7/ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
new file mode 100644
index 00000000000..baff7b2a9c1
--- /dev/null
+++ b/queue-3.7/ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
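Review bot: `inet_csk_prepare_forced_close()` in net/ipv4/inet_connection_sock.c keeps writing to `sk` after its own `sock_put(sk)`, and its header comment does not state the precondition that makes this safe. Per the inline comment it relies on `sk_clone_lock()` having left the socket locked with a refcount of 2, so one reference survives the put. I would extend the function comment to say that the caller must pass a socket fresh from `tcp/dccp_create_openreq_child()` that has not been handed to anyone else, and must follow up with `tcp_done()` or `dccp_done()`, which per the commit message performs the final `sock_put()`. Called on any other socket, the helper would risk touching freed memory and would leave `orphan_count` incremented without a matching decrement.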
@@ -0,0 +1,73 @@
+From 42d3b8e69761bf8866b11bef2664fa8eacd9398d Mon Sep 17 00:00:00 2001
+From: Duan Jiong
+Date: Fri, 14 Dec 2012 02:59:59 +0000
+Subject: ipv6: Change skb->data before using icmpv6_notify() to propagate redirect
+
+
+From: Duan Jiong
+
+[ Upstream commit 093d04d42fa094f6740bb188f0ad0c215ff61e2c ]
+
+In function ndisc_redirect_rcv(), the skb->data points to the transport
+header, but function icmpv6_notify() need the skb->data points to the
+inner IP packet. So before using icmpv6_notify() to propagate redirect,
+change skb->data to point the inner IP packet that triggered the sending
+of the Redirect, and introduce struct rd_msg to make it easy.
+
+Signed-off-by: Duan Jiong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ndisc.h | 7 +++++++
+ net/ipv6/ndisc.c | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/include/net/ndisc.h
++++ b/include/net/ndisc.h
+@@ -78,6 +78,13 @@ struct ra_msg {
+ __be32 retrans_timer;
+ };
+
++struct rd_msg {
++ struct icmp6hdr icmph;
++ struct in6_addr target;
++ struct in6_addr dest;
++ __u8 opt[0];
++};
++
+ struct nd_opt_hdr {
+ __u8 nd_opt_type;
+ __u8 nd_opt_len;
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1333,6 +1333,12 @@ out:
+
+ static void ndisc_redirect_rcv(struct sk_buff *skb)
+ {
++ u8 *hdr;
++ struct ndisc_options ndopts;
++ struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
++ u32 ndoptlen = skb->tail - (skb->transport_header +
++ offsetof(struct rd_msg, opt));
++
+ #ifdef CONFIG_IPV6_NDISC_NODETYPE
+ switch (skb->ndisc_nodetype) {
+ case NDISC_NODETYPE_HOST:
+@@ -1349,6 +1355,17 @@ static void ndisc_redirect_rcv(struct sk
+ return;
+ }
+
++ if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
++ return;
++
++ if (!ndopts.nd_opts_rh)
++ return;
++
++ hdr = (u8 *)ndopts.nd_opts_rh;
++ hdr += 8;
++ if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
++ return;
++
+ icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
+ }
+
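Review bot: `ndoptlen` in `ndisc_redirect_rcv()` is an unsigned difference, `skb->tail - (skb->transport_header + offsetof(struct rd_msg, opt))`, and nothing visible in these hunks checks that the received Redirect is at least as long as the fixed part of `struct rd_msg`. If no caller guarantees that, a truncated message from the network makes the subtraction wrap, and `ndisc_parse_options()` is then given a very large length and may walk past the end of the packet data. A guard before the options are parsed, such as `if (skb->len < offsetof(struct rd_msg, opt)) return;`, would close this, assuming `skb->len` is counted from the transport header here as the commit message implies. The bare `hdr += 8` would also read better with a comment saying it skips the 8-byte fixed part of the redirected-header option. The middle of the function lies between the two hunks and is not shown.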
diff --git a/queue-3.7/mac802154-fix-nohz-local_softirq_pending-08-warning.patch b/queue-3.7/mac802154-fix-nohz-local_softirq_pending-08-warning.patch
new file mode 100644
index 00000000000..1d11a188f3c
--- /dev/null
+++ b/queue-3.7/mac802154-fix-nohz-local_softirq_pending-08-warning.patch
@@ -0,0 +1,41 @@
+From a3c544982a40e45cf6d9f92f7d343007abb24042 Mon Sep 17 00:00:00 2001
+From: Alexander Aring
+Date: Wed, 2 Jan 2013 01:01:10 +0000
+Subject: mac802154: fix NOHZ local_softirq_pending 08 warning
+
+
+From: Alexander Aring
+
+[ Upstream commit 5ff3fec6d3fc848753c2fa30b18607358f89a202 ]
+
+When using nanosleep() in an userspace application we get a
+ratelimit warning
+
+NOHZ: local_softirq_pending 08
+
+for 10 times.
+
+This patch replaces netif_rx() with netif_rx_ni() which has
+to be used from process/softirq context.
+The process/softirq context will be called from fakelb driver.
+
+See linux-kernel commit 481a819 for similar fix.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac802154/wpan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac802154/wpan.c
++++ b/net/mac802154/wpan.c
+@@ -387,7 +387,7 @@ void mac802154_wpan_setup(struct net_dev
+
+ static int mac802154_process_data(struct net_device *dev, struct sk_buff *skb)
+ {
+- return netif_rx(skb);
++ return netif_rx_ni(skb);
+ }
+
+ static int
diff --git a/queue-3.7/net-sched-integer-overflow-fix.patch b/queue-3.7/net-sched-integer-overflow-fix.patch
new file mode 100644
index 00000000000..716481f305b
--- /dev/null
+++ b/queue-3.7/net-sched-integer-overflow-fix.patch
@@ -0,0 +1,31 @@
+From d9b01e1646fc3732ea5d6abfd6188c9a8c743c8f Mon Sep 17 00:00:00 2001
+From: Stefan Hasko
+Date: Fri, 21 Dec 2012 15:04:59 +0000
+Subject: net: sched: integer overflow fix
+
+
+From: Stefan Hasko
+
+[ Upstream commit d2fe85da52e89b8012ffad010ef352a964725d5f ]
+
+Fixed integer overflow in function htb_dequeue
+
+Signed-off-by: Stefan Hasko
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_htb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_htb.c
++++ b/net/sched/sch_htb.c
+@@ -874,7 +874,7 @@ ok:
+ q->now = psched_get_time();
+ start_at = jiffies;
+
+- next_event = q->now + 5 * PSCHED_TICKS_PER_SEC;
++ next_event = q->now + 5LLU * PSCHED_TICKS_PER_SEC;
+
+ for (level = 0; level < TC_HTB_MAXDEPTH; level++) {
+ /* common case optimization - skip event handler quickly */
diff --git a/queue-3.7/sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch b/queue-3.7/sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
new file mode 100644
index 00000000000..9fe1aecba5b
--- /dev/null
+++ b/queue-3.7/sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
@@ -0,0 +1,38 @@
+From 7ce38ac6147d069c5b0b0ad8d53e069f38ef26ab Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Sat, 15 Dec 2012 10:12:43 +0000
+Subject: sctp: jsctp_sf_eat_sack: fix jprobes function signature mismatch
+
+
+From: Daniel Borkmann
+
+[ Upstream commit 4cb9d6eaf85ecdd266a9a5c6d825c56ca9eefc14 ]
+
+Commit 24cb81a6a (sctp: Push struct net down into all of the
+state machine functions) introduced the net structure into all
+state machine functions, but jsctp_sf_eat_sack was not updated,
+hence when SCTP association probing is enabled in the kernel,
+any simple SCTP client/server program from userspace will panic
+the kernel.
+
+Cc: Vlad Yasevich
+Signed-off-by: Daniel Borkmann
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/probe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/probe.c
++++ b/net/sctp/probe.c
+@@ -122,7 +122,8 @@ static const struct file_operations sctp
+ .llseek = noop_llseek,
+ };
+
+-sctp_disposition_t jsctp_sf_eat_sack(const struct sctp_endpoint *ep,
++sctp_disposition_t jsctp_sf_eat_sack(struct net *net,
++ const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ const sctp_subtype_t type,
+ void *arg,
diff --git a/queue-3.7/series b/queue-3.7/series
index a5b3603f531..e374fb4dfb7 100644
--- a/queue-3.7/series
+++ b/queue-3.7/series
@@ -81,3 +81,10 @@ sparc64-set-crypto_tfm_req_may_sleep-consistently-in-aes-code.patch
 sparc64-fix-ecb-looping-constructs-in-aes-code.patch
 sparc64-set-crypto_tfm_req_may_sleep-consistently-in-des-code.patch
 sparc64-set-crypto_tfm_req_may_sleep-consistently-in-camellia-code.patch
+batman-adv-fix-random-jitter-calculation.patch
+inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
+ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
+mac802154-fix-nohz-local_softirq_pending-08-warning.patch
+net-sched-integer-overflow-fix.patch
+sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
+tcp-fix-msg_sendpage_notlast-logic.patch
diff --git a/queue-3.7/tcp-fix-msg_sendpage_notlast-logic.patch b/queue-3.7/tcp-fix-msg_sendpage_notlast-logic.patch
new file mode 100644
index 00000000000..2f77bb0d005
--- /dev/null
+++ b/queue-3.7/tcp-fix-msg_sendpage_notlast-logic.patch
@@ -0,0 +1,54 @@
+From 6ab1806169c92aadc5a1cc1224647a8d83363f1e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sun, 6 Jan 2013 18:21:49 +0000
+Subject: tcp: fix MSG_SENDPAGE_NOTLAST logic
+
+
+From: Eric Dumazet
+
+[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]
+
+commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
+added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
+frags but the last one for a splice() call.
+
+The condition used to set the flag in pipe_to_sendpage() relied on
+splice() user passing the exact number of bytes present in the pipe,
+or a smaller one.
+
+But some programs pass an arbitrary high value, and the test fails.
+
+The effect of this bug is a lack of tcp_push() at the end of a
+splice(pipe -> socket) call, and possibly very slow or erratic TCP
+sessions.
+
+We should both test sd->total_len and fact that another fragment
+is in the pipe (pipe->nrbufs > 1)
+
+Many thanks to Willy for providing very clear bug report, bisection
+and test programs.
+
+Reported-by: Willy Tarreau
+Bisected-by: Willy Tarreau
+Tested-by: Willy Tarreau
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/splice.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -696,8 +696,10 @@ static int pipe_to_sendpage(struct pipe_
+ return -EINVAL;
+
+ more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
+- if (sd->len < sd->total_len)
++
++ if (sd->len < sd->total_len && pipe->nrbufs > 1)
+ more |= MSG_SENDPAGE_NOTLAST;
++
+ return file->f_op->sendpage(file, buf->page, buf->offset,
+ sd->len, &pos, more);
+ }
--
2.47.3
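Review bot: The new condition in `pipe_to_sendpage()`, `sd->len < sd->total_len && pipe->nrbufs > 1`, carries no comment, so the reason for the second test lives only in the commit message. A one-line comment above the `if` would keep it from being simplified away later, for example `/* total_len may exceed what the pipe holds; only set NOTLAST if another buffer follows */`. The function starts outside the hunk, so I cannot see from here how `pipe` and `sd` are otherwise used.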