From 707eb63b4b097f4a6749e9a63bf1a48862011a43 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 7 May 2020 11:58:38 +0200 Subject: [PATCH] 4.4-stable patches added patches: arm64-bpf-jit-jmp_jset_-x-k.patch be2net-don-t-leak-iomapped-memory-on-removal.patch bpf-trace-check-event-type-in-bpf_perf_event_read.patch clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch clk-st-avoid-uninitialized-variable-use.patch clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch clk-xgene-don-t-call-__pa-on-ioremaped-address.patch cls_bpf-reset-class-and-reuse-major-in-da.patch flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch ipv4-accept-u8-in-ip_tos-ancillary-data.patch ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch ipv4-fix-checksum-annotation-in-udp4_csum_init.patch ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch ipv6-add-missing-netconf-notif-when-all-is-updated.patch ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch ipv6-fix-checksum-annotation-in-udp6_csum_init.patch memory-tegra-add-number-of-tlb-lines-for-tegra124.patch net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch pinctrl-bcm2835-fix-memory-leak-in-error-path.patch target-fix-a-memory-leak-in-target_dev_lba_map_store.patch udp-restore-udplite-many-cast-delivery.patch --- queue-4.4/arm64-bpf-jit-jmp_jset_-x-k.patch | 50 +++++ ...on-t-leak-iomapped-memory-on-removal.patch | 59 +++++ ...ck-event-type-in-bpf_perf_event_read.patch | 36 ++++ ...or-codes-for-of_clk_get_parent_count.patch | 45 ++++ 
...correct-handle-of-enet-powerdown-bit.patch | 49 +++++ ...e-multiplier-from-under-over-flowing.patch | 61 ++++++ ...-st-avoid-uninitialized-variable-use.patch | 64 ++++++ ...-non-locking-version-of-clk_get_rate.patch | 38 ++++ ...don-t-call-__pa-on-ioremaped-address.patch | 64 ++++++ ...pf-reset-class-and-reuse-major-in-da.patch | 66 ++++++ ...ation-even-if-not-using-ipv4-address.patch | 52 +++++ ...4-accept-u8-in-ip_tos-ancillary-data.patch | 56 +++++ ...tomic-in-inet_netconf_notify_devconf.patch | 81 +++++++ ...hecksum-annotation-in-udp4_csum_init.patch | 37 ++++ ...n-exception-case-for-splitting-tries.patch | 37 ++++ ...ng-netconf-notif-when-all-is-updated.patch | 37 ++++ ...omic-in-inet6_netconf_notify_devconf.patch | 82 +++++++ ...hecksum-annotation-in-udp6_csum_init.patch | 36 ++++ ...add-number-of-tlb-lines-for-tegra124.patch | 37 ++++ ...processing-of-ras-in-presence-of-vrf.patch | 204 ++++++++++++++++++ ...refcnt-leak-due-to-ipv6-prefix-route.patch | 77 +++++++ ...y-the-set-if-fail-to-add-transaction.patch | 39 ++++ ...ong-check-to-skip-the-inactive-rules.patch | 33 +++ ...g_dev-if-the-user-doesn-t-specify-it.patch | 66 ++++++ ...panic-if-nft_set_hash-is-not-enabled.patch | 52 +++++ ...cm2835-fix-memory-leak-in-error-path.patch | 34 +++ queue-4.4/series | 28 +++ ...ory-leak-in-target_dev_lba_map_store.patch | 53 +++++ ...p-restore-udplite-many-cast-delivery.patch | 55 +++++ 29 files changed, 1628 insertions(+) create mode 100644 queue-4.4/arm64-bpf-jit-jmp_jset_-x-k.patch create mode 100644 queue-4.4/be2net-don-t-leak-iomapped-memory-on-removal.patch create mode 100644 queue-4.4/bpf-trace-check-event-type-in-bpf_perf_event_read.patch create mode 100644 queue-4.4/clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch create mode 100644 queue-4.4/clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch create mode 100644 queue-4.4/clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch create mode 100644 
queue-4.4/clk-st-avoid-uninitialized-variable-use.patch create mode 100644 queue-4.4/clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch create mode 100644 queue-4.4/clk-xgene-don-t-call-__pa-on-ioremaped-address.patch create mode 100644 queue-4.4/cls_bpf-reset-class-and-reuse-major-in-da.patch create mode 100644 queue-4.4/flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch create mode 100644 queue-4.4/ipv4-accept-u8-in-ip_tos-ancillary-data.patch create mode 100644 queue-4.4/ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch create mode 100644 queue-4.4/ipv4-fix-checksum-annotation-in-udp4_csum_init.patch create mode 100644 queue-4.4/ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch create mode 100644 queue-4.4/ipv6-add-missing-netconf-notif-when-all-is-updated.patch create mode 100644 queue-4.4/ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch create mode 100644 queue-4.4/ipv6-fix-checksum-annotation-in-udp6_csum_init.patch create mode 100644 queue-4.4/memory-tegra-add-number-of-tlb-lines-for-tegra124.patch create mode 100644 queue-4.4/net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch create mode 100644 queue-4.4/net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch create mode 100644 queue-4.4/netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch create mode 100644 queue-4.4/netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch create mode 100644 queue-4.4/netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch create mode 100644 queue-4.4/netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch create mode 100644 queue-4.4/pinctrl-bcm2835-fix-memory-leak-in-error-path.patch create mode 100644 queue-4.4/target-fix-a-memory-leak-in-target_dev_lba_map_store.patch create mode 100644 queue-4.4/udp-restore-udplite-many-cast-delivery.patch 
diff --git a/queue-4.4/arm64-bpf-jit-jmp_jset_-x-k.patch b/queue-4.4/arm64-bpf-jit-jmp_jset_-x-k.patch
new file mode 100644
index 00000000000..10e418948aa
--- /dev/null
+++ b/queue-4.4/arm64-bpf-jit-jmp_jset_-x-k.patch
@@ -0,0 +1,50 @@
+From 98397fc547e3f4553553a30ea56fa34d613f0a4c Mon Sep 17 00:00:00 2001
+From: Zi Shen Lim
+Date: Thu, 12 May 2016 23:37:58 -0700
+Subject: arm64: bpf: jit JMP_JSET_{X,K}
+
+From: Zi Shen Lim
+
+commit 98397fc547e3f4553553a30ea56fa34d613f0a4c upstream.
+
+Original implementation commit e54bcde3d69d ("arm64: eBPF JIT compiler")
+had the relevant code paths, but due to an oversight always fail jiting.
+
+As a result, we had been falling back to BPF interpreter whenever a BPF
+program has JMP_JSET_{X,K} instructions.
+
+With this fix, we confirm that the corresponding tests in lib/test_bpf
+continue to pass, and also jited.
+
+...
+[ 2.784553] test_bpf: #30 JSET jited:1 188 192 197 PASS
+[ 2.791373] test_bpf: #31 tcpdump port 22 jited:1 325 677 625 PASS
+[ 2.808800] test_bpf: #32 tcpdump complex jited:1 323 731 991 PASS
+...
+[ 3.190759] test_bpf: #237 JMP_JSET_K: if (0x3 & 0x2) return 1 jited:1 110 PASS
+[ 3.192524] test_bpf: #238 JMP_JSET_K: if (0x3 & 0xffffffff) return 1 jited:1 98 PASS
+[ 3.211014] test_bpf: #249 JMP_JSET_X: if (0x3 & 0x2) return 1 jited:1 120 PASS
+[ 3.212973] test_bpf: #250 JMP_JSET_X: if (0x3 & 0xffffffff) return 1 jited:1 89 PASS
+...
+
+Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
+Signed-off-by: Zi Shen Lim
+Acked-by: Will Deacon
+Acked-by: Yang Shi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/net/bpf_jit_comp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -482,6 +482,7 @@ emit_cond_jmp:
+ case BPF_JGE:
+ jmp_cond = A64_COND_CS;
+ break;
++ case BPF_JSET:
+ case BPF_JNE:
+ jmp_cond = A64_COND_NE;
+ break;
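Review bot: The new `case BPF_JSET:` label in arch/arm64/net/bpf_jit_comp.c shares the `A64_COND_NE` arm with `BPF_JNE`, and nothing in the source says why that is the right condition for a bit-test jump. The mapping is only correct if the JSET path sets the flags with a bitwise test rather than a compare before it reaches `emit_cond_jmp`; that code is outside the hunk, so this presumably holds but should be confirmed. I would add `/* JSET: flags come from a bitwise test, so NE means at least one tested bit was set */` above the label. A wrong condition code in a JIT changes program semantics silently, so the intent is worth pinning next to the case.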
diff --git a/queue-4.4/be2net-don-t-leak-iomapped-memory-on-removal.patch b/queue-4.4/be2net-don-t-leak-iomapped-memory-on-removal.patch
new file mode 100644
index 00000000000..de94ce3d8a5
--- /dev/null
+++ b/queue-4.4/be2net-don-t-leak-iomapped-memory-on-removal.patch
@@ -0,0 +1,59 @@
+From a69bf3c5b49ef488970c74e26ba0ec12f08491c2 Mon Sep 17 00:00:00 2001
+From: Douglas Miller
+Date: Fri, 4 Mar 2016 15:36:56 -0600
+Subject: be2net: Don't leak iomapped memory on removal.
+
+From: Douglas Miller
+
+commit a69bf3c5b49ef488970c74e26ba0ec12f08491c2 upstream.
+
+The adapter->pcicfg resource is either mapped via pci_iomap() or
+derived from adapter->db. During be_remove() this resource was ignored
+and so could remain mapped after remove.
+
+Add a flag to track whether adapter->pcicfg was mapped or not, then
+use that flag in be_unmap_pci_bars() to unmap if required.
+
+Fixes: 25848c901 ("use PCI MMIO read instead of config read for errors")
+
+Signed-off-by: Douglas Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/emulex/benet/be.h | 1 +
+ drivers/net/ethernet/emulex/benet/be_main.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/emulex/benet/be.h
++++ b/drivers/net/ethernet/emulex/benet/be.h
+@@ -531,6 +531,7 @@ struct be_adapter {
+
+ struct delayed_work be_err_detection_work;
+ u8 err_flags;
++ bool pcicfg_mapped; /* pcicfg obtained via pci_iomap() */
+ u32 flags;
+ u32 cmd_privileges;
+ /* Ethtool knobs and info */
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -5526,6 +5526,8 @@ static void be_unmap_pci_bars(struct be_
+ pci_iounmap(adapter->pdev, adapter->csr);
+ if (adapter->db)
+ pci_iounmap(adapter->pdev, adapter->db);
++ if (adapter->pcicfg && adapter->pcicfg_mapped)
++ pci_iounmap(adapter->pdev, adapter->pcicfg);
+ }
+
+ static int db_bar(struct be_adapter *adapter)
+@@ -5577,8 +5579,10 @@ static int be_map_pci_bars(struct be_ada
+ if (!addr)
+ goto pci_map_err;
+ adapter->pcicfg = addr;
++ adapter->pcicfg_mapped = true;
+ } else {
+ adapter->pcicfg = adapter->db + SRIOV_VF_PCICFG_OFFSET;
++ adapter->pcicfg_mapped = false;
+ }
+ }
+
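Review bot: In be_unmap_pci_bars() (drivers/net/ethernet/emulex/benet/be_main.c) the added branch unmaps `adapter->pcicfg` but leaves both the pointer and `pcicfg_mapped` set, so a second call on the same adapter would hand an already-released mapping to pci_iounmap(). Whether a second call can occur is not visible here (the function starts outside the hunk, and the existing `csr`/`db` branches have the same shape), so treat this as hardening: follow the unmap with `adapter->pcicfg = NULL;` and `adapter->pcicfg_mapped = false;`. In be_map_pci_bars() the `goto pci_map_err` path leaves the flag at whatever value it had before, which is only safe if the adapter structure starts out zeroed; the field comment in be.h could say that.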
diff --git a/queue-4.4/bpf-trace-check-event-type-in-bpf_perf_event_read.patch b/queue-4.4/bpf-trace-check-event-type-in-bpf_perf_event_read.patch
new file mode 100644
index 00000000000..54aa41732f7
--- /dev/null
+++ b/queue-4.4/bpf-trace-check-event-type-in-bpf_perf_event_read.patch
@@ -0,0 +1,36 @@
+From ad572d174787daa59e24b8b5c83028c09cdb5ddb Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov
+Date: Wed, 15 Jun 2016 18:25:39 -0700
+Subject: bpf, trace: check event type in bpf_perf_event_read
+
+From: Alexei Starovoitov
+
+commit ad572d174787daa59e24b8b5c83028c09cdb5ddb upstream.
+
+similar to bpf_perf_event_output() the bpf_perf_event_read() helper
+needs to check the type of the perf_event before reading the counter.
+
+Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
+Reported-by: Daniel Borkmann
+Signed-off-by: Alexei Starovoitov
+Acked-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/bpf_trace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -206,6 +206,10 @@ static u64 bpf_perf_event_read(u64 r1, u
+ event->pmu->count)
+ return -EINVAL;
+
++ if (unlikely(event->attr.type != PERF_TYPE_HARDWARE &&
++ event->attr.type != PERF_TYPE_RAW))
++ return -EINVAL;
++
+ /*
+ * we don't know if the function is run successfully by the
+ * return value. It can be judged in other places, such as
diff --git a/queue-4.4/clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch b/queue-4.4/clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch
new file mode 100644
index 00000000000..b103074c41f
--- /dev/null
+++ b/queue-4.4/clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch
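Review bot: The added allow-list in bpf_perf_event_read() (kernel/trace/bpf_trace.c) carries no comment explaining why only `PERF_TYPE_HARDWARE` and `PERF_TYPE_RAW` events may be read, which makes it easy for a later change to widen it without revisiting the reasoning. I would add `/* only hardware and raw PMU events are valid here; reject any other event type before reading the counter */` above the check. The function returns `u64`, so the `-EINVAL` from this branch (and from the one above it) reaches the BPF program as a very large value that cannot be told apart from a counter reading, as the existing comment below it already concedes. The function's signature and tail are outside the hunk.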
@@ -0,0 +1,45 @@
+From 0b2e78865d92e2d70542cb1d4d7af1d4ea0a286d Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Wed, 16 Dec 2015 10:35:03 -0800
+Subject: clk: gpio: handle error codes for of_clk_get_parent_count()
+
+From: Brian Norris
+
+commit 0b2e78865d92e2d70542cb1d4d7af1d4ea0a286d upstream.
+
+We might make bad memory allocations if we get (e.g.) -ENOSYS from
+of_clk_get_parent_count().
+
+Noticed by Coverity.
+
+Fixes: f66541ba02d5 ("clk: gpio: Get parent clk names in of_gpio_clk_setup()")
+Signed-off-by: Brian Norris
+Cc: Jyri Sarha
+Cc: Sergej Sawazki
+Cc: Stephen Boyd
+Signed-off-by: Michael Turquette
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/clk-gpio.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk-gpio.c
++++ b/drivers/clk/clk-gpio.c
+@@ -287,12 +287,14 @@ static void __init of_gpio_clk_setup(str
+ const char **parent_names;
+ int i, num_parents;
+
++ num_parents = of_clk_get_parent_count(node);
++ if (num_parents < 0)
++ return;
++
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
+ if (!data)
+ return;
+
+- num_parents = of_clk_get_parent_count(node);
+-
+ parent_names = kcalloc(num_parents, sizeof(char *), GFP_KERNEL);
+ if (!parent_names)
+ return;
diff --git a/queue-4.4/clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch b/queue-4.4/clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch
new file mode 100644
index 00000000000..7028d195458
--- /dev/null
+++ b/queue-4.4/clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch
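Review bot: In of_gpio_clk_setup() (drivers/clk/clk-gpio.c) the `data` buffer from `kzalloc()` is leaked when the following `kcalloc()` for `parent_names` fails, because that path still does a bare `return;`. Moving the `of_clk_get_parent_count()` call ahead of the allocation removes the negative-count problem but leaves this error path as it was; it should read `if (!parent_names) { kfree(data); return; }`. The function continues outside the hunk, so later error paths may need the same treatment for both buffers.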
@@ -0,0 +1,49 @@
+From b3e76bdc0b2190e67427d31cd740debd01c03631 Mon Sep 17 00:00:00 2001
+From: Dong Aisheng
+Date: Wed, 8 Jun 2016 22:33:30 +0800
+Subject: clk: imx: clk-pllv3: fix incorrect handle of enet powerdown bit
+
+From: Dong Aisheng
+
+commit b3e76bdc0b2190e67427d31cd740debd01c03631 upstream.
+
+After commit f53947456f98 ("ARM: clk: imx: update pllv3 to support imx7"),
+the former used BM_PLL_POWER bit is not correct anymore for IMX7 ENET.
+Instead, pll->powerdown holds the correct bit, so using powerdown bit
+in clk_pllv3_{prepare | unprepare} functions.
+
+Fixes: f53947456f98 ("ARM: clk: imx: update pllv3 to support imx7")
+Signed-off-by: Dong Aisheng
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/imx/clk-pllv3.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/imx/clk-pllv3.c
++++ b/drivers/clk/imx/clk-pllv3.c
+@@ -76,9 +76,9 @@ static int clk_pllv3_prepare(struct clk_
+
+ val = readl_relaxed(pll->base);
+ if (pll->powerup_set)
+- val |= BM_PLL_POWER;
++ val |= pll->powerdown;
+ else
+- val &= ~BM_PLL_POWER;
++ val &= ~pll->powerdown;
+ writel_relaxed(val, pll->base);
+
+ return clk_pllv3_wait_lock(pll);
+@@ -91,9 +91,9 @@ static void clk_pllv3_unprepare(struct c
+
+ val = readl_relaxed(pll->base);
+ if (pll->powerup_set)
+- val &= ~BM_PLL_POWER;
++ val &= ~pll->powerdown;
+ else
+- val |= BM_PLL_POWER;
++ val |= pll->powerdown;
+ writel_relaxed(val, pll->base);
+ }
+
diff --git a/queue-4.4/clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch b/queue-4.4/clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch
new file mode 100644
index 00000000000..469b881a8d2
--- /dev/null
+++ b/queue-4.4/clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch
@@ -0,0 +1,61 @@
+From 25f77a3aa4cb948666bf8e7fd972533ea487c3bd Mon Sep 17 00:00:00 2001
+From: Maxime Ripard
+Date: Mon, 16 May 2016 14:47:02 +0200
+Subject: clk: multiplier: Prevent the multiplier from under / over flowing
+
+From: Maxime Ripard
+
+commit 25f77a3aa4cb948666bf8e7fd972533ea487c3bd upstream.
+
+In the current multiplier base clock implementation, if the
+CLK_SET_RATE_PARENT flag isn't set, the code will not make sure that the
+multiplier computed remains within the boundaries of our clock.
+
+This means that if the clock we want to reach is below the parent rate,
+or if the multiplier is above the maximum that we can reach, we will end up
+with a completely bogus one that the clock cannot achieve.
+
+Fixes: f2e0a53271a4 ("clk: Add a basic multiplier clock")
+Signed-off-by: Maxime Ripard
+Signed-off-by: Michael Turquette
+Link: lkml.kernel.org/r/1463402840-17062-3-git-send-email-maxime.ripard@free-electrons.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/clk-multiplier.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/clk/clk-multiplier.c
++++ b/drivers/clk/clk-multiplier.c
+@@ -54,14 +54,28 @@ static unsigned long __bestmult(struct c
+ unsigned long *best_parent_rate,
+ u8 width, unsigned long flags)
+ {
++ struct clk_multiplier *mult = to_clk_multiplier(hw);
+ unsigned long orig_parent_rate = *best_parent_rate;
+ unsigned long parent_rate, current_rate, best_rate = ~0;
+ unsigned int i, bestmult = 0;
++ unsigned int maxmult = (1 << width) - 1;
+
+- if (!(clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT))
+- return rate / *best_parent_rate;
++ if (!(clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT)) {
++ bestmult = rate / orig_parent_rate;
+
+- for (i = 1; i < ((1 << width) - 1); i++) {
++ /* Make sure we don't end up with a 0 multiplier */
++ if ((bestmult == 0) &&
++ !(mult->flags & CLK_MULTIPLIER_ZERO_BYPASS))
++ bestmult = 1;
++
++ /* Make sure we don't overflow the multiplier */
++ if (bestmult > maxmult)
++ bestmult = maxmult;
++
++ return bestmult;
++ }
++
++ for (i = 1; i < maxmult; i++) {
+ if (rate == orig_parent_rate * i) {
+ /*
+ * This is the best case for us if we have a
diff --git a/queue-4.4/clk-st-avoid-uninitialized-variable-use.patch b/queue-4.4/clk-st-avoid-uninitialized-variable-use.patch
new file mode 100644
index 00000000000..e76e21c2407
--- /dev/null
+++ b/queue-4.4/clk-st-avoid-uninitialized-variable-use.patch
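Review bot: In __bestmult() (drivers/clk/clk-multiplier.c) the new `unsigned int maxmult = (1 << width) - 1;` shifts a signed `int` by a caller-supplied `u8`, which is undefined once `width` reaches 31 or more; the shift should be unsigned and bounded, e.g. `unsigned int maxmult = width < 32 ? (1U << width) - 1 : ~0U;`. The rewritten non-`CLK_SET_RATE_PARENT` branch also divides by `orig_parent_rate` with no zero check, so a parent that reports a rate of 0 faults on `rate / orig_parent_rate`; a guard is needed before the division. The clamp can return `maxmult` while the loop below stops at `i < maxmult` and never tries it, which looks inconsistent. The function's signature and the rest of the loop are outside the hunk.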
@@ -0,0 +1,64 @@
+From 2dd52d7f6f9d9d03a82a68040ac3d221dd79af94 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 12 Nov 2015 15:24:29 +0100
+Subject: clk: st: avoid uninitialized variable use
+
+From: Arnd Bergmann
+
+commit 2dd52d7f6f9d9d03a82a68040ac3d221dd79af94 upstream.
+
+quadfs_pll_fs660c32_round_rate prints a few structure members
+that are never initialized, and also doesn't print the only one
+it cares about. We get a gcc warning about the ones that
+are printed:
+
+clk/st/clkgen-fsyn.c:560:93: warning: 'params.sdiv' may be used uninitialized in this function
+clk/st/clkgen-fsyn.c:560:93: warning: 'params.mdiv' may be used uninitialized in this function
+clk/st/clkgen-fsyn.c:560:93: warning: 'params.pe' may be used uninitialized in this function
+clk/st/clkgen-fsyn.c:560:93: warning: 'params.nsdiv' may be used uninitialized in this function
+
+This changes the code to no longer print uninitialized data, and
+for good measure it also prints the ndiv member that is being
+set.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 5f7aa9071e93 ("clk: st: Support for QUADFS inside ClockGenB/C/D/E/F")
+Acked-by: Gabriel Fernandez
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/st/clkgen-fsyn.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/st/clkgen-fsyn.c
++++ b/drivers/clk/st/clkgen-fsyn.c
+@@ -549,19 +549,20 @@ static int clk_fs660c32_vco_get_params(u
+ return 0;
+ }
+
+-static long quadfs_pll_fs660c32_round_rate(struct clk_hw *hw, unsigned long rate
+- , unsigned long *prate)
++static long quadfs_pll_fs660c32_round_rate(struct clk_hw *hw,
++ unsigned long rate,
++ unsigned long *prate)
+ {
+ struct stm_fs params;
+
+- if (!clk_fs660c32_vco_get_params(*prate, rate, ¶ms))
+- clk_fs660c32_vco_get_rate(*prate, ¶ms, &rate);
++ if (clk_fs660c32_vco_get_params(*prate, rate, ¶ms))
++ return rate;
+
+- pr_debug("%s: %s new rate %ld [sdiv=0x%x,md=0x%x,pe=0x%x,nsdiv3=%u]\n",
++ clk_fs660c32_vco_get_rate(*prate, ¶ms, &rate);
++
++ pr_debug("%s: %s new rate %ld [ndiv=%u]\n",
+ __func__, clk_hw_get_name(hw),
+- rate, (unsigned int)params.sdiv,
+- (unsigned int)params.mdiv,
+- (unsigned int)params.pe, (unsigned int)params.nsdiv);
++ rate, (unsigned int)params.ndiv);
+
+ return rate;
+ }
diff --git a/queue-4.4/clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch b/queue-4.4/clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch
new file mode 100644
index 00000000000..c7bff360476
--- /dev/null
+++ b/queue-4.4/clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch
@@ -0,0 +1,38 @@
+From a0d54c3899aaeb047969d9479263c6bcf385c331 Mon Sep 17 00:00:00 2001
+From: Tero Kristo
+Date: Sat, 20 Feb 2016 13:12:57 +0200
+Subject: clk: ti: omap3+: dpll: use non-locking version of clk_get_rate
+
+From: Tero Kristo
+
+commit a0d54c3899aaeb047969d9479263c6bcf385c331 upstream.
+
+As the code in this file is being executed within irq context in some
+cases, we must avoid the clk_get_rate which uses mutex internally.
+Switch the code to use clk_hw_get_rate instead which is non-locking.
+
+This fixes an issue where PM runtime will hang the system if enabled
+with a serial console before a suspend-resume cycle.
+
+Signed-off-by: Tero Kristo
+Tested-by: Tony Lindgren
+Fixes: a53ad8ef3dcc ("clk: ti: Convert to clk_hw based provider APIs")
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/ti/dpll3xxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/ti/dpll3xxx.c
++++ b/drivers/clk/ti/dpll3xxx.c
+@@ -437,7 +437,8 @@ int omap3_noncore_dpll_enable(struct clk
+
+ parent = clk_hw_get_parent(hw);
+
+- if (clk_hw_get_rate(hw) == clk_get_rate(dd->clk_bypass)) {
++ if (clk_hw_get_rate(hw) ==
++ clk_hw_get_rate(__clk_get_hw(dd->clk_bypass))) {
+ WARN_ON(parent != __clk_get_hw(dd->clk_bypass));
+ r = _omap3_noncore_dpll_bypass(clk);
+ } else {
diff --git a/queue-4.4/clk-xgene-don-t-call-__pa-on-ioremaped-address.patch b/queue-4.4/clk-xgene-don-t-call-__pa-on-ioremaped-address.patch
new file mode 100644
index 00000000000..29e87b98c86
--- /dev/null
+++ b/queue-4.4/clk-xgene-don-t-call-__pa-on-ioremaped-address.patch
@@ -0,0 +1,64 @@
+From 06b113e9f28f8657715919087a3f54b77d1634ed Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Fri, 28 Oct 2016 09:59:38 -0700
+Subject: clk: xgene: Don't call __pa on ioremaped address
+
+From: Laura Abbott
+
+commit 06b113e9f28f8657715919087a3f54b77d1634ed upstream.
+
+ioremaped addresses are not linearly mapped so the physical
+address can not be figured out via __pa. More generally, there
+is no guarantee that backing value of an ioremapped address
+is a physical address at all. The value here is only used
+for debugging so just drop the call to __pa on the ioremapped
+address.
+
+Fixes: 6ae5fd381251 ("clk: xgene: Silence sparse warnings")
+Signed-off-by: Laura Abbott
+Acked-by: Loc Ho
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/clk-xgene.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/clk-xgene.c
++++ b/drivers/clk/clk-xgene.c
+@@ -218,22 +218,20 @@ static int xgene_clk_enable(struct clk_h
+ struct xgene_clk *pclk = to_xgene_clk(hw);
+ unsigned long flags = 0;
+ u32 data;
+- phys_addr_t reg;
+
+ if (pclk->lock)
+ spin_lock_irqsave(pclk->lock, flags);
+
+ if (pclk->param.csr_reg != NULL) {
+ pr_debug("%s clock enabled\n", clk_hw_get_name(hw));
+- reg = __pa(pclk->param.csr_reg);
+ /* First enable the clock */
+ data = xgene_clk_read(pclk->param.csr_reg +
+ pclk->param.reg_clk_offset);
+ data |= pclk->param.reg_clk_mask;
+ xgene_clk_write(data, pclk->param.csr_reg +
+ pclk->param.reg_clk_offset);
+- pr_debug("%s clock PADDR base %pa clk offset 0x%08X mask 0x%08X value 0x%08X\n",
+- clk_hw_get_name(hw), ®,
++ pr_debug("%s clk offset 0x%08X mask 0x%08X value 0x%08X\n",
++ clk_hw_get_name(hw),
+ pclk->param.reg_clk_offset, pclk->param.reg_clk_mask,
+ data);
+
+@@ -243,8 +241,8 @@ static int xgene_clk_enable(struct clk_h
+ data &= ~pclk->param.reg_csr_mask;
+ xgene_clk_write(data, pclk->param.csr_reg +
+ pclk->param.reg_csr_offset);
+- pr_debug("%s CSR RESET PADDR base %pa csr offset 0x%08X mask 0x%08X value 0x%08X\n",
+- clk_hw_get_name(hw), ®,
++ pr_debug("%s csr offset 0x%08X mask 0x%08X value 0x%08X\n",
++ clk_hw_get_name(hw),
+ pclk->param.reg_csr_offset, pclk->param.reg_csr_mask,
+ data);
+ }
diff --git a/queue-4.4/cls_bpf-reset-class-and-reuse-major-in-da.patch b/queue-4.4/cls_bpf-reset-class-and-reuse-major-in-da.patch
new file mode 100644
index 00000000000..fe3ff51139b
--- /dev/null
+++ b/queue-4.4/cls_bpf-reset-class-and-reuse-major-in-da.patch
@@ -0,0 +1,66 @@
+From 3a461da1d03e7a857edfa6a002040d07e118c639 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Tue, 15 Mar 2016 22:41:22 +0100
+Subject: cls_bpf: reset class and reuse major in da
+
+From: Daniel Borkmann
+
+commit 3a461da1d03e7a857edfa6a002040d07e118c639 upstream.
+
+There are two issues with the current code. First one is that we need
+to set res->class to 0 in case we use non-default classid matching.
+
+This is important for the case where cls_bpf was initially set up with
+an optional binding to a default class with tcf_bind_filter(), where
+the underlying qdisc implements bind_tcf() that fills res->class and
+tests for it later on when doing the classification. Convention for
+these cases is that after tc_classify() was called, such qdiscs (atm,
+drr, qfq, cbq, hfsc, htb) first test class, and if 0, then they lookup
+based on classid.
+
+Second, there's a bug with da mode, where res->classid is only assigned
+a 16 bit minor, but it needs to expand to the full 32 bit major/minor
+combination instead, therefore we need to expand with the bound major.
+This is fine as classes belonging to a classful qdisc must share the
+same major.
+
+Fixes: 045efa82ff56 ("cls_bpf: introduce integrated actions")
+Signed-off-by: Daniel Borkmann
+Acked-by: Alexei Starovoitov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sched/cls_bpf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -107,8 +107,9 @@ static int cls_bpf_classify(struct sk_bu
+ }
+
+ if (prog->exts_integrated) {
+- res->class = prog->res.class;
+- res->classid = qdisc_skb_cb(skb)->tc_classid;
++ res->class = 0;
++ res->classid = TC_H_MAJ(prog->res.classid) |
++ qdisc_skb_cb(skb)->tc_classid;
+
+ ret = cls_bpf_exec_opcode(filter_res);
+ if (ret == TC_ACT_UNSPEC)
+@@ -118,10 +119,12 @@ static int cls_bpf_classify(struct sk_bu
+
+ if (filter_res == 0)
+ continue;
+-
+- *res = prog->res;
+- if (filter_res != -1)
++ if (filter_res != -1) {
++ res->class = 0;
+ res->classid = filter_res;
++ } else {
++ *res = prog->res;
++ }
+
+ ret = tcf_exts_exec(skb, &prog->exts, res);
+ if (ret < 0)
diff --git a/queue-4.4/flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch b/queue-4.4/flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch
new file mode 100644
index 00000000000..f09737cd82e
--- /dev/null
+++ b/queue-4.4/flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch
@@ -0,0 +1,52 @@
+From 918c023f29ab2dd8c63cfcc6a1239ee15933871a Mon Sep 17 00:00:00 2001
+From: Alexander Duyck
+Date: Wed, 24 Feb 2016 09:29:38 -0800
+Subject: flow_dissector: Check for IP fragmentation even if not using IPv4 address
+
+From: Alexander Duyck
+
+commit 918c023f29ab2dd8c63cfcc6a1239ee15933871a upstream.
+
+This patch corrects the logic for the IPv4 parsing so that it is consistent
+with how we handle IPv6. Specifically if we do not have the flow key
+indicating we want the addresses we still may need to take a look at the IP
+fragmentation bits and to see if we should stop after we have recognized
+the L3 header.
+
+Fixes: 807e165dc44f ("flow_dissector: Add control/reporting of fragmentation")
+Signed-off-by: Alexander Duyck
+Acked-by: Tom Herbert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/flow_dissector.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -178,15 +178,16 @@ ip:
+
+ ip_proto = iph->protocol;
+
+- if (!dissector_uses_key(flow_dissector,
+- FLOW_DISSECTOR_KEY_IPV4_ADDRS))
+- break;
++ if (dissector_uses_key(flow_dissector,
++ FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
++ key_addrs = skb_flow_dissector_target(flow_dissector,
++ FLOW_DISSECTOR_KEY_IPV4_ADDRS,
++ target_container);
+
+- key_addrs = skb_flow_dissector_target(flow_dissector,
+- FLOW_DISSECTOR_KEY_IPV4_ADDRS, target_container);
+- memcpy(&key_addrs->v4addrs, &iph->saddr,
+- sizeof(key_addrs->v4addrs));
+- key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
++ memcpy(&key_addrs->v4addrs, &iph->saddr,
++ sizeof(key_addrs->v4addrs));
++ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
++ }
+
+ if (ip_is_fragment(iph)) {
+ key_control->flags |= FLOW_DIS_IS_FRAGMENT;
diff --git a/queue-4.4/ipv4-accept-u8-in-ip_tos-ancillary-data.patch b/queue-4.4/ipv4-accept-u8-in-ip_tos-ancillary-data.patch
new file mode 100644
index 00000000000..84e0e2ce2a7
--- /dev/null
+++ b/queue-4.4/ipv4-accept-u8-in-ip_tos-ancillary-data.patch
@@ -0,0 +1,56 @@
+From e895cdce683161081e3626c4f5a5c55cb72089f8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 7 Sep 2016 21:52:56 -0700
+Subject: ipv4: accept u8 in IP_TOS ancillary data
+
+From: Eric Dumazet
+
+commit e895cdce683161081e3626c4f5a5c55cb72089f8 upstream.
+
+In commit f02db315b8d8 ("ipv4: IP_TOS and IP_TTL can be specified as
+ancillary data") Francesco added IP_TOS values specified as integer.
+
+However, kernel sends to userspace (at recvmsg() time) an IP_TOS value
+in a single byte, when IP_RECVTOS is set on the socket.
+
+It can be very useful to reflect all ancillary options as given by the
+kernel in a subsequent sendmsg(), instead of aborting the sendmsg() with
+EINVAL after Francesco patch.
+
+So this patch extends IP_TOS ancillary to accept an u8, so that an UDP
+server can simply reuse same ancillary block without having to mangle
+it.
+
+Jesper can then augment
+https://github.com/netoptimizer/network-testing/blob/master/src/udp_example02.c
+to add TOS reflection ;)
+
+Fixes: f02db315b8d8 ("ipv4: IP_TOS and IP_TTL can be specified as ancillary data")
+Signed-off-by: Eric Dumazet
+Cc: Francesco Fusco
+Cc: Jesper Dangaard Brouer
+Acked-by: Jesper Dangaard Brouer
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_sockglue.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -279,9 +279,12 @@ int ip_cmsg_send(struct net *net, struct
+ ipc->ttl = val;
+ break;
+ case IP_TOS:
+- if (cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
++ if (cmsg->cmsg_len == CMSG_LEN(sizeof(int)))
++ val = *(int *)CMSG_DATA(cmsg);
++ else if (cmsg->cmsg_len == CMSG_LEN(sizeof(u8)))
++ val = *(u8 *)CMSG_DATA(cmsg);
++ else
+ return -EINVAL;
+- val = *(int *)CMSG_DATA(cmsg);
+ if (val < 0 || val > 255)
+ return -EINVAL;
+ ipc->tos = val;
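Review bot: The two accepted `cmsg_len` values in the `IP_TOS` case of ip_cmsg_send() (net/ipv4/ip_sockglue.c) are undocumented, so a reader cannot tell from the code why a one-byte payload is legal here. I would add `/* recvmsg() reports IP_TOS as a single byte, so accept u8 as well as int */` above the first `if`. The exact-length comparison ahead of each `CMSG_DATA()` dereference is what keeps the read inside the control buffer supplied by userspace, so any size accepted later should keep the same pairing of one length with one cast. ip_cmsg_send() starts and ends outside the hunk.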
diff --git a/queue-4.4/ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch b/queue-4.4/ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch new file mode 100644 index 00000000000..0a4bf35fc2a --- /dev/null +++ b/queue-4.4/ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch 
@@ -0,0 +1,81 @@ +From fa17806cde76fb1087532f07e72aa757a30e0500 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 8 Jul 2016 05:18:24 +0200 +Subject: ipv4: do not abuse GFP_ATOMIC in inet_netconf_notify_devconf() + +From: Eric Dumazet + +commit fa17806cde76fb1087532f07e72aa757a30e0500 upstream. + +inet_forward_change() runs with RTNL held. +We are allowed to sleep if required. + +If we use __in_dev_get_rtnl() instead of __in_dev_get_rcu(), +we no longer have to use GFP_ATOMIC allocations in +inet_netconf_notify_devconf(), meaning we are less likely to miss +notifications under memory pressure, and wont touch precious memory +reserves either and risk dropping incoming packets. + +inet_netconf_get_devconf() can also use GFP_KERNEL allocation. + +Fixes: edc9e748934c ("rtnl/ipv4: use netconf msg to advertise forwarding status") +Fixes: 9e5511106f99 ("rtnl/ipv4: add support of RTM_GETNETCONF") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel +Acked-by: Nicolas Dichtel +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/devinet.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1814,7 +1814,7 @@ void inet_netconf_notify_devconf(struct + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(inet_netconf_msgsize_devconf(type), GFP_ATOMIC); ++ skb = nlmsg_new(inet_netconf_msgsize_devconf(type), GFP_KERNEL); + if (!skb) + goto errout; + +@@ -1826,7 +1826,7 @@ void inet_netconf_notify_devconf(struct + kfree_skb(skb); + goto errout; + } +- rtnl_notify(skb, net, 0, RTNLGRP_IPV4_NETCONF, NULL, GFP_ATOMIC); ++ rtnl_notify(skb, net, 0, RTNLGRP_IPV4_NETCONF, NULL, GFP_KERNEL); + return; + errout: + if (err < 0) +@@ -1883,7 +1883,7 @@ static int inet_netconf_get_devconf(stru + } + + err = -ENOBUFS; +- skb = nlmsg_new(inet_netconf_msgsize_devconf(-1), GFP_ATOMIC); ++ skb = nlmsg_new(inet_netconf_msgsize_devconf(-1), GFP_KERNEL); + if (!skb) + goto errout; + +@@ -2007,16 +2007,16 @@ static void inet_forward_change(struct n + + for_each_netdev(net, dev) { + struct in_device *in_dev; ++ + if (on) + dev_disable_lro(dev); +- rcu_read_lock(); +- in_dev = __in_dev_get_rcu(dev); ++ ++ in_dev = __in_dev_get_rtnl(dev); + if (in_dev) { + IN_DEV_CONF_SET(in_dev, FORWARDING, on); + inet_netconf_notify_devconf(net, NETCONFA_FORWARDING, + dev->ifindex, &in_dev->cnf); + } +- rcu_read_unlock(); + } + } + diff --git a/queue-4.4/ipv4-fix-checksum-annotation-in-udp4_csum_init.patch b/queue-4.4/ipv4-fix-checksum-annotation-in-udp4_csum_init.patch new file mode 100644 index 00000000000..c7f4ed72b69 --- /dev/null +++ b/queue-4.4/ipv4-fix-checksum-annotation-in-udp4_csum_init.patch 
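Review bot: In queue-4.4/ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch, the switch to GFP_KERNEL in inet_netconf_notify_devconf() applies to every caller, while the description and hunks only establish process context for inet_forward_change(). The other callers are outside this patch, so it is worth confirming on the 4.4 tree that none of them runs under a spinlock or rcu_read_lock(); the IPv6 counterpart in this same queue had to move a call out of a write_lock_bh() section in ip6mr.c for that reason. A one-line contract above the function would record the requirement: `/* May sleep: callers must be in process context. */`. inet_forward_change() now depends on RTNL for __in_dev_get_rtnl(), and an `ASSERT_RTNL();` at its top would make that explicit.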
@@ -0,0 +1,37 @@ +From b46d9f625b07f843c706c2c7d0210a90ccdf143b Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Sun, 12 Jun 2016 12:02:46 +0200 +Subject: ipv4: fix checksum annotation in udp4_csum_init + +From: Hannes Frederic Sowa + +commit b46d9f625b07f843c706c2c7d0210a90ccdf143b upstream. + +Reported-by: Cong Wang +Cc: Cong Wang +Cc: Tom Herbert +Fixes: 4068579e1e098fa ("net: Implmement RFC 6936 (zero RX csums for UDP/IPv6") +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1754,8 +1754,11 @@ static inline int udp4_csum_init(struct + } + } + +- return skb_checksum_init_zero_check(skb, proto, uh->check, +- inet_compute_pseudo); ++ /* Note, we are only interested in != 0 or == 0, thus the ++ * force to int. ++ */ ++ return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, ++ inet_compute_pseudo); + } + + /* diff --git a/queue-4.4/ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch b/queue-4.4/ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch new file mode 100644 index 00000000000..67e8e511abc --- /dev/null +++ b/queue-4.4/ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch 
@@ -0,0 +1,37 @@ +From 3114cdfe66c156345b0ae34e2990472f277e0c1b Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Tue, 15 Nov 2016 05:46:12 -0500 +Subject: ipv4: Fix memory leak in exception case for splitting tries + +From: Alexander Duyck + +commit 3114cdfe66c156345b0ae34e2990472f277e0c1b upstream. + +Fix a small memory leak that can occur where we leak a fib_alias in the +event of us not being able to insert it into the local table. + +Fixes: 0ddcf43d5d4a0 ("ipv4: FIB Local/MAIN table collapse") +Reported-by: Eric Dumazet +Signed-off-by: Alexander Duyck +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/fib_trie.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1714,8 +1714,10 @@ struct fib_table *fib_trie_unmerge(struc + local_l = fib_find_node(lt, &local_tp, l->key); + + if (fib_insert_alias(lt, local_tp, local_l, new_fa, +- NULL, l->key)) ++ NULL, l->key)) { ++ kmem_cache_free(fn_alias_kmem, new_fa); + goto out; ++ } + } + + /* stop loop if key wrapped back to 0 */ diff --git a/queue-4.4/ipv6-add-missing-netconf-notif-when-all-is-updated.patch b/queue-4.4/ipv6-add-missing-netconf-notif-when-all-is-updated.patch new file mode 100644 index 00000000000..455b29719d5 --- /dev/null +++ b/queue-4.4/ipv6-add-missing-netconf-notif-when-all-is-updated.patch 
@@ -0,0 +1,37 @@ +From d26c638c16cb54f6fb1507e27df93ede692db572 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Tue, 30 Aug 2016 10:09:21 +0200 +Subject: ipv6: add missing netconf notif when 'all' is updated + +From: Nicolas Dichtel + +commit d26c638c16cb54f6fb1507e27df93ede692db572 upstream. + +The 'default' value was not advertised. + +Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -771,7 +771,14 @@ static int addrconf_fixup_forwarding(str + } + + if (p == &net->ipv6.devconf_all->forwarding) { ++ int old_dflt = net->ipv6.devconf_dflt->forwarding; ++ + net->ipv6.devconf_dflt->forwarding = newf; ++ if ((!newf) ^ (!old_dflt)) ++ inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING, ++ NETCONFA_IFINDEX_DEFAULT, ++ net->ipv6.devconf_dflt); ++ + addrconf_forward_change(net, newf); + if ((!newf) ^ (!old)) + inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING, diff --git a/queue-4.4/ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch b/queue-4.4/ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch new file mode 100644 index 00000000000..71eee9d173b --- /dev/null +++ b/queue-4.4/ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch 
@@ -0,0 +1,82 @@ +From 927265bc6cd6374c9bafc43408ece4e92311b149 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 8 Jul 2016 05:46:04 +0200 +Subject: ipv6: do not abuse GFP_ATOMIC in inet6_netconf_notify_devconf() + +From: Eric Dumazet + +commit 927265bc6cd6374c9bafc43408ece4e92311b149 upstream. + +All inet6_netconf_notify_devconf() callers are in process context, +so we can use GFP_KERNEL allocations if we take care of not holding +a rwlock while not needed in ip6mr (we hold RTNL there) + +Fixes: d67b8c616b48 ("netconf: advertise mc_forwarding status") +Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") +Signed-off-by: Eric Dumazet +Cc: Nicolas Dichtel +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 4 ++-- + net/ipv6/ip6mr.c | 13 +++++++------ + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -540,7 +540,7 @@ void inet6_netconf_notify_devconf(struct + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(inet6_netconf_msgsize_devconf(type), GFP_ATOMIC); ++ skb = nlmsg_new(inet6_netconf_msgsize_devconf(type), GFP_KERNEL); + if (!skb) + goto errout; + +@@ -552,7 +552,7 @@ void inet6_netconf_notify_devconf(struct + kfree_skb(skb); + goto errout; + } +- rtnl_notify(skb, net, 0, RTNLGRP_IPV6_NETCONF, NULL, GFP_ATOMIC); ++ rtnl_notify(skb, net, 0, RTNLGRP_IPV6_NETCONF, NULL, GFP_KERNEL); + return; + errout: + rtnl_set_sk_err(net, RTNLGRP_IPV6_NETCONF, err); +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1594,14 +1594,15 @@ static int ip6mr_sk_init(struct mr6_tabl + if (likely(mrt->mroute6_sk == NULL)) { + mrt->mroute6_sk = sk; + net->ipv6.devconf_all->mc_forwarding++; +- inet6_netconf_notify_devconf(net, NETCONFA_MC_FORWARDING, +- NETCONFA_IFINDEX_ALL, +- net->ipv6.devconf_all); +- } +- else ++ } else { + err = -EADDRINUSE; ++ } + write_unlock_bh(&mrt_lock); + ++ if (!err) ++ 
inet6_netconf_notify_devconf(net, NETCONFA_MC_FORWARDING, ++ NETCONFA_IFINDEX_ALL, ++ net->ipv6.devconf_all); + rtnl_unlock(); + + return err; +@@ -1619,11 +1620,11 @@ int ip6mr_sk_done(struct sock *sk) + write_lock_bh(&mrt_lock); + mrt->mroute6_sk = NULL; + net->ipv6.devconf_all->mc_forwarding--; ++ write_unlock_bh(&mrt_lock); + inet6_netconf_notify_devconf(net, + NETCONFA_MC_FORWARDING, + NETCONFA_IFINDEX_ALL, + net->ipv6.devconf_all); +- write_unlock_bh(&mrt_lock); + + mroute_clean_tables(mrt, false); + err = 0; diff --git a/queue-4.4/ipv6-fix-checksum-annotation-in-udp6_csum_init.patch b/queue-4.4/ipv6-fix-checksum-annotation-in-udp6_csum_init.patch new file mode 100644 index 00000000000..87baafc279f --- /dev/null +++ b/queue-4.4/ipv6-fix-checksum-annotation-in-udp6_csum_init.patch 
@@ -0,0 +1,36 @@ +From c148d16369ff0095eca950d17968ba1d56a47b53 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Sat, 11 Jun 2016 21:15:37 +0200 +Subject: ipv6: fix checksum annotation in udp6_csum_init + +From: Hannes Frederic Sowa + +commit c148d16369ff0095eca950d17968ba1d56a47b53 upstream. + +Cc: Tom Herbert +Fixes: 4068579e1e098fa ("net: Implmement RFC 6936 (zero RX csums for UDP/IPv6") +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_checksum.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_checksum.c ++++ b/net/ipv6/ip6_checksum.c +@@ -84,9 +84,12 @@ int udp6_csum_init(struct sk_buff *skb, + * we accept a checksum of zero here. When we find the socket + * for the UDP packet we'll check if that socket allows zero checksum + * for IPv6 (set by socket option). ++ * ++ * Note, we are only interested in != 0 or == 0, thus the ++ * force to int. + */ +- return skb_checksum_init_zero_check(skb, proto, uh->check, +- ip6_compute_pseudo); ++ return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, ++ ip6_compute_pseudo); + } + EXPORT_SYMBOL(udp6_csum_init); + diff --git a/queue-4.4/memory-tegra-add-number-of-tlb-lines-for-tegra124.patch b/queue-4.4/memory-tegra-add-number-of-tlb-lines-for-tegra124.patch new file mode 100644 index 00000000000..fe54f2b7515 --- /dev/null +++ b/queue-4.4/memory-tegra-add-number-of-tlb-lines-for-tegra124.patch 
@@ -0,0 +1,37 @@ +From e2127ae7a5e80eb53ad431c39145767391da40cd Mon Sep 17 00:00:00 2001 +From: Vince Hsu +Date: Tue, 29 Sep 2015 11:58:51 +0200 +Subject: memory/tegra: Add number of TLB lines for Tegra124 + +From: Vince Hsu + +commit e2127ae7a5e80eb53ad431c39145767391da40cd upstream. + +Tegra124 was accidentally left out when the number of TLB lines was +parameterized in commit 11cec15bf3fb ("iommu/tegra-smmu: Parameterize +number of TLB lines"). Fortunately this doesn't cause any noticeable +regressions upstream, presumably because there aren't any use-cases +that exercise enough pressure on the SMMU. But it is a regression +nonetheless, so let's fix it. + +Fixes: 11cec15bf3fb ("iommu/tegra-smmu: Parameterize number of TLB lines") +Signed-off-by: Vince Hsu +Signed-off-by: Tomasz Figa +[treding@nvidia.com: extract from unrelated patch] +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memory/tegra/tegra124.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/memory/tegra/tegra124.c ++++ b/drivers/memory/tegra/tegra124.c +@@ -1007,6 +1007,7 @@ static const struct tegra_smmu_soc tegra + .num_swgroups = ARRAY_SIZE(tegra124_swgroups), + .supports_round_robin_arbitration = true, + .supports_request_limit = true, ++ .num_tlb_lines = 32, + .num_asids = 128, + }; + diff --git a/queue-4.4/net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch b/queue-4.4/net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch new file mode 100644 index 00000000000..3194b753d5b --- /dev/null +++ b/queue-4.4/net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch 
@@ -0,0 +1,204 @@ +From 830218c1add1da16519b71909e5cf21522b7d062 Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Mon, 24 Oct 2016 10:52:35 -0700 +Subject: net: ipv6: Fix processing of RAs in presence of VRF + +From: David Ahern + +commit 830218c1add1da16519b71909e5cf21522b7d062 upstream. + +rt6_add_route_info and rt6_add_dflt_router were updated to pull the FIB +table from the device index, but the corresponding rt6_get_route_info +and rt6_get_dflt_router functions were not leading to the failure to +process RA's: + + ICMPv6: RA: ndisc_router_discovery failed to add default route + +Fix the 'get' functions by using the table id associated with the +device when applicable. + +Also, now that default routes can be added to tables other than the +default table, rt6_purge_dflt_routers needs to be updated as well to +look at all tables. To handle that efficiently, add a flag to the table +denoting if it is has a default route via RA. + +Fixes: ca254490c8dfd ("net: Add VRF support to IPv6 stack") +Signed-off-by: David Ahern +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/ip6_fib.h | 2 + + net/ipv6/route.c | 68 +++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 50 insertions(+), 20 deletions(-) + +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -258,6 +258,8 @@ struct fib6_table { + rwlock_t tb6_lock; + struct fib6_node tb6_root; + struct inet_peer_base tb6_peers; ++ unsigned int flags; ++#define RT6_TABLE_HAS_DFLT_ROUTER BIT(0) + }; + + #define RT6_TABLE_UNSPEC RT_TABLE_UNSPEC +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -101,11 +101,13 @@ static int rt6_score_route(struct rt6_in + #ifdef CONFIG_IPV6_ROUTE_INFO + static struct rt6_info *rt6_add_route_info(struct net *net, + const struct in6_addr *prefix, int prefixlen, +- const struct in6_addr *gwaddr, int ifindex, ++ const struct in6_addr *gwaddr, ++ struct net_device *dev, + unsigned int pref); + static struct rt6_info *rt6_get_route_info(struct net *net, + const struct in6_addr *prefix, int prefixlen, +- const struct in6_addr *gwaddr, int ifindex); ++ const struct in6_addr *gwaddr, ++ struct net_device *dev); + #endif + + struct uncached_list { +@@ -801,7 +803,7 @@ int rt6_route_rcv(struct net_device *dev + rt = rt6_get_dflt_router(gwaddr, dev); + else + rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, +- gwaddr, dev->ifindex); ++ gwaddr, dev); + + if (rt && !lifetime) { + ip6_del_rt(rt); +@@ -809,8 +811,8 @@ int rt6_route_rcv(struct net_device *dev + } + + if (!rt && lifetime) +- rt = rt6_add_route_info(net, prefix, rinfo->prefix_len, gwaddr, dev->ifindex, +- pref); ++ rt = rt6_add_route_info(net, prefix, rinfo->prefix_len, gwaddr, ++ dev, pref); + else if (rt) + rt->rt6i_flags = RTF_ROUTEINFO | + (rt->rt6i_flags & ~RTF_PREF_MASK) | RTF_PREF(pref); +@@ -2273,13 +2275,16 @@ static void ip6_rt_copy_init(struct rt6_ + #ifdef CONFIG_IPV6_ROUTE_INFO + static struct rt6_info *rt6_get_route_info(struct net *net, + const struct in6_addr *prefix, int prefixlen, +- const struct 
in6_addr *gwaddr, int ifindex) ++ const struct in6_addr *gwaddr, ++ struct net_device *dev) + { ++ u32 tb_id = l3mdev_fib_table(dev) ? : RT6_TABLE_INFO; ++ int ifindex = dev->ifindex; + struct fib6_node *fn; + struct rt6_info *rt = NULL; + struct fib6_table *table; + +- table = fib6_get_table(net, RT6_TABLE_INFO); ++ table = fib6_get_table(net, tb_id); + if (!table) + return NULL; + +@@ -2305,12 +2310,13 @@ out: + + static struct rt6_info *rt6_add_route_info(struct net *net, + const struct in6_addr *prefix, int prefixlen, +- const struct in6_addr *gwaddr, int ifindex, ++ const struct in6_addr *gwaddr, ++ struct net_device *dev, + unsigned int pref) + { + struct fib6_config cfg = { + .fc_metric = IP6_RT_PRIO_USER, +- .fc_ifindex = ifindex, ++ .fc_ifindex = dev->ifindex, + .fc_dst_len = prefixlen, + .fc_flags = RTF_GATEWAY | RTF_ADDRCONF | RTF_ROUTEINFO | + RTF_UP | RTF_PREF(pref), +@@ -2319,7 +2325,7 @@ static struct rt6_info *rt6_add_route_in + .fc_nlinfo.nl_net = net, + }; + +- cfg.fc_table = l3mdev_fib_table_by_index(net, ifindex) ? : RT6_TABLE_INFO; ++ cfg.fc_table = l3mdev_fib_table(dev) ? : RT6_TABLE_INFO, + cfg.fc_dst = *prefix; + cfg.fc_gateway = *gwaddr; + +@@ -2329,16 +2335,17 @@ static struct rt6_info *rt6_add_route_in + + ip6_route_add(&cfg); + +- return rt6_get_route_info(net, prefix, prefixlen, gwaddr, ifindex); ++ return rt6_get_route_info(net, prefix, prefixlen, gwaddr, dev); + } + #endif + + struct rt6_info *rt6_get_dflt_router(const struct in6_addr *addr, struct net_device *dev) + { ++ u32 tb_id = l3mdev_fib_table(dev) ? 
: RT6_TABLE_DFLT; + struct rt6_info *rt; + struct fib6_table *table; + +- table = fib6_get_table(dev_net(dev), RT6_TABLE_DFLT); ++ table = fib6_get_table(dev_net(dev), tb_id); + if (!table) + return NULL; + +@@ -2372,20 +2379,20 @@ struct rt6_info *rt6_add_dflt_router(con + + cfg.fc_gateway = *gwaddr; + +- ip6_route_add(&cfg); ++ if (!ip6_route_add(&cfg)) { ++ struct fib6_table *table; ++ ++ table = fib6_get_table(dev_net(dev), cfg.fc_table); ++ if (table) ++ table->flags |= RT6_TABLE_HAS_DFLT_ROUTER; ++ } + + return rt6_get_dflt_router(gwaddr, dev); + } + +-void rt6_purge_dflt_routers(struct net *net) ++static void __rt6_purge_dflt_routers(struct fib6_table *table) + { + struct rt6_info *rt; +- struct fib6_table *table; +- +- /* NOTE: Keep consistent with rt6_get_dflt_router */ +- table = fib6_get_table(net, RT6_TABLE_DFLT); +- if (!table) +- return; + + restart: + read_lock_bh(&table->tb6_lock); +@@ -2399,6 +2406,27 @@ restart: + } + } + read_unlock_bh(&table->tb6_lock); ++ ++ table->flags &= ~RT6_TABLE_HAS_DFLT_ROUTER; ++} ++ ++void rt6_purge_dflt_routers(struct net *net) ++{ ++ struct fib6_table *table; ++ struct hlist_head *head; ++ unsigned int h; ++ ++ rcu_read_lock(); ++ ++ for (h = 0; h < FIB6_TABLE_HASHSZ; h++) { ++ head = &net->ipv6.fib_table_hash[h]; ++ hlist_for_each_entry_rcu(table, head, tb6_hlist) { ++ if (table->flags & RT6_TABLE_HAS_DFLT_ROUTER) ++ __rt6_purge_dflt_routers(table); ++ } ++ } ++ ++ rcu_read_unlock(); + } + + static void rtmsg_to_fib6_config(struct net *net, diff --git a/queue-4.4/net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch b/queue-4.4/net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch new file mode 100644 index 00000000000..29e301166ad --- /dev/null +++ b/queue-4.4/net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch 
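Review bot: In queue-4.4/net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch, the new assignment in rt6_add_route_info() ends with a comma instead of a semicolon: `cfg.fc_table = l3mdev_fib_table(dev) ? : RT6_TABLE_INFO,` followed by `cfg.fc_dst = *prefix;`. The comma operator makes it behave as two assignments, but it reads as a typo and should be `cfg.fc_table = l3mdev_fib_table(dev) ? : RT6_TABLE_INFO;`. Separately, `table->flags |= RT6_TABLE_HAS_DFLT_ROUTER` in rt6_add_dflt_router() and `table->flags &= ~RT6_TABLE_HAS_DFLT_ROUTER` in __rt6_purge_dflt_routers() are plain read-modify-write updates, the latter after `read_unlock_bh()` and the former with no lock visible in the hunk. If the two paths can run concurrently (not visible here), a lost update could leave a table with an RA default route unflagged and skipped by later purges, so either do both updates under tb6_lock or add a comment naming what serialises them.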
@@ -0,0 +1,77 @@ +From 4f7f34eaab9f68c9bcd45386b15c414c38b40587 Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Thu, 7 Apr 2016 11:10:41 -0700 +Subject: net: vrf: Fix dev refcnt leak due to IPv6 prefix route + +From: David Ahern + +commit 4f7f34eaab9f68c9bcd45386b15c414c38b40587 upstream. + +ifupdown2 found a kernel bug with IPv6 routes and movement from the main +table to the VRF table. Sequence of events: + +Create the interface and add addresses: + ip link add dev eth4.105 link eth4 type vlan id 105 + ip addr add dev eth4.105 8.105.105.10/24 + ip -6 addr add dev eth4.105 2008:105:105::10/64 + +At this point IPv6 has inserted a prefix route in the main table even +though the interface is 'down'. From there the VRF device is created: + ip link add dev vrf105 type vrf table 105 + ip addr add dev vrf105 9.9.105.10/32 + ip -6 addr add dev vrf105 2000:9:105::10/128 + ip link set vrf105 up + +Then the interface is enslaved, while still in the 'down' state: + ip link set dev eth4.105 master vrf105 + +Since the device is down the VRF driver cycling the device does not +send the NETDEV_UP and NETDEV_DOWN but rather the NETDEV_CHANGE event +which does not flush the routes inserted prior. + +When the link is brought up + ip link set dev eth4.105 up + +the prefix route is added in the VRF table, but does not remove +the route from the main table. + +Fix by handling the NETDEV_CHANGEUPPER event similar what was implemented +for IPv4 in 7f49e7a38b77 ("net: Flush local routes when device changes vrf +association") + +Fixes: 35402e3136634 ("net: Add IPv6 support to VRF device") + +Signed-off-by: David Ahern +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3146,6 +3146,7 @@ static int addrconf_notify(struct notifi + void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct netdev_notifier_changeupper_info *info; + struct inet6_dev *idev = __in6_dev_get(dev); + struct net *net = dev_net(dev); + int run_pending = 0; +@@ -3307,6 +3308,15 @@ static int addrconf_notify(struct notifi + case NETDEV_POST_TYPE_CHANGE: + addrconf_type_change(dev, event); + break; ++ ++ case NETDEV_CHANGEUPPER: ++ info = ptr; ++ ++ /* flush all routes if dev is linked to or unlinked from ++ * an L3 master device (e.g., VRF) ++ */ ++ if (info->upper_dev && netif_is_l3_master(info->upper_dev)) ++ addrconf_ifdown(dev, 0); + } + + return NOTIFY_OK; diff --git a/queue-4.4/netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch b/queue-4.4/netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch new file mode 100644 index 00000000000..1eefcffb093 --- /dev/null +++ b/queue-4.4/netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch 
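Review bot: In queue-4.4/net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch, the new `case NETDEV_CHANGEUPPER:` in addrconf_notify() is the last case of the switch and ends without a `break;`, unlike the NETDEV_POST_TYPE_CHANGE case just above it. It works today because nothing follows, but a case appended later would be entered by fall-through; add `break;` after `addrconf_ifdown(dev, 0);`. The in-code comment says routes are flushed when the device is linked to or unlinked from an L3 master, while the test `info->upper_dev && netif_is_l3_master(info->upper_dev)` does not look at the direction of the change, so the comment could state that handling both directions is intentional. addrconf_notify() starts and ends outside the hunk.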
@@ -0,0 +1,39 @@ +From c17c3cdff10b9f59ef1244a14604f10949f17117 Mon Sep 17 00:00:00 2001 +From: Liping Zhang +Date: Sat, 29 Oct 2016 22:03:05 +0800 +Subject: netfilter: nf_tables: destroy the set if fail to add transaction + +From: Liping Zhang + +commit c17c3cdff10b9f59ef1244a14604f10949f17117 upstream. + +When the memory is exhausted, then we will fail to add the NFT_MSG_NEWSET +transaction. In such case, we should destroy the set before we free it. + +Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2849,12 +2849,14 @@ static int nf_tables_newset(struct net * + + err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); + if (err < 0) +- goto err2; ++ goto err3; + + list_add_tail_rcu(&set->list, &table->sets); + table->use++; + return 0; + ++err3: ++ ops->destroy(set); + err2: + kfree(set); + err1: diff --git a/queue-4.4/netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch b/queue-4.4/netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch new file mode 100644 index 00000000000..1e98091b4ab --- /dev/null +++ b/queue-4.4/netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch 
@@ -0,0 +1,33 @@ +From 8fff1722f705ce5023a0d6d77a31a9d013be2a34 Mon Sep 17 00:00:00 2001 +From: Liping Zhang +Date: Tue, 14 Jun 2016 20:13:04 +0800 +Subject: netfilter: nf_tables: fix a wrong check to skip the inactive rules + +From: Liping Zhang + +commit 8fff1722f705ce5023a0d6d77a31a9d013be2a34 upstream. + +nft_genmask_cur has already done left-shift operator on the gencursor, +so there's no need to do left-shift operator on it again. + +Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions") +Cc: Patrick McHardy +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -130,7 +130,7 @@ next_rule: + list_for_each_entry_continue_rcu(rule, &chain->rules, list) { + + /* This rule is not active, skip. */ +- if (unlikely(rule->genmask & (1 << gencursor))) ++ if (unlikely(rule->genmask & gencursor)) + continue; + + rulenum++; diff --git a/queue-4.4/netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch b/queue-4.4/netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch new file mode 100644 index 00000000000..e8fe4f998fb --- /dev/null +++ b/queue-4.4/netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch 
@@ -0,0 +1,66 @@ +From b73b8a1ba598236296a46103d81c10d629d9a470 Mon Sep 17 00:00:00 2001 +From: Liping Zhang +Date: Sat, 29 Oct 2016 22:09:51 +0800 +Subject: netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it + +From: Liping Zhang + +commit b73b8a1ba598236296a46103d81c10d629d9a470 upstream. + +The NFTA_DUP_SREG_DEV attribute is not a must option, so we should use it +in routing lookup only when the user specify it. + +Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/nft_dup_ipv4.c | 6 ++++-- + net/ipv6/netfilter/nft_dup_ipv6.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ipv4/netfilter/nft_dup_ipv4.c ++++ b/net/ipv4/netfilter/nft_dup_ipv4.c +@@ -28,7 +28,7 @@ static void nft_dup_ipv4_eval(const stru + struct in_addr gw = { + .s_addr = (__force __be32)regs->data[priv->sreg_addr], + }; +- int oif = regs->data[priv->sreg_dev]; ++ int oif = priv->sreg_dev ? regs->data[priv->sreg_dev] : -1; + + nf_dup_ipv4(pkt->net, pkt->skb, pkt->hook, &gw, oif); + } +@@ -59,7 +59,9 @@ static int nft_dup_ipv4_dump(struct sk_b + { + struct nft_dup_ipv4 *priv = nft_expr_priv(expr); + +- if (nft_dump_register(skb, NFTA_DUP_SREG_ADDR, priv->sreg_addr) || ++ if (nft_dump_register(skb, NFTA_DUP_SREG_ADDR, priv->sreg_addr)) ++ goto nla_put_failure; ++ if (priv->sreg_dev && + nft_dump_register(skb, NFTA_DUP_SREG_DEV, priv->sreg_dev)) + goto nla_put_failure; + +--- a/net/ipv6/netfilter/nft_dup_ipv6.c ++++ b/net/ipv6/netfilter/nft_dup_ipv6.c +@@ -26,7 +26,7 @@ static void nft_dup_ipv6_eval(const stru + { + struct nft_dup_ipv6 *priv = nft_expr_priv(expr); + struct in6_addr *gw = (struct in6_addr *)®s->data[priv->sreg_addr]; +- int oif = regs->data[priv->sreg_dev]; ++ int oif = priv->sreg_dev ? 
regs->data[priv->sreg_dev] : -1; + + nf_dup_ipv6(pkt->net, pkt->skb, pkt->hook, gw, oif); + } +@@ -57,7 +57,9 @@ static int nft_dup_ipv6_dump(struct sk_b + { + struct nft_dup_ipv6 *priv = nft_expr_priv(expr); + +- if (nft_dump_register(skb, NFTA_DUP_SREG_ADDR, priv->sreg_addr) || ++ if (nft_dump_register(skb, NFTA_DUP_SREG_ADDR, priv->sreg_addr)) ++ goto nla_put_failure; ++ if (priv->sreg_dev && + nft_dump_register(skb, NFTA_DUP_SREG_DEV, priv->sreg_dev)) + goto nla_put_failure; + diff --git a/queue-4.4/netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch b/queue-4.4/netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch new file mode 100644 index 00000000000..365b8c2fc3f --- /dev/null +++ b/queue-4.4/netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch 
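Review bot: In queue-4.4/netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch, `priv->sreg_dev` equal to 0 now means "NFTA_DUP_SREG_DEV was not given" in nft_dup_ipv4_eval(), nft_dup_ipv6_eval() and both dump functions, but no comment states that convention. It is only sound if the private area starts zeroed and register 0 can never be a valid source register for this attribute; both are presumably guaranteed by the init path, which is outside these hunks, and should be confirmed. A comment at the first use would document it, for example `/* sreg_dev == 0: NFTA_DUP_SREG_DEV absent, oif is passed as -1 */`.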
@@ -0,0 +1,52 @@ +From bb6a6e8e091353770074608c1d1bfde0e20b8154 Mon Sep 17 00:00:00 2001 +From: Liping Zhang +Date: Sat, 22 Oct 2016 18:51:24 +0800 +Subject: netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled + +From: Liping Zhang + +commit bb6a6e8e091353770074608c1d1bfde0e20b8154 upstream. + +When CONFIG_NFT_SET_HASH is not enabled and I input the following rule: +"nft add rule filter output flow table test {ip daddr counter }", kernel +panic happened on my system: + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [< (null)>] (null) + [...] + Call Trace: + [] ? nft_dynset_eval+0x56/0x100 [nf_tables] + [] nft_do_chain+0xfb/0x4e0 [nf_tables] + [] ? nf_conntrack_tuple_taken+0x61/0x210 [nf_conntrack] + [] ? get_unique_tuple+0x136/0x560 [nf_nat] + [] ? __nf_ct_ext_add_length+0x111/0x130 [nf_conntrack] + [] ? nf_nat_setup_info+0x87/0x3b0 [nf_nat] + [] ? ipt_do_table+0x327/0x610 + [] ? __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat] + [] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4] + [] nf_iterate+0x55/0x60 + [] nf_hook_slow+0x73/0xd0 + +Because in rbtree type set, ops->update is not implemented. So just keep +it simple, in such case, report -EOPNOTSUPP to the user space. + +Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_dynset.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -121,6 +121,9 @@ static int nft_dynset_init(const struct + return PTR_ERR(set); + } + ++ if (set->ops->update == NULL) ++ return -EOPNOTSUPP; ++ + if (set->flags & NFT_SET_CONSTANT) + return -EBUSY; + diff --git a/queue-4.4/pinctrl-bcm2835-fix-memory-leak-in-error-path.patch b/queue-4.4/pinctrl-bcm2835-fix-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..f70017b312e --- /dev/null 
+++ b/queue-4.4/pinctrl-bcm2835-fix-memory-leak-in-error-path.patch @@ -0,0 +1,34 @@ +From 53653c6b91750debba6dc4503003c851257fd340 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Mon, 21 Dec 2015 00:44:04 +0000 +Subject: pinctrl: bcm2835: Fix memory leak in error path + +From: Stefan Wahren + +commit 53653c6b91750debba6dc4503003c851257fd340 upstream. + +In case of an invalid pin value bcm2835_pctl_dt_node_to_map() +would leak the pull configs of already assigned pins. +So avoid this by calling the free map function in error case. + +Signed-off-by: Stefan Wahren +Fixes: e1b2dc70cd5b ("pinctrl: add bcm2835 driver") +Reviewed-by: Eric Anholt +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/bcm/pinctrl-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c ++++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c +@@ -795,7 +795,7 @@ static int bcm2835_pctl_dt_node_to_map(s + return 0; + + out: +- kfree(maps); ++ bcm2835_pctl_dt_free_map(pctldev, maps, num_pins * maps_per_pin); + return err; + } + diff --git a/queue-4.4/series b/queue-4.4/series index e2587c9a272..8e828f4d7f5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
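Review bot: In queue-4.4/pinctrl-bcm2835-fix-memory-leak-in-error-path.patch, the error path of bcm2835_pctl_dt_node_to_map() now hands the full `num_pins * maps_per_pin` array to bcm2835_pctl_dt_free_map(), although only part of it has been filled when the error occurs. That is safe only if `maps` is allocated zeroed and the free function tolerates untouched entries; neither the allocation nor the free function is visible in this hunk, so both should be confirmed on the 4.4 tree. A comment at the `out:` label would record the dependency, for example `/* maps is zero-allocated, so unfilled entries are safe to pass to free_map */`.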
@@ -185,3 +185,31 @@ i40e-fix-an-uninitialized-variable-bug.patch
 qede-uninitialized-variable-in-qede_start_xmit.patch
 qlcnic-potential-null-dereference-in-qlcnic_83xx_get_minidump_template.patch
 qlcnic-use-the-correct-ring-in-qlcnic_83xx_process_rcv_ring_diag.patch
+target-fix-a-memory-leak-in-target_dev_lba_map_store.patch
+memory-tegra-add-number-of-tlb-lines-for-tegra124.patch
+pinctrl-bcm2835-fix-memory-leak-in-error-path.patch
+be2net-don-t-leak-iomapped-memory-on-removal.patch
+ipv4-fix-memory-leak-in-exception-case-for-splitting-tries.patch
+flow_dissector-check-for-ip-fragmentation-even-if-not-using-ipv4-address.patch
+ipv4-fix-checksum-annotation-in-udp4_csum_init.patch
+ipv4-do-not-abuse-gfp_atomic-in-inet_netconf_notify_devconf.patch
+ipv4-accept-u8-in-ip_tos-ancillary-data.patch
+net-vrf-fix-dev-refcnt-leak-due-to-ipv6-prefix-route.patch
+ipv6-fix-checksum-annotation-in-udp6_csum_init.patch
+ipv6-do-not-abuse-gfp_atomic-in-inet6_netconf_notify_devconf.patch
+ipv6-add-missing-netconf-notif-when-all-is-updated.patch
+net-ipv6-fix-processing-of-ras-in-presence-of-vrf.patch
+netfilter-nf_tables-fix-a-wrong-check-to-skip-the-inactive-rules.patch
+netfilter-nft_dynset-fix-panic-if-nft_set_hash-is-not-enabled.patch
+netfilter-nf_tables-destroy-the-set-if-fail-to-add-transaction.patch
+netfilter-nft_dup-do-not-use-sreg_dev-if-the-user-doesn-t-specify-it.patch
+udp-restore-udplite-many-cast-delivery.patch
+clk-st-avoid-uninitialized-variable-use.patch
+clk-gpio-handle-error-codes-for-of_clk_get_parent_count.patch
+clk-ti-omap3-dpll-use-non-locking-version-of-clk_get_rate.patch
+clk-multiplier-prevent-the-multiplier-from-under-over-flowing.patch
+clk-imx-clk-pllv3-fix-incorrect-handle-of-enet-powerdown-bit.patch
+clk-xgene-don-t-call-__pa-on-ioremaped-address.patch
+cls_bpf-reset-class-and-reuse-major-in-da.patch
+arm64-bpf-jit-jmp_jset_-x-k.patch
+bpf-trace-check-event-type-in-bpf_perf_event_read.patch
diff --git a/queue-4.4/target-fix-a-memory-leak-in-target_dev_lba_map_store.patch b/queue-4.4/target-fix-a-memory-leak-in-target_dev_lba_map_store.patch
new file mode 100644
index 00000000000..52283ce4607
--- /dev/null
+++ b/queue-4.4/target-fix-a-memory-leak-in-target_dev_lba_map_store.patch
@@ -0,0 +1,53 @@
+From f0a8afecb29ad0005e7e946228a0ef5422058b85 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 5 Jan 2016 14:47:17 +0100
+Subject: target: Fix a memory leak in target_dev_lba_map_store()
+
+From: Bart Van Assche
+
+commit f0a8afecb29ad0005e7e946228a0ef5422058b85 upstream.
+
+strsep() modifies its first argument. Make the pointer passed to kfree()
+match the return value of kmalloc().
+
+Fixes: 229d4f112fd6 (commit "target_core_alua: Referrals configfs integration")
+Signed-off-by: Bart Van Assche
+Cc: Hannes Reinecke
+Cc: Christoph Hellwig
+Cc: Andy Grover
+Cc: Sagi Grimberg
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_configfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -1980,14 +1980,14 @@ static ssize_t target_dev_lba_map_store(
+ struct se_device *dev = to_device(item);
+ struct t10_alua_lba_map *lba_map = NULL;
+ struct list_head lba_list;
+- char *map_entries, *ptr;
++ char *map_entries, *orig, *ptr;
+ char state;
+ int pg_num = -1, pg;
+ int ret = 0, num = 0, pg_id, alua_state;
+ unsigned long start_lba = -1, end_lba = -1;
+ unsigned long segment_size = -1, segment_mult = -1;
+
+- map_entries = kstrdup(page, GFP_KERNEL);
++ orig = map_entries = kstrdup(page, GFP_KERNEL);
+ if (!map_entries)
+ return -ENOMEM;
+
+@@ -2085,7 +2085,7 @@ out:
+ } else
+ core_alua_set_lba_map(dev, &lba_list,
+ segment_size, segment_mult);
+- kfree(map_entries);
++ kfree(orig);
+ return count;
+ }
+
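Review bot: `orig = map_entries = kstrdup(page, GFP_KERNEL);` is a chained assignment, which kernel coding style discourages, and nothing at the declaration says why two pointers to the same buffer exist. I would split it into `map_entries = kstrdup(page, GFP_KERNEL);` and, after the NULL check, `orig = map_entries; /* strsep() advances map_entries; free via orig */`. The two inner hunks cover only the top and the tail of target_dev_lba_map_store(), so any other exit that frees `map_entries` directly would not be visible here.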
diff --git a/queue-4.4/udp-restore-udplite-many-cast-delivery.patch b/queue-4.4/udp-restore-udplite-many-cast-delivery.patch
new file mode 100644
index 00000000000..2520bbc7531
--- /dev/null
+++ b/queue-4.4/udp-restore-udplite-many-cast-delivery.patch
@@ -0,0 +1,55 @@
+From 73e2d5e34b6cdd1080038daf3d6d6d744a9eefe6 Mon Sep 17 00:00:00 2001
+From: Pablo Neira
+Date: Mon, 14 Nov 2016 23:40:30 +0100
+Subject: udp: restore UDPlite many-cast delivery
+
+From: Pablo Neira
+
+commit 73e2d5e34b6cdd1080038daf3d6d6d744a9eefe6 upstream.
+
+Honor udptable parameter that is passed to __udp*_lib_mcast_deliver(),
+otherwise udplite broadcast/multicast use the wrong table and it breaks.
+
+Fixes: 2dc41cff7545 ("udp: Use hash2 for long hash1 chains in __udp*_lib_mcast_deliver.")
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/udp.c | 6 +++---
+ net/ipv6/udp.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1685,10 +1685,10 @@ static int __udp4_lib_mcast_deliver(stru
+
+ if (use_hash2) {
+ hash2_any = udp4_portaddr_hash(net, htonl(INADDR_ANY), hnum) &
+- udp_table.mask;
+- hash2 = udp4_portaddr_hash(net, daddr, hnum) & udp_table.mask;
++ udptable->mask;
++ hash2 = udp4_portaddr_hash(net, daddr, hnum) & udptable->mask;
+ start_lookup:
+- hslot = &udp_table.hash2[hash2];
++ hslot = &udptable->hash2[hash2];
+ offset = offsetof(typeof(*sk), __sk_common.skc_portaddr_node);
+ }
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -801,10 +801,10 @@ static int __udp6_lib_mcast_deliver(stru
+
+ if (use_hash2) {
+ hash2_any = udp6_portaddr_hash(net, &in6addr_any, hnum) &
+- udp_table.mask;
+- hash2 = udp6_portaddr_hash(net, daddr, hnum) & udp_table.mask;
++ udptable->mask;
++ hash2 = udp6_portaddr_hash(net, daddr, hnum) & udptable->mask;
+ start_lookup:
+- hslot = &udp_table.hash2[hash2];
++ hslot = &udptable->hash2[hash2];
+ offset = offsetof(typeof(*sk), __sk_common.skc_portaddr_node);
+ }
+
-- 2.47.3
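Review bot: Both multicast-delivery functions now take the mask and the hash2 slot from the `udptable` argument, but nothing in the code says why the global `udp_table` must not be used here. A one-line comment above `if (use_hash2)`, e.g. `/* use the caller's table: UDP-Lite lookups must not hit udp_table */`, would keep the regression named in the commit message from coming back; the same applies to the ipv6 copy. Both function bodies start and end outside the inner hunks, so remaining direct references to `udp_table` elsewhere in them cannot be ruled out from this view.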