3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Aug 2013 00:17:41 +0000 (17:17 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Aug 2013 00:17:41 +0000 (17:17 -0700)
added patches:
af_key-more-info-leaks-in-pfkey-messages.patch
arcnet-cleanup-sizeof-parameter.patch
ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch
net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch
net_sched-info-leak-in-atm_tc_dump_class.patch
sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch
sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch
usbnet-do-not-pretend-to-support-sg-tso.patch

queue-3.0/af_key-more-info-leaks-in-pfkey-messages.patch [new file with mode: 0644]
queue-3.0/arcnet-cleanup-sizeof-parameter.patch [new file with mode: 0644]
queue-3.0/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch [new file with mode: 0644]
queue-3.0/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch [new file with mode: 0644]
queue-3.0/net_sched-info-leak-in-atm_tc_dump_class.patch [new file with mode: 0644]
queue-3.0/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch [new file with mode: 0644]
queue-3.0/series
queue-3.0/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch [new file with mode: 0644]
queue-3.0/usbnet-do-not-pretend-to-support-sg-tso.patch [new file with mode: 0644]

diff --git a/queue-3.0/af_key-more-info-leaks-in-pfkey-messages.patch b/queue-3.0/af_key-more-info-leaks-in-pfkey-messages.patch
new file mode 100644 (file)
index 0000000..c5a782a
--- /dev/null
@@ -0,0 +1,50 @@
+From 0f569a3222e05564f0f9b0b986d39eb1ad513f6a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun, 28 Jul 2013 23:04:45 +0300
+Subject: af_key: more info leaks in pfkey messages
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ff862a4668dd6dba962b1d2d8bd344afa6375683 ]
+
+This is inspired by a5cc68f3d6 "af_key: fix info leaks in notify
+messages".  There are some struct members which don't get initialized
+and could disclose small amounts of private information.
+
+Acked-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2073,6 +2073,7 @@ static int pfkey_xfrm_policy2msg(struct
+                       pol->sadb_x_policy_type = IPSEC_POLICY_NONE;
+       }
+       pol->sadb_x_policy_dir = dir+1;
++      pol->sadb_x_policy_reserved = 0;
+       pol->sadb_x_policy_id = xp->index;
+       pol->sadb_x_policy_priority = xp->priority;
+@@ -3108,7 +3109,9 @@ static int pfkey_send_acquire(struct xfr
+       pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+       pol->sadb_x_policy_dir = dir+1;
++      pol->sadb_x_policy_reserved = 0;
+       pol->sadb_x_policy_id = xp->index;
++      pol->sadb_x_policy_priority = xp->priority;
+       /* Set sadb_comb's. */
+       if (x->id.proto == IPPROTO_AH)
+@@ -3496,6 +3499,7 @@ static int pfkey_send_migrate(const stru
+       pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+       pol->sadb_x_policy_dir = dir + 1;
++      pol->sadb_x_policy_reserved = 0;
+       pol->sadb_x_policy_id = 0;
+       pol->sadb_x_policy_priority = 0;
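Review bot: Clearing `sadb_x_policy_reserved` by hand at each of the three sites (pfkey_xfrm_policy2msg, pfkey_send_acquire, pfkey_send_migrate) leaves the same gap open for any other builder of a `struct sadb_x_policy` and for any field added to the struct later. Zeroing the extension once, right after it is reserved in the skb, with `memset(pol, 0, sizeof(*pol));` would cover reserved fields and padding without relying on per-field assignments. The point where `pol` is obtained is outside all three hunks, so whether that fits each function has to be checked against the full file.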
diff --git a/queue-3.0/arcnet-cleanup-sizeof-parameter.patch b/queue-3.0/arcnet-cleanup-sizeof-parameter.patch
new file mode 100644 (file)
index 0000000..1cf4514
--- /dev/null
@@ -0,0 +1,31 @@
+From f9f56454299c8930e08e1a3e62cc190baf8122e9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 19 Jul 2013 08:48:05 +0300
+Subject: arcnet: cleanup sizeof parameter
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 087d273caf4f7d3f2159256f255f1f432bc84a5b ]
+
+This patch doesn't change the compiled code because ARC_HDR_SIZE is 4
+and sizeof(int) is 4, but the intent was to use the header size and not
+the sizeof the header size.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/arcnet/arcnet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/arcnet/arcnet.c
++++ b/drivers/net/arcnet/arcnet.c
+@@ -1007,7 +1007,7 @@ static void arcnet_rx(struct net_device
+       soft = &pkt.soft.rfc1201;
+-      lp->hw.copy_from_card(dev, bufnum, 0, &pkt, sizeof(ARC_HDR_SIZE));
++      lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE);
+       if (pkt.hard.offset[0]) {
+               ofs = pkt.hard.offset[0];
+               length = 256 - ofs;
diff --git a/queue-3.0/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch b/queue-3.0/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch
new file mode 100644 (file)
index 0000000..c3408b0
--- /dev/null
@@ -0,0 +1,94 @@
+From e64c9334d041eefa0040238bca38073c163f9329 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 22 Jul 2013 23:45:53 +0200
+Subject: ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]
+
+Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
+which leads to a panic (from Srivatsa S. Bhat):
+
+BUG: unable to handle kernel paging request at ffff882018552020
+IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
+PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
+Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
+Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
++ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
+CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
+Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
+Workqueue: netns cleanup_net
+task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
+RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
+RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
+RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
+RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
+RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
+R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
+R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
+Stack:
+ ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
+ ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
+ ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
+Call Trace:
+ [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
+ [<ffffffff815bdecb>] inet_release+0xfb/0x220
+ [<ffffffff815bddf2>] ? inet_release+0x22/0x220
+ [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
+ [<ffffffff8151c1d9>] sock_release+0x29/0xa0
+ [<ffffffff81525520>] sk_release_kernel+0x30/0x70
+ [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
+ [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
+ [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
+ [<ffffffff81075e3a>] process_one_work+0x1da/0x610
+ [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
+ [<ffffffff81076390>] worker_thread+0x120/0x3a0
+ [<ffffffff81076270>] ? process_one_work+0x610/0x610
+ [<ffffffff8107da2e>] kthread+0xee/0x100
+ [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
+ [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
+ [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
+Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
+RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
+ RSP <ffff881039367bd8>
+CR2: ffff882018552020
+
+Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
+Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(
+ {
+       struct mr6_table *mrt, *next;
++      rtnl_lock();
+       list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
+               list_del(&mrt->list);
+               ip6mr_free_table(mrt);
+       }
++      rtnl_unlock();
+       fib_rules_unregister(net->ipv6.mr6_rules_ops);
+ }
+ #else
+@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(s
+ static void __net_exit ip6mr_rules_exit(struct net *net)
+ {
++      rtnl_lock();
+       ip6mr_free_table(net->ipv6.mrt6);
++      net->ipv6.mrt6 = NULL;
++      rtnl_unlock();
+ }
+ #endif
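Review bot: `net->ipv6.mrt6 = NULL;` in the second ip6mr_rules_exit() only prevents the use-after-free from the oops if every later reader of `net->ipv6.mrt6` tests for NULL, and none of those readers is visible in these hunks. For the 3.0 backport it is worth confirming that ip6mr_sk_done(), the faulting function in the trace, does so in this tree. In the multi-table variant `fib_rules_unregister()` stays outside the rtnl section, which may be deliberate but is not explained. A short comment at the lock, something like `/* sockets released later in netns cleanup still look the table up under rtnl */`, would record why the lock is taken here.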
diff --git a/queue-3.0/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch b/queue-3.0/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch
new file mode 100644 (file)
index 0000000..2e4c1e7
--- /dev/null
@@ -0,0 +1,31 @@
+From af843ef1c6af2a1b384e3e8f0a0468dd28525108 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 30 Jul 2013 00:16:21 -0700
+Subject: net_sched: Fix stack info leak in cbq_dump_wrr().
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit a0db856a95a29efb1c23db55c02d9f0ff4f0db48 ]
+
+Make sure the reserved fields, and padding (if any), are
+fully initialized.
+
+Based upon a patch by Dan Carpenter and feedback from
+Joe Perches.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cbq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_cbq.c
++++ b/net/sched/sch_cbq.c
+@@ -1467,6 +1467,7 @@ static int cbq_dump_wrr(struct sk_buff *
+       unsigned char *b = skb_tail_pointer(skb);
+       struct tc_cbq_wrropt opt;
++      memset(&opt, 0, sizeof(opt));
+       opt.flags = 0;
+       opt.allot = cl->allot;
+       opt.priority = cl->priority + 1;
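Review bot: `opt.flags = 0;` directly after the added `memset(&opt, 0, sizeof(opt));` is now a redundant store and can be dropped. Nothing at the memset says that it is there for the reserved fields and padding, so a later cleanup could well remove the memset instead. A one-line comment such as `/* zero reserved fields and padding before the struct is dumped */` would keep the intent visible. The rest of cbq_dump_wrr(), including where `opt` is emitted, lies outside the hunk.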
diff --git a/queue-3.0/net_sched-info-leak-in-atm_tc_dump_class.patch b/queue-3.0/net_sched-info-leak-in-atm_tc_dump_class.patch
new file mode 100644 (file)
index 0000000..0fe31ce
--- /dev/null
@@ -0,0 +1,29 @@
+From 204409c04d7a167c6b72d8ff2ca610d8cc324a36 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 30 Jul 2013 13:23:39 +0300
+Subject: net_sched: info leak in atm_tc_dump_class()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8cb3b9c3642c0263d48f31d525bcee7170eedc20 ]
+
+The "pvc" struct has a hole after pvc.sap_family which is not cleared.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_atm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_atm.c
++++ b/net/sched/sch_atm.c
+@@ -605,6 +605,7 @@ static int atm_tc_dump_class(struct Qdis
+               struct sockaddr_atmpvc pvc;
+               int state;
++              memset(&pvc, 0, sizeof(pvc));
+               pvc.sap_family = AF_ATMPVC;
+               pvc.sap_addr.itf = flow->vcc->dev ? flow->vcc->dev->number : -1;
+               pvc.sap_addr.vpi = flow->vcc->vpi;
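Review bot: Nothing at the added `memset(&pvc, 0, sizeof(pvc));` says that it exists to clear the hole after `pvc.sap_family`, so it reads like a redundant store ahead of the field assignments and is an easy target for later cleanup. A designated initializer would not be an equivalent replacement, because C does not guarantee that padding bytes are zeroed by one. Suggest `/* clears the padding hole too; do not replace with an initializer */` above the memset. The code that hands `pvc` out is below the hunk, so the leak path itself cannot be confirmed from here.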
diff --git a/queue-3.0/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch b/queue-3.0/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch
new file mode 100644 (file)
index 0000000..1a00b6e
--- /dev/null
@@ -0,0 +1,58 @@
+From 1e4595f2e85b0d10644340b96ee328d46a292a5e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Wed, 12 Jun 2013 14:26:44 -0400
+Subject: sctp: fully initialize sctp_outq in sctp_outq_init
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit c5c7774d7eb4397891edca9ebdf750ba90977a69 ]
+
+In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
+(refactor sctp_outq_teardown to insure proper re-initalization)
+we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
+outq structure.  Steve West recently asked me why I removed the q->error = 0
+initalization from sctp_outq_teardown.  I did so because I was operating under
+the impression that sctp_outq_init would properly initalize that value for us,
+but it doesn't.  sctp_outq_init operates under the assumption that the outq
+struct is all 0's (as it is when called from sctp_association_init), but using
+it in __sctp_outq_teardown violates that assumption. We should do a memset in
+sctp_outq_init to ensure that the entire structure is in a known state there
+instead.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
+CC: Vlad Yasevich <vyasevich@gmail.com>
+CC: netdev@vger.kernel.org
+CC: davem@davemloft.net
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/outqueue.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -205,6 +205,8 @@ static inline int sctp_cacc_skip(struct
+  */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++      memset(q, 0, sizeof(struct sctp_outq));
++
+       q->asoc = asoc;
+       INIT_LIST_HEAD(&q->out_chunk_list);
+       INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -212,13 +214,7 @@ void sctp_outq_init(struct sctp_associat
+       INIT_LIST_HEAD(&q->sacked);
+       INIT_LIST_HEAD(&q->abandoned);
+-      q->fast_rtx = 0;
+-      q->outstanding_bytes = 0;
+       q->empty = 1;
+-      q->cork  = 0;
+-
+-      q->malloced = 0;
+-      q->out_qlen = 0;
+ }
+ /* Free the outqueue structure and any related pending chunks.
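Review bot: The added `memset(q, 0, sizeof(struct sctp_outq));` spells out the type; `memset(q, 0, sizeof(*q));` stays correct if the parameter's type ever changes and is the usual kernel form. Because the function now wipes the whole structure, any field a caller set before calling sctp_outq_init() is lost, not only the ones the removed assignments covered. The comment block above the function (it ends just before the hunk) should say so, for example `Zeroes *q first; callers must set any non-default fields after this call.` Callers that set `q->malloced` are not visible here and should be checked for ordering.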
index b9b2c3ba3b7d04bebaa79ae016b091d771fdda81..e44a0aeab5e496259f3152014a8314f7253c34c2 100644 (file)
@@ -12,3 +12,11 @@ maintainers-fix-up-stable_kernel_rules.txt-location.patch
 perf-fix-event-group-context-move.patch
 x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch
 perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch
+arcnet-cleanup-sizeof-parameter.patch
+sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch
+sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch
+ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch
+usbnet-do-not-pretend-to-support-sg-tso.patch
+net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch
+af_key-more-info-leaks-in-pfkey-messages.patch
+net_sched-info-leak-in-atm_tc_dump_class.patch
diff --git a/queue-3.0/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch b/queue-3.0/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch
new file mode 100644 (file)
index 0000000..96bdc63
--- /dev/null
@@ -0,0 +1,41 @@
+From eec2e0e28f1ce5260aa4e94ecf6ef4d8b53a5580 Mon Sep 17 00:00:00 2001
+From: Michal Tesar <mtesar@redhat.com>
+Date: Fri, 19 Jul 2013 14:09:01 +0200
+Subject: sysctl net: Keep tcp_syn_retries inside the boundary
+
+From: Michal Tesar <mtesar@redhat.com>
+
+[ Upstream commit 651e92716aaae60fc41b9652f54cb6803896e0da ]
+
+Limit the min/max value passed to the
+/proc/sys/net/ipv4/tcp_syn_retries.
+
+Signed-off-by: Michal Tesar <mtesar@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/sysctl_net_ipv4.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -32,6 +32,8 @@ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
+ static int ip_ttl_min = 1;
+ static int ip_ttl_max = 255;
++static int tcp_syn_retries_min = 1;
++static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
+ static int ip_ping_group_range_min[] = { 0, 0 };
+ static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
+@@ -231,7 +233,9 @@ static struct ctl_table ipv4_table[] = {
+               .data           = &sysctl_tcp_syn_retries,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+-              .proc_handler   = proc_dointvec
++              .proc_handler   = proc_dointvec_minmax,
++              .extra1         = &tcp_syn_retries_min,
++              .extra2         = &tcp_syn_retries_max
+       },
+       {
+               .procname       = "tcp_synack_retries",
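Review bot: `tcp_syn_retries_min = 1` makes a write of 0 to tcp_syn_retries fail, where `proc_dointvec` accepted it, and nothing in the patch documents that change for administrators or scripts that set 0. The accepted range (1 to MAX_TCP_SYNCNT) should be stated in the sysctl documentation and in a comment beside the two new statics, e.g. `/* 0 is rejected: at least one SYN retransmit is always allowed */` if that is the intent. The `tcp_synack_retries` entry that starts at the end of the hunk is cut off; if it still uses `proc_dointvec`, it has the same unbounded-write problem.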
diff --git a/queue-3.0/usbnet-do-not-pretend-to-support-sg-tso.patch b/queue-3.0/usbnet-do-not-pretend-to-support-sg-tso.patch
new file mode 100644 (file)
index 0000000..5eda4b1
--- /dev/null
@@ -0,0 +1,70 @@
+From e35133012d98f6c17e977ba7bf212e3ec3df6e8b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 23 Jul 2013 17:15:54 -0700
+Subject: usbnet: do not pretend to support SG/TSO
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 20f0170377264e8449b6987041f0bcc4d746d3ed ]
+
+usbnet doesn't support yet SG, so drivers should not advertise SG or TSO
+capabilities, as they allow TCP stack to build large TSO packets that
+need to be linearized and might use order-5 pages.
+
+This adds an extra copy overhead and possible allocation failures.
+
+Current code ignore skb_linearize() return code so crashes are even
+possible.
+
+Best is to not pretend SG/TSO is supported, and add this again when/if
+usbnet really supports SG for devices who could get a performance gain.
+
+Based on a prior patch from Freddy Xin <freddy@asix.com.tw>
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c |   12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -43,7 +43,6 @@
+ #define EEPROM_MAC_OFFSET             (0x01)
+ #define DEFAULT_TX_CSUM_ENABLE                (true)
+ #define DEFAULT_RX_CSUM_ENABLE                (true)
+-#define DEFAULT_TSO_ENABLE            (true)
+ #define SMSC75XX_INTERNAL_PHY_ID      (1)
+ #define SMSC75XX_TX_OVERHEAD          (8)
+ #define MAX_RX_FIFO_SIZE              (20 * 1024)
+@@ -1034,17 +1033,14 @@ static int smsc75xx_bind(struct usbnet *
+       INIT_WORK(&pdata->set_multicast, smsc75xx_deferred_multicast_write);
+-      if (DEFAULT_TX_CSUM_ENABLE) {
++      if (DEFAULT_TX_CSUM_ENABLE)
+               dev->net->features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM;
+-              if (DEFAULT_TSO_ENABLE)
+-                      dev->net->features |= NETIF_F_SG |
+-                              NETIF_F_TSO | NETIF_F_TSO6;
+-      }
++
+       if (DEFAULT_RX_CSUM_ENABLE)
+               dev->net->features |= NETIF_F_RXCSUM;
+       dev->net->hw_features = NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+-              NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_RXCSUM;
++                              NETIF_F_RXCSUM;
+       /* Init all registers */
+       ret = smsc75xx_reset(dev);
+@@ -1169,8 +1165,6 @@ static struct sk_buff *smsc75xx_tx_fixup
+ {
+       u32 tx_cmd_a, tx_cmd_b;
+-      skb_linearize(skb);
+-
+       if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) {
+               struct sk_buff *skb2 =
+                       skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags);
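Review bot: With `skb_linearize(skb);` removed, smsc75xx_tx_fixup() silently assumes every skb it receives is linear, and that holds only while NETIF_F_SG/TSO stay out of both `features` and `hw_features` in smsc75xx_bind(). Nothing in the function records that dependency, so re-adding the flags later would send fragmented skbs through code that no longer handles them. Suggest a comment at the top of the function, `/* skb is linear: SG/TSO are not advertised in smsc75xx_bind() */`, or a cheap guard such as `WARN_ON_ONCE(skb_is_nonlinear(skb));`. The rest of the function body is outside the hunk.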