commit a2601fcca1caa1645a8bf6c7719ec9e41f590a28 Author: Ben Hutchings Date: Wed Apr 9 02:20:47 2014 +0100 Linux 3.2.57 commit 1664028240024d96721a5328c93ff206661cd9e1 Author: Martin Schwidefsky Date: Mon Feb 3 17:37:15 2014 +0100 s390: fix kernel crash due to linkage stack instructions commit 8d7f6690cedb83456edd41c9bd583783f0703bf0 upstream. The kernel currently crashes with a low-address-protection exception if a user space process executes an instruction that tries to use the linkage stack. Set the base-ASTE origin and the subspace-ASTE origin of the dispatchable-unit-control-table to point to a dummy ASTE. Set up control register 15 to point to an empty linkage stack with no room left. A user space process with a linkage stack instruction will still crash but with a different exception which is correctly translated to a segmentation fault instead of a kernel oops. Signed-off-by: Martin Schwidefsky Signed-off-by: Ben Hutchings commit b1a292f3ccbbfe864cb4931e8fed4baea6b17eb8 Author: Jeff Layton Date: Fri Feb 14 07:20:35 2014 -0500 cifs: ensure that uncached writes handle unmapped areas correctly commit 5d81de8e8667da7135d3a32a964087c0faf5483f upstream. It's possible for userland to pass down an iovec via writev() that has a bogus user pointer in it. If that happens and we're doing an uncached write, then we can end up getting less bytes than we expect from the call to iov_iter_copy_from_user. This is CVE-2014-0069 cifs_iovec_write isn't set up to handle that situation however. It'll blindly keep chugging through the page array and not filling those pages with anything useful. Worse yet, we'll later end up with a negative number in wdata->tailsz, which will confuse the sending routines and cause an oops at the very least. Fix this by having the copy phase of cifs_iovec_write stop copying data in this situation and send the last write as a short one. At the same time, we want to avoid sending a zero-length write to the server, so break out of the loop and set rc to -EFAULT if that happens. This also allows us to handle the case where no address in the iovec is valid. [Note: Marking this for stable on v3.4+ kernels, but kernels as old as v2.6.38 may have a similar problem and may need similar fix] Reviewed-by: Pavel Shilovsky Reported-by: Al Viro Signed-off-by: Jeff Layton Signed-off-by: Steve French [bwh: Backported to 3.2: - Adjust context - s/nr_pages/npages/ - s/wdata->pages/pages/ - In case of an error with no data copied, we must kunmap() page 0, but in neither case should we free anything else] Thanks to Raphael Geissert for an independent backport that showed some bugs in my first version.] Signed-off-by: Ben Hutchings commit f5652b31f13ab198ed6802349d6b472e222596c2 Author: Marcelo Tosatti Date: Fri Jan 3 17:00:51 2014 -0200 KVM: VMX: fix use after free of vmx->loaded_vmcs commit 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 upstream. After free_loaded_vmcs executes, the "loaded_vmcs" structure is kfreed, and now vmx->loaded_vmcs points to a kfreed area. Subsequent free_loaded_vmcs then attempts to manipulate vmx->loaded_vmcs. Switch the order to avoid the problem. https://bugzilla.redhat.com/show_bug.cgi?id=1047892 Reviewed-by: Jan Kiszka Signed-off-by: Marcelo Tosatti Signed-off-by: Ben Hutchings commit 738638c53d523683bc4b761be9a58da843f26a10 Author: Marcelo Tosatti Date: Thu Dec 19 15:28:51 2013 -0200 KVM: MMU: handle invalid root_hpa at __direct_map commit 989c6b34f6a9480e397b170cc62237e89bf4fdb9 upstream. It is possible for __direct_map to be called on invalid root_hpa (-1), two examples: 1) try_async_pf -> can_do_async_pf -> vmx_interrupt_allowed -> nested_vmx_vmexit 2) vmx_handle_exit -> vmx_interrupt_allowed -> nested_vmx_vmexit Then to load_vmcs12_host_state and kvm_mmu_reset_context. Check for this possibility, let fault exception be regenerated. BZ: https://bugzilla.redhat.com/show_bug.cgi?id=924916 Signed-off-by: Marcelo Tosatti Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings commit 615139289271610f38aa0b23f36583cee9afc7e5 Author: Emil Goode Date: Thu Feb 13 19:30:39 2014 +0100 net: asix: add missing flag to struct driver_info commit d43ff4cd798911736fb39025ec8004284b1b0bc2 upstream. The struct driver_info ax88178_info is assigned the function asix_rx_fixup_common as it's rx_fixup callback. This means that FLAG_MULTI_PACKET must be set as this function is cloning the data and calling usbnet_skb_return. Not setting this flag leads to usbnet_skb_return beeing called a second time from within the rx_process function in the usbnet module. Signed-off-by: Emil Goode Reported-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit bbc321cec0e7dee2b06c86026b73c1562dc32c39 Author: Emil Goode Date: Mon Mar 31 17:41:32 2014 +0200 net: asix: handle packets crossing URB boundaries commit 8b5b6f5413e97c3e8bafcdd67553d508f4f698cd upstream. ASIX AX88772B started to pack data even more tightly. Packets and the ASIX packet header may now cross URB boundaries. To handle this we have to introduce some state between individual calls to asix_rx_fixup(). Signed-off-by: Lucas Stach Signed-off-by: David S. Miller [ Emil: backported to 3.2: - dropped changes to drivers/net/usb/ax88172a.c - Introduced some static function declarations as the functions are not used outside of asix.c (sparse is complaining about it) ] Signed-off-by: Emil Goode Signed-off-by: Ben Hutchings commit a94c450fea945252e3beebacacd5d3b913f38f4b Author: Eric Dumazet Date: Wed Mar 14 20:18:32 2012 +0000 asix: asix_rx_fixup surgery to reduce skb truesizes commit a9e0aca4b37885b5599e52211f098bd7f565e749 upstream. asix_rx_fixup() is complex, and does some unnecessary memory copies (at least on x86 where NET_IP_ALIGN is 0) Also, it tends to provide skbs with a big truesize (4096+256 with MTU=1500) to upper stack, so incoming trafic consume a lot of memory and I noticed early packet drops because we hit socket rcvbuf too fast. Switch to a different strategy, using copybreak so that we provide nice skbs to upper stack (including the NET_SKB_PAD to avoid future head reallocations in some paths) With this patch, I no longer see packets drops or tcp collapses on various tcp workload with a AX88772 adapter. Signed-off-by: Eric Dumazet Cc: Aurelien Jacobs Cc: Greg Kroah-Hartman Cc: Trond Wuellner Cc: Grant Grundler Cc: Paul Stewart Reviewed-by: Grant Grundler Reviewed-by: Grant Grundler Signed-off-by: David S. Miller [ Emil: Backported to 3.2: fixed small conflict ] Signed-off-by: Emil Goode Signed-off-by: Ben Hutchings commit 9be2956736261b04b270bcd9746b80c872ef4934 Author: Ben Hutchings Date: Thu Dec 5 14:37:35 2013 +0000 deb-pkg: Fix cross-building linux-headers package commit f8ce239dfc7ba9add41d9ecdc5e7810738f839fa upstream. builddeb generates a control file that says the linux-headers package can only be built for the build system primary architecture. This breaks cross-building configurations. We should use $debarch for this instead. Since $debarch is not yet set when generating the control file, set Architecture: any and use control file variables to fill in the description. Fixes: cd8d60a20a45 ('kbuild: create linux-headers package in deb-pkg') Reported-and-tested-by: "Niew, Sh." Signed-off-by: Ben Hutchings Signed-off-by: Michal Marek commit 448a779f01583c6fda27d4229641615fdedfb4c5 Author: Ben Hutchings Date: Thu Dec 5 14:39:11 2013 +0000 deb-pkg: Fix building for MIPS big-endian or ARM OABI commit c5e318f67eebbad491615a752c51dbfde7dc3d78 upstream. These commands will mysteriously fail: $ make ARCH=arm versatile_defconfig [...] $ make ARCH=arm deb-pkg [...] make[1]: *** [deb-pkg] Error 1 make: *** [deb-pkg] Error 2 The Debian architecture selection for these kernel architectures does 'grep FOO=y $KCONFIG_CONFIG && echo bar', and after 'set -e' this aborts the script if grep does not find the given config symbol. Fixes: 10f26fa64200 ('build, deb-pkg: select userland architecture based on UTS_MACHINE') Signed-off-by: Ben Hutchings Signed-off-by: Michal Marek commit c0319b50b55b63163cc2cf73eb31861ea754c6c3 Author: Anisse Astier Date: Wed Jul 3 16:02:03 2013 +0200 deb-pkg: use KCONFIG_CONFIG instead of .config file directly commit d20917670ee1fd4b090555e551faea04b014ca97 upstream. Signed-off-by: Anisse Astier Reviewed-by: Ben Hutchings Signed-off-by: Michal Marek [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit caa5344994778a2b4725b2d75c74430f76925e4a Author: Florian Westphal Date: Sat Feb 22 10:33:26 2014 +0100 net: ip, ipv6: handle gso skbs in forwarding path commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream. [ use zero netdev_feature mask to avoid backport of netif_skb_dev_features function ] Marcelo Ricardo Leitner reported problems when the forwarding link path has a lower mtu than the incoming one if the inbound interface supports GRO. Given: Host R1 R2 Host sends tcp stream which is routed via R1 and R2. R1 performs GRO. In this case, the kernel will fail to send ICMP fragmentation needed messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu checks in forward path. Instead, Linux tries to send out packets exceeding the mtu. When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does not fragment the packets when forwarding, and again tries to send out packets exceeding R1-R2 link mtu. This alters the forwarding dstmtu checks to take the individual gso segment lengths into account. For ipv6, we send out pkt too big error for gso if the individual segments are too big. For ipv4, we either send icmp fragmentation needed, or, if the DF bit is not set, perform software segmentation and let the output path create fragments when the packet is leaving the machine. It is not 100% correct as the error message will contain the headers of the GRO skb instead of the original/segmented one, but it seems to work fine in my (limited) tests. Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid sofware segmentation. However it turns out that skb_segment() assumes skb nr_frags is related to mss size so we would BUG there. I don't want to mess with it considering Herbert and Eric disagree on what the correct behavior should be. Hannes Frederic Sowa notes that when we would shrink gso_size skb_segment would then also need to deal with the case where SKB_MAX_FRAGS would be exceeded. This uses sofware segmentation in the forward path when we hit ipv4 non-DF packets and the outgoing link mtu is too small. Its not perfect, but given the lack of bug reports wrt. GRO fwd being broken this is a rare case anyway. Also its not like this could not be improved later once the dust settles. Acked-by: Herbert Xu Reported-by: Marcelo Ricardo Leitner Signed-off-by: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 003c46c8d69d85b27979b4fa4f2e5169edeadc54 Author: Florian Westphal Date: Sat Feb 22 10:33:25 2014 +0100 net: add and use skb_gso_transport_seglen() commit de960aa9ab4decc3304959f69533eef64d05d8e8 upstream. [ no skb_gso_seglen helper in 3.4, leave tbf alone ] This moves part of Eric Dumazets skb_gso_seglen helper from tbf sched to skbuff core so it may be reused by upcoming ip forwarding path patch. Signed-off-by: Florian Westphal Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 91182754daa6ca26dd2e97ee0b0f6e9e37d33324 Author: Konstantin Khlebnikov Date: Wed Mar 26 14:12:19 2014 +0400 ipc/msg: fix race around refcount In older kernels (before v3.10) ipc_rcu_hdr->refcount was non-atomic int. There was possuble double-free bug: do_msgsnd() calls ipc_rcu_putref() under msq->q_perm->lock and RCU, while freequeue() calls it while it holds only 'rw_mutex', so there is no sinchronization between them. Two function decrements '2' non-atomically, they both can get '0' as result. do_msgsnd() freequeue() msq = msg_lock_check(ns, msqid); ... ipc_rcu_getref(msq); msg_unlock(msq); schedule(); (caller locks spinlock) expunge_all(msq, -EIDRM); ss_wakeup(&msq->q_senders, 1); msg_rmid(ns, msq); msg_unlock(msq); ipc_lock_by_ptr(&msq->q_perm); ipc_rcu_putref(msq); ipc_rcu_putref(msq); < both may get get --(...)->refcount == 0 > This patch locks ipc_lock and RCU around ipc_rcu_putref in freequeue. ( RCU protects memory for spin_unlock() ) Similar bugs might be in other users of ipc_rcu_putref(). In the mainline this has been fixed in v3.10 indirectly in commmit 6062a8dc0517bce23e3c2f7d2fea5e22411269a3 ("ipc,sem: fine grained locking for semtimedop") by Rik van Riel. That commit optimized locking and converted refcount into atomic. I'm not sure that anybody should care about this bug: it's very-very unlikely and no longer exists in actual mainline. I've found this just by looking into the code, probably this never happens in real life. Signed-off-by: Konstantin Khlebnikov Signed-off-by: Ben Hutchings commit 5b866eaa34e4ddc312c927030fde5f6a6184ddc5 Author: Daniel Borkmann Date: Mon Jan 6 00:57:54 2014 +0100 netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages commit b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 upstream. Some occurences in the netfilter tree use skb_header_pointer() in the following way ... struct dccp_hdr _dh, *dh; ... skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); ... where dh itself is a pointer that is being passed as the copy buffer. Instead, we need to use &_dh as the forth argument so that we're copying the data into an actual buffer that sits on the stack. Currently, we probably could overwrite memory on the stack (e.g. with a possibly mal-formed DCCP packet), but unintentionally, as we only want the buffer to be placed into _dh variable. Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") Signed-off-by: Daniel Borkmann Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings commit 630176c5033a4ed19a0fc6608980344657ba69af Author: Theodore Ts'o Date: Sun Mar 30 10:20:01 2014 -0400 ext4: atomically set inode->i_flags in ext4_set_inode_flags() commit 00a1a053ebe5febcfc2ec498bd894f035ad2aa06 upstream. Use cmpxchg() to atomically set i_flags instead of clearing out the S_IMMUTABLE, S_APPEND, etc. flags and then setting them from the EXT4_IMMUTABLE_FL, EXT4_APPEND_FL flags, since this opens up a race where an immutable file has the immutable flag cleared for a brief window of time. Reported-by: John Sullivan Signed-off-by: "Theodore Ts'o" Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit f0a9fdec2b5a1f82a72a845b09a4ff09c4e7e1ea Author: Ben Hutchings Date: Sun Apr 6 13:19:52 2014 +0100 staging: speakup: Prefix set_mask_bits() symbol This is part of commit ca2beaf84d96 ('staging: speakup: Prefix externally-visible symbols') upstream. It is required as preparation for commit 00a1a053ebe5 ('ext4: atomically set inode->i_flags in ext4_set_inode_flags()'). Signed-off-by: Ben Hutchings commit 70e84c82a975fe66d91a9b11459881d488b118ae Author: Hans de Goede Date: Fri Mar 28 01:01:38 2014 -0700 Input: synaptics - add manual min/max quirk for ThinkPad X240 commit 8a0435d958fb36d93b8df610124a0e91e5675c82 upstream. This extends Benjamin Tissoires manual min/max quirk table with support for the ThinkPad X240. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit d4249ff3b36d6560b19ef5b84d96c8d382e85d91 Author: Benjamin Tissoires Date: Fri Mar 28 00:43:00 2014 -0700 Input: synaptics - add manual min/max quirk commit 421e08c41fda1f0c2ff6af81a67b491389b653a5 upstream. The new Lenovo Haswell series (-40's) contains a new Synaptics touchpad. However, these new Synaptics devices report bad axis ranges. Under Windows, it is not a problem because the Windows driver uses RMI4 over SMBus to talk to the device. Under Linux, we are using the PS/2 fallback interface and it occurs the reported ranges are wrong. Of course, it would be too easy to have only one range for the whole series, each touchpad seems to be calibrated in a different way. We can not use SMBus to get the actual range because I suspect the firmware will switch into the SMBus mode and stop talking through PS/2 (this is the case for hybrid HID over I2C / PS/2 Synaptics touchpads). So as a temporary solution (until RMI4 land into upstream), start a new list of quirks with the min/max manually set. Signed-off-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings