commit e9977508d75a36c78c2167800bc9d19d174f7585
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jan 22 20:47:35 2016 -0800

    Linux 3.14.59

commit 2e647bca7a2c885acdcd89da631b8dd5edc9e310
Author: Yevgeny Pats <yevgeny@perception-point.io>
Date:   Tue Jan 19 22:09:04 2016 +0000

    KEYS: Fix keyring ref leak in join_session_keyring()
    
    commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 upstream.
    
    This fixes CVE-2016-0728.
    
    If a thread is asked to join as a session keyring the keyring that's already
    set as its session, we leak a keyring reference.
    
    This can be tested with the following program:
    
    	#include <stddef.h>
    	#include <stdio.h>
    	#include <sys/types.h>
    	#include <keyutils.h>
    
    	int main(int argc, const char *argv[])
    	{
    		int i = 0;
    		key_serial_t serial;
    
    		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    				"leaked-keyring");
    		if (serial < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		if (keyctl(KEYCTL_SETPERM, serial,
    			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		for (i = 0; i < 100; i++) {
    			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    					"leaked-keyring");
    			if (serial < 0) {
    				perror("keyctl");
    				return -1;
    			}
    		}
    
    		return 0;
    	}
    
    If, after the program has run, there something like the following line in
    /proc/keys:
    
    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
    
    with a usage count of 100 * the number of times the program has been run,
    then the kernel is malfunctioning.  If leaked-keyring has zero usages or
    has been garbage collected, then the problem is fixed.
    
    Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Don Zickus <dzickus@redhat.com>
    Acked-by: Prarit Bhargava <prarit@redhat.com>
    Acked-by: Jarod Wilson <jarod@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92264cc9c4636340a492d78f8f2ae3b3424e7fdd
Author: David Howells <dhowells@redhat.com>
Date:   Fri Dec 18 01:34:26 2015 +0000

    KEYS: Fix race between read and revoke
    
    commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream.
    
    This fixes CVE-2015-7550.
    
    There's a race between keyctl_read() and keyctl_revoke().  If the revoke
    happens between keyctl_read() checking the validity of a key and the key's
    semaphore being taken, then the key type read method will see a revoked key.
    
    This causes a problem for the user-defined key type because it assumes in
    its read method that there will always be a payload in a non-revoked key
    and doesn't check for a NULL pointer.
    
    Fix this by making keyctl_read() check the validity of a key after taking
    semaphore instead of before.
    
    I think the bug was introduced with the original keyrings code.
    
    This was discovered by a multithreaded test program generated by syzkaller
    (http://github.com/google/syzkaller).  Here's a cleaned up version:
    
    	#include <sys/types.h>
    	#include <keyutils.h>
    	#include <pthread.h>
    	void *thr0(void *arg)
    	{
    		key_serial_t key = (unsigned long)arg;
    		keyctl_revoke(key);
    		return 0;
    	}
    	void *thr1(void *arg)
    	{
    		key_serial_t key = (unsigned long)arg;
    		char buffer[16];
    		keyctl_read(key, buffer, 16);
    		return 0;
    	}
    	int main()
    	{
    		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
    		pthread_t th[5];
    		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
    		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
    		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
    		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
    		pthread_join(th[0], 0);
    		pthread_join(th[1], 0);
    		pthread_join(th[2], 0);
    		pthread_join(th[3], 0);
    		return 0;
    	}
    
    Build as:
    
    	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
    
    Run as:
    
    	while keyctl-race; do :; done
    
    as it may need several iterations to crash the kernel.  The crash can be
    summarised as:
    
    	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
    	...
    	Call Trace:
    	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
    	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
    	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aad1f1b859a047397ffe0f0044d12408b2df94c9
Author: David Howells <dhowells@redhat.com>
Date:   Thu Oct 15 17:21:37 2015 +0100

    KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
    
    commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 upstream.
    
    The following sequence of commands:
    
        i=`keyctl add user a a @s`
        keyctl request2 keyring foo bar @t
        keyctl unlink $i @s
    
    tries to invoke an upcall to instantiate a keyring if one doesn't already
    exist by that name within the user's keyring set.  However, if the upcall
    fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
    other error code.  When the key is garbage collected, the key destroy
    function is called unconditionally and keyring_destroy() uses list_empty()
    on keyring->type_data.link - which is in a union with reject_error.
    Subsequently, the kernel tries to unlink the keyring from the keyring names
    list - which oopses like this:
    
    	BUG: unable to handle kernel paging request at 00000000ffffff8a
    	IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    	...
    	Workqueue: events key_garbage_collector
    	...
    	RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
    	RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
    	RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
    	RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
    	RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
    	R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
    	R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
    	...
    	CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
    	...
    	Call Trace:
    	 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
    	 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
    	 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
    	 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
    	 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
    	 [<ffffffff810648ad>] kthread+0xf3/0xfb
    	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
    	 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
    	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
    
    Note the value in RAX.  This is a 32-bit representation of -ENOKEY.
    
    The solution is to only call ->destroy() if the key was successfully
    instantiated.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b49c4dd1e05366d168fe7eebbf7a25197d8616e9
Author: David Howells <dhowells@redhat.com>
Date:   Fri Sep 25 16:30:08 2015 +0100

    KEYS: Fix race between key destruction and finding a keyring by name
    
    commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 upstream.
    
    There appears to be a race between:
    
     (1) key_gc_unused_keys() which frees key->security and then calls
         keyring_destroy() to unlink the name from the name list
    
     (2) find_keyring_by_name() which calls key_permission(), thus accessing
         key->security, on a key before checking to see whether the key usage is 0
         (ie. the key is dead and might be cleaned up).
    
    Fix this by calling ->destroy() before cleaning up the core key data -
    including key->security.
    
    Reported-by: Petr Matousek <pmatouse@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d86d08cd91510d2ad1e70cd26d989c6cb5ed6ac
Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date:   Wed Dec 16 20:09:25 2015 +0000

    af_unix: Revert 'lock_interruptible' in stream receive code
    
    [ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ]
    
    With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM
    receive code was changed from using mutex_lock(&u->readlock) to
    mutex_lock_interruptible(&u->readlock) to prevent signals from being
    delayed for an indefinite time if a thread sleeping on the mutex
    happened to be selected for handling the signal. But this was never a
    problem with the stream receive code (as opposed to its datagram
    counterpart) as that never went to sleep waiting for new messages with the
    mutex held and thus, wouldn't cause secondary readers to block on the
    mutex waiting for the sleeping primary reader. As the interruptible
    locking makes the code more complicated in exchange for no benefit,
    change it back to using mutex_lock.
    
    Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f32e7aeb2d4e7b6427dc0ab630b851eed38b6d0a
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Dec 15 15:39:08 2015 -0500

    bluetooth: Validate socket address length in sco_sock_bind().
    
    [ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0b21a04d1ff604297995fe4a21bde8ba7333d42c
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date:   Mon Dec 14 13:48:36 2015 -0800

    pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    
    [ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
    
    Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1b6f95717611bb443d6d77553d97890005d897e6
Author: Vlad Yasevich <vyasevich@gmail.com>
Date:   Mon Dec 14 17:44:10 2015 -0500

    skbuff: Fix offset error in skb_reorder_vlan_header
    
    [ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ]
    
    skb_reorder_vlan_header is called after the vlan header has
    been pulled.  As a result the offset of the begining of
    the mac header has been incrased by 4 bytes (VLAN_HLEN).
    When moving the mac addresses, include this incrase in
    the offset calcualation so that the mac addresses are
    copied correctly.
    
    Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off)
    CC: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    CC: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c57e93f9090f759c23eefa60283955051a4caf26
Author: Vlad Yasevich <vyasevich@gmail.com>
Date:   Mon Nov 16 15:43:44 2015 -0500

    vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    
    [ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ]
    
    When we have multiple stacked vlan devices all of which have
    turned off REORDER_HEADER flag, the untag operation does not
    locate the ethernet addresses correctly for nested vlans.
    The reason is that in case of REORDER_HEADER flag being off,
    the outer vlan headers are put back and the mac_len is adjusted
    to account for the presense of the header.  Then, the subsequent
    untag operation, for the next level vlan, always use VLAN_ETH_HLEN
    to locate the begining of the ethernet header and that ends up
    being a multiple of 4 bytes short of the actuall beginning
    of the mac header (the multiple depending on the how many vlan
    encapsulations ethere are).
    
    As a reslult, if there are multiple levles of vlan devices
    with REODER_HEADER being off, the recevied packets end up
    being dropped.
    
    To solve this, we use skb->mac_len as the offset.  The value
    is always set on receive path and starts out as a ETH_HLEN.
    The value is also updated when the vlan header manupations occur
    so we know it will be correct.
    
    Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 526a0934da10415225cdb8b46939a234a87faa8a
Author: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Date:   Fri Dec 4 01:45:40 2015 +0300

    sh_eth: fix kernel oops in skb_put()
    
    [ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ]
    
    In a low memory situation the following kernel oops occurs:
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000050
    pgd = 8490c000
    [00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000
    Internal error: Oops: 17 [#1] PREEMPT ARM
    Modules linked in:
    CPU: 0    Not tainted  (3.4-at16 #9)
    PC is at skb_put+0x10/0x98
    LR is at sh_eth_poll+0x2c8/0xa10
    pc : [<8035f780>]    lr : [<8028bf50>]    psr: 60000113
    sp : 84eb1a90  ip : 84eb1ac8  fp : 84eb1ac4
    r10: 0000003f  r9 : 000005ea  r8 : 00000000
    r7 : 00000000  r6 : 940453b0  r5 : 00030000  r4 : 9381b180
    r3 : 00000000  r2 : 00000000  r1 : 000005ea  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 4248c059  DAC: 00000015
    Process klogd (pid: 2046, stack limit = 0x84eb02e8)
    [...]
    
    This is  because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left
    NULL but sh_eth_rx() later  uses it without checking.  Add such check...
    
    Reported-by: Yasushi SHOJI <yashi@atmark-techno.com>
    Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49c9b76db37ecfbac70b0841438fbe9d446ceb52
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Dec 14 22:03:39 2015 +0100

    net: add validation for the socket syscall protocol argument
    
    [ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
    
    郭永刚 reported that one could simply crash the kernel as root by
    using a simple program:
    
    	int socket_fd;
    	struct sockaddr_in addr;
    	addr.sin_port = 0;
    	addr.sin_addr.s_addr = INADDR_ANY;
    	addr.sin_family = 10;
    
    	socket_fd = socket(10,3,0x40000000);
    	connect(socket_fd , &addr,16);
    
    AF_INET, AF_INET6 sockets actually only support 8-bit protocol
    identifiers. inet_sock's skc_protocol field thus is sized accordingly,
    thus larger protocol identifiers simply cut off the higher bits and
    store a zero in the protocol fields.
    
    This could lead to e.g. NULL function pointer because as a result of
    the cut off inet_num is zero and we call down to inet_autobind, which
    is NULL for raw sockets.
    
    kernel: Call Trace:
    kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
    kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
    kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
    kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
    kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
    kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
    kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
    
    I found no particular commit which introduced this problem.
    
    CVE: CVE-2015-8543
    Cc: Cong Wang <cwang@twopensource.com>
    Reported-by: 郭永刚 <guoyonggang@360.cn>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 85229251bb79bc6e867b78b7673d035f651015d0
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Dec 9 07:25:06 2015 -0800

    ipv6: sctp: clone options to avoid use after free
    
    [ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ]
    
    SCTP is lacking proper np->opt cloning at accept() time.
    
    TCP and DCCP use ipv6_dup_options() helper, do the same
    in SCTP.
    
    We might later factorize this code in a common helper to avoid
    future mistakes.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 548041a38c62684077b4dc85adec814faac193e7
Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date:   Fri Dec 4 15:14:04 2015 -0200

    sctp: update the netstamp_needed counter when copying sockets
    
    [ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ]
    
    Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy
    related to disabling sock timestamp.
    
    When SCTP accepts an association or peel one off, it copies sock flags
    but forgot to call net_enable_timestamp() if a packet timestamping flag
    was copied, leading to extra calls to net_disable_timestamp() whenever
    such clones were closed.
    
    The fix is to call net_enable_timestamp() whenever we copy a sock with
    that flag on, like tcp does.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f580d5c5de89593d6d3785340979df61c972769d
Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date:   Fri Dec 4 15:14:03 2015 -0200

    sctp: use the same clock as if sock source timestamps were on
    
    [ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ]
    
    SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for
    detecting stale cookies. This cookie is echoed back to the server by the
    client and then that timestamp is checked.
    
    Thing is, if the listening socket is using packet timestamping, the
    cookie is encoded with ktime_get() value and checked against
    ktime_get_real(), as done by __net_timestamp().
    
    The fix is to sctp also use ktime_get_real(), so we can compare bananas
    with bananas later no matter if packet timestamping was enabled or not.
    
    Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime")
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1fc94079ffc2e2ea213b7068385a38f4687bd4fa
Author: Pavel Machek <pavel@ucw.cz>
Date:   Fri Dec 4 09:50:00 2015 +0100

    atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    
    [ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ]
    
    atl1c driver is doing order-4 allocation with GFP_ATOMIC
    priority. That often breaks  networking after resume. Switch to
    GFP_KERNEL. Still not ideal, but should be significantly better.
    
    atl1c_setup_ring_resources() is called from .open() function, and
    already uses GFP_KERNEL, so this change is safe.
    
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b5500a5c883489d49dd6f4e815dc9243a9b189a8
Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date:   Thu Dec 3 17:21:50 2015 +0100

    gre6: allow to update all parameters via rtnl
    
    [ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ]
    
    Parameters were updated only if the kernel was unable to find the tunnel
    with the new parameters, ie only if core pamareters were updated (keys,
    addr, link, type).
    Now it's possible to update ttl, hoplimit, flowinfo and flags.
    
    Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 374d86a376701c72866ed09f335c4f876e8f7466
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed Nov 18 02:01:21 2015 +0000

    usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
    
    commit 5377adb092664d336ac212499961cac5e8728794 upstream.
    
    usb_parse_ss_endpoint_companion() now decodes the burst multiplier
    correctly in order to check that it's <= 3, but still uses the wrong
    expression if warning that it's > 3.
    
    Fixes: ff30cbc8da42 ("usb: Use the USB_SS_MULT() macro to get the ...")
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2fe54e07ae7cf5ef7e7ff223e5f03c8e04ff0063
Author: Alexey Khoroshilov <khoroshilov@ispras.ru>
Date:   Sat Nov 21 00:36:44 2015 +0300

    USB: whci-hcd: add check for dma mapping error
    
    commit f9fa1887dcf26bd346665a6ae3d3f53dec54cba1 upstream.
    
    qset_fill_page_list() do not check for dma mapping errors.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4180d57beb422ce28d563fee25b5fc45bb9c3186
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Dec 10 15:27:21 2015 -0500

    USB: add quirk for devices with broken LPM
    
    commit ad87e03213b552a5c33d5e1e7a19a73768397010 upstream.
    
    Some USB device / host controller combinations seem to have problems
    with Link Power Management.  For example, Steinar found that his xHCI
    controller wouldn't handle bandwidth calculations correctly for two
    video cards simultaneously when LPM was enabled, even though the bus
    had plenty of bandwidth available.
    
    This patch introduces a new quirk flag for devices that should remain
    disabled for LPM, and creates quirk entries for Steinar's devices.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-by: Steinar H. Gunderson <sgunderson@bigfoot.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 367f16c8077c8951d9724fec652f8b218931bd61
Author: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
Date:   Tue Nov 10 16:40:13 2015 -0600

    USB: cp210x: Remove CP2110 ID from compatibility list
    
    commit 7c90e610b60cd1ed6abafd806acfaedccbbe52d1 upstream.
    
    CP2110 ID (0x10c4, 0xea80) doesn't belong here because it's a HID
    and completely different from CP210x devices.
    
    Signed-off-by: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cdaa22da21b9a6059f1bc7eea09fc4a8d141f1bd
Author: Jonas Jonsson <jonas@ludd.ltu.se>
Date:   Sun Nov 22 11:47:18 2015 +0100

    USB: serial: Another Infineon flash loader USB ID
    
    commit a0e80fbd56b4573de997c9a088a33abbc1121400 upstream.
    
    The flash loader has been seen on a Telit UE910 modem. The flash loader
    is a bit special, it presents both an ACM and CDC Data interface but
    only the latter is useful. Unless a magic string is sent to the device
    it will disappear and the regular modem device appears instead.
    
    Signed-off-by: Jonas Jonsson <jonas@ludd.ltu.se>
    Tested-by: Daniele Palmas <dnlplm@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 46c81170160305498acb6b7bbe7574c2e9197a80
Author: Jonas Jonsson <jonas@ludd.ltu.se>
Date:   Sun Nov 22 11:47:17 2015 +0100

    USB: cdc_acm: Ignore Infineon Flash Loader utility
    
    commit f33a7f72e5fc033daccbb8d4753d7c5c41a4d67b upstream.
    
    Some modems, such as the Telit UE910, are using an Infineon Flash Loader
    utility. It has two interfaces, 2/2/0 (Abstract Modem) and 10/0/0 (CDC
    Data). The latter can be used as a serial interface to upgrade the
    firmware of the modem. However, that isn't possible when the cdc-acm
    driver takes control of the device.
    
    The following is an explanation of the behaviour by Daniele Palmas during
    discussion on linux-usb.
    
    "This is what happens when the device is turned on (without modifying
    the drivers):
    
    [155492.352031] usb 1-3: new high-speed USB device number 27 using ehci-pci
    [155492.485429] usb 1-3: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 255, changing to 11
    [155492.485436] usb 1-3: New USB device found, idVendor=058b, idProduct=0041
    [155492.485439] usb 1-3: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    [155492.485952] cdc_acm 1-3:1.0: ttyACM0: USB ACM device
    
    This is the flashing device that is caught by the cdc-acm driver. Once
    the ttyACM appears, the application starts sending a magic string
    (simple write on the file descriptor) to keep the device in flashing
    mode. If this magic string is not properly received in a certain time
    interval, the modem goes on in normal operative mode:
    
    [155493.748094] usb 1-3: USB disconnect, device number 27
    [155494.916025] usb 1-3: new high-speed USB device number 28 using ehci-pci
    [155495.059978] usb 1-3: New USB device found, idVendor=1bc7, idProduct=0021
    [155495.059983] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [155495.059986] usb 1-3: Product: 6 CDC-ACM + 1 CDC-ECM
    [155495.059989] usb 1-3: Manufacturer: Telit
    [155495.059992] usb 1-3: SerialNumber: 359658044004697
    [155495.138958] cdc_acm 1-3:1.0: ttyACM0: USB ACM device
    [155495.140832] cdc_acm 1-3:1.2: ttyACM1: USB ACM device
    [155495.142827] cdc_acm 1-3:1.4: ttyACM2: USB ACM device
    [155495.144462] cdc_acm 1-3:1.6: ttyACM3: USB ACM device
    [155495.145967] cdc_acm 1-3:1.8: ttyACM4: USB ACM device
    [155495.147588] cdc_acm 1-3:1.10: ttyACM5: USB ACM device
    [155495.154322] cdc_ether 1-3:1.12 wwan0: register 'cdc_ether' at usb-0000:00:1a.7-3, Mobile Broadband Network Device, 00:00:11:12:13:14
    
    Using the cdc-acm driver, the string, though being sent in the same way
    than using the usb-serial-simple driver (I can confirm that the data is
    passing properly since I used an hw usb sniffer), does not make the
    device to stay in flashing mode."
    
    Signed-off-by: Jonas Jonsson <jonas@ludd.ltu.se>
    Tested-by: Daniele Palmas <dnlplm@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af28723e308702c1744f49bcc3fe7e81c6aee01c
Author: Junxiao Bi <junxiao.bi@oracle.com>
Date:   Fri Nov 20 15:57:30 2015 -0800

    ocfs2: fix umask ignored issue
    
    commit 8f1eb48758aacf6c1ffce18179295adbf3bd7640 upstream.
    
    New created file's mode is not masked with umask, and this makes umask not
    work for ocfs2 volume.
    
    Fixes: 702e5bc ("ocfs2: use generic posix ACL infrastructure")
    Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Gang He <ghe@suse.com>
    Cc: Mark Fasheh <mfasheh@suse.de>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8554f03ed2f8528c447d16534b54b443ce367d2
Author: Jeff Layton <jlayton@poochiereds.net>
Date:   Wed Nov 25 13:50:11 2015 -0500

    nfs: if we have no valid attrs, then don't declare the attribute cache valid
    
    commit c812012f9ca7cf89c9e1a1cd512e6c3b5be04b85 upstream.
    
    If we pass in an empty nfs_fattr struct to nfs_update_inode, it will
    (correctly) not update any of the attributes, but it then clears the
    NFS_INO_INVALID_ATTR flag, which indicates that the attributes are
    up to date. Don't clear the flag if the fattr struct has no valid
    attrs to apply.
    
    Reviewed-by: Steve French <steve.french@primarydata.com>
    Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b04ef75d63c81b31d67ac655287f455ccb1bd5c
Author: Benjamin Coddington <bcodding@redhat.com>
Date:   Fri Nov 20 09:56:20 2015 -0500

    nfs4: start callback_ident at idr 1
    
    commit c68a027c05709330fe5b2f50c50d5fa02124b5d8 upstream.
    
    If clp->cl_cb_ident is zero, then nfs_cb_idr_remove_locked() skips removing
    it when the nfs_client is freed.  A decoding or server bug can then find
    and try to put that first nfs_client which would lead to a crash.
    
    Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
    Fixes: d6870312659d ("nfs4client: convert to idr_alloc()")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b87abe77aedbb5539baed9221fd8ea0ce7c0035
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Tue Nov 3 01:46:21 2015 +0100

    firewire: ohci: fix JMicron JMB38x IT context discovery
    
    commit 100ceb66d5c40cc0c7018e06a9474302470be73c upstream.
    
    Reported by Clifford and Craig for JMicron OHCI-1394 + SDHCI combo
    controllers:  Often or even most of the time, the controller is
    initialized with the message "added OHCI v1.10 device as card 0, 4 IR +
    0 IT contexts, quirks 0x10".  With 0 isochronous transmit DMA contexts
    (IT contexts), applications like audio output are impossible.
    
    However, OHCI-1394 demands that at least 4 IT contexts are implemented
    by the link layer controller, and indeed JMicron JMB38x do implement
    four of them.  Only their IsoXmitIntMask register is unreliable at early
    access.
    
    With my own JMB381 single function controller I found:
      - I can reproduce the problem with a lower probability than Craig's.
      - If I put a loop around the section which clears and reads
        IsoXmitIntMask, then either the first or the second attempt will
        return the correct initial mask of 0x0000000f.  I never encountered
        a case of needing more than a second attempt.
      - Consequently, if I put a dummy reg_read(...IsoXmitIntMaskSet)
        before the first write, the subsequent read will return the correct
        result.
      - If I merely ignore a wrong read result and force the known real
        result, later isochronous transmit DMA usage works just fine.
    
    So let's just fix this chip bug up by the latter method.  Tested with
    JMB381 on kernel 3.13 and 4.3.
    
    Since OHCI-1394 generally requires 4 IT contexts at a minium, this
    workaround is simply applied whenever the initial read of IsoXmitIntMask
    returns 0, regardless whether it's a JMicron chip or not.  I never heard
    of this issue together with any other chip though.
    
    I am not 100% sure that this fix works on the OHCI-1394 part of JMB380
    and JMB388 combo controllers exactly the same as on the JMB381 single-
    function controller, but so far I haven't had a chance to let an owner
    of a combo chip run a patched kernel.
    
    Strangely enough, IsoRecvIntMask is always reported correctly, even
    though it is probed right before IsoXmitIntMask.
    
    Reported-by: Clifford Dunn
    Reported-by: Craig Moore <craig.moore@qenos.com>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9293f419d742b274f53428809be7388b30c0caca
Author: Daeho Jeong <daeho.jeong@samsung.com>
Date:   Sun Oct 18 17:02:56 2015 -0400

    ext4, jbd2: ensure entering into panic after recording an error in superblock
    
    commit 4327ba52afd03fc4b5afa0ee1d774c9c5b0e85c5 upstream.
    
    If a EXT4 filesystem utilizes JBD2 journaling and an error occurs, the
    journaling will be aborted first and the error number will be recorded
    into JBD2 superblock and, finally, the system will enter into the
    panic state in "errors=panic" option.  But, in the rare case, this
    sequence is little twisted like the below figure and it will happen
    that the system enters into panic state, which means the system reset
    in mobile environment, before completion of recording an error in the
    journal superblock. In this case, e2fsck cannot recognize that the
    filesystem failure occurred in the previous run and the corruption
    wouldn't be fixed.
    
    Task A                        Task B
    ext4_handle_error()
    -> jbd2_journal_abort()
      -> __journal_abort_soft()
        -> __jbd2_journal_abort_hard()
        | -> journal->j_flags |= JBD2_ABORT;
        |
        |                         __ext4_abort()
        |                         -> jbd2_journal_abort()
        |                         | -> __journal_abort_soft()
        |                         |   -> if (journal->j_flags & JBD2_ABORT)
        |                         |           return;
        |                         -> panic()
        |
        -> jbd2_journal_update_sb_errno()
    
    Tested-by: Hobin Woo <hobin.woo@samsung.com>
    Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3c1c70cfbb102e3bdab332730e8aebeb676d10e8
Author: Lukas Czerner <lczerner@redhat.com>
Date:   Sat Oct 17 22:57:06 2015 -0400

    ext4: fix potential use after free in __ext4_journal_stop
    
    commit 6934da9238da947628be83635e365df41064b09b upstream.
    
    There is a use-after-free possibility in __ext4_journal_stop() in the
    case that we free the handle in the first jbd2_journal_stop() because
    we're referencing handle->h_err afterwards. This was introduced in
    9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
    storing the handle->h_err value beforehand and avoid referencing
    potentially freed handle.
    
    Fixes: 9705acd63b125dee8b15c705216d7186daea4625
    Signed-off-by: Lukas Czerner <lczerner@redhat.com>
    Reviewed-by: Andreas Dilger <adilger@dilger.ca>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 389e0b9bbb64969281951ea5a1383448babac2b0
Author: Filipe Manana <fdmanana@suse.com>
Date:   Mon Nov 9 00:33:58 2015 +0000

    Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
    
    commit 1d512cb77bdbda80f0dd0620a3b260d697fd581d upstream.
    
    If we are using the NO_HOLES feature, we have a tiny time window when
    running delalloc for a nodatacow inode where we can race with a concurrent
    link or xattr add operation leading to a BUG_ON.
    
    This happens because at run_delalloc_nocow() we end up casting a leaf item
    of type BTRFS_INODE_[REF|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a
    file extent item (struct btrfs_file_extent_item) and then analyse its
    extent type field, which won't match any of the expected extent types
    (values BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]) and therefore trigger an
    explicit BUG_ON(1).
    
    The following sequence diagram shows how the race happens when running a
    no-cow dellaloc range [4K, 8K[ for inode 257 and we have the following
    neighbour leafs:
    
                 Leaf X (has N items)                    Leaf Y
    
     [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
                  slot N - 2         slot N - 1              slot 0
    
     (Note the implicit hole for inode 257 regarding the [0, 8K[ range)
    
           CPU 1                                         CPU 2
    
     run_dealloc_nocow()
       btrfs_lookup_file_extent()
         --> searches for a key with value
             (257 EXTENT_DATA 4096) in the
             fs/subvol tree
         --> returns us a path with
             path->nodes[0] == leaf X and
             path->slots[0] == N
    
       because path->slots[0] is >=
       btrfs_header_nritems(leaf X), it
       calls btrfs_next_leaf()
    
       btrfs_next_leaf()
         --> releases the path
    
                                                  hard link added to our inode,
                                                  with key (257 INODE_REF 500)
                                                  added to the end of leaf X,
                                                  so leaf X now has N + 1 keys
    
         --> searches for the key
             (257 INODE_REF 256), because
             it was the last key in leaf X
             before it released the path,
             with path->keep_locks set to 1
    
         --> ends up at leaf X again and
             it verifies that the key
             (257 INODE_REF 256) is no longer
             the last key in the leaf, so it
             returns with path->nodes[0] ==
             leaf X and path->slots[0] == N,
             pointing to the new item with
             key (257 INODE_REF 500)
    
       the loop iteration of run_dealloc_nocow()
       does not break out the loop and continues
       because the key referenced in the path
       at path->nodes[0] and path->slots[0] is
       for inode 257, its type is < BTRFS_EXTENT_DATA_KEY
       and its offset (500) is less then our delalloc
       range's end (8192)
    
       the item pointed by the path, an inode reference item,
       is (incorrectly) interpreted as a file extent item and
       we get an invalid extent type, leading to the BUG_ON(1):
    
       if (extent_type == BTRFS_FILE_EXTENT_REG ||
          extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
           (...)
       } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
           (...)
       } else {
           BUG_ON(1)
       }
    
    The same can happen if a xattr is added concurrently and ends up having
    a key with an offset smaller then the delalloc's range end.
    
    So fix this by skipping keys with a type smaller than
    BTRFS_EXTENT_DATA_KEY.
    
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de4306a7e44ef04d877c681ab69e1ab2d0bc1397
Author: Filipe Manana <fdmanana@suse.com>
Date:   Fri Nov 6 13:33:33 2015 +0000

    Btrfs: fix race leading to incorrect item deletion when dropping extents
    
    commit aeafbf8486c9e2bd53f5cc3c10c0b7fd7149d69c upstream.
    
    While running a stress test I got the following warning triggered:
    
      [191627.672810] ------------[ cut here ]------------
      [191627.673949] WARNING: CPU: 8 PID: 8447 at fs/btrfs/file.c:779 __btrfs_drop_extents+0x391/0xa50 [btrfs]()
      (...)
      [191627.701485] Call Trace:
      [191627.702037]  [<ffffffff8145f077>] dump_stack+0x4f/0x7b
      [191627.702992]  [<ffffffff81095de5>] ? console_unlock+0x356/0x3a2
      [191627.704091]  [<ffffffff8104b3b0>] warn_slowpath_common+0xa1/0xbb
      [191627.705380]  [<ffffffffa0664499>] ? __btrfs_drop_extents+0x391/0xa50 [btrfs]
      [191627.706637]  [<ffffffff8104b46d>] warn_slowpath_null+0x1a/0x1c
      [191627.707789]  [<ffffffffa0664499>] __btrfs_drop_extents+0x391/0xa50 [btrfs]
      [191627.709155]  [<ffffffff8115663c>] ? cache_alloc_debugcheck_after.isra.32+0x171/0x1d0
      [191627.712444]  [<ffffffff81155007>] ? kmemleak_alloc_recursive.constprop.40+0x16/0x18
      [191627.714162]  [<ffffffffa06570c9>] insert_reserved_file_extent.constprop.40+0x83/0x24e [btrfs]
      [191627.715887]  [<ffffffffa065422b>] ? start_transaction+0x3bb/0x610 [btrfs]
      [191627.717287]  [<ffffffffa065b604>] btrfs_finish_ordered_io+0x273/0x4e2 [btrfs]
      [191627.728865]  [<ffffffffa065b888>] finish_ordered_fn+0x15/0x17 [btrfs]
      [191627.730045]  [<ffffffffa067d688>] normal_work_helper+0x14c/0x32c [btrfs]
      [191627.731256]  [<ffffffffa067d96a>] btrfs_endio_write_helper+0x12/0x14 [btrfs]
      [191627.732661]  [<ffffffff81061119>] process_one_work+0x24c/0x4ae
      [191627.733822]  [<ffffffff810615b0>] worker_thread+0x206/0x2c2
      [191627.734857]  [<ffffffff810613aa>] ? process_scheduled_works+0x2f/0x2f
      [191627.736052]  [<ffffffff810613aa>] ? process_scheduled_works+0x2f/0x2f
      [191627.737349]  [<ffffffff810669a6>] kthread+0xef/0xf7
      [191627.738267]  [<ffffffff810f3b3a>] ? time_hardirqs_on+0x15/0x28
      [191627.739330]  [<ffffffff810668b7>] ? __kthread_parkme+0xad/0xad
      [191627.741976]  [<ffffffff81465592>] ret_from_fork+0x42/0x70
      [191627.743080]  [<ffffffff810668b7>] ? __kthread_parkme+0xad/0xad
      [191627.744206] ---[ end trace bbfddacb7aaada8d ]---
    
      $ cat -n fs/btrfs/file.c
      691  int __btrfs_drop_extents(struct btrfs_trans_handle *trans,
      (...)
      758                  btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
      759                  if (key.objectid > ino ||
      760                      key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end)
      761                          break;
      762
      763                  fi = btrfs_item_ptr(leaf, path->slots[0],
      764                                      struct btrfs_file_extent_item);
      765                  extent_type = btrfs_file_extent_type(leaf, fi);
      766
      767                  if (extent_type == BTRFS_FILE_EXTENT_REG ||
      768                      extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
      (...)
      774                  } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
      (...)
      778                  } else {
      779                          WARN_ON(1);
      780                          extent_end = search_start;
      781                  }
      (...)
    
    This happened because the item we were processing did not match a file
    extent item (its key type != BTRFS_EXTENT_DATA_KEY), and even on this
    case we cast the item to a struct btrfs_file_extent_item pointer and
    then find a type field value that does not match any of the expected
    values (BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]). This scenario happens
    due to a tiny time window where a race can happen as exemplified below.
    For example, consider the following scenario where we're using the
    NO_HOLES feature and we have the following two neighbour leafs:
    
                   Leaf X (has N items)                    Leaf Y
    
    [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
              slot N - 2         slot N - 1              slot 0
    
    Our inode 257 has an implicit hole in the range [0, 8K[ (implicit rather
    than explicit because NO_HOLES is enabled). Now if our inode has an
    ordered extent for the range [4K, 8K[ that is finishing, the following
    can happen:
    
              CPU 1                                       CPU 2
    
      btrfs_finish_ordered_io()
        insert_reserved_file_extent()
          __btrfs_drop_extents()
             Searches for the key
              (257 EXTENT_DATA 4096) through
              btrfs_lookup_file_extent()
    
             Key not found and we get a path where
             path->nodes[0] == leaf X and
             path->slots[0] == N
    
             Because path->slots[0] is >=
             btrfs_header_nritems(leaf X), we call
             btrfs_next_leaf()
    
             btrfs_next_leaf() releases the path
    
                                                      inserts key
                                                      (257 INODE_REF 4096)
                                                      at the end of leaf X,
                                                      leaf X now has N + 1 keys,
                                                      and the new key is at
                                                      slot N
    
             btrfs_next_leaf() searches for
             key (257 INODE_REF 256), with
             path->keep_locks set to 1,
             because it was the last key it
             saw in leaf X
    
               finds it in leaf X again and
               notices it's no longer the last
               key of the leaf, so it returns 0
               with path->nodes[0] == leaf X and
               path->slots[0] == N (which is now
               < btrfs_header_nritems(leaf X)),
               pointing to the new key
               (257 INODE_REF 4096)
    
             __btrfs_drop_extents() casts the
             item at path->nodes[0], slot
             path->slots[0], to a struct
             btrfs_file_extent_item - it does
             not skip keys for the target
             inode with a type less than
             BTRFS_EXTENT_DATA_KEY
             (BTRFS_INODE_REF_KEY < BTRFS_EXTENT_DATA_KEY)
    
             sees a bogus value for the type
             field triggering the WARN_ON in
             the trace shown above, and sets
             extent_end = search_start (4096)
    
             does the if-then-else logic to
             fixup 0 length extent items created
             by a past bug from hole punching:
    
               if (extent_end == key.offset &&
                   extent_end >= search_start)
                   goto delete_extent_item;
    
             that evaluates to true and it ends
             up deleting the key pointed to by
             path->slots[0], (257 INODE_REF 4096),
             from leaf X
    
    The same could happen for example for a xattr that ends up having a key
    with an offset value that matches search_start (very unlikely but not
    impossible).
    
    So fix this by ensuring that keys smaller than BTRFS_EXTENT_DATA_KEY are
    skipped, never casted to struct btrfs_file_extent_item and never deleted
    by accident. Also protect against the unexpected case of getting a key
    for a lower inode number by skipping that key and issuing a warning.
    
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8fa15f0be8c6d2c03afce5f09d5e96c0aec4eb8
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 1 07:20:07 2015 -0800

    ipv6: sctp: implement sctp_v6_destroy_sock()
    
    [ Upstream commit 602dd62dfbda3e63a2d6a3cbde953ebe82bf5087 ]
    
    Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
    
    We need to call inet6_destroy_sock() to properly release
    inet6 specific fields.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f4ce575c5d5bcce5d4d03a24baa4308cf3409ab3
Author: Michal Kubeček <mkubecek@suse.cz>
Date:   Tue Nov 24 15:07:11 2015 +0100

    ipv6: distinguish frag queues by device for multicast and link-local packets
    
    [ Upstream commit 264640fc2c5f4f913db5c73fa3eb1ead2c45e9d7 ]
    
    If a fragmented multicast packet is received on an ethernet device which
    has an active macvlan on top of it, each fragment is duplicated and
    received both on the underlying device and the macvlan. If some
    fragments for macvlan are processed before the whole packet for the
    underlying device is reassembled, the "overlapping fragments" test in
    ip6_frag_queue() discards the whole fragment queue.
    
    To resolve this, add device ifindex to the search key and require it to
    match reassembling multicast packets and packets to link-local
    addresses.
    
    Note: similar patch has been already submitted by Yoshifuji Hideaki in
    
      http://patchwork.ozlabs.org/patch/220979/
    
    but got lost and forgotten for some reason.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad7a4964af681230e3fafc5a5b023ffbcbeed184
Author: Aaro Koskinen <aaro.koskinen@iki.fi>
Date:   Sun Nov 22 01:08:54 2015 +0200

    broadcom: fix PHY_ID_BCM5481 entry in the id table
    
    [ Upstream commit 3c25a860d17b7378822f35d8c9141db9507e3beb ]
    
    Commit fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
    updated broadcom_tbl to use PHY_IDs, but incorrectly replaced 0x0143bca0
    with PHY_ID_BCM5482 (making a duplicate entry, and completely omitting
    the original). Fix that.
    
    Fixes: fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
    Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 10a72b76fcc8bd20d812eb58f5e0e37ca3632336
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Fri Nov 20 13:54:20 2015 +0100

    net: ip6mr: fix static mfc/dev leaks on table destruction
    
    [ Upstream commit 4c6980462f32b4f282c5d8e5f7ea8070e2937725 ]
    
    Similar to ipv4, when destroying an mrt table the static mfc entries and
    the static devices are kept, which leads to devices that can never be
    destroyed (because of refcnt taken) and leaked memory. Make sure that
    everything is cleaned up on netns destruction.
    
    Fixes: 8229efdaef1e ("netns: ip6mr: enable namespace support in ipv6 multicast forwarding code")
    CC: Benjamin Thery <benjamin.thery@bull.net>
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Reviewed-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 207c03d6427702d299ce13ee2213213ad935f6ec
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Fri Nov 20 13:54:19 2015 +0100

    net: ipmr: fix static mfc/dev leaks on table destruction
    
    [ Upstream commit 0e615e9601a15efeeb8942cf7cd4dadba0c8c5a7 ]
    
    When destroying an mrt table the static mfc entries and the static
    devices are kept, which leads to devices that can never be destroyed
    (because of refcnt taken) and leaked memory, for example:
    unreferenced object 0xffff880034c144c0 (size 192):
      comm "mfc-broken", pid 4777, jiffies 4320349055 (age 46001.964s)
      hex dump (first 32 bytes):
        98 53 f0 34 00 88 ff ff 98 53 f0 34 00 88 ff ff  .S.4.....S.4....
        ef 0a 0a 14 01 02 03 04 00 00 00 00 01 00 00 00  ................
      backtrace:
        [<ffffffff815c1b9e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff811ea6e0>] kmem_cache_alloc+0x190/0x300
        [<ffffffff815931cb>] ip_mroute_setsockopt+0x5cb/0x910
        [<ffffffff8153d575>] do_ip_setsockopt.isra.11+0x105/0xff0
        [<ffffffff8153e490>] ip_setsockopt+0x30/0xa0
        [<ffffffff81564e13>] raw_setsockopt+0x33/0x90
        [<ffffffff814d1e14>] sock_common_setsockopt+0x14/0x20
        [<ffffffff814d0b51>] SyS_setsockopt+0x71/0xc0
        [<ffffffff815cdbf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
        [<ffffffffffffffff>] 0xffffffffffffffff
    
    Make sure that everything is cleaned on netns destruction.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Reviewed-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c35d67001e0a48d48cfcf96b78773d75c935a54b
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Fri Nov 20 00:11:56 2015 +0100

    net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
    
    [ Upstream commit 6900317f5eff0a7070c5936e5383f589e0de7a09 ]
    
    David and HacKurx reported a following/similar size overflow triggered
    in a grsecurity kernel, thanks to PaX's gcc size overflow plugin:
    
    (Already fixed in later grsecurity versions by Brad and PaX Team.)
    
    [ 1002.296137] PAX: size overflow detected in function scm_detach_fds net/core/scm.c:314
                   cicus.202_127 min, count: 4, decl: msg_controllen; num: 0; context: msghdr;
    [ 1002.296145] CPU: 0 PID: 3685 Comm: scm_rights_recv Not tainted 4.2.3-grsec+ #7
    [ 1002.296149] Hardware name: Apple Inc. MacBookAir5,1/Mac-66F35F19FE2A0D05, [...]
    [ 1002.296153]  ffffffff81c27366 0000000000000000 ffffffff81c27375 ffffc90007843aa8
    [ 1002.296162]  ffffffff818129ba 0000000000000000 ffffffff81c27366 ffffc90007843ad8
    [ 1002.296169]  ffffffff8121f838 fffffffffffffffc fffffffffffffffc ffffc90007843e60
    [ 1002.296176] Call Trace:
    [ 1002.296190]  [<ffffffff818129ba>] dump_stack+0x45/0x57
    [ 1002.296200]  [<ffffffff8121f838>] report_size_overflow+0x38/0x60
    [ 1002.296209]  [<ffffffff816a979e>] scm_detach_fds+0x2ce/0x300
    [ 1002.296220]  [<ffffffff81791899>] unix_stream_read_generic+0x609/0x930
    [ 1002.296228]  [<ffffffff81791c9f>] unix_stream_recvmsg+0x4f/0x60
    [ 1002.296236]  [<ffffffff8178dc00>] ? unix_set_peek_off+0x50/0x50
    [ 1002.296243]  [<ffffffff8168fac7>] sock_recvmsg+0x47/0x60
    [ 1002.296248]  [<ffffffff81691522>] ___sys_recvmsg+0xe2/0x1e0
    [ 1002.296257]  [<ffffffff81693496>] __sys_recvmsg+0x46/0x80
    [ 1002.296263]  [<ffffffff816934fc>] SyS_recvmsg+0x2c/0x40
    [ 1002.296271]  [<ffffffff8181a3ab>] entry_SYSCALL_64_fastpath+0x12/0x85
    
    Further investigation showed that this can happen when an *odd* number of
    fds are being passed over AF_UNIX sockets.
    
    In these cases CMSG_LEN(i * sizeof(int)) and CMSG_SPACE(i * sizeof(int)),
    where i is the number of successfully passed fds, differ by 4 bytes due
    to the extra CMSG_ALIGN() padding in CMSG_SPACE() to an 8 byte boundary
    on 64 bit. The padding is used to align subsequent cmsg headers in the
    control buffer.
    
    When the control buffer passed in from the receiver side *lacks* these 4
    bytes (e.g. due to buggy/wrong API usage), then msg->msg_controllen will
    overflow in scm_detach_fds():
    
      int cmlen = CMSG_LEN(i * sizeof(int));  <--- cmlen w/o tail-padding
      err = put_user(SOL_SOCKET, &cm->cmsg_level);
      if (!err)
        err = put_user(SCM_RIGHTS, &cm->cmsg_type);
      if (!err)
        err = put_user(cmlen, &cm->cmsg_len);
      if (!err) {
        cmlen = CMSG_SPACE(i * sizeof(int));  <--- cmlen w/ 4 byte extra tail-padding
        msg->msg_control += cmlen;
        msg->msg_controllen -= cmlen;         <--- iff no tail-padding space here ...
      }                                            ... wrap-around
    
    F.e. it will wrap to a length of 18446744073709551612 bytes in case the
    receiver passed in msg->msg_controllen of 20 bytes, and the sender
    properly transferred 1 fd to the receiver, so that its CMSG_LEN results
    in 20 bytes and CMSG_SPACE in 24 bytes.
    
    In case of MSG_CMSG_COMPAT (scm_detach_fds_compat()), I haven't seen an
    issue in my tests as alignment seems always on 4 byte boundary. Same
    should be in case of native 32 bit, where we end up with 4 byte boundaries
    as well.
    
    In practice, passing msg->msg_controllen of 20 to recvmsg() while receiving
    a single fd would mean that on successful return, msg->msg_controllen is
    being set by the kernel to 24 bytes instead, thus more than the input
    buffer advertised. It could f.e. become an issue if such application later
    on zeroes or copies the control buffer based on the returned msg->msg_controllen
    elsewhere.
    
    Maximum number of fds we can send is a hard upper limit SCM_MAX_FD (253).
    
    Going over the code, it seems like msg->msg_controllen is not being read
    after scm_detach_fds() in scm_recv() anymore by the kernel, good!
    
    Relevant recvmsg() handler are unix_dgram_recvmsg() (unix_seqpacket_recvmsg())
    and unix_stream_recvmsg(). Both return back to their recvmsg() caller,
    and ___sys_recvmsg() places the updated length, that is, new msg_control -
    old msg_control pointer into msg->msg_controllen (hence the 24 bytes seen
    in the example).
    
    Long time ago, Wei Yongjun fixed something related in commit 1ac70e7ad24a
    ("[NET]: Fix function put_cmsg() which may cause usr application memory
    overflow").
    
    RFC3542, section 20.2. says:
    
      The fields shown as "XX" are possible padding, between the cmsghdr
      structure and the data, and between the data and the next cmsghdr
      structure, if required by the implementation. While sending an
      application may or may not include padding at the end of last
      ancillary data in msg_controllen and implementations must accept both
      as valid. On receiving a portable application must provide space for
      padding at the end of the last ancillary data as implementations may
      copy out the padding at the end of the control message buffer and
      include it in the received msg_controllen. When recvmsg() is called
      if msg_controllen is too small for all the ancillary data items
      including any trailing padding after the last item an implementation
      may set MSG_CTRUNC.
    
    Since we didn't place MSG_CTRUNC for already quite a long time, just do
    the same as in 1ac70e7ad24a to avoid an overflow.
    
    Btw, even man-page author got this wrong :/ See db939c9b26e9 ("cmsg.3: Fix
    error in SCM_RIGHTS code sample"). Some people must have copied this (?),
    thus it got triggered in the wild (reported several times during boot by
    David and HacKurx).
    
    No Fixes tag this time as pre 2002 (that is, pre history tree).
    
    Reported-by: David Sterba <dave@jikos.cz>
    Reported-by: HacKurx <hackurx@gmail.com>
    Cc: PaX Team <pageexec@freemail.hu>
    Cc: Emese Revfy <re.emese@gmail.com>
    Cc: Brad Spengler <spender@grsecurity.net>
    Cc: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d24edcc39b0d9b9a6d87e1a4c18356bd7b65d1b9
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 26 08:18:14 2015 -0800

    tcp: initialize tp->copied_seq in case of cross SYN connection
    
    [ Upstream commit 142a2e7ece8d8ac0e818eb2c91f99ca894730e2a ]
    
    Dmitry provided a syzkaller (http://github.com/google/syzkaller)
    generated program that triggers the WARNING at
    net/ipv4/tcp.c:1729 in tcp_recvmsg() :
    
    WARN_ON(tp->copied_seq != tp->rcv_nxt &&
            !(flags & (MSG_PEEK | MSG_TRUNC)));
    
    His program is specifically attempting a Cross SYN TCP exchange,
    that we support (for the pleasure of hackers ?), but it looks we
    lack proper tcp->copied_seq initialization.
    
    Thanks again Dmitry for your report and testings.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ab3689c898fc280c7d6623f53af94461b7adb7f2
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Nov 18 12:40:13 2015 -0800

    tcp: md5: fix lockdep annotation
    
    [ Upstream commit 1b8e6a01e19f001e9f93b39c32387961c91ed3cc ]
    
    When a passive TCP is created, we eventually call tcp_md5_do_add()
    with sk pointing to the child. It is not owner by the user yet (we
    will add this socket into listener accept queue a bit later anyway)
    
    But we do own the spinlock, so amend the lockdep annotation to avoid
    following splat :
    
    [ 8451.090932] net/ipv4/tcp_ipv4.c:923 suspicious rcu_dereference_protected() usage!
    [ 8451.090932]
    [ 8451.090932] other info that might help us debug this:
    [ 8451.090932]
    [ 8451.090934]
    [ 8451.090934] rcu_scheduler_active = 1, debug_locks = 1
    [ 8451.090936] 3 locks held by socket_sockopt_/214795:
    [ 8451.090936]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff855c6ac1>] __netif_receive_skb_core+0x151/0xe90
    [ 8451.090947]  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff85618143>] ip_local_deliver_finish+0x43/0x2b0
    [ 8451.090952]  #2:  (slock-AF_INET){+.-...}, at: [<ffffffff855acda5>] sk_clone_lock+0x1c5/0x500
    [ 8451.090958]
    [ 8451.090958] stack backtrace:
    [ 8451.090960] CPU: 7 PID: 214795 Comm: socket_sockopt_
    
    [ 8451.091215] Call Trace:
    [ 8451.091216]  <IRQ>  [<ffffffff856fb29c>] dump_stack+0x55/0x76
    [ 8451.091229]  [<ffffffff85123b5b>] lockdep_rcu_suspicious+0xeb/0x110
    [ 8451.091235]  [<ffffffff8564544f>] tcp_md5_do_add+0x1bf/0x1e0
    [ 8451.091239]  [<ffffffff85645751>] tcp_v4_syn_recv_sock+0x1f1/0x4c0
    [ 8451.091242]  [<ffffffff85642b27>] ? tcp_v4_md5_hash_skb+0x167/0x190
    [ 8451.091246]  [<ffffffff85647c78>] tcp_check_req+0x3c8/0x500
    [ 8451.091249]  [<ffffffff856451ae>] ? tcp_v4_inbound_md5_hash+0x11e/0x190
    [ 8451.091253]  [<ffffffff85647170>] tcp_v4_rcv+0x3c0/0x9f0
    [ 8451.091256]  [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0
    [ 8451.091260]  [<ffffffff856181b6>] ip_local_deliver_finish+0xb6/0x2b0
    [ 8451.091263]  [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0
    [ 8451.091267]  [<ffffffff85618d38>] ip_local_deliver+0x48/0x80
    [ 8451.091270]  [<ffffffff85618510>] ip_rcv_finish+0x160/0x700
    [ 8451.091273]  [<ffffffff8561900e>] ip_rcv+0x29e/0x3d0
    [ 8451.091277]  [<ffffffff855c74b7>] __netif_receive_skb_core+0xb47/0xe90
    
    Fixes: a8afca0329988 ("tcp: md5: protects md5sig_info with RCU")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9ec674259698994541a9fecb07f183a5bee4940
Author: Bjørn Mork <bjorn@mork.no>
Date:   Wed Nov 18 21:13:07 2015 +0100

    net: qmi_wwan: add XS Stick W100-2 from 4G Systems
    
    [ Upstream commit 68242a5a1e2edce39b069385cbafb82304eac0f1 ]
    
    Thomas reports
    "
    4gsystems sells two total different LTE-surfsticks under the same name.
    ..
    The newer version of XS Stick W100 is from "omega"
    ..
    Under windows the driver switches to the same ID, and uses MI03\6 for
    network and MI01\6 for modem.
    ..
    echo "1c9e 9b01" > /sys/bus/usb/drivers/qmi_wwan/new_id
    echo "1c9e 9b01" > /sys/bus/usb-serial/drivers/option1/new_id
    
    T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1c9e ProdID=9b01 Rev=02.32
    S:  Manufacturer=USB Modem
    S:  Product=USB Modem
    S:  SerialNumber=
    C:  #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
    
    Now all important things are there:
    
    wwp0s29f7u2i3 (net), ttyUSB2 (at), cdc-wdm0 (qmi), ttyUSB1 (at)
    
    There is also ttyUSB0, but it is not usable, at least not for at.
    
    The device works well with qmi and ModemManager-NetworkManager.
    "
    
    Reported-by: Thomas Schäfer <tschaefer@t-online.de>
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c32a5063f2191192b277f3b6bd97b596d64a653a
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Mon Nov 16 13:09:10 2015 -0500

    snmp: Remove duplicate OUTMCAST stat increment
    
    [ Upstream commit 41033f029e393a64e81966cbe34d66c6cf8a2e7e ]
    
    the OUTMCAST stat is double incremented, getting bumped once in the mcast code
    itself, and again in the common ip output path.  Remove the mcast bump, as its
    not needed
    
    Validated by the reporter, with good results
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Claus Jensen <claus.jensen@microsemi.com>
    CC: Claus Jensen <claus.jensen@microsemi.com>
    CC: David Miller <davem@davemloft.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f4f4b092f7f06f13e1aed9060dbd4cfeb33f1795
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Nov 12 17:35:58 2015 +0100

    ip_tunnel: disable preemption when updating per-cpu tstats
    
    [ Upstream commit b4fe85f9c9146f60457e9512fb6055e69e6a7a65 ]
    
    Drivers like vxlan use the recently introduced
    udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
    makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
    packet, updates the struct stats using the usual
    u64_stats_update_begin/end calls on this_cpu_ptr(dev->tstats).
    udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
    tstats, so drivers like vxlan, immediately after, call
    iptunnel_xmit_stats, which does the same thing - calls
    u64_stats_update_begin/end on this_cpu_ptr(dev->tstats).
    
    While vxlan is probably fine (I don't know?), calling a similar function
    from, say, an unbound workqueue, on a fully preemptable kernel causes
    real issues:
    
    [  188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
    [  188.435579] caller is debug_smp_processor_id+0x17/0x20
    [  188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
    [  188.435607] Call Trace:
    [  188.435611]  [<ffffffff8234e936>] dump_stack+0x4f/0x7b
    [  188.435615]  [<ffffffff81915f3d>] check_preemption_disabled+0x19d/0x1c0
    [  188.435619]  [<ffffffff81915f77>] debug_smp_processor_id+0x17/0x20
    
    The solution would be to protect the whole
    this_cpu_ptr(dev->tstats)/u64_stats_update_begin/end blocks with
    disabling preemption and then reenabling it.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a286e9c08a0700f114b40dffe5d21992f8fda45d
Author: lucien <lucien.xin@gmail.com>
Date:   Thu Nov 12 13:07:07 2015 +0800

    sctp: translate host order to network order when setting a hmacid
    
    [ Upstream commit ed5a377d87dc4c87fb3e1f7f698cba38cd893103 ]
    
    now sctp auth cannot work well when setting a hmacid manually, which
    is caused by that we didn't use the network order for hmacid, so fix
    it by adding the transformation in sctp_auth_ep_set_hmacs.
    
    even we set hmacid with the network order in userspace, it still
    can't work, because of this condition in sctp_auth_ep_set_hmacs():
    
    		if (id > SCTP_AUTH_HMAC_ID_MAX)
    			return -EOPNOTSUPP;
    
    so this wasn't working before and thus it won't break compatibility.
    
    Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de23f6a7b04807979e6c653ad04d7dde8b383cc6
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed Nov 11 23:25:43 2015 +0100

    packet: infer protocol from ethernet header if unset
    
    [ Upstream commit c72219b75fde768efccf7666342282fab7f9e4e7 ]
    
    In case no struct sockaddr_ll has been passed to packet
    socket's sendmsg() when doing a TX_RING flush run, then
    skb->protocol is set to po->num instead, which is the protocol
    passed via socket(2)/bind(2).
    
    Applications only xmitting can go the path of allocating the
    socket as socket(PF_PACKET, <mode>, 0) and do a bind(2) on the
    TX_RING with sll_protocol of 0. That way, register_prot_hook()
    is neither called on creation nor on bind time, which saves
    cycles when there's no interest in capturing anyway.
    
    That leaves us however with po->num 0 instead and therefore
    the TX_RING flush run sets skb->protocol to 0 as well. Eric
    reported that this leads to problems when using tools like
    trafgen over bonding device. I.e. the bonding's hash function
    could invoke the kernel's flow dissector, which depends on
    skb->protocol being properly set. In the current situation, all
    the traffic is then directed to a single slave.
    
    Fix it up by inferring skb->protocol from the Ethernet header
    when not set and we have ARPHRD_ETHER device type. This is only
    done in case of SOCK_RAW and where we have a dev->hard_header_len
    length. In case of ARPHRD_ETHER devices, this is guaranteed to
    cover ETH_HLEN, and therefore being accessed on the skb after
    the skb_store_bits().
    
    Reported-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c8f0bbc005b28c860daaa797838374367cd2edab
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed Nov 11 23:25:41 2015 +0100

    packet: always probe for transport header
    
    [ Upstream commit 8fd6c80d9dd938ca338c70698533a7e304752846 ]
    
    We concluded that the skb_probe_transport_header() should better be
    called unconditionally. Avoiding the call into the flow dissector has
    also not really much to do with the direct xmit mode.
    
    While it seems that only virtio_net code makes use of GSO from non
    RX/TX ring packet socket paths, we should probe for a transport header
    nevertheless before they hit devices.
    
    Reference: http://thread.gmane.org/gmane.linux.network/386173/
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0fd58003ee7a7841646cdf01b0e4d30be1b3429f
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed Nov 11 23:25:40 2015 +0100

    packet: do skb_probe_transport_header when we actually have data
    
    [ Upstream commit efdfa2f7848f64517008136fb41f53c4a1faf93a ]
    
    In tpacket_fill_skb() commit c1aad275b029 ("packet: set transport
    header before doing xmit") and later on 40893fd0fd4e ("net: switch
    to use skb_probe_transport_header()") was probing for a transport
    header on the skb from a ring buffer slot, but at a time, where
    the skb has _not even_ been filled with data yet. So that call into
    the flow dissector is pretty useless. Lets do it after we've set
    up the skb frags.
    
    Fixes: c1aad275b029 ("packet: set transport header before doing xmit")
    Reported-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4db32ea3a819bc70aef2084288461b951d5079e4
Author: Kamal Mostafa <kamal@canonical.com>
Date:   Wed Nov 11 14:24:27 2015 -0800

    tools/net: Use include/uapi with __EXPORTED_HEADERS__
    
    [ Upstream commit d7475de58575c904818efa369c82e88c6648ce2e ]
    
    Use the local uapi headers to keep in sync with "recently" added #define's
    (e.g. SKF_AD_VLAN_TPID).  Refactored CFLAGS, and bpf_asm doesn't need -I.
    
    Fixes: 3f356385e8a4 ("filter: bpf_asm: add minimal bpf asm tool")
    Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d054f57adc981a5f503d5eb9b259aa450b90dc5
Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date:   Fri Nov 20 22:07:23 2015 +0000

    unix: avoid use-after-free in ep_remove_wait_queue
    
    [ Upstream commit 7d267278a9ece963d77eefec61630223fce08c6c ]
    
    Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
    An AF_UNIX datagram socket being the client in an n:1 association with
    some server socket is only allowed to send messages to the server if the
    receive queue of this socket contains at most sk_max_ack_backlog
    datagrams. This implies that prospective writers might be forced to go
    to sleep despite none of the message presently enqueued on the server
    receive queue were sent by them. In order to ensure that these will be
    woken up once space becomes again available, the present unix_dgram_poll
    routine does a second sock_poll_wait call with the peer_wait wait queue
    of the server socket as queue argument (unix_dgram_recvmsg does a wake
    up on this queue after a datagram was received). This is inherently
    problematic because the server socket is only guaranteed to remain alive
    for as long as the client still holds a reference to it. In case the
    connection is dissolved via connect or by the dead peer detection logic
    in unix_dgram_sendmsg, the server socket may be freed despite "the
    polling mechanism" (in particular, epoll) still has a pointer to the
    corresponding peer_wait queue. There's no way to forcibly deregister a
    wait queue with epoll.
    
    Based on an idea by Jason Baron, the patch below changes the code such
    that a wait_queue_t belonging to the client socket is enqueued on the
    peer_wait queue of the server whenever the peer receive queue full
    condition is detected by either a sendmsg or a poll. A wake up on the
    peer queue is then relayed to the ordinary wait queue of the client
    socket via wake function. The connection to the peer wait queue is again
    dissolved if either a wake up is about to be relayed or the client
    socket reconnects or a dead peer is detected or the client socket is
    itself closed. This enables removing the second sock_poll_wait from
    unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
    that no blocked writer sleeps forever.
    
    Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
    Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
    Reviewed-by: Jason Baron <jbaron@akamai.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>