From efc90e0081348db0f7fb73385bc3fcc6bf163962 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 12 Oct 2012 02:49:02 +0000 Subject: [PATCH] Update to 3.2.31 Drop 2 patches included in it. Add some more hideous hacks to maintain ABI. svn path=/dists/sid/linux/; revision=19432 --- debian/changelog | 25 +- .../all/rds-set-correct-msg_namelen.patch | 217 ------------------ ...-TSO-CAP-for-5704-devs-w-ASF-enabled.patch | 59 ----- .../hid-avoid-ABI-change-in-3.2.31.patch | 41 ++++ .../xfrm-avoid-ABI-change-in-3.2.31.patch | 28 +++ debian/patches/series | 4 +- 6 files changed, 95 insertions(+), 279 deletions(-) delete mode 100644 debian/patches/bugfix/all/rds-set-correct-msg_namelen.patch delete mode 100644 debian/patches/bugfix/all/tg3-Fix-TSO-CAP-for-5704-devs-w-ASF-enabled.patch create mode 100644 debian/patches/debian/hid-avoid-ABI-change-in-3.2.31.patch create mode 100644 debian/patches/debian/xfrm-avoid-ABI-change-in-3.2.31.patch diff --git a/debian/changelog b/debian/changelog index 45c9b96d0..7da60e957 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,28 @@ -linux (3.2.30-2) UNRELEASED; urgency=low +linux (3.2.31-1) UNRELEASED; urgency=low + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.31 + - target: Fix ->data_length re-assignment bug with SCSI overflow + - hpsa: fix handling of protocol error + - cifs: fix return value in cifsConvertToUTF16 + - asix: Support DLink DUB-E100 H/W Ver C1 (Closes: #687567) + - dj: memory scribble in logi_dj + - dm: handle requests beyond end of device instead of using BUG_ON + - md/raid10: fix "enough" function for detecting if array is failed. + - libata: Prevent interface errors with Seagate FreeAgent GoFlex + - vfs: dcache: fix deadlock in tree traversal + - Revert "drm/radeon: rework pll selection (v3)" (regression in 3.2.30) + - HID: hidraw: don't deallocate memory when it is in use + - xfrm: Workaround incompatibility of ESN and async crypto + - xfrm_user: fix various information leaks + - xfrm_user: ensure user supplied esn replay window is valid + - net: guard tcp_set_keepalive() to tcp sockets + - ipv4: raw: fix icmp_filter() + - ipv6: raw: fix icmpv6_filter() + - ipv6: mip6: fix mip6_mh_filter() + - netrom: copy_datagram_iovec can fail + + [ Ben Hutchings ] * codel: refine one condition to avoid a nul rec_inv_sqrt * [mips,mipsel] Ignore NFS/SunRPC ABI changes in 3.2.30 (fixes FTBFS) * tg3: Fix TSO CAP for 5704 devs w / ASF enabled diff --git a/debian/patches/bugfix/all/rds-set-correct-msg_namelen.patch b/debian/patches/bugfix/all/rds-set-correct-msg_namelen.patch deleted file mode 100644 index f5c1f0fe7..000000000 --- a/debian/patches/bugfix/all/rds-set-correct-msg_namelen.patch +++ /dev/null @@ -1,217 +0,0 @@ -From: Weiping Pan -Date: Mon, 23 Jul 2012 10:37:48 +0800 -Subject: rds: set correct msg_namelen - -commit 06b6a1cf6e776426766298d055bb3991957d90a7 upstream. - -Jay Fenlason (fenlason@redhat.com) found a bug, -that recvfrom() on an RDS socket can return the contents of random kernel -memory to userspace if it was called with a address length larger than -sizeof(struct sockaddr_in). -rds_recvmsg() also fails to set the addr_len paramater properly before -returning, but that's just a bug. -There are also a number of cases wher recvfrom() can return an entirely bogus -address. Anything in rds_recvmsg() that returns a non-negative value but does -not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path -at the end of the while(1) loop will return up to 128 bytes of kernel memory -to userspace. - -And I write two test programs to reproduce this bug, you will see that in -rds_server, fromAddr will be overwritten and the following sock_fd will be -destroyed. -Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is -better to make the kernel copy the real length of address to user space in -such case. - -How to run the test programs ? -I test them on 32bit x86 system, 3.5.0-rc7. - -1 compile -gcc -o rds_client rds_client.c -gcc -o rds_server rds_server.c - -2 run ./rds_server on one console - -3 run ./rds_client on another console - -4 you will see something like: -server is waiting to receive data... -old socket fd=3 -server received data from client:data from client -msg.msg_namelen=32 -new socket fd=-1067277685 -sendmsg() -: Bad file descriptor - -/***************** rds_client.c ********************/ - -int main(void) -{ - int sock_fd; - struct sockaddr_in serverAddr; - struct sockaddr_in toAddr; - char recvBuffer[128] = "data from client"; - struct msghdr msg; - struct iovec iov; - - sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0); - if (sock_fd < 0) { - perror("create socket error\n"); - exit(1); - } - - memset(&serverAddr, 0, sizeof(serverAddr)); - serverAddr.sin_family = AF_INET; - serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1"); - serverAddr.sin_port = htons(4001); - - if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) { - perror("bind() error\n"); - close(sock_fd); - exit(1); - } - - memset(&toAddr, 0, sizeof(toAddr)); - toAddr.sin_family = AF_INET; - toAddr.sin_addr.s_addr = inet_addr("127.0.0.1"); - toAddr.sin_port = htons(4000); - msg.msg_name = &toAddr; - msg.msg_namelen = sizeof(toAddr); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_iov->iov_base = recvBuffer; - msg.msg_iov->iov_len = strlen(recvBuffer) + 1; - msg.msg_control = 0; - msg.msg_controllen = 0; - msg.msg_flags = 0; - - if (sendmsg(sock_fd, &msg, 0) == -1) { - perror("sendto() error\n"); - close(sock_fd); - exit(1); - } - - printf("client send data:%s\n", recvBuffer); - - memset(recvBuffer, '\0', 128); - - msg.msg_name = &toAddr; - msg.msg_namelen = sizeof(toAddr); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_iov->iov_base = recvBuffer; - msg.msg_iov->iov_len = 128; - msg.msg_control = 0; - msg.msg_controllen = 0; - msg.msg_flags = 0; - if (recvmsg(sock_fd, &msg, 0) == -1) { - perror("recvmsg() error\n"); - close(sock_fd); - exit(1); - } - - printf("receive data from server:%s\n", recvBuffer); - - close(sock_fd); - - return 0; -} - -/***************** rds_server.c ********************/ - -int main(void) -{ - struct sockaddr_in fromAddr; - int sock_fd; - struct sockaddr_in serverAddr; - unsigned int addrLen; - char recvBuffer[128]; - struct msghdr msg; - struct iovec iov; - - sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0); - if(sock_fd < 0) { - perror("create socket error\n"); - exit(0); - } - - memset(&serverAddr, 0, sizeof(serverAddr)); - serverAddr.sin_family = AF_INET; - serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1"); - serverAddr.sin_port = htons(4000); - if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) { - perror("bind error\n"); - close(sock_fd); - exit(1); - } - - printf("server is waiting to receive data...\n"); - msg.msg_name = &fromAddr; - - /* - * I add 16 to sizeof(fromAddr), ie 32, - * and pay attention to the definition of fromAddr, - * recvmsg() will overwrite sock_fd, - * since kernel will copy 32 bytes to userspace. - * - * If you just use sizeof(fromAddr), it works fine. - * */ - msg.msg_namelen = sizeof(fromAddr) + 16; - /* msg.msg_namelen = sizeof(fromAddr); */ - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_iov->iov_base = recvBuffer; - msg.msg_iov->iov_len = 128; - msg.msg_control = 0; - msg.msg_controllen = 0; - msg.msg_flags = 0; - - while (1) { - printf("old socket fd=%d\n", sock_fd); - if (recvmsg(sock_fd, &msg, 0) == -1) { - perror("recvmsg() error\n"); - close(sock_fd); - exit(1); - } - printf("server received data from client:%s\n", recvBuffer); - printf("msg.msg_namelen=%d\n", msg.msg_namelen); - printf("new socket fd=%d\n", sock_fd); - strcat(recvBuffer, "--data from server"); - if (sendmsg(sock_fd, &msg, 0) == -1) { - perror("sendmsg()\n"); - close(sock_fd); - exit(1); - } - } - - close(sock_fd); - return 0; -} - -Signed-off-by: Weiping Pan -Signed-off-by: David S. Miller ---- - net/rds/recv.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/rds/recv.c b/net/rds/recv.c -index 5c6e9f1..9f0f17c 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - - rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); - -+ msg->msg_namelen = 0; -+ - if (msg_flags & MSG_OOB) - goto out; - -@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - sin->sin_port = inc->i_hdr.h_sport; - sin->sin_addr.s_addr = inc->i_saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ msg->msg_namelen = sizeof(*sin); - } - break; - } diff --git a/debian/patches/bugfix/all/tg3-Fix-TSO-CAP-for-5704-devs-w-ASF-enabled.patch b/debian/patches/bugfix/all/tg3-Fix-TSO-CAP-for-5704-devs-w-ASF-enabled.patch deleted file mode 100644 index 00e50676c..000000000 --- a/debian/patches/bugfix/all/tg3-Fix-TSO-CAP-for-5704-devs-w-ASF-enabled.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Matt Carlson -Date: Mon, 28 Nov 2011 09:41:03 +0000 -Subject: tg3: Fix TSO CAP for 5704 devs w / ASF enabled - -commit cf9ecf4b631f649a964fa611f1a5e8874f2a76db upstream. - -On the earliest TSO capable devices, TSO was accomplished through -firmware. The TSO cannot coexist with ASF management firmware though. -The tg3 driver determines whether or not ASF is enabled by calling -tg3_get_eeprom_hw_cfg(), which checks a particular bit of NIC memory. -Commit dabc5c670d3f86d15ee4f42ab38ec5bd2682487d, entitled "tg3: Move -TSO_CAPABLE assignment", accidentally moved the code that determines -TSO capabilities earlier than the call to tg3_get_eeprom_hw_cfg(). As a -consequence, the driver was attempting to determine TSO capabilities -before it had all the data it needed to make the decision. - -This patch fixes the problem by revisiting and reevaluating the decision -after tg3_get_eeprom_hw_cfg() is called. - -Signed-off-by: Matt Carlson -Signed-off-by: Michael Chan -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/broadcom/tg3.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c -index 0acb279..0c695dc 100644 ---- a/drivers/net/ethernet/broadcom/tg3.c -+++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -13988,9 +13988,13 @@ static int __devinit tg3_get_invariants(struct tg3 *tp) - if (tg3_flag(tp, HW_TSO_1) || - tg3_flag(tp, HW_TSO_2) || - tg3_flag(tp, HW_TSO_3) || -- (tp->fw_needed && !tg3_flag(tp, ENABLE_ASF))) -+ tp->fw_needed) { -+ /* For firmware TSO, assume ASF is disabled. -+ * We'll disable TSO later if we discover ASF -+ * is enabled in tg3_get_eeprom_hw_cfg(). -+ */ - tg3_flag_set(tp, TSO_CAPABLE); -- else { -+ } else { - tg3_flag_clear(tp, TSO_CAPABLE); - tg3_flag_clear(tp, TSO_BUG); - tp->fw_needed = NULL; -@@ -14266,6 +14270,12 @@ static int __devinit tg3_get_invariants(struct tg3 *tp) - */ - tg3_get_eeprom_hw_cfg(tp); - -+ if (tp->fw_needed && tg3_flag(tp, ENABLE_ASF)) { -+ tg3_flag_clear(tp, TSO_CAPABLE); -+ tg3_flag_clear(tp, TSO_BUG); -+ tp->fw_needed = NULL; -+ } -+ - if (tg3_flag(tp, ENABLE_APE)) { - /* Allow reads and writes to the - * APE register and memory space. diff --git a/debian/patches/debian/hid-avoid-ABI-change-in-3.2.31.patch b/debian/patches/debian/hid-avoid-ABI-change-in-3.2.31.patch new file mode 100644 index 000000000..f1ba88ffe --- /dev/null +++ b/debian/patches/debian/hid-avoid-ABI-change-in-3.2.31.patch @@ -0,0 +1,41 @@ +From: Ben Hutchings +Subject: hid: Avoid ABI change in 3.2.31 + +Commit b6787242f32700377d3da3b8d788ab3928bab849 ('HID: hidraw: add +proper error handling to raw event reporting') changed the return type +of hid_report_raw_event() and hidraw_report_event() from void to int +(an error number). Any existing OOT callers are going to ignore this +value, whether or not they get recompiled. Therefore, hide the change +from genksyms. +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -875,8 +875,14 @@ static inline int hid_hw_power(struct hi + return hdev->ll_driver->power ? hdev->ll_driver->power(hdev, level) : 0; + } + ++#ifdef __GENKSYMS__ ++/* Old callers will ignore the return value even if we change the return type */ ++void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++ int interrupt); ++#else + int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, + int interrupt); ++#endif + + extern int hid_generic_init(void); + extern void hid_generic_exit(void); +--- a/include/linux/hidraw.h ++++ b/include/linux/hidraw.h +@@ -76,7 +76,12 @@ struct hidraw_list { + #ifdef CONFIG_HIDRAW + int hidraw_init(void); + void hidraw_exit(void); ++#ifdef __GENKSYMS__ ++/* Old callers will ignore the return value even if we change the return type */ ++void hidraw_report_event(struct hid_device *, u8 *, int); ++#else + int hidraw_report_event(struct hid_device *, u8 *, int); ++#endif + int hidraw_connect(struct hid_device *); + void hidraw_disconnect(struct hid_device *); + #else diff --git a/debian/patches/debian/xfrm-avoid-ABI-change-in-3.2.31.patch b/debian/patches/debian/xfrm-avoid-ABI-change-in-3.2.31.patch new file mode 100644 index 000000000..2997c32c1 --- /dev/null +++ b/debian/patches/debian/xfrm-avoid-ABI-change-in-3.2.31.patch @@ -0,0 +1,28 @@ +From: Ben Hutchings +Subject: xfrm: Avoid ABI change in 3.2.31 + +Commit 3b59df46a449ec9975146d71318c4777ad086744 ('xfrm: Workaround +incompatibility of ESN and async crypto') added a new operation +'recheck' to struct xfrm_replay. There is only one instance which +needs this to be different than 'check'. So instead of adding the +operation, check whether we're using that instance and call the +recheck implementation directly. + +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -269,11 +269,13 @@ struct xfrm_replay { + int (*check)(struct xfrm_state *x, + struct sk_buff *skb, + __be32 net_seq); ++ void (*notify)(struct xfrm_state *x, int event); ++ int (*overflow)(struct xfrm_state *x, struct sk_buff *skb); ++#ifndef __GENKSYMS__ + int (*recheck)(struct xfrm_state *x, + struct sk_buff *skb, + __be32 net_seq); +- void (*notify)(struct xfrm_state *x, int event); +- int (*overflow)(struct xfrm_state *x, struct sk_buff *skb); ++#endif + }; + + struct net_device; diff --git a/debian/patches/series b/debian/patches/series index 794387b94..565970366 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -387,7 +387,6 @@ features/all/bql/ixgbe-add-support-for-byte-queue-limits.patch features/all/bql/igb-ixgbe-netdev_tx_reset_queue-incorrectly-called-from-tx-init.patch features/all/bql/skge-add-byte-queue-limit-support.patch -bugfix/all/rds-set-correct-msg_namelen.patch bugfix/all/PCI-PM-Runtime-make-PCI-traces-quieter.patch bugfix/all/media-rc-ite-cir-Initialise-ite_dev-rdev-earlier.patch features/all/USB-add-USB_VENDOR_AND_INTERFACE_INFO-macro.patch @@ -398,6 +397,7 @@ bugfix/x86/drm-i915-i8xx-interrupt-handler.patch features/arm/ahci-Add-JMicron-362-device-IDs.patch bugfix/all/speakup-lower-default-software-speech-rate.patch debian/perf-hide-abi-change-in-3.2.30.patch -bugfix/all/tg3-Fix-TSO-CAP-for-5704-devs-w-ASF-enabled.patch bugfix/all/SUNRPC-Set-alloc_slot-for-backchannel-tcp-ops.patch debian/iwlwifi-do-not-request-unreleased-firmware.patch +debian/hid-avoid-ABI-change-in-3.2.31.patch +debian/xfrm-avoid-ABI-change-in-3.2.31.patch