<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net, branch v3.14.70</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>atl2: Disable unimplemented scatter/gather feature</title>
<updated>2016-05-19T00:04:01+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2016-04-20T22:23:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d6b8a68ac7b6d2e241f8d34b769c98a1793d9124'/>
<id>d6b8a68ac7b6d2e241f8d34b769c98a1793d9124</id>
<content type='text'>
[ Upstream commit f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 ]

atl2 includes NETIF_F_SG in hw_features even though it has no support
for non-linear skbs.  This bug was originally harmless since the
driver does not claim to implement checksum offload and that used to
be a requirement for SG.

Now that SG and checksum offload are independent features, if you
explicitly enable SG *and* use one of the rare protocols that can use
SG without checkusm offload, this potentially leaks sensitive
information (before you notice that it just isn't working).  Therefore
this obscure bug has been designated CVE-2016-2117.

Reported-by: Justin Yackoski &lt;jyackoski@crypto-nite.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 ]

atl2 includes NETIF_F_SG in hw_features even though it has no support
for non-linear skbs.  This bug was originally harmless since the
driver does not claim to implement checksum offload and that used to
be a requirement for SG.

Now that SG and checksum offload are independent features, if you
explicitly enable SG *and* use one of the rare protocols that can use
SG without checkusm offload, this potentially leaks sensitive
information (before you notice that it just isn't working).  Therefore
this obscure bug has been designated CVE-2016-2117.

Reported-by: Justin Yackoski &lt;jyackoski@crypto-nite.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jme: Fix device PM wakeup API usage</title>
<updated>2016-05-04T21:51:26+00:00</updated>
<author>
<name>Guo-Fu Tseng</name>
<email>cooldavid@cooldavid.org</email>
</author>
<published>2016-03-05T00:11:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bfdaced9ab7d00ffa857a23cdfb30d82986d96ee'/>
<id>bfdaced9ab7d00ffa857a23cdfb30d82986d96ee</id>
<content type='text'>
commit 81422e672f8181d7ad1ee6c60c723aac649f538f upstream.

According to Documentation/power/devices.txt

The driver should not use device_set_wakeup_enable() which is the policy
for user to decide.

Using device_init_wakeup() to initialize dev-&gt;power.should_wakeup and
dev-&gt;power.can_wakeup on driver initialization.

And use device_may_wakeup() on suspend to decide if WoL function should
be enabled on NIC.

Reported-by: Diego Viola &lt;diego.viola@gmail.com&gt;
Signed-off-by: Guo-Fu Tseng &lt;cooldavid@cooldavid.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 81422e672f8181d7ad1ee6c60c723aac649f538f upstream.

According to Documentation/power/devices.txt

The driver should not use device_set_wakeup_enable() which is the policy
for user to decide.

Using device_init_wakeup() to initialize dev-&gt;power.should_wakeup and
dev-&gt;power.can_wakeup on driver initialization.

And use device_may_wakeup() on suspend to decide if WoL function should
be enabled on NIC.

Reported-by: Diego Viola &lt;diego.viola@gmail.com&gt;
Signed-off-by: Guo-Fu Tseng &lt;cooldavid@cooldavid.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>jme: Do not enable NIC WoL functions on S0</title>
<updated>2016-05-04T21:51:26+00:00</updated>
<author>
<name>Guo-Fu Tseng</name>
<email>cooldavid@cooldavid.org</email>
</author>
<published>2016-03-05T00:11:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=560fd2871ea67293e36e00c0af2fc0b2c51e6cd1'/>
<id>560fd2871ea67293e36e00c0af2fc0b2c51e6cd1</id>
<content type='text'>
commit 0772a99b818079e628a1da122ac7ee023faed83e upstream.

Otherwise it might be back on resume right after going to suspend in
some hardware.

Reported-by: Diego Viola &lt;diego.viola@gmail.com&gt;
Signed-off-by: Guo-Fu Tseng &lt;cooldavid@cooldavid.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0772a99b818079e628a1da122ac7ee023faed83e upstream.

Otherwise it might be back on resume right after going to suspend in
some hardware.

Reported-by: Diego Viola &lt;diego.viola@gmail.com&gt;
Signed-off-by: Guo-Fu Tseng &lt;cooldavid@cooldavid.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>qmi_wwan: add "D-Link DWM-221 B1" device id</title>
<updated>2016-04-20T06:40:43+00:00</updated>
<author>
<name>Bjørn Mork</name>
<email>bjorn@mork.no</email>
</author>
<published>2016-03-28T20:38:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50474f1f92b45dac3c63c079698e37f83d3d5084'/>
<id>50474f1f92b45dac3c63c079698e37f83d3d5084</id>
<content type='text'>
[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]

Thomas reports:
"Windows:

00 diagnostics
01 modem
02 at-port
03 nmea
04 nic

Linux:

T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(&gt;ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2001 ProdID=7e19 Rev=02.32
S:  Manufacturer=Mobile Connect
S:  Product=Mobile Connect
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"

Reported-by: Thomas Schäfer &lt;tschaefer@t-online.de&gt;
Signed-off-by: Bjørn Mork &lt;bjorn@mork.no&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]

Thomas reports:
"Windows:

00 diagnostics
01 modem
02 at-port
03 nmea
04 nic

Linux:

T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(&gt;ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2001 ProdID=7e19 Rev=02.32
S:  Manufacturer=Mobile Connect
S:  Product=Mobile Connect
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"

Reported-by: Thomas Schäfer &lt;tschaefer@t-online.de&gt;
Signed-off-by: Bjørn Mork &lt;bjorn@mork.no&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ppp: take reference on channels netns</title>
<updated>2016-04-20T06:40:43+00:00</updated>
<author>
<name>Guillaume Nault</name>
<email>g.nault@alphalink.fr</email>
</author>
<published>2016-03-23T15:38:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d6c3459438d6c0bab867b79c35db7e154648ad1'/>
<id>2d6c3459438d6c0bab867b79c35db7e154648ad1</id>
<content type='text'>
[ Upstream commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 ]

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[&lt;      none      &gt;] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[&lt;      none      &gt;] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[&lt;     inline     &gt;] slab_alloc_node kernel/mm/slub.c:2532
[&lt;     inline     &gt;] slab_alloc kernel/mm/slub.c:2574
[&lt;      none      &gt;] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[&lt;     inline     &gt;] kmem_cache_zalloc kernel/include/linux/slab.h:597
[&lt;     inline     &gt;] net_alloc kernel/net/core/net_namespace.c:325
[&lt;      none      &gt;] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[&lt;      none      &gt;] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[&lt;      none      &gt;] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[&lt;      none      &gt;] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[&lt;     inline     &gt;] copy_process kernel/kernel/fork.c:1274
[&lt;      none      &gt;] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[&lt;     inline     &gt;] SYSC_clone kernel/kernel/fork.c:1832
[&lt;      none      &gt;] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[&lt;      none      &gt;] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[&lt;      none      &gt;] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[&lt;     inline     &gt;] slab_free kernel/mm/slub.c:2805
[&lt;      none      &gt;] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[&lt;     inline     &gt;] net_free kernel/net/core/net_namespace.c:341
[&lt;      none      &gt;] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[&lt;      none      &gt;] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[&lt;      none      &gt;] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[&lt;      none      &gt;] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[&lt;      none      &gt;] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[&lt;      none      &gt;] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
 [&lt;     inline     &gt;] __dump_stack kernel/lib/dump_stack.c:15
 [&lt;ffffffff8292049d&gt;] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [&lt;ffffffff816f2054&gt;] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [&lt;ffffffff816f875f&gt;] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [&lt;     inline     &gt;] print_address_description kernel/mm/kasan/report.c:138
 [&lt;ffffffff816fb0c5&gt;] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
 [&lt;     inline     &gt;] kasan_report kernel/mm/kasan/report.c:259
 [&lt;ffffffff816fb4de&gt;] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
 [&lt;     inline     &gt;] ? ppp_pernet kernel/include/linux/compiler.h:218
 [&lt;ffffffff83ad71b2&gt;] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;     inline     &gt;] ppp_pernet kernel/include/linux/compiler.h:218
 [&lt;ffffffff83ad71b2&gt;] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;     inline     &gt;] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
 [&lt;ffffffff83ad6f26&gt;] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;ffffffff83ae18f3&gt;] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
 [&lt;ffffffff83ae1850&gt;] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
 [&lt;ffffffff82c33239&gt;] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
 [&lt;ffffffff82c332c0&gt;] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
 [&lt;ffffffff82c34943&gt;] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
 [&lt;ffffffff82c1ef21&gt;] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
 [&lt;ffffffff82c1e460&gt;] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
 [&lt;ffffffff8174de36&gt;] __fput+0x236/0x780 kernel/fs/file_table.c:208
 [&lt;ffffffff8174e405&gt;] ____fput+0x15/0x20 kernel/fs/file_table.c:244
 [&lt;ffffffff813595ab&gt;] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
 [&lt;     inline     &gt;] exit_task_work kernel/include/linux/task_work.h:21
 [&lt;ffffffff81307105&gt;] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [&lt;ffffffff813fdd20&gt;] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
 [&lt;ffffffff81306850&gt;] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
 [&lt;ffffffff813215e6&gt;] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [&lt;ffffffff8132067b&gt;] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
 [&lt;ffffffff81309628&gt;] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [&lt;ffffffff8132b9d4&gt;] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [&lt;     inline     &gt;] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [&lt;ffffffff8151d355&gt;] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
 [&lt;ffffffff8115f7d3&gt;] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [&lt;ffffffff8151d2a0&gt;] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
 [&lt;ffffffff8115f750&gt;] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
 [&lt;ffffffff81380864&gt;] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
 [&lt;     inline     &gt;] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [&lt;ffffffff81380560&gt;] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
 [&lt;     inline     &gt;] ? context_switch kernel/kernel/sched/core.c:2807
 [&lt;ffffffff85d794e9&gt;] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [&lt;ffffffff81003901&gt;] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
 [&lt;     inline     &gt;] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
 [&lt;ffffffff810062ef&gt;] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
 [&lt;ffffffff85d88022&gt;] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
&gt;ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Signed-off-by: Guillaume Nault &lt;g.nault@alphalink.fr&gt;
Reviewed-by: Cyrill Gorcunov &lt;gorcunov@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 ]

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[&lt;      none      &gt;] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[&lt;      none      &gt;] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[&lt;     inline     &gt;] slab_alloc_node kernel/mm/slub.c:2532
[&lt;     inline     &gt;] slab_alloc kernel/mm/slub.c:2574
[&lt;      none      &gt;] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[&lt;     inline     &gt;] kmem_cache_zalloc kernel/include/linux/slab.h:597
[&lt;     inline     &gt;] net_alloc kernel/net/core/net_namespace.c:325
[&lt;      none      &gt;] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[&lt;      none      &gt;] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[&lt;      none      &gt;] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[&lt;      none      &gt;] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[&lt;     inline     &gt;] copy_process kernel/kernel/fork.c:1274
[&lt;      none      &gt;] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[&lt;     inline     &gt;] SYSC_clone kernel/kernel/fork.c:1832
[&lt;      none      &gt;] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[&lt;      none      &gt;] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[&lt;      none      &gt;] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[&lt;     inline     &gt;] slab_free kernel/mm/slub.c:2805
[&lt;      none      &gt;] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[&lt;     inline     &gt;] net_free kernel/net/core/net_namespace.c:341
[&lt;      none      &gt;] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[&lt;      none      &gt;] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[&lt;      none      &gt;] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[&lt;      none      &gt;] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[&lt;      none      &gt;] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[&lt;      none      &gt;] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
 [&lt;     inline     &gt;] __dump_stack kernel/lib/dump_stack.c:15
 [&lt;ffffffff8292049d&gt;] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [&lt;ffffffff816f2054&gt;] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [&lt;ffffffff816f875f&gt;] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [&lt;     inline     &gt;] print_address_description kernel/mm/kasan/report.c:138
 [&lt;ffffffff816fb0c5&gt;] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
 [&lt;     inline     &gt;] kasan_report kernel/mm/kasan/report.c:259
 [&lt;ffffffff816fb4de&gt;] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
 [&lt;     inline     &gt;] ? ppp_pernet kernel/include/linux/compiler.h:218
 [&lt;ffffffff83ad71b2&gt;] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;     inline     &gt;] ppp_pernet kernel/include/linux/compiler.h:218
 [&lt;ffffffff83ad71b2&gt;] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;     inline     &gt;] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
 [&lt;ffffffff83ad6f26&gt;] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [&lt;ffffffff83ae18f3&gt;] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
 [&lt;ffffffff83ae1850&gt;] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
 [&lt;ffffffff82c33239&gt;] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
 [&lt;ffffffff82c332c0&gt;] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
 [&lt;ffffffff82c34943&gt;] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
 [&lt;ffffffff82c1ef21&gt;] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
 [&lt;ffffffff82c1e460&gt;] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
 [&lt;ffffffff8174de36&gt;] __fput+0x236/0x780 kernel/fs/file_table.c:208
 [&lt;ffffffff8174e405&gt;] ____fput+0x15/0x20 kernel/fs/file_table.c:244
 [&lt;ffffffff813595ab&gt;] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
 [&lt;     inline     &gt;] exit_task_work kernel/include/linux/task_work.h:21
 [&lt;ffffffff81307105&gt;] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [&lt;ffffffff813fdd20&gt;] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
 [&lt;ffffffff81306850&gt;] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
 [&lt;ffffffff813215e6&gt;] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [&lt;ffffffff8132067b&gt;] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
 [&lt;ffffffff81309628&gt;] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [&lt;ffffffff8132b9d4&gt;] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [&lt;     inline     &gt;] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [&lt;ffffffff8151d355&gt;] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
 [&lt;ffffffff8115f7d3&gt;] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [&lt;ffffffff8151d2a0&gt;] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
 [&lt;ffffffff8115f750&gt;] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
 [&lt;ffffffff81380864&gt;] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
 [&lt;     inline     &gt;] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [&lt;ffffffff81380560&gt;] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
 [&lt;     inline     &gt;] ? context_switch kernel/kernel/sched/core.c:2807
 [&lt;ffffffff85d794e9&gt;] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [&lt;ffffffff81003901&gt;] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
 [&lt;     inline     &gt;] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
 [&lt;ffffffff810062ef&gt;] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
 [&lt;ffffffff85d88022&gt;] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
&gt;ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Signed-off-by: Guillaume Nault &lt;g.nault@alphalink.fr&gt;
Reviewed-by: Cyrill Gorcunov &lt;gorcunov@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>qlge: Fix receive packets drop.</title>
<updated>2016-04-20T06:40:42+00:00</updated>
<author>
<name>Manish Chopra</name>
<email>manish.chopra@qlogic.com</email>
</author>
<published>2016-03-15T11:13:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fd87f95c015280aa087f04cbc1f7d8061e3b34a8'/>
<id>fd87f95c015280aa087f04cbc1f7d8061e3b34a8</id>
<content type='text'>
[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]

When running small packets [length &lt; 256 bytes] traffic, packets were
being dropped due to invalid data in those packets which were
delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
ensures copying latest and updated data into skb from the receive buffer.

Signed-off-by: Sony Chacko &lt;sony.chacko@qlogic.com&gt;
Signed-off-by: Manish Chopra &lt;manish.chopra@qlogic.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]

When running small packets [length &lt; 256 bytes] traffic, packets were
being dropped due to invalid data in those packets which were
delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
ensures copying latest and updated data into skb from the receive buffer.

Signed-off-by: Sony Chacko &lt;sony.chacko@qlogic.com&gt;
Signed-off-by: Manish Chopra &lt;manish.chopra@qlogic.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath9k: fix buffer overrun for ar9287</title>
<updated>2016-04-20T06:40:42+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2016-03-14T14:18:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d805f291ee2f594c015c9411d20d41e7e56f1bc6'/>
<id>d805f291ee2f594c015c9411d20d41e7e56f1bc6</id>
<content type='text'>
[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]

Code that was added back in 2.6.38 has an obvious overflow
when accessing a static array, and at the time it was added
only a code comment was put in front of it as a reminder
to have it reviewed properly.

This has not happened, but gcc-6 now points to the specific
overflow:

drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
     maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
                   ~~~~~~~~~~~~~~~~~~~~~~~~~^~~

It turns out that the correct array length exists in the local
'intercepts' variable of this function, so we can just use that
instead of hardcoding '4', so this patch changes all three
instances to use that variable. The other two instances were
already correct, but it's more consistent this way.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]

Code that was added back in 2.6.38 has an obvious overflow
when accessing a static array, and at the time it was added
only a code comment was put in front of it as a reminder
to have it reviewed properly.

This has not happened, but gcc-6 now points to the specific
overflow:

drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
     maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
                   ~~~~~~~~~~~~~~~~~~~~~~~~~^~~

It turns out that the correct array length exists in the local
'intercepts' variable of this function, so we can just use that
instead of hardcoding '4', so this patch changes all three
instances to use that variable. The other two instances were
already correct, but it's more consistent this way.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>farsync: fix off-by-one bug in fst_add_one</title>
<updated>2016-04-20T06:40:42+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2016-03-14T14:18:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=26a628c5c79d35a0f121179beeed635f4930e801'/>
<id>26a628c5c79d35a0f121179beeed635f4930e801</id>
<content type='text'>
[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]

gcc-6 finds an out of bounds access in the fst_add_one function
when calculating the end of the mmio area:

drivers/net/wan/farsync.c: In function 'fst_add_one':
drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
 #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                     ^
include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
  __builtin_offsetof(a, b)
                     ^
drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
 #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                     ^~~~~~~~
drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                  + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                    ^~~~~~~~~~

The warning is correct, but not critical because this appears
to be a write-only variable that is set by each WAN driver but
never accessed afterwards.

I'm taking the minimal fix here, using the correct pointer by
pointing 'mem_end' to the last byte inside of the register area
as all other WAN drivers do, rather than the first byte outside of
it. An alternative would be to just remove the mem_end member
entirely.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]

gcc-6 finds an out of bounds access in the fst_add_one function
when calculating the end of the mmio area:

drivers/net/wan/farsync.c: In function 'fst_add_one':
drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
 #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                     ^
include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
  __builtin_offsetof(a, b)
                     ^
drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
 #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                     ^~~~~~~~
drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                  + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                    ^~~~~~~~~~

The warning is correct, but not critical because this appears
to be a write-only variable that is set by each WAN driver but
never accessed afterwards.

I'm taking the minimal fix here, using the correct pointer by
pointing 'mem_end' to the last byte inside of the register area
as all other WAN drivers do, rather than the first byte outside of
it. An alternative would be to just remove the mem_end member
entirely.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sh_eth: fix NULL pointer dereference in sh_eth_ring_format()</title>
<updated>2016-04-20T06:40:41+00:00</updated>
<author>
<name>Sergei Shtylyov</name>
<email>sergei.shtylyov@cogentembedded.com</email>
</author>
<published>2016-03-07T22:36:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3b199517879d1db45a75aa1d9072a1374f661380'/>
<id>3b199517879d1db45a75aa1d9072a1374f661380</id>
<content type='text'>
[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]

In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
kernel oops by adding the 'rxdesc' check after the loop.

Reported-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Signed-off-by: Sergei Shtylyov &lt;sergei.shtylyov@cogentembedded.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]

In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
kernel oops by adding the 'rxdesc' check after the loop.

Reported-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Signed-off-by: Sergei Shtylyov &lt;sergei.shtylyov@cogentembedded.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbnet: cleanup after bind() in probe()</title>
<updated>2016-04-20T06:40:41+00:00</updated>
<author>
<name>Oliver Neukum</name>
<email>oneukum@suse.com</email>
</author>
<published>2016-03-07T10:31:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7f3216bee081816d415566a86a5bd3fcf2d5dcd7'/>
<id>7f3216bee081816d415566a86a5bd3fcf2d5dcd7</id>
<content type='text'>
[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum &lt;ONeukum@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum &lt;ONeukum@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
