authorBen Hutchings <ben@decadent.org.uk>2017-02-26 20:01:39 +0000
committerBen Hutchings <ben@decadent.org.uk>2017-02-26 20:01:39 +0000
commitb1ab20d47d76269a567a0f1bfd333223fa4a97e9 (patch)
tree73f2ef2a3d4f7ec32d9cc338362fbd2fcb1e581f /releases
parent78864b38f8c2f24dbe7a910116ca0e5890a0cbb5 (diff)
downloadlinux-stable-queue-b1ab20d47d76269a567a0f1bfd333223fa4a97e9.tar.gz
Release 3.2.86
Diffstat (limited to 'releases')
-rw-r--r--releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch44
-rw-r--r--releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch62
-rw-r--r--releases/3.2.86/series4
-rw-r--r--releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch43
-rw-r--r--releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch37
5 files changed, 190 insertions, 0 deletions
diff --git a/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch b/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
new file mode 100644
index 00000000..3dedb32f
--- /dev/null
+++ b/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
@@ -0,0 +1,44 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 16 Feb 2017 17:22:46 +0100
+Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+
+commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 upstream.
+
+In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
+is forcibly freed via __kfree_skb in dccp_rcv_state_process if
+dccp_v6_conn_request successfully returns.
+
+However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
+is saved to ireq->pktopts and the ref count for skb is incremented in
+dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
+in dccp_rcv_state_process.
+
+Fix by calling consume_skb instead of doing goto discard and therefore
+calling __kfree_skb.
+
+Similar fixes for TCP:
+
+fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
+0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
+simply consumed
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/dccp/input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *
+ if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ skb) < 0)
+ return 1;
+- goto discard;
++ consume_skb(skb);
++ return 0;
+ }
+ if (dh->dccph_type == DCCP_PKT_RESET)
+ goto discard;
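Review bot: The patch description for the dccp fix carries no `Fixes:` trailer naming the commit that introduced the early free, whereas the tcp and kl5kusb105 patches in this same release do; for a stable backport of a use-after-free/double-free that trailer is what lets other stable maintainers decide whether their tree is affected. The code change itself is the upstream one: on a successful conn_request the skb is now released with `consume_skb(skb); return 0;` instead of `goto discard`, which is correct because the IPv6 path may have taken its own reference via pktopts. The surrounding function dccp_rcv_state_process begins and ends outside the quoted hunk, so the `discard` label and the IPv4 conn_request path are not visible here; I am assuming the IPv4 path takes no extra reference and that `consume_skb` is therefore the only release on that branch.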
diff --git a/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch b/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
new file mode 100644
index 00000000..98fafb0f
--- /dev/null
+++ b/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
@@ -0,0 +1,62 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Mon, 12 Dec 2016 11:01:37 -0800
+Subject: kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
+
+commit ef85b67385436ddc1998f45f1d6a210f935b3388 upstream.
+
+When L2 exits to L0 due to "exception or NMI", software exceptions
+(#BP and #OF) for which L1 has requested an intercept should be
+handled by L1 rather than L0. Previously, only hardware exceptions
+were forwarded to L1.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -876,10 +876,10 @@ static inline bool nested_cpu_has_virtua
+ return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS;
+ }
+
+-static inline bool is_exception(u32 intr_info)
++static inline bool is_nmi(u32 intr_info)
+ {
+ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
+- == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
++ == (INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK);
+ }
+
+ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu);
+@@ -4225,7 +4225,7 @@ static int handle_exception(struct kvm_v
+ return 0;
+ }
+
+- if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
++ if (is_nmi(intr_info))
+ return 1; /* already handled by vmx_vcpu_run() */
+
+ if (is_no_device(intr_info)) {
+@@ -5773,7 +5773,7 @@ static bool nested_vmx_exit_handled(stru
+
+ switch (exit_reason) {
+ case EXIT_REASON_EXCEPTION_NMI:
+- if (!is_exception(intr_info))
++ if (is_nmi(intr_info))
+ return 0;
+ else if (is_page_fault(intr_info))
+ return enable_ept;
+@@ -5973,8 +5973,7 @@ static void vmx_complete_atomic_exit(str
+ kvm_machine_check();
+
+ /* We need to handle NMIs before interrupts are enabled */
+- if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR &&
+- (exit_intr_info & INTR_INFO_VALID_MASK)) {
++ if (is_nmi(exit_intr_info)) {
+ kvm_before_handle_nmi(&vmx->vcpu);
+ asm("int $2");
+ kvm_after_handle_nmi(&vmx->vcpu);
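Review bot: In the `handle_exception` hunk the replaced test `(intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR` did not look at `INTR_INFO_VALID_MASK`, while the new `is_nmi(intr_info)` requires it, so this hunk slightly tightens the 3.2 behaviour rather than being a pure rename; that is presumably harmless because an exception/NMI exit always carries a valid intr_info, but it is worth a sentence in the backport note next to `[bwh: Backported to 3.2: adjust context]`. The same patch removes `is_exception` entirely; since the backport only adjusted context, it would be good to confirm that no other 3.2 caller of `is_exception` remains in arch/x86/kvm/vmx.c, otherwise the build breaks. Each of the four inner hunks sits inside a function (`handle_exception`, `nested_vmx_exit_handled`, `vmx_complete_atomic_exit`) whose start and end lie outside what is quoted.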
diff --git a/releases/3.2.86/series b/releases/3.2.86/series
new file mode 100644
index 00000000..a697280a
--- /dev/null
+++ b/releases/3.2.86/series
@@ -0,0 +1,4 @@
+kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
+usb-serial-kl5kusb105-fix-line-state-error-handling.patch
+dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
+tcp-avoid-infinite-loop-in-tcp_splice_read.patch
diff --git a/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch b/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
new file mode 100644
index 00000000..8246cedc
--- /dev/null
+++ b/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
@@ -0,0 +1,43 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: tcp: avoid infinite loop in tcp_splice_read()
+
+commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 upstream.
+
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+
+Again, this gem was found by syzkaller tool.
+
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -659,6 +659,12 @@ ssize_t tcp_splice_read(struct socket *s
+ ret = -EAGAIN;
+ break;
+ }
++ /* if __tcp_splice_read() got nothing while we have
++ * an skb in receive queue, we do not want to loop.
++ * This might happen with URG data.
++ */
++ if (!skb_queue_empty(&sk->sk_receive_queue))
++ break;
+ sk_wait_data(sk, &timeo);
+ if (signal_pending(current)) {
+ ret = sock_intr_errno(timeo);
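Review bot: The new `break` exits the splice loop with whatever `ret` currently holds, and the return logic of tcp_splice_read that decides between the spliced byte count and `ret` lies outside the quoted hunk, so a reader cannot see from this patch what user space observes when the only queued skb is the unconsumable URG one; if that is a zero return without -EAGAIN, a one-line note in the added comment such as `* Return what we have rather than spin; the caller sees a short read.` would document it. The placement after the `ret = -EAGAIN; break;` check is right, since non-blocking sockets keep their -EAGAIN result. The enclosing loop begins before and ends after this hunk.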
diff --git a/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
new file mode 100644
index 00000000..92bf9ea0
--- /dev/null
+++ b/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Jan 2017 12:05:37 +0100
+Subject: USB: serial: kl5kusb105: fix line-state error handling
+
+commit 146cc8a17a3b4996f6805ee5c080e7101277c410 upstream.
+
+The current implementation failed to detect short transfers when
+attempting to read the line state, and also, to make things worse,
+logged the content of the uninitialised heap transfer buffer.
+
+Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/kl5kusb105.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -209,10 +209,11 @@ static int klsi_105_get_line_state(struc
+ status_buf, KLSI_STATUSBUF_LEN,
+ 10000
+ );
+- if (rc < 0)
+- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
+- rc);
+- else {
++ if (rc != KLSI_STATUSBUF_LEN) {
++ dev_err(&port->dev, "reading line status failed: %d\n", rc);
++ if (rc >= 0)
++ rc = -EIO;
++ } else {
+ status = get_unaligned_le16(status_buf);
+
+ dev_info(&port->serial->dev->dev, "read status %x %x",
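Review bot: The new `if (rc != KLSI_STATUSBUF_LEN)` branch only normalises a short positive transfer to -EIO and leaves negative usb_control_msg errors as they are, which is the right ordering; however the quoted hunk ends before the function's return and before any write to the line-state out-parameter, so it is not visible here whether a caller that ignores the return value could still consume a stale `status`. If the out-parameter is only assigned inside the `else` branch, a short comment on the error branch such as `/* leave *line_state untouched; caller must check rc */` would make that contract explicit. The enclosing function klsi_105_get_line_state starts and ends outside the hunk.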