)]}'
{
  "log": [
    {
      "commit": "514ddfedb89c19c57de82aedec8da2bd8ff3802c",
      "tree": "4a7c2c137effec29e674f73153a82f394612aa21",
      "parents": [
        "09c6cf7f980f1e8dbf58dc9ae0ebf4f6eb93cc0d"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Sat Sep 22 00:08:29 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:44 2012 +0900"
      },
      "message": "ipv4: raw: fix icmp_filter()\n\n[ Upstream commit ab43ed8b7490cb387782423ecf74aeee7237e591 ]\n\nicmp_filter() should not modify its input, or else its caller\nwould need to recompute ip_hdr() if skb-\u003ehead is reallocated.\n\nUse skb_header_pointer() instead of pskb_may_pull() and\nchange the prototype to make clear both sk and skb are const.\n\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "09c6cf7f980f1e8dbf58dc9ae0ebf4f6eb93cc0d",
      "tree": "f50557960f49a3f54e4e1df40a0364ce637d08df",
      "parents": [
        "6b8fc5c4eba92b5cd3c9ca0d926e99831604f81e"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Mon Sep 24 07:00:11 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:44 2012 +0900"
      },
      "message": "net: guard tcp_set_keepalive() to tcp sockets\n\n[ Upstream commit 3e10986d1d698140747fcfc2761ec9cb64c1d582 ]\n\nIts possible to use RAW sockets to get a crash in\ntcp_set_keepalive() / sk_reset_timer()\n\nFix is to make sure socket is a SOCK_STREAM one.\n\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "6b8fc5c4eba92b5cd3c9ca0d926e99831604f81e",
      "tree": "ff3dafa60edf6c064aefc1003fa41863aa624f3b",
      "parents": [
        "e043257dde697ded17ed99f280cdb7643fdc007a"
      ],
      "author": {
        "name": "Chema Gonzalez",
        "email": "chema@google.com",
        "time": "Fri Sep 07 13:40:50 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:44 2012 +0900"
      },
      "message": "net: small bug on rxhash calculation\n\n[ Upstream commit 6862234238e84648c305526af2edd98badcad1e0 ]\n\nIn the current rxhash calculation function, while the\nsorting of the ports/addrs is coherent (you get the\nsame rxhash for packets sharing the same 4-tuple, in\nboth directions), ports and addrs are sorted\nindependently. This implies packets from a connection\nbetween the same addresses but crossed ports hash to\nthe same rxhash.\n\nFor example, traffic between A\u003dS:l and B\u003dL:s is hashed\n(in both directions) from {L, S, {s, l}}. The same\nrxhash is obtained for packets between C\u003dS:s and D\u003dL:l.\n\nThis patch ensures that you either swap both addrs and ports,\nor you swap none. Traffic between A and B, and traffic\nbetween C and D, get their rxhash from different sources\n({L, S, {l, s}} for A\u003c-\u003eB, and {L, S, {s, l}} for C\u003c-\u003eD)\n\nThe patch is co-written with Eric Dumazet \u003cedumazet@google.com\u003e\n\nSigned-off-by: Chema Gonzalez \u003cchema@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "8d16c6268b7c3af2ce4f58de903588489e037fcf",
      "tree": "a4d19ab5bf251a234e882db1fb39e79c1fbe6e57",
      "parents": [
        "2033554a2fe3c5e54764f2f1dba0baff3261f8b5"
      ],
      "author": {
        "name": "Thomas Graf",
        "email": "tgraf@suug.ch",
        "time": "Mon Sep 03 04:27:42 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:44 2012 +0900"
      },
      "message": "sctp: Don\u0027t charge for data in sndbuf again when transmitting packet\n\n[ Upstream commit 4c3a5bdae293f75cdf729c6c00124e8489af2276 ]\n\nSCTP charges wmem_alloc via sctp_set_owner_w() in sctp_sendmsg() and via\nskb_set_owner_w() in sctp_packet_transmit(). If a sender runs out of\nsndbuf it will sleep in sctp_wait_for_sndbuf() and expects to be waken up\nby __sctp_write_space().\n\nBuffer space charged via sctp_set_owner_w() is released in sctp_wfree()\nwhich calls __sctp_write_space() directly.\n\nBuffer space charged via skb_set_owner_w() is released via sock_wfree()\nwhich calls sk-\u003esk_write_space() _if_ SOCK_USE_WRITE_QUEUE is not set.\nsctp_endpoint_init() sets SOCK_USE_WRITE_QUEUE on all sockets.\n\nTherefore if sctp_packet_transmit() manages to queue up more than sndbuf\nbytes, sctp_wait_for_sndbuf() will never be woken up again unless it is\ninterrupted by a signal.\n\nThis could be fixed by clearing the SOCK_USE_WRITE_QUEUE flag but ...\n\nCharging for the data twice does not make sense in the first place, it\nleads to overcharging sndbuf by a factor 2. Therefore this patch only\ncharges a single byte in wmem_alloc when transmitting an SCTP packet to\nensure that the socket stays alive until the packet has been released.\n\nThis means that control chunks are no longer accounted for in wmem_alloc\nwhich I believe is not a problem as skb-\u003etruesize will typically lead\nto overcharging anyway and thus compensates for any control overhead.\n\nSigned-off-by: Thomas Graf \u003ctgraf@suug.ch\u003e\nCC: Vlad Yasevich \u003cvyasevic@redhat.com\u003e\nCC: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nCC: David Miller \u003cdavem@davemloft.net\u003e\nAcked-by: Vlad Yasevich \u003cvyasevich@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "2033554a2fe3c5e54764f2f1dba0baff3261f8b5",
      "tree": "ac3133307617931783ead5088f05e6de216a89c4",
      "parents": [
        "410eafac650a906e990351a01ec70451064df83d"
      ],
      "author": {
        "name": "Michal Kubeček",
        "email": "mkubecek@suse.cz",
        "time": "Fri Sep 14 04:59:52 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:43 2012 +0900"
      },
      "message": "tcp: flush DMA queue before sk_wait_data if rcv_wnd is zero\n\n[ Upstream commit 15c041759bfcd9ab0a4e43f1c16e2644977d0467 ]\n\nIf recv() syscall is called for a TCP socket so that\n  - IOAT DMA is used\n  - MSG_WAITALL flag is used\n  - requested length is bigger than sk_rcvbuf\n  - enough data has already arrived to bring rcv_wnd to zero\nthen when tcp_recvmsg() gets to calling sk_wait_data(), receive\nwindow can be still zero while sk_async_wait_queue exhausts\nenough space to keep it zero. As this queue isn\u0027t cleaned until\nthe tcp_service_net_dma() call, sk_wait_data() cannot receive\nany data and blocks forever.\n\nIf zero receive window and non-empty sk_async_wait_queue is\ndetected before calling sk_wait_data(), process the queue first.\n\nSigned-off-by: Michal Kubecek \u003cmkubecek@suse.cz\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "410eafac650a906e990351a01ec70451064df83d",
      "tree": "9fc349433e6179e90b8234bd32c2ccca274b18ca",
      "parents": [
        "d5e36b089edcc8179d4640e1a8e5bca6fb74409e"
      ],
      "author": {
        "name": "Wei Yongjun",
        "email": "yongjun_wei@trendmicro.com.cn",
        "time": "Thu Sep 20 18:29:56 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:43 2012 +0900"
      },
      "message": "ipv6: fix return value check in fib6_add()\n\n[ Upstream commit f950c0ecc78f745e490d615280e031de4dbb1306 ]\n\nIn case of error, the function fib6_add_1() returns ERR_PTR()\nor NULL pointer. The ERR_PTR() case check is missing in fib6_add().\n\ndpatch engine is used to generated this patch.\n(https://github.com/weiyj/dpatch)\n\nSigned-off-by: Wei Yongjun \u003cyongjun_wei@trendmicro.com.cn\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "d5e36b089edcc8179d4640e1a8e5bca6fb74409e",
      "tree": "8e9cd19cc439a68a260f74f646f1a059f40dada1",
      "parents": [
        "17de307472bf21479e6d7c35211204b6ea186a7c"
      ],
      "author": {
        "name": "Nicolas Dichtel",
        "email": "nicolas.dichtel@6wind.com",
        "time": "Wed Sep 26 00:04:55 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:43 2012 +0900"
      },
      "message": "ipv6: del unreachable route when an addr is deleted on lo\n\n[ Upstream commit 64c6d08e6490fb18cea09bb03686c149946bd818 ]\n\nWhen an address is added on loopback (ip -6 a a 2002::1/128 dev lo), two routes\nare added:\n - one in the local table:\n    local 2002::1 via :: dev lo  proto none  metric 0\n - one the in main table (for the prefix):\n    unreachable 2002::1 dev lo  proto kernel  metric 256  error -101\n\nWhen the address is deleted, the route inserted in the main table remains\nbecause we use rt6_lookup(), which returns NULL when dst-\u003eerror is set, which\nis the case here! Thus, it is better to use ip6_route_lookup() to avoid this\nkind of filter.\n\nSigned-off-by: Nicolas Dichtel \u003cnicolas.dichtel@6wind.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "17de307472bf21479e6d7c35211204b6ea186a7c",
      "tree": "e90915dc70367e2252e35f2af7a9aeea992ceb30",
      "parents": [
        "2ab08687cf48805c5abd0f9a785e09181eda9492"
      ],
      "author": {
        "name": "Gao feng",
        "email": "gaofeng@cn.fujitsu.com",
        "time": "Wed Sep 19 19:25:34 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:43 2012 +0900"
      },
      "message": "ipv6: release reference of ip6_null_entry\u0027s dst entry in __ip6_del_rt\n\n[ Upstream commit 6825a26c2dc21eb4f8df9c06d3786ddec97cf53b ]\n\nas we hold dst_entry before we call __ip6_del_rt,\nso we should alse call dst_release not only return\n-ENOENT when the rt6_info is ip6_null_entry.\n\nand we already hold the dst entry, so I think it\u0027s\nsafe to call dst_release out of the write-read lock.\n\nSigned-off-by: Gao feng \u003cgaofeng@cn.fujitsu.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "2ab08687cf48805c5abd0f9a785e09181eda9492",
      "tree": "0cb7d9dfdd3f2e6c27541151c414fe70896d054b",
      "parents": [
        "97d5d3295198279362552d9b810c088d3410da23"
      ],
      "author": {
        "name": "Antonio Quartulli",
        "email": "ordex@autistici.org",
        "time": "Tue Oct 02 06:14:17 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:43 2012 +0900"
      },
      "message": "8021q: fix mac_len recomputation in vlan_untag()\n\n[ Upstream commit 5316cf9a5197eb80b2800e1acadde287924ca975 ]\n\nskb_reset_mac_len() relies on the value of the skb-\u003enetwork_header pointer,\ntherefore we must wait for such pointer to be recalculated before computing\nthe new mac_len value.\n\nSigned-off-by: Antonio Quartulli \u003cordex@autistici.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "5ee708f19bd6a1da1d7bab5916382bbbfba4edbb",
      "tree": "323985eff3ef122f5199587bac04a2ca44a5f7dd",
      "parents": [
        "52ee75479f2aea816d8bb6a9d6caf5c1ebb36724"
      ],
      "author": {
        "name": "Paolo Valente",
        "email": "paolo.valente@unimore.it",
        "time": "Sat Sep 15 00:41:35 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:42 2012 +0900"
      },
      "message": "pkt_sched: fix virtual-start-time update in QFQ\n\n[ Upstream commit 71261956973ba9e0637848a5adb4a5819b4bae83 ]\n\nIf the old timestamps of a class, say cl, are stale when the class\nbecomes active, then QFQ may assign to cl a much higher start time\nthan the maximum value allowed. This may happen when QFQ assigns to\nthe start time of cl the finish time of a group whose classes are\ncharacterized by a higher value of the ratio\nmax_class_pkt/weight_of_the_class with respect to that of\ncl. Inserting a class with a too high start time into the bucket list\ncorrupts the data structure and may eventually lead to crashes.\nThis patch limits the maximum start time assigned to a class.\n\nSigned-off-by: Paolo Valente \u003cpaolo.valente@unimore.it\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "52ee75479f2aea816d8bb6a9d6caf5c1ebb36724",
      "tree": "e3f3d348712777a3c47c0376ba2d970e71341dbb",
      "parents": [
        "6720119023f635bd8c285530a7092716c23bdfcc"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Sep 11 13:11:12 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:42 2012 +0900"
      },
      "message": "net-sched: sch_cbq: avoid infinite loop\n\n[ Upstream commit bdfc87f7d1e253e0a61e2fc6a75ea9d76f7fc03a ]\n\nIts possible to setup a bad cbq configuration leading to\nan infinite loop in cbq_classify()\n\nDEV_OUT\u003deth0\nICMP\u003d\"match ip protocol 1 0xff\"\nU32\u003d\"protocol ip u32\"\nDST\u003d\"match ip dst\"\ntc qdisc add dev $DEV_OUT root handle 1: cbq avpkt 1000 \\\n\tbandwidth 100mbit\ntc class add dev $DEV_OUT parent 1: classid 1:1 cbq \\\n\trate 512kbit allot 1500 prio 5 bounded isolated\ntc filter add dev $DEV_OUT parent 1: prio 3 $U32 \\\n\t$ICMP $DST 192.168.3.234 flowid 1:\n\nReported-by: Denys Fedoryschenko \u003cdenys@visp.net.lb\u003e\nTested-by: Denys Fedoryschenko \u003cdenys@visp.net.lb\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "53bf1469924e07385b4493d3cbd78551d4afaaa3",
      "tree": "26fd323abf51bc1e9a5362b3ebbd0869425bea6d",
      "parents": [
        "743b911d8b2214bfa9ecd1631edbe6f61f8fdced"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Thu Sep 20 10:01:49 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:41 2012 +0900"
      },
      "message": "xfrm_user: ensure user supplied esn replay window is valid\n\n[ Upstream commit ecd7918745234e423dd87fcc0c077da557909720 ]\n\nThe current code fails to ensure that the netlink message actually\ncontains as many bytes as the header indicates. If a user creates a new\nstate or updates an existing one but does not supply the bytes for the\nwhole ESN replay window, the kernel copies random heap bytes into the\nreplay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL\nnetlink attribute. This leads to following issues:\n\n1. The replay window has random bits set confusing the replay handling\n   code later on.\n\n2. A malicious user could use this flaw to leak up to ~3.5kB of heap\n   memory when she has access to the XFRM netlink interface (requires\n   CAP_NET_ADMIN).\n\nKnown users of the ESN replay window are strongSwan and Steffen\u0027s\niproute2 patch (\u003chttp://patchwork.ozlabs.org/patch/85962/\u003e). The latter\nuses the interface with a bitmap supplied while the former does not.\nstrongSwan is therefore prone to run into issue 1.\n\nTo fix both issues without breaking existing userland allow using the\nXFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a\nfully specified one. For the former case we initialize the in-kernel\nbitmap with zero, for the latter we copy the user supplied bitmap. For\nstate updates the full bitmap must be supplied.\n\nTo prevent overflows in the bitmap length calculation the maximum size\nof bmp_len is limited to 128 by this patch -- resulting in a maximum\nreplay window of 4096 packets. This should be sufficient for all real\nlife scenarios (RFC 4303 recommends a default replay window size of 64).\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nCc: Martin Willi \u003cmartin@revosec.ch\u003e\nCc: Ben Hutchings \u003cbhutchings@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "743b911d8b2214bfa9ecd1631edbe6f61f8fdced",
      "tree": "7266729acce0b72e62a1339c67343a152f34e60a",
      "parents": [
        "0c5e37586ef83845acbae1738e693bc97c12d4c3"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Sep 19 11:33:43 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:41 2012 +0900"
      },
      "message": "xfrm_user: don\u0027t copy esn replay window twice for new states\n\n[ Upstream commit e3ac104d41a97b42316915020ba228c505447d21 ]\n\nThe ESN replay window was already fully initialized in\nxfrm_alloc_replay_state_esn(). No need to copy it again.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "0c5e37586ef83845acbae1738e693bc97c12d4c3",
      "tree": "09336b4613715c597972b251a5dd8b8b8fed7a36",
      "parents": [
        "97f96eab8eb32f3178439f73acca4e286c091435"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Sep 19 11:33:41 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:41 2012 +0900"
      },
      "message": "xfrm_user: fix info leak in copy_to_user_tmpl()\n\n[ Upstream commit 1f86840f897717f86d523a13e99a447e6a5d2fa5 ]\n\nThe memory used for the template copy is a local stack variable. As\nstruct xfrm_user_tmpl contains multiple holes added by the compiler for\nalignment, not initializing the memory will lead to leaking stack bytes\nto userland. Add an explicit memset(0) to avoid the info leak.\n\nInitial version of the patch by Brad Spengler.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Brad Spengler \u003cspender@grsecurity.net\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "97f96eab8eb32f3178439f73acca4e286c091435",
      "tree": "d7f2526d4bd16dadffc4ae2237ddf148d1e767a3",
      "parents": [
        "d5f1f7c230df5f2a198fb231547f1b298594c709"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Sep 19 11:33:40 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:41 2012 +0900"
      },
      "message": "xfrm_user: fix info leak in copy_to_user_policy()\n\n[ Upstream commit 7b789836f434c87168eab067cfbed1ec4783dffd ]\n\nThe memory reserved to dump the xfrm policy includes multiple padding\nbytes added by the compiler for alignment (padding bytes in struct\nxfrm_selector and struct xfrm_userpolicy_info). Add an explicit\nmemset(0) before filling the buffer to avoid the heap info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "d5f1f7c230df5f2a198fb231547f1b298594c709",
      "tree": "1295ee4909bacd777b6d9652703efb97ac58ed01",
      "parents": [
        "37d61a27a59671d88279dcc4d331f950d4901d4d"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Sep 19 11:33:39 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:41 2012 +0900"
      },
      "message": "xfrm_user: fix info leak in copy_to_user_state()\n\n[ Upstream commit f778a636713a435d3a922c60b1622a91136560c1 ]\n\nThe memory reserved to dump the xfrm state includes the padding bytes of\nstruct xfrm_usersa_info added by the compiler for alignment (7 for\namd64, 3 for i386). Add an explicit memset(0) before filling the buffer\nto avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "37d61a27a59671d88279dcc4d331f950d4901d4d",
      "tree": "cd9a28ee5484e21e322634d00391658ec8e05259",
      "parents": [
        "a91af73f445cacfb0db4df3eb2e3d0ddeff43893"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Sep 19 11:33:38 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:40 2012 +0900"
      },
      "message": "xfrm_user: fix info leak in copy_to_user_auth()\n\n[ Upstream commit 4c87308bdea31a7b4828a51f6156e6f721a1fcc9 ]\n\ncopy_to_user_auth() fails to initialize the remainder of alg_name and\ntherefore discloses up to 54 bytes of heap memory via netlink to\nuserland.\n\nUse strncpy() instead of strcpy() to fill the trailing bytes of alg_name\nwith null bytes.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "a91af73f445cacfb0db4df3eb2e3d0ddeff43893",
      "tree": "a4fb8945340d3ee94f5f427d1a4e61250ede0d0f",
      "parents": [
        "f38b334adca51bbf18ad549a9736c0f86bb4a375"
      ],
      "author": {
        "name": "Li RongQing",
        "email": "roy.qing.li@gmail.com",
        "time": "Mon Sep 17 22:40:10 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:40 2012 +0900"
      },
      "message": "xfrm: fix a read lock imbalance in make_blackhole\n\n[ Upstream commit 433a19548061bb5457b6ab77ed7ea58ca6e43ddb ]\n\nif xfrm_policy_get_afinfo returns 0, it has already released the read\nlock, xfrm_policy_put_afinfo should not be called again.\n\nSigned-off-by: Li RongQing \u003croy.qing.li@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "f38b334adca51bbf18ad549a9736c0f86bb4a375",
      "tree": "827539bccdea31dbaad05dc0db4a738227278a0e",
      "parents": [
        "555144b63d57c0df7a2677868f83957a34135207"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Fri Sep 14 09:58:32 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:40 2012 +0900"
      },
      "message": "xfrm_user: return error pointer instead of NULL #2\n\n[ Upstream commit c25463722509fef0ed630b271576a8c9a70236f3 ]\n\nWhen dump_one_policy() returns an error, e.g. because of a too small\nbuffer to dump the whole xfrm policy, xfrm_policy_netlink() returns\nNULL instead of an error pointer. But its caller expects an error\npointer and therefore continues to operate on a NULL skbuff.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "555144b63d57c0df7a2677868f83957a34135207",
      "tree": "f25e99ec2bf0436cc9d6a190ad1498e58bd8f378",
      "parents": [
        "20eb20851385e53d27dff9ed79c4e68e58e3d9da"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Thu Sep 13 11:41:26 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:40 2012 +0900"
      },
      "message": "xfrm_user: return error pointer instead of NULL\n\n[ Upstream commit 864745d291b5ba80ea0bd0edcbe67273de368836 ]\n\nWhen dump_one_state() returns an error, e.g. because of a too small\nbuffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL\ninstead of an error pointer. But its callers expect an error pointer\nand therefore continue to operate on a NULL skbuff.\n\nThis could lead to a privilege escalation (execution of user code in\nkernel context) if the attacker has CAP_NET_ADMIN and is able to map\naddress 0.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nAcked-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "20eb20851385e53d27dff9ed79c4e68e58e3d9da",
      "tree": "b3a5a5e16f823d5ca39f44124bf18b5f63fa2a2f",
      "parents": [
        "657197486950474bf30290344339fd0914fe99c9"
      ],
      "author": {
        "name": "Steffen Klassert",
        "email": "steffen.klassert@secunet.com",
        "time": "Tue Sep 04 00:03:29 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Oct 13 05:38:40 2012 +0900"
      },
      "message": "xfrm: Workaround incompatibility of ESN and async crypto\n\n[ Upstream commit 3b59df46a449ec9975146d71318c4777ad086744 ]\n\nESN for esp is defined in RFC 4303. This RFC assumes that the\nsequence number counters are always up to date. However,\nthis is not true if an async crypto algorithm is employed.\n\nIf the sequence number counters are not up to date on sequence\nnumber check, we may incorrectly update the upper 32 bit of\nthe sequence number. This leads to a DOS.\n\nWe workaround this by comparing the upper sequence number,\n(used for authentication) with the upper sequence number\ncomputed after the async processing. We drop the packet\nif these numbers are different.\n\nTo do this, we introduce a recheck function that does this\ncheck in the ESN case.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "b2c1fcae0409fec6d96351fe2793a502870f4370",
      "tree": "8b95900f8a41da6de47141368d34bae45b733e63",
      "parents": [
        "11266a8e031a3782241760850f002c79ee2887e1"
      ],
      "author": {
        "name": "Weiping Pan",
        "email": "wpan@redhat.com",
        "time": "Mon Jul 23 10:37:48 2012 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:35 2012 -0700"
      },
      "message": "rds: set correct msg_namelen\n\ncommit 06b6a1cf6e776426766298d055bb3991957d90a7 upstream.\n\nJay Fenlason (fenlason@redhat.com) found a bug,\nthat recvfrom() on an RDS socket can return the contents of random kernel\nmemory to userspace if it was called with a address length larger than\nsizeof(struct sockaddr_in).\nrds_recvmsg() also fails to set the addr_len paramater properly before\nreturning, but that\u0027s just a bug.\nThere are also a number of cases wher recvfrom() can return an entirely bogus\naddress. Anything in rds_recvmsg() that returns a non-negative value but does\nnot go through the \"sin \u003d (struct sockaddr_in *)msg-\u003emsg_name;\" code path\nat the end of the while(1) loop will return up to 128 bytes of kernel memory\nto userspace.\n\nAnd I write two test programs to reproduce this bug, you will see that in\nrds_server, fromAddr will be overwritten and the following sock_fd will be\ndestroyed.\nYes, it is the programmer\u0027s fault to set msg_namelen incorrectly, but it is\nbetter to make the kernel copy the real length of address to user space in\nsuch case.\n\nHow to run the test programs ?\nI test them on 32bit x86 system, 3.5.0-rc7.\n\n1 compile\ngcc -o rds_client rds_client.c\ngcc -o rds_server rds_server.c\n\n2 run ./rds_server on one console\n\n3 run ./rds_client on another console\n\n4 you will see something like:\nserver is waiting to receive data...\nold socket fd\u003d3\nserver received data from client:data from client\nmsg.msg_namelen\u003d32\nnew socket fd\u003d-1067277685\nsendmsg()\n: Bad file descriptor\n\n/***************** rds_client.c ********************/\n\nint main(void)\n{\n\tint sock_fd;\n\tstruct sockaddr_in serverAddr;\n\tstruct sockaddr_in toAddr;\n\tchar recvBuffer[128] \u003d \"data from client\";\n\tstruct msghdr msg;\n\tstruct iovec iov;\n\n\tsock_fd \u003d socket(AF_RDS, SOCK_SEQPACKET, 0);\n\tif (sock_fd \u003c 0) {\n\t\tperror(\"create socket error\\n\");\n\t\texit(1);\n\t}\n\n\tmemset(\u0026serverAddr, 0, sizeof(serverAddr));\n\tserverAddr.sin_family \u003d AF_INET;\n\tserverAddr.sin_addr.s_addr \u003d inet_addr(\"127.0.0.1\");\n\tserverAddr.sin_port \u003d htons(4001);\n\n\tif (bind(sock_fd, (struct sockaddr*)\u0026serverAddr, sizeof(serverAddr)) \u003c 0) {\n\t\tperror(\"bind() error\\n\");\n\t\tclose(sock_fd);\n\t\texit(1);\n\t}\n\n\tmemset(\u0026toAddr, 0, sizeof(toAddr));\n\ttoAddr.sin_family \u003d AF_INET;\n\ttoAddr.sin_addr.s_addr \u003d inet_addr(\"127.0.0.1\");\n\ttoAddr.sin_port \u003d htons(4000);\n\tmsg.msg_name \u003d \u0026toAddr;\n\tmsg.msg_namelen \u003d sizeof(toAddr);\n\tmsg.msg_iov \u003d \u0026iov;\n\tmsg.msg_iovlen \u003d 1;\n\tmsg.msg_iov-\u003eiov_base \u003d recvBuffer;\n\tmsg.msg_iov-\u003eiov_len \u003d strlen(recvBuffer) + 1;\n\tmsg.msg_control \u003d 0;\n\tmsg.msg_controllen \u003d 0;\n\tmsg.msg_flags \u003d 0;\n\n\tif (sendmsg(sock_fd, \u0026msg, 0) \u003d\u003d -1) {\n\t\tperror(\"sendto() error\\n\");\n\t\tclose(sock_fd);\n\t\texit(1);\n\t}\n\n\tprintf(\"client send data:%s\\n\", recvBuffer);\n\n\tmemset(recvBuffer, \u0027\\0\u0027, 128);\n\n\tmsg.msg_name \u003d \u0026toAddr;\n\tmsg.msg_namelen \u003d sizeof(toAddr);\n\tmsg.msg_iov \u003d \u0026iov;\n\tmsg.msg_iovlen \u003d 1;\n\tmsg.msg_iov-\u003eiov_base \u003d recvBuffer;\n\tmsg.msg_iov-\u003eiov_len \u003d 128;\n\tmsg.msg_control \u003d 0;\n\tmsg.msg_controllen \u003d 0;\n\tmsg.msg_flags \u003d 0;\n\tif (recvmsg(sock_fd, \u0026msg, 0) \u003d\u003d -1) {\n\t\tperror(\"recvmsg() error\\n\");\n\t\tclose(sock_fd);\n\t\texit(1);\n\t}\n\n\tprintf(\"receive data from server:%s\\n\", recvBuffer);\n\n\tclose(sock_fd);\n\n\treturn 0;\n}\n\n/***************** rds_server.c ********************/\n\nint main(void)\n{\n\tstruct sockaddr_in fromAddr;\n\tint sock_fd;\n\tstruct sockaddr_in serverAddr;\n\tunsigned int addrLen;\n\tchar recvBuffer[128];\n\tstruct msghdr msg;\n\tstruct iovec iov;\n\n\tsock_fd \u003d socket(AF_RDS, SOCK_SEQPACKET, 0);\n\tif(sock_fd \u003c 0) {\n\t\tperror(\"create socket error\\n\");\n\t\texit(0);\n\t}\n\n\tmemset(\u0026serverAddr, 0, sizeof(serverAddr));\n\tserverAddr.sin_family \u003d AF_INET;\n\tserverAddr.sin_addr.s_addr \u003d inet_addr(\"127.0.0.1\");\n\tserverAddr.sin_port \u003d htons(4000);\n\tif (bind(sock_fd, (struct sockaddr*)\u0026serverAddr, sizeof(serverAddr)) \u003c 0) {\n\t\tperror(\"bind error\\n\");\n\t\tclose(sock_fd);\n\t\texit(1);\n\t}\n\n\tprintf(\"server is waiting to receive data...\\n\");\n\tmsg.msg_name \u003d \u0026fromAddr;\n\n\t/*\n\t * I add 16 to sizeof(fromAddr), ie 32,\n\t * and pay attention to the definition of fromAddr,\n\t * recvmsg() will overwrite sock_fd,\n\t * since kernel will copy 32 bytes to userspace.\n\t *\n\t * If you just use sizeof(fromAddr), it works fine.\n\t * */\n\tmsg.msg_namelen \u003d sizeof(fromAddr) + 16;\n\t/* msg.msg_namelen \u003d sizeof(fromAddr); */\n\tmsg.msg_iov \u003d \u0026iov;\n\tmsg.msg_iovlen \u003d 1;\n\tmsg.msg_iov-\u003eiov_base \u003d recvBuffer;\n\tmsg.msg_iov-\u003eiov_len \u003d 128;\n\tmsg.msg_control \u003d 0;\n\tmsg.msg_controllen \u003d 0;\n\tmsg.msg_flags \u003d 0;\n\n\twhile (1) {\n\t\tprintf(\"old socket fd\u003d%d\\n\", sock_fd);\n\t\tif (recvmsg(sock_fd, \u0026msg, 0) \u003d\u003d -1) {\n\t\t\tperror(\"recvmsg() error\\n\");\n\t\t\tclose(sock_fd);\n\t\t\texit(1);\n\t\t}\n\t\tprintf(\"server received data from client:%s\\n\", recvBuffer);\n\t\tprintf(\"msg.msg_namelen\u003d%d\\n\", msg.msg_namelen);\n\t\tprintf(\"new socket fd\u003d%d\\n\", sock_fd);\n\t\tstrcat(recvBuffer, \"--data from server\");\n\t\tif (sendmsg(sock_fd, \u0026msg, 0) \u003d\u003d -1) {\n\t\t\tperror(\"sendmsg()\\n\");\n\t\t\tclose(sock_fd);\n\t\t\texit(1);\n\t\t}\n\t}\n\n\tclose(sock_fd);\n\treturn 0;\n}\n\nSigned-off-by: Weiping Pan \u003cwpan@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "e6da94be68b025bdbbee3764428769a85367aa79",
      "tree": "6be1d9b7148e3e2d1a027d3b38232a61bab84239",
      "parents": [
        "c031edca540afb66764db24eed10eb149ac6c852"
      ],
      "author": {
        "name": "Rustad, Mark D",
        "email": "mark.d.rustad@intel.com",
        "time": "Wed Jul 18 09:06:07 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:35 2012 -0700"
      },
      "message": "net: Statically initialize init_net.dev_base_head\n\ncommit 734b65417b24d6eea3e3d7457e1f11493890ee1d upstream.\n\nThis change eliminates an initialization-order hazard most\nrecently seen when netprio_cgroup is built into the kernel.\n\nWith thanks to Eric Dumazet for catching a bug.\n\nSigned-off-by: Mark Rustad \u003cmark.d.rustad@intel.com\u003e\nAcked-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "c031edca540afb66764db24eed10eb149ac6c852",
      "tree": "867a052756c1bb8942b407f7098a3da4ea95261d",
      "parents": [
        "0fcc0805df9cf7483e927cf6a4dc94938318c06a"
      ],
      "author": {
        "name": "Vinicius Costa Gomes",
        "email": "vinicius.gomes@openbossa.org",
        "time": "Thu Aug 23 21:32:44 2012 -0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:34 2012 -0700"
      },
      "message": "Bluetooth: Fix sending a HCI Authorization Request over LE links\n\ncommit d8343f125710fb596f7a88cd756679f14f4e77b9 upstream.\n\nIn the case that the link is already in the connected state and a\nPairing request arrives from the mgmt interface, hci_conn_security()\nwould be called but it was not considering LE links.\n\nReported-by: João Paulo Rechi Vita \u003cjprvita@openbossa.org\u003e\nSigned-off-by: Vinicius Costa Gomes \u003cvinicius.gomes@openbossa.org\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "0fcc0805df9cf7483e927cf6a4dc94938318c06a",
      "tree": "5218645ca3737cf7ec1d9b3a039b6a1ec8048931",
      "parents": [
        "27d50469825fd267f44e13fb0627b011c0da6abd"
      ],
      "author": {
        "name": "Vinicius Costa Gomes",
        "email": "vinicius.gomes@openbossa.org",
        "time": "Thu Aug 23 21:32:43 2012 -0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:34 2012 -0700"
      },
      "message": "Bluetooth: Change signature of smp_conn_security()\n\ncommit cc110922da7e902b62d18641a370fec01a9fa794 upstream.\n\nTo make it clear that it may be called from contexts that may not have\nany knowledge of L2CAP, we change the connection parameter, to receive\na hci_conn.\n\nThis also makes it clear that it is checking the security of the link.\n\nSigned-off-by: Vinicius Costa Gomes \u003cvinicius.gomes@openbossa.org\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "27d50469825fd267f44e13fb0627b011c0da6abd",
      "tree": "3bc48f09647dfa7cb31375136cde64ddd6abfea1",
      "parents": [
        "403c9ebee757d7ec82e3e06e456ae2445f0b9f40"
      ],
      "author": {
        "name": "Andre Guedes",
        "email": "andre.guedes@openbossa.org",
        "time": "Wed Aug 01 20:34:15 2012 -0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:34 2012 -0700"
      },
      "message": "Bluetooth: Fix use-after-free bug in SMP\n\ncommit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.\n\nIf SMP fails, we should always cancel security_timer delayed work.\nOtherwise, security_timer function may run after l2cap_conn object\nhas been freed.\n\nThis patch fixes the following warning reported by ODEBUG:\n\nWARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()\nHardware name: Bochs\nODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27\nModules linked in: btusb bluetooth\nPid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4\nCall Trace:\n [\u003cffffffff81174600\u003e] ? free_obj_work+0x4a/0x7f\n [\u003cffffffff81023eb8\u003e] warn_slowpath_common+0x7e/0x97\n [\u003cffffffff81023f65\u003e] warn_slowpath_fmt+0x41/0x43\n [\u003cffffffff811746b1\u003e] debug_print_object+0x7c/0x8d\n [\u003cffffffff810394f0\u003e] ? __queue_work+0x241/0x241\n [\u003cffffffff81174fdd\u003e] debug_check_no_obj_freed+0x92/0x159\n [\u003cffffffff810ac08e\u003e] slab_free_hook+0x6f/0x77\n [\u003cffffffffa0019145\u003e] ? l2cap_conn_del+0x148/0x157 [bluetooth]\n [\u003cffffffff810ae408\u003e] kfree+0x59/0xac\n [\u003cffffffffa0019145\u003e] l2cap_conn_del+0x148/0x157 [bluetooth]\n [\u003cffffffffa001b9a2\u003e] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]\n [\u003cffffffff810592f9\u003e] ? trace_hardirqs_on_caller+0x112/0x1ad\n [\u003cffffffffa001c86c\u003e] l2cap_recv_acldata+0xe2/0x264 [bluetooth]\n [\u003cffffffffa0002b2f\u003e] hci_rx_work+0x235/0x33c [bluetooth]\n [\u003cffffffff81038dc3\u003e] ? process_one_work+0x126/0x2fe\n [\u003cffffffff81038e22\u003e] process_one_work+0x185/0x2fe\n [\u003cffffffff81038dc3\u003e] ? process_one_work+0x126/0x2fe\n [\u003cffffffff81059f2e\u003e] ? lock_acquired+0x1b5/0x1cf\n [\u003cffffffffa00028fa\u003e] ? le_scan_work+0x11d/0x11d [bluetooth]\n [\u003cffffffff81036fb6\u003e] ? spin_lock_irq+0x9/0xb\n [\u003cffffffff81039209\u003e] worker_thread+0xcf/0x175\n [\u003cffffffff8103913a\u003e] ? rescuer_thread+0x175/0x175\n [\u003cffffffff8103cfe0\u003e] kthread+0x95/0x9d\n [\u003cffffffff812c5054\u003e] kernel_threadi_helper+0x4/0x10\n [\u003cffffffff812c36b0\u003e] ? retint_restore_args+0x13/0x13\n [\u003cffffffff8103cf4b\u003e] ? flush_kthread_worker+0xdb/0xdb\n [\u003cffffffff812c5050\u003e] ? gs_change+0x13/0x13\n\nThis bug can be reproduced using hctool lecc or l2test tools and\nbluetoothd not running.\n\nSigned-off-by: Andre Guedes \u003candre.guedes@openbossa.org\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "7334e402a35e0379933e8b0442f0baeed1104217",
      "tree": "29901c172d78fcc76023461ad2204419d4b23169",
      "parents": [
        "12e58ca43097b5330e028f4087e7e4789c08abf7"
      ],
      "author": {
        "name": "Luis R. Rodriguez",
        "email": "mcgrof@do-not-panic.com",
        "time": "Fri Sep 14 15:36:57 2012 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:09 2012 -0700"
      },
      "message": "cfg80211: fix possible circular lock on reg_regdb_search()\n\ncommit a85d0d7f3460b1a123b78e7f7e39bf72c37dfb78 upstream.\n\nWhen call_crda() is called we kick off a witch hunt search\nfor the same regulatory domain on our internal regulatory\ndatabase and that work gets kicked off on a workqueue, this\nis done while the cfg80211_mutex is held. If that workqueue\nkicks off it will first lock reg_regdb_search_mutex and\nlater cfg80211_mutex but to ensure two CPUs will not contend\nagainst cfg80211_mutex the right thing to do is to have the\nreg_regdb_search() wait until the cfg80211_mutex is let go.\n\nThe lockdep report is pasted below.\n\ncfg80211: Calling CRDA to update world regulatory domain\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: possible circular locking dependency detected ]\n3.3.8 #3 Tainted: G           O\n-------------------------------------------------------\nkworker/0:1/235 is trying to acquire lock:\n (cfg80211_mutex){+.+...}, at: [\u003c816468a4\u003e] set_regdom+0x78c/0x808 [cfg80211]\n\nbut task is already holding lock:\n (reg_regdb_search_mutex){+.+...}, at: [\u003c81646828\u003e] set_regdom+0x710/0x808 [cfg80211]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (reg_regdb_search_mutex){+.+...}:\n       [\u003c800a8384\u003e] lock_acquire+0x60/0x88\n       [\u003c802950a8\u003e] mutex_lock_nested+0x54/0x31c\n       [\u003c81645778\u003e] is_world_regdom+0x9f8/0xc74 [cfg80211]\n\n-\u003e #1 (reg_mutex#2){+.+...}:\n       [\u003c800a8384\u003e] lock_acquire+0x60/0x88\n       [\u003c802950a8\u003e] mutex_lock_nested+0x54/0x31c\n       [\u003c8164539c\u003e] is_world_regdom+0x61c/0xc74 [cfg80211]\n\n-\u003e #0 (cfg80211_mutex){+.+...}:\n       [\u003c800a77b8\u003e] __lock_acquire+0x10d4/0x17bc\n       [\u003c800a8384\u003e] lock_acquire+0x60/0x88\n       [\u003c802950a8\u003e] mutex_lock_nested+0x54/0x31c\n       [\u003c816468a4\u003e] set_regdom+0x78c/0x808 [cfg80211]\n\nother info that might help us debug this:\n\nChain exists of:\n  cfg80211_mutex --\u003e reg_mutex#2 --\u003e reg_regdb_search_mutex\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(reg_regdb_search_mutex);\n                               lock(reg_mutex#2);\n                               lock(reg_regdb_search_mutex);\n  lock(cfg80211_mutex);\n\n *** DEADLOCK ***\n\n3 locks held by kworker/0:1/235:\n #0:  (events){.+.+..}, at: [\u003c80089a00\u003e] process_one_work+0x230/0x460\n #1:  (reg_regdb_work){+.+...}, at: [\u003c80089a00\u003e] process_one_work+0x230/0x460\n #2:  (reg_regdb_search_mutex){+.+...}, at: [\u003c81646828\u003e] set_regdom+0x710/0x808 [cfg80211]\n\nstack backtrace:\nCall Trace:\n[\u003c80290fd4\u003e] dump_stack+0x8/0x34\n[\u003c80291bc4\u003e] print_circular_bug+0x2ac/0x2d8\n[\u003c800a77b8\u003e] __lock_acquire+0x10d4/0x17bc\n[\u003c800a8384\u003e] lock_acquire+0x60/0x88\n[\u003c802950a8\u003e] mutex_lock_nested+0x54/0x31c\n[\u003c816468a4\u003e] set_regdom+0x78c/0x808 [cfg80211]\n\nReported-by: Felix Fietkau \u003cnbd@openwrt.org\u003e\nTested-by: Felix Fietkau \u003cnbd@openwrt.org\u003e\nSigned-off-by: Luis R. Rodriguez \u003cmcgrof@do-not-panic.com\u003e\nReviewed-by: Johannes Berg \u003cjohannes@sipsolutions.net\u003e\nSigned-off-by: John W. Linville \u003clinville@tuxdriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a6be20b8cd1e5e847c4191b8f249b939aaabf987",
      "tree": "544ffd0fef49963cd28e75f9e8dc8f7308d768b5",
      "parents": [
        "ec4d417c66a406bb464598220faf9f561d5b6d25"
      ],
      "author": {
        "name": "Andrzej Kaczmarek",
        "email": "andrzej.kaczmarek@tieto.com",
        "time": "Wed Aug 29 10:02:09 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:08 2012 -0700"
      },
      "message": "Bluetooth: mgmt: Fix enabling LE while powered off\n\ncommit 562fcc246ebe31ade6e1be08585673b9b2785498 upstream.\n\nWhen new BT USB adapter is plugged in it\u0027s configured while still being powered\noff (HCI_AUTO_OFF flag is set), thus Set LE will only set dev_flags but won\u0027t\nwrite changes to controller. As a result it\u0027s not possible to start device\ndiscovery session on LE controller as it uses interleaved discovery which\nrequires LE Supported Host flag in extended features.\n\nThis patch ensures HCI Write LE Host Supported is sent when Set Powered is\ncalled to power on controller and clear HCI_AUTO_OFF flag.\n\nSigned-off-by: Andrzej Kaczmarek \u003candrzej.kaczmarek@tieto.com\u003e\nAcked-by: Johan Hedberg \u003cjohan.hedberg@intel.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ec4d417c66a406bb464598220faf9f561d5b6d25",
      "tree": "080f11280018b491b3c998c26a99ffe6ff158481",
      "parents": [
        "dcc8dbc21ff2052c0df6dee3e1a36c3ef4f1133c"
      ],
      "author": {
        "name": "Vinicius Costa Gomes",
        "email": "vinicius.gomes@openbossa.org",
        "time": "Fri Sep 14 16:34:46 2012 -0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:08 2012 -0700"
      },
      "message": "Bluetooth: Fix not removing power_off delayed work\n\ncommit 78c04c0bf52360dc2f7185e99c8e9aa05d73ae5a upstream.\n\nFor example, when a usb reset is received (I could reproduce it\nrunning something very similar to this[1] in a loop) it could be\nthat the device is unregistered while the power_off delayed work\nis still scheduled to run.\n\nBacktrace:\n\nWARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()\nHardware name: To Be Filled By O.E.M.\nODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x26\nModules linked in: nouveau mxm_wmi btusb wmi bluetooth ttm coretemp drm_kms_helper\nPid: 2114, comm: usb-reset Not tainted 3.5.0bt-next #2\nCall Trace:\n [\u003cffffffff8124cc00\u003e] ? free_obj_work+0x57/0x91\n [\u003cffffffff81058f88\u003e] warn_slowpath_common+0x7e/0x97\n [\u003cffffffff81059035\u003e] warn_slowpath_fmt+0x41/0x43\n [\u003cffffffff8124ccb6\u003e] debug_print_object+0x7c/0x8d\n [\u003cffffffff8106e3ec\u003e] ? __queue_work+0x259/0x259\n [\u003cffffffff8124d63e\u003e] ? debug_check_no_obj_freed+0x6f/0x1b5\n [\u003cffffffff8124d667\u003e] debug_check_no_obj_freed+0x98/0x1b5\n [\u003cffffffffa00aa031\u003e] ? bt_host_release+0x10/0x1e [bluetooth]\n [\u003cffffffff810fc035\u003e] kfree+0x90/0xe6\n [\u003cffffffffa00aa031\u003e] bt_host_release+0x10/0x1e [bluetooth]\n [\u003cffffffff812ec2f9\u003e] device_release+0x4a/0x7e\n [\u003cffffffff8123ef57\u003e] kobject_release+0x11d/0x154\n [\u003cffffffff8123ed98\u003e] kobject_put+0x4a/0x4f\n [\u003cffffffff812ec0d9\u003e] put_device+0x12/0x14\n [\u003cffffffffa009472b\u003e] hci_free_dev+0x22/0x26 [bluetooth]\n [\u003cffffffffa0280dd0\u003e] btusb_disconnect+0x96/0x9f [btusb]\n [\u003cffffffff813581b4\u003e] usb_unbind_interface+0x57/0x106\n [\u003cffffffff812ef988\u003e] __device_release_driver+0x83/0xd6\n [\u003cffffffff812ef9fb\u003e] device_release_driver+0x20/0x2d\n [\u003cffffffff813582a7\u003e] usb_driver_release_interface+0x44/0x7b\n [\u003cffffffff81358795\u003e] usb_forced_unbind_intf+0x45/0x4e\n [\u003cffffffff8134f959\u003e] usb_reset_device+0xa6/0x12e\n [\u003cffffffff8135df86\u003e] usbdev_do_ioctl+0x319/0xe20\n [\u003cffffffff81203244\u003e] ? avc_has_perm_flags+0xc9/0x12e\n [\u003cffffffff812031a0\u003e] ? avc_has_perm_flags+0x25/0x12e\n [\u003cffffffff81050101\u003e] ? do_page_fault+0x31e/0x3a1\n [\u003cffffffff8135eaa6\u003e] usbdev_ioctl+0x9/0xd\n [\u003cffffffff811126b1\u003e] vfs_ioctl+0x21/0x34\n [\u003cffffffff81112f7b\u003e] do_vfs_ioctl+0x408/0x44b\n [\u003cffffffff81208d45\u003e] ? file_has_perm+0x76/0x81\n [\u003cffffffff8111300f\u003e] sys_ioctl+0x51/0x76\n [\u003cffffffff8158db22\u003e] system_call_fastpath+0x16/0x1b\n\n[1] http://cpansearch.perl.org/src/DPAVLIN/Biblio-RFID-0.03/examples/usbreset.c\n\nSigned-off-by: Vinicius Costa Gomes \u003cvinicius.gomes@openbossa.org\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "dcc8dbc21ff2052c0df6dee3e1a36c3ef4f1133c",
      "tree": "6fc28055b407f59a94f9086b85269c9ea98c6b15",
      "parents": [
        "f51909c0af2ebc533eaf48c7daff503b3e54d983"
      ],
      "author": {
        "name": "Andrzej Kaczmarek",
        "email": "andrzej.kaczmarek@tieto.com",
        "time": "Wed Aug 29 10:02:08 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:08 2012 -0700"
      },
      "message": "Bluetooth: mgmt: Fix enabling SSP while powered off\n\ncommit 3d1cbdd6aefff711bcf389fdabc4af9bc22e8201 upstream.\n\nWhen new BT USB adapter is plugged in it\u0027s configured while still being powered\noff (HCI_AUTO_OFF flag is set), thus Set SSP will only set dev_flags but won\u0027t\nwrite changes to controller. As a result remote devices won\u0027t use Secure Simple\nPairing with our device due to SSP Host Support flag disabled in extended\nfeatures and may also reject SSP attempt from our side (with possible fallback\nto legacy pairing).\n\nThis patch ensures HCI Write Simple Pairing Mode is sent when Set Powered is\ncalled to power on controller and clear HCI_AUTO_OFF flag.\n\nSigned-off-by: Andrzej Kaczmarek \u003candrzej.kaczmarek@tieto.com\u003e\nAcked-by: Johan Hedberg \u003cjohan.hedberg@intel.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ba41a6df9e32ee5752165496017cadf700c14ca9",
      "tree": "4907a445243d0ccd97e903e169b4f04c72e52509",
      "parents": [
        "0bf2a827d745808dde90001134ecc6a4af39b361"
      ],
      "author": {
        "name": "Eliad Peller",
        "email": "eliad@wizery.com",
        "time": "Tue Sep 04 17:44:45 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:30:07 2012 -0700"
      },
      "message": "mac80211: clear bssid on auth/assoc failure\n\ncommit 3d2abdfdf14f4d6decc2023708211e19b096f4ca upstream.\n\nifmgd-\u003ebssid wasn\u0027t cleared properly in some\nauth/assoc failure cases, causing mac80211 and\nthe low-level driver to go out of sync.\n\nClear ifmgd-\u003ebssid on failure, and notify the driver.\n\nSigned-off-by: Eliad Peller \u003celiad@wizery.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2ff0cd9f615bae1de9d812de92eff6426aad26c9",
      "tree": "c2bb19352286bb93c6d0e32163351a1d58f0589d",
      "parents": [
        "6cacd608448898cf0b7bb4353e1a92c6dc7d5dd9"
      ],
      "author": {
        "name": "Jesse Gross",
        "email": "jesse@nicira.com",
        "time": "Fri May 25 11:29:30 2012 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:50 2012 -0700"
      },
      "message": "openvswitch: Reset upper layer protocol info on internal devices.\n\n[ Upstream commit 7fe99e2d434eafeac0c57b279a77e5de39212636 ]\n\nIt\u0027s possible that packets that are sent on internal devices (from\nthe OVS perspective) have already traversed the local IP stack.\nAfter they go through the internal device, they will again travel\nthrough the IP stack which may get confused by the presence of\nexisting information in the skb. The problem can be observed\nwhen switching between namespaces. This clears out that information\nto avoid problems but deliberately leaves other metadata alone.\nThis is to provide maximum flexibility in chaining together OVS\nand other Linux components.\n\nSigned-off-by: Jesse Gross \u003cjesse@nicira.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "b9d798a996cddfc4c1045e9af97ee434ccab4956",
      "tree": "e38de752bdba626b8fe7f5b8f6506438b0bfe2d0",
      "parents": [
        "fae286b0e547ed0379d93ace7664ea6f55cce0e0"
      ],
      "author": {
        "name": "Francesco Ruggeri",
        "email": "fruggeri@aristanetworks.com",
        "time": "Fri Aug 24 07:38:35 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:50 2012 -0700"
      },
      "message": "net: ipv4: ipmr_expire_timer causes crash when removing net namespace\n\n[ Upstream commit acbb219d5f53821b2d0080d047800410c0420ea1 ]\n\nWhen tearing down a net namespace, ipv4 mr_table structures are freed\nwithout first deactivating their timers. This can result in a crash in\nrun_timer_softirq.\nThis patch mimics the corresponding behaviour in ipv6.\nLocking and synchronization seem to be adequate.\nWe are about to kfree mrt, so existing code should already make sure that\nno other references to mrt are pending or can be created by incoming traffic.\nThe functions invoked here do not cause new references to mrt or other\nrace conditions to be created.\nInvoking del_timer_sync guarantees that ipmr_expire_timer is inactive.\nBoth ipmr_expire_process (whose completion we may have to wait in\ndel_timer_sync) and mroute_clean_tables internally use mfc_unres_lock\nor other synchronizations when needed, and they both only modify mrt.\n\nTested in Linux 3.4.8.\n\nSigned-off-by: Francesco Ruggeri \u003cfruggeri@aristanetworks.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "fae286b0e547ed0379d93ace7664ea6f55cce0e0",
      "tree": "fa7f0814dc371a996fdc785add3b5dc072a9c3e1",
      "parents": [
        "c5ca1d03c29df5dc550f71bd1669af8bc30e32f8"
      ],
      "author": {
        "name": "xeb@mail.ru",
        "email": "xeb@mail.ru",
        "time": "Fri Aug 24 01:07:38 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:42 2012 -0700"
      },
      "message": "l2tp: avoid to use synchronize_rcu in tunnel free function\n\n[ Upstream commit 99469c32f79a32d8481f87be0d3c66dad286f4ec ]\n\nAvoid to use synchronize_rcu in l2tp_tunnel_free because context may be\natomic.\n\nSigned-off-by: Dmitry Kozlov \u003cxeb@mail.ru\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "fbc350126994de9682e0400b969ab84437768894",
      "tree": "f9cc4d4fc4e9f96f1bfa2e746901511feb0403b7",
      "parents": [
        "912af4d4433a29aa51bcbc33c4275541d8ccc4b1"
      ],
      "author": {
        "name": "Yuchung Cheng",
        "email": "ycheng@google.com",
        "time": "Thu Aug 23 07:05:17 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:38 2012 -0700"
      },
      "message": "tcp: fix cwnd reduction for non-sack recovery\n\n[ Upstream commit 7c4a56fec379ac0d7754e0d4da6a7361f1a4fe64 ]\n\nThe cwnd reduction in fast recovery is based on the number of packets\nnewly delivered per ACK. For non-sack connections every DUPACK\nsignifies a packet has been delivered, but the sender mistakenly\nskips counting them for cwnd reduction.\n\nThe fix is to compute newly_acked_sacked after DUPACKs are accounted\nin sacked_out for non-sack connections.\n\nSigned-off-by: Yuchung Cheng \u003cycheng@google.com\u003e\nAcked-by: Nandita Dukkipati \u003cnanditad@google.com\u003e\nAcked-by: Neal Cardwell \u003cncardwell@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "912af4d4433a29aa51bcbc33c4275541d8ccc4b1",
      "tree": "0b66cd3dc6ac1ca8f4950c9991b166d55649fa9d",
      "parents": [
        "7c799a1e1ca2bc766574078b684c14474da9f704"
      ],
      "author": {
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org",
        "time": "Thu Aug 23 02:09:11 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:38 2012 -0700"
      },
      "message": "netlink: fix possible spoofing from non-root processes\n\n[ Upstream commit 20e1db19db5d6b9e4e83021595eab0dc8f107bef ]\n\nNon-root user-space processes can send Netlink messages to other\nprocesses that are well-known for being subscribed to Netlink\nasynchronous notifications. This allows ilegitimate non-root\nprocess to send forged messages to Netlink subscribers.\n\nThe userspace process usually verifies the legitimate origin in\ntwo ways:\n\na) Socket credentials. If UID !\u003d 0, then the message comes from\n   some ilegitimate process and the message needs to be dropped.\n\nb) Netlink portID. In general, portID \u003d\u003d 0 means that the origin\n   of the messages comes from the kernel. Thus, discarding any\n   message not coming from the kernel.\n\nHowever, ctnetlink sets the portID in event messages that has\nbeen triggered by some user-space process, eg. conntrack utility.\nSo other processes subscribed to ctnetlink events, eg. conntrackd,\nknow that the event was triggered by some user-space action.\n\nNeither of the two ways to discard ilegitimate messages coming\nfrom non-root processes can help for ctnetlink.\n\nThis patch adds capability validation in case that dst_pid is set\nin netlink_sendmsg(). This approach is aggressive since existing\napplications using any Netlink bus to deliver messages between\ntwo user-space processes will break. Note that the exception is\nNETLINK_USERSOCK, since it is reserved for netlink-to-netlink\nuserspace communication.\n\nStill, if anyone wants that his Netlink bus allows netlink-to-netlink\nuserspace, then they can set NL_NONROOT_SEND. However, by default,\nI don\u0027t think it makes sense to allow to use NETLINK_ROUTE to\ncommunicate two processes that are sending no matter what information\nthat is not related to link/neighbouring/routing. They should be using\nNETLINK_USERSOCK instead for that.\n\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "7c799a1e1ca2bc766574078b684c14474da9f704",
      "tree": "3920b2c94d08c9355c0f6f3e94b30f8ffd42529b",
      "parents": [
        "9e296becde8a8da5bcc1a8e22f27bdf9bd8636fe"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Aug 21 06:21:17 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "af_netlink: force credentials passing [CVE-2012-3520]\n\n[ Upstream commit e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea ]\n\nPablo Neira Ayuso discovered that avahi and\npotentially NetworkManager accept spoofed Netlink messages because of a\nkernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data\nto the receiver if the sender did not provide such data, instead of not\nincluding any such data at all or including the correct data from the\npeer (as it is the case with AF_UNIX).\n\nThis bug was introduced in commit 16e572626961\n(af_unix: dont send SCM_CREDENTIALS by default)\n\nThis patch forces passing credentials for netlink, as\nbefore the regression.\n\nAnother fix would be to not add SCM_CREDENTIALS in\nnetlink messages if not provided by the sender, but it\nmight break some programs.\n\nWith help from Florian Weimer \u0026 Petr Matousek\n\nThis issue is designated as CVE-2012-3520\n\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Petr Matousek \u003cpmatouse@redhat.com\u003e\nCc: Florian Weimer \u003cfweimer@redhat.com\u003e\nCc: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "9e296becde8a8da5bcc1a8e22f27bdf9bd8636fe",
      "tree": "be7a8a0b16cb84b2781b7e210e9749b8236092db",
      "parents": [
        "d09b3b2b1183848e287bc0b6397f8d05945becc4"
      ],
      "author": {
        "name": "Eric Leblond",
        "email": "eric@regit.org",
        "time": "Thu Aug 16 22:02:58 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "af_packet: don\u0027t emit packet on orig fanout group\n\n[ Upstream commit c0de08d04215031d68fa13af36f347a6cfa252ca ]\n\nIf a packet is emitted on one socket in one group of fanout sockets,\nit is transmitted again. It is thus read again on one of the sockets\nof the fanout group. This result in a loop for software which\ngenerate packets when receiving one.\nThis retransmission is not the intended behavior: a fanout group\nmust behave like a single socket. The packet should not be\ntransmitted on a socket if it originates from a socket belonging\nto the same fanout group.\n\nThis patch fixes the issue by changing the transmission check to\ntake fanout group info account.\n\nReported-by: Aleksandr Kotov \u003ca1k@mail.ru\u003e\nSigned-off-by: Eric Leblond \u003ceric@regit.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "d09b3b2b1183848e287bc0b6397f8d05945becc4",
      "tree": "1f3bd8db097160f7672c7cd987a48e4eb4e6d9d6",
      "parents": [
        "62b4d90b525c6c11e467a2eadb12fcf64a6f0829"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:57 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "net: fix info leak in compat dev_ifconf()\n\n[ Upstream commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8 ]\n\nThe implementation of dev_ifconf() for the compat ioctl interface uses\nan intermediate ifc structure allocated in userland for the duration of\nthe syscall. Though, it fails to initialize the padding bytes inserted\nfor alignment and that for leaks four bytes of kernel stack. Add an\nexplicit memset(0) before filling the structure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "62b4d90b525c6c11e467a2eadb12fcf64a6f0829",
      "tree": "1a7f38e53fbca60b6651a295a8063b714947157d",
      "parents": [
        "59039dc90bb7879bd4c8c959109d27131f0ce40f"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:56 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)\n\n[ Upstream commit 2d8a041b7bfe1097af21441cb77d6af95f4f4680 ]\n\nIf at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is\nnot set, __ip_vs_get_timeouts() does not fully initialize the structure\nthat gets copied to userland and that for leaks up to 12 bytes of kernel\nstack. Add an explicit memset(0) before passing the structure to\n__ip_vs_get_timeouts() to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Wensong Zhang \u003cwensong@linux-vs.org\u003e\nCc: Simon Horman \u003chorms@verge.net.au\u003e\nCc: Julian Anastasov \u003cja@ssi.bg\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "59039dc90bb7879bd4c8c959109d27131f0ce40f",
      "tree": "63a3e774f903b4f560702083debf6749c33fd9ef",
      "parents": [
        "00ed5b8f397447a944a3305274b74049bfcd633f"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:55 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)\n\n[ Upstream commit 7b07f8eb75aa3097cdfd4f6eac3da49db787381d ]\n\nThe CCID3 code fails to initialize the trailing padding bytes of struct\ntfrc_tx_info added for alignment on 64 bit architectures. It that for\npotentially leaks four bytes kernel stack via the getsockopt() syscall.\nAdd an explicit memset(0) before filling the structure to avoid the\ninfo leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Gerrit Renker \u003cgerrit@erg.abdn.ac.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "00ed5b8f397447a944a3305274b74049bfcd633f",
      "tree": "93b0b7fa842936ef99be4f604ee8d0e9d8346d1e",
      "parents": [
        "dbcba7a54a0327f0ef6d6a3ec53b67d0969109b6"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:53 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:37 2012 -0700"
      },
      "message": "llc: fix info leak via getsockname()\n\n[ Upstream commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192 ]\n\nThe LLC code wrongly returns 0, i.e. \"success\", when the socket is\nzapped. Together with the uninitialized uaddrlen pointer argument from\nsys_getsockname this leads to an arbitrary memory leak of up to 128\nbytes kernel stack via the getsockname() syscall.\n\nReturn an error instead when the socket is zapped to prevent the info\nleak. Also remove the unnecessary memset(0). We don\u0027t directly write to\nthe memory pointed by uaddr but memcpy() a local structure at the end of\nthe function that is properly initialized.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@ghostprotocols.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "dbcba7a54a0327f0ef6d6a3ec53b67d0969109b6",
      "tree": "802a5ba716e47fa4c7364c0681f48a0a3c7e124b",
      "parents": [
        "8717cd3d63233ee5591bf8e8d6e5960a1f6252b1"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:51 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: L2CAP - Fix info leak via getsockname()\n\n[ Upstream commit 792039c73cf176c8e39a6e8beef2c94ff46522ed ]\n\nThe L2CAP code fails to initialize the l2_bdaddr_type member of struct\nsockaddr_l2 and the padding byte added for alignment. It that for leaks\ntwo bytes kernel stack via the getsockname() syscall. Add an explicit\nmemset(0) before filling the structure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "8717cd3d63233ee5591bf8e8d6e5960a1f6252b1",
      "tree": "ffc4c49e501cf875899afc531332fe6b87c4cfff",
      "parents": [
        "279d3f5b2d402034dee1a81b7f5e3f678aa46d21"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:50 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: RFCOMM - Fix info leak via getsockname()\n\n[ Upstream commit 9344a972961d1a6d2c04d9008b13617bcb6ec2ef ]\n\nThe RFCOMM code fails to initialize the trailing padding byte of struct\nsockaddr_rc added for alignment. It that for leaks one byte kernel stack\nvia the getsockname() syscall. Add an explicit memset(0) before filling\nthe structure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "279d3f5b2d402034dee1a81b7f5e3f678aa46d21",
      "tree": "7e44b53ad4a9dc5cebdc5efde5ab80c926d877db",
      "parents": [
        "745dcdb0fd330f0cc984bd8a7764a81f04e44780"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:49 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)\n\n[ Upstream commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a ]\n\nThe RFCOMM code fails to initialize the two padding bytes of struct\nrfcomm_dev_list_req inserted for alignment before copying it to\nuserland. Additionally there are two padding bytes in each instance of\nstruct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus\ndev_num times two bytes uninitialized kernel heap memory.\n\nAllocate the memory using kzalloc() to fix this issue.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "745dcdb0fd330f0cc984bd8a7764a81f04e44780",
      "tree": "f0acac1ff978f33ebb9fa23bb470d18e375a30df",
      "parents": [
        "639edee79eb2035b6fe3976f50a1c5364acc7352"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:48 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)\n\n[ Upstream commit 9ad2de43f1aee7e7274a4e0d41465489299e344b ]\n\nThe RFCOMM code fails to initialize the key_size member of struct\nbt_security before copying it to userland -- that for leaking one\nbyte kernel stack. Initialize key_size with 0 to avoid the info\nleak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "639edee79eb2035b6fe3976f50a1c5364acc7352",
      "tree": "b891e242addb0d42f802f1d6042b8da270f7d663",
      "parents": [
        "87c42a1dfd5939d0a24795cd99b3d63daa4e1eff"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:47 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: HCI - Fix info leak via getsockname()\n\n[ Upstream commit 3f68ba07b1da811bf383b4b701b129bfcb2e4988 ]\n\nThe HCI code fails to initialize the hci_channel member of struct\nsockaddr_hci and that for leaks two bytes kernel stack via the\ngetsockname() syscall. Initialize hci_channel with 0 to avoid the\ninfo leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "87c42a1dfd5939d0a24795cd99b3d63daa4e1eff",
      "tree": "abff8acbebc4d3f6037a53ea40dee1e9c75e1fff",
      "parents": [
        "458ed5622e976848aacdea07d4bfcb84a350c460"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:46 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)\n\n[ Upstream commit e15ca9a0ef9a86f0477530b0f44a725d67f889ee ]\n\nThe HCI code fails to initialize the two padding bytes of struct\nhci_ufilter before copying it to userland -- that for leaking two\nbytes kernel stack. Add an explicit memset(0) before filling the\nstructure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: Gustavo Padovan \u003cgustavo@padovan.org\u003e\nCc: Johan Hedberg \u003cjohan.hedberg@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "458ed5622e976848aacdea07d4bfcb84a350c460",
      "tree": "863b701597e40dc811ba93d9a33c814ad7fd2496",
      "parents": [
        "5b26dbdd5f22871c21fc2ea4afedfe4ecad62d72"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:45 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:36 2012 -0700"
      },
      "message": "atm: fix info leak via getsockname()\n\n[ Upstream commit 3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a ]\n\nThe ATM code fails to initialize the two padding bytes of struct\nsockaddr_atmpvc inserted for alignment. Add an explicit memset(0)\nbefore filling the structure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "5b26dbdd5f22871c21fc2ea4afedfe4ecad62d72",
      "tree": "879879858bb2508f4285b0d1eae2b25e4c51a7a1",
      "parents": [
        "84a2d3c44cce71152f3555af83bafea6ec5ef23c"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:44 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:35 2012 -0700"
      },
      "message": "atm: fix info leak in getsockopt(SO_ATMPVC)\n\n[ Upstream commit e862f1a9b7df4e8196ebec45ac62295138aa3fc2 ]\n\nThe ATM code fails to initialize the two padding bytes of struct\nsockaddr_atmpvc inserted for alignment. Add an explicit memset(0)\nbefore filling the structure to avoid the info leak.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "84a2d3c44cce71152f3555af83bafea6ec5ef23c",
      "tree": "fb069dbaa2fe6244cf4a4eaa9cbcdfdc57d22771",
      "parents": [
        "c8cca9d90b953a0a2b5d0edab789f5c52ae983f5"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "bhutchings@solarflare.com",
        "time": "Tue Aug 14 08:54:51 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:35 2012 -0700"
      },
      "message": "ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock\n\n[ Upstream commit 4acd4945cd1e1f92b20d14e349c6c6a52acbd42d ]\n\nCong Wang reports that lockdep detected suspicious RCU usage while\nenabling IPV6 forwarding:\n\n [ 1123.310275] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n [ 1123.442202] [ INFO: suspicious RCU usage. ]\n [ 1123.558207] 3.6.0-rc1+ #109 Not tainted\n [ 1123.665204] -------------------------------\n [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!\n [ 1123.992320]\n [ 1123.992320] other info that might help us debug this:\n [ 1123.992320]\n [ 1124.307382]\n [ 1124.307382] rcu_scheduler_active \u003d 1, debug_locks \u003d 0\n [ 1124.522220] 2 locks held by sysctl/5710:\n [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [\u003cffffffff81768498\u003e] rtnl_trylock+0x15/0x17\n [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [\u003cffffffff81871df8\u003e] rcu_lock_acquire+0x0/0x29\n [ 1125.085209]\n [ 1125.085209] stack backtrace:\n [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109\n [ 1125.441291] Call Trace:\n [ 1125.545281]  [\u003cffffffff8109d915\u003e] lockdep_rcu_suspicious+0x109/0x112\n [ 1125.667212]  [\u003cffffffff8107c240\u003e] rcu_preempt_sleep_check+0x45/0x47\n [ 1125.781838]  [\u003cffffffff8107c260\u003e] __might_sleep+0x1e/0x19b\n[...]\n [ 1127.445223]  [\u003cffffffff81757ac5\u003e] call_netdevice_notifiers+0x4a/0x4f\n[...]\n [ 1127.772188]  [\u003cffffffff8175e125\u003e] dev_disable_lro+0x32/0x6b\n [ 1127.885174]  [\u003cffffffff81872d26\u003e] dev_forward_change+0x30/0xcb\n [ 1128.013214]  [\u003cffffffff818738c4\u003e] addrconf_forward_change+0x85/0xc5\n[...]\n\naddrconf_forward_change() uses RCU iteration over the netdev list,\nwhich is unnecessary since it already holds the RTNL lock.  We also\ncannot reasonably require netdevice notifier functions not to sleep.\n\nReported-by: Cong Wang \u003camwang@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cbhutchings@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "c8cca9d90b953a0a2b5d0edab789f5c52ae983f5",
      "tree": "cb7361eb1dbf30145276156e99f4e82941f456bd",
      "parents": [
        "caf2630c41a183b72e5d6211e5efd1457ac0c463"
      ],
      "author": {
        "name": "danborkmann@iogearbox.net",
        "email": "danborkmann@iogearbox.net",
        "time": "Fri Aug 10 22:48:54 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:35 2012 -0700"
      },
      "message": "af_packet: remove BUG statement in tpacket_destruct_skb\n\n[ Upstream commit 7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 ]\n\nHere\u0027s a quote of the comment about the BUG macro from asm-generic/bug.h:\n\n Don\u0027t use BUG() or BUG_ON() unless there\u0027s really no way out; one\n example might be detecting data structure corruption in the middle\n of an operation that can\u0027t be backed out of.  If the (sub)system\n can somehow continue operating, perhaps with reduced functionality,\n it\u0027s probably not BUG-worthy.\n\n If you\u0027re tempted to BUG(), think again:  is completely giving up\n really the *only* solution?  There are usually better options, where\n users don\u0027t need to reboot ASAP and can mostly shut down cleanly.\n\nIn our case, the status flag of a ring buffer slot is managed from both sides,\nthe kernel space and the user space. This means that even though the kernel\nside might work as expected, the user space screws up and changes this flag\nright between the send(2) is triggered when the flag is changed to\nTP_STATUS_SENDING and a given skb is destructed after some time. Then, this\nwill hit the BUG macro. As David suggested, the best solution is to simply\nremove this statement since it cannot be used for kernel side internal\nconsistency checks. I\u0027ve tested it and the system still behaves /stable/ in\nthis case, so in accordance with the above comment, we should rather remove it.\n\nSigned-off-by: Daniel Borkmann \u003cdaniel.borkmann@tik.ee.ethz.ch\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "caf2630c41a183b72e5d6211e5efd1457ac0c463",
      "tree": "5bcd1cdd058be10d65ea4fb7a809c5b00ef41aaf",
      "parents": [
        "a348ed02b367a8a8307444724db5c8e96c90ac78"
      ],
      "author": {
        "name": "Alexey Khoroshilov",
        "email": "khoroshilov@ispras.ru",
        "time": "Wed Aug 08 00:33:25 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:35 2012 -0700"
      },
      "message": "net/core: Fix potential memory leak in dev_set_alias()\n\n[ Upstream commit 7364e445f62825758fa61195d237a5b8ecdd06ec ]\n\nDo not leak memory by updating pointer with potentially NULL realloc return value.\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\nSigned-off-by: Alexey Khoroshilov \u003ckhoroshilov@ispras.ru\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "7e0c71a9a5a23f9433eac1d0aabbc9d54da3428b",
      "tree": "78f3871cb2b2f4cd89a6ed8bda6bfc325e3f7814",
      "parents": [
        "4658b24b2dd0e4c6215db2203743fa999765e8a0"
      ],
      "author": {
        "name": "Hiroaki SHIMODA",
        "email": "shimoda.hiroaki@gmail.com",
        "time": "Fri Aug 03 19:57:52 2012 +0900"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:34 2012 -0700"
      },
      "message": "net_sched: gact: Fix potential panic in tcf_gact().\n\n[ Upstream commit 696ecdc10622d86541f2e35cc16e15b6b3b1b67e ]\n\ngact_rand array is accessed by gact-\u003etcfg_ptype whose value\nis assumed to less than MAX_RAND, but any range checks are\nnot performed.\n\nSo add a check in tcf_gact_init(). And in tcf_gact(), we can\nreduce a branch.\n\nSigned-off-by: Hiroaki SHIMODA \u003cshimoda.hiroaki@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "4658b24b2dd0e4c6215db2203743fa999765e8a0",
      "tree": "9a88804f646780a2424a5ac87586151e923b1b64",
      "parents": [
        "0a1f711681e0d7068b69c0697c4ba284fbf1b2bf"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "bhutchings@solarflare.com",
        "time": "Mon Jul 30 16:11:42 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:34 2012 -0700"
      },
      "message": "tcp: Apply device TSO segment limit earlier\n\n[ Upstream commit 1485348d2424e1131ea42efc033cbd9366462b01 ]\n\nCache the device gso_max_segs in sock::sk_gso_max_segs and use it to\nlimit the size of TSO skbs.  This avoids the need to fall back to\nsoftware GSO for local TCP senders.\n\nSigned-off-by: Ben Hutchings \u003cbhutchings@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "2dc3b21fbca98bd3c8d9e53acf5d966add3c7606",
      "tree": "6fe9f88dec40cfca839962a5a363848b27afb744",
      "parents": [
        "00709f7f01c3a10252f030f0bdacecbb349d7be4"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "bhutchings@solarflare.com",
        "time": "Mon Jul 30 15:57:00 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Oct 02 10:29:34 2012 -0700"
      },
      "message": "net: Allow driver to limit number of GSO segments per skb\n\n[ Upstream commit 30b678d844af3305cda5953467005cebb5d7b687 ]\n\nA peer (or local user) may cause TCP to use a nominal MSS of as little\nas 88 (actual MSS of 76 with timestamps).  Given that we have a\nsufficiently prodigious local sender and the peer ACKs quickly enough,\nit is nevertheless possible to grow the window for such a connection\nto the point that we will try to send just under 64K at once.  This\nresults in a single skb that expands to 861 segments.\n\nIn some drivers with TSO support, such an skb will require hundreds of\nDMA descriptors; a substantial fraction of a TX ring or even more than\na full ring.  The TX queue selected for the skb may stall and trigger\nthe TX watchdog repeatedly (since the problem skb will be retried\nafter the TX reset).  This particularly affects sfc, for which the\nissue is designated as CVE-2012-3412.\n\nTherefore:\n1. Add the field net_device::gso_max_segs holding the device-specific\n   limit.\n2. In netif_skb_features(), if the number of segments is too high then\n   mask out GSO features to force fall back to software GSO.\n\nSigned-off-by: Ben Hutchings \u003cbhutchings@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "af843972724e172827266e91ba326c069c8c088c",
      "tree": "532784df2f1c8e938f015e9f52c6fe7ae23981e4",
      "parents": [
        "72961d91696071841fa013f11f686eaa7e2d0996"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Wed Aug 15 11:31:54 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:34 2012 -0700"
      },
      "message": "dccp: check ccid before dereferencing\n\ncommit 276bdb82dedb290511467a5a4fdbe9f0b52dce6f upstream.\n\nccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with\na NULL ccid pointer leading to a NULL pointer dereference. This could\nlead to a privilege escalation if the attacker is able to map page 0 and\nprepare it with a fake ccid_ops pointer.\n\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Gerrit Renker \u003cgerrit@erg.abdn.ac.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "43da476d7f734a1b55680668246d0237dde4ea57",
      "tree": "109cac684c7f88772dcf89779f863730e70907ad",
      "parents": [
        "05d71a5a25da396f76ee942af6682dfaecc73e84"
      ],
      "author": {
        "name": "Mikulas Patocka",
        "email": "mpatocka@redhat.com",
        "time": "Sat Sep 01 12:34:07 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:23 2012 -0700"
      },
      "message": "Fix order of arguments to compat_put_time[spec|val]\n\ncommit ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d upstream.\n\nCommit 644595f89620 (\"compat: Handle COMPAT_USE_64BIT_TIME in\nnet/socket.c\") introduced a bug where the helper functions to take\neither a 64-bit or compat time[spec|val] got the arguments in the wrong\norder, passing the kernel stack pointer off as a user pointer (and vice\nversa).\n\nBecause of the user address range check, that in turn then causes an\nEFAULT due to the user pointer range checking failing for the kernel\naddress.  Incorrectly resuling in a failed system call for 32-bit\nprocesses with a 64-bit kernel.\n\nOn odder architectures like HP-PA (with separate user/kernel address\nspaces), it can be used read kernel memory.\n\nSigned-off-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "234c04ccc3c86c1da2f4173fdafb805bb6160380",
      "tree": "6d9f9b0d30042c6356d0d2c57b9af9f0d88881e5",
      "parents": [
        "973caa9ec69452d87f65e67019429be5265f2534"
      ],
      "author": {
        "name": "J. Bruce Fields",
        "email": "bfields@redhat.com",
        "time": "Mon Aug 20 16:04:40 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:19 2012 -0700"
      },
      "message": "svcrpc: sends on closed socket should stop immediately\n\ncommit f06f00a24d76e168ecb38d352126fd203937b601 upstream.\n\nsvc_tcp_sendto sets XPT_CLOSE if we fail to transmit the entire reply.\nHowever, the XPT_CLOSE won\u0027t be acted on immediately.  Meanwhile other\nthreads could send further replies before the socket is really shut\ndown.  This can manifest as data corruption: for example, if a truncated\nread reply is followed by another rpc reply, that second reply will look\nto the client like further read data.\n\nSymptoms were data corruption preceded by svc_tcp_sendto logging\nsomething like\n\n\tkernel: rpc-srv/tcp: nfsd: sent only 963696 when sending 1048708 bytes - shutting down socket\n\nReported-by: Malahal Naineni \u003cmalahal@us.ibm.com\u003e\nTested-by: Malahal Naineni \u003cmalahal@us.ibm.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "973caa9ec69452d87f65e67019429be5265f2534",
      "tree": "c2fd5a6e895d37f93e9dad62c773481ca251d366",
      "parents": [
        "389aec33837aeaf7e7e3cb31b6f1c6da6b009fb6"
      ],
      "author": {
        "name": "J. Bruce Fields",
        "email": "bfields@redhat.com",
        "time": "Fri Aug 17 17:31:53 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:19 2012 -0700"
      },
      "message": "svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping\n\ncommit d10f27a750312ed5638c876e4bd6aa83664cccd8 upstream.\n\nThe rpc server tries to ensure that there will be room to send a reply\nbefore it receives a request.\n\nIt does this by tracking, in xpt_reserved, an upper bound on the total\nsize of the replies that is has already committed to for the socket.\n\nCurrently it is adding in the estimate for a new reply *before* it\nchecks whether there is space available.  If it finds that there is not\nspace, it then subtracts the estimate back out.\n\nThis may lead the subsequent svc_xprt_enqueue to decide that there is\nspace after all.\n\nThe results is a svc_recv() that will repeatedly return -EAGAIN, causing\nserver threads to loop without doing any actual work.\n\nReported-by: Michael Tokarev \u003cmjt@tls.msk.ru\u003e\nTested-by: Michael Tokarev \u003cmjt@tls.msk.ru\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "389aec33837aeaf7e7e3cb31b6f1c6da6b009fb6",
      "tree": "2c9e3b1b1c7765fe98ebaac5ae61bdba4bdbcd96",
      "parents": [
        "cbd3df71bb6563fe9ab2a16dc57937c0b59c3976"
      ],
      "author": {
        "name": "J. Bruce Fields",
        "email": "bfields@redhat.com",
        "time": "Thu Aug 09 18:12:28 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:19 2012 -0700"
      },
      "message": "svcrpc: fix BUG() in svc_tcp_clear_pages\n\ncommit be1e44441a560c43c136a562d49a1c9623c91197 upstream.\n\nExamination of svc_tcp_clear_pages shows that it assumes sk_tcplen is\nconsistent with sk_pages[] (in particular, sk_pages[n] can\u0027t be NULL if\nsk_tcplen would lead us to expect n pages of data).\n\nsvc_tcp_restore_pages zeroes out sk_pages[] while leaving sk_tcplen.\nThis is OK, since both functions are serialized by XPT_BUSY.  However,\nthat means the inconsistency must be repaired before dropping XPT_BUSY.\n\nTherefore we should be ensuring that svc_tcp_save_pages repairs the\nproblem before exiting svc_tcp_recv_record on error.\n\nSymptoms were a BUG() in svc_tcp_clear_pages.\n\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "3cf3cfc448c480c86c439ba7c707a7b4f73ba9d9",
      "tree": "cf9b205436c7bbd8425fca235cdcd9e37c3e5391",
      "parents": [
        "4a20bce04ec14c74f5b77c73d7d8d476ace74cea"
      ],
      "author": {
        "name": "Szymon Janc",
        "email": "szymon.janc@tieto.com",
        "time": "Thu Jul 19 14:46:08 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:18 2012 -0700"
      },
      "message": "Bluetooth: Fix legacy pairing with some devices\n\ncommit a9ea3ed9b71cc3271dd59e76f65748adcaa76422 upstream.\n\nSome devices e.g. some Android based phones don\u0027t do SDP search before\npairing and cancel legacy pairing when ACL is disconnected.\n\nPIN Code Request event which changes ACL timeout to HCI_PAIRING_TIMEOUT\nis only received after remote user entered PIN.\n\nIn that case no L2CAP is connected so default HCI_DISCONN_TIMEOUT\n(2 seconds) is being used to timeout ACL connection. This results in\nproblems with legacy pairing as remote user has only few seconds to\nenter PIN before ACL is disconnected.\n\nIncrease disconnect timeout for incomming connection to\nHCI_PAIRING_TIMEOUT if SSP is disabled and no linkey exists.\n\nTo avoid keeping ACL alive for too long after SDP search set ACL\ntimeout back to HCI_DISCONN_TIMEOUT when L2CAP is connected.\n\n2012-07-19 13:24:43.413521 \u003c HCI Command: Create Connection (0x01|0x0005) plen 13\n    bdaddr 00:02:72:D6:6A:3F ptype 0xcc18 rswitch 0x01 clkoffset 0x0000\n    Packet type: DM1 DM3 DM5 DH1 DH3 DH5\n2012-07-19 13:24:43.425224 \u003e HCI Event: Command Status (0x0f) plen 4\n    Create Connection (0x01|0x0005) status 0x00 ncmd 1\n2012-07-19 13:24:43.885222 \u003e HCI Event: Role Change (0x12) plen 8\n    status 0x00 bdaddr 00:02:72:D6:6A:3F role 0x01\n    Role: Slave\n2012-07-19 13:24:44.054221 \u003e HCI Event: Connect Complete (0x03) plen 11\n    status 0x00 handle 42 bdaddr 00:02:72:D6:6A:3F type ACL encrypt 0x00\n2012-07-19 13:24:44.054313 \u003c HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2\n    handle 42\n2012-07-19 13:24:44.055176 \u003e HCI Event: Page Scan Repetition Mode Change (0x20) plen 7\n    bdaddr 00:02:72:D6:6A:3F mode 0\n2012-07-19 13:24:44.056217 \u003e HCI Event: Max Slots Change (0x1b) plen 3\n    handle 42 slots 5\n2012-07-19 13:24:44.059218 \u003e HCI Event: Command Status (0x0f) plen 4\n    Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 0\n2012-07-19 13:24:44.062192 \u003e HCI Event: Command Status (0x0f) plen 4\n    Unknown (0x00|0x0000) status 0x00 ncmd 1\n2012-07-19 13:24:44.067219 \u003e HCI Event: Read Remote Supported Features (0x0b) plen 11\n    status 0x00 handle 42\n    Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87\n2012-07-19 13:24:44.067248 \u003c HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3\n    handle 42 page 1\n2012-07-19 13:24:44.071217 \u003e HCI Event: Command Status (0x0f) plen 4\n    Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1\n2012-07-19 13:24:44.076218 \u003e HCI Event: Read Remote Extended Features (0x23) plen 13\n    status 0x00 handle 42 page 1 max 1\n    Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n2012-07-19 13:24:44.076249 \u003c HCI Command: Remote Name Request (0x01|0x0019) plen 10\n    bdaddr 00:02:72:D6:6A:3F mode 2 clkoffset 0x0000\n2012-07-19 13:24:44.081218 \u003e HCI Event: Command Status (0x0f) plen 4\n    Remote Name Request (0x01|0x0019) status 0x00 ncmd 1\n2012-07-19 13:24:44.105214 \u003e HCI Event: Remote Name Req Complete (0x07) plen 255\n    status 0x00 bdaddr 00:02:72:D6:6A:3F name \u0027uw000951-0\u0027\n2012-07-19 13:24:44.105284 \u003c HCI Command: Authentication Requested (0x01|0x0011) plen 2\n    handle 42\n2012-07-19 13:24:44.111207 \u003e HCI Event: Command Status (0x0f) plen 4\n    Authentication Requested (0x01|0x0011) status 0x00 ncmd 1\n2012-07-19 13:24:44.112220 \u003e HCI Event: Link Key Request (0x17) plen 6\n    bdaddr 00:02:72:D6:6A:3F\n2012-07-19 13:24:44.112249 \u003c HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6\n    bdaddr 00:02:72:D6:6A:3F\n2012-07-19 13:24:44.115215 \u003e HCI Event: Command Complete (0x0e) plen 10\n    Link Key Request Negative Reply (0x01|0x000c) ncmd 1\n    status 0x00 bdaddr 00:02:72:D6:6A:3F\n2012-07-19 13:24:44.116215 \u003e HCI Event: PIN Code Request (0x16) plen 6\n    bdaddr 00:02:72:D6:6A:3F\n2012-07-19 13:24:48.099184 \u003e HCI Event: Auth Complete (0x06) plen 3\n    status 0x13 handle 42\n    Error: Remote User Terminated Connection\n2012-07-19 13:24:48.179182 \u003e HCI Event: Disconn Complete (0x05) plen 4\n    status 0x00 handle 42 reason 0x13\n    Reason: Remote User Terminated Connection\n\nSigned-off-by: Szymon Janc \u003cszymon.janc@tieto.com\u003e\nAcked-by: Johan Hedberg \u003cjohan.hedberg@intel.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4a20bce04ec14c74f5b77c73d7d8d476ace74cea",
      "tree": "398e58b2c115a384a0d3836f6bd6338c2c642777",
      "parents": [
        "a8b8ad6dcf49c84c7a8633082191c6fd7539c355"
      ],
      "author": {
        "name": "Ram Malovany",
        "email": "ramm@ti.com",
        "time": "Thu Jul 19 10:26:11 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:18 2012 -0700"
      },
      "message": "Bluetooth: Set name_state to unknown when entry name is empty\n\ncommit c3e7c0d90b14a3e7ac091d24cef09efb516d587b upstream.\n\nWhen the name of the given entry is empty , the state needs to be\nupdated accordingly.\n\nSigned-off-by: Ram Malovany \u003cramm@ti.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a8b8ad6dcf49c84c7a8633082191c6fd7539c355",
      "tree": "04b83d3d6fd2d6c2c5fefff150b835d7a315bead",
      "parents": [
        "a431bd57a95921188f61096e5ce29d1b769be118"
      ],
      "author": {
        "name": "Ram Malovany",
        "email": "ramm@ti.com",
        "time": "Thu Jul 19 10:26:10 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:18 2012 -0700"
      },
      "message": "Bluetooth: Fix using a NULL inquiry cache entry\n\ncommit 7cc8380eb10347016d95bf6f9d842c2ae6d12932 upstream.\n\nIf the device was not found in a list of found devices names of which\nare pending.This may happen in a case when HCI Remote Name Request\nwas sent as a part of incoming connection establishment procedure.\nHence there is no need to continue resolving a next name as it will\nbe done upon receiving another Remote Name Request Complete Event.\nThis will fix a kernel crash when trying to use this entry to resolve\nthe next name.\n\nSigned-off-by: Ram Malovany \u003cramm@ti.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a431bd57a95921188f61096e5ce29d1b769be118",
      "tree": "f4fbb606f078679e9f9e918354ddba0b075e4ada",
      "parents": [
        "4c795fe18aa1d2756a82c46ca29d4bfad2704d4d"
      ],
      "author": {
        "name": "Ram Malovany",
        "email": "ramm@ti.com",
        "time": "Thu Jul 19 10:26:09 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Sep 14 10:00:18 2012 -0700"
      },
      "message": "Bluetooth: Fix using NULL inquiry entry\n\ncommit c810089c27e48b816181b454fcc493d19fdbc2ba upstream.\n\nIf entry wasn\u0027t found in the hci_inquiry_cache_lookup_resolve do not\nresolve the name.This will fix a kernel crash when trying to use NULL\npointer.\n\nSigned-off-by: Ram Malovany \u003cramm@ti.com\u003e\nSigned-off-by: Gustavo Padovan \u003cgustavo.padovan@collabora.co.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "510f1d143b72225df068a31b2b105edaef5f2420",
      "tree": "2cc6c7531cbd91cb5fa1737ce9a2726590aceee1",
      "parents": [
        "25320e75fe0296dab5ae37c6b59f18899cd1c310"
      ],
      "author": {
        "name": "Liang Li",
        "email": "liang.li@windriver.com",
        "time": "Thu Aug 02 18:55:41 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:33 2012 -0700"
      },
      "message": "cfg80211: fix interface combinations check for ADHOC(IBSS)\n\npartial of commit 8e8b41f9d8c8e63fc92f899ace8da91a490ac573 upstream.\n\nAs part of commit 463454b5dbd8 (\"cfg80211: fix interface\ncombinations check\"), this extra check was introduced:\n\n       if ((all_iftypes \u0026 used_iftypes) !\u003d used_iftypes)\n               goto cont;\n\nHowever, most wireless NIC drivers did not advertise ADHOC in\nwiphy.iface_combinations[i].limits[] and hence we\u0027ll get -EBUSY\nwhen we bring up a ADHOC wlan with commands similar to:\n\n # iwconfig wlan0 mode ad-hoc \u0026\u0026 ifconfig wlan0 up\n\nIn commit 8e8b41f9d8c8e (\"cfg80211: enforce lack of interface\ncombinations\"), the change below fixes the issue:\n\n       if (total \u003d\u003d 1)\n               return 0;\n\nBut it also introduces other dependencies for stable. For example,\na full cherry pick of 8e8b41f9d8c8e would introduce additional\nregressions unless we also start cherry picking driver specific\nfixes like the following:\n\n  9b4760e  ath5k: add possible wiphy interface combinations\n  1ae2fc2  mac80211_hwsim: advertise interface combinations\n  20c8e8d  ath9k: add possible wiphy interface combinations\n\nAnd the purpose of the \u0027if (total \u003d\u003d 1)\u0027 is to cover the specific\nuse case (IBSS, adhoc) that was mentioned above. So we just pick\nthe specific part out from 8e8b41f9d8c8e here.\n\nDoing so gives stable kernels a way to fix the change introduced\nby 463454b5dbd8, without having to make cherry picks specific to\nvarious NIC drivers.\n\nSigned-off-by: Liang Li \u003cliang.li@windriver.com\u003e\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "25320e75fe0296dab5ae37c6b59f18899cd1c310",
      "tree": "207d5ae58f78b1331e71e339b618736ac9acd3b8",
      "parents": [
        "5784dff6267c788b40a2c9931b13a079e9011936"
      ],
      "author": {
        "name": "Daniel Drake",
        "email": "dsd@laptop.org",
        "time": "Thu Aug 02 18:41:48 2012 +0100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:32 2012 -0700"
      },
      "message": "cfg80211: process pending events when unregistering net device\n\ncommit 1f6fc43e621167492ed4b7f3b4269c584c3d6ccc upstream.\n\nlibertas currently calls cfg80211_disconnected() when it is being\nbrought down. This causes an event to be allocated, but since the\nwdev is already removed from the rdev by the time that the event\nprocessing work executes, the event is never processed or freed.\nhttp://article.gmane.org/gmane.linux.kernel.wireless.general/95666\n\nFix this leak, and other possible situations, by processing the event\nqueue when a device is being unregistered. Thanks to Johannes Berg for\nthe suggestion.\n\nSigned-off-by: Daniel Drake \u003cdsd@laptop.org\u003e\nReviewed-by: Johannes Berg \u003cjohannes@sipsolutions.net\u003e\nSigned-off-by: John W. Linville \u003clinville@tuxdriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "e48fa33d22f6a28b57ade6522230755eae394548",
      "tree": "1cfc2536fabfac9f07acdf8be6f3b7c82fbeba46",
      "parents": [
        "76b9be5d7feba335f0bfd4edf0386296cdaf57f2"
      ],
      "author": {
        "name": "Theodore Ts\u0027o",
        "email": "tytso@mit.edu",
        "time": "Wed Jul 04 21:23:25 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:28 2012 -0700"
      },
      "message": "net: feed /dev/random with the MAC address when registering a device\n\ncommit 7bf2357524408b97fec58344caf7397f8140c3fd upstream.\n\nSigned-off-by: \"Theodore Ts\u0027o\" \u003ctytso@mit.edu\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "0295403cd835f7260c6d9262817138f9f1cd8e19",
      "tree": "7f768cbbaa79380c0c7824af61373ca7f3a3a73f",
      "parents": [
        "ccf0b822f9fbbde08d56c2be07c0ab4c17036d1d"
      ],
      "author": {
        "name": "Stanislaw Gruszka",
        "email": "sgruszka@redhat.com",
        "time": "Tue Jul 24 08:35:39 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:10 2012 -0700"
      },
      "message": "wireless: reg: restore previous behaviour of chan-\u003emax_power calculations\n\ncommit 5e31fc0815a4e2c72b1b495fe7a0d8f9bfb9e4b4 upstream.\n\ncommit eccc068e8e84c8fe997115629925e0422a98e4de\nAuthor: Hong Wu \u003cHong.Wu@dspg.com\u003e\nDate:   Wed Jan 11 20:33:39 2012 +0200\n\n    wireless: Save original maximum regulatory transmission power for the calucation of the local maximum transmit pow\n\nchanged the way we calculate chan-\u003emax_power as min(chan-\u003emax_power,\nchan-\u003emax_reg_power). That broke rt2x00 (and perhaps some other\ndrivers) that do not set chan-\u003emax_power. It is not so easy to fix this\nproblem correctly in rt2x00.\n\nAccording to commit eccc068e8 changelog, change claim only to save\nmaximum regulatory power - changing setting of chan-\u003emax_power was side\neffect. This patch restore previous calculations of chan-\u003emax_power and\ndo not touch chan-\u003emax_reg_power.\n\nSigned-off-by: Stanislaw Gruszka \u003csgruszka@redhat.com\u003e\nAcked-by: Luis R. Rodriguez \u003cmcgrof@qca.qualcomm.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "33db2f2ced18a4119746e8fa89a3aba13a9d2eac",
      "tree": "958bad3e7bb08f65ef09dbc8f96ce63c03f45b67",
      "parents": [
        "73ee3f4cbd1e240e53c51283a3e6110f222ef424"
      ],
      "author": {
        "name": "Johannes Berg",
        "email": "johannes.berg@intel.com",
        "time": "Wed Aug 01 21:03:21 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:09 2012 -0700"
      },
      "message": "mac80211: cancel mesh path timer\n\ncommit dd4c9260e7f23f2e951cbfb2726e468c6d30306c upstream.\n\nThe mesh path timer needs to be canceled when\nleaving the mesh as otherwise it could fire\nafter the interface has been removed already.\n\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "d281dc7448010256bf2e23a65e10a4f6fc786284",
      "tree": "424581752457e5ba30cd92bbe3746d8b03765c80",
      "parents": [
        "613975f7a65f75b6e720bfca721d2d99542c53b8"
      ],
      "author": {
        "name": "Stanislav Kinsbursky",
        "email": "skinsbursky@parallels.com",
        "time": "Fri Jul 20 15:57:48 2012 +0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:05 2012 -0700"
      },
      "message": "SUNRPC: return negative value in case rpcbind client creation error\n\ncommit caea33da898e4e14f0ba58173e3b7689981d2c0b upstream.\n\nWithout this patch kernel will panic on LockD start, because lockd_up() checks\nlockd_up_net() result for negative value.\nFrom my pow it\u0027s better to return negative value from rpcbind routines instead\nof replacing all such checks like in lockd_up().\n\nSigned-off-by: Stanislav Kinsbursky \u003cskinsbursky@parallels.com\u003e\nSigned-off-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "613975f7a65f75b6e720bfca721d2d99542c53b8",
      "tree": "bb5d6b7ed75bb03b05ce36d76514f7f056c37800",
      "parents": [
        "88cdb96565315a7e127a1fcd6a8e2d1374be9aa2"
      ],
      "author": {
        "name": "Joe Perches",
        "email": "joe@perches.com",
        "time": "Wed Jul 18 11:17:11 2012 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Aug 15 08:10:04 2012 -0700"
      },
      "message": "sunrpc: clnt: Add missing braces\n\ncommit cac5d07e3ca696dcacfb123553cf6c722111cfd3 upstream.\n\nAdd a missing set of braces that commit 4e0038b6b24\n(\"SUNRPC: Move clnt-\u003ecl_server into struct rpc_xprt\")\nforgot.\n\nSigned-off-by: Joe Perches \u003cjoe@perches.com\u003e\nSigned-off-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2ce42ec4ef551b08d2e5d26775d838ac640f82ad",
      "tree": "b0b95bbd562ed19c5423ac568030fee08a841332",
      "parents": [
        "202a3667cfc09edca2338a1fb5d6ffb0dddc9bcc"
      ],
      "author": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Fri Jul 27 10:38:50 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:51 2012 -0700"
      },
      "message": "tcp: perform DMA to userspace only if there is a task waiting for it\n\n[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]\n\nBack in 2006, commit 1a2449a87b (\"[I/OAT]: TCP recv offload to I/OAT\")\nadded support for receive offloading to IOAT dma engine if available.\n\nThe code in tcp_rcv_established() tries to perform early DMA copy if\napplicable. It however does so without checking whether the userspace\ntask is actually expecting the data in the buffer.\n\nThis is not a problem under normal circumstances, but there is a corner\ncase where this doesn\u0027t work -- and that\u0027s when MSG_TRUNC flag to\nrecvmsg() is used.\n\nIf the IOAT dma engine is not used, the code properly checks whether\nthere is a valid ucopy.task and the socket is owned by userspace, but\nmisses the check in the dmaengine case.\n\nThis problem can be observed in real trivially -- for example \u0027tbench\u0027 is a\ngood reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing\nIOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they\nhave been already early-copied in tcp_rcv_established() using dma engine.\n\nThis patch introduces the same check we are performing in the simple\niovec copy case to the IOAT case as well. It fixes the indefinite\nrecvmsg(MSG_TRUNC) hangs.\n\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "202a3667cfc09edca2338a1fb5d6ffb0dddc9bcc",
      "tree": "96ab669f4f0011b9e1d0b6c7f79a06c302821b83",
      "parents": [
        "e5481652427aa25fc74b45d755ff678df33601c1"
      ],
      "author": {
        "name": "Jiri Benc",
        "email": "jbenc@redhat.com",
        "time": "Fri Jul 27 02:58:22 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:51 2012 -0700"
      },
      "message": "net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling\n\n[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]\n\nWhen device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI\nflags are handled specially. Function dev_change_flags sets IFF_PROMISC and\nIFF_ALLMULTI bits in dev-\u003egflags according to the passed value but\ndo_setlink passes a result of rtnl_dev_combine_flags which takes those bits\nfrom dev-\u003eflags.\n\nThis can be easily trigerred by doing:\n\ntcpdump -i eth0 \u0026\nip l s up eth0\n\nip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with\nIFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set\nIFF_PROMISC in gflags.\n\nReported-by: Max Matveev \u003cmakc@redhat.com\u003e\nSigned-off-by: Jiri Benc \u003cjbenc@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "ac6b310c5f5ecd6154e07069c6b6b67b7e768d8b",
      "tree": "a0629399ce8a1e6428b7b7438d8631e61ed1d0b8",
      "parents": [
        "1a8634186c17426f79c3bfcbc4fab75aa0f53c3b"
      ],
      "author": {
        "name": "Hangbin Liu",
        "email": "liuhangbin@gmail.com",
        "time": "Thu Jul 26 22:52:21 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:51 2012 -0700"
      },
      "message": "tcp: Add TCP_USER_TIMEOUT negative value check\n\n[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]\n\nTCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But\npatch \"tcp: Add TCP_USER_TIMEOUT socket option\"(dca43c75) didn\u0027t check the negative\nvalues. If a user assign -1 to it, the socket will set successfully and wait\nfor 4294967295 miliseconds. This patch add a negative value check to avoid\nthis issue.\n\nSigned-off-by: Hangbin Liu \u003cliuhangbin@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "1a8634186c17426f79c3bfcbc4fab75aa0f53c3b",
      "tree": "f17766d79578af5d10746015fb9c3f1041687fdb",
      "parents": [
        "2138dede8c23f5646c81381c71aac37e67b491b0"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@linux.intel.com",
        "time": "Tue Jul 24 08:16:25 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:51 2012 -0700"
      },
      "message": "wanmain: comparing array with NULL\n\n[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]\n\ngcc really should warn about these !\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "4deb65e759dd2ff7dd5e40bd6d4bf0dad6d88269",
      "tree": "f3df7cc13f2bb4238e1ec23cf1fcdcf375404ff3",
      "parents": [
        "a080e65186d367508e2b4e68290656ddce493136"
      ],
      "author": {
        "name": "Jesper Juhl",
        "email": "jj@chaosbits.net",
        "time": "Sun Jul 22 11:37:20 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:42 2012 -0700"
      },
      "message": "net: Fix references to out-of-scope variables in put_cmsg_compat()\n\n[ Upstream commit 818810472b129004c16fc51bf0a570b60776bfb7 ]\n\nIn net/compat.c::put_cmsg_compat() we may assign \u0027data\u0027 the address of\neither the \u0027ctv\u0027 or \u0027cts\u0027 local variables inside the \u0027if\n(!COMPAT_USE_64BIT_TIME)\u0027 branch.\n\nThose variables go out of scope at the end of the \u0027if\u0027 statement, so\nwhen we use \u0027data\u0027 further down in \u0027copy_to_user(CMSG_COMPAT_DATA(cm),\ndata, cmlen - sizeof(struct compat_cmsghdr))\u0027 there\u0027s no telling what\nit may be refering to - not good.\n\nFix the problem by simply giving \u0027ctv\u0027 and \u0027cts\u0027 function scope.\n\nSigned-off-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "a080e65186d367508e2b4e68290656ddce493136",
      "tree": "ee58c4f07584ab6ae1da3c827f21dc92ce94ae2b",
      "parents": [
        "60d2aa556cc3f00f1276ae363dc6601359180ddc"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Jul 17 11:07:47 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:42 2012 -0700"
      },
      "message": "cipso: don\u0027t follow a NULL pointer when setsockopt() is called\n\n[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]\n\nAs reported by Alan Cox, and verified by Lin Ming, when a user\nattempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL\ntag the kernel dies a terrible death when it attempts to follow a NULL\npointer (the skb argument to cipso_v4_validate() is NULL when called via\nthe setsockopt() syscall).\n\nThis patch fixes this by first checking to ensure that the skb is\nnon-NULL before using it to find the incoming network interface.  In\nthe unlikely case where the skb is NULL and the user attempts to add\na CIPSO option with the _TAG_LOCAL tag we return an error as this is\nnot something we want to allow.\n\nA simple reproducer, kindly supplied by Lin Ming, although you must\nhave the CIPSO DOI #3 configure on the system first or you will be\ncaught early in cipso_v4_validate():\n\n\t#include \u003csys/types.h\u003e\n\t#include \u003csys/socket.h\u003e\n\t#include \u003clinux/ip.h\u003e\n\t#include \u003clinux/in.h\u003e\n\t#include \u003cstring.h\u003e\n\n\tstruct local_tag {\n\t\tchar type;\n\t\tchar length;\n\t\tchar info[4];\n\t};\n\n\tstruct cipso {\n\t\tchar type;\n\t\tchar length;\n\t\tchar doi[4];\n\t\tstruct local_tag local;\n\t};\n\n\tint main(int argc, char **argv)\n\t{\n\t\tint sockfd;\n\t\tstruct cipso cipso \u003d {\n\t\t\t.type \u003d IPOPT_CIPSO,\n\t\t\t.length \u003d sizeof(struct cipso),\n\t\t\t.local \u003d {\n\t\t\t\t.type \u003d 128,\n\t\t\t\t.length \u003d sizeof(struct local_tag),\n\t\t\t},\n\t\t};\n\n\t\tmemset(cipso.doi, 0, 4);\n\t\tcipso.doi[3] \u003d 3;\n\n\t\tsockfd \u003d socket(AF_INET, SOCK_DGRAM, 0);\n\t\t#define SOL_IP 0\n\t\tsetsockopt(sockfd, SOL_IP, IP_OPTIONS,\n\t\t\t\u0026cipso, sizeof(struct cipso));\n\n\t\treturn 0;\n\t}\n\nCC: Lin Ming \u003cmlin@ss.pku.edu.cn\u003e\nReported-by: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "60d2aa556cc3f00f1276ae363dc6601359180ddc",
      "tree": "b2120ef5892b7b1dd39d2fab0083894445c9c65a",
      "parents": [
        "2936d35db07cc3c9e3f2d60ed90f9a72f2031130"
      ],
      "author": {
        "name": "Sjur Brændeland",
        "email": "sjur.brandeland@stericsson.com",
        "time": "Sun Jul 15 10:10:14 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:42 2012 -0700"
      },
      "message": "caif: Fix access to freed pernet memory\n\n[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]\n\nunregister_netdevice_notifier() must be called before\nunregister_pernet_subsys() to avoid accessing already freed\npernet memory. This fixes the following oops when doing rmmod:\n\nCall Trace:\n [\u003cffffffffa0f802bd\u003e] caif_device_notify+0x4d/0x5a0 [caif]\n [\u003cffffffff81552ba9\u003e] unregister_netdevice_notifier+0xb9/0x100\n [\u003cffffffffa0f86dcc\u003e] caif_device_exit+0x1c/0x250 [caif]\n [\u003cffffffff810e7734\u003e] sys_delete_module+0x1a4/0x300\n [\u003cffffffff810da82d\u003e] ? trace_hardirqs_on_caller+0x15d/0x1e0\n [\u003cffffffff813517de\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3\n [\u003cffffffff81696bad\u003e] system_call_fastpath+0x1a/0x1f\n\nRIP\n [\u003cffffffffa0f7f561\u003e] caif_get+0x51/0xb0 [caif]\n\nSigned-off-by: Sjur Brændeland \u003csjur.brandeland@stericsson.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "2936d35db07cc3c9e3f2d60ed90f9a72f2031130",
      "tree": "568237d8b74c8dd354e58dc499f639ad0329d139",
      "parents": [
        "d5eeca5f5c19c472f8f221a81bb27f15a7aeed6c"
      ],
      "author": {
        "name": "Neil Horman",
        "email": "nhorman@tuxdriver.com",
        "time": "Mon Jul 16 09:13:51 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:42 2012 -0700"
      },
      "message": "sctp: Fix list corruption resulting from freeing an association on a list\n\n[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ]\n\nA few days ago Dave Jones reported this oops:\n\n[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP\n[22766.295376] CPU 0\n[22766.295384] Modules linked in:\n[22766.387137]  ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90\nffff880147c03a74\n[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000\n[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,\n[22766.387137] Stack:\n[22766.387140]  ffff880147c03a10\n[22766.387140]  ffffffffa169f2b6\n[22766.387140]  ffff88013ed95728\n[22766.387143]  0000000000000002\n[22766.387143]  0000000000000000\n[22766.387143]  ffff880003fad062\n[22766.387144]  ffff88013c120000\n[22766.387144]\n[22766.387145] Call Trace:\n[22766.387145]  \u003cIRQ\u003e\n[22766.387150]  [\u003cffffffffa169f292\u003e] ? __sctp_lookup_association+0x62/0xd0\n[sctp]\n[22766.387154]  [\u003cffffffffa169f2b6\u003e] __sctp_lookup_association+0x86/0xd0 [sctp]\n[22766.387157]  [\u003cffffffffa169f597\u003e] sctp_rcv+0x207/0xbb0 [sctp]\n[22766.387161]  [\u003cffffffff810d4da8\u003e] ? trace_hardirqs_off_caller+0x28/0xd0\n[22766.387163]  [\u003cffffffff815827e3\u003e] ? nf_hook_slow+0x133/0x210\n[22766.387166]  [\u003cffffffff815902fc\u003e] ? ip_local_deliver_finish+0x4c/0x4c0\n[22766.387168]  [\u003cffffffff8159043d\u003e] ip_local_deliver_finish+0x18d/0x4c0\n[22766.387169]  [\u003cffffffff815902fc\u003e] ? ip_local_deliver_finish+0x4c/0x4c0\n[22766.387171]  [\u003cffffffff81590a07\u003e] ip_local_deliver+0x47/0x80\n[22766.387172]  [\u003cffffffff8158fd80\u003e] ip_rcv_finish+0x150/0x680\n[22766.387174]  [\u003cffffffff81590c54\u003e] ip_rcv+0x214/0x320\n[22766.387176]  [\u003cffffffff81558c07\u003e] __netif_receive_skb+0x7b7/0x910\n[22766.387178]  [\u003cffffffff8155856c\u003e] ? __netif_receive_skb+0x11c/0x910\n[22766.387180]  [\u003cffffffff810d423e\u003e] ? put_lock_stats.isra.25+0xe/0x40\n[22766.387182]  [\u003cffffffff81558f83\u003e] netif_receive_skb+0x23/0x1f0\n[22766.387183]  [\u003cffffffff815596a9\u003e] ? dev_gro_receive+0x139/0x440\n[22766.387185]  [\u003cffffffff81559280\u003e] napi_skb_finish+0x70/0xa0\n[22766.387187]  [\u003cffffffff81559cb5\u003e] napi_gro_receive+0xf5/0x130\n[22766.387218]  [\u003cffffffffa01c4679\u003e] e1000_receive_skb+0x59/0x70 [e1000e]\n[22766.387242]  [\u003cffffffffa01c5aab\u003e] e1000_clean_rx_irq+0x28b/0x460 [e1000e]\n[22766.387266]  [\u003cffffffffa01c9c18\u003e] e1000e_poll+0x78/0x430 [e1000e]\n[22766.387268]  [\u003cffffffff81559fea\u003e] net_rx_action+0x1aa/0x3d0\n[22766.387270]  [\u003cffffffff810a495f\u003e] ? account_system_vtime+0x10f/0x130\n[22766.387273]  [\u003cffffffff810734d0\u003e] __do_softirq+0xe0/0x420\n[22766.387275]  [\u003cffffffff8169826c\u003e] call_softirq+0x1c/0x30\n[22766.387278]  [\u003cffffffff8101db15\u003e] do_softirq+0xd5/0x110\n[22766.387279]  [\u003cffffffff81073bc5\u003e] irq_exit+0xd5/0xe0\n[22766.387281]  [\u003cffffffff81698b03\u003e] do_IRQ+0x63/0xd0\n[22766.387283]  [\u003cffffffff8168ee2f\u003e] common_interrupt+0x6f/0x6f\n[22766.387283]  \u003cEOI\u003e\n[22766.387284]\n[22766.387285]  [\u003cffffffff8168eed9\u003e] ? retint_swapgs+0x13/0x1b\n[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48\n89 e5 48 83\nec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 \u003c0f\u003e b7 87 98 00 00 00\n48 89 fb\n49 89 f5 66 c1 c0 08 66 39 46 02\n[22766.387307]\n[22766.387307] RIP\n[22766.387311]  [\u003cffffffffa168a2c9\u003e] sctp_assoc_is_match+0x19/0x90 [sctp]\n[22766.387311]  RSP \u003cffff880147c039b0\u003e\n[22766.387142]  ffffffffa16ab120\n[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---\n[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt\n\nIt appears from his analysis and some staring at the code that this is likely\noccuring because an association is getting freed while still on the\nsctp_assoc_hashtable.  As a result, we get a gpf when traversing the hashtable\nwhile a freed node corrupts part of the list.\n\nNominally I would think that an mibalanced refcount was responsible for this,\nbut I can\u0027t seem to find any obvious imbalance.  What I did note however was\nthat the two places where we create an association using\nsctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths\nwhich free a newly created association after calling sctp_primitive_ASSOCIATE.\nsctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which\nissues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to\nthe aforementioned hash table.  the sctp command interpreter that process side\neffects has not way to unwind previously processed commands, so freeing the\nassociation from the __sctp_connect or sctp_sendmsg error path would lead to a\nfreed association remaining on this hash table.\n\nI\u0027ve fixed this but modifying sctp_[un]hash_established to use hlist_del_init,\nwhich allows us to proerly use hlist_unhashed to check if the node is on a\nhashlist safely during a delete.  That in turn alows us to safely call\nsctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths\nbefore freeing them, regardles of what the associations state is on the hash\nlist.\n\nI noted, while I was doing this, that the __sctp_unhash_endpoint was using\nhlist_unhsashed in a simmilar fashion, but never nullified any removed nodes\npointers to make that function work properly, so I fixed that up in a simmilar\nfashion.\n\nI attempted to test this using a virtual guest running the SCTP_RR test from\nnetperf in a loop while running the trinity fuzzer, both in a loop.  I wasn\u0027t\nable to recreate the problem prior to this fix, nor was I able to trigger the\nfailure after (neither of which I suppose is suprising).  Given the trace above\nhowever, I think its likely that this is what we hit.\n\nSigned-off-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nReported-by: davej@redhat.com\nCC: davej@redhat.com\nCC: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCC: Vlad Yasevich \u003cvyasevich@gmail.com\u003e\nCC: Sridhar Samudrala \u003csri@us.ibm.com\u003e\nCC: linux-sctp@vger.kernel.org\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "d5eeca5f5c19c472f8f221a81bb27f15a7aeed6c",
      "tree": "4812210a3233ee1532376ffb3fc88191e94faa98",
      "parents": [
        "af8ca6ddbb2928d5fb26f0a78710971e1210a299"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@linux.intel.com",
        "time": "Thu Jul 12 03:39:11 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:42 2012 -0700"
      },
      "message": "sch_sfb: Fix missing NULL check\n\n[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ]\n\nResolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id\u003d44461\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nAcked-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "a5b4b62d8517f12c77f912b8c249e36019d31a0c",
      "tree": "21a1b8386a690f0544ce2895f4f45f6b303dc33c",
      "parents": [
        "d680c0462d9f4d96b255853364fb0bcd5c202553"
      ],
      "author": {
        "name": "Amir Hanania",
        "email": "amir.hanania@intel.com",
        "time": "Mon Jul 09 20:47:19 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:41 2012 -0700"
      },
      "message": "net: Fix memory leak - vlan_info struct\n\n[ Upstream commit efc73f4bbc238d4f579fb612c04c8e1dd8a82979 ]\n\nIn driver reload test there is a memory leak.\nThe structure vlan_info was not freed when the driver was removed.\nIt was not released since the nr_vids var is one after last vlan was removed.\nThe nr_vids is one, since vlan zero is added to the interface when the interface\nis being set, but the vlan zero is not deleted at unregister.\nFix - delete vlan zero when we unregister the device.\n\nSigned-off-by: Amir Hanania \u003camir.hanania@intel.com\u003e\nAcked-by: John Fastabend \u003cjohn.r.fastabend@intel.com\u003e\nTested-by: Aaron Brown \u003caaron.f.brown@intel.com\u003e\nSigned-off-by: Jeff Kirsher \u003cjeffrey.t.kirsher@intel.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "f7a47ee34686694148f6d34a4576385853c5e33f",
      "tree": "543b6be306465338ca6a7bfa60a643c84da7b937",
      "parents": [
        "aa505bba77961634215eb8bdd8ab9f4bd0c6f1d1"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Jul 03 20:55:21 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:41 2012 -0700"
      },
      "message": "netem: add limitation to reordered packets\n\n[ Upstream commit 960fb66e520a405dde39ff883f17ff2669c13d85 ]\n\nFix two netem bugs :\n\n1) When a frame was dropped by tfifo_enqueue(), drop counter\n   was incremented twice.\n\n2) When reordering is triggered, we enqueue a packet without\n   checking queue limit. This can OOM pretty fast when this\n   is repeated enough, since skbs are orphaned, no socket limit\n   can help in this situation.\n\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Mark Gordon \u003cmsg@google.com\u003e\nCc: Andreas Terzis \u003caterzis@google.com\u003e\nCc: Yuchung Cheng \u003cycheng@google.com\u003e\nCc: Hagen Paul Pfeifer \u003chagen@jauu.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "032da6abbc34272959c790941ce8705337061dbf",
      "tree": "f55aa206bf8cd63cd9348dc0758e0a31ff15e4dd",
      "parents": [
        "f0f5dcc0020b78983061a2a674491f4eaa03e386"
      ],
      "author": {
        "name": "Jeff Layton",
        "email": "jlayton@redhat.com",
        "time": "Mon Jul 23 13:58:51 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:40 2012 -0700"
      },
      "message": "nfs: skip commit in releasepage if we\u0027re freeing memory for fs-related reasons\n\ncommit 5cf02d09b50b1ee1c2d536c9cf64af5a7d433f56 upstream.\n\nWe\u0027ve had some reports of a deadlock where rpciod ends up with a stack\ntrace like this:\n\n    PID: 2507   TASK: ffff88103691ab40  CPU: 14  COMMAND: \"rpciod/14\"\n     #0 [ffff8810343bf2f0] schedule at ffffffff814dabd9\n     #1 [ffff8810343bf3b8] nfs_wait_bit_killable at ffffffffa038fc04 [nfs]\n     #2 [ffff8810343bf3c8] __wait_on_bit at ffffffff814dbc2f\n     #3 [ffff8810343bf418] out_of_line_wait_on_bit at ffffffff814dbcd8\n     #4 [ffff8810343bf488] nfs_commit_inode at ffffffffa039e0c1 [nfs]\n     #5 [ffff8810343bf4f8] nfs_release_page at ffffffffa038bef6 [nfs]\n     #6 [ffff8810343bf528] try_to_release_page at ffffffff8110c670\n     #7 [ffff8810343bf538] shrink_page_list.clone.0 at ffffffff81126271\n     #8 [ffff8810343bf668] shrink_inactive_list at ffffffff81126638\n     #9 [ffff8810343bf818] shrink_zone at ffffffff8112788f\n    #10 [ffff8810343bf8c8] do_try_to_free_pages at ffffffff81127b1e\n    #11 [ffff8810343bf958] try_to_free_pages at ffffffff8112812f\n    #12 [ffff8810343bfa08] __alloc_pages_nodemask at ffffffff8111fdad\n    #13 [ffff8810343bfb28] kmem_getpages at ffffffff81159942\n    #14 [ffff8810343bfb58] fallback_alloc at ffffffff8115a55a\n    #15 [ffff8810343bfbd8] ____cache_alloc_node at ffffffff8115a2d9\n    #16 [ffff8810343bfc38] kmem_cache_alloc at ffffffff8115b09b\n    #17 [ffff8810343bfc78] sk_prot_alloc at ffffffff81411808\n    #18 [ffff8810343bfcb8] sk_alloc at ffffffff8141197c\n    #19 [ffff8810343bfce8] inet_create at ffffffff81483ba6\n    #20 [ffff8810343bfd38] __sock_create at ffffffff8140b4a7\n    #21 [ffff8810343bfd98] xs_create_sock at ffffffffa01f649b [sunrpc]\n    #22 [ffff8810343bfdd8] xs_tcp_setup_socket at ffffffffa01f6965 [sunrpc]\n    #23 [ffff8810343bfe38] worker_thread at ffffffff810887d0\n    #24 [ffff8810343bfee8] kthread at ffffffff8108dd96\n    #25 [ffff8810343bff48] kernel_thread at ffffffff8100c1ca\n\nrpciod is trying to allocate memory for a new socket to talk to the\nserver. The VM ends up calling -\u003ereleasepage to get more memory, and it\ntries to do a blocking commit. That commit can\u0027t succeed however without\na connected socket, so we deadlock.\n\nFix this by setting PF_FSTRANS on the workqueue task prior to doing the\nsocket allocation, and having nfs_release_page check for that flag when\ndeciding whether to do a commit call. Also, set PF_FSTRANS\nunconditionally in rpc_async_schedule since that function can also do\nallocations sometimes.\n\nSigned-off-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "79746484cab1dede1480580efe9edde68de06770",
      "tree": "88fc5ecfd54d8e1e595bd971e33f2f5b662ef51e",
      "parents": [
        "20855fe2097ccfde927c6997101ae35340f1d278"
      ],
      "author": {
        "name": "Eliad Peller",
        "email": "eliad@wizery.com",
        "time": "Sun May 13 18:07:04 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:30 2012 -0700"
      },
      "message": "mac80211: fail authentication when AP denied authentication\n\ncommit dac211ec10d268b9d09000093a9fa2ac1773894f upstream.\n\nieee80211_rx_mgmt_auth() doesn\u0027t handle denied authentication\nproperly - it authenticates the station and waits for association\n(for 5 seconds) instead of failing the authentication.\n\nFix it by destroying auth_data and bailing out instead.\n\nSigned-off-by: Eliad Peller \u003celiad@wizery.com\u003e\nAcked-by: Johannes Berg \u003cjohannes@sipsolutions.net\u003e\nSigned-off-by: John W. Linville \u003clinville@tuxdriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "20855fe2097ccfde927c6997101ae35340f1d278",
      "tree": "b185ec5c08472d49f5c96c65c0a4b9d51e41cfc1",
      "parents": [
        "ecbd55f98e07e25d4017077d0a611ce6c766257b"
      ],
      "author": {
        "name": "Mikulas Patocka",
        "email": "mikulas@artax.karlin.mff.cuni.cz",
        "time": "Thu Jul 19 06:13:36 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:30 2012 -0700"
      },
      "message": "tun: fix a crash bug and a memory leak\n\ncommit b09e786bd1dd66418b69348cb110f3a64764626a upstream.\n\nThis patch fixes a crash\ntun_chr_close -\u003e netdev_run_todo -\u003e tun_free_netdev -\u003e sk_release_kernel -\u003e\nsock_release -\u003e iput(SOCK_INODE(sock))\nintroduced by commit 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d\n\nThe problem is that this socket is embedded in struct tun_struct, it has\nno inode, iput is called on invalid inode, which modifies invalid memory\nand optionally causes a crash.\n\nsock_release also decrements sockets_in_use, this causes a bug that\n\"sockets: used\" field in /proc/*/net/sockstat keeps on decreasing when\ncreating and closing tun devices.\n\nThis patch introduces a flag SOCK_EXTERNALLY_ALLOCATED that instructs\nsock_release to not free the inode and not decrement sockets_in_use,\nfixing both memory corruption and sockets_in_use underflow.\n\nIt should be backported to 3.3 an 3.4 stabke.\n\nSigned-off-by: Mikulas Patocka \u003cmikulas@artax.karlin.mff.cuni.cz\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "738c88c1b8ebe16c3ecd1694871474b470275d82",
      "tree": "0304eeede8d31709ea9918b47c450e76fe743fdf",
      "parents": [
        "871d4f5e1d82cf0ad56ae076c8535004e7837416"
      ],
      "author": {
        "name": "Michal Kazior",
        "email": "michal.kazior@tieto.com",
        "time": "Fri Jun 08 10:55:44 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 19 08:58:59 2012 -0700"
      },
      "message": "cfg80211: check iface combinations only when iface is running\n\ncommit f8cdddb8d61d16a156229f0910f7ecfc7a82c003 upstream.\n\nDon\u0027t validate interface combinations on a stopped\ninterface. Otherwise we might end up being able to\ncreate a new interface with a certain type, but\nwon\u0027t be able to change an existing interface\ninto that type.\n\nThis also skips some other functions when\ninterface is stopped and changing interface type.\n\nSigned-off-by: Michal Kazior \u003cmichal.kazior@tieto.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n[Fixes regression introduced by cherry pick of 463454b5dbd8]\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\n\n"
    },
    {
      "commit": "3cf16f7e388934d4458d0d6cebdf752e4424f226",
      "tree": "39ab80a575f7ad735c01cc6806fe9ead84034d34",
      "parents": [
        "c8ed7cf355f41b649524029c49f101d878499482"
      ],
      "author": {
        "name": "Eliad Peller",
        "email": "eliad@wizery.com",
        "time": "Mon Jul 02 14:42:03 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 19 08:58:57 2012 -0700"
      },
      "message": "mac80211: destroy assoc_data correctly if assoc fails\n\ncommit 10a9109f2705fdc3caa94d768b2559587a9a050c upstream.\n\nIf association failed due to internal error (e.g. no\nsupported rates IE), we call ieee80211_destroy_assoc_data()\nwith assoc\u003dtrue, while we actually reject the association.\n\nThis results in the BSSID not being zeroed out.\n\nAfter passing assoc\u003dfalse, we no longer have to call\nsta_info_destroy_addr() explicitly. While on it, move\nthe \"associated\" message after the assoc_success check.\n\nSigned-off-by: Eliad Peller \u003celiad@wizery.com\u003e\nReviewed-by: Johannes Berg \u003cjohannes@sipsolutions.net\u003e\nSigned-off-by: John W. Linville \u003clinville@tuxdriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2c07f25ea7800adb36cd8da9b58c4ecd3fc3d064",
      "tree": "b312e3b679b544de20569f8e31dd1469e8a72be1",
      "parents": [
        "5318edefb61eddf91d4c4a089644fcee3ccfda62"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Jun 12 15:24:40 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:42 2012 -0700"
      },
      "message": "splice: fix racy pipe-\u003ebuffers uses\n\ncommit 047fe3605235888f3ebcda0c728cb31937eadfe6 upstream.\n\nDave Jones reported a kernel BUG at mm/slub.c:3474! triggered\nby splice_shrink_spd() called from vmsplice_to_pipe()\n\ncommit 35f3d14dbbc5 (pipe: add support for shrinking and growing pipes)\nadded capability to adjust pipe-\u003ebuffers.\n\nProblem is some paths don\u0027t hold pipe mutex and assume pipe-\u003ebuffers\ndoesn\u0027t change for their duration.\n\nFix this by adding nr_pages_max field in struct splice_pipe_desc, and\nuse it in place of pipe-\u003ebuffers where appropriate.\n\nsplice_shrink_spd() loses its struct pipe_inode_info argument.\n\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: Alexander Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Tom Herbert \u003ctherbert@google.com\u003e\nTested-by: Dave Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: Jens Axboe \u003caxboe@kernel.dk\u003e\n[bwh: Backported to 3.2:\n - Adjust context in vmsplice_to_pipe()\n - Update one more call to splice_shrink_spd(), from skb_splice_bits()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "bf2370ff886b0059f574d78c7dfc9c1cb6fd38e0",
      "tree": "bf03c36857ac7529a4caadbe4e5f1c23fb97ff10",
      "parents": [
        "f183282bb88ffa944449cf3a24a649c754d9e7af"
      ],
      "author": {
        "name": "Johannes Berg",
        "email": "johannes.berg@intel.com",
        "time": "Wed Jun 27 18:11:56 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:40 2012 -0700"
      },
      "message": "mac80211: fix queues stuck issue with HT bandwidth change\n\nNo upstream commit, the buggy code was removed in 3.5 in commit\n7213cf2cb0dfbb4d6b55a1da000d34338f76c0e3 and others.\n\nRajkumar changed code for handling channel switching in\nmac80211 to stop the queues in\n\n  commit 7cc44ed48d0ec0937c1f098642540b6c9ca38de5\n  Author: Rajkumar Manoharan \u003crmanohar@qca.qualcomm.com\u003e\n  Date:   Fri Sep 16 15:32:34 2011 +0530\n\n      mac80211: Fix regression on queue stop during 2040 bss change\n\nwhich went into 3.2. In the 3.4 cycle, Paul\u0027s change\n\n  commit 3117bbdb7899d43927c8ce4fe885ab7c1231c121\n  Author: Paul Stewart \u003cpstew@chromium.org\u003e\n  Date:   Tue Mar 13 07:46:18 2012 -0700\n\n      mac80211: Don\u0027t let regulatory make us deaf\n\nwent in and changed the TX/RX enable logic, but now\nthe conditions for stopping and restarting the queues\nwere different so that now, if the AP changes between\n20/40 MHz bandwidth, it can happen that we stop but\nnever restart the queues. This breaks the connection\nand the module actually has to be reloaded to get it\nback to work.\n\nFix this by making sure the queues are always started\nwhen they were stopped.\n\nReported-by: Florian Manschwetus \u003cmanschwetus@googlemail.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "ee92389156c2cdb45b94866186a4174858b820cd",
      "tree": "ce025a20a1c679a511d174df4a0818f8146cbf0a",
      "parents": [
        "10762419cafd82a9a3a6f68bef54c29f1af75842"
      ],
      "author": {
        "name": "Stanislav Kinsbursky",
        "email": "skinsbursky@parallels.com",
        "time": "Mon Jun 25 16:40:09 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:39 2012 -0700"
      },
      "message": "SUNRPC: move per-net operations from svc_destroy()\n\nupstream commit 786185b5f8abefa6a8a16695bb4a59c164d5a071.\n\nThe idea is to separate service destruction and per-net operations,\nbecause these are two different things and the mix looks ugly.\n\nNotes:\n\n1) For NFS server this patch looks ugly (sorry for that). But these\nplace will be rewritten soon during NFSd containerization.\n\n2) LockD per-net counter increase int lockd_up() was moved prior to\nmake_socks() to make lockd_down_net() call safe in case of error.\n\nSigned-off-by: Stanislav Kinsbursky \u003cskinsbursky@parallels.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "10762419cafd82a9a3a6f68bef54c29f1af75842",
      "tree": "45e0a1689e4ffa4c94fc09c9c72d454fab1e6639",
      "parents": [
        "0bbc9d1b4b011e83ba65852b1d652561c7f562f1"
      ],
      "author": {
        "name": "Stanislav Kinsbursky",
        "email": "skinsbursky@parallels.com",
        "time": "Mon Jun 25 16:40:08 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:39 2012 -0700"
      },
      "message": "SUNRPC: new svc_bind() routine introduced\n\nupstream commit 9793f7c88937e7ac07305ab1af1a519225836823.\n\nThis new routine is responsible for service registration in a specified\nnetwork context.\n\nThe idea is to separate service creation from per-net operations.\n\nNote also: since registering service with svc_bind() can fail, the\nservice will be destroyed and during destruction it will try to\nunregister itself from rpcbind. In this case unregistration has to be\nskipped.\n\nSigned-off-by: Stanislav Kinsbursky \u003cskinsbursky@parallels.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "cec8fdaf9656e82c599729595baae99c2c2a78b7",
      "tree": "bd0231de3e0bb02e8218ca7560f1724cc06018bd",
      "parents": [
        "576f080b901d7258874a4632850ad94fc296911f"
      ],
      "author": {
        "name": "Johannes Berg",
        "email": "johannes.berg@intel.com",
        "time": "Wed Jun 27 15:38:56 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:23 2012 -0700"
      },
      "message": "mac80211: correct behaviour on unrecognised action frames\n\ncommit 4b5ebccc40843104d980f0714bc86bfcd5568941 upstream.\n\nWhen receiving an \"individually addressed\" action frame, the\nreceiver is required to return it to the sender. mac80211\ngets this wrong as it also returns group addressed (mcast)\nframes to the sender. Fix this and update the reference to\nthe new 802.11 standards version since things were shuffled\naround significantly.\n\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: John W. Linville \u003clinville@tuxdriver.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "576f080b901d7258874a4632850ad94fc296911f",
      "tree": "0f11c6ee0315f53f1063477b460a0bdc2f77c826",
      "parents": [
        "8359e058c9677f0459760f3610161bc2cfcd930f"
      ],
      "author": {
        "name": "Eliad Peller",
        "email": "eliad@wizery.com",
        "time": "Fri Jun 01 11:14:03 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:22 2012 -0700"
      },
      "message": "mac80211: clear ifmgd-\u003ebssid only after building DELBA\n\ncommit 88a9e31c506c00c8b7a2f1611406d0e38dcb33b3 upstream.\n\nieee80211_set_disassoc() clears ifmgd-\u003ebssid before\nbuilding DELBA frames, resulting in frames with invalid\nbssid (\"00:00:00:00:00:00\").\n\nFix it by clearing ifmgd-\u003ebssid only after building\nall the needed frames.\n\nAfter this change, we no longer need to save the\nbssid (before clearing it), so remove the local array.\n\nReported-by: Ido Yariv \u003cido@wizery.com\u003e\nSigned-off-by: Eliad Peller \u003celiad@wizery.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "0c290a35a401ba4f608cb9cc669645a3b07498e2",
      "tree": "365b3057e5a853b14c17e54f169d895a51a09b5c",
      "parents": [
        "a7faba5c5263f9d8a31b3f542a0504552fa80932"
      ],
      "author": {
        "name": "Marek Lindner",
        "email": "lindner_marek@yahoo.de",
        "time": "Wed Jun 20 17:16:05 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:11 2012 -0700"
      },
      "message": "batman-adv: only drop packets of known wifi clients\n\ncommit 5870adc68fc39d81089f1e80efdf64b97e5c37a1 upstream.\n\nbug introduced with 59b699cdee039d75915c354da06937102d1f9a84\n\nIf the source or destination mac address of an ethernet packet\ncould not be found in the translation table the packet was\ndropped if AP isolation was turned on. This behavior would\nmake it impossible to send broadcast packets over the mesh as\nthe broadcast address will never enter the translation table.\n\nSigned-off-by: Marek Lindner \u003clindner_marek@yahoo.de\u003e\nAcked-by: Antonio Quartulli \u003cordex@autistici.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a7faba5c5263f9d8a31b3f542a0504552fa80932",
      "tree": "614201eeddf946308faffefa896db58f68c000b1",
      "parents": [
        "0d84f6e5ba73f0b2ef3af8e5c1f96b8ab8ecff6f"
      ],
      "author": {
        "name": "Antonio Quartulli",
        "email": "ordex@autistici.org",
        "time": "Tue Jun 19 09:26:39 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:11 2012 -0700"
      },
      "message": "batman-adv: fix skb-\u003edata assignment\n\ncommit 2c995ff892313009e336ecc8ec3411022f5b1c39 upstream.\n\nskb_linearize(skb) possibly rearranges the skb internal data and then changes\nthe skb-\u003edata pointer value. For this reason any other pointer in the code that\nwas assigned skb-\u003edata before invoking skb_linearise(skb) must be re-assigned.\n\nIn the current tt_query message handling code this is not done and therefore, in\ncase of skb linearization, the pointer used to handle the packet header ends up\nin pointing to free\u0027d memory.\n\nThis bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7\n(batman-adv: improved client announcement mechanism)\n\nSigned-off-by: Antonio Quartulli \u003cordex@autistici.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "0d84f6e5ba73f0b2ef3af8e5c1f96b8ab8ecff6f",
      "tree": "c945d549e0b79c524df7c0f4da067986f6a2fc26",
      "parents": [
        "5a851e1314972efe28723b15b57ff645cb818003"
      ],
      "author": {
        "name": "Eliad Peller",
        "email": "eliad@wizery.com",
        "time": "Tue Jun 12 12:53:13 2012 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:04:11 2012 -0700"
      },
      "message": "cfg80211: fix potential deadlock in regulatory\n\ncommit fe20b39ec32e975f1054c0b7866c873a954adf05 upstream.\n\nreg_timeout_work() calls restore_regulatory_settings() which\ntakes cfg80211_mutex.\n\nreg_set_request_processed() already holds cfg80211_mutex\nbefore calling cancel_delayed_work_sync(reg_timeout),\nso it might deadlock.\n\nCall the async cancel_delayed_work instead, in order\nto avoid the potential deadlock.\n\nThis is the relevant lockdep warning:\n\ncfg80211: Calling CRDA for country: XX\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: possible circular locking dependency detected ]\n3.4.0-rc5-wl+ #26 Not tainted\n-------------------------------------------------------\nkworker/0:2/1391 is trying to acquire lock:\n (cfg80211_mutex){+.+.+.}, at: [\u003cbf28ae00\u003e] restore_regulatory_settings+0x34/0x418 [cfg80211]\n\nbut task is already holding lock:\n ((reg_timeout).work){+.+...}, at: [\u003cc0059e94\u003e] process_one_work+0x1f0/0x480\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 ((reg_timeout).work){+.+...}:\n       [\u003cc008fd44\u003e] validate_chain+0xb94/0x10f0\n       [\u003cc0090b68\u003e] __lock_acquire+0x8c8/0x9b0\n       [\u003cc0090d40\u003e] lock_acquire+0xf0/0x114\n       [\u003cc005b600\u003e] wait_on_work+0x4c/0x154\n       [\u003cc005c000\u003e] __cancel_work_timer+0xd4/0x11c\n       [\u003cc005c064\u003e] cancel_delayed_work_sync+0x1c/0x20\n       [\u003cbf28b274\u003e] reg_set_request_processed+0x50/0x78 [cfg80211]\n       [\u003cbf28bd84\u003e] set_regdom+0x550/0x600 [cfg80211]\n       [\u003cbf294cd8\u003e] nl80211_set_reg+0x218/0x258 [cfg80211]\n       [\u003cc03c7738\u003e] genl_rcv_msg+0x1a8/0x1e8\n       [\u003cc03c6a00\u003e] netlink_rcv_skb+0x5c/0xc0\n       [\u003cc03c7584\u003e] genl_rcv+0x28/0x34\n       [\u003cc03c6720\u003e] netlink_unicast+0x15c/0x228\n       [\u003cc03c6c7c\u003e] netlink_sendmsg+0x218/0x298\n       [\u003cc03933c8\u003e] sock_sendmsg+0xa4/0xc0\n       [\u003cc039406c\u003e] __sys_sendmsg+0x1e4/0x268\n       [\u003cc0394228\u003e] sys_sendmsg+0x4c/0x70\n       [\u003cc0013840\u003e] ret_fast_syscall+0x0/0x3c\n\n-\u003e #1 (reg_mutex){+.+.+.}:\n       [\u003cc008fd44\u003e] validate_chain+0xb94/0x10f0\n       [\u003cc0090b68\u003e] __lock_acquire+0x8c8/0x9b0\n       [\u003cc0090d40\u003e] lock_acquire+0xf0/0x114\n       [\u003cc04734dc\u003e] mutex_lock_nested+0x48/0x320\n       [\u003cbf28b2cc\u003e] reg_todo+0x30/0x538 [cfg80211]\n       [\u003cc0059f44\u003e] process_one_work+0x2a0/0x480\n       [\u003cc005a4b4\u003e] worker_thread+0x1bc/0x2bc\n       [\u003cc0061148\u003e] kthread+0x98/0xa4\n       [\u003cc0014af4\u003e] kernel_thread_exit+0x0/0x8\n\n-\u003e #0 (cfg80211_mutex){+.+.+.}:\n       [\u003cc008ed58\u003e] print_circular_bug+0x68/0x2cc\n       [\u003cc008fb28\u003e] validate_chain+0x978/0x10f0\n       [\u003cc0090b68\u003e] __lock_acquire+0x8c8/0x9b0\n       [\u003cc0090d40\u003e] lock_acquire+0xf0/0x114\n       [\u003cc04734dc\u003e] mutex_lock_nested+0x48/0x320\n       [\u003cbf28ae00\u003e] restore_regulatory_settings+0x34/0x418 [cfg80211]\n       [\u003cbf28b200\u003e] reg_timeout_work+0x1c/0x20 [cfg80211]\n       [\u003cc0059f44\u003e] process_one_work+0x2a0/0x480\n       [\u003cc005a4b4\u003e] worker_thread+0x1bc/0x2bc\n       [\u003cc0061148\u003e] kthread+0x98/0xa4\n       [\u003cc0014af4\u003e] kernel_thread_exit+0x0/0x8\n\nother info that might help us debug this:\n\nChain exists of:\n  cfg80211_mutex --\u003e reg_mutex --\u003e (reg_timeout).work\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock((reg_timeout).work);\n                               lock(reg_mutex);\n                               lock((reg_timeout).work);\n  lock(cfg80211_mutex);\n\n *** DEADLOCK ***\n\n2 locks held by kworker/0:2/1391:\n #0:  (events){.+.+.+}, at: [\u003cc0059e94\u003e] process_one_work+0x1f0/0x480\n #1:  ((reg_timeout).work){+.+...}, at: [\u003cc0059e94\u003e] process_one_work+0x1f0/0x480\n\nstack backtrace:\n[\u003cc001b928\u003e] (unwind_backtrace+0x0/0x12c) from [\u003cc0471d3c\u003e] (dump_stack+0x20/0x24)\n[\u003cc0471d3c\u003e] (dump_stack+0x20/0x24) from [\u003cc008ef70\u003e] (print_circular_bug+0x280/0x2cc)\n[\u003cc008ef70\u003e] (print_circular_bug+0x280/0x2cc) from [\u003cc008fb28\u003e] (validate_chain+0x978/0x10f0)\n[\u003cc008fb28\u003e] (validate_chain+0x978/0x10f0) from [\u003cc0090b68\u003e] (__lock_acquire+0x8c8/0x9b0)\n[\u003cc0090b68\u003e] (__lock_acquire+0x8c8/0x9b0) from [\u003cc0090d40\u003e] (lock_acquire+0xf0/0x114)\n[\u003cc0090d40\u003e] (lock_acquire+0xf0/0x114) from [\u003cc04734dc\u003e] (mutex_lock_nested+0x48/0x320)\n[\u003cc04734dc\u003e] (mutex_lock_nested+0x48/0x320) from [\u003cbf28ae00\u003e] (restore_regulatory_settings+0x34/0x418 [cfg80211])\n[\u003cbf28ae00\u003e] (restore_regulatory_settings+0x34/0x418 [cfg80211]) from [\u003cbf28b200\u003e] (reg_timeout_work+0x1c/0x20 [cfg80211])\n[\u003cbf28b200\u003e] (reg_timeout_work+0x1c/0x20 [cfg80211]) from [\u003cc0059f44\u003e] (process_one_work+0x2a0/0x480)\n[\u003cc0059f44\u003e] (process_one_work+0x2a0/0x480) from [\u003cc005a4b4\u003e] (worker_thread+0x1bc/0x2bc)\n[\u003cc005a4b4\u003e] (worker_thread+0x1bc/0x2bc) from [\u003cc0061148\u003e] (kthread+0x98/0xa4)\n[\u003cc0061148\u003e] (kthread+0x98/0xa4) from [\u003cc0014af4\u003e] (kernel_thread_exit+0x0/0x8)\ncfg80211: Calling CRDA to update world regulatory domain\ncfg80211: World regulatory domain updated:\ncfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)\ncfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)\ncfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)\ncfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)\ncfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)\ncfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)\n\nSigned-off-by: Eliad Peller \u003celiad@wizery.com\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "6ee6b4d65c65a006b54b2f8f0aee405b1e01e2b2",
      "tree": "167d469491ff63058ab3e1f2274eb1318828ae2f",
      "parents": [
        "ee0b2dd6344911d7769f9fd638d30f45e66b8410"
      ],
      "author": {
        "name": "Dan Rosenberg",
        "email": "dan.j.rosenberg@gmail.com",
        "time": "Mon Jun 25 16:05:27 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:03:50 2012 -0700"
      },
      "message": "NFC: Prevent multiple buffer overflows in NCI\n\ncommit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.\n\nFix multiple remotely-exploitable stack-based buffer overflows due to\nthe NCI code pulling length fields directly from incoming frames and\ncopying too much data into statically-sized arrays.\n\nSigned-off-by: Dan Rosenberg \u003cdan.j.rosenberg@gmail.com\u003e\nCc: security@kernel.org\nCc: Lauro Ramos Venancio \u003clauro.venancio@openbossa.org\u003e\nCc: Aloisio Almeida Jr \u003caloisio.almeida@openbossa.org\u003e\nCc: Samuel Ortiz \u003csameo@linux.intel.com\u003e\nCc: David S. Miller \u003cdavem@davemloft.net\u003e\nAcked-by: Ilan Elias \u003cilane@ti.com\u003e\nSigned-off-by: Samuel Ortiz \u003csameo@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ee0b2dd6344911d7769f9fd638d30f45e66b8410",
      "tree": "6bedde6f74c49420630009583e468ea0af2d761f",
      "parents": [
        "dd3ce2fa647d42d524392d5e6a0647061fc64c67"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Jun 12 00:47:58 2012 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:03:50 2012 -0700"
      },
      "message": "NFC: Return from rawsock_release when sk is NULL\n\ncommit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream.\n\nSasha Levin reported following panic :\n\n[ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at\n00000000000003b0\n[ 2136.384022] IP: [\u003cffffffff8114e400\u003e] __lock_acquire+0xc0/0x4b0\n[ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0\n[ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC\n[ 2136.388106] CPU 1\n[ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G        W\n3.5.0-rc2-sasha-00015-g7b268f7 #374\n[ 2136.388106] RIP: 0010:[\u003cffffffff8114e400\u003e]  [\u003cffffffff8114e400\u003e]\n__lock_acquire+0xc0/0x4b0\n[ 2136.388106] RSP: 0018:ffff8800130b3ca8  EFLAGS: 00010046\n[ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:\n0000000000000000\n[ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:\n0000000000000000\n[ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:\n0000000000000000\n[ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:\n0000000000000002\n[ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:\n0000000000000000\n[ 2136.388106] FS:  00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)\nknlGS:0000000000000000\n[ 2136.388106] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:\n00000000000406e0\n[ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:\n0000000000000400\n[ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo\nffff8800130b2000, task ffff88001186b000)\n[ 2136.388106] Stack:\n[ 2136.388106]  ffff8800130b3cd8 ffffffff81121785 ffffffff81236774\n000080d000000001\n[ 2136.388106]  ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08\nffff88001186b000\n[ 2136.388106]  0000000000000000 0000000000000002 0000000000000000\n0000000000000000\n[ 2136.388106] Call Trace:\n[ 2136.388106]  [\u003cffffffff81121785\u003e] ? sched_clock_local+0x25/0x90\n[ 2136.388106]  [\u003cffffffff81236774\u003e] ? get_empty_filp+0x74/0x220\n[ 2136.388106]  [\u003cffffffff8114e97a\u003e] lock_acquire+0x18a/0x1e0\n[ 2136.388106]  [\u003cffffffff836b37df\u003e] ? rawsock_release+0x4f/0xa0\n[ 2136.388106]  [\u003cffffffff837c0ef0\u003e] _raw_write_lock_bh+0x40/0x80\n[ 2136.388106]  [\u003cffffffff836b37df\u003e] ? rawsock_release+0x4f/0xa0\n[ 2136.388106]  [\u003cffffffff836b37df\u003e] rawsock_release+0x4f/0xa0\n[ 2136.388106]  [\u003cffffffff8321cfe8\u003e] sock_release+0x18/0x70\n[ 2136.388106]  [\u003cffffffff8321d069\u003e] sock_close+0x29/0x30\n[ 2136.388106]  [\u003cffffffff81236bca\u003e] __fput+0x11a/0x2c0\n[ 2136.388106]  [\u003cffffffff81236d85\u003e] fput+0x15/0x20\n[ 2136.388106]  [\u003cffffffff8321de34\u003e] sys_accept4+0x1b4/0x200\n[ 2136.388106]  [\u003cffffffff837c165c\u003e] ? _raw_spin_unlock_irq+0x4c/0x80\n[ 2136.388106]  [\u003cffffffff837c1669\u003e] ? _raw_spin_unlock_irq+0x59/0x80\n[ 2136.388106]  [\u003cffffffff837c2565\u003e] ? sysret_check+0x22/0x5d\n[ 2136.388106]  [\u003cffffffff8321de8b\u003e] sys_accept+0xb/0x10\n[ 2136.388106]  [\u003cffffffff837c2539\u003e] system_call_fastpath+0x16/0x1b\n[ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7\n8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00\n00 00 \u003c49\u003e 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77\n[ 2136.388106] RIP  [\u003cffffffff8114e400\u003e] __lock_acquire+0xc0/0x4b0\n[ 2136.388106]  RSP \u003cffff8800130b3ca8\u003e\n[ 2136.388106] CR2: 00000000000003b0\n[ 2136.388106] ---[ end trace 6d450e935ee18982 ]---\n[ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt\n\nrawsock_release() should test if sock-\u003esk is NULL before calling\nsock_orphan()/sock_put()\n\nReported-by: Sasha Levin \u003clevinsasha928@gmail.com\u003e\nTested-by: Sasha Levin \u003clevinsasha928@gmail.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Samuel Ortiz \u003csameo@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "f7153a449ce35459169a790ba6cce8830c116894",
      "tree": "e6d60134ea15b02d6dbb08a77f4f7eda2a1384e4",
      "parents": [
        "993772c70fda9d05299fc3a8ed9d1cba268870f1"
      ],
      "author": {
        "name": "stephen hemminger",
        "email": "shemminger@vyatta.com",
        "time": "Tue Jun 26 05:48:45 2012 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 16 09:03:49 2012 -0700"
      },
      "message": "bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2)\n\n[ Upstream commit 149ddd83a92b02c658d6c61f3276eb6500d585e8 ]\n\nThis ensures that bridges created with brctl(8) or ioctl(2) directly\nalso carry IFLA_LINKINFO when dumped over netlink. This also allows\nto create a bridge with ioctl(2) and delete it with RTM_DELLINK.\n\nSigned-off-by: Thomas Graf \u003ctgraf@suug.ch\u003e\nSigned-off-by: Stephen Hemminger \u003cshemminger@vyatta.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    }
  ],
  "next": "993772c70fda9d05299fc3a8ed9d1cba268870f1"
}
