--- /dev/null
+From a8b98aa575d6e75fabacfa68134081db49af5b25 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Fri, 8 Feb 2013 00:19:11 +0000
+Subject: atm/iphase: rename fregt_t -> ffreg_t
+
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+[ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ]
+
+We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
+iphase atm device driver, which causes the compile error below.
+Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
+nor can I change the include order in s390 code to avoid the conflict.
+
+So simply rename the iphase typedef to a new name. Fixes this compile error:
+
+In file included from drivers/atm/iphase.c:66:0:
+drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
+In file included from next/arch/s390/include/asm/ptrace.h:9:0,
+ from next/arch/s390/include/asm/lowcore.h:12,
+ from next/arch/s390/include/asm/thread_info.h:30,
+ from include/linux/thread_info.h:54,
+ from include/linux/preempt.h:9,
+ from include/linux/spinlock.h:50,
+ from include/linux/seqlock.h:29,
+ from include/linux/time.h:5,
+ from include/linux/stat.h:18,
+ from include/linux/module.h:10,
+ from drivers/atm/iphase.c:43:
+next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/iphase.h | 146 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+--- a/drivers/atm/iphase.h
++++ b/drivers/atm/iphase.h
+@@ -636,82 +636,82 @@ struct rx_buf_desc {
+ #define SEG_BASE IPHASE5575_FRAG_CONTROL_REG_BASE
+ #define REASS_BASE IPHASE5575_REASS_CONTROL_REG_BASE
+
+-typedef volatile u_int freg_t;
++typedef volatile u_int ffreg_t;
+ typedef u_int rreg_t;
+
+ typedef struct _ffredn_t {
+- freg_t idlehead_high; /* Idle cell header (high) */
+- freg_t idlehead_low; /* Idle cell header (low) */
+- freg_t maxrate; /* Maximum rate */
+- freg_t stparms; /* Traffic Management Parameters */
+- freg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
+- freg_t rm_type; /* */
+- u_int filler5[0x17 - 0x06];
+- freg_t cmd_reg; /* Command register */
+- u_int filler18[0x20 - 0x18];
+- freg_t cbr_base; /* CBR Pointer Base */
+- freg_t vbr_base; /* VBR Pointer Base */
+- freg_t abr_base; /* ABR Pointer Base */
+- freg_t ubr_base; /* UBR Pointer Base */
+- u_int filler24;
+- freg_t vbrwq_base; /* VBR Wait Queue Base */
+- freg_t abrwq_base; /* ABR Wait Queue Base */
+- freg_t ubrwq_base; /* UBR Wait Queue Base */
+- freg_t vct_base; /* Main VC Table Base */
+- freg_t vcte_base; /* Extended Main VC Table Base */
+- u_int filler2a[0x2C - 0x2A];
+- freg_t cbr_tab_beg; /* CBR Table Begin */
+- freg_t cbr_tab_end; /* CBR Table End */
+- freg_t cbr_pointer; /* CBR Pointer */
+- u_int filler2f[0x30 - 0x2F];
+- freg_t prq_st_adr; /* Packet Ready Queue Start Address */
+- freg_t prq_ed_adr; /* Packet Ready Queue End Address */
+- freg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
+- freg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
+- freg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
+- freg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
+- freg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
+- freg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
+- u_int filler38[0x40 - 0x38];
+- freg_t queue_base; /* Base address for PRQ and TCQ */
+- freg_t desc_base; /* Base address of descriptor table */
+- u_int filler42[0x45 - 0x42];
+- freg_t mode_reg_0; /* Mode register 0 */
+- freg_t mode_reg_1; /* Mode register 1 */
+- freg_t intr_status_reg;/* Interrupt Status register */
+- freg_t mask_reg; /* Mask Register */
+- freg_t cell_ctr_high1; /* Total cell transfer count (high) */
+- freg_t cell_ctr_lo1; /* Total cell transfer count (low) */
+- freg_t state_reg; /* Status register */
+- u_int filler4c[0x58 - 0x4c];
+- freg_t curr_desc_num; /* Contains the current descriptor num */
+- freg_t next_desc; /* Next descriptor */
+- freg_t next_vc; /* Next VC */
+- u_int filler5b[0x5d - 0x5b];
+- freg_t present_slot_cnt;/* Present slot count */
+- u_int filler5e[0x6a - 0x5e];
+- freg_t new_desc_num; /* New descriptor number */
+- freg_t new_vc; /* New VC */
+- freg_t sched_tbl_ptr; /* Schedule table pointer */
+- freg_t vbrwq_wptr; /* VBR wait queue write pointer */
+- freg_t vbrwq_rptr; /* VBR wait queue read pointer */
+- freg_t abrwq_wptr; /* ABR wait queue write pointer */
+- freg_t abrwq_rptr; /* ABR wait queue read pointer */
+- freg_t ubrwq_wptr; /* UBR wait queue write pointer */
+- freg_t ubrwq_rptr; /* UBR wait queue read pointer */
+- freg_t cbr_vc; /* CBR VC */
+- freg_t vbr_sb_vc; /* VBR SB VC */
+- freg_t abr_sb_vc; /* ABR SB VC */
+- freg_t ubr_sb_vc; /* UBR SB VC */
+- freg_t vbr_next_link; /* VBR next link */
+- freg_t abr_next_link; /* ABR next link */
+- freg_t ubr_next_link; /* UBR next link */
+- u_int filler7a[0x7c-0x7a];
+- freg_t out_rate_head; /* Out of rate head */
+- u_int filler7d[0xca-0x7d]; /* pad out to full address space */
+- freg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
+- freg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
+- u_int fillercc[0x100-0xcc]; /* pad out to full address space */
++ ffreg_t idlehead_high; /* Idle cell header (high) */
++ ffreg_t idlehead_low; /* Idle cell header (low) */
++ ffreg_t maxrate; /* Maximum rate */
++ ffreg_t stparms; /* Traffic Management Parameters */
++ ffreg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
++ ffreg_t rm_type; /* */
++ u_int filler5[0x17 - 0x06];
++ ffreg_t cmd_reg; /* Command register */
++ u_int filler18[0x20 - 0x18];
++ ffreg_t cbr_base; /* CBR Pointer Base */
++ ffreg_t vbr_base; /* VBR Pointer Base */
++ ffreg_t abr_base; /* ABR Pointer Base */
++ ffreg_t ubr_base; /* UBR Pointer Base */
++ u_int filler24;
++ ffreg_t vbrwq_base; /* VBR Wait Queue Base */
++ ffreg_t abrwq_base; /* ABR Wait Queue Base */
++ ffreg_t ubrwq_base; /* UBR Wait Queue Base */
++ ffreg_t vct_base; /* Main VC Table Base */
++ ffreg_t vcte_base; /* Extended Main VC Table Base */
++ u_int filler2a[0x2C - 0x2A];
++ ffreg_t cbr_tab_beg; /* CBR Table Begin */
++ ffreg_t cbr_tab_end; /* CBR Table End */
++ ffreg_t cbr_pointer; /* CBR Pointer */
++ u_int filler2f[0x30 - 0x2F];
++ ffreg_t prq_st_adr; /* Packet Ready Queue Start Address */
++ ffreg_t prq_ed_adr; /* Packet Ready Queue End Address */
++ ffreg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
++ ffreg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
++ ffreg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
++ ffreg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
++ ffreg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
++ ffreg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
++ u_int filler38[0x40 - 0x38];
++ ffreg_t queue_base; /* Base address for PRQ and TCQ */
++ ffreg_t desc_base; /* Base address of descriptor table */
++ u_int filler42[0x45 - 0x42];
++ ffreg_t mode_reg_0; /* Mode register 0 */
++ ffreg_t mode_reg_1; /* Mode register 1 */
++ ffreg_t intr_status_reg;/* Interrupt Status register */
++ ffreg_t mask_reg; /* Mask Register */
++ ffreg_t cell_ctr_high1; /* Total cell transfer count (high) */
++ ffreg_t cell_ctr_lo1; /* Total cell transfer count (low) */
++ ffreg_t state_reg; /* Status register */
++ u_int filler4c[0x58 - 0x4c];
++ ffreg_t curr_desc_num; /* Contains the current descriptor num */
++ ffreg_t next_desc; /* Next descriptor */
++ ffreg_t next_vc; /* Next VC */
++ u_int filler5b[0x5d - 0x5b];
++ ffreg_t present_slot_cnt;/* Present slot count */
++ u_int filler5e[0x6a - 0x5e];
++ ffreg_t new_desc_num; /* New descriptor number */
++ ffreg_t new_vc; /* New VC */
++ ffreg_t sched_tbl_ptr; /* Schedule table pointer */
++ ffreg_t vbrwq_wptr; /* VBR wait queue write pointer */
++ ffreg_t vbrwq_rptr; /* VBR wait queue read pointer */
++ ffreg_t abrwq_wptr; /* ABR wait queue write pointer */
++ ffreg_t abrwq_rptr; /* ABR wait queue read pointer */
++ ffreg_t ubrwq_wptr; /* UBR wait queue write pointer */
++ ffreg_t ubrwq_rptr; /* UBR wait queue read pointer */
++ ffreg_t cbr_vc; /* CBR VC */
++ ffreg_t vbr_sb_vc; /* VBR SB VC */
++ ffreg_t abr_sb_vc; /* ABR SB VC */
++ ffreg_t ubr_sb_vc; /* UBR SB VC */
++ ffreg_t vbr_next_link; /* VBR next link */
++ ffreg_t abr_next_link; /* ABR next link */
++ ffreg_t ubr_next_link; /* UBR next link */
++ u_int filler7a[0x7c-0x7a];
++ ffreg_t out_rate_head; /* Out of rate head */
++ u_int filler7d[0xca-0x7d]; /* pad out to full address space */
++ ffreg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
++ ffreg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
++ u_int fillercc[0x100-0xcc]; /* pad out to full address space */
+ } ffredn_t;
+
+ typedef struct _rfredn_t {
--- /dev/null
+From de09ab7354e878980ef4561420fd217f8f356e41 Mon Sep 17 00:00:00 2001
+From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+Date: Wed, 10 Oct 2012 01:15:01 +0000
+Subject: bridge: Pull ip header into skb->data before looking into ip header.
+
+
+From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+
+[ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ]
+
+If lower layer driver leaves the ip header in the skb fragment, it needs to
+be first pulled into skb->data before inspecting ip header length or ip version
+number.
+
+Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netfilter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -233,6 +233,9 @@ static int br_parse_ip_options(struct sk
+ struct net_device *dev = skb->dev;
+ u32 len;
+
++ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
++ goto inhdr_error;
++
+ iph = ip_hdr(skb);
+ opt = &(IPCB(skb)->opt);
+
--- /dev/null
+From 18c9ecee38027b65bb87357646d1f51346f4752a Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Date: Tue, 29 Jan 2013 22:26:08 +0000
+Subject: ipv6: do not create neighbor entries for local delivery
+
+
+From: Marcelo Ricardo Leitner <mleitner@redhat.com>
+
+[ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ]
+
+They will be created at output, if ever needed. This avoids creating
+empty neighbor entries when TPROXYing/Forwarding packets for addresses
+that are not even directly reachable.
+
+Note that IPv4 already handles it this way. No neighbor entries are
+created for local input.
+
+Tested by myself and customer.
+
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -802,7 +802,8 @@ restart:
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+
+- if (!dst_get_neighbour_raw(&rt->dst) && !(rt->rt6i_flags & RTF_NONEXTHOP))
++ if (!dst_get_neighbour_raw(&rt->dst) &&
++ !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
+ nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
+ else if (!(rt->dst.flags & DST_HOST))
+ nrt = rt6_alloc_clone(rt, &fl6->daddr);
--- /dev/null
+From c30d36c733b4d0b2c800c25eda1aa0a2c9d4ec36 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt <tilman@imap.cc>
+Date: Mon, 21 Jan 2013 11:57:21 +0000
+Subject: isdn/gigaset: fix zero size border case in debug dump
+
+
+From: Tilman Schmidt <tilman@imap.cc>
+
+[ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ]
+
+If subtracting 12 from l leaves zero we'd do a zero size allocation,
+leading to an oops later when we try to set the NUL terminator.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/gigaset/capi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/isdn/gigaset/capi.c
++++ b/drivers/isdn/gigaset/capi.c
+@@ -263,6 +263,8 @@ static inline void dump_rawmsg(enum debu
+ CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
+ CAPIMSG_CONTROL(data));
+ l -= 12;
++ if (l <= 0)
++ return;
+ dbgline = kmalloc(3*l, GFP_ATOMIC);
+ if (!dbgline)
+ return;
--- /dev/null
+From b6b7ae73c7788ae7311247536847946d213e48f4 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen.hemminger@vyatta.com>
+Date: Wed, 16 Jan 2013 09:55:57 -0800
+Subject: MAINTAINERS: Stephen Hemminger email change
+
+
+From: Stephen Hemminger <stephen.hemminger@vyatta.com>
+
+[ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ]
+
+I changed my email because the vyatta.com mail server is now
+redirected to brocade.com; and the Brocade mail system
+is not friendly to Linux desktop users.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ MAINTAINERS | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -2491,7 +2491,7 @@ S: Maintained
+ F: drivers/net/eexpress.*
+
+ ETHERNET BRIDGE
+-M: Stephen Hemminger <shemminger@linux-foundation.org>
++M: Stephen Hemminger <stephen@networkplumber.org>
+ L: bridge@lists.linux-foundation.org
+ L: netdev@vger.kernel.org
+ W: http://www.linuxfoundation.org/en/Net:Bridge
+@@ -4327,7 +4327,7 @@ S: Supported
+ F: drivers/infiniband/hw/nes/
+
+ NETEM NETWORK EMULATOR
+-M: Stephen Hemminger <shemminger@linux-foundation.org>
++M: Stephen Hemminger <stephen@networkplumber.org>
+ L: netem@lists.linux-foundation.org
+ S: Maintained
+ F: net/sched/sch_netem.c
+@@ -5779,7 +5779,7 @@ S: Maintained
+ F: drivers/usb/misc/sisusbvga/
+
+ SKGE, SKY2 10/100/1000 GIGABIT ETHERNET DRIVERS
+-M: Stephen Hemminger <shemminger@linux-foundation.org>
++M: Stephen Hemminger <stephen@networkplumber.org>
+ L: netdev@vger.kernel.org
+ S: Maintained
+ F: drivers/net/skge.*
--- /dev/null
+From ce01f5df54b7459150020f9b9bf9d7b0ef0e8e25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 25 Jan 2013 07:44:41 +0000
+Subject: net: loopback: fix a dst refcounting issue
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]
+
+Ben Greear reported crashes in ip_rcv_finish() on a stress
+test involving many macvlans.
+
+We tracked the bug to a dst use after free. ip_rcv_finish()
+was calling dst->input() and got garbage for dst->input value.
+
+It appears the bug is in loopback driver, lacking
+a skb_dst_force() before calling netif_rx().
+
+As a result, a non refcounted dst, normally protected by a
+RCU read_lock section, was escaping this section and could
+be freed before the packet being processed.
+
+ [<ffffffff813a3c4d>] loopback_xmit+0x64/0x83
+ [<ffffffff81477364>] dev_hard_start_xmit+0x26c/0x35e
+ [<ffffffff8147771a>] dev_queue_xmit+0x2c4/0x37c
+ [<ffffffff81477456>] ? dev_hard_start_xmit+0x35e/0x35e
+ [<ffffffff8148cfa6>] ? eth_header+0x28/0xb6
+ [<ffffffff81480f09>] neigh_resolve_output+0x176/0x1a7
+ [<ffffffff814ad835>] ip_finish_output2+0x297/0x30d
+ [<ffffffff814ad6d5>] ? ip_finish_output2+0x137/0x30d
+ [<ffffffff814ad90e>] ip_finish_output+0x63/0x68
+ [<ffffffff814ae412>] ip_output+0x61/0x67
+ [<ffffffff814ab904>] dst_output+0x17/0x1b
+ [<ffffffff814adb6d>] ip_local_out+0x1e/0x23
+ [<ffffffff814ae1c4>] ip_queue_xmit+0x315/0x353
+ [<ffffffff814adeaf>] ? ip_send_unicast_reply+0x2cc/0x2cc
+ [<ffffffff814c018f>] tcp_transmit_skb+0x7ca/0x80b
+ [<ffffffff814c3571>] tcp_connect+0x53c/0x587
+ [<ffffffff810c2f0c>] ? getnstimeofday+0x44/0x7d
+ [<ffffffff810c2f56>] ? ktime_get_real+0x11/0x3e
+ [<ffffffff814c6f9b>] tcp_v4_connect+0x3c2/0x431
+ [<ffffffff814d6913>] __inet_stream_connect+0x84/0x287
+ [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
+ [<ffffffff8108d695>] ? _local_bh_enable_ip+0x84/0x9f
+ [<ffffffff8108d6c8>] ? local_bh_enable+0xd/0x11
+ [<ffffffff8146763c>] ? lock_sock_nested+0x6e/0x79
+ [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
+ [<ffffffff814d6b49>] inet_stream_connect+0x33/0x49
+ [<ffffffff814632c6>] sys_connect+0x75/0x98
+
+This bug was introduced in linux-2.6.35, in commit
+7fee226ad2397b (net: add a noref bit on skb dst)
+
+skb_dst_force() is enforced in dev_queue_xmit() for devices having a
+qdisc.
+
+Reported-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/loopback.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -78,6 +78,11 @@ static netdev_tx_t loopback_xmit(struct
+
+ skb_orphan(skb);
+
++ /* Before queueing this packet to netif_rx(),
++ * make sure dst is refcounted.
++ */
++ skb_dst_force(skb);
++
+ skb->protocol = eth_type_trans(skb, dev);
+
+ /* it's OK to use per_cpu_ptr() because BHs are off */
--- /dev/null
+From 939500bdecec387c8bd8dc205cdbef5f5b0c6303 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 7 Jan 2013 21:17:00 +0000
+Subject: net: prevent setting ttl=0 via IP_TTL
+
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c9be4a5c49cf51cc70a993f004c5bb30067a65ce ]
+
+A regression is introduced by the following commit:
+
+ commit 4d52cfbef6266092d535237ba5a4b981458ab171
+ Author: Eric Dumazet <eric.dumazet@gmail.com>
+ Date: Tue Jun 2 00:42:16 2009 -0700
+
+ net: ipv4/ip_sockglue.c cleanups
+
+ Pure cleanups
+
+but it is not a pure cleanup...
+
+ - if (val != -1 && (val < 1 || val>255))
+ + if (val != -1 && (val < 0 || val > 255))
+
+Since there is no reason provided to allow ttl=0, change it back.
+
+Reported-by: nitin padalia <padalia.nitin@gmail.com>
+Cc: nitin padalia <padalia.nitin@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -599,7 +599,7 @@ static int do_ip_setsockopt(struct sock
+ case IP_TTL:
+ if (optlen < 1)
+ goto e_inval;
+- if (val != -1 && (val < 0 || val > 255))
++ if (val != -1 && (val < 1 || val > 255))
+ goto e_inval;
+ inet->uc_ttl = val;
+ break;
--- /dev/null
+From 8cc0a7c8a231729c250c14fb887db1cb4102c2f1 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri, 8 Feb 2013 03:04:35 +0000
+Subject: net: sctp: sctp_endpoint_free: zero out secret key data
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]
+
+On sctp_endpoint_destroy, previously used sensitive keying material
+should be zeroed out before the memory is returned, as we already do
+with e.g. auth keys when released.
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/endpointola.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -248,6 +248,8 @@ void sctp_endpoint_free(struct sctp_endp
+ /* Final destructor for endpoint. */
+ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
+ {
++ int i;
++
+ SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
+
+ /* Free up the HMAC transform. */
+@@ -270,6 +272,9 @@ static void sctp_endpoint_destroy(struct
+ sctp_inq_free(&ep->base.inqueue);
+ sctp_bind_addr_free(&ep->base.bind_addr);
+
++ for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i)
++ memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);
++
+ /* Remove and free the port */
+ if (sctp_sk(ep->base.sk)->bind_hash)
+ sctp_put_port(ep->base.sk);
--- /dev/null
+From 6304eb467412af5c5af8934d6778f4a0cf0a1dae Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri, 8 Feb 2013 03:04:34 +0000
+Subject: net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]
+
+In sctp_setsockopt_auth_key, we create a temporary copy of the user
+passed shared auth key for the endpoint or association and after
+internal setup, we free it right away. Since it's sensitive data, we
+should zero out the key before returning the memory back to the
+allocator. Thus, use kzfree instead of kfree, just as we do in
+sctp_auth_key_put().
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -3304,7 +3304,7 @@ static int sctp_setsockopt_auth_key(stru
+
+ ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
+ out:
+- kfree(authkey);
++ kzfree(authkey);
+ return ret;
+ }
+
--- /dev/null
+From 4a00b6427182a347df180f546e0b8eca996a4987 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil.sutter@viprinet.com>
+Date: Fri, 1 Feb 2013 07:21:41 +0000
+Subject: packet: fix leakage of tx_ring memory
+
+
+From: Phil Sutter <phil.sutter@viprinet.com>
+
+[ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ]
+
+When releasing a packet socket, the routine packet_set_ring() is reused
+to free rings instead of allocating them. But when calling it for the
+first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
+which in the second invocation makes it bail out since req->tp_block_nr
+is greater zero but req->tp_block_size is zero.
+
+This patch solves the problem by passing a zeroed auto-variable to
+packet_set_ring() upon each invocation from packet_release().
+
+As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING
+and packet mmap), i.e. the original inclusion of TX ring support into
+af_packet, but applies only to sockets with both RX and TX ring
+allocated, which is probably why this was unnoticed all the time.
+
+Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
+Cc: Johann Baudy <johann.baudy@gnu-log.net>
+Cc: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1349,13 +1349,15 @@ static int packet_release(struct socket
+
+ packet_flush_mclist(sk);
+
+- memset(&req, 0, sizeof(req));
+-
+- if (po->rx_ring.pg_vec)
++ if (po->rx_ring.pg_vec) {
++ memset(&req, 0, sizeof(req));
+ packet_set_ring(sk, &req, 1, 0);
++ }
+
+- if (po->tx_ring.pg_vec)
++ if (po->tx_ring.pg_vec) {
++ memset(&req, 0, sizeof(req));
+ packet_set_ring(sk, &req, 1, 1);
++ }
+
+ synchronize_net();
+ /*
--- /dev/null
+From ee18bf2dc23bcb67ba759f93016aaaf0f081a58e Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang@redhat.com>
+Date: Sun, 27 Jan 2013 21:14:08 +0000
+Subject: pktgen: correctly handle failures when adding a device
+
+
+From: Cong Wang <amwang@redhat.com>
+
+[ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ]
+
+The return value of pktgen_add_device() is not checked, so
+even if we fail to add some device, for example, non-exist one,
+we still see "OK:...". This patch fixes it.
+
+After this patch, I got:
+
+ # echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0
+ -bash: echo: write error: No such device
+ # cat /proc/net/pktgen/kpktgend_0
+ Running:
+ Stopped:
+ Result: ERROR: can not add device non-exist
+ # echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
+ # cat /proc/net/pktgen/kpktgend_0
+ Running:
+ Stopped: eth0
+ Result: OK: add_device=eth0
+
+(Candidate for -stable)
+
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/pktgen.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -1803,10 +1803,13 @@ static ssize_t pktgen_thread_write(struc
+ return -EFAULT;
+ i += len;
+ mutex_lock(&pktgen_thread_lock);
+- pktgen_add_device(t, f);
++ ret = pktgen_add_device(t, f);
+ mutex_unlock(&pktgen_thread_lock);
+- ret = count;
+- sprintf(pg_result, "OK: add_device=%s", f);
++ if (!ret) {
++ ret = count;
++ sprintf(pg_result, "OK: add_device=%s", f);
++ } else
++ sprintf(pg_result, "ERROR: can not add device %s", f);
+ goto out;
+ }
+
--- /dev/null
+From f87642a99a1298cd84cccdb7ce8fdcbff1610238 Mon Sep 17 00:00:00 2001
+From: Timo Teräs <timo.teras@iki.fi>
+Date: Mon, 21 Jan 2013 22:30:35 +0000
+Subject: r8169: remove the obsolete and incorrect AMD workaround
+
+
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+
+[ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ]
+
+This was introduced in commit 6dccd16 "r8169: merge with version
+6.001.00 of Realtek's r8169 driver". I did not find the version
+6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
+this hunk is no longer present.
+
+Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC
+rev d" claims to have fixed this issue otherwise.
+
+The magic compare mask of 0xfffe000 is dubious as it masks
+parts of the Reserved part, and parts of the VLAN tag. But this
+does not make much sense as the VLAN tag parts are perfectly
+valid there. In matter of fact this seems to be triggered with
+any VLAN tagged packet as RxVlanTag bit is matched. I would
+suspect 0xfffe0000 was intended to test reserved part only.
+
+Finally, this hunk is evil as it can cause more packets to be
+handled than what was NAPI quota causing net/core/dev.c:
+net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
+mess up the NAPI state causing device to hang.
+
+As result, any system using VLANs and having high receive
+traffic (so that NAPI poll budget limits rtl_rx) would result
+in device hang.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/r8169.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -5203,13 +5203,6 @@ static int rtl8169_rx_interrupt(struct n
+ dev->stats.rx_bytes += pkt_size;
+ dev->stats.rx_packets++;
+ }
+-
+- /* Work around for AMD plateform. */
+- if ((desc->opts2 & cpu_to_le32(0xfffe000)) &&
+- (tp->mac_version == RTL_GIGA_MAC_VER_05)) {
+- desc->opts2 = 0;
+- cur_rx++;
+- }
+ }
+
+ count = cur_rx - tp->cur_rx;
--- /dev/null
+From b3887ace720555154eae2262b0de8bac97cf1170 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Thu, 17 Jan 2013 11:15:08 +0000
+Subject: sctp: refactor sctp_outq_teardown to insure proper re-initalization
+
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]
+
+Jamie Parsons reported a problem recently, in which the re-initalization of an
+association (The duplicate init case), resulted in a loss of receive window
+space. He tracked down the root cause to sctp_outq_teardown, which discarded
+all the data on an outq during a re-initalization of the corresponding
+association, but never reset the outq->outstanding_data field to zero. I wrote,
+and he tested this fix, which does a proper full re-initalization of the outq,
+fixing this problem, and hopefully future proofing us from simmilar issues down
+the road.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
+Tested-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
+CC: Jamie Parsons <Jamie.Parsons@metaswitch.com>
+CC: Vlad Yasevich <vyasevich@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/outqueue.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -223,7 +223,7 @@ void sctp_outq_init(struct sctp_associat
+
+ /* Free the outqueue structure and any related pending chunks.
+ */
+-void sctp_outq_teardown(struct sctp_outq *q)
++static void __sctp_outq_teardown(struct sctp_outq *q)
+ {
+ struct sctp_transport *transport;
+ struct list_head *lchunk, *temp;
+@@ -276,8 +276,6 @@ void sctp_outq_teardown(struct sctp_outq
+ sctp_chunk_free(chunk);
+ }
+
+- q->error = 0;
+-
+ /* Throw away any leftover control chunks. */
+ list_for_each_entry_safe(chunk, tmp, &q->control_chunk_list, list) {
+ list_del_init(&chunk->list);
+@@ -285,11 +283,17 @@ void sctp_outq_teardown(struct sctp_outq
+ }
+ }
+
++void sctp_outq_teardown(struct sctp_outq *q)
++{
++ __sctp_outq_teardown(q);
++ sctp_outq_init(q->asoc, q);
++}
++
+ /* Free the outqueue structure and any related pending chunks. */
+ void sctp_outq_free(struct sctp_outq *q)
+ {
+ /* Throw away leftover chunks. */
+- sctp_outq_teardown(q);
++ __sctp_outq_teardown(q);
+
+ /* If we were kmalloc()'d, free the memory. */
+ if (q->malloced)
virtio_console-don-t-access-uninitialized-data.patch
kernel-resource.c-fix-stack-overflow-in-__reserve_region_with_split.patch
mac80211-synchronize-scan-off-on-channel-and-ps-states.patch
+net-prevent-setting-ttl-0-via-ip_ttl.patch
+maintainers-stephen-hemminger-email-change.patch
+isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
+r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
+net-loopback-fix-a-dst-refcounting-issue.patch
+pktgen-correctly-handle-failures-when-adding-a-device.patch
+ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
+packet-fix-leakage-of-tx_ring-memory.patch
+atm-iphase-rename-fregt_t-ffreg_t.patch
+sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
+net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
+net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
+tcp-frto-should-not-set-snd_cwnd-to-0.patch
+tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
+tcp-fix-msg_sendpage_notlast-logic.patch
+bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
+tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
+tg3-fix-crc-errors-on-jumbo-frame-receive.patch
--- /dev/null
+From 0437a885ff524effbd942340d8f05cde6fe15980 Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Mon, 4 Feb 2013 02:14:25 +0000
+Subject: tcp: fix for zero packets_in_flight was too broad
+
+
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@helsinki.fi>
+
+[ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ]
+
+There are transients during normal FRTO procedure during which
+the packets_in_flight can go to zero between write_queue state
+updates and firing the resulting segments out. As FRTO processing
+occurs during that window the check must be more precise to
+not match "spuriously" :-). More specificly, e.g., when
+packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
+branch that set cwnd into zero would not be taken and new segments
+might be sent out later.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Tested-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3568,8 +3568,7 @@ static int tcp_process_frto(struct sock
+ ((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
+ tp->undo_marker = 0;
+
+- if (!before(tp->snd_una, tp->frto_highmark) ||
+- !tcp_packets_in_flight(tp)) {
++ if (!before(tp->snd_una, tp->frto_highmark)) {
+ tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
+ return 1;
+ }
+@@ -3589,6 +3588,11 @@ static int tcp_process_frto(struct sock
+ }
+ } else {
+ if (!(flag & FLAG_DATA_ACKED) && (tp->frto_counter == 1)) {
++ if (!tcp_packets_in_flight(tp)) {
++ tcp_enter_frto_loss(sk, 2, flag);
++ return true;
++ }
++
+ /* Prevent sending of new data. */
+ tp->snd_cwnd = min(tp->snd_cwnd,
+ tcp_packets_in_flight(tp));
--- /dev/null
+From 0f379a8fb8cbf317985476591c05462019fd0350 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 6 Jan 2013 18:21:49 +0000
+Subject: tcp: fix MSG_SENDPAGE_NOTLAST logic
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]
+
+commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
+added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
+frags but the last one for a splice() call.
+
+The condition used to set the flag in pipe_to_sendpage() relied on
+splice() user passing the exact number of bytes present in the pipe,
+or a smaller one.
+
+But some programs pass an arbitrary high value, and the test fails.
+
+The effect of this bug is a lack of tcp_push() at the end of a
+splice(pipe -> socket) call, and possibly very slow or erratic TCP
+sessions.
+
+We should both test sd->total_len and fact that another fragment
+is in the pipe (pipe->nrbufs > 1)
+
+Many thanks to Willy for providing very clear bug report, bisection
+and test programs.
+
+Reported-by: Willy Tarreau <w@1wt.eu>
+Bisected-by: Willy Tarreau <w@1wt.eu>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/splice.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -693,8 +693,10 @@ static int pipe_to_sendpage(struct pipe_
+ return -EINVAL;
+
+ more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
+- if (sd->len < sd->total_len)
++
++ if (sd->len < sd->total_len && pipe->nrbufs > 1)
+ more |= MSG_SENDPAGE_NOTLAST;
++
+ return file->f_op->sendpage(file, buf->page, buf->offset,
+ sd->len, &pos, more);
+ }
--- /dev/null
+From c1cc475460adea2fe1d2fc5d059b5f0c823839af Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 3 Feb 2013 09:13:05 +0000
+Subject: tcp: frto should not set snd_cwnd to 0
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ]
+
+Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start())
+uncovered a bug in FRTO code :
+tcp_process_frto() is setting snd_cwnd to 0 if the number
+of in flight packets is 0.
+
+As Neal pointed out, if no packet is in flight we lost our
+chance to disambiguate whether a loss timeout was spurious.
+
+We should assume it was a proper loss.
+
+Reported-by: Pasi Kärkkäinen <pasik@iki.fi>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Cc: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3568,7 +3568,8 @@ static int tcp_process_frto(struct sock
+ ((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
+ tp->undo_marker = 0;
+
+- if (!before(tp->snd_una, tp->frto_highmark)) {
++ if (!before(tp->snd_una, tp->frto_highmark) ||
++ !tcp_packets_in_flight(tp)) {
+ tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
+ return 1;
+ }
--- /dev/null
+From 2cec2bdc3e1b5defc8c9b5a3b7c1291ceb8a61e7 Mon Sep 17 00:00:00 2001
+From: Nithin Nayak Sujir <nsujir@broadcom.com>
+Date: Mon, 14 Jan 2013 17:10:59 +0000
+Subject: tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
+
+
+From: Nithin Nayak Sujir <nsujir@broadcom.com>
+
+[ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ]
+
+When netconsole is enabled, logging messages generated during tg3_open
+can result in a null pointer dereference for the uninitialized tg3
+status block. Use the irq_sync flag to disable polling in the early
+stages. irq_sync is cleared when the driver is enabling interrupts after
+all initialization is completed.
+
+Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tg3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -5662,6 +5662,9 @@ static void tg3_poll_controller(struct n
+ int i;
+ struct tg3 *tp = netdev_priv(dev);
+
++ if (tg3_irq_sync(tp))
++ return;
++
+ for (i = 0; i < tp->irq_cnt; i++)
+ tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]);
+ }
+@@ -14981,6 +14984,7 @@ static int __devinit tg3_init_one(struct
+ tp->pm_cap = pm_cap;
+ tp->rx_mode = TG3_DEF_RX_MODE;
+ tp->tx_mode = TG3_DEF_TX_MODE;
++ tp->irq_sync = 1;
+
+ if (tg3_debug > 0)
+ tp->msg_enable = tg3_debug;
--- /dev/null
+From 2a08124fd105787a2ee596636b879c7b2c17f46a Mon Sep 17 00:00:00 2001
+From: Nithin Nayak Sujir <nsujir@broadcom.com>
+Date: Mon, 14 Jan 2013 17:11:00 +0000
+Subject: tg3: Fix crc errors on jumbo frame receive
+
+
+From: Nithin Nayak Sujir <nsujir@broadcom.com>
+
+[ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ]
+
+TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy
+auxiliary control register and overwrite the EXT_PKT_LEN (bit 14) resulting
+in intermittent crc errors on jumbo frames with some link partners. Change
+the code to do a read/modify/write.
+
+Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tg3.c | 56 ++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 34 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -996,14 +996,26 @@ static int tg3_phy_auxctl_write(struct t
+ return tg3_writephy(tp, MII_TG3_AUX_CTRL, set | reg);
+ }
+
+-#define TG3_PHY_AUXCTL_SMDSP_ENABLE(tp) \
+- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
+- MII_TG3_AUXCTL_ACTL_SMDSP_ENA | \
+- MII_TG3_AUXCTL_ACTL_TX_6DB)
+-
+-#define TG3_PHY_AUXCTL_SMDSP_DISABLE(tp) \
+- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
+- MII_TG3_AUXCTL_ACTL_TX_6DB);
++static int tg3_phy_toggle_auxctl_smdsp(struct tg3 *tp, bool enable)
++{
++ u32 val;
++ int err;
++
++ err = tg3_phy_auxctl_read(tp, MII_TG3_AUXCTL_SHDWSEL_AUXCTL, &val);
++
++ if (err)
++ return err;
++ if (enable)
++
++ val |= MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
++ else
++ val &= ~MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
++
++ err = tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL,
++ val | MII_TG3_AUXCTL_ACTL_TX_6DB);
++
++ return err;
++}
+
+ static int tg3_bmcr_reset(struct tg3 *tp)
+ {
+@@ -1775,7 +1787,7 @@ static void tg3_phy_apply_otp(struct tg3
+
+ otp = tp->phy_otp;
+
+- if (TG3_PHY_AUXCTL_SMDSP_ENABLE(tp))
++ if (tg3_phy_toggle_auxctl_smdsp(tp, true))
+ return;
+
+ phy = ((otp & TG3_OTP_AGCTGT_MASK) >> TG3_OTP_AGCTGT_SHIFT);
+@@ -1800,7 +1812,7 @@ static void tg3_phy_apply_otp(struct tg3
+ ((otp & TG3_OTP_RCOFF_MASK) >> TG3_OTP_RCOFF_SHIFT);
+ tg3_phydsp_write(tp, MII_TG3_DSP_EXP97, phy);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ static void tg3_phy_eee_adjust(struct tg3 *tp, u32 current_link_up)
+@@ -1848,9 +1860,9 @@ static void tg3_phy_eee_enable(struct tg
+ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5717 ||
+ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719 ||
+ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_57765) &&
+- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, MII_TG3_DSP_TAP26, 0x0003);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ val = tr32(TG3_CPMU_EEE_MODE);
+@@ -1995,7 +2007,7 @@ static int tg3_phy_reset_5703_4_5(struct
+ (MII_TG3_CTRL_AS_MASTER |
+ MII_TG3_CTRL_ENABLE_AS_MASTER));
+
+- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
++ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
+ if (err)
+ return err;
+
+@@ -2016,7 +2028,7 @@ static int tg3_phy_reset_5703_4_5(struct
+ tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x8200);
+ tg3_writephy(tp, MII_TG3_DSP_CONTROL, 0x0000);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+
+ tg3_writephy(tp, MII_TG3_CTRL, phy9_orig);
+
+@@ -2105,10 +2117,10 @@ static int tg3_phy_reset(struct tg3 *tp)
+
+ out:
+ if ((tp->phy_flags & TG3_PHYFLG_ADC_BUG) &&
+- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, 0x201f, 0x2aaa);
+ tg3_phydsp_write(tp, 0x000a, 0x0323);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ if (tp->phy_flags & TG3_PHYFLG_5704_A0_BUG) {
+@@ -2117,14 +2129,14 @@ out:
+ }
+
+ if (tp->phy_flags & TG3_PHYFLG_BER_BUG) {
+- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, 0x000a, 0x310b);
+ tg3_phydsp_write(tp, 0x201f, 0x9506);
+ tg3_phydsp_write(tp, 0x401f, 0x14e2);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+ } else if (tp->phy_flags & TG3_PHYFLG_JITTER_BUG) {
+- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x000a);
+ if (tp->phy_flags & TG3_PHYFLG_ADJUST_TRIM) {
+ tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x110b);
+@@ -2133,7 +2145,7 @@ out:
+ } else
+ tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x010b);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+ }
+
+@@ -2981,7 +2993,7 @@ static int tg3_phy_autoneg_cfg(struct tg
+ tw32(TG3_CPMU_EEE_MODE,
+ tr32(TG3_CPMU_EEE_MODE) & ~TG3_CPMU_EEEMD_LPI_ENABLE);
+
+- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
++ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
+ if (!err) {
+ u32 err2;
+
+@@ -3008,7 +3020,7 @@ static int tg3_phy_autoneg_cfg(struct tg
+ val |= MDIO_AN_EEE_ADV_1000T;
+ err = tg3_phy_cl45_write(tp, MDIO_MMD_AN, MDIO_AN_EEE_ADV, val);
+
+- err2 = TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ err2 = tg3_phy_toggle_auxctl_smdsp(tp, false);
+ if (!err)
+ err = err2;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
