--- /dev/null
+From 6f21f55ed973d7c575fc108e88d8107fba5d5fe0 Mon Sep 17 00:00:00 2001
+From: Matthew Whitehead <tedheadster@gmail.com>
+Date: Mon, 29 Apr 2013 17:46:53 -0400
+Subject: 3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA)
+
+
+From: Matthew Whitehead <tedheadster@gmail.com>
+
+[ Upstream commit 3b54912f9cd167641b91d4a697bd742f70e534fe ]
+
+The venerable 3c509 driver only sets its device parent in one case, the ISAPnP one.
+It does this with the SET_NETDEV_DEV function. It should register with the device
+hierarchy in two additional cases: standard (non-PnP) ISA and EISA.
+
+- Currently they appear here:
+/sys/devices/virtual/net/eth0 (standard ISA)
+/sys/devices/virtual/net/eth1 (EISA)
+
+- Rather, they should instead be here:
+/sys/devices/isa/3c509.0/net/eth0 (standard ISA)
+/sys/devices/pci0000:00/0000:00:07.0/00:04/net/eth1 (EISA)
+
+Tested on ISA and EISA boards.
+
+Signed-off-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c509.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/3com/3c509.c
++++ b/drivers/net/ethernet/3com/3c509.c
+@@ -309,6 +309,7 @@ static int __devinit el3_isa_match(struc
+ if (!dev)
+ return -ENOMEM;
+
++ SET_NETDEV_DEV(dev, pdev);
+ netdev_boot_setup_check(dev);
+
+ if (!request_region(ioaddr, EL3_IO_EXTENT, "3c509-isa")) {
+@@ -704,6 +705,7 @@ static int __init el3_eisa_probe (struct
+ return -ENOMEM;
+ }
+
++ SET_NETDEV_DEV(dev, device);
+ netdev_boot_setup_check(dev);
+
+ el3_dev_fill(dev, phys_addr, ioaddr, irq, if_port, EL3_EISA);
--- /dev/null
+From 3704390b7899e0c022c2d30396956521e8b97015 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Thu, 2 May 2013 11:10:22 +0000
+Subject: 3c59x: fix freeing nonexistent resource on driver unload
+
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit c81400be716aa4c76f6ebf339ba94358dbbf6da6 ]
+
+When unloading the driver that drives an EISA board, a message similar to the
+following one is displayed:
+
+Trying to free nonexistent resource <0000000000013000-000000000001301f>
+
+Then an user is unable to reload the driver because the resource it requested in
+the previous load hasn't been freed. This happens most probably due to a typo in
+vortex_eisa_remove() which calls release_region() with 'dev->base_addr' instead
+of 'edev->base_addr'...
+
+Reported-by: Matthew Whitehead <tedheadster@gmail.com>
+Tested-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c59x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -951,7 +951,7 @@ static int __devexit vortex_eisa_remove(
+
+ unregister_netdev(dev);
+ iowrite16(TotalReset|0x14, ioaddr + EL3_CMD);
+- release_region(dev->base_addr, VORTEX_TOTAL_SIZE);
++ release_region(edev->base_addr, VORTEX_TOTAL_SIZE);
+
+ free_netdev(dev);
+ return 0;
--- /dev/null
+From 1752dd39967f4db52197135a1867bdc85dbf0d84 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Thu, 9 May 2013 11:14:07 +0000
+Subject: 3c59x: fix PCI resource management
+
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+[ Upstream commit 4b264a1676e70dc656ba53a8cac690f2d4b65f4e ]
+
+The driver wrongly claimed I/O ports at an address returned by pci_iomap() --
+even if it was passed an MMIO address. Fix this by claiming/releasing all PCI
+resources in the PCI driver's probe()/remove() methods instead and get rid of
+'must_free_region' flag weirdness (why would Cardbus claim anything for us?).
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c59x.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -632,7 +632,6 @@ struct vortex_private {
+ pm_state_valid:1, /* pci_dev->saved_config_space has sane contents */
+ open:1,
+ medialock:1,
+- must_free_region:1, /* Flag: if zero, Cardbus owns the I/O region */
+ large_frames:1, /* accept large frames */
+ handling_irq:1; /* private in_irq indicator */
+ /* {get|set}_wol operations are already serialized by rtnl.
+@@ -1012,6 +1011,12 @@ static int __devinit vortex_init_one(str
+ if (rc < 0)
+ goto out;
+
++ rc = pci_request_regions(pdev, DRV_NAME);
++ if (rc < 0) {
++ pci_disable_device(pdev);
++ goto out;
++ }
++
+ unit = vortex_cards_found;
+
+ if (global_use_mmio < 0 && (unit >= MAX_UNITS || use_mmio[unit] < 0)) {
+@@ -1027,6 +1032,7 @@ static int __devinit vortex_init_one(str
+ if (!ioaddr) /* If mapping fails, fall-back to BAR 0... */
+ ioaddr = pci_iomap(pdev, 0, 0);
+ if (!ioaddr) {
++ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ rc = -ENOMEM;
+ goto out;
+@@ -1036,6 +1042,7 @@ static int __devinit vortex_init_one(str
+ ent->driver_data, unit);
+ if (rc < 0) {
+ pci_iounmap(pdev, ioaddr);
++ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ goto out;
+ }
+@@ -1179,11 +1186,6 @@ static int __devinit vortex_probe1(struc
+
+ /* PCI-only startup logic */
+ if (pdev) {
+- /* EISA resources already marked, so only PCI needs to do this here */
+- /* Ignore return value, because Cardbus drivers already allocate for us */
+- if (request_region(dev->base_addr, vci->io_size, print_name) != NULL)
+- vp->must_free_region = 1;
+-
+ /* enable bus-mastering if necessary */
+ if (vci->flags & PCI_USES_MASTER)
+ pci_set_master(pdev);
+@@ -1221,7 +1223,7 @@ static int __devinit vortex_probe1(struc
+ &vp->rx_ring_dma);
+ retval = -ENOMEM;
+ if (!vp->rx_ring)
+- goto free_region;
++ goto free_device;
+
+ vp->tx_ring = (struct boom_tx_desc *)(vp->rx_ring + RX_RING_SIZE);
+ vp->tx_ring_dma = vp->rx_ring_dma + sizeof(struct boom_rx_desc) * RX_RING_SIZE;
+@@ -1486,9 +1488,7 @@ free_ring:
+ + sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring,
+ vp->rx_ring_dma);
+-free_region:
+- if (vp->must_free_region)
+- release_region(dev->base_addr, vci->io_size);
++free_device:
+ free_netdev(dev);
+ pr_err(PFX "vortex_probe1 fails. Returns %d\n", retval);
+ out:
+@@ -3256,8 +3256,9 @@ static void __devexit vortex_remove_one(
+ + sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring,
+ vp->rx_ring_dma);
+- if (vp->must_free_region)
+- release_region(dev->base_addr, vp->io_size);
++
++ pci_release_regions(pdev);
++
+ free_netdev(dev);
+ }
+
--- /dev/null
+From 471842a45ef380de09b74cbd4b09f7d6f202dfc7 Mon Sep 17 00:00:00 2001
+From: stephen hemminger <stephen@networkplumber.org>
+Date: Thu, 2 May 2013 14:23:28 +0000
+Subject: bridge: fix race with topology change timer
+
+
+From: stephen hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 83401eb4990ff6af55aeed8f49681558544192e6 ]
+
+A bridge should only send topology change notice if it is not
+the root bridge. It is possible for message age timer to elect itself
+as a new root bridge, and still have a topology change timer running
+but waiting for bridge lock on other CPU.
+
+Solve the race by checking if we are root bridge before continuing.
+This was the root cause of the cases where br_send_tcn_bpdu would OOPS.
+
+Reported-by: JerryKang <jerry.kang@samsung.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_stp_timer.c
++++ b/net/bridge/br_stp_timer.c
+@@ -107,7 +107,7 @@ static void br_tcn_timer_expired(unsigne
+
+ br_debug(br, "tcn timer expired\n");
+ spin_lock(&br->lock);
+- if (br->dev->flags & IFF_UP) {
++ if (!br_is_root_bridge(br) && (br->dev->flags & IFF_UP)) {
+ br_transmit_tcn(br);
+
+ mod_timer(&br->tcn_timer,jiffies + br->bridge_hello_time);
--- /dev/null
+From 798440a12e3cda06a03e9aa84787703c32ec5f7a Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Wed, 8 May 2013 09:45:47 +0000
+Subject: if_cablemodem.h: Add parenthesis around ioctl macros
+
+
+From: Josh Boyer <jwboyer@redhat.com>
+
+[ Upstream commit 4f924b2aa4d3cb30f07e57d6b608838edcbc0d88 ]
+
+Protect the SIOCGCM* ioctl macros with parenthesis.
+
+Reported-by: Paul Wouters <pwouters@redhat.com>
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_cablemodem.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/include/linux/if_cablemodem.h
++++ b/include/linux/if_cablemodem.h
+@@ -12,11 +12,11 @@
+ */
+
+ /* some useful defines for sb1000.c e cmconfig.c - fv */
+-#define SIOCGCMSTATS SIOCDEVPRIVATE+0 /* get cable modem stats */
+-#define SIOCGCMFIRMWARE SIOCDEVPRIVATE+1 /* get cm firmware version */
+-#define SIOCGCMFREQUENCY SIOCDEVPRIVATE+2 /* get cable modem frequency */
+-#define SIOCSCMFREQUENCY SIOCDEVPRIVATE+3 /* set cable modem frequency */
+-#define SIOCGCMPIDS SIOCDEVPRIVATE+4 /* get cable modem PIDs */
+-#define SIOCSCMPIDS SIOCDEVPRIVATE+5 /* set cable modem PIDs */
++#define SIOCGCMSTATS (SIOCDEVPRIVATE+0) /* get cable modem stats */
++#define SIOCGCMFIRMWARE (SIOCDEVPRIVATE+1) /* get cm firmware version */
++#define SIOCGCMFREQUENCY (SIOCDEVPRIVATE+2) /* get cable modem frequency */
++#define SIOCSCMFREQUENCY (SIOCDEVPRIVATE+3) /* set cable modem frequency */
++#define SIOCGCMPIDS (SIOCDEVPRIVATE+4) /* get cable modem PIDs */
++#define SIOCSCMPIDS (SIOCDEVPRIVATE+5) /* set cable modem PIDs */
+
+ #endif
--- /dev/null
+From f1d01a0708c7017820f1a6ddfa90baa2ba9214d1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 9 May 2013 10:28:16 +0000
+Subject: ipv6: do not clear pinet6 field
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f77d602124d865c38705df7fa25c03de9c284ad2 ]
+
+We have seen multiple NULL dereferences in __inet6_lookup_established()
+
+After analysis, I found that inet6_sk() could be NULL while the
+check for sk_family == AF_INET6 was true.
+
+Bug was added in linux-2.6.29 when RCU lookups were introduced in UDP
+and TCP stacks.
+
+Once an IPv6 socket, using SLAB_DESTROY_BY_RCU is inserted in a hash
+table, we no longer can clear pinet6 field.
+
+This patch extends logic used in commit fcbdf09d9652c891
+("net: fix nulls list corruptions in sk_prot_alloc")
+
+TCP/UDP/UDPLite IPv6 protocols provide their own .clear_sk() method
+to make sure we do not clear pinet6 field.
+
+At socket clone phase, we do not really care, as cloning the parent (non
+NULL) pinet6 is not adding a fatal race.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 12 ++++++++++++
+ net/core/sock.c | 12 ------------
+ net/ipv6/tcp_ipv6.c | 12 ++++++++++++
+ net/ipv6/udp.c | 13 ++++++++++++-
+ net/ipv6/udp_impl.h | 2 ++
+ net/ipv6/udplite.c | 2 +-
+ 6 files changed, 39 insertions(+), 14 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -793,6 +793,18 @@ struct inet_hashinfo;
+ struct raw_hashinfo;
+ struct module;
+
++/*
++ * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
++ * un-modified. Special care is taken when initializing object to zero.
++ */
++static inline void sk_prot_clear_nulls(struct sock *sk, int size)
++{
++ if (offsetof(struct sock, sk_node.next) != 0)
++ memset(sk, 0, offsetof(struct sock, sk_node.next));
++ memset(&sk->sk_node.pprev, 0,
++ size - offsetof(struct sock, sk_node.pprev));
++}
++
+ /* Networking protocol blocks we attach to sockets.
+ * socket layer -> transport layer interface
+ * transport -> network interface is defined by struct inet_proto
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1093,18 +1093,6 @@ static void sock_copy(struct sock *nsk,
+ #endif
+ }
+
+-/*
+- * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
+- * un-modified. Special care is taken when initializing object to zero.
+- */
+-static inline void sk_prot_clear_nulls(struct sock *sk, int size)
+-{
+- if (offsetof(struct sock, sk_node.next) != 0)
+- memset(sk, 0, offsetof(struct sock, sk_node.next));
+- memset(&sk->sk_node.pprev, 0,
+- size - offsetof(struct sock, sk_node.pprev));
+-}
+-
+ void sk_prot_clear_portaddr_nulls(struct sock *sk, int size)
+ {
+ unsigned long nulls1, nulls2;
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -2079,6 +2079,17 @@ void tcp6_proc_exit(struct net *net)
+ }
+ #endif
+
++static void tcp_v6_clear_sk(struct sock *sk, int size)
++{
++ struct inet_sock *inet = inet_sk(sk);
++
++ /* we do not want to clear pinet6 field, because of RCU lookups */
++ sk_prot_clear_nulls(sk, offsetof(struct inet_sock, pinet6));
++
++ size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
++ memset(&inet->pinet6 + 1, 0, size);
++}
++
+ struct proto tcpv6_prot = {
+ .name = "TCPv6",
+ .owner = THIS_MODULE,
+@@ -2120,6 +2131,7 @@ struct proto tcpv6_prot = {
+ #ifdef CONFIG_CGROUP_MEM_RES_CTLR_KMEM
+ .proto_cgroup = tcp_proto_cgroup,
+ #endif
++ .clear_sk = tcp_v6_clear_sk,
+ };
+
+ static const struct inet6_protocol tcpv6_protocol = {
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1457,6 +1457,17 @@ void udp6_proc_exit(struct net *net) {
+ }
+ #endif /* CONFIG_PROC_FS */
+
++void udp_v6_clear_sk(struct sock *sk, int size)
++{
++ struct inet_sock *inet = inet_sk(sk);
++
++ /* we do not want to clear pinet6 field, because of RCU lookups */
++ sk_prot_clear_portaddr_nulls(sk, offsetof(struct inet_sock, pinet6));
++
++ size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
++ memset(&inet->pinet6 + 1, 0, size);
++}
++
+ /* ------------------------------------------------------------------------ */
+
+ struct proto udpv6_prot = {
+@@ -1487,7 +1498,7 @@ struct proto udpv6_prot = {
+ .compat_setsockopt = compat_udpv6_setsockopt,
+ .compat_getsockopt = compat_udpv6_getsockopt,
+ #endif
+- .clear_sk = sk_prot_clear_portaddr_nulls,
++ .clear_sk = udp_v6_clear_sk,
+ };
+
+ static struct inet_protosw udpv6_protosw = {
+--- a/net/ipv6/udp_impl.h
++++ b/net/ipv6/udp_impl.h
+@@ -31,6 +31,8 @@ extern int udpv6_recvmsg(struct kiocb *i
+ extern int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb);
+ extern void udpv6_destroy_sock(struct sock *sk);
+
++extern void udp_v6_clear_sk(struct sock *sk, int size);
++
+ #ifdef CONFIG_PROC_FS
+ extern int udp6_seq_show(struct seq_file *seq, void *v);
+ #endif
+--- a/net/ipv6/udplite.c
++++ b/net/ipv6/udplite.c
+@@ -56,7 +56,7 @@ struct proto udplitev6_prot = {
+ .compat_setsockopt = compat_udpv6_setsockopt,
+ .compat_getsockopt = compat_udpv6_getsockopt,
+ #endif
+- .clear_sk = sk_prot_clear_portaddr_nulls,
++ .clear_sk = udp_v6_clear_sk,
+ };
+
+ static struct inet_protosw udplite6_protosw = {
--- /dev/null
+From be2f1b1ca3363534ddc26b854290688471d7d973 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@resnulli.us>
+Date: Thu, 9 May 2013 04:23:40 +0000
+Subject: macvlan: fix passthru mode race between dev removal and rx path
+
+
+From: Jiri Pirko <jiri@resnulli.us>
+
+[ Upstream commit 233c7df0821c4190e2d3f4be0f2ca0ab40a5ed8c, note
+ that I had to add list_first_or_null_rcu to rculist.h in order
+ to accomodate this fix. ]
+
+Currently, if macvlan in passthru mode is created and data are rxed and
+you remove this device, following panic happens:
+
+NULL pointer dereference at 0000000000000198
+IP: [<ffffffffa0196058>] macvlan_handle_frame+0x153/0x1f7 [macvlan]
+
+I'm using following script to trigger this:
+<script>
+while [ 1 ]
+do
+ ip link add link e1 name macvtap0 type macvtap mode passthru
+ ip link set e1 up
+ ip link set macvtap0 up
+ IFINDEX=`ip link |grep macvtap0 | cut -f 1 -d ':'`
+ cat /dev/tap$IFINDEX >/dev/null &
+ ip link del dev macvtap0
+done
+</script>
+
+I run this script while "ping -f" is running on another machine to send
+packets to e1 rx.
+
+Reason of the panic is that list_first_entry() is blindly called in
+macvlan_handle_frame() even if the list was empty. vlan is set to
+incorrect pointer which leads to the crash.
+
+I'm fixing this by protecting port->vlans list by rcu and by preventing
+from getting incorrect pointer in case the list is empty.
+
+Introduced by: commit eb06acdc85585f2 "macvlan: Introduce 'passthru' mode to takeover the underlying device"
+
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 7 ++++---
+ include/linux/rculist.h | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -205,7 +205,8 @@ static rx_handler_result_t macvlan_handl
+ }
+
+ if (port->passthru)
+- vlan = list_first_entry(&port->vlans, struct macvlan_dev, list);
++ vlan = list_first_or_null_rcu(&port->vlans,
++ struct macvlan_dev, list);
+ else
+ vlan = macvlan_hash_lookup(port, eth->h_dest);
+ if (vlan == NULL)
+@@ -724,7 +725,7 @@ int macvlan_common_newlink(struct net *s
+ if (err < 0)
+ goto destroy_port;
+
+- list_add_tail(&vlan->list, &port->vlans);
++ list_add_tail_rcu(&vlan->list, &port->vlans);
+ netif_stacked_transfer_operstate(lowerdev, dev);
+
+ return 0;
+@@ -750,7 +751,7 @@ void macvlan_dellink(struct net_device *
+ {
+ struct macvlan_dev *vlan = netdev_priv(dev);
+
+- list_del(&vlan->list);
++ list_del_rcu(&vlan->list);
+ unregister_netdevice_queue(dev, head);
+ }
+ EXPORT_SYMBOL_GPL(macvlan_dellink);
+--- a/include/linux/rculist.h
++++ b/include/linux/rculist.h
+@@ -242,6 +242,23 @@ static inline void list_splice_init_rcu(
+ list_entry_rcu((ptr)->next, type, member)
+
+ /**
++ * list_first_or_null_rcu - get the first element from a list
++ * @ptr: the list head to take the element from.
++ * @type: the type of the struct this is embedded in.
++ * @member: the name of the list_struct within the struct.
++ *
++ * Note that if the list is empty, it returns NULL.
++ *
++ * This primitive may safely run concurrently with the _rcu list-mutation
++ * primitives such as list_add_rcu() as long as it's guarded by rcu_read_lock().
++ */
++#define list_first_or_null_rcu(ptr, type, member) \
++ ({struct list_head *__ptr = (ptr); \
++ struct list_head __rcu *__next = list_next_rcu(__ptr); \
++ likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \
++ })
++
++/**
+ * list_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
--- /dev/null
+From 03914fc5c6bf1a8527ee6598903b4f9adb2204fa Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Thu, 18 Apr 2013 12:57:10 +0000
+Subject: net: qmi_wwan: fixup destination address (firmware bug workaround)
+
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit 6483bdc9d76fb98174797516a19d289eb837909e ]
+
+Received packets are sometimes addressed to 00:a0:c6:00:00:00
+instead of the address the device firmware should have learned
+from the host:
+
+321.224126 77.16.85.204 -> 148.122.171.134 ICMP 98 Echo (ping) request id=0x4025, seq=64/16384, ttl=64
+
+0000 82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00 .....g.....g..E.
+0010 00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a .T..@.@.W.M.U..z
+0020 ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00 ....b.@%.@..nQ..
+0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k.............
+0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
+0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
+0060 36 37 67
+
+321.240607 148.122.171.134 -> 77.16.85.204 ICMP 98 Echo (ping) reply id=0x4025, seq=64/16384, ttl=55
+
+0000 00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00 .......P......E.
+0010 00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10 .T.V..7..v.z..M.
+0020 55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00 U...j.@%.@..nQ..
+0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k.............
+0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
+0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
+0060 36 37 67
+
+The bogus address is always the same, and matches the address
+suggested by many devices as a default address. It is likely a
+hardcoded firmware default.
+
+The circumstances where this bug has been observed indicates that
+the trigger is related to timing or some other factor the host
+cannot control. Repeating the exact same configuration sequence
+that caused it to trigger once, will not necessarily cause it to
+trigger the next time. Reproducing the bug is therefore difficult.
+This opens up a possibility that the bug is more common than we can
+confirm, because affected devices often will work properly again
+after a reset. A procedure most users are likely to try out before
+reporting a bug.
+
+Unconditionally rewriting the destination address if the first digit
+of the received packet is 0, is considered an acceptable compromise
+since we already have to inspect this digit. The simplification will
+cause unnecessary rewrites if the real address starts with 0, but this
+is still better than adding additional tests for this particular case.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -190,6 +190,10 @@ err:
+ * This means that this function will reliably add the appropriate
+ * header iff necessary, provided our hardware address does not start
+ * with 4 or 6.
++ *
++ * Another common firmware bug results in all packets being addressed
++ * to 00:a0:c6:00:00:00 despite the host address being different.
++ * This function will also fixup such packets.
+ */
+ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ {
+@@ -206,6 +210,12 @@ static int qmi_wwan_rx_fixup(struct usbn
+ case 0x60:
+ proto = htons(ETH_P_IPV6);
+ break;
++ case 0x00:
++ if (is_multicast_ether_addr(skb->data))
++ return 1;
++ /* possibly bogus destination - rewrite just in case */
++ skb_reset_mac_header(skb);
++ goto fix_dest;
+ default:
+ /* pass along other packets without modifications */
+ return 1;
+@@ -216,6 +226,7 @@ static int qmi_wwan_rx_fixup(struct usbn
+ skb_reset_mac_header(skb);
+ eth_hdr(skb)->h_proto = proto;
+ memset(eth_hdr(skb)->h_source, 0, ETH_ALEN);
++fix_dest:
+ memcpy(eth_hdr(skb)->h_dest, dev->net->dev_addr, ETH_ALEN);
+ return 1;
+ }
--- /dev/null
+From 302a42283a7e71536bc0bc0a54c9e693dc39f95e Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Thu, 18 Apr 2013 12:57:09 +0000
+Subject: net: qmi_wwan: fixup missing ethernet header (firmware bug workaround)
+
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit 6ff509af3869ccac69dcf8905fc75b9a76951594 ]
+
+A number of LTE devices from different vendors all suffer from the
+same firmware bug: Most of the packets received from the device while
+it is attached to a LTE network will not have an ethernet header. The
+devices work as expected when attached to 2G or 3G networks, sending
+an ethernet header with all packets.
+
+This driver is not aware of which network the modem attached to, and
+even if it were there are still some packet types which are always
+received with the header intact.
+
+All devices supported by this driver have severely limited
+networking capabilities:
+ - can only transmit IPv4, IPv6 and possibly ARP
+ - can only support a single host hardware address at any time
+ - will only do point-to-point communcation with the host
+
+Because of this, we are able to reliably identify any bogus raw IP
+packets by simply looking at the 4 IP version bits. All we need to
+do is to avoid 4 or 6 in the first digit of the mac address. This
+workaround ensures this, and fix up the received packets as necessary.
+
+Given the distribution of the bug, it is believed that the source is
+the chipset vendor. The devices which are verified to be affected are:
+ Huawei E392u-12 (Qualcomm MDM9200)
+ Pantech UML290 (Qualcomm MDM9600)
+ Novatel USB551L (Qualcomm MDM9600)
+ Novatel E362 (Qualcomm MDM9600)
+
+It is believed that the bug depend on firmware revision, which means
+that possibly all devices based on the above mentioned chipset may be
+affected if we consider all available firmware revisions.
+
+The information about affected devices and versions is likely
+incomplete. As the additional overhead for packets not needing this
+fixup is very small, it is considered acceptable to apply the
+workaround to all devices handled by this driver.
+
+Reported-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 81 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 81 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <linux/netdevice.h>
+ #include <linux/ethtool.h>
++#include <linux/etherdevice.h>
+ #include <linux/mii.h>
+ #include <linux/usb.h>
+ #include <linux/usb/cdc.h>
+@@ -174,6 +175,79 @@ err:
+ return status;
+ }
+
++/* Make up an ethernet header if the packet doesn't have one.
++ *
++ * A firmware bug common among several devices cause them to send raw
++ * IP packets under some circumstances. There is no way for the
++ * driver/host to know when this will happen. And even when the bug
++ * hits, some packets will still arrive with an intact header.
++ *
++ * The supported devices are only capably of sending IPv4, IPv6 and
++ * ARP packets on a point-to-point link. Any packet with an ethernet
++ * header will have either our address or a broadcast/multicast
++ * address as destination. ARP packets will always have a header.
++ *
++ * This means that this function will reliably add the appropriate
++ * header iff necessary, provided our hardware address does not start
++ * with 4 or 6.
++ */
++static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
++{
++ __be16 proto;
++
++ /* usbnet rx_complete guarantees that skb->len is at least
++ * hard_header_len, so we can inspect the dest address without
++ * checking skb->len
++ */
++ switch (skb->data[0] & 0xf0) {
++ case 0x40:
++ proto = htons(ETH_P_IP);
++ break;
++ case 0x60:
++ proto = htons(ETH_P_IPV6);
++ break;
++ default:
++ /* pass along other packets without modifications */
++ return 1;
++ }
++ if (skb_headroom(skb) < ETH_HLEN)
++ return 0;
++ skb_push(skb, ETH_HLEN);
++ skb_reset_mac_header(skb);
++ eth_hdr(skb)->h_proto = proto;
++ memset(eth_hdr(skb)->h_source, 0, ETH_ALEN);
++ memcpy(eth_hdr(skb)->h_dest, dev->net->dev_addr, ETH_ALEN);
++ return 1;
++}
++
++/* very simplistic detection of IPv4 or IPv6 headers */
++static bool possibly_iphdr(const char *data)
++{
++ return (data[0] & 0xd0) == 0x40;
++}
++
++/* disallow addresses which may be confused with IP headers */
++static int qmi_wwan_mac_addr(struct net_device *dev, void *p)
++{
++ struct sockaddr *addr = p;
++
++ if (!is_valid_ether_addr(addr->sa_data) ||
++ possibly_iphdr(addr->sa_data))
++ return -EADDRNOTAVAIL;
++ memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
++ return 0;
++}
++
++static const struct net_device_ops qmi_wwan_netdev_ops = {
++ .ndo_open = usbnet_open,
++ .ndo_stop = usbnet_stop,
++ .ndo_start_xmit = usbnet_start_xmit,
++ .ndo_tx_timeout = usbnet_tx_timeout,
++ .ndo_change_mtu = usbnet_change_mtu,
++ .ndo_set_mac_address = qmi_wwan_mac_addr,
++ .ndo_validate_addr = eth_validate_addr,
++};
++
+ /* using a counter to merge subdriver requests with our own into a combined state */
+ static int qmi_wwan_manage_power(struct usbnet *dev, int on)
+ {
+@@ -257,6 +331,12 @@ static int qmi_wwan_bind_shared(struct u
+ /* save subdriver struct for suspend/resume wrappers */
+ dev->data[0] = (unsigned long)subdriver;
+
++ /* make MAC addr easily distinguishable from an IP header */
++ if (possibly_iphdr(dev->net->dev_addr)) {
++ dev->net->dev_addr[0] |= 0x02; /* set local assignment bit */
++ dev->net->dev_addr[0] &= 0xbf; /* clear "IP" bit */
++ }
++ dev->net->netdev_ops = &qmi_wwan_netdev_ops;
+ err:
+ return rv;
+ }
+@@ -326,6 +406,7 @@ static const struct driver_info qmi_wwan
+ .bind = qmi_wwan_bind_shared,
+ .unbind = qmi_wwan_unbind_shared,
+ .manage_power = qmi_wwan_manage_power,
++ .rx_fixup = qmi_wwan_rx_fixup,
+ };
+
+ static const struct driver_info qmi_wwan_force_int0 = {
--- /dev/null
+From 490fcceee05287b3e9beae54ef7f19814db4a7d9 Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Thu, 18 Apr 2013 12:57:11 +0000
+Subject: net: qmi_wwan: prevent duplicate mac address on link (firmware bug workaround)
+
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit cc6ba5fdaabea7a7b28de3ba1e0fe54d92232fe5 ]
+
+We normally trust and use the CDC functional descriptors provided by a
+number of devices. But some of these will erroneously list the address
+reserved for the device end of the link. Attempting to use this on
+both the device and host side will naturally not work.
+
+Work around this bug by ignoring the functional descriptor and assign a
+random address instead in this case.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -175,6 +175,9 @@ err:
+ return status;
+ }
+
++/* default ethernet address used by the modem */
++static const u8 default_modem_addr[ETH_ALEN] = {0x02, 0x50, 0xf3};
++
+ /* Make up an ethernet header if the packet doesn't have one.
+ *
+ * A firmware bug common among several devices cause them to send raw
+@@ -342,6 +345,12 @@ static int qmi_wwan_bind_shared(struct u
+ /* save subdriver struct for suspend/resume wrappers */
+ dev->data[0] = (unsigned long)subdriver;
+
++ /* Never use the same address on both ends of the link, even
++ * if the buggy firmware told us to.
++ */
++ if (!compare_ether_addr(dev->net->dev_addr, default_modem_addr))
++ eth_hw_addr_random(dev->net);
++
+ /* make MAC addr easily distinguishable from an IP header */
+ if (possibly_iphdr(dev->net->dev_addr)) {
+ dev->net->dev_addr[0] |= 0x02; /* set local assignment bit */
--- /dev/null
+From 3864a4e54dce8b1e834f41205fea5c47f1618b07 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 1 May 2013 22:36:49 +0000
+Subject: net: use netdev_features_t in skb_needs_linearize()
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+[ Upstream commit 6708c9e5cc9bfc7c9a00ce9c0fdd0b1d4952b3d1 ]
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2170,7 +2170,7 @@ EXPORT_SYMBOL(netif_skb_features);
+ * support DMA from it.
+ */
+ static inline int skb_needs_linearize(struct sk_buff *skb,
+- int features)
++ netdev_features_t features)
+ {
+ return skb_is_nonlinear(skb) &&
+ ((skb_has_frag_list(skb) &&
--- /dev/null
+From 122a6b09205e350cdc6adb28ea12ae05313dcc11 Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 1 May 2013 23:06:42 +0000
+Subject: net: vlan,ethtool: netdev_features_t is more than 32 bit
+
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit b29d3145183da4e07d4b570fa8acdd3ac4a5c572 ]
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c | 2 +-
+ net/core/ethtool.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -598,7 +598,7 @@ static netdev_features_t vlan_dev_fix_fe
+ netdev_features_t features)
+ {
+ struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
+- u32 old_features = features;
++ netdev_features_t old_features = features;
+
+ features &= real_dev->vlan_features;
+ features |= NETIF_F_RXCSUM;
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1286,7 +1286,7 @@ int dev_ethtool(struct net *net, struct
+ void __user *useraddr = ifr->ifr_data;
+ u32 ethcmd;
+ int rc;
+- u32 old_features;
++ netdev_features_t old_features;
+
+ if (!dev || !netif_device_present(dev))
+ return -ENODEV;
--- /dev/null
+From 47c53307fb5543ec909e53c330ec0f489265163c Mon Sep 17 00:00:00 2001
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+Date: Sun, 28 Apr 2013 05:06:38 +0000
+Subject: net_sched: act_ipt forward compat with xtables
+
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 0dcffd09641f3abb21ac5cabc61542ab289d1a3c ]
+
+Deal with changes in newer xtables while maintaining backward
+compatibility. Thanks to Jan Engelhardt for suggestions.
+
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ipt.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -8,7 +8,7 @@
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+- * Copyright: Jamal Hadi Salim (2002-4)
++ * Copyright: Jamal Hadi Salim (2002-13)
+ */
+
+ #include <linux/types.h>
+@@ -299,17 +299,44 @@ static struct tc_action_ops act_ipt_ops
+ .walk = tcf_generic_walker
+ };
+
+-MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
++static struct tc_action_ops act_xt_ops = {
++ .kind = "xt",
++ .hinfo = &ipt_hash_info,
++ .type = TCA_ACT_IPT,
++ .capab = TCA_CAP_NONE,
++ .owner = THIS_MODULE,
++ .act = tcf_ipt,
++ .dump = tcf_ipt_dump,
++ .cleanup = tcf_ipt_cleanup,
++ .lookup = tcf_hash_search,
++ .init = tcf_ipt_init,
++ .walk = tcf_generic_walker
++};
++
++MODULE_AUTHOR("Jamal Hadi Salim(2002-13)");
+ MODULE_DESCRIPTION("Iptables target actions");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("act_xt");
+
+ static int __init ipt_init_module(void)
+ {
+- return tcf_register_action(&act_ipt_ops);
++ int ret1, ret2;
++ ret1 = tcf_register_action(&act_xt_ops);
++ if (ret1 < 0)
++ printk("Failed to load xt action\n");
++ ret2 = tcf_register_action(&act_ipt_ops);
++ if (ret2 < 0)
++ printk("Failed to load ipt action\n");
++
++ if (ret1 < 0 && ret2 < 0)
++ return ret1;
++ else
++ return 0;
+ }
+
+ static void __exit ipt_cleanup_module(void)
+ {
++ tcf_unregister_action(&act_xt_ops);
+ tcf_unregister_action(&act_ipt_ops);
+ }
+
--- /dev/null
+From ed0679e95e82a4f3f70076315b04dc42e76f4fb2 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri, 3 May 2013 02:57:00 +0000
+Subject: packet: tpacket_v3: do not trigger bug() on wrong header status
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 8da3056c04bfc5f69f840ab038a38389e2de8189 ]
+
+Jakub reported that it is fairly easy to trigger the BUG() macro
+from user space with TPACKET_V3's RX_RING by just giving a wrong
+header status flag. We already had a similar situation in commit
+7f5c3e3a80e6654 (``af_packet: remove BUG statement in
+tpacket_destruct_skb'') where this was the case in the TX_RING
+side that could be triggered from user space. So really, don't use
+BUG() or BUG_ON() unless there's really no way out, and i.e.
+don't use it for consistency checking when there's user space
+involved, no excuses, especially not if you're slapping the user
+with WARN + dump_stack + BUG all at once. The two functions are
+of concern:
+
+ prb_retire_current_block() [when block status != TP_STATUS_KERNEL]
+ prb_open_block() [when block_status != TP_STATUS_KERNEL]
+
+Calls to prb_open_block() are guarded by ealier checks if block_status
+is really TP_STATUS_KERNEL (racy!), but the first one BUG() is easily
+triggable from user space. System behaves still stable after they are
+removed. Also remove that yoda condition entirely, since it's already
+guarded.
+
+Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 54 ++++++++++++++++++-------------------------------
+ 1 file changed, 20 insertions(+), 34 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -812,37 +812,27 @@ static void prb_open_block(struct tpacke
+
+ smp_rmb();
+
+- if (likely(TP_STATUS_KERNEL == BLOCK_STATUS(pbd1))) {
+-
+- /* We could have just memset this but we will lose the
+- * flexibility of making the priv area sticky
+- */
+- BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
+- BLOCK_NUM_PKTS(pbd1) = 0;
+- BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
+- getnstimeofday(&ts);
+- h1->ts_first_pkt.ts_sec = ts.tv_sec;
+- h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
+- pkc1->pkblk_start = (char *)pbd1;
+- pkc1->nxt_offset = (char *)(pkc1->pkblk_start +
+- BLK_PLUS_PRIV(pkc1->blk_sizeof_priv));
+- BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
+- BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
+- pbd1->version = pkc1->version;
+- pkc1->prev = pkc1->nxt_offset;
+- pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
+- prb_thaw_queue(pkc1);
+- _prb_refresh_rx_retire_blk_timer(pkc1);
+-
+- smp_wmb();
+-
+- return;
+- }
++ /* We could have just memset this but we will lose the
++ * flexibility of making the priv area sticky
++ */
++ BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
++ BLOCK_NUM_PKTS(pbd1) = 0;
++ BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
++ getnstimeofday(&ts);
++ h1->ts_first_pkt.ts_sec = ts.tv_sec;
++ h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
++ pkc1->pkblk_start = (char *)pbd1;
++ pkc1->nxt_offset = (char *)(pkc1->pkblk_start +
++ BLK_PLUS_PRIV(pkc1->blk_sizeof_priv));
++ BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
++ BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
++ pbd1->version = pkc1->version;
++ pkc1->prev = pkc1->nxt_offset;
++ pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
++ prb_thaw_queue(pkc1);
++ _prb_refresh_rx_retire_blk_timer(pkc1);
+
+- WARN(1, "ERROR block:%p is NOT FREE status:%d kactive_blk_num:%d\n",
+- pbd1, BLOCK_STATUS(pbd1), pkc1->kactive_blk_num);
+- dump_stack();
+- BUG();
++ smp_wmb();
+ }
+
+ /*
+@@ -933,10 +923,6 @@ static void prb_retire_current_block(str
+ prb_close_block(pkc, pbd, po, status);
+ return;
+ }
+-
+- WARN(1, "ERROR-pbd[%d]:%p\n", pkc->kactive_blk_num, pbd);
+- dump_stack();
+- BUG();
+ }
+
+ static int prb_curr_blk_in_use(struct tpacket_kbdq_core *pkc,
b43-handle-dma-rx-descriptor-underrun.patch
drm-mm-fix-dump-table-bug.patch
drm-don-t-check-modeset-locks-in-panic-handler.patch
+net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch
+net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch
+net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch
+tcp-force-a-dst-refcount-when-prequeue-packet.patch
+sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch
+3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch
+net_sched-act_ipt-forward-compat-with-xtables.patch
+net-use-netdev_features_t-in-skb_needs_linearize.patch
+net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch
+bridge-fix-race-with-topology-change-timer.patch
+packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch
+3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch
+3c59x-fix-pci-resource-management.patch
+if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch
+macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch
+ipv6-do-not-clear-pinet6-field.patch
+xfrm6-release-dev-before-returning-error.patch
--- /dev/null
+From c7f858d5bab099ebfea4dbba028bc82e1190fec7 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Mon, 22 Apr 2013 22:40:07 +0100
+Subject: sfc: Fix naming of MTD partitions for FPGA bitfiles
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 89cc80a44b7c320e08599cb86f6aef0ead8986a1 ]
+
+efx_mcdi_get_board_cfg() uses a buffer for the firmware response that
+is only large enough to hold subtypes for the originally defined set
+of NVRAM partitions. Longer responses are truncated, and we may read
+off the end of the buffer when copying out subtypes for additional
+partitions. In particular, this can result in the MTD partition for
+an FPGA bitfile being named e.g. 'eth5 sfc_fpga:00' when it should be
+'eth5 sfc_fpga:01'. This means the firmware update tool (sfupdate)
+can't tell which bitfile should be written to the partition.
+
+Correct the response buffer size.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/mcdi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sfc/mcdi.c
++++ b/drivers/net/ethernet/sfc/mcdi.c
+@@ -640,7 +640,7 @@ fail:
+ int efx_mcdi_get_board_cfg(struct efx_nic *efx, u8 *mac_address,
+ u16 *fw_subtype_list, u32 *capabilities)
+ {
+- uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMIN];
++ uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMAX];
+ size_t outlen, offset, i;
+ int port_num = efx_port_num(efx);
+ int rc;
--- /dev/null
+From 456b0df13849266ca7336cb712e18ee22858f9af Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 24 Apr 2013 18:34:55 -0700
+Subject: tcp: force a dst refcount when prequeue packet
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 093162553c33e9479283e107b4431378271c735d ]
+
+Before escaping RCU protected section and adding packet into
+prequeue, make sure the dst is refcounted.
+
+Reported-by: Mike Galbraith <bitbucket@online.de>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -948,6 +948,7 @@ static inline int tcp_prequeue(struct so
+ if (sysctl_tcp_low_latency || !tp->ucopy.task)
+ return 0;
+
++ skb_dst_force(skb);
+ __skb_queue_tail(&tp->ucopy.prequeue, skb);
+ tp->ucopy.memory += skb->truesize;
+ if (tp->ucopy.memory > sk->sk_rcvbuf) {
--- /dev/null
+From ab5d0f8b2af88af5a1a442fcdb39896474dd7943 Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang@redhat.com>
+Date: Thu, 9 May 2013 22:40:00 +0000
+Subject: xfrm6: release dev before returning error
+
+
+From: Cong Wang <amwang@redhat.com>
+
+[ Upstream commit 84c4a9dfbf430861e7588d95ae3ff61535dca351 ]
+
+We forget to call dev_put() on error path in xfrm6_fill_dst(),
+its caller doesn't handle this.
+
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_policy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -96,8 +96,10 @@ static int xfrm6_fill_dst(struct xfrm_ds
+ dev_hold(dev);
+
+ xdst->u.rt6.rt6i_idev = in6_dev_get(dev);
+- if (!xdst->u.rt6.rt6i_idev)
++ if (!xdst->u.rt6.rt6i_idev) {
++ dev_put(dev);
+ return -ENODEV;
++ }
+
+ xdst->u.rt6.rt6i_peer = rt->rt6i_peer;
+ if (rt->rt6i_peer)
projects / thirdparty / kernel / stable-queue.git / commitdiff
