--- /dev/null
+From da53d48ef2a19f7a550284758aa17a234dead522 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 3 Apr 2013 16:14:47 +0000
+Subject: af_unix: If we don't care about credentials coallesce all messages
+
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 ]
+
+It was reported that the following LSB test case failed
+https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+were not coallescing unix stream messages when the application was
+expecting us to.
+
+The problem was that the first send was before the socket was accepted
+and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+send after the socket was accepted had a non-NULL value for sk->socket
+and thus we could tell the credentials were not needed so we did not
+bother.
+
+The unnecessary credentials on the first message cause
+unix_stream_recvmsg to start verifying that all messages had the same
+credentials before coallescing and then the coallescing failed because
+the second message had no credentials.
+
+Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+long standing pessimization which would fail to coallesce messages when
+reading from a unix stream socket if the senders were different even if
+we did not care about their credentials.
+
+I have tested this and verified that the in the LSB test case mentioned
+above that the messages do coallesce now, while the were failing to
+coallesce without this change.
+
+Reported-by: Karel Srot <ksrot@redhat.com>
+Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1940,7 +1940,7 @@ static int unix_stream_recvmsg(struct ki
+ skb_queue_head(&sk->sk_receive_queue, skb);
+ break;
+ }
+- } else {
++ } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
+ /* Copy credentials */
+ scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
+ check_creds = 1;
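Review bot: The new `else if (test_bit(SOCK_PASSCRED, &sock->flags))` branch leaves `check_creds` at 0 for receivers that never asked for credentials, and nothing at the branch says that merging data from different senders into one read is then intended. A short comment such as `/* Receiver did not ask for credentials: skip the copy and allow coalescing across senders */` would keep that sender-identity trade-off visible. The flag appears to be tested each time this branch is reached, so a receiver that enables credential passing while data is already queued presumably gets credentials only from the next skb on; worth confirming that this is acceptable. The body of unix_stream_recvmsg continues outside the hunk.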
--- /dev/null
+From f36f87677a830cbb97ebeef442fd45f0eb74da75 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 2 Apr 2013 14:36:46 +0000
+Subject: atl1e: limit gso segment size to prevent generation of wrong ip length fields
+
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 31d1670e73f4911fe401273a8f576edc9c2b5fea ]
+
+The limit of 0x3c00 is taken from the windows driver.
+
+Suggested-by: Huang, Xiong <xiong@qca.qualcomm.com>
+Cc: Huang, Xiong <xiong@qca.qualcomm.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/atl1e/atl1e.h | 2 +-
+ drivers/net/atl1e/atl1e_main.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/atl1e/atl1e.h
++++ b/drivers/net/atl1e/atl1e.h
+@@ -186,7 +186,7 @@ struct atl1e_tpd_desc {
+ /* how about 0x2000 */
+ #define MAX_TX_BUF_LEN 0x2000
+ #define MAX_TX_BUF_SHIFT 13
+-/*#define MAX_TX_BUF_LEN 0x3000 */
++#define MAX_TSO_SEG_SIZE 0x3c00
+
+ /* rrs word 1 bit 0:31 */
+ #define RRS_RX_CSUM_MASK 0xFFFF
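Review bot: `MAX_TSO_SEG_SIZE 0x3c00` is added without a comment, while its only justification (the value is taken from the Windows driver) lives in the commit message. Put it next to the define, e.g. `/* GSO size cap, value taken from the Windows driver; larger segments produce wrong IP length fields */`, so the limit is not raised later without knowing why it exists.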
+--- a/drivers/net/atl1e/atl1e_main.c
++++ b/drivers/net/atl1e/atl1e_main.c
+@@ -2333,6 +2333,7 @@ static int __devinit atl1e_probe(struct
+
+ INIT_WORK(&adapter->reset_task, atl1e_reset_task);
+ INIT_WORK(&adapter->link_chg_task, atl1e_link_chg_task);
++ netif_set_gso_max_size(netdev, MAX_TSO_SEG_SIZE);
+ err = register_netdev(netdev);
+ if (err) {
+ netdev_err(netdev, "register netdevice failed\n");
--- /dev/null
+From 797dceb64ada1c5055869c407165813a1e819d7e Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: atm: update msg_namelen in vcc_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,6 +500,8 @@ int vcc_recvmsg(struct kiocb *iocb, stru
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+ if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */
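Review bot: `msg->msg_namelen = 0;` at the top of vcc_recvmsg() looks like a dead store to anyone who has not read the commit message, yet per that message it is what stops net/socket.c from copying its uninitialized sockaddr_storage to userland. Add a comment such as `/* msg_name is never filled in here; zero the length so no address bytes are copied out */`. The identical one-line additions in the caif_seqpkt_recvmsg(), irda_recvmsg_dgram() and iucv_sock_recvmsg() hunks would benefit from the same comment, and llc_ui_recvmsg() from a variant noting that the length may be set again later. Since every protocol handler has to remember this, a default in the common receive path would be the more robust fix, but that is outside these hunks.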
--- /dev/null
+From 892739d8924c3698e80e7354bdc455355e76488e Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: ax25: fix info leak via msg_name in ax25_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ]
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1641,6 +1641,7 @@ static int ax25_recvmsg(struct kiocb *io
+ ax25_address src;
+ const unsigned char *mac = skb_mac_header(skb);
+
++ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ &digi, NULL, NULL);
+ sax->sax25_family = AF_AX25;
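Review bot: The added `memset(sax, 0, sizeof(struct full_sockaddr_ax25));` sizes the clear by a type other than the one the commit message names for the padding (struct sockaddr_ax25), and the declaration of `sax` is outside the hunk, so the reader cannot see that the destination is large enough. If `sax` points at the caller's sockaddr_storage this is fine, but the reason for the size should be stated: `/* clear the whole full_sockaddr_ax25: msg_namelen reports that size even when only part of it is filled in */`. Without the comment, a later cleanup to `sizeof(*sax)` would presumably reintroduce the leak of the unfilled tail.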
--- /dev/null
+From 340dd9ef03f55ea0696e35fd9b02e6f290b680b7 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/af_bluetooth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -245,6 +245,8 @@ int bt_sock_recvmsg(struct kiocb *iocb,
+ if (flags & (MSG_OOB))
+ return -EOPNOTSUPP;
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
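Review bot: `msg->msg_namelen = 0;` now precedes skb_recv_datagram() but still follows the `MSG_OOB` early return, so the length is cleared only on paths after that check. That is presumably harmless because the caller does not copy the address on a negative return, but the atm hunk sets the field as the very first statement while the caif hunk again sets it after its MSG_OOB check. Placing the assignment first in each handler, or adding `/* error returns above do not copy msg_name */`, would make the handlers consistent and not dependent on caller behaviour. bt_sock_recvmsg's body starts and ends outside the hunk.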
+@@ -252,8 +254,6 @@ int bt_sock_recvmsg(struct kiocb *iocb,
+ return err;
+ }
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
--- /dev/null
+From c23c33b9e708bd858cd62d92c1c3a95e22cbaeba Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 ]
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -624,6 +624,7 @@ static int rfcomm_sock_recvmsg(struct ki
+
+ if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ rfcomm_dlc_accept(d);
++ msg->msg_namelen = 0;
+ return 0;
+ }
+
--- /dev/null
+From a24efac740a207f9944555e1b3ac8648ec6616f1 Mon Sep 17 00:00:00 2001
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+Date: Thu, 11 Apr 2013 09:18:56 +0000
+Subject: bonding: IFF_BONDING is not stripped on enslave failure
+
+
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+
+[ Upstream commit b6a5a7b9a528a8b4c8bec940b607c5dd9102b8cc ]
+
+While enslaving a new device and after IFF_BONDING flag is set, in case
+of failure it is not stripped from the device's priv_flags while
+cleaning up, which could lead to other problems.
+Cleaning at err_close because the flag is set after dev_open().
+
+v2: no change
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1949,6 +1949,7 @@ err_detach:
+ write_unlock_bh(&bond->lock);
+
+ err_close:
++ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
+
+ err_unset_master:
--- /dev/null
+From ace92f158833eb2e74eb0feed871dc2784c1ae7a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:52 +0000
+Subject: caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 2d6fbfe733f35c6b355c216644e08e149c61b271 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about caif_seqpkt_recvmsg() not filling the msg_name in case it was
+set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -320,6 +320,8 @@ static int caif_seqpkt_recvmsg(struct ki
+ if (m->msg_flags&MSG_OOB)
+ goto read_error;
+
++ m->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ if (!skb)
+ goto read_error;
--- /dev/null
+From 44dcb189aa711a02b131e3ecc70d5af75f91dc57 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@parallels.com>
+Date: Mon, 1 Apr 2013 03:01:32 +0000
+Subject: cbq: incorrect processing of high limits
+
+
+From: Vasily Averin <vvs@parallels.com>
+
+[ Upstream commit f0f6ee1f70c4eaab9d52cf7d255df4bd89f8d1c2 ]
+
+currently cbq works incorrectly for limits > 10% real link bandwidth,
+and practically does not work for limits > 50% real link bandwidth.
+Below are results of experiments taken on 1 Gbit link
+
+ In shaper | Actual Result
+-----------+---------------
+ 100M | 108 Mbps
+ 200M | 244 Mbps
+ 300M | 412 Mbps
+ 500M | 893 Mbps
+
+This happen because of q->now changes incorrectly in cbq_dequeue():
+when it is called before real end of packet transmitting,
+L2T is greater than real time delay, q_now gets an extra boost
+but never compensate it.
+
+To fix this problem we prevent change of q->now until its synchronization
+with real time.
+
+Signed-off-by: Vasily Averin <vvs@openvz.org>
+Reviewed-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cbq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_cbq.c
++++ b/net/sched/sch_cbq.c
+@@ -963,8 +963,11 @@ cbq_dequeue(struct Qdisc *sch)
+ cbq_update(q);
+ if ((incr -= incr2) < 0)
+ incr = 0;
++ q->now += incr;
++ } else {
++ if (now > q->now)
++ q->now = now;
+ }
+- q->now += incr;
+ q->now_rt = now;
+
+ for (;;) {
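Review bot: The new `else` branch updates `q->now` only when `now > q->now`, and the reason for holding it otherwise (per the commit message, q->now must not change until it is synchronized with real time) is not recorded in the code. A comment on the branch, e.g. `/* q->now ran ahead of real time: hold it until now catches up */`, would help, and the nested `if` can be folded into `} else if (now > q->now) {`. The condition of the enclosing `if` is outside the hunk.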
--- /dev/null
+From 52bbd85ee3cba9423e1f0ac28d6745c9d24ef615 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat, 13 Apr 2013 15:49:03 +0000
+Subject: esp4: fix error return code in esp_output()
+
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+[ Upstream commit 06848c10f720cbc20e3b784c0df24930b7304b93 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as returned elsewhere in this function.
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -137,8 +137,6 @@ static int esp_output(struct xfrm_state
+
+ /* skb is pure payload to encrypt */
+
+- err = -ENOMEM;
+-
+ esp = x->data;
+ aead = esp->aead;
+ alen = crypto_aead_authsize(aead);
+@@ -174,8 +172,10 @@ static int esp_output(struct xfrm_state
+ }
+
+ tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
+- if (!tmp)
++ if (!tmp) {
++ err = -ENOMEM;
+ goto error;
++ }
+
+ seqhi = esp_tmp_seqhi(tmp);
+ iv = esp_tmp_iv(aead, tmp, seqhilen);
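Review bot: With the function-wide `err = -ENOMEM;` default removed in the first hunk, only the `!tmp` path here sets the code explicitly; any other `goto error` between the two hunks now returns whatever `err` last held. The code between the hunks is not visible, so it is worth confirming that each remaining `goto error` is preceded by an assignment of a negative value to `err`. esp_output's body starts and ends outside the hunk.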
--- /dev/null
+From dfa96071eda73ddab5c69eaca960ad3269cac58a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 5ae94c0d2f0bed41d6718be743985d61b7f5c47d ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/af_irda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kio
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
--- /dev/null
+From e76456f9449125c6f3765ff7d6836ae0054c10c2 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:54 +0000
+Subject: iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit a5598bd9c087dc0efc250a5221e5d0e6f584ee88 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about iucv_sock_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ursula Braun <ursula.braun@de.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1157,6 +1157,8 @@ static int iucv_sock_recvmsg(struct kioc
+ struct sk_buff *skb, *rskb, *cskb;
+ int err = 0;
+
++ msg->msg_namelen = 0;
++
+ if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) &&
+ skb_queue_empty(&iucv->backlog_skb_q) &&
+ skb_queue_empty(&sk->sk_receive_queue) &&
--- /dev/null
+From 178af9988a430d77d88416e0452ead9b0b2cea3d Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:56 +0000
+Subject: llc: Fix missing msg_namelen update in llc_ui_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit c77a4b9cffb6215a15196ec499490d116dfad181 ]
+
+For stream sockets the code misses to update the msg_namelen member
+to 0 and therefore makes net/socket.c leak the local, uninitialized
+sockaddr_storage variable to userland -- 128 bytes of kernel stack
+memory. The msg_namelen update is also missing for datagram sockets
+in case the socket is shutting down during receive.
+
+Fix both issues by setting msg_namelen to 0 early. It will be
+updated later if we're going to fill the msg_name member.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *
+ int target; /* Read at least this many bytes */
+ long timeo;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ copied = -ENOTCONN;
+ if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
--- /dev/null
+From 0c0a2f0a038fc21695fe02c754b40aa7760718e7 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Tue, 2 Apr 2013 17:10:07 -0400
+Subject: net: count hw_addr syncs so that unsync works properly.
+
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit 4543fbefe6e06a9e40d9f2b28d688393a299f079 ]
+
+A few drivers use dev_uc_sync/unsync to synchronize the
+address lists from master down to slave/lower devices. In
+some cases (bond/team) a single address list is synched down
+to multiple devices. At the time of unsync, we have a leak
+in these lower devices, because "synced" is treated as a
+boolean and the address will not be unsynced for anything after
+the first device/call.
+
+Treat "synced" as a count (same as refcount) and allow all
+unsync calls to work.
+
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 2 +-
+ net/core/dev_addr_lists.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -231,9 +231,9 @@ struct netdev_hw_addr {
+ #define NETDEV_HW_ADDR_T_SLAVE 3
+ #define NETDEV_HW_ADDR_T_UNICAST 4
+ #define NETDEV_HW_ADDR_T_MULTICAST 5
+- bool synced;
+ bool global_use;
+ int refcount;
++ int synced;
+ struct rcu_head rcu_head;
+ };
+
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -56,7 +56,7 @@ static int __hw_addr_add_ex(struct netde
+ ha->type = addr_type;
+ ha->refcount = 1;
+ ha->global_use = global;
+- ha->synced = false;
++ ha->synced = 0;
+ list_add_tail_rcu(&ha->list, &list->list);
+ list->count++;
+ return 0;
+@@ -154,7 +154,7 @@ int __hw_addr_sync(struct netdev_hw_addr
+ addr_len, ha->type);
+ if (err)
+ break;
+- ha->synced = true;
++ ha->synced++;
+ ha->refcount++;
+ } else if (ha->refcount == 1) {
+ __hw_addr_del(to_list, ha->addr, addr_len, ha->type);
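Review bot: `ha->synced++` turns the field into a counter, but the branch condition that guards it is outside the hunk; if that test is still `!ha->synced`, the increment can only ever take the value from 0 to 1 and the multi-device case described in the commit message would not actually be counted. Worth confirming the guard against the full body of __hw_addr_sync(). The field declaration in netdevice.h also deserves a comment now that it is no longer a flag, e.g. `int synced; /* sync count, dropped once per unsync */`.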
+@@ -175,7 +175,7 @@ void __hw_addr_unsync(struct netdev_hw_a
+ if (ha->synced) {
+ __hw_addr_del(to_list, ha->addr,
+ addr_len, ha->type);
+- ha->synced = false;
++ ha->synced--;
+ __hw_addr_del(from_list, ha->addr,
+ addr_len, ha->type);
+ }
--- /dev/null
+From ef6be2a875542c872e46e8f314d546223b8d030f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 16 Apr 2013 12:55:41 +0000
+Subject: net: drop dst before queueing fragments
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 97599dc792b45b1669c3cdb9a4b365aad0232f65 ]
+
+Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
+added a bug in IP defragmentation handling, as non refcounted
+dst could escape an RCU protected section.
+
+Commit 64f3b9e203bd068 (net: ip_expire() must revalidate route) fixed
+the case of timeouts, but not the general problem.
+
+Tom Parkin noticed crashes in UDP stack and provided a patch,
+but further analysis permitted us to pinpoint the root cause.
+
+Before queueing a packet into a frag list, we must drop its dst,
+as this dst has limited lifetime (RCU protected)
+
+When/if a packet is finally reassembled, we use the dst of the very
+last skb, still protected by RCU and valid, as the dst of the
+reassembled packet.
+
+Use same logic in IPv6, as there is no need to hold dst references.
+
+Reported-by: Tom Parkin <tparkin@katalix.com>
+Tested-by: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c | 15 +++++++++++----
+ net/ipv6/reassembly.c | 13 +++++++++++--
+ 2 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -251,8 +251,7 @@ static void ip_expire(unsigned long arg)
+ if (!head->dev)
+ goto out_rcu_unlock;
+
+- /* skb dst is stale, drop it, and perform route lookup again */
+- skb_dst_drop(head);
++ /* skb has no dst, perform route lookup again */
+ iph = ip_hdr(head);
+ err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+ iph->tos, head->dev);
+@@ -517,8 +516,16 @@ found:
+ qp->q.last_in |= INET_FRAG_FIRST_IN;
+
+ if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
+- qp->q.meat == qp->q.len)
+- return ip_frag_reasm(qp, prev, dev);
++ qp->q.meat == qp->q.len) {
++ unsigned long orefdst = skb->_skb_refdst;
++
++ skb->_skb_refdst = 0UL;
++ err = ip_frag_reasm(qp, prev, dev);
++ skb->_skb_refdst = orefdst;
++ return err;
++ }
++
++ skb_dst_drop(skb);
+
+ write_lock(&ip4_frags.lock);
+ list_move_tail(&qp->q.lru_list, &qp->q.net->lru_list);
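Review bot: The block that saves `skb->_skb_refdst`, zeroes it around ip_frag_reasm() and restores it afterwards has no comment, although it is the part of the fix that decides the lifetime of a non-refcounted dst. If the intent matches the commit message, something like `/* the last fragment's dst is still RCU-protected and valid: set it aside during reassembly and hand it back afterwards */` would explain why the private field is written directly while the queued path below uses skb_dst_drop(). The ipv6 hunk in reassembly.c repeats the pattern and needs the same comment. It may also be worth confirming that `skb` is still safe to write to when ip_frag_reasm() returns an error; that function's body is outside the hunk.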
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -385,8 +385,17 @@ found:
+ }
+
+ if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
+- fq->q.meat == fq->q.len)
+- return ip6_frag_reasm(fq, prev, dev);
++ fq->q.meat == fq->q.len) {
++ int res;
++ unsigned long orefdst = skb->_skb_refdst;
++
++ skb->_skb_refdst = 0UL;
++ res = ip6_frag_reasm(fq, prev, dev);
++ skb->_skb_refdst = orefdst;
++ return res;
++ }
++
++ skb_dst_drop(skb);
+
+ write_lock(&ip6_frags.lock);
+ list_move_tail(&fq->q.lru_list, &fq->q.net->lru_list);
--- /dev/null
+From 5e86346c9c11a6d7c0298566dd9b32e46a1dd0bf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: net: fix incorrect credentials passing
+
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 ]
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Serge E. Hallyn <serge@hallyn.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/socket.h | 3 ++-
+ include/net/scm.h | 2 +-
+ net/core/sock.c | 14 ++++++++++----
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -312,7 +312,8 @@ struct ucred {
+ /* IPX options */
+ #define IPX_TYPE 1
+
+-extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
++extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred,
++ bool use_effective);
+
+ extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
+ extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(stru
+ {
+ scm->pid = get_pid(pid);
+ scm->cred = get_cred(cred);
+- cred_to_ucred(pid, cred, &scm->creds);
++ cred_to_ucred(pid, cred, &scm->creds, false);
+ }
+
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -752,15 +752,20 @@ EXPORT_SYMBOL(sock_setsockopt);
+
+
+ void cred_to_ucred(struct pid *pid, const struct cred *cred,
+- struct ucred *ucred)
++ struct ucred *ucred, bool use_effective)
+ {
+ ucred->pid = pid_vnr(pid);
+ ucred->uid = ucred->gid = -1;
+ if (cred) {
+ struct user_namespace *current_ns = current_user_ns();
+
+- ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
+- ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
++ if (use_effective) {
++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
++ } else {
++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
++ }
+ }
+ }
+ EXPORT_SYMBOL_GPL(cred_to_ucred);
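Review bot: The new `bool use_effective` parameter makes a security-relevant choice (real versus effective uid/gid) through a bare `true`/`false` at each call site, and cred_to_ucred() carries no comment saying which callers need which. A doc line on the function, e.g. `@use_effective: report euid/egid instead of uid/gid`, plus a trailing `/* real ids */` at the scm_set_cred() call and `/* effective ids */` at the peer-credential call in sock_getsockopt(), would make a wrong argument easier to spot in review. As the symbol is exported, any caller not updated by this patch fails at compile time instead of silently passing the wrong ids, which is the safer failure mode.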
+@@ -921,7 +926,8 @@ int sock_getsockopt(struct socket *sock,
+ struct ucred peercred;
+ if (len > sizeof(peercred))
+ len = sizeof(peercred);
+- cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
++ cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred,
++ &peercred, true);
+ if (copy_to_user(optval, &peercred, len))
+ return -EFAULT;
+ goto lenout;
--- /dev/null
+From 0dbeb2884a4d09764fcad3e15a34a49fd7cb4da4 Mon Sep 17 00:00:00 2001
+From: Balakumaran Kannan <kumaran.4353@gmail.com>
+Date: Tue, 2 Apr 2013 16:15:05 +0530
+Subject: net IPv6 : Fix broken IPv6 routing table after loopback down-up
+
+
+From: Balakumaran Kannan <kumaran.4353@gmail.com>
+
+[ Upstream commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f ]
+
+IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo)
+interface. After down-up, routes of other interface's IPv6 addresses through
+'lo' are lost.
+
+IPv6 addresses assigned to all interfaces are routed through 'lo' for internal
+communication. Once 'lo' is down, those routing entries are removed from routing
+table. But those removed entries are not being re-created properly when 'lo' is
+brought up. So IPv6 addresses of other interfaces becomes unreachable from the
+same machine. Also this breaks communication with other machines because of
+NDISC packet processing failure.
+
+This patch fixes this issue by reading all interface's IPv6 addresses and adding
+them to IPv6 routing table while bringing up 'lo'.
+
+==Testing==
+Before applying the patch:
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$ sudo ifdown lo
+$ sudo ifup lo
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$
+
+After applying the patch:
+$ route -A inet6
+Kernel IPv6 routing
+table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$ sudo ifdown lo
+$ sudo ifup lo
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$
+
+Signed-off-by: Balakumaran Kannan <Balakumaran.Kannan@ap.sony.com>
+Signed-off-by: Maruthi Thotad <Maruthi.Thotad@ap.sony.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2327,6 +2327,9 @@ static void sit_add_v4_addrs(struct inet
+ static void init_loopback(struct net_device *dev)
+ {
+ struct inet6_dev *idev;
++ struct net_device *sp_dev;
++ struct inet6_ifaddr *sp_ifa;
++ struct rt6_info *sp_rt;
+
+ /* ::1 */
+
+@@ -2338,6 +2341,30 @@ static void init_loopback(struct net_dev
+ }
+
+ add_addr(idev, &in6addr_loopback, 128, IFA_HOST);
++
++ /* Add routes to other interface's IPv6 addresses */
++ for_each_netdev(dev_net(dev), sp_dev) {
++ if (!strcmp(sp_dev->name, dev->name))
++ continue;
++
++ idev = __in6_dev_get(sp_dev);
++ if (!idev)
++ continue;
++
++ read_lock_bh(&idev->lock);
++ list_for_each_entry(sp_ifa, &idev->addr_list, if_list) {
++
++ if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
++ continue;
++
++ sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
++
++ /* Failure cases are ignored */
++ if (!IS_ERR(sp_rt))
++ ip6_ins_rt(sp_rt);
++ }
++ read_unlock_bh(&idev->lock);
++ }
+ }
+
+ static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr)
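Review bot: The loop skips the loopback device with `if (!strcmp(sp_dev->name, dev->name))`, a string comparison where the pointers already identify the device exactly; `if (sp_dev == dev) continue;` is cheaper and does not depend on names. The loop also reuses `idev`, overwriting the loopback's inet6_dev obtained earlier in init_loopback(); that is harmless only because nothing after the loop reads it, so a separate local (e.g. `sp_idev`) would be safer against later additions. Finally, ip6_ins_rt() is called with `idev->lock` read-held and bottom halves disabled; whether route insertion is safe in that context cannot be told from the hunk and should be checked.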
--- /dev/null
+From dcb6e239c0ddfdfbcfeda165915c6c8d6046a9ed Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu, 7 Feb 2013 00:55:37 +0000
+Subject: net: sctp: sctp_auth_key_put: use kzfree instead of kfree
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53 ]
+
+For sensitive data like keying material, it is common practice to zero
+out keys before returning the memory back to the allocator. Thus, use
+kzfree instead of kfree.
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -71,7 +71,7 @@ void sctp_auth_key_put(struct sctp_auth_
+ return;
+
+ if (atomic_dec_and_test(&key->refcnt)) {
+- kfree(key);
++ kzfree(key);
+ SCTP_DBG_OBJCNT_DEC(keys);
+ }
+ }
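Review bot: Nothing at the call site says why `kzfree()` is used, so a later cleanup could turn it back into `kfree()` without noticing that the object holds key material. A one-line comment above the call would pin the intent: `/* key material: wipe before returning the memory to the allocator */`. Other paths that free SCTP key buffers are outside this hunk and should be checked for the same treatment. sctp_auth_key_put() begins before the hunk.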
--- /dev/null
+From 3eefcfb890381fd7072203598b5d5631ee136608 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Fri, 5 Apr 2013 20:42:05 +0200
+Subject: netfilter: don't reset nf_trace in nf_reset()
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+[ Upstream commit 124dff01afbdbff251f0385beca84ba1b9adda68 ]
+
+Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
+to reset nf_trace in nf_reset(). This is wrong and unnecessary.
+
+nf_reset() is used in the following cases:
+
+- when passing packets up the the socket layer, at which point we want to
+ release all netfilter references that might keep modules pinned while
+ the packet is queued. nf_trace doesn't matter anymore at this point.
+
+- when encapsulating or decapsulating IPsec packets. We want to continue
+ tracing these packets after IPsec processing.
+
+- when passing packets through virtual network devices. Only devices
+ that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
+ used anymore. It's not entirely clear whether those packets should
+ be traced after that, however we've always done that.
+
+- when passing packets through virtual network devices that make the
+ packet cross network namespace boundaries. This is the only cases
+ where we clearly want to reset nf_trace and is also what the
+ original patch intended to fix.
+
+Add a new function nf_reset_trace() and use it in dev_forward_skb() to
+fix this properly.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 8 ++++++++
+ net/core/dev.c | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2135,6 +2135,14 @@ static inline void nf_reset(struct sk_bu
+ #endif
+ }
+
++static inline void nf_reset_trace(struct sk_buff *skb)
++{
++#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
++ skb->nf_trace = 0;
++#endif
++}
++
+ /* Note: This doesn't put any conntrack and bridge info in dst. */
+ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
+ {
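Review bot: `nf_reset_trace()` is added without a comment, and its name does not tell a caller how it differs from `nf_reset()` directly above it. The commit message says the trace bit should be cleared only where a packet crosses a network-namespace boundary, and that rule belongs on the function, e.g. `/* Clear nf_trace only; call where an skb crosses a netns boundary so tracing enabled in one namespace does not follow the packet into another. */`. Without it, the next virtual-device forwarding path has no cue that it needs both calls, as `dev_forward_skb()` makes in the net/core/dev.c hunk.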
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1545,6 +1545,7 @@ int dev_forward_skb(struct net_device *d
+ skb->mark = 0;
+ secpath_reset(skb);
+ nf_reset(skb);
++ nf_reset_trace(skb);
+ return netif_rx(skb);
+ }
+ EXPORT_SYMBOL_GPL(dev_forward_skb);
--- /dev/null
+From d18e48d136cf9eef9a34a1fcb2e1e116c55d2362 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:57 +0000
+Subject: netrom: fix info leak via msg_name in nr_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commits 3ce5efad47b62c57a4f5c54248347085a750ce0e and
+ c802d759623acbd6e1ee9fbdabae89159a513913 ]
+
+In case msg_name is set the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of
+struct sockaddr_ax25 inserted by the compiler for alignment. Also
+the sax25_ndigis member does not get assigned, leaking four more
+bytes.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1178,6 +1178,7 @@ static int nr_recvmsg(struct kiocb *iocb
+ }
+
+ if (sax != NULL) {
++ memset(sax, 0, sizeof(sax));
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
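Review bot: `memset(sax, 0, sizeof(sax))` clears only as many bytes as a pointer occupies, because `sax` is a pointer (it is dereferenced on the next line), so most of the sockaddr, including sax25_ndigis and the padding the description names, is still uninitialised after this hunk. The bracketed upstream reference in this patch's header lists c802d759623a as included, yet the corrected form `memset(sax, 0, sizeof(*sax));` only arrives in the separate netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch later in the series. Anyone carrying this patch on its own would consider the info leak closed when it is not; the two should be folded together or the header corrected. nr_recvmsg() starts and ends outside the hunk.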
--- /dev/null
+From ac723bd8a7acfced38df47375eeaafca54475842 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue, 9 Apr 2013 10:07:19 +0800
+Subject: netrom: fix invalid use of sizeof in nr_recvmsg()
+
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+[ Upstream commit c802d759623acbd6e1ee9fbdabae89159a513913 ]
+
+sizeof() when applied to a pointer typed expression gives the size of the
+pointer, not that of the pointed data.
+Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1178,7 +1178,7 @@ static int nr_recvmsg(struct kiocb *iocb
+ }
+
+ if (sax != NULL) {
+- memset(sax, 0, sizeof(sax));
++ memset(sax, 0, sizeof(*sax));
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
--- /dev/null
+From 9134fcea8aac307bda6254cca8033b4857564316 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: rose: fix info leak via msg_name in rose_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1258,6 +1258,7 @@ static int rose_recvmsg(struct kiocb *io
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
++ memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
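Review bot: The length given to the added `memset(srose, 0, msg->msg_namelen)` is a value handed in by the caller rather than the size of the structure this function fills. That is correct only while `msg->msg_namelen` on entry equals the size of the buffer behind `msg->msg_name`; it is set outside this hunk and should be confirmed for every tree this is backported to, since a smaller or zero value leaves bytes uninitialised and a larger one writes past the buffer. Sizing the wipe by the larger of the two structures named in the commit message, `memset(srose, 0, sizeof(struct full_sockaddr_rose));`, removes that dependency. rose_recvmsg() continues outside the hunk.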
--- /dev/null
+From ec774f59239982ca2b033a9126d6c3cf1e73ac0f Mon Sep 17 00:00:00 2001
+From: Michael Riesch <michael.riesch@omicron.at>
+Date: Mon, 8 Apr 2013 05:45:26 +0000
+Subject: rtnetlink: Call nlmsg_parse() with correct header length
+
+
+From: Michael Riesch <michael.riesch@omicron.at>
+
+[ Upstream commit 88c5b5ce5cb57af6ca2a7cf4d5715fa320448ff9 ]
+
+Signed-off-by: Michael Riesch <michael.riesch@omicron.at>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Benc <jbenc@redhat.com>
+Cc: "Theodore Ts'o" <tytso@mit.edu>
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Mark Rustad <mark.d.rustad@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1045,7 +1045,7 @@ static int rtnl_dump_ifinfo(struct sk_bu
+
+ rcu_read_lock();
+
+- if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
++ if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+ ifla_policy) >= 0) {
+
+ if (tb[IFLA_EXT_MASK])
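Review bot: With the header length raised to `sizeof(struct ifinfomsg)`, a dump request whose payload is shorter than that fails `nlmsg_parse()`, and because both call sites act only on a result `>= 0` the failure is silent: `IFLA_EXT_MASK` is ignored and processing carries on with the default mask. Whether existing userspace still sends the shorter `struct rtgenmsg` header is not visible here and the commit message is empty, so this needs confirming before release. If such callers exist, choosing the length from the message keeps them working, e.g. `hdrlen = nlmsg_len(cb->nlh) < sizeof(struct ifinfomsg) ? sizeof(struct rtgenmsg) : sizeof(struct ifinfomsg);`. The same applies to the `rtnl_calcit()` hunk below; both functions extend beyond their hunks.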
+@@ -1876,7 +1876,7 @@ static u16 rtnl_calcit(struct sk_buff *s
+ u32 ext_filter_mask = 0;
+ u16 min_ifinfo_dump_size = 0;
+
+- if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
++ if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+ ifla_policy) >= 0) {
+ if (tb[IFLA_EXT_MASK])
+ ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
tty-do-not-update-atime-mtime-on-read-write.patch
tty-fix-atime-mtime-regression.patch
sparc64-fix-race-in-tlb-batch-processing.patch
+cbq-incorrect-processing-of-high-limits.patch
+net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch
+net-count-hw_addr-syncs-so-that-unsync-works-properly.patch
+atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch
+bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch
+af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch
+netfilter-don-t-reset-nf_trace-in-nf_reset.patch
+rtnetlink-call-nlmsg_parse-with-correct-header-length.patch
+tcp-incoming-connections-might-use-wrong-route-under-synflood.patch
+esp4-fix-error-return-code-in-esp_output.patch
+net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch
+tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch
+net-fix-incorrect-credentials-passing.patch
+atm-update-msg_namelen-in-vcc_recvmsg.patch
+ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
+bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch
+caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch
+irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch
+iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch
+llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch
+rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch
+netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+net-drop-dst-before-queueing-fragments.patch
--- /dev/null
+From 67d00a7600e05dc627f85c88ce5fb20d9d3c8c76 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 19 Apr 2013 07:19:48 +0000
+Subject: tcp: call tcp_replace_ts_recent() from tcp_ack()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 12fb3dd9dc3c64ba7d64cec977cca9b5fb7b1d4e ]
+
+commit bd090dfc634d (tcp: tcp_replace_ts_recent() should not be called
+from tcp_validate_incoming()) introduced a TS ecr bug in slow path
+processing.
+
+1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200>
+2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001>
+3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
+4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
+
+(ecr 200 should be ecr 300 in packets 3 & 4)
+
+Problem is tcp_ack() can trigger send of new packets (retransmits),
+reflecting the prior TSval, instead of the TSval contained in the
+currently processed incoming packet.
+
+Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the
+checks, but before the actions.
+
+Reported-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 65 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 32 insertions(+), 33 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -115,6 +115,7 @@ int sysctl_tcp_abc __read_mostly;
+ #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */
+ #define FLAG_NONHEAD_RETRANS_ACKED 0x1000 /* Non-head rexmitted data was ACKed */
+ #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */
++#define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */
+
+ #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
+ #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
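Review bot: The comment on the new `FLAG_UPDATE_TS_RECENT` names a function instead of saying what the flag tells `tcp_ack()`, unlike the neighbouring flag comments, which describe a condition. Something like `/* segment passed validation; tcp_ack() may update ts_recent */` states the contract. The comment moved into tcp_ack() says the ts_recent update must follow the in-window check, and the flag is the only thing that lets a caller vouch for that, so it is worth spelling out at the definition. Both visible call sites pass it together with `FLAG_SLOWPATH`.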
+@@ -3656,6 +3657,27 @@ static void tcp_send_challenge_ack(struc
+ }
+ }
+
++static void tcp_store_ts_recent(struct tcp_sock *tp)
++{
++ tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
++ tp->rx_opt.ts_recent_stamp = get_seconds();
++}
++
++static void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
++{
++ if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
++ /* PAWS bug workaround wrt. ACK frames, the PAWS discard
++ * extra check below makes sure this can only happen
++ * for pure ACK frames. -DaveM
++ *
++ * Not only, also it occurs for expired timestamps.
++ */
++
++ if (tcp_paws_check(&tp->rx_opt, 0))
++ tcp_store_ts_recent(tp);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+ {
+@@ -3702,6 +3724,12 @@ static int tcp_ack(struct sock *sk, stru
+ prior_fackets = tp->fackets_out;
+ prior_in_flight = tcp_packets_in_flight(tp);
+
++ /* ts_recent update must be made after we are sure that the packet
++ * is in window.
++ */
++ if (flag & FLAG_UPDATE_TS_RECENT)
++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
++
+ if (!(flag & FLAG_SLOWPATH) && after(ack, prior_snd_una)) {
+ /* Window is constant, pure forward advance.
+ * No more checks are required.
+@@ -3988,27 +4016,6 @@ u8 *tcp_parse_md5sig_option(struct tcphd
+ EXPORT_SYMBOL(tcp_parse_md5sig_option);
+ #endif
+
+-static inline void tcp_store_ts_recent(struct tcp_sock *tp)
+-{
+- tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
+- tp->rx_opt.ts_recent_stamp = get_seconds();
+-}
+-
+-static inline void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
+-{
+- if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
+- /* PAWS bug workaround wrt. ACK frames, the PAWS discard
+- * extra check below makes sure this can only happen
+- * for pure ACK frames. -DaveM
+- *
+- * Not only, also it occurs for expired timestamps.
+- */
+-
+- if (tcp_paws_check(&tp->rx_opt, 0))
+- tcp_store_ts_recent(tp);
+- }
+-}
+-
+ /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM
+ *
+ * It is not fatal. If this ACK does _not_ change critical state (seqs, window)
+@@ -5477,14 +5484,10 @@ slow_path:
+ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (th->ack &&
++ tcp_ack(sk, skb, FLAG_SLOWPATH | FLAG_UPDATE_TS_RECENT) < 0)
+ goto discard;
+
+- /* ts_recent update must be made after we are sure that the packet
+- * is in window.
+- */
+- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+-
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+ /* Process urgent data. */
+@@ -5848,7 +5851,8 @@ int tcp_rcv_state_process(struct sock *s
+
+ /* step 5: check the ACK field */
+ if (th->ack) {
+- int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
++ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
++ FLAG_UPDATE_TS_RECENT) > 0;
+
+ switch (sk->sk_state) {
+ case TCP_SYN_RECV:
+@@ -5961,11 +5965,6 @@ int tcp_rcv_state_process(struct sock *s
+ } else
+ goto discard;
+
+- /* ts_recent update must be made after we are sure that the packet
+- * is in window.
+- */
+- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+-
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
+
--- /dev/null
+From 7293e360700498d14aa0530071fc29819f242e74 Mon Sep 17 00:00:00 2001
+From: Dmitry Popov <dp@highloadlab.com>
+Date: Thu, 11 Apr 2013 08:55:07 +0000
+Subject: tcp: incoming connections might use wrong route under synflood
+
+
+From: Dmitry Popov <dp@highloadlab.com>
+
+[ Upstream commit d66954a066158781ccf9c13c91d0316970fe57b6 ]
+
+There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+taken. This dst_entry is used by new socket (get_cookie_sock ->
+tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/syncookies.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -345,8 +345,8 @@ struct sock *cookie_v4_check(struct sock
+ * hasn't changed since we received the original syn, but I see
+ * no easy way to do this.
+ */
+- flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+- RT_SCOPE_UNIVERSE, IPPROTO_TCP,
++ flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
++ RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
--- /dev/null
+From 035f2df5f782a4ca71a6036d6a0e1caf29ae6619 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: tipc: fix info leaks via msg_name in recv_msg/recv_stream
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Allan Stephens <allan.stephens@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr
+ if (addr) {
+ addr->family = AF_TIPC;
+ addr->addrtype = TIPC_ADDR_ID;
++ memset(&addr->addr, 0, sizeof(addr->addr));
+ addr->addr.id.ref = msg_origport(msg);
+ addr->addr.id.node = msg_orignode(msg);
+ addr->addr.name.domain = 0; /* could leave uninitialized */
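Review bot: After the added `memset(&addr->addr, 0, sizeof(addr->addr))`, the context line `addr->addr.name.domain = 0; /* could leave uninitialized */` is redundant, and its comment now reads as advice to do exactly what this patch exists to stop. Dropping the assignment, or rewording the comment to `/* already zeroed by the memset above */`, would keep a later reader from undoing the fix. The memset covers only the union; members of the sockaddr assigned outside this hunk are not visible, so a whole-struct `memset(addr, 0, sizeof(*addr));` ahead of the assignments would be the more defensive form. set_orig_addr() starts and ends outside the hunk.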
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *ioc
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart: