--- /dev/null
+From 7d758add176d3e35f202b92886061f7323576d41 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 3 Apr 2013 16:14:47 +0000
+Subject: af_unix: If we don't care about credentials coallesce all messages
+
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 ]
+
+It was reported that the following LSB test case failed
+https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+were not coallescing unix stream messages when the application was
+expecting us to.
+
+The problem was that the first send was before the socket was accepted
+and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+send after the socket was accepted had a non-NULL value for sk->socket
+and thus we could tell the credentials were not needed so we did not
+bother.
+
+The unnecessary credentials on the first message cause
+unix_stream_recvmsg to start verifying that all messages had the same
+credentials before coallescing and then the coallescing failed because
+the second message had no credentials.
+
+Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+long standing pessimization which would fail to coallesce messages when
+reading from a unix stream socket if the senders were different even if
+we did not care about their credentials.
+
+I have tested this and verified that the in the LSB test case mentioned
+above that the messages do coallesce now, while the were failing to
+coallesce without this change.
+
+Reported-by: Karel Srot <ksrot@redhat.com>
+Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1986,7 +1986,7 @@ again:
+ if ((UNIXCB(skb).pid != siocb->scm->pid) ||
+ (UNIXCB(skb).cred != siocb->scm->cred))
+ break;
+- } else {
++ } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
+ /* Copy credentials */
+ scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
+ check_creds = 1;
--- /dev/null
+From db7408189c80397d5b036a2cc7a2eda889cd437e Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 2 Apr 2013 14:36:46 +0000
+Subject: atl1e: limit gso segment size to prevent generation of wrong ip length fields
+
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 31d1670e73f4911fe401273a8f576edc9c2b5fea ]
+
+The limit of 0x3c00 is taken from the windows driver.
+
+Suggested-by: Huang, Xiong <xiong@qca.qualcomm.com>
+Cc: Huang, Xiong <xiong@qca.qualcomm.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e.h | 2 +-
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e.h
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e.h
+@@ -186,7 +186,7 @@ struct atl1e_tpd_desc {
+ /* how about 0x2000 */
+ #define MAX_TX_BUF_LEN 0x2000
+ #define MAX_TX_BUF_SHIFT 13
+-/*#define MAX_TX_BUF_LEN 0x3000 */
++#define MAX_TSO_SEG_SIZE 0x3c00
+
+ /* rrs word 1 bit 0:31 */
+ #define RRS_RX_CSUM_MASK 0xFFFF
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -2354,6 +2354,7 @@ static int __devinit atl1e_probe(struct
+
+ INIT_WORK(&adapter->reset_task, atl1e_reset_task);
+ INIT_WORK(&adapter->link_chg_task, atl1e_link_chg_task);
++ netif_set_gso_max_size(netdev, MAX_TSO_SEG_SIZE);
+ err = register_netdev(netdev);
+ if (err) {
+ netdev_err(netdev, "register netdevice failed\n");
--- /dev/null
+From 243e5c6c1f78e9c846d63e9ff7cc1b4f7b7c7088 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: atm: update msg_namelen in vcc_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -520,6 +520,8 @@ int vcc_recvmsg(struct kiocb *iocb, stru
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+
--- /dev/null
+From 2730a8b5b87c74838f431f4ee61dc8637d316e64 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: ax25: fix info leak via msg_name in ax25_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ]
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1646,6 +1646,7 @@ static int ax25_recvmsg(struct kiocb *io
+ ax25_address src;
+ const unsigned char *mac = skb_mac_header(skb);
+
++ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ &digi, NULL, NULL);
+ sax->sax25_family = AF_AX25;
--- /dev/null
+From 6bcc4146079e2b4c3e78591e595094f5bea90d9a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/af_bluetooth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -240,6 +240,8 @@ int bt_sock_recvmsg(struct kiocb *iocb,
+ if (flags & (MSG_OOB))
+ return -EOPNOTSUPP;
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -247,8 +249,6 @@ int bt_sock_recvmsg(struct kiocb *iocb,
+ return err;
+ }
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
--- /dev/null
+From 9b06a61eca8515c1db466f92792bce1f5d8a2bee Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 ]
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -628,6 +628,7 @@ static int rfcomm_sock_recvmsg(struct ki
+
+ if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ rfcomm_dlc_accept(d);
++ msg->msg_namelen = 0;
+ return 0;
+ }
+
--- /dev/null
+From 1d0ca04f861a39a45e1dd3e5533aa88a0aff4d8d Mon Sep 17 00:00:00 2001
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+Date: Sat, 6 Apr 2013 00:54:38 +0000
+Subject: bonding: fix bonding_masters race condition in bond unloading
+
+
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+
+[ Upstream commit 69b0216ac255f523556fa3d4ff030d857eaaa37f ]
+
+While the bonding module is unloading, it is considered that after
+rtnl_link_unregister all bond devices are destroyed but since no
+synchronization mechanism exists, a new bond device can be created
+via bonding_masters before unregister_pernet_subsys which would
+lead to multiple problems (e.g. NULL pointer dereference, wrong RIP,
+list corruption).
+
+This patch fixes the issue by removing any bond devices left in the
+netns after bonding_masters is removed from sysfs.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
+Acked-by: Veaceslav Falico <vfalico@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4864,9 +4864,18 @@ static int __net_init bond_net_init(stru
+ static void __net_exit bond_net_exit(struct net *net)
+ {
+ struct bond_net *bn = net_generic(net, bond_net_id);
++ struct bonding *bond, *tmp_bond;
++ LIST_HEAD(list);
+
+ bond_destroy_sysfs(bn);
+ bond_destroy_proc_dir(bn);
++
++ /* Kill off any bonds created after unregistering bond rtnl ops */
++ rtnl_lock();
++ list_for_each_entry_safe(bond, tmp_bond, &bn->dev_list, bond_list)
++ unregister_netdevice_queue(bond->dev, &list);
++ unregister_netdevice_many(&list);
++ rtnl_unlock();
+ }
+
+ static struct pernet_operations bond_net_ops = {
--- /dev/null
+From 185c9303d5dad0517146172d792cc044c429e8f1 Mon Sep 17 00:00:00 2001
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+Date: Thu, 11 Apr 2013 09:18:56 +0000
+Subject: bonding: IFF_BONDING is not stripped on enslave failure
+
+
+From: "nikolay@redhat.com" <nikolay@redhat.com>
+
+[ Upstream commit b6a5a7b9a528a8b4c8bec940b607c5dd9102b8cc ]
+
+While enslaving a new device and after IFF_BONDING flag is set, in case
+of failure it is not stripped from the device's priv_flags while
+cleaning up, which could lead to other problems.
+Cleaning at err_close because the flag is set after dev_open().
+
+v2: no change
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1888,6 +1888,7 @@ err_detach:
+ write_unlock_bh(&bond->lock);
+
+ err_close:
++ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
+
+ err_unset_master:
--- /dev/null
+From 2eb568f45b28caf3f42bb797cf20cc54a3a87ba0 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:52 +0000
+Subject: caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 2d6fbfe733f35c6b355c216644e08e149c61b271 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about caif_seqpkt_recvmsg() not filling the msg_name in case it was
+set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -287,6 +287,8 @@ static int caif_seqpkt_recvmsg(struct ki
+ if (m->msg_flags&MSG_OOB)
+ goto read_error;
+
++ m->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ if (!skb)
+ goto read_error;
--- /dev/null
+From 9706be11b9c30a6b11a5b779a3298309aa44ee71 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@parallels.com>
+Date: Mon, 1 Apr 2013 03:01:32 +0000
+Subject: cbq: incorrect processing of high limits
+
+
+From: Vasily Averin <vvs@parallels.com>
+
+[ Upstream commit f0f6ee1f70c4eaab9d52cf7d255df4bd89f8d1c2 ]
+
+currently cbq works incorrectly for limits > 10% real link bandwidth,
+and practically does not work for limits > 50% real link bandwidth.
+Below are results of experiments taken on 1 Gbit link
+
+ In shaper | Actual Result
+-----------+---------------
+ 100M | 108 Mbps
+ 200M | 244 Mbps
+ 300M | 412 Mbps
+ 500M | 893 Mbps
+
+This happen because of q->now changes incorrectly in cbq_dequeue():
+when it is called before real end of packet transmitting,
+L2T is greater than real time delay, q_now gets an extra boost
+but never compensate it.
+
+To fix this problem we prevent change of q->now until its synchronization
+with real time.
+
+Signed-off-by: Vasily Averin <vvs@openvz.org>
+Reviewed-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cbq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_cbq.c
++++ b/net/sched/sch_cbq.c
+@@ -963,8 +963,11 @@ cbq_dequeue(struct Qdisc *sch)
+ cbq_update(q);
+ if ((incr -= incr2) < 0)
+ incr = 0;
++ q->now += incr;
++ } else {
++ if (now > q->now)
++ q->now = now;
+ }
+- q->now += incr;
+ q->now_rt = now;
+
+ for (;;) {
--- /dev/null
+From 89d77a1bc32aea264ec81dbf433ddf5bcfbb461a Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat, 13 Apr 2013 15:49:03 +0000
+Subject: esp4: fix error return code in esp_output()
+
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+[ Upstream commit 06848c10f720cbc20e3b784c0df24930b7304b93 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as returned elsewhere in this function.
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -139,8 +139,6 @@ static int esp_output(struct xfrm_state
+
+ /* skb is pure payload to encrypt */
+
+- err = -ENOMEM;
+-
+ esp = x->data;
+ aead = esp->aead;
+ alen = crypto_aead_authsize(aead);
+@@ -176,8 +174,10 @@ static int esp_output(struct xfrm_state
+ }
+
+ tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
+- if (!tmp)
++ if (!tmp) {
++ err = -ENOMEM;
+ goto error;
++ }
+
+ seqhi = esp_tmp_seqhi(tmp);
+ iv = esp_tmp_iv(aead, tmp, seqhilen);
--- /dev/null
+From afe366fa45ba2fade1b06bb84841ece7586c670e Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 5ae94c0d2f0bed41d6718be743985d61b7f5c47d ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/af_irda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kio
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
--- /dev/null
+From b6c6c452de3636d40c96c13bdcb5c2ab5c0a4dfc Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:54 +0000
+Subject: iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit a5598bd9c087dc0efc250a5221e5d0e6f584ee88 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about iucv_sock_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ursula Braun <ursula.braun@de.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1331,6 +1331,8 @@ static int iucv_sock_recvmsg(struct kioc
+ struct sk_buff *skb, *rskb, *cskb;
+ int err = 0;
+
++ msg->msg_namelen = 0;
++
+ if ((sk->sk_state == IUCV_DISCONN) &&
+ skb_queue_empty(&iucv->backlog_skb_q) &&
+ skb_queue_empty(&sk->sk_receive_queue) &&
--- /dev/null
+From c108d07365ddd2fec6b17fb40e00731b7db06bda Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:56 +0000
+Subject: llc: Fix missing msg_namelen update in llc_ui_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit c77a4b9cffb6215a15196ec499490d116dfad181 ]
+
+For stream sockets the code misses to update the msg_namelen member
+to 0 and therefore makes net/socket.c leak the local, uninitialized
+sockaddr_storage variable to userland -- 128 bytes of kernel stack
+memory. The msg_namelen update is also missing for datagram sockets
+in case the socket is shutting down during receive.
+
+Fix both issues by setting msg_namelen to 0 early. It will be
+updated later if we're going to fill the msg_name member.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -721,6 +721,8 @@ static int llc_ui_recvmsg(struct kiocb *
+ int target; /* Read at least this many bytes */
+ long timeo;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ copied = -ENOTCONN;
+ if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
--- /dev/null
+From e1f62fd070a7ee124d6986b8792f14019e3e15ff Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Tue, 2 Apr 2013 17:10:07 -0400
+Subject: net: count hw_addr syncs so that unsync works properly.
+
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit 4543fbefe6e06a9e40d9f2b28d688393a299f079 ]
+
+A few drivers use dev_uc_sync/unsync to synchronize the
+address lists from master down to slave/lower devices. In
+some cases (bond/team) a single address list is synched down
+to multiple devices. At the time of unsync, we have a leak
+in these lower devices, because "synced" is treated as a
+boolean and the address will not be unsynced for anything after
+the first device/call.
+
+Treat "synced" as a count (same as refcount) and allow all
+unsync calls to work.
+
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 2 +-
+ net/core/dev_addr_lists.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -232,9 +232,9 @@ struct netdev_hw_addr {
+ #define NETDEV_HW_ADDR_T_SLAVE 3
+ #define NETDEV_HW_ADDR_T_UNICAST 4
+ #define NETDEV_HW_ADDR_T_MULTICAST 5
+- bool synced;
+ bool global_use;
+ int refcount;
++ int synced;
+ struct rcu_head rcu_head;
+ };
+
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -57,7 +57,7 @@ static int __hw_addr_add_ex(struct netde
+ ha->type = addr_type;
+ ha->refcount = 1;
+ ha->global_use = global;
+- ha->synced = false;
++ ha->synced = 0;
+ list_add_tail_rcu(&ha->list, &list->list);
+ list->count++;
+ return 0;
+@@ -155,7 +155,7 @@ int __hw_addr_sync(struct netdev_hw_addr
+ addr_len, ha->type);
+ if (err)
+ break;
+- ha->synced = true;
++ ha->synced++;
+ ha->refcount++;
+ } else if (ha->refcount == 1) {
+ __hw_addr_del(to_list, ha->addr, addr_len, ha->type);
+@@ -176,7 +176,7 @@ void __hw_addr_unsync(struct netdev_hw_a
+ if (ha->synced) {
+ __hw_addr_del(to_list, ha->addr,
+ addr_len, ha->type);
+- ha->synced = false;
++ ha->synced--;
+ __hw_addr_del(from_list, ha->addr,
+ addr_len, ha->type);
+ }
--- /dev/null
+From 2b889b265dd67faceed5aeb2c06379b84b2a405b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 16 Apr 2013 12:55:41 +0000
+Subject: net: drop dst before queueing fragments
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 97599dc792b45b1669c3cdb9a4b365aad0232f65 ]
+
+Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
+added a bug in IP defragmentation handling, as non refcounted
+dst could escape an RCU protected section.
+
+Commit 64f3b9e203bd068 (net: ip_expire() must revalidate route) fixed
+the case of timeouts, but not the general problem.
+
+Tom Parkin noticed crashes in UDP stack and provided a patch,
+but further analysis permitted us to pinpoint the root cause.
+
+Before queueing a packet into a frag list, we must drop its dst,
+as this dst has limited lifetime (RCU protected)
+
+When/if a packet is finally reassembled, we use the dst of the very
+last skb, still protected by RCU and valid, as the dst of the
+reassembled packet.
+
+Use same logic in IPv6, as there is no need to hold dst references.
+
+Reported-by: Tom Parkin <tparkin@katalix.com>
+Tested-by: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c | 15 +++++++++++----
+ net/ipv6/reassembly.c | 13 +++++++++++--
+ 2 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -251,8 +251,7 @@ static void ip_expire(unsigned long arg)
+ if (!head->dev)
+ goto out_rcu_unlock;
+
+- /* skb dst is stale, drop it, and perform route lookup again */
+- skb_dst_drop(head);
++ /* skb has no dst, perform route lookup again */
+ iph = ip_hdr(head);
+ err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+ iph->tos, head->dev);
+@@ -517,8 +516,16 @@ found:
+ qp->q.last_in |= INET_FRAG_FIRST_IN;
+
+ if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
+- qp->q.meat == qp->q.len)
+- return ip_frag_reasm(qp, prev, dev);
++ qp->q.meat == qp->q.len) {
++ unsigned long orefdst = skb->_skb_refdst;
++
++ skb->_skb_refdst = 0UL;
++ err = ip_frag_reasm(qp, prev, dev);
++ skb->_skb_refdst = orefdst;
++ return err;
++ }
++
++ skb_dst_drop(skb);
+
+ write_lock(&ip4_frags.lock);
+ list_move_tail(&qp->q.lru_list, &qp->q.net->lru_list);
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -385,8 +385,17 @@ found:
+ }
+
+ if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
+- fq->q.meat == fq->q.len)
+- return ip6_frag_reasm(fq, prev, dev);
++ fq->q.meat == fq->q.len) {
++ int res;
++ unsigned long orefdst = skb->_skb_refdst;
++
++ skb->_skb_refdst = 0UL;
++ res = ip6_frag_reasm(fq, prev, dev);
++ skb->_skb_refdst = orefdst;
++ return res;
++ }
++
++ skb_dst_drop(skb);
+
+ write_lock(&ip6_frags.lock);
+ list_move_tail(&fq->q.lru_list, &fq->q.net->lru_list);
--- /dev/null
+From 0e59f33a971304ccd9a4c84b0beb1ce969780b06 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: net: fix incorrect credentials passing
+
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 ]
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Serge E. Hallyn <serge@hallyn.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/socket.h | 3 ++-
+ include/net/scm.h | 2 +-
+ net/core/sock.c | 14 ++++++++++----
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -316,7 +316,8 @@ struct ucred {
+ /* IPX options */
+ #define IPX_TYPE 1
+
+-extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
++extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred,
++ bool use_effective);
+
+ extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
+ extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(stru
+ {
+ scm->pid = get_pid(pid);
+ scm->cred = cred ? get_cred(cred) : NULL;
+- cred_to_ucred(pid, cred, &scm->creds);
++ cred_to_ucred(pid, cred, &scm->creds, false);
+ }
+
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -815,15 +815,20 @@ EXPORT_SYMBOL(sock_setsockopt);
+
+
+ void cred_to_ucred(struct pid *pid, const struct cred *cred,
+- struct ucred *ucred)
++ struct ucred *ucred, bool use_effective)
+ {
+ ucred->pid = pid_vnr(pid);
+ ucred->uid = ucred->gid = -1;
+ if (cred) {
+ struct user_namespace *current_ns = current_user_ns();
+
+- ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
+- ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
++ if (use_effective) {
++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid);
++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid);
++ } else {
++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
++ }
+ }
+ }
+ EXPORT_SYMBOL_GPL(cred_to_ucred);
+@@ -984,7 +989,8 @@ int sock_getsockopt(struct socket *sock,
+ struct ucred peercred;
+ if (len > sizeof(peercred))
+ len = sizeof(peercred);
+- cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
++ cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred,
++ &peercred, true);
+ if (copy_to_user(optval, &peercred, len))
+ return -EFAULT;
+ goto lenout;
--- /dev/null
+From 3ec2ad707e8ed4ca45ff5d4f7b1e723b194dd866 Mon Sep 17 00:00:00 2001
+From: Balakumaran Kannan <kumaran.4353@gmail.com>
+Date: Tue, 2 Apr 2013 16:15:05 +0530
+Subject: net IPv6 : Fix broken IPv6 routing table after loopback down-up
+
+
+From: Balakumaran Kannan <kumaran.4353@gmail.com>
+
+[ Upstream commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f ]
+
+IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo)
+interface. After down-up, routes of other interface's IPv6 addresses through
+'lo' are lost.
+
+IPv6 addresses assigned to all interfaces are routed through 'lo' for internal
+communication. Once 'lo' is down, those routing entries are removed from routing
+table. But those removed entries are not being re-created properly when 'lo' is
+brought up. So IPv6 addresses of other interfaces becomes unreachable from the
+same machine. Also this breaks communication with other machines because of
+NDISC packet processing failure.
+
+This patch fixes this issue by reading all interface's IPv6 addresses and adding
+them to IPv6 routing table while bringing up 'lo'.
+
+==Testing==
+Before applying the patch:
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$ sudo ifdown lo
+$ sudo ifup lo
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$
+
+After applying the patch:
+$ route -A inet6
+Kernel IPv6 routing
+table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$ sudo ifdown lo
+$ sudo ifup lo
+$ route -A inet6
+Kernel IPv6 routing table
+Destination Next Hop Flag Met Ref Use If
+2000::20/128 :: U 256 0 0 eth0
+fe80::/64 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+::1/128 :: Un 0 1 0 lo
+2000::20/128 :: Un 0 1 0 lo
+fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo
+ff00::/8 :: U 256 0 0 eth0
+::/0 :: !n -1 1 1 lo
+$
+
+Signed-off-by: Balakumaran Kannan <Balakumaran.Kannan@ap.sony.com>
+Signed-off-by: Maruthi Thotad <Maruthi.Thotad@ap.sony.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2399,6 +2399,9 @@ static void sit_add_v4_addrs(struct inet
+ static void init_loopback(struct net_device *dev)
+ {
+ struct inet6_dev *idev;
++ struct net_device *sp_dev;
++ struct inet6_ifaddr *sp_ifa;
++ struct rt6_info *sp_rt;
+
+ /* ::1 */
+
+@@ -2410,6 +2413,30 @@ static void init_loopback(struct net_dev
+ }
+
+ add_addr(idev, &in6addr_loopback, 128, IFA_HOST);
++
++ /* Add routes to other interface's IPv6 addresses */
++ for_each_netdev(dev_net(dev), sp_dev) {
++ if (!strcmp(sp_dev->name, dev->name))
++ continue;
++
++ idev = __in6_dev_get(sp_dev);
++ if (!idev)
++ continue;
++
++ read_lock_bh(&idev->lock);
++ list_for_each_entry(sp_ifa, &idev->addr_list, if_list) {
++
++ if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
++ continue;
++
++ sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
++
++ /* Failure cases are ignored */
++ if (!IS_ERR(sp_rt))
++ ip6_ins_rt(sp_rt);
++ }
++ read_unlock_bh(&idev->lock);
++ }
+ }
+
+ static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr)
--- /dev/null
+From c0bb88dad87d55604cc656c60779ea8ca61ca068 Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Fri, 19 Apr 2013 10:45:52 +0000
+Subject: net: rate-limit warn-bad-offload splats.
+
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit c846ad9b880ece01bb4d8d07ba917734edf0324f ]
+
+If one does do something unfortunate and allow a
+bad offload bug into the kernel, this the
+skb_warn_bad_offload can effectively live-lock the
+system, filling the logs with the same error over
+and over.
+
+Add rate limitation to this so that box remains otherwise
+functional in this case.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1895,6 +1895,9 @@ static void skb_warn_bad_offload(const s
+ struct net_device *dev = skb->dev;
+ const char *driver = "";
+
++ if (!net_ratelimit())
++ return;
++
+ if (dev && dev->dev.parent)
+ driver = dev_driver_string(dev->dev.parent);
+
--- /dev/null
+From 325382a75784ecc05c6ae30e2e97e2c60d325cec Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu, 7 Feb 2013 00:55:37 +0000
+Subject: net: sctp: sctp_auth_key_put: use kzfree instead of kfree
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53 ]
+
+For sensitive data like keying material, it is common practice to zero
+out keys before returning the memory back to the allocator. Thus, use
+kzfree instead of kfree.
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -71,7 +71,7 @@ void sctp_auth_key_put(struct sctp_auth_
+ return;
+
+ if (atomic_dec_and_test(&key->refcnt)) {
+- kfree(key);
++ kzfree(key);
+ SCTP_DBG_OBJCNT_DEC(keys);
+ }
+ }
--- /dev/null
+From c0ec37c8285f5978a0e178a562d66829c00e2f6a Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Fri, 5 Apr 2013 20:42:05 +0200
+Subject: netfilter: don't reset nf_trace in nf_reset()
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+[ Upstream commit 124dff01afbdbff251f0385beca84ba1b9adda68 ]
+
+Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
+to reset nf_trace in nf_reset(). This is wrong and unnecessary.
+
+nf_reset() is used in the following cases:
+
+- when passing packets up the the socket layer, at which point we want to
+ release all netfilter references that might keep modules pinned while
+ the packet is queued. nf_trace doesn't matter anymore at this point.
+
+- when encapsulating or decapsulating IPsec packets. We want to continue
+ tracing these packets after IPsec processing.
+
+- when passing packets through virtual network devices. Only devices on
+ that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
+ used anymore. Its not entirely clear whether those packets should
+ be traced after that, however we've always done that.
+
+- when passing packets through virtual network devices that make the
+ packet cross network namespace boundaries. This is the only cases
+ where we clearly want to reset nf_trace and is also what the
+ original patch intended to fix.
+
+Add a new function nf_reset_trace() and use it in dev_forward_skb() to
+fix this properly.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 7 +++++++
+ net/core/dev.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2392,6 +2392,13 @@ static inline void nf_reset(struct sk_bu
+ #endif
+ }
+
++static inline void nf_reset_trace(struct sk_buff *skb)
++{
++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
++ skb->nf_trace = 0;
++#endif
++}
++
+ /* Note: This doesn't put any conntrack and bridge info in dst. */
+ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
+ {
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1628,6 +1628,7 @@ int dev_forward_skb(struct net_device *d
+ skb->mark = 0;
+ secpath_reset(skb);
+ nf_reset(skb);
++ nf_reset_trace(skb);
+ return netif_rx(skb);
+ }
+ EXPORT_SYMBOL_GPL(dev_forward_skb);
--- /dev/null
+From 77d04b80c07c03ee66148b8d756a3dd27f11b3fc Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:57 +0000
+Subject: netrom: fix info leak via msg_name in nr_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commits 3ce5efad47b62c57a4f5c54248347085a750ce0e and
+ c802d759623acbd6e1ee9fbdabae89159a513913 ]
+
+In case msg_name is set the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of
+struct sockaddr_ax25 inserted by the compiler for alignment. Also
+the sax25_ndigis member does not get assigned, leaking four more
+bytes.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1177,6 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb
+ }
+
+ if (sax != NULL) {
++ memset(sax, 0, sizeof(sax));
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
--- /dev/null
+From bef41eeabe2f888ff26e05497b78574a6ab4d906 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue, 9 Apr 2013 10:07:19 +0800
+Subject: netrom: fix invalid use of sizeof in nr_recvmsg()
+
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+[ Upstream commit c802d759623acbd6e1ee9fbdabae89159a513913 ]
+
+sizeof() when applied to a pointer typed expression gives the size of the
+pointer, not that of the pointed data.
+Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg)
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1177,7 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb
+ }
+
+ if (sax != NULL) {
+- memset(sax, 0, sizeof(sax));
++ memset(sax, 0, sizeof(*sax));
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
--- /dev/null
+From f2c9def51f6071d442897b2148bf1dd617a9b5b7 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:58 +0000
+Subject: NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb ]
+
+The code in llcp_sock_recvmsg() does not initialize all the members of
+struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
+initialize the padding bytes of the structure inserted by the compiler
+for alignment.
+
+Also, if the socket is in state LLCP_CLOSED or is shutting down during
+receive the msg_namelen member is not updated to 0 while otherwise
+returning with 0, i.e. "success". The msg_namelen update is also
+missing for stream and seqpacket sockets which don't fill the sockaddr
+info.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the first issue by initializing the memory used for sockaddr info
+with memset(0). Fix the second one by setting msg_namelen to 0 early.
+It will be updated later if we're going to fill the msg_name member.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
+Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp/sock.c
++++ b/net/nfc/llcp/sock.c
+@@ -514,6 +514,8 @@ static int llcp_sock_recvmsg(struct kioc
+
+ pr_debug("%p %zu\n", sk, len);
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+
+ if (sk->sk_state == LLCP_CLOSED &&
--- /dev/null
+From cb0e08205989b6cc4d04efc0233411e42b258cf0 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: rose: fix info leak via msg_name in rose_recvmsg()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1257,6 +1257,7 @@ static int rose_recvmsg(struct kiocb *io
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
++ memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
--- /dev/null
+From 3b86159c3d22710e21f35fb99e9b5e2710a3c501 Mon Sep 17 00:00:00 2001
+From: Michael Riesch <michael.riesch@omicron.at>
+Date: Mon, 8 Apr 2013 05:45:26 +0000
+Subject: rtnetlink: Call nlmsg_parse() with correct header length
+
+
+From: Michael Riesch <michael.riesch@omicron.at>
+
+[ Upstream commit 88c5b5ce5cb57af6ca2a7cf4d5715fa320448ff9 ]
+
+Signed-off-by: Michael Riesch <michael.riesch@omicron.at>
+Cc: Jiri Benc <jbenc@redhat.com>
+Cc: "Theodore Ts'o" <tytso@mit.edu>
+Acked-by: Mark Rustad <mark.d.rustad@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1066,7 +1066,7 @@ static int rtnl_dump_ifinfo(struct sk_bu
+ rcu_read_lock();
+ cb->seq = net->dev_base_seq;
+
+- if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
++ if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+ ifla_policy) >= 0) {
+
+ if (tb[IFLA_EXT_MASK])
+@@ -1910,7 +1910,7 @@ static u16 rtnl_calcit(struct sk_buff *s
+ u32 ext_filter_mask = 0;
+ u16 min_ifinfo_dump_size = 0;
+
+- if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
++ if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+ ifla_policy) >= 0) {
+ if (tb[IFLA_EXT_MASK])
+ ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
tty-do-not-update-atime-mtime-on-read-write.patch
tty-fix-atime-mtime-regression.patch
sparc64-fix-race-in-tlb-batch-processing.patch
+atm-update-msg_namelen-in-vcc_recvmsg.patch
+ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
+bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch
+caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch
+irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch
+iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch
+llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch
+nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch
+rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch
+netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
+cbq-incorrect-processing-of-high-limits.patch
+net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch
+net-count-hw_addr-syncs-so-that-unsync-works-properly.patch
+atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch
+bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch
+bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch
+af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch
+netfilter-don-t-reset-nf_trace-in-nf_reset.patch
+rtnetlink-call-nlmsg_parse-with-correct-header-length.patch
+tcp-incoming-connections-might-use-wrong-route-under-synflood.patch
+tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch
+esp4-fix-error-return-code-in-esp_output.patch
+net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch
+tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch
+net-rate-limit-warn-bad-offload-splats.patch
+net-fix-incorrect-credentials-passing.patch
+net-drop-dst-before-queueing-fragments.patch
--- /dev/null
+From 58bd4a47469059f9f5395885d7b0a3b1dc7ae1e3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 19 Apr 2013 07:19:48 +0000
+Subject: tcp: call tcp_replace_ts_recent() from tcp_ack()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 12fb3dd9dc3c64ba7d64cec977cca9b5fb7b1d4e ]
+
+commit bd090dfc634d (tcp: tcp_replace_ts_recent() should not be called
+from tcp_validate_incoming()) introduced a TS ecr bug in slow path
+processing.
+
+1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200>
+2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001>
+3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
+4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
+
+(ecr 200 should be ecr 300 in packets 3 & 4)
+
+Problem is tcp_ack() can trigger send of new packets (retransmits),
+reflecting the prior TSval, instead of the TSval contained in the
+currently processed incoming packet.
+
+Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the
+checks, but before the actions.
+
+Reported-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 65 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 32 insertions(+), 33 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -116,6 +116,7 @@ int sysctl_tcp_abc __read_mostly;
+ #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */
+ #define FLAG_NONHEAD_RETRANS_ACKED 0x1000 /* Non-head rexmitted data was ACKed */
+ #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */
++#define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */
+
+ #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
+ #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
+@@ -3707,6 +3708,27 @@ static void tcp_send_challenge_ack(struc
+ }
+ }
+
++static void tcp_store_ts_recent(struct tcp_sock *tp)
++{
++ tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
++ tp->rx_opt.ts_recent_stamp = get_seconds();
++}
++
++static void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
++{
++ if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
++ /* PAWS bug workaround wrt. ACK frames, the PAWS discard
++ * extra check below makes sure this can only happen
++ * for pure ACK frames. -DaveM
++ *
++ * Not only, also it occurs for expired timestamps.
++ */
++
++ if (tcp_paws_check(&tp->rx_opt, 0))
++ tcp_store_ts_recent(tp);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
+ {
+@@ -3756,6 +3778,12 @@ static int tcp_ack(struct sock *sk, cons
+ prior_fackets = tp->fackets_out;
+ prior_in_flight = tcp_packets_in_flight(tp);
+
++ /* ts_recent update must be made after we are sure that the packet
++ * is in window.
++ */
++ if (flag & FLAG_UPDATE_TS_RECENT)
++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
++
+ if (!(flag & FLAG_SLOWPATH) && after(ack, prior_snd_una)) {
+ /* Window is constant, pure forward advance.
+ * No more checks are required.
+@@ -4053,27 +4081,6 @@ const u8 *tcp_parse_md5sig_option(const
+ EXPORT_SYMBOL(tcp_parse_md5sig_option);
+ #endif
+
+-static inline void tcp_store_ts_recent(struct tcp_sock *tp)
+-{
+- tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
+- tp->rx_opt.ts_recent_stamp = get_seconds();
+-}
+-
+-static inline void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
+-{
+- if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
+- /* PAWS bug workaround wrt. ACK frames, the PAWS discard
+- * extra check below makes sure this can only happen
+- * for pure ACK frames. -DaveM
+- *
+- * Not only, also it occurs for expired timestamps.
+- */
+-
+- if (tcp_paws_check(&tp->rx_opt, 0))
+- tcp_store_ts_recent(tp);
+- }
+-}
+-
+ /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM
+ *
+ * It is not fatal. If this ACK does _not_ change critical state (seqs, window)
+@@ -5577,14 +5584,10 @@ slow_path:
+ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (th->ack &&
++ tcp_ack(sk, skb, FLAG_SLOWPATH | FLAG_UPDATE_TS_RECENT) < 0)
+ goto discard;
+
+- /* ts_recent update must be made after we are sure that the packet
+- * is in window.
+- */
+- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+-
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+ /* Process urgent data. */
+@@ -5948,7 +5951,8 @@ int tcp_rcv_state_process(struct sock *s
+
+ /* step 5: check the ACK field */
+ if (th->ack) {
+- int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
++ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
++ FLAG_UPDATE_TS_RECENT) > 0;
+
+ switch (sk->sk_state) {
+ case TCP_SYN_RECV:
+@@ -6055,11 +6059,6 @@ int tcp_rcv_state_process(struct sock *s
+ } else
+ goto discard;
+
+- /* ts_recent update must be made after we are sure that the packet
+- * is in window.
+- */
+- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+-
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
+
--- /dev/null
+From f69107361c6ad91517a8b0323fb96c928804864c Mon Sep 17 00:00:00 2001
+From: Dmitry Popov <dp@highloadlab.com>
+Date: Thu, 11 Apr 2013 08:55:07 +0000
+Subject: tcp: incoming connections might use wrong route under synflood
+
+
+From: Dmitry Popov <dp@highloadlab.com>
+
+[ Upstream commit d66954a066158781ccf9c13c91d0316970fe57b6 ]
+
+There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+taken. This dst_entry is used by new socket (get_cookie_sock ->
+tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/syncookies.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -347,8 +347,8 @@ struct sock *cookie_v4_check(struct sock
+ * hasn't changed since we received the original syn, but I see
+ * no easy way to do this.
+ */
+- flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+- RT_SCOPE_UNIVERSE, IPPROTO_TCP,
++ flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
++ RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
--- /dev/null
+From 2527557a08f9d60e9fd38737b5a029b480af50bd Mon Sep 17 00:00:00 2001
+From: Thomas Graf <tgraf@suug.ch>
+Date: Thu, 11 Apr 2013 10:57:18 +0000
+Subject: tcp: Reallocate headroom if it would overflow csum_start
+
+
+From: Thomas Graf <tgraf@suug.ch>
+
+[ Upstream commit 50bceae9bd3569d56744882f3012734d48a1d413 ]
+
+If a TCP retransmission gets partially ACKed and collapsed multiple
+times it is possible for the headroom to grow beyond 64K which will
+overflow the 16bit skb->csum_start which is based on the start of
+the headroom. It has been observed rarely in the wild with IPoIB due
+to the 64K MTU.
+
+Verify if the acking and collapsing resulted in a headroom exceeding
+what csum_start can cover and reallocate the headroom if so.
+
+A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
+LLNL for helping out with the investigation and testing.
+
+Reported-by: Jim Foraker <foraker1@llnl.gov>
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2154,8 +2154,12 @@ int tcp_retransmit_skb(struct sock *sk,
+ */
+ TCP_SKB_CB(skb)->when = tcp_time_stamp;
+
+- /* make sure skb->data is aligned on arches that require it */
+- if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
++ /* make sure skb->data is aligned on arches that require it
++ * and check if ack-trimming & collapsing extended the headroom
++ * beyond what csum_start can cover.
++ */
++ if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) ||
++ skb_headroom(skb) >= 0xFFFF)) {
+ struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
+ GFP_ATOMIC);
+ err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
--- /dev/null
+From fbdcc697a43e4b7eae4b8fb00ac054c2eac90a30 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: tipc: fix info leaks via msg_name in recv_msg/recv_stream
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Allan Stephens <allan.stephens@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr
+ if (addr) {
+ addr->family = AF_TIPC;
+ addr->addrtype = TIPC_ADDR_ID;
++ memset(&addr->addr, 0, sizeof(addr->addr));
+ addr->addr.id.ref = msg_origport(msg);
+ addr->addr.id.node = msg_orignode(msg);
+ addr->addr.name.domain = 0; /* could leave uninitialized */
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *ioc
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
projects / thirdparty / kernel / stable-queue.git / commitdiff
