--- /dev/null
+From 9d4265cdd6c161d51b37bb9c6b9a32ab164f72ff Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Wed, 26 Dec 2012 02:32:10 +0000
+Subject: batman-adv: fix random jitter calculation
+
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 143cdd8f33909ff5a153e3f02048738c5964ba26 ]
+
+batadv_iv_ogm_emit_send_time() attempts to calculates a random integer
+in the range of 'orig_interval +- BATADV_JITTER' by the below lines.
+
+ msecs = atomic_read(&bat_priv->orig_interval) - BATADV_JITTER;
+ msecs += (random32() % 2 * BATADV_JITTER);
+
+But it actually gets 'orig_interval' or 'orig_interval - BATADV_JITTER'
+because '%' and '*' have same precedence and associativity is
+left-to-right.
+
+This adds the parentheses at the appropriate position so that it matches
+original intension.
+
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Antonio Quartulli <ordex@autistici.org>
+Cc: Marek Lindner <lindner_marek@yahoo.de>
+Cc: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Cc: Antonio Quartulli <ordex@autistici.org>
+Cc: b.a.t.m.a.n@lists.open-mesh.org
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -119,7 +119,7 @@ batadv_iv_ogm_emit_send_time(const struc
+ unsigned int msecs;
+
+ msecs = atomic_read(&bat_priv->orig_interval) - BATADV_JITTER;
+- msecs += (random32() % 2 * BATADV_JITTER);
++ msecs += random32() % (2 * BATADV_JITTER);
+
+ return jiffies + msecs_to_jiffies(msecs);
+ }
--- /dev/null
+From 0831769748c0f4581637faf0f41cf6939cea307e Mon Sep 17 00:00:00 2001
+From: Christoph Paasch <christoph.paasch@uclouvain.be>
+Date: Fri, 14 Dec 2012 04:07:58 +0000
+Subject: inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock
+
+
+From: Christoph Paasch <christoph.paasch@uclouvain.be>
+
+[ Upstream commit e337e24d6624e74a558aa69071e112a65f7b5758 ]
+
+If in either of the above functions inet_csk_route_child_sock() or
+__inet_inherit_port() fails, the newsk will not be freed:
+
+unreferenced object 0xffff88022e8a92c0 (size 1592):
+ comm "softirq", pid 0, jiffies 4294946244 (age 726.160s)
+ hex dump (first 32 bytes):
+ 0a 01 01 01 0a 01 01 02 00 00 00 00 a7 cc 16 00 ................
+ 02 00 03 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8153d190>] kmemleak_alloc+0x21/0x3e
+ [<ffffffff810ab3e7>] kmem_cache_alloc+0xb5/0xc5
+ [<ffffffff8149b65b>] sk_prot_alloc.isra.53+0x2b/0xcd
+ [<ffffffff8149b784>] sk_clone_lock+0x16/0x21e
+ [<ffffffff814d711a>] inet_csk_clone_lock+0x10/0x7b
+ [<ffffffff814ebbc3>] tcp_create_openreq_child+0x21/0x481
+ [<ffffffff814e8fa5>] tcp_v4_syn_recv_sock+0x3a/0x23b
+ [<ffffffff814ec5ba>] tcp_check_req+0x29f/0x416
+ [<ffffffff814e8e10>] tcp_v4_do_rcv+0x161/0x2bc
+ [<ffffffff814eb917>] tcp_v4_rcv+0x6c9/0x701
+ [<ffffffff814cea9f>] ip_local_deliver_finish+0x70/0xc4
+ [<ffffffff814cec20>] ip_local_deliver+0x4e/0x7f
+ [<ffffffff814ce9f8>] ip_rcv_finish+0x1fc/0x233
+ [<ffffffff814cee68>] ip_rcv+0x217/0x267
+ [<ffffffff814a7bbe>] __netif_receive_skb+0x49e/0x553
+ [<ffffffff814a7cc3>] netif_receive_skb+0x50/0x82
+
+This happens, because sk_clone_lock initializes sk_refcnt to 2, and thus
+a single sock_put() is not enough to free the memory. Additionally, things
+like xfrm, memcg, cookie_values,... may have been initialized.
+We have to free them properly.
+
+This is fixed by forcing a call to tcp_done(), ending up in
+inet_csk_destroy_sock, doing the final sock_put(). tcp_done() is necessary,
+because it ends up doing all the cleanup on xfrm, memcg, cookie_values,
+xfrm,...
+
+Before calling tcp_done, we have to set the socket to SOCK_DEAD, to
+force it entering inet_csk_destroy_sock. To avoid the warning in
+inet_csk_destroy_sock, inet_num has to be set to 0.
+As inet_csk_destroy_sock does a dec on orphan_count, we first have to
+increase it.
+
+Calling tcp_done() allows us to remove the calls to
+tcp_clear_xmit_timer() and tcp_cleanup_congestion_control().
+
+A similar approach is taken for dccp by calling dccp_done().
+
+This is in the kernel since 093d282321 (tproxy: fix hash locking issue
+when using port redirection in __inet_inherit_port()), thus since
+version >= 2.6.37.
+
+Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_connection_sock.h | 1 +
+ net/dccp/ipv4.c | 4 ++--
+ net/dccp/ipv6.c | 3 ++-
+ net/ipv4/inet_connection_sock.c | 16 ++++++++++++++++
+ net/ipv4/tcp_ipv4.c | 6 ++----
+ net/ipv6/tcp_ipv6.c | 3 ++-
+ 6 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -318,6 +318,7 @@ extern void inet_csk_reqsk_queue_prune(s
+ const unsigned long max_rto);
+
+ extern void inet_csk_destroy_sock(struct sock *sk);
++extern void inet_csk_prepare_forced_close(struct sock *sk);
+
+ /*
+ * LISTEN is a special case for poll..
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -439,8 +439,8 @@ exit:
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
+ return NULL;
+ put_and_exit:
+- bh_unlock_sock(newsk);
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ dccp_done(newsk);
+ goto exit;
+ }
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -585,7 +585,8 @@ static struct sock *dccp_v6_request_recv
+ newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
+
+ if (__inet_inherit_port(sk, newsk) < 0) {
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ dccp_done(newsk);
+ goto out;
+ }
+ __inet6_hash(newsk, NULL);
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -699,6 +699,22 @@ void inet_csk_destroy_sock(struct sock *
+ }
+ EXPORT_SYMBOL(inet_csk_destroy_sock);
+
++/* This function allows to force a closure of a socket after the call to
++ * tcp/dccp_create_openreq_child().
++ */
++void inet_csk_prepare_forced_close(struct sock *sk)
++{
++ /* sk_clone_lock locked the socket and set refcnt to 2 */
++ bh_unlock_sock(sk);
++ sock_put(sk);
++
++ /* The below has to be done to allow calling inet_csk_destroy_sock */
++ sock_set_flag(sk, SOCK_DEAD);
++ percpu_counter_inc(sk->sk_prot->orphan_count);
++ inet_sk(sk)->inet_num = 0;
++}
++EXPORT_SYMBOL(inet_csk_prepare_forced_close);
++
+ int inet_csk_listen_start(struct sock *sk, const int nr_table_entries)
+ {
+ struct inet_sock *inet = inet_sk(sk);
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1774,10 +1774,8 @@ exit:
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
+ return NULL;
+ put_and_exit:
+- tcp_clear_xmit_timers(newsk);
+- tcp_cleanup_congestion_control(newsk);
+- bh_unlock_sock(newsk);
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
+ goto exit;
+ }
+ EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1384,7 +1384,8 @@ static struct sock * tcp_v6_syn_recv_soc
+ #endif
+
+ if (__inet_inherit_port(sk, newsk) < 0) {
+- sock_put(newsk);
++ inet_csk_prepare_forced_close(newsk);
++ tcp_done(newsk);
+ goto out;
+ }
+ __inet6_hash(newsk, NULL);
--- /dev/null
+From 42d3b8e69761bf8866b11bef2664fa8eacd9398d Mon Sep 17 00:00:00 2001
+From: Duan Jiong <djduanjiong@gmail.com>
+Date: Fri, 14 Dec 2012 02:59:59 +0000
+Subject: ipv6: Change skb->data before using icmpv6_notify() to propagate redirect
+
+
+From: Duan Jiong <djduanjiong@gmail.com>
+
+[ Upstream commit 093d04d42fa094f6740bb188f0ad0c215ff61e2c ]
+
+In function ndisc_redirect_rcv(), the skb->data points to the transport
+header, but function icmpv6_notify() need the skb->data points to the
+inner IP packet. So before using icmpv6_notify() to propagate redirect,
+change skb->data to point the inner IP packet that triggered the sending
+of the Redirect, and introduce struct rd_msg to make it easy.
+
+Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ndisc.h | 7 +++++++
+ net/ipv6/ndisc.c | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/include/net/ndisc.h
++++ b/include/net/ndisc.h
+@@ -78,6 +78,13 @@ struct ra_msg {
+ __be32 retrans_timer;
+ };
+
++struct rd_msg {
++ struct icmp6hdr icmph;
++ struct in6_addr target;
++ struct in6_addr dest;
++ __u8 opt[0];
++};
++
+ struct nd_opt_hdr {
+ __u8 nd_opt_type;
+ __u8 nd_opt_len;
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1333,6 +1333,12 @@ out:
+
+ static void ndisc_redirect_rcv(struct sk_buff *skb)
+ {
++ u8 *hdr;
++ struct ndisc_options ndopts;
++ struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
++ u32 ndoptlen = skb->tail - (skb->transport_header +
++ offsetof(struct rd_msg, opt));
++
+ #ifdef CONFIG_IPV6_NDISC_NODETYPE
+ switch (skb->ndisc_nodetype) {
+ case NDISC_NODETYPE_HOST:
+@@ -1349,6 +1355,17 @@ static void ndisc_redirect_rcv(struct sk
+ return;
+ }
+
++ if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
++ return;
++
++ if (!ndopts.nd_opts_rh)
++ return;
++
++ hdr = (u8 *)ndopts.nd_opts_rh;
++ hdr += 8;
++ if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
++ return;
++
+ icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
+ }
+
--- /dev/null
+From a3c544982a40e45cf6d9f92f7d343007abb24042 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <alex.aring@googlemail.com>
+Date: Wed, 2 Jan 2013 01:01:10 +0000
+Subject: mac802154: fix NOHZ local_softirq_pending 08 warning
+
+
+From: Alexander Aring <alex.aring@googlemail.com>
+
+[ Upstream commit 5ff3fec6d3fc848753c2fa30b18607358f89a202 ]
+
+When using nanosleep() in an userspace application we get a
+ratelimit warning
+
+NOHZ: local_softirq_pending 08
+
+for 10 times.
+
+This patch replaces netif_rx() with netif_rx_ni() which has
+to be used from process/softirq context.
+The process/softirq context will be called from fakelb driver.
+
+See linux-kernel commit 481a819 for similar fix.
+
+Signed-off-by: Alexander Aring <alex.aring@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/wpan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac802154/wpan.c
++++ b/net/mac802154/wpan.c
+@@ -387,7 +387,7 @@ void mac802154_wpan_setup(struct net_dev
+
+ static int mac802154_process_data(struct net_device *dev, struct sk_buff *skb)
+ {
+- return netif_rx(skb);
++ return netif_rx_ni(skb);
+ }
+
+ static int
--- /dev/null
+From d9b01e1646fc3732ea5d6abfd6188c9a8c743c8f Mon Sep 17 00:00:00 2001
+From: Stefan Hasko <hasko.stevo@gmail.com>
+Date: Fri, 21 Dec 2012 15:04:59 +0000
+Subject: net: sched: integer overflow fix
+
+
+From: Stefan Hasko <hasko.stevo@gmail.com>
+
+[ Upstream commit d2fe85da52e89b8012ffad010ef352a964725d5f ]
+
+Fixed integer overflow in function htb_dequeue
+
+Signed-off-by: Stefan Hasko <hasko.stevo@gmail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_htb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_htb.c
++++ b/net/sched/sch_htb.c
+@@ -874,7 +874,7 @@ ok:
+ q->now = psched_get_time();
+ start_at = jiffies;
+
+- next_event = q->now + 5 * PSCHED_TICKS_PER_SEC;
++ next_event = q->now + 5LLU * PSCHED_TICKS_PER_SEC;
+
+ for (level = 0; level < TC_HTB_MAXDEPTH; level++) {
+ /* common case optimization - skip event handler quickly */
--- /dev/null
+From 7ce38ac6147d069c5b0b0ad8d53e069f38ef26ab Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Sat, 15 Dec 2012 10:12:43 +0000
+Subject: sctp: jsctp_sf_eat_sack: fix jprobes function signature mismatch
+
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 4cb9d6eaf85ecdd266a9a5c6d825c56ca9eefc14 ]
+
+Commit 24cb81a6a (sctp: Push struct net down into all of the
+state machine functions) introduced the net structure into all
+state machine functions, but jsctp_sf_eat_sack was not updated,
+hence when SCTP association probing is enabled in the kernel,
+any simple SCTP client/server program from userspace will panic
+the kernel.
+
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/probe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/probe.c
++++ b/net/sctp/probe.c
+@@ -122,7 +122,8 @@ static const struct file_operations sctp
+ .llseek = noop_llseek,
+ };
+
+-sctp_disposition_t jsctp_sf_eat_sack(const struct sctp_endpoint *ep,
++sctp_disposition_t jsctp_sf_eat_sack(struct net *net,
++ const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ const sctp_subtype_t type,
+ void *arg,
sparc64-fix-ecb-looping-constructs-in-aes-code.patch
sparc64-set-crypto_tfm_req_may_sleep-consistently-in-des-code.patch
sparc64-set-crypto_tfm_req_may_sleep-consistently-in-camellia-code.patch
+batman-adv-fix-random-jitter-calculation.patch
+inet-fix-kmemleak-in-tcp_v4-6_syn_recv_sock-and-dccp_v4-6_request_recv_sock.patch
+ipv6-change-skb-data-before-using-icmpv6_notify-to-propagate-redirect.patch
+mac802154-fix-nohz-local_softirq_pending-08-warning.patch
+net-sched-integer-overflow-fix.patch
+sctp-jsctp_sf_eat_sack-fix-jprobes-function-signature-mismatch.patch
+tcp-fix-msg_sendpage_notlast-logic.patch
--- /dev/null
+From 6ab1806169c92aadc5a1cc1224647a8d83363f1e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 6 Jan 2013 18:21:49 +0000
+Subject: tcp: fix MSG_SENDPAGE_NOTLAST logic
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]
+
+commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
+added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
+frags but the last one for a splice() call.
+
+The condition used to set the flag in pipe_to_sendpage() relied on
+splice() user passing the exact number of bytes present in the pipe,
+or a smaller one.
+
+But some programs pass an arbitrary high value, and the test fails.
+
+The effect of this bug is a lack of tcp_push() at the end of a
+splice(pipe -> socket) call, and possibly very slow or erratic TCP
+sessions.
+
+We should both test sd->total_len and fact that another fragment
+is in the pipe (pipe->nrbufs > 1)
+
+Many thanks to Willy for providing very clear bug report, bisection
+and test programs.
+
+Reported-by: Willy Tarreau <w@1wt.eu>
+Bisected-by: Willy Tarreau <w@1wt.eu>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/splice.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -696,8 +696,10 @@ static int pipe_to_sendpage(struct pipe_
+ return -EINVAL;
+
+ more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
+- if (sd->len < sd->total_len)
++
++ if (sd->len < sd->total_len && pipe->nrbufs > 1)
+ more |= MSG_SENDPAGE_NOTLAST;
++
+ return file->f_op->sendpage(file, buf->page, buf->offset,
+ sd->len, &pos, more);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
