--- /dev/null
+From de0e843d1feb6feca47e723b0de29496439025ed Mon Sep 17 00:00:00 2001
+From: Michael Chan <mchan@broadcom.com>
+Date: Tue, 10 Jul 2012 10:04:40 +0000
+Subject: bnx2: Fix bug in bnx2_free_tx_skbs().
+
+
+From: Michael Chan <mchan@broadcom.com>
+
+[ Upstream commit c1f5163de417dab01fa9daaf09a74bbb19303f3c ]
+
+In rare cases, bnx2x_free_tx_skbs() can unmap the wrong DMA address
+when it gets to the last entry of the tx ring. We were not using
+the proper macro to skip the last entry when advancing the tx index.
+
+Reported-by: Zongyun Lai <zlai@vmware.com>
+Reviewed-by: Jeffrey Huang <huangjw@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bnx2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bnx2.c
++++ b/drivers/net/bnx2.c
+@@ -5310,7 +5310,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+ int k, last;
+
+ if (skb == NULL) {
+- j++;
++ j = NEXT_TX_BD(j);
+ continue;
+ }
+
+@@ -5322,8 +5322,8 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+ tx_buf->skb = NULL;
+
+ last = tx_buf->nr_frags;
+- j++;
+- for (k = 0; k < last; k++, j++) {
++ j = NEXT_TX_BD(j);
++ for (k = 0; k < last; k++, j = NEXT_TX_BD(j)) {
+ tx_buf = &txr->tx_buf_ring[TX_RING_IDX(j)];
+ dma_unmap_page(&bp->pdev->dev,
+ dma_unmap_addr(tx_buf, mapping),
--- /dev/null
+From 5df4edecb73b2e4406ce8236d461a2be610f72c6 Mon Sep 17 00:00:00 2001
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Date: Sun, 15 Jul 2012 10:10:14 +0000
+Subject: caif: Fix access to freed pernet memory
+
+
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+
+[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]
+
+unregister_netdevice_notifier() must be called before
+unregister_pernet_subsys() to avoid accessing already freed
+pernet memory. This fixes the following oops when doing rmmod:
+
+Call Trace:
+ [<ffffffffa0f802bd>] caif_device_notify+0x4d/0x5a0 [caif]
+ [<ffffffff81552ba9>] unregister_netdevice_notifier+0xb9/0x100
+ [<ffffffffa0f86dcc>] caif_device_exit+0x1c/0x250 [caif]
+ [<ffffffff810e7734>] sys_delete_module+0x1a4/0x300
+ [<ffffffff810da82d>] ? trace_hardirqs_on_caller+0x15d/0x1e0
+ [<ffffffff813517de>] ? trace_hardirqs_on_thunk+0x3a/0x3
+ [<ffffffff81696bad>] system_call_fastpath+0x1a/0x1f
+
+RIP
+ [<ffffffffa0f7f561>] caif_get+0x51/0xb0 [caif]
+
+Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -424,9 +424,9 @@ static int __init caif_device_init(void)
+
+ static void __exit caif_device_exit(void)
+ {
+- unregister_pernet_subsys(&caif_net_ops);
+ unregister_netdevice_notifier(&caif_device_notifier);
+ dev_remove_pack(&caif_packet_type);
++ unregister_pernet_subsys(&caif_net_ops);
+ }
+
+ module_init(caif_device_init);
--- /dev/null
+From 9b19693fb723a0b184c71e9a96cbacf588126a36 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 24 Jul 2012 02:42:14 +0000
+Subject: caif: fix NULL pointer check
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit c66b9b7d365444b433307ebb18734757cb668a02 ]
+
+Reported-by: <rucsoftsec@gmail.com>
+Resolves-bug: http://bugzilla.kernel.org/show_bug?44441
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -325,6 +325,9 @@ static int ldisc_open(struct tty_struct
+
+ sprintf(name, "cf%s", tty->name);
+ dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
++ if (!dev)
++ return -ENOMEM;
++
+ ser = netdev_priv(dev);
+ ser->tty = tty_kref_get(tty);
+ ser->dev = dev;
--- /dev/null
+From f930989bc1e72e766749f893091e9b1feb5ee309 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Tue, 17 Jul 2012 11:07:47 +0000
+Subject: cipso: don't follow a NULL pointer when setsockopt() is called
+
+
+From: Paul Moore <pmoore@redhat.com>
+
+[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]
+
+As reported by Alan Cox, and verified by Lin Ming, when a user
+attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
+tag the kernel dies a terrible death when it attempts to follow a NULL
+pointer (the skb argument to cipso_v4_validate() is NULL when called via
+the setsockopt() syscall).
+
+This patch fixes this by first checking to ensure that the skb is
+non-NULL before using it to find the incoming network interface. In
+the unlikely case where the skb is NULL and the user attempts to add
+a CIPSO option with the _TAG_LOCAL tag we return an error as this is
+not something we want to allow.
+
+A simple reproducer, kindly supplied by Lin Ming, although you must
+have the CIPSO DOI #3 configure on the system first or you will be
+caught early in cipso_v4_validate():
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <linux/ip.h>
+ #include <linux/in.h>
+ #include <string.h>
+
+ struct local_tag {
+ char type;
+ char length;
+ char info[4];
+ };
+
+ struct cipso {
+ char type;
+ char length;
+ char doi[4];
+ struct local_tag local;
+ };
+
+ int main(int argc, char **argv)
+ {
+ int sockfd;
+ struct cipso cipso = {
+ .type = IPOPT_CIPSO,
+ .length = sizeof(struct cipso),
+ .local = {
+ .type = 128,
+ .length = sizeof(struct local_tag),
+ },
+ };
+
+ memset(cipso.doi, 0, 4);
+ cipso.doi[3] = 3;
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ #define SOL_IP 0
+ setsockopt(sockfd, SOL_IP, IP_OPTIONS,
+ &cipso, sizeof(struct cipso));
+
+ return 0;
+ }
+
+CC: Lin Ming <mlin@ss.pku.edu.cn>
+Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_bu
+ case CIPSO_V4_TAG_LOCAL:
+ /* This is a non-standard tag that we only allow for
+ * local connections, so if the incoming interface is
+- * not the loopback device drop the packet. */
+- if (!(skb->dev->flags & IFF_LOOPBACK)) {
++ * not the loopback device drop the packet. Further,
++ * there is no legitimate reason for setting this from
++ * userspace so reject it if skb is NULL. */
++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
+ err_offset = opt_iter;
+ goto validate_return_locked;
+ }
--- /dev/null
+From 032f2f5faa82cabb5459c3a6c7bbc75fbf22f9d0 Mon Sep 17 00:00:00 2001
+From: Jiri Benc <jbenc@redhat.com>
+Date: Fri, 27 Jul 2012 02:58:22 +0000
+Subject: net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling
+
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]
+
+When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI
+flags are handled specially. Function dev_change_flags sets IFF_PROMISC and
+IFF_ALLMULTI bits in dev->gflags according to the passed value but
+do_setlink passes a result of rtnl_dev_combine_flags which takes those bits
+from dev->flags.
+
+This can be easily trigerred by doing:
+
+tcpdump -i eth0 &
+ip l s up eth0
+
+ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with
+IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set
+IFF_PROMISC in gflags.
+
+Reported-by: Max Matveev <makc@redhat.com>
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -647,6 +647,12 @@ static void set_operstate(struct net_dev
+ }
+ }
+
++static unsigned int rtnl_dev_get_flags(const struct net_device *dev)
++{
++ return (dev->flags & ~(IFF_PROMISC | IFF_ALLMULTI)) |
++ (dev->gflags & (IFF_PROMISC | IFF_ALLMULTI));
++}
++
+ static unsigned int rtnl_dev_combine_flags(const struct net_device *dev,
+ const struct ifinfomsg *ifm)
+ {
+@@ -655,7 +661,7 @@ static unsigned int rtnl_dev_combine_fla
+ /* bugwards compatibility: ifi_change == 0 is treated as ~0 */
+ if (ifm->ifi_change)
+ flags = (flags & ifm->ifi_change) |
+- (dev->flags & ~ifm->ifi_change);
++ (rtnl_dev_get_flags(dev) & ~ifm->ifi_change);
+
+ return flags;
+ }
--- /dev/null
+From d85ec052dc477d6b7d579cf454f18b0bf8a0de7a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 29 Jul 2012 19:45:14 +0000
+Subject: net/tun: fix ioctl() based info leaks
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commits a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc
+ and 8bbb181308bc348e02bfdbebdedd4e4ec9d452ce ]
+
+The tun module leaks up to 36 bytes of memory by not fully initializing
+a structure located on the stack that gets copied to user memory by the
+TUNGETIFF and SIOCGIFHWADDR ioctl()s.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1239,10 +1239,12 @@ static long __tun_chr_ioctl(struct file
+ int vnet_hdr_sz;
+ int ret;
+
+- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, ifreq_len))
+ return -EFAULT;
+-
++ } else {
++ memset(&ifr, 0, sizeof(ifr));
++ }
+ if (cmd == TUNGETFEATURES) {
+ /* Currently this just means: "what IFF flags are valid?".
+ * This is needed because we never checked for invalid flags on
--- /dev/null
+From b41d7b4779e76ae90aa193ee848303ac47c68e74 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 12 Jul 2012 03:39:11 +0000
+Subject: sch_sfb: Fix missing NULL check
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ]
+
+Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/sch_sfb.c
++++ b/net/sched/sch_sfb.c
+@@ -556,6 +556,8 @@ static int sfb_dump(struct Qdisc *sch, s
+
+ sch->qstats.backlog = q->qdisc->qstats.backlog;
+ opts = nla_nest_start(skb, TCA_OPTIONS);
++ if (opts == NULL)
++ goto nla_put_failure;
+ NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt);
+ return nla_nest_end(skb, opts);
+
--- /dev/null
+From 01036d0ee5b8be881661295d1a97085e1270d81e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Mon, 16 Jul 2012 09:13:51 +0000
+Subject: sctp: Fix list corruption resulting from freeing an association on a list
+
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ]
+
+A few days ago Dave Jones reported this oops:
+
+[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP
+[22766.295376] CPU 0
+[22766.295384] Modules linked in:
+[22766.387137] ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90
+ffff880147c03a74
+[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000
+[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,
+[22766.387137] Stack:
+[22766.387140] ffff880147c03a10
+[22766.387140] ffffffffa169f2b6
+[22766.387140] ffff88013ed95728
+[22766.387143] 0000000000000002
+[22766.387143] 0000000000000000
+[22766.387143] ffff880003fad062
+[22766.387144] ffff88013c120000
+[22766.387144]
+[22766.387145] Call Trace:
+[22766.387145] <IRQ>
+[22766.387150] [<ffffffffa169f292>] ? __sctp_lookup_association+0x62/0xd0
+[sctp]
+[22766.387154] [<ffffffffa169f2b6>] __sctp_lookup_association+0x86/0xd0 [sctp]
+[22766.387157] [<ffffffffa169f597>] sctp_rcv+0x207/0xbb0 [sctp]
+[22766.387161] [<ffffffff810d4da8>] ? trace_hardirqs_off_caller+0x28/0xd0
+[22766.387163] [<ffffffff815827e3>] ? nf_hook_slow+0x133/0x210
+[22766.387166] [<ffffffff815902fc>] ? ip_local_deliver_finish+0x4c/0x4c0
+[22766.387168] [<ffffffff8159043d>] ip_local_deliver_finish+0x18d/0x4c0
+[22766.387169] [<ffffffff815902fc>] ? ip_local_deliver_finish+0x4c/0x4c0
+[22766.387171] [<ffffffff81590a07>] ip_local_deliver+0x47/0x80
+[22766.387172] [<ffffffff8158fd80>] ip_rcv_finish+0x150/0x680
+[22766.387174] [<ffffffff81590c54>] ip_rcv+0x214/0x320
+[22766.387176] [<ffffffff81558c07>] __netif_receive_skb+0x7b7/0x910
+[22766.387178] [<ffffffff8155856c>] ? __netif_receive_skb+0x11c/0x910
+[22766.387180] [<ffffffff810d423e>] ? put_lock_stats.isra.25+0xe/0x40
+[22766.387182] [<ffffffff81558f83>] netif_receive_skb+0x23/0x1f0
+[22766.387183] [<ffffffff815596a9>] ? dev_gro_receive+0x139/0x440
+[22766.387185] [<ffffffff81559280>] napi_skb_finish+0x70/0xa0
+[22766.387187] [<ffffffff81559cb5>] napi_gro_receive+0xf5/0x130
+[22766.387218] [<ffffffffa01c4679>] e1000_receive_skb+0x59/0x70 [e1000e]
+[22766.387242] [<ffffffffa01c5aab>] e1000_clean_rx_irq+0x28b/0x460 [e1000e]
+[22766.387266] [<ffffffffa01c9c18>] e1000e_poll+0x78/0x430 [e1000e]
+[22766.387268] [<ffffffff81559fea>] net_rx_action+0x1aa/0x3d0
+[22766.387270] [<ffffffff810a495f>] ? account_system_vtime+0x10f/0x130
+[22766.387273] [<ffffffff810734d0>] __do_softirq+0xe0/0x420
+[22766.387275] [<ffffffff8169826c>] call_softirq+0x1c/0x30
+[22766.387278] [<ffffffff8101db15>] do_softirq+0xd5/0x110
+[22766.387279] [<ffffffff81073bc5>] irq_exit+0xd5/0xe0
+[22766.387281] [<ffffffff81698b03>] do_IRQ+0x63/0xd0
+[22766.387283] [<ffffffff8168ee2f>] common_interrupt+0x6f/0x6f
+[22766.387283] <EOI>
+[22766.387284]
+[22766.387285] [<ffffffff8168eed9>] ? retint_swapgs+0x13/0x1b
+[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48
+89 e5 48 83
+ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 <0f> b7 87 98 00 00 00
+48 89 fb
+49 89 f5 66 c1 c0 08 66 39 46 02
+[22766.387307]
+[22766.387307] RIP
+[22766.387311] [<ffffffffa168a2c9>] sctp_assoc_is_match+0x19/0x90 [sctp]
+[22766.387311] RSP <ffff880147c039b0>
+[22766.387142] ffffffffa16ab120
+[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---
+[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt
+
+It appears from his analysis and some staring at the code that this is likely
+occuring because an association is getting freed while still on the
+sctp_assoc_hashtable. As a result, we get a gpf when traversing the hashtable
+while a freed node corrupts part of the list.
+
+Nominally I would think that an mibalanced refcount was responsible for this,
+but I can't seem to find any obvious imbalance. What I did note however was
+that the two places where we create an association using
+sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths
+which free a newly created association after calling sctp_primitive_ASSOCIATE.
+sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which
+issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to
+the aforementioned hash table. the sctp command interpreter that process side
+effects has not way to unwind previously processed commands, so freeing the
+association from the __sctp_connect or sctp_sendmsg error path would lead to a
+freed association remaining on this hash table.
+
+I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init,
+which allows us to proerly use hlist_unhashed to check if the node is on a
+hashlist safely during a delete. That in turn alows us to safely call
+sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths
+before freeing them, regardles of what the associations state is on the hash
+list.
+
+I noted, while I was doing this, that the __sctp_unhash_endpoint was using
+hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes
+pointers to make that function work properly, so I fixed that up in a simmilar
+fashion.
+
+I attempted to test this using a virtual guest running the SCTP_RR test from
+netperf in a loop while running the trinity fuzzer, both in a loop. I wasn't
+able to recreate the problem prior to this fix, nor was I able to trigger the
+failure after (neither of which I suppose is suprising). Given the trace above
+however, I think its likely that this is what we hit.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: davej@redhat.com
+CC: davej@redhat.com
+CC: "David S. Miller" <davem@davemloft.net>
+CC: Vlad Yasevich <vyasevich@gmail.com>
+CC: Sridhar Samudrala <sri@us.ibm.com>
+CC: linux-sctp@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/input.c | 7 ++-----
+ net/sctp/socket.c | 12 ++++++++++--
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -737,15 +737,12 @@ static void __sctp_unhash_endpoint(struc
+
+ epb = &ep->base;
+
+- if (hlist_unhashed(&epb->node))
+- return;
+-
+ epb->hashent = sctp_ep_hashfn(epb->bind_addr.port);
+
+ head = &sctp_ep_hashtable[epb->hashent];
+
+ sctp_write_lock(&head->lock);
+- __hlist_del(&epb->node);
++ hlist_del_init(&epb->node);
+ sctp_write_unlock(&head->lock);
+ }
+
+@@ -826,7 +823,7 @@ static void __sctp_unhash_established(st
+ head = &sctp_assoc_hashtable[epb->hashent];
+
+ sctp_write_lock(&head->lock);
+- __hlist_del(&epb->node);
++ hlist_del_init(&epb->node);
+ sctp_write_unlock(&head->lock);
+ }
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1160,8 +1160,14 @@ out_free:
+ SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p"
+ " kaddrs: %p err: %d\n",
+ asoc, kaddrs, err);
+- if (asoc)
++ if (asoc) {
++ /* sctp_primitive_ASSOCIATE may have added this association
++ * To the hash table, try to unhash it, just in case, its a noop
++ * if it wasn't hashed so we're safe
++ */
++ sctp_unhash_established(asoc);
+ sctp_association_free(asoc);
++ }
+ return err;
+ }
+
+@@ -1871,8 +1877,10 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
+ goto out_unlock;
+
+ out_free:
+- if (new_asoc)
++ if (new_asoc) {
++ sctp_unhash_established(asoc);
+ sctp_association_free(asoc);
++ }
+ out_unlock:
+ sctp_release_sock(sk);
+
nfs-skip-commit-in-releasepage-if-we-re-freeing-memory-for-fs-related-reasons.patch
ext4-pass-a-char-to-ext4_count_free-instead-of-a-buffer_head-ptr.patch
ext4-don-t-let-i_reserved_meta_blocks-go-negative.patch
+bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
+sch_sfb-fix-missing-null-check.patch
+sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch
+caif-fix-access-to-freed-pernet-memory.patch
+cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
+caif-fix-null-pointer-check.patch
+wanmain-comparing-array-with-null.patch
+tcp-add-tcp_user_timeout-negative-value-check.patch
+usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
+net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
+tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
+net-tun-fix-ioctl-based-info-leaks.patch
--- /dev/null
+From e1a1ee222ec5396d300b37683be440c12a614b64 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 26 Jul 2012 22:52:21 +0000
+Subject: tcp: Add TCP_USER_TIMEOUT negative value check
+
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]
+
+TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But
+patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative
+values. If a user assign -1 to it, the socket will set successfully and wait
+for 4294967295 miliseconds. This patch add a negative value check to avoid
+this issue.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2394,7 +2394,10 @@ static int do_tcp_setsockopt(struct sock
+ /* Cap the max timeout in ms TCP will retry/retrans
+ * before giving up and aborting (ETIMEDOUT) a connection.
+ */
+- icsk->icsk_user_timeout = msecs_to_jiffies(val);
++ if (val < 0)
++ err = -EINVAL;
++ else
++ icsk->icsk_user_timeout = msecs_to_jiffies(val);
+ break;
+ default:
+ err = -ENOPROTOOPT;
--- /dev/null
+From bc46d9b438e2c0c49b90c7b3e46ad6c7f01d4102 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Fri, 27 Jul 2012 10:38:50 +0000
+Subject: tcp: perform DMA to userspace only if there is a task waiting for it
+
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]
+
+Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
+added support for receive offloading to IOAT dma engine if available.
+
+The code in tcp_rcv_established() tries to perform early DMA copy if
+applicable. It however does so without checking whether the userspace
+task is actually expecting the data in the buffer.
+
+This is not a problem under normal circumstances, but there is a corner
+case where this doesn't work -- and that's when MSG_TRUNC flag to
+recvmsg() is used.
+
+If the IOAT dma engine is not used, the code properly checks whether
+there is a valid ucopy.task and the socket is owned by userspace, but
+misses the check in the dmaengine case.
+
+This problem can be observed in real trivially -- for example 'tbench' is a
+good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
+IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
+have been already early-copied in tcp_rcv_established() using dma engine.
+
+This patch introduces the same check we are performing in the simple
+iovec copy case to the IOAT case as well. It fixes the indefinite
+recvmsg(MSG_TRUNC) hangs.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5340,7 +5340,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tp->copied_seq == tp->rcv_nxt &&
+ len - tcp_header_len <= tp->ucopy.len) {
+ #ifdef CONFIG_NET_DMA
+- if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
++ if (tp->ucopy.task == current &&
++ sock_owned_by_user(sk) &&
++ tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
+ copied_early = 1;
+ eaten = 1;
+ }
--- /dev/null
+From 32a2b80371e48f11c6316b18009a1020641287b0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 27 Jul 2012 01:46:51 +0000
+Subject: USB: kaweth.c: use GFP_ATOMIC under spin_lock
+
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e4c7f259c5be99dcfc3d98f913590663b0305bf8 ]
+
+The problem is that we call this with a spin lock held. The call tree
+is:
+ kaweth_start_xmit() holds kaweth->device_lock.
+ -> kaweth_async_set_rx_mode()
+ -> kaweth_control()
+ -> kaweth_internal_control_msg()
+
+The kaweth_internal_control_msg() function is only called from
+kaweth_control() which used GFP_ATOMIC for its allocations.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/kaweth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1308,7 +1308,7 @@ static int kaweth_internal_control_msg(s
+ int retv;
+ int length = 0; /* shut up GCC */
+
+- urb = usb_alloc_urb(0, GFP_NOIO);
++ urb = usb_alloc_urb(0, GFP_ATOMIC);
+ if (!urb)
+ return -ENOMEM;
+
--- /dev/null
+From a3fa345f8fdc23941caeed59c1a05110a843b3ae Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 24 Jul 2012 08:16:25 +0000
+Subject: wanmain: comparing array with NULL
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]
+
+gcc really should warn about these !
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wanrouter/wanmain.c | 53 +++++++++++++++++++++---------------------------
+ 1 file changed, 24 insertions(+), 29 deletions(-)
+
+--- a/net/wanrouter/wanmain.c
++++ b/net/wanrouter/wanmain.c
+@@ -602,36 +602,31 @@ static int wanrouter_device_new_if(struc
+ * successfully, add it to the interface list.
+ */
+
+- if (dev->name == NULL) {
+- err = -EINVAL;
+- } else {
+-
+- #ifdef WANDEBUG
+- printk(KERN_INFO "%s: registering interface %s...\n",
+- wanrouter_modname, dev->name);
+- #endif
+-
+- err = register_netdev(dev);
+- if (!err) {
+- struct net_device *slave = NULL;
+- unsigned long smp_flags=0;
+-
+- lock_adapter_irq(&wandev->lock, &smp_flags);
+-
+- if (wandev->dev == NULL) {
+- wandev->dev = dev;
+- } else {
+- for (slave=wandev->dev;
+- DEV_TO_SLAVE(slave);
+- slave = DEV_TO_SLAVE(slave))
+- DEV_TO_SLAVE(slave) = dev;
+- }
+- ++wandev->ndev;
+-
+- unlock_adapter_irq(&wandev->lock, &smp_flags);
+- err = 0; /* done !!! */
+- goto out;
++#ifdef WANDEBUG
++ printk(KERN_INFO "%s: registering interface %s...\n",
++ wanrouter_modname, dev->name);
++#endif
++
++ err = register_netdev(dev);
++ if (!err) {
++ struct net_device *slave = NULL;
++ unsigned long smp_flags=0;
++
++ lock_adapter_irq(&wandev->lock, &smp_flags);
++
++ if (wandev->dev == NULL) {
++ wandev->dev = dev;
++ } else {
++ for (slave=wandev->dev;
++ DEV_TO_SLAVE(slave);
++ slave = DEV_TO_SLAVE(slave))
++ DEV_TO_SLAVE(slave) = dev;
+ }
++ ++wandev->ndev;
++
++ unlock_adapter_irq(&wandev->lock, &smp_flags);
++ err = 0; /* done !!! */
++ goto out;
+ }
+ if (wandev->del_if)
+ wandev->del_if(wandev, dev);
projects / thirdparty / kernel / stable-queue.git / commitdiff
