--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Wed, 16 Dec 2015 20:09:25 +0000
+Subject: af_unix: Revert 'lock_interruptible' in stream receive code
+
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+
+[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ]
+
+With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM
+receive code was changed from using mutex_lock(&u->readlock) to
+mutex_lock_interruptible(&u->readlock) to prevent signals from being
+delayed for an indefinite time if a thread sleeping on the mutex
+happened to be selected for handling the signal. But this was never a
+problem with the stream receive code (as opposed to its datagram
+counterpart) as that never went to sleep waiting for new messages with the
+mutex held and thus, wouldn't cause secondary readers to block on the
+mutex waiting for the sleeping primary reader. As the interruptible
+locking makes the code more complicated in exchange for no benefit,
+change it back to using mutex_lock.
+
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2072,14 +2072,7 @@ static int unix_stream_recvmsg(struct so
+
+ memset(&scm, 0, sizeof(scm));
+
+- err = mutex_lock_interruptible(&u->readlock);
+- if (unlikely(err)) {
+- /* recvmsg() in non blocking mode is supposed to return -EAGAIN
+- * sk_rcvtimeo is not honored by mutex_lock_interruptible()
+- */
+- err = noblock ? -EAGAIN : -ERESTARTSYS;
+- goto out;
+- }
++ mutex_lock(&u->readlock);
+
+ if (flags & MSG_PEEK)
+ skip = sk_peek_offset(sk, flags);
+@@ -2120,12 +2113,12 @@ again:
+
+ timeo = unix_stream_data_wait(sk, timeo, last);
+
+- if (signal_pending(current)
+- || mutex_lock_interruptible(&u->readlock)) {
++ if (signal_pending(current)) {
+ err = sock_intr_errno(timeo);
+ goto out;
+ }
+
++ mutex_lock(&u->readlock);
+ continue;
+ unlock:
+ unix_state_unlock(sk);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Pavel Machek <pavel@ucw.cz>
+Date: Fri, 4 Dec 2015 09:50:00 +0100
+Subject: atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ]
+
+atl1c driver is doing order-4 allocation with GFP_ATOMIC
+priority. That often breaks networking after resume. Switch to
+GFP_KERNEL. Still not ideal, but should be significantly better.
+
+atl1c_setup_ring_resources() is called from .open() function, and
+already uses GFP_KERNEL, so this change is safe.
+
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1014,13 +1014,12 @@ static int atl1c_setup_ring_resources(st
+ sizeof(struct atl1c_recv_ret_status) * rx_desc_count +
+ 8 * 4;
+
+- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size,
+- &ring_header->dma);
++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size,
++ &ring_header->dma, GFP_KERNEL);
+ if (unlikely(!ring_header->desc)) {
+- dev_err(&pdev->dev, "pci_alloc_consistend failed\n");
++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n");
+ goto err_nomem;
+ }
+- memset(ring_header->desc, 0, ring_header->size);
+ /* init TPD ring */
+
+ tpd_ring[0].dma = roundup(ring_header->dma, 8);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 15 Dec 2015 15:39:08 -0500
+Subject: bluetooth: Validate socket address length in sco_sock_bind().
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/sco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -520,6 +520,9 @@ static int sco_sock_bind(struct socket *
+ if (!addr || addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+
++ if (addr_len < sizeof(struct sockaddr_sco))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_OPEN) {
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 15 Dec 2015 21:01:53 +0100
+Subject: fou: clean up socket with kfree_rcu
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 3036facbb7be3a169e35be3b271162b0fa564a2d ]
+
+fou->udp_offloads is managed by RCU. As it is actually included inside
+the fou sockets, we cannot let the memory go out of scope before a grace
+period. We either can synchronize_rcu or switch over to kfree_rcu to
+manage the sockets. kfree_rcu seems appropriate as it is used by vxlan
+and geneve.
+
+Fixes: 23461551c00628c ("fou: Support for foo-over-udp RX path")
+Cc: Tom Herbert <tom@herbertland.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fou.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -24,6 +24,7 @@ struct fou {
+ u16 type;
+ struct udp_offload udp_offloads;
+ struct list_head list;
++ struct rcu_head rcu;
+ };
+
+ #define FOU_F_REMCSUM_NOPARTIAL BIT(0)
+@@ -421,7 +422,7 @@ static void fou_release(struct fou *fou)
+ list_del(&fou->list);
+ udp_tunnel_sock_release(sock);
+
+- kfree(fou);
++ kfree_rcu(fou, rcu);
+ }
+
+ static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg)
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 3 Dec 2015 17:21:50 +0100
+Subject: gre6: allow to update all parameters via rtnl
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ]
+
+Parameters were updated only if the kernel was unable to find the tunnel
+with the new parameters, ie only if core pamareters were updated (keys,
+addr, link, type).
+Now it's possible to update ttl, hoplimit, flowinfo and flags.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1553,13 +1553,11 @@ static int ip6gre_changelink(struct net_
+ return -EEXIST;
+ } else {
+ t = nt;
+-
+- ip6gre_tunnel_unlink(ign, t);
+- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+- ip6gre_tunnel_link(ign, t);
+- netdev_state_change(dev);
+ }
+
++ ip6gre_tunnel_unlink(ign, t);
++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
++ ip6gre_tunnel_link(ign, t);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 15 Dec 2015 22:59:12 +0100
+Subject: ipv6: automatically enable stable privacy mode if stable_secret set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 9b29c6962b70f232cde4076b1020191e1be0889d ]
+
+Bjørn reported that while we switch all interfaces to privacy stable mode
+when setting the secret, we don't set this mode for new interfaces. This
+does not make sense, so change this behaviour.
+
+Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf")
+Reported-by: Bjørn Mork <bjorn@mork.no>
+Cc: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -343,6 +343,12 @@ static struct inet6_dev *ipv6_add_dev(st
+ setup_timer(&ndev->rs_timer, addrconf_rs_timer,
+ (unsigned long)ndev);
+ memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
++
++ if (ndev->cnf.stable_secret.initialized)
++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
++ else
++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
++
+ ndev->cnf.mtu6 = dev->mtu;
+ ndev->cnf.sysctl = NULL;
+ ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 4 Dec 2015 14:15:08 +0100
+Subject: ipv6: keep existing flags when setting IFA_F_OPTIMISTIC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 9a1ec4612c9bfc94d4185e3459055a37a685e575 ]
+
+Commit 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag")
+failed to update the setting of the IFA_F_OPTIMISTIC flag, causing
+the IFA_F_STABLE_PRIVACY flag to be lost if IFA_F_OPTIMISTIC is set.
+
+Cc: Erik Kline <ek@google.com>
+Cc: Fernando Gont <fgont@si6networks.com>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: YOSHIFUJI Hideaki/吉藤英明 <hideaki.yoshifuji@miraclelinux.com>
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Fixes: 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag")
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2384,7 +2384,7 @@ ok:
+ #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
+ if (in6_dev->cnf.optimistic_dad &&
+ !net->ipv6.devconf_all->forwarding && sllao)
+- addr_flags = IFA_F_OPTIMISTIC;
++ addr_flags |= IFA_F_OPTIMISTIC;
+ #endif
+
+ /* Do not allow to create too much of autoconfigured
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Dec 2015 07:25:06 -0800
+Subject: ipv6: sctp: clone options to avoid use after free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ]
+
+SCTP is lacking proper np->opt cloning at accept() time.
+
+TCP and DCCP use ipv6_dup_options() helper, do the same
+in SCTP.
+
+We might later factorize this code in a common helper to avoid
+future mistakes.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -634,6 +634,7 @@ static struct sock *sctp_v6_create_accep
+ struct sock *newsk;
+ struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+ struct sctp6_sock *newsctp6sk;
++ struct ipv6_txoptions *opt;
+
+ newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot);
+ if (!newsk)
+@@ -653,6 +654,13 @@ static struct sock *sctp_v6_create_accep
+
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+
++ rcu_read_lock();
++ opt = rcu_dereference(np->opt);
++ if (opt)
++ opt = ipv6_dup_options(newsk, opt);
++ RCU_INIT_POINTER(newnp->opt, opt);
++ rcu_read_unlock();
++
+ /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
+ * and getpeername().
+ */
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -386,6 +386,7 @@ struct sock {
+ sk_no_check_rx : 1,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -259,6 +259,9 @@ static int inet_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net,
+ struct sock *sk;
+ struct irda_sock *self;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed, 16 Dec 2015 23:39:04 -0800
+Subject: net: check both type and procotol for tcp sockets
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ]
+
+Dmitry reported the following out-of-bound access:
+
+Call Trace:
+ [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
+mm/kasan/report.c:294
+ [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
+ [< inline >] SYSC_setsockopt net/socket.c:1746
+ [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
+ [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
+arch/x86/entry/entry_64.S:185
+
+This is because we mistake a raw socket as a tcp socket.
+We should check both sk->sk_type and sk->sk_protocol to ensure
+it is a tcp socket.
+
+Willem points out __skb_complete_tx_timestamp() needs to fix as well.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 ++-
+ net/core/sock.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3661,7 +3661,8 @@ static void __skb_complete_tx_timestamp(
+ serr->ee.ee_info = tstype;
+ if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
+ serr->ee.ee_data = skb_shinfo(skb)->tskey;
+- if (sk->sk_protocol == IPPROTO_TCP)
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_type == SOCK_STREAM)
+ serr->ee.ee_data -= sk->sk_tskey;
+ }
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -859,7 +859,8 @@ set_rcvbuf:
+
+ if (val & SOF_TIMESTAMPING_OPT_ID &&
+ !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
+- if (sk->sk_protocol == IPPROTO_TCP) {
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_type == SOCK_STREAM) {
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ ret = -EINVAL;
+ break;
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Dec 2015 14:08:53 -0800
+Subject: net: fix IP early demux races
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5037e9ef9454917b047f9f3a19b4dd179fbf7cd4 ]
+
+David Wilder reported crashes caused by dst reuse.
+
+<quote David>
+ I am seeing a crash on a distro V4.2.3 kernel caused by a double
+ release of a dst_entry. In ipv4_dst_destroy() the call to
+ list_empty() finds a poisoned next pointer, indicating the dst_entry
+ has already been removed from the list and freed. The crash occurs
+ 18 to 24 hours into a run of a network stress exerciser.
+</quote>
+
+Thanks to his detailed report and analysis, we were able to understand
+the core issue.
+
+IP early demux can associate a dst to skb, after a lookup in TCP/UDP
+sockets.
+
+When socket cache is not properly set, we want to store into
+sk->sk_dst_cache the dst for future IP early demux lookups,
+by acquiring a stable refcount on the dst.
+
+Problem is this acquisition is simply using an atomic_inc(),
+which works well, unless the dst was queued for destruction from
+dst_release() noticing dst refcount went to zero, if DST_NOCACHE
+was set on dst.
+
+We need to make sure current refcount is not zero before incrementing
+it, or risk double free as David reported.
+
+This patch, being a stable candidate, adds two new helpers, and use
+them only from IP early demux problematic paths.
+
+It might be possible to merge in net-next skb_dst_force() and
+skb_dst_force_safe(), but I prefer having the smallest patch for stable
+kernels : Maybe some skb_dst_force() callers do not expect skb->dst
+can suddenly be cleared.
+
+Can probably be backported back to linux-3.6 kernels
+
+Reported-by: David J. Wilder <dwilder@us.ibm.com>
+Tested-by: David J. Wilder <dwilder@us.ibm.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h | 33 +++++++++++++++++++++++++++++++++
+ include/net/sock.h | 2 +-
+ net/ipv4/tcp_ipv4.c | 5 ++---
+ net/ipv6/tcp_ipv6.c | 3 +--
+ 4 files changed, 37 insertions(+), 6 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -312,6 +312,39 @@ static inline void skb_dst_force(struct
+ }
+ }
+
++/**
++ * dst_hold_safe - Take a reference on a dst if possible
++ * @dst: pointer to dst entry
++ *
++ * This helper returns false if it could not safely
++ * take a reference on a dst.
++ */
++static inline bool dst_hold_safe(struct dst_entry *dst)
++{
++ if (dst->flags & DST_NOCACHE)
++ return atomic_inc_not_zero(&dst->__refcnt);
++ dst_hold(dst);
++ return true;
++}
++
++/**
++ * skb_dst_force_safe - makes sure skb dst is refcounted
++ * @skb: buffer
++ *
++ * If dst is not yet refcounted and not destroyed, grab a ref on it.
++ */
++static inline void skb_dst_force_safe(struct sk_buff *skb)
++{
++ if (skb_dst_is_noref(skb)) {
++ struct dst_entry *dst = skb_dst(skb);
++
++ if (!dst_hold_safe(dst))
++ dst = NULL;
++
++ skb->_skb_refdst = (unsigned long)dst;
++ }
++}
++
+
+ /**
+ * __skb_tunnel_rx - prepare skb for rx reinsert
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -799,7 +799,7 @@ void sk_stream_write_space(struct sock *
+ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
+ {
+ /* dont let skb dst not refcounted, we are going to leave rcu lock */
+- skb_dst_force(skb);
++ skb_dst_force_safe(skb);
+
+ if (!sk->sk_backlog.tail)
+ sk->sk_backlog.head = skb;
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struc
+ if (likely(sk->sk_rx_dst))
+ skb_dst_drop(skb);
+ else
+- skb_dst_force(skb);
++ skb_dst_force_safe(skb);
+
+ __skb_queue_tail(&tp->ucopy.prequeue, skb);
+ tp->ucopy.memory += skb->truesize;
+@@ -1714,8 +1714,7 @@ void inet_sk_rx_dst_set(struct sock *sk,
+ {
+ struct dst_entry *dst = skb_dst(skb);
+
+- if (dst) {
+- dst_hold(dst);
++ if (dst && dst_hold_safe(dst)) {
+ sk->sk_rx_dst = dst;
+ inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+ }
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct s
+ {
+ struct dst_entry *dst = skb_dst(skb);
+
+- if (dst) {
++ if (dst && dst_hold_safe(dst)) {
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+- dst_hold(dst);
+ sk->sk_rx_dst = dst;
+ inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+ if (rt->rt6i_node)
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: "tadeusz.struk@intel.com" <tadeusz.struk@intel.com>
+Date: Tue, 15 Dec 2015 10:46:17 -0800
+Subject: net: fix uninitialized variable issue
+
+From: "tadeusz.struk@intel.com" <tadeusz.struk@intel.com>
+
+[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ]
+
+msg_iocb needs to be initialized on the recv/recvfrom path.
+Otherwise afalg will wrongly interpret it as an async call.
+
+Cc: stable@vger.kernel.org
+Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1705,6 +1705,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+ msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
+ /* We assume all kernel code knows the size of sockaddr_storage */
+ msg.msg_namelen = 0;
++ msg.msg_iocb = NULL;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Fri, 4 Dec 2015 16:29:10 +0100
+Subject: net: qca_spi: fix transmit queue timeout handling
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit ed7d42e24effbd3681e909711a7a2119a85e9217 ]
+
+In case of a tx queue timeout every transmit is blocked until the
+QCA7000 resets himself and triggers a sync which makes the driver
+flushs the tx ring. So avoid this blocking situation by triggering
+the sync immediately after the timeout. Waking the queue doesn't
+make sense in this situation.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_devi
+ netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n",
+ jiffies, jiffies - dev->trans_start);
+ qca->net_dev->stats.tx_errors++;
+- /* wake the queue if there is room */
+- if (qcaspi_tx_ring_has_space(&qca->txr))
+- netif_wake_queue(dev);
++ /* Trigger tx queue flush and QCA7000 reset */
++ qca->sync = QCASPI_SYNC_UNKNOWN;
+ }
+
+ static int
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 15 Dec 2015 09:43:12 -0800
+Subject: net_sched: make qdisc_tree_decrease_qlen() work for non mq
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 225734de70cd0a9e0b978f3583a4a87939271d5e ]
+
+Stas Nichiporovich reported a regression in his HFSC qdisc setup
+on a non multi queue device.
+
+It turns out I mistakenly added a TCQ_F_NOPARENT flag on all qdisc
+allocated in qdisc_create() for non multi queue devices, which was
+rather buggy. I was clearly mislead by the TCQ_F_ONETXQUEUE that is
+also set here for no good reason, since it only matters for the root
+qdisc.
+
+Fixes: 4eaf3b84f288 ("net_sched: fix qdisc_tree_decrease_qlen() races")
+Reported-by: Stas Nichiporovich <stasn77@gmail.com>
+Tested-by: Stas Nichiporovich <stasn77@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, str
+ }
+ lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
+ if (!netif_is_multiqueue(dev))
+- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
++ sch->flags |= TCQ_F_ONETXQUEUE;
+ }
+
+ sch->handle = handle;
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 3 Dec 2015 16:49:32 +0100
+Subject: pppoe: fix memory corruption in padt work structure
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit fe53985aaac83d516b38358d4f39921d9942a0e2 ]
+
+pppoe_connect() mustn't touch the padt_work field of pppoe sockets
+because that work could be already pending.
+
+[ 21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004
+[ 21.474523] IP: [<c1043177>] process_one_work+0x29/0x31c
+[ 21.475164] *pde = 00000000
+[ 21.475513] Oops: 0000 [#1] SMP
+[ 21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio
+[ 21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1
+[ 21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
+[ 21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000
+[ 21.476168] EIP: 0060:[<c1043177>] EFLAGS: 00010046 CPU: 2
+[ 21.476168] EIP is at process_one_work+0x29/0x31c
+[ 21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000
+[ 21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc
+[ 21.484082] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
+[ 21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690
+[ 21.484082] Stack:
+[ 21.484082] 00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000
+[ 21.484082] 00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970
+[ 21.484082] f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74
+[ 21.484082] Call Trace:
+[ 21.484082] [<c1327945>] ? _raw_spin_lock_irq+0x28/0x30
+[ 21.484082] [<c1043984>] worker_thread+0x1b1/0x244
+[ 21.484082] [<c10437d3>] ? rescuer_thread+0x229/0x229
+[ 21.484082] [<c10437d3>] ? rescuer_thread+0x229/0x229
+[ 21.484082] [<c1047059>] kthread+0x8f/0x94
+[ 21.484082] [<c1327a32>] ? _raw_spin_unlock_irq+0x22/0x26
+[ 21.484082] [<c1327ee9>] ret_from_kernel_thread+0x21/0x38
+[ 21.484082] [<c1046fca>] ? kthread_parkme+0x19/0x19
+[ 21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d
+[ 21.496082] EIP: [<c1043177>] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc
+[ 21.496082] CR2: 0000000000000004
+[ 21.496082] ---[ end trace e362cc9cf10dae89 ]---
+
+Reported-by: Andrew <nitr0@seti.kr.ua>
+Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net,
+ sk->sk_family = PF_PPPOX;
+ sk->sk_protocol = PX_PROTO_OE;
+
++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work,
++ pppoe_unbind_sock_work);
++
+ return 0;
+ }
+
+@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *
+
+ lock_sock(sk);
+
+- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);
+-
+ error = -EINVAL;
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *
+ po->pppoe_dev = NULL;
+ }
+
+- memset(sk_pppox(po) + 1, 0,
+- sizeof(struct pppox_sock) - sizeof(struct sock));
++ po->pppoe_ifindex = 0;
++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay));
++ memset(&po->chan, 0, sizeof(po->chan));
++ po->next = NULL;
++ po->num = 0;
++
+ sk->sk_state = PPPOX_NONE;
+ }
+
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 14 Dec 2015 13:48:36 -0800
+Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
+
+Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock
+ struct pptp_opt *opt = &po->proto.pptp;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ opt->src_addr = sp->sa_addr.pptp;
+@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s
+ struct flowi4 fl4;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ if (sp->sa_protocol != PX_PROTO_PPTP)
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Tue, 8 Dec 2015 12:17:42 +0100
+Subject: r8152: fix lockup when runtime PM is enabled
+
+From: Peter Wu <peter@lekensteyn.nl>
+
+[ Upstream commit 90186af404ada5a47b875bf3c16d0b02bb023ea0 ]
+
+When an interface is brought up which was previously suspended (via
+runtime PM), it would hang. This happens because napi_disable is called
+before napi_enable.
+
+Solve this by avoiding napi_enable in the resume during open function
+(netif_running is true when open is called, IFF_UP is set after a
+successful open; netif_running is false when close is called, but IFF_UP
+is then still set).
+
+While at it, remove WORK_ENABLE check from rtl8152_open (introduced with
+the original change) because it cannot happen:
+
+ - After this patch, runtime resume will not set it during rtl8152_open.
+ - When link is up, rtl8152_open is not called.
+ - When link is down during system/auto suspend/resume, it is not set.
+
+Fixes: 41cec84cf285 ("r8152: don't enable napi before rx ready")
+Link: https://lkml.kernel.org/r/20151205105912.GA1766@al
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Acked-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 21 +++------------------
+ 1 file changed, 3 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3006,17 +3006,6 @@ static int rtl8152_open(struct net_devic
+
+ mutex_lock(&tp->control);
+
+- /* The WORK_ENABLE may be set when autoresume occurs */
+- if (test_bit(WORK_ENABLE, &tp->flags)) {
+- clear_bit(WORK_ENABLE, &tp->flags);
+- usb_kill_urb(tp->intr_urb);
+- cancel_delayed_work_sync(&tp->schedule);
+-
+- /* disable the tx/rx, if the workqueue has enabled them. */
+- if (netif_carrier_ok(netdev))
+- tp->rtl_ops.disable(tp);
+- }
+-
+ tp->rtl_ops.up(tp);
+
+ rtl8152_set_speed(tp, AUTONEG_ENABLE,
+@@ -3063,12 +3052,6 @@ static int rtl8152_close(struct net_devi
+ } else {
+ mutex_lock(&tp->control);
+
+- /* The autosuspend may have been enabled and wouldn't
+- * be disable when autoresume occurs, because the
+- * netif_running() would be false.
+- */
+- rtl_runtime_suspend_enable(tp, false);
+-
+ tp->rtl_ops.down(tp);
+
+ mutex_unlock(&tp->control);
+@@ -3369,7 +3352,7 @@ static int rtl8152_resume(struct usb_int
+ netif_device_attach(tp->netdev);
+ }
+
+- if (netif_running(tp->netdev)) {
++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) {
+ if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
+ rtl_runtime_suspend_enable(tp, false);
+ clear_bit(SELECTIVE_SUSPEND, &tp->flags);
+@@ -3387,6 +3370,8 @@ static int rtl8152_resume(struct usb_int
+ }
+ usb_submit_urb(tp->intr_urb, GFP_KERNEL);
+ } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
++ if (tp->netdev->flags & IFF_UP)
++ rtl_runtime_suspend_enable(tp, false);
+ clear_bit(SELECTIVE_SUSPEND, &tp->flags);
+ }
+
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 16 Dec 2015 18:13:14 +0800
+Subject: rhashtable: Enforce minimum size on initial hash table
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3a324606bbabfc30084ce9d08169910773ba9a92 ]
+
+William Hua <william.hua@canonical.com> wrote:
+>
+> I wasn't aware there was an enforced minimum size. I simply set the
+> nelem_hint in the rhastable_params struct to 1, expecting it to grow as
+> needed. This caused a segfault afterwards when trying to insert an
+> element.
+
+OK we're doing the size computation before we enforce the limit
+on min_size.
+
+---8<---
+We need to do the initial hash table size computation after we
+have obtained the correct min_size/max_size parameters. Otherwise
+we may end up with a hash table whose size is outside the allowed
+envelope.
+
+Fixes: a998f712f77e ("rhashtable: Round up/down min/max_size to...")
+Reported-by: William Hua <william.hua@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/rhashtable.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/rhashtable.c
++++ b/lib/rhashtable.c
+@@ -730,9 +730,6 @@ int rhashtable_init(struct rhashtable *h
+ if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT))
+ return -EINVAL;
+
+- if (params->nelem_hint)
+- size = rounded_hashtable_size(params);
+-
+ memset(ht, 0, sizeof(*ht));
+ mutex_init(&ht->mutex);
+ spin_lock_init(&ht->lock);
+@@ -752,6 +749,9 @@ int rhashtable_init(struct rhashtable *h
+
+ ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE);
+
++ if (params->nelem_hint)
++ size = rounded_hashtable_size(&ht->p);
++
+ /* The maximum (not average) chain length grows with the
+ * size of the hash table, at a rate of (log N)/(log log N).
+ * The value of 16 is selected so that even if the hash
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 16 Dec 2015 16:45:54 +0800
+Subject: rhashtable: Fix walker list corruption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit c6ff5268293ef98e48a99597e765ffc417e39fa5 ]
+
+The commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c ("rhashtable:
+Fix sleeping inside RCU critical section in walk_stop") introduced
+a new spinlock for the walker list. However, it did not convert
+all existing users of the list over to the new spin lock. Some
+continued to use the old mutext for this purpose. This obviously
+led to corruption of the list.
+
+The fix is to use the spin lock everywhere where we touch the list.
+
+This also allows us to do rcu_rad_lock before we take the lock in
+rhashtable_walk_start. With the old mutex this would've deadlocked
+but it's safe with the new spin lock.
+
+Fixes: ba7c95ea3870 ("rhashtable: Fix sleeping inside RCU...")
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/rhashtable.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/lib/rhashtable.c
++++ b/lib/rhashtable.c
+@@ -506,10 +506,11 @@ int rhashtable_walk_init(struct rhashtab
+ if (!iter->walker)
+ return -ENOMEM;
+
+- mutex_lock(&ht->mutex);
+- iter->walker->tbl = rht_dereference(ht->tbl, ht);
++ spin_lock(&ht->lock);
++ iter->walker->tbl =
++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock));
+ list_add(&iter->walker->list, &iter->walker->tbl->walkers);
+- mutex_unlock(&ht->mutex);
++ spin_unlock(&ht->lock);
+
+ return 0;
+ }
+@@ -523,10 +524,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init);
+ */
+ void rhashtable_walk_exit(struct rhashtable_iter *iter)
+ {
+- mutex_lock(&iter->ht->mutex);
++ spin_lock(&iter->ht->lock);
+ if (iter->walker->tbl)
+ list_del(&iter->walker->list);
+- mutex_unlock(&iter->ht->mutex);
++ spin_unlock(&iter->ht->lock);
+ kfree(iter->walker);
+ }
+ EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
+@@ -550,14 +551,12 @@ int rhashtable_walk_start(struct rhashta
+ {
+ struct rhashtable *ht = iter->ht;
+
+- mutex_lock(&ht->mutex);
++ rcu_read_lock();
+
++ spin_lock(&ht->lock);
+ if (iter->walker->tbl)
+ list_del(&iter->walker->list);
+-
+- rcu_read_lock();
+-
+- mutex_unlock(&ht->mutex);
++ spin_unlock(&ht->lock);
+
+ if (!iter->walker->tbl) {
+ iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 4 Dec 2015 15:14:05 -0200
+Subject: sctp: also copy sk_tsflags when copying the socket
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 50a5ffb1ef535e3c6989711c51b5d61b543a3b45 ]
+
+As we are keeping timestamps on when copying the socket, we also have to
+copy sk_tsflags.
+
+This is needed since b9f40e21ef42 ("net-timestamp: move timestamp flags
+out of sk_flags").
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7175,6 +7175,7 @@ void sctp_copy_sock(struct sock *newsk,
+ newsk->sk_type = sk->sk_type;
+ newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
+ newsk->sk_flags = sk->sk_flags;
++ newsk->sk_tsflags = sk->sk_tsflags;
+ newsk->sk_no_check_tx = sk->sk_no_check_tx;
+ newsk->sk_no_check_rx = sk->sk_no_check_rx;
+ newsk->sk_reuse = sk->sk_reuse;
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 4 Dec 2015 15:14:04 -0200
+Subject: sctp: update the netstamp_needed counter when copying sockets
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ]
+
+Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy
+related to disabling sock timestamp.
+
+When SCTP accepts an association or peel one off, it copies sock flags
+but forgot to call net_enable_timestamp() if a packet timestamping flag
+was copied, leading to extra calls to net_disable_timestamp() whenever
+such clones were closed.
+
+The fix is to call net_enable_timestamp() whenever we copy a sock with
+that flag on, like tcp does.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 2 ++
+ net/core/sock.c | 2 --
+ net/sctp/socket.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -722,6 +722,8 @@ enum sock_flags {
+ SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */
+ };
+
++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
++
+ static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
+ {
+ nsk->sk_flags = osk->sk_flags;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -421,8 +421,6 @@ static void sock_warn_obsolete_bsdism(co
+ }
+ }
+
+-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
+-
+ static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
+ {
+ if (sk->sk_flags & flags) {
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7207,6 +7207,9 @@ void sctp_copy_sock(struct sock *newsk,
+ newinet->mc_ttl = 1;
+ newinet->mc_index = 0;
+ newinet->mc_list = NULL;
++
++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
++ net_enable_timestamp();
+ }
+
+ static inline void sctp_copy_descendant(struct sock *sk_to,
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 4 Dec 2015 15:14:03 -0200
+Subject: sctp: use the same clock as if sock source timestamps were on
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ]
+
+SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for
+detecting stale cookies. This cookie is echoed back to the server by the
+client and then that timestamp is checked.
+
+Thing is, if the listening socket is using packet timestamping, the
+cookie is encoded with ktime_get() value and checked against
+ktime_get_real(), as done by __net_timestamp().
+
+The fix is to sctp also use ktime_get_real(), so we can compare bananas
+with bananas later no matter if packet timestamping was enabled or not.
+
+Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_co
+
+ /* Set an expiration time for the cookie. */
+ cookie->c.expiration = ktime_add(asoc->cookie_life,
+- ktime_get());
++ ktime_get_real());
+
+ /* Copy the peer's init packet. */
+ memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
+@@ -1780,7 +1780,7 @@ no_hmac:
+ if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
+ kt = skb_get_ktime(skb);
+ else
+- kt = ktime_get();
++ kt = ktime_get_real();
+
+ if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
+ /*
usb-musb-usb_ti_cppi41_dma-requires-dmaengine-support.patch
usb-core-hub-fix-bos-null-pointer-kernel-panic.patch
usb-use-the-usb_ss_mult-macro-to-decode-burst-multiplier-for-log-message.patch
+pppoe-fix-memory-corruption-in-padt-work-structure.patch
+gre6-allow-to-update-all-parameters-via-rtnl.patch
+atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
+ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch
+vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch
+sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
+sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
+sctp-also-copy-sk_tsflags-when-copying-the-socket.patch
+net-qca_spi-fix-transmit-queue-timeout-handling.patch
+r8152-fix-lockup-when-runtime-pm-is-enabled.patch
+ipv6-sctp-clone-options-to-avoid-use-after-free.patch
+net-add-validation-for-the-socket-syscall-protocol-argument.patch
+sh_eth-fix-kernel-oops-in-skb_put.patch
+net-fix-ip-early-demux-races.patch
+pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
+vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
+skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
+net-check-both-type-and-procotol-for-tcp-sockets.patch
+net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch
+bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
+net-fix-uninitialized-variable-issue.patch
+ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch
+rhashtable-enforce-minimum-size-on-initial-hash-table.patch
+fou-clean-up-socket-with-kfree_rcu.patch
+af_unix-revert-lock_interruptible-in-stream-receive-code.patch
+tcp-restore-fastopen-with-no-data-in-syn-packet.patch
+rhashtable-fix-walker-list-corruption.patch
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 4 Dec 2015 01:45:40 +0300
+Subject: sh_eth: fix kernel oops in skb_put()
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ]
+
+In a low memory situation the following kernel oops occurs:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000050
+pgd = 8490c000
+[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in:
+CPU: 0 Not tainted (3.4-at16 #9)
+PC is at skb_put+0x10/0x98
+LR is at sh_eth_poll+0x2c8/0xa10
+pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113
+sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4
+r10: 0000003f r9 : 000005ea r8 : 00000000
+r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180
+r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c53c7d Table: 4248c059 DAC: 00000015
+Process klogd (pid: 2046, stack limit = 0x84eb02e8)
+[...]
+
+This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left
+NULL but sh_eth_rx() later uses it without checking. Add such check...
+
+Reported-by: Yasushi SHOJI <yashi@atmark-techno.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *
+ if (mdp->cd->shift_rd0)
+ desc_status >>= 16;
+
++ skb = mdp->rx_skbuff[entry];
+ if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 |
+ RD_RFS5 | RD_RFS6 | RD_RFS10)) {
+ ndev->stats.rx_errors++;
+@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *
+ ndev->stats.rx_missed_errors++;
+ if (desc_status & RD_RFS10)
+ ndev->stats.rx_over_errors++;
+- } else {
++ } else if (skb) {
+ if (!mdp->cd->hw_swap)
+ sh_eth_soft_swap(
+ phys_to_virt(ALIGN(rxdesc->addr, 4)),
+ pkt_len + 2);
+- skb = mdp->rx_skbuff[entry];
+ mdp->rx_skbuff[entry] = NULL;
+ if (mdp->cd->rpadir)
+ skb_reserve(skb, NET_IP_ALIGN);
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Mon, 14 Dec 2015 17:44:10 -0500
+Subject: skbuff: Fix offset error in skb_reorder_vlan_header
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ]
+
+skb_reorder_vlan_header is called after the vlan header has
+been pulled. As a result the offset of the begining of
+the mac header has been incrased by 4 bytes (VLAN_HLEN).
+When moving the mac addresses, include this incrase in
+the offset calcualation so that the mac addresses are
+copied correctly.
+
+Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off)
+CC: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+CC: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4200,7 +4200,7 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Dec 2015 13:53:10 -0800
+Subject: tcp: restore fastopen with no data in SYN packet
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 07e100f984975cb0417a7d5e626d0409efbad478 ]
+
+Yuchung tracked a regression caused by commit 57be5bdad759 ("ip: convert
+tcp_sendmsg() to iov_iter primitives") for TCP Fast Open.
+
+Some Fast Open users do not actually add any data in the SYN packet.
+
+Fixes: 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives")
+Reported-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3143,7 +3143,7 @@ static int tcp_send_syn_data(struct sock
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_request *fo = tp->fastopen_req;
+- int syn_loss = 0, space, err = 0, copied;
++ int syn_loss = 0, space, err = 0;
+ unsigned long last_syn_loss = 0;
+ struct sk_buff *syn_data;
+
+@@ -3181,17 +3181,18 @@ static int tcp_send_syn_data(struct sock
+ goto fallback;
+ syn_data->ip_summed = CHECKSUM_PARTIAL;
+ memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+- copied = copy_from_iter(skb_put(syn_data, space), space,
+- &fo->data->msg_iter);
+- if (unlikely(!copied)) {
+- kfree_skb(syn_data);
+- goto fallback;
+- }
+- if (copied != space) {
+- skb_trim(syn_data, copied);
+- space = copied;
++ if (space) {
++ int copied = copy_from_iter(skb_put(syn_data, space), space,
++ &fo->data->msg_iter);
++ if (unlikely(!copied)) {
++ kfree_skb(syn_data);
++ goto fallback;
++ }
++ if (copied != space) {
++ skb_trim(syn_data, copied);
++ space = copied;
++ }
+ }
+-
+ /* No more data pending in inet_wait_for_connect() */
+ if (space == fo->size)
+ fo->data = NULL;
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Mon, 16 Nov 2015 15:43:44 -0500
+Subject: vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ]
+
+When we have multiple stacked vlan devices all of which have
+turned off REORDER_HEADER flag, the untag operation does not
+locate the ethernet addresses correctly for nested vlans.
+The reason is that in case of REORDER_HEADER flag being off,
+the outer vlan headers are put back and the mac_len is adjusted
+to account for the presense of the header. Then, the subsequent
+untag operation, for the next level vlan, always use VLAN_ETH_HLEN
+to locate the begining of the ethernet header and that ends up
+being a multiple of 4 bytes short of the actuall beginning
+of the mac header (the multiple depending on the how many vlan
+encapsulations ethere are).
+
+As a reslult, if there are multiple levles of vlan devices
+with REODER_HEADER being off, the recevied packets end up
+being dropped.
+
+To solve this, we use skb->mac_len as the offset. The value
+is always set on receive path and starts out as a ETH_HLEN.
+The value is also updated when the vlan header manupations occur
+so we know it will be correct.
+
+Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4200,7 +4200,8 @@ static struct sk_buff *skb_reorder_vlan_
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
++ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
--- /dev/null
+From foo@baz Wed Dec 30 19:52:45 PST 2015
+From: Jiri Benc <jbenc@redhat.com>
+Date: Fri, 4 Dec 2015 13:54:03 +0100
+Subject: vxlan: fix incorrect RCO bit in VXLAN header
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit c5fb8caaf91ea6a92920cf24db10cfc94d58de0f ]
+
+Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of
+VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's
+also in violation with the RFC draft.
+
+Fixes: 3511494ce2f3d ("vxlan: Group Policy extension")
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: Tom Herbert <therbert@google.com>
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Acked-by: Tom Herbert <tom@herbertland.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/vxlan.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/vxlan.h
++++ b/include/net/vxlan.h
+@@ -78,7 +78,7 @@ struct vxlanhdr {
+ };
+
+ /* VXLAN header flags. */
+-#define VXLAN_HF_RCO BIT(24)
++#define VXLAN_HF_RCO BIT(21)
+ #define VXLAN_HF_VNI BIT(27)
+ #define VXLAN_HF_GBP BIT(31)
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
