--- /dev/null
+From 8febcfeffe07f11fd9414d54c1681ba711cfeb04 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Tue, 6 Nov 2012 02:10:10 +0000
+Subject: af-packet: fix oops when socket is not present
+
+
+From: Eric Leblond <eric@regit.org>
+
+[ Upstream commit a3d744e995d2b936c500585ae39d99ee251c89b4 ]
+
+Due to a NULL dereference, the following patch is causing oops
+in normal trafic condition:
+
+commit c0de08d04215031d68fa13af36f347a6cfa252ca
+Author: Eric Leblond <eric@regit.org>
+Date: Thu Aug 16 22:02:58 2012 +0000
+
+ af_packet: don't emit packet on orig fanout group
+
+This buggy patch was a feature fix and has reached most stable
+branches.
+
+When skb->sk is NULL and when packet fanout is used, there is a
+crash in match_fanout_group where skb->sk is accessed.
+This patch fixes the issue by returning false as soon as the
+socket is NULL: this correspond to the wanted behavior because
+the kernel as to resend the skb to all the listening socket in
+this case.
+
+Signed-off-by: Eric Leblond <eric@regit.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1643,7 +1643,7 @@ static inline int deliver_skb(struct sk_
+
+ static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
+ {
+- if (ptype->af_packet_priv == NULL)
++ if (!ptype->af_packet_priv || !skb->sk)
+ return false;
+
+ if (ptype->id_match)
--- /dev/null
+From 23a8e85d95e93dae69b7da8cdf560afc431957ae Mon Sep 17 00:00:00 2001
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+Date: Sun, 28 Oct 2012 06:12:00 +0000
+Subject: drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
+
+
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+
+[ Upstream commit 57c10b61c84bfed68b1b317d6f507a392724b9c4 ]
+
+Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
+
+Calling mdiobus_free without calling mdiobus_unregister causes
+BUG_ON(). This patch fixes the issue.
+
+The semantic patch that found this issue(http://coccinelle.lip6.fr/):
+// <smpl>
+@@
+expression E;
+@@
+ ... when != mdiobus_unregister(E);
+
++ mdiobus_unregister(E);
+ mdiobus_free(E);
+// </smpl>
+
+Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
+Tested-by: Roland Stigge <stigge@antcom.de>
+Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1523,6 +1523,7 @@ static int lpc_eth_drv_remove(struct pla
+ pldat->dma_buff_base_p);
+ free_irq(ndev->irq, ndev);
+ iounmap(pldat->net_base);
++ mdiobus_unregister(pldat->mii_bus);
+ mdiobus_free(pldat->mii_bus);
+ clk_disable(pldat->clk);
+ clk_put(pldat->clk);
--- /dev/null
+From 111f54cfd6727b18a032e5434e7b4c425f428c34 Mon Sep 17 00:00:00 2001
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+Date: Sun, 28 Oct 2012 06:12:01 +0000
+Subject: drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free
+
+
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+
+[ Upstream commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e ]
+
+Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0
+
+Calling mdiobus_free without calling mdiobus_unregister causes
+BUG_ON(). This patch fixes the issue.
+
+The semantic patch that found this issue(http://coccinelle.lip6.fr/):
+// <smpl>
+@@
+expression E;
+@@
+ ... when != mdiobus_unregister(E);
+
++ mdiobus_unregister(E);
+ mdiobus_free(E);
+// </smpl>
+
+Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio-bitbang.c
++++ b/drivers/net/phy/mdio-bitbang.c
+@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *b
+ struct mdiobb_ctrl *ctrl = bus->priv;
+
+ module_put(ctrl->ops->owner);
++ mdiobus_unregister(bus);
+ mdiobus_free(bus);
+ }
+ EXPORT_SYMBOL(free_mdio_bitbang);
--- /dev/null
+From 619bfd7ed4d4273c58ab898c951206f05973013f Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 6 Nov 2012 16:18:41 +0000
+Subject: ipv6: send unsolicited neighbour advertisements to all-nodes
+
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 60713a0ca7fd6651b951cc1b4dbd528d1fc0281b ]
+
+As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6.,
+unsolicited neighbour advertisements should be sent to the all-nodes
+multicast address.
+
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -593,7 +593,7 @@ static void ndisc_send_unsol_na(struct n
+ {
+ struct inet6_dev *idev;
+ struct inet6_ifaddr *ifa;
+- struct in6_addr mcaddr;
++ struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
+
+ idev = in6_dev_get(dev);
+ if (!idev)
+@@ -601,7 +601,6 @@ static void ndisc_send_unsol_na(struct n
+
+ read_lock_bh(&idev->lock);
+ list_for_each_entry(ifa, &idev->addr_list, if_list) {
+- addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
+ ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
+ /*router=*/ !!idev->cnf.forwarding,
+ /*solicited=*/ false, /*override=*/ true,
--- /dev/null
+From 7b333cd7dda5263431eced5b21842836369b7f27 Mon Sep 17 00:00:00 2001
+From: Li RongQing <roy.qing.li@gmail.com>
+Date: Wed, 24 Oct 2012 14:01:18 +0800
+Subject: ipv6: Set default hoplimit as zero.
+
+
+From: Li RongQing <roy.qing.li@gmail.com>
+
+[ Upstream commit 14edd87dc67311556f1254a8f29cf4dd6cb5b7d1 ]
+
+Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the
+hoplimit checking condition and default value in ip6_dst_hoplimit, not
+zeros all hoplimit default value.
+
+Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as
+const, cause as a37e6e344910(net: force dst_default_metrics to const
+section)
+
+Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -203,7 +203,7 @@ static struct dst_ops ip6_dst_blackhole_
+ };
+
+ static const u32 ip6_template_metrics[RTAX_MAX] = {
+- [RTAX_HOPLIMIT - 1] = 255,
++ [RTAX_HOPLIMIT - 1] = 0,
+ };
+
+ static struct rt6_info ip6_null_entry_template = {
+@@ -1135,7 +1135,7 @@ struct dst_entry *icmp6_dst_alloc(struct
+ rt->rt6i_dst.addr = fl6->daddr;
+ rt->rt6i_dst.plen = 128;
+ rt->rt6i_idev = idev;
+- dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
++ dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0);
+
+ spin_lock_bh(&icmp6_dst_lock);
+ rt->dst.next = icmp6_dst_gc_list;
--- /dev/null
+From 24d9d3f94bccfb3ee9eb85260d34033e3e2d247d Mon Sep 17 00:00:00 2001
+From: Tom Parkin <tparkin@katalix.com>
+Date: Mon, 29 Oct 2012 23:41:48 +0000
+Subject: l2tp: fix oops in l2tp_eth_create() error path
+
+
+From: Tom Parkin <tparkin@katalix.com>
+
+[ Upstream commit 789336360e0a2aeb9750c16ab704a02cbe035e9e ]
+
+When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
+any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
+32k-interface limit), the netdev is freed in the error path. However, the
+l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
+l2tp_eth_delete() then attempting to unregister the same netdev later in the
+session teardown. This results in an oops.
+
+To avoid this, clear the session dev pointer in the error path.
+
+Signed-off-by: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -269,6 +269,7 @@ static int l2tp_eth_create(struct net *n
+
+ out_del_dev:
+ free_netdev(dev);
++ spriv->dev = NULL;
+ out_del_session:
+ l2tp_session_delete(session);
+ out:
--- /dev/null
+From d0d72c2878b3d7a77e2ec93362179adaf8e27779 Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Wed, 31 Oct 2012 02:45:32 +0000
+Subject: net: fix divide by zero in tcp algorithm illinois
+
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ]
+
+Reading TCP stats when using TCP Illinois congestion control algorithm
+can cause a divide by zero kernel oops.
+
+The division by zero occur in tcp_illinois_info() at:
+ do_div(t, ca->cnt_rtt);
+where ca->cnt_rtt can become zero (when rtt_reset is called)
+
+Steps to Reproduce:
+ 1. Register tcp_illinois:
+ # sysctl -w net.ipv4.tcp_congestion_control=illinois
+ 2. Monitor internal TCP information via command "ss -i"
+ # watch -d ss -i
+ 3. Establish new TCP conn to machine
+
+Either it fails at the initial conn, or else it needs to wait
+for a loss or a reset.
+
+This is only related to reading stats. The function avg_delay() also
+performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
+calling point in update_params(). Thus, simply fix tcp_illinois_info().
+
+Function tcp_illinois_info() / get_info() is called without
+socket lock. Thus, eliminate any race condition on ca->cnt_rtt
+by using a local stack variable. Simply reuse info.tcpv_rttcnt,
+as its already set to ca->cnt_rtt.
+Function avg_delay() is not affected by this race condition, as
+its called with the socket lock.
+
+Cc: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_illinois.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct soc
+ .tcpv_rttcnt = ca->cnt_rtt,
+ .tcpv_minrtt = ca->base_rtt,
+ };
+- u64 t = ca->sum_rtt;
+
+- do_div(t, ca->cnt_rtt);
+- info.tcpv_rtt = t;
++ if (info.tcpv_rttcnt > 0) {
++ u64 t = ca->sum_rtt;
+
++ do_div(t, info.tcpv_rttcnt);
++ info.tcpv_rtt = t;
++ }
+ nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ }
+ }
--- /dev/null
+From 7515bbf9e7722c1f3cb75bc931f6b9a2b5533231 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov@openvz.org>
+Date: Sat, 3 Nov 2012 09:30:34 +0000
+Subject: net: inet_diag -- Return error code if protocol handler is missed
+
+
+From: Cyrill Gorcunov <gorcunov@openvz.org>
+
+[ Upstream commit cacb6ba0f36ab14a507f4ee7697e8332899015d2 ]
+
+We've observed that in case if UDP diag module is not
+supported in kernel the netlink returns NLMSG_DONE without
+notifying a caller that handler is missed.
+
+This patch makes __inet_diag_dump to return error code instead.
+
+So as example it become possible to detect such situation
+and handle it gracefully on userspace level.
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
+CC: David Miller <davem@davemloft.net>
+CC: Eric Dumazet <eric.dumazet@gmail.com>
+CC: Pavel Emelyanov <xemul@parallels.com>
+Acked-by: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_diag.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -875,13 +875,16 @@ static int __inet_diag_dump(struct sk_bu
+ struct inet_diag_req_v2 *r, struct nlattr *bc)
+ {
+ const struct inet_diag_handler *handler;
++ int err = 0;
+
+ handler = inet_diag_lock_handler(r->sdiag_protocol);
+ if (!IS_ERR(handler))
+ handler->dump(skb, cb, r, bc);
++ else
++ err = PTR_ERR(handler);
+ inet_diag_unlock_handler(handler);
+
+- return skb->len;
++ return err ? : skb->len;
+ }
+
+ static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
--- /dev/null
+From f8584e697469d706728e0ce61617b913da6ff44c Mon Sep 17 00:00:00 2001
+From: Hemant Kumar <hemantk@codeaurora.org>
+Date: Thu, 25 Oct 2012 18:17:54 +0000
+Subject: net: usb: Fix memory leak on Tx data path
+
+
+From: Hemant Kumar <hemantk@codeaurora.org>
+
+[ Upstream commit 39707c2a3ba5011038b363f84d37c8a98d2d9db1 ]
+
+Driver anchors the tx urbs and defers the urb submission if
+a transmit request comes when the interface is suspended.
+Anchoring urb increments the urb reference count. These
+deferred urbs are later accessed by calling usb_get_from_anchor()
+for submission during interface resume. usb_get_from_anchor()
+unanchors the urb but urb reference count remains same.
+This causes the urb reference count to remain non-zero
+after usb_free_urb() gets called and urb never gets freed.
+Hence call usb_put_urb() after anchoring the urb to properly
+balance the reference count for these deferred urbs. Also,
+unanchor these deferred urbs during disconnect, to free them
+up.
+
+Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
+Acked-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1158,6 +1158,7 @@ netdev_tx_t usbnet_start_xmit (struct sk
+ usb_anchor_urb(urb, &dev->deferred);
+ /* no use to process more packets */
+ netif_stop_queue(net);
++ usb_put_urb(urb);
+ spin_unlock_irqrestore(&dev->txq.lock, flags);
+ netdev_dbg(dev->net, "Delaying transmission for resumption\n");
+ goto deferred;
+@@ -1299,6 +1300,8 @@ void usbnet_disconnect (struct usb_inter
+
+ cancel_work_sync(&dev->kevent);
+
++ usb_scuttle_anchored_urbs(&dev->deferred);
++
+ if (dev->driver_info->unbind)
+ dev->driver_info->unbind (dev, intf);
+
--- /dev/null
+From 57c219abab9d8d40257a2575f19e394414c33692 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 18 Oct 2012 03:21:55 +0000
+Subject: netlink: use kfree_rcu() in netlink_release()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ]
+
+On some suspend/resume operations involving wimax device, we have
+noticed some intermittent memory corruptions in netlink code.
+
+Stéphane Marchesin tracked this corruption in netlink_update_listeners()
+and suggested a patch.
+
+It appears netlink_release() should use kfree_rcu() instead of kfree()
+for the listeners structure as it may be used by other cpus using RCU
+protection.
+
+netlink_release() must set to NULL the listeners pointer when
+it is about to be freed.
+
+Also have to protect netlink_update_listeners() and
+netlink_has_listeners() if listeners is NULL.
+
+Add a nl_deref_protected() lockdep helper to properly document which
+locks protects us.
+
+Reported-by: Jonathan Kliegman <kliegs@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stéphane Marchesin <marcheu@google.com>
+Cc: Sam Leffler <sleffler@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -137,6 +137,8 @@ static void netlink_destroy_callback(str
+ static DEFINE_RWLOCK(nl_table_lock);
+ static atomic_t nl_table_users = ATOMIC_INIT(0);
+
++#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
++
+ static ATOMIC_NOTIFIER_HEAD(netlink_chain);
+
+ static inline u32 netlink_group_mask(u32 group)
+@@ -332,6 +334,11 @@ netlink_update_listeners(struct sock *sk
+ struct hlist_node *node;
+ unsigned long mask;
+ unsigned int i;
++ struct listeners *listeners;
++
++ listeners = nl_deref_protected(tbl->listeners);
++ if (!listeners)
++ return;
+
+ for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
+ mask = 0;
+@@ -339,7 +346,7 @@ netlink_update_listeners(struct sock *sk
+ if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
+ mask |= nlk_sk(sk)->groups[i];
+ }
+- tbl->listeners->masks[i] = mask;
++ listeners->masks[i] = mask;
+ }
+ /* this function is only called with the netlink table "grabbed", which
+ * makes sure updates are visible before bind or setsockopt return. */
+@@ -520,7 +527,11 @@ static int netlink_release(struct socket
+ if (netlink_is_kernel(sk)) {
+ BUG_ON(nl_table[sk->sk_protocol].registered == 0);
+ if (--nl_table[sk->sk_protocol].registered == 0) {
+- kfree(nl_table[sk->sk_protocol].listeners);
++ struct listeners *old;
++
++ old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
++ RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
++ kfree_rcu(old, rcu);
+ nl_table[sk->sk_protocol].module = NULL;
+ nl_table[sk->sk_protocol].registered = 0;
+ }
+@@ -950,7 +961,7 @@ int netlink_has_listeners(struct sock *s
+ rcu_read_lock();
+ listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
+
+- if (group - 1 < nl_table[sk->sk_protocol].groups)
++ if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
+ res = test_bit(group - 1, listeners->masks);
+
+ rcu_read_unlock();
+@@ -1582,7 +1593,7 @@ int __netlink_change_ngroups(struct sock
+ new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
+ if (!new)
+ return -ENOMEM;
+- old = rcu_dereference_protected(tbl->listeners, 1);
++ old = nl_deref_protected(tbl->listeners);
+ memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
+ rcu_assign_pointer(tbl->listeners, new);
+
--- /dev/null
+From 9f1a81c4425f74362671fa4d49a95519669c4160 Mon Sep 17 00:00:00 2001
+From: Zijie Pan <zijie.pan@6wind.com>
+Date: Mon, 15 Oct 2012 03:56:39 +0000
+Subject: sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()
+
+
+From: Zijie Pan <zijie.pan@6wind.com>
+
+[ Upstream commit f6e80abeab928b7c47cc1fbf53df13b4398a2bec ]
+
+Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839
+(sctp: check src addr when processing SACK to update transport state)
+
+Signed-off-by: Zijie Pan <zijie.pan@6wind.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1610,8 +1610,9 @@ static int sctp_cmd_interpreter(sctp_eve
+ asoc->outqueue.outstanding_bytes;
+ sackh.num_gap_ack_blocks = 0;
+ sackh.num_dup_tsns = 0;
++ chunk->subh.sack_hdr = &sackh;
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
+- SCTP_SACKH(&sackh));
++ SCTP_CHUNK(chunk));
+ break;
+
+ case SCTP_CMD_DISCARD_PACKET:
alsa-usb-audio-fix-races-at-disconnection-in-mixer_quirks.c.patch
alsa-add-a-reference-counter-to-card-instance.patch
alsa-avoid-endless-sleep-after-disconnect.patch
+sctp-fix-call-to-sctp_cmd_process_sack-in-sctp_cmd_interpreter.patch
+netlink-use-kfree_rcu-in-netlink_release.patch
+tcp-fix-fionread-siocinq.patch
+ipv6-set-default-hoplimit-as-zero.patch
+net-usb-fix-memory-leak-on-tx-data-path.patch
+net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
+drivers-net-ethernet-nxp-lpc_eth.c-call-mdiobus_unregister-before-mdiobus_free.patch
+drivers-net-phy-mdio-bitbang.c-call-mdiobus_unregister-before-mdiobus_free.patch
+l2tp-fix-oops-in-l2tp_eth_create-error-path.patch
+net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch
+af-packet-fix-oops-when-socket-is-not-present.patch
+ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch
--- /dev/null
+From c4708f8f66bb6d3507350a1cdf09ea4c4c1b5b59 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 18 Oct 2012 09:14:12 +0000
+Subject: tcp: fix FIONREAD/SIOCINQ
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a3374c42aa5f7237e87ff3b0622018636b0c847e ]
+
+tcp_ioctl() tries to take into account if tcp socket received a FIN
+to report correct number bytes in receive queue.
+
+But its flaky because if the application ate the last skb,
+we return 1 instead of 0.
+
+Correct way to detect that FIN was received is to test SOCK_DONE.
+
+Reported-by: Elliot Hughes <enh@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Cc: Tom Herbert <therbert@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -481,14 +481,12 @@ int tcp_ioctl(struct sock *sk, int cmd,
+ !tp->urg_data ||
+ before(tp->urg_seq, tp->copied_seq) ||
+ !before(tp->urg_seq, tp->rcv_nxt)) {
+- struct sk_buff *skb;
+
+ answ = tp->rcv_nxt - tp->copied_seq;
+
+- /* Subtract 1, if FIN is in queue. */
+- skb = skb_peek_tail(&sk->sk_receive_queue);
+- if (answ && skb)
+- answ -= tcp_hdr(skb)->fin;
++ /* Subtract 1, if FIN was received */
++ if (answ && sock_flag(sk, SOCK_DONE))
++ answ--;
+ } else
+ answ = tp->urg_seq - tp->copied_seq;
+ release_sock(sk);
projects / thirdparty / kernel / stable-queue.git / commitdiff
