--- /dev/null
+From d3fe98f18874cf71f0b810de9d5513149f052b2e Mon Sep 17 00:00:00 2001
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Date: Sat, 9 Mar 2013 09:11:57 +0000
+Subject: 6lowpan: Fix endianness issue in is_addr_link_local().
+
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+[ Upstream commit 9026c4927254f5bea695cc3ef2e255280e6a3011 ]
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/6lowpan.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ieee802154/6lowpan.h
++++ b/net/ieee802154/6lowpan.h
+@@ -87,7 +87,7 @@
+ (memcmp(addr1, addr2, length >> 3) == 0)
+
+ /* local link, i.e. FE80::/10 */
+-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE)
++#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80))
+
+ /*
+ * check whether we can compress the IID to 16 bits,
--- /dev/null
+From 0893e3334b342f0832a983fc3c12070434f39ecd Mon Sep 17 00:00:00 2001
+From: Cristian Bercaru <B43982@freescale.com>
+Date: Fri, 8 Mar 2013 07:03:38 +0000
+Subject: bridging: fix rx_handlers return code
+
+
+From: Cristian Bercaru <B43982@freescale.com>
+
+[ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ]
+
+The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer
+counted as dropped. They are counted as successfully received by
+'netif_receive_skb'.
+
+This allows network interface drivers to correctly update their RX-OK and
+RX-DRP counters based on the result of 'netif_receive_skb'.
+
+Signed-off-by: Cristian Bercaru <B43982@freescale.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3230,6 +3230,7 @@ ncls:
+ }
+ switch (rx_handler(&skb)) {
+ case RX_HANDLER_CONSUMED:
++ ret = NET_RX_SUCCESS;
+ goto out;
+ case RX_HANDLER_ANOTHER:
+ goto another_round;
--- /dev/null
+From 020db0957e084039acf6cf4eff10308872117735 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:21 +0000
+Subject: dcbnl: fix various netlink info leaks
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
+
+The dcb netlink interface leaks stack memory in various places:
+* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+* the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+Prevent all of the above stack info leaks by properly initializing the
+buffers/structures involved.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct n
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
--- /dev/null
+From daee605b36cbf0f8f3472cebae7c15344eed5cfb Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 8 Mar 2013 02:07:23 +0000
+Subject: ipv6: stop multicast forwarding to process interface scoped addresses
+
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ]
+
+v2:
+a) used struct ipv6_addr_props
+
+v3:
+a) reverted changes for ipv6_addr_props
+
+v4:
+a) do not use __ipv6_addr_needs_scope_id
+
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -265,7 +265,8 @@ int ip6_mc_input(struct sk_buff *skb)
+ * IPv6 multicast router mode is now supported ;)
+ */
+ if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
+- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) &&
++ !(ipv6_addr_type(&hdr->daddr) &
++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
+ likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
+ /*
+ * Okay, we try to forward - split and duplicate
--- /dev/null
+From 5b343bfe238f11e486c703d867c9f465913c543c Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 1 Mar 2013 05:02:02 +0000
+Subject: l2tp: Restore socket refcount when sendmsg succeeds
+
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
+
+The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+reference counter after successful transmissions. Any successful
+sendmsg() call from userspace will then increase the reference counter
+forever, thus preventing the kernel's session and tunnel data from
+being freed later on.
+
+The problem only happens when writing directly on L2TP sockets.
+PPP sockets attached to L2TP are unaffected as the PPP subsystem
+uses pppol2tp_xmit() which symmetrically increase/decrease reference
+counters.
+
+This patch adds the missing call to sock_put() before returning from
+pppol2tp_sendmsg().
+
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
--- /dev/null
+From f4c03683e2470220337ea037c33964de1483942f Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Thu, 7 Mar 2013 10:21:48 +0000
+Subject: macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode.
+
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit 87ab7f6f2874f1115817e394a7ed2dea1c72549e ]
+
+Macvlan already supports hw address filters. Set the IFF_UNICAST_FLT
+so that it doesn't needlesly enter PROMISC mode when macvlans are
+stacked.
+
+Signed-of-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -584,6 +584,7 @@ void macvlan_common_setup(struct net_dev
+ ether_setup(dev);
+
+ dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING);
++ dev->priv_flags |= IFF_UNICAST_FLT;
+ dev->netdev_ops = &macvlan_netdev_ops;
+ dev->destructor = free_netdev;
+ dev->header_ops = &macvlan_hard_header_ops,
--- /dev/null
+From 6a371a97d27f41655fc7597d37f7d14713ab99ba Mon Sep 17 00:00:00 2001
+From: Lorenzo Colitti <lorenzo@google.com>
+Date: Sun, 3 Mar 2013 20:46:46 +0000
+Subject: net: ipv6: Don't purge default router if accept_ra=2
+
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ]
+
+Setting net.ipv6.conf.<interface>.accept_ra=2 causes the kernel
+to accept RAs even when forwarding is enabled. However, enabling
+forwarding purges all default routes on the system, breaking
+connectivity until the next RA is received. Fix this by not
+purging default routes on interfaces that have accept_ra=2.
+
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1973,7 +1973,8 @@ void rt6_purge_dflt_routers(struct net *
+ restart:
+ read_lock_bh(&table->tb6_lock);
+ for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) {
+- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) {
++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) &&
++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) {
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+ ip6_del_rt(rt);
--- /dev/null
+From 83f3236795f824a81418086d0360968d975bf813 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Wed, 6 Mar 2013 11:45:24 +0000
+Subject: netlabel: correctly list all the static label mappings
+
+
+From: Paul Moore <pmoore@redhat.com>
+
+[ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and
+ a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ]
+
+When we have a large number of static label mappings that spill across
+the netlink message boundary we fail to properly save our state in the
+netlink_callback struct which causes us to repeat the same listings.
+This patch fixes this problem by saving the state correctly between
+calls to the NetLabel static label netlink "dumpit" routines.
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlabel/netlabel_unlabeled.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(str
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ u32 skip_bkt = cb->args[0];
+ u32 skip_chain = cb->args[1];
+- u32 skip_addr4 = cb->args[2];
+- u32 skip_addr6 = cb->args[3];
+ u32 iter_bkt;
+ u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_unlhsh_iface *iface;
+@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(str
+ continue;
+ netlbl_af4list_foreach_rcu(addr4,
+ &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[2])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(str
+ #if IS_ENABLED(CONFIG_IPV6)
+ netlbl_af6list_foreach_rcu(addr6,
+ &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[3])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(str
+
+ unlabel_staticlist_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_bkt;
+- cb->args[1] = skip_chain;
+- cb->args[2] = skip_addr4;
+- cb->args[3] = skip_addr6;
++ cb->args[0] = iter_bkt;
++ cb->args[1] = iter_chain;
++ cb->args[2] = iter_addr4;
++ cb->args[3] = iter_addr6;
+ return skb->len;
+ }
+
+@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef(
+ {
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ struct netlbl_unlhsh_iface *iface;
+- u32 skip_addr4 = cb->args[0];
+- u32 skip_addr6 = cb->args[1];
+- u32 iter_addr4 = 0;
++ u32 iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_af4list *addr4;
+ #if IS_ENABLED(CONFIG_IPV6)
+- u32 iter_addr6 = 0;
+ struct netlbl_af6list *addr6;
+ #endif
+
+@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef(
+ goto unlabel_staticlistdef_return;
+
+ netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[0])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef(
+ }
+ #if IS_ENABLED(CONFIG_IPV6)
+ netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[1])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef(
+
+ unlabel_staticlistdef_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_addr4;
+- cb->args[1] = skip_addr6;
++ cb->args[0] = iter_addr4;
++ cb->args[1] = iter_addr6;
+ return skb->len;
+ }
+
--- /dev/null
+From d3a7ebf73779faa29a1a7d45266579f57dc011ab Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang@redhat.com>
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+
+From: Cong Wang <amwang@redhat.com>
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones <davej@redhat.com>
+Cc: Dave Jones <davej@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
--- /dev/null
+From 1088cedd7b5a08f7000c81716c9c53aca2c343d7 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -975,6 +975,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
loopdev-fix-a-deadlock.patch
loopdev-remove-an-user-triggerable-oops.patch
drm-i915-increase-the-rc6p-threshold.patch
+l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch
+rds-limit-the-size-allocated-by-rds_message_alloc.patch
+net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch
+tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch
+tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
+macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch
+netlabel-correctly-list-all-the-static-label-mappings.patch
+bridging-fix-rx_handlers-return-code.patch
+ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch
+rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+dcbnl-fix-various-netlink-info-leaks.patch
+6lowpan-fix-endianness-issue-in-is_addr_link_local.patch
--- /dev/null
+From dde9364409613d724007a54f92f6b6d0f1945f4a Mon Sep 17 00:00:00 2001
+From: Neal Cardwell <ncardwell@google.com>
+Date: Mon, 4 Mar 2013 06:23:05 +0000
+Subject: tcp: fix double-counted receiver RTT when leaving receiver fast path
+
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ]
+
+We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both
+before and after going to step5. That wastes CPU and double-counts the
+receiver-side RTT sample.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5519,6 +5519,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if ((int)skb->truesize > sk->sk_forward_alloc)
++ goto step5;
++
+ /* Predicted packet is in window by definition.
+ * seq == rcv_nxt and rcv_wup <= rcv_nxt.
+ * Hence, check seq<=rcv_wup reduces to:
+@@ -5530,9 +5533,6 @@ int tcp_rcv_established(struct sock *sk,
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+- if ((int)skb->truesize > sk->sk_forward_alloc)
+- goto step5;
+-
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);
+
+ /* Bulk data transfer: receiver */
--- /dev/null
+From 2ff4c18108ed5f5a900a4c37347b0edb564a3edd Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 6 Mar 2013 11:02:37 +0000
+Subject: tun: add a missing nf_reset() in tun_net_xmit()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ]
+
+Dave reported following crash :
+
+general protection fault: 0000 [#1] SMP
+CPU 2
+Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch
+RIP: 0010:[<ffffffffa0399bd5>] [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
+RSP: 0018:ffff880276913d78 EFLAGS: 00010206
+RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00
+RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002
+RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900
+R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40
+R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002
+FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720)
+Stack:
+ ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7
+ ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100
+ ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470
+Call Trace:
+ [<ffffffff815534f7>] nf_conntrack_destroy+0x17/0x20
+ [<ffffffff8151a74b>] skb_release_head_state+0x7b/0x100
+ [<ffffffff8151a5a6>] __kfree_skb+0x16/0xa0
+ [<ffffffff8151a666>] kfree_skb+0x36/0xa0
+ [<ffffffff8151a8e0>] skb_queue_purge+0x20/0x40
+ [<ffffffffa02205f7>] __tun_detach+0x117/0x140 [tun]
+ [<ffffffffa022184c>] tun_chr_close+0x3c/0xd0 [tun]
+ [<ffffffff8119669c>] __fput+0xec/0x240
+ [<ffffffff811967fe>] ____fput+0xe/0x10
+ [<ffffffff8107eb27>] task_work_run+0xa7/0xe0
+ [<ffffffff810149e1>] do_notify_resume+0x71/0xb0
+ [<ffffffff81640152>] int_signal+0x12/0x17
+Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0
+RIP [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
+ RSP <ffff880276913d78>
+
+This is because tun_net_xmit() needs to call nf_reset()
+before queuing skb into receive_queue
+
+Reported-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -417,6 +417,8 @@ static netdev_tx_t tun_net_xmit(struct s
+ * for indefinite time. */
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tun->socket.sk->sk_receive_queue, skb);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
