3.5-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Sep 2012 16:00:28 +0000 (09:00 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Sep 2012 16:00:28 +0000 (09:00 -0700)
added patches:
af_netlink-force-credentials-passing.patch
af_packet-don-t-emit-packet-on-orig-fanout-group.patch
af_packet-remove-bug-statement-in-tpacket_destruct_skb.patch
atm-fix-info-leak-in-getsockopt-so_atmpvc.patch
atm-fix-info-leak-via-getsockname.patch
bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch
bluetooth-hci-fix-info-leak-via-getsockname.patch
bluetooth-l2cap-fix-info-leak-via-getsockname.patch
bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch
bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch
bluetooth-rfcomm-fix-info-leak-via-getsockname.patch
bnx2x-fix-57840_mf-pci-id.patch
codel-refine-one-condition-to-avoid-a-nul-rec_inv_sqrt.patch
cs89x0-packet-reception-not-working.patch
dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch
gianfar-fix-default-tx-vlan-offload-feature-flag.patch
ipv6-addrconf-avoid-calling-netdevice-notifiers-with-rcu-read-side-lock.patch
ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch
isdnloop-fix-and-simplify-isdnloop_init.patch
l2tp-avoid-to-use-synchronize_rcu-in-tunnel-free-function.patch
l2tp-fix-info-leak-via-getsockname.patch
llc-fix-info-leak-via-getsockname.patch
net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch
net-core-fix-potential-memory-leak-in-dev_set_alias.patch
net-fix-info-leak-in-compat-dev_ifconf.patch
net-ipv4-ipmr_expire_timer-causes-crash-when-removing-net-namespace.patch
netlink-fix-possible-spoofing-from-non-root-processes.patch
net_sched-gact-fix-potential-panic-in-tcf_gact.patch
openvswitch-reset-upper-layer-protocol-info-on-internal-devices.patch
pptp-lookup-route-with-the-proper-net-namespace.patch
sfc-fix-maximum-number-of-tso-segments-and-minimum-tx-queue-size.patch
sfc-fix-reporting-of-ipv4-full-filters-through-ethtool.patch
tcp-apply-device-tso-segment-limit-earlier.patch
tcp-fix-cwnd-reduction-for-non-sack-recovery.patch

35 files changed:
queue-3.5/af_netlink-force-credentials-passing.patch [new file with mode: 0644]
queue-3.5/af_packet-don-t-emit-packet-on-orig-fanout-group.patch [new file with mode: 0644]
queue-3.5/af_packet-remove-bug-statement-in-tpacket_destruct_skb.patch [new file with mode: 0644]
queue-3.5/atm-fix-info-leak-in-getsockopt-so_atmpvc.patch [new file with mode: 0644]
queue-3.5/atm-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch [new file with mode: 0644]
queue-3.5/bluetooth-hci-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/bluetooth-l2cap-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch [new file with mode: 0644]
queue-3.5/bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch [new file with mode: 0644]
queue-3.5/bluetooth-rfcomm-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/bnx2x-fix-57840_mf-pci-id.patch [new file with mode: 0644]
queue-3.5/codel-refine-one-condition-to-avoid-a-nul-rec_inv_sqrt.patch [new file with mode: 0644]
queue-3.5/cs89x0-packet-reception-not-working.patch [new file with mode: 0644]
queue-3.5/dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch [new file with mode: 0644]
queue-3.5/gianfar-fix-default-tx-vlan-offload-feature-flag.patch [new file with mode: 0644]
queue-3.5/ipv6-addrconf-avoid-calling-netdevice-notifiers-with-rcu-read-side-lock.patch [new file with mode: 0644]
queue-3.5/ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch [new file with mode: 0644]
queue-3.5/isdnloop-fix-and-simplify-isdnloop_init.patch [new file with mode: 0644]
queue-3.5/l2tp-avoid-to-use-synchronize_rcu-in-tunnel-free-function.patch [new file with mode: 0644]
queue-3.5/l2tp-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/llc-fix-info-leak-via-getsockname.patch [new file with mode: 0644]
queue-3.5/net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch [new file with mode: 0644]
queue-3.5/net-core-fix-potential-memory-leak-in-dev_set_alias.patch [new file with mode: 0644]
queue-3.5/net-fix-info-leak-in-compat-dev_ifconf.patch [new file with mode: 0644]
queue-3.5/net-ipv4-ipmr_expire_timer-causes-crash-when-removing-net-namespace.patch [new file with mode: 0644]
queue-3.5/net_sched-gact-fix-potential-panic-in-tcf_gact.patch [new file with mode: 0644]
queue-3.5/netlink-fix-possible-spoofing-from-non-root-processes.patch [new file with mode: 0644]
queue-3.5/openvswitch-reset-upper-layer-protocol-info-on-internal-devices.patch [new file with mode: 0644]
queue-3.5/pptp-lookup-route-with-the-proper-net-namespace.patch [new file with mode: 0644]
queue-3.5/series [new file with mode: 0644]
queue-3.5/sfc-fix-maximum-number-of-tso-segments-and-minimum-tx-queue-size.patch [new file with mode: 0644]
queue-3.5/sfc-fix-reporting-of-ipv4-full-filters-through-ethtool.patch [new file with mode: 0644]
queue-3.5/tcp-apply-device-tso-segment-limit-earlier.patch [new file with mode: 0644]
queue-3.5/tcp-fix-cwnd-reduction-for-non-sack-recovery.patch [new file with mode: 0644]

diff --git a/queue-3.5/af_netlink-force-credentials-passing.patch b/queue-3.5/af_netlink-force-credentials-passing.patch
new file mode 100644 (file)
index 0000000..e808ec2
--- /dev/null
@@ -0,0 +1,89 @@
+From 77c368502ce5496996462f232ea6e89c274d7e26 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 21 Aug 2012 06:21:17 +0000
+Subject: af_netlink: force credentials passing [CVE-2012-3520]
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea ]
+
+Pablo Neira Ayuso discovered that avahi and
+potentially NetworkManager accept spoofed Netlink messages because of a
+kernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data
+to the receiver if the sender did not provide such data, instead of not
+including any such data at all or including the correct data from the
+peer (as it is the case with AF_UNIX).
+
+This bug was introduced in commit 16e572626961
+(af_unix: dont send SCM_CREDENTIALS by default)
+
+This patch forces passing credentials for netlink, as
+before the regression.
+
+Another fix would be to not add SCM_CREDENTIALS in
+netlink messages if not provided by the sender, but it
+might break some programs.
+
+With help from Florian Weimer & Petr Matousek
+
+This issue is designated as CVE-2012-3520
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Florian Weimer <fweimer@redhat.com>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/scm.h        |    4 +++-
+ net/netlink/af_netlink.c |    2 +-
+ net/unix/af_unix.c       |    4 ++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -71,9 +71,11 @@ static __inline__ void scm_destroy(struc
+ }
+ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
+-                             struct scm_cookie *scm)
++                             struct scm_cookie *scm, bool forcecreds)
+ {
+       memset(scm, 0, sizeof(*scm));
++      if (forcecreds)
++              scm_set_cred(scm, task_tgid(current), current_cred());
+       unix_get_peersec_dgram(sock, scm);
+       if (msg->msg_controllen <= 0)
+               return 0;
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1344,7 +1344,7 @@ static int netlink_sendmsg(struct kiocb
+       if (NULL == siocb->scm)
+               siocb->scm = &scm;
+-      err = scm_send(sock, msg, siocb->scm);
++      err = scm_send(sock, msg, siocb->scm, true);
+       if (err < 0)
+               return err;
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1448,7 +1448,7 @@ static int unix_dgram_sendmsg(struct kio
+       if (NULL == siocb->scm)
+               siocb->scm = &tmp_scm;
+       wait_for_unix_gc();
+-      err = scm_send(sock, msg, siocb->scm);
++      err = scm_send(sock, msg, siocb->scm, false);
+       if (err < 0)
+               return err;
+@@ -1617,7 +1617,7 @@ static int unix_stream_sendmsg(struct ki
+       if (NULL == siocb->scm)
+               siocb->scm = &tmp_scm;
+       wait_for_unix_gc();
+-      err = scm_send(sock, msg, siocb->scm);
++      err = scm_send(sock, msg, siocb->scm, false);
+       if (err < 0)
+               return err;
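Review bot: The new `forcecreds` parameter of scm_send() in include/net/scm.h is undocumented, and the bare `true`/`false` at the three call sites do not say what they select. A short comment above the function, for example `/* forcecreds: attach the caller's pid and cred even if the sender passed no SCM_CREDENTIALS */`, would record why netlink_sendmsg() passes true while unix_dgram_sendmsg() and unix_stream_sendmsg() pass false. Receivers such as those named in the description rely on this data to reject spoofed messages, so the comment should also say that a netlink receiver never sees all-zero credentials after this change. scm_send()'s body continues past the hunk.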
diff --git a/queue-3.5/af_packet-don-t-emit-packet-on-orig-fanout-group.patch b/queue-3.5/af_packet-don-t-emit-packet-on-orig-fanout-group.patch
new file mode 100644 (file)
index 0000000..813eff0
--- /dev/null
@@ -0,0 +1,100 @@
+From 7756088c98170a42a89287d32f89bfcec5863ffe Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Thu, 16 Aug 2012 22:02:58 +0000
+Subject: af_packet: don't emit packet on orig fanout group
+
+
+From: Eric Leblond <eric@regit.org>
+
+[ Upstream commit c0de08d04215031d68fa13af36f347a6cfa252ca ]
+
+If a packet is emitted on one socket in one group of fanout sockets,
+it is transmitted again. It is thus read again on one of the sockets
+of the fanout group. This result in a loop for software which
+generate packets when receiving one.
+This retransmission is not the intended behavior: a fanout group
+must behave like a single socket. The packet should not be
+transmitted on a socket if it originates from a socket belonging
+to the same fanout group.
+
+This patch fixes the issue by changing the transmission check to
+take fanout group info account.
+
+Reported-by: Aleksandr Kotov <a1k@mail.ru>
+Signed-off-by: Eric Leblond <eric@regit.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    2 ++
+ net/core/dev.c            |   16 ++++++++++++++--
+ net/packet/af_packet.c    |    9 +++++++++
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1520,6 +1520,8 @@ struct packet_type {
+       struct sk_buff          **(*gro_receive)(struct sk_buff **head,
+                                              struct sk_buff *skb);
+       int                     (*gro_complete)(struct sk_buff *skb);
++      bool                    (*id_match)(struct packet_type *ptype,
++                                          struct sock *sk);
+       void                    *af_packet_priv;
+       struct list_head        list;
+ };
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1640,6 +1640,19 @@ static inline int deliver_skb(struct sk_
+       return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
+ }
++static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
++{
++      if (ptype->af_packet_priv == NULL)
++              return false;
++
++      if (ptype->id_match)
++              return ptype->id_match(ptype, skb->sk);
++      else if ((struct sock *)ptype->af_packet_priv == skb->sk)
++              return true;
++
++      return false;
++}
++
+ /*
+  *    Support routine. Sends outgoing frames to any network
+  *    taps currently in use.
+@@ -1657,8 +1670,7 @@ static void dev_queue_xmit_nit(struct sk
+                * they originated from - MvS (miquels@drinkel.ow.org)
+                */
+               if ((ptype->dev == dev || !ptype->dev) &&
+-                  (ptype->af_packet_priv == NULL ||
+-                   (struct sock *)ptype->af_packet_priv != skb->sk)) {
++                  (!skb_loop_sk(ptype, skb))) {
+                       if (pt_prev) {
+                               deliver_skb(skb2, pt_prev, skb->dev);
+                               pt_prev = ptype;
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1280,6 +1280,14 @@ static void __fanout_unlink(struct sock
+       spin_unlock(&f->lock);
+ }
++bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
++{
++      if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
++              return true;
++
++      return false;
++}
++
+ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
+ {
+       struct packet_sock *po = pkt_sk(sk);
+@@ -1332,6 +1340,7 @@ static int fanout_add(struct sock *sk, u
+               match->prot_hook.dev = po->prot_hook.dev;
+               match->prot_hook.func = packet_rcv_fanout;
+               match->prot_hook.af_packet_priv = match;
++              match->prot_hook.id_match = match_fanout_group;
+               dev_add_pack(&match->prot_hook);
+               list_add(&match->list, &fanout_list);
+       }
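Review bot: match_fanout_group() in net/packet/af_packet.c casts `sk` to `struct packet_sock *` and reads `->fanout` with no check, and skb_loop_sk() in net/core/dev.c passes it `skb->sk` unchecked. If dev_queue_xmit_nit() can see an skb with no owning socket (nothing in these hunks rules that out), this is a NULL dereference on the transmit path. A guard in the caller keeps the old behaviour for that case: `if (ptype->af_packet_priv == NULL || skb->sk == NULL) return false;`. The cast also assumes the sending socket is a packet socket, so a test such as `if (sk->sk_family != PF_PACKET) return false;` before it would avoid reading another socket type through the wrong layout. As far as the patch shows, match_fanout_group() is referenced only from fanout_add() in the same file and could be `static`.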
diff --git a/queue-3.5/af_packet-remove-bug-statement-in-tpacket_destruct_skb.patch b/queue-3.5/af_packet-remove-bug-statement-in-tpacket_destruct_skb.patch
new file mode 100644 (file)
index 0000000..eb79888
--- /dev/null
@@ -0,0 +1,49 @@
+From 2337b3461addc75ef50c117cca63df2bcb181166 Mon Sep 17 00:00:00 2001
+From: "danborkmann@iogearbox.net" <danborkmann@iogearbox.net>
+Date: Fri, 10 Aug 2012 22:48:54 +0000
+Subject: af_packet: remove BUG statement in tpacket_destruct_skb
+
+
+From: "danborkmann@iogearbox.net" <danborkmann@iogearbox.net>
+
+[ Upstream commit 7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 ]
+
+Here's a quote of the comment about the BUG macro from asm-generic/bug.h:
+
+ Don't use BUG() or BUG_ON() unless there's really no way out; one
+ example might be detecting data structure corruption in the middle
+ of an operation that can't be backed out of.  If the (sub)system
+ can somehow continue operating, perhaps with reduced functionality,
+ it's probably not BUG-worthy.
+
+ If you're tempted to BUG(), think again:  is completely giving up
+ really the *only* solution?  There are usually better options, where
+ users don't need to reboot ASAP and can mostly shut down cleanly.
+
+In our case, the status flag of a ring buffer slot is managed from both sides,
+the kernel space and the user space. This means that even though the kernel
+side might work as expected, the user space screws up and changes this flag
+right between the send(2) is triggered when the flag is changed to
+TP_STATUS_SENDING and a given skb is destructed after some time. Then, this
+will hit the BUG macro. As David suggested, the best solution is to simply
+remove this statement since it cannot be used for kernel side internal
+consistency checks. I've tested it and the system still behaves /stable/ in
+this case, so in accordance with the above comment, we should rather remove it.
+
+Signed-off-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1943,7 +1943,6 @@ static void tpacket_destruct_skb(struct
+       if (likely(po->tx_ring.pg_vec)) {
+               ph = skb_shinfo(skb)->destructor_arg;
+-              BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
+               BUG_ON(atomic_read(&po->tx_ring.pending) == 0);
+               atomic_dec(&po->tx_ring.pending);
+               __packet_set_status(po, ph, TP_STATUS_AVAILABLE);
diff --git a/queue-3.5/atm-fix-info-leak-in-getsockopt-so_atmpvc.patch b/queue-3.5/atm-fix-info-leak-in-getsockopt-so_atmpvc.patch
new file mode 100644 (file)
index 0000000..07731a8
--- /dev/null
@@ -0,0 +1,31 @@
+From ce43fdf08181ec04357cd52eab4668bcd80d3424 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:44 +0000
+Subject: atm: fix info leak in getsockopt(SO_ATMPVC)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e862f1a9b7df4e8196ebec45ac62295138aa3fc2 ]
+
+The ATM code fails to initialize the two padding bytes of struct
+sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
+before filling the structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/common.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock,
+               if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
+                       return -ENOTCONN;
++              memset(&pvc, 0, sizeof(pvc));
+               pvc.sap_family = AF_ATMPVC;
+               pvc.sap_addr.itf = vcc->dev->number;
+               pvc.sap_addr.vpi = vcc->vpi;
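Review bot: The added `memset(&pvc, 0, sizeof(pvc));` in vcc_getsockopt() carries no comment, so it reads as redundant next to the field assignments that follow and could be dropped in a later cleanup. A one-line comment such as `/* clear padding too: the whole struct is copied to user space */` would keep the reason with the code. The same applies to the memset() calls added in pvc_getname(), hci_sock_getsockopt(), l2cap_sock_getname() and rfcomm_sock_getname() later in this commit. The copy to user space itself is outside the hunk.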
diff --git a/queue-3.5/atm-fix-info-leak-via-getsockname.patch b/queue-3.5/atm-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..2d14d21
--- /dev/null
@@ -0,0 +1,31 @@
+From 728ddd57f43fe7bbf9b3486d1622bb16aa8e0f02 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:45 +0000
+Subject: atm: fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a ]
+
+The ATM code fails to initialize the two padding bytes of struct
+sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
+before filling the structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/pvc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/atm/pvc.c
++++ b/net/atm/pvc.c
+@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *so
+               return -ENOTCONN;
+       *sockaddr_len = sizeof(struct sockaddr_atmpvc);
+       addr = (struct sockaddr_atmpvc *)sockaddr;
++      memset(addr, 0, sizeof(*addr));
+       addr->sap_family = AF_ATMPVC;
+       addr->sap_addr.itf = vcc->dev->number;
+       addr->sap_addr.vpi = vcc->vpi;
diff --git a/queue-3.5/bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch b/queue-3.5/bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch
new file mode 100644 (file)
index 0000000..1bc908a
--- /dev/null
@@ -0,0 +1,35 @@
+From f922ac54143cd628dda10bc682e1dfce674eaeb8 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:46 +0000
+Subject: Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e15ca9a0ef9a86f0477530b0f44a725d67f889ee ]
+
+The HCI code fails to initialize the two padding bytes of struct
+hci_ufilter before copying it to userland -- that for leaking two
+bytes kernel stack. Add an explicit memset(0) before filling the
+structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -1016,6 +1016,7 @@ static int hci_sock_getsockopt(struct so
+               {
+                       struct hci_filter *f = &hci_pi(sk)->filter;
++                      memset(&uf, 0, sizeof(uf));
+                       uf.type_mask = f->type_mask;
+                       uf.opcode    = f->opcode;
+                       uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/queue-3.5/bluetooth-hci-fix-info-leak-via-getsockname.patch b/queue-3.5/bluetooth-hci-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..5338c03
--- /dev/null
@@ -0,0 +1,35 @@
+From bb9c32102505b6d7a3f3f4a97cacf67b75588046 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:47 +0000
+Subject: Bluetooth: HCI - Fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 3f68ba07b1da811bf383b4b701b129bfcb2e4988 ]
+
+The HCI code fails to initialize the hci_channel member of struct
+sockaddr_hci and that for leaks two bytes kernel stack via the
+getsockname() syscall. Initialize hci_channel with 0 to avoid the
+info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -706,6 +706,7 @@ static int hci_sock_getname(struct socke
+       *addr_len = sizeof(*haddr);
+       haddr->hci_family = AF_BLUETOOTH;
+       haddr->hci_dev    = hdev->id;
++      haddr->hci_channel= 0;
+       release_sock(sk);
+       return 0;
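Review bot: Setting `haddr->hci_channel= 0;` in hci_sock_getname() initialises only the one member known to be missing today, so any field or padding added to struct sockaddr_hci later would leak again; the other fixes in this series clear the whole structure instead. `memset(haddr, 0, sizeof(*haddr));` ahead of the assignments would match them. Reporting a constant 0 may also differ from the channel the socket is actually bound to; that cannot be confirmed from the hunk and is worth checking. The `sec.key_size = 0;` fix in rfcomm_sock_getsockopt() has the same single-field shape. The function starts outside the hunk.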
diff --git a/queue-3.5/bluetooth-l2cap-fix-info-leak-via-getsockname.patch b/queue-3.5/bluetooth-l2cap-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..961a7fd
--- /dev/null
@@ -0,0 +1,35 @@
+From b902fc94a9bbb206b63a5841970a7aa853926618 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:51 +0000
+Subject: Bluetooth: L2CAP - Fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 792039c73cf176c8e39a6e8beef2c94ff46522ed ]
+
+The L2CAP code fails to initialize the l2_bdaddr_type member of struct
+sockaddr_l2 and the padding byte added for alignment. It that for leaks
+two bytes kernel stack via the getsockname() syscall. Add an explicit
+memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -246,6 +246,7 @@ static int l2cap_sock_getname(struct soc
+       BT_DBG("sock %p, sk %p", sock, sk);
++      memset(la, 0, sizeof(struct sockaddr_l2));
+       addr->sa_family = AF_BLUETOOTH;
+       *len = sizeof(struct sockaddr_l2);
diff --git a/queue-3.5/bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch b/queue-3.5/bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch
new file mode 100644 (file)
index 0000000..3d49d90
--- /dev/null
@@ -0,0 +1,35 @@
+From fbd3ba1637931cd8a8e934f234ae79b50e22e5d4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:48 +0000
+Subject: Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 9ad2de43f1aee7e7274a4e0d41465489299e344b ]
+
+The RFCOMM code fails to initialize the key_size member of struct
+bt_security before copying it to userland -- that for leaking one
+byte kernel stack. Initialize key_size with 0 to avoid the info
+leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -841,6 +841,7 @@ static int rfcomm_sock_getsockopt(struct
+               }
+               sec.level = rfcomm_pi(sk)->sec_level;
++              sec.key_size = 0;
+               len = min_t(unsigned int, len, sizeof(sec));
+               if (copy_to_user(optval, (char *) &sec, len))
diff --git a/queue-3.5/bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch b/queue-3.5/bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch
new file mode 100644 (file)
index 0000000..dc9444a
--- /dev/null
@@ -0,0 +1,39 @@
+From 2ef6d025b5b062c6ad6926edd149323b1da27f55 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:49 +0000
+Subject: Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a ]
+
+The RFCOMM code fails to initialize the two padding bytes of struct
+rfcomm_dev_list_req inserted for alignment before copying it to
+userland. Additionally there are two padding bytes in each instance of
+struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
+dev_num times two bytes uninitialized kernel heap memory.
+
+Allocate the memory using kzalloc() to fix this issue.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/tty.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/rfcomm/tty.c
++++ b/net/bluetooth/rfcomm/tty.c
+@@ -461,7 +461,7 @@ static int rfcomm_get_dev_list(void __us
+       size = sizeof(*dl) + dev_num * sizeof(*di);
+-      dl = kmalloc(size, GFP_KERNEL);
++      dl = kzalloc(size, GFP_KERNEL);
+       if (!dl)
+               return -ENOMEM;
diff --git a/queue-3.5/bluetooth-rfcomm-fix-info-leak-via-getsockname.patch b/queue-3.5/bluetooth-rfcomm-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..864867c
--- /dev/null
@@ -0,0 +1,35 @@
+From 16ddf8d8c926d2c4d886a33608d43e47426edb48 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:50 +0000
+Subject: Bluetooth: RFCOMM - Fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 9344a972961d1a6d2c04d9008b13617bcb6ec2ef ]
+
+The RFCOMM code fails to initialize the trailing padding byte of struct
+sockaddr_rc added for alignment. It that for leaks one byte kernel stack
+via the getsockname() syscall. Add an explicit memset(0) before filling
+the structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct so
+       BT_DBG("sock %p, sk %p", sock, sk);
++      memset(sa, 0, sizeof(*sa));
+       sa->rc_family  = AF_BLUETOOTH;
+       sa->rc_channel = rfcomm_pi(sk)->channel;
+       if (peer)
diff --git a/queue-3.5/bnx2x-fix-57840_mf-pci-id.patch b/queue-3.5/bnx2x-fix-57840_mf-pci-id.patch
new file mode 100644 (file)
index 0000000..188a532
--- /dev/null
@@ -0,0 +1,34 @@
+From 04c43d45d82e21b0ea77a15823c875d5ac9c3d15 Mon Sep 17 00:00:00 2001
+From: Yuval Mintz <yuvalmin@broadcom.com>
+Date: Sun, 26 Aug 2012 00:35:45 +0000
+Subject: bnx2x: fix 57840_MF pci id
+
+
+From: Yuval Mintz <yuvalmin@broadcom.com>
+
+[ Upstream commit 5c879d2094946081af934739850c7260e8b25d3c ]
+
+Commit c3def943c7117d42caaed3478731ea7c3c87190e have added support for
+new pci ids of the 57840 board, while failing to change the obsolete value
+in 'pci_ids.h'.
+This patch does so, allowing the probe of such devices.
+
+Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
+Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/pci_ids.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -2148,7 +2148,7 @@
+ #define PCI_DEVICE_ID_TIGON3_5704S    0x16a8
+ #define PCI_DEVICE_ID_NX2_57800_VF    0x16a9
+ #define PCI_DEVICE_ID_NX2_5706S               0x16aa
+-#define PCI_DEVICE_ID_NX2_57840_MF    0x16ab
++#define PCI_DEVICE_ID_NX2_57840_MF    0x16a4
+ #define PCI_DEVICE_ID_NX2_5708S               0x16ac
+ #define PCI_DEVICE_ID_NX2_57840_VF    0x16ad
+ #define PCI_DEVICE_ID_NX2_57810_MF    0x16ae
diff --git a/queue-3.5/codel-refine-one-condition-to-avoid-a-nul-rec_inv_sqrt.patch b/queue-3.5/codel-refine-one-condition-to-avoid-a-nul-rec_inv_sqrt.patch
new file mode 100644 (file)
index 0000000..5b2e248
--- /dev/null
@@ -0,0 +1,56 @@
+From d4ffa161ab3990735400f1797ec0cd643b5a18e8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 29 Jul 2012 20:52:21 +0000
+Subject: codel: refine one condition to avoid a nul rec_inv_sqrt
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2359a47671fc4fb0fe5e9945f76c2cb10792c0f8 ]
+
+One condition before codel_Newton_step() was not good if
+we never left the dropping state for a flow. As a result
+rec_inv_sqrt was 0, instead of the ~0 initial value.
+
+codel control law was then set to a very aggressive mode, dropping
+many packets before reaching 'target' and recovering from this problem.
+
+To keep codel_vars_init() as efficient as possible, refine
+the condition to make sure rec_inv_sqrt initial value is correct
+
+Many thanks to Anton Mich for discovering the issue and suggesting
+a fix.
+
+Reported-by: Anton Mich <lp2s1h@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/codel.h |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/net/codel.h
++++ b/include/net/codel.h
+@@ -305,6 +305,8 @@ static struct sk_buff *codel_dequeue(str
+                       }
+               }
+       } else if (drop) {
++              u32 delta;
++
+               if (params->ecn && INET_ECN_set_ce(skb)) {
+                       stats->ecn_mark++;
+               } else {
+@@ -320,9 +322,11 @@ static struct sk_buff *codel_dequeue(str
+                * assume that the drop rate that controlled the queue on the
+                * last cycle is a good starting point to control it now.
+                */
+-              if (codel_time_before(now - vars->drop_next,
++              delta = vars->count - vars->lastcount;
++              if (delta > 1 &&
++                  codel_time_before(now - vars->drop_next,
+                                     16 * params->interval)) {
+-                      vars->count = (vars->count - vars->lastcount) | 1;
++                      vars->count = delta;
+                       /* we dont care if rec_inv_sqrt approximation
+                        * is not very precise :
+                        * Next Newton steps will correct it quadratically.
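Review bot: The new `delta > 1` test in codel_dequeue() has no comment, and the existing comment above it explains only the time window, not why a difference of 0 or 1 must take the other branch. Going by the description, something like `/* delta <= 1: we never left the dropping state, so restart from the initial rec_inv_sqrt */` would do; the else branch is outside the hunk, so the wording should be checked against it. `delta` is a `u32`, so if `vars->lastcount` could ever exceed `vars->count` the subtraction wraps to a large value and passes the test; whether that ordering can occur is not visible here.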
diff --git a/queue-3.5/cs89x0-packet-reception-not-working.patch b/queue-3.5/cs89x0-packet-reception-not-working.patch
new file mode 100644 (file)
index 0000000..3283288
--- /dev/null
@@ -0,0 +1,47 @@
+From 05ee0f138d368dbf7951e46c1819a83deec5c8d8 Mon Sep 17 00:00:00 2001
+From: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
+Date: Mon, 27 Aug 2012 11:53:51 +0000
+Subject: cs89x0 : packet reception not working
+
+
+From: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
+
+[ Upstream commit b72c200975a4ed579dbf3353019e19528745a29a ]
+
+The RxCFG register of the CS89x0 could be configured incorrectly
+(because of misplaced parentheses), resulting in the disabling
+of packet reception.
+
+Signed-off-by: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cirrus/cs89x0.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/cirrus/cs89x0.c
++++ b/drivers/net/ethernet/cirrus/cs89x0.c
+@@ -1243,6 +1243,7 @@ static void set_multicast_list(struct ne
+ {
+       struct net_local *lp = netdev_priv(dev);
+       unsigned long flags;
++      u16 cfg;
+       spin_lock_irqsave(&lp->lock, flags);
+       if (dev->flags & IFF_PROMISC)
+@@ -1260,11 +1261,10 @@ static void set_multicast_list(struct ne
+       /* in promiscuous mode, we accept errored packets,
+        * so we have to enable interrupts on them also
+        */
+-      writereg(dev, PP_RxCFG,
+-               (lp->curr_rx_cfg |
+-                (lp->rx_mode == RX_ALL_ACCEPT)
+-                ? (RX_CRC_ERROR_ENBL | RX_RUNT_ENBL | RX_EXTRA_DATA_ENBL)
+-                : 0));
++      cfg = lp->curr_rx_cfg;
++      if (lp->rx_mode == RX_ALL_ACCEPT)
++              cfg |= RX_CRC_ERROR_ENBL | RX_RUNT_ENBL | RX_EXTRA_DATA_ENBL;
++      writereg(dev, PP_RxCFG, cfg);
+       spin_unlock_irqrestore(&lp->lock, flags);
+ }
diff --git a/queue-3.5/dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch b/queue-3.5/dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch
new file mode 100644 (file)
index 0000000..2ac0ef4
--- /dev/null
@@ -0,0 +1,34 @@
+From 9c61250e1c8771a3afa7708b24c0fb742d78382d Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:55 +0000
+Subject: dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 7b07f8eb75aa3097cdfd4f6eac3da49db787381d ]
+
+The CCID3 code fails to initialize the trailing padding bytes of struct
+tfrc_tx_info added for alignment on 64 bit architectures. It that for
+potentially leaks four bytes kernel stack via the getsockopt() syscall.
+Add an explicit memset(0) before filling the structure to avoid the
+info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ccids/ccid3.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -531,6 +531,7 @@ static int ccid3_hc_tx_getsockopt(struct
+       case DCCP_SOCKOPT_CCID_TX_INFO:
+               if (len < sizeof(tfrc))
+                       return -EINVAL;
++              memset(&tfrc, 0, sizeof(tfrc));
+               tfrc.tfrctx_x      = hc->tx_x;
+               tfrc.tfrctx_x_recv = hc->tx_x_recv;
+               tfrc.tfrctx_x_calc = hc->tx_x_calc;
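Review bot: The added `memset(&tfrc, 0, sizeof(tfrc));` in the DCCP_SOCKOPT_CCID_TX_INFO case carries no comment, so a later cleanup could mistake it for a redundant initialisation and remove it. A one-line comment such as `/* clear padding: the whole struct is copied to user space */` would record why it is there. The same applies to the `memset(&t, 0, sizeof(t));` added in do_ip_vs_get_ctl() and the `memset(&ifc, 0, sizeof(ifc));` added in dev_ifconf() later in this commit. The case body continues outside the hunk.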
diff --git a/queue-3.5/gianfar-fix-default-tx-vlan-offload-feature-flag.patch b/queue-3.5/gianfar-fix-default-tx-vlan-offload-feature-flag.patch
new file mode 100644 (file)
index 0000000..f31a298
--- /dev/null
@@ -0,0 +1,36 @@
+From 7cb4850eb37c3957bc80893ee078cb9073bfa165 Mon Sep 17 00:00:00 2001
+From: Claudiu Manoil <claudiu.manoil@freescale.com>
+Date: Thu, 23 Aug 2012 21:46:25 +0000
+Subject: gianfar: fix default tx vlan offload feature flag
+
+
+From: Claudiu Manoil <claudiu.manoil@freescale.com>
+
+[ Upstream commit e2c53be223aca36cf93eb6a0f6bafa079e78f52b ]
+
+Commit -
+"b852b72 gianfar: fix bug caused by
+87c288c6e9aa31720b72e2bc2d665e24e1653c3e"
+disables by default (on mac init) the hw vlan tag insertion.
+The "features" flags were not updated to reflect this, and
+"ethtool -K" shows tx-vlan-offload to be "on" by default.
+
+Cc: Sebastian Poehn <sebastian.poehn@belden.com>
+Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -1037,7 +1037,7 @@ static int gfar_probe(struct platform_de
+       if (priv->device_flags & FSL_GIANFAR_DEV_HAS_VLAN) {
+               dev->hw_features |= NETIF_F_HW_VLAN_TX | NETIF_F_HW_VLAN_RX;
+-              dev->features |= NETIF_F_HW_VLAN_TX | NETIF_F_HW_VLAN_RX;
++              dev->features |= NETIF_F_HW_VLAN_RX;
+       }
+       if (priv->device_flags & FSL_GIANFAR_DEV_HAS_EXTENDED_HASH) {
diff --git a/queue-3.5/ipv6-addrconf-avoid-calling-netdevice-notifiers-with-rcu-read-side-lock.patch b/queue-3.5/ipv6-addrconf-avoid-calling-netdevice-notifiers-with-rcu-read-side-lock.patch
new file mode 100644 (file)
index 0000000..1efc70d
--- /dev/null
@@ -0,0 +1,73 @@
+From 4771461ea660338626e4213d108e5d929ff95a4f Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Tue, 14 Aug 2012 08:54:51 +0000
+Subject: ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 4acd4945cd1e1f92b20d14e349c6c6a52acbd42d ]
+
+Cong Wang reports that lockdep detected suspicious RCU usage while
+enabling IPV6 forwarding:
+
+ [ 1123.310275] ===============================
+ [ 1123.442202] [ INFO: suspicious RCU usage. ]
+ [ 1123.558207] 3.6.0-rc1+ #109 Not tainted
+ [ 1123.665204] -------------------------------
+ [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!
+ [ 1123.992320]
+ [ 1123.992320] other info that might help us debug this:
+ [ 1123.992320]
+ [ 1124.307382]
+ [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0
+ [ 1124.522220] 2 locks held by sysctl/5710:
+ [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81768498>] rtnl_trylock+0x15/0x17
+ [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [<ffffffff81871df8>] rcu_lock_acquire+0x0/0x29
+ [ 1125.085209]
+ [ 1125.085209] stack backtrace:
+ [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109
+ [ 1125.441291] Call Trace:
+ [ 1125.545281]  [<ffffffff8109d915>] lockdep_rcu_suspicious+0x109/0x112
+ [ 1125.667212]  [<ffffffff8107c240>] rcu_preempt_sleep_check+0x45/0x47
+ [ 1125.781838]  [<ffffffff8107c260>] __might_sleep+0x1e/0x19b
+[...]
+ [ 1127.445223]  [<ffffffff81757ac5>] call_netdevice_notifiers+0x4a/0x4f
+[...]
+ [ 1127.772188]  [<ffffffff8175e125>] dev_disable_lro+0x32/0x6b
+ [ 1127.885174]  [<ffffffff81872d26>] dev_forward_change+0x30/0xcb
+ [ 1128.013214]  [<ffffffff818738c4>] addrconf_forward_change+0x85/0xc5
+[...]
+
+addrconf_forward_change() uses RCU iteration over the netdev list,
+which is unnecessary since it already holds the RTNL lock.  We also
+cannot reasonably require netdevice notifier functions not to sleep.
+
+Reported-by: Cong Wang <amwang@redhat.com>
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -493,8 +493,7 @@ static void addrconf_forward_change(stru
+       struct net_device *dev;
+       struct inet6_dev *idev;
+-      rcu_read_lock();
+-      for_each_netdev_rcu(net, dev) {
++      for_each_netdev(net, dev) {
+               idev = __in6_dev_get(dev);
+               if (idev) {
+                       int changed = (!idev->cnf.forwarding) ^ (!newf);
+@@ -503,7 +502,6 @@ static void addrconf_forward_change(stru
+                               dev_forward_change(idev);
+               }
+       }
+-      rcu_read_unlock();
+ }
+ static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
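Review bot: With the RCU read-side section removed, the `for_each_netdev(net, dev)` loop in addrconf_forward_change() depends entirely on the caller holding the RTNL lock, and nothing between the declarations and the loop states or checks that. Adding `ASSERT_RTNL();` ahead of the loop would make the requirement explicit and flag any future caller that does not hold the lock. The function's signature is outside the hunk, so its callers cannot be checked from here.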
diff --git a/queue-3.5/ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch b/queue-3.5/ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch
new file mode 100644 (file)
index 0000000..5e6b071
--- /dev/null
@@ -0,0 +1,36 @@
+From fb6087cf23d6356d3852b7e2a83a090839b20595 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:56 +0000
+Subject: ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 2d8a041b7bfe1097af21441cb77d6af95f4f4680 ]
+
+If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
+not set, __ip_vs_get_timeouts() does not fully initialize the structure
+that gets copied to userland and that for leaks up to 12 bytes of kernel
+stack. Add an explicit memset(0) before passing the structure to
+__ip_vs_get_timeouts() to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Wensong Zhang <wensong@linux-vs.org>
+Cc: Simon Horman <horms@verge.net.au>
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2759,6 +2759,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
+       {
+               struct ip_vs_timeout_user t;
++              memset(&t, 0, sizeof(t));
+               __ip_vs_get_timeouts(net, &t);
+               if (copy_to_user(user, &t, sizeof(t)) != 0)
+                       ret = -EFAULT;
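Review bot: The structure is cleared here in do_ip_vs_get_ctl(), but the partial initialisation the commit message describes happens inside __ip_vs_get_timeouts(), which is outside this hunk. Any other caller that hands the result to user space would need its own `memset`, and whether such callers exist is not visible here. Zeroing the structure at the top of the helper itself would cover every caller at once and keep the fix next to the code that leaves fields unset.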
diff --git a/queue-3.5/isdnloop-fix-and-simplify-isdnloop_init.patch b/queue-3.5/isdnloop-fix-and-simplify-isdnloop_init.patch
new file mode 100644 (file)
index 0000000..2356eb8
--- /dev/null
@@ -0,0 +1,60 @@
+From 55ad44e231bc005c1f6ad799e2badd8c35412601 Mon Sep 17 00:00:00 2001
+From: Wu Fengguang <fengguang.wu@intel.com>
+Date: Thu, 2 Aug 2012 23:10:01 +0000
+Subject: isdnloop: fix and simplify isdnloop_init()
+
+
+From: Wu Fengguang <fengguang.wu@intel.com>
+
+[ Upstream commit 77f00f6324cb97cf1df6f9c4aaeea6ada23abdb2 ]
+
+Fix a buffer overflow bug by removing the revision and printk.
+
+[   22.016214] isdnloop-ISDN-driver Rev 1.11.6.7
+[   22.097508] isdnloop: (loop0) virtual card added
+[   22.174400] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff83244972
+[   22.174400]
+[   22.436157] Pid: 1, comm: swapper Not tainted 3.5.0-bisect-00018-gfa8bbb1-dirty #129
+[   22.624071] Call Trace:
+[   22.720558]  [<ffffffff832448c3>] ? CallcNew+0x56/0x56
+[   22.815248]  [<ffffffff8222b623>] panic+0x110/0x329
+[   22.914330]  [<ffffffff83244972>] ? isdnloop_init+0xaf/0xb1
+[   23.014800]  [<ffffffff832448c3>] ? CallcNew+0x56/0x56
+[   23.090763]  [<ffffffff8108e24b>] __stack_chk_fail+0x2b/0x30
+[   23.185748]  [<ffffffff83244972>] isdnloop_init+0xaf/0xb1
+
+Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/isdnloop/isdnloop.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/isdn/isdnloop/isdnloop.c
++++ b/drivers/isdn/isdnloop/isdnloop.c
+@@ -16,7 +16,6 @@
+ #include <linux/sched.h>
+ #include "isdnloop.h"
+-static char *revision = "$Revision: 1.11.6.7 $";
+ static char *isdnloop_id = "loop0";
+ MODULE_DESCRIPTION("ISDN4Linux: Pseudo Driver that simulates an ISDN card");
+@@ -1494,17 +1493,6 @@ isdnloop_addcard(char *id1)
+ static int __init
+ isdnloop_init(void)
+ {
+-      char *p;
+-      char rev[10];
+-
+-      if ((p = strchr(revision, ':'))) {
+-              strcpy(rev, p + 1);
+-              p = strchr(rev, '$');
+-              *p = 0;
+-      } else
+-              strcpy(rev, " ??? ");
+-      printk(KERN_NOTICE "isdnloop-ISDN-driver Rev%s\n", rev);
+-
+       if (isdnloop_id)
+               return (isdnloop_addcard(isdnloop_id));
diff --git a/queue-3.5/l2tp-avoid-to-use-synchronize_rcu-in-tunnel-free-function.patch b/queue-3.5/l2tp-avoid-to-use-synchronize_rcu-in-tunnel-free-function.patch
new file mode 100644 (file)
index 0000000..f18b559
--- /dev/null
@@ -0,0 +1,46 @@
+From f48305cbef36e65b5ef0d9c394768a6601cfe5b9 Mon Sep 17 00:00:00 2001
+From: "xeb@mail.ru" <xeb@mail.ru>
+Date: Fri, 24 Aug 2012 01:07:38 +0000
+Subject: l2tp: avoid to use synchronize_rcu in tunnel free function
+
+
+From: "xeb@mail.ru" <xeb@mail.ru>
+
+[ Upstream commit 99469c32f79a32d8481f87be0d3c66dad286f4ec ]
+
+Avoid to use synchronize_rcu in l2tp_tunnel_free because context may be
+atomic.
+
+Signed-off-by: Dmitry Kozlov <xeb@mail.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c |    3 +--
+ net/l2tp/l2tp_core.h |    1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1346,11 +1346,10 @@ static void l2tp_tunnel_free(struct l2tp
+       /* Remove from tunnel list */
+       spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+       list_del_rcu(&tunnel->list);
++      kfree_rcu(tunnel, rcu);
+       spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+-      synchronize_rcu();
+       atomic_dec(&l2tp_tunnel_count);
+-      kfree(tunnel);
+ }
+ /* Create a socket for the tunnel, if one isn't set up by
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -163,6 +163,7 @@ struct l2tp_tunnel_cfg {
+ struct l2tp_tunnel {
+       int                     magic;          /* Should be L2TP_TUNNEL_MAGIC */
++      struct rcu_head rcu;
+       rwlock_t                hlist_lock;     /* protect session_hlist */
+       struct hlist_head       session_hlist[L2TP_HASH_SIZE];
+                                               /* hashed list of sessions,
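Review bot: `kfree_rcu(tunnel, rcu);` is issued while l2tp_tunnel_list_lock is still held, although only the `list_del_rcu()` needs that lock. Moving the call to just after `spin_unlock_bh(&pn->l2tp_tunnel_list_lock);` limits the critical section to the list update and makes it clearer that the lock does not protect the deferred free. In l2tp_core.h the new `struct rcu_head rcu;` member is the only one in the visible part of the struct without a trailing comment; `/* for kfree_rcu() in l2tp_tunnel_free() */` would match its neighbours. The start of l2tp_tunnel_free() is outside the hunk.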
diff --git a/queue-3.5/l2tp-fix-info-leak-via-getsockname.patch b/queue-3.5/l2tp-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..37d96fb
--- /dev/null
@@ -0,0 +1,33 @@
+From c2a22a136f3fedc20e23349a52256c4eb489c47f Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:52 +0000
+Subject: l2tp: fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 04d4fbca1017c11381e7d82acea21dd741e748bc ]
+
+The L2TP code for IPv6 fails to initialize the l2tp_unused member of
+struct sockaddr_l2tpip6 and that for leaks two bytes kernel stack via
+the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the
+info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip6.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socke
+       lsa->l2tp_family = AF_INET6;
+       lsa->l2tp_flowinfo = 0;
+       lsa->l2tp_scope_id = 0;
++      lsa->l2tp_unused = 0;
+       if (peer) {
+               if (!lsk->peer_conn_id)
+                       return -ENOTCONN;
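Review bot: Setting `lsa->l2tp_unused = 0;` fixes the member named in the commit message, but the address is still initialised field by field, so any member added later, or any compiler padding in struct sockaddr_l2tpip6, would be handed back uninitialised again. Clearing the whole structure first, `memset(lsa, 0, sizeof(*lsa));` ahead of the `lsa->l2tp_family = AF_INET6;` assignment, removes that class of mistake and makes the explicit `= 0` lines unnecessary. Whether the struct currently has padding cannot be seen from this hunk, and l2tp_ip6_getname() starts and ends outside it.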
diff --git a/queue-3.5/llc-fix-info-leak-via-getsockname.patch b/queue-3.5/llc-fix-info-leak-via-getsockname.patch
new file mode 100644 (file)
index 0000000..1aecb5e
--- /dev/null
@@ -0,0 +1,46 @@
+From 15967b68adbcfa836663ae9fa5f201270377af03 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:53 +0000
+Subject: llc: fix info leak via getsockname()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192 ]
+
+The LLC code wrongly returns 0, i.e. "success", when the socket is
+zapped. Together with the uninitialized uaddrlen pointer argument from
+sys_getsockname this leads to an arbitrary memory leak of up to 128
+bytes kernel stack via the getsockname() syscall.
+
+Return an error instead when the socket is zapped to prevent the info
+leak. Also remove the unnecessary memset(0). We don't directly write to
+the memory pointed by uaddr but memcpy() a local structure at the end of
+the function that is properly initialized.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket
+       struct sockaddr_llc sllc;
+       struct sock *sk = sock->sk;
+       struct llc_sock *llc = llc_sk(sk);
+-      int rc = 0;
++      int rc = -EBADF;
+       memset(&sllc, 0, sizeof(sllc));
+       lock_sock(sk);
+       if (sock_flag(sk, SOCK_ZAPPED))
+               goto out;
+       *uaddrlen = sizeof(sllc);
+-      memset(uaddr, 0, *uaddrlen);
+       if (peer) {
+               rc = -ENOTCONN;
+               if (sk->sk_state != TCP_ESTABLISHED)
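Review bot: The error returned for a zapped socket now comes from the initialiser `int rc = -EBADF;` rather than from the `sock_flag(sk, SOCK_ZAPPED)` check, so a reader of the check cannot see which code is returned. Assigning it where the condition is tested, `rc = -EBADF;` on the line before `if (sock_flag(sk, SOCK_ZAPPED))`, would mirror the `rc = -ENOTCONN;` line a few lines below. With an error as the default, the success path must set `rc = 0` before reaching `out`; that assignment is outside the hunk and is worth confirming.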
diff --git a/queue-3.5/net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch b/queue-3.5/net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch
new file mode 100644 (file)
index 0000000..800fb5a
--- /dev/null
@@ -0,0 +1,69 @@
+From 019c941564d043bd0b99a53f4e9c25c5a917b934 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Mon, 30 Jul 2012 15:57:00 +0000
+Subject: net: Allow driver to limit number of GSO segments per skb
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 30b678d844af3305cda5953467005cebb5d7b687 ]
+
+A peer (or local user) may cause TCP to use a nominal MSS of as little
+as 88 (actual MSS of 76 with timestamps).  Given that we have a
+sufficiently prodigious local sender and the peer ACKs quickly enough,
+it is nevertheless possible to grow the window for such a connection
+to the point that we will try to send just under 64K at once.  This
+results in a single skb that expands to 861 segments.
+
+In some drivers with TSO support, such an skb will require hundreds of
+DMA descriptors; a substantial fraction of a TX ring or even more than
+a full ring.  The TX queue selected for the skb may stall and trigger
+the TX watchdog repeatedly (since the problem skb will be retried
+after the TX reset).  This particularly affects sfc, for which the
+issue is designated as CVE-2012-3412.
+
+Therefore:
+1. Add the field net_device::gso_max_segs holding the device-specific
+   limit.
+2. In netif_skb_features(), if the number of segments is too high then
+   mask out GSO features to force fall back to software GSO.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    2 ++
+ net/core/dev.c            |    4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1301,6 +1301,8 @@ struct net_device {
+       /* for setting kernel sock attribute on TCP connection setup */
+ #define GSO_MAX_SIZE          65536
+       unsigned int            gso_max_size;
++#define GSO_MAX_SEGS          65535
++      u16                     gso_max_segs;
+ #ifdef CONFIG_DCB
+       /* Data Center Bridging netlink ops */
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2119,6 +2119,9 @@ netdev_features_t netif_skb_features(str
+       __be16 protocol = skb->protocol;
+       netdev_features_t features = skb->dev->features;
++      if (skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
++              features &= ~NETIF_F_GSO_MASK;
++
+       if (protocol == htons(ETH_P_8021Q)) {
+               struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
+               protocol = veh->h_vlan_encapsulated_proto;
+@@ -5911,6 +5914,7 @@ struct net_device *alloc_netdev_mqs(int
+       dev_net_set(dev, &init_net);
+       dev->gso_max_size = GSO_MAX_SIZE;
++      dev->gso_max_segs = GSO_MAX_SEGS;
+       INIT_LIST_HEAD(&dev->napi_list);
+       INIT_LIST_HEAD(&dev->unreg_list);
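Review bot: The new `gso_max_segs` member and `GSO_MAX_SEGS` define are added to struct net_device without a comment, and alloc_netdev_mqs() sets the default to 65535, so (assuming `gso_segs` is itself a 16-bit count) the new test in netif_skb_features() does nothing until a driver lowers the value. A comment on the field, for example `/* max GSO segments per skb the device accepts; drivers with small TX rings must lower this */`, would tell driver authors that the protection is opt-in. The existing comment above `GSO_MAX_SIZE` describes `gso_max_size` and does not cover the new field. netif_skb_features() and alloc_netdev_mqs() both continue outside their hunks.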
diff --git a/queue-3.5/net-core-fix-potential-memory-leak-in-dev_set_alias.patch b/queue-3.5/net-core-fix-potential-memory-leak-in-dev_set_alias.patch
new file mode 100644 (file)
index 0000000..cc4eb40
--- /dev/null
@@ -0,0 +1,45 @@
+From 55939a0509f7270c6a77473e3071fbdbd61b5387 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Wed, 8 Aug 2012 00:33:25 +0000
+Subject: net/core: Fix potential memory leak in dev_set_alias()
+
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 7364e445f62825758fa61195d237a5b8ecdd06ec ]
+
+Do not leak memory by updating pointer with potentially NULL realloc return value.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1055,6 +1055,8 @@ rollback:
+  */
+ int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
+ {
++      char *new_ifalias;
++
+       ASSERT_RTNL();
+       if (len >= IFALIASZ)
+@@ -1068,9 +1070,10 @@ int dev_set_alias(struct net_device *dev
+               return 0;
+       }
+-      dev->ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);
+-      if (!dev->ifalias)
++      new_ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);
++      if (!new_ifalias)
+               return -ENOMEM;
++      dev->ifalias = new_ifalias;
+       strlcpy(dev->ifalias, alias, len+1);
+       return len;
diff --git a/queue-3.5/net-fix-info-leak-in-compat-dev_ifconf.patch b/queue-3.5/net-fix-info-leak-in-compat-dev_ifconf.patch
new file mode 100644 (file)
index 0000000..8a9694a
--- /dev/null
@@ -0,0 +1,33 @@
+From c8e371d87129cf9bad8c9d765d6a5b3eb938c5f9 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 15 Aug 2012 11:31:57 +0000
+Subject: net: fix info leak in compat dev_ifconf()
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8 ]
+
+The implementation of dev_ifconf() for the compat ioctl interface uses
+an intermediate ifc structure allocated in userland for the duration of
+the syscall. Though, it fails to initialize the padding bytes inserted
+for alignment and that for leaks four bytes of kernel stack. Add an
+explicit memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2658,6 +2658,7 @@ static int dev_ifconf(struct net *net, s
+       if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
+               return -EFAULT;
++      memset(&ifc, 0, sizeof(ifc));
+       if (ifc32.ifcbuf == 0) {
+               ifc32.ifc_len = 0;
+               ifc.ifc_len = 0;
diff --git a/queue-3.5/net-ipv4-ipmr_expire_timer-causes-crash-when-removing-net-namespace.patch b/queue-3.5/net-ipv4-ipmr_expire_timer-causes-crash-when-removing-net-namespace.patch
new file mode 100644 (file)
index 0000000..5b177e3
--- /dev/null
@@ -0,0 +1,84 @@
+From 6879e6e89b5331040673e8f65dc0a15fcb7e62fd Mon Sep 17 00:00:00 2001
+From: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date: Fri, 24 Aug 2012 07:38:35 +0000
+Subject: net: ipv4: ipmr_expire_timer causes crash when removing net namespace
+
+
+From: Francesco Ruggeri <fruggeri@aristanetworks.com>
+
+[ Upstream commit acbb219d5f53821b2d0080d047800410c0420ea1 ]
+
+When tearing down a net namespace, ipv4 mr_table structures are freed
+without first deactivating their timers. This can result in a crash in
+run_timer_softirq.
+This patch mimics the corresponding behaviour in ipv6.
+Locking and synchronization seem to be adequate.
+We are about to kfree mrt, so existing code should already make sure that
+no other references to mrt are pending or can be created by incoming traffic.
+The functions invoked here do not cause new references to mrt or other
+race conditions to be created.
+Invoking del_timer_sync guarantees that ipmr_expire_timer is inactive.
+Both ipmr_expire_process (whose completion we may have to wait in
+del_timer_sync) and mroute_clean_tables internally use mfc_unres_lock
+or other synchronizations when needed, and they both only modify mrt.
+
+Tested in Linux 3.4.8.
+
+Signed-off-by: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipmr.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -124,6 +124,8 @@ static DEFINE_SPINLOCK(mfc_unres_lock);
+ static struct kmem_cache *mrt_cachep __read_mostly;
+ static struct mr_table *ipmr_new_table(struct net *net, u32 id);
++static void ipmr_free_table(struct mr_table *mrt);
++
+ static int ip_mr_forward(struct net *net, struct mr_table *mrt,
+                        struct sk_buff *skb, struct mfc_cache *cache,
+                        int local);
+@@ -131,6 +133,7 @@ static int ipmr_cache_report(struct mr_t
+                            struct sk_buff *pkt, vifi_t vifi, int assert);
+ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
+                             struct mfc_cache *c, struct rtmsg *rtm);
++static void mroute_clean_tables(struct mr_table *mrt);
+ static void ipmr_expire_process(unsigned long arg);
+ #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
+@@ -271,7 +274,7 @@ static void __net_exit ipmr_rules_exit(s
+       list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list) {
+               list_del(&mrt->list);
+-              kfree(mrt);
++              ipmr_free_table(mrt);
+       }
+       fib_rules_unregister(net->ipv4.mr_rules_ops);
+ }
+@@ -299,7 +302,7 @@ static int __net_init ipmr_rules_init(st
+ static void __net_exit ipmr_rules_exit(struct net *net)
+ {
+-      kfree(net->ipv4.mrt);
++      ipmr_free_table(net->ipv4.mrt);
+ }
+ #endif
+@@ -336,6 +339,13 @@ static struct mr_table *ipmr_new_table(s
+       return mrt;
+ }
++static void ipmr_free_table(struct mr_table *mrt)
++{
++      del_timer_sync(&mrt->ipmr_expire_timer);
++      mroute_clean_tables(mrt);
++      kfree(mrt);
++}
++
+ /* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
+ static void ipmr_del_tunnel(struct net_device *dev, struct vifctl *v)
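Review bot: ipmr_free_table() passes `&mrt->ipmr_expire_timer` to del_timer_sync() unconditionally, whereas the `kfree()` calls it replaces accepted a NULL pointer. In the second ipmr_rules_exit() variant the argument is `net->ipv4.mrt`, and whether that can still be NULL when exit runs is not visible in these hunks. If it can, a guard at the top of the helper, `if (!mrt) return;`, restores the old tolerance. A short comment in the helper saying that the timer must be stopped before the table is freed would also record the ordering requirement.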
diff --git a/queue-3.5/net_sched-gact-fix-potential-panic-in-tcf_gact.patch b/queue-3.5/net_sched-gact-fix-potential-panic-in-tcf_gact.patch
new file mode 100644 (file)
index 0000000..43708ff
--- /dev/null
@@ -0,0 +1,68 @@
+From 4a27ff65129fad3975e85b51a4d163b9308b0a50 Mon Sep 17 00:00:00 2001
+From: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Date: Fri, 3 Aug 2012 19:57:52 +0900
+Subject: net_sched: gact: Fix potential panic in tcf_gact().
+
+
+From: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+
+[ Upstream commit 696ecdc10622d86541f2e35cc16e15b6b3b1b67e ]
+
+gact_rand array is accessed by gact->tcfg_ptype whose value
+is assumed to less than MAX_RAND, but any range checks are
+not performed.
+
+So add a check in tcf_gact_init(). And in tcf_gact(), we can
+reduce a branch.
+
+Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_gact.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -67,6 +67,9 @@ static int tcf_gact_init(struct nlattr *
+       struct tcf_common *pc;
+       int ret = 0;
+       int err;
++#ifdef CONFIG_GACT_PROB
++      struct tc_gact_p *p_parm = NULL;
++#endif
+       if (nla == NULL)
+               return -EINVAL;
+@@ -82,6 +85,12 @@ static int tcf_gact_init(struct nlattr *
+ #ifndef CONFIG_GACT_PROB
+       if (tb[TCA_GACT_PROB] != NULL)
+               return -EOPNOTSUPP;
++#else
++      if (tb[TCA_GACT_PROB]) {
++              p_parm = nla_data(tb[TCA_GACT_PROB]);
++              if (p_parm->ptype >= MAX_RAND)
++                      return -EINVAL;
++      }
+ #endif
+       pc = tcf_hash_check(parm->index, a, bind, &gact_hash_info);
+@@ -103,8 +112,7 @@ static int tcf_gact_init(struct nlattr *
+       spin_lock_bh(&gact->tcf_lock);
+       gact->tcf_action = parm->action;
+ #ifdef CONFIG_GACT_PROB
+-      if (tb[TCA_GACT_PROB] != NULL) {
+-              struct tc_gact_p *p_parm = nla_data(tb[TCA_GACT_PROB]);
++      if (p_parm) {
+               gact->tcfg_paction = p_parm->paction;
+               gact->tcfg_pval    = p_parm->pval;
+               gact->tcfg_ptype   = p_parm->ptype;
+@@ -133,7 +141,7 @@ static int tcf_gact(struct sk_buff *skb,
+       spin_lock(&gact->tcf_lock);
+ #ifdef CONFIG_GACT_PROB
+-      if (gact->tcfg_ptype && gact_rand[gact->tcfg_ptype] != NULL)
++      if (gact->tcfg_ptype)
+               action = gact_rand[gact->tcfg_ptype](gact);
+       else
+               action = gact->tcf_action;
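Review bot: With the `gact_rand[gact->tcfg_ptype] != NULL` test removed from tcf_gact(), the indirect call is safe only if every non-zero index below MAX_RAND holds a function and tcf_gact_init() is the only writer of `tcfg_ptype`; neither the table nor any other writer is visible in these hunks. A comment at the call, e.g. `/* ptype is range-checked in tcf_gact_init(); entries 1..MAX_RAND-1 must be non-NULL */`, would keep that dependency from being broken silently. The new check also reads `p_parm->ptype` straight from `nla_data()`, so it relies on the attribute length having been validated by the parse policy, which is outside the hunk and worth confirming.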
diff --git a/queue-3.5/netlink-fix-possible-spoofing-from-non-root-processes.patch b/queue-3.5/netlink-fix-possible-spoofing-from-non-root-processes.patch
new file mode 100644 (file)
index 0000000..6e869de
--- /dev/null
@@ -0,0 +1,74 @@
+From 85fdd856a3c5e2e20a8e34c29268e6e18f2dd01e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 23 Aug 2012 02:09:11 +0000
+Subject: netlink: fix possible spoofing from non-root processes
+
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 20e1db19db5d6b9e4e83021595eab0dc8f107bef ]
+
+Non-root user-space processes can send Netlink messages to other
+processes that are well-known for being subscribed to Netlink
+asynchronous notifications. This allows ilegitimate non-root
+process to send forged messages to Netlink subscribers.
+
+The userspace process usually verifies the legitimate origin in
+two ways:
+
+a) Socket credentials. If UID != 0, then the message comes from
+   some ilegitimate process and the message needs to be dropped.
+
+b) Netlink portID. In general, portID == 0 means that the origin
+   of the messages comes from the kernel. Thus, discarding any
+   message not coming from the kernel.
+
+However, ctnetlink sets the portID in event messages that has
+been triggered by some user-space process, eg. conntrack utility.
+So other processes subscribed to ctnetlink events, eg. conntrackd,
+know that the event was triggered by some user-space action.
+
+Neither of the two ways to discard ilegitimate messages coming
+from non-root processes can help for ctnetlink.
+
+This patch adds capability validation in case that dst_pid is set
+in netlink_sendmsg(). This approach is aggressive since existing
+applications using any Netlink bus to deliver messages between
+two user-space processes will break. Note that the exception is
+NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
+userspace communication.
+
+Still, if anyone wants that his Netlink bus allows netlink-to-netlink
+userspace, then they can set NL_NONROOT_SEND. However, by default,
+I don't think it makes sense to allow to use NETLINK_ROUTE to
+communicate two processes that are sending no matter what information
+that is not related to link/neighbouring/routing. They should be using
+NETLINK_USERSOCK instead for that.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1355,7 +1355,8 @@ static int netlink_sendmsg(struct kiocb
+               dst_pid = addr->nl_pid;
+               dst_group = ffs(addr->nl_groups);
+               err =  -EPERM;
+-              if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
++              if ((dst_group || dst_pid) &&
++                  !netlink_capable(sock, NL_NONROOT_SEND))
+                       goto out;
+       } else {
+               dst_pid = nlk->dst_pid;
+@@ -2124,6 +2125,7 @@ static void __init netlink_add_usersock_
+       rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
+       nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
+       nl_table[NETLINK_USERSOCK].registered = 1;
++      nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
+       netlink_table_ungrab();
+ }
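Review bot: The added `dst_pid` test covers only the branch where the caller supplies a destination address; the `else` branch still takes `dst_pid = nlk->dst_pid;` with no capability check in this hunk. If an unprivileged socket can set that stored value elsewhere (presumably when the socket is connected, which is not shown here), the same `(dst_group || dst_pid)` condition is needed at that point. Otherwise the restriction described in the commit message is incomplete. netlink_sendmsg() starts and ends outside the hunk.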
diff --git a/queue-3.5/openvswitch-reset-upper-layer-protocol-info-on-internal-devices.patch b/queue-3.5/openvswitch-reset-upper-layer-protocol-info-on-internal-devices.patch
new file mode 100644 (file)
index 0000000..bd4570f
--- /dev/null
@@ -0,0 +1,50 @@
+From 802de090dee2eb363027e6634a3740877d45b972 Mon Sep 17 00:00:00 2001
+From: Jesse Gross <jesse@nicira.com>
+Date: Fri, 25 May 2012 11:29:30 -0700
+Subject: openvswitch: Reset upper layer protocol info on internal devices.
+
+
+From: Jesse Gross <jesse@nicira.com>
+
+[ Upstream commit 7fe99e2d434eafeac0c57b279a77e5de39212636 ]
+
+It's possible that packets that are sent on internal devices (from
+the OVS perspective) have already traversed the local IP stack.
+After they go through the internal device, they will again travel
+through the IP stack which may get confused by the presence of
+existing information in the skb. The problem can be observed
+when switching between namespaces. This clears out that information
+to avoid problems but deliberately leaves other metadata alone.
+This is to provide maximum flexibility in chaining together OVS
+and other Linux components.
+
+Signed-off-by: Jesse Gross <jesse@nicira.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/vport-internal_dev.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -24,6 +24,9 @@
+ #include <linux/ethtool.h>
+ #include <linux/skbuff.h>
++#include <net/dst.h>
++#include <net/xfrm.h>
++
+ #include "datapath.h"
+ #include "vport-internal_dev.h"
+ #include "vport-netdev.h"
+@@ -209,6 +212,11 @@ static int internal_dev_recv(struct vpor
+       int len;
+       len = skb->len;
++
++      skb_dst_drop(skb);
++      nf_reset(skb);
++      secpath_reset(skb);
++
+       skb->dev = netdev;
+       skb->pkt_type = PACKET_HOST;
+       skb->protocol = eth_type_trans(skb, netdev);
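Review bot: The three resets added to internal_dev_recv() carry no comment, and nothing in the code says that the remaining skb metadata is kept on purpose; that reasoning exists only in the commit message. Stale route, conntrack and IPsec secpath state crossing into another namespace can feed later filtering or policy decisions, so the intent is worth recording next to the calls, for example `/* Drop dst, conntrack and secpath left by an earlier pass through the IP stack; other metadata is kept deliberately. */`. Which fields survive (skb->mark, for instance) is not visible in this hunk, so the wording should be checked against what the function leaves untouched. internal_dev_recv() starts and ends outside the hunk.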
diff --git a/queue-3.5/pptp-lookup-route-with-the-proper-net-namespace.patch b/queue-3.5/pptp-lookup-route-with-the-proper-net-namespace.patch
new file mode 100644 (file)
index 0000000..11becc5
--- /dev/null
@@ -0,0 +1,44 @@
+From aa50adc8f1a1da412f01cc21e992b175c73af74e Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Tue, 7 Aug 2012 00:23:11 +0000
+Subject: pptp: lookup route with the proper net namespace
+
+
+From: Gao feng <gaofeng@cn.fujitsu.com>
+
+[ Upstream commit 08252b32311c3fa84219ad794d640af7399b5485 ]
+
+pptp always use init_net as the net namespace to lookup
+route, this will cause route lookup failed in container.
+
+because we already set the correct net namespace to struct
+sock in pptp_create,so fix this by using sock_net(sk) to
+replace &init_net.
+
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -189,7 +189,7 @@ static int pptp_xmit(struct ppp_channel
+       if (sk_pppox(po)->sk_state & PPPOX_DEAD)
+               goto tx_error;
+-      rt = ip_route_output_ports(&init_net, &fl4, NULL,
++      rt = ip_route_output_ports(sock_net(sk), &fl4, NULL,
+                                  opt->dst_addr.sin_addr.s_addr,
+                                  opt->src_addr.sin_addr.s_addr,
+                                  0, 0, IPPROTO_GRE,
+@@ -468,7 +468,7 @@ static int pptp_connect(struct socket *s
+       po->chan.private = sk;
+       po->chan.ops = &pptp_chan_ops;
+-      rt = ip_route_output_ports(&init_net, &fl4, sk,
++      rt = ip_route_output_ports(sock_net(sk), &fl4, sk,
+                                  opt->dst_addr.sin_addr.s_addr,
+                                  opt->src_addr.sin_addr.s_addr,
+                                  0, 0,
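Review bot: pptp_xmit() now takes the namespace from `sock_net(sk)` but still passes NULL as the socket argument to ip_route_output_ports(), whereas pptp_connect() passes `sk` for both. If the helper uses that argument to label the flow for the LSM (to be confirmed against its definition, which is not on this page), transmit-path lookups are classified differently from the connect-time lookup. Either pass `sk` there too or add a comment saying why NULL is intended. The declaration of `sk` in pptp_xmit() is outside the hunk, and both functions continue beyond the lines shown.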
diff --git a/queue-3.5/series b/queue-3.5/series
new file mode 100644 (file)
index 0000000..2afc54c
--- /dev/null
@@ -0,0 +1,34 @@
+codel-refine-one-condition-to-avoid-a-nul-rec_inv_sqrt.patch
+net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch
+sfc-fix-maximum-number-of-tso-segments-and-minimum-tx-queue-size.patch
+tcp-apply-device-tso-segment-limit-earlier.patch
+net_sched-gact-fix-potential-panic-in-tcf_gact.patch
+isdnloop-fix-and-simplify-isdnloop_init.patch
+pptp-lookup-route-with-the-proper-net-namespace.patch
+net-core-fix-potential-memory-leak-in-dev_set_alias.patch
+af_packet-remove-bug-statement-in-tpacket_destruct_skb.patch
+ipv6-addrconf-avoid-calling-netdevice-notifiers-with-rcu-read-side-lock.patch
+atm-fix-info-leak-in-getsockopt-so_atmpvc.patch
+atm-fix-info-leak-via-getsockname.patch
+bluetooth-hci-fix-info-leak-in-getsockopt-hci_filter.patch
+bluetooth-hci-fix-info-leak-via-getsockname.patch
+bluetooth-rfcomm-fix-info-leak-in-getsockopt-bt_security.patch
+bluetooth-rfcomm-fix-info-leak-in-ioctl-rfcommgetdevlist.patch
+bluetooth-rfcomm-fix-info-leak-via-getsockname.patch
+bluetooth-l2cap-fix-info-leak-via-getsockname.patch
+l2tp-fix-info-leak-via-getsockname.patch
+llc-fix-info-leak-via-getsockname.patch
+dccp-fix-info-leak-via-getsockopt-dccp_sockopt_ccid_tx_info.patch
+ipvs-fix-info-leak-in-getsockopt-ip_vs_so_get_timeout.patch
+net-fix-info-leak-in-compat-dev_ifconf.patch
+af_packet-don-t-emit-packet-on-orig-fanout-group.patch
+af_netlink-force-credentials-passing.patch
+netlink-fix-possible-spoofing-from-non-root-processes.patch
+tcp-fix-cwnd-reduction-for-non-sack-recovery.patch
+sfc-fix-reporting-of-ipv4-full-filters-through-ethtool.patch
+gianfar-fix-default-tx-vlan-offload-feature-flag.patch
+l2tp-avoid-to-use-synchronize_rcu-in-tunnel-free-function.patch
+net-ipv4-ipmr_expire_timer-causes-crash-when-removing-net-namespace.patch
+bnx2x-fix-57840_mf-pci-id.patch
+cs89x0-packet-reception-not-working.patch
+openvswitch-reset-upper-layer-protocol-info-on-internal-devices.patch
diff --git a/queue-3.5/sfc-fix-maximum-number-of-tso-segments-and-minimum-tx-queue-size.patch b/queue-3.5/sfc-fix-maximum-number-of-tso-segments-and-minimum-tx-queue-size.patch
new file mode 100644 (file)
index 0000000..5deb68d
--- /dev/null
@@ -0,0 +1,151 @@
+From aebf58da7fc90169585f6b18dd43175b1d4d3b4c Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Mon, 30 Jul 2012 15:57:44 +0000
+Subject: sfc: Fix maximum number of TSO segments and minimum TX queue size
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 7e6d06f0de3f74ca929441add094518ae332257c ]
+
+
+Currently an skb requiring TSO may not fit within a minimum-size TX
+queue.  The TX queue selected for the skb may stall and trigger the TX
+watchdog repeatedly (since the problem skb will be retried after the
+TX reset).  This issue is designated as CVE-2012-3412.
+
+Set the maximum number of TSO segments for our devices to 100.  This
+should make no difference to behaviour unless the actual MSS is less
+than about 700.  Increase the minimum TX queue size accordingly to
+allow for 2 worst-case skbs, so that there will definitely be space
+to add an skb after we wake a queue.
+
+To avoid invalidating existing configurations, change
+efx_ethtool_set_ringparam() to fix up values that are too small rather
+than returning -EINVAL.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/efx.c     |    6 ++++++
+ drivers/net/ethernet/sfc/efx.h     |   14 ++++++++++----
+ drivers/net/ethernet/sfc/ethtool.c |   16 +++++++++++-----
+ drivers/net/ethernet/sfc/tx.c      |   19 +++++++++++++++++++
+ 4 files changed, 46 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -1503,6 +1503,11 @@ static int efx_probe_all(struct efx_nic
+               goto fail2;
+       }
++      BUILD_BUG_ON(EFX_DEFAULT_DMAQ_SIZE < EFX_RXQ_MIN_ENT);
++      if (WARN_ON(EFX_DEFAULT_DMAQ_SIZE < EFX_TXQ_MIN_ENT(efx))) {
++              rc = -EINVAL;
++              goto fail3;
++      }
+       efx->rxq_entries = efx->txq_entries = EFX_DEFAULT_DMAQ_SIZE;
+       rc = efx_probe_filters(efx);
+@@ -2070,6 +2075,7 @@ static int efx_register_netdev(struct ef
+       net_dev->irq = efx->pci_dev->irq;
+       net_dev->netdev_ops = &efx_netdev_ops;
+       SET_ETHTOOL_OPS(net_dev, &efx_ethtool_ops);
++      net_dev->gso_max_segs = EFX_TSO_MAX_SEGS;
+       rtnl_lock();
+--- a/drivers/net/ethernet/sfc/efx.h
++++ b/drivers/net/ethernet/sfc/efx.h
+@@ -30,6 +30,7 @@ extern netdev_tx_t
+ efx_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb);
+ extern void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index);
+ extern int efx_setup_tc(struct net_device *net_dev, u8 num_tc);
++extern unsigned int efx_tx_max_skb_descs(struct efx_nic *efx);
+ /* RX */
+ extern int efx_probe_rx_queue(struct efx_rx_queue *rx_queue);
+@@ -52,10 +53,15 @@ extern void efx_schedule_slow_fill(struc
+ #define EFX_MAX_EVQ_SIZE 16384UL
+ #define EFX_MIN_EVQ_SIZE 512UL
+-/* The smallest [rt]xq_entries that the driver supports. Callers of
+- * efx_wake_queue() assume that they can subsequently send at least one
+- * skb. Falcon/A1 may require up to three descriptors per skb_frag. */
+-#define EFX_MIN_RING_SIZE (roundup_pow_of_two(2 * 3 * MAX_SKB_FRAGS))
++/* Maximum number of TCP segments we support for soft-TSO */
++#define EFX_TSO_MAX_SEGS      100
++
++/* The smallest [rt]xq_entries that the driver supports.  RX minimum
++ * is a bit arbitrary.  For TX, we must have space for at least 2
++ * TSO skbs.
++ */
++#define EFX_RXQ_MIN_ENT               128U
++#define EFX_TXQ_MIN_ENT(efx)  (2 * efx_tx_max_skb_descs(efx))
+ /* Filters */
+ extern int efx_probe_filters(struct efx_nic *efx);
+--- a/drivers/net/ethernet/sfc/ethtool.c
++++ b/drivers/net/ethernet/sfc/ethtool.c
+@@ -680,21 +680,27 @@ static int efx_ethtool_set_ringparam(str
+                                    struct ethtool_ringparam *ring)
+ {
+       struct efx_nic *efx = netdev_priv(net_dev);
++      u32 txq_entries;
+       if (ring->rx_mini_pending || ring->rx_jumbo_pending ||
+           ring->rx_pending > EFX_MAX_DMAQ_SIZE ||
+           ring->tx_pending > EFX_MAX_DMAQ_SIZE)
+               return -EINVAL;
+-      if (ring->rx_pending < EFX_MIN_RING_SIZE ||
+-          ring->tx_pending < EFX_MIN_RING_SIZE) {
++      if (ring->rx_pending < EFX_RXQ_MIN_ENT) {
+               netif_err(efx, drv, efx->net_dev,
+-                        "TX and RX queues cannot be smaller than %ld\n",
+-                        EFX_MIN_RING_SIZE);
++                        "RX queues cannot be smaller than %u\n",
++                        EFX_RXQ_MIN_ENT);
+               return -EINVAL;
+       }
+-      return efx_realloc_channels(efx, ring->rx_pending, ring->tx_pending);
++      txq_entries = max(ring->tx_pending, EFX_TXQ_MIN_ENT(efx));
++      if (txq_entries != ring->tx_pending)
++              netif_warn(efx, drv, efx->net_dev,
++                         "increasing TX queue size to minimum of %u\n",
++                         txq_entries);
++
++      return efx_realloc_channels(efx, ring->rx_pending, txq_entries);
+ }
+ static int efx_ethtool_set_pauseparam(struct net_device *net_dev,
+--- a/drivers/net/ethernet/sfc/tx.c
++++ b/drivers/net/ethernet/sfc/tx.c
+@@ -119,6 +119,25 @@ efx_max_tx_len(struct efx_nic *efx, dma_
+       return len;
+ }
++unsigned int efx_tx_max_skb_descs(struct efx_nic *efx)
++{
++      /* Header and payload descriptor for each output segment, plus
++       * one for every input fragment boundary within a segment
++       */
++      unsigned int max_descs = EFX_TSO_MAX_SEGS * 2 + MAX_SKB_FRAGS;
++
++      /* Possibly one more per segment for the alignment workaround */
++      if (EFX_WORKAROUND_5391(efx))
++              max_descs += EFX_TSO_MAX_SEGS;
++
++      /* Possibly more for PCIe page boundaries within input fragments */
++      if (PAGE_SIZE > EFX_PAGE_SIZE)
++              max_descs += max_t(unsigned int, MAX_SKB_FRAGS,
++                                 DIV_ROUND_UP(GSO_MAX_SIZE, EFX_PAGE_SIZE));
++
++      return max_descs;
++}
++
+ /*
+  * Add a socket buffer to a TX queue
+  *
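Review bot: efx_tx_max_skb_descs() in tx.c is a worst case only while no skb carries more than EFX_TSO_MAX_SEGS segments, and nothing in these hunks makes the transmit path check that. The bound rests on the stack honouring `net_dev->gso_max_segs` set in efx_register_netdev(), which in this queue presumably comes from net-allow-driver-to-limit-number-of-gso-segments-per-skb.patch, so the two patches have to be applied together for the CVE-2012-3412 fix to hold. I would state that above the function, e.g. `/* Worst case assumes the stack enforces gso_max_segs == EFX_TSO_MAX_SEGS */`. Separately, efx_ethtool_set_ringparam() compares tx_pending with EFX_MAX_DMAQ_SIZE before raising it to the minimum; the raised value is presumably far below that limit, but the relation is not asserted anywhere visible.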
diff --git a/queue-3.5/sfc-fix-reporting-of-ipv4-full-filters-through-ethtool.patch b/queue-3.5/sfc-fix-reporting-of-ipv4-full-filters-through-ethtool.patch
new file mode 100644 (file)
index 0000000..0d45d4a
--- /dev/null
@@ -0,0 +1,32 @@
+From 39ccdade2c87b83383c5832ea37ed0d17c427248 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Wed, 15 Aug 2012 18:09:15 +0100
+Subject: sfc: Fix reporting of IPv4 full filters through ethtool
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit ac70b2e9a13423b5efa0178e081936ce6979aea5 ]
+
+ETHTOOL_GRXCLSRULE returns filters for a TCP/IPv4 or UDP/IPv4 4-tuple
+with source and destination swapped.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ethtool.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/sfc/ethtool.c
++++ b/drivers/net/ethernet/sfc/ethtool.c
+@@ -863,8 +863,8 @@ static int efx_ethtool_get_class_rule(st
+                                      &ip_entry->ip4dst, &ip_entry->pdst);
+       if (rc != 0) {
+               rc = efx_filter_get_ipv4_full(
+-                      &spec, &proto, &ip_entry->ip4src, &ip_entry->psrc,
+-                      &ip_entry->ip4dst, &ip_entry->pdst);
++                      &spec, &proto, &ip_entry->ip4dst, &ip_entry->pdst,
++                      &ip_entry->ip4src, &ip_entry->psrc);
+               EFX_WARN_ON_PARANOID(rc);
+               ip_mask->ip4src = ~0;
+               ip_mask->psrc = ~0;
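Review bot: The corrected call to efx_filter_get_ipv4_full() passes four pointers whose order is the whole fix, yet the call site gives no hint of which pair the getter expects first. A one-line comment such as `/* getter fills the local (destination) address/port first, then the remote (source) */` would keep the arguments from being transposed again. That parameter meaning is inferred from the fix and should be checked against the getter's prototype, which is not on this page. The matching rule-insertion path should be confirmed to use the same order, since a filter reported with swapped endpoints misleads anyone auditing the RX classification rules. efx_ethtool_get_class_rule() starts and ends outside the hunk.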
diff --git a/queue-3.5/tcp-apply-device-tso-segment-limit-earlier.patch b/queue-3.5/tcp-apply-device-tso-segment-limit-earlier.patch
new file mode 100644 (file)
index 0000000..3e1df72
--- /dev/null
@@ -0,0 +1,130 @@
+From 1378c3d6150bcbd40ef652487adef9c67b500bf1 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Mon, 30 Jul 2012 16:11:42 +0000
+Subject: tcp: Apply device TSO segment limit earlier
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 1485348d2424e1131ea42efc033cbd9366462b01 ]
+
+Cache the device gso_max_segs in sock::sk_gso_max_segs and use it to
+limit the size of TSO skbs.  This avoids the need to fall back to
+software GSO for local TCP senders.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h    |    2 ++
+ net/core/sock.c       |    1 +
+ net/ipv4/tcp.c        |    4 +++-
+ net/ipv4/tcp_cong.c   |    3 ++-
+ net/ipv4/tcp_output.c |   21 ++++++++++++---------
+ 5 files changed, 20 insertions(+), 11 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -217,6 +217,7 @@ struct cg_proto;
+   *   @sk_route_nocaps: forbidden route capabilities (e.g NETIF_F_GSO_MASK)
+   *   @sk_gso_type: GSO type (e.g. %SKB_GSO_TCPV4)
+   *   @sk_gso_max_size: Maximum GSO segment size to build
++  *   @sk_gso_max_segs: Maximum number of GSO segments
+   *   @sk_lingertime: %SO_LINGER l_linger setting
+   *   @sk_backlog: always used with the per-socket spinlock held
+   *   @sk_callback_lock: used with the callbacks in the end of this struct
+@@ -336,6 +337,7 @@ struct sock {
+       netdev_features_t       sk_route_nocaps;
+       int                     sk_gso_type;
+       unsigned int            sk_gso_max_size;
++      u16                     sk_gso_max_segs;
+       int                     sk_rcvlowat;
+       unsigned long           sk_lingertime;
+       struct sk_buff_head     sk_error_queue;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1403,6 +1403,7 @@ void sk_setup_caps(struct sock *sk, stru
+               } else {
+                       sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
+                       sk->sk_gso_max_size = dst->dev->gso_max_size;
++                      sk->sk_gso_max_segs = dst->dev->gso_max_segs;
+               }
+       }
+ }
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -805,7 +805,9 @@ static unsigned int tcp_xmit_size_goal(s
+                          old_size_goal + mss_now > xmit_size_goal)) {
+                       xmit_size_goal = old_size_goal;
+               } else {
+-                      tp->xmit_size_goal_segs = xmit_size_goal / mss_now;
++                      tp->xmit_size_goal_segs =
++                              min_t(u16, xmit_size_goal / mss_now,
++                                    sk->sk_gso_max_segs);
+                       xmit_size_goal = tp->xmit_size_goal_segs * mss_now;
+               }
+       }
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -291,7 +291,8 @@ bool tcp_is_cwnd_limited(const struct so
+       left = tp->snd_cwnd - in_flight;
+       if (sk_can_gso(sk) &&
+           left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
+-          left * tp->mss_cache < sk->sk_gso_max_size)
++          left * tp->mss_cache < sk->sk_gso_max_size &&
++          left < sk->sk_gso_max_segs)
+               return true;
+       return left <= tcp_max_tso_deferred_mss(tp);
+ }
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1334,21 +1334,21 @@ static void tcp_cwnd_validate(struct soc
+  * when we would be allowed to send the split-due-to-Nagle skb fully.
+  */
+ static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
+-                                      unsigned int mss_now, unsigned int cwnd)
++                                      unsigned int mss_now, unsigned int max_segs)
+ {
+       const struct tcp_sock *tp = tcp_sk(sk);
+-      u32 needed, window, cwnd_len;
++      u32 needed, window, max_len;
+       window = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq;
+-      cwnd_len = mss_now * cwnd;
++      max_len = mss_now * max_segs;
+-      if (likely(cwnd_len <= window && skb != tcp_write_queue_tail(sk)))
+-              return cwnd_len;
++      if (likely(max_len <= window && skb != tcp_write_queue_tail(sk)))
++              return max_len;
+       needed = min(skb->len, window);
+-      if (cwnd_len <= needed)
+-              return cwnd_len;
++      if (max_len <= needed)
++              return max_len;
+       return needed - needed % mss_now;
+ }
+@@ -1577,7 +1577,8 @@ static bool tcp_tso_should_defer(struct
+       limit = min(send_win, cong_win);
+       /* If a full-sized TSO skb can be sent, do it. */
+-      if (limit >= sk->sk_gso_max_size)
++      if (limit >= min_t(unsigned int, sk->sk_gso_max_size,
++                         sk->sk_gso_max_segs * tp->mss_cache))
+               goto send_now;
+       /* Middle in queue won't get any more data, full sendable already? */
+@@ -1803,7 +1804,9 @@ static bool tcp_write_xmit(struct sock *
+               limit = mss_now;
+               if (tso_segs > 1 && !tcp_urg_mode(tp))
+                       limit = tcp_mss_split_point(sk, skb, mss_now,
+-                                                  cwnd_quota);
++                                                  min_t(unsigned int,
++                                                        cwnd_quota,
++                                                        sk->sk_gso_max_segs));
+               if (skb->len > limit &&
+                   unlikely(tso_fragment(sk, skb, limit, mss_now, gfp)))
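Review bot: `sk->sk_gso_max_segs` is assigned only in the GSO branch of sk_setup_caps(), but tcp_write_xmit() and tcp_tso_should_defer() read it without checking that it is non-zero. If a socket can reach those reads with the field still at its initial value (presumably zero; the allocation path is not in these hunks), tcp_mss_split_point() gets `max_segs == 0` and returns a zero split point, and the `limit >=` test in tcp_tso_should_defer() is always true. Either document the invariant on the field, e.g. `@sk_gso_max_segs: Maximum number of GSO segments (non-zero whenever sk_can_gso())`, or clamp at the use site with `max_t(unsigned int, sk->sk_gso_max_segs, 1)`. All the touched functions continue outside their hunks.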
diff --git a/queue-3.5/tcp-fix-cwnd-reduction-for-non-sack-recovery.patch b/queue-3.5/tcp-fix-cwnd-reduction-for-non-sack-recovery.patch
new file mode 100644 (file)
index 0000000..389f076
--- /dev/null
@@ -0,0 +1,106 @@
+From 24baff9a467fac676343e7070fac3f2f8b36da07 Mon Sep 17 00:00:00 2001
+From: Yuchung Cheng <ycheng@google.com>
+Date: Thu, 23 Aug 2012 07:05:17 +0000
+Subject: tcp: fix cwnd reduction for non-sack recovery
+
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit 7c4a56fec379ac0d7754e0d4da6a7361f1a4fe64 ]
+
+The cwnd reduction in fast recovery is based on the number of packets
+newly delivered per ACK. For non-sack connections every DUPACK
+signifies a packet has been delivered, but the sender mistakenly
+skips counting them for cwnd reduction.
+
+The fix is to compute newly_acked_sacked after DUPACKs are accounted
+in sacked_out for non-sack connections.
+
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Nandita Dukkipati <nanditad@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3107,13 +3107,14 @@ static void tcp_enter_recovery(struct so
+  * tcp_xmit_retransmit_queue().
+  */
+ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
+-                                int newly_acked_sacked, bool is_dupack,
++                                int prior_sacked, bool is_dupack,
+                                 int flag)
+ {
+       struct inet_connection_sock *icsk = inet_csk(sk);
+       struct tcp_sock *tp = tcp_sk(sk);
+       int do_lost = is_dupack || ((flag & FLAG_DATA_SACKED) &&
+                                   (tcp_fackets_out(tp) > tp->reordering));
++      int newly_acked_sacked = 0;
+       int fast_rexmit = 0;
+       if (WARN_ON(!tp->packets_out && tp->sacked_out))
+@@ -3173,6 +3174,7 @@ static void tcp_fastretrans_alert(struct
+                               tcp_add_reno_sack(sk);
+               } else
+                       do_lost = tcp_try_undo_partial(sk, pkts_acked);
++              newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
+               break;
+       case TCP_CA_Loss:
+               if (flag & FLAG_DATA_ACKED)
+@@ -3194,6 +3196,7 @@ static void tcp_fastretrans_alert(struct
+                       if (is_dupack)
+                               tcp_add_reno_sack(sk);
+               }
++              newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
+               if (icsk->icsk_ca_state <= TCP_CA_Disorder)
+                       tcp_try_undo_dsack(sk);
+@@ -3771,7 +3774,6 @@ static int tcp_ack(struct sock *sk, cons
+       int prior_packets;
+       int prior_sacked = tp->sacked_out;
+       int pkts_acked = 0;
+-      int newly_acked_sacked = 0;
+       bool frto_cwnd = false;
+       /* If the ack is older than previous acks
+@@ -3847,8 +3849,6 @@ static int tcp_ack(struct sock *sk, cons
+       flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una);
+       pkts_acked = prior_packets - tp->packets_out;
+-      newly_acked_sacked = (prior_packets - prior_sacked) -
+-                           (tp->packets_out - tp->sacked_out);
+       if (tp->frto_counter)
+               frto_cwnd = tcp_process_frto(sk, flag);
+@@ -3862,7 +3862,7 @@ static int tcp_ack(struct sock *sk, cons
+                   tcp_may_raise_cwnd(sk, flag))
+                       tcp_cong_avoid(sk, ack, prior_in_flight);
+               is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));
+-              tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
++              tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
+                                     is_dupack, flag);
+       } else {
+               if ((flag & FLAG_DATA_ACKED) && !frto_cwnd)
+@@ -3877,7 +3877,7 @@ static int tcp_ack(struct sock *sk, cons
+ no_queue:
+       /* If data was DSACKed, see if we can undo a cwnd reduction. */
+       if (flag & FLAG_DSACKING_ACK)
+-              tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
++              tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
+                                     is_dupack, flag);
+       /* If this ack opens up a zero window, clear backoff.  It was
+        * being used to time the probes, and is probably far higher than
+@@ -3897,8 +3897,7 @@ old_ack:
+        */
+       if (TCP_SKB_CB(skb)->sacked) {
+               flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);
+-              newly_acked_sacked = tp->sacked_out - prior_sacked;
+-              tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
++              tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
+                                     is_dupack, flag);
+       }
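Review bot: The two added assignments `newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;` in tcp_fastretrans_alert() are only correct because they run after tcp_add_reno_sack() has updated sacked_out, and nothing at either site says so. A comment such as `/* must follow the reno sacked_out update: DUPACKs count as delivered on non-SACK flows */` would stop a later cleanup from hoisting the computation back to the top of the function or into tcp_ack(). On paths that leave the function before either assignment the value stays 0; where it is consumed is outside the hunks, so whether 0 is right there should be confirmed. Both functions start and end outside the hunks.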