3.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 May 2013 22:50:29 +0000 (15:50 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 May 2013 22:50:29 +0000 (15:50 -0700)
added patches:
e1000e-fix-accessing-to-suspended-device.patch
e1000e-fix-runtime-power-management-transitions.patch
ext4-add-check-for-inodes_count-overflow-in-new-resize-ioctl.patch
iommu-amd-properly-initialize-irq-table-lock.patch
ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
netfilter-ctnetlink-don-t-permit-ct-creation-with-random-tuple.patch
netfilter-ip6t_npt-fix-translation-for-non-multiple-of-32-prefix-lengths.patch
netfilter-ipset-directory-not-empty-error-message.patch
netfilter-ipset-list-set-fix-reference-counter-update.patch
netfilter-nf_ct_helper-don-t-discard-helper-if-it-is-actually-the-same.patch
netfilter-nf_ct_sip-don-t-drop-packets-with-offsets.patch
netfilter-nf_nat-fix-race-when-unloading-protocol-modules.patch
netfilter-xt_rpfilter-skip-locally-generated-broadcast-multicast-too.patch
pci-pm-clear-state_saved-during-suspend.patch
perf-x86-intel-add-support-for-ivybridge-model-58-uncore.patch
perf-x86-intel-fix-unintended-variable-name-reuse.patch
perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
perf-x86-intel-lbr-fix-lbr-filter.patch
xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch

21 files changed:
queue-3.8/e1000e-fix-accessing-to-suspended-device.patch [new file with mode: 0644]
queue-3.8/e1000e-fix-runtime-power-management-transitions.patch [new file with mode: 0644]
queue-3.8/ext4-add-check-for-inodes_count-overflow-in-new-resize-ioctl.patch [new file with mode: 0644]
queue-3.8/iommu-amd-properly-initialize-irq-table-lock.patch [new file with mode: 0644]
queue-3.8/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch [new file with mode: 0644]
queue-3.8/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch [new file with mode: 0644]
queue-3.8/netfilter-ctnetlink-don-t-permit-ct-creation-with-random-tuple.patch [new file with mode: 0644]
queue-3.8/netfilter-ip6t_npt-fix-translation-for-non-multiple-of-32-prefix-lengths.patch [new file with mode: 0644]
queue-3.8/netfilter-ipset-directory-not-empty-error-message.patch [new file with mode: 0644]
queue-3.8/netfilter-ipset-list-set-fix-reference-counter-update.patch [new file with mode: 0644]
queue-3.8/netfilter-nf_ct_helper-don-t-discard-helper-if-it-is-actually-the-same.patch [new file with mode: 0644]
queue-3.8/netfilter-nf_ct_sip-don-t-drop-packets-with-offsets.patch [new file with mode: 0644]
queue-3.8/netfilter-nf_nat-fix-race-when-unloading-protocol-modules.patch [new file with mode: 0644]
queue-3.8/netfilter-xt_rpfilter-skip-locally-generated-broadcast-multicast-too.patch [new file with mode: 0644]
queue-3.8/pci-pm-clear-state_saved-during-suspend.patch [new file with mode: 0644]
queue-3.8/perf-x86-intel-add-support-for-ivybridge-model-58-uncore.patch [new file with mode: 0644]
queue-3.8/perf-x86-intel-fix-unintended-variable-name-reuse.patch [new file with mode: 0644]
queue-3.8/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch [new file with mode: 0644]
queue-3.8/perf-x86-intel-lbr-fix-lbr-filter.patch [new file with mode: 0644]
queue-3.8/series
queue-3.8/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch [new file with mode: 0644]

diff --git a/queue-3.8/e1000e-fix-accessing-to-suspended-device.patch b/queue-3.8/e1000e-fix-accessing-to-suspended-device.patch
new file mode 100644 (file)
index 0000000..fc0678e
--- /dev/null
@@ -0,0 +1,77 @@
+From khlebnikov@openvz.org  Wed May  8 15:32:19 2013
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Wed, 08 May 2013 12:10:25 +0400
+Subject: e1000e: fix accessing to suspended device
+To: stable@vger.kernel.org
+Cc: Tóth Attila <atoth@atoth.sote.hu>
+Message-ID: <20130508081025.25748.44396.stgit@zurg>
+
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+
+commit e60b22c5b7e59db09a7c9490b1e132c7e49ae904 upstream.
+
+This patch fixes some annoying messages like 'Error reading PHY register' and
+'Hardware Erorr' and saves several seconds on reboot.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Cc: Bruce Allan <bruce.w.allan@intel.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Borislav Petkov <bp@suse.de>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Tested-by: Tóth Attila <atoth@atoth.sote.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000e/ethtool.c |   13 +++++++++++++
+ drivers/net/ethernet/intel/e1000e/netdev.c  |    2 ++
+ 2 files changed, 15 insertions(+)
+
+--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
+@@ -35,6 +35,7 @@
+ #include <linux/slab.h>
+ #include <linux/delay.h>
+ #include <linux/vmalloc.h>
++#include <linux/pm_runtime.h>
+ #include "e1000.h"
+@@ -2053,7 +2054,19 @@ static int e1000_get_rxnfc(struct net_de
+       }
+ }
++static int e1000e_ethtool_begin(struct net_device *netdev)
++{
++      return pm_runtime_get_sync(netdev->dev.parent);
++}
++
++static void e1000e_ethtool_complete(struct net_device *netdev)
++{
++      pm_runtime_put_sync(netdev->dev.parent);
++}
++
+ static const struct ethtool_ops e1000_ethtool_ops = {
++      .begin                  = e1000e_ethtool_begin,
++      .complete               = e1000e_ethtool_complete,
+       .get_settings           = e1000_get_settings,
+       .set_settings           = e1000_set_settings,
+       .get_drvinfo            = e1000_get_drvinfo,
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -4313,6 +4313,7 @@ static void e1000_phy_read_status(struct
+           (adapter->hw.phy.media_type == e1000_media_type_copper)) {
+               int ret_val;
++              pm_runtime_get_sync(&adapter->pdev->dev);
+               ret_val  = e1e_rphy(hw, PHY_CONTROL, &phy->bmcr);
+               ret_val |= e1e_rphy(hw, PHY_STATUS, &phy->bmsr);
+               ret_val |= e1e_rphy(hw, PHY_AUTONEG_ADV, &phy->advertise);
+@@ -4323,6 +4324,7 @@ static void e1000_phy_read_status(struct
+               ret_val |= e1e_rphy(hw, PHY_EXT_STATUS, &phy->estatus);
+               if (ret_val)
+                       e_warn("Error reading PHY register\n");
++              pm_runtime_put_sync(&adapter->pdev->dev);
+       } else {
+               /* Do not read PHY registers if link is not up
+                * Set values to typical power-on defaults
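Review bot: `e1000e_ethtool_begin()` returns the result of `pm_runtime_get_sync()` directly, and that call leaves the device's usage count raised even when the resume fails. If the ethtool core skips `.complete` after a failing `.begin` (the core is not visible here, so this needs confirming), every failed resume leaks a reference and the adapter can no longer runtime-suspend. Dropping the reference on the error path avoids that: `int rc = pm_runtime_get_sync(netdev->dev.parent);` `if (rc < 0) pm_runtime_put_noidle(netdev->dev.parent);` `return rc;`. The `pm_runtime_get_sync()` added in `e1000_phy_read_status()` also ignores its return value, so the PHY reads still run against a device that failed to resume; that function starts and ends outside the hunk.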
diff --git a/queue-3.8/e1000e-fix-runtime-power-management-transitions.patch b/queue-3.8/e1000e-fix-runtime-power-management-transitions.patch
new file mode 100644 (file)
index 0000000..0803f02
--- /dev/null
@@ -0,0 +1,214 @@
+From khlebnikov@openvz.org  Wed May  8 15:31:32 2013
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Wed, 08 May 2013 12:10:21 +0400
+Subject: e1000e: fix runtime power management transitions
+To: stable@vger.kernel.org
+Cc: Tóth Attila <atoth@atoth.sote.hu>
+Message-ID: <20130508081021.25748.74292.stgit@zurg>
+
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+
+commit 66148babe728f3e00e13c56f6b0ecf325abd80da upstream.
+
+This patch removes redundant actions from driver and fixes its interaction
+with actions in pci-bus runtime power management code.
+
+It removes pci_save_state() from __e1000_shutdown() for normal adapters,
+PCI bus callbacks pci_pm_*() will do all this for us. Now __e1000_shutdown()
+switches to D3-state only quad-port adapters, because they needs quirk for
+clearing false-positive error from downsteam pci-e port.
+
+pci_save_state() now called after clearing bus-master bit, thus __e1000_resume()
+and e1000_io_slot_reset() must set it back after restoring configuration space.
+
+This patch set get_link_status before calling pm_runtime_put() in e1000_open()
+to allow e1000_idle() get real link status and schedule first runtime suspend.
+
+This patch also enables wakeup for device if management mode is enabled
+(like for WoL) as result pci_prepare_to_sleep() would setup wakeup without
+special actions like custom 'enable_wakeup' sign.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Cc: Bruce Allan <bruce.w.allan@intel.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Borislav Petkov <bp@suse.de>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Tested-by: Tóth Attila <atoth@atoth.sote.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c |   78 ++++++-----------------------
+ 1 file changed, 18 insertions(+), 60 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -3952,6 +3952,7 @@ static int e1000_open(struct net_device
+       netif_start_queue(netdev);
+       adapter->idle_check = true;
++      hw->mac.get_link_status = true;
+       pm_runtime_put(&pdev->dev);
+       /* fire a link status change interrupt to start the watchdog */
+@@ -5450,8 +5451,7 @@ release:
+       return retval;
+ }
+-static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake,
+-                          bool runtime)
++static int __e1000_shutdown(struct pci_dev *pdev, bool runtime)
+ {
+       struct net_device *netdev = pci_get_drvdata(pdev);
+       struct e1000_adapter *adapter = netdev_priv(netdev);
+@@ -5475,10 +5475,6 @@ static int __e1000_shutdown(struct pci_d
+       }
+       e1000e_reset_interrupt_capability(adapter);
+-      retval = pci_save_state(pdev);
+-      if (retval)
+-              return retval;
+-
+       status = er32(STATUS);
+       if (status & E1000_STATUS_LU)
+               wufc &= ~E1000_WUFC_LNKC;
+@@ -5534,13 +5530,6 @@ static int __e1000_shutdown(struct pci_d
+               ew32(WUFC, 0);
+       }
+-      *enable_wake = !!wufc;
+-
+-      /* make sure adapter isn't asleep if manageability is enabled */
+-      if ((adapter->flags & FLAG_MNG_PT_ENABLED) ||
+-          (hw->mac.ops.check_mng_mode(hw)))
+-              *enable_wake = true;
+-
+       if (adapter->hw.phy.type == e1000_phy_igp_3)
+               e1000e_igp3_phy_powerdown_workaround_ich8lan(&adapter->hw);
+@@ -5551,26 +5540,6 @@ static int __e1000_shutdown(struct pci_d
+       pci_clear_master(pdev);
+-      return 0;
+-}
+-
+-static void e1000_power_off(struct pci_dev *pdev, bool sleep, bool wake)
+-{
+-      if (sleep && wake) {
+-              pci_prepare_to_sleep(pdev);
+-              return;
+-      }
+-
+-      pci_wake_from_d3(pdev, wake);
+-      pci_set_power_state(pdev, PCI_D3hot);
+-}
+-
+-static void e1000_complete_shutdown(struct pci_dev *pdev, bool sleep,
+-                                    bool wake)
+-{
+-      struct net_device *netdev = pci_get_drvdata(pdev);
+-      struct e1000_adapter *adapter = netdev_priv(netdev);
+-
+       /* The pci-e switch on some quad port adapters will report a
+        * correctable error when the MAC transitions from D0 to D3.  To
+        * prevent this we need to mask off the correctable errors on the
+@@ -5584,12 +5553,13 @@ static void e1000_complete_shutdown(stru
+               pcie_capability_write_word(us_dev, PCI_EXP_DEVCTL,
+                                          (devctl & ~PCI_EXP_DEVCTL_CERE));
+-              e1000_power_off(pdev, sleep, wake);
++              pci_save_state(pdev);
++              pci_prepare_to_sleep(pdev);
+               pcie_capability_write_word(us_dev, PCI_EXP_DEVCTL, devctl);
+-      } else {
+-              e1000_power_off(pdev, sleep, wake);
+       }
++
++      return 0;
+ }
+ #ifdef CONFIG_PCIEASPM
+@@ -5640,9 +5610,7 @@ static int __e1000_resume(struct pci_dev
+       if (aspm_disable_flag)
+               e1000e_disable_aspm(pdev, aspm_disable_flag);
+-      pci_set_power_state(pdev, PCI_D0);
+-      pci_restore_state(pdev);
+-      pci_save_state(pdev);
++      pci_set_master(pdev);
+       e1000e_set_interrupt_capability(adapter);
+       if (netif_running(netdev)) {
+@@ -5708,14 +5676,8 @@ static int __e1000_resume(struct pci_dev
+ static int e1000_suspend(struct device *dev)
+ {
+       struct pci_dev *pdev = to_pci_dev(dev);
+-      int retval;
+-      bool wake;
+-
+-      retval = __e1000_shutdown(pdev, &wake, false);
+-      if (!retval)
+-              e1000_complete_shutdown(pdev, true, wake);
+-      return retval;
++      return __e1000_shutdown(pdev, false);
+ }
+ static int e1000_resume(struct device *dev)
+@@ -5738,13 +5700,10 @@ static int e1000_runtime_suspend(struct
+       struct net_device *netdev = pci_get_drvdata(pdev);
+       struct e1000_adapter *adapter = netdev_priv(netdev);
+-      if (e1000e_pm_ready(adapter)) {
+-              bool wake;
+-
+-              __e1000_shutdown(pdev, &wake, true);
+-      }
++      if (!e1000e_pm_ready(adapter))
++              return 0;
+-      return 0;
++      return __e1000_shutdown(pdev, true);
+ }
+ static int e1000_idle(struct device *dev)
+@@ -5782,12 +5741,7 @@ static int e1000_runtime_resume(struct d
+ static void e1000_shutdown(struct pci_dev *pdev)
+ {
+-      bool wake = false;
+-
+-      __e1000_shutdown(pdev, &wake, false);
+-
+-      if (system_state == SYSTEM_POWER_OFF)
+-              e1000_complete_shutdown(pdev, false, wake);
++      __e1000_shutdown(pdev, false);
+ }
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+@@ -5908,9 +5862,9 @@ static pci_ers_result_t e1000_io_slot_re
+                       "Cannot re-enable PCI device after reset.\n");
+               result = PCI_ERS_RESULT_DISCONNECT;
+       } else {
+-              pci_set_master(pdev);
+               pdev->state_saved = true;
+               pci_restore_state(pdev);
++              pci_set_master(pdev);
+               pci_enable_wake(pdev, PCI_D3hot, 0);
+               pci_enable_wake(pdev, PCI_D3cold, 0);
+@@ -6341,7 +6295,11 @@ static int e1000_probe(struct pci_dev *p
+       /* initialize the wol settings based on the eeprom settings */
+       adapter->wol = adapter->eeprom_wol;
+-      device_set_wakeup_enable(&adapter->pdev->dev, adapter->wol);
++
++      /* make sure adapter isn't asleep if manageability is enabled */
++      if (adapter->wol || (adapter->flags & FLAG_MNG_PT_ENABLED) ||
++          (hw->mac.ops.check_mng_mode(hw)))
++              device_wakeup_enable(&pdev->dev);
+       /* save off EEPROM version number */
+       e1000_read_nvm(&adapter->hw, 5, 1, &adapter->eeprom_vers);
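Review bot: In the quad-port branch of `__e1000_shutdown()` the new `pci_save_state(pdev);` and `pci_prepare_to_sleep(pdev);` calls discard their return values, whereas the removed code returned early when `pci_save_state()` failed. Since `e1000_suspend()` and `e1000_runtime_suspend()` now propagate this function's result, a failure here is reported to the PM core as success. Returning straight away would skip the `PCI_EXP_DEVCTL` restore on the upstream port, so the error should be recorded and returned after that write, e.g. `retval = pci_save_state(pdev);` `if (!retval) retval = pci_prepare_to_sleep(pdev);` followed by `return retval;` at the end of the branch. Only parts of the function body are shown in these hunks, so the availability of `retval` at that point is inferred from the removed lines.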
diff --git a/queue-3.8/ext4-add-check-for-inodes_count-overflow-in-new-resize-ioctl.patch b/queue-3.8/ext4-add-check-for-inodes_count-overflow-in-new-resize-ioctl.patch
new file mode 100644 (file)
index 0000000..17b997e
--- /dev/null
@@ -0,0 +1,34 @@
+From 3f8a6411fbada1fa482276591e037f3b1adcf55b Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 21 Apr 2013 22:56:32 -0400
+Subject: ext4: add check for inodes_count overflow in new resize ioctl
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 3f8a6411fbada1fa482276591e037f3b1adcf55b upstream.
+
+Addresses-Red-Hat-Bugzilla: #913245
+
+Reported-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Signed-off-by: Lingzhu Xiang <lxiang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1880,6 +1880,10 @@ retry:
+               return 0;
+       ext4_get_group_no_and_offset(sb, n_blocks_count - 1, &n_group, &offset);
++      if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
++              ext4_warning(sb, "resize would cause inodes_count overflow");
++              return -EINVAL;
++      }
+       ext4_get_group_no_and_offset(sb, o_blocks_count - 1, &o_group, &offset);
+       n_desc_blocks = num_desc_blocks(sb, n_group + 1);
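Review bot: The overflow test `n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))` looks off by one, because `n_group` is used as the index of the last group (the next line passes `n_group + 1` as the group count). With a power-of-two inodes-per-group value, `n_group` equal to the quotient passes the check while `(n_group + 1) * EXT4_INODES_PER_GROUP(sb)` no longer fits in 32 bits, so the inode count can still wrap. Comparing with `>=` closes the gap: `if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {`. The enclosing resize function starts and ends outside the hunk.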
diff --git a/queue-3.8/iommu-amd-properly-initialize-irq-table-lock.patch b/queue-3.8/iommu-amd-properly-initialize-irq-table-lock.patch
new file mode 100644 (file)
index 0000000..5ccc818
--- /dev/null
@@ -0,0 +1,31 @@
+From 197887f03daecdb3ae21bafeb4155412abad3497 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joro@8bytes.org>
+Date: Tue, 9 Apr 2013 21:14:08 +0200
+Subject: iommu/amd: Properly initialize irq-table lock
+
+From: Joerg Roedel <joro@8bytes.org>
+
+commit 197887f03daecdb3ae21bafeb4155412abad3497 upstream.
+
+Fixes a lockdep warning.
+
+Reviewed-by: Shuah Khan <shuahkhan@gmail.com>
+Signed-off-by: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3948,6 +3948,9 @@ static struct irq_remap_table *get_irq_t
+       if (!table)
+               goto out;
++      /* Initialize table spin-lock */
++      spin_lock_init(&table->lock);
++
+       if (ioapic)
+               /* Keep the first 32 indexes free for IOAPIC interrupts */
+               table->min_index = 32;
diff --git a/queue-3.8/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch b/queue-3.8/ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
new file mode 100644 (file)
index 0000000..04b594d
--- /dev/null
@@ -0,0 +1,80 @@
+From f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 Mon Sep 17 00:00:00 2001
+From: Hans Schillstrom <hans@schillstrom.com>
+Date: Sat, 27 Apr 2013 20:06:14 +0200
+Subject: ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
+
+From: Hans Schillstrom <hans@schillstrom.com>
+
+commit f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 upstream.
+
+The reason for this patch is crash in kmemdup
+caused by returning from get_callid with uniialized
+matchoff and matchlen.
+
+Removing Zero check of matchlen since it's done by ct_sip_get_header()
+
+BUG: unable to handle kernel paging request at ffff880457b5763f
+IP: [<ffffffff810df7fc>] kmemdup+0x2e/0x35
+PGD 27f6067 PUD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: xt_state xt_helper nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle xt_connmark xt_conntrack ip6_tables nf_conntrack_ftp ip_vs_ftp nf_nat xt_tcpudp iptable_mangle xt_mark ip_tables x_tables ip_vs_rr ip_vs_lblcr ip_vs_pe_sip ip_vs nf_conntrack_sip nf_conntrack bonding igb i2c_algo_bit i2c_core
+CPU 5
+Pid: 0, comm: swapper/5 Not tainted 3.9.0-rc5+ #5                  /S1200KP
+RIP: 0010:[<ffffffff810df7fc>]  [<ffffffff810df7fc>] kmemdup+0x2e/0x35
+RSP: 0018:ffff8803fea03648  EFLAGS: 00010282
+RAX: ffff8803d61063e0 RBX: 0000000000000003 RCX: 0000000000000003
+RDX: 0000000000000003 RSI: ffff880457b5763f RDI: ffff8803d61063e0
+RBP: ffff8803fea03658 R08: 0000000000000008 R09: 0000000000000011
+R10: 0000000000000011 R11: 00ffffffff81a8a3 R12: ffff880457b5763f
+R13: ffff8803d67f786a R14: ffff8803fea03730 R15: ffffffffa0098e90
+FS:  0000000000000000(0000) GS:ffff8803fea00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff880457b5763f CR3: 0000000001a0c000 CR4: 00000000001407e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper/5 (pid: 0, threadinfo ffff8803ee18c000, task ffff8803ee18a480)
+Stack:
+ ffff8803d822a080 000000000000001c ffff8803fea036c8 ffffffffa000937a
+ ffffffff81f0d8a0 000000038135fdd5 ffff880300000014 ffff880300110000
+ ffffffff150118ac ffff8803d7e8a000 ffff88031e0118ac 0000000000000000
+Call Trace:
+ <IRQ>
+
+ [<ffffffffa000937a>] ip_vs_sip_fill_param+0x13a/0x187 [ip_vs_pe_sip]
+ [<ffffffffa007b209>] ip_vs_sched_persist+0x2c6/0x9c3 [ip_vs]
+ [<ffffffff8107dc53>] ? __lock_acquire+0x677/0x1697
+ [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
+ [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
+ [<ffffffff810649bc>] ? sched_clock_cpu+0x43/0xcf
+ [<ffffffffa007bb1e>] ip_vs_schedule+0x181/0x4ba [ip_vs]
+...
+
+Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_pe_sip.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
+@@ -37,14 +37,10 @@ static int get_callid(const char *dptr,
+               if (ret > 0)
+                       break;
+               if (!ret)
+-                      return 0;
++                      return -EINVAL;
+               dataoff += *matchoff;
+       }
+-      /* Empty callid is useless */
+-      if (!*matchlen)
+-              return -EINVAL;
+-
+       /* Too large is useless */
+       if (*matchlen > IP_VS_PEDATA_MAXLEN)
+               return -EINVAL;
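Review bot: Removing the `!*matchlen` test in `get_callid()` leaves the function depending on an invariant of `ct_sip_get_header()` that is stated only in the commit message, not in the code. The caller copies `*matchlen` bytes from `*matchoff`, so a later change to the header parser would silently reintroduce a bad length. A comment where the check used to be would keep the dependency visible: `/* ct_sip_get_header() returns > 0 only for a non-empty match, so *matchlen is non-zero here */`. The loop that calls `ct_sip_get_header()` begins outside the hunk.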
diff --git a/queue-3.8/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch b/queue-3.8/net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
new file mode 100644 (file)
index 0000000..e4d9598
--- /dev/null
@@ -0,0 +1,77 @@
+From 13f85203e1060da83d9ec1c1c5a63343eaab8de4 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 3 May 2013 17:19:01 +0000
+Subject: net/eth/ibmveth: Fixup retrieval of MAC address
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 13f85203e1060da83d9ec1c1c5a63343eaab8de4 upstream.
+
+Some ancient pHyp versions used to create a 8 bytes local-mac-address
+property in the device-tree instead of a 6 bytes one for veth.
+
+The Linux driver code to deal with that is an insane hack which also
+happens to break with some choices of MAC addresses in qemu by testing
+for a bit in the address rather than just looking at the size of the
+property.
+
+Sanitize this by doing the latter instead.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ibm/ibmveth.c |   23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1326,7 +1326,7 @@ static const struct net_device_ops ibmve
+ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
+ {
+-      int rc, i;
++      int rc, i, mac_len;
+       struct net_device *netdev;
+       struct ibmveth_adapter *adapter;
+       unsigned char *mac_addr_p;
+@@ -1336,11 +1336,19 @@ static int ibmveth_probe(struct vio_dev
+               dev->unit_address);
+       mac_addr_p = (unsigned char *)vio_get_attribute(dev, VETH_MAC_ADDR,
+-                                                      NULL);
++                                                      &mac_len);
+       if (!mac_addr_p) {
+               dev_err(&dev->dev, "Can't find VETH_MAC_ADDR attribute\n");
+               return -EINVAL;
+       }
++      /* Workaround for old/broken pHyp */
++      if (mac_len == 8)
++              mac_addr_p += 2;
++      else if (mac_len != 6) {
++              dev_err(&dev->dev, "VETH_MAC_ADDR attribute wrong len %d\n",
++                      mac_len);
++              return -EINVAL;
++      }
+       mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev,
+                                               VETH_MCAST_FILTER_SIZE, NULL);
+@@ -1365,17 +1373,6 @@ static int ibmveth_probe(struct vio_dev
+       netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16);
+-      /*
+-       * Some older boxes running PHYP non-natively have an OF that returns
+-       * a 8-byte local-mac-address field (and the first 2 bytes have to be
+-       * ignored) while newer boxes' OF return a 6-byte field. Note that
+-       * IEEE 1275 specifies that local-mac-address must be a 6-byte field.
+-       * The RPA doc specifies that the first byte must be 10b, so we'll
+-       * just look for it to solve this 8 vs. 6 byte field issue
+-       */
+-      if ((*mac_addr_p & 0x3) != 0x02)
+-              mac_addr_p += 2;
+-
+       adapter->mac_addr = 0;
+       memcpy(&adapter->mac_addr, mac_addr_p, 6);
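Review bot: The length check added to `ibmveth_probe()` mixes an unbraced `if` with a braced `else if`, and it spells the property sizes as bare literals (`8`, `6`, and the skip of `2`). Kernel style puts braces on every branch once one of them needs them, and `ETH_ALEN` would tie the accepted length to the `memcpy(&adapter->mac_addr, mac_addr_p, 6)` that consumes it: `if (mac_len == 8) {` `mac_addr_p += 2;` `} else if (mac_len != ETH_ALEN) {`. The function continues outside both hunks.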
diff --git a/queue-3.8/netfilter-ctnetlink-don-t-permit-ct-creation-with-random-tuple.patch b/queue-3.8/netfilter-ctnetlink-don-t-permit-ct-creation-with-random-tuple.patch
new file mode 100644 (file)
index 0000000..118e9e0
--- /dev/null
@@ -0,0 +1,35 @@
+From 442fad9423b78319e0019a7f5047eddf3317afbc Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 11 Feb 2013 23:22:38 +0000
+Subject: netfilter: ctnetlink: don't permit ct creation with random tuple
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 442fad9423b78319e0019a7f5047eddf3317afbc upstream.
+
+Userspace can cause kernel panic by not specifying orig/reply
+tuple: kernel will create a tuple with random stack values.
+
+Problem is that tuple.dst.dir will be random, too, which
+causes nf_ct_tuplehash_to_ctrack() to return garbage.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_netlink.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1705,6 +1705,9 @@ ctnetlink_new_conntrack(struct sock *ctn
+               if (nlh->nlmsg_flags & NLM_F_CREATE) {
+                       enum ip_conntrack_events events;
++                      if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
++                              return -EINVAL;
++
+                       ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
+                                                       &rtuple, u3);
+                       if (IS_ERR(ct))
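Review bot: The new `if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])` guard carries no comment, so the reason both attributes are mandatory on the create path lives only in the commit message. Since this is input validation on a netlink request from userspace, it is worth stating next to the check: `/* both tuples are required to create an entry; a missing one would leave otuple/rtuple as uninitialised stack data */`. `ctnetlink_new_conntrack()` starts and ends outside the hunk, so whether a bare `return` is safe at this point (no lock or reference held) should be confirmed against the full function.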
diff --git a/queue-3.8/netfilter-ip6t_npt-fix-translation-for-non-multiple-of-32-prefix-lengths.patch b/queue-3.8/netfilter-ip6t_npt-fix-translation-for-non-multiple-of-32-prefix-lengths.patch
new file mode 100644 (file)
index 0000000..5e36bb4
--- /dev/null
@@ -0,0 +1,32 @@
+From 906b1c394d0906a154fbdc904ca506bceb515756 Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat, 30 Mar 2013 10:23:12 +0000
+Subject: netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
+
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+
+commit 906b1c394d0906a154fbdc904ca506bceb515756 upstream.
+
+The bitmask used for the prefix mangling was being calculated
+incorrectly, leading to the wrong part of the address being replaced
+when the prefix length wasn't a multiple of 32.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter/ip6t_NPT.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter/ip6t_NPT.c
++++ b/net/ipv6/netfilter/ip6t_NPT.c
+@@ -57,7 +57,7 @@ static bool ip6t_npt_map_pfx(const struc
+               if (pfx_len - i >= 32)
+                       mask = 0;
+               else
+-                      mask = htonl(~((1 << (pfx_len - i)) - 1));
++                      mask = htonl((1 << (i - pfx_len + 32)) - 1);
+               idx = i / 32;
+               addr->s6_addr32[idx] &= mask;
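Review bot: The corrected mask `htonl((1 << (i - pfx_len + 32)) - 1)` shifts a signed `int` literal, and the shift count reaches 31 when `pfx_len - i` is 1, which overflows a 32-bit signed `int`. Using an unsigned literal keeps the computation well defined for every prefix length that reaches the `else` branch: `mask = htonl((1U << (i - pfx_len + 32)) - 1);`. The range of `i` is inferred from the `pfx_len - i >= 32` test above, since the loop header is outside the hunk.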
diff --git a/queue-3.8/netfilter-ipset-directory-not-empty-error-message.patch b/queue-3.8/netfilter-ipset-directory-not-empty-error-message.patch
new file mode 100644 (file)
index 0000000..b96e9c4
--- /dev/null
@@ -0,0 +1,37 @@
+From dd82088dab3646ed28e4aa43d1a5b5d5ffc2afba Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Thu, 21 Feb 2013 11:12:40 +0100
+Subject: netfilter: ipset: "Directory not empty" error message
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit dd82088dab3646ed28e4aa43d1a5b5d5ffc2afba upstream.
+
+When an entry flagged with "nomatch" was tested by ipset, it
+returned the error message "Kernel error received:
+Directory not empty" instead of "<element> is NOT in set <setname>"
+(reported by John Brendler).
+
+The internal error code was not properly transformed before returning
+to userspace, fixed.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1470,7 +1470,8 @@ ip_set_utest(struct sock *ctnl, struct s
+       if (ret == -EAGAIN)
+               ret = 1;
+-      return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
++      return (ret < 0 && ret != -ENOTEMPTY) ? ret :
++              ret > 0 ? 0 : -IPSET_ERR_EXIST;
+ }
+ /* Get headed data of a set */
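Review bot: The return expression in `ip_set_utest()` is now a two-level conditional with a special case for `-ENOTEMPTY`, and nothing in the code says why that one errno is treated as "not in set". Per the commit message it is the internal result for an element that hit a "nomatch" entry, so a short comment would stop it being read as a real error path: `/* -ENOTEMPTY is the internal "nomatch" result: report it as not in set */`. Splitting the expression into `if (ret < 0 && ret != -ENOTEMPTY) return ret;` followed by `return ret > 0 ? 0 : -IPSET_ERR_EXIST;` would also read more easily; the function starts outside the hunk.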
diff --git a/queue-3.8/netfilter-ipset-list-set-fix-reference-counter-update.patch b/queue-3.8/netfilter-ipset-list-set-fix-reference-counter-update.patch
new file mode 100644 (file)
index 0000000..ca3cfab
--- /dev/null
@@ -0,0 +1,39 @@
+From 02f815cb6d3f57914228be84df9613ee5a01c2e6 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Tue, 9 Apr 2013 08:57:19 +0000
+Subject: netfilter: ipset: list:set: fix reference counter update
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 02f815cb6d3f57914228be84df9613ee5a01c2e6 upstream.
+
+The last element can be replaced or pushed off and in both
+cases the reference counter must be updated.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_list_set.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -174,9 +174,13 @@ list_set_add(struct list_set *map, u32 i
+ {
+       const struct set_elem *e = list_set_elem(map, i);
+-      if (i == map->size - 1 && e->id != IPSET_INVALID_ID)
+-              /* Last element replaced: e.g. add new,before,last */
+-              ip_set_put_byindex(e->id);
++      if (e->id != IPSET_INVALID_ID) {
++              const struct set_elem *x = list_set_elem(map, map->size - 1);
++
++              /* Last element replaced or pushed off */
++              if (x->id != IPSET_INVALID_ID)
++                      ip_set_put_byindex(x->id);
++      }
+       if (with_timeout(map->timeout))
+               list_elem_tadd(map, i, id, ip_set_timeout_set(timeout));
+       else
diff --git a/queue-3.8/netfilter-nf_ct_helper-don-t-discard-helper-if-it-is-actually-the-same.patch b/queue-3.8/netfilter-nf_ct_helper-don-t-discard-helper-if-it-is-actually-the-same.patch
new file mode 100644 (file)
index 0000000..a38b9cf
--- /dev/null
@@ -0,0 +1,42 @@
+From 6e2f0aa8cf8892868bf2c19349cb5d7c407f690d Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 12 Feb 2013 05:59:53 +0000
+Subject: netfilter: nf_ct_helper: don't discard helper if it is actually the same
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6e2f0aa8cf8892868bf2c19349cb5d7c407f690d upstream.
+
+commit (32f5376 netfilter: nf_ct_helper: disable automatic helper
+re-assignment of different type) broke transparent proxy scenarios.
+
+For example, initial helper lookup might yield "ftp" (dport 21),
+while re-lookup after REDIRECT yields "ftp-2121".
+
+This causes the autoassign code to toss the ftp helper, even
+though these are just different instances of the same helper.
+
+Change the test to check for the helper function address instead
+of the helper address, as suggested by Pablo.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_helper.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -236,7 +236,9 @@ int __nf_ct_try_assign_helper(struct nf_
+               /* We only allow helper re-assignment of the same sort since
+                * we cannot reallocate the helper extension area.
+                */
+-              if (help->helper != helper) {
++              struct nf_conntrack_helper *tmp = rcu_dereference(help->helper);
++
++              if (tmp && tmp->help != helper->help) {
+                       RCU_INIT_POINTER(help->helper, NULL);
+                       goto out;
+               }
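Review bot: The new test `tmp->help != helper->help` treats two helpers as the same sort whenever they share a help callback, but the comment above it justifies the restriction by the extension area that cannot be reallocated. Nothing in the hunk shows that helpers sharing a `help` function also use the same extension-area size, so that assumption should be stated next to the test, e.g. `/* instances sharing ->help are assumed to use the same extension layout */`, or checked explicitly. The name `tmp` could also say what it holds, e.g. `cur`. `helper` is dereferenced here without a visible NULL test; presumably that is handled earlier in __nf_ct_try_assign_helper(), which starts outside the hunk.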
diff --git a/queue-3.8/netfilter-nf_ct_sip-don-t-drop-packets-with-offsets.patch b/queue-3.8/netfilter-nf_ct_sip-don-t-drop-packets-with-offsets.patch
new file mode 100644 (file)
index 0000000..87abf1c
--- /dev/null
@@ -0,0 +1,35 @@
+From 3a7b21eaf4fb3c971bdb47a98f570550ddfe4471 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Fri, 5 Apr 2013 08:13:30 +0000
+Subject: netfilter: nf_ct_sip: don't drop packets with offsets
+ pointing outside the packet
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit 3a7b21eaf4fb3c971bdb47a98f570550ddfe4471 upstream.
+
+Some Cisco phones create huge messages that are spread over multiple packets.
+After calculating the offset of the SIP body, it is validated to be within
+the packet and the packet is dropped otherwise. This breaks operation of
+these phones. Since connection tracking is supposed to be passive, just let
+those packets pass unmodified and untracked.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_sip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1547,7 +1547,7 @@ static int sip_help_tcp(struct sk_buff *
+               msglen = origlen = end - dptr;
+               if (msglen > datalen)
+-                      return NF_DROP;
++                      return NF_ACCEPT;
+               ret = process_sip_msg(skb, ct, protoff, dataoff,
+                                     &dptr, &msglen);
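Review bot: The bare `return NF_ACCEPT;` under `if (msglen > datalen)` in sip_help_tcp() reads like a mistake without the commit message, because a length that points outside the packet is usually treated as a reason to reject. A comment on that line would keep it from being turned back into a drop, for example `/* message continues in a later segment: conntrack is passive, pass it through unparsed */`. It is also worth stating there that such segments never reach process_sip_msg(), so anything that relies on the helper having parsed every SIP message does not hold for them. The surrounding loop starts and ends outside the hunk.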
diff --git a/queue-3.8/netfilter-nf_nat-fix-race-when-unloading-protocol-modules.patch b/queue-3.8/netfilter-nf_nat-fix-race-when-unloading-protocol-modules.patch
new file mode 100644 (file)
index 0000000..8e8b3d1
--- /dev/null
@@ -0,0 +1,126 @@
+From c2d421e171868586939c328dfb91bab840fe4c49 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 11 Apr 2013 04:22:39 +0000
+Subject: netfilter: nf_nat: fix race when unloading protocol modules
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c2d421e171868586939c328dfb91bab840fe4c49 upstream.
+
+following oops was reported:
+RIP: 0010:[<ffffffffa03227f2>]  [<ffffffffa03227f2>] nf_nat_cleanup_conntrack+0x42/0x70 [nf_nat]
+RSP: 0018:ffff880202c63d40  EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8801ac7bec28 RCX: ffff8801d0eedbe0
+RDX: dead000000200200 RSI: 0000000000000011 RDI: ffffffffa03265b8
+[..]
+Call Trace:
+ [..]
+ [<ffffffffa02febed>] destroy_conntrack+0xbd/0x110 [nf_conntrack]
+
+Happens when a conntrack timeout expires right after first part
+of the nat cleanup has completed (bysrc hash removal), but before
+part 2 has completed (re-initialization of nat area).
+
+[ destroy callback tries to delete bysrc again ]
+
+Patrick suggested to just remove the affected conntracks -- the
+connections won't work properly anyway without nat transformation.
+
+So, lets do that.
+
+Reported-by: CAI Qian <caiqian@redhat.com>
+Cc: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_core.c |   40 +++++++---------------------------------
+ 1 file changed, 7 insertions(+), 33 deletions(-)
+
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -468,33 +468,22 @@ EXPORT_SYMBOL_GPL(nf_nat_packet);
+ struct nf_nat_proto_clean {
+       u8      l3proto;
+       u8      l4proto;
+-      bool    hash;
+ };
+-/* Clear NAT section of all conntracks, in case we're loaded again. */
+-static int nf_nat_proto_clean(struct nf_conn *i, void *data)
++/* kill conntracks with affected NAT section */
++static int nf_nat_proto_remove(struct nf_conn *i, void *data)
+ {
+       const struct nf_nat_proto_clean *clean = data;
+       struct nf_conn_nat *nat = nfct_nat(i);
+       if (!nat)
+               return 0;
+-      if (!(i->status & IPS_SRC_NAT_DONE))
+-              return 0;
++
+       if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
+           (clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
+               return 0;
+-      if (clean->hash) {
+-              spin_lock_bh(&nf_nat_lock);
+-              hlist_del_rcu(&nat->bysource);
+-              spin_unlock_bh(&nf_nat_lock);
+-      } else {
+-              memset(nat, 0, sizeof(*nat));
+-              i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK |
+-                             IPS_SEQ_ADJUST);
+-      }
+-      return 0;
++      return i->status & IPS_NAT_MASK ? 1 : 0;
+ }
+ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
+@@ -506,16 +495,8 @@ static void nf_nat_l4proto_clean(u8 l3pr
+       struct net *net;
+       rtnl_lock();
+-      /* Step 1 - remove from bysource hash */
+-      clean.hash = true;
+       for_each_net(net)
+-              nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+-      synchronize_rcu();
+-
+-      /* Step 2 - clean NAT section */
+-      clean.hash = false;
+-      for_each_net(net)
+-              nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
++              nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
+       rtnl_unlock();
+ }
+@@ -527,16 +508,9 @@ static void nf_nat_l3proto_clean(u8 l3pr
+       struct net *net;
+       rtnl_lock();
+-      /* Step 1 - remove from bysource hash */
+-      clean.hash = true;
+-      for_each_net(net)
+-              nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+-      synchronize_rcu();
+-      /* Step 2 - clean NAT section */
+-      clean.hash = false;
+       for_each_net(net)
+-              nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
++              nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
+       rtnl_unlock();
+ }
+@@ -774,7 +748,7 @@ static void __net_exit nf_nat_net_exit(s
+ {
+       struct nf_nat_proto_clean clean = {};
+-      nf_ct_iterate_cleanup(net, &nf_nat_proto_clean, &clean);
++      nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
+       synchronize_rcu();
+       nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
+ }
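Review bot: nf_nat_proto_remove() now selects conntracks by `i->status & IPS_NAT_MASK`, whereas the removed code unlinked `nat->bysource` for every entry that had `IPS_SRC_NAT_DONE` set. If an entry can sit in the bysource hash without any `IPS_NAT_MASK` bit (the hunk does not show whether that happens), it survives the walk in nf_nat_net_exit() and stays linked into `net->ct.nat_bysource`, which nf_ct_free_hashtable() frees two lines later. For that caller the callback should kill or unlink every entry that is hashed; also testing `IPS_NAT_DONE_MASK` is one option to evaluate. The new one-line comment could add that a non-zero return is what makes nf_ct_iterate_cleanup() remove the conntrack, presumably, since that helper is not visible here.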
diff --git a/queue-3.8/netfilter-xt_rpfilter-skip-locally-generated-broadcast-multicast-too.patch b/queue-3.8/netfilter-xt_rpfilter-skip-locally-generated-broadcast-multicast-too.patch
new file mode 100644 (file)
index 0000000..5da1425
--- /dev/null
@@ -0,0 +1,77 @@
+From f83a7ea2075ca896f2dbf07672bac9cf3682ff74 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 17 Apr 2013 22:45:24 +0000
+Subject: netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
+
+From: Florian Westphal <fw@strlen.de>
+
+commit f83a7ea2075ca896f2dbf07672bac9cf3682ff74 upstream.
+
+Alex Efros reported rpfilter module doesn't match following packets:
+IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
+(netfilter bugzilla #814).
+
+Problem is that network stack arranges for the locally generated broadcasts
+to appear on the interface they were sent out, so the IFF_LOOPBACK check
+doesn't trigger.
+
+As -m rpfilter is restricted to PREROUTING, we can check for existing
+rtable instead, it catches locally-generated broad/multicast case, too.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_rpfilter.c  |    8 +++++++-
+ net/ipv6/netfilter/ip6t_rpfilter.c |    8 +++++++-
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_rpfilter.c
++++ b/net/ipv4/netfilter/ipt_rpfilter.c
+@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(stru
+       return dev_match;
+ }
++static bool rpfilter_is_local(const struct sk_buff *skb)
++{
++      const struct rtable *rt = skb_rtable(skb);
++      return rt && (rt->rt_flags & RTCF_LOCAL);
++}
++
+ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+       const struct xt_rpfilter_info *info;
+@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_
+       info = par->matchinfo;
+       invert = info->flags & XT_RPFILTER_INVERT;
+-      if (par->in->flags & IFF_LOOPBACK)
++      if (rpfilter_is_local(skb))
+               return true ^ invert;
+       iph = ip_hdr(skb);
+--- a/net/ipv6/netfilter/ip6t_rpfilter.c
++++ b/net/ipv6/netfilter/ip6t_rpfilter.c
+@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(con
+       return ret;
+ }
++static bool rpfilter_is_local(const struct sk_buff *skb)
++{
++      const struct rt6_info *rt = (const void *) skb_dst(skb);
++      return rt && (rt->rt6i_flags & RTF_LOCAL);
++}
++
+ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+       const struct xt_rpfilter_info *info = par->matchinfo;
+@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_
+       struct ipv6hdr *iph;
+       bool invert = info->flags & XT_RPFILTER_INVERT;
+-      if (par->in->flags & IFF_LOOPBACK)
++      if (rpfilter_is_local(skb))
+               return true ^ invert;
+       iph = ipv6_hdr(skb);
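Review bot: Both copies of rpfilter_is_local() come without a comment, and the reason an already attached local route means "locally generated" is given only in the commit message. It depends on the match running in PREROUTING only, where a received packet has no route yet; if the match were ever allowed in a later hook, received packets delivered locally would presumably carry a local route too and skip the reverse-path lookup. A comment above each helper would record that, e.g. `/* PREROUTING only: a dst is attached only to packets we generated ourselves */`. In ip6t_rpfilter.c the cast `(const void *) skb_dst(skb)` hides the assumption that the dst is a struct rt6_info and deserves a word as well.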
diff --git a/queue-3.8/pci-pm-clear-state_saved-during-suspend.patch b/queue-3.8/pci-pm-clear-state_saved-during-suspend.patch
new file mode 100644 (file)
index 0000000..66b93be
--- /dev/null
@@ -0,0 +1,60 @@
+From khlebnikov@openvz.org  Wed May  8 15:30:56 2013
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Wed, 08 May 2013 12:10:18 +0400
+Subject:  PCI/PM: Clear state_saved during suspend
+To: stable@vger.kernel.org
+Cc: Tóth Attila <atoth@atoth.sote.hu>
+Message-ID: <20130508081018.25748.86347.stgit@zurg>
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 82fee4d67ab86d6fe5eb0f9a9e988ca9d654d765 upstream.
+
+This patch clears pci_dev->state_saved at the beginning of suspending.
+PCI config state may be saved long before that.  Some drivers call
+pci_save_state() from the ->probe() callback to get snapshot of sane
+configuration space to use in the ->slot_reset() callback.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> # add comment
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Tóth Attila <atoth@atoth.sote.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -628,6 +628,7 @@ static int pci_pm_suspend(struct device
+               goto Fixup;
+       }
++      pci_dev->state_saved = false;
+       if (pm->suspend) {
+               pci_power_t prev = pci_dev->current_state;
+               int error;
+@@ -774,6 +775,7 @@ static int pci_pm_freeze(struct device *
+               return 0;
+       }
++      pci_dev->state_saved = false;
+       if (pm->freeze) {
+               int error;
+@@ -862,6 +864,7 @@ static int pci_pm_poweroff(struct device
+               goto Fixup;
+       }
++      pci_dev->state_saved = false;
+       if (pm->poweroff) {
+               int error;
+@@ -987,6 +990,7 @@ static int pci_pm_runtime_suspend(struct
+       if (!pm || !pm->runtime_suspend)
+               return -ENOSYS;
++      pci_dev->state_saved = false;
+       pci_dev->no_d3cold = false;
+       error = pm->runtime_suspend(dev);
+       suspend_report_result(pm->runtime_suspend, error);
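Review bot: The four added `pci_dev->state_saved = false;` lines in pci_pm_suspend(), pci_pm_freeze(), pci_pm_poweroff() and pci_pm_runtime_suspend() carry no comment, although the reason for them is not obvious at the call sites. A short comment at each site would help, e.g. `/* the driver may have called pci_save_state() earlier, e.g. in ->probe(); forget that snapshot */`. In pci_pm_runtime_suspend() the flag is cleared before `pm->runtime_suspend(dev)` is known to succeed; what the error path does with the flag is outside the hunk and worth checking.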
diff --git a/queue-3.8/perf-x86-intel-add-support-for-ivybridge-model-58-uncore.patch b/queue-3.8/perf-x86-intel-add-support-for-ivybridge-model-58-uncore.patch
new file mode 100644 (file)
index 0000000..00d69b9
--- /dev/null
@@ -0,0 +1,38 @@
+From 9a6bc14350b130427725f33e371e86212fa56c85 Mon Sep 17 00:00:00 2001
+From: Vince Weaver <vincent.weaver@maine.edu>
+Date: Mon, 29 Apr 2013 15:52:27 -0400
+Subject: perf/x86/intel: Add support for IvyBridge model 58 Uncore
+
+From: Vince Weaver <vincent.weaver@maine.edu>
+
+commit 9a6bc14350b130427725f33e371e86212fa56c85 upstream.
+
+According to Intel Vol3b 18.9, the IvyBridge model 58 uncore is
+the same as that of SandyBridge.
+
+I've done some simple tests and with this patch things seem to
+work on my mac-mini.
+
+Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Cc: Stephane Eranian <eranian@gmail.com>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.02.1304291549320.15827@vincent-weaver-1.um.maine.edu
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+@@ -2853,6 +2853,7 @@ static int __init uncore_cpu_init(void)
+               msr_uncores = nhm_msr_uncores;
+               break;
+       case 42: /* Sandy Bridge */
++      case 58: /* Ivy Bridge */
+               if (snb_uncore_cbox.num_boxes > max_cores)
+                       snb_uncore_cbox.num_boxes = max_cores;
+               msr_uncores = snb_msr_uncores;
diff --git a/queue-3.8/perf-x86-intel-fix-unintended-variable-name-reuse.patch b/queue-3.8/perf-x86-intel-fix-unintended-variable-name-reuse.patch
new file mode 100644 (file)
index 0000000..00bc9fd
--- /dev/null
@@ -0,0 +1,67 @@
+From 1b0dac2ac6debdbf1541e15f2cede03613cf4465 Mon Sep 17 00:00:00 2001
+From: Jan-Simon Möller <dl9pf@gmx.de>
+Date: Tue, 30 Apr 2013 12:02:33 +0200
+Subject: perf/x86/intel: Fix unintended variable name reuse
+
+From: Jan-Simon Möller <dl9pf@gmx.de>
+
+commit 1b0dac2ac6debdbf1541e15f2cede03613cf4465 upstream.
+
+The variable name events_group is already in used and led to a
+compilation error when using clang to build the Linux Kernel .
+The fix is just to rename the var. No functional change. Please
+apply.
+
+Fix suggested in discussion by PaX Team <pageexec@freemail.hu>
+
+Signed-off-by: Jan-Simon Möller <dl9pf@gmx.de>
+Cc: rostedt@goodmis.org
+Cc: a.p.zijlstra@chello.nl
+Cc: paulus@samba.org
+Cc: acme@ghostprotocols.net
+Link: http://lkml.kernel.org/r/1367316153-14808-1-git-send-email-dl9pf@gmx.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+@@ -2428,7 +2428,7 @@ static void __init uncore_types_exit(str
+ static int __init uncore_type_init(struct intel_uncore_type *type)
+ {
+       struct intel_uncore_pmu *pmus;
+-      struct attribute_group *events_group;
++      struct attribute_group *attr_group;
+       struct attribute **attrs;
+       int i, j;
+@@ -2455,19 +2455,19 @@ static int __init uncore_type_init(struc
+               while (type->event_descs[i].attr.attr.name)
+                       i++;
+-              events_group = kzalloc(sizeof(struct attribute *) * (i + 1) +
+-                                      sizeof(*events_group), GFP_KERNEL);
+-              if (!events_group)
++              attr_group = kzalloc(sizeof(struct attribute *) * (i + 1) +
++                                      sizeof(*attr_group), GFP_KERNEL);
++              if (!attr_group)
+                       goto fail;
+-              attrs = (struct attribute **)(events_group + 1);
+-              events_group->name = "events";
+-              events_group->attrs = attrs;
++              attrs = (struct attribute **)(attr_group + 1);
++              attr_group->name = "events";
++              attr_group->attrs = attrs;
+               for (j = 0; j < i; j++)
+                       attrs[j] = &type->event_descs[j].attr.attr;
+-              type->events_group = events_group;
++              type->events_group = attr_group;
+       }
+       type->pmu_group = &uncore_pmu_attr_group;
diff --git a/queue-3.8/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch b/queue-3.8/perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
new file mode 100644 (file)
index 0000000..7381ebb
--- /dev/null
@@ -0,0 +1,69 @@
+From 7cc23cd6c0c7d7f4bee057607e7ce01568925717 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 3 May 2013 14:11:25 +0200
+Subject: perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717 upstream.
+
+We should always have proper privileges when requesting kernel
+data.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+[ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -310,7 +310,7 @@ void intel_pmu_lbr_read(void)
+  * - in case there is no HW filter
+  * - in case the HW filter has errata or limitations
+  */
+-static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
++static int intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
+ {
+       u64 br_type = event->attr.branch_sample_type;
+       int mask = 0;
+@@ -318,8 +318,11 @@ static void intel_pmu_setup_sw_lbr_filte
+       if (br_type & PERF_SAMPLE_BRANCH_USER)
+               mask |= X86_BR_USER;
+-      if (br_type & PERF_SAMPLE_BRANCH_KERNEL)
++      if (br_type & PERF_SAMPLE_BRANCH_KERNEL) {
++              if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
++                      return -EACCES;
+               mask |= X86_BR_KERNEL;
++      }
+       /* we ignore BRANCH_HV here */
+@@ -339,6 +342,8 @@ static void intel_pmu_setup_sw_lbr_filte
+        * be used by fixup code for some CPU
+        */
+       event->hw.branch_reg.reg = mask;
++
++      return 0;
+ }
+ /*
+@@ -386,7 +391,9 @@ int intel_pmu_setup_lbr_filter(struct pe
+       /*
+        * setup SW LBR filter
+        */
+-      intel_pmu_setup_sw_lbr_filter(event);
++      ret = intel_pmu_setup_sw_lbr_filter(event);
++      if (ret)
++              return ret;
+       /*
+        * setup HW LBR filter, if any
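Review bot: intel_pmu_setup_sw_lbr_filter() now returns an error, but the comment block above it (its tail is visible at the top of the hunk) still only describes when the software filter is used. It should gain a line like ` * Returns 0, or -EACCES when kernel branches are requested without privilege.` The permission test sits only under `PERF_SAMPLE_BRANCH_KERNEL`, and the following `/* we ignore BRANCH_HV here */` suggests the hypervisor level is not handled here at all, so it is worth confirming that no other path hands out privileged branch data without the same check. The declaration of `ret` in intel_pmu_setup_lbr_filter() is outside the hunk.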
diff --git a/queue-3.8/perf-x86-intel-lbr-fix-lbr-filter.patch b/queue-3.8/perf-x86-intel-lbr-fix-lbr-filter.patch
new file mode 100644 (file)
index 0000000..f00eb7b
--- /dev/null
@@ -0,0 +1,51 @@
+From 6e15eb3ba6c0249c9e8c783517d131b47db995ca Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 3 May 2013 14:11:24 +0200
+Subject: perf/x86/intel/lbr: Fix LBR filter
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca upstream.
+
+The LBR 'from' adddress is under full userspace control; ensure
+we validate it before reading from it.
+
+Note: is_module_text_address() can potentially be quite
+expensive; for those running into that with high overhead
+in modules optimize it using an RCU backed rb-tree.
+
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20130503121256.158211806@chello.nl
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+@@ -442,8 +442,18 @@ static int branch_type(unsigned long fro
+                       return X86_BR_NONE;
+               addr = buf;
+-      } else
+-              addr = (void *)from;
++      } else {
++              /*
++               * The LBR logs any address in the IP, even if the IP just
++               * faulted. This means userspace can control the from address.
++               * Ensure we don't blindy read any address by validating it is
++               * a known text address.
++               */
++              if (kernel_text_address(from))
++                      addr = (void *)from;
++              else
++                      return X86_BR_NONE;
++      }
+       /*
+        * decoder needs to know the ABI especially
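Review bot: The new else branch in branch_type() can be written as a guard, matching the early `return X86_BR_NONE;` of the branch above: `if (!kernel_text_address(from)) return X86_BR_NONE;` followed by `addr = (void *)from;`. The comment inside it has a typo, `blindy` for `blindly`. kernel_text_address() vouches for the address `from` itself; the decode that follows (outside the hunk) presumably reads several bytes starting at `addr`, so it is worth confirming that a `from` close to the end of a text region cannot make that read run past it.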
index a37066f8b49d5e5021f4c85a5216576f4e021544..af5a88e93e41978b6d58e76377a2a62457438dbd 100644 (file)
@@ -4,3 +4,23 @@ powerpc-fix-numa-distance-for-form0-device-tree.patch
 pwm-spear-fix-checking-return-value-of-clk_enable-and-clk_prepare.patch
 autofs-remove-autofs-dentry-mount-check.patch
 hugetlbfs-fix-mmap-failure-in-unaligned-size-request.patch
+iommu-amd-properly-initialize-irq-table-lock.patch
+net-eth-ibmveth-fixup-retrieval-of-mac-address.patch
+perf-x86-intel-add-support-for-ivybridge-model-58-uncore.patch
+perf-x86-intel-fix-unintended-variable-name-reuse.patch
+perf-x86-intel-lbr-fix-lbr-filter.patch
+perf-x86-intel-lbr-demand-proper-privileges-for-perf_sample_branch_kernel.patch
+pci-pm-clear-state_saved-during-suspend.patch
+e1000e-fix-runtime-power-management-transitions.patch
+e1000e-fix-accessing-to-suspended-device.patch
+xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
+ipvs-ip_vs_sip_fill_param-bug-bad-check-of-return-value.patch
+netfilter-nf_nat-fix-race-when-unloading-protocol-modules.patch
+netfilter-ipset-list-set-fix-reference-counter-update.patch
+netfilter-nf_ct_sip-don-t-drop-packets-with-offsets.patch
+netfilter-ipset-directory-not-empty-error-message.patch
+netfilter-nf_ct_helper-don-t-discard-helper-if-it-is-actually-the-same.patch
+netfilter-ctnetlink-don-t-permit-ct-creation-with-random-tuple.patch
+netfilter-xt_rpfilter-skip-locally-generated-broadcast-multicast-too.patch
+netfilter-ip6t_npt-fix-translation-for-non-multiple-of-32-prefix-lengths.patch
+ext4-add-check-for-inodes_count-overflow-in-new-resize-ioctl.patch
diff --git a/queue-3.8/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch b/queue-3.8/xhci-don-t-warn-on-empty-ring-for-suspended-devices.patch
new file mode 100644 (file)
index 0000000..7b5a3a6
--- /dev/null
@@ -0,0 +1,58 @@
+From a83d6755814e4614ba77e15d82796af0f695c6b8 Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Mon, 18 Mar 2013 10:19:51 -0700
+Subject: xhci: Don't warn on empty ring for suspended devices.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit a83d6755814e4614ba77e15d82796af0f695c6b8 upstream.
+
+When a device attached to the roothub is suspended, the endpoint rings
+are stopped.  The host may generate a completion event with the
+completion code set to 'Stopped' or 'Stopped Invalid' when the ring is
+halted.  The current xHCI code prints a warning in that case, which can
+be really annoying if the USB device is coming into and out of suspend.
+
+Remove the unnecessary warning.
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Tested-by: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |   23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2461,14 +2461,21 @@ static int handle_tx_event(struct xhci_h
+                * TD list.
+                */
+               if (list_empty(&ep_ring->td_list)) {
+-                      xhci_warn(xhci, "WARN Event TRB for slot %d ep %d "
+-                                      "with no TDs queued?\n",
+-                                TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
+-                                ep_index);
+-                      xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
+-                               (le32_to_cpu(event->flags) &
+-                                TRB_TYPE_BITMASK)>>10);
+-                      xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++                      /*
++                       * A stopped endpoint may generate an extra completion
++                       * event if the device was suspended.  Don't print
++                       * warnings.
++                       */
++                      if (!(trb_comp_code == COMP_STOP ||
++                                              trb_comp_code == COMP_STOP_INVAL)) {
++                              xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
++                                              TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
++                                              ep_index);
++                              xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
++                                              (le32_to_cpu(event->flags) &
++                                               TRB_TYPE_BITMASK)>>10);
++                              xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
++                      }
+                       if (ep->skip) {
+                               ep->skip = false;
+                               xhci_dbg(xhci, "td_list is empty while skip "
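Review bot: The new condition in handle_tx_event() suppresses the warning for every `COMP_STOP` or `COMP_STOP_INVAL` event that arrives with an empty TD list; it does not test whether the device is actually suspended, as the comment implies. Either the comment should say that all stopped-endpoint events are silenced, or the suppressed case should keep a debug trace, e.g. `xhci_dbg(xhci, "Stopped event with no TDs queued\n");` in an else branch, so an unexpected event is still visible when debugging. The test also reads more directly as `trb_comp_code != COMP_STOP && trb_comp_code != COMP_STOP_INVAL`. handle_tx_event() starts and ends outside the hunk.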