3.4-stable patches

added patches:
	cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch
	net-flow_dissector-fail-on-evil-iph-ihl.patch
	xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch

diff --git a/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch b/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch
new file mode 100644 (file)
index 0000000..27c7482
--- /dev/null
+++ b/queue-3.4/cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch
@@ -0,0 +1,45 @@
+From 5e6ba9f656b9ece3d0473f6cdca66b665f72eb36 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 27 Oct 2013 21:02:39 +0000
+Subject: cxgb3: Fix length calculation in write_ofld_wr() on 32-bit architectures
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit 262e827fe745642589450ae241b7afd3912c3f25 ]
+
+The length calculation here is now invalid on 32-bit architectures,
+since sk_buff::tail is a pointer and sk_buff::transport_header is
+an integer offset:
+
+drivers/net/ethernet/chelsio/cxgb3/sge.c: In function 'write_ofld_wr':
+drivers/net/ethernet/chelsio/cxgb3/sge.c:1603:9: warning: passing argument 4 of 'make_sgl' makes integer from pointer without a cast [enabled by default]
+         adap->pdev);
+         ^
+drivers/net/ethernet/chelsio/cxgb3/sge.c:964:28: note: expected 'unsigned int' but argument is of type 'sk_buff_data_t'
+ static inline unsigned int make_sgl(const struct sk_buff *skb,
+                            ^
+
+Use the appropriate skb accessor functions.
+
+Compile-tested only.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Fixes: 1a37e412a022 ('net: Use 16bits for *_headers fields of struct skbuff')
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/sge.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c
+@@ -1600,7 +1600,8 @@ static void write_ofld_wr(struct adapter
+       flits = skb_transport_offset(skb) / 8;
+       sgp = ndesc == 1 ? (struct sg_ent *)&d->flit[flits] : sgl;
+       sgl_flits = make_sgl(skb, sgp, skb_transport_header(skb),
+-                           skb->tail - skb->transport_header,
++                           skb_tail_pointer(skb) -
++                           skb_transport_header(skb),
+                            adap->pdev);
+       if (need_skb_unmap()) {
+               setup_deferred_unmapping(skb, adap->pdev, sgp, sgl_flits);

diff --git a/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch b/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch
new file mode 100644 (file)
index 0000000..97aba1b
--- /dev/null
+++ b/queue-3.4/net-flow_dissector-fail-on-evil-iph-ihl.patch
@@ -0,0 +1,39 @@
+From fca443b873af2dbd7e92b23aa40b47d00d880ad2 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 1 Nov 2013 15:01:10 +0800
+Subject: net: flow_dissector: fail on evil iph->ihl
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 6f092343855a71e03b8d209815d8c45bf3a27fcd ]
+
+We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
+skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
+is evil (less than 5).
+
+This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
+(rps: support IPIP encapsulation).
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/flow_dissector.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -35,7 +35,7 @@ again:
+               struct iphdr _iph;
+ ip:
+               iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
+-              if (!iph)
++              if (!iph || iph->ihl < 5)
+                       return false;
+ 
+               if (ip_is_fragment(iph))

diff --git a/queue-3.4/series b/queue-3.4/series
new file mode 100644 (file)
index 0000000..84a4995
--- /dev/null
+++ b/queue-3.4/series
@@ -0,0 +1,3 @@
+cxgb3-fix-length-calculation-in-write_ofld_wr-on-32-bit-architectures.patch
+xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch
+net-flow_dissector-fail-on-evil-iph-ihl.patch

diff --git a/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch b/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch
new file mode 100644 (file)
index 0000000..72dacba
--- /dev/null
+++ b/queue-3.4/xen-netback-use-jiffies_64-value-to-calculate-credit-timeout.patch
@@ -0,0 +1,87 @@
+From d6ae66b2acce797afbe0b87c2ab887de80ea3a72 Mon Sep 17 00:00:00 2001
+From: Wei Liu <wei.liu2@citrix.com>
+Date: Mon, 28 Oct 2013 12:07:57 +0000
+Subject: xen-netback: use jiffies_64 value to calculate credit timeout
+
+From: Wei Liu <wei.liu2@citrix.com>
+
+[ Upstream commit 059dfa6a93b779516321e5112db9d7621b1367ba ]
+
+time_after_eq() only works if the delta is < MAX_ULONG/2.
+
+For a 32bit Dom0, if netfront sends packets at a very low rate, the time
+between subsequent calls to tx_credit_exceeded() may exceed MAX_ULONG/2
+and the test for timer_after_eq() will be incorrect. Credit will not be
+replenished and the guest may become unable to send packets (e.g., if
+prior to the long gap, all credit was exhausted).
+
+Use jiffies_64 variant to mitigate this problem for 32bit Dom0.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Wei Liu <wei.liu2@citrix.com>
+Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+Cc: Ian Campbell <ian.campbell@citrix.com>
+Cc: Jason Luan <jianhai.luan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/common.h    |    1 +
+ drivers/net/xen-netback/interface.c |    3 +--
+ drivers/net/xen-netback/netback.c   |   10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/xen-netback/common.h
++++ b/drivers/net/xen-netback/common.h
+@@ -88,6 +88,7 @@ struct xenvif {
+       unsigned long   credit_usec;
+       unsigned long   remaining_credit;
+       struct timer_list credit_timeout;
++      u64 credit_window_start;
+ 
+       /* Statistics */
+       unsigned long rx_gso_checksum_fixup;
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -273,8 +273,7 @@ struct xenvif *xenvif_alloc(struct devic
+       vif->credit_bytes = vif->remaining_credit = ~0UL;
+       vif->credit_usec  = 0UL;
+       init_timer(&vif->credit_timeout);
+-      /* Initialize 'expires' now: it's used to track the credit window. */
+-      vif->credit_timeout.expires = jiffies;
++      vif->credit_window_start = get_jiffies_64();
+ 
+       dev->netdev_ops = &xenvif_netdev_ops;
+       dev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO;
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -1197,9 +1197,8 @@ out:
+ 
+ static bool tx_credit_exceeded(struct xenvif *vif, unsigned size)
+ {
+-      unsigned long now = jiffies;
+-      unsigned long next_credit =
+-              vif->credit_timeout.expires +
++      u64 now = get_jiffies_64();
++      u64 next_credit = vif->credit_window_start +
+               msecs_to_jiffies(vif->credit_usec / 1000);
+ 
+       /* Timer could already be pending in rare cases. */
+@@ -1207,8 +1206,8 @@ static bool tx_credit_exceeded(struct xe
+               return true;
+ 
+       /* Passed the point where we can replenish credit? */
+-      if (time_after_eq(now, next_credit)) {
+-              vif->credit_timeout.expires = now;
++      if (time_after_eq64(now, next_credit)) {
++              vif->credit_window_start = now;
+               tx_add_credit(vif);
+       }
+ 
+@@ -1220,6 +1219,7 @@ static bool tx_credit_exceeded(struct xe
+                       tx_credit_callback;
+               mod_timer(&vif->credit_timeout,
+                         next_credit);
++              vif->credit_window_start = next_credit;
+ 
+               return true;
+       }