3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Aug 2012 21:24:39 +0000 (14:24 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Aug 2012 21:24:39 +0000 (14:24 -0700)
added patches:
atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
caif-fix-access-to-freed-pernet-memory.patch
caif-fix-null-pointer-check.patch
cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
gianfar-fix-potential-sk_wmem_alloc-imbalance.patch
netem-add-limitation-to-reordered-packets.patch
net-fix-memory-leak-vlan_info-struct.patch
net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
net-tun-fix-ioctl-based-info-leaks.patch
r8169-revert-add-byte-queue-limit-support.patch
sch_sfb-fix-missing-null-check.patch
sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch
tcp-add-tcp_user_timeout-negative-value-check.patch
tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
wanmain-comparing-array-with-null.patch

19 files changed:
queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch [new file with mode: 0644]
queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch [new file with mode: 0644]
queue-3.4/caif-fix-access-to-freed-pernet-memory.patch [new file with mode: 0644]
queue-3.4/caif-fix-null-pointer-check.patch [new file with mode: 0644]
queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch [new file with mode: 0644]
queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch [new file with mode: 0644]
queue-3.4/net-fix-memory-leak-vlan_info-struct.patch [new file with mode: 0644]
queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch [new file with mode: 0644]
queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch [new file with mode: 0644]
queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch [new file with mode: 0644]
queue-3.4/netem-add-limitation-to-reordered-packets.patch [new file with mode: 0644]
queue-3.4/r8169-revert-add-byte-queue-limit-support.patch [new file with mode: 0644]
queue-3.4/sch_sfb-fix-missing-null-check.patch [new file with mode: 0644]
queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch [new file with mode: 0644]
queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch [new file with mode: 0644]
queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch [new file with mode: 0644]
queue-3.4/wanmain-comparing-array-with-null.patch [new file with mode: 0644]

diff --git a/queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch b/queue-3.4/atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
new file mode 100644 (file)
index 0000000..ddce961
--- /dev/null
@@ -0,0 +1,40 @@
+From 2bda4a47e439d617c9723573c4957a707074d8be Mon Sep 17 00:00:00 2001
+From: Cloud Ren <cjren@qca.qualcomm.com>
+Date: Tue, 3 Jul 2012 16:51:48 +0000
+Subject: atl1c: fix issue of transmit queue 0 timed out
+
+
+From: Cloud Ren <cjren@qca.qualcomm.com>
+
+[ Upstream commit b94e52f62683dc0b00c6d1b58b80929a078c0fd5 ]
+
+some people report atl1c could cause system hang with following
+kernel trace info:
+---------------------------------------
+WARNING: at.../net/sched/sch_generic.c:258 dev_watchdog+0x1db/0x1d0()
+...
+NETDEV WATCHDOG: eth0 (atl1c): transmit queue 0 timed out
+...
+---------------------------------------
+This is caused by netif_stop_queue calling when cable Link is down.
+So remove netif_stop_queue, because link_watch will take it over.
+
+Signed-off-by: xiong <xiong@qca.qualcomm.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Cloud Ren <cjren@qca.qualcomm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -267,7 +267,6 @@ static void atl1c_check_link_status(stru
+                               dev_warn(&pdev->dev, "stop mac failed\n");
+               atl1c_set_aspm(hw, false);
+               netif_carrier_off(netdev);
+-              netif_stop_queue(netdev);
+               atl1c_phy_reset(hw);
+               atl1c_phy_init(&adapter->hw);
+       } else {
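Review bot: The removed `netif_stop_queue(netdev)` leaves no trace in the code of why the link-down path no longer stops the queue, and the next person touching atl1c_check_link_status() will be tempted to add it back; a one-line comment after `netif_carrier_off(netdev);` would record the reason given in the description (L71-72): `/* linkwatch stops the tx queue on carrier-off; stopping it here too leaves it stopped and trips the dev_watchdog */`. The surrounding function starts and its `else` branch continues outside the hunk, so whether the link-up branch relies on linkwatch to wake the queue cannot be confirmed from here.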
diff --git a/queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch b/queue-3.4/bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
new file mode 100644 (file)
index 0000000..14915ea
--- /dev/null
@@ -0,0 +1,45 @@
+From 91d75a10a7ad795a6f0009807b8086320a269d24 Mon Sep 17 00:00:00 2001
+From: Michael Chan <mchan@broadcom.com>
+Date: Tue, 10 Jul 2012 10:04:40 +0000
+Subject: bnx2: Fix bug in bnx2_free_tx_skbs().
+
+
+From: Michael Chan <mchan@broadcom.com>
+
+[ Upstream commit c1f5163de417dab01fa9daaf09a74bbb19303f3c ]
+
+In rare cases, bnx2x_free_tx_skbs() can unmap the wrong DMA address
+when it gets to the last entry of the tx ring.  We were not using
+the proper macro to skip the last entry when advancing the tx index.
+
+Reported-by: Zongyun Lai <zlai@vmware.com>
+Reviewed-by: Jeffrey Huang <huangjw@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2.c
++++ b/drivers/net/ethernet/broadcom/bnx2.c
+@@ -5372,7 +5372,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+                       int k, last;
+                       if (skb == NULL) {
+-                              j++;
++                              j = NEXT_TX_BD(j);
+                               continue;
+                       }
+@@ -5384,8 +5384,8 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
+                       tx_buf->skb = NULL;
+                       last = tx_buf->nr_frags;
+-                      j++;
+-                      for (k = 0; k < last; k++, j++) {
++                      j = NEXT_TX_BD(j);
++                      for (k = 0; k < last; k++, j = NEXT_TX_BD(j)) {
+                               tx_buf = &txr->tx_buf_ring[TX_RING_IDX(j)];
+                               dma_unmap_page(&bp->pdev->dev,
+                                       dma_unmap_addr(tx_buf, mapping),
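Review bot: The three `j = NEXT_TX_BD(j)` replacements are correct only because the ring has a descriptor the index must skip, and nothing at the call sites says so; a short comment on the first one would prevent the same `j++` regression from reappearing: `/* NEXT_TX_BD skips the ring's last descriptor; a plain j++ lands on it and unmaps the wrong address */`. The outer loop over the ring and the `tx_buf` lookup that feeds `skb` start outside this hunk, so I could not check that the loop bound itself also counts in NEXT_TX_BD terms.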
diff --git a/queue-3.4/caif-fix-access-to-freed-pernet-memory.patch b/queue-3.4/caif-fix-access-to-freed-pernet-memory.patch
new file mode 100644 (file)
index 0000000..bf8f584
--- /dev/null
@@ -0,0 +1,47 @@
+From d1e6373442e667e2a5625339b956d7774c8527e1 Mon Sep 17 00:00:00 2001
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Date: Sun, 15 Jul 2012 10:10:14 +0000
+Subject: caif: Fix access to freed pernet memory
+
+
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+
+[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]
+
+unregister_netdevice_notifier() must be called before
+unregister_pernet_subsys() to avoid accessing already freed
+pernet memory. This fixes the following oops when doing rmmod:
+
+Call Trace:
+ [<ffffffffa0f802bd>] caif_device_notify+0x4d/0x5a0 [caif]
+ [<ffffffff81552ba9>] unregister_netdevice_notifier+0xb9/0x100
+ [<ffffffffa0f86dcc>] caif_device_exit+0x1c/0x250 [caif]
+ [<ffffffff810e7734>] sys_delete_module+0x1a4/0x300
+ [<ffffffff810da82d>] ? trace_hardirqs_on_caller+0x15d/0x1e0
+ [<ffffffff813517de>] ? trace_hardirqs_on_thunk+0x3a/0x3
+ [<ffffffff81696bad>] system_call_fastpath+0x1a/0x1f
+
+RIP
+ [<ffffffffa0f7f561>] caif_get+0x51/0xb0 [caif]
+
+Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -562,9 +562,9 @@ static int __init caif_device_init(void)
+ static void __exit caif_device_exit(void)
+ {
+-      unregister_pernet_subsys(&caif_net_ops);
+       unregister_netdevice_notifier(&caif_device_notifier);
+       dev_remove_pack(&caif_packet_type);
++      unregister_pernet_subsys(&caif_net_ops);
+ }
+ module_init(caif_device_init);
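Review bot: The fix is purely an ordering constraint in caif_device_exit(), and ordering constraints with no comment get "cleaned up" back into bugs; please add one line above `unregister_netdevice_notifier(&caif_device_notifier);`, e.g. `/* the notifier may still run and dereference per-net state, so it must go before unregister_pernet_subsys() frees it */`. The trace in the description (L159-169) shows the notifier callback reaching caif_get() on freed pernet memory, which is a use-after-free on module unload.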
diff --git a/queue-3.4/caif-fix-null-pointer-check.patch b/queue-3.4/caif-fix-null-pointer-check.patch
new file mode 100644 (file)
index 0000000..812daea
--- /dev/null
@@ -0,0 +1,31 @@
+From 38fe7d774a34e41eaa6ef6d2676b343b6f6a862a Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 24 Jul 2012 02:42:14 +0000
+Subject: caif: fix NULL pointer check
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit c66b9b7d365444b433307ebb18734757cb668a02 ]
+
+Reported-by: <rucsoftsec@gmail.com>
+Resolves-bug: http://bugzilla.kernel.org/show_bug?44441
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_serial.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -325,6 +325,9 @@ static int ldisc_open(struct tty_struct
+       sprintf(name, "cf%s", tty->name);
+       dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
++      if (!dev)
++              return -ENOMEM;
++
+       ser = netdev_priv(dev);
+       ser->tty = tty_kref_get(tty);
+       ser->dev = dev;
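Review bot: The new `if (!dev) return -ENOMEM;` closes the NULL dereference, but the line just above it, `sprintf(name, "cf%s", tty->name);`, is an unbounded write into `name` whose size is declared outside this hunk; if `name` is shorter than `"cf"` plus the longest tty name it can overflow, and I cannot tell from here. `snprintf(name, sizeof(name), "cf%s", tty->name);` costs nothing and removes the question. ldisc_open() starts outside the hunk, so I also could not see whether anything acquired earlier in the function needs releasing on this new early return.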
diff --git a/queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch b/queue-3.4/cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
new file mode 100644 (file)
index 0000000..d9a09a9
--- /dev/null
@@ -0,0 +1,92 @@
+From da13bdb3e4cbadb8a93970fdb2cb5fbf33a9a8cc Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Tue, 17 Jul 2012 11:07:47 +0000
+Subject: cipso: don't follow a NULL pointer when setsockopt() is called
+
+
+From: Paul Moore <pmoore@redhat.com>
+
+[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]
+
+As reported by Alan Cox, and verified by Lin Ming, when a user
+attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
+tag the kernel dies a terrible death when it attempts to follow a NULL
+pointer (the skb argument to cipso_v4_validate() is NULL when called via
+the setsockopt() syscall).
+
+This patch fixes this by first checking to ensure that the skb is
+non-NULL before using it to find the incoming network interface.  In
+the unlikely case where the skb is NULL and the user attempts to add
+a CIPSO option with the _TAG_LOCAL tag we return an error as this is
+not something we want to allow.
+
+A simple reproducer, kindly supplied by Lin Ming, although you must
+have the CIPSO DOI #3 configure on the system first or you will be
+caught early in cipso_v4_validate():
+
+       #include <sys/types.h>
+       #include <sys/socket.h>
+       #include <linux/ip.h>
+       #include <linux/in.h>
+       #include <string.h>
+
+       struct local_tag {
+               char type;
+               char length;
+               char info[4];
+       };
+
+       struct cipso {
+               char type;
+               char length;
+               char doi[4];
+               struct local_tag local;
+       };
+
+       int main(int argc, char **argv)
+       {
+               int sockfd;
+               struct cipso cipso = {
+                       .type = IPOPT_CIPSO,
+                       .length = sizeof(struct cipso),
+                       .local = {
+                               .type = 128,
+                               .length = sizeof(struct local_tag),
+                       },
+               };
+
+               memset(cipso.doi, 0, 4);
+               cipso.doi[3] = 3;
+
+               sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+               #define SOL_IP 0
+               setsockopt(sockfd, SOL_IP, IP_OPTIONS,
+                       &cipso, sizeof(struct cipso));
+
+               return 0;
+       }
+
+CC: Lin Ming <mlin@ss.pku.edu.cn>
+Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/cipso_ipv4.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_bu
+               case CIPSO_V4_TAG_LOCAL:
+                       /* This is a non-standard tag that we only allow for
+                        * local connections, so if the incoming interface is
+-                       * not the loopback device drop the packet. */
+-                      if (!(skb->dev->flags & IFF_LOOPBACK)) {
++                       * not the loopback device drop the packet. Further,
++                       * there is no legitimate reason for setting this from
++                       * userspace so reject it if skb is NULL. */
++                      if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
+                               err_offset = opt_iter;
+                               goto validate_return_locked;
+                       }
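Review bot: The new condition `skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)` still dereferences `skb->dev` unconditionally for a non-NULL skb; on the receive path the incoming interface is presumably always set, but that assumption is not written down, and the comment rewritten here is the natural place for it, e.g. appending `skb->dev is assumed set whenever skb is (receive path).`. Worth noting for the stable backport that the reproducer (L290-293) uses only socket() and setsockopt(), so the NULL dereference is reachable by an unprivileged local user as a kernel crash once a matching DOI is configured. cipso_v4_validate() begins outside the hunk.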
diff --git a/queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch b/queue-3.4/gianfar-fix-potential-sk_wmem_alloc-imbalance.patch
new file mode 100644 (file)
index 0000000..7096491
--- /dev/null
@@ -0,0 +1,47 @@
+From a80e8d2e59d8ffa5d559c7e37005180f425095ea Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Jul 2012 11:45:13 +0000
+Subject: gianfar: fix potential sk_wmem_alloc imbalance
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 313b037cf054ec908de92fb4c085403ffd7420d4 ]
+
+commit db83d136d7f753 (gianfar: Fix missing sock reference when
+processing TX time stamps) added a potential sk_wmem_alloc imbalance
+
+If the new skb has a different truesize than old one, we can get a
+negative sk_wmem_alloc once new skb is orphaned at TX completion.
+
+Now we no longer early orphan skbs in dev_hard_start_xmit(), this
+probably can lead to fatal bugs.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: Manfred Rudigier <manfred.rudigier@omicron.at>
+Cc: Claudiu Manoil <claudiu.manoil@freescale.com>
+Cc: Jiajun Wu <b06378@freescale.com>
+Cc: Andy Fleming <afleming@freescale.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2065,10 +2065,9 @@ static int gfar_start_xmit(struct sk_buf
+                       return NETDEV_TX_OK;
+               }
+-              /* Steal sock reference for processing TX time stamps */
+-              swap(skb_new->sk, skb->sk);
+-              swap(skb_new->destructor, skb->destructor);
+-              kfree_skb(skb);
++              if (skb->sk)
++                      skb_set_owner_w(skb_new, skb->sk);
++              consume_skb(skb);
+               skb = skb_new;
+       }
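Review bot: The order of the two new lines matters and should be stated: `skb_set_owner_w(skb_new, skb->sk)` must run while the old skb still holds its socket reference, because `consume_skb(skb)` runs the old destructor and may drop the last reference to `skb->sk`. A comment such as `/* charge skb_new to the socket (new reference, correct truesize) before the old skb releases its own */` above the `if (skb->sk)` would capture both the ordering and the truesize accounting issue the description (L340-341) explains. gfar_start_xmit() starts and ends outside this hunk.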
diff --git a/queue-3.4/net-fix-memory-leak-vlan_info-struct.patch b/queue-3.4/net-fix-memory-leak-vlan_info-struct.patch
new file mode 100644 (file)
index 0000000..0041bfd
--- /dev/null
@@ -0,0 +1,39 @@
+From df19f687fe20a1dc89c5cc0ecadb0ff2019f65b2 Mon Sep 17 00:00:00 2001
+From: Amir Hanania <amir.hanania@intel.com>
+Date: Mon, 9 Jul 2012 20:47:19 +0000
+Subject: net: Fix memory leak - vlan_info struct
+
+
+From: Amir Hanania <amir.hanania@intel.com>
+
+[ Upstream commit efc73f4bbc238d4f579fb612c04c8e1dd8a82979 ]
+
+In driver reload test there is a memory leak.
+The structure vlan_info was not freed when the driver was removed.
+It was not released since the nr_vids var is one after last vlan was removed.
+The nr_vids is one, since vlan zero is added to the interface when the interface
+is being set, but the vlan zero is not deleted at unregister.
+Fix - delete vlan zero when we unregister the device.
+
+Signed-off-by: Amir Hanania <amir.hanania@intel.com>
+Acked-by: John Fastabend <john.r.fastabend@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -403,6 +403,9 @@ static int vlan_device_event(struct noti
+               break;
+       case NETDEV_DOWN:
++              if (dev->features & NETIF_F_HW_VLAN_FILTER)
++                      vlan_vid_del(dev, 0);
++
+               /* Put all VLANs for this dev in the down state too.  */
+               for (i = 0; i < VLAN_N_VID; i++) {
+                       vlandev = vlan_group_get_device(grp, i);
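Review bot: The NETDEV_DOWN branch now calls `vlan_vid_del(dev, 0)` only when `NETIF_F_HW_VLAN_FILTER` is set at down time, but the corresponding add of VID 0 (described at L390-391, not visible in this hunk) is presumably gated on the same feature bit at up time; if the feature can be toggled while the device is up the add and the delete become asymmetric, either leaking vlan_info again or deleting a VID that was never added. If vlan_vid_del() tolerates a missing entry the unconditional call would be the safer form, otherwise a comment tying the two sites together is the minimum, e.g. `/* matches the vlan_vid_add(dev, 0) done on NETDEV_UP; keep the two conditions in sync */`. vlan_device_event() starts outside the hunk.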
diff --git a/queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch b/queue-3.4/net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
new file mode 100644 (file)
index 0000000..7eed6a9
--- /dev/null
@@ -0,0 +1,48 @@
+From 881ae72880363758105c4492c4d8bd435860d322 Mon Sep 17 00:00:00 2001
+From: Jesper Juhl <jj@chaosbits.net>
+Date: Sun, 22 Jul 2012 11:37:20 +0000
+Subject: net: Fix references to out-of-scope variables in put_cmsg_compat()
+
+
+From: Jesper Juhl <jj@chaosbits.net>
+
+[ Upstream commit 818810472b129004c16fc51bf0a570b60776bfb7 ]
+
+In net/compat.c::put_cmsg_compat() we may assign 'data' the address of
+either the 'ctv' or 'cts' local variables inside the 'if
+(!COMPAT_USE_64BIT_TIME)' branch.
+
+Those variables go out of scope at the end of the 'if' statement, so
+when we use 'data' further down in 'copy_to_user(CMSG_COMPAT_DATA(cm),
+data, cmlen - sizeof(struct compat_cmsghdr))' there's no telling what
+it may be refering to - not good.
+
+Fix the problem by simply giving 'ctv' and 'cts' function scope.
+
+Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/compat.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -221,6 +221,8 @@ int put_cmsg_compat(struct msghdr *kmsg,
+ {
+       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
+       struct compat_cmsghdr cmhdr;
++      struct compat_timeval ctv;
++      struct compat_timespec cts[3];
+       int cmlen;
+       if (cm == NULL || kmsg->msg_controllen < sizeof(*cm)) {
+@@ -229,8 +231,6 @@ int put_cmsg_compat(struct msghdr *kmsg,
+       }
+       if (!COMPAT_USE_64BIT_TIME) {
+-              struct compat_timeval ctv;
+-              struct compat_timespec cts[3];
+               if (level == SOL_SOCKET && type == SCM_TIMESTAMP) {
+                       struct timeval *tv = (struct timeval *)data;
+                       ctv.tv_sec = tv->tv_sec;
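Review bot: Hoisting `ctv` and `cts` to function scope fixes the dangling pointer, but nothing at the new declarations says why they live there, and a later tidy-up that moves them back into the `if` would silently reintroduce the stack use-after-scope. A comment on the declarations would lock it in: `/* function scope on purpose: 'data' may point at these until the copy_to_user() below */`. The `copy_to_user(CMSG_COMPAT_DATA(cm), data, ...)` the description refers to is outside the hunk, and put_cmsg_compat() continues past it.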
diff --git a/queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch b/queue-3.4/net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
new file mode 100644 (file)
index 0000000..465d8d4
--- /dev/null
@@ -0,0 +1,57 @@
+From 56df7d65ac82e3f82208d7acd456e05f4f0b5a4d Mon Sep 17 00:00:00 2001
+From: Jiri Benc <jbenc@redhat.com>
+Date: Fri, 27 Jul 2012 02:58:22 +0000
+Subject: net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling
+
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]
+
+When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI
+flags are handled specially. Function dev_change_flags sets IFF_PROMISC and
+IFF_ALLMULTI bits in dev->gflags according to the passed value but
+do_setlink passes a result of rtnl_dev_combine_flags which takes those bits
+from dev->flags.
+
+This can be easily trigerred by doing:
+
+tcpdump -i eth0 &
+ip l s up eth0
+
+ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with
+IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set
+IFF_PROMISC in gflags.
+
+Reported-by: Max Matveev <makc@redhat.com>
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -671,6 +671,12 @@ static void set_operstate(struct net_dev
+       }
+ }
++static unsigned int rtnl_dev_get_flags(const struct net_device *dev)
++{
++      return (dev->flags & ~(IFF_PROMISC | IFF_ALLMULTI)) |
++             (dev->gflags & (IFF_PROMISC | IFF_ALLMULTI));
++}
++
+ static unsigned int rtnl_dev_combine_flags(const struct net_device *dev,
+                                          const struct ifinfomsg *ifm)
+ {
+@@ -679,7 +685,7 @@ static unsigned int rtnl_dev_combine_fla
+       /* bugwards compatibility: ifi_change == 0 is treated as ~0 */
+       if (ifm->ifi_change)
+               flags = (flags & ifm->ifi_change) |
+-                      (dev->flags & ~ifm->ifi_change);
++                      (rtnl_dev_get_flags(dev) & ~ifm->ifi_change);
+       return flags;
+ }
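Review bot: `rtnl_dev_get_flags()` has no comment explaining the `flags`/`gflags` split it papers over, which is exactly the detail that caused this bug and will not be obvious to the next reader; suggest a header comment above it along the lines of `/* IFF_PROMISC/IFF_ALLMULTI in dev->flags reflect refcounted state (e.g. a running tcpdump); the user-requested values live in dev->gflags, and only those may be fed back through dev_change_flags() */`. The function is `static` and used only in rtnl_dev_combine_flags() within this hunk, which is appropriate.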
diff --git a/queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch b/queue-3.4/net-tun-fix-ioctl-based-info-leaks.patch
new file mode 100644 (file)
index 0000000..c09829f
--- /dev/null
@@ -0,0 +1,39 @@
+From ae4531f8cbfc6d2c5ca25c0f093630a01a9726ed Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 29 Jul 2012 19:45:14 +0000
+Subject: net/tun: fix ioctl() based info leaks
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commits a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc
+  and 8bbb181308bc348e02bfdbebdedd4e4ec9d452ce ]
+
+The tun module leaks up to 36 bytes of memory by not fully initializing
+a structure located on the stack that gets copied to user memory by the
+TUNGETIFF and SIOCGIFHWADDR ioctl()s.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1255,10 +1255,12 @@ static long __tun_chr_ioctl(struct file
+       int vnet_hdr_sz;
+       int ret;
+-      if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++      if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+               if (copy_from_user(&ifr, argp, ifreq_len))
+                       return -EFAULT;
+-
++      } else {
++              memset(&ifr, 0, sizeof(ifr));
++      }
+       if (cmd == TUNGETFEATURES) {
+               /* Currently this just means: "what IFF flags are valid?".
+                * This is needed because we never checked for invalid flags on
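Review bot: Zeroing `ifr` only in the `else` branch leaves the hunk dependent on `copy_from_user(&ifr, argp, ifreq_len)` covering the whole struct, and `ifreq_len` is a parameter that can be smaller than `sizeof(ifr)` on the compat path; whatever is copied back later is presumably bounded by the same `ifreq_len`, but a reviewer should not have to check that to rule out an info leak. An unconditional `memset(&ifr, 0, sizeof(ifr));` placed before the `if (cmd == TUNSETIFF || ...)` with the `else` branch dropped is simpler and leaves no uninitialized tail regardless of `ifreq_len`. __tun_chr_ioctl() starts and ends outside the hunk.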
diff --git a/queue-3.4/netem-add-limitation-to-reordered-packets.patch b/queue-3.4/netem-add-limitation-to-reordered-packets.patch
new file mode 100644 (file)
index 0000000..5f69f90
--- /dev/null
@@ -0,0 +1,118 @@
+From 61de5110ac1a66ae39907b4c509e694988a3bb05 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 3 Jul 2012 20:55:21 +0000
+Subject: netem: add limitation to reordered packets
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 960fb66e520a405dde39ff883f17ff2669c13d85 ]
+
+Fix two netem bugs :
+
+1) When a frame was dropped by tfifo_enqueue(), drop counter
+   was incremented twice.
+
+2) When reordering is triggered, we enqueue a packet without
+   checking queue limit. This can OOM pretty fast when this
+   is repeated enough, since skbs are orphaned, no socket limit
+   can help in this situation.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Mark Gordon <msg@google.com>
+Cc: Andreas Terzis <aterzis@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Hagen Paul Pfeifer <hagen@jauu.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_netem.c |   42 +++++++++++++++---------------------------
+ 1 file changed, 15 insertions(+), 27 deletions(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -329,29 +329,22 @@ static psched_time_t packet_len_2_sched_
+       return PSCHED_NS2TICKS(ticks);
+ }
+-static int tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
++static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
+ {
+       struct sk_buff_head *list = &sch->q;
+       psched_time_t tnext = netem_skb_cb(nskb)->time_to_send;
+-      struct sk_buff *skb;
++      struct sk_buff *skb = skb_peek_tail(list);
+-      if (likely(skb_queue_len(list) < sch->limit)) {
+-              skb = skb_peek_tail(list);
+-              /* Optimize for add at tail */
+-              if (likely(!skb || tnext >= netem_skb_cb(skb)->time_to_send))
+-                      return qdisc_enqueue_tail(nskb, sch);
+-
+-              skb_queue_reverse_walk(list, skb) {
+-                      if (tnext >= netem_skb_cb(skb)->time_to_send)
+-                              break;
+-              }
++      /* Optimize for add at tail */
++      if (likely(!skb || tnext >= netem_skb_cb(skb)->time_to_send))
++              return __skb_queue_tail(list, nskb);
+-              __skb_queue_after(list, skb, nskb);
+-              sch->qstats.backlog += qdisc_pkt_len(nskb);
+-              return NET_XMIT_SUCCESS;
++      skb_queue_reverse_walk(list, skb) {
++              if (tnext >= netem_skb_cb(skb)->time_to_send)
++                      break;
+       }
+-      return qdisc_reshape_fail(nskb, sch);
++      __skb_queue_after(list, skb, nskb);
+ }
+ /*
+@@ -366,7 +359,6 @@ static int netem_enqueue(struct sk_buff
+       /* We don't fill cb now as skb_unshare() may invalidate it */
+       struct netem_skb_cb *cb;
+       struct sk_buff *skb2;
+-      int ret;
+       int count = 1;
+       /* Random duplication */
+@@ -414,6 +406,11 @@ static int netem_enqueue(struct sk_buff
+               skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8);
+       }
++      if (unlikely(skb_queue_len(&sch->q) >= sch->limit))
++              return qdisc_reshape_fail(skb, sch);
++
++      sch->qstats.backlog += qdisc_pkt_len(skb);
++
+       cb = netem_skb_cb(skb);
+       if (q->gap == 0 ||              /* not doing reordering */
+           q->counter < q->gap - 1 ||  /* inside last reordering gap */
+@@ -445,7 +442,7 @@ static int netem_enqueue(struct sk_buff
+               cb->time_to_send = now + delay;
+               ++q->counter;
+-              ret = tfifo_enqueue(skb, sch);
++              tfifo_enqueue(skb, sch);
+       } else {
+               /*
+                * Do re-ordering by putting one out of N packets at the front
+@@ -455,16 +452,7 @@ static int netem_enqueue(struct sk_buff
+               q->counter = 0;
+               __skb_queue_head(&sch->q, skb);
+-              sch->qstats.backlog += qdisc_pkt_len(skb);
+               sch->qstats.requeues++;
+-              ret = NET_XMIT_SUCCESS;
+-      }
+-
+-      if (ret != NET_XMIT_SUCCESS) {
+-              if (net_xmit_drop_count(ret)) {
+-                      sch->qstats.drops++;
+-                      return ret;
+-              }
+       }
+       return NET_XMIT_SUCCESS;
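Review bot: The new `if (unlikely(skb_queue_len(&sch->q) >= sch->limit)) return qdisc_reshape_fail(skb, sch);` is what closes the unbounded-memory (OOM) path described at L589-592, but placed on its own it reads like ordinary bookkeeping; a comment would make the intent and the coverage explicit: `/* both the tfifo and the reorder (__skb_queue_head) paths must honour the limit; checking here covers the reorder path that used to bypass it */`. The `sch->qstats.backlog += qdisc_pkt_len(skb);` moved up alongside it is now charged before either enqueue path, so the dequeue side (outside this hunk) must subtract it for every skb regardless of which path queued it. netem_enqueue() begins outside the hunk.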
diff --git a/queue-3.4/r8169-revert-add-byte-queue-limit-support.patch b/queue-3.4/r8169-revert-add-byte-queue-limit-support.patch
new file mode 100644 (file)
index 0000000..b50bd4a
--- /dev/null
@@ -0,0 +1,92 @@
+From 0269a4e38c90050f8b704137a5fa8fc44178aa50 Mon Sep 17 00:00:00 2001
+From: Francois Romieu <romieu@fr.zoreil.com>
+Date: Mon, 23 Jul 2012 22:55:55 +0200
+Subject: r8169: revert "add byte queue limit support".
+
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+[ Upstream commit 17bcb684f08649a2ab6a7dcd8288332e72d208f1 ]
+
+This reverts commit 036dafa28da1e2565a8529de2ae663c37b7a0060.
+
+First it appears in bisection, then reverting it solves the usual
+netdev watchdog problem for different people. I don't have a proper
+fix yet so get rid of it.
+
+Bisected-and-reported-by: Alex Villacís Lasso <a_villacis@palosanto.com>
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Cc: Josh Boyer <jwboyer@redhat.com>
+Cc: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |   27 +++++----------------------
+ 1 file changed, 5 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5000,7 +5000,6 @@ static void rtl8169_tx_clear(struct rtl8
+ {
+       rtl8169_tx_clear_range(tp, tp->dirty_tx, NUM_TX_DESC);
+       tp->cur_tx = tp->dirty_tx = 0;
+-      netdev_reset_queue(tp->dev);
+ }
+ static void rtl_reset_work(struct rtl8169_private *tp)
+@@ -5155,8 +5154,6 @@ static netdev_tx_t rtl8169_start_xmit(st
+       txd->opts2 = cpu_to_le32(opts[1]);
+-      netdev_sent_queue(dev, skb->len);
+-
+       skb_tx_timestamp(skb);
+       wmb();
+@@ -5253,16 +5250,9 @@ static void rtl8169_pcierr_interrupt(str
+       rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING);
+ }
+-struct rtl_txc {
+-      int packets;
+-      int bytes;
+-};
+-
+ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp)
+ {
+-      struct rtl8169_stats *tx_stats = &tp->tx_stats;
+       unsigned int dirty_tx, tx_left;
+-      struct rtl_txc txc = { 0, 0 };
+       dirty_tx = tp->dirty_tx;
+       smp_rmb();
+@@ -5281,24 +5271,17 @@ static void rtl_tx(struct net_device *de
+               rtl8169_unmap_tx_skb(&tp->pci_dev->dev, tx_skb,
+                                    tp->TxDescArray + entry);
+               if (status & LastFrag) {
+-                      struct sk_buff *skb = tx_skb->skb;
+-
+-                      txc.packets++;
+-                      txc.bytes += skb->len;
+-                      dev_kfree_skb(skb);
++                      u64_stats_update_begin(&tp->tx_stats.syncp);
++                      tp->tx_stats.packets++;
++                      tp->tx_stats.bytes += tx_skb->skb->len;
++                      u64_stats_update_end(&tp->tx_stats.syncp);
++                      dev_kfree_skb(tx_skb->skb);
+                       tx_skb->skb = NULL;
+               }
+               dirty_tx++;
+               tx_left--;
+       }
+-      u64_stats_update_begin(&tx_stats->syncp);
+-      tx_stats->packets += txc.packets;
+-      tx_stats->bytes += txc.bytes;
+-      u64_stats_update_end(&tx_stats->syncp);
+-
+-      netdev_completed_queue(dev, txc.packets, txc.bytes);
+-
+       if (tp->dirty_tx != dirty_tx) {
+               tp->dirty_tx = dirty_tx;
+               /* Sync with rtl8169_start_xmit:
diff --git a/queue-3.4/sch_sfb-fix-missing-null-check.patch b/queue-3.4/sch_sfb-fix-missing-null-check.patch
new file mode 100644 (file)
index 0000000..52f36ff
--- /dev/null
@@ -0,0 +1,31 @@
+From 8ccf8eccc2efdfd6e081890a5c117360aeffd48b Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 12 Jul 2012 03:39:11 +0000
+Subject: sch_sfb: Fix missing NULL check
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ]
+
+Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/sch_sfb.c
++++ b/net/sched/sch_sfb.c
+@@ -570,6 +570,8 @@ static int sfb_dump(struct Qdisc *sch, s
+       sch->qstats.backlog = q->qdisc->qstats.backlog;
+       opts = nla_nest_start(skb, TCA_OPTIONS);
++      if (opts == NULL)
++              goto nla_put_failure;
+       NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt);
+       return nla_nest_end(skb, opts);
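Review bot: The new early exit jumps to `nla_put_failure`, whose handler sits below the hunk, so that label must now tolerate `opts == NULL`; the usual cleanup there is `nla_nest_cancel(skb, opts)`, which is only safe for a NULL start if the underlying trim skips a NULL mark, and that should be confirmed rather than assumed. The check itself is the right one, but nothing in the hunk says why it is needed, so a one-line comment would help the next reader: `/* nla_nest_start() returns NULL when the skb has no tailroom left */`. The enclosing sfb_dump() starts and ends outside the hunk.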
diff --git a/queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch b/queue-3.4/sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch
new file mode 100644 (file)
index 0000000..0fd4e85
--- /dev/null
@@ -0,0 +1,183 @@
+From 6f5bee7370837f3aa55cbd8eb53059fba5b9e276 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Mon, 16 Jul 2012 09:13:51 +0000
+Subject: sctp: Fix list corruption resulting from freeing an association on a list
+
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ]
+
+A few days ago Dave Jones reported this oops:
+
+[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP
+[22766.295376] CPU 0
+[22766.295384] Modules linked in:
+[22766.387137]  ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90
+ffff880147c03a74
+[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000
+[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,
+[22766.387137] Stack:
+[22766.387140]  ffff880147c03a10
+[22766.387140]  ffffffffa169f2b6
+[22766.387140]  ffff88013ed95728
+[22766.387143]  0000000000000002
+[22766.387143]  0000000000000000
+[22766.387143]  ffff880003fad062
+[22766.387144]  ffff88013c120000
+[22766.387144]
+[22766.387145] Call Trace:
+[22766.387145]  <IRQ>
+[22766.387150]  [<ffffffffa169f292>] ? __sctp_lookup_association+0x62/0xd0
+[sctp]
+[22766.387154]  [<ffffffffa169f2b6>] __sctp_lookup_association+0x86/0xd0 [sctp]
+[22766.387157]  [<ffffffffa169f597>] sctp_rcv+0x207/0xbb0 [sctp]
+[22766.387161]  [<ffffffff810d4da8>] ? trace_hardirqs_off_caller+0x28/0xd0
+[22766.387163]  [<ffffffff815827e3>] ? nf_hook_slow+0x133/0x210
+[22766.387166]  [<ffffffff815902fc>] ? ip_local_deliver_finish+0x4c/0x4c0
+[22766.387168]  [<ffffffff8159043d>] ip_local_deliver_finish+0x18d/0x4c0
+[22766.387169]  [<ffffffff815902fc>] ? ip_local_deliver_finish+0x4c/0x4c0
+[22766.387171]  [<ffffffff81590a07>] ip_local_deliver+0x47/0x80
+[22766.387172]  [<ffffffff8158fd80>] ip_rcv_finish+0x150/0x680
+[22766.387174]  [<ffffffff81590c54>] ip_rcv+0x214/0x320
+[22766.387176]  [<ffffffff81558c07>] __netif_receive_skb+0x7b7/0x910
+[22766.387178]  [<ffffffff8155856c>] ? __netif_receive_skb+0x11c/0x910
+[22766.387180]  [<ffffffff810d423e>] ? put_lock_stats.isra.25+0xe/0x40
+[22766.387182]  [<ffffffff81558f83>] netif_receive_skb+0x23/0x1f0
+[22766.387183]  [<ffffffff815596a9>] ? dev_gro_receive+0x139/0x440
+[22766.387185]  [<ffffffff81559280>] napi_skb_finish+0x70/0xa0
+[22766.387187]  [<ffffffff81559cb5>] napi_gro_receive+0xf5/0x130
+[22766.387218]  [<ffffffffa01c4679>] e1000_receive_skb+0x59/0x70 [e1000e]
+[22766.387242]  [<ffffffffa01c5aab>] e1000_clean_rx_irq+0x28b/0x460 [e1000e]
+[22766.387266]  [<ffffffffa01c9c18>] e1000e_poll+0x78/0x430 [e1000e]
+[22766.387268]  [<ffffffff81559fea>] net_rx_action+0x1aa/0x3d0
+[22766.387270]  [<ffffffff810a495f>] ? account_system_vtime+0x10f/0x130
+[22766.387273]  [<ffffffff810734d0>] __do_softirq+0xe0/0x420
+[22766.387275]  [<ffffffff8169826c>] call_softirq+0x1c/0x30
+[22766.387278]  [<ffffffff8101db15>] do_softirq+0xd5/0x110
+[22766.387279]  [<ffffffff81073bc5>] irq_exit+0xd5/0xe0
+[22766.387281]  [<ffffffff81698b03>] do_IRQ+0x63/0xd0
+[22766.387283]  [<ffffffff8168ee2f>] common_interrupt+0x6f/0x6f
+[22766.387283]  <EOI>
+[22766.387284]
+[22766.387285]  [<ffffffff8168eed9>] ? retint_swapgs+0x13/0x1b
+[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48
+89 e5 48 83
+ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 <0f> b7 87 98 00 00 00
+48 89 fb
+49 89 f5 66 c1 c0 08 66 39 46 02
+[22766.387307]
+[22766.387307] RIP
+[22766.387311]  [<ffffffffa168a2c9>] sctp_assoc_is_match+0x19/0x90 [sctp]
+[22766.387311]  RSP <ffff880147c039b0>
+[22766.387142]  ffffffffa16ab120
+[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---
+[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt
+
+It appears from his analysis and some staring at the code that this is likely
+occuring because an association is getting freed while still on the
+sctp_assoc_hashtable.  As a result, we get a gpf when traversing the hashtable
+while a freed node corrupts part of the list.
+
+Nominally I would think that an mibalanced refcount was responsible for this,
+but I can't seem to find any obvious imbalance.  What I did note however was
+that the two places where we create an association using
+sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths
+which free a newly created association after calling sctp_primitive_ASSOCIATE.
+sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which
+issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to
+the aforementioned hash table.  the sctp command interpreter that process side
+effects has not way to unwind previously processed commands, so freeing the
+association from the __sctp_connect or sctp_sendmsg error path would lead to a
+freed association remaining on this hash table.
+
+I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init,
+which allows us to proerly use hlist_unhashed to check if the node is on a
+hashlist safely during a delete.  That in turn alows us to safely call
+sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths
+before freeing them, regardles of what the associations state is on the hash
+list.
+
+I noted, while I was doing this, that the __sctp_unhash_endpoint was using
+hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes
+pointers to make that function work properly, so I fixed that up in a simmilar
+fashion.
+
+I attempted to test this using a virtual guest running the SCTP_RR test from
+netperf in a loop while running the trinity fuzzer, both in a loop.  I wasn't
+able to recreate the problem prior to this fix, nor was I able to trigger the
+failure after (neither of which I suppose is suprising).  Given the trace above
+however, I think its likely that this is what we hit.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: davej@redhat.com
+CC: davej@redhat.com
+CC: "David S. Miller" <davem@davemloft.net>
+CC: Vlad Yasevich <vyasevich@gmail.com>
+CC: Sridhar Samudrala <sri@us.ibm.com>
+CC: linux-sctp@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/input.c  |    7 ++-----
+ net/sctp/socket.c |   12 ++++++++++--
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -736,15 +736,12 @@ static void __sctp_unhash_endpoint(struc
+       epb = &ep->base;
+-      if (hlist_unhashed(&epb->node))
+-              return;
+-
+       epb->hashent = sctp_ep_hashfn(epb->bind_addr.port);
+       head = &sctp_ep_hashtable[epb->hashent];
+       sctp_write_lock(&head->lock);
+-      __hlist_del(&epb->node);
++      hlist_del_init(&epb->node);
+       sctp_write_unlock(&head->lock);
+ }
+@@ -825,7 +822,7 @@ static void __sctp_unhash_established(st
+       head = &sctp_assoc_hashtable[epb->hashent];
+       sctp_write_lock(&head->lock);
+-      __hlist_del(&epb->node);
++      hlist_del_init(&epb->node);
+       sctp_write_unlock(&head->lock);
+ }
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1231,8 +1231,14 @@ out_free:
+       SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p"
+                         " kaddrs: %p err: %d\n",
+                         asoc, kaddrs, err);
+-      if (asoc)
++      if (asoc) {
++              /* sctp_primitive_ASSOCIATE may have added this association
++               * To the hash table, try to unhash it, just in case, its a noop
++               * if it wasn't hashed so we're safe
++               */
++              sctp_unhash_established(asoc);
+               sctp_association_free(asoc);
++      }
+       return err;
+ }
+@@ -1942,8 +1948,10 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
+       goto out_unlock;
+ out_free:
+-      if (new_asoc)
++      if (new_asoc) {
++              sctp_unhash_established(asoc);
+               sctp_association_free(asoc);
++      }
+ out_unlock:
+       sctp_release_sock(sk);
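Review bot: The `sctp_unhash_established(asoc)` calls added to the `__sctp_connect` and `sctp_sendmsg` error paths are only a no-op for a never-hashed association if `base.node` starts out unhashed (`pprev == NULL`): `hlist_del_init()` skips such nodes, but nothing in the hunk initialises the node, so the "its a noop if it wasn't hashed" comment rests on the association being allocated zeroed (or its node otherwise initialised) outside this change, and the comment should say so. The `sctp_sendmsg` site also tests `new_asoc` but unhashes `asoc`, which is correct only while the two alias each other on that path, and it is the one site without an explanatory comment; a short note such as `/* asoc == new_asoc here; unhash before freeing, as in __sctp_connect() */` would keep both sites in step. Separately, dropping the `hlist_unhashed()` early return from `__sctp_unhash_endpoint` means it now always recomputes `hashent` and takes `head->lock` even for an endpoint that was never hashed, which is harmless with `hlist_del_init()` but is a behaviour change the message describes only as nullifying pointers. Both socket.c functions start and end outside the hunk.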
index ad040545f132a1c57708b536c46d781001c5be0f..ecc2d114d9e34fd170a48b7800a41a25488d0c6d 100644 (file)
@@ -74,3 +74,21 @@ ext4-fix-overhead-calculation-used-by-ext4_statfs.patch
 ext4-fix-hole-punch-failure-when-depth-is-greater-than-0.patch
 ext4-don-t-let-i_reserved_meta_blocks-go-negative.patch
 ext4-undo-ext4_calc_metadata_amount-if-we-fail-to-claim-space.patch
+atl1c-fix-issue-of-transmit-queue-0-timed-out.patch
+netem-add-limitation-to-reordered-packets.patch
+gianfar-fix-potential-sk_wmem_alloc-imbalance.patch
+net-fix-memory-leak-vlan_info-struct.patch
+bnx2-fix-bug-in-bnx2_free_tx_skbs.patch
+sch_sfb-fix-missing-null-check.patch
+sctp-fix-list-corruption-resulting-from-freeing-an-association-on-a-list.patch
+caif-fix-access-to-freed-pernet-memory.patch
+cipso-don-t-follow-a-null-pointer-when-setsockopt-is-called.patch
+net-fix-references-to-out-of-scope-variables-in-put_cmsg_compat.patch
+r8169-revert-add-byte-queue-limit-support.patch
+caif-fix-null-pointer-check.patch
+wanmain-comparing-array-with-null.patch
+tcp-add-tcp_user_timeout-negative-value-check.patch
+usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
+net-fix-rtnetlink-iff_promisc-and-iff_allmulti-handling.patch
+tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
+net-tun-fix-ioctl-based-info-leaks.patch
diff --git a/queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch b/queue-3.4/tcp-add-tcp_user_timeout-negative-value-check.patch
new file mode 100644 (file)
index 0000000..5a45cba
--- /dev/null
@@ -0,0 +1,37 @@
+From a89ac47dc392484140f0f41d6372141f1e05a159 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 26 Jul 2012 22:52:21 +0000
+Subject: tcp: Add TCP_USER_TIMEOUT negative value check
+
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]
+
+TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But
+patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative
+values. If a user assign -1 to it, the socket will set successfully and wait
+for 4294967295 miliseconds. This patch add a negative value check to avoid
+this issue.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2408,7 +2408,10 @@ static int do_tcp_setsockopt(struct sock
+               /* Cap the max timeout in ms TCP will retry/retrans
+                * before giving up and aborting (ETIMEDOUT) a connection.
+                */
+-              icsk->icsk_user_timeout = msecs_to_jiffies(val);
++              if (val < 0)
++                      err = -EINVAL;
++              else
++                      icsk->icsk_user_timeout = msecs_to_jiffies(val);
+               break;
+       default:
+               err = -ENOPROTOOPT;
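Review bot: The new `val < 0` test rejects the wrap the commit describes, but the line below it still hands `val` to `msecs_to_jiffies()`, whose parameter is unsigned, so the check only works because `val` is read as a signed `int` earlier in do_tcp_setsockopt(); nothing in the hunk ties the two together, and a later cleanup that widened or unsigned the local would silently reopen the hole. A comment on the check would pin the intent: `/* val is signed here; a negative value would wrap to ~49 days of retries */`. Returning `-EINVAL` matches the error style of the other cases visible in this switch. do_tcp_setsockopt() starts and ends outside the hunk.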
diff --git a/queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch b/queue-3.4/tcp-perform-dma-to-userspace-only-if-there-is-a-task-waiting-for-it.patch
new file mode 100644 (file)
index 0000000..7d21195
--- /dev/null
@@ -0,0 +1,54 @@
+From 5e837fb360c207e0839fdd38bbf7ec175192bd29 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Fri, 27 Jul 2012 10:38:50 +0000
+Subject: tcp: perform DMA to userspace only if there is a task waiting for it
+
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]
+
+Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
+added support for receive offloading to IOAT dma engine if available.
+
+The code in tcp_rcv_established() tries to perform early DMA copy if
+applicable. It however does so without checking whether the userspace
+task is actually expecting the data in the buffer.
+
+This is not a problem under normal circumstances, but there is a corner
+case where this doesn't work -- and that's when MSG_TRUNC flag to
+recvmsg() is used.
+
+If the IOAT dma engine is not used, the code properly checks whether
+there is a valid ucopy.task and the socket is owned by userspace, but
+misses the check in the dmaengine case.
+
+This problem can be observed in real trivially -- for example 'tbench' is a
+good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
+IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
+have been already early-copied in tcp_rcv_established() using dma engine.
+
+This patch introduces the same check we are performing in the simple
+iovec copy case to the IOAT case as well. It fixes the indefinite
+recvmsg(MSG_TRUNC) hangs.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5441,7 +5441,9 @@ int tcp_rcv_established(struct sock *sk,
+                       if (tp->copied_seq == tp->rcv_nxt &&
+                           len - tcp_header_len <= tp->ucopy.len) {
+ #ifdef CONFIG_NET_DMA
+-                              if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
++                              if (tp->ucopy.task == current &&
++                                  sock_owned_by_user(sk) &&
++                                  tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
+                                       copied_early = 1;
+                                       eaten = 1;
+                               }
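Review bot: The guard added to the `CONFIG_NET_DMA` branch duplicates by hand the `tp->ucopy.task == current && sock_owned_by_user(sk)` predicate that, per the commit message, the non-DMA branch already applies (that branch is outside the hunk and not visible here); two copies of the same readiness test in one function are exactly what let the DMA side drift in the first place, so factoring it into a small `static inline bool` helper taking `sk`, deriving `tp` via `tcp_sk(sk)`, and calling it from both paths would keep them in lockstep. The ordering as written is correct: `tcp_dma_try_early_copy()` is the call with side effects and is now evaluated last, after the cheap checks. tcp_rcv_established() starts and ends outside the hunk.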
diff --git a/queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch b/queue-3.4/usb-kaweth.c-use-gfp_atomic-under-spin_lock.patch
new file mode 100644 (file)
index 0000000..87eddc3
--- /dev/null
@@ -0,0 +1,38 @@
+From 780bb6dee5412fb52cfeb6bc45cf8b6884bda16f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 27 Jul 2012 01:46:51 +0000
+Subject: USB: kaweth.c: use GFP_ATOMIC under spin_lock
+
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e4c7f259c5be99dcfc3d98f913590663b0305bf8 ]
+
+The problem is that we call this with a spin lock held.  The call tree
+is:
+       kaweth_start_xmit() holds kaweth->device_lock.
+       -> kaweth_async_set_rx_mode()
+          -> kaweth_control()
+             -> kaweth_internal_control_msg()
+
+The kaweth_internal_control_msg() function is only called from
+kaweth_control() which used GFP_ATOMIC for its allocations.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/kaweth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1302,7 +1302,7 @@ static int kaweth_internal_control_msg(s
+         int retv;
+         int length = 0; /* shut up GCC */
+-        urb = usb_alloc_urb(0, GFP_NOIO);
++      urb = usb_alloc_urb(0, GFP_ATOMIC);
+         if (!urb)
+                 return -ENOMEM;
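Review bot: The replacement line is indented with a tab while every context line around it (`int retv;`, `if (!urb)`, `return -ENOMEM;`) is indented with spaces, so the hunk introduces mixed indentation into a function that was consistently space-indented; the new line should keep the same eight spaces as the line it replaces, or the whole function should be retabbed in a separate whitespace-only change. Switching to GFP_ATOMIC also covers only the allocation: if `kaweth_internal_control_msg()` goes on to wait synchronously for the URB to complete further down (the body continues past the hunk and is not visible here), calling it with `kaweth->device_lock` held remains a sleep under a spinlock, and the commit message should say that this fixes the allocation side only. The function starts and ends outside the hunk.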
diff --git a/queue-3.4/wanmain-comparing-array-with-null.patch b/queue-3.4/wanmain-comparing-array-with-null.patch
new file mode 100644 (file)
index 0000000..1d09b68
--- /dev/null
@@ -0,0 +1,82 @@
+From 2c0d1d0fa3e03ad99738d44186c42d3585acabd3 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 24 Jul 2012 08:16:25 +0000
+Subject: wanmain: comparing array with NULL
+
+
+From: Alan Cox <alan@linux.intel.com>
+
+[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]
+
+gcc really should warn about these !
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wanrouter/wanmain.c |   53 +++++++++++++++++++++---------------------------
+ 1 file changed, 24 insertions(+), 29 deletions(-)
+
+--- a/net/wanrouter/wanmain.c
++++ b/net/wanrouter/wanmain.c
+@@ -602,36 +602,31 @@ static int wanrouter_device_new_if(struc
+                * successfully, add it to the interface list.
+                */
+-              if (dev->name == NULL) {
+-                      err = -EINVAL;
+-              } else {
+-
+-                      #ifdef WANDEBUG
+-                      printk(KERN_INFO "%s: registering interface %s...\n",
+-                              wanrouter_modname, dev->name);
+-                      #endif
+-
+-                      err = register_netdev(dev);
+-                      if (!err) {
+-                              struct net_device *slave = NULL;
+-                              unsigned long smp_flags=0;
+-
+-                              lock_adapter_irq(&wandev->lock, &smp_flags);
+-
+-                              if (wandev->dev == NULL) {
+-                                      wandev->dev = dev;
+-                              } else {
+-                                      for (slave=wandev->dev;
+-                                           DEV_TO_SLAVE(slave);
+-                                           slave = DEV_TO_SLAVE(slave))
+-                                              DEV_TO_SLAVE(slave) = dev;
+-                              }
+-                              ++wandev->ndev;
+-
+-                              unlock_adapter_irq(&wandev->lock, &smp_flags);
+-                              err = 0;        /* done !!! */
+-                              goto out;
++#ifdef WANDEBUG
++              printk(KERN_INFO "%s: registering interface %s...\n",
++                     wanrouter_modname, dev->name);
++#endif
++
++              err = register_netdev(dev);
++              if (!err) {
++                      struct net_device *slave = NULL;
++                      unsigned long smp_flags=0;
++
++                      lock_adapter_irq(&wandev->lock, &smp_flags);
++
++                      if (wandev->dev == NULL) {
++                              wandev->dev = dev;
++                      } else {
++                              for (slave=wandev->dev;
++                                   DEV_TO_SLAVE(slave);
++                                   slave = DEV_TO_SLAVE(slave))
++                                      DEV_TO_SLAVE(slave) = dev;
+                       }
++                      ++wandev->ndev;
++
++                      unlock_adapter_irq(&wandev->lock, &smp_flags);
++                      err = 0;        /* done !!! */
++                      goto out;
+               }
+               if (wandev->del_if)
+                       wandev->del_if(wandev, dev);