3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jul 2013 17:53:29 +0000 (10:53 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jul 2013 17:53:29 +0000 (10:53 -0700)
added patches:
9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
af_key-fix-info-leaks-in-notify-messages.patch
atl1e-fix-dma-mapping-warnings.patch
atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
bridge-fix-switched-interval-for-mld-query-types.patch
dummy-fix-oops-when-loading-the-dummy-failed.patch
ifb-fix-oops-when-loading-the-ifb-failed.patch
ifb-fix-rcu_sched-self-detected-stalls.patch
ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch
ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch
l2tp-add-missing-.owner-to-struct-pppox_proto.patch
macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch
macvtap-fix-recovery-from-gup-errors.patch
neighbour-fix-a-race-in-neigh_destroy.patch
net-swap-ver-and-type-in-pppoe_hdr.patch
net-tg3-avoid-delay-during-mmio-access.patch
sh_eth-fix-unhandled-rfe-interrupt.patch
sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
vlan-fix-a-race-in-egress-prio-management.patch
x25-fix-broken-locking-in-ioctl-error-paths.patch

26 files changed:
queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch [new file with mode: 0644]
queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch [new file with mode: 0644]
queue-3.4/atl1e-fix-dma-mapping-warnings.patch [new file with mode: 0644]
queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch [new file with mode: 0644]
queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch [new file with mode: 0644]
queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch [new file with mode: 0644]
queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch [new file with mode: 0644]
queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch [new file with mode: 0644]
queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch [new file with mode: 0644]
queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch [new file with mode: 0644]
queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch [new file with mode: 0644]
queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch [new file with mode: 0644]
queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch [new file with mode: 0644]
queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch [new file with mode: 0644]
queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch [new file with mode: 0644]
queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch [new file with mode: 0644]
queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch [new file with mode: 0644]
queue-3.4/macvtap-fix-recovery-from-gup-errors.patch [new file with mode: 0644]
queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch [new file with mode: 0644]
queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch [new file with mode: 0644]
queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch [new file with mode: 0644]
queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch [new file with mode: 0644]
queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch [new file with mode: 0644]
queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch [new file with mode: 0644]

diff --git a/queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch b/queue-3.4/9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
new file mode 100644 (file)
index 0000000..ad0fd1c
--- /dev/null
@@ -0,0 +1,76 @@
+From a5b6aee89011b07fc499c791d6cff9361d895c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu, 11 Jul 2013 13:16:54 -0400
+Subject: 9p: fix off by one causing access violations and memory corruption
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ]
+
+p9_release_pages() would attempt to dereference one value past the end of
+pages[]. This would cause the following crashes:
+
+[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
+[ 6293.174146] IP: [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
+[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
+[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+[ 6293.180060] Modules linked in:
+[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G        W    3.10.0-next-20130710-sasha #3954
+[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
+[ 6293.180060] RIP: 0010:[<ffffffff8412793b>]  [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
+[ 6293.214316] RSP: 0000:ffff880787ddfc28  EFLAGS: 00010202
+[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
+[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
+[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
+[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
+[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
+[ 6293.222017] FS:  00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
+[ 6293.256784] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
+[ 6293.256784] Stack:
+[ 6293.256784]  ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
+[ 6293.256784]  ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
+[ 6293.256784]  ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
+[ 6293.256784] Call Trace:
+[ 6293.256784]  [<ffffffff84128be8>] p9_virtio_zc_request+0x598/0x630
+[ 6293.256784]  [<ffffffff8115c610>] ? wake_up_bit+0x40/0x40
+[ 6293.256784]  [<ffffffff841209b1>] p9_client_zc_rpc+0x111/0x3a0
+[ 6293.256784]  [<ffffffff81174b78>] ? sched_clock_cpu+0x108/0x120
+[ 6293.256784]  [<ffffffff84122a21>] p9_client_read+0xe1/0x2c0
+[ 6293.256784]  [<ffffffff81708a90>] v9fs_file_read+0x90/0xc0
+[ 6293.256784]  [<ffffffff812bd073>] vfs_read+0xc3/0x130
+[ 6293.256784]  [<ffffffff811a78bd>] ? trace_hardirqs_on+0xd/0x10
+[ 6293.256784]  [<ffffffff812bd5a2>] SyS_read+0x62/0xa0
+[ 6293.256784]  [<ffffffff841a1a00>] tracesys+0xdd/0xe2
+[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
+[ 6293.256784] RIP  [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
+[ 6293.256784]  RSP <ffff880787ddfc28>
+[ 6293.256784] CR2: ffff8807c96f3000
+[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_common.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -24,11 +24,11 @@
+  */
+ void p9_release_pages(struct page **pages, int nr_pages)
+ {
+-      int i = 0;
+-      while (pages[i] && nr_pages--) {
+-              put_page(pages[i]);
+-              i++;
+-      }
++      int i;
++
++      for (i = 0; i < nr_pages; i++)
++              if (pages[i])
++                      put_page(pages[i]);
+ }
+ EXPORT_SYMBOL(p9_release_pages);
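Review bot: p9_release_pages() now walks all nr_pages slots and skips NULL entries instead of stopping at the first NULL, so every slot below nr_pages must hold either a pinned page or NULL. The callers are not shown in this hunk; if any of them passes an array that is only partly filled and not zero-initialised, the loop would hand stale pointers to put_page(). The comment block above the function (it closes just before the signature, outside the changed lines) should state that contract, for example `@nr_pages: number of valid slots in @pages; NULL slots are skipped`.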
diff --git a/queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch b/queue-3.4/af_key-fix-info-leaks-in-notify-messages.patch
new file mode 100644 (file)
index 0000000..2326958
--- /dev/null
@@ -0,0 +1,41 @@
+From 2e95b29e6a3034847536cd937448341ac952c612 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 26 Jun 2013 23:52:30 +0200
+Subject: af_key: fix info leaks in notify messages
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 ]
+
+key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+the sadb_msg_reserved member of the broadcasted message and thereby
+leak 2 bytes of heap memory to listeners. Fix that.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1705,6 +1705,7 @@ static int key_notify_sa_flush(const str
+       hdr->sadb_msg_version = PF_KEY_V2;
+       hdr->sadb_msg_errno = (uint8_t) 0;
+       hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++      hdr->sadb_msg_reserved = 0;
+       pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+@@ -2686,6 +2687,7 @@ static int key_notify_policy_flush(const
+       hdr->sadb_msg_version = PF_KEY_V2;
+       hdr->sadb_msg_errno = (uint8_t) 0;
+       hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++      hdr->sadb_msg_reserved = 0;
+       pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+       return 0;
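Review bot: Setting `sadb_msg_reserved` by hand closes this leak, but both functions still fill the broadcast header field by field, so any member or padding missed later would leak uninitialised heap memory to PF_KEY listeners in the same way. Zeroing the header once right after it is obtained, `memset(hdr, 0, sizeof(*hdr));`, and then assigning the non-zero fields makes the initialisation complete by construction. The header setup in key_notify_sa_flush() and key_notify_policy_flush() begins above both hunks, so the remaining assignments are not visible here and should be checked against struct sadb_msg.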
diff --git a/queue-3.4/atl1e-fix-dma-mapping-warnings.patch b/queue-3.4/atl1e-fix-dma-mapping-warnings.patch
new file mode 100644 (file)
index 0000000..4a36ed0
--- /dev/null
@@ -0,0 +1,150 @@
+From 0de186aaa4fe5c05d1485ea2457c4f8d52609a50 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Fri, 12 Jul 2013 10:58:48 -0400
+Subject: atl1e: fix dma mapping warnings
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 352900b583b2852152a1e05ea0e8b579292e731e ]
+
+Recently had this backtrace reported:
+WARNING: at lib/dma-debug.c:937 check_unmap+0x47d/0x930()
+Hardware name: System Product Name
+ATL1E 0000:02:00.0: DMA-API: device driver failed to check map error[device
+address=0x00000000cbfd1000] [size=90 bytes] [mapped as single]
+Modules linked in: xt_conntrack nf_conntrack ebtable_filter ebtables
+ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek iTCO_wdt
+iTCO_vendor_support snd_hda_intel acpi_cpufreq mperf coretemp btrfs zlib_deflate
+snd_hda_codec snd_hwdep microcode raid6_pq libcrc32c snd_seq usblp serio_raw xor
+snd_seq_device joydev snd_pcm snd_page_alloc snd_timer snd lpc_ich i2c_i801
+soundcore mfd_core atl1e asus_atk0110 ata_generic pata_acpi radeon i2c_algo_bit
+drm_kms_helper ttm drm i2c_core pata_marvell uinput
+Pid: 314, comm: systemd-journal Not tainted 3.9.0-0.rc6.git2.3.fc19.x86_64 #1
+Call Trace:
+ <IRQ>  [<ffffffff81069106>] warn_slowpath_common+0x66/0x80
+ [<ffffffff8106916c>] warn_slowpath_fmt+0x4c/0x50
+ [<ffffffff8138151d>] check_unmap+0x47d/0x930
+ [<ffffffff810ad048>] ? sched_clock_cpu+0xa8/0x100
+ [<ffffffff81381a2f>] debug_dma_unmap_page+0x5f/0x70
+ [<ffffffff8137ce30>] ? unmap_single+0x20/0x30
+ [<ffffffffa01569a1>] atl1e_intr+0x3a1/0x5b0 [atl1e]
+ [<ffffffff810d53fd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81119636>] handle_irq_event_percpu+0x56/0x390
+ [<ffffffff811199ad>] handle_irq_event+0x3d/0x60
+ [<ffffffff8111cb6a>] handle_fasteoi_irq+0x5a/0x100
+ [<ffffffff8101c36f>] handle_irq+0xbf/0x150
+ [<ffffffff811dcb2f>] ? file_sb_list_del+0x3f/0x50
+ [<ffffffff81073b10>] ? irq_enter+0x50/0xa0
+ [<ffffffff8172738d>] do_IRQ+0x4d/0xc0
+ [<ffffffff811dcb2f>] ? file_sb_list_del+0x3f/0x50
+ [<ffffffff8171c6b2>] common_interrupt+0x72/0x72
+ <EOI>  [<ffffffff810db5b2>] ? lock_release+0xc2/0x310
+ [<ffffffff8109ea04>] lg_local_unlock_cpu+0x24/0x50
+ [<ffffffff811dcb2f>] file_sb_list_del+0x3f/0x50
+ [<ffffffff811dcb6d>] fput+0x2d/0xc0
+ [<ffffffff811d8ea1>] filp_close+0x61/0x90
+ [<ffffffff811fae4d>] __close_fd+0x8d/0x150
+ [<ffffffff811d8ef0>] sys_close+0x20/0x50
+ [<ffffffff81725699>] system_call_fastpath+0x16/0x1b
+
+The usual straighforward failure to check for dma_mapping_error after a map
+operation is completed.
+
+This patch should fix it, the reporter wandered off after filing this bz:
+https://bugzilla.redhat.com/show_bug.cgi?id=954170
+
+and I don't have hardware to test, but the fix is pretty straightforward, so I
+figured I'd post it for review.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Jay Cliburn <jcliburn@gmail.com>
+CC: Chris Snook <chris.snook@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c |   28 +++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -1688,8 +1688,8 @@ check_sum:
+       return 0;
+ }
+-static void atl1e_tx_map(struct atl1e_adapter *adapter,
+-                    struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
++static int atl1e_tx_map(struct atl1e_adapter *adapter,
++                      struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
+ {
+       struct atl1e_tpd_desc *use_tpd = NULL;
+       struct atl1e_tx_buffer *tx_buffer = NULL;
+@@ -1700,6 +1700,7 @@ static void atl1e_tx_map(struct atl1e_ad
+       u16 nr_frags;
+       u16 f;
+       int segment;
++      int ring_start = adapter->tx_ring.next_to_use;
+       nr_frags = skb_shinfo(skb)->nr_frags;
+       segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK;
+@@ -1712,6 +1713,9 @@ static void atl1e_tx_map(struct atl1e_ad
+               tx_buffer->length = map_len;
+               tx_buffer->dma = pci_map_single(adapter->pdev,
+                                       skb->data, hdr_len, PCI_DMA_TODEVICE);
++              if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma))
++                      return -ENOSPC;
++
+               ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
+               mapped_len += map_len;
+               use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+@@ -1738,6 +1742,13 @@ static void atl1e_tx_map(struct atl1e_ad
+               tx_buffer->dma =
+                       pci_map_single(adapter->pdev, skb->data + mapped_len,
+                                       map_len, PCI_DMA_TODEVICE);
++
++              if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++                      /* Reset the tx rings next pointer */
++                      adapter->tx_ring.next_to_use = ring_start;
++                      return -ENOSPC;
++              }
++
+               ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
+               mapped_len  += map_len;
+               use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+@@ -1773,6 +1784,13 @@ static void atl1e_tx_map(struct atl1e_ad
+                                                         (i * MAX_TX_BUF_LEN),
+                                                         tx_buffer->length,
+                                                         DMA_TO_DEVICE);
++
++                      if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++                              /* Reset the ring next to use pointer */
++                              adapter->tx_ring.next_to_use = ring_start;
++                              return -ENOSPC;
++                      }
++
+                       ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE);
+                       use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
+                       use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) |
+@@ -1790,6 +1808,7 @@ static void atl1e_tx_map(struct atl1e_ad
+       /* The last buffer info contain the skb address,
+          so it will be free after unmap */
+       tx_buffer->skb = skb;
++      return 0;
+ }
+ static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count,
+@@ -1857,10 +1876,13 @@ static netdev_tx_t atl1e_xmit_frame(stru
+               return NETDEV_TX_OK;
+       }
+-      atl1e_tx_map(adapter, skb, tpd);
++      if (atl1e_tx_map(adapter, skb, tpd))
++              goto out;
++
+       atl1e_tx_queue(adapter, tpd_req, tpd);
+       netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */
++out:
+       spin_unlock_irqrestore(&adapter->tx_lock, flags);
+       return NETDEV_TX_OK;
+ }
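Review bot: A failed mapping makes atl1e_xmit_frame() return NETDEV_TX_OK through the new `out:` label with no counter or log, so the dropped frame is invisible to whoever operates the device. Counting the drop before the jump, e.g. `netdev->stats.tx_dropped++;`, would make DMA mapping failures observable. The first error return (the header mapping) also differs from the other two by not restoring `adapter->tx_ring.next_to_use`. Whether that is safe depends on code outside these hunks, so a one-line comment saying why no reset is needed there would help.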
diff --git a/queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch b/queue-3.4/atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
new file mode 100644 (file)
index 0000000..3709269
--- /dev/null
@@ -0,0 +1,86 @@
+From 807f13ef60d75e0cb4cbd7d4b853f037bdd55145 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue, 16 Jul 2013 10:49:41 -0400
+Subject: atl1e: unmap partially mapped skb on dma error and free skb
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 584ec4355355ffac43571b02a314d43eb2f7fcbf ]
+
+Ben Hutchings pointed out that my recent update to atl1e
+in commit 352900b583b2852152a1e05ea0e8b579292e731e
+("atl1e: fix dma mapping warnings") was missing a bit of code.
+
+Specifically it reset the hardware tx ring to its origional state when
+we hit a dma error, but didn't unmap any exiting mappings from the
+operation.  This patch fixes that up.  It also remembers to free the
+skb in the event that an error occurs, so we don't leak.  Untested, as
+I don't have hardware.  I think its pretty straightforward, but please
+review closely.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Ben Hutchings <bhutchings@solarflare.com>
+CC: Jay Cliburn <jcliburn@gmail.com>
+CC: Chris Snook <chris.snook@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -1701,6 +1701,7 @@ static int atl1e_tx_map(struct atl1e_ada
+       u16 f;
+       int segment;
+       int ring_start = adapter->tx_ring.next_to_use;
++      int ring_end;
+       nr_frags = skb_shinfo(skb)->nr_frags;
+       segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK;
+@@ -1744,6 +1745,15 @@ static int atl1e_tx_map(struct atl1e_ada
+                                       map_len, PCI_DMA_TODEVICE);
+               if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++                      /* We need to unwind the mappings we've done */
++                      ring_end = adapter->tx_ring.next_to_use;
++                      adapter->tx_ring.next_to_use = ring_start;
++                      while (adapter->tx_ring.next_to_use != ring_end) {
++                              tpd = atl1e_get_tpd(adapter);
++                              tx_buffer = atl1e_get_tx_buffer(adapter, tpd);
++                              pci_unmap_single(adapter->pdev, tx_buffer->dma,
++                                               tx_buffer->length, PCI_DMA_TODEVICE);
++                      }
+                       /* Reset the tx rings next pointer */
+                       adapter->tx_ring.next_to_use = ring_start;
+                       return -ENOSPC;
+@@ -1786,6 +1796,16 @@ static int atl1e_tx_map(struct atl1e_ada
+                                                         DMA_TO_DEVICE);
+                       if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
++                              /* We need to unwind the mappings we've done */
++                              ring_end = adapter->tx_ring.next_to_use;
++                              adapter->tx_ring.next_to_use = ring_start;
++                              while (adapter->tx_ring.next_to_use != ring_end) {
++                                      tpd = atl1e_get_tpd(adapter);
++                                      tx_buffer = atl1e_get_tx_buffer(adapter, tpd);
++                                      dma_unmap_page(&adapter->pdev->dev, tx_buffer->dma,
++                                                     tx_buffer->length, DMA_TO_DEVICE);
++                              }
++
+                               /* Reset the ring next to use pointer */
+                               adapter->tx_ring.next_to_use = ring_start;
+                               return -ENOSPC;
+@@ -1876,8 +1896,10 @@ static netdev_tx_t atl1e_xmit_frame(stru
+               return NETDEV_TX_OK;
+       }
+-      if (atl1e_tx_map(adapter, skb, tpd))
++      if (atl1e_tx_map(adapter, skb, tpd)) {
++              dev_kfree_skb_any(skb);
+               goto out;
++      }
+       atl1e_tx_queue(adapter, tpd_req, tpd);
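Review bot: The unwind loop at the second dma_mapping_error() site releases every buffer between ring_start and ring_end with dma_unmap_page(). Buffers set up earlier in the same call are tagged ATL1E_TX_PCIMAP_SINGLE and mapped with pci_map_single(), as the preceding patch's context shows, so the unmap call should follow the type recorded by ATL1E_SET_PCIMAP_TYPE for each buffer. Neither loop visibly skips the descriptor whose mapping just failed. If that descriptor lies inside the ring_start..ring_end range (not determinable from these hunks), an invalid DMA handle is passed to the unmap call. Clearing `tx_buffer->dma` after each unmap would also keep a later ring cleanup from releasing the same mapping twice. The body of atl1e_tx_map() continues outside the hunks.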
diff --git a/queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch b/queue-3.4/bridge-fix-switched-interval-for-mld-query-types.patch
new file mode 100644 (file)
index 0000000..fb1e901
--- /dev/null
@@ -0,0 +1,36 @@
+From 25eb5406b6fe44be17919ab95bf620d4ad0816df Mon Sep 17 00:00:00 2001
+From: Linus Lüssing <linus.luessing@web.de>
+Date: Sun, 16 Jun 2013 23:20:34 +0200
+Subject: bridge: fix switched interval for MLD Query types
+
+From: Linus Lüssing <linus.luessing@web.de>
+
+[ Upstream commit 32de868cbc6bee010d2cee95b5071b25ecbec8c3 ]
+
+General Queries (the one with the Multicast Address field
+set to zero / '::') are supposed to have a Maximum Response Delay
+of [Query Response Interval], while for Multicast-Address-Specific
+Queries it is [Last Listener Query Interval] - not the other way
+round. (see RFC2710, section 7.3+7.8)
+
+Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -467,8 +467,9 @@ static struct sk_buff *br_ip6_multicast_
+       skb_set_transport_header(skb, skb->len);
+       mldq = (struct mld_msg *) icmp6_hdr(skb);
+-      interval = ipv6_addr_any(group) ? br->multicast_last_member_interval :
+-                                        br->multicast_query_response_interval;
++      interval = ipv6_addr_any(group) ?
++                      br->multicast_query_response_interval :
++                      br->multicast_last_member_interval;
+       mldq->mld_type = ICMPV6_MGM_QUERY;
+       mldq->mld_code = 0;
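Review bot: The corrected ternary carries no comment, and these two interval fields have already been swapped once, so the mapping deserves a note at the assignment: `/* RFC 2710 7.3/7.8: general query (group ::) uses the Query Response Interval, address-specific query the Last Listener Query Interval */`. The IPv4 counterpart of this function is not part of the hunk; it may be worth confirming that it selects its intervals the same way. The function body continues outside the hunk.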
diff --git a/queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch b/queue-3.4/dummy-fix-oops-when-loading-the-dummy-failed.patch
new file mode 100644 (file)
index 0000000..41dad82
--- /dev/null
@@ -0,0 +1,87 @@
+From a6d55637b6b08267b7841332aae1c5c76b58614f Mon Sep 17 00:00:00 2001
+From: dingtianhong <dingtianhong@huawei.com>
+Date: Thu, 11 Jul 2013 19:04:02 +0800
+Subject: dummy: fix oops when loading the dummy failed
+
+From: dingtianhong <dingtianhong@huawei.com>
+
+[ Upstream commit 2c8a01894a12665d8059fad8f0a293c98a264121 ]
+
+We rename the dummy in modprobe.conf like this:
+
+install dummy0 /sbin/modprobe -o dummy0 --ignore-install dummy
+install dummy1 /sbin/modprobe -o dummy1 --ignore-install dummy
+
+We got oops when we run the command:
+
+modprobe dummy0
+modprobe dummy1
+
+------------[ cut here ]------------
+
+[ 3302.187584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 3302.195411] IP: [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.201844] PGD 85c94a067 PUD 8517bd067 PMD 0
+[ 3302.206305] Oops: 0002 [#1] SMP
+[ 3302.299737] task: ffff88105ccea300 ti: ffff880eba4a0000 task.ti: ffff880eba4a0000
+[ 3302.307186] RIP: 0010:[<ffffffff813fe62a>]  [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.316044] RSP: 0018:ffff880eba4a1dd8  EFLAGS: 00010246
+[ 3302.321332] RAX: 0000000000000000 RBX: ffffffff81a9d738 RCX: 0000000000000002
+[ 3302.328436] RDX: 0000000000000000 RSI: ffffffffa04d602c RDI: ffff880eba4a1dd8
+[ 3302.335541] RBP: ffff880eba4a1e18 R08: dead000000200200 R09: dead000000100100
+[ 3302.342644] R10: 0000000000000080 R11: 0000000000000003 R12: ffffffff81a9d788
+[ 3302.349748] R13: ffffffffa04d7020 R14: ffffffff81a9d670 R15: ffff880eba4a1dd8
+[ 3302.364910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3302.370630] CR2: 0000000000000008 CR3: 000000085e15e000 CR4: 00000000000427e0
+[ 3302.377734] DR0: 0000000000000003 DR1: 00000000000000b0 DR2: 0000000000000001
+[ 3302.384838] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 3302.391940] Stack:
+[ 3302.393944]  ffff880eba4a1dd8 ffff880eba4a1dd8 ffff880eba4a1e18 ffffffffa04d70c0
+[ 3302.401350]  00000000ffffffef ffffffffa01a8000 0000000000000000 ffffffff816111c8
+[ 3302.408758]  ffff880eba4a1e48 ffffffffa01a80be ffff880eba4a1e48 ffffffffa04d70c0
+[ 3302.416164] Call Trace:
+[ 3302.418605]  [<ffffffffa01a8000>] ? 0xffffffffa01a7fff
+[ 3302.423727]  [<ffffffffa01a80be>] dummy_init_module+0xbe/0x1000 [dummy0]
+[ 3302.430405]  [<ffffffffa01a8000>] ? 0xffffffffa01a7fff
+[ 3302.435535]  [<ffffffff81000322>] do_one_initcall+0x152/0x1b0
+[ 3302.441263]  [<ffffffff810ab24b>] do_init_module+0x7b/0x200
+[ 3302.446824]  [<ffffffff810ad3d2>] load_module+0x4e2/0x530
+[ 3302.452215]  [<ffffffff8127ae40>] ? ddebug_dyndbg_boot_param_cb+0x60/0x60
+[ 3302.458979]  [<ffffffff810ad5f1>] SyS_init_module+0xd1/0x130
+[ 3302.464627]  [<ffffffff814b9652>] system_call_fastpath+0x16/0x1b
+[ 3302.490090] RIP  [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
+[ 3302.496607]  RSP <ffff880eba4a1dd8>
+[ 3302.500084] CR2: 0000000000000008
+[ 3302.503466] ---[ end trace 8342d49cd49f78ed ]---
+
+The reason is that when loading dummy, if __rtnl_link_register() return failed,
+the init_module should return and avoid take the wrong path.
+
+Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
+Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dummy.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -186,6 +186,8 @@ static int __init dummy_init_module(void
+       rtnl_lock();
+       err = __rtnl_link_register(&dummy_link_ops);
++      if (err < 0)
++              goto out;
+       for (i = 0; i < numdummies && !err; i++) {
+               err = dummy_init_one();
+@@ -193,6 +195,8 @@ static int __init dummy_init_module(void
+       }
+       if (err < 0)
+               __rtnl_link_unregister(&dummy_link_ops);
++
++out:
+       rtnl_unlock();
+       return err;
diff --git a/queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch b/queue-3.4/ifb-fix-oops-when-loading-the-ifb-failed.patch
new file mode 100644 (file)
index 0000000..4e4fd4b
--- /dev/null
@@ -0,0 +1,39 @@
+From cbe23ee3115067ce5bf47fca69e53926ea171596 Mon Sep 17 00:00:00 2001
+From: dingtianhong <dingtianhong@huawei.com>
+Date: Thu, 11 Jul 2013 19:04:06 +0800
+Subject: ifb: fix oops when loading the ifb failed
+
+From: dingtianhong <dingtianhong@huawei.com>
+
+[ Upstream commit f2966cd5691058b8674a20766525bedeaea9cbcf ]
+
+If __rtnl_link_register() return faild when loading the ifb, it will
+take the wrong path and get oops, so fix it just like dummy.
+
+Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ifb.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -290,6 +290,8 @@ static int __init ifb_init_module(void)
+       rtnl_lock();
+       err = __rtnl_link_register(&ifb_link_ops);
++      if (err < 0)
++              goto out;
+       for (i = 0; i < numifbs && !err; i++) {
+               err = ifb_init_one(i);
+@@ -297,6 +299,8 @@ static int __init ifb_init_module(void)
+       }
+       if (err)
+               __rtnl_link_unregister(&ifb_link_ops);
++
++out:
+       rtnl_unlock();
+       return err;
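Review bot: The context lines of this patch already contain the braced loop (`for (...) {` in the first hunk and a closing `}` opening the second), which exists only after ifb-fix-rcu_sched-self-detected-stalls.patch has been applied. The contents of queue-3.4/series are not visible here; that patch has to be listed before this one or the hunks will not apply cleanly. The early exit also tests `err < 0` while the unregister path below tests `if (err)`; using one form for both would read more clearly.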
diff --git a/queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch b/queue-3.4/ifb-fix-rcu_sched-self-detected-stalls.patch
new file mode 100644 (file)
index 0000000..9abdc91
--- /dev/null
@@ -0,0 +1,44 @@
+From 7398bbbc81ad70c664ded751b7fd3417bc944414 Mon Sep 17 00:00:00 2001
+From: dingtianhong <dingtianhong@huawei.com>
+Date: Wed, 10 Jul 2013 12:04:02 +0800
+Subject: ifb: fix rcu_sched self-detected stalls
+
+From: dingtianhong <dingtianhong@huawei.com>
+
+[ Upstream commit 440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa ]
+
+According to the commit 16b0dc29c1af9df341428f4c49ada4f626258082
+(dummy: fix rcu_sched self-detected stalls)
+
+Eric Dumazet fix the problem in dummy, but the ifb will occur the
+same problem like the dummy modules.
+
+Trying to "modprobe ifb numifbs=30000" triggers :
+
+INFO: rcu_sched self-detected stall on CPU
+
+After this splat, RTNL is locked and reboot is needed.
+
+We must call cond_resched() to avoid this, even holding RTNL.
+
+Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ifb.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -291,8 +291,10 @@ static int __init ifb_init_module(void)
+       rtnl_lock();
+       err = __rtnl_link_register(&ifb_link_ops);
+-      for (i = 0; i < numifbs && !err; i++)
++      for (i = 0; i < numifbs && !err; i++) {
+               err = ifb_init_one(i);
++              cond_resched();
++      }
+       if (err)
+               __rtnl_link_unregister(&ifb_link_ops);
+       rtnl_unlock();
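Review bot: The added `cond_resched()` has no comment, and a bare yield inside an init loop that holds RTNL is easy to remove in a later clean-up. A short comment on it, such as `/* many devices: yield so creating them under RTNL does not stall RCU */`, records why it is there. numifbs is a module parameter with no upper bound visible in this hunk, so the loop length is set entirely by whoever loads the module.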
diff --git a/queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch b/queue-3.4/ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
new file mode 100644 (file)
index 0000000..1c85136
--- /dev/null
@@ -0,0 +1,43 @@
+From 7ffc6947279d932705a604f7e5a73f38c5cd83a4 Mon Sep 17 00:00:00 2001
+From: Aydin Arik <aydin.arik@alliedtelesis.co.nz>
+Date: Fri, 14 Jun 2013 18:56:31 +1200
+Subject: ipv4: Fixed MD5 key lookups when adding/ removing MD5 to/ from TCP sockets.
+
+From: Aydin Arik <aydin.arik@alliedtelesis.co.nz>
+
+[ Upstream commit c0353c7b5da4cbd2ab8227e84bbc9c79890f24ce ]
+
+MD5 key lookups on a given TCP socket were being performed
+incorrectly. This fix alters parameter inputs to the MD5
+lookup function tcp_md5_do_lookup, which is called by functions
+tcp_md5_do_add and tcp_md5_do_del. Specifically, the change now
+inputs the correct address and address family required to make
+a proper lookup.
+
+Signed-off-by: Aydin Arik <aydin.arik@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -974,7 +974,7 @@ int tcp_md5_do_add(struct sock *sk, cons
+       struct tcp_sock *tp = tcp_sk(sk);
+       struct tcp_md5sig_info *md5sig;
+-      key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
++      key = tcp_md5_do_lookup(sk, addr, family);
+       if (key) {
+               /* Pre-existing entry - just update that one. */
+               memcpy(key->key, newkey, newkeylen);
+@@ -1019,7 +1019,7 @@ int tcp_md5_do_del(struct sock *sk, cons
+       struct tcp_md5sig_key *key;
+       struct tcp_md5sig_info *md5sig;
+-      key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
++      key = tcp_md5_do_lookup(sk, addr, family);
+       if (!key)
+               return -ENOENT;
+       hlist_del_rcu(&key->node);
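Review bot: With the lookup now matching on the real address and family, the update branch in tcp_md5_do_add() is reached for existing keys, and its `memcpy(key->key, newkey, newkeylen);` has no bound visible in this hunk. If callers do not already reject lengths above TCP_MD5SIG_MAXKEYLEN, a guard before the copy would be needed; please confirm where that check lives. Both function bodies start and end outside the hunks.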
diff --git a/queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch b/queue-3.4/ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
new file mode 100644 (file)
index 0000000..2494a31
--- /dev/null
@@ -0,0 +1,122 @@
+From 3e5fbc0f41aab931d8d1ef785331a213d16adba2 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 1 Jul 2013 20:21:30 +0200
+Subject: ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ]
+
+We accidentally call down to ip6_push_pending_frames when uncorking
+pending AF_INET data on a ipv6 socket. This results in the following
+splat (from Dave Jones):
+
+skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
+------------[ cut here ]------------
+kernel BUG at net/core/skbuff.c:126!
+invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
++netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
+RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
+RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+Call Trace:
+ [<ffffffff8159a9aa>] skb_push+0x3a/0x40
+ [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
+ [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
+ [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
+ [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
+ [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
+ [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
+ [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
+ [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
+ [<ffffffff816f5d54>] tracesys+0xdd/0xe2
+Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP <ffff8801e6431de8>
+
+This patch adds a check if the pending data is of address family AF_INET
+and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+if that is the case.
+
+This bug was found by Dave Jones with trinity.
+
+(Also move the initialization of fl6 below the AF_INET check, even if
+not strictly necessary.)
+
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Cc: Dave Jones <davej@redhat.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/udp.h |    1 +
+ net/ipv4/udp.c    |    3 ++-
+ net/ipv6/udp.c    |    7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/udp.h
++++ b/include/net/udp.h
+@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk,
+ extern void udp_err(struct sk_buff *, u32);
+ extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
+                           struct msghdr *msg, size_t len);
++extern int udp_push_pending_frames(struct sock *sk);
+ extern void udp_flush_pending_frames(struct sock *sk);
+ extern int udp_rcv(struct sk_buff *skb);
+ extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -768,7 +768,7 @@ send:
+ /*
+  * Push out all pending data as one UDP datagram. Socket is locked.
+  */
+-static int udp_push_pending_frames(struct sock *sk)
++int udp_push_pending_frames(struct sock *sk)
+ {
+       struct udp_sock  *up = udp_sk(sk);
+       struct inet_sock *inet = inet_sk(sk);
+@@ -787,6 +787,7 @@ out:
+       up->pending = 0;
+       return err;
+ }
++EXPORT_SYMBOL(udp_push_pending_frames);
+ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+               size_t len)
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -895,11 +895,16 @@ static int udp_v6_push_pending_frames(st
+       struct udphdr *uh;
+       struct udp_sock  *up = udp_sk(sk);
+       struct inet_sock *inet = inet_sk(sk);
+-      struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
++      struct flowi6 *fl6;
+       int err = 0;
+       int is_udplite = IS_UDPLITE(sk);
+       __wsum csum = 0;
++      if (up->pending == AF_INET)
++              return udp_push_pending_frames(sk);
++
++      fl6 = &inet->cork.fl.u.ip6;
++
+       /* Grab the skbuff where UDP header space exists. */
+       if ((skb = skb_peek(&sk->sk_write_queue)) == NULL)
+               goto out;
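Review bot: The new `if (up->pending == AF_INET)` early return in udp_v6_push_pending_frames carries no comment, although it is the only guard keeping IPv4-corked data out of ip6_push_pending_frames. That is the path that ends in the skb_under_panic shown in the description, reached from setsockopt in that trace. I would add above it `/* IPv4 data corked on an AF_INET6 socket: hand off to the IPv4 push path */`. The patch also makes udp_push_pending_frames non-static and exports it, so its existing "Socket is locked" precondition becomes a cross-file contract; repeating that on the new prototype in include/net/udp.h would help callers. udp_v6_push_pending_frames continues past the end of the hunk.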
diff --git a/queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch b/queue-3.4/ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
new file mode 100644 (file)
index 0000000..e9590e1
--- /dev/null
@@ -0,0 +1,39 @@
+From cb6bdbd023b7275fd30f88bfd6c3531f677850b1 Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Sun, 16 Jun 2013 11:14:30 +0800
+Subject: ipv6: don't call addrconf_dst_alloc again when enable lo
+
+From: Gao feng <gaofeng@cn.fujitsu.com>
+
+[ Upstream commit a881ae1f625c599b460cc8f8a7fcb1c438f699ad ]
+
+If we disable all of the net interfaces, and enable
+un-lo interface before lo interface, we already allocated
+the addrconf dst in ipv6_add_addr. So we shouldn't allocate
+it again when we enable lo interface.
+
+Otherwise the message below will be triggered.
+unregister_netdevice: waiting for sit1 to become free. Usage count = 1
+
+This problem is introduced by commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
+"net IPv6 : Fix broken IPv6 routing table after loopback down-up"
+
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2429,6 +2429,9 @@ static void init_loopback(struct net_dev
+                       if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
+                               continue;
++                      if (sp_ifa->rt)
++                              continue;
++
+                       sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
+                       /* Failure cases are ignored */
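Review bot: The added `if (sp_ifa->rt) continue;` in init_loopback is unexplained in the code, and the reason is not evident from the loop itself. Per the description, the dst was already allocated in ipv6_add_addr when a non-loopback interface was enabled first, and allocating it again produces the `unregister_netdevice: waiting for ... Usage count = 1` message. A comment such as `/* dst already allocated by ipv6_add_addr(); do not allocate a second one */` would keep a later cleanup from dropping the check. The enclosing loop starts and ends outside the hunk.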
diff --git a/queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch b/queue-3.4/ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
new file mode 100644 (file)
index 0000000..3eab7e4
--- /dev/null
@@ -0,0 +1,97 @@
+From d29ee4b5c0d7b39dcf13139e8748cfdb6371fb1f Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed, 10 Jul 2013 23:00:57 +0200
+Subject: ipv6: in case of link failure remove route directly instead of letting it expire
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 1eb4f758286884e7566627164bca4c4a16952a83 ]
+
+We could end up expiring a route which is part of an ecmp route set. Doing
+so would invalidate the rt->rt6i_nsiblings calculations and could provoke
+the following panic:
+
+[   80.144667] ------------[ cut here ]------------
+[   80.145172] kernel BUG at net/ipv6/ip6_fib.c:733!
+[   80.145172] invalid opcode: 0000 [#1] SMP
+[   80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables
++snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk
+[   80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118
+[   80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[   80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000
+[   80.145172] RIP: 0010:[<ffffffff815f3b5d>]  [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
+[   80.145172] RSP: 0018:ffff880118771798  EFLAGS: 00010202
+[   80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480
+[   80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738
+[   80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001
+[   80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680
+[   80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90
+[   80.145172] FS:  00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000
+[   80.145172] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[   80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0
+[   80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[   80.145172] Stack:
+[   80.145172]  0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280
+[   80.145172]  0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa
+[   80.145172]  0000000000000000 0000000000000000 0000000000000000 ffff88011350f680
+[   80.145172] Call Trace:
+[   80.145172]  [<ffffffff815eeceb>] ? rt6_bind_peer+0x4b/0x90
+[   80.145172]  [<ffffffff815ed985>] __ip6_ins_rt+0x45/0x70
+[   80.145172]  [<ffffffff815eee35>] ip6_ins_rt+0x35/0x40
+[   80.145172]  [<ffffffff815ef1e4>] ip6_pol_route.isra.44+0x3a4/0x4b0
+[   80.145172]  [<ffffffff815ef34a>] ip6_pol_route_output+0x2a/0x30
+[   80.145172]  [<ffffffff81616077>] fib6_rule_action+0xd7/0x210
+[   80.145172]  [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
+[   80.145172]  [<ffffffff81553026>] fib_rules_lookup+0xc6/0x140
+[   80.145172]  [<ffffffff81616374>] fib6_rule_lookup+0x44/0x80
+[   80.145172]  [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
+[   80.145172]  [<ffffffff815edea3>] ip6_route_output+0x73/0xb0
+[   80.145172]  [<ffffffff815dfdf3>] ip6_dst_lookup_tail+0x2c3/0x2e0
+[   80.145172]  [<ffffffff813007b1>] ? list_del+0x11/0x40
+[   80.145172]  [<ffffffff81082a4c>] ? remove_wait_queue+0x3c/0x50
+[   80.145172]  [<ffffffff815dfe4d>] ip6_dst_lookup_flow+0x3d/0xa0
+[   80.145172]  [<ffffffff815fda77>] rawv6_sendmsg+0x267/0xc20
+[   80.145172]  [<ffffffff815a8a83>] inet_sendmsg+0x63/0xb0
+[   80.145172]  [<ffffffff8128eb93>] ? selinux_socket_sendmsg+0x23/0x30
+[   80.145172]  [<ffffffff815218d6>] sock_sendmsg+0xa6/0xd0
+[   80.145172]  [<ffffffff81524a68>] SYSC_sendto+0x128/0x180
+[   80.145172]  [<ffffffff8109825c>] ? update_curr+0xec/0x170
+[   80.145172]  [<ffffffff81041d09>] ? kvm_clock_get_cycles+0x9/0x10
+[   80.145172]  [<ffffffff810afd1e>] ? __getnstimeofday+0x3e/0xd0
+[   80.145172]  [<ffffffff8152509e>] SyS_sendto+0xe/0x10
+[   80.145172]  [<ffffffff8164efd9>] system_call_fastpath+0x16/0x1b
+[   80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53
+[   80.145172] RIP  [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
+[   80.145172]  RSP <ffff880118771798>
+[   80.387413] ---[ end trace 02f20b7a8b81ed95 ]---
+[   80.390154] Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1032,10 +1032,13 @@ static void ip6_link_failure(struct sk_b
+       rt = (struct rt6_info *) skb_dst(skb);
+       if (rt) {
+-              if (rt->rt6i_flags & RTF_CACHE)
+-                      rt6_update_expires(rt, 0);
+-              else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT))
++              if (rt->rt6i_flags & RTF_CACHE) {
++                      dst_hold(&rt->dst);
++                      if (ip6_del_rt(rt))
++                              dst_free(&rt->dst);
++              } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
+                       rt->rt6i_node->fn_sernum = -1;
++              }
+       }
+ }
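Review bot: The reference handling in the new RTF_CACHE branch of ip6_link_failure is undocumented: `dst_hold(&rt->dst)` is taken immediately before `ip6_del_rt(rt)`, and `dst_free(&rt->dst)` runs only when the delete fails. From the hunk alone a reader cannot tell which call consumes the held reference (presumably ip6_del_rt does, but that is not visible here). An imbalance on this path would mean either a leaked route or a premature free of a dst the skb still points to. Once confirmed against ip6_del_rt, I would add `/* ip6_del_rt() consumes the reference taken here; if the delete fails, free the dst ourselves */`. The function starts outside the hunk.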
diff --git a/queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch b/queue-3.4/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch
new file mode 100644 (file)
index 0000000..772d01a
--- /dev/null
@@ -0,0 +1,135 @@
+From 33dcf975875563ee57769861f3ec9c02d1f3de97 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 2 Jul 2013 08:04:05 +0200
+Subject: ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ]
+
+If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+of this when appending the second frame on a corked socket. This results
+in the following splat:
+
+[37598.993962] ------------[ cut here ]------------
+[37598.994008] kernel BUG at net/core/skbuff.c:2064!
+[37598.994008] invalid opcode: 0000 [#1] SMP
+[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
++nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
++scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+[37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
++dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+[37598.994008] CPU 0
+[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+[37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+[37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
+[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+[37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+[37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+[37598.994008] Stack:
+[37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+[37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+[37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+[37598.994008] Call Trace:
+[37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+[37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+[37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+[37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+[37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+[37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+[37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+[37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+[37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+[37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+[37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+[37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+[37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+[37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+[37598.994008]  RSP <ffff88003670da18>
+[37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+While there, also check if path mtu discovery is activated for this
+socket. The logic was adapted from ip6_append_data when first writing
+on the corked socket.
+
+This bug was introduced with commit
+0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+fragment").
+
+v2:
+a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+   feng, thanks!).
+c) Change mtu to unsigned int, else we get a warning about
+   non-matching types because of the min()-macro type-check.
+
+Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1187,11 +1187,12 @@ static inline struct ipv6_rt_hdr *ip6_rt
+       return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
+ }
+-static void ip6_append_data_mtu(int *mtu,
++static void ip6_append_data_mtu(unsigned int *mtu,
+                               int *maxfraglen,
+                               unsigned int fragheaderlen,
+                               struct sk_buff *skb,
+-                              struct rt6_info *rt)
++                              struct rt6_info *rt,
++                              bool pmtuprobe)
+ {
+       if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
+               if (skb == NULL) {
+@@ -1203,7 +1204,9 @@ static void ip6_append_data_mtu(int *mtu
+                        * this fragment is not first, the headers
+                        * space is regarded as data space.
+                        */
+-                      *mtu = dst_mtu(rt->dst.path);
++                      *mtu = min(*mtu, pmtuprobe ?
++                                 rt->dst.dev->mtu :
++                                 dst_mtu(rt->dst.path));
+               }
+               *maxfraglen = ((*mtu - fragheaderlen) & ~7)
+                             + fragheaderlen - sizeof(struct frag_hdr);
+@@ -1220,11 +1223,10 @@ int ip6_append_data(struct sock *sk, int
+       struct ipv6_pinfo *np = inet6_sk(sk);
+       struct inet_cork *cork;
+       struct sk_buff *skb, *skb_prev = NULL;
+-      unsigned int maxfraglen, fragheaderlen;
++      unsigned int maxfraglen, fragheaderlen, mtu;
+       int exthdrlen;
+       int dst_exthdrlen;
+       int hh_len;
+-      int mtu;
+       int copy;
+       int err;
+       int offset = 0;
+@@ -1387,7 +1389,9 @@ alloc_new_skb:
+                       /* update mtu and maxfraglen if necessary */
+                       if (skb == NULL || skb_prev == NULL)
+                               ip6_append_data_mtu(&mtu, &maxfraglen,
+-                                                  fragheaderlen, skb, rt);
++                                                  fragheaderlen, skb, rt,
++                                                  np->pmtudisc ==
++                                                  IPV6_PMTUDISC_PROBE);
+                       skb_prev = skb;
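Review bot: ip6_append_data_mtu still declares `int *maxfraglen` while ip6_append_data declares `unsigned int maxfraglen, fragheaderlen, mtu;` and passes `&maxfraglen`, so the patch fixes the signedness of `mtu` but leaves the same mismatch on the neighbouring out-parameter. Changing it to `unsigned int *maxfraglen` would make the two consistent. Separately, `(*mtu - fragheaderlen) & ~7` is now plainly unsigned arithmetic and the new `min()` can only lower `*mtu`. Nothing visible in the hunk guarantees `*mtu >= fragheaderlen`, so a comment saying where that bound is enforced would be worth adding next to the subtraction. ip6_append_data extends beyond the hunk.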
diff --git a/queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch b/queue-3.4/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
new file mode 100644 (file)
index 0000000..85d76b4
--- /dev/null
@@ -0,0 +1,52 @@
+From c27b83b129110f60c614324c5e33f9ccbfd49238 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 26 Jun 2013 04:15:07 -0700
+Subject: ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ]
+
+It's possible to use AF_INET6 sockets and to connect to an IPv4
+destination. After this, socket dst cache is a pointer to a rtable,
+not rt6_info.
+
+ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+various corruptions/crashes can happen.
+
+Dave Jones can reproduce immediate crash with
+trinity -q -l off -n -c sendmsg -c connect
+
+With help from Hannes Frederic Sowa
+
+Reported-by: Dave Jones <davej@redhat.com>
+Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -912,11 +912,17 @@ static struct dst_entry *ip6_sk_dst_chec
+                                         const struct flowi6 *fl6)
+ {
+       struct ipv6_pinfo *np = inet6_sk(sk);
+-      struct rt6_info *rt = (struct rt6_info *)dst;
++      struct rt6_info *rt;
+       if (!dst)
+               goto out;
++      if (dst->ops->family != AF_INET6) {
++              dst_release(dst);
++              return NULL;
++      }
++
++      rt = (struct rt6_info *)dst;
+       /* Yes, checking route validity in not connected
+        * case is not very simple. Take into account,
+        * that we do not support routing by source, TOS,
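Review bot: The `dst->ops->family != AF_INET6` test in ip6_sk_dst_check is what makes the later `(struct rt6_info *)dst` cast valid, but nothing in the code says so. The description explains that an AF_INET6 socket connected to an IPv4 destination caches an rtable here, so reading it as rt6_info is a type confusion. A comment above the check would record that, for example `/* v4-connected AF_INET6 socket caches an rtable; drop it rather than read it as rt6_info */`. The function comment should also state that the caller's dst reference is released on this path, since the new branch calls `dst_release(dst)` and returns NULL. The function body continues after the hunk.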
diff --git a/queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch b/queue-3.4/ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch
new file mode 100644 (file)
index 0000000..b39f53c
--- /dev/null
@@ -0,0 +1,239 @@
+From 47efd75b3dbaea5c2b3f26a8706f1b6062e822ef Mon Sep 17 00:00:00 2001
+From: Amerigo Wang <amwang@redhat.com>
+Date: Sat, 29 Jun 2013 21:30:49 +0800
+Subject: ipv6,mcast: always hold idev->lock before mca_lock
+
+From: Amerigo Wang <amwang@redhat.com>
+
+[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with
+  some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781
+  ("ipv6: split duplicate address detection and router solicitation timer")
+  to get the __ipv6_get_lladdr() used by this patch. ]
+
+dingtianhong reported the following deadlock detected by lockdep:
+
+ ======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 3.4.24.05-0.1-default #1 Not tainted
+ -------------------------------------------------------
+ ksoftirqd/0/3 is trying to acquire lock:
+  (&ndev->lock){+.+...}, at: [<ffffffff8147f804>] ipv6_get_lladdr+0x74/0x120
+
+ but task is already holding lock:
+  (&mc->mca_lock){+.+...}, at: [<ffffffff8149d130>] mld_send_report+0x40/0x150
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&mc->mca_lock){+.+...}:
+        [<ffffffff810a8027>] validate_chain+0x637/0x730
+        [<ffffffff810a8417>] __lock_acquire+0x2f7/0x500
+        [<ffffffff810a8734>] lock_acquire+0x114/0x150
+        [<ffffffff814f691a>] rt_spin_lock+0x4a/0x60
+        [<ffffffff8149e4bb>] igmp6_group_added+0x3b/0x120
+        [<ffffffff8149e5d8>] ipv6_mc_up+0x38/0x60
+        [<ffffffff81480a4d>] ipv6_find_idev+0x3d/0x80
+        [<ffffffff81483175>] addrconf_notify+0x3d5/0x4b0
+        [<ffffffff814fae3f>] notifier_call_chain+0x3f/0x80
+        [<ffffffff81073471>] raw_notifier_call_chain+0x11/0x20
+        [<ffffffff813d8722>] call_netdevice_notifiers+0x32/0x60
+        [<ffffffff813d92d4>] __dev_notify_flags+0x34/0x80
+        [<ffffffff813d9360>] dev_change_flags+0x40/0x70
+        [<ffffffff813ea627>] do_setlink+0x237/0x8a0
+        [<ffffffff813ebb6c>] rtnl_newlink+0x3ec/0x600
+        [<ffffffff813eb4d0>] rtnetlink_rcv_msg+0x160/0x310
+        [<ffffffff814040b9>] netlink_rcv_skb+0x89/0xb0
+        [<ffffffff813eb357>] rtnetlink_rcv+0x27/0x40
+        [<ffffffff81403e20>] netlink_unicast+0x140/0x180
+        [<ffffffff81404a9e>] netlink_sendmsg+0x33e/0x380
+        [<ffffffff813c4252>] sock_sendmsg+0x112/0x130
+        [<ffffffff813c537e>] __sys_sendmsg+0x44e/0x460
+        [<ffffffff813c5544>] sys_sendmsg+0x44/0x70
+        [<ffffffff814feab9>] system_call_fastpath+0x16/0x1b
+
+ -> #0 (&ndev->lock){+.+...}:
+        [<ffffffff810a798e>] check_prev_add+0x3de/0x440
+        [<ffffffff810a8027>] validate_chain+0x637/0x730
+        [<ffffffff810a8417>] __lock_acquire+0x2f7/0x500
+        [<ffffffff810a8734>] lock_acquire+0x114/0x150
+        [<ffffffff814f6c82>] rt_read_lock+0x42/0x60
+        [<ffffffff8147f804>] ipv6_get_lladdr+0x74/0x120
+        [<ffffffff8149b036>] mld_newpack+0xb6/0x160
+        [<ffffffff8149b18b>] add_grhead+0xab/0xc0
+        [<ffffffff8149d03b>] add_grec+0x3ab/0x460
+        [<ffffffff8149d14a>] mld_send_report+0x5a/0x150
+        [<ffffffff8149f99e>] igmp6_timer_handler+0x4e/0xb0
+        [<ffffffff8105705a>] call_timer_fn+0xca/0x1d0
+        [<ffffffff81057b9f>] run_timer_softirq+0x1df/0x2e0
+        [<ffffffff8104e8c7>] handle_pending_softirqs+0xf7/0x1f0
+        [<ffffffff8104ea3b>] __do_softirq_common+0x7b/0xf0
+        [<ffffffff8104f07f>] __thread_do_softirq+0x1af/0x210
+        [<ffffffff8104f1c1>] run_ksoftirqd+0xe1/0x1f0
+        [<ffffffff8106c7de>] kthread+0xae/0xc0
+        [<ffffffff814fff74>] kernel_thread_helper+0x4/0x10
+
+actually we can just hold idev->lock before taking pmc->mca_lock,
+and avoid taking idev->lock again when iterating idev->addr_list,
+since the upper callers of mld_newpack() already take
+read_lock_bh(&idev->lock).
+
+Reported-by: dingtianhong <dingtianhong@huawei.com>
+Cc: dingtianhong <dingtianhong@huawei.com>
+Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Tested-by: Ding Tianhong <dingtianhong@huawei.com>
+Tested-by: Chen Weilong <chenweilong@huawei.com>
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/addrconf.h |    3 +++
+ net/ipv6/addrconf.c    |   28 ++++++++++++++++++----------
+ net/ipv6/mcast.c       |   18 ++++++++++--------
+ 3 files changed, 31 insertions(+), 18 deletions(-)
+
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -81,6 +81,9 @@ extern int                   ipv6_dev_get_saddr(struct n
+                                              const struct in6_addr *daddr,
+                                              unsigned int srcprefs,
+                                              struct in6_addr *saddr);
++extern int                    __ipv6_get_lladdr(struct inet6_dev *idev,
++                                                struct in6_addr *addr,
++                                                unsigned char banned_flags);
+ extern int                    ipv6_get_lladdr(struct net_device *dev,
+                                               struct in6_addr *addr,
+                                               unsigned char banned_flags);
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1233,6 +1233,23 @@ try_nextdev:
+ }
+ EXPORT_SYMBOL(ipv6_dev_get_saddr);
++int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr,
++                    unsigned char banned_flags)
++{
++      struct inet6_ifaddr *ifp;
++      int err = -EADDRNOTAVAIL;
++
++      list_for_each_entry(ifp, &idev->addr_list, if_list) {
++              if (ifp->scope == IFA_LINK &&
++                  !(ifp->flags & banned_flags)) {
++                      *addr = ifp->addr;
++                      err = 0;
++                      break;
++              }
++      }
++      return err;
++}
++
+ int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr,
+                   unsigned char banned_flags)
+ {
+@@ -1242,17 +1259,8 @@ int ipv6_get_lladdr(struct net_device *d
+       rcu_read_lock();
+       idev = __in6_dev_get(dev);
+       if (idev) {
+-              struct inet6_ifaddr *ifp;
+-
+               read_lock_bh(&idev->lock);
+-              list_for_each_entry(ifp, &idev->addr_list, if_list) {
+-                      if (ifp->scope == IFA_LINK &&
+-                          !(ifp->flags & banned_flags)) {
+-                              *addr = ifp->addr;
+-                              err = 0;
+-                              break;
+-                      }
+-              }
++              err = __ipv6_get_lladdr(idev, addr, banned_flags);
+               read_unlock_bh(&idev->lock);
+       }
+       rcu_read_unlock();
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1334,8 +1334,9 @@ mld_scount(struct ifmcaddr6 *pmc, int ty
+       return scount;
+ }
+-static struct sk_buff *mld_newpack(struct net_device *dev, int size)
++static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
+ {
++      struct net_device *dev = idev->dev;
+       struct net *net = dev_net(dev);
+       struct sock *sk = net->ipv6.igmp_sk;
+       struct sk_buff *skb;
+@@ -1360,7 +1361,7 @@ static struct sk_buff *mld_newpack(struc
+       skb_reserve(skb, hlen);
+-      if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) {
++      if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
+               /* <draft-ietf-magma-mld-source-05.txt>:
+                * use unspecified address as the source address
+                * when a valid link-local address is not available.
+@@ -1456,7 +1457,7 @@ static struct sk_buff *add_grhead(struct
+       struct mld2_grec *pgr;
+       if (!skb)
+-              skb = mld_newpack(dev, dev->mtu);
++              skb = mld_newpack(pmc->idev, dev->mtu);
+       if (!skb)
+               return NULL;
+       pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec));
+@@ -1476,7 +1477,8 @@ static struct sk_buff *add_grhead(struct
+ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
+       int type, int gdeleted, int sdeleted)
+ {
+-      struct net_device *dev = pmc->idev->dev;
++      struct inet6_dev *idev = pmc->idev;
++      struct net_device *dev = idev->dev;
+       struct mld2_report *pmr;
+       struct mld2_grec *pgr = NULL;
+       struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list;
+@@ -1505,7 +1507,7 @@ static struct sk_buff *add_grec(struct s
+                   AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
+                       if (skb)
+                               mld_sendpack(skb);
+-                      skb = mld_newpack(dev, dev->mtu);
++                      skb = mld_newpack(idev, dev->mtu);
+               }
+       }
+       first = 1;
+@@ -1532,7 +1534,7 @@ static struct sk_buff *add_grec(struct s
+                               pgr->grec_nsrcs = htons(scount);
+                       if (skb)
+                               mld_sendpack(skb);
+-                      skb = mld_newpack(dev, dev->mtu);
++                      skb = mld_newpack(idev, dev->mtu);
+                       first = 1;
+                       scount = 0;
+               }
+@@ -1587,8 +1589,8 @@ static void mld_send_report(struct inet6
+       struct sk_buff *skb = NULL;
+       int type;
++      read_lock_bh(&idev->lock);
+       if (!pmc) {
+-              read_lock_bh(&idev->lock);
+               for (pmc=idev->mc_list; pmc; pmc=pmc->next) {
+                       if (pmc->mca_flags & MAF_NOREPORT)
+                               continue;
+@@ -1600,7 +1602,6 @@ static void mld_send_report(struct inet6
+                       skb = add_grec(skb, pmc, type, 0, 0);
+                       spin_unlock_bh(&pmc->mca_lock);
+               }
+-              read_unlock_bh(&idev->lock);
+       } else {
+               spin_lock_bh(&pmc->mca_lock);
+               if (pmc->mca_sfcount[MCAST_EXCLUDE])
+@@ -1610,6 +1611,7 @@ static void mld_send_report(struct inet6
+               skb = add_grec(skb, pmc, type, 0, 0);
+               spin_unlock_bh(&pmc->mca_lock);
+       }
++      read_unlock_bh(&idev->lock);
+       if (skb)
+               mld_sendpack(skb);
+ }
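Review bot: `__ipv6_get_lladdr()` walks `idev->addr_list` without taking any lock, so it is only safe when the caller already holds `idev->lock`, yet neither the definition in net/ipv6/addrconf.c nor the new prototype in include/net/addrconf.h says so. ipv6_get_lladdr wraps it in `read_lock_bh(&idev->lock)`, and mld_newpack now relies on mld_send_report taking that lock around both branches. The description asserts that the other callers reaching mld_newpack already hold it, but they are outside the hunk and should be checked. I would add `/* Caller must hold idev->lock. */` above both the definition and the prototype.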
diff --git a/queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch b/queue-3.4/l2tp-add-missing-.owner-to-struct-pppox_proto.patch
new file mode 100644 (file)
index 0000000..1edc7ae
--- /dev/null
@@ -0,0 +1,31 @@
+From 9b0516325a5ca314ad186c12045d02dfe8571cd3 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue, 2 Jul 2013 09:02:07 +0800
+Subject: l2tp: add missing .owner to struct pppox_proto
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+[ Upstream commit e1558a93b61962710733dc8c11a2bc765607f1cd ]
+
+Add missing .owner of struct pppox_proto. This prevents the
+module from being removed from underneath its users.
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1778,7 +1778,8 @@ static const struct proto_ops pppol2tp_o
+ static const struct pppox_proto pppol2tp_proto = {
+       .create         = pppol2tp_create,
+-      .ioctl          = pppol2tp_ioctl
++      .ioctl          = pppol2tp_ioctl,
++      .owner          = THIS_MODULE,
+ };
+ #ifdef CONFIG_L2TP_V3
diff --git a/queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch b/queue-3.4/macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch
new file mode 100644 (file)
index 0000000..ad4636f
--- /dev/null
@@ -0,0 +1,56 @@
+From 2c2017d0d3e8b8b7f3056aa204196a9bf27b1268 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 10 Jul 2013 13:43:28 +0800
+Subject: macvtap: correctly linearize skb when zerocopy is used
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 61d46bf979d5cd7c164709a80ad5676a35494aae ]
+
+Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
+linearize parts of the skb to let the rest of iov to be fit in
+the frags, we need count copylen into linear when calling macvtap_alloc_skb()
+instead of partly counting it into data_len. Since this breaks
+zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
+be zero at beginning. This cause nr_frags to be increased wrongly without
+setting the correct frags.
+
+This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73
+(macvtap: zerocopy: validate vectors before building skb).
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvtap.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -656,6 +656,7 @@ static ssize_t macvtap_get_user(struct m
+       int vnet_hdr_len = 0;
+       int copylen = 0;
+       bool zerocopy = false;
++      size_t linear;
+       if (q->flags & IFF_VNET_HDR) {
+               vnet_hdr_len = q->vnet_hdr_sz;
+@@ -710,11 +711,14 @@ static ssize_t macvtap_get_user(struct m
+                       copylen = vnet_hdr.hdr_len;
+               if (!copylen)
+                       copylen = GOODCOPY_LEN;
+-      } else
++              linear = copylen;
++      } else {
+               copylen = len;
++              linear = vnet_hdr.hdr_len;
++      }
+       skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
+-                              vnet_hdr.hdr_len, noblock, &err);
++                              linear, noblock, &err);
+       if (!skb)
+               goto err;
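Review bot: In the non-zerocopy branch of macvtap_get_user(), `linear = vnet_hdr.hdr_len;` hands a header field that is presumably filled from the caller's buffer to macvtap_alloc_skb() as the linear length, and nothing in this hunk shows it being bounded by `copylen` (which is `len` on that path). If the header validation outside the hunk does not already guarantee hdr_len <= len, a clamp such as `linear = min_t(size_t, vnet_hdr.hdr_len, copylen);` would keep the linear part from exceeding the allocation. If it does, a one-line comment stating that invariant next to the assignment would save the next reader the search. The function body starts and ends outside the hunk.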
diff --git a/queue-3.4/macvtap-fix-recovery-from-gup-errors.patch b/queue-3.4/macvtap-fix-recovery-from-gup-errors.patch
new file mode 100644 (file)
index 0000000..95ec298
--- /dev/null
@@ -0,0 +1,38 @@
+From b716ef2d9113847c893a292d9624a53b8b0d472f Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Sun, 23 Jun 2013 17:26:58 +0300
+Subject: macvtap: fix recovery from gup errors
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+[ Upstream commit 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 ]
+
+get user pages might fail partially in macvtap zero copy
+mode. To recover we need to put all pages that we got,
+but code used a wrong index resulting in double-free
+errors.
+
+Reported-by: Brad Hubbard <bhubbard@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvtap.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -534,8 +534,10 @@ static int zerocopy_sg_from_iovec(struct
+                       return -EMSGSIZE;
+               num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+               if (num_pages != size) {
+-                      for (i = 0; i < num_pages; i++)
+-                              put_page(page[i]);
++                      int j;
++
++                      for (j = 0; j < num_pages; j++)
++                              put_page(page[i + j]);
+               }
+               truesize = size * PAGE_SIZE;
+               skb->data_len += len;
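Review bot: After the partial-failure cleanup in zerocopy_sg_from_iovec() the block closes without leaving the function, so as far as the hunk shows execution falls through to `truesize = size * PAGE_SIZE;` and the accounting that follows, using pages whose references were just dropped or that were never pinned. The index fix removes the double put, but the error path still has to stop, e.g. `return -EFAULT;` after the loop, so that no fragment is built from a released page. get_user_pages_fast() can also return a negative value; the loop then correctly does nothing, but the fall-through is the same. The rest of the loop body is outside the hunk, so confirm nothing later handles this case.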
diff --git a/queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch b/queue-3.4/neighbour-fix-a-race-in-neigh_destroy.patch
new file mode 100644 (file)
index 0000000..232ffc0
--- /dev/null
@@ -0,0 +1,78 @@
+From c7035ea2b52ca2c60fa22c2fe24f582aa6c755e1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Fri, 28 Jun 2013 02:37:42 -0700
+Subject: neighbour: fix a race in neigh_destroy()
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ]
+
+There is a race in neighbour code, because neigh_destroy() uses
+skb_queue_purge(&neigh->arp_queue) without holding neighbour lock,
+while other parts of the code assume neighbour rwlock is what
+protects arp_queue
+
+Convert all skb_queue_purge() calls to the __skb_queue_purge() variant
+
+Use __skb_queue_head_init() instead of skb_queue_head_init()
+to make clear we do not use arp_queue.lock
+
+And hold neigh->lock in neigh_destroy() to close the race.
+
+Reported-by: Joe Jin <joe.jin@oracle.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -237,7 +237,7 @@ static void neigh_flush_dev(struct neigh
+                                  we must kill timers etc. and move
+                                  it to safe state.
+                                */
+-                              skb_queue_purge(&n->arp_queue);
++                              __skb_queue_purge(&n->arp_queue);
+                               n->arp_queue_len_bytes = 0;
+                               n->output = neigh_blackhole;
+                               if (n->nud_state & NUD_VALID)
+@@ -300,7 +300,7 @@ static struct neighbour *neigh_alloc(str
+       if (!n)
+               goto out_entries;
+-      skb_queue_head_init(&n->arp_queue);
++      __skb_queue_head_init(&n->arp_queue);
+       rwlock_init(&n->lock);
+       seqlock_init(&n->ha_lock);
+       n->updated        = n->used = now;
+@@ -721,7 +721,9 @@ void neigh_destroy(struct neighbour *nei
+       if (neigh_del_timer(neigh))
+               printk(KERN_WARNING "Impossible event.\n");
+-      skb_queue_purge(&neigh->arp_queue);
++      write_lock_bh(&neigh->lock);
++      __skb_queue_purge(&neigh->arp_queue);
++      write_unlock_bh(&neigh->lock);
+       neigh->arp_queue_len_bytes = 0;
+       if (dev->netdev_ops->ndo_neigh_destroy)
+@@ -867,7 +869,7 @@ static void neigh_invalidate(struct neig
+               neigh->ops->error_report(neigh, skb);
+               write_lock(&neigh->lock);
+       }
+-      skb_queue_purge(&neigh->arp_queue);
++      __skb_queue_purge(&neigh->arp_queue);
+       neigh->arp_queue_len_bytes = 0;
+ }
+@@ -1206,7 +1208,7 @@ int neigh_update(struct neighbour *neigh
+                       write_lock_bh(&neigh->lock);
+               }
+-              skb_queue_purge(&neigh->arp_queue);
++              __skb_queue_purge(&neigh->arp_queue);
+               neigh->arp_queue_len_bytes = 0;
+       }
+ out:
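Review bot: In neigh_destroy() the queue is purged under `neigh->lock`, but `neigh->arp_queue_len_bytes = 0;` is reset only after `write_unlock_bh()`, whereas the other call sites touched here appear to update the counter while the lock is still held. Moving the reset inside the critical section, i.e. `__skb_queue_purge(&neigh->arp_queue);` then `neigh->arp_queue_len_bytes = 0;` then `write_unlock_bh(&neigh->lock);`, keeps the queue and its byte count consistent for anyone reading them under the lock. Since the queue's own spinlock is no longer used, a comment at the initialisation in neigh_alloc(), such as `/* arp_queue is protected by n->lock, not by arp_queue.lock */`, would document the rule for future callers of the `__skb_queue_*` variants.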
diff --git a/queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch b/queue-3.4/net-swap-ver-and-type-in-pppoe_hdr.patch
new file mode 100644 (file)
index 0000000..837649b
--- /dev/null
@@ -0,0 +1,34 @@
+From ad7070e878780ed4334456229d4cd1bc8fe3bedc Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Sat, 29 Jun 2013 00:15:51 +0800
+Subject: net: Swap ver and type in pppoe_hdr
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit b1a5a34bd0b8767ea689e68f8ea513e9710b671e ]
+
+Ver and type in pppoe_hdr should be swapped as defined by RFC2516
+section-4.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_pppox.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/if_pppox.h
++++ b/include/linux/if_pppox.h
+@@ -128,11 +128,11 @@ struct pppoe_tag {
+ struct pppoe_hdr {
+ #if defined(__LITTLE_ENDIAN_BITFIELD)
+-      __u8 ver : 4;
+       __u8 type : 4;
++      __u8 ver : 4;
+ #elif defined(__BIG_ENDIAN_BITFIELD)
+-      __u8 type : 4;
+       __u8 ver : 4;
++      __u8 type : 4;
+ #else
+ #error        "Please fix <asm/byteorder.h>"
+ #endif
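Review bot: The reordered bitfields in struct pppoe_hdr carry no comment saying which nibble is which, and that is exactly what was wrong before this change. A short comment above the `#if`, e.g. `/* RFC 2516 section 4: VER is the high nibble of the first octet, TYPE the low nibble */`, would make the layout checkable against the RFC. The header appears to be exported to userspace (it uses `__u8`), so it is worth confirming that nothing initialises the struct positionally or depended on the old order; code that writes the same value to both fields is unaffected.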
diff --git a/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch b/queue-3.4/net-tg3-avoid-delay-during-mmio-access.patch
new file mode 100644 (file)
index 0000000..b055167
--- /dev/null
@@ -0,0 +1,120 @@
+From 8684b4f0dadba8d920360be134a68b452ab1d713 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <shangw@linux.vnet.ibm.com>
+Date: Tue, 25 Jun 2013 15:24:32 +0800
+Subject: net/tg3: Avoid delay during MMIO access
+
+From: Gavin Shan <shangw@linux.vnet.ibm.com>
+
+[ Upstream commit 6d446ec32f169c6a5d9bc90684a8082a6cbe90f6 ]
+
+When the EEH error is the result of a fenced host bridge, MMIO accesses
+can be very slow (milliseconds) to timeout and return all 1's,
+thus causing the driver various timeout loops to take way too long and
+trigger soft-lockup warnings (in addition to taking minutes to recover).
+
+It might be worthwhile to check if for any of these cases, ffffffff is
+a valid possible value, and if not, bail early since that means the HW
+is either gone or isolated. In the meantime, checking that the PCI channel
+is offline would be workaround of the problem.
+
+Signed-off-by: Gavin Shan <shangw@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c |   36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -689,6 +689,9 @@ static int tg3_ape_lock(struct tg3 *tp,
+               status = tg3_ape_read32(tp, gnt + off);
+               if (status == bit)
+                       break;
++              if (pci_channel_offline(tp->pdev))
++                      break;
++
+               udelay(10);
+       }
+@@ -1466,6 +1469,9 @@ static void tg3_wait_for_event_ack(struc
+       for (i = 0; i < delay_cnt; i++) {
+               if (!(tr32(GRC_RX_CPU_EVENT) & GRC_RX_CPU_DRIVER_EVENT))
+                       break;
++              if (pci_channel_offline(tp->pdev))
++                      break;
++
+               udelay(8);
+       }
+ }
+@@ -1636,6 +1642,9 @@ static int tg3_poll_fw(struct tg3 *tp)
+               for (i = 0; i < 200; i++) {
+                       if (tr32(VCPU_STATUS) & VCPU_STATUS_INIT_DONE)
+                               return 0;
++                      if (pci_channel_offline(tp->pdev))
++                              return -ENODEV;
++
+                       udelay(100);
+               }
+               return -ENODEV;
+@@ -1646,6 +1655,15 @@ static int tg3_poll_fw(struct tg3 *tp)
+               tg3_read_mem(tp, NIC_SRAM_FIRMWARE_MBOX, &val);
+               if (val == ~NIC_SRAM_FIRMWARE_MBOX_MAGIC1)
+                       break;
++              if (pci_channel_offline(tp->pdev)) {
++                      if (!tg3_flag(tp, NO_FWARE_REPORTED)) {
++                              tg3_flag_set(tp, NO_FWARE_REPORTED);
++                              netdev_info(tp->dev, "No firmware running\n");
++                      }
++
++                      break;
++              }
++
+               udelay(10);
+       }
+@@ -3204,6 +3222,8 @@ static int tg3_nvram_write_block_buffere
+               ret = tg3_nvram_exec_cmd(tp, nvram_cmd);
+               if (ret)
+                       break;
++              if (pci_channel_offline(tp->pdev))
++                      return -EBUSY;
+       }
+       return ret;
+ }
+@@ -7674,6 +7694,14 @@ static int tg3_stop_block(struct tg3 *tp
+       tw32_f(ofs, val);
+       for (i = 0; i < MAX_WAIT_CNT; i++) {
++              if (pci_channel_offline(tp->pdev)) {
++                      dev_err(&tp->pdev->dev,
++                              "tg3_stop_block device offline, "
++                              "ofs=%lx enable_bit=%x\n",
++                              ofs, enable_bit);
++                      return -ENODEV;
++              }
++
+               udelay(100);
+               val = tr32(ofs);
+               if ((val & enable_bit) == 0)
+@@ -7697,6 +7725,13 @@ static int tg3_abort_hw(struct tg3 *tp,
+       tg3_disable_ints(tp);
++      if (pci_channel_offline(tp->pdev)) {
++              tp->rx_mode &= ~(RX_MODE_ENABLE | TX_MODE_ENABLE);
++              tp->mac_mode &= ~MAC_MODE_TDE_ENABLE;
++              err = -ENODEV;
++              goto err_no_dev;
++      }
++
+       tp->rx_mode &= ~RX_MODE_ENABLE;
+       tw32_f(MAC_RX_MODE, tp->rx_mode);
+       udelay(10);
+@@ -7745,6 +7780,7 @@ static int tg3_abort_hw(struct tg3 *tp,
+       err |= tg3_stop_block(tp, BUFMGR_MODE, BUFMGR_MODE_ENABLE, silent);
+       err |= tg3_stop_block(tp, MEMARB_MODE, MEMARB_MODE_ENABLE, silent);
++err_no_dev:
+       for (i = 0; i < tp->irq_cnt; i++) {
+               struct tg3_napi *tnapi = &tp->napi[i];
+               if (tnapi->hw_status)
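Review bot: In the offline branch added to tg3_abort_hw(), `tp->rx_mode &= ~(RX_MODE_ENABLE | TX_MODE_ENABLE);` clears a TX flag in the cached RX mode word, while the normal path just below clears only `RX_MODE_ENABLE` there. Presumably the intent was to mark both directions disabled, which would read `tp->rx_mode &= ~RX_MODE_ENABLE;` and `tp->tx_mode &= ~TX_MODE_ENABLE;`; as written the cached TX mode keeps its enable bit (the TX handling of the normal path is outside the hunk, so confirm). Separately, tg3_nvram_write_block_buffered() returns `-EBUSY` for an offline channel while the other new checks use `-ENODEV`, and it returns from inside the loop, so any cleanup after the loop that is not visible here would be skipped.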
index 48546652deec66902d24f346cbf6416b2bcb18e2..2175cb0a0c79586d330d70edc0b0a086094179e4 100644 (file)
@@ -15,3 +15,28 @@ perf-fix-perf_lock_task_context-vs-rcu.patch
 sparc32-vm_area_struct-access-for-old-sun-sparcs.patch
 sparc64-address-congruence-property.patch
 sparc-tsb-must-be-flushed-before-tlb.patch
+bridge-fix-switched-interval-for-mld-query-types.patch
+ipv4-fixed-md5-key-lookups-when-adding-removing-md5-to-from-tcp-sockets.patch
+ipv6-don-t-call-addrconf_dst_alloc-again-when-enable-lo.patch
+macvtap-fix-recovery-from-gup-errors.patch
+net-tg3-avoid-delay-during-mmio-access.patch
+ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
+af_key-fix-info-leaks-in-notify-messages.patch
+sh_eth-fix-unhandled-rfe-interrupt.patch
+neighbour-fix-a-race-in-neigh_destroy.patch
+x25-fix-broken-locking-in-ioctl-error-paths.patch
+net-swap-ver-and-type-in-pppoe_hdr.patch
+ipv6-mcast-always-hold-idev-lock-before-mca_lock.patch
+l2tp-add-missing-.owner-to-struct-pppox_proto.patch
+ipv6-call-udp_push_pending_frames-when-uncorking-a-socket-with-af_inet-pending-data.patch
+ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and-frag_size.patch
+sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
+ifb-fix-rcu_sched-self-detected-stalls.patch
+macvtap-correctly-linearize-skb-when-zerocopy-is-used.patch
+ipv6-in-case-of-link-failure-remove-route-directly-instead-of-letting-it-expire.patch
+9p-fix-off-by-one-causing-access-violations-and-memory-corruption.patch
+dummy-fix-oops-when-loading-the-dummy-failed.patch
+ifb-fix-oops-when-loading-the-ifb-failed.patch
+atl1e-fix-dma-mapping-warnings.patch
+atl1e-unmap-partially-mapped-skb-on-dma-error-and-free-skb.patch
+vlan-fix-a-race-in-egress-prio-management.patch
diff --git a/queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch b/queue-3.4/sh_eth-fix-unhandled-rfe-interrupt.patch
new file mode 100644 (file)
index 0000000..f0fea0a
--- /dev/null
@@ -0,0 +1,78 @@
+From 7d22b5702289e3cf2d1c8bbad28929d495d9f93f Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 21 Jun 2013 01:12:21 +0400
+Subject: sh_eth: fix unhandled RFE interrupt
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit ca8c35852138ee0585eaffe6b9f10a5261ea7771 ]
+
+EESR.RFE (receive FIFO overflow) interrupt is enabled by the driver on all SoCs
+and sh_eth_error() handles it but it's not present in any initializer/assignment
+of the 'eesr_err_check' field of 'struct sh_eth_cpu_data'. This leads to that
+interrupt not being handled and cleared, and finally to disabling IRQ and the
+driver being non-functional.
+
+Modify DEFAULT_EESR_ERR_CHECK macro and all explicit initializers of the above
+mentioned field to contain the EESR.RFE bit. Remove useless backslashes from the
+initializers, while at it.
+
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c |   17 +++++++++--------
+ drivers/net/ethernet/renesas/sh_eth.h |    2 +-
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -137,8 +137,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+       .rmcr_value     = 0x00000001,
+       .tx_check       = EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | EESR_RTO,
+-      .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RDE |
+-                        EESR_RFRMER | EESR_TFE | EESR_TDE | EESR_ECI,
++      .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE |
++                        EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE |
++                        EESR_ECI,
+       .tx_error_check = EESR_TWB | EESR_TABT | EESR_TDE | EESR_TFE,
+       .apr            = 1,
+@@ -252,9 +253,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+       .eesipr_value   = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+       .tx_check       = EESR_TC1 | EESR_FTC,
+-      .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \
+-                        EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \
+-                        EESR_ECI,
++      .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
++                        EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
++                        EESR_TDE | EESR_ECI,
+       .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \
+                         EESR_TFE,
+       .fdr_value      = 0x0000072f,
+@@ -361,9 +362,9 @@ static struct sh_eth_cpu_data sh_eth_my_
+       .eesipr_value   = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+       .tx_check       = EESR_TC1 | EESR_FTC,
+-      .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \
+-                        EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \
+-                        EESR_ECI,
++      .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
++                        EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
++                        EESR_TDE | EESR_ECI,
+       .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \
+                         EESR_TFE,
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -467,7 +467,7 @@ enum EESR_BIT {
+ #define DEFAULT_TX_CHECK      (EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | \
+                                EESR_RTO)
+-#define DEFAULT_EESR_ERR_CHECK        (EESR_TWB | EESR_TABT | EESR_RABT | \
++#define DEFAULT_EESR_ERR_CHECK        (EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE | \
+                                EESR_RDE | EESR_RFRMER | EESR_ADE | \
+                                EESR_TFE | EESR_TDE | EESR_ECI)
+ #define DEFAULT_TX_ERROR_CHECK        (EESR_TWB | EESR_TABT | EESR_ADE | EESR_TDE | \
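Review bot: Nothing in the code records the rule this fix restores, namely that every error interrupt the driver enables has to appear in `eesr_err_check`, or it is never handled and cleared. A comment on DEFAULT_EESR_ERR_CHECK in sh_eth.h, e.g. `/* must cover every EESR error bit whose interrupt is enabled, or the IRQ is never acknowledged */`, would keep the next per-SoC initializer from repeating the omission. The `.tx_error_check` initializers next to the changed lines in sh_eth.c still end in `\`, so the backslash cleanup mentioned in the description is only partial.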
diff --git a/queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch b/queue-3.4/sunvnet-vnet_port_remove-must-call-unregister_netdev.patch
new file mode 100644 (file)
index 0000000..0843348
--- /dev/null
@@ -0,0 +1,30 @@
+From 798b483877ed2d341e824511e5d4a430680f640c Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Mon, 1 Jul 2013 16:49:22 -0500
+Subject: sunvnet: vnet_port_remove must call unregister_netdev
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+[ Upstream commit aabb9875d02559ab9b928cd6f259a5cc4c21a589 ]
+
+The missing call to unregister_netdev() leaves the interface active
+after the driver is unloaded by rmmod.
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sun/sunvnet.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -1243,6 +1243,8 @@ static int vnet_port_remove(struct vio_d
+               dev_set_drvdata(&vdev->dev, NULL);
+               kfree(port);
++
++              unregister_netdev(vp->dev);
+       }
+       return 0;
+ }
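Review bot: In vnet_port_remove() the new `unregister_netdev(vp->dev);` runs after `kfree(port);`, so the net device is still registered while the port is torn down and freed. If any netdev callback can reach the port until the device is unregistered (how ports are linked to `vp` is outside the hunk), that ordering leaves a window for use of freed memory; calling `unregister_netdev(vp->dev);` before `kfree(port);` would close it. It is also worth confirming that `vp` does not live inside `port`, and that a vnet with more than one port should really lose its netdev when a single port is removed. The start of the function is outside the hunk.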
diff --git a/queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch b/queue-3.4/vlan-fix-a-race-in-egress-prio-management.patch
new file mode 100644 (file)
index 0000000..d7404b3
--- /dev/null
@@ -0,0 +1,47 @@
+From 13283a8c109808988467f5a7f9adb8e29a54a94f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 18 Jul 2013 09:35:10 -0700
+Subject: vlan: fix a race in egress prio management
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3e3aac497513c669e1c62c71e1d552ea85c1d974 ]
+
+egress_priority_map[] hash table updates are protected by rtnl,
+and we never remove elements until device is dismantled.
+
+We have to make sure that before inserting an new element in hash table,
+all its fields are committed to memory or else another cpu could
+find corrupt values and crash.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_
+ {
+       struct vlan_priority_tci_mapping *mp;
++      smp_rmb(); /* coupled with smp_wmb() in vlan_dev_set_egress_priority() */
++
+       mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)];
+       while (mp) {
+               if (mp->priority == skb->priority) {
+@@ -235,6 +237,11 @@ int vlan_dev_set_egress_priority(const s
+       np->next = mp;
+       np->priority = skb_prio;
+       np->vlan_qos = vlan_qos;
++      /* Before inserting this element in hash table, make sure all its fields
++       * are committed to memory.
++       * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask()
++       */
++      smp_wmb();
+       vlan->egress_priority_map[skb_prio & 0xF] = np;
+       if (vlan_qos)
+               vlan->nr_egress_mappings++;
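Review bot: In vlan_dev_get_egress_qos_mask() the `smp_rmb()` is issued before the list head is loaded, so it does not sit between the load of `mp` and the loads of `mp->priority` and `mp->vlan_qos`, which is the ordering the writer's `smp_wmb()` needs a counterpart for. Architectures that honour address dependencies order those loads anyway, but to express the pairing the barrier belongs after `mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)];`, e.g. `smp_read_barrier_depends();` (or `smp_rmb();`) on the following line, with the existing comment kept next to it. The reader's loop continues outside the hunk.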
diff --git a/queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch b/queue-3.4/x25-fix-broken-locking-in-ioctl-error-paths.patch
new file mode 100644 (file)
index 0000000..0c654f8
--- /dev/null
@@ -0,0 +1,64 @@
+From 5b1332df6784cfb72bf8df79caf874fce021f965 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Fri, 28 Jun 2013 12:13:52 -0400
+Subject: x25: Fix broken locking in ioctl error paths.
+
+From: Dave Jones <davej@redhat.com>
+
+[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ]
+
+Two of the x25 ioctl cases have error paths that break out of the function without
+unlocking the socket, leading to this warning:
+
+================================================
+[ BUG: lock held when returning to user space! ]
+3.10.0-rc7+ #36 Not tainted
+------------------------------------------------
+trinity-child2/31407 is leaving the kernel with locks still held!
+1 lock held by trinity-child2/31407:
+ #0:  (sk_lock-AF_X25){+.+.+.}, at: [<ffffffffa024b6da>] x25_ioctl+0x8a/0x740 [x25]
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/x25/af_x25.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1586,11 +1586,11 @@ out_cud_release:
+       case SIOCX25CALLACCPTAPPRV: {
+               rc = -EINVAL;
+               lock_sock(sk);
+-              if (sk->sk_state != TCP_CLOSE)
+-                      break;
+-              clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
++              if (sk->sk_state == TCP_CLOSE) {
++                      clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
++                      rc = 0;
++              }
+               release_sock(sk);
+-              rc = 0;
+               break;
+       }
+@@ -1598,14 +1598,15 @@ out_cud_release:
+               rc = -EINVAL;
+               lock_sock(sk);
+               if (sk->sk_state != TCP_ESTABLISHED)
+-                      break;
++                      goto out_sendcallaccpt_release;
+               /* must call accptapprv above */
+               if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
+-                      break;
++                      goto out_sendcallaccpt_release;
+               x25_write_internal(sk, X25_CALL_ACCEPTED);
+               x25->state = X25_STATE_3;
+-              release_sock(sk);
+               rc = 0;
++out_sendcallaccpt_release:
++              release_sock(sk);
+               break;
+       }