--- /dev/null
+From a57d317b332165a84b020006af9d2c158cf267fc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 12 Oct 2013 14:08:34 -0700
+Subject: bnx2x: record rx queue for LRO packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 60e66fee56b2256dcb1dc2ea1b2ddcb6e273857d ]
+
+RPS support is kind of broken on bnx2x, because only non LRO packets
+get proper rx queue information. This triggers reorders, as it seems
+bnx2x like to generate a non LRO packet for segment including TCP PUSH
+flag : (this might be pure coincidence, but all the reorders I've
+seen involve segments with a PUSH)
+
+11:13:34.335847 IP A > B: . 415808:447136(31328) ack 1 win 457 <nop,nop,timestamp 3789336 3985797>
+11:13:34.335992 IP A > B: . 447136:448560(1424) ack 1 win 457 <nop,nop,timestamp 3789336 3985797>
+11:13:34.336391 IP A > B: . 448560:479888(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985797>
+11:13:34.336425 IP A > B: P 511216:512640(1424) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
+11:13:34.336423 IP A > B: . 479888:511216(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
+11:13:34.336924 IP A > B: . 512640:543968(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
+11:13:34.336963 IP A > B: . 543968:575296(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
+
+We must call skb_record_rx_queue() to properly give to RPS (and more
+generally for TX queue selection on forward path) the receive queue
+information.
+
+Similar fix is needed for skb_mark_napi_id(), but will be handled
+in a separate patch to ease stable backports.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Cc: Eilon Greenstein <eilong@broadcom.com>
+Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -547,6 +547,7 @@ static inline void bnx2x_tpa_stop(struct
+ skb, cqe, cqe_idx)) {
+ if (tpa_info->parsing_flags & PARSING_FLAGS_VLAN)
+ __vlan_hwaccel_put_tag(skb, tpa_info->vlan_tag);
++ skb_record_rx_queue(skb, fp->rx_queue);
+ napi_gro_receive(&fp->napi, skb);
+ } else {
+ DP(NETIF_MSG_RX_STATUS,
--- /dev/null
+From 49b5fdb265cd3b947e27bd8434c4070dc7ef6d2e Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Tue, 15 Oct 2013 14:57:45 -0400
+Subject: bridge: Correctly clamp MAX forward_delay when enabling STP
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit 4b6c7879d84ad06a2ac5b964808ed599187a188d ]
+
+Commit be4f154d5ef0ca147ab6bcd38857a774133f5450
+ bridge: Clamp forward_delay when enabling STP
+had a typo when attempting to clamp maximum forward delay.
+
+It is possible to set bridge_forward_delay to be higher then
+permitted maximum when STP is off. When turning STP on, the
+higher then allowed delay has to be clamed down to max value.
+
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: Stephen Hemminger <shemminger@vyatta.com>
+Reviewed-by: Veaceslav Falico <vfalico@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_if.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -134,7 +134,7 @@ static void br_stp_start(struct net_brid
+
+ if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY)
+ __br_set_forward_delay(br, BR_MIN_FORWARD_DELAY);
+- else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY)
++ else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY)
+ __br_set_forward_delay(br, BR_MAX_FORWARD_DELAY);
+
+ if (r == 0) {
--- /dev/null
+From 87534b7959309129f7f6be19e23805aed8eb912c Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 5 Oct 2013 21:25:17 +0200
+Subject: can: dev: fix nlmsg size calculation in can_get_size()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit fe119a05f8ca481623a8d02efcc984332e612528 ]
+
+This patch fixes the calculation of the nlmsg size, by adding the missing
+nla_total_size().
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -665,14 +665,14 @@ static size_t can_get_size(const struct
+ size_t size;
+
+ size = nla_total_size(sizeof(u32)); /* IFLA_CAN_STATE */
+- size += sizeof(struct can_ctrlmode); /* IFLA_CAN_CTRLMODE */
++ size += nla_total_size(sizeof(struct can_ctrlmode)); /* IFLA_CAN_CTRLMODE */
+ size += nla_total_size(sizeof(u32)); /* IFLA_CAN_RESTART_MS */
+- size += sizeof(struct can_bittiming); /* IFLA_CAN_BITTIMING */
+- size += sizeof(struct can_clock); /* IFLA_CAN_CLOCK */
++ size += nla_total_size(sizeof(struct can_bittiming)); /* IFLA_CAN_BITTIMING */
++ size += nla_total_size(sizeof(struct can_clock)); /* IFLA_CAN_CLOCK */
+ if (priv->do_get_berr_counter) /* IFLA_CAN_BERR_COUNTER */
+- size += sizeof(struct can_berr_counter);
++ size += nla_total_size(sizeof(struct can_berr_counter));
+ if (priv->bittiming_const) /* IFLA_CAN_BITTIMING_CONST */
+- size += sizeof(struct can_bittiming_const);
++ size += nla_total_size(sizeof(struct can_bittiming_const));
+
+ return size;
+ }
--- /dev/null
+From 6167e136d789ca819387fcdeebdb79a6ec89cf39 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:03:07 +0200
+Subject: connector: use nlmsg_len() to check message length
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ]
+
+The current code tests the length of the whole netlink message to be
+at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
+the length of the netlink message header. Use nlmsg_len() instead to
+fix this "off-by-NLMSG_HDRLEN" size check.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/connector/connector.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_bu
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+ struct nlmsghdr *nlh;
+- int err;
+ struct sk_buff *skb;
++ int len, err;
+
+ skb = skb_get(__skb);
+
+ if (skb->len >= NLMSG_SPACE(0)) {
+ nlh = nlmsg_hdr(skb);
++ len = nlmsg_len(nlh);
+
+- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
++ if (len < (int)sizeof(struct cn_msg) ||
+ skb->len < nlh->nlmsg_len ||
+- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
++ len > CONNECTOR_MAX_MSG_SIZE) {
+ kfree_skb(skb);
+ return;
+ }
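Review bot: The `(int)` cast in `len < (int)sizeof(struct cn_msg)` is load-bearing and has no comment: when nlmsg_len is smaller than the netlink header, nlmsg_len() yields a negative `len`, which an unsigned comparison would let through. I would add `/* len is negative if nlmsg_len < NLMSG_HDRLEN; keep this comparison signed */` above the condition so the cast is not later removed as noise. The check also only proves that a struct cn_msg header fits in the payload. Whether the cn_msg's own length field is compared with `len` before a callback uses the data is not visible in this hunk and should be confirmed. cn_rx_skb continues past the end of the hunk.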
--- /dev/null
+From 8aa5adcf6908d835e5ef6ead5c09068e537ee484 Mon Sep 17 00:00:00 2001
+From: Mariusz Ceier <mceier+kernel@gmail.com>
+Date: Mon, 21 Oct 2013 19:45:04 +0200
+Subject: davinci_emac.c: Fix IFF_ALLMULTI setup
+
+From: Mariusz Ceier <mceier+kernel@gmail.com>
+
+[ Upstream commit d69e0f7ea95fef8059251325a79c004bac01f018 ]
+
+When IFF_ALLMULTI flag is set on interface and IFF_PROMISC isn't,
+emac_dev_mcast_set should only enable RX of multicasts and reset
+MACHASH registers.
+
+It does this, but afterwards it either sets up multicast MACs
+filtering or disables RX of multicasts and resets MACHASH registers
+again, rendering IFF_ALLMULTI flag useless.
+
+This patch fixes emac_dev_mcast_set, so that multicast MACs filtering and
+disabling of RX of multicasts are skipped when IFF_ALLMULTI flag is set.
+
+Tested with kernel 2.6.37.
+
+Signed-off-by: Mariusz Ceier <mceier+kernel@gmail.com>
+Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -875,8 +875,7 @@ static void emac_dev_mcast_set(struct ne
+ netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES) {
+ mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST);
+ emac_add_mcast(priv, EMAC_ALL_MULTI_SET, NULL);
+- }
+- if (!netdev_mc_empty(ndev)) {
++ } else if (!netdev_mc_empty(ndev)) {
+ struct netdev_hw_addr *ha;
+
+ mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST);
--- /dev/null
+From bc614f7f8b6c78edf425608f2cde7a3d561d9e45 Mon Sep 17 00:00:00 2001
+From: Salva Peiró <speiro@ai2.upv.es>
+Date: Fri, 11 Oct 2013 12:50:03 +0300
+Subject: farsync: fix info leak in ioctl
+
+From: Salva Peiró <speiro@ai2.upv.es>
+
+[ Upstream commit 96b340406724d87e4621284ebac5e059d67b2194 ]
+
+The fst_get_iface() code fails to initialize the two padding bytes of
+struct sync_serial_settings after the ->loopback member. Add an explicit
+memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/farsync.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card
+ }
+
+ i = port->index;
++ memset(&sync, 0, sizeof(sync));
+ sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
+ /* Lucky card and linux use same encoding here */
+ sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
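Review bot: The added `memset(&sync, 0, sizeof(sync));` has no comment saying it exists for the padding bytes, so next to the field-by-field assignments that follow it looks redundant and could be dropped in a later cleanup. I would put `/* clear padding after ->loopback: sync is copied out to user space */` above it. The copy-out itself is outside the hunk, so it is worth confirming there that the copied length is `sizeof(sync)` and not a caller-supplied size. fst_get_iface starts and ends outside the hunk.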
--- /dev/null
+From 1d0a87b6347d4854cd0eadaa59c47c77d7171cad Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 22 Oct 2013 00:07:47 +0200
+Subject: inet: fix possible memory corruption with UDP_CORK and UFO
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ This is a simplified -stable version of a set of upstream commits. ]
+
+This is a replacement patch only for stable which does fix the problems
+handled by the following two commits in -net:
+
+"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
+"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
+
+Three frames are written on a corked udp socket for which the output
+netdevice has UFO enabled. If the first and third frame are smaller than
+the mtu and the second one is bigger, we enqueue the second frame with
+skb_append_datato_frags without initializing the gso fields. This leads
+to the third frame appended regulary and thus constructing an invalid skb.
+
+This fixes the problem by always using skb_append_datato_frags as soon
+as the first frag got enqueued to the skb without marking the packet
+as SKB_GSO_UDP.
+
+The problem with only two frames for ipv6 was fixed by "ipv6: udp
+packets following an UFO enqueued packet need also be handled by UFO"
+(2811ebac2521ceac84f2bdae402455baa6a7fb47).
+
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 5 +++++
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1208,6 +1208,11 @@ static inline int skb_pagelen(const stru
+ return len + skb_headlen(skb);
+ }
+
++static inline bool skb_has_frags(const struct sk_buff *skb)
++{
++ return skb_shinfo(skb)->nr_frags;
++}
++
+ /**
+ * __skb_fill_page_desc - initialise a paged fragment in an skb
+ * @skb: buffer containing fragment to be initialised
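Review bot: skb_has_frags() returns `skb_shinfo(skb)->nr_frags` through an implicit integer-to-bool conversion and has no comment, while the function right after it in this header carries kernel-doc. I would write `return skb_shinfo(skb)->nr_frags != 0;` and add a one-line comment that it tests paged fragments only (nr_frags), presumably as opposed to a fragment list. The two callers changed in this patch (__ip_append_data and ip6_append_data) rely on exactly that meaning to stay on the UFO append path once a fragment has been queued, so the contract should be written down where the helper is defined.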
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -846,7 +846,7 @@ static int __ip_append_data(struct sock
+ csummode = CHECKSUM_PARTIAL;
+
+ cork->length += length;
+- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
+ err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1345,7 +1345,7 @@ int ip6_append_data(struct sock *sk, int
+ skb = skb_peek_tail(&sk->sk_write_queue);
+ cork->length += length;
+ if (((length > mtu) ||
+- (skb && skb_is_gso(skb))) &&
++ (skb && skb_has_frags(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO)) {
+ err = ip6_ufo_append_data(sk, getfrag, from, length,
--- /dev/null
+From 91a8ae09a6eb2abee1b1c2a612f548c194b810af Mon Sep 17 00:00:00 2001
+From: Jiri Benc <jbenc@redhat.com>
+Date: Fri, 4 Oct 2013 17:04:48 +0200
+Subject: ipv4: fix ineffective source address selection
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit 0a7e22609067ff524fc7bbd45c6951dd08561667 ]
+
+When sending out multicast messages, the source address in inet->mc_addr is
+ignored and rewritten by an autoselected one. This is caused by a typo in
+commit 813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output
+route lookups").
+
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2713,7 +2713,7 @@ static struct rtable *ip_route_output_sl
+ RT_SCOPE_LINK);
+ goto make_route;
+ }
+- if (fl4->saddr) {
++ if (!fl4->saddr) {
+ if (ipv4_is_multicast(fl4->daddr))
+ fl4->saddr = inet_select_addr(dev_out, 0,
+ fl4->flowi4_scope);
--- /dev/null
+From fad2fa08df45a84bd4e0a97ac7d6acad8c90c9fa Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Date: Tue, 8 Oct 2013 16:41:13 +0200
+Subject: ipv6: restrict neighbor entry creation to output flow
+
+From: Marcelo Ricardo Leitner <mleitner@redhat.com>
+
+This patch is based on 3.2.y branch, the one used by reporter. Please let me
+know if it should be different. Thanks.
+
+The patch which introduced the regression was applied on stables:
+3.0.64 3.4.31 3.7.8 3.2.39
+
+The patch which introduced the regression was for stable trees only.
+
+---8<---
+
+Commit 0d6a77079c475033cb622c07c5a880b392ef664e "ipv6: do not create
+neighbor entries for local delivery" introduced a regression on
+which routes to local delivery would not work anymore. Like this:
+
+ $ ip -6 route add local 2001::/64 dev lo
+ $ ping6 -c1 2001::9
+ PING 2001::9(2001::9) 56 data bytes
+ ping: sendmsg: Invalid argument
+
+As this is a local delivery, that commit would not allow the creation of a
+neighbor entry and thus the packet cannot be sent.
+
+But as TPROXY scenario actually needs to avoid the neighbor entry creation only
+for input flow, this patch now limits previous patch to input flow, keeping
+output as before that patch.
+
+Reported-by: Debabrata Banerjee <dbavatar@gmail.com>
+Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -818,7 +818,7 @@ static struct rt6_info *rt6_alloc_clone(
+ }
+
+ static struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table, int oif,
+- struct flowi6 *fl6, int flags)
++ struct flowi6 *fl6, int flags, bool input)
+ {
+ struct fib6_node *fn;
+ struct rt6_info *rt, *nrt;
+@@ -826,8 +826,11 @@ static struct rt6_info *ip6_pol_route(st
+ int attempts = 3;
+ int err;
+ int reachable = net->ipv6.devconf_all->forwarding ? 0 : RT6_LOOKUP_F_REACHABLE;
++ int local = RTF_NONEXTHOP;
+
+ strict |= flags & RT6_LOOKUP_F_IFACE;
++ if (input)
++ local |= RTF_LOCAL;
+
+ relookup:
+ read_lock_bh(&table->tb6_lock);
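Review bot: The new variable `local` is a flag mask, not a boolean, and its name hides that: it always holds RTF_NONEXTHOP and gains RTF_LOCAL only when `input` is true, then is tested against rt->rt6i_flags in the `restart:` hunk. A name such as `no_neigh_flags` with a comment like `/* route flags for which no neighbour entry is created; RTF_LOCAL only on the input path */` would make `!(rt->rt6i_flags & local)` readable without the commit message. The bare `true`/`false` arguments at the two wrapper call sites would be easier to read with the same explanation on the `input` parameter. ip6_pol_route continues outside this hunk.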
+@@ -847,7 +850,7 @@ restart:
+ read_unlock_bh(&table->tb6_lock);
+
+ if (!dst_get_neighbour_noref_raw(&rt->dst) &&
+- !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
++ !(rt->rt6i_flags & local))
+ nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
+ else if (!(rt->dst.flags & DST_HOST))
+ nrt = rt6_alloc_clone(rt, &fl6->daddr);
+@@ -891,7 +894,7 @@ out2:
+ static struct rt6_info *ip6_pol_route_input(struct net *net, struct fib6_table *table,
+ struct flowi6 *fl6, int flags)
+ {
+- return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags);
++ return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags, true);
+ }
+
+ static struct dst_entry *ip6_route_input_lookup(struct net *net,
+@@ -924,7 +927,7 @@ void ip6_route_input(struct sk_buff *skb
+ static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table *table,
+ struct flowi6 *fl6, int flags)
+ {
+- return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags);
++ return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags, false);
+ }
+
+ struct dst_entry * ip6_route_output(struct net *net, const struct sock *sk,
--- /dev/null
+From 3c1e2fcbfe9c5bd21e0968f229b4f0e535ad1c17 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Oct 2013 06:30:09 -0700
+Subject: l2tp: must disable bh before calling l2tp_xmit_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 455cc32bf128e114455d11ad919321ab89a2c312 ]
+
+François Cachereul made a very nice bug report and suspected
+the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from
+process context was not good.
+
+This problem was added by commit 6af88da14ee284aaad6e4326da09a89191ab6165
+("l2tp: Fix locking in l2tp_core.c").
+
+l2tp_eth_dev_xmit() runs from BH context, so we must disable BH
+from other l2tp_xmit_skb() users.
+
+[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662]
+[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox
+ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod
+virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan]
+[ 452.064012] CPU 1
+[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643]
+[ 452.080015] CPU 2
+[ 452.080015]
+[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
+[ 452.080015] RIP: 0010:[<ffffffff81059f6c>] [<ffffffff81059f6c>] do_raw_spin_lock+0x17/0x1f
+[ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293
+[ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000
+[ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110
+[ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000
+[ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286
+[ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000
+[ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000
+[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0
+[ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0)
+[ 452.080015] Stack:
+[ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1
+[ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e
+[ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600
+[ 452.080015] Call Trace:
+[ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
+[ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
+[ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
+[ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
+[ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
+[ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
+[ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
+[ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
+[ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
+[ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
+[ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
+[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3
+[ 452.080015] Call Trace:
+[ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
+[ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
+[ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
+[ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
+[ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
+[ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
+[ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
+[ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
+[ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
+[ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
+[ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
+[ 452.064012]
+[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
+[ 452.064012] RIP: 0010:[<ffffffff81059f6e>] [<ffffffff81059f6e>] do_raw_spin_lock+0x19/0x1f
+[ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297
+[ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002
+[ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110
+[ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c
+[ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18
+[ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0
+[ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000
+[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0
+[ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410)
+[ 452.064012] Stack:
+[ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a
+[ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62
+[ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276
+[ 452.064012] Call Trace:
+[ 452.064012] <IRQ>
+[ 452.064012] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
+[ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb
+[ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
+[ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
+[ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
+[ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
+[ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
+[ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84
+[ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
+[ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269
+[ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
+[ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
+[ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
+[ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
+[ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
+[ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184
+[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8
+[ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
+[ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
+[ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26
+[ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82
+[ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c
+[ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5
+[ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e
+[ 452.064012] <EOI>
+[ 452.064012] [<ffffffff810b82a1>] ? kfree+0x8a/0xa3
+[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
+[ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
+[ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
+[ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
+[ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
+[ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
+[ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
+[ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
+[ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
+[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 <eb> f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48
+[ 452.064012] Call Trace:
+[ 452.064012] <IRQ> [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
+[ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb
+[ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
+[ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
+[ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
+[ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
+[ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
+[ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84
+[ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
+[ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269
+[ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
+[ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
+[ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
+[ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
+[ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
+[ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184
+[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8
+[ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
+[ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
+[ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26
+[ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82
+[ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c
+[ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5
+[ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e
+[ 452.064012] <EOI> [<ffffffff810b82a1>] ? kfree+0x8a/0xa3
+[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
+[ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
+[ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
+[ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
+[ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
+[ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
+[ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
+[ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
+[ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
+[ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
+
+Reported-by: François Cachereul <f.cachereul@alphalink.fr>
+Tested-by: François Cachereul <f.cachereul@alphalink.fr>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -357,7 +357,9 @@ static int pppol2tp_sendmsg(struct kiocb
+ goto error_put_sess_tun;
+ }
+
++ local_bh_disable();
+ l2tp_xmit_skb(session, skb, session->hdr_len);
++ local_bh_enable();
+
+ sock_put(ps->tunnel_sock);
+ sock_put(sk);
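Review bot: The rule that l2tp_xmit_skb() must run with bottom halves disabled is now enforced by hand at each call site, here in pppol2tp_sendmsg and again in the pppol2tp_xmit hunk below, with no comment saying why. A short comment on both, for example `/* l2tp_xmit_skb() uses bh_lock_sock(); BH must be disabled when not already in BH context */`, would keep a later caller from reintroducing the soft lockup shown in the trace. The return value of l2tp_xmit_skb() is also discarded at both sites. If it reports a failed transmit, pppol2tp_sendmsg may still report success to the caller, which should be checked in the part of the function outside this hunk.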
+@@ -432,7 +434,9 @@ static int pppol2tp_xmit(struct ppp_chan
+ skb->data[0] = ppph[0];
+ skb->data[1] = ppph[1];
+
++ local_bh_disable();
+ l2tp_xmit_skb(session, skb, session->hdr_len);
++ local_bh_enable();
+
+ sock_put(sk_tun);
+ sock_put(sk);
--- /dev/null
+From f7ce17797edc31ceda97040dbfe8e47b72344618 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 1 Oct 2013 21:04:11 -0700
+Subject: net: do not call sock_put() on TIMEWAIT sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ]
+
+commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+We should instead use inet_twsk_put()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_hashtables.c | 2 +-
+ net/ipv6/inet6_hashtables.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -268,7 +268,7 @@ begintw:
+ }
+ if (unlikely(!INET_TW_MATCH(sk, net, hash, acookie,
+ saddr, daddr, ports, dif))) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+ goto begintw;
+ }
+ goto out;
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -110,7 +110,7 @@ begintw:
+ goto out;
+ }
+ if (!INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif)) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+ goto begintw;
+ }
+ goto out;
--- /dev/null
+From 0bcc2bad7fea496c21fb7095d5b1ffa47036b5ce Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Tue, 15 Oct 2013 22:01:29 -0400
+Subject: net: dst: provide accessor function to dst->xfrm
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit e87b3998d795123b4139bc3f25490dd236f68212 ]
+
+dst->xfrm is conditionally defined. Provide accessor funtion that
+is always available.
+
+Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -464,10 +464,22 @@ static inline struct dst_entry *xfrm_loo
+ {
+ return dst_orig;
+ }
++
++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
++{
++ return NULL;
++}
++
+ #else
+ extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
+ const struct flowi *fl, struct sock *sk,
+ int flags);
++
++/* skb attached with this dst needs transformation if dst->xfrm is valid */
++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
++{
++ return dst->xfrm;
++}
+ #endif
+
+ #endif /* _NET_DST_H */
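Review bot: Only the second `dst_xfrm()` definition carries a comment, and neither says what a NULL return means for the caller. The stub in the first branch always returns NULL, so a one-line comment there would make the contract explicit, e.g. `/* no xfrm state can be attached in this configuration; always NULL */`. The real accessor dereferences `dst` unconditionally, so it is worth stating that callers must pass a non-NULL dst. The `#if` that selects between the two branches starts outside the hunk.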
--- /dev/null
+From 08414cb6947bb04badfb47c97c082166a6e029cb Mon Sep 17 00:00:00 2001
+From: Seif Mazareeb <seif@marvell.com>
+Date: Thu, 17 Oct 2013 20:33:21 -0700
+Subject: net: fix cipso packet validation when !NETLABEL
+
+From: Seif Mazareeb <seif@marvell.com>
+
+[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ]
+
+When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
+forever in the main loop if opt[opt_iter + 1] == 0. This will cause a kernel
+crash in an SMP system, since the CPU executing this function will
+stall and not respond to IPIs.
+
+This problem can be reproduced by running the IP Stack Integrity Checker
+(http://isic.sourceforge.net) using the following command on a Linux machine
+connected to DUT:
+
+"icmpsic -s rand -d <DUT IP address> -r 123456"
+wait (1-2 min)
+
+Signed-off-by: Seif Mazareeb <seif@marvell.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cipso_ipv4.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/net/cipso_ipv4.h
++++ b/include/net/cipso_ipv4.h
+@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons
+ unsigned char err_offset = 0;
+ u8 opt_len = opt[1];
+ u8 opt_iter;
++ u8 tag_len;
+
+ if (opt_len < 8) {
+ err_offset = 1;
+@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons
+ }
+
+ for (opt_iter = 6; opt_iter < opt_len;) {
+- if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
++ tag_len = opt[opt_iter + 1];
++ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
+ err_offset = opt_iter + 1;
+ goto out;
+ }
+- opt_iter += opt[opt_iter + 1];
++ opt_iter += tag_len;
+ }
+
+ out:
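Review bot: The loop's length test should use the new `tag_len` for both comparisons; as written it reads `opt[opt_iter + 1]` a second time and only rejects zero, so a tag length of 1 still advances the iterator into the middle of a tag header. Assuming the CIPSO tag length counts its own type and length octets, `if (tag_len < 2 || tag_len > (opt_len - opt_iter)) {` is the tighter check. Separately, when `opt_iter == opt_len - 1` the read of `opt[opt_iter + 1]` indexes one byte past the option length taken from this untrusted packet; whether that byte is still inside the IP header is not visible here, so an `opt_len - opt_iter < 2` guard before the read would be the safe form. The function body starts and ends outside the hunk.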
--- /dev/null
+From c868e4afb84b7fe6c502d7f059bd21492cf932a5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 3 Oct 2013 00:27:20 +0300
+Subject: net: heap overflow in __audit_sockaddr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]
+
+We need to cap ->msg_namelen or it leads to a buffer overflow when we
+do the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
+exploit this bug.
+
+The call tree is:
+___sys_recvmsg()
+ move_addr_to_user()
+ audit_sockaddr()
+ __audit_sockaddr()
+
+Reported-by: Jüri Aedla <juri.aedla@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/compat.c | 2 ++
+ net/socket.c | 24 ++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms
+ __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
+ kmsg->msg_name = compat_ptr(tmp1);
+ kmsg->msg_iov = compat_ptr(tmp2);
+ kmsg->msg_control = compat_ptr(tmp3);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1899,6 +1899,16 @@ struct used_address {
+ unsigned int name_len;
+ };
+
++static int copy_msghdr_from_user(struct msghdr *kmsg,
++ struct msghdr __user *umsg)
++{
++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
++ return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
++ return 0;
++}
++
+ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned flags,
+ struct used_address *used_address)
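Review bot: `copy_msghdr_from_user()` has no comment saying why `msg_namelen` is bounded, and the reason is not obvious at the call sites. A short header comment such as `/* msg_namelen comes from userspace and is later used as a copy length into a sockaddr_storage-sized buffer; reject anything larger */` would record it. It may also be worth noting that the comparison against `sizeof()` is done in an unsigned type, so if `msg_namelen` is a signed int (its declaration is not in this hunk) negative values are rejected by the same test.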
+@@ -1917,8 +1927,11 @@ static int ___sys_sendmsg(struct socket
+ if (MSG_CMSG_COMPAT & flags) {
+ if (get_compat_msghdr(msg_sys, msg_compat))
+ return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+ /* do not move before msg_sys is valid */
+ err = -EMSGSIZE;
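Review bot: The compat branch still collapses every failure of `get_compat_msghdr()` to `-EFAULT`, so the new `-EINVAL` added in net/compat.c for an oversized `msg_namelen` never reaches the caller, while the native branch next to it now propagates `err`. Making the two branches agree would be `err = get_compat_msghdr(msg_sys, msg_compat);` followed by `if (err) return err;`. The same pattern is in the `___sys_recvmsg()` hunk below. Both function bodies extend beyond their hunks.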
+@@ -2129,8 +2142,11 @@ static int ___sys_recvmsg(struct socket
+ if (MSG_CMSG_COMPAT & flags) {
+ if (get_compat_msghdr(msg_sys, msg_compat))
+ return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+ err = -EMSGSIZE;
+ if (msg_sys->msg_iovlen > UIO_MAXIOV)
--- /dev/null
+From d55f1ab4348a82471e38614a8183bca97d3bb2aa Mon Sep 17 00:00:00 2001
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Date: Wed, 2 Oct 2013 12:57:21 +0200
+Subject: net: mv643xx_eth: fix orphaned statistics timer crash
+
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+
+[ Upstream commit f564412c935111c583b787bcc18157377b208e2e ]
+
+The periodic statistics timer gets started at port _probe() time, but
+is stopped on _stop() only. In a modular environment, this can cause
+the timer to access already deallocated memory, if the module is unloaded
+without starting the eth device. To fix this, we add the timer right
+before the port is started, instead of at _probe() time.
+
+Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Acked-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2368,6 +2368,7 @@ static int mv643xx_eth_open(struct net_d
+ mp->int_mask |= INT_TX_END_0 << i;
+ }
+
++ add_timer(&mp->mib_counters_timer);
+ port_start(mp);
+
+ wrlp(mp, INT_MASK_EXT, INT_EXT_LINK_PHY | INT_EXT_TX);
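Review bot: `add_timer()` in `mv643xx_eth_open()` uses whatever `expires` value the timer already holds, and the only visible assignment of `expires` is the one left in `mv643xx_eth_probe()` (`jiffies + 30 * HZ` at probe time). On an open that happens long after probe, or on a second open after a stop, that expiry may already be in the past, so the first statistics update would fire at once rather than after 30 seconds; this is an inference, since the stop path is not in the diff. Arming with an explicit expiry, `mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ);`, avoids depending on the stale field. Both function bodies start and end outside their hunks.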
+@@ -2909,7 +2910,6 @@ static int mv643xx_eth_probe(struct plat
+ mp->mib_counters_timer.data = (unsigned long)mp;
+ mp->mib_counters_timer.function = mib_counters_timer_wrapper;
+ mp->mib_counters_timer.expires = jiffies + 30 * HZ;
+- add_timer(&mp->mib_counters_timer);
+
+ spin_lock_init(&mp->mib_counters_lock);
+
--- /dev/null
+From b6f073a85799fc00d41250c4fc254d499d59d51f Mon Sep 17 00:00:00 2001
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Date: Wed, 2 Oct 2013 12:57:20 +0200
+Subject: net: mv643xx_eth: update statistics timer from timer context only
+
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+
+[ Upstream commit 041b4ddb84989f06ff1df0ca869b950f1ee3cb1c ]
+
+Each port driver installs a periodic timer to update port statistics
+by calling mib_counters_update. As mib_counters_update is also called
+from non-timer context, we should not reschedule the timer there but
+rather move it to timer-only context.
+
+Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Acked-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -1274,15 +1274,13 @@ static void mib_counters_update(struct m
+ p->rx_discard += rdlp(mp, RX_DISCARD_FRAME_CNT);
+ p->rx_overrun += rdlp(mp, RX_OVERRUN_FRAME_CNT);
+ spin_unlock_bh(&mp->mib_counters_lock);
+-
+- mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ);
+ }
+
+ static void mib_counters_timer_wrapper(unsigned long _mp)
+ {
+ struct mv643xx_eth_private *mp = (void *)_mp;
+-
+ mib_counters_update(mp);
++ mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ);
+ }
+
+
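Review bot: The rewritten `mib_counters_timer_wrapper()` drops the blank line between the `mp` declaration and the first statement, which kernel coding style asks for; the removal looks unrelated to the fix and the blank line could be kept. Because the callback now re-arms itself unconditionally with `mod_timer()`, it would also help to add a comment such as `/* re-armed here only; teardown must use del_timer_sync() */`. The stop path is not part of this diff, so which deletion call it uses should be confirmed.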
--- /dev/null
+From dd70abfaaea5edbf4e54205fff1118f51507012d Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu, 17 Oct 2013 22:51:31 +0200
+Subject: net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 ]
+
+In the case of credentials passing in unix stream sockets (dgram
+sockets seem not affected), we get a rather sparse race after
+commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default").
+
+We have a stream server on receiver side that requests credential
+passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED
+on each spawned/accepted socket on server side to 1 first (as it's
+not inherited), it can happen that in the time between accept() and
+setsockopt() we get interrupted, the sender is being scheduled and
+continues with passing data to our receiver. At that time SO_PASSCRED
+is neither set on sender nor receiver side, hence in cmsg's
+SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534
+(== overflow{u,g}id) instead of what we actually would like to see.
+
+On the sender side, here nc -U, the tests in maybe_add_creds()
+invoked through unix_stream_sendmsg() would fail, as at that exact
+time, as mentioned, the sender has neither SO_PASSCRED on his side
+nor sees it on the server side, and we have a valid 'other' socket
+in place. Thus, sender believes it would just look like a normal
+connection, not needing/requesting SO_PASSCRED at that time.
+
+As reverting 16e5726 would not be an option due to the significant
+performance regression reported when having creds always passed,
+one way/trade-off to prevent that would be to set SO_PASSCRED on
+the listener socket and allow inheriting these flags to the spawned
+socket on server side in accept(). It seems also logical to do so
+if we'd tell the listener socket to pass those flags onwards, and
+would fix the race.
+
+Before, strace:
+
+recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
+ msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
+ cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}},
+ msg_flags=0}, 0) = 5
+
+After, strace:
+
+recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
+ msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
+ cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}},
+ msg_flags=0}, 0) = 5
+
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1247,6 +1247,15 @@ static int unix_socketpair(struct socket
+ return 0;
+ }
+
++static void unix_sock_inherit_flags(const struct socket *old,
++ struct socket *new)
++{
++ if (test_bit(SOCK_PASSCRED, &old->flags))
++ set_bit(SOCK_PASSCRED, &new->flags);
++ if (test_bit(SOCK_PASSSEC, &old->flags))
++ set_bit(SOCK_PASSSEC, &new->flags);
++}
++
+ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
+ {
+ struct sock *sk = sock->sk;
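Review bot: `unix_sock_inherit_flags()` changes what an accepted socket delivers to its reader, but nothing at the definition says why only these two bits are copied or that the copy has to happen before the socket becomes usable. A comment above it, for example `/* Carry SO_PASSCRED/SO_PASSSEC from the listener so credentials are attached to data that arrives before the server could call setsockopt() on the accepted socket */`, would capture the race the commit message describes. It also deserves a line in the socket documentation, since a server that sets SO_PASSCRED on the listener now receives SCM_CREDENTIALS on every accepted connection. `unix_accept()` continues outside this hunk.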
+@@ -1281,6 +1290,7 @@ static int unix_accept(struct socket *so
+ /* attach accepted sock to socket */
+ unix_state_lock(tsk);
+ newsock->state = SS_CONNECTED;
++ unix_sock_inherit_flags(sock, newsock);
+ sock_graft(tsk, newsock);
+ unix_state_unlock(tsk);
+ return 0;
--- /dev/null
+From 9f5ee4f8175bb385f2450e334ddec2a6cdd1edbe Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 7 Oct 2013 23:19:58 +0200
+Subject: net: vlan: fix nlmsg size calculation in vlan_get_size()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit c33a39c575068c2ea9bffb22fd6de2df19c74b89 ]
+
+This patch fixes the calculation of the nlmsg size, by adding the missing
+nla_total_size().
+
+Cc: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -152,7 +152,7 @@ static size_t vlan_get_size(const struct
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+
+ return nla_total_size(2) + /* IFLA_VLAN_ID */
+- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */
++ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */
+ vlan_qos_map_size(vlan->nr_ingress_mappings) +
+ vlan_qos_map_size(vlan->nr_egress_mappings);
+ }
--- /dev/null
+From 5a26a90514e24502d3ec53596ece466899aa4d95 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:03:06 +0200
+Subject: proc connector: fix info leaks
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ]
+
+Initialize event_data for all possible message types to prevent leaking
+kernel stack contents to userland (up to 20 bytes). Also set the flags
+member of the connector message to 0 to prevent leaking two more stack
+bytes this way.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/connector/cn_proc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -64,6 +64,7 @@ void proc_fork_connector(struct task_str
+
+ msg = (struct cn_msg*)buffer;
+ ev = (struct proc_event*)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
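Review bot: The same two initialisations, `memset(&ev->event_data, 0, sizeof(ev->event_data));` and `msg->flags = 0;`, are repeated by hand in each of the eight senders touched by this patch, so a new event type only stays leak-free if its author remembers both lines. A small static helper that maps the buffer to `msg`/`ev` and zeroes these fields (or the whole message) would make the zeroing the default. If the per-function form is kept, the comment on the flags line would say more as `/* not used, but must not carry stack bytes to userland */` than as `/* not used */`. The declaration of `buffer` is outside every hunk, so whether it could simply be zero-initialised there cannot be judged from this diff.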
+@@ -79,6 +80,7 @@ void proc_fork_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ /* If cn_netlink_send() failed, the data is not sent */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+@@ -95,6 +97,7 @@ void proc_exec_connector(struct task_str
+
+ msg = (struct cn_msg*)buffer;
+ ev = (struct proc_event*)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -105,6 +108,7 @@ void proc_exec_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -121,6 +125,7 @@ void proc_id_connector(struct task_struc
+
+ msg = (struct cn_msg*)buffer;
+ ev = (struct proc_event*)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ ev->what = which_id;
+ ev->event_data.id.process_pid = task->pid;
+ ev->event_data.id.process_tgid = task->tgid;
+@@ -144,6 +149,7 @@ void proc_id_connector(struct task_struc
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -159,6 +165,7 @@ void proc_sid_connector(struct task_stru
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -169,6 +176,7 @@ void proc_sid_connector(struct task_stru
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -184,6 +192,7 @@ void proc_ptrace_connector(struct task_s
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -202,6 +211,7 @@ void proc_ptrace_connector(struct task_s
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -217,6 +227,7 @@ void proc_comm_connector(struct task_str
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -228,6 +239,7 @@ void proc_comm_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -243,6 +255,7 @@ void proc_exit_connector(struct task_str
+
+ msg = (struct cn_msg*)buffer;
+ ev = (struct proc_event*)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -255,6 +268,7 @@ void proc_exit_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -278,6 +292,7 @@ static void cn_proc_ack(int err, int rcv
+
+ msg = (struct cn_msg*)buffer;
+ ev = (struct proc_event*)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ msg->seq = rcvd_seq;
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -287,6 +302,7 @@ static void cn_proc_ack(int err, int rcv
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = rcvd_ack + 1;
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
--- /dev/null
+From dfda90b72cc54dc1166005c49d844f4ee055c039 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Tue, 15 Oct 2013 22:01:31 -0400
+Subject: sctp: Perform software checksum if packet has to be fragmented.
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+[ Upstream commit d2dbbba77e95dff4b4f901fee236fef6d9552072 ]
+
+IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum.
+This causes problems if SCTP packets have to be fragmented and
+ip_summed has been set to PARTIAL due to checksum offload support.
+This condition can happen when retransmitting after MTU discovery,
+or when INIT or other control chunks are larger than the MTU.
+Check for the rare fragmentation condition in SCTP and use software
+checksum calculation in this case.
+
+CC: Fan Du <fan.du@windriver.com>
+Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -519,7 +519,7 @@ int sctp_packet_transmit(struct sctp_pac
+ */
+ if (!sctp_checksum_disable) {
+ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
+- (dst_xfrm(dst) != NULL)) {
++ (dst_xfrm(dst) != NULL) || packet->ipfragok) {
+ __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
+
+ /* 3) Put the resultant value into the checksum field in the
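Review bot: `packet->ipfragok` reads as "fragmentation is permitted" rather than "this packet will be fragmented", so with this condition the software CRC32-C may be computed for packets that end up fitting the path MTU. That is safe but may give up the offload more often than the commit message's "rare" suggests; this is hedged, since the place where `ipfragok` is set is not in the hunk. Either way the three reasons for bypassing `NETIF_F_SCTP_CSUM` deserve a comment at the test, e.g. `/* fall back to software CRC32-C: no offload, xfrm will transform the packet, or IP may fragment it */`. `sctp_packet_transmit()` starts and ends outside the hunk.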
--- /dev/null
+From 8039b7fa7a658a8035e6b9b371d1754b6f2b4cac Mon Sep 17 00:00:00 2001
+From: Fan Du <fan.du@windriver.com>
+Date: Tue, 15 Oct 2013 22:01:30 -0400
+Subject: sctp: Use software crc32 checksum when xfrm transform will happen.
+
+From: Fan Du <fan.du@windriver.com>
+
+[ Upstream commit 27127a82561a2a3ed955ce207048e1b066a80a2a ]
+
+igb/ixgbe have hardware sctp checksum support, when this feature is enabled
+and also IPsec is armed to protect sctp traffic, ugly things happened as
+xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing
+up and pack the 16bits result in the checksum field). The result is fail
+establishment of sctp communication.
+
+Signed-off-by: Fan Du <fan.du@windriver.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -518,7 +518,8 @@ int sctp_packet_transmit(struct sctp_pac
+ * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
+ */
+ if (!sctp_checksum_disable) {
+- if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
++ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
++ (dst_xfrm(dst) != NULL)) {
+ __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
+
+ /* 3) Put the resultant value into the checksum field in the
--- /dev/null
+tcp-must-unclone-packets-before-mangling-them.patch
+tcp-do-not-forget-fin-in-tcp_shifted_skb.patch
+net-do-not-call-sock_put-on-timewait-sockets.patch
+net-mv643xx_eth-update-statistics-timer-from-timer-context-only.patch
+net-mv643xx_eth-fix-orphaned-statistics-timer-crash.patch
+net-heap-overflow-in-__audit_sockaddr.patch
+proc-connector-fix-info-leaks.patch
+ipv4-fix-ineffective-source-address-selection.patch
+can-dev-fix-nlmsg-size-calculation-in-can_get_size.patch
+ipv6-restrict-neighbor-entry-creation-to-output-flow.patch
+bridge-correctly-clamp-max-forward_delay-when-enabling-stp.patch
+net-vlan-fix-nlmsg-size-calculation-in-vlan_get_size.patch
+l2tp-must-disable-bh-before-calling-l2tp_xmit_skb.patch
+farsync-fix-info-leak-in-ioctl.patch
+unix_diag-fix-info-leak.patch
+connector-use-nlmsg_len-to-check-message-length.patch
+bnx2x-record-rx-queue-for-lro-packets.patch
+net-dst-provide-accessor-function-to-dst-xfrm.patch
+sctp-use-software-crc32-checksum-when-xfrm-transform-will-happen.patch
+sctp-perform-software-checksum-if-packet-has-to-be-fragmented.patch
+wanxl-fix-info-leak-in-ioctl.patch
+net-unix-inherit-sock_pass-cred-sec-flags-from-socket-to-fix-race.patch
+net-fix-cipso-packet-validation-when-netlabel.patch
+inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
+davinci_emac.c-fix-iff_allmulti-setup.patch
--- /dev/null
+From d12c3a9e07f6412fd62482be0f143cd30d88e573 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 4 Oct 2013 10:31:41 -0700
+Subject: tcp: do not forget FIN in tcp_shifted_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5e8a402f831dbe7ee831340a91439e46f0d38acd ]
+
+Yuchung found following problem :
+
+ There are bugs in the SACK processing code, merging part in
+ tcp_shift_skb_data(), that incorrectly resets or ignores the sacked
+ skbs FIN flag. When a receiver first SACK the FIN sequence, and later
+ throw away ofo queue (e.g., sack-reneging), the sender will stop
+ retransmitting the FIN flag, and hangs forever.
+
+Following packetdrill test can be used to reproduce the bug.
+
+$ cat sack-merge-bug.pkt
+`sysctl -q net.ipv4.tcp_fack=0`
+
+// Establish a connection and send 10 MSS.
+0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
++.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
++.000 bind(3, ..., ...) = 0
++.000 listen(3, 1) = 0
+
++.050 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
++.000 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 6>
++.001 < . 1:1(0) ack 1 win 1024
++.000 accept(3, ..., ...) = 4
+
++.100 write(4, ..., 12000) = 12000
++.000 shutdown(4, SHUT_WR) = 0
++.000 > . 1:10001(10000) ack 1
++.050 < . 1:1(0) ack 2001 win 257
++.000 > FP. 10001:12001(2000) ack 1
++.050 < . 1:1(0) ack 2001 win 257 <sack 10001:11001,nop,nop>
++.050 < . 1:1(0) ack 2001 win 257 <sack 10001:12002,nop,nop>
+// SACK reneg
++.050 < . 1:1(0) ack 12001 win 257
++0 %{ print "unacked: ",tcpi_unacked }%
++5 %{ print "" }%
+
+First, a typo inverted left/right of one OR operation, then
+code forgot to advance end_seq if the merged skb carried FIN.
+
+Bug was added in 2.6.29 by commit 832d11c5cd076ab
+("tcp: Try to restore large SKBs while SACK processing")
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1468,7 +1468,10 @@ static int tcp_shifted_skb(struct sock *
+ tp->lost_cnt_hint -= tcp_skb_pcount(prev);
+ }
+
+- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags;
++ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags;
++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
++ TCP_SKB_CB(prev)->end_seq++;
++
+ if (skb == tcp_highest_sack(sk))
+ tcp_advance_highest_sack(sk, skb);
+
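Review bot: The added `end_seq++` has no comment, and the reason for it is easy to lose: FIN takes one sequence number, which the byte count already shifted into `prev` presumably does not include. Suggested comment above the test: `/* FIN consumes a sequence number; carry it over with the flag */`. Since the flag direction was inverted once already by a typo, a comment on the OR line stating that flags move from `skb` into `prev` would help as well. `tcp_shifted_skb()` extends beyond the hunk.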
--- /dev/null
+From 65a3d75c70aeedfcd83259465780171b0449f3cc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 15 Oct 2013 11:54:30 -0700
+Subject: tcp: must unclone packets before mangling them
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c52e2421f7368fd36cbe330d2cf41b10452e39a9 ]
+
+TCP stack should make sure it owns skbs before mangling them.
+
+We had various crashes using bnx2x, and it turned out gso_size
+was cleared right before bnx2x driver was populating TC descriptor
+of the _previous_ packet send. TCP stack can sometime retransmit
+packets that are still in Qdisc.
+
+Of course we could make bnx2x driver more robust (using
+ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
+
+We have identified two points where skb_unclone() was needed.
+
+This patch adds a WARN_ON_ONCE() to warn us if we missed another
+fix of this kind.
+
+Kudos to Neal for finding the root cause of this bug. Its visible
+using small MSS.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 10 ++++++++++
+ net/ipv4/tcp_output.c | 9 ++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -760,6 +760,16 @@ static inline int skb_cloned(const struc
+ (atomic_read(&skb_shinfo(skb)->dataref) & SKB_DATAREF_MASK) != 1;
+ }
+
++static inline int skb_unclone(struct sk_buff *skb, gfp_t pri)
++{
++ might_sleep_if(pri & __GFP_WAIT);
++
++ if (skb_cloned(skb))
++ return pskb_expand_head(skb, 0, 0, pri);
++
++ return 0;
++}
++
+ /**
+ * skb_header_cloned - is the header a clone
+ * @skb: buffer to check
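Review bot: `skb_unclone()` is added without the kernel-doc block that the neighbouring helpers in this header carry (the `skb_header_cloned` block is visible right below it). I would add one giving `@skb` and `@pri`, stating that it returns 0 when the skb is not cloned or was successfully made private and the `pskb_expand_head()` error otherwise, and that callers must check the result before writing to the skb's shared info. Noting that it may sleep when `pri` allows waiting would match the `might_sleep_if()` on its first line.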
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -933,6 +933,9 @@ static void tcp_queue_skb(struct sock *s
+ static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb,
+ unsigned int mss_now)
+ {
++ /* Make sure we own this skb before messing gso_size/gso_segs */
++ WARN_ON_ONCE(skb_cloned(skb));
++
+ if (skb->len <= mss_now || !sk_can_gso(sk) ||
+ skb->ip_summed == CHECKSUM_NONE) {
+ /* Avoid the costly divide in the normal
+@@ -1014,9 +1017,7 @@ int tcp_fragment(struct sock *sk, struct
+ if (nsize < 0)
+ nsize = 0;
+
+- if (skb_cloned(skb) &&
+- skb_is_nonlinear(skb) &&
+- pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
++ if (skb_unclone(skb, GFP_ATOMIC))
+ return -ENOMEM;
+
+ /* Get a new skb... force flag on. */
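Review bot: Replacing the three-part test with `skb_unclone()` also drops the `skb_is_nonlinear(skb)` condition, so a cloned linear skb is now copied here too; the commit message does not mention this widening. It looks intended, since the point is to own the skb before its shared info is changed, but a comment such as `/* must own the skb, linear or not, before splitting it */` would stop someone restoring the old condition as an optimisation. `tcp_fragment()` starts and ends outside the hunk.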
+@@ -2129,6 +2130,8 @@ int tcp_retransmit_skb(struct sock *sk,
+ int oldpcount = tcp_skb_pcount(skb);
+
+ if (unlikely(oldpcount > 1)) {
++ if (skb_unclone(skb, GFP_ATOMIC))
++ return -ENOMEM;
+ tcp_init_tso_segs(sk, skb, cur_mss);
+ tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb));
+ }
--- /dev/null
+From 5702013cb615a6431f1549670c7d9a613c06886e Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:05:40 +0200
+Subject: unix_diag: fix info leak
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ]
+
+When filling the netlink message we miss to wipe the pad field,
+therefore leak one byte of heap memory to userland. Fix this by
+setting pad to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/diag.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -134,6 +134,7 @@ static int sk_diag_fill(struct sock *sk,
+ rep->udiag_family = AF_UNIX;
+ rep->udiag_type = sk->sk_type;
+ rep->udiag_state = sk->sk_state;
++ rep->pad = 0;
+ rep->udiag_ino = sk_ino;
+ sock_diag_save_cookie(sk, rep->udiag_cookie);
+
--- /dev/null
+From da4e1ebe28ac504f3b5b8e988a4eec608df630a7 Mon Sep 17 00:00:00 2001
+From: Salva Peiró <speiro@ai2.upv.es>
+Date: Wed, 16 Oct 2013 12:46:50 +0200
+Subject: wanxl: fix info leak in ioctl
+
+From: Salva Peiró <speiro@ai2.upv.es>
+
+[ Upstream commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 ]
+
+The wanxl_ioctl() code fails to initialize the two padding bytes of
+struct sync_serial_settings after the ->loopback member. Add an explicit
+memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/wanxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wan/wanxl.c
++++ b/drivers/net/wan/wanxl.c
+@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device
+ ifr->ifr_settings.size = size; /* data size wanted */
+ return -ENOBUFS;
+ }
++ memset(&line, 0, sizeof(line));
+ line.clock_type = get_status(port)->clocking;
+ line.clock_rate = 0;
+ line.loopback = 0;