--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:14:58 -0700
+Subject: 8139cp: Call dev_kfree_skby_any instead of kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace kfree_skb with dev_kfree_skb_any in cp_start_xmit
+as it can be called in both hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/8139cp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -899,7 +899,7 @@ out_unlock:
+
+ return NETDEV_TX_OK;
+ out_dma_error:
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ cp->dev->stats.tx_dropped++;
+ goto out_unlock;
+ }
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:15:36 -0700
+Subject: 8139too: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/8139too.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/8139too.c
++++ b/drivers/net/ethernet/realtek/8139too.c
+@@ -1717,9 +1717,9 @@ static netdev_tx_t rtl8139_start_xmit (s
+ if (len < ETH_ZLEN)
+ memset(tp->tx_buf[entry], 0, ETH_ZLEN);
+ skb_copy_and_csum_dev(skb, tp->tx_buf[entry]);
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ } else {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:19:50 -0700
+Subject: benet: Call dev_kfree_skby_any instead of kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace free_skb with dev_kfree_skb_any in be_tx_compl_process as
+which can be called in hard irq by netpoll, softirq context
+by normal napi polling, and in normal sleepable context
+by the network device close method.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1883,7 +1883,7 @@ static u16 be_tx_compl_process(struct be
+ queue_tail_inc(txq);
+ } while (cur_index != last_index);
+
+- kfree_skb(sent_skb);
++ dev_kfree_skb_any(sent_skb);
+ return num_wrbs;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:17:41 -0700
+Subject: bnx2: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2.c
++++ b/drivers/net/ethernet/broadcom/bnx2.c
+@@ -2886,7 +2886,7 @@ bnx2_tx_int(struct bnx2 *bp, struct bnx2
+ sw_cons = BNX2_NEXT_TX_BD(sw_cons);
+
+ tx_bytes += skb->len;
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ tx_pkt++;
+ if (tx_pkt == budget)
+ break;
+@@ -6640,7 +6640,7 @@ bnx2_start_xmit(struct sk_buff *skb, str
+
+ mapping = dma_map_single(&bp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&bp->pdev->dev, mapping)) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+@@ -6733,7 +6733,7 @@ dma_error:
+ PCI_DMA_TODEVICE);
+ }
+
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:16:58 -0700
+Subject: bonding: Call dev_kfree_skby_any instead of kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_3ad.c | 2 +-
+ drivers/net/bonding/bond_alb.c | 2 +-
+ drivers/net/bonding/bond_main.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -2479,7 +2479,7 @@ out:
+ return NETDEV_TX_OK;
+ err_free:
+ /* no suitable interface, frame not sent */
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ goto out;
+ }
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1479,7 +1479,7 @@ int bond_alb_xmit(struct sk_buff *skb, s
+ }
+
+ /* no suitable interface, frame not sent */
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ out:
+ return NETDEV_TX_OK;
+ }
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3568,7 +3568,7 @@ static void bond_xmit_slave_id(struct bo
+ }
+ }
+ /* no slave that can tx has been found */
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ }
+
+ /**
+@@ -3650,7 +3650,7 @@ static int bond_xmit_activebackup(struct
+ if (slave)
+ bond_dev_queue_xmit(bond, skb, slave->dev);
+ else
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+
+ return NETDEV_TX_OK;
+ }
+@@ -3698,7 +3698,7 @@ static int bond_xmit_broadcast(struct sk
+ if (slave && IS_UP(slave->dev) && slave->link == BOND_LINK_UP)
+ bond_dev_queue_xmit(bond, skb, slave->dev);
+ else
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+
+ return NETDEV_TX_OK;
+ }
+@@ -3785,7 +3785,7 @@ static netdev_tx_t __bond_start_xmit(str
+ pr_err("%s: Error: Unknown bonding mode %d\n",
+ dev->name, bond->params.mode);
+ WARN_ON_ONCE(1);
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+ }
+@@ -3806,7 +3806,7 @@ static netdev_tx_t bond_start_xmit(struc
+ if (bond_has_slaves(bond))
+ ret = __bond_start_xmit(skb, dev);
+ else
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ rcu_read_unlock();
+
+ return ret;
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:20:26 -0700
+Subject: gianfar: Carefully free skbs in functions called by netpoll.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+netpoll can call functions in hard irq context that are ordinarily
+called in lesser contexts. For those functions use dev_kfree_skb_any
+and dev_consume_skb_any so skbs are freed safely from hard irq
+context.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2152,13 +2152,13 @@ static int gfar_start_xmit(struct sk_buf
+ skb_new = skb_realloc_headroom(skb, fcb_len);
+ if (!skb_new) {
+ dev->stats.tx_errors++;
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+ if (skb->sk)
+ skb_set_owner_w(skb_new, skb->sk);
+- consume_skb(skb);
++ dev_consume_skb_any(skb);
+ skb = skb_new;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: ipv6: Don't reduce hop limit for an interface
+
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struc
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "hannes@stressinduktion.org" <hannes@stressinduktion.org>
+Date: Wed, 1 Apr 2015 17:07:44 +0200
+Subject: ipv6: protect skb->sk accesses from recursive dereference inside the stack
+
+From: "hannes@stressinduktion.org" <hannes@stressinduktion.org>
+
+[ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ]
+
+We should not consult skb->sk for output decisions in xmit recursion
+levels > 0 in the stack. Otherwise local socket settings could influence
+the result of e.g. tunnel encapsulation process.
+
+ipv6 does not conform with this in three places:
+
+1) ip6_fragment: we do consult ipv6_npinfo for frag_size
+
+2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
+ loop the packet back to the local socket
+
+3) ip6_skb_dst_mtu could query the settings from the user socket and
+ force a wrong MTU
+
+Furthermore:
+In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
+PF_PACKET socket ontop of an IPv6-backed vxlan device.
+
+Reuse xmit_recursion as we are currently only interested in protecting
+tunnel devices.
+
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 6 ++++++
+ include/net/ip.h | 16 ----------------
+ include/net/ip6_route.h | 3 ++-
+ include/net/sock.h | 2 ++
+ net/core/dev.c | 4 +++-
+ net/core/sock.c | 19 +++++++++++++++++++
+ net/ipv6/ip6_output.c | 3 ++-
+ 7 files changed, 34 insertions(+), 19 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1880,6 +1880,12 @@ void netdev_freemem(struct net_device *d
+ void synchronize_net(void);
+ int init_dummy_netdev(struct net_device *dev);
+
++DECLARE_PER_CPU(int, xmit_recursion);
++static inline int dev_recursion_level(void)
++{
++ return this_cpu_read(xmit_recursion);
++}
++
+ struct net_device *dev_get_by_index(struct net *net, int ifindex);
+ struct net_device *__dev_get_by_index(struct net *net, int ifindex);
+ struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex);
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -407,22 +407,6 @@ static __inline__ void inet_reset_saddr(
+
+ #endif
+
+-static inline int sk_mc_loop(struct sock *sk)
+-{
+- if (!sk)
+- return 1;
+- switch (sk->sk_family) {
+- case AF_INET:
+- return inet_sk(sk)->mc_loop;
+-#if IS_ENABLED(CONFIG_IPV6)
+- case AF_INET6:
+- return inet6_sk(sk)->mc_loop;
+-#endif
+- }
+- WARN_ON(1);
+- return 1;
+-}
+-
+ bool ip_call_ra_chain(struct sk_buff *skb);
+
+ /*
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -168,7 +168,8 @@ int ip6_fragment(struct sk_buff *skb, in
+
+ static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
++ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
++ inet6_sk(skb->sk) : NULL;
+
+ return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ?
+ skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1815,6 +1815,8 @@ struct dst_entry *__sk_dst_check(struct
+
+ struct dst_entry *sk_dst_check(struct sock *sk, u32 cookie);
+
++bool sk_mc_loop(struct sock *sk);
++
+ static inline bool sk_can_gso(const struct sock *sk)
+ {
+ return net_gso_ok(sk->sk_route_caps, sk->sk_gso_type);
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2775,7 +2775,9 @@ static void skb_update_prio(struct sk_bu
+ #define skb_update_prio(skb)
+ #endif
+
+-static DEFINE_PER_CPU(int, xmit_recursion);
++DEFINE_PER_CPU(int, xmit_recursion);
++EXPORT_SYMBOL(xmit_recursion);
++
+ #define RECURSION_LIMIT 10
+
+ /**
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -659,6 +659,25 @@ static inline void sock_valbool_flag(str
+ sock_reset_flag(sk, bit);
+ }
+
++bool sk_mc_loop(struct sock *sk)
++{
++ if (dev_recursion_level())
++ return false;
++ if (!sk)
++ return true;
++ switch (sk->sk_family) {
++ case AF_INET:
++ return inet_sk(sk)->mc_loop;
++#if IS_ENABLED(CONFIG_IPV6)
++ case AF_INET6:
++ return inet6_sk(sk)->mc_loop;
++#endif
++ }
++ WARN_ON(1);
++ return true;
++}
++EXPORT_SYMBOL(sk_mc_loop);
++
+ /*
+ * This is meant for all protocols to use and covers goings on
+ * at the socket level. Everything here is generic.
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -555,7 +555,8 @@ int ip6_fragment(struct sk_buff *skb, in
+ {
+ struct sk_buff *frag;
+ struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
+- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
++ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
++ inet6_sk(skb->sk) : NULL;
+ struct ipv6hdr *tmp_hdr;
+ struct frag_hdr *fh;
+ unsigned int mtu, hlen, left, len;
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:18:42 -0700
+Subject: ixgb: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgb/ixgb_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c
++++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
+@@ -1521,12 +1521,12 @@ ixgb_xmit_frame(struct sk_buff *skb, str
+ int tso;
+
+ if (test_bit(__IXGB_DOWN, &adapter->flags)) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+ if (skb->len <= 0) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+@@ -1543,7 +1543,7 @@ ixgb_xmit_frame(struct sk_buff *skb, str
+
+ tso = ixgb_tso(adapter, skb);
+ if (tso < 0) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:19:14 -0700
+Subject: mlx4: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -325,7 +325,7 @@ static u32 mlx4_en_free_tx_desc(struct m
+ }
+ }
+ }
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return tx_info->nr_txbb;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: Ido Shamay <idos@mellanox.com>
+Date: Tue, 24 Mar 2015 15:18:38 +0200
+Subject: net/mlx4_en: Call register_netdevice in the proper location
+
+From: Ido Shamay <idos@mellanox.com>
+
+[ Upstream commit e5eda89d97ec256ba14e7e861387cc0468259c18 ]
+
+Netdevice registration should be performed a the end of the driver
+initialization flow. If we don't do that, after calling register_netdevice,
+device callbacks may be issued by higher layers of the stack before
+final configuration of the device is done.
+
+For example (VXLAN configuration race), mlx4_SET_PORT_VXLAN was issued
+after the register_netdev command. System network scripts may configure
+the interface (UP) right after the registration, which also attach
+unicast VXLAN steering rule, before mlx4_SET_PORT_VXLAN was called,
+causing the firmware to fail the rule attachment.
+
+Fixes: 837052d0ccc5 ("net/mlx4_en: Add netdev support for TCP/IP offloads of vxlan tunneling")
+Signed-off-by: Ido Shamay <idos@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -2497,13 +2497,6 @@ int mlx4_en_init_netdev(struct mlx4_en_d
+ netif_carrier_off(dev);
+ mlx4_en_set_default_moderation(priv);
+
+- err = register_netdev(dev);
+- if (err) {
+- en_err(priv, "Netdev registration failed for port %d\n", port);
+- goto out;
+- }
+- priv->registered = 1;
+-
+ en_warn(priv, "Using %d TX rings\n", prof->tx_ring_num);
+ en_warn(priv, "Using %d RX rings\n", prof->rx_ring_num);
+
+@@ -2543,6 +2536,14 @@ int mlx4_en_init_netdev(struct mlx4_en_d
+ queue_delayed_work(mdev->workqueue, &priv->service_task,
+ SERVICE_TASK_DELAY);
+
++ err = register_netdev(dev);
++ if (err) {
++ en_err(priv, "Netdev registration failed for port %d\n", port);
++ goto out;
++ }
++
++ priv->registered = 1;
++
+ return 0;
+
+ out:
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:16:14 -0700
+Subject: r8169: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5834,7 +5834,7 @@ static void rtl8169_tx_clear_range(struc
+ tp->TxDescArray + entry);
+ if (skb) {
+ tp->dev->stats.tx_dropped++;
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ tx_skb->skb = NULL;
+ }
+ }
+@@ -6059,7 +6059,7 @@ static netdev_tx_t rtl8169_start_xmit(st
+ err_dma_1:
+ rtl8169_unmap_tx_skb(d, tp->tx_skb + entry, txd);
+ err_dma_0:
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ err_update_stats:
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+@@ -6142,7 +6142,7 @@ static void rtl_tx(struct net_device *de
+ tp->tx_stats.packets++;
+ tp->tx_stats.bytes += tx_skb->skb->len;
+ u64_stats_update_end(&tp->tx_stats.syncp);
+- dev_kfree_skb(tx_skb->skb);
++ dev_kfree_skb_any(tx_skb->skb);
+ tx_skb->skb = NULL;
+ }
+ dirty_tx++;
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: Neal Cardwell <ncardwell@google.com>
+Date: Wed, 1 Apr 2015 20:26:46 -0400
+Subject: tcp: fix FRTO undo on cumulative ACK of SACKed range
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 666b805150efd62f05810ff0db08f44a2370c937 ]
+
+On processing cumulative ACKs, the FRTO code was not checking the
+SACKed bit, meaning that there could be a spurious FRTO undo on a
+cumulative ACK of a previously SACKed skb.
+
+The FRTO code should only consider a cumulative ACK to indicate that
+an original/unretransmitted skb is newly ACKed if the skb was not yet
+SACKed.
+
+The effect of the spurious FRTO undo would typically be to make the
+connection think that all previously-sent packets were in flight when
+they really weren't, leading to a stall and an RTO.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Fixes: e33099f96d99c ("tcp: implement RFC5682 F-RTO")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3064,10 +3064,11 @@ static int tcp_clean_rtx_queue(struct so
+ if (seq_rtt < 0) {
+ seq_rtt = ca_seq_rtt;
+ }
+- if (!(sacked & TCPCB_SACKED_ACKED))
++ if (!(sacked & TCPCB_SACKED_ACKED)) {
+ reord = min(pkts_acked, reord);
+- if (!after(scb->end_seq, tp->high_seq))
+- flag |= FLAG_ORIG_SACK_ACKED;
++ if (!after(scb->end_seq, tp->high_seq))
++ flag |= FLAG_ORIG_SACK_ACKED;
++ }
+ }
+
+ if (sacked & TCPCB_SACKED_ACKED)
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>
+Date: Mon, 23 Mar 2015 15:14:00 +0100
+Subject: tcp: prevent fetching dst twice in early demux code
+
+From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>
+
+[ Upstream commit d0c294c53a771ae7e84506dfbd8c18c30f078735 ]
+
+On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux()
+
+ struct dst_entry *dst = sk->sk_rx_dst;
+
+ if (dst)
+ dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
+
+to code reading sk->sk_rx_dst twice, once for the test and once for
+the argument of ip6_dst_check() (dst_check() is inline). This allows
+ip6_dst_check() to be called with null first argument, causing a crash.
+
+Protect sk->sk_rx_dst access by ACCESS_ONCE() both in IPv4 and IPv6
+TCP early demux code.
+
+Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
+Fixes: c7109986db3c ("ipv6: Early TCP socket demux")
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1875,7 +1875,7 @@ void tcp_v4_early_demux(struct sk_buff *
+ skb->sk = sk;
+ skb->destructor = sock_edemux;
+ if (sk->sk_state != TCP_TIME_WAIT) {
+- struct dst_entry *dst = sk->sk_rx_dst;
++ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, 0);
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1633,7 +1633,7 @@ static void tcp_v6_early_demux(struct sk
+ skb->sk = sk;
+ skb->destructor = sock_edemux;
+ if (sk->sk_state != TCP_TIME_WAIT) {
+- struct dst_entry *dst = sk->sk_rx_dst;
++ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 9 Apr 2015 13:31:56 -0700
+Subject: tcp: tcp_make_synack() should clear skb->tstamp
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b50edd7812852d989f2ef09dcfc729690f54a42d ]
+
+I noticed tcpdump was giving funky timestamps for locally
+generated SYNACK messages on loopback interface.
+
+11:42:46.938990 IP 127.0.0.1.48245 > 127.0.0.2.23850: S
+945476042:945476042(0) win 43690 <mss 65495,nop,nop,sackOK,nop,wscale 7>
+
+20:28:58.502209 IP 127.0.0.2.23850 > 127.0.0.1.48245: S
+3160535375:3160535375(0) ack 945476043 win 43690 <mss
+65495,nop,nop,sackOK,nop,wscale 7>
+
+This is because we need to clear skb->tstamp before
+entering lower stack, otherwise net_timestamp_check()
+does not set skb->tstamp.
+
+Fixes: 7faee5c0d514 ("tcp: remove TCP_SKB_CB(skb)->when")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2796,6 +2796,8 @@ struct sk_buff *tcp_make_synack(struct s
+ }
+ #endif
+
++ /* Do not fool tcpdump (if any), clean our debris */
++ skb->tstamp.tv64 = 0;
+ return skb;
+ }
+ EXPORT_SYMBOL(tcp_make_synack);
--- /dev/null
+From foo@baz Tue Apr 21 23:05:41 CEST 2015
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 11 Mar 2014 14:18:14 -0700
+Subject: tg3: Call dev_kfree_skby_any instead of dev_kfree_skb.
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+Replace dev_kfree_skb with dev_kfree_skb_any in functions that can
+be called in hard irq and other contexts.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -6593,7 +6593,7 @@ static void tg3_tx(struct tg3_napi *tnap
+ pkts_compl++;
+ bytes_compl += skb->len;
+
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+
+ if (unlikely(tx_bug)) {
+ tg3_tx_recover(tp);
+@@ -6925,7 +6925,7 @@ static int tg3_rx(struct tg3_napi *tnapi
+ if (len > (tp->dev->mtu + ETH_HLEN) &&
+ skb->protocol != htons(ETH_P_8021Q) &&
+ skb->protocol != htons(ETH_P_8021AD)) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ goto drop_it_no_recycle;
+ }
+
+@@ -7808,7 +7808,7 @@ static int tigon3_dma_hwbug_workaround(s
+ PCI_DMA_TODEVICE);
+ /* Make sure the mapping succeeded */
+ if (pci_dma_mapping_error(tp->pdev, new_addr)) {
+- dev_kfree_skb(new_skb);
++ dev_kfree_skb_any(new_skb);
+ ret = -1;
+ } else {
+ u32 save_entry = *entry;
+@@ -7823,13 +7823,13 @@ static int tigon3_dma_hwbug_workaround(s
+ new_skb->len, base_flags,
+ mss, vlan)) {
+ tg3_tx_skb_unmap(tnapi, save_entry, -1);
+- dev_kfree_skb(new_skb);
++ dev_kfree_skb_any(new_skb);
+ ret = -1;
+ }
+ }
+ }
+
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ *pskb = new_skb;
+ return ret;
+ }
+@@ -7872,7 +7872,7 @@ static int tg3_tso_bug(struct tg3 *tp, s
+ } while (segs);
+
+ tg3_tso_bug_end:
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+
+ return NETDEV_TX_OK;
+ }
+@@ -8110,7 +8110,7 @@ dma_error:
+ tg3_tx_skb_unmap(tnapi, tnapi->tx_prod, --i);
+ tnapi->tx_buffers[tnapi->tx_prod].skb = NULL;
+ drop:
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ drop_nofree:
+ tp->tx_dropped++;
+ return NETDEV_TX_OK;
--- /dev/null
+udptunnels-call-handle_offloads-after-inserting-vlan-tag.patch
+tcp-tcp_make_synack-should-clear-skb-tstamp.patch
+bnx2x-fix-busy_poll-vs-netpoll.patch
+bpf-fix-verifier-memory-corruption.patch
+revert-net-reset-secmark-when-scrubbing-packet.patch
+skbuff-do-not-scrub-skb-mark-within-the-same-name-space.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
