--- /dev/null
+From 109c0742ca251de980968ec04d73cc74bee665b0 Mon Sep 17 00:00:00 2001
+From: Cristian Bercaru <B43982@freescale.com>
+Date: Fri, 8 Mar 2013 07:03:38 +0000
+Subject: bridging: fix rx_handlers return code
+
+
+From: Cristian Bercaru <B43982@freescale.com>
+
+[ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ]
+
+The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer
+counted as dropped. They are counted as successfully received by
+'netif_receive_skb'.
+
+This allows network interface drivers to correctly update their RX-OK and
+RX-DRP counters based on the result of 'netif_receive_skb'.
+
+Signed-off-by: Cristian Bercaru <B43982@freescale.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3165,6 +3165,7 @@ ncls:
+ }
+ switch (rx_handler(&skb)) {
+ case RX_HANDLER_CONSUMED:
++ ret = NET_RX_SUCCESS;
+ goto out;
+ case RX_HANDLER_ANOTHER:
+ goto another_round;
--- /dev/null
+From 3512fe006b6a98f2138f8b7aeb1285ff5dd06402 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:21 +0000
+Subject: dcbnl: fix various netlink info leaks
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
+
+The dcb netlink interface leaks stack memory in various places:
+* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+* the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+Prevent all of the above stack info leaks by properly initializing the
+buffers/structures involved.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -335,6 +335,7 @@ static int dcbnl_getperm_hwaddr(struct n
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1311,6 +1312,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1318,6 +1320,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1344,6 +1347,7 @@ static int dcbnl_ieee_get(struct net_dev
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1351,6 +1355,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1551,6 +1556,7 @@ static int dcbnl_cee_get(struct net_devi
+ /* get peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1558,6 +1564,7 @@ static int dcbnl_cee_get(struct net_devi
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
--- /dev/null
+From 0ebf982ef20c695b397ee7f39b5fdae001b4be97 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 8 Mar 2013 02:07:23 +0000
+Subject: ipv6: stop multicast forwarding to process interface scoped addresses
+
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ]
+
+v2:
+a) used struct ipv6_addr_props
+
+v3:
+a) reverted changes for ipv6_addr_props
+
+v4:
+a) do not use __ipv6_addr_needs_scope_id
+
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -257,7 +257,8 @@ int ip6_mc_input(struct sk_buff *skb)
+ * IPv6 multicast router mode is now supported ;)
+ */
+ if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
+- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) &&
++ !(ipv6_addr_type(&hdr->daddr) &
++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
+ likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
+ /*
+ * Okay, we try to forward - split and duplicate
--- /dev/null
+From 837d52ce867bcd36b5b5a7a5a6008134f6593069 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 1 Mar 2013 05:02:02 +0000
+Subject: l2tp: Restore socket refcount when sendmsg succeeds
+
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
+
+The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+reference counter after successful transmissions. Any successful
+sendmsg() call from userspace will then increase the reference counter
+forever, thus preventing the kernel's session and tunnel data from
+being freed later on.
+
+The problem only happens when writing directly on L2TP sockets.
+PPP sockets attached to L2TP are unaffected as the PPP subsystem
+uses pppol2tp_xmit() which symmetrically increase/decrease reference
+counters.
+
+This patch adds the missing call to sock_put() before returning from
+pppol2tp_sendmsg().
+
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
--- /dev/null
+From cc8c6413dcdfdd20ddbeca2ddac9ebe2d6dcd8b6 Mon Sep 17 00:00:00 2001
+From: Lorenzo Colitti <lorenzo@google.com>
+Date: Sun, 3 Mar 2013 20:46:46 +0000
+Subject: net: ipv6: Don't purge default router if accept_ra=2
+
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ]
+
+Setting net.ipv6.conf.<interface>.accept_ra=2 causes the kernel
+to accept RAs even when forwarding is enabled. However, enabling
+forwarding purges all default routes on the system, breaking
+connectivity until the next RA is received. Fix this by not
+purging default routes on interfaces that have accept_ra=2.
+
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1885,7 +1885,8 @@ void rt6_purge_dflt_routers(struct net *
+ restart:
+ read_lock_bh(&table->tb6_lock);
+ for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) {
+- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) {
++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) &&
++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) {
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+ ip6_del_rt(rt);
--- /dev/null
+From 2ea671cf7599777ad4145c5a5b0b2efa84641932 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Wed, 6 Mar 2013 11:45:24 +0000
+Subject: netlabel: correctly list all the static label mappings
+
+
+From: Paul Moore <pmoore@redhat.com>
+
+[ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and
+ a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ]
+
+When we have a large number of static label mappings that spill across
+the netlink message boundary we fail to properly save our state in the
+netlink_callback struct which causes us to repeat the same listings.
+This patch fixes this problem by saving the state correctly between
+calls to the NetLabel static label netlink "dumpit" routines.
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlabel/netlabel_unlabeled.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1192,8 +1192,6 @@ static int netlbl_unlabel_staticlist(str
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ u32 skip_bkt = cb->args[0];
+ u32 skip_chain = cb->args[1];
+- u32 skip_addr4 = cb->args[2];
+- u32 skip_addr6 = cb->args[3];
+ u32 iter_bkt;
+ u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_unlhsh_iface *iface;
+@@ -1218,7 +1216,7 @@ static int netlbl_unlabel_staticlist(str
+ continue;
+ netlbl_af4list_foreach_rcu(addr4,
+ &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[2])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1234,7 +1232,7 @@ static int netlbl_unlabel_staticlist(str
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ netlbl_af6list_foreach_rcu(addr6,
+ &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[3])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1253,10 +1251,10 @@ static int netlbl_unlabel_staticlist(str
+
+ unlabel_staticlist_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_bkt;
+- cb->args[1] = skip_chain;
+- cb->args[2] = skip_addr4;
+- cb->args[3] = skip_addr6;
++ cb->args[0] = iter_bkt;
++ cb->args[1] = iter_chain;
++ cb->args[2] = iter_addr4;
++ cb->args[3] = iter_addr6;
+ return skb->len;
+ }
+
+@@ -1276,12 +1274,9 @@ static int netlbl_unlabel_staticlistdef(
+ {
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ struct netlbl_unlhsh_iface *iface;
+- u32 skip_addr4 = cb->args[0];
+- u32 skip_addr6 = cb->args[1];
+- u32 iter_addr4 = 0;
++ u32 iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_af4list *addr4;
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+- u32 iter_addr6 = 0;
+ struct netlbl_af6list *addr6;
+ #endif
+
+@@ -1295,7 +1290,7 @@ static int netlbl_unlabel_staticlistdef(
+ goto unlabel_staticlistdef_return;
+
+ netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[0])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1308,7 +1303,7 @@ static int netlbl_unlabel_staticlistdef(
+ }
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[1])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1323,8 +1318,8 @@ static int netlbl_unlabel_staticlistdef(
+
+ unlabel_staticlistdef_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_addr4;
+- cb->args[1] = skip_addr6;
++ cb->args[0] = iter_addr4;
++ cb->args[1] = iter_addr6;
+ return skb->len;
+ }
+
--- /dev/null
+From ff4f58c0f8a86a1d38fff9499632f4c618470741 Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang@redhat.com>
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+
+From: Cong Wang <amwang@redhat.com>
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones <davej@redhat.com>
+Cc: Dave Jones <davej@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -196,6 +196,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
--- /dev/null
+From 47e13bb5773197bef46b59e359e5281de3672d57 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -963,6 +963,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ struct ifla_vf_mac vf_mac;
+ struct ifla_vf_vlan vf_vlan;
+ struct ifla_vf_tx_rate vf_tx_rate;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf = vf_vlan.vf = vf_tx_rate.vf = ivi.vf;
hwmon-sht15-fix-memory-leak-if-regulator_enable-fails.patch
block-use-i_size_write-in-bd_set_size.patch
loopdev-fix-a-deadlock.patch
+l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch
+rds-limit-the-size-allocated-by-rds_message_alloc.patch
+net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch
+tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch
+tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
+netlabel-correctly-list-all-the-static-label-mappings.patch
+bridging-fix-rx_handlers-return-code.patch
+ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch
+rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+dcbnl-fix-various-netlink-info-leaks.patch
--- /dev/null
+From d80e280987ce9a6e7a9bc8a77e09f5942eb9097a Mon Sep 17 00:00:00 2001
+From: Neal Cardwell <ncardwell@google.com>
+Date: Mon, 4 Mar 2013 06:23:05 +0000
+Subject: tcp: fix double-counted receiver RTT when leaving receiver fast path
+
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ]
+
+We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both
+before and after going to step5. That wastes CPU and double-counts the
+receiver-side RTT sample.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5419,6 +5419,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if ((int)skb->truesize > sk->sk_forward_alloc)
++ goto step5;
++
+ /* Predicted packet is in window by definition.
+ * seq == rcv_nxt and rcv_wup <= rcv_nxt.
+ * Hence, check seq<=rcv_wup reduces to:
+@@ -5430,9 +5433,6 @@ int tcp_rcv_established(struct sock *sk,
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+- if ((int)skb->truesize > sk->sk_forward_alloc)
+- goto step5;
+-
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);
+
+ /* Bulk data transfer: receiver */
--- /dev/null
+From 2154d62e4c411a9d97e0212b8a9d80c6a0c01295 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 6 Mar 2013 11:02:37 +0000
+Subject: tun: add a missing nf_reset() in tun_net_xmit()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ]
+
+Dave reported following crash :
+
+general protection fault: 0000 [#1] SMP
+CPU 2
+Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch
+RIP: 0010:[<ffffffffa0399bd5>] [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
+RSP: 0018:ffff880276913d78 EFLAGS: 00010206
+RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00
+RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002
+RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900
+R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40
+R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002
+FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720)
+Stack:
+ ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7
+ ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100
+ ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470
+Call Trace:
+ [<ffffffff815534f7>] nf_conntrack_destroy+0x17/0x20
+ [<ffffffff8151a74b>] skb_release_head_state+0x7b/0x100
+ [<ffffffff8151a5a6>] __kfree_skb+0x16/0xa0
+ [<ffffffff8151a666>] kfree_skb+0x36/0xa0
+ [<ffffffff8151a8e0>] skb_queue_purge+0x20/0x40
+ [<ffffffffa02205f7>] __tun_detach+0x117/0x140 [tun]
+ [<ffffffffa022184c>] tun_chr_close+0x3c/0xd0 [tun]
+ [<ffffffff8119669c>] __fput+0xec/0x240
+ [<ffffffff811967fe>] ____fput+0xe/0x10
+ [<ffffffff8107eb27>] task_work_run+0xa7/0xe0
+ [<ffffffff810149e1>] do_notify_resume+0x71/0xb0
+ [<ffffffff81640152>] int_signal+0x12/0x17
+Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0
+RIP [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
+ RSP <ffff880276913d78>
+
+This is because tun_net_xmit() needs to call nf_reset()
+before queuing skb into receive_queue
+
+Reported-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -417,6 +417,8 @@ static netdev_tx_t tun_net_xmit(struct s
+ * for indefinite time. */
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tun->socket.sk->sk_receive_queue, skb);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
