--- /dev/null
+From ccac25ca0604f7232d1cfa6ee33b7acaffc77aab Mon Sep 17 00:00:00 2001
+From: Roel Kluin <roel.kluin@gmail.com>
+Date: Thu, 29 Jan 2009 17:32:20 -0800
+Subject: drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
+
+From: Roel Kluin <roel.kluin@gmail.com>
+
+[ Upstream commit c25b9abbc2c2c0da88e180c3933d6e773245815a ]
+
+Fix inverted logic
+
+Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/skfp/skfddi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/skfp/skfddi.c
++++ b/drivers/net/skfp/skfddi.c
+@@ -998,9 +998,9 @@ static int skfp_ioctl(struct net_device
+ break;
+ case SKFP_CLR_STATS: /* Zero out the driver statistics */
+ if (!capable(CAP_NET_ADMIN)) {
+- memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+- } else {
+ status = -EPERM;
++ } else {
++ memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+ }
+ break;
+ default:
--- /dev/null
+From 03afe37189895abbe71c57047bc55833f1e0b04b Mon Sep 17 00:00:00 2001
+From: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+Date: Thu, 29 Jan 2009 16:19:13 -0800
+Subject: ipv4: fix infinite retry loop in IP-Config
+
+From: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+
+[ Upstream commit 9d8dba6c979fa99c96938c869611b9a23b73efa9 ]
+
+Signed-off-by: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ipconfig.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -1272,6 +1272,9 @@ __be32 __init root_nfs_parse_addr(char *
+ static int __init ip_auto_config(void)
+ {
+ __be32 addr;
++#ifdef IPCONFIG_DYNAMIC
++ int retries = CONF_OPEN_RETRIES;
++#endif
+
+ #ifdef CONFIG_PROC_FS
+ proc_net_fops_create(&init_net, "pnp", S_IRUGO, &pnp_seq_fops);
+@@ -1308,9 +1311,6 @@ static int __init ip_auto_config(void)
+ #endif
+ ic_first_dev->next) {
+ #ifdef IPCONFIG_DYNAMIC
+-
+- int retries = CONF_OPEN_RETRIES;
+-
+ if (ic_dynamic() < 0) {
+ ic_close_devs();
+
--- /dev/null
+From 3d9820a2b68321eb421168b2d53a10994add9c25 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Feb 2009 15:15:50 -0800
+Subject: ipv6: Copy cork options in ip6_append_data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 0178b695fd6b40a62a215cbeb03dd51ada3bb5e0 ]
+
+As the options passed to ip6_append_data may be ephemeral, we need
+to duplicate it for corking. This patch applies the simplest fix
+which is to memdup all the relevant bits.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_output.c | 67 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 52 insertions(+), 15 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1091,6 +1091,18 @@ static inline int ip6_ufo_append_data(st
+ return err;
+ }
+
++static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
++ gfp_t gfp)
++{
++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
++}
++
++static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
++ gfp_t gfp)
++{
++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
++}
++
+ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ int offset, int len, int odd, struct sk_buff *skb),
+ void *from, int length, int transhdrlen,
+@@ -1116,17 +1128,37 @@ int ip6_append_data(struct sock *sk, int
+ * setup for corking
+ */
+ if (opt) {
+- if (np->cork.opt == NULL) {
+- np->cork.opt = kmalloc(opt->tot_len,
+- sk->sk_allocation);
+- if (unlikely(np->cork.opt == NULL))
+- return -ENOBUFS;
+- } else if (np->cork.opt->tot_len < opt->tot_len) {
+- printk(KERN_DEBUG "ip6_append_data: invalid option length\n");
++ if (WARN_ON(np->cork.opt))
+ return -EINVAL;
+- }
+- memcpy(np->cork.opt, opt, opt->tot_len);
+- inet->cork.flags |= IPCORK_OPT;
++
++ np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
++ if (unlikely(np->cork.opt == NULL))
++ return -ENOBUFS;
++
++ np->cork.opt->tot_len = opt->tot_len;
++ np->cork.opt->opt_flen = opt->opt_flen;
++ np->cork.opt->opt_nflen = opt->opt_nflen;
++
++ np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
++ sk->sk_allocation);
++ if (opt->dst0opt && !np->cork.opt->dst0opt)
++ return -ENOBUFS;
++
++ np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
++ sk->sk_allocation);
++ if (opt->dst1opt && !np->cork.opt->dst1opt)
++ return -ENOBUFS;
++
++ np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
++ sk->sk_allocation);
++ if (opt->hopopt && !np->cork.opt->hopopt)
++ return -ENOBUFS;
++
++ np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
++ sk->sk_allocation);
++ if (opt->srcrt && !np->cork.opt->srcrt)
++ return -ENOBUFS;
++
+ /* need source address above miyazawa*/
+ }
+ dst_hold(&rt->u.dst);
+@@ -1153,8 +1185,7 @@ int ip6_append_data(struct sock *sk, int
+ } else {
+ rt = (struct rt6_info *)inet->cork.dst;
+ fl = &inet->cork.fl;
+- if (inet->cork.flags & IPCORK_OPT)
+- opt = np->cork.opt;
++ opt = np->cork.opt;
+ transhdrlen = 0;
+ exthdrlen = 0;
+ mtu = inet->cork.fragsize;
+@@ -1393,9 +1424,15 @@ error:
+
+ static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
+ {
+- inet->cork.flags &= ~IPCORK_OPT;
+- kfree(np->cork.opt);
+- np->cork.opt = NULL;
++ if (np->cork.opt) {
++ kfree(np->cork.opt->dst0opt);
++ kfree(np->cork.opt->dst1opt);
++ kfree(np->cork.opt->hopopt);
++ kfree(np->cork.opt->srcrt);
++ kfree(np->cork.opt);
++ np->cork.opt = NULL;
++ }
++
+ if (inet->cork.dst) {
+ dst_release(inet->cork.dst);
+ inet->cork.dst = NULL;
--- /dev/null
+From afd861c0bd473bcd285e4d1467428e8b0c2d2433 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Fri, 6 Feb 2009 00:49:55 -0800
+Subject: ipv6: Disallow rediculious flowlabel option sizes.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 684de409acff8b1fe8bf188d75ff2f99c624387d ]
+
+Just like PKTINFO, limit the options area to 64K.
+
+Based upon report by Eric Sesterhenn and analysis by
+Roland Dreier.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_flowlabel.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -323,17 +323,21 @@ static struct ip6_flowlabel *
+ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
+ int optlen, int *err_p)
+ {
+- struct ip6_flowlabel *fl;
++ struct ip6_flowlabel *fl = NULL;
+ int olen;
+ int addr_type;
+ int err;
+
++ olen = optlen - CMSG_ALIGN(sizeof(*freq));
++ err = -EINVAL;
++ if (olen > 64 * 1024)
++ goto done;
++
+ err = -ENOMEM;
+ fl = kzalloc(sizeof(*fl), GFP_KERNEL);
+ if (fl == NULL)
+ goto done;
+
+- olen = optlen - CMSG_ALIGN(sizeof(*freq));
+ if (olen > 0) {
+ struct msghdr msg;
+ struct flowi flowi;
--- /dev/null
+From 4a7f6a15e2ca130460e9f5c24d0b554245943aad Mon Sep 17 00:00:00 2001
+From: Clément Lecigne <clement.lecigne@netasq.com>
+Date: Thu, 12 Feb 2009 16:59:09 -0800
+Subject: net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+From: Clément Lecigne <clement.lecigne@netasq.com>
+
+[ Upstream commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da ]
+
+In function sock_getsockopt() located in net/core/sock.c, optval v.val
+is not correctly initialized and directly returned in userland in case
+we have SO_BSDCOMPAT option set.
+
+This dummy code should trigger the bug:
+
+int main(void)
+{
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+}
+
+Here is a patch that fix this bug by initalizing v.val just after its
+declaration.
+
+Signed-off-by: Clément Lecigne <clement.lecigne@netasq.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -695,6 +695,8 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
--- /dev/null
+From c732e40f3dfbae84b1ae352deeebb316e1c15437 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 29 Jan 2009 16:07:52 -0800
+Subject: net: Fix frag_list handling in skb_seq_read
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 95e3b24cfb4ec0479d2c42f7a1780d68063a542a ]
+
+The frag_list handling was broken in skb_seq_read:
+
+1) We didn't add the stepped offset when looking at the head
+are of fragments other than the first.
+
+2) We didn't take the stepped offset away when setting the data
+pointer in the head area.
+
+3) The frag index wasn't reset.
+
+This patch fixes both issues.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/skbuff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2001,10 +2001,10 @@ unsigned int skb_seq_read(unsigned int c
+ return 0;
+
+ next_skb:
+- block_limit = skb_headlen(st->cur_skb);
++ block_limit = skb_headlen(st->cur_skb) + st->stepped_offset;
+
+ if (abs_offset < block_limit) {
+- *data = st->cur_skb->data + abs_offset;
++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset);
+ return block_limit - abs_offset;
+ }
+
+@@ -2046,6 +2046,7 @@ next_skb:
+ } else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
++ st->frag_idx = 0;
+ goto next_skb;
+ }
+
--- /dev/null
+From 30bfb34a49a208362e814966e9d67884543420b9 Mon Sep 17 00:00:00 2001
+From: Shyam Iyer <shyam_iyer@dell.com>
+Date: Thu, 29 Jan 2009 16:12:42 -0800
+Subject: net: Fix OOPS in skb_seq_read().
+
+From: Shyam Iyer <shyam_iyer@dell.com>
+
+[ Upstream commit 71b3346d182355f19509fadb8fe45114a35cc499 ]
+
+It oopsd for me in skb_seq_read. addr2line said it was
+linux-2.6/net/core/skbuff.c:2228, which is this line:
+
+ while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) {
+
+I added some printks in there and it looks like we hit this:
+
+ } else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ st->frag_idx = 0;
+ goto next_skb;
+ }
+
+Actually I did some testing and added a few printks and found that the
+st->cur_skb->data was 0 and hence the ptr used by iscsi_tcp was null.
+This caused the kernel panic.
+
+ if (abs_offset < block_limit) {
+- *data = st->cur_skb->data + abs_offset;
++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset);
+
+I enabled the debug_tcp and with a few printks found that the code did
+not go to the next_skb label and could find that the sequence being
+followed was this -
+
+It hit this if condition -
+
+ if (st->cur_skb->next) {
+ st->cur_skb = st->cur_skb->next;
+ st->frag_idx = 0;
+ goto next_skb;
+
+And so, now the st pointer is shifted to the next skb whereas actually
+it should have hit the second else if first since the data is in the
+frag_list.
+
+ else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ goto next_skb;
+ }
+
+Reversing the two conditions the attached patch fixes the issue for me
+on top of Herbert's patches.
+
+Signed-off-by: Shyam Iyer <shyam_iyer@dell.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/skbuff.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2039,13 +2039,13 @@ next_skb:
+ st->frag_data = NULL;
+ }
+
+- if (st->cur_skb->next) {
+- st->cur_skb = st->cur_skb->next;
++ if (st->root_skb == st->cur_skb &&
++ skb_shinfo(st->root_skb)->frag_list) {
++ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ st->frag_idx = 0;
+ goto next_skb;
+- } else if (st->root_skb == st->cur_skb &&
+- skb_shinfo(st->root_skb)->frag_list) {
+- st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
++ } else if (st->cur_skb->next) {
++ st->cur_skb = st->cur_skb->next;
+ st->frag_idx = 0;
+ goto next_skb;
+ }
--- /dev/null
+From 59cd3da7fe7657e61d0959cbf1c7651878a9c508 Mon Sep 17 00:00:00 2001
+From: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+Date: Fri, 30 Jan 2009 23:37:17 +0000
+Subject: net: packet socket packet_lookup_frame fix
+
+From: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+
+[ Upstream commit f9e6934502e46c363100245f137ddf0f4b1cb574 ]
+
+packet_lookup_frames() fails to get user frame if current frame header
+status contains extra flags.
+This is due to the wrong assumption on the operators precedence during
+frame status tests.
+Fixed by forcing the right operators precedence order with explicit brackets.
+
+Signed-off-by: Paolo Abeni <paolo.abeni@gmail.com>
+Signed-off-by: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/packet/af_packet.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -220,13 +220,13 @@ static void *packet_lookup_frame(struct
+ h.raw = po->pg_vec[pg_vec_pos] + (frame_offset * po->frame_size);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+- if (status != h.h1->tp_status ? TP_STATUS_USER :
+- TP_STATUS_KERNEL)
++ if (status != (h.h1->tp_status ? TP_STATUS_USER :
++ TP_STATUS_KERNEL))
+ return NULL;
+ break;
+ case TPACKET_V2:
+- if (status != h.h2->tp_status ? TP_STATUS_USER :
+- TP_STATUS_KERNEL)
++ if (status != (h.h2->tp_status ? TP_STATUS_USER :
++ TP_STATUS_KERNEL))
+ return NULL;
+ break;
+ }
--- /dev/null
+From e871f1e7faf4962733bf77baf188020a2b0bca80 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 30 Jan 2009 14:12:06 -0800
+Subject: packet: Avoid lock_sock in mmap handler
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 905db44087855e3c1709f538ecdc22fd149cadd8 ]
+
+As the mmap handler gets called under mmap_sem, and we may grab
+mmap_sem elsewhere under the socket lock to access user data, we
+should avoid grabbing the socket lock in the mmap handler.
+
+Since the only thing we care about in the mmap handler is for
+pg_vec* to be invariant, i.e., to exclude packet_set_ring, we
+can achieve this by simply using a new mutex.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Martin MOKREJŠ <mmokrejs@ribosome.natur.cuni.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/packet/af_packet.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -77,6 +77,7 @@
+ #include <linux/poll.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
++#include <linux/mutex.h>
+
+ #ifdef CONFIG_INET
+ #include <net/inet_common.h>
+@@ -175,6 +176,7 @@ struct packet_sock {
+ #endif
+ struct packet_type prot_hook;
+ spinlock_t bind_lock;
++ struct mutex pg_vec_lock;
+ unsigned int running:1, /* prot_hook is attached*/
+ auxdata:1,
+ origdev:1;
+@@ -1068,6 +1070,7 @@ static int packet_create(struct net *net
+ */
+
+ spin_lock_init(&po->bind_lock);
++ mutex_init(&po->pg_vec_lock);
+ po->prot_hook.func = packet_rcv;
+
+ if (sock->type == SOCK_PACKET)
+@@ -1863,6 +1866,7 @@ static int packet_set_ring(struct sock *
+ synchronize_net();
+
+ err = -EBUSY;
++ mutex_lock(&po->pg_vec_lock);
+ if (closing || atomic_read(&po->mapped) == 0) {
+ err = 0;
+ #define XC(a, b) ({ __typeof__ ((a)) __t; __t = (a); (a) = (b); __t; })
+@@ -1884,6 +1888,7 @@ static int packet_set_ring(struct sock *
+ if (atomic_read(&po->mapped))
+ printk(KERN_DEBUG "packet_mmap: vma is busy: %d\n", atomic_read(&po->mapped));
+ }
++ mutex_unlock(&po->pg_vec_lock);
+
+ spin_lock(&po->bind_lock);
+ if (was_running && !po->running) {
+@@ -1916,7 +1921,7 @@ static int packet_mmap(struct file *file
+
+ size = vma->vm_end - vma->vm_start;
+
+- lock_sock(sk);
++ mutex_lock(&po->pg_vec_lock);
+ if (po->pg_vec == NULL)
+ goto out;
+ if (size != po->pg_vec_len*po->pg_vec_pages*PAGE_SIZE)
+@@ -1939,7 +1944,7 @@ static int packet_mmap(struct file *file
+ err = 0;
+
+ out:
+- release_sock(sk);
++ mutex_unlock(&po->pg_vec_lock);
+ return err;
+ }
+ #endif
--- /dev/null
+From d1c8b7c0840db53de8406c52a7802dff4cdc34b2 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:52:43 -0800
+Subject: sctp: Correctly start rtx timer on new packet transmissions.
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 6574df9a89f9f7da3a4e5cee7633d430319d3350 ]
+
+Commit 62aeaff5ccd96462b7077046357a6d7886175a57
+(sctp: Start T3-RTX timer when fast retransmitting lowest TSN)
+introduced a regression where it was possible to forcibly
+restart the sctp retransmit timer at the transmission of any
+new chunk. This resulted in much longer timeout times and
+sometimes hung sctp connections.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/outqueue.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -929,7 +929,6 @@ static int sctp_outq_flush(struct sctp_o
+ }
+
+ /* Finally, transmit new packets. */
+- start_timer = 0;
+ while ((chunk = sctp_outq_dequeue_data(q)) != NULL) {
+ /* RFC 2960 6.5 Every DATA chunk MUST carry a valid
+ * stream identifier.
+@@ -1028,7 +1027,7 @@ static int sctp_outq_flush(struct sctp_o
+ list_add_tail(&chunk->transmitted_list,
+ &transport->transmitted);
+
+- sctp_transport_reset_timers(transport, start_timer-1);
++ sctp_transport_reset_timers(transport, 0);
+
+ q->empty = 0;
+
--- /dev/null
+From a5ccfc822cffbe48a873765997f7bb55a1ebd635 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:52:23 -0800
+Subject: sctp: Fix crc32c calculations on big-endian arhes.
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 9c5ff5f75d0d0a1c7928ecfae3f38418b51a88e3 ]
+
+crc32c algorithm provides a byteswaped result. On little-endian
+arches, the result ends up in big-endian/network byte order.
+On big-endinan arches, the result ends up in little-endian
+order and needs to be byte swapped again. Thus calling cpu_to_le32
+gives the right output.
+
+Tested-by: Jukka Taimisto <jukka.taimisto@mail.suomi.net>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/sctp/checksum.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/sctp/checksum.h
++++ b/include/net/sctp/checksum.h
+@@ -79,5 +79,5 @@ static inline __be32 sctp_update_cksum(_
+
+ static inline __be32 sctp_end_cksum(__be32 crc32)
+ {
+- return ~crc32;
++ return (__force __be32)~cpu_to_le32((__force u32)crc32);
+ }
--- /dev/null
+From 8605e580f3a0f30bd125654a81efd21f230f632a Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:53:01 -0800
+Subject: sctp: Properly timestamp outgoing data chunks for rtx purposes
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 759af00ebef858015eb68876ac1f383bcb6a1774 ]
+
+Recent changes to the retransmit code exposed a long standing
+bug where it was possible for a chunk to be time stamped
+after the retransmit timer was reset. This caused a rare
+situation where the retrnamist timer has expired, but
+nothing was marked for retrnasmission because all of
+timesamps on data were less then 1 rto ago. As result,
+the timer was never restarted since nothing was retransmitted,
+and this resulted in a hung association that did couldn't
+complete the data transfer. The solution is to timestamp
+the chunk when it's added to the packet for transmission
+purposes. After the packet is trsnmitted the rtx timer
+is restarted. This guarantees that when the timer expires,
+there will be data to retransmit.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/output.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -324,14 +324,16 @@ append:
+ switch (chunk->chunk_hdr->type) {
+ case SCTP_CID_DATA:
+ retval = sctp_packet_append_data(packet, chunk);
++ if (SCTP_XMIT_OK != retval)
++ goto finish;
+ /* Disallow SACK bundling after DATA. */
+ packet->has_sack = 1;
+ /* Disallow AUTH bundling after DATA */
+ packet->has_auth = 1;
+ /* Let it be knows that packet has DATA in it */
+ packet->has_data = 1;
+- if (SCTP_XMIT_OK != retval)
+- goto finish;
++ /* timestamp the chunk for rtx purposes */
++ chunk->sent_at = jiffies;
+ break;
+ case SCTP_CID_COOKIE_ECHO:
+ packet->has_cookie_echo = 1;
+@@ -470,7 +472,6 @@ int sctp_packet_transmit(struct sctp_pac
+ } else
+ chunk->resent = 1;
+
+- chunk->sent_at = jiffies;
+ has_data = 1;
+ }
+
x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch
zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch
zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch
+sctp-fix-crc32c-calculations-on-big-endian-arhes.patch
+sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch
+sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch
+drivers-net-skfp-if-capable-inverted-logic.patch
+ipv4-fix-infinite-retry-loop-in-ip-config.patch
+ipv6-disallow-rediculious-flowlabel-option-sizes.patch
+ipv6-copy-cork-options-in-ip6_append_data.patch
+net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch
+net-packet-socket-packet_lookup_frame-fix.patch
+sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch
+sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch
+tun-add-some-missing-tun-compat-ioctl-translations.patch
+tun-fix-unicast-filter-overflow.patch
+udp-fix-udp-short-packet-false-positive.patch
+udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch
+virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch
+net-fix-frag_list-handling-in-skb_seq_read.patch
+net-fix-oops-in-skb_seq_read.patch
+packet-avoid-lock_sock-in-mmap-handler.patch
+tcp-splice-as-many-packets-as-possible-at-once.patch
+tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch
+sparc-enable-syscall-wrappers-for-64-bit.patch
+sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch
--- /dev/null
+From e3b60d791cce9b5de6312843e574cd11620fb3a6 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Fri, 30 Jan 2009 13:45:31 -0800
+Subject: sky2: fix hard hang with netconsoling and iface going up
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit a11da890e4c9850411303efcf6514f048ca880ee ]
+
+Printing anything over netconsole before hw is up and running is,
+of course, not going to work.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/sky2.c
++++ b/drivers/net/sky2.c
+@@ -1403,9 +1403,6 @@ static int sky2_up(struct net_device *de
+
+ }
+
+- if (netif_msg_ifup(sky2))
+- printk(KERN_INFO PFX "%s: enabling interface\n", dev->name);
+-
+ netif_carrier_off(dev);
+
+ /* must be power of 2 */
+@@ -1484,6 +1481,9 @@ static int sky2_up(struct net_device *de
+ sky2_write32(hw, B0_IMSK, imask);
+
+ sky2_set_multicast(dev);
++
++ if (netif_msg_ifup(sky2))
++ printk(KERN_INFO PFX "%s: enabling interface\n", dev->name);
+ return 0;
+
+ err_out:
--- /dev/null
+From bad0923f942edb79ee035cffe215459e3f21fa9d Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 13 Feb 2009 01:08:47 -0800
+Subject: sparc: Enable syscall wrappers for 64-bit (CVE-2009-0029)
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit 67605d6812691bbd2158d2f60259e0407611bc1b ]
+
+sparc64 needs sign-extended function parameters. We have to enable
+the system call wrappers.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sparc64/Kconfig
++++ b/arch/sparc64/Kconfig
+@@ -15,6 +15,7 @@ config SPARC64
+ select HAVE_FTRACE
+ select HAVE_IDE
+ select HAVE_LMB
++ select HAVE_SYSCALL_WRAPPERS
+ select HAVE_ARCH_KGDB
+ select USE_GENERIC_SMP_HELPERS if SMP
+ select HAVE_ARCH_TRACEHOOK
--- /dev/null
+From f2085346544d6e165997090afdb4502d025a375a Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Fri, 13 Feb 2009 01:09:19 -0800
+Subject: sparc64: Annotate sparc64 specific syscalls with SYSCALL_DEFINEx()
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit e42650196df34789c825fa83f8bb37a5d5e52c14 ]
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/sys_sparc.c | 48 +++++++++++++++++++---------------------
+ arch/sparc64/kernel/syscalls.S | 2 -
+ arch/sparc64/kernel/systbls.S | 16 ++++++-------
+ arch/sparc64/kernel/systbls.h | 3 --
+ 4 files changed, 32 insertions(+), 37 deletions(-)
+
+--- a/arch/sparc64/kernel/syscalls.S
++++ b/arch/sparc64/kernel/syscalls.S
+@@ -21,7 +21,7 @@ execve_merge:
+
+ .align 32
+ sys_sparc_pipe:
+- ba,pt %xcc, sparc_pipe
++ ba,pt %xcc, sys_sparc_pipe_real
+ add %sp, PTREGS_OFF, %o0
+ sys_nis_syscall:
+ ba,pt %xcc, c_sys_nis_syscall
+--- a/arch/sparc64/kernel/sys_sparc.c
++++ b/arch/sparc64/kernel/sys_sparc.c
+@@ -397,7 +397,7 @@ void arch_pick_mmap_layout(struct mm_str
+ }
+ }
+
+-asmlinkage unsigned long sparc_brk(unsigned long brk)
++SYSCALL_DEFINE1(sparc_brk, unsigned long, brk)
+ {
+ /* People could try to be nasty and use ta 0x6d in 32bit programs */
+ if (test_thread_flag(TIF_32BIT) && brk >= STACK_TOP32)
+@@ -413,7 +413,7 @@ asmlinkage unsigned long sparc_brk(unsig
+ * sys_pipe() is the normal C calling standard for creating
+ * a pipe. It's not the way unix traditionally does this, though.
+ */
+-asmlinkage long sparc_pipe(struct pt_regs *regs)
++SYSCALL_DEFINE1(sparc_pipe_real, struct pt_regs *, regs)
+ {
+ int fd[2];
+ int error;
+@@ -433,8 +433,8 @@ out:
+ * This is really horribly ugly.
+ */
+
+-asmlinkage long sys_ipc(unsigned int call, int first, unsigned long second,
+- unsigned long third, void __user *ptr, long fifth)
++SYSCALL_DEFINE6(ipc, unsigned int, call, int, first, unsigned long, second,
++ unsigned long, third, void __user *, ptr, long, fifth)
+ {
+ long err;
+
+@@ -517,7 +517,7 @@ out:
+ return err;
+ }
+
+-asmlinkage long sparc64_newuname(struct new_utsname __user *name)
++SYSCALL_DEFINE1(sparc64_newuname, struct new_utsname __user *, name)
+ {
+ int ret = sys_newuname(name);
+
+@@ -528,7 +528,7 @@ asmlinkage long sparc64_newuname(struct
+ return ret;
+ }
+
+-asmlinkage long sparc64_personality(unsigned long personality)
++SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality)
+ {
+ int ret;
+
+@@ -562,9 +562,9 @@ int sparc_mmap_check(unsigned long addr,
+ }
+
+ /* Linux version of mmap */
+-asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+- unsigned long prot, unsigned long flags, unsigned long fd,
+- unsigned long off)
++SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
++ unsigned long, prot, unsigned long, flags, unsigned long, fd,
++ unsigned long, off)
+ {
+ struct file * file = NULL;
+ unsigned long retval = -EBADF;
+@@ -587,7 +587,7 @@ out:
+ return retval;
+ }
+
+-asmlinkage long sys64_munmap(unsigned long addr, size_t len)
++SYSCALL_DEFINE2(64_munmap, unsigned long, addr, size_t, len)
+ {
+ long ret;
+
+@@ -604,9 +604,9 @@ extern unsigned long do_mremap(unsigned
+ unsigned long old_len, unsigned long new_len,
+ unsigned long flags, unsigned long new_addr);
+
+-asmlinkage unsigned long sys64_mremap(unsigned long addr,
+- unsigned long old_len, unsigned long new_len,
+- unsigned long flags, unsigned long new_addr)
++SYSCALL_DEFINE5(64_mremap, unsigned long, addr, unsigned long, old_len,
++ unsigned long, new_len, unsigned long, flags,
++ unsigned long, new_addr)
+ {
+ unsigned long ret = -EINVAL;
+
+@@ -669,7 +669,7 @@ asmlinkage void sparc_breakpoint(struct
+
+ extern void check_pending(int signum);
+
+-asmlinkage long sys_getdomainname(char __user *name, int len)
++SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
+ {
+ int nlen, err;
+
+@@ -692,11 +692,10 @@ out:
+ return err;
+ }
+
+-asmlinkage long sys_utrap_install(utrap_entry_t type,
+- utrap_handler_t new_p,
+- utrap_handler_t new_d,
+- utrap_handler_t __user *old_p,
+- utrap_handler_t __user *old_d)
++SYSCALL_DEFINE5(utrap_install, utrap_entry_t, type,
++ utrap_handler_t, new_p, utrap_handler_t, new_d,
++ utrap_handler_t __user *, old_p,
++ utrap_handler_t __user *, old_d)
+ {
+ if (type < UT_INSTRUCTION_EXCEPTION || type > UT_TRAP_INSTRUCTION_31)
+ return -EINVAL;
+@@ -762,11 +761,9 @@ asmlinkage long sparc_memory_ordering(un
+ return 0;
+ }
+
+-asmlinkage long sys_rt_sigaction(int sig,
+- const struct sigaction __user *act,
+- struct sigaction __user *oact,
+- void __user *restorer,
+- size_t sigsetsize)
++SYSCALL_DEFINE5(rt_sigaction, int, sig, const struct sigaction __user *, act,
++ struct sigaction __user *, oact, void __user *, restorer,
++ size_t, sigsetsize)
+ {
+ struct k_sigaction new_ka, old_ka;
+ int ret;
+@@ -806,7 +803,8 @@ asmlinkage void update_perfctrs(void)
+ reset_pic();
+ }
+
+-asmlinkage long sys_perfctr(int opcode, unsigned long arg0, unsigned long arg1, unsigned long arg2)
++SYSCALL_DEFINE4(perfctr, int, opcode, unsigned long, arg0,
++ unsigned long, arg1, unsigned long, arg2)
+ {
+ int err = 0;
+
+--- a/arch/sparc64/kernel/systbls.h
++++ b/arch/sparc64/kernel/systbls.h
+@@ -16,9 +16,6 @@ extern asmlinkage long sys_ipc(unsigned
+ void __user *ptr, long fifth);
+ extern asmlinkage long sparc64_newuname(struct new_utsname __user *name);
+ extern asmlinkage long sparc64_personality(unsigned long personality);
+-extern asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+- unsigned long prot, unsigned long flags,
+- unsigned long fd, unsigned long off);
+ extern asmlinkage long sys64_munmap(unsigned long addr, size_t len);
+ extern asmlinkage unsigned long sys64_mremap(unsigned long addr,
+ unsigned long old_len,
+--- a/arch/sparc64/kernel/systbls.S
++++ b/arch/sparc64/kernel/systbls.S
+@@ -21,7 +21,7 @@ sys_call_table32:
+ /*0*/ .word sys_restart_syscall, sys32_exit, sys_fork, sys_read, sys_write
+ /*5*/ .word sys32_open, sys_close, sys32_wait4, sys32_creat, sys_link
+ /*10*/ .word sys_unlink, sunos_execv, sys_chdir, sys_chown16, sys32_mknod
+-/*15*/ .word sys_chmod, sys_lchown16, sparc_brk, sys32_perfctr, sys32_lseek
++/*15*/ .word sys_chmod, sys_lchown16, sys_sparc_brk, sys32_perfctr, sys32_lseek
+ /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid16, sys_getuid16
+ /*25*/ .word sys32_vmsplice, compat_sys_ptrace, sys_alarm, sys32_sigaltstack, sys32_pause
+ /*30*/ .word compat_sys_utime, sys_lchown, sys_fchown, sys32_access, sys32_nice
+@@ -55,8 +55,8 @@ sys_call_table32:
+ /*170*/ .word sys32_lsetxattr, sys32_fsetxattr, sys_getxattr, sys_lgetxattr, compat_sys_getdents
+ .word sys_setsid, sys_fchdir, sys32_fgetxattr, sys_listxattr, sys_llistxattr
+ /*180*/ .word sys32_flistxattr, sys_removexattr, sys_lremovexattr, compat_sys_sigpending, sys_ni_syscall
+- .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sparc64_newuname
+-/*190*/ .word sys32_init_module, sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl
++ .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sys_sparc64_newuname
++/*190*/ .word sys32_init_module, sys_sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl
+ .word sys32_epoll_wait, sys32_ioprio_set, sys_getppid, sys32_sigaction, sys_sgetmask
+ /*200*/ .word sys32_ssetmask, sys_sigsuspend, compat_sys_newlstat, sys_uselib, compat_sys_old_readdir
+ .word sys32_readahead, sys32_socketcall, sys32_syslog, sys32_lookup_dcookie, sys32_fadvise64
+@@ -95,7 +95,7 @@ sys_call_table:
+ /*0*/ .word sys_restart_syscall, sparc_exit, sys_fork, sys_read, sys_write
+ /*5*/ .word sys_open, sys_close, sys_wait4, sys_creat, sys_link
+ /*10*/ .word sys_unlink, sys_nis_syscall, sys_chdir, sys_chown, sys_mknod
+-/*15*/ .word sys_chmod, sys_lchown, sparc_brk, sys_perfctr, sys_lseek
++/*15*/ .word sys_chmod, sys_lchown, sys_sparc_brk, sys_perfctr, sys_lseek
+ /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid, sys_getuid
+ /*25*/ .word sys_vmsplice, sys_ptrace, sys_alarm, sys_sigaltstack, sys_nis_syscall
+ /*30*/ .word sys_utime, sys_nis_syscall, sys_nis_syscall, sys_access, sys_nice
+@@ -106,7 +106,7 @@ sys_call_table:
+ .word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve
+ /*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize
+ .word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall
+-/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect
++/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys_64_munmap, sys_mprotect
+ .word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups
+ /*80*/ .word sys_setgroups, sys_getpgrp, sys_nis_syscall, sys_setitimer, sys_nis_syscall
+ .word sys_swapon, sys_getitimer, sys_nis_syscall, sys_sethostname, sys_nis_syscall
+@@ -129,8 +129,8 @@ sys_call_table:
+ /*170*/ .word sys_lsetxattr, sys_fsetxattr, sys_getxattr, sys_lgetxattr, sys_getdents
+ .word sys_setsid, sys_fchdir, sys_fgetxattr, sys_listxattr, sys_llistxattr
+ /*180*/ .word sys_flistxattr, sys_removexattr, sys_lremovexattr, sys_nis_syscall, sys_ni_syscall
+- .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sparc64_newuname
+-/*190*/ .word sys_init_module, sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl
++ .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sys_sparc64_newuname
++/*190*/ .word sys_init_module, sys_sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl
+ .word sys_epoll_wait, sys_ioprio_set, sys_getppid, sys_nis_syscall, sys_sgetmask
+ /*200*/ .word sys_ssetmask, sys_nis_syscall, sys_newlstat, sys_uselib, sys_nis_syscall
+ .word sys_readahead, sys_socketcall, sys_syslog, sys_lookup_dcookie, sys_fadvise64
+@@ -142,7 +142,7 @@ sys_call_table:
+ .word sys_fstatfs64, sys_llseek, sys_mlock, sys_munlock, sys_mlockall
+ /*240*/ .word sys_munlockall, sys_sched_setparam, sys_sched_getparam, sys_sched_setscheduler, sys_sched_getscheduler
+ .word sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep
+-/*250*/ .word sys64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
++/*250*/ .word sys_64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
+ .word sys_sync_file_range, sys_clock_settime, sys_clock_gettime, sys_clock_getres, sys_clock_nanosleep
+ /*260*/ .word sys_sched_getaffinity, sys_sched_setaffinity, sys_timer_settime, sys_timer_gettime, sys_timer_getoverrun
+ .word sys_timer_delete, sys_timer_create, sys_ni_syscall, sys_io_setup, sys_io_destroy
--- /dev/null
+From a6133d3d189be4b3685f12c4765128fff23ea03c Mon Sep 17 00:00:00 2001
+From: Ilkka Virta <itvirta@iki.fi>
+Date: Fri, 6 Feb 2009 22:00:36 -0800
+Subject: sungem: Soft lockup in sungem on Netra AC200 when switching interface up
+
+From: Ilkka Virta <itvirta@iki.fi>
+
+[ Upstream commit 71822faa3bc0af5dbf5e333a2d085f1ed7cd809f ]
+
+From: Ilkka Virta <itvirta@iki.fi>
+
+In the lockup situation the driver seems to go off in an eternal storm
+of interrupts right after calling request_irq(). It doesn't actually
+do anything interesting in the interrupt handler. Since connecting the link
+afterwards works, something later in initialization must fix this.
+
+Looking at gem_do_start() and gem_open(), it seems that the only thing
+done while opening the device after the request_irq(), is a call to
+napi_enable().
+
+I don't know what the ordering requirements are for the
+initialization, but I boldly tried to move the napi_enable() call
+inside gem_do_start() before the link state is checked and interrupts
+subsequently enabled, and it seems to work for me. Doesn't even break
+anything too obvious...
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sungem.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/sungem.c
++++ b/drivers/net/sungem.c
+@@ -2205,6 +2205,8 @@ static int gem_do_start(struct net_devic
+
+ gp->running = 1;
+
++ napi_enable(&gp->napi);
++
+ if (gp->lstate == link_up) {
+ netif_carrier_on(gp->dev);
+ gem_set_link_modes(gp);
+@@ -2222,6 +2224,8 @@ static int gem_do_start(struct net_devic
+ spin_lock_irqsave(&gp->lock, flags);
+ spin_lock(&gp->tx_lock);
+
++ napi_disable(&gp->napi);
++
+ gp->running = 0;
+ gem_reset(gp);
+ gem_clean_rings(gp);
+@@ -2322,8 +2326,6 @@ static int gem_open(struct net_device *d
+ if (!gp->asleep)
+ rc = gem_do_start(dev);
+ gp->opened = (rc == 0);
+- if (gp->opened)
+- napi_enable(&gp->napi);
+
+ mutex_unlock(&gp->pm_mutex);
+
+@@ -2460,8 +2462,6 @@ static int gem_resume(struct pci_dev *pd
+
+ /* Re-attach net device */
+ netif_device_attach(dev);
+-
+- napi_enable(&gp->napi);
+ }
+
+ spin_lock_irqsave(&gp->lock, flags);
--- /dev/null
+From 45262a3e575776645d55687df78e92e908dee3f7 Mon Sep 17 00:00:00 2001
+From: Dimitris Michailidis <dm@chelsio.com>
+Date: Mon, 26 Jan 2009 22:15:31 -0800
+Subject: tcp: Fix length tcp_splice_data_recv passes to skb_splice_bits.
+
+From: Dimitris Michailidis <dm@chelsio.com>
+
+[ Upstream commit 9fa5fdf291c9b58b1cb8b4bb2a0ee57efa21d635 ]
+
+tcp_splice_data_recv has two lengths to consider: the len parameter it
+gets from tcp_read_sock, which specifies the amount of data in the skb,
+and rd_desc->count, which is the amount of data the splice caller still
+wants. Currently it passes just the latter to skb_splice_bits, which then
+splices min(rd_desc->count, skb->len - offset) bytes.
+
+Most of the time this is fine, except when the skb contains urgent data.
+In that case len goes only up to the urgent byte and is less than
+skb->len - offset. By ignoring len tcp_splice_data_recv may a) splice
+data tcp_read_sock told it not to, b) return to tcp_read_sock a value > len.
+
+Now, tcp_read_sock doesn't handle used > len and leaves the socket in a
+bad state (both sk_receive_queue and copied_seq are bad at that point)
+resulting in duplicated data and corruption.
+
+Fix by passing min(rd_desc->count, len) to skb_splice_bits.
+
+Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
+Acked-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -520,7 +520,8 @@ static int tcp_splice_data_recv(read_des
+ struct tcp_splice_state *tss = rd_desc->arg.data;
+ int ret;
+
+- ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags);
++ ret = skb_splice_bits(skb, offset, tss->pipe, min(rd_desc->count, len),
++ tss->flags);
+ if (ret > 0)
+ rd_desc->count -= ret;
+ return ret;
--- /dev/null
+From 844a8e92acab3d388d4380fc85705118034d84bb Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 13 Jan 2009 16:04:36 -0800
+Subject: tcp: splice as many packets as possible at once
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 33966dd0e2f68f26943cd9ee93ec6abbc6547a8e ]
+
+As spotted by Willy Tarreau, current splice() from tcp socket to pipe is not
+optimal. It processes at most one segment per call.
+This results in low performance and very high overhead due to syscall rate
+when splicing from interfaces which do not support LRO.
+
+Willy provided a patch inside tcp_splice_read(), but a better fix
+is to let tcp_read_sock() process as many segments as possible, so
+that tcp_rcv_space_adjust() and tcp_cleanup_rbuf() are called less
+often.
+
+With this change, splice() behaves like tcp_recvmsg(), being able
+to consume many skbs in one system call. With typical 1460 bytes
+of payload per frame, that means splice(SPLICE_F_NONBLOCK) can return
+16*1460 = 23360 bytes.
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -518,8 +518,12 @@ static int tcp_splice_data_recv(read_des
+ unsigned int offset, size_t len)
+ {
+ struct tcp_splice_state *tss = rd_desc->arg.data;
++ int ret;
+
+- return skb_splice_bits(skb, offset, tss->pipe, tss->len, tss->flags);
++ ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags);
++ if (ret > 0)
++ rd_desc->count -= ret;
++ return ret;
+ }
+
+ static int __tcp_splice_read(struct sock *sk, struct tcp_splice_state *tss)
+@@ -527,6 +531,7 @@ static int __tcp_splice_read(struct sock
+ /* Store TCP splice context information in read_descriptor_t. */
+ read_descriptor_t rd_desc = {
+ .arg.data = tss,
++ .count = tss->len,
+ };
+
+ return tcp_read_sock(sk, &rd_desc, tcp_splice_data_recv);
+@@ -611,11 +616,13 @@ ssize_t tcp_splice_read(struct socket *s
+ tss.len -= ret;
+ spliced += ret;
+
++ if (!timeo)
++ break;
+ release_sock(sk);
+ lock_sock(sk);
+
+ if (sk->sk_err || sk->sk_state == TCP_CLOSE ||
+- (sk->sk_shutdown & RCV_SHUTDOWN) || !timeo ||
++ (sk->sk_shutdown & RCV_SHUTDOWN) ||
+ signal_pending(current))
+ break;
+ }
--- /dev/null
+From 2c635c93983244e9957cadabee918597da8146b1 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Thu, 29 Jan 2009 16:53:35 -0800
+Subject: tun: Add some missing TUN compat ioctl translations.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit df1c46b2b6876d0a1b1b4740f009fa69d95ebbc9 ]
+
+Based upon a report from Michael Tokarev <mjt@tls.msk.ru>:
+
+ Just saw in dmesg:
+
+ ioctl32(kvm:4408): Unknown cmd fd(9) cmd(800454cf){t:'T';sz:4} arg(ffc668e4) on /dev/net/tun
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/compat_ioctl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -538,6 +538,7 @@ static int dev_ifsioc(unsigned int fd, u
+ * cannot be fixed without breaking all existing apps.
+ */
+ case TUNSETIFF:
++ case TUNGETIFF:
+ case SIOCGIFFLAGS:
+ case SIOCGIFMETRIC:
+ case SIOCGIFMTU:
+@@ -1982,6 +1983,11 @@ COMPATIBLE_IOCTL(TUNSETNOCSUM)
+ COMPATIBLE_IOCTL(TUNSETDEBUG)
+ COMPATIBLE_IOCTL(TUNSETPERSIST)
+ COMPATIBLE_IOCTL(TUNSETOWNER)
++COMPATIBLE_IOCTL(TUNSETLINK)
++COMPATIBLE_IOCTL(TUNSETGROUP)
++COMPATIBLE_IOCTL(TUNGETFEATURES)
++COMPATIBLE_IOCTL(TUNSETOFFLOAD)
++COMPATIBLE_IOCTL(TUNSETTXFILTER)
+ /* Big V */
+ COMPATIBLE_IOCTL(VT_SETMODE)
+ COMPATIBLE_IOCTL(VT_GETMODE)
+@@ -2573,6 +2579,7 @@ HANDLE_IOCTL(SIOCGIFPFLAGS, dev_ifsioc)
+ HANDLE_IOCTL(SIOCGIFTXQLEN, dev_ifsioc)
+ HANDLE_IOCTL(SIOCSIFTXQLEN, dev_ifsioc)
+ HANDLE_IOCTL(TUNSETIFF, dev_ifsioc)
++HANDLE_IOCTL(TUNGETIFF, dev_ifsioc)
+ HANDLE_IOCTL(SIOCETHTOOL, ethtool_ioctl)
+ HANDLE_IOCTL(SIOCBONDENSLAVE, bond_ioctl)
+ HANDLE_IOCTL(SIOCBONDRELEASE, bond_ioctl)
--- /dev/null
+From 815708e60c61da198bc6dde8b85fa503bcc135a9 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@hp.com>
+Date: Sun, 8 Feb 2009 17:49:17 -0800
+Subject: tun: Fix unicast filter overflow
+
+From: Alex Williamson <alex.williamson@hp.com>
+
+[ Upstream commit cfbf84fcbcda98bb91ada683a8dc8e6901a83ebd ]
+
+Tap devices can make use of a small MAC filter set via the
+TUNSETTXFILTER ioctl. The filter has a set of exact matches
+plus a hash for imperfect filtering of additional multicast
+addresses. The current code is unbalanced, adding unicast
+addresses to the multicast hash, but only checking the hash
+against multicast addresses. This results in the filter
+dropping unicast addresses that overflow the exact filter.
+The fix is simply to disable the filter by leaving count set
+to zero if we find non-multicast addresses after the exact
+match table is filled.
+
+Signed-off-by: Alex Williamson <alex.williamson@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tun.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -157,10 +157,16 @@ static int update_filter(struct tap_filt
+
+ nexact = n;
+
+- /* The rest is hashed */
++ /* Remaining multicast addresses are hashed,
++ * unicast will leave the filter disabled. */
+ memset(filter->mask, 0, sizeof(filter->mask));
+- for (; n < uf.count; n++)
++ for (; n < uf.count; n++) {
++ if (!is_multicast_ether_addr(addr[n].u)) {
++ err = 0; /* no filter */
++ goto done;
++ }
+ addr_hash_set(filter->mask, addr[n].u);
++ }
+
+ /* For ALLMULTI just set the mask to all ones.
+ * This overrides the mask populated above. */
--- /dev/null
+From 789feade658bc1a1b7d7b6520f3976a3497966a0 Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer <hawk@comx.dk>
+Date: Thu, 5 Feb 2009 15:05:45 -0800
+Subject: udp: Fix UDP short packet false positive
+
+From: Jesper Dangaard Brouer <hawk@comx.dk>
+
+[ Upstream commit 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 ]
+
+The UDP header pointer assignment must happen after calling
+pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB
+buffer.
+
+This was exposted by running multicast traffic through the NIU driver,
+as it won't prepull the protocol headers into the linear area on
+receive.
+
+Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1172,7 +1172,7 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ int proto)
+ {
+ struct sock *sk;
+- struct udphdr *uh = udp_hdr(skb);
++ struct udphdr *uh;
+ unsigned short ulen;
+ struct rtable *rt = (struct rtable*)skb->dst;
+ __be32 saddr = ip_hdr(skb)->saddr;
+@@ -1185,6 +1185,7 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ if (!pskb_may_pull(skb, sizeof(struct udphdr)))
+ goto drop; /* No space for header. */
+
++ uh = udp_hdr(skb);
+ ulen = ntohs(uh->len);
+ if (ulen > skb->len)
+ goto short_packet;
--- /dev/null
+From 94eff2d5648eed5f42dc18ce8aca591fa9cf394f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <dada1@cosmosbay.com>
+Date: Mon, 2 Feb 2009 13:41:57 -0800
+Subject: udp: increments sk_drops in __udp_queue_rcv_skb()
+
+From: Eric Dumazet <dada1@cosmosbay.com>
+
+[ Upstream commit e408b8dcb5ce42243a902205005208e590f28454 ]
+
+Commit 93821778def10ec1e69aa3ac10adee975dad4ff3 (udp: Fix rcv socket
+locking) accidentally removed sk_drops increments for UDP IPV4
+sockets.
+
+This field can be used to detect incorrect sizing of socket receive
+buffers.
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -959,9 +959,11 @@ static int __udp_queue_rcv_skb(struct so
+
+ if ((rc = sock_queue_rcv_skb(sk, skb)) < 0) {
+ /* Note that an ENOMEM error is charged twice */
+- if (rc == -ENOMEM)
++ if (rc == -ENOMEM) {
+ UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
+ is_udplite);
++ atomic_inc(&sk->sk_drops);
++ }
+ goto drop;
+ }
+
--- /dev/null
+From fdf1cf0ff6e25f4e3490da18b5de1162aa7bac3b Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@hp.com>
+Date: Fri, 13 Feb 2009 00:06:29 -0800
+Subject: virtio_net: Fix MAX_PACKET_LEN to support 802.1Q VLANs
+
+From: Alex Williamson <alex.williamson@hp.com>
+
+[ Upstream commit e918085aaff34086e265f825dd469926b1aec4a4 ]
+
+802.1Q expanded the maximum ethernet frame size by 4 bytes for the
+VLAN tag. We're not taking this into account in virtio_net, which
+means the buffers we provide to the backend in the virtqueue RX ring
+aren't big enough to hold a full MTU VLAN packet. For QEMU/KVM,
+this results in the backend exiting with a packet truncation error.
+
+Signed-off-by: Alex Williamson <alex.williamson@hp.com>
+Acked-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/virtio_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -24,6 +24,7 @@
+ #include <linux/virtio.h>
+ #include <linux/virtio_net.h>
+ #include <linux/scatterlist.h>
++#include <linux/if_vlan.h>
+
+ static int napi_weight = 128;
+ module_param(napi_weight, int, 0444);
+@@ -33,7 +34,7 @@ module_param(csum, bool, 0444);
+ module_param(gso, bool, 0444);
+
+ /* FIXME: MTU in config. */
+-#define MAX_PACKET_LEN (ETH_HLEN+ETH_DATA_LEN)
++#define MAX_PACKET_LEN (ETH_HLEN + VLAN_HLEN + ETH_DATA_LEN)
+
+ struct virtnet_info
+ {
projects / thirdparty / kernel / stable-queue.git / commitdiff
