--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sat, 14 Mar 2015 05:22:21 +0000
+Subject: caif: fix MSG_OOB test in caif_seqpkt_recvmsg()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+[ Upstream commit 3eeff778e00c956875c70b145c52638c313dfb23 ]
+
+It should be checking flags, not msg->msg_flags. It's ->sendmsg()
+instances that need to look for that in ->msg_flags, ->recvmsg() ones
+(including the other ->recvmsg() instance in that file, as well as
+unix_dgram_recvmsg() this one claims to be imitating) check in flags.
+Braino had been introduced in commit dcda13 ("caif: Bugfix - use MSG_TRUNC
+in receive") back in 2010, so it goes quite a while back.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -281,7 +281,7 @@ static int caif_seqpkt_recvmsg(struct ki
+ int copylen;
+
+ ret = -EOPNOTSUPP;
+- if (m->msg_flags&MSG_OOB)
++ if (flags & MSG_OOB)
+ goto read_error;
+
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 13 Mar 2015 09:49:59 -0700
+Subject: inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c8e2c80d7ec00d020320f905822bf49c5ad85250 ]
+
+inet_diag_dump_one_icsk() allocates too small skb.
+
+Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
+so that it can be updated if/when new attributes are added.
+
+iproute2/ss currently does not use this dump_one() interface,
+this might explain nobody noticed this problem yet.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_diag.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_hand
+ mutex_unlock(&inet_diag_table_mutex);
+ }
+
++static size_t inet_sk_attr_size(void)
++{
++ return nla_total_size(sizeof(struct tcp_info))
++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
++ + nla_total_size(1) /* INET_DIAG_TOS */
++ + nla_total_size(1) /* INET_DIAG_TCLASS */
++ + nla_total_size(sizeof(struct inet_diag_meminfo))
++ + nla_total_size(sizeof(struct inet_diag_msg))
++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
++ + nla_total_size(TCP_CA_NAME_MAX)
++ + nla_total_size(sizeof(struct tcpvegas_info))
++ + 64;
++}
++
+ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
+ struct sk_buff *skb, struct inet_diag_req_v2 *req,
+ struct user_namespace *user_ns,
+@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_
+ if (err)
+ goto out;
+
+- rep = nlmsg_new(sizeof(struct inet_diag_msg) +
+- sizeof(struct inet_diag_meminfo) +
+- sizeof(struct tcp_info) + 64, GFP_KERNEL);
++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL);
+ if (!rep) {
+ err = -ENOMEM;
+ goto out;
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 19 Mar 2015 11:22:32 +0100
+Subject: ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 8e199dfd82ee097b522b00344af6448715d8ee0c ]
+
+Matt Grant reported frequent crashes in ipv6_select_ident when
+udp6_ufo_fragment is called from openvswitch on a skb that doesn't
+have a dst_entry set.
+
+ipv6_proxy_select_ident generates the frag_id without using the dst
+associated with the skb. This approach was suggested by Vladislav
+Yasevich.
+
+Fixes: 0508c07f5e0c ("ipv6: Select fragment id during UFO segmentation if not set.")
+Cc: Vladislav Yasevich <vyasevic@redhat.com>
+Reported-by: Matt Grant <matt@mattgrant.net.nz>
+Tested-by: Matt Grant <matt@mattgrant.net.nz>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Vladislav Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp_offload.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -112,11 +112,9 @@ static struct sk_buff *udp6_ufo_fragment
+ fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
+ fptr->nexthdr = nexthdr;
+ fptr->reserved = 0;
+- if (skb_shinfo(skb)->ip6_frag_id)
+- fptr->identification = skb_shinfo(skb)->ip6_frag_id;
+- else
+- ipv6_select_ident(fptr,
+- (struct rt6_info *)skb_dst(skb));
++ if (!skb_shinfo(skb)->ip6_frag_id)
++ ipv6_proxy_select_ident(skb);
++ fptr->identification = skb_shinfo(skb)->ip6_frag_id;
+
+ /* Fragment the skb. ipv6 header and the remaining fields of the
+ * fragment header are updated in ipv6_gso_segment()
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Steven Barth <cyrus@openwrt.org>
+Date: Thu, 19 Mar 2015 16:16:04 +0100
+Subject: ipv6: fix backtracking for throw routes
+
+From: Steven Barth <cyrus@openwrt.org>
+
+[ Upstream commit 73ba57bfae4a1914f6a6dac71e3168dd900e00af ]
+
+for throw routes to trigger evaluation of other policy rules
+EAGAIN needs to be propagated up to fib_rules_lookup
+similar to how its done for IPv4
+
+A simple testcase for verification is:
+
+ip -6 rule add lookup 33333 priority 33333
+ip -6 route add throw 2001:db8::1
+ip -6 route add 2001:db8::1 via fe80::1 dev wlan0 table 33333
+ip route get 2001:db8::1
+
+Signed-off-by: Steven Barth <cyrus@openwrt.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/fib6_rules.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_r
+ goto again;
+ flp6->saddr = saddr;
+ }
++ err = rt->dst.error;
+ goto out;
+ }
+ again:
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Fri, 20 Mar 2015 16:48:13 +0000
+Subject: net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+[ Upstream commit 91edd096e224941131f896b86838b1e59553696a ]
+
+Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an
+error) introduced the clamping of msg_namelen when the unsigned value
+was larger than sizeof(struct sockaddr_storage). This caused a
+msg_namelen of -1 to be valid. The native code was subsequently fixed by
+commit dbb490b96584 (net: socket: error on a negative msg_namelen).
+
+In addition, the native code sets msg_namelen to 0 when msg_name is
+NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen
+to 0 if msg_name is passed as NULL in msghdr struct from userland) and
+subsequently updated by 08adb7dabd48 (fold verify_iovec() into
+copy_msghdr_from_user()).
+
+This patch brings the get_compat_msghdr() in line with
+copy_msghdr_from_user().
+
+Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error)
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/compat.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -49,6 +49,13 @@ ssize_t get_compat_msghdr(struct msghdr
+ __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
++
++ if (!uaddr)
++ kmsg->msg_namelen = 0;
++
++ if (kmsg->msg_namelen < 0)
++ return -EINVAL;
++
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ kmsg->msg_control = compat_ptr(tmp3);
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Nimrod Andy <B38611@freescale.com>
+Date: Tue, 10 Mar 2015 19:09:41 +0800
+Subject: net: fec: fix receive VLAN CTAG HW acceleration issue
+
+From: Nimrod Andy <B38611@freescale.com>
+
+[ Upstream commit af5cbc9822f6bbe399925760a4d5ee82c21f258c ]
+
+The current driver support receive VLAN CTAG HW acceleration feature
+(NETIF_F_HW_VLAN_CTAG_RX) through software simulation. There calls the
+api .skb_copy_to_linear_data_offset() to skip the VLAN tag, but there
+have overlap between the two memory data point range. The patch just fix
+the issue.
+
+V2:
+Michael Grzeschik suggest to use memmove() instead of skb_copy_to_linear_data_offset().
+
+Reported-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Fixes: 1b7bde6d659d ("net: fec: implement rx_copybreak to improve rx performance")
+Signed-off-by: Fugang Duan <B38611@freescale.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1448,8 +1448,7 @@ fec_enet_rx_queue(struct net_device *nde
+
+ vlan_packet_rcvd = true;
+
+- skb_copy_to_linear_data_offset(skb, VLAN_HLEN,
+- data, (2 * ETH_ALEN));
++ memmove(skb->data + VLAN_HLEN, data, ETH_ALEN * 2);
+ skb_pull(skb, VLAN_HLEN);
+ }
+
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Wed, 18 Mar 2015 16:51:36 +0200
+Subject: net/mlx4_en: Fix off-by-one in ethtool statistics display
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit a16f3565703cfc3094938fb3c979cbb90f6d9eb4 ]
+
+NUM_PORT_STATS was 9 instead of 10, which caused off-by-one bug when
+displaying the statistics starting from tx_chksum_offload in ethtool.
+
+Fixes: f8c6455bb04b ('net/mlx4_en: Extend checksum offloading by CHECKSUM COMPLETE')
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+@@ -451,7 +451,7 @@ struct mlx4_en_port_stats {
+ unsigned long rx_chksum_none;
+ unsigned long rx_chksum_complete;
+ unsigned long tx_chksum_offload;
+-#define NUM_PORT_STATS 9
++#define NUM_PORT_STATS 10
+ };
+
+ struct mlx4_en_perf_stats {
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Wed, 11 Mar 2015 14:29:17 +0300
+Subject: net: sysctl_net_core: check SNDBUF and RCVBUF for min length
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+[ Upstream commit b1cb59cf2efe7971d3d72a7b963d09a512d994c9 ]
+
+sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
+set to incorrect values. Given that 'struct sk_buff' allocates from
+rcvbuf, incorrectly set buffer length could result to memory
+allocation failures. For example, set them as follows:
+
+ # sysctl net.core.rmem_default=64
+ net.core.wmem_default = 64
+ # sysctl net.core.wmem_default=64
+ net.core.wmem_default = 64
+ # ping localhost -s 1024 -i 0 > /dev/null
+
+This could result to the following failure:
+
+skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
+head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
+kernel BUG at net/core/skbuff.c:102!
+invalid opcode: 0000 [#1] SMP
+...
+task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
+RIP: 0010:[<ffffffff8155fbd1>] [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
+RSP: 0018:ffff88003ae8bc68 EFLAGS: 00010296
+RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
+RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
+RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
+R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
+FS: 00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
+Stack:
+ ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
+ ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
+ ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
+Call Trace:
+ [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
+ [<ffffffff81556f56>] sock_write_iter+0x146/0x160
+ [<ffffffff811d9612>] new_sync_write+0x92/0xd0
+ [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
+ [<ffffffff811da499>] SyS_write+0x59/0xd0
+ [<ffffffff81651532>] system_call_fastpath+0x12/0x17
+Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
+ 00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
+ eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
+RIP [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
+RSP <ffff88003ae8bc68>
+Kernel panic - not syncing: Fatal exception
+
+Moreover, the possible minimum is 1, so we can get another kernel panic:
+...
+BUG: unable to handle kernel paging request at ffff88013caee5c0
+IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
+...
+
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sysctl_net_core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -25,6 +25,8 @@
+ static int zero = 0;
+ static int one = 1;
+ static int ushort_max = USHRT_MAX;
++static int min_sndbuf = SOCK_MIN_SNDBUF;
++static int min_rcvbuf = SOCK_MIN_RCVBUF;
+
+ static int net_msg_warn; /* Unused, but still a sysctl */
+
+@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[]
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &one,
++ .extra1 = &min_sndbuf,
+ },
+ {
+ .procname = "rmem_max",
+@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[]
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &one,
++ .extra1 = &min_rcvbuf,
+ },
+ {
+ .procname = "wmem_default",
+@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[]
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &one,
++ .extra1 = &min_sndbuf,
+ },
+ {
+ .procname = "rmem_default",
+@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[]
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &one,
++ .extra1 = &min_rcvbuf,
+ },
+ {
+ .procname = "dev_weight",
--- /dev/null
+From 4de930efc23b92ddf88ce91c405ee645fe6e27ea Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 20 Mar 2015 17:41:43 +0000
+Subject: net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
+
+ if (len > INT_MAX)
+ len = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+
+ if (size > INT_MAX)
+ size = INT_MAX;
++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
++ return -EFAULT;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 9 Mar 2015 17:03:40 -0700
+Subject: net_sched: fix struct tc_u_hnode layout in u32
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 5778d39d070b4ac5f889928175b7f2d53ae7504e ]
+
+We dynamically allocate divisor+1 entries for ->ht[] in tc_u_hnode:
+
+ ht = kzalloc(sizeof(*ht) + divisor*sizeof(void *), GFP_KERNEL);
+
+So ->ht is supposed to be the last field of this struct, however
+this is broken, since an rcu head is appended after it.
+
+Fixes: 1ce87720d456 ("net: sched: make cls_u32 lockless")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -78,8 +78,11 @@ struct tc_u_hnode {
+ struct tc_u_common *tp_c;
+ int refcnt;
+ unsigned int divisor;
+- struct tc_u_knode __rcu *ht[1];
+ struct rcu_head rcu;
++ /* The 'ht' field MUST be the last field in structure to allow for
++ * more entries allocated at end of structure.
++ */
++ struct tc_u_knode __rcu *ht[1];
+ };
+
+ struct tc_u_common {
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 11 Mar 2015 22:46:59 +0100
+Subject: rds: avoid potential stack overflow
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit f862e07cf95d5b62a5fc5e981dd7d0dbaf33a501 ]
+
+The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
+on the stack in order to pass a pair of addresses. This happens to just
+fit withint the 1024 byte stack size warning limit on x86, but just
+exceed that limit on ARM, which gives us this warning:
+
+net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
+
+As the use of this large variable is basically bogus, we can rearrange
+the code to not do that. Instead of passing an rds socket into
+rds_iw_get_device, we now just pass the two addresses that we have
+available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
+to create two address structures on the stack there.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+--- a/net/rds/iw_rdma.c
++++ b/net/rds/iw_rdma.c
+@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg
+ int *unpinned);
+ static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
+
+-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
++ struct rds_iw_device **rds_iwdev,
++ struct rdma_cm_id **cm_id)
+ {
+ struct rds_iw_device *iwdev;
+ struct rds_iw_cm_id *i_cm_id;
+@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_
+ src_addr->sin_port,
+ dst_addr->sin_addr.s_addr,
+ dst_addr->sin_port,
+- rs->rs_bound_addr,
+- rs->rs_bound_port,
+- rs->rs_conn_addr,
+- rs->rs_conn_port);
++ src->sin_addr.s_addr,
++ src->sin_port,
++ dst->sin_addr.s_addr,
++ dst->sin_port);
+ #ifdef WORKING_TUPLE_DETECTION
+- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
+- src_addr->sin_port == rs->rs_bound_port &&
+- dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
+- dst_addr->sin_port == rs->rs_conn_port) {
++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
++ src_addr->sin_port == src->sin_port &&
++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
++ dst_addr->sin_port == dst->sin_port) {
+ #else
+ /* FIXME - needs to compare the local and remote
+ * ipaddr/port tuple, but the ipaddr is the only
+@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_
+ * zero'ed. It doesn't appear to be properly populated
+ * during connection setup...
+ */
+- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
+ #endif
+ spin_unlock_irq(&iwdev->spinlock);
+ *rds_iwdev = iwdev;
+@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_de
+ {
+ struct sockaddr_in *src_addr, *dst_addr;
+ struct rds_iw_device *rds_iwdev_old;
+- struct rds_sock rs;
+ struct rdma_cm_id *pcm_id;
+ int rc;
+
+ src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
+ dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
+
+- rs.rs_bound_addr = src_addr->sin_addr.s_addr;
+- rs.rs_bound_port = src_addr->sin_port;
+- rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
+- rs.rs_conn_port = dst_addr->sin_port;
+-
+- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
+ if (rc)
+ rds_iw_remove_cm_id(rds_iwdev, cm_id);
+
+@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *
+ struct rds_iw_device *rds_iwdev;
+ struct rds_iw_mr *ibmr = NULL;
+ struct rdma_cm_id *cm_id;
++ struct sockaddr_in src = {
++ .sin_addr.s_addr = rs->rs_bound_addr,
++ .sin_port = rs->rs_bound_port,
++ };
++ struct sockaddr_in dst = {
++ .sin_addr.s_addr = rs->rs_conn_addr,
++ .sin_port = rs->rs_conn_port,
++ };
+ int ret;
+
+- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
+ if (ret || !cm_id) {
+ ret = -ENODEV;
+ goto out;
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Ondrej Zary <linux@rainbow-software.org>
+Date: Wed, 18 Mar 2015 23:01:01 +0100
+Subject: Revert "net: cx82310_eth: use common match macro"
+
+From: Ondrej Zary <linux@rainbow-software.org>
+
+[ Upstream commit 8d006e0105978619fb472e150c88b0d49337fe2b ]
+
+This reverts commit 11ad714b98f6d9ca0067568442afe3e70eb94845 because
+it breaks cx82310_eth.
+
+The custom USB_DEVICE_CLASS macro matches
+bDeviceClass, bDeviceSubClass and bDeviceProtocol
+but the common USB_DEVICE_AND_INTERFACE_INFO matches
+bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol instead, which are
+not specified.
+
+Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cx82310_eth.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -300,9 +300,18 @@ static const struct driver_info cx82310_
+ .tx_fixup = cx82310_tx_fixup,
+ };
+
++#define USB_DEVICE_CLASS(vend, prod, cl, sc, pr) \
++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \
++ USB_DEVICE_ID_MATCH_DEV_INFO, \
++ .idVendor = (vend), \
++ .idProduct = (prod), \
++ .bDeviceClass = (cl), \
++ .bDeviceSubClass = (sc), \
++ .bDeviceProtocol = (pr)
++
+ static const struct usb_device_id products[] = {
+ {
+- USB_DEVICE_AND_INTERFACE_INFO(0x0572, 0xcb01, 0xff, 0, 0),
++ USB_DEVICE_CLASS(0x0572, 0xcb01, 0xff, 0, 0),
+ .driver_info = (unsigned long) &cx82310_info
+ },
+ { },
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sat, 14 Mar 2015 05:34:56 +0000
+Subject: rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+[ Upstream commit 7d985ed1dca5c90535d67ce92ef6ca520302340a ]
+
+[I would really like an ACK on that one from dhowells; it appears to be
+quite straightforward, but...]
+
+MSG_PEEK isn't passed to ->recvmsg() via msg->msg_flags; as the matter of
+fact, neither the kernel users of rxrpc, nor the syscalls ever set that bit
+in there. It gets passed via flags; in fact, another such check in the same
+function is done correctly - as flags & MSG_PEEK.
+
+It had been that way (effectively disabled) for 8 years, though, so the patch
+needs beating up - that case had never been tested. If it is correct, it's
+-stable fodder.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-recvmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/ar-recvmsg.c
++++ b/net/rxrpc/ar-recvmsg.c
+@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, st
+ if (!skb) {
+ /* nothing remains on the queue */
+ if (copied &&
+- (msg->msg_flags & MSG_PEEK || timeo == 0))
++ (flags & MSG_PEEK || timeo == 0))
+ goto out;
+
+ /* wait for a message to turn up */
sparc-perf-make-counting-mode-actually-work.patch
sparc-touch-nmi-watchdog-when-walking-cpus-and-calling-printk.patch
sparc64-fix-several-bugs-in-memmove.patch
+net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch
+net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch
+tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch
+tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch
+net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch
+rds-avoid-potential-stack-overflow.patch
+virtio-net-correctly-delete-napi-hash.patch
+inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch
+caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch
+rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch
+net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch
+revert-net-cx82310_eth-use-common-match-macro.patch
+ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch
+ipv6-fix-backtracking-for-throw-routes.patch
+tcp-fix-tcp-fin-memory-accounting.patch
+net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch
+net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Josh Hunt <johunt@akamai.com>
+Date: Thu, 19 Mar 2015 19:19:30 -0400
+Subject: tcp: fix tcp fin memory accounting
+
+From: Josh Hunt <johunt@akamai.com>
+
+[ Upstream commit d22e1537181188e5dc8cbc51451832625035bdc2 ]
+
+tcp_send_fin() does not account for the memory it allocates properly, so
+sk_forward_alloc can be negative in cases where we've sent a FIN:
+
+ss example output (ss -amn | grep -B1 f4294):
+tcp FIN-WAIT-1 0 1 192.168.0.1:45520 192.0.2.1:8080
+ skmem:(r0,rb87380,t0,tb87380,f4294966016,w1280,o0,bl0)
+Acked-by: Eric Dumazet <edumazet@google.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2775,15 +2775,11 @@ void tcp_send_fin(struct sock *sk)
+ } else {
+ /* Socket is locked, keep trying until memory is available. */
+ for (;;) {
+- skb = alloc_skb_fclone(MAX_TCP_HEADER,
+- sk->sk_allocation);
++ skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
+ if (skb)
+ break;
+ yield();
+ }
+-
+- /* Reserve space for headers and prepare control bits. */
+- skb_reserve(skb, MAX_TCP_HEADER);
+ /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
+ tcp_init_nondata_skb(skb, tp->write_seq,
+ TCPHDR_ACK | TCPHDR_FIN);
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Neal Cardwell <ncardwell@google.com>
+Date: Tue, 10 Mar 2015 17:17:03 -0400
+Subject: tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 9949afa42be0b76f5832db112ce51bb6b35b2abb ]
+
+The recent change to tcp_cong_avoid_ai() to handle stretch ACKs
+introduced a bug where snd_cwnd_cnt could accumulate a very large
+value while w was large, and then if w was reduced snd_cwnd could be
+incremented by a large delta, leading to a large burst and high packet
+loss. This was tickled when CUBIC's bictcp_update() sets "ca->cnt =
+100 * cwnd".
+
+This bug crept in while preparing the upstream version of
+814d488c6126.
+
+Testing: This patch has been tested in datacenter netperf transfers
+and live youtube.com and google.com servers.
+
+Fixes: 814d488c6126 ("tcp: fix the timid additive increase on stretch ACKs")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_cong.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -309,6 +309,12 @@ EXPORT_SYMBOL_GPL(tcp_slow_start);
+ */
+ void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked)
+ {
++ /* If credits accumulated at a higher w, apply them gently now. */
++ if (tp->snd_cwnd_cnt >= w) {
++ tp->snd_cwnd_cnt = 0;
++ tp->snd_cwnd++;
++ }
++
+ tp->snd_cwnd_cnt += acked;
+ if (tp->snd_cwnd_cnt >= w) {
+ u32 delta = tp->snd_cwnd_cnt / w;
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Neal Cardwell <ncardwell@google.com>
+Date: Tue, 10 Mar 2015 17:17:04 -0400
+Subject: tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit d578e18ce93f5d33a7120fd57c453e22a4c0fc37 ]
+
+Commit 814d488c6126 ("tcp: fix the timid additive increase on stretch
+ACKs") fixed a bug where tcp_cong_avoid_ai() would either credit a
+connection with an increase of snd_cwnd_cnt, or increase snd_cwnd, but
+not both, resulting in cwnd increasing by 1 packet on at most every
+alternate invocation of tcp_cong_avoid_ai().
+
+Although the commit correctly implemented the CUBIC algorithm, which
+can increase cwnd by as much as 1 packet per 1 packet ACKed (2x per
+RTT), in practice that could be too aggressive: in tests on network
+paths with small buffers, YouTube server retransmission rates nearly
+doubled.
+
+This commit restores CUBIC to a maximum cwnd growth rate of 1 packet
+per 2 packets ACKed (1.5x per RTT). In YouTube tests this restored
+retransmit rates to low levels.
+
+Testing: This patch has been tested in datacenter netperf transfers
+and live youtube.com and google.com servers.
+
+Fixes: 9cd981dcf174 ("tcp: fix stretch ACK bugs in CUBIC")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_cubic.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_cubic.c
++++ b/net/ipv4/tcp_cubic.c
+@@ -306,8 +306,10 @@ tcp_friendliness:
+ }
+ }
+
+- if (ca->cnt == 0) /* cannot be zero */
+- ca->cnt = 1;
++ /* The maximum rate of cwnd increase CUBIC allows is 1 packet per
++ * 2 packets ACKed, meaning cwnd grows at 1.5x per RTT.
++ */
++ ca->cnt = max(ca->cnt, 2U);
+ }
+
+ static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked)
--- /dev/null
+From foo@baz Tue Mar 24 11:00:07 CET 2015
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 12 Mar 2015 13:57:44 +0800
+Subject: virtio-net: correctly delete napi hash
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit ab3971b1e7d72270a2a259a29c1a40351b889740 ]
+
+We don't delete napi from hash list during module exit. This will
+cause the following panic when doing module load and unload:
+
+BUG: unable to handle kernel paging request at 0000004e00000075
+IP: [<ffffffff816bd01b>] napi_hash_add+0x6b/0xf0
+PGD 3c5d5067 PUD 0
+Oops: 0000 [#1] SMP
+...
+Call Trace:
+[<ffffffffa0a5bfb7>] init_vqs+0x107/0x490 [virtio_net]
+[<ffffffffa0a5c9f2>] virtnet_probe+0x562/0x791815639d880be [virtio_net]
+[<ffffffff8139e667>] virtio_dev_probe+0x137/0x200
+[<ffffffff814c7f2a>] driver_probe_device+0x7a/0x250
+[<ffffffff814c81d3>] __driver_attach+0x93/0xa0
+[<ffffffff814c8140>] ? __device_attach+0x40/0x40
+[<ffffffff814c6053>] bus_for_each_dev+0x63/0xa0
+[<ffffffff814c7a79>] driver_attach+0x19/0x20
+[<ffffffff814c76f0>] bus_add_driver+0x170/0x220
+[<ffffffffa0a60000>] ? 0xffffffffa0a60000
+[<ffffffff814c894f>] driver_register+0x5f/0xf0
+[<ffffffff8139e41b>] register_virtio_driver+0x1b/0x30
+[<ffffffffa0a60010>] virtio_net_driver_init+0x10/0x12 [virtio_net]
+
+This patch fixes this by doing this in virtnet_free_queues(). And also
+don't delete napi in virtnet_freeze() since it will call
+virtnet_free_queues() which has already did this.
+
+Fixes 91815639d880 ("virtio-net: rx busy polling support")
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1444,8 +1444,10 @@ static void virtnet_free_queues(struct v
+ {
+ int i;
+
+- for (i = 0; i < vi->max_queue_pairs; i++)
++ for (i = 0; i < vi->max_queue_pairs; i++) {
++ napi_hash_del(&vi->rq[i].napi);
+ netif_napi_del(&vi->rq[i].napi);
++ }
+
+ kfree(vi->rq);
+ kfree(vi->sq);
+@@ -1936,11 +1938,8 @@ static int virtnet_freeze(struct virtio_
+ cancel_delayed_work_sync(&vi->refill);
+
+ if (netif_running(vi->dev)) {
+- for (i = 0; i < vi->max_queue_pairs; i++) {
++ for (i = 0; i < vi->max_queue_pairs; i++)
+ napi_disable(&vi->rq[i].napi);
+- napi_hash_del(&vi->rq[i].napi);
+- netif_napi_del(&vi->rq[i].napi);
+- }
+ }
+
+ remove_vq_common(vi);
projects / thirdparty / kernel / stable-queue.git / commitdiff
