From: Greg Kroah-Hartman Date: Thu, 16 May 2013 21:56:40 +0000 (-0400) Subject: 3.4-stable patches X-Git-Tag: v3.0.79~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0764c2300458fbabc2f104ef383097ee0ee12e72;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: 3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch 3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch 3c59x-fix-pci-resource-management.patch bridge-fix-race-with-topology-change-timer.patch if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch ipv6-do-not-clear-pinet6-field.patch macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch net_sched-act_ipt-forward-compat-with-xtables.patch net-use-netdev_features_t-in-skb_needs_linearize.patch net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch tcp-force-a-dst-refcount-when-prequeue-packet.patch xfrm6-release-dev-before-returning-error.patch --- diff --git a/queue-3.4/3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch b/queue-3.4/3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch new file mode 100644 index 00000000000..ea74b3568c1 --- /dev/null +++ b/queue-3.4/3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch @@ -0,0 +1,49 @@ +From 6f21f55ed973d7c575fc108e88d8107fba5d5fe0 Mon Sep 17 00:00:00 2001 +From: Matthew Whitehead +Date: Mon, 29 Apr 2013 17:46:53 -0400 +Subject: 3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA) + + +From: Matthew Whitehead + +[ Upstream commit 3b54912f9cd167641b91d4a697bd742f70e534fe ] + +The venerable 3c509 driver only sets its device parent in one case, the ISAPnP one. +It does this with the SET_NETDEV_DEV function. It should register with the device +hierarchy in two additional cases: standard (non-PnP) ISA and EISA. + +- Currently they appear here: +/sys/devices/virtual/net/eth0 (standard ISA) +/sys/devices/virtual/net/eth1 (EISA) + +- Rather, they should instead be here: +/sys/devices/isa/3c509.0/net/eth0 (standard ISA) +/sys/devices/pci0000:00/0000:00:07.0/00:04/net/eth1 (EISA) + +Tested on ISA and EISA boards. + +Signed-off-by: Matthew Whitehead +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/3c509.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/3com/3c509.c ++++ b/drivers/net/ethernet/3com/3c509.c +@@ -309,6 +309,7 @@ static int __devinit el3_isa_match(struc + if (!dev) + return -ENOMEM; + ++ SET_NETDEV_DEV(dev, pdev); + netdev_boot_setup_check(dev); + + if (!request_region(ioaddr, EL3_IO_EXTENT, "3c509-isa")) { +@@ -704,6 +705,7 @@ static int __init el3_eisa_probe (struct + return -ENOMEM; + } + ++ SET_NETDEV_DEV(dev, device); + netdev_boot_setup_check(dev); + + el3_dev_fill(dev, phys_addr, ioaddr, irq, if_port, EL3_EISA); diff --git a/queue-3.4/3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch b/queue-3.4/3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch new file mode 100644 index 00000000000..534a240ec7f --- /dev/null +++ b/queue-3.4/3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch @@ -0,0 +1,40 @@ +From 3704390b7899e0c022c2d30396956521e8b97015 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Thu, 2 May 2013 11:10:22 +0000 +Subject: 3c59x: fix freeing nonexistent resource on driver unload + + +From: Sergei Shtylyov + +[ Upstream commit c81400be716aa4c76f6ebf339ba94358dbbf6da6 ] + +When unloading the driver that drives an EISA board, a message similar to the +following one is displayed: + +Trying to free nonexistent resource <0000000000013000-000000000001301f> + +Then an user is unable to reload the driver because the resource it requested in +the previous load hasn't been freed. This happens most probably due to a typo in +vortex_eisa_remove() which calls release_region() with 'dev->base_addr' instead +of 'edev->base_addr'... + +Reported-by: Matthew Whitehead +Tested-by: Matthew Whitehead +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/3c59x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/3com/3c59x.c ++++ b/drivers/net/ethernet/3com/3c59x.c +@@ -951,7 +951,7 @@ static int __devexit vortex_eisa_remove( + + unregister_netdev(dev); + iowrite16(TotalReset|0x14, ioaddr + EL3_CMD); +- release_region(dev->base_addr, VORTEX_TOTAL_SIZE); ++ release_region(edev->base_addr, VORTEX_TOTAL_SIZE); + + free_netdev(dev); + return 0; diff --git a/queue-3.4/3c59x-fix-pci-resource-management.patch b/queue-3.4/3c59x-fix-pci-resource-management.patch new file mode 100644 index 00000000000..a1fe86a9bda --- /dev/null +++ b/queue-3.4/3c59x-fix-pci-resource-management.patch @@ -0,0 +1,105 @@ +From 1752dd39967f4db52197135a1867bdc85dbf0d84 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Thu, 9 May 2013 11:14:07 +0000 +Subject: 3c59x: fix PCI resource management + + +From: Sergei Shtylyov + +[ Upstream commit 4b264a1676e70dc656ba53a8cac690f2d4b65f4e ] + +The driver wrongly claimed I/O ports at an address returned by pci_iomap() -- +even if it was passed an MMIO address. Fix this by claiming/releasing all PCI +resources in the PCI driver's probe()/remove() methods instead and get rid of +'must_free_region' flag weirdness (why would Cardbus claim anything for us?). + +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/3c59x.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/3com/3c59x.c ++++ b/drivers/net/ethernet/3com/3c59x.c +@@ -632,7 +632,6 @@ struct vortex_private { + pm_state_valid:1, /* pci_dev->saved_config_space has sane contents */ + open:1, + medialock:1, +- must_free_region:1, /* Flag: if zero, Cardbus owns the I/O region */ + large_frames:1, /* accept large frames */ + handling_irq:1; /* private in_irq indicator */ + /* {get|set}_wol operations are already serialized by rtnl. +@@ -1012,6 +1011,12 @@ static int __devinit vortex_init_one(str + if (rc < 0) + goto out; + ++ rc = pci_request_regions(pdev, DRV_NAME); ++ if (rc < 0) { ++ pci_disable_device(pdev); ++ goto out; ++ } ++ + unit = vortex_cards_found; + + if (global_use_mmio < 0 && (unit >= MAX_UNITS || use_mmio[unit] < 0)) { +@@ -1027,6 +1032,7 @@ static int __devinit vortex_init_one(str + if (!ioaddr) /* If mapping fails, fall-back to BAR 0... */ + ioaddr = pci_iomap(pdev, 0, 0); + if (!ioaddr) { ++ pci_release_regions(pdev); + pci_disable_device(pdev); + rc = -ENOMEM; + goto out; +@@ -1036,6 +1042,7 @@ static int __devinit vortex_init_one(str + ent->driver_data, unit); + if (rc < 0) { + pci_iounmap(pdev, ioaddr); ++ pci_release_regions(pdev); + pci_disable_device(pdev); + goto out; + } +@@ -1179,11 +1186,6 @@ static int __devinit vortex_probe1(struc + + /* PCI-only startup logic */ + if (pdev) { +- /* EISA resources already marked, so only PCI needs to do this here */ +- /* Ignore return value, because Cardbus drivers already allocate for us */ +- if (request_region(dev->base_addr, vci->io_size, print_name) != NULL) +- vp->must_free_region = 1; +- + /* enable bus-mastering if necessary */ + if (vci->flags & PCI_USES_MASTER) + pci_set_master(pdev); +@@ -1221,7 +1223,7 @@ static int __devinit vortex_probe1(struc + &vp->rx_ring_dma); + retval = -ENOMEM; + if (!vp->rx_ring) +- goto free_region; ++ goto free_device; + + vp->tx_ring = (struct boom_tx_desc *)(vp->rx_ring + RX_RING_SIZE); + vp->tx_ring_dma = vp->rx_ring_dma + sizeof(struct boom_rx_desc) * RX_RING_SIZE; +@@ -1486,9 +1488,7 @@ free_ring: + + sizeof(struct boom_tx_desc) * TX_RING_SIZE, + vp->rx_ring, + vp->rx_ring_dma); +-free_region: +- if (vp->must_free_region) +- release_region(dev->base_addr, vci->io_size); ++free_device: + free_netdev(dev); + pr_err(PFX "vortex_probe1 fails. Returns %d\n", retval); + out: +@@ -3256,8 +3256,9 @@ static void __devexit vortex_remove_one( + + sizeof(struct boom_tx_desc) * TX_RING_SIZE, + vp->rx_ring, + vp->rx_ring_dma); +- if (vp->must_free_region) +- release_region(dev->base_addr, vp->io_size); ++ ++ pci_release_regions(pdev); ++ + free_netdev(dev); + } + diff --git a/queue-3.4/bridge-fix-race-with-topology-change-timer.patch b/queue-3.4/bridge-fix-race-with-topology-change-timer.patch new file mode 100644 index 00000000000..80737f0317a --- /dev/null +++ b/queue-3.4/bridge-fix-race-with-topology-change-timer.patch @@ -0,0 +1,37 @@ +From 471842a45ef380de09b74cbd4b09f7d6f202dfc7 Mon Sep 17 00:00:00 2001 +From: stephen hemminger +Date: Thu, 2 May 2013 14:23:28 +0000 +Subject: bridge: fix race with topology change timer + + +From: stephen hemminger + +[ Upstream commit 83401eb4990ff6af55aeed8f49681558544192e6 ] + +A bridge should only send topology change notice if it is not +the root bridge. It is possible for message age timer to elect itself +as a new root bridge, and still have a topology change timer running +but waiting for bridge lock on other CPU. + +Solve the race by checking if we are root bridge before continuing. +This was the root cause of the cases where br_send_tcn_bpdu would OOPS. + +Reported-by: JerryKang +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_stp_timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bridge/br_stp_timer.c ++++ b/net/bridge/br_stp_timer.c +@@ -107,7 +107,7 @@ static void br_tcn_timer_expired(unsigne + + br_debug(br, "tcn timer expired\n"); + spin_lock(&br->lock); +- if (br->dev->flags & IFF_UP) { ++ if (!br_is_root_bridge(br) && (br->dev->flags & IFF_UP)) { + br_transmit_tcn(br); + + mod_timer(&br->tcn_timer,jiffies + br->bridge_hello_time); diff --git a/queue-3.4/if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch b/queue-3.4/if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch new file mode 100644 index 00000000000..c963cca4e0f --- /dev/null +++ b/queue-3.4/if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch @@ -0,0 +1,40 @@ +From 798440a12e3cda06a03e9aa84787703c32ec5f7a Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Wed, 8 May 2013 09:45:47 +0000 +Subject: if_cablemodem.h: Add parenthesis around ioctl macros + + +From: Josh Boyer + +[ Upstream commit 4f924b2aa4d3cb30f07e57d6b608838edcbc0d88 ] + +Protect the SIOCGCM* ioctl macros with parenthesis. + +Reported-by: Paul Wouters +Signed-off-by: Josh Boyer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_cablemodem.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/include/linux/if_cablemodem.h ++++ b/include/linux/if_cablemodem.h +@@ -12,11 +12,11 @@ + */ + + /* some useful defines for sb1000.c e cmconfig.c - fv */ +-#define SIOCGCMSTATS SIOCDEVPRIVATE+0 /* get cable modem stats */ +-#define SIOCGCMFIRMWARE SIOCDEVPRIVATE+1 /* get cm firmware version */ +-#define SIOCGCMFREQUENCY SIOCDEVPRIVATE+2 /* get cable modem frequency */ +-#define SIOCSCMFREQUENCY SIOCDEVPRIVATE+3 /* set cable modem frequency */ +-#define SIOCGCMPIDS SIOCDEVPRIVATE+4 /* get cable modem PIDs */ +-#define SIOCSCMPIDS SIOCDEVPRIVATE+5 /* set cable modem PIDs */ ++#define SIOCGCMSTATS (SIOCDEVPRIVATE+0) /* get cable modem stats */ ++#define SIOCGCMFIRMWARE (SIOCDEVPRIVATE+1) /* get cm firmware version */ ++#define SIOCGCMFREQUENCY (SIOCDEVPRIVATE+2) /* get cable modem frequency */ ++#define SIOCSCMFREQUENCY (SIOCDEVPRIVATE+3) /* set cable modem frequency */ ++#define SIOCGCMPIDS (SIOCDEVPRIVATE+4) /* get cable modem PIDs */ ++#define SIOCSCMPIDS (SIOCDEVPRIVATE+5) /* set cable modem PIDs */ + + #endif diff --git a/queue-3.4/ipv6-do-not-clear-pinet6-field.patch b/queue-3.4/ipv6-do-not-clear-pinet6-field.patch new file mode 100644 index 00000000000..30732658606 --- /dev/null +++ b/queue-3.4/ipv6-do-not-clear-pinet6-field.patch @@ -0,0 +1,163 @@ +From f1d01a0708c7017820f1a6ddfa90baa2ba9214d1 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 9 May 2013 10:28:16 +0000 +Subject: ipv6: do not clear pinet6 field + + +From: Eric Dumazet + +[ Upstream commit f77d602124d865c38705df7fa25c03de9c284ad2 ] + +We have seen multiple NULL dereferences in __inet6_lookup_established() + +After analysis, I found that inet6_sk() could be NULL while the +check for sk_family == AF_INET6 was true. + +Bug was added in linux-2.6.29 when RCU lookups were introduced in UDP +and TCP stacks. + +Once an IPv6 socket, using SLAB_DESTROY_BY_RCU is inserted in a hash +table, we no longer can clear pinet6 field. + +This patch extends logic used in commit fcbdf09d9652c891 +("net: fix nulls list corruptions in sk_prot_alloc") + +TCP/UDP/UDPLite IPv6 protocols provide their own .clear_sk() method +to make sure we do not clear pinet6 field. + +At socket clone phase, we do not really care, as cloning the parent (non +NULL) pinet6 is not adding a fatal race. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 12 ++++++++++++ + net/core/sock.c | 12 ------------ + net/ipv6/tcp_ipv6.c | 12 ++++++++++++ + net/ipv6/udp.c | 13 ++++++++++++- + net/ipv6/udp_impl.h | 2 ++ + net/ipv6/udplite.c | 2 +- + 6 files changed, 39 insertions(+), 14 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -793,6 +793,18 @@ struct inet_hashinfo; + struct raw_hashinfo; + struct module; + ++/* ++ * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes ++ * un-modified. Special care is taken when initializing object to zero. ++ */ ++static inline void sk_prot_clear_nulls(struct sock *sk, int size) ++{ ++ if (offsetof(struct sock, sk_node.next) != 0) ++ memset(sk, 0, offsetof(struct sock, sk_node.next)); ++ memset(&sk->sk_node.pprev, 0, ++ size - offsetof(struct sock, sk_node.pprev)); ++} ++ + /* Networking protocol blocks we attach to sockets. + * socket layer -> transport layer interface + * transport -> network interface is defined by struct inet_proto +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1093,18 +1093,6 @@ static void sock_copy(struct sock *nsk, + #endif + } + +-/* +- * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes +- * un-modified. Special care is taken when initializing object to zero. +- */ +-static inline void sk_prot_clear_nulls(struct sock *sk, int size) +-{ +- if (offsetof(struct sock, sk_node.next) != 0) +- memset(sk, 0, offsetof(struct sock, sk_node.next)); +- memset(&sk->sk_node.pprev, 0, +- size - offsetof(struct sock, sk_node.pprev)); +-} +- + void sk_prot_clear_portaddr_nulls(struct sock *sk, int size) + { + unsigned long nulls1, nulls2; +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2079,6 +2079,17 @@ void tcp6_proc_exit(struct net *net) + } + #endif + ++static void tcp_v6_clear_sk(struct sock *sk, int size) ++{ ++ struct inet_sock *inet = inet_sk(sk); ++ ++ /* we do not want to clear pinet6 field, because of RCU lookups */ ++ sk_prot_clear_nulls(sk, offsetof(struct inet_sock, pinet6)); ++ ++ size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6); ++ memset(&inet->pinet6 + 1, 0, size); ++} ++ + struct proto tcpv6_prot = { + .name = "TCPv6", + .owner = THIS_MODULE, +@@ -2120,6 +2131,7 @@ struct proto tcpv6_prot = { + #ifdef CONFIG_CGROUP_MEM_RES_CTLR_KMEM + .proto_cgroup = tcp_proto_cgroup, + #endif ++ .clear_sk = tcp_v6_clear_sk, + }; + + static const struct inet6_protocol tcpv6_protocol = { +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1457,6 +1457,17 @@ void udp6_proc_exit(struct net *net) { + } + #endif /* CONFIG_PROC_FS */ + ++void udp_v6_clear_sk(struct sock *sk, int size) ++{ ++ struct inet_sock *inet = inet_sk(sk); ++ ++ /* we do not want to clear pinet6 field, because of RCU lookups */ ++ sk_prot_clear_portaddr_nulls(sk, offsetof(struct inet_sock, pinet6)); ++ ++ size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6); ++ memset(&inet->pinet6 + 1, 0, size); ++} ++ + /* ------------------------------------------------------------------------ */ + + struct proto udpv6_prot = { +@@ -1487,7 +1498,7 @@ struct proto udpv6_prot = { + .compat_setsockopt = compat_udpv6_setsockopt, + .compat_getsockopt = compat_udpv6_getsockopt, + #endif +- .clear_sk = sk_prot_clear_portaddr_nulls, ++ .clear_sk = udp_v6_clear_sk, + }; + + static struct inet_protosw udpv6_protosw = { +--- a/net/ipv6/udp_impl.h ++++ b/net/ipv6/udp_impl.h +@@ -31,6 +31,8 @@ extern int udpv6_recvmsg(struct kiocb *i + extern int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb); + extern void udpv6_destroy_sock(struct sock *sk); + ++extern void udp_v6_clear_sk(struct sock *sk, int size); ++ + #ifdef CONFIG_PROC_FS + extern int udp6_seq_show(struct seq_file *seq, void *v); + #endif +--- a/net/ipv6/udplite.c ++++ b/net/ipv6/udplite.c +@@ -56,7 +56,7 @@ struct proto udplitev6_prot = { + .compat_setsockopt = compat_udpv6_setsockopt, + .compat_getsockopt = compat_udpv6_getsockopt, + #endif +- .clear_sk = sk_prot_clear_portaddr_nulls, ++ .clear_sk = udp_v6_clear_sk, + }; + + static struct inet_protosw udplite6_protosw = { diff --git a/queue-3.4/macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch b/queue-3.4/macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch new file mode 100644 index 00000000000..ed7efcc307f --- /dev/null +++ b/queue-3.4/macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch @@ -0,0 +1,108 @@ +From be2f1b1ca3363534ddc26b854290688471d7d973 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 9 May 2013 04:23:40 +0000 +Subject: macvlan: fix passthru mode race between dev removal and rx path + + +From: Jiri Pirko + +[ Upstream commit 233c7df0821c4190e2d3f4be0f2ca0ab40a5ed8c, note + that I had to add list_first_or_null_rcu to rculist.h in order + to accomodate this fix. ] + +Currently, if macvlan in passthru mode is created and data are rxed and +you remove this device, following panic happens: + +NULL pointer dereference at 0000000000000198 +IP: [] macvlan_handle_frame+0x153/0x1f7 [macvlan] + +I'm using following script to trigger this: + + +I run this script while "ping -f" is running on another machine to send +packets to e1 rx. + +Reason of the panic is that list_first_entry() is blindly called in +macvlan_handle_frame() even if the list was empty. vlan is set to +incorrect pointer which leads to the crash. + +I'm fixing this by protecting port->vlans list by rcu and by preventing +from getting incorrect pointer in case the list is empty. + +Introduced by: commit eb06acdc85585f2 "macvlan: Introduce 'passthru' mode to takeover the underlying device" + +Signed-off-by: Jiri Pirko +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 7 ++++--- + include/linux/rculist.h | 17 +++++++++++++++++ + 2 files changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -205,7 +205,8 @@ static rx_handler_result_t macvlan_handl + } + + if (port->passthru) +- vlan = list_first_entry(&port->vlans, struct macvlan_dev, list); ++ vlan = list_first_or_null_rcu(&port->vlans, ++ struct macvlan_dev, list); + else + vlan = macvlan_hash_lookup(port, eth->h_dest); + if (vlan == NULL) +@@ -724,7 +725,7 @@ int macvlan_common_newlink(struct net *s + if (err < 0) + goto destroy_port; + +- list_add_tail(&vlan->list, &port->vlans); ++ list_add_tail_rcu(&vlan->list, &port->vlans); + netif_stacked_transfer_operstate(lowerdev, dev); + + return 0; +@@ -750,7 +751,7 @@ void macvlan_dellink(struct net_device * + { + struct macvlan_dev *vlan = netdev_priv(dev); + +- list_del(&vlan->list); ++ list_del_rcu(&vlan->list); + unregister_netdevice_queue(dev, head); + } + EXPORT_SYMBOL_GPL(macvlan_dellink); +--- a/include/linux/rculist.h ++++ b/include/linux/rculist.h +@@ -242,6 +242,23 @@ static inline void list_splice_init_rcu( + list_entry_rcu((ptr)->next, type, member) + + /** ++ * list_first_or_null_rcu - get the first element from a list ++ * @ptr: the list head to take the element from. ++ * @type: the type of the struct this is embedded in. ++ * @member: the name of the list_struct within the struct. ++ * ++ * Note that if the list is empty, it returns NULL. ++ * ++ * This primitive may safely run concurrently with the _rcu list-mutation ++ * primitives such as list_add_rcu() as long as it's guarded by rcu_read_lock(). ++ */ ++#define list_first_or_null_rcu(ptr, type, member) \ ++ ({struct list_head *__ptr = (ptr); \ ++ struct list_head __rcu *__next = list_next_rcu(__ptr); \ ++ likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \ ++ }) ++ ++/** + * list_for_each_entry_rcu - iterate over rcu list of given type + * @pos: the type * to use as a loop cursor. + * @head: the head for your list. diff --git a/queue-3.4/net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch b/queue-3.4/net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch new file mode 100644 index 00000000000..500b70280f3 --- /dev/null +++ b/queue-3.4/net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch @@ -0,0 +1,95 @@ +From 03914fc5c6bf1a8527ee6598903b4f9adb2204fa Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Thu, 18 Apr 2013 12:57:10 +0000 +Subject: net: qmi_wwan: fixup destination address (firmware bug workaround) + + +From: Bjørn Mork + +[ Upstream commit 6483bdc9d76fb98174797516a19d289eb837909e ] + +Received packets are sometimes addressed to 00:a0:c6:00:00:00 +instead of the address the device firmware should have learned +from the host: + +321.224126 77.16.85.204 -> 148.122.171.134 ICMP 98 Echo (ping) request id=0x4025, seq=64/16384, ttl=64 + +0000 82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00 .....g.....g..E. +0010 00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a .T..@.@.W.M.U..z +0020 ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00 ....b.@%.@..nQ.. +0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k............. +0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$% +0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345 +0060 36 37 67 + +321.240607 148.122.171.134 -> 77.16.85.204 ICMP 98 Echo (ping) reply id=0x4025, seq=64/16384, ttl=55 + +0000 00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00 .......P......E. +0010 00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10 .T.V..7..v.z..M. +0020 55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00 U...j.@%.@..nQ.. +0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k............. +0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$% +0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345 +0060 36 37 67 + +The bogus address is always the same, and matches the address +suggested by many devices as a default address. It is likely a +hardcoded firmware default. + +The circumstances where this bug has been observed indicates that +the trigger is related to timing or some other factor the host +cannot control. Repeating the exact same configuration sequence +that caused it to trigger once, will not necessarily cause it to +trigger the next time. Reproducing the bug is therefore difficult. +This opens up a possibility that the bug is more common than we can +confirm, because affected devices often will work properly again +after a reset. A procedure most users are likely to try out before +reporting a bug. + +Unconditionally rewriting the destination address if the first digit +of the received packet is 0, is considered an acceptable compromise +since we already have to inspect this digit. The simplification will +cause unnecessary rewrites if the real address starts with 0, but this +is still better than adding additional tests for this particular case. + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -190,6 +190,10 @@ err: + * This means that this function will reliably add the appropriate + * header iff necessary, provided our hardware address does not start + * with 4 or 6. ++ * ++ * Another common firmware bug results in all packets being addressed ++ * to 00:a0:c6:00:00:00 despite the host address being different. ++ * This function will also fixup such packets. + */ + static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + { +@@ -206,6 +210,12 @@ static int qmi_wwan_rx_fixup(struct usbn + case 0x60: + proto = htons(ETH_P_IPV6); + break; ++ case 0x00: ++ if (is_multicast_ether_addr(skb->data)) ++ return 1; ++ /* possibly bogus destination - rewrite just in case */ ++ skb_reset_mac_header(skb); ++ goto fix_dest; + default: + /* pass along other packets without modifications */ + return 1; +@@ -216,6 +226,7 @@ static int qmi_wwan_rx_fixup(struct usbn + skb_reset_mac_header(skb); + eth_hdr(skb)->h_proto = proto; + memset(eth_hdr(skb)->h_source, 0, ETH_ALEN); ++fix_dest: + memcpy(eth_hdr(skb)->h_dest, dev->net->dev_addr, ETH_ALEN); + return 1; + } diff --git a/queue-3.4/net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch b/queue-3.4/net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch new file mode 100644 index 00000000000..482256d910d --- /dev/null +++ b/queue-3.4/net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch @@ -0,0 +1,166 @@ +From 302a42283a7e71536bc0bc0a54c9e693dc39f95e Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Thu, 18 Apr 2013 12:57:09 +0000 +Subject: net: qmi_wwan: fixup missing ethernet header (firmware bug workaround) + + +From: Bjørn Mork + +[ Upstream commit 6ff509af3869ccac69dcf8905fc75b9a76951594 ] + +A number of LTE devices from different vendors all suffer from the +same firmware bug: Most of the packets received from the device while +it is attached to a LTE network will not have an ethernet header. The +devices work as expected when attached to 2G or 3G networks, sending +an ethernet header with all packets. + +This driver is not aware of which network the modem attached to, and +even if it were there are still some packet types which are always +received with the header intact. + +All devices supported by this driver have severely limited +networking capabilities: + - can only transmit IPv4, IPv6 and possibly ARP + - can only support a single host hardware address at any time + - will only do point-to-point communcation with the host + +Because of this, we are able to reliably identify any bogus raw IP +packets by simply looking at the 4 IP version bits. All we need to +do is to avoid 4 or 6 in the first digit of the mac address. This +workaround ensures this, and fix up the received packets as necessary. + +Given the distribution of the bug, it is believed that the source is +the chipset vendor. The devices which are verified to be affected are: + Huawei E392u-12 (Qualcomm MDM9200) + Pantech UML290 (Qualcomm MDM9600) + Novatel USB551L (Qualcomm MDM9600) + Novatel E362 (Qualcomm MDM9600) + +It is believed that the bug depend on firmware revision, which means +that possibly all devices based on the above mentioned chipset may be +affected if we consider all available firmware revisions. + +The information about affected devices and versions is likely +incomplete. As the additional overhead for packets not needing this +fixup is very small, it is considered acceptable to apply the +workaround to all devices handled by this driver. + +Reported-by: Dan Williams +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 81 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 81 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -174,6 +175,79 @@ err: + return status; + } + ++/* Make up an ethernet header if the packet doesn't have one. ++ * ++ * A firmware bug common among several devices cause them to send raw ++ * IP packets under some circumstances. There is no way for the ++ * driver/host to know when this will happen. And even when the bug ++ * hits, some packets will still arrive with an intact header. ++ * ++ * The supported devices are only capably of sending IPv4, IPv6 and ++ * ARP packets on a point-to-point link. Any packet with an ethernet ++ * header will have either our address or a broadcast/multicast ++ * address as destination. ARP packets will always have a header. ++ * ++ * This means that this function will reliably add the appropriate ++ * header iff necessary, provided our hardware address does not start ++ * with 4 or 6. ++ */ ++static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb) ++{ ++ __be16 proto; ++ ++ /* usbnet rx_complete guarantees that skb->len is at least ++ * hard_header_len, so we can inspect the dest address without ++ * checking skb->len ++ */ ++ switch (skb->data[0] & 0xf0) { ++ case 0x40: ++ proto = htons(ETH_P_IP); ++ break; ++ case 0x60: ++ proto = htons(ETH_P_IPV6); ++ break; ++ default: ++ /* pass along other packets without modifications */ ++ return 1; ++ } ++ if (skb_headroom(skb) < ETH_HLEN) ++ return 0; ++ skb_push(skb, ETH_HLEN); ++ skb_reset_mac_header(skb); ++ eth_hdr(skb)->h_proto = proto; ++ memset(eth_hdr(skb)->h_source, 0, ETH_ALEN); ++ memcpy(eth_hdr(skb)->h_dest, dev->net->dev_addr, ETH_ALEN); ++ return 1; ++} ++ ++/* very simplistic detection of IPv4 or IPv6 headers */ ++static bool possibly_iphdr(const char *data) ++{ ++ return (data[0] & 0xd0) == 0x40; ++} ++ ++/* disallow addresses which may be confused with IP headers */ ++static int qmi_wwan_mac_addr(struct net_device *dev, void *p) ++{ ++ struct sockaddr *addr = p; ++ ++ if (!is_valid_ether_addr(addr->sa_data) || ++ possibly_iphdr(addr->sa_data)) ++ return -EADDRNOTAVAIL; ++ memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN); ++ return 0; ++} ++ ++static const struct net_device_ops qmi_wwan_netdev_ops = { ++ .ndo_open = usbnet_open, ++ .ndo_stop = usbnet_stop, ++ .ndo_start_xmit = usbnet_start_xmit, ++ .ndo_tx_timeout = usbnet_tx_timeout, ++ .ndo_change_mtu = usbnet_change_mtu, ++ .ndo_set_mac_address = qmi_wwan_mac_addr, ++ .ndo_validate_addr = eth_validate_addr, ++}; ++ + /* using a counter to merge subdriver requests with our own into a combined state */ + static int qmi_wwan_manage_power(struct usbnet *dev, int on) + { +@@ -257,6 +331,12 @@ static int qmi_wwan_bind_shared(struct u + /* save subdriver struct for suspend/resume wrappers */ + dev->data[0] = (unsigned long)subdriver; + ++ /* make MAC addr easily distinguishable from an IP header */ ++ if (possibly_iphdr(dev->net->dev_addr)) { ++ dev->net->dev_addr[0] |= 0x02; /* set local assignment bit */ ++ dev->net->dev_addr[0] &= 0xbf; /* clear "IP" bit */ ++ } ++ dev->net->netdev_ops = &qmi_wwan_netdev_ops; + err: + return rv; + } +@@ -326,6 +406,7 @@ static const struct driver_info qmi_wwan + .bind = qmi_wwan_bind_shared, + .unbind = qmi_wwan_unbind_shared, + .manage_power = qmi_wwan_manage_power, ++ .rx_fixup = qmi_wwan_rx_fixup, + }; + + static const struct driver_info qmi_wwan_force_int0 = { diff --git a/queue-3.4/net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch b/queue-3.4/net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch new file mode 100644 index 00000000000..ac0cc4ff1dc --- /dev/null +++ b/queue-3.4/net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch @@ -0,0 +1,50 @@ +From 490fcceee05287b3e9beae54ef7f19814db4a7d9 Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Thu, 18 Apr 2013 12:57:11 +0000 +Subject: net: qmi_wwan: prevent duplicate mac address on link (firmware bug workaround) + + +From: Bjørn Mork + +[ Upstream commit cc6ba5fdaabea7a7b28de3ba1e0fe54d92232fe5 ] + +We normally trust and use the CDC functional descriptors provided by a +number of devices. But some of these will erroneously list the address +reserved for the device end of the link. Attempting to use this on +both the device and host side will naturally not work. + +Work around this bug by ignoring the functional descriptor and assign a +random address instead in this case. + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -175,6 +175,9 @@ err: + return status; + } + ++/* default ethernet address used by the modem */ ++static const u8 default_modem_addr[ETH_ALEN] = {0x02, 0x50, 0xf3}; ++ + /* Make up an ethernet header if the packet doesn't have one. + * + * A firmware bug common among several devices cause them to send raw +@@ -342,6 +345,12 @@ static int qmi_wwan_bind_shared(struct u + /* save subdriver struct for suspend/resume wrappers */ + dev->data[0] = (unsigned long)subdriver; + ++ /* Never use the same address on both ends of the link, even ++ * if the buggy firmware told us to. ++ */ ++ if (!compare_ether_addr(dev->net->dev_addr, default_modem_addr)) ++ eth_hw_addr_random(dev->net); ++ + /* make MAC addr easily distinguishable from an IP header */ + if (possibly_iphdr(dev->net->dev_addr)) { + dev->net->dev_addr[0] |= 0x02; /* set local assignment bit */ diff --git a/queue-3.4/net-use-netdev_features_t-in-skb_needs_linearize.patch b/queue-3.4/net-use-netdev_features_t-in-skb_needs_linearize.patch new file mode 100644 index 00000000000..9411f26f5d8 --- /dev/null +++ b/queue-3.4/net-use-netdev_features_t-in-skb_needs_linearize.patch @@ -0,0 +1,28 @@ +From 3864a4e54dce8b1e834f41205fea5c47f1618b07 Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Wed, 1 May 2013 22:36:49 +0000 +Subject: net: use netdev_features_t in skb_needs_linearize() + + +From: Patrick McHardy + +[ Upstream commit 6708c9e5cc9bfc7c9a00ce9c0fdd0b1d4952b3d1 ] + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2170,7 +2170,7 @@ EXPORT_SYMBOL(netif_skb_features); + * support DMA from it. + */ + static inline int skb_needs_linearize(struct sk_buff *skb, +- int features) ++ netdev_features_t features) + { + return skb_is_nonlinear(skb) && + ((skb_has_frag_list(skb) && diff --git a/queue-3.4/net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch b/queue-3.4/net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch new file mode 100644 index 00000000000..bee05cafae2 --- /dev/null +++ b/queue-3.4/net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch @@ -0,0 +1,40 @@ +From 122a6b09205e350cdc6adb28ea12ae05313dcc11 Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Wed, 1 May 2013 23:06:42 +0000 +Subject: net: vlan,ethtool: netdev_features_t is more than 32 bit + + +From: Bjørn Mork + +[ Upstream commit b29d3145183da4e07d4b570fa8acdd3ac4a5c572 ] + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 2 +- + net/core/ethtool.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -598,7 +598,7 @@ static netdev_features_t vlan_dev_fix_fe + netdev_features_t features) + { + struct net_device *real_dev = vlan_dev_priv(dev)->real_dev; +- u32 old_features = features; ++ netdev_features_t old_features = features; + + features &= real_dev->vlan_features; + features |= NETIF_F_RXCSUM; +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1286,7 +1286,7 @@ int dev_ethtool(struct net *net, struct + void __user *useraddr = ifr->ifr_data; + u32 ethcmd; + int rc; +- u32 old_features; ++ netdev_features_t old_features; + + if (!dev || !netif_device_present(dev)) + return -ENODEV; diff --git a/queue-3.4/net_sched-act_ipt-forward-compat-with-xtables.patch b/queue-3.4/net_sched-act_ipt-forward-compat-with-xtables.patch new file mode 100644 index 00000000000..7e87cc0ced0 --- /dev/null +++ b/queue-3.4/net_sched-act_ipt-forward-compat-with-xtables.patch @@ -0,0 +1,78 @@ +From 47c53307fb5543ec909e53c330ec0f489265163c Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sun, 28 Apr 2013 05:06:38 +0000 +Subject: net_sched: act_ipt forward compat with xtables + + +From: Jamal Hadi Salim + +[ Upstream commit 0dcffd09641f3abb21ac5cabc61542ab289d1a3c ] + +Deal with changes in newer xtables while maintaining backward +compatibility. Thanks to Jan Engelhardt for suggestions. + +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ipt.c | 33 ++++++++++++++++++++++++++++++--- + 1 file changed, 30 insertions(+), 3 deletions(-) + +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -8,7 +8,7 @@ + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * +- * Copyright: Jamal Hadi Salim (2002-4) ++ * Copyright: Jamal Hadi Salim (2002-13) + */ + + #include +@@ -299,17 +299,44 @@ static struct tc_action_ops act_ipt_ops + .walk = tcf_generic_walker + }; + +-MODULE_AUTHOR("Jamal Hadi Salim(2002-4)"); ++static struct tc_action_ops act_xt_ops = { ++ .kind = "xt", ++ .hinfo = &ipt_hash_info, ++ .type = TCA_ACT_IPT, ++ .capab = TCA_CAP_NONE, ++ .owner = THIS_MODULE, ++ .act = tcf_ipt, ++ .dump = tcf_ipt_dump, ++ .cleanup = tcf_ipt_cleanup, ++ .lookup = tcf_hash_search, ++ .init = tcf_ipt_init, ++ .walk = tcf_generic_walker ++}; ++ ++MODULE_AUTHOR("Jamal Hadi Salim(2002-13)"); + MODULE_DESCRIPTION("Iptables target actions"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("act_xt"); + + static int __init ipt_init_module(void) + { +- return tcf_register_action(&act_ipt_ops); ++ int ret1, ret2; ++ ret1 = tcf_register_action(&act_xt_ops); ++ if (ret1 < 0) ++ printk("Failed to load xt action\n"); ++ ret2 = tcf_register_action(&act_ipt_ops); ++ if (ret2 < 0) ++ printk("Failed to load ipt action\n"); ++ ++ if (ret1 < 0 && ret2 < 0) ++ return ret1; ++ else ++ return 0; + } + + static void __exit ipt_cleanup_module(void) + { ++ tcf_unregister_action(&act_xt_ops); + tcf_unregister_action(&act_ipt_ops); + } + diff --git a/queue-3.4/packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch b/queue-3.4/packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch new file mode 100644 index 00000000000..1f8a2ccb9c2 --- /dev/null +++ b/queue-3.4/packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch @@ -0,0 +1,110 @@ +From ed0679e95e82a4f3f70076315b04dc42e76f4fb2 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Fri, 3 May 2013 02:57:00 +0000 +Subject: packet: tpacket_v3: do not trigger bug() on wrong header status + + +From: Daniel Borkmann + +[ Upstream commit 8da3056c04bfc5f69f840ab038a38389e2de8189 ] + +Jakub reported that it is fairly easy to trigger the BUG() macro +from user space with TPACKET_V3's RX_RING by just giving a wrong +header status flag. We already had a similar situation in commit +7f5c3e3a80e6654 (``af_packet: remove BUG statement in +tpacket_destruct_skb'') where this was the case in the TX_RING +side that could be triggered from user space. So really, don't use +BUG() or BUG_ON() unless there's really no way out, and i.e. +don't use it for consistency checking when there's user space +involved, no excuses, especially not if you're slapping the user +with WARN + dump_stack + BUG all at once. The two functions are +of concern: + + prb_retire_current_block() [when block status != TP_STATUS_KERNEL] + prb_open_block() [when block_status != TP_STATUS_KERNEL] + +Calls to prb_open_block() are guarded by ealier checks if block_status +is really TP_STATUS_KERNEL (racy!), but the first one BUG() is easily +triggable from user space. System behaves still stable after they are +removed. Also remove that yoda condition entirely, since it's already +guarded. + +Reported-by: Jakub Zawadzki +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 54 ++++++++++++++++++------------------------------- + 1 file changed, 20 insertions(+), 34 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -812,37 +812,27 @@ static void prb_open_block(struct tpacke + + smp_rmb(); + +- if (likely(TP_STATUS_KERNEL == BLOCK_STATUS(pbd1))) { +- +- /* We could have just memset this but we will lose the +- * flexibility of making the priv area sticky +- */ +- BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++; +- BLOCK_NUM_PKTS(pbd1) = 0; +- BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv); +- getnstimeofday(&ts); +- h1->ts_first_pkt.ts_sec = ts.tv_sec; +- h1->ts_first_pkt.ts_nsec = ts.tv_nsec; +- pkc1->pkblk_start = (char *)pbd1; +- pkc1->nxt_offset = (char *)(pkc1->pkblk_start + +- BLK_PLUS_PRIV(pkc1->blk_sizeof_priv)); +- BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv); +- BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN; +- pbd1->version = pkc1->version; +- pkc1->prev = pkc1->nxt_offset; +- pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size; +- prb_thaw_queue(pkc1); +- _prb_refresh_rx_retire_blk_timer(pkc1); +- +- smp_wmb(); +- +- return; +- } ++ /* We could have just memset this but we will lose the ++ * flexibility of making the priv area sticky ++ */ ++ BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++; ++ BLOCK_NUM_PKTS(pbd1) = 0; ++ BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv); ++ getnstimeofday(&ts); ++ h1->ts_first_pkt.ts_sec = ts.tv_sec; ++ h1->ts_first_pkt.ts_nsec = ts.tv_nsec; ++ pkc1->pkblk_start = (char *)pbd1; ++ pkc1->nxt_offset = (char *)(pkc1->pkblk_start + ++ BLK_PLUS_PRIV(pkc1->blk_sizeof_priv)); ++ BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv); ++ BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN; ++ pbd1->version = pkc1->version; ++ pkc1->prev = pkc1->nxt_offset; ++ pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size; ++ prb_thaw_queue(pkc1); ++ _prb_refresh_rx_retire_blk_timer(pkc1); + +- WARN(1, "ERROR block:%p is NOT FREE status:%d kactive_blk_num:%d\n", +- pbd1, BLOCK_STATUS(pbd1), pkc1->kactive_blk_num); +- dump_stack(); +- BUG(); ++ smp_wmb(); + } + + /* +@@ -933,10 +923,6 @@ static void prb_retire_current_block(str + prb_close_block(pkc, pbd, po, status); + return; + } +- +- WARN(1, "ERROR-pbd[%d]:%p\n", pkc->kactive_blk_num, pbd); +- dump_stack(); +- BUG(); + } + + static int prb_curr_blk_in_use(struct tpacket_kbdq_core *pkc, diff --git a/queue-3.4/series b/queue-3.4/series index 37e91b6e26b..42cdeac1e7b 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -21,3 +21,20 @@ mwifiex-fix-setting-of-multicast-filter.patch b43-handle-dma-rx-descriptor-underrun.patch drm-mm-fix-dump-table-bug.patch drm-don-t-check-modeset-locks-in-panic-handler.patch +net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch +net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch +net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch +tcp-force-a-dst-refcount-when-prequeue-packet.patch +sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch +3c509.c-call-set_netdev_dev-for-all-device-types-isa-isapnp-eisa.patch +net_sched-act_ipt-forward-compat-with-xtables.patch +net-use-netdev_features_t-in-skb_needs_linearize.patch +net-vlan-ethtool-netdev_features_t-is-more-than-32-bit.patch +bridge-fix-race-with-topology-change-timer.patch +packet-tpacket_v3-do-not-trigger-bug-on-wrong-header-status.patch +3c59x-fix-freeing-nonexistent-resource-on-driver-unload.patch +3c59x-fix-pci-resource-management.patch +if_cablemodem.h-add-parenthesis-around-ioctl-macros.patch +macvlan-fix-passthru-mode-race-between-dev-removal-and-rx-path.patch +ipv6-do-not-clear-pinet6-field.patch +xfrm6-release-dev-before-returning-error.patch diff --git a/queue-3.4/sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch b/queue-3.4/sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch new file mode 100644 index 00000000000..1f48626901a --- /dev/null +++ b/queue-3.4/sfc-fix-naming-of-mtd-partitions-for-fpga-bitfiles.patch @@ -0,0 +1,39 @@ +From c7f858d5bab099ebfea4dbba028bc82e1190fec7 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 22 Apr 2013 22:40:07 +0100 +Subject: sfc: Fix naming of MTD partitions for FPGA bitfiles + + +From: Ben Hutchings + +[ Upstream commit 89cc80a44b7c320e08599cb86f6aef0ead8986a1 ] + +efx_mcdi_get_board_cfg() uses a buffer for the firmware response that +is only large enough to hold subtypes for the originally defined set +of NVRAM partitions. Longer responses are truncated, and we may read +off the end of the buffer when copying out subtypes for additional +partitions. In particular, this can result in the MTD partition for +an FPGA bitfile being named e.g. 'eth5 sfc_fpga:00' when it should be +'eth5 sfc_fpga:01'. This means the firmware update tool (sfupdate) +can't tell which bitfile should be written to the partition. + +Correct the response buffer size. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/mcdi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sfc/mcdi.c ++++ b/drivers/net/ethernet/sfc/mcdi.c +@@ -640,7 +640,7 @@ fail: + int efx_mcdi_get_board_cfg(struct efx_nic *efx, u8 *mac_address, + u16 *fw_subtype_list, u32 *capabilities) + { +- uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMIN]; ++ uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMAX]; + size_t outlen, offset, i; + int port_num = efx_port_num(efx); + int rc; diff --git a/queue-3.4/tcp-force-a-dst-refcount-when-prequeue-packet.patch b/queue-3.4/tcp-force-a-dst-refcount-when-prequeue-packet.patch new file mode 100644 index 00000000000..4f64a02de76 --- /dev/null +++ b/queue-3.4/tcp-force-a-dst-refcount-when-prequeue-packet.patch @@ -0,0 +1,31 @@ +From 456b0df13849266ca7336cb712e18ee22858f9af Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 24 Apr 2013 18:34:55 -0700 +Subject: tcp: force a dst refcount when prequeue packet + + +From: Eric Dumazet + +[ Upstream commit 093162553c33e9479283e107b4431378271c735d ] + +Before escaping RCU protected section and adding packet into +prequeue, make sure the dst is refcounted. + +Reported-by: Mike Galbraith +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -948,6 +948,7 @@ static inline int tcp_prequeue(struct so + if (sysctl_tcp_low_latency || !tp->ucopy.task) + return 0; + ++ skb_dst_force(skb); + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; + if (tp->ucopy.memory > sk->sk_rcvbuf) { diff --git a/queue-3.4/xfrm6-release-dev-before-returning-error.patch b/queue-3.4/xfrm6-release-dev-before-returning-error.patch new file mode 100644 index 00000000000..8d887945da0 --- /dev/null +++ b/queue-3.4/xfrm6-release-dev-before-returning-error.patch @@ -0,0 +1,37 @@ +From ab5d0f8b2af88af5a1a442fcdb39896474dd7943 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Thu, 9 May 2013 22:40:00 +0000 +Subject: xfrm6: release dev before returning error + + +From: Cong Wang + +[ Upstream commit 84c4a9dfbf430861e7588d95ae3ff61535dca351 ] + +We forget to call dev_put() on error path in xfrm6_fill_dst(), +its caller doesn't handle this. + +Signed-off-by: Cong Wang +Cc: Herbert Xu +Cc: Steffen Klassert +Cc: David S. Miller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/xfrm6_policy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -96,8 +96,10 @@ static int xfrm6_fill_dst(struct xfrm_ds + dev_hold(dev); + + xdst->u.rt6.rt6i_idev = in6_dev_get(dev); +- if (!xdst->u.rt6.rt6i_idev) ++ if (!xdst->u.rt6.rt6i_idev) { ++ dev_put(dev); + return -ENODEV; ++ } + + xdst->u.rt6.rt6i_peer = rt->rt6i_peer; + if (rt->rt6i_peer)