From: Greg Kroah-Hartman Date: Wed, 11 Sep 2013 16:54:28 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.96~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e94548ab8e92274389c691e5d481a756bcc8fdc;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: 8139cp-fix-skb-leak-in-rx_status_loop-failure-path.patch be2net-fix-disabling-tx-in-be_close.patch bonding-modify-only-neigh_parms-owned-by-us.patch bridge-don-t-try-to-update-timers-in-case-of-broken-mld-queries.patch bridge-use-the-correct-bit-length-for-bitmap-functions-in-the-vlan-code.patch fib_trie-remove-potential-out-of-bound-access.patch genl-fix-genl-dumpit-locking.patch genl-hold-reference-on-correct-module-while-netlink-dump.patch htb-fix-sign-extension-bug.patch icmpv6-treat-dest-unreachable-codes-5-and-6-as-eacces-not-eproto.patch ip_gre-fix-ipgre_header-to-return-correct-offset-mime-version-1.0.patch ip_tunnel-do-not-use-inner-ip-header-id-for-tunnel-ip-header-id.patch ipv4-sendto-hdrincl-don-t-use-destination-address-found-in-header.patch ipv6-don-t-depend-on-per-socket-memory-for-neighbour-discovery-messages.patch ipv6-don-t-stop-backtracking-in-fib6_lookup_1-if-subtree-does-not-match.patch ipv6-drop-packets-with-multiple-fragmentation-headers.patch ipv6-fix-null-pointer-dereference-in-__ip6addrlbl_add.patch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch macvlan-validate-flags.patch neighbour-populate-neigh_parms-on-alloc-before-calling-ndo_neigh_setup.patch net-bridge-convert-mldv2-query-mrc-into-msecs_to_jiffies-for-max_delay.patch net-check-net.core.somaxconn-sysctl-values.patch net-ipv6-tcp-fix-potential-use-after-free-in-tcp_v6_do_rcv.patch net-mvneta-properly-disable-hw-phy-polling-and-ensure-adjust_link-works.patch net-revert-8728c544a9c-net-dev_pick_tx-fix.patch net-rtm_to_ifaddr-free-ifa-if-ifa_cacheinfo-processing-fails.patch net_sched-restore-linklayer-atm-handling.patch net-usb-add-hp-hs2434-device-to-zlp-exception-table.patch 
packet-restore-packet-statistics-tp_packets-to-include-drops.patch rtnetlink-fix-inverted-check-in-ndo_dflt_fdb_del.patch rtnetlink-rtnl_bridge_getlink-call-nlmsg_find_attr-with-ifinfomsg-header.patch sfc-fix-lookup-of-default-rx-mac-filters-when-steered-using-ethtool.patch tcp-cubic-fix-bug-in-bictcp_acked.patch tcp-cubic-fix-overflow-error-in-bictcp_update.patch tcp-don-t-apply-tsoffset-if-rcv_tsecr-is-zero.patch tcp-initialize-rcv_tstamp-for-restored-sockets.patch tcp-set-timestamps-for-restored-skb-s.patch tcp-tcp_make_synack-should-use-sock_wmalloc.patch tg3-don-t-turn-off-led-on-5719-serdes-port-0.patch tipc-set-sk_err-correctly-when-connection-fails.patch tun-signedness-bug-in-tun_get_user.patch vhost_net-poll-vhost-queue-after-marking-dma-is-done.patch --- diff --git a/queue-3.10/8139cp-fix-skb-leak-in-rx_status_loop-failure-path.patch b/queue-3.10/8139cp-fix-skb-leak-in-rx_status_loop-failure-path.patch new file mode 100644 index 00000000000..8f8830f390d --- /dev/null +++ b/queue-3.10/8139cp-fix-skb-leak-in-rx_status_loop-failure-path.patch @@ -0,0 +1,29 @@ +From 6212ea97b5a4b55a3c4229a9101e0d8bec748f48 Mon Sep 17 00:00:00 2001 +From: Dave Jones +Date: Fri, 9 Aug 2013 11:16:34 -0700 +Subject: 8139cp: Fix skb leak in rx_status_loop failure path. + +From: Dave Jones + +[ Upstream commit d06f5187469eee1b2932c02fd093d113cfc60d5e ] + +Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 +("8139cp: Add dma_mapping_error checking") + +Signed-off-by: Dave Jones +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/8139cp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -524,6 +524,7 @@ rx_status_loop: + PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&cp->pdev->dev, new_mapping)) { + dev->stats.rx_dropped++; ++ kfree_skb(new_skb); + goto rx_next; + } + 
diff --git a/queue-3.10/be2net-fix-disabling-tx-in-be_close.patch b/queue-3.10/be2net-fix-disabling-tx-in-be_close.patch new file mode 100644 index 00000000000..457c6dcb408 --- /dev/null +++ b/queue-3.10/be2net-fix-disabling-tx-in-be_close.patch @@ -0,0 +1,34 @@ +From 8a298ca277eb1a8c898c8783b731c1ca772f7eca Mon Sep 17 00:00:00 2001 +From: Sathya Perla +Date: Thu, 22 Aug 2013 12:23:41 +0530 +Subject: be2net: fix disabling TX in be_close() + +From: Sathya Perla + +[ Upstream commit 6e1f99757a2b24b7255263b2240a0eb04215174d ] + +commit fba875591 ("disable TX in be_close()") disabled TX in be_close() +to protect be_xmit() from touching freed up queues in the AER recovery +flow. But, TX must be disabled *before* cleaning up TX completions in +the close() path, not after. This allows be_tx_compl_clean() to free up +all TX-req skbs that were notified to the HW. + +Signed-off-by: Sathya Perla +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -2561,8 +2561,8 @@ static int be_close(struct net_device *n + /* Wait for all pending tx completions to arrive so that + * all tx skbs are freed. + */ +- be_tx_compl_clean(adapter); + netif_tx_disable(netdev); ++ be_tx_compl_clean(adapter); + + be_rx_qs_destroy(adapter); + diff --git a/queue-3.10/bonding-modify-only-neigh_parms-owned-by-us.patch b/queue-3.10/bonding-modify-only-neigh_parms-owned-by-us.patch new file mode 100644 index 00000000000..c9aa5d1a1cd --- /dev/null +++ b/queue-3.10/bonding-modify-only-neigh_parms-owned-by-us.patch 
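Review bot: In the be2net patch, the retained comment in be_close() ("Wait for all pending tx completions to arrive so that all tx skbs are freed") now sits directly above `netif_tx_disable(netdev);`, so the ordering this fix depends on is recorded only in the commit message. A short comment above the call, such as `/* Disable TX before be_tx_compl_clean() so it can free every skb already handed to the HW */`, would keep a later cleanup from swapping the two lines back. be_close() starts and ends outside the hunk.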
@@ -0,0 +1,40 @@ +From aaba45b94110b3c8d7dcad1401c9f9db5e237f97 Mon Sep 17 00:00:00 2001 +From: Veaceslav Falico +Date: Fri, 2 Aug 2013 19:07:39 +0200 +Subject: bonding: modify only neigh_parms owned by us + +From: Veaceslav Falico + +[ Upstream commit 9918d5bf329d0dc5bb2d9d293bcb772bdb626e65 ] + +Otherwise, on neighbour creation, bond_neigh_init() will be called with a +foreign netdev. + +Signed-off-by: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3770,11 +3770,17 @@ static int bond_neigh_init(struct neighb + * The bonding ndo_neigh_setup is called at init time beofre any + * slave exists. So we must declare proxy setup function which will + * be used at run time to resolve the actual slave neigh param setup. ++ * ++ * It's also called by master devices (such as vlans) to setup their ++ * underlying devices. In that case - do nothing, we're already set up from ++ * our init. + */ + static int bond_neigh_setup(struct net_device *dev, + struct neigh_parms *parms) + { +- parms->neigh_setup = bond_neigh_init; ++ /* modify only our neigh_parms */ ++ if (parms->dev == dev) ++ parms->neigh_setup = bond_neigh_init; + + return 0; + } diff --git a/queue-3.10/bridge-don-t-try-to-update-timers-in-case-of-broken-mld-queries.patch b/queue-3.10/bridge-don-t-try-to-update-timers-in-case-of-broken-mld-queries.patch new file mode 100644 index 00000000000..6a7da4fe396 --- /dev/null +++ b/queue-3.10/bridge-don-t-try-to-update-timers-in-case-of-broken-mld-queries.patch 
@@ -0,0 +1,38 @@ +From 501a584ff0930fa15ed4e780e14281984dc902eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Tue, 6 Aug 2013 00:32:05 +0200 +Subject: bridge: don't try to update timers in case of broken MLD queries + +From: =?UTF-8?q?Linus=20L=C3=BCssing?= + +[ Upstream commit 248ba8ec05a2c3b118c2224e57eb10c128176ab1 ] + +Currently we are reading an uninitialized value for the max_delay +variable when snooping an MLD query message of invalid length and would +update our timers with that. + +Fixing this by simply ignoring such broken MLD queries (just like we do +for IGMP already). + +This is a regression introduced by: +"bridge: disable snooping if there is no querier" (b00589af3b04) + +Reported-by: Paul Bolle +Signed-off-by: Linus Lüssing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1185,7 +1185,7 @@ static int br_ip6_multicast_query(struct + max_delay = msecs_to_jiffies(ntohs(mld->mld_maxdelay)); + if (max_delay) + group = &mld->mld_mca; +- } else if (skb->len >= sizeof(*mld2q)) { ++ } else { + if (!pskb_may_pull(skb, sizeof(*mld2q))) { + err = -EINVAL; + goto out; diff --git a/queue-3.10/bridge-use-the-correct-bit-length-for-bitmap-functions-in-the-vlan-code.patch b/queue-3.10/bridge-use-the-correct-bit-length-for-bitmap-functions-in-the-vlan-code.patch new file mode 100644 index 00000000000..05a8bd3cd9f --- /dev/null +++ b/queue-3.10/bridge-use-the-correct-bit-length-for-bitmap-functions-in-the-vlan-code.patch 
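Review bot: In br_ip6_multicast_query() the new `} else {` branch relies on `pskb_may_pull(skb, sizeof(*mld2q))` alone to reject queries of invalid length, and on every surviving path assigning max_delay before the timer update described in the commit message. The declaration of max_delay is outside the hunk; if it is still uninitialised there, initialising it at the declaration (for example `= 0`) would make a future branch that forgets the assignment harmless instead of reading stack contents. The rest of the else branch is also outside the hunk, so whether it assigns max_delay on all paths cannot be confirmed from here.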
@@ -0,0 +1,113 @@ +From faf30e49acea1cb243991027b846dac0f9a710a1 Mon Sep 17 00:00:00 2001 +From: Toshiaki Makita +Date: Tue, 20 Aug 2013 17:10:18 +0900 +Subject: bridge: Use the correct bit length for bitmap functions in the VLAN code + +From: Toshiaki Makita + +[ Upstream commit ef40b7ef181b7b1a24df2ef2d1ef84956bffa635 ] + +The VLAN code needs to know the length of the per-port VLAN bitmap to +perform its most basic operations (retrieving VLAN informations, removing +VLANs, forwarding database manipulation, etc). Unfortunately, in the +current implementation we are using a macro that indicates the bitmap +size in longs in places where the size in bits is expected, which in +some cases can cause what appear to be random failures. +Use the correct macro. + +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_fdb.c | 10 +++++----- + net/bridge/br_netlink.c | 4 ++-- + net/bridge/br_vlan.c | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -161,7 +161,7 @@ void br_fdb_change_mac_address(struct ne + if (!pv) + return; + +- for_each_set_bit_from(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) { ++ for_each_set_bit_from(vid, pv->vlan_bitmap, VLAN_N_VID) { + f = __br_fdb_get(br, br->dev->dev_addr, vid); + if (f && f->is_local && !f->dst) + fdb_delete(br, f); +@@ -725,7 +725,7 @@ int br_fdb_add(struct ndmsg *ndm, struct + /* VID was specified, so use it. */ + err = __br_fdb_add(ndm, p, addr, nlh_flags, vid); + } else { +- if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN)) { ++ if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID)) { + err = __br_fdb_add(ndm, p, addr, nlh_flags, 0); + goto out; + } +@@ -734,7 +734,7 @@ int br_fdb_add(struct ndmsg *ndm, struct + * specify a VLAN. To be nice, add/update entry for every + * vlan on this port. 
+ */ +- for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) { ++ for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) { + err = __br_fdb_add(ndm, p, addr, nlh_flags, vid); + if (err) + goto out; +@@ -812,7 +812,7 @@ int br_fdb_delete(struct ndmsg *ndm, str + + err = __br_fdb_delete(p, addr, vid); + } else { +- if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN)) { ++ if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID)) { + err = __br_fdb_delete(p, addr, 0); + goto out; + } +@@ -822,7 +822,7 @@ int br_fdb_delete(struct ndmsg *ndm, str + * vlan on this port. + */ + err = -ENOENT; +- for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) { ++ for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) { + err &= __br_fdb_delete(p, addr, vid); + } + } +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -128,7 +128,7 @@ static int br_fill_ifinfo(struct sk_buff + else + pv = br_get_vlan_info(br); + +- if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN)) ++ if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID)) + goto done; + + af = nla_nest_start(skb, IFLA_AF_SPEC); +@@ -136,7 +136,7 @@ static int br_fill_ifinfo(struct sk_buff + goto nla_put_failure; + + pvid = br_get_pvid(pv); +- for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) { ++ for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) { + vinfo.vid = vid; + vinfo.flags = 0; + if (vid == pvid) +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -108,7 +108,7 @@ static int __vlan_del(struct net_port_vl + + clear_bit(vid, v->vlan_bitmap); + v->num_vlans--; +- if (bitmap_empty(v->vlan_bitmap, BR_VLAN_BITMAP_LEN)) { ++ if (bitmap_empty(v->vlan_bitmap, VLAN_N_VID)) { + if (v->port_idx) + rcu_assign_pointer(v->parent.port->vlan_info, NULL); + else +@@ -122,7 +122,7 @@ static void __vlan_flush(struct net_port + { + smp_wmb(); + v->pvid = 0; +- bitmap_zero(v->vlan_bitmap, BR_VLAN_BITMAP_LEN); ++ bitmap_zero(v->vlan_bitmap, VLAN_N_VID); + if (v->port_idx) + 
rcu_assign_pointer(v->parent.port->vlan_info, NULL); + else diff --git a/queue-3.10/fib_trie-remove-potential-out-of-bound-access.patch b/queue-3.10/fib_trie-remove-potential-out-of-bound-access.patch new file mode 100644 index 00000000000..ac50a0d4e77 --- /dev/null +++ b/queue-3.10/fib_trie-remove-potential-out-of-bound-access.patch @@ -0,0 +1,51 @@ +From 150cfa86c3b5817f46888b049a675415780e25e3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 5 Aug 2013 11:18:49 -0700 +Subject: fib_trie: remove potential out of bound access + +From: Eric Dumazet + +[ Upstream commit aab515d7c32a34300312416c50314e755ea6f765 ] + +AddressSanitizer [1] dynamic checker pointed a potential +out of bound access in leaf_walk_rcu() + +We could allocate one more slot in tnode_new() to leave the prefetch() +in-place but it looks not worth the pain. + +Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") + +[1] : +https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + +Reported-by: Andrey Konovalov +Signed-off-by: Eric Dumazet +Cc: Dmitry Vyukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_trie.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -71,7 +71,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct + if (!c) + continue; + +- if (IS_LEAF(c)) { +- prefetch(rcu_dereference_rtnl(p->child[idx])); ++ if (IS_LEAF(c)) + return (struct leaf *) c; +- } + + /* Rescan start scanning in new node */ + p = (struct tnode *) c; diff --git a/queue-3.10/genl-fix-genl-dumpit-locking.patch b/queue-3.10/genl-fix-genl-dumpit-locking.patch new file mode 100644 index 00000000000..ef2dba57a19 --- /dev/null +++ b/queue-3.10/genl-fix-genl-dumpit-locking.patch 
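Review bot: In the bridge VLAN bitmap patch, nothing in these hunks stops the same mix-up from returning. BR_VLAN_BITMAP_LEN (a size in longs, per the commit message) and VLAN_N_VID (a size in bits) are both plain integer constants, so passing the wrong one to bitmap_empty(), bitmap_zero() or for_each_set_bit() still compiles cleanly. The definition of BR_VLAN_BITMAP_LEN is outside this patch; a comment there such as `/* array length in longs; bitmap helpers take VLAN_N_VID (bits) */` would document the distinction for the next caller.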
@@ -0,0 +1,97 @@ +From 0b91de5d552a5c8adbcc071aebe8dbccfc0d4cda Mon Sep 17 00:00:00 2001 +From: Pravin B Shelar +Date: Fri, 23 Aug 2013 12:44:55 -0700 +Subject: genl: Fix genl dumpit() locking. + +From: Pravin B Shelar + +[ Upstream commit 9b96309c5b0b9e466773c07a5bc8b7b68fcf010a ] + +In case of genl-family with parallel ops off, dumpif() callback +is expected to run under genl_lock, But commit def3117493eafd9df +(genl: Allow concurrent genl callbacks.) changed this behaviour +where only first dumpit() op was called under genl-lock. +For subsequent dump, only nlk->cb_lock was taken. +Following patch fixes it by defining locked dumpit() and done() +callback which takes care of genl-locking. + +Signed-off-by: Pravin B Shelar +CC: Jesse Gross +CC: Johannes Berg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/genetlink.c | 51 +++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 46 insertions(+), 5 deletions(-) + +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -544,6 +544,30 @@ void *genlmsg_put(struct sk_buff *skb, u + } + EXPORT_SYMBOL(genlmsg_put); + ++static int genl_lock_dumpit(struct sk_buff *skb, struct netlink_callback *cb) ++{ ++ struct genl_ops *ops = cb->data; ++ int rc; ++ ++ genl_lock(); ++ rc = ops->dumpit(skb, cb); ++ genl_unlock(); ++ return rc; ++} ++ ++static int genl_lock_done(struct netlink_callback *cb) ++{ ++ struct genl_ops *ops = cb->data; ++ int rc = 0; ++ ++ if (ops->done) { ++ genl_lock(); ++ rc = ops->done(cb); ++ genl_unlock(); ++ } ++ return rc; ++} ++ + static int genl_family_rcv_msg(struct genl_family *family, + struct sk_buff *skb, + struct nlmsghdr *nlh) +@@ -572,15 +596,32 @@ static int genl_family_rcv_msg(struct ge + return -EPERM; + + if (nlh->nlmsg_flags & NLM_F_DUMP) { +- struct netlink_dump_control c = { +- .dump = ops->dumpit, +- .done = ops->done, +- }; ++ int rc; + + if (ops->dumpit == NULL) + return -EOPNOTSUPP; + +- return netlink_dump_start(net->genl_sock, 
skb, nlh, &c); ++ if (!family->parallel_ops) { ++ struct netlink_dump_control c = { ++ .data = ops, ++ .dump = genl_lock_dumpit, ++ .done = genl_lock_done, ++ }; ++ ++ genl_unlock(); ++ rc = netlink_dump_start(net->genl_sock, skb, nlh, &c); ++ genl_lock(); ++ ++ } else { ++ struct netlink_dump_control c = { ++ .dump = ops->dumpit, ++ .done = ops->done, ++ }; ++ ++ rc = netlink_dump_start(net->genl_sock, skb, nlh, &c); ++ } ++ ++ return rc; + } + + if (ops->doit == NULL) diff --git a/queue-3.10/genl-hold-reference-on-correct-module-while-netlink-dump.patch b/queue-3.10/genl-hold-reference-on-correct-module-while-netlink-dump.patch new file mode 100644 index 00000000000..ba22073007c --- /dev/null +++ b/queue-3.10/genl-hold-reference-on-correct-module-while-netlink-dump.patch 
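Review bot: In the `!family->parallel_ops` branch of genl_family_rcv_msg(), `ops` is stored in `c.data` and later dereferenced by genl_lock_dumpit() and genl_lock_done(), but nothing visible in this hunk keeps the ops, or the module that provides them, alive once `genl_unlock()` has run. If no reference is held elsewhere, unregistering the ops during a multi-part dump would leave cb->data dangling; the following patch in this queue (genl-hold-reference-on-correct-module-while-netlink-dump) appears to cover the module side of that. The `genl_unlock(); ... genl_lock();` pair is also uncommented, and a line such as `/* drop genl_lock: genl_lock_dumpit() takes it itself */` would explain why the lock is released around netlink_dump_start(). genl_family_rcv_msg() continues outside the hunk.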
@@ -0,0 +1,147 @@ +From 276ac8b82acbf3c4cefbfb516deb6903570dc37a Mon Sep 17 00:00:00 2001 +From: Pravin B Shelar +Date: Fri, 23 Aug 2013 12:45:04 -0700 +Subject: genl: Hold reference on correct module while netlink-dump. + +From: Pravin B Shelar + +[ Upstream commit 33c6b1f6b154894321f5734e50c66621e9134e7e ] + +netlink dump operations take module as parameter to hold +reference for entire netlink dump duration. +Currently it holds ref only on genl module which is not correct +when we use ops registered to genl from another module. +Following patch adds module pointer to genl_ops so that netlink +can hold ref count on it. + +Signed-off-by: Pravin B Shelar +CC: Jesse Gross +CC: Johannes Berg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/genetlink.h | 20 ++++++++++++++++++-- + net/netlink/genetlink.c | 20 +++++++++++--------- + 2 files changed, 29 insertions(+), 11 deletions(-) + +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -61,6 +61,7 @@ struct genl_family { + struct list_head ops_list; /* private */ + struct list_head family_list; /* private */ + struct list_head mcast_groups; /* private */ ++ struct module *module; + }; + + /** +@@ -121,9 +122,24 @@ struct genl_ops { + struct list_head ops_list; + }; + +-extern int genl_register_family(struct genl_family *family); +-extern int genl_register_family_with_ops(struct genl_family *family, ++extern int __genl_register_family(struct genl_family *family); ++ ++static inline int genl_register_family(struct genl_family *family) ++{ ++ family->module = THIS_MODULE; ++ return __genl_register_family(family); ++} ++ ++extern int __genl_register_family_with_ops(struct genl_family *family, + struct genl_ops *ops, size_t n_ops); ++ ++static inline int genl_register_family_with_ops(struct genl_family *family, ++ struct genl_ops *ops, size_t n_ops) ++{ ++ family->module = THIS_MODULE; ++ return __genl_register_family_with_ops(family, ops, n_ops); ++} ++ + extern int 
genl_unregister_family(struct genl_family *family); + extern int genl_register_ops(struct genl_family *, struct genl_ops *ops); + extern int genl_unregister_ops(struct genl_family *, struct genl_ops *ops); +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -364,7 +364,7 @@ int genl_unregister_ops(struct genl_fami + EXPORT_SYMBOL(genl_unregister_ops); + + /** +- * genl_register_family - register a generic netlink family ++ * __genl_register_family - register a generic netlink family + * @family: generic netlink family + * + * Registers the specified family after validating it first. Only one +@@ -374,7 +374,7 @@ EXPORT_SYMBOL(genl_unregister_ops); + * + * Return 0 on success or a negative error code. + */ +-int genl_register_family(struct genl_family *family) ++int __genl_register_family(struct genl_family *family) + { + int err = -EINVAL; + +@@ -430,10 +430,10 @@ errout_locked: + errout: + return err; + } +-EXPORT_SYMBOL(genl_register_family); ++EXPORT_SYMBOL(__genl_register_family); + + /** +- * genl_register_family_with_ops - register a generic netlink family ++ * __genl_register_family_with_ops - register a generic netlink family + * @family: generic netlink family + * @ops: operations to be registered + * @n_ops: number of elements to register +@@ -457,12 +457,12 @@ EXPORT_SYMBOL(genl_register_family); + * + * Return 0 on success or a negative error code. 
+ */ +-int genl_register_family_with_ops(struct genl_family *family, ++int __genl_register_family_with_ops(struct genl_family *family, + struct genl_ops *ops, size_t n_ops) + { + int err, i; + +- err = genl_register_family(family); ++ err = __genl_register_family(family); + if (err) + return err; + +@@ -476,7 +476,7 @@ err_out: + genl_unregister_family(family); + return err; + } +-EXPORT_SYMBOL(genl_register_family_with_ops); ++EXPORT_SYMBOL(__genl_register_family_with_ops); + + /** + * genl_unregister_family - unregister generic netlink family +@@ -603,22 +603,24 @@ static int genl_family_rcv_msg(struct ge + + if (!family->parallel_ops) { + struct netlink_dump_control c = { ++ .module = family->module, + .data = ops, + .dump = genl_lock_dumpit, + .done = genl_lock_done, + }; + + genl_unlock(); +- rc = netlink_dump_start(net->genl_sock, skb, nlh, &c); ++ rc = __netlink_dump_start(net->genl_sock, skb, nlh, &c); + genl_lock(); + + } else { + struct netlink_dump_control c = { ++ .module = family->module, + .dump = ops->dumpit, + .done = ops->done, + }; + +- rc = netlink_dump_start(net->genl_sock, skb, nlh, &c); ++ rc = __netlink_dump_start(net->genl_sock, skb, nlh, &c); + } + + return rc; diff --git a/queue-3.10/htb-fix-sign-extension-bug.patch b/queue-3.10/htb-fix-sign-extension-bug.patch new file mode 100644 index 00000000000..fb575af9222 --- /dev/null +++ b/queue-3.10/htb-fix-sign-extension-bug.patch 
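Review bot: The kerneldoc blocks for `__genl_register_family()` and `__genl_register_family_with_ops()` were only renamed, so they still read as the public entry points even though `family->module` is set solely by the new static inline wrappers in genetlink.h. Both double-underscore functions remain exported, so a caller that uses them directly leaves `family->module` unset, and that value is later passed as `.module` to `__netlink_dump_start()`. I would add a line to each kerneldoc block, for example `* Do not call directly; use genl_register_family() so that family->module is set.` How `__netlink_dump_start()` treats an unset module is not visible in this patch.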
@@ -0,0 +1,39 @@ +From 115ce20f7b5a22379aea6d652fdc5638215f47cb Mon Sep 17 00:00:00 2001 +From: stephen hemminger +Date: Thu, 1 Aug 2013 22:32:07 -0700 +Subject: htb: fix sign extension bug + +From: stephen hemminger + +[ Upstream commit cbd375567f7e4811b1c721f75ec519828ac6583f ] + +When userspace passes a large priority value +the assignment of the unsigned value hopt->prio +to signed int cl->prio causes cl->prio to become negative and the +comparison is with TC_HTB_NUMPRIO is always false. + +The result is that HTB crashes by referencing outside +the array when processing packets. With this patch the large value +wraps around like other values outside the normal range. + +See: https://bugzilla.kernel.org/show_bug.cgi?id=60669 + +Signed-off-by: Stephen Hemminger +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_htb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -87,7 +87,7 @@ struct htb_class { + unsigned int children; + struct htb_class *parent; /* parent class */ + +- int prio; /* these two are used only by leaves... */ ++ u32 prio; /* these two are used only by leaves... */ + int quantum; /* but stored for parent-to-leaf return */ + + union { diff --git a/queue-3.10/icmpv6-treat-dest-unreachable-codes-5-and-6-as-eacces-not-eproto.patch b/queue-3.10/icmpv6-treat-dest-unreachable-codes-5-and-6-as-eacces-not-eproto.patch new file mode 100644 index 00000000000..da1acaf6934 --- /dev/null +++ b/queue-3.10/icmpv6-treat-dest-unreachable-codes-5-and-6-as-eacces-not-eproto.patch 
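Review bot: Changing `prio` to `u32` in struct htb_class fixes the comparison described in the commit message, but the range check against TC_HTB_NUMPRIO and the array indexing it protects are outside this hunk. The patch therefore relies on every user of cl->prio behaving correctly with an unsigned value. A comment on the field would record why the type matters, for example `u32 prio; /* unsigned: copied from user-supplied hopt->prio, then range-checked */`. It is also worth confirming that no remaining code compares cl->prio with a signed value or tests it for `< 0`.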
@@ -0,0 +1,72 @@ +From 25afc7964da75b468e258fc2fe1dadf5939eabd7 Mon Sep 17 00:00:00 2001 +From: Jiri Bohac +Date: Fri, 30 Aug 2013 11:18:45 +0200 +Subject: ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO + +From: Jiri Bohac + +[ Upstream commit 61e76b178dbe7145e8d6afa84bb4ccea71918994 ] + +RFC 4443 has defined two additional codes for ICMPv6 type 1 (destination +unreachable) messages: + 5 - Source address failed ingress/egress policy + 6 - Reject route to destination + +Now they are treated as protocol error and icmpv6_err_convert() converts them +to EPROTO. + +RFC 4443 says: + "Codes 5 and 6 are more informative subsets of code 1." + +Treat codes 5 and 6 as code 1 (EACCES) + +Btw, connect() returning -EPROTO confuses firefox, so that fallback to +other/IPv4 addresses does not work: +https://bugzilla.mozilla.org/show_bug.cgi?id=910773 + +Signed-off-by: Jiri Bohac +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/icmpv6.h | 2 ++ + net/ipv6/icmp.c | 10 +++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/include/uapi/linux/icmpv6.h ++++ b/include/uapi/linux/icmpv6.h +@@ -115,6 +115,8 @@ struct icmp6hdr { + #define ICMPV6_NOT_NEIGHBOUR 2 + #define ICMPV6_ADDR_UNREACH 3 + #define ICMPV6_PORT_UNREACH 4 ++#define ICMPV6_POLICY_FAIL 5 ++#define ICMPV6_REJECT_ROUTE 6 + + /* + * Codes for Time Exceeded +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -931,6 +931,14 @@ static const struct icmp6_err { + .err = ECONNREFUSED, + .fatal = 1, + }, ++ { /* POLICY_FAIL */ ++ .err = EACCES, ++ .fatal = 1, ++ }, ++ { /* REJECT_ROUTE */ ++ .err = EACCES, ++ .fatal = 1, ++ }, + }; + + int icmpv6_err_convert(u8 type, u8 code, int *err) +@@ -942,7 +950,7 @@ int icmpv6_err_convert(u8 type, u8 code, + switch (type) { + case ICMPV6_DEST_UNREACH: + fatal = 1; +- if (code <= ICMPV6_PORT_UNREACH) { ++ if (code < ARRAY_SIZE(tab_unreach)) { + *err = tab_unreach[code].err; + fatal = 
tab_unreach[code].fatal; + } diff --git a/queue-3.10/ip_gre-fix-ipgre_header-to-return-correct-offset-mime-version-1.0.patch b/queue-3.10/ip_gre-fix-ipgre_header-to-return-correct-offset-mime-version-1.0.patch new file mode 100644 index 00000000000..4c1a5e91cd7 --- /dev/null +++ b/queue-3.10/ip_gre-fix-ipgre_header-to-return-correct-offset-mime-version-1.0.patch @@ -0,0 +1,38 @@ +From df2eb62683a7f8691ec535bafc46fe9f721fc8a5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= +Date: Tue, 6 Aug 2013 13:45:43 +0300 +Subject: ip_gre: fix ipgre_header to return correct offset MIME-Version: 1.0 + +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= + +[ Upstream commit 77a482bdb2e68d13fae87541b341905ba70d572b ] + +Fix ipgre_header() (header_ops->create) to return the correct +amount of bytes pushed. Most callers of dev_hard_header() seem +to care only if it was success, but af_packet.c uses it as +offset to the skb to copy from userspace only once. In practice +this fixes packet socket sendto()/sendmsg() to gre tunnels. + +Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 +("GRE: Refactor GRE tunneling code.") + +Cc: Pravin B Shelar +Signed-off-by: Timo Teräs +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff * + if (daddr) + memcpy(&iph->daddr, daddr, 4); + if (iph->daddr) +- return t->hlen; ++ return t->hlen + sizeof(*iph); + + return -(t->hlen + sizeof(*iph)); + } diff --git a/queue-3.10/ip_tunnel-do-not-use-inner-ip-header-id-for-tunnel-ip-header-id.patch b/queue-3.10/ip_tunnel-do-not-use-inner-ip-header-id-for-tunnel-ip-header-id.patch new file mode 100644 index 00000000000..06fdddff220 --- /dev/null +++ b/queue-3.10/ip_tunnel-do-not-use-inner-ip-header-id-for-tunnel-ip-header-id.patch 
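Review bot: In the ICMPv6 patch, the two new tab_unreach entries are tied to ICMPV6_POLICY_FAIL and ICMPV6_REJECT_ROUTE only by position and a comment, while icmpv6_err_convert() indexes the table directly with the on-wire code. The new `code < ARRAY_SIZE(tab_unreach)` bound keeps the lookup inside the array, but it would not catch an entry added in the wrong slot. Designated initialisers make the mapping explicit: `[ICMPV6_POLICY_FAIL] = { .err = EACCES, .fatal = 1 },` and likewise for `[ICMPV6_REJECT_ROUTE]`. The earlier entries of the table are outside the hunk.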
@@ -0,0 +1,75 @@ +From feee33db6df3a8821c41ef414efc4ceaf245af76 Mon Sep 17 00:00:00 2001 +From: Pravin B Shelar +Date: Tue, 13 Aug 2013 01:41:06 -0700 +Subject: ip_tunnel: Do not use inner ip-header-id for tunnel ip-header-id. + +From: Pravin B Shelar + +[ Upstream commit 4221f40513233fa8edeef7fc82e44163fde03b9b ] + +Using inner-id for tunnel id is not safe in some rare cases. +E.g. packets coming from multiple sources entering same tunnel +can have same id. Therefore on tunnel packet receive we +could have packets from two different stream but with same +source and dst IP with same ip-id which could confuse ip packet +reassembly. + +Following patch reverts optimization from commit +490ab08127 (IP_GRE: Fix IP-Identification.) + +Signed-off-by: Pravin B Shelar +CC: Jarno Rajahalme +CC: Ansis Atteka +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 2 +- + include/net/ip_tunnels.h | 14 -------------- + net/ipv4/ip_tunnel.c | 2 +- + 3 files changed, 2 insertions(+), 16 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1090,7 +1090,7 @@ static netdev_tx_t vxlan_xmit_one(struct + iph->daddr = dst; + iph->saddr = fl4.saddr; + iph->ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); +- tunnel_ip_select_ident(skb, old_iph, &rt->dst); ++ __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1); + + nf_reset(skb); + +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -141,20 +141,6 @@ static inline u8 ip_tunnel_ecn_encap(u8 + return INET_ECN_encapsulate(tos, inner); + } + +-static inline void tunnel_ip_select_ident(struct sk_buff *skb, +- const struct iphdr *old_iph, +- struct dst_entry *dst) +-{ +- struct iphdr *iph = ip_hdr(skb); +- +- /* Use inner packet iph-id if possible. 
*/ +- if (skb->protocol == htons(ETH_P_IP) && old_iph->id) +- iph->id = old_iph->id; +- else +- __ip_select_ident(iph, dst, +- (skb_shinfo(skb)->gso_segs ?: 1) - 1); +-} +- + static inline void iptunnel_xmit(struct sk_buff *skb, struct net_device *dev) + { + int err; +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -686,7 +686,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, + iph->daddr = fl4.daddr; + iph->saddr = fl4.saddr; + iph->ttl = ttl; +- tunnel_ip_select_ident(skb, inner_iph, &rt->dst); ++ __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1); + + iptunnel_xmit(skb, dev); + return; diff --git a/queue-3.10/ipv4-sendto-hdrincl-don-t-use-destination-address-found-in-header.patch b/queue-3.10/ipv4-sendto-hdrincl-don-t-use-destination-address-found-in-header.patch new file mode 100644 index 00000000000..0d96b9ae0c0 --- /dev/null +++ b/queue-3.10/ipv4-sendto-hdrincl-don-t-use-destination-address-found-in-header.patch 
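Review bot: After tunnel_ip_select_ident() is removed, `__ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);` is open-coded identically in vxlan_xmit_one() and ip_tunnel_xmit(). Keeping the helper in ip_tunnels.h with only that single call as its body would leave one place to change. It would also give one place for a comment explaining why the inner header's id must not be reused: per the commit message, packets from several sources entering the same tunnel can carry the same id and confuse reassembly. Both callers start and end outside their hunks.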
@@ -0,0 +1,44 @@ +From 82be3722fbf26502276e78f6283dac616d88fb18 Mon Sep 17 00:00:00 2001 +From: Chris Clark +Date: Tue, 27 Aug 2013 12:02:15 -0600 +Subject: ipv4: sendto/hdrincl: don't use destination address found in header + +From: Chris Clark + +[ Upstream commit c27c9322d015dc1d9dfdf31724fca71c0476c4d1 ] + +ipv4: raw_sendmsg: don't use header's destination address + +A sendto() regression was bisected and found to start with commit +f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.) + +The problem is that it tries to ARP-lookup the constructed packet's +destination address rather than the explicitly provided address. + +Fix this using FLOWI_FLAG_KNOWN_NH so that given nexthop is used. + +cf. commit 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b + +Reported-by: Chris Clark +Bisected-by: Chris Clark +Tested-by: Chris Clark +Suggested-by: Julian Anastasov +Signed-off-by: Chris Clark +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/raw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -571,7 +571,8 @@ static int raw_sendmsg(struct kiocb *ioc + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, + RT_SCOPE_UNIVERSE, + inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, +- inet_sk_flowi_flags(sk) | FLOWI_FLAG_CAN_SLEEP, ++ inet_sk_flowi_flags(sk) | FLOWI_FLAG_CAN_SLEEP | ++ (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0); + + if (!inet->hdrincl) { diff --git a/queue-3.10/ipv6-don-t-depend-on-per-socket-memory-for-neighbour-discovery-messages.patch b/queue-3.10/ipv6-don-t-depend-on-per-socket-memory-for-neighbour-discovery-messages.patch new file mode 100644 index 00000000000..ba1fa2e32bd --- /dev/null +++ b/queue-3.10/ipv6-don-t-depend-on-per-socket-memory-for-neighbour-discovery-messages.patch 
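Review bot: The new `(inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0)` term in raw_sendmsg() has no comment, so the reason for it is visible only in the commit message. A line above the flowi4_init_output() call, such as `/* hdrincl: use the nexthop given to sendto(), not the daddr in the caller-built header */`, would explain why the flag is conditional on hdrincl. raw_sendmsg() starts and ends outside the hunk.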
@@ -0,0 +1,72 @@ +From 6cdb64d5f00491d0a515a61e233d049ca7f47c9e Mon Sep 17 00:00:00 2001 +From: Thomas Graf +Date: Tue, 3 Sep 2013 13:37:01 +0200 +Subject: ipv6: Don't depend on per socket memory for neighbour discovery messages + +From: Thomas Graf + +[ Upstream commit 25a6e6b84fba601eff7c28d30da8ad7cfbef0d43 ] + +Allocating skbs when sending out neighbour discovery messages +currently uses sock_alloc_send_skb() based on a per net namespace +socket and thus share a socket wmem buffer space. + +If a netdevice is temporarily unable to transmit due to carrier +loss or for other reasons, the queued up ndisc messages will cosnume +all of the wmem space and will thus prevent from any more skbs to +be allocated even for netdevices that are able to transmit packets. + +The number of neighbour discovery messages sent is very limited, +use of alloc_skb() bypasses the socket wmem buffer size enforcement +while the manual call to skb_set_owner_w() maintains the socket +reference needed for the IPv6 output path. + +This patch has orginally been posted by Eric Dumazet in a modified +form. + +Signed-off-by: Thomas Graf +Cc: Eric Dumazet +Cc: Hannes Frederic Sowa +Cc: Stephen Warren +Cc: Fabio Estevam +Tested-by: Fabio Estevam +Tested-by: Stephen Warren +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -372,14 +372,11 @@ static struct sk_buff *ndisc_alloc_skb(s + int tlen = dev->needed_tailroom; + struct sock *sk = dev_net(dev)->ipv6.ndisc_sk; + struct sk_buff *skb; +- int err; + +- skb = sock_alloc_send_skb(sk, +- hlen + sizeof(struct ipv6hdr) + len + tlen, +- 1, &err); ++ skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC); + if (!skb) { +- ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb, err=%d\n", +- __func__, err); ++ ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n", ++ __func__); + return NULL; + } + +@@ -389,6 +386,11 @@ static struct sk_buff *ndisc_alloc_skb(s + skb_reserve(skb, hlen + sizeof(struct ipv6hdr)); + skb_reset_transport_header(skb); + ++ /* Manually assign socket ownership as we avoid calling ++ * sock_alloc_send_pskb() to bypass wmem buffer limits ++ */ ++ skb_set_owner_w(skb, sk); ++ + return skb; + } + diff --git a/queue-3.10/ipv6-don-t-stop-backtracking-in-fib6_lookup_1-if-subtree-does-not-match.patch b/queue-3.10/ipv6-don-t-stop-backtracking-in-fib6_lookup_1-if-subtree-does-not-match.patch new file mode 100644 index 00000000000..45121318a91 --- /dev/null +++ b/queue-3.10/ipv6-don-t-stop-backtracking-in-fib6_lookup_1-if-subtree-does-not-match.patch 
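Review bot: The comment added before `skb_set_owner_w(skb, sk)` in `ndisc_alloc_skb()` names `sock_alloc_send_pskb()`, while the call this patch removes is `sock_alloc_send_skb()`; it should name the function that was actually replaced. Since `alloc_skb(..., GFP_ATOMIC)` is no longer checked against the socket's wmem limit, the comment should also state what bounds the number of queued neighbour discovery skbs. The commit message says only that the number sent is "very limited", so that bound is an assumption to confirm before it is written down as fact. A possible first line is `/* Not sock_alloc_send_skb(): ND must not stall on the wmem space shared by the per-netns socket */`. The function starts outside the hunk.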
@@ -0,0 +1,58 @@ +From 05cb459e5c6f5f8c00d66906905c64228f58fb36 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Wed, 7 Aug 2013 02:34:31 +0200 +Subject: ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match + +From: Hannes Frederic Sowa + +[ Upstream commit 3e3be275851bc6fc90bfdcd732cd95563acd982b ] + +In case a subtree did not match we currently stop backtracking and return +NULL (root table from fib_lookup). This could yield in invalid routing +table lookups when using subtrees. + +Instead continue to backtrack until a valid subtree or node is found +and return this match. + +Also remove unneeded NULL check. + +Reported-by: Teco Boot +Cc: YOSHIFUJI Hideaki +Cc: David Lamparter +Cc: +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -993,14 +993,22 @@ static struct fib6_node * fib6_lookup_1( + + if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) { + #ifdef CONFIG_IPV6_SUBTREES +- if (fn->subtree) +- fn = fib6_lookup_1(fn->subtree, args + 1); ++ if (fn->subtree) { ++ struct fib6_node *sfn; ++ sfn = fib6_lookup_1(fn->subtree, ++ args + 1); ++ if (!sfn) ++ goto backtrack; ++ fn = sfn; ++ } + #endif +- if (!fn || fn->fn_flags & RTN_RTINFO) ++ if (fn->fn_flags & RTN_RTINFO) + return fn; + } + } +- ++#ifdef CONFIG_IPV6_SUBTREES ++backtrack: ++#endif + if (fn->fn_flags & RTN_ROOT) + break; + diff --git a/queue-3.10/ipv6-drop-packets-with-multiple-fragmentation-headers.patch b/queue-3.10/ipv6-drop-packets-with-multiple-fragmentation-headers.patch new file mode 100644 index 00000000000..bd4dd63d8f5 --- /dev/null +++ b/queue-3.10/ipv6-drop-packets-with-multiple-fragmentation-headers.patch 
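Review bot: The new `backtrack:` label in `fib6_lookup_1()` is reached both by falling out of the prefix comparison and by the `goto` on a subtree miss, and nothing in the code says so. A comment at the jump, e.g. `/* no match in the subtree: keep walking up instead of returning NULL */`, would document the behaviour the fix depends on. The declaration and assignment of `sfn` could also be one statement, `struct fib6_node *sfn = fib6_lookup_1(fn->subtree, args + 1);`. The loop enclosing these lines starts and ends outside the hunk.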
@@ -0,0 +1,63 @@ +From 10f20e321f6de1cf23fd2a6c7bf4e0f4ee7e31f2 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 16 Aug 2013 13:30:07 +0200 +Subject: ipv6: drop packets with multiple fragmentation headers + +From: Hannes Frederic Sowa + +[ Upstream commit f46078cfcd77fa5165bf849f5e568a7ac5fa569c ] + +It is not allowed for an ipv6 packet to contain multiple fragmentation +headers. So discard packets which were already reassembled by +fragmentation logic and send back a parameter problem icmp. + +The updates for RFC 6980 will come in later, I have to do a bit more +research here. + +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ipv6.h | 1 + + net/ipv6/reassembly.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/include/linux/ipv6.h ++++ b/include/linux/ipv6.h +@@ -101,6 +101,7 @@ struct inet6_skb_parm { + #define IP6SKB_FORWARDED 2 + #define IP6SKB_REROUTED 4 + #define IP6SKB_ROUTERALERT 8 ++#define IP6SKB_FRAGMENTED 16 + }; + + #define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb)) +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -490,6 +490,7 @@ static int ip6_frag_reasm(struct frag_qu + ipv6_hdr(head)->payload_len = htons(payload_len); + ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn); + IP6CB(head)->nhoff = nhoff; ++ IP6CB(head)->flags |= IP6SKB_FRAGMENTED; + + /* Yes, and fold redundant checksum back. 8) */ + if (head->ip_summed == CHECKSUM_COMPLETE) +@@ -524,6 +525,9 @@ static int ipv6_frag_rcv(struct sk_buff + struct net *net = dev_net(skb_dst(skb)->dev); + int evicted; + ++ if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED) ++ goto fail_hdr; ++ + IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS); + + /* Jumbo payload inhibits frag. 
header */ +@@ -544,6 +548,7 @@ static int ipv6_frag_rcv(struct sk_buff + ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS); + + IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb); ++ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED; + return 1; + } + diff --git a/queue-3.10/ipv6-fix-null-pointer-dereference-in-__ip6addrlbl_add.patch b/queue-3.10/ipv6-fix-null-pointer-dereference-in-__ip6addrlbl_add.patch new file mode 100644 index 00000000000..f4af54fb2e8 --- /dev/null +++ b/queue-3.10/ipv6-fix-null-pointer-dereference-in-__ip6addrlbl_add.patch 
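Review bot: `IP6SKB_FRAGMENTED` is added to include/linux/ipv6.h without a comment, and its name does not say what the code uses it for. It is set in `ip6_frag_reasm()` after reassembly and on the `return 1` path of `ipv6_frag_rcv()`, so it marks an skb whose fragment header has already been processed. A comment such as `/* a fragment header was already handled for this skb; ipv6_frag_rcv() rejects a second one */` would state that. The check relies on every path that reassembles a packet setting the flag, and only net/ipv6/reassembly.c is touched here, so it should be confirmed whether any other defragmentation path in the tree needs the same line. All three functions continue outside their hunks.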
@@ -0,0 +1,90 @@ +From 1ffd6c103dc4cf9fe389e4dc34ec066d67061d97 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 3 Sep 2013 02:13:31 +0200 +Subject: ipv6: fix null pointer dereference in __ip6addrlbl_add + +From: Hannes Frederic Sowa + +[ Upstream commit 639739b5e609a5074839bb22fc061b37baa06269 ] + +Commit b67bfe0d42cac56c512dd5da4b1b347a23f4b70a ("hlist: drop +the node parameter from iterators") changed the behavior of +hlist_for_each_entry_safe to leave the p argument NULL. + +Fix this up by tracking the last argument. + +Reported-by: Michele Baldessari +Cc: Hideaki YOSHIFUJI +Cc: Sasha Levin +Signed-off-by: Hannes Frederic Sowa +Tested-by: Michele Baldessari +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrlabel.c | 48 +++++++++++++++++++++++------------------------- + 1 file changed, 23 insertions(+), 25 deletions(-) + +--- a/net/ipv6/addrlabel.c ++++ b/net/ipv6/addrlabel.c +@@ -251,38 +251,36 @@ static struct ip6addrlbl_entry *ip6addrl + /* add a label */ + static int __ip6addrlbl_add(struct ip6addrlbl_entry *newp, int replace) + { ++ struct hlist_node *n; ++ struct ip6addrlbl_entry *last = NULL, *p = NULL; + int ret = 0; + +- ADDRLABEL(KERN_DEBUG "%s(newp=%p, replace=%d)\n", +- __func__, +- newp, replace); ++ ADDRLABEL(KERN_DEBUG "%s(newp=%p, replace=%d)\n", __func__, newp, ++ replace); + +- if (hlist_empty(&ip6addrlbl_table.head)) { +- hlist_add_head_rcu(&newp->list, &ip6addrlbl_table.head); +- } else { +- struct hlist_node *n; +- struct ip6addrlbl_entry *p = NULL; +- hlist_for_each_entry_safe(p, n, +- &ip6addrlbl_table.head, list) { +- if (p->prefixlen == newp->prefixlen && +- net_eq(ip6addrlbl_net(p), ip6addrlbl_net(newp)) && +- p->ifindex == newp->ifindex && +- ipv6_addr_equal(&p->prefix, &newp->prefix)) { +- if (!replace) { +- ret = -EEXIST; +- goto out; +- } +- hlist_replace_rcu(&p->list, &newp->list); +- ip6addrlbl_put(p); +- goto out; +- } else if ((p->prefixlen == newp->prefixlen && !p->ifindex) 
|| +- (p->prefixlen < newp->prefixlen)) { +- hlist_add_before_rcu(&newp->list, &p->list); ++ hlist_for_each_entry_safe(p, n, &ip6addrlbl_table.head, list) { ++ if (p->prefixlen == newp->prefixlen && ++ net_eq(ip6addrlbl_net(p), ip6addrlbl_net(newp)) && ++ p->ifindex == newp->ifindex && ++ ipv6_addr_equal(&p->prefix, &newp->prefix)) { ++ if (!replace) { ++ ret = -EEXIST; + goto out; + } ++ hlist_replace_rcu(&p->list, &newp->list); ++ ip6addrlbl_put(p); ++ goto out; ++ } else if ((p->prefixlen == newp->prefixlen && !p->ifindex) || ++ (p->prefixlen < newp->prefixlen)) { ++ hlist_add_before_rcu(&newp->list, &p->list); ++ goto out; + } +- hlist_add_after_rcu(&p->list, &newp->list); ++ last = p; + } ++ if (last) ++ hlist_add_after_rcu(&last->list, &newp->list); ++ else ++ hlist_add_head_rcu(&newp->list, &ip6addrlbl_table.head); + out: + if (!ret) + ip6addrlbl_table.seq++; diff --git a/queue-3.10/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/queue-3.10/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch new file mode 100644 index 00000000000..cba420ae513 --- /dev/null +++ b/queue-3.10/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch 
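Review bot: In the rewritten `__ip6addrlbl_add()` the `p = NULL` initialiser is dead, because the iterator assigns `p` before its first use and `p` is no longer read after the loop; `struct ip6addrlbl_entry *last = NULL, *p;` is enough. The `_safe` iterator also looks unnecessary, since every branch that replaces or inserts an entry jumps to `out` immediately, so plain `hlist_for_each_entry()` would drop `n`. A comment on `last`, e.g. `/* last entry visited; the loop cursor itself is NULL once the loop finishes */`, would record the trap this patch fixes. The rest of the function after `out:` is outside the hunk.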
@@ -0,0 +1,64 @@ +From 37aef530868d5b0bcd7f3345d044fe0647dfcc8b Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 16 Aug 2013 13:02:27 +0200 +Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr + +From: Hannes Frederic Sowa + +[ Upstream commit 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ] + +Because of the max_addresses check attackers were able to disable privacy +extensions on an interface by creating enough autoconfigured addresses: + + + +But the check is not actually needed: max_addresses protects the +kernel to install too many ipv6 addresses on an interface and guards +addrconf_prefix_rcv to install further addresses as soon as this limit +is reached. We only generate temporary addresses in direct response of +a new address showing up. As soon as we filled up the maximum number of +addresses of an interface, we stop installing more addresses and thus +also stop generating more temp addresses. + +Even if the attacker tries to generate a lot of temporary addresses +by announcing a prefix and removing it again (lifetime == 0) we won't +install more temp addresses, because the temporary addresses do count +to the maximum number of addresses, thus we would stop installing new +autoconfigured addresses when the limit is reached. + +This patch fixes CVE-2013-0343 (but other layer-2 attacks are still +possible). + +Thanks to Ding Tianhong to bring this topic up again. + +Signed-off-by: Hannes Frederic Sowa +Cc: Ding Tianhong +Cc: George Kargiotakis +Cc: P J P +Cc: YOSHIFUJI Hideaki +Acked-by: Ding Tianhong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1124,12 +1124,10 @@ retry: + if (ifp->flags & IFA_F_OPTIMISTIC) + addr_flags |= IFA_F_OPTIMISTIC; + +- ift = !max_addresses || +- ipv6_count_addresses(idev) < max_addresses ? 
+- ipv6_add_addr(idev, &addr, tmp_plen, +- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, +- addr_flags) : NULL; +- if (IS_ERR_OR_NULL(ift)) { ++ ift = ipv6_add_addr(idev, &addr, tmp_plen, ++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, ++ addr_flags); ++ if (IS_ERR(ift)) { + in6_ifa_put(ifp); + in6_dev_put(idev); + pr_info("%s: retry temporary address regeneration\n", __func__); diff --git a/queue-3.10/macvlan-validate-flags.patch b/queue-3.10/macvlan-validate-flags.patch new file mode 100644 index 00000000000..08ab80dc387 --- /dev/null +++ b/queue-3.10/macvlan-validate-flags.patch @@ -0,0 +1,41 @@ +From aed1b93c979b14cc55e605e040722c300f81f444 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 5 Aug 2013 18:25:54 +0300 +Subject: macvlan: validate flags + +From: "Michael S. Tsirkin" + +[ Upstream commit 1512747820367c8b3b8b72035f0f78c62f2bf1e9 ] + +commit df8ef8f3aaa6692970a436204c4429210addb23a + macvlan: add FDB bridge ops and macvlan flags +added a flags field to macvlan, which can be +controlled from userspace. +The idea is to make the interface future-proof +so we can add flags and not new fields. + +However, flags value isn't validated, as a result, +userspace can't detect which flags are supported. + +Signed-off-by: Michael S. Tsirkin +Cc: "David S. Miller" +Cc: John Fastabend +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -727,6 +727,10 @@ static int macvlan_validate(struct nlatt + return -EADDRNOTAVAIL; + } + ++ if (data && data[IFLA_MACVLAN_FLAGS] && ++ nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~MACVLAN_FLAG_NOPROMISC) ++ return -EINVAL; ++ + if (data && data[IFLA_MACVLAN_MODE]) { + switch (nla_get_u32(data[IFLA_MACVLAN_MODE])) { + case MACVLAN_MODE_PRIVATE: 
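Review bot: Replacing `IS_ERR_OR_NULL(ift)` with `IS_ERR(ift)` in `ipv6_create_tempaddr()` is only safe if `ipv6_add_addr()` never returns NULL, and that function is not part of this hunk. The NULL in the old code came from the removed ternary, so the change is probably right. If the callee could return NULL, though, the retry branch would be skipped and `ift` presumably used afterwards. After checking the callee in the 3.10 tree, a comment such as `/* ipv6_add_addr() returns a valid ifa or an ERR_PTR(), never NULL */` above the check would pin the contract. The function starts and ends outside the hunk.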
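Review bot: The new test in `macvlan_validate()` hard-codes the accepted flag set as `~MACVLAN_FLAG_NOPROMISC`, so a flag added later is rejected until this line is also updated, and nothing near the check says so. A comment such as `/* reject flag bits this kernel does not implement, so userspace can probe for support */` would explain the purpose and flag the maintenance point. Mixing `&&` with a bare `&` result is also easier to read with the comparison spelled out: `(nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~MACVLAN_FLAG_NOPROMISC) != 0`. The function starts and ends outside the hunk.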
diff --git a/queue-3.10/neighbour-populate-neigh_parms-on-alloc-before-calling-ndo_neigh_setup.patch b/queue-3.10/neighbour-populate-neigh_parms-on-alloc-before-calling-ndo_neigh_setup.patch new file mode 100644 index 00000000000..eaf1a37c36d --- /dev/null +++ b/queue-3.10/neighbour-populate-neigh_parms-on-alloc-before-calling-ndo_neigh_setup.patch @@ -0,0 +1,44 @@ +From 6956fef14ca8a96fe55e57616525a99173785c22 Mon Sep 17 00:00:00 2001 +From: Veaceslav Falico +Date: Fri, 2 Aug 2013 19:07:38 +0200 +Subject: neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup + +From: Veaceslav Falico + +[ Upstream commit 63134803a6369dcf7dddf7f0d5e37b9566b308d2 ] + +dev->ndo_neigh_setup() might need some of the values of neigh_parms, so +populate them before calling it. + +Signed-off-by: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1445,16 +1445,18 @@ struct neigh_parms *neigh_parms_alloc(st + atomic_set(&p->refcnt, 1); + p->reachable_time = + neigh_rand_reach_time(p->base_reachable_time); ++ dev_hold(dev); ++ p->dev = dev; ++ write_pnet(&p->net, hold_net(net)); ++ p->sysctl_table = NULL; + + if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) { ++ release_net(net); ++ dev_put(dev); + kfree(p); + return NULL; + } + +- dev_hold(dev); +- p->dev = dev; +- write_pnet(&p->net, hold_net(net)); +- p->sysctl_table = NULL; + write_lock_bh(&tbl->lock); + p->next = tbl->parms.next; + tbl->parms.next = p; diff --git a/queue-3.10/net-bridge-convert-mldv2-query-mrc-into-msecs_to_jiffies-for-max_delay.patch b/queue-3.10/net-bridge-convert-mldv2-query-mrc-into-msecs_to_jiffies-for-max_delay.patch new file mode 100644 index 00000000000..18484e7887e --- /dev/null +++ b/queue-3.10/net-bridge-convert-mldv2-query-mrc-into-msecs_to_jiffies-for-max_delay.patch 
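Review bot: The failure branch after `ops->ndo_neigh_setup(dev, p)` in `neigh_parms_alloc()` now undoes three things by hand (`release_net(net)`, `dev_put(dev)`, `kfree(p)`), and nothing in the code says why the references are taken before the callback. A comment above the moved lines, e.g. `/* ndo_neigh_setup() may read p->dev and p->net: fill them in and take the references first */`, would stop a later cleanup from moving them back below the call. The function starts and ends outside the hunk.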
@@ -0,0 +1,43 @@ +From c38b449d10976508c5c4ec6f7cd83c5ebfec8a32 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 29 Aug 2013 23:55:05 +0200 +Subject: net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay + +From: Daniel Borkmann + +[ Upstream commit 2d98c29b6fb3de44d9eaa73c09f9cf7209346383 ] + +While looking into MLDv1/v2 code, I noticed that bridging code does +not convert it's max delay into jiffies for MLDv2 messages as we do +in core IPv6' multicast code. + +RFC3810, 5.1.3. Maximum Response Code says: + + The Maximum Response Code field specifies the maximum time allowed + before sending a responding Report. The actual time allowed, called + the Maximum Response Delay, is represented in units of milliseconds, + and is derived from the Maximum Response Code as follows: [...] + +As we update timers that work with jiffies, we need to convert it. + +Signed-off-by: Daniel Borkmann +Cc: Linus Lüssing +Cc: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1193,7 +1193,8 @@ static int br_ip6_multicast_query(struct + mld2q = (struct mld2_query *)icmp6_hdr(skb); + if (!mld2q->mld2q_nsrcs) + group = &mld2q->mld2q_mca; +- max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(ntohs(mld2q->mld2q_mrc)) : 1; ++ ++ max_delay = max(msecs_to_jiffies(MLDV2_MRC(ntohs(mld2q->mld2q_mrc))), 1UL); + } + + if (!group) diff --git a/queue-3.10/net-check-net.core.somaxconn-sysctl-values.patch b/queue-3.10/net-check-net.core.somaxconn-sysctl-values.patch new file mode 100644 index 00000000000..ad9774d459d --- /dev/null +++ b/queue-3.10/net-check-net.core.somaxconn-sysctl-values.patch 
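Review bot: `max_delay` in `br_ip6_multicast_query()` is clamped from below by `max(..., 1UL)` but gets no upper bound in this hunk, and `mld2q->mld2q_mrc` is read from a received MLDv2 query. If nothing later in the function limits it, whoever sends the query decides how far out the timers derived from `max_delay` are set; the rest of the function is outside the hunk, so this needs checking there. A comment stating the accepted range, or a clamp to a configured maximum if the bridge has one, would make the trust decision explicit. The added blank `+` line before the assignment sits directly after an unbraced `if` body and can be dropped.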
@@ -0,0 +1,70 @@ +From 3b4c36ba48c0be2aa92b01fff11523762efdb687 Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Fri, 2 Aug 2013 18:36:40 +0400 +Subject: net: check net.core.somaxconn sysctl values + +From: Roman Gushchin + +[ Upstream commit 5f671d6b4ec3e6d66c2a868738af2cdea09e7509 ] + +It's possible to assign an invalid value to the net.core.somaxconn +sysctl variable, because there is no checks at all. + +The sk_max_ack_backlog field of the sock structure is defined as +unsigned short. Therefore, the backlog argument in inet_listen() +shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall +is truncated to the somaxconn value. So, the somaxconn value shouldn't +exceed 65535 (USHRT_MAX). +Also, negative values of somaxconn are meaningless. + +before: +$ sysctl -w net.core.somaxconn=256 +net.core.somaxconn = 256 +$ sysctl -w net.core.somaxconn=65536 +net.core.somaxconn = 65536 +$ sysctl -w net.core.somaxconn=-100 +net.core.somaxconn = -100 + +after: +$ sysctl -w net.core.somaxconn=256 +net.core.somaxconn = 256 +$ sysctl -w net.core.somaxconn=65536 +error: "Invalid argument" setting key "net.core.somaxconn" +$ sysctl -w net.core.somaxconn=-100 +error: "Invalid argument" setting key "net.core.somaxconn" + +Based on a prior patch from Changli Gao. + +Signed-off-by: Roman Gushchin +Reported-by: Changli Gao +Suggested-by: Eric Dumazet +Acked-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sysctl_net_core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -20,7 +20,9 @@ + #include + #include + ++static int zero = 0; + static int one = 1; ++static int ushort_max = USHRT_MAX; + + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(ctl_table *table, int write, +@@ -204,7 +206,9 @@ static struct ctl_table netns_core_table + .data = &init_net.core.sysctl_somaxconn, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .extra1 = &zero, ++ .extra2 = &ushort_max, ++ .proc_handler = proc_dointvec_minmax + }, + { } + }; diff --git a/queue-3.10/net-ipv6-tcp-fix-potential-use-after-free-in-tcp_v6_do_rcv.patch b/queue-3.10/net-ipv6-tcp-fix-potential-use-after-free-in-tcp_v6_do_rcv.patch new file mode 100644 index 00000000000..614ae84a1fc --- /dev/null +++ b/queue-3.10/net-ipv6-tcp-fix-potential-use-after-free-in-tcp_v6_do_rcv.patch 
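Review bot: `static int zero = 0;` in net/core/sysctl_net_core.c initialises a static to zero explicitly, which kernel coding style discourages; `static int zero;` is equivalent. The new bounds on the somaxconn entry would also benefit from a comment saying where the upper limit comes from, e.g. `/* sk_max_ack_backlog is an unsigned short */` next to `.extra2 = &ushort_max`, since that reasoning is only in the commit message. The `netns_core_table` initialiser begins outside the hunk.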
@@ -0,0 +1,45 @@ +From 8ae50caa631ec336efee755358de38db683b86cb Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Tue, 3 Sep 2013 19:29:12 +0200 +Subject: net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + +From: Daniel Borkmann + +[ Upstream commit 3a1c756590633c0e86df606e5c618c190926a0df ] + +In tcp_v6_do_rcv() code, when processing pkt options, we soley work +on our skb clone opt_skb that we've created earlier before entering +tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + +... we work on skb itself. As we extract every other information out +of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can +already be released by tcp_rcv_established() earlier on. When we try +to access it in ipv6_hdr(), we will dereference freed skb. + +[ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Acked-by: Eric Dumazet +Acked-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1426,7 +1426,7 @@ ipv6_pktoptions: + if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) + np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit; + if (np->rxopt.bits.rxtclass) +- np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ++ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb)); + if (ipv6_opt_accepted(sk, opt_skb)) { + skb_set_owner_r(opt_skb, sk); + opt_skb = xchg(&np->pktoptions, opt_skb); diff --git a/queue-3.10/net-mvneta-properly-disable-hw-phy-polling-and-ensure-adjust_link-works.patch b/queue-3.10/net-mvneta-properly-disable-hw-phy-polling-and-ensure-adjust_link-works.patch new file mode 100644 index 00000000000..ca66efaf884 --- /dev/null 
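Review bot: Nothing at the `ipv6_pktoptions:` label in `tcp_v6_do_rcv()` records that `skb` may already have been released when this block runs, which is how the `ipv6_hdr(skb)` use fixed here got in. A comment at the label, e.g. `/* skb may have been freed by tcp_rcv_established(); use only opt_skb from here on */`, would guard against the same mistake when another option is added. That skb can be freed there is taken from the commit message; the call itself is outside the hunk.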
+++ b/queue-3.10/net-mvneta-properly-disable-hw-phy-polling-and-ensure-adjust_link-works.patch 
@@ -0,0 +1,117 @@ +From fcc53f61084b34f9a6b74e3ea396736f3f78c57b Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Wed, 4 Sep 2013 16:21:18 +0200 +Subject: net: mvneta: properly disable HW PHY polling and ensure adjust_link() works + +From: Thomas Petazzoni + +[ Upstream commit 714086029116b6b0a34e67ba1dd2f0d1cf26770c ] + +This commit fixes a long-standing bug that has been reported by many +users: on some Armada 370 platforms, only the network interface that +has been used in U-Boot to tftp the kernel works properly in +Linux. The other network interfaces can see a 'link up', but are +unable to transmit data. The reports were generally made on the Armada +370-based Mirabox, but have also been given on the Armada 370-RD +board. + +The network MAC in the Armada 370/XP (supported by the mvneta driver +in Linux) has a functionality that allows it to continuously poll the +PHY and directly update the MAC configuration accordingly (speed, +duplex, etc.). The very first versions of the driver submitted for +review were using this hardware mechanism, but due to this, the driver +was not integrated with the kernel phylib. Following reviews, the +driver was changed to use the phylib, and therefore a software based +polling. In software based polling, Linux regularly talks to the PHY +over the MDIO bus, and sees if the link status has changed. If it's +the case then the adjust_link() callback of the driver is called to +update the MAC configuration accordingly. + +However, it turns out that the adjust_link() callback was not +configuring the hardware in a completely correct way: while it was +setting the speed and duplex bits correctly, it wasn't telling the +hardware to actually take into account those bits rather than what the +hardware-based PHY polling mechanism has concluded. So, in fact the +adjust_link() callback was basically a no-op. 
+ +However, the network happened to be working because on the network +interfaces used by U-Boot for tftp on Armada 370 platforms because the +hardware PHY polling was enabled by the bootloader, and left enabled +by Linux. However, the second network interface not used for tftp (or +both network interfaces if the kernel is loaded from USB, NAND or SD +card) didn't had the hardware PHY polling enabled. + +This patch fixes this situation by: + + (1) Making sure that the hardware PHY polling is disabled by clearing + the MVNETA_PHY_POLLING_ENABLE bit in the MVNETA_UNIT_CONTROL + register in the driver ->probe() function. + + (2) Making sure that the duplex and speed selections made by the + adjust_link() callback are taken into account by clearing the + MVNETA_GMAC_AN_SPEED_EN and MVNETA_GMAC_AN_DUPLEX_EN bits in the + MVNETA_GMAC_AUTONEG_CONFIG register. + +This patch has been tested on Armada 370 Mirabox, and now both network +interfaces are usable after boot. + +[ Problem introduced by commit c5aff18 ("net: mvneta: driver for + Marvell Armada 370/XP network unit") ] + +Signed-off-by: Thomas Petazzoni +Cc: Willy Tarreau +Cc: Jochen De Smet +Cc: Peter Sanford +Cc: Ethan Tuttle +Cc: Chény Yves-Gael +Cc: Ryan Press +Cc: Simon Guinot +Cc: vdonnefort@lacie.com +Cc: stable@vger.kernel.org +Acked-by: Jason Cooper +Tested-by: Vincent Donnefort +Tested-by: Yves-Gael Cheny +Tested-by: Gregory CLEMENT +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -136,7 +136,9 @@ + #define MVNETA_GMAC_FORCE_LINK_PASS BIT(1) + #define MVNETA_GMAC_CONFIG_MII_SPEED BIT(5) + #define MVNETA_GMAC_CONFIG_GMII_SPEED BIT(6) ++#define MVNETA_GMAC_AN_SPEED_EN BIT(7) + #define MVNETA_GMAC_CONFIG_FULL_DUPLEX BIT(12) ++#define MVNETA_GMAC_AN_DUPLEX_EN BIT(13) + #define MVNETA_MIB_COUNTERS_BASE 0x3080 + #define MVNETA_MIB_LATE_COLLISION 0x7c + #define MVNETA_DA_FILT_SPEC_MCAST 0x3400 +@@ -911,6 +913,13 @@ static void mvneta_defaults_set(struct m + /* Assign port SDMA configuration */ + mvreg_write(pp, MVNETA_SDMA_CONFIG, val); + ++ /* Disable PHY polling in hardware, since we're using the ++ * kernel phylib to do this. ++ */ ++ val = mvreg_read(pp, MVNETA_UNIT_CONTROL); ++ val &= ~MVNETA_PHY_POLLING_ENABLE; ++ mvreg_write(pp, MVNETA_UNIT_CONTROL, val); ++ + mvneta_set_ucast_table(pp, -1); + mvneta_set_special_mcast_table(pp, -1); + mvneta_set_other_mcast_table(pp, -1); +@@ -2288,7 +2297,9 @@ static void mvneta_adjust_link(struct ne + val = mvreg_read(pp, MVNETA_GMAC_AUTONEG_CONFIG); + val &= ~(MVNETA_GMAC_CONFIG_MII_SPEED | + MVNETA_GMAC_CONFIG_GMII_SPEED | +- MVNETA_GMAC_CONFIG_FULL_DUPLEX); ++ MVNETA_GMAC_CONFIG_FULL_DUPLEX | ++ MVNETA_GMAC_AN_SPEED_EN | ++ MVNETA_GMAC_AN_DUPLEX_EN); + + if (phydev->duplex) + val |= MVNETA_GMAC_CONFIG_FULL_DUPLEX; diff --git a/queue-3.10/net-revert-8728c544a9c-net-dev_pick_tx-fix.patch b/queue-3.10/net-revert-8728c544a9c-net-dev_pick_tx-fix.patch new file mode 100644 index 00000000000..309f299a189 --- /dev/null +++ b/queue-3.10/net-revert-8728c544a9c-net-dev_pick_tx-fix.patch 
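Review bot: The two bits added to the clear mask in `mvneta_adjust_link()` carry no comment, unlike the PHY-polling change in `mvneta_defaults_set()` from the same patch. A line above `val &= ~(...)` such as `/* also clear the AN enables so the MAC honours the speed/duplex bits set below */` would explain why enable bits sit in a mask that otherwise holds configuration bits. Both functions continue outside their hunks.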
@@ -0,0 +1,56 @@ +From e8b87e3d4dd56f2edc4fa09bc63681af9d4be0c5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 28 Aug 2013 18:10:43 -0700 +Subject: net: revert 8728c544a9c ("net: dev_pick_tx() fix") + +From: Eric Dumazet + +[ Upstream commit 702821f4ea6f68db18aa1de7d8ed62c6ba586a64 ] + +commit 8728c544a9cbdc ("net: dev_pick_tx() fix") and commit +b6fe83e9525a ("bonding: refine IFF_XMIT_DST_RELEASE capability") +are quite incompatible : Queue selection is disabled because skb +dst was dropped before entering bonding device. + +This causes major performance regression, mainly because TCP packets +for a given flow can be sent to multiple queues. + +This is particularly visible when using the new FQ packet scheduler +with MQ + FQ setup on the slaves. + +We can safely revert the first commit now that 416186fbf8c5b +("net: Split core bits of netdev_pick_tx into __netdev_pick_tx") +properly caps the queue_index. + +Reported-by: Xi Wang +Diagnosed-by: Xi Wang +Signed-off-by: Eric Dumazet +Cc: Tom Herbert +Cc: Alexander Duyck +Cc: Denys Fedorysychenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/flow_dissector.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -345,14 +345,9 @@ u16 __netdev_pick_tx(struct net_device * + if (new_index < 0) + new_index = skb_tx_hash(dev, skb); + +- if (queue_index != new_index && sk) { +- struct dst_entry *dst = +- rcu_dereference_check(sk->sk_dst_cache, 1); +- +- if (dst && skb_dst(skb) == dst) +- sk_tx_queue_set(sk, queue_index); +- +- } ++ if (queue_index != new_index && sk && ++ rcu_access_pointer(sk->sk_dst_cache)) ++ sk_tx_queue_set(sk, queue_index); + + queue_index = new_index; + } diff --git a/queue-3.10/net-rtm_to_ifaddr-free-ifa-if-ifa_cacheinfo-processing-fails.patch b/queue-3.10/net-rtm_to_ifaddr-free-ifa-if-ifa_cacheinfo-processing-fails.patch new file mode 100644 index 00000000000..9ac60e8753d 
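Review bot: `sk_tx_queue_set(sk, queue_index)` in `__netdev_pick_tx()` runs before `queue_index = new_index;`, so inside the `queue_index != new_index` branch it caches the old index in the socket rather than the one just selected. The removed lines passed the same argument, so the revert carries the problem over rather than introducing it; the call should read `sk_tx_queue_set(sk, new_index);`. As written, later packets on the socket would appear to find the stale value and repeat the selection. The start of the function and the enclosing `if` are outside the hunk.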
--- /dev/null +++ b/queue-3.10/net-rtm_to_ifaddr-free-ifa-if-ifa_cacheinfo-processing-fails.patch @@ -0,0 +1,41 @@ +From cbb94deff5aca631a841fc87fb09d1b2263ecc99 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Fri, 2 Aug 2013 11:32:43 +0200 +Subject: net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails + +From: Daniel Borkmann + +[ Upstream commit 446266b0c742a2c9ee8f0dce759a0117bce58a86 ] + +Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa +resource that was allocated via inet_alloc_ifa() unfreed when returning +the function with -EINVAL. Thus, free it first via inet_free_ifa(). + +Signed-off-by: Daniel Borkmann +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/devinet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -771,7 +771,7 @@ static struct in_ifaddr *rtm_to_ifaddr(s + ci = nla_data(tb[IFA_CACHEINFO]); + if (!ci->ifa_valid || ci->ifa_prefered > ci->ifa_valid) { + err = -EINVAL; +- goto errout; ++ goto errout_free; + } + *pvalid_lft = ci->ifa_valid; + *pprefered_lft = ci->ifa_prefered; +@@ -779,6 +779,8 @@ static struct in_ifaddr *rtm_to_ifaddr(s + + return ifa; + ++errout_free: ++ inet_free_ifa(ifa); + errout: + return ERR_PTR(err); + } diff --git a/queue-3.10/net-usb-add-hp-hs2434-device-to-zlp-exception-table.patch b/queue-3.10/net-usb-add-hp-hs2434-device-to-zlp-exception-table.patch new file mode 100644 index 00000000000..6f2aab8fc7c --- /dev/null +++ b/queue-3.10/net-usb-add-hp-hs2434-device-to-zlp-exception-table.patch 
@@ -0,0 +1,41 @@ +From 6680134f998b56cb5e161423c1fffc185f5d912d Mon Sep 17 00:00:00 2001 +From: Rob Gardner +Date: Sun, 25 Aug 2013 16:02:23 -0600 +Subject: net: usb: Add HP hs2434 device to ZLP exception table + +From: Rob Gardner + +[ Upstream commit 03803a59e32453ee5737c6096a295f748f03cc49 ] + +This patch adds another entry (HP hs2434 Mobile Broadband) to the list +of exceptional devices that require a zero length packet in order to +function properly. This list was added in commit 844e88f0. The hs2434 +is manufactured by Sierra Wireless, who also produces the MC7710, +which the ZLP exception list was created for in the first place. So +hopefully it is just this one producer's devices that will need this +workaround. + +Tested on a DM1-4310NR HP notebook, which does not function without this +change. + +Signed-off-by: Rob Gardner +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_mbim.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -400,6 +400,10 @@ static const struct usb_device_id mbim_d + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68a2, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, + }, ++ /* HP hs2434 Mobile Broadband Module needs ZLPs */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x3f0, 0x4b1d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_zlp, ++ }, + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info, + }, diff --git a/queue-3.10/net_sched-restore-linklayer-atm-handling.patch b/queue-3.10/net_sched-restore-linklayer-atm-handling.patch new file mode 100644 index 00000000000..280bf54b268 --- /dev/null +++ b/queue-3.10/net_sched-restore-linklayer-atm-handling.patch 
@@ -0,0 +1,194 @@ +From 075da85c2f8f1c0f07f321bdbec4f66b1b2553de Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Wed, 14 Aug 2013 23:47:11 +0200 +Subject: net_sched: restore "linklayer atm" handling + +From: Jesper Dangaard Brouer + +[ Upstream commit 8a8e3d84b1719a56f9151909e80ea6ebc5b8e318 ] + +commit 56b765b79 ("htb: improved accuracy at high rates") +broke the "linklayer atm" handling. + + tc class add ... htb rate X ceil Y linklayer atm + +The linklayer setting is implemented by modifying the rate table +which is send to the kernel. No direct parameter were +transferred to the kernel indicating the linklayer setting. + +The commit 56b765b79 ("htb: improved accuracy at high rates") +removed the use of the rate table system. + +To keep compatible with older iproute2 utils, this patch detects +the linklayer by parsing the rate table. It also supports future +versions of iproute2 to send this linklayer parameter to the +kernel directly. This is done by using the __reserved field in +struct tc_ratespec, to convey the choosen linklayer option, but +only using the lower 4 bits of this field. + +Linklayer detection is limited to speeds below 100Mbit/s, because +at high rates the rtab is gets too inaccurate, so bad that +several fields contain the same values, this resembling the ATM +detect. Fields even start to contain "0" time to send, e.g. at +1000Mbit/s sending a 96 bytes packet cost "0", thus the rtab have +been more broken than we first realized. + +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sch_generic.h | 9 ++++++++- + include/uapi/linux/pkt_sched.h | 10 +++++++++- + net/sched/sch_api.c | 41 +++++++++++++++++++++++++++++++++++++++++ + net/sched/sch_generic.c | 1 + + net/sched/sch_htb.c | 13 +++++++++++++ + 5 files changed, 72 insertions(+), 2 deletions(-) + +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -682,13 +682,19 @@ struct psched_ratecfg { + u64 rate_bps; + u32 mult; + u16 overhead; ++ u8 linklayer; + u8 shift; + }; + + static inline u64 psched_l2t_ns(const struct psched_ratecfg *r, + unsigned int len) + { +- return ((u64)(len + r->overhead) * r->mult) >> r->shift; ++ len += r->overhead; ++ ++ if (unlikely(r->linklayer == TC_LINKLAYER_ATM)) ++ return ((u64)(DIV_ROUND_UP(len,48)*53) * r->mult) >> r->shift; ++ ++ return ((u64)len * r->mult) >> r->shift; + } + + extern void psched_ratecfg_precompute(struct psched_ratecfg *r, const struct tc_ratespec *conf); +@@ -699,6 +705,7 @@ static inline void psched_ratecfg_getrat + memset(res, 0, sizeof(*res)); + res->rate = r->rate_bps >> 3; + res->overhead = r->overhead; ++ res->linklayer = (r->linklayer & TC_LINKLAYER_MASK); + } + + #endif +--- a/include/uapi/linux/pkt_sched.h ++++ b/include/uapi/linux/pkt_sched.h +@@ -73,9 +73,17 @@ struct tc_estimator { + #define TC_H_ROOT (0xFFFFFFFFU) + #define TC_H_INGRESS (0xFFFFFFF1U) + ++/* Need to corrospond to iproute2 tc/tc_core.h "enum link_layer" */ ++enum tc_link_layer { ++ TC_LINKLAYER_UNAWARE, /* Indicate unaware old iproute2 util */ ++ TC_LINKLAYER_ETHERNET, ++ TC_LINKLAYER_ATM, ++}; ++#define TC_LINKLAYER_MASK 0x0F /* limit use to lower 4 bits */ ++ + struct tc_ratespec { + unsigned char cell_log; +- unsigned char __reserved; ++ __u8 linklayer; /* lower 4 bits */ + unsigned short overhead; + short cell_align; + unsigned short mpu; +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -285,6 +285,45 @@ static struct Qdisc_ops *qdisc_lookup_op + return q; + } + ++/* The 
linklayer setting were not transferred from iproute2, in older ++ * versions, and the rate tables lookup systems have been dropped in ++ * the kernel. To keep backward compatible with older iproute2 tc ++ * utils, we detect the linklayer setting by detecting if the rate ++ * table were modified. ++ * ++ * For linklayer ATM table entries, the rate table will be aligned to ++ * 48 bytes, thus some table entries will contain the same value. The ++ * mpu (min packet unit) is also encoded into the old rate table, thus ++ * starting from the mpu, we find low and high table entries for ++ * mapping this cell. If these entries contain the same value, when ++ * the rate tables have been modified for linklayer ATM. ++ * ++ * This is done by rounding mpu to the nearest 48 bytes cell/entry, ++ * and then roundup to the next cell, calc the table entry one below, ++ * and compare. ++ */ ++static __u8 __detect_linklayer(struct tc_ratespec *r, __u32 *rtab) ++{ ++ int low = roundup(r->mpu, 48); ++ int high = roundup(low+1, 48); ++ int cell_low = low >> r->cell_log; ++ int cell_high = (high >> r->cell_log) - 1; ++ ++ /* rtab is too inaccurate at rates > 100Mbit/s */ ++ if ((r->rate > (100000000/8)) || (rtab[0] == 0)) { ++ pr_debug("TC linklayer: Giving up ATM detection\n"); ++ return TC_LINKLAYER_ETHERNET; ++ } ++ ++ if ((cell_high > cell_low) && (cell_high < 256) ++ && (rtab[cell_low] == rtab[cell_high])) { ++ pr_debug("TC linklayer: Detected ATM, low(%d)=high(%d)=%u\n", ++ cell_low, cell_high, rtab[cell_high]); ++ return TC_LINKLAYER_ATM; ++ } ++ return TC_LINKLAYER_ETHERNET; ++} ++ + static struct qdisc_rate_table *qdisc_rtab_list; + + struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *tab) +@@ -308,6 +347,8 @@ struct qdisc_rate_table *qdisc_get_rtab( + rtab->rate = *r; + rtab->refcnt = 1; + memcpy(rtab->data, nla_data(tab), 1024); ++ if (r->linklayer == TC_LINKLAYER_UNAWARE) ++ r->linklayer = __detect_linklayer(r, rtab->data); + rtab->next = 
qdisc_rtab_list; + qdisc_rtab_list = rtab; + } +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -908,6 +908,7 @@ void psched_ratecfg_precompute(struct ps + memset(r, 0, sizeof(*r)); + r->overhead = conf->overhead; + r->rate_bps = (u64)conf->rate << 3; ++ r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK); + r->mult = 1; + /* + * Calibrate mult, shift so that token counting is accurate +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -1312,6 +1312,7 @@ static int htb_change_class(struct Qdisc + struct htb_sched *q = qdisc_priv(sch); + struct htb_class *cl = (struct htb_class *)*arg, *parent; + struct nlattr *opt = tca[TCA_OPTIONS]; ++ struct qdisc_rate_table *rtab = NULL, *ctab = NULL; + struct nlattr *tb[TCA_HTB_MAX + 1]; + struct tc_htb_opt *hopt; + +@@ -1333,6 +1334,18 @@ static int htb_change_class(struct Qdisc + if (!hopt->rate.rate || !hopt->ceil.rate) + goto failure; + ++ /* Keeping backward compatible with rate_table based iproute2 tc */ ++ if (hopt->rate.linklayer == TC_LINKLAYER_UNAWARE) { ++ rtab = qdisc_get_rtab(&hopt->rate, tb[TCA_HTB_RTAB]); ++ if (rtab) ++ qdisc_put_rtab(rtab); ++ } ++ if (hopt->ceil.linklayer == TC_LINKLAYER_UNAWARE) { ++ ctab = qdisc_get_rtab(&hopt->ceil, tb[TCA_HTB_CTAB]); ++ if (ctab) ++ qdisc_put_rtab(ctab); ++ } ++ + if (!cl) { /* new class */ + struct Qdisc *new_q; + int prio; diff --git a/queue-3.10/packet-restore-packet-statistics-tp_packets-to-include-drops.patch b/queue-3.10/packet-restore-packet-statistics-tp_packets-to-include-drops.patch new file mode 100644 index 00000000000..a8bda71d2d0 --- /dev/null +++ b/queue-3.10/packet-restore-packet-statistics-tp_packets-to-include-drops.patch 
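Review bot: In `__detect_linklayer()` the initialisers `low >> r->cell_log` and `high >> r->cell_log` shift an `int` by `cell_log` before any bound on it is checked. `cell_log` is an `unsigned char` in the uapi `struct tc_ratespec`, so a value of 32 or more makes the shift undefined. The later `cell_high < 256` test bounds the table index, not the shift count. Unless `qdisc_get_rtab()` already rejects such values in the part of its body outside this hunk, the function should bail out before shifting. Returning `TC_LINKLAYER_ETHERNET` keeps the existing fallback, though rejecting the request in the caller may be the better policy.

```c
static __u8 __detect_linklayer(struct tc_ratespec *r, __u32 *rtab)
{
	int low = roundup(r->mpu, 48);
	int high = roundup(low+1, 48);
	int cell_low, cell_high;

	/* cell_log comes from the ratespec; a shift count >= 32 is undefined for int */
	if (r->cell_log >= 32)
		return TC_LINKLAYER_ETHERNET;

	cell_low = low >> r->cell_log;
	cell_high = (high >> r->cell_log) - 1;

	/* … unchanged: 100Mbit/s cut-off and rtab[cell_low] == rtab[cell_high] comparison … */
```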
@@ -0,0 +1,40 @@ +From 9f9b9300265933297ff1141e621ddddc2c6bad0b Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Mon, 19 Aug 2013 16:40:22 -0400 +Subject: packet: restore packet statistics tp_packets to include drops + +From: Willem de Bruijn + +[ Upstream commit 8bcdeaff5ed544704a9a691d4aef0adb3f9c5b8f ] + +getsockopt PACKET_STATISTICS returns tp_packets + tp_drops. Commit +ee80fbf301 ("packet: account statistics only in tpacket_stats_u") +cleaned up the getsockopt PACKET_STATISTICS code. +This also changed semantics. Historically, tp_packets included +tp_drops on return. The commit removed the line that adds tp_drops +into tp_packets. + +This patch reinstates the old semantics. + +Signed-off-by: Willem de Bruijn +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3259,9 +3259,11 @@ static int packet_getsockopt(struct sock + + if (po->tp_version == TPACKET_V3) { + lv = sizeof(struct tpacket_stats_v3); ++ st.stats3.tp_packets += st.stats3.tp_drops; + data = &st.stats3; + } else { + lv = sizeof(struct tpacket_stats); ++ st.stats1.tp_packets += st.stats1.tp_drops; + data = &st.stats1; + } + diff --git a/queue-3.10/rtnetlink-fix-inverted-check-in-ndo_dflt_fdb_del.patch b/queue-3.10/rtnetlink-fix-inverted-check-in-ndo_dflt_fdb_del.patch new file mode 100644 index 00000000000..9b0852136e3 --- /dev/null +++ b/queue-3.10/rtnetlink-fix-inverted-check-in-ndo_dflt_fdb_del.patch 
@@ -0,0 +1,29 @@ +From c83a5ded2a11c17792031f671b8c018e45b69256 Mon Sep 17 00:00:00 2001 +From: Sridhar Samudrala +Date: Thu, 8 Aug 2013 15:19:48 -0700 +Subject: rtnetlink: Fix inverted check in ndo_dflt_fdb_del() + +From: Sridhar Samudrala + +[ Upstream commit 645359930231d5e78fd3296a38b98c1a658a7ade ] + +Fix inverted check when deleting an fdb entry. + +Signed-off-by: Sridhar Samudrala +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2142,7 +2142,7 @@ int ndo_dflt_fdb_del(struct ndmsg *ndm, + /* If aging addresses are supported device will need to + * implement its own handler for this. + */ +- if (ndm->ndm_state & NUD_PERMANENT) { ++ if (!(ndm->ndm_state & NUD_PERMANENT)) { + pr_info("%s: FDB only supports static addresses\n", dev->name); + return -EINVAL; + } diff --git a/queue-3.10/rtnetlink-rtnl_bridge_getlink-call-nlmsg_find_attr-with-ifinfomsg-header.patch b/queue-3.10/rtnetlink-rtnl_bridge_getlink-call-nlmsg_find_attr-with-ifinfomsg-header.patch new file mode 100644 index 00000000000..08cd197058d --- /dev/null +++ b/queue-3.10/rtnetlink-rtnl_bridge_getlink-call-nlmsg_find_attr-with-ifinfomsg-header.patch 
@@ -0,0 +1,70 @@ +From 74b9168e6ddc870a7be40c756422a350c3fa8efe Mon Sep 17 00:00:00 2001 +From: Asbjoern Sloth Toennesen +Date: Mon, 12 Aug 2013 16:30:09 +0000 +Subject: rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header + +From: Asbjoern Sloth Toennesen + +[ Upstream commit 3e805ad288c524bb65aad3f1e004402223d3d504 ] + +Fix the iproute2 command `bridge vlan show`, after switching from +rtgenmsg to ifinfomsg. + +Let's start with a little history: + +Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in + the 3.9 merge window. + In the kernel commit 6cbdceeb, he added attribute support to + bridge GETLINK requests sent with rtgenmsg. + +Mar 6th: Vlad got this iproute2 reference implementation of the bridge + vlan netlink interface accepted (iproute2 9eff0e5c) + +Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) + http://patchwork.ozlabs.org/patch/239602/ + http://marc.info/?t=136680900700007 + +Apr 28th: Linus released 3.9 + +Apr 30th: Stephen released iproute2 3.9.0 + +The `bridge vlan show` command haven't been working since the switch to +ifinfomsg, or in a released version of iproute2. Since the kernel side +only supports rtgenmsg, which iproute2 switched away from just prior to +the iproute2 3.9.0 release. + +I haven't been able to find any documentation, about neither rtgenmsg +nor ifinfomsg, and in which situation to use which, but kernel commit +88c5b5ce seams to suggest that ifinfomsg should be used. + +Fixing this in kernel will break compatibility, but I doubt that anybody +have been using it due to this bug in the user space reference +implementation, at least not without noticing this bug. That said the +functionality is still fully functional in 3.9, when reversing iproute2 +commit 63338dca. + +This could also be fixed in iproute2, but thats an ugly patch that would +reintroduce rtgenmsg in iproute2, and from searching in netdev it seams +like rtgenmsg usage is discouraged. 
I'm assuming that the only reason +that Vlad implemented the kernel side to use rtgenmsg, was because +iproute2 was using it at the time. + +Signed-off-by: Asbjoern Sloth Toennesen +Reviewed-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2374,7 +2374,7 @@ static int rtnl_bridge_getlink(struct sk + struct nlattr *extfilt; + u32 filter_mask = 0; + +- extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg), ++ extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg), + IFLA_EXT_MASK); + if (extfilt) + filter_mask = nla_get_u32(extfilt); diff --git a/queue-3.10/series b/queue-3.10/series new file mode 100644 index 00000000000..d2d691fa6f4 --- /dev/null +++ b/queue-3.10/series 
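Review bot: `filter_mask = nla_get_u32(extfilt);` reads four bytes of attribute payload, but nothing in this hunk checks that the `IFLA_EXT_MASK` attribute returned by `nlmsg_find_attr()` is that long. The attribute comes from the dump request, so a shorter one would be read past its payload. Adding `if (nla_len(extfilt) < sizeof(filter_mask)) return -EINVAL;` before the read closes that. The switch to `sizeof(struct ifinfomsg)` also means a request carrying the old `rtgenmsg` header is parsed from a different offset, which deserves a one-line comment at the call. The body of rtnl_bridge_getlink() continues outside the hunk.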
@@ -0,0 +1,42 @@ +htb-fix-sign-extension-bug.patch +net-rtm_to_ifaddr-free-ifa-if-ifa_cacheinfo-processing-fails.patch +net-check-net.core.somaxconn-sysctl-values.patch +macvlan-validate-flags.patch +neighbour-populate-neigh_parms-on-alloc-before-calling-ndo_neigh_setup.patch +bonding-modify-only-neigh_parms-owned-by-us.patch +fib_trie-remove-potential-out-of-bound-access.patch +bridge-don-t-try-to-update-timers-in-case-of-broken-mld-queries.patch +tcp-cubic-fix-overflow-error-in-bictcp_update.patch +tcp-cubic-fix-bug-in-bictcp_acked.patch +ipv6-don-t-stop-backtracking-in-fib6_lookup_1-if-subtree-does-not-match.patch +ip_gre-fix-ipgre_header-to-return-correct-offset-mime-version-1.0.patch +8139cp-fix-skb-leak-in-rx_status_loop-failure-path.patch +rtnetlink-fix-inverted-check-in-ndo_dflt_fdb_del.patch +genl-fix-genl-dumpit-locking.patch +genl-hold-reference-on-correct-module-while-netlink-dump.patch +ip_tunnel-do-not-use-inner-ip-header-id-for-tunnel-ip-header-id.patch +rtnetlink-rtnl_bridge_getlink-call-nlmsg_find_attr-with-ifinfomsg-header.patch +tun-signedness-bug-in-tun_get_user.patch +ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +ipv6-drop-packets-with-multiple-fragmentation-headers.patch +tcp-set-timestamps-for-restored-skb-s.patch +packet-restore-packet-statistics-tp_packets-to-include-drops.patch +bridge-use-the-correct-bit-length-for-bitmap-functions-in-the-vlan-code.patch +net_sched-restore-linklayer-atm-handling.patch +sfc-fix-lookup-of-default-rx-mac-filters-when-steered-using-ethtool.patch +be2net-fix-disabling-tx-in-be_close.patch +net-usb-add-hp-hs2434-device-to-zlp-exception-table.patch +tcp-initialize-rcv_tstamp-for-restored-sockets.patch +tcp-don-t-apply-tsoffset-if-rcv_tsecr-is-zero.patch +ipv4-sendto-hdrincl-don-t-use-destination-address-found-in-header.patch +ipv6-don-t-depend-on-per-socket-memory-for-neighbour-discovery-messages.patch +tcp-tcp_make_synack-should-use-sock_wmalloc.patch 
+tipc-set-sk_err-correctly-when-connection-fails.patch +net-revert-8728c544a9c-net-dev_pick_tx-fix.patch +net-bridge-convert-mldv2-query-mrc-into-msecs_to_jiffies-for-max_delay.patch +icmpv6-treat-dest-unreachable-codes-5-and-6-as-eacces-not-eproto.patch +tg3-don-t-turn-off-led-on-5719-serdes-port-0.patch +vhost_net-poll-vhost-queue-after-marking-dma-is-done.patch +ipv6-fix-null-pointer-dereference-in-__ip6addrlbl_add.patch +net-ipv6-tcp-fix-potential-use-after-free-in-tcp_v6_do_rcv.patch +net-mvneta-properly-disable-hw-phy-polling-and-ensure-adjust_link-works.patch diff --git a/queue-3.10/sfc-fix-lookup-of-default-rx-mac-filters-when-steered-using-ethtool.patch b/queue-3.10/sfc-fix-lookup-of-default-rx-mac-filters-when-steered-using-ethtool.patch new file mode 100644 index 00000000000..1340b0e131d --- /dev/null +++ b/queue-3.10/sfc-fix-lookup-of-default-rx-mac-filters-when-steered-using-ethtool.patch 
@@ -0,0 +1,32 @@ +From 181c3a8617319d6fdae74b47d25ddf84630804d1 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 9 Jul 2013 17:12:49 +0100 +Subject: sfc: Fix lookup of default RX MAC filters when steered using ethtool + +From: Ben Hutchings + +[ Upstream commit f3851b0acc5a75bd33c6d344a2e4f920e1622ff0 ] + +commit 385904f819e3 ('sfc: Don't use +efx_filter_{build,hash,increment}() for default MAC filters') used the +wrong name to find the index of default RX MAC filters at insertion/ +update time. This could result in memory corruption and would in any +case silently fail to update the filter. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sfc/filter.c ++++ b/drivers/net/ethernet/sfc/filter.c +@@ -675,7 +675,7 @@ s32 efx_filter_insert_filter(struct efx_ + BUILD_BUG_ON(EFX_FILTER_INDEX_UC_DEF != 0); + BUILD_BUG_ON(EFX_FILTER_INDEX_MC_DEF != + EFX_FILTER_MC_DEF - EFX_FILTER_UC_DEF); +- rep_index = spec->type - EFX_FILTER_INDEX_UC_DEF; ++ rep_index = spec->type - EFX_FILTER_UC_DEF; + ins_index = rep_index; + + spin_lock_bh(&state->lock); diff --git a/queue-3.10/tcp-cubic-fix-bug-in-bictcp_acked.patch b/queue-3.10/tcp-cubic-fix-bug-in-bictcp_acked.patch new file mode 100644 index 00000000000..dca80637d5d --- /dev/null +++ b/queue-3.10/tcp-cubic-fix-bug-in-bictcp_acked.patch 
@@ -0,0 +1,46 @@ +From bae65bba1d325e521a2acbe236cbcd8bef1d0b1a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 5 Aug 2013 20:05:12 -0700 +Subject: tcp: cubic: fix bug in bictcp_acked() + +From: Eric Dumazet + +[ Upstream commit cd6b423afd3c08b27e1fed52db828ade0addbc6b ] + +While investigating about strange increase of retransmit rates +on hosts ~24 days after boot, Van found hystart was disabled +if ca->epoch_start was 0, as following condition is true +when tcp_time_stamp high order bit is set. + +(s32)(tcp_time_stamp - ca->epoch_start) < HZ + +Quoting Van : + + At initialization & after every loss ca->epoch_start is set to zero so + I believe that the above line will turn off hystart as soon as the 2^31 + bit is set in tcp_time_stamp & hystart will stay off for 24 days. + I think we've observed that cubic's restart is too aggressive without + hystart so this might account for the higher drop rate we observe. + +Diagnosed-by: Van Jacobson +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_cubic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -416,7 +416,7 @@ static void bictcp_acked(struct sock *sk + return; + + /* Discard delay samples right after fast recovery */ +- if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ) ++ if (ca->epoch_start && (s32)(tcp_time_stamp - ca->epoch_start) < HZ) + return; + + delay = (rtt_us << 3) / USEC_PER_MSEC; diff --git a/queue-3.10/tcp-cubic-fix-overflow-error-in-bictcp_update.patch b/queue-3.10/tcp-cubic-fix-overflow-error-in-bictcp_update.patch new file mode 100644 index 00000000000..791a4c10b32 --- /dev/null +++ b/queue-3.10/tcp-cubic-fix-overflow-error-in-bictcp_update.patch 
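Review bot: The new test `ca->epoch_start && ...` makes zero a sentinel for "no epoch started", but the comment above it still describes only the fast-recovery case. The commit message explains that `epoch_start` is zeroed at initialisation and after every loss; that reasoning belongs next to the code. A suitable wording is `/* Discard delay samples right after fast recovery; epoch_start == 0 means no epoch is running */`. bictcp_acked() starts and ends outside the hunk.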
@@ -0,0 +1,68 @@ +From 68e2de5cd376e7c693ac22b22c2f65ca23a1a9df Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 5 Aug 2013 17:10:15 -0700 +Subject: tcp: cubic: fix overflow error in bictcp_update() + +From: Eric Dumazet + +[ Upstream commit 2ed0edf9090bf4afa2c6fc4f38575a85a80d4b20 ] + +commit 17a6e9f1aa9 ("tcp_cubic: fix clock dependency") added an +overflow error in bictcp_update() in following code : + +/* change the unit from HZ to bictcp_HZ */ +t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3) - + ca->epoch_start) << BICTCP_HZ) / HZ; + +Because msecs_to_jiffies() being unsigned long, compiler does +implicit type promotion. + +We really want to constrain (tcp_time_stamp - ca->epoch_start) +to a signed 32bit value, or else 't' has unexpected high values. + +This bugs triggers an increase of retransmit rates ~24 days after +boot [1], as the high order bit of tcp_time_stamp flips. + +[1] for hosts with HZ=1000 + +Big thanks to Van Jacobson for spotting this problem. + +Diagnosed-by: Van Jacobson +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Yuchung Cheng +Cc: Stephen Hemminger +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_cubic.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -206,8 +206,8 @@ static u32 cubic_root(u64 a) + */ + static inline void bictcp_update(struct bictcp *ca, u32 cwnd) + { +- u64 offs; +- u32 delta, t, bic_target, max_cnt; ++ u32 delta, bic_target, max_cnt; ++ u64 offs, t; + + ca->ack_cnt++; /* count the number of ACKs */ + +@@ -250,9 +250,11 @@ static inline void bictcp_update(struct + * if the cwnd < 1 million packets !!! 
+ */ + ++ t = (s32)(tcp_time_stamp - ca->epoch_start); ++ t += msecs_to_jiffies(ca->delay_min >> 3); + /* change the unit from HZ to bictcp_HZ */ +- t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3) +- - ca->epoch_start) << BICTCP_HZ) / HZ; ++ t <<= BICTCP_HZ; ++ do_div(t, HZ); + + if (t < ca->bic_K) /* t - K */ + offs = ca->bic_K - t; diff --git a/queue-3.10/tcp-don-t-apply-tsoffset-if-rcv_tsecr-is-zero.patch b/queue-3.10/tcp-don-t-apply-tsoffset-if-rcv_tsecr-is-zero.patch new file mode 100644 index 00000000000..84c8e6e0a90 --- /dev/null +++ b/queue-3.10/tcp-don-t-apply-tsoffset-if-rcv_tsecr-is-zero.patch 
@@ -0,0 +1,66 @@ +From 240f8b76956547352e91c049eddcc8abe8320b6c Mon Sep 17 00:00:00 2001 +From: Andrew Vagin +Date: Tue, 27 Aug 2013 12:21:55 +0400 +Subject: tcp: don't apply tsoffset if rcv_tsecr is zero + +From: Andrew Vagin + +[ Upstream commit e3e12028315749b7fa2edbc37328e5847be9ede9 ] + +The zero value means that tsecr is not valid, so it's a special case. + +tsoffset is used to customize tcp_time_stamp for one socket. +tsoffset is usually zero, it's used when a socket was moved from one +host to another host. + +Currently this issue affects logic of tcp_rcv_rtt_measure_ts. Due to +incorrect value of rcv_tsecr, tcp_rcv_rtt_measure_ts sets rto to +TCP_RTO_MAX. + +Reported-by: Cyrill Gorcunov +Cc: Pavel Emelyanov +Cc: Eric Dumazet +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: James Morris +Cc: Hideaki YOSHIFUJI +Cc: Patrick McHardy +Signed-off-by: Andrey Vagin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3598,7 +3598,10 @@ static bool tcp_parse_aligned_timestamp( + ++ptr; + tp->rx_opt.rcv_tsval = ntohl(*ptr); + ++ptr; +- tp->rx_opt.rcv_tsecr = ntohl(*ptr) - tp->tsoffset; ++ if (*ptr) ++ tp->rx_opt.rcv_tsecr = ntohl(*ptr) - tp->tsoffset; ++ else ++ tp->rx_opt.rcv_tsecr = 0; + return true; + } + return false; +@@ -3623,7 +3626,7 @@ static bool tcp_fast_parse_options(const + } + + tcp_parse_options(skb, &tp->rx_opt, 1, NULL); +- if (tp->rx_opt.saw_tstamp) ++ if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) + tp->rx_opt.rcv_tsecr -= tp->tsoffset; + + return true; +@@ -5376,7 +5379,7 @@ static int tcp_rcv_synsent_state_process + int saved_clamp = tp->rx_opt.mss_clamp; + + tcp_parse_options(skb, &tp->rx_opt, 0, &foc); +- if (tp->rx_opt.saw_tstamp) ++ if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) + tp->rx_opt.rcv_tsecr -= tp->tsoffset; + + if (th->ack) { 
diff --git a/queue-3.10/tcp-initialize-rcv_tstamp-for-restored-sockets.patch b/queue-3.10/tcp-initialize-rcv_tstamp-for-restored-sockets.patch new file mode 100644 index 00000000000..d7fa1b022f2 --- /dev/null +++ b/queue-3.10/tcp-initialize-rcv_tstamp-for-restored-sockets.patch @@ -0,0 +1,46 @@ +From 1c16cb86e026c7de4f729ec77bd6461b3a6a2927 Mon Sep 17 00:00:00 2001 +From: Andrew Vagin +Date: Tue, 27 Aug 2013 12:20:40 +0400 +Subject: tcp: initialize rcv_tstamp for restored sockets + +From: Andrew Vagin + +[ Upstream commit c7781a6e3c4a9a17e144ec2db00ebfea327bd627 ] + +u32 rcv_tstamp; /* timestamp of last received ACK */ + +Its value used in tcp_retransmit_timer, which closes socket +if the last ack was received more then TCP_RTO_MAX ago. + +Currently rcv_tstamp is initialized to zero and if tcp_retransmit_timer +is called before receiving a first ack, the connection is closed. + +This patch initializes rcv_tstamp to a timestamp, when a socket was +restored. + +Reported-by: Cyrill Gorcunov +Cc: Pavel Emelyanov +Cc: Eric Dumazet +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: James Morris +Cc: Hideaki YOSHIFUJI +Cc: Patrick McHardy +Signed-off-by: Andrey Vagin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2808,6 +2808,8 @@ void tcp_connect_init(struct sock *sk) + + if (likely(!tp->repair)) + tp->rcv_nxt = 0; ++ else ++ tp->rcv_tstamp = tcp_time_stamp; + tp->rcv_wup = tp->rcv_nxt; + tp->copied_seq = tp->rcv_nxt; + diff --git a/queue-3.10/tcp-set-timestamps-for-restored-skb-s.patch b/queue-3.10/tcp-set-timestamps-for-restored-skb-s.patch new file mode 100644 index 00000000000..3df45334938 --- /dev/null +++ b/queue-3.10/tcp-set-timestamps-for-restored-skb-s.patch 
@@ -0,0 +1,46 @@ +From 00009381077ffbc9229f3fec5c462c7d6cc8ca73 Mon Sep 17 00:00:00 2001 +From: Andrey Vagin +Date: Fri, 16 Aug 2013 19:04:36 +0400 +Subject: tcp: set timestamps for restored skb-s + +From: Andrey Vagin + +[ Upstream commit 7ed5c5ae96d23da22de95e1c7a239537acd378b1 ] + +When the repair mode is turned off, the write queue seqs are +updated so that the whole queue is considered to be 'already sent. + +The "when" field must be set for such skb. It's used in tcp_rearm_rto +for example. If the "when" field isn't set, the retransmit timeout can +be calculated incorrectly and a tcp connected can stop for two minutes +(TCP_RTO_MAX). + +Acked-by: Pavel Emelyanov +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: James Morris +Cc: Hideaki YOSHIFUJI +Cc: Patrick McHardy +Signed-off-by: Andrey Vagin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1118,6 +1118,13 @@ new_segment: + goto wait_for_memory; + + /* ++ * All packets are restored as if they have ++ * already been sent. ++ */ ++ if (tp->repair) ++ TCP_SKB_CB(skb)->when = tcp_time_stamp; ++ ++ /* + * Check whether we can use HW checksum. + */ + if (sk->sk_route_caps & NETIF_F_ALL_CSUM) diff --git a/queue-3.10/tcp-tcp_make_synack-should-use-sock_wmalloc.patch b/queue-3.10/tcp-tcp_make_synack-should-use-sock_wmalloc.patch new file mode 100644 index 00000000000..fb31f65ffad --- /dev/null +++ b/queue-3.10/tcp-tcp_make_synack-should-use-sock_wmalloc.patch 
@@ -0,0 +1,35 @@ +From aa038fcce1e8a0940cff6251696b1384b7635951 Mon Sep 17 00:00:00 2001 +From: Phil Oester +Date: Tue, 27 Aug 2013 16:41:40 -0700 +Subject: tcp: tcp_make_synack() should use sock_wmalloc + +From: Phil Oester + +[ Upstream commit eb8895debe1baba41fcb62c78a16f0c63c21662a ] + +In commit 90ba9b19 (tcp: tcp_make_synack() can use alloc_skb()), Eric changed +the call to sock_wmalloc in tcp_make_synack to alloc_skb. In doing so, +the netfilter owner match lost its ability to block the SYNACK packet on +outbound listening sockets. Revert the change, restoring the owner match +functionality. + +This closes netfilter bugzilla #847. + +Signed-off-by: Phil Oester +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2664,7 +2664,7 @@ struct sk_buff *tcp_make_synack(struct s + int tcp_header_size; + int mss; + +- skb = alloc_skb(MAX_TCP_HEADER + 15, sk_gfp_atomic(sk, GFP_ATOMIC)); ++ skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC); + if (unlikely(!skb)) { + dst_release(dst); + return NULL; diff --git a/queue-3.10/tg3-don-t-turn-off-led-on-5719-serdes-port-0.patch b/queue-3.10/tg3-don-t-turn-off-led-on-5719-serdes-port-0.patch new file mode 100644 index 00000000000..15f2789c84a --- /dev/null +++ b/queue-3.10/tg3-don-t-turn-off-led-on-5719-serdes-port-0.patch 
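Review bot: The replacement call passes plain `GFP_ATOMIC` where the removed line passed `sk_gfp_atomic(sk, GFP_ATOMIC)`, so the revert also changes the allocation flags, which the commit message does not mention. If the per-socket flags are still wanted, `skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, sk_gfp_atomic(sk, GFP_ATOMIC));` keeps them while restoring socket ownership of the skb for the netfilter owner match. The third argument `1` appears to force the allocation regardless of the send-buffer limit, and each SYNACK is then accounted to `sk`, so a short comment saying why that is acceptable would help. tcp_make_synack() starts and ends outside the hunk.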
@@ -0,0 +1,56 @@ +From fb9a93765565162903285b69eb5a5f118fe8dded Mon Sep 17 00:00:00 2001 +From: Nithin Sujir +Date: Fri, 30 Aug 2013 17:01:36 -0700 +Subject: tg3: Don't turn off led on 5719 serdes port 0 + +From: Nithin Sujir + +[ Upstream commit 989038e217e94161862a959e82f9a1ecf8dda152 ] + +Turning off led on port 0 of the 5719 serdes causes all other ports to +lose power and stop functioning. Add tg3_phy_led_bug() function to check +for this condition. We use a switch() in tg3_phy_led_bug() for +consistency with the tg3_phy_power_bug() function. + +Signed-off-by: Nithin Nayak Sujir +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -3003,6 +3003,19 @@ static bool tg3_phy_power_bug(struct tg3 + return false; + } + ++static bool tg3_phy_led_bug(struct tg3 *tp) ++{ ++ switch (tg3_asic_rev(tp)) { ++ case ASIC_REV_5719: ++ if ((tp->phy_flags & TG3_PHYFLG_MII_SERDES) && ++ !tp->pci_fn) ++ return true; ++ return false; ++ } ++ ++ return false; ++} ++ + static void tg3_power_down_phy(struct tg3 *tp, bool do_low_power) + { + u32 val; +@@ -3050,8 +3063,9 @@ static void tg3_power_down_phy(struct tg + } + return; + } else if (do_low_power) { +- tg3_writephy(tp, MII_TG3_EXT_CTRL, +- MII_TG3_EXT_CTRL_FORCE_LED_OFF); ++ if (!tg3_phy_led_bug(tp)) ++ tg3_writephy(tp, MII_TG3_EXT_CTRL, ++ MII_TG3_EXT_CTRL_FORCE_LED_OFF); + + val = MII_TG3_AUXCTL_PCTL_100TX_LPWR | + MII_TG3_AUXCTL_PCTL_SPR_ISOLATE | diff --git a/queue-3.10/tipc-set-sk_err-correctly-when-connection-fails.patch b/queue-3.10/tipc-set-sk_err-correctly-when-connection-fails.patch new file mode 100644 index 00000000000..d393a15e512 --- /dev/null +++ b/queue-3.10/tipc-set-sk_err-correctly-when-connection-fails.patch 
@@ -0,0 +1,50 @@ +From 294ee95e91fc3e4d3f314865c084971024cbb0e4 Mon Sep 17 00:00:00 2001 +From: Erik Hugne +Date: Wed, 28 Aug 2013 09:29:58 +0200 +Subject: tipc: set sk_err correctly when connection fails + +From: Erik Hugne + +[ Upstream commit 2c8d85182348021fc0a1bed193a4be4161dc8364 ] + +Should a connect fail, if the publication/server is unavailable or +due to some other error, a positive value will be returned and errno +is never set. If the application code checks for an explicit zero +return from connect (success) or a negative return (failure), it +will not catch the error and subsequent send() calls will fail as +shown from the strace snippet below. + +socket(0x1e /* PF_??? */, SOCK_SEQPACKET, 0) = 3 +connect(3, {sa_family=0x1e /* AF_??? */, sa_data="\2\1\322\4\0\0\322\4\0\0\0\0\0\0"}, 16) = 111 +sendto(3, "test", 4, 0, NULL, 0) = -1 EPIPE (Broken pipe) + +The reason for this behaviour is that TIPC wrongly inverts error +codes set in sk_err. + +Signed-off-by: Erik Hugne +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1179,7 +1179,7 @@ static u32 filter_connect(struct tipc_so + /* Accept only ACK or NACK message */ + if (unlikely(msg_errcode(msg))) { + sock->state = SS_DISCONNECTING; +- sk->sk_err = -ECONNREFUSED; ++ sk->sk_err = ECONNREFUSED; + retval = TIPC_OK; + break; + } +@@ -1190,7 +1190,7 @@ static u32 filter_connect(struct tipc_so + res = auto_connect(sock, msg); + if (res) { + sock->state = SS_DISCONNECTING; +- sk->sk_err = res; ++ sk->sk_err = -res; + retval = TIPC_OK; + break; + } diff --git a/queue-3.10/tun-signedness-bug-in-tun_get_user.patch b/queue-3.10/tun-signedness-bug-in-tun_get_user.patch new file mode 100644 index 00000000000..661f974d8df --- /dev/null +++ b/queue-3.10/tun-signedness-bug-in-tun_get_user.patch 
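Review bot: The two assignments in `filter_connect()` now rely on opposite sign conventions: `sk->sk_err = ECONNREFUSED;` stores a positive errno, while `sk->sk_err = -res;` is only correct if `auto_connect()` returns zero or a negative errno. Nothing in this hunk shows that convention. A comment at the second site would stop the sign being flipped again, for example `/* sk_err holds a positive errno; auto_connect() returns a negative one (confirm) */`. filter_connect() starts and ends outside the hunk.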
@@ -0,0 +1,46 @@
+From 15b1ef892c05aea9e36984bd2a411a809b144186 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 15 Aug 2013 15:52:57 +0300
+Subject: tun: signedness bug in tun_get_user()
+
+From: Dan Carpenter
+
+[ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ]
+
+The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
+not totally correct. Because "len" and "sizeof()" are size_t type, that
+means they are never less than zero.
+
+Signed-off-by: Dan Carpenter
+Acked-by: Michael S. Tsirkin
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1076,8 +1076,9 @@ static ssize_t tun_get_user(struct tun_s
+ u32 rxhash;
+
+ if (!(tun->flags & TUN_NO_PI)) {
+- if ((len -= sizeof(pi)) > total_len)
++ if (len < sizeof(pi))
+ return -EINVAL;
++ len -= sizeof(pi);
+
+ if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
+ return -EFAULT;
+@@ -1085,8 +1086,9 @@ static ssize_t tun_get_user(struct tun_s
+ }
+
+ if (tun->flags & TUN_VNET_HDR) {
+- if ((len -= tun->vnet_hdr_sz) > total_len)
++ if (len < tun->vnet_hdr_sz)
+ return -EINVAL;
++ len -= tun->vnet_hdr_sz;
+
+ if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
+ return -EFAULT;
diff --git a/queue-3.10/vhost_net-poll-vhost-queue-after-marking-dma-is-done.patch b/queue-3.10/vhost_net-poll-vhost-queue-after-marking-dma-is-done.patch
new file mode 100644
index 00000000000..e13d5095d7b
--- /dev/null
+++ b/queue-3.10/vhost_net-poll-vhost-queue-after-marking-dma-is-done.patch
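Review bot: In the TUN_VNET_HDR branch `tun->vnet_hdr_sz` is read twice, once in `if (len < tun->vnet_hdr_sz)` and again in `len -= tun->vnet_hdr_sz;`, so the value subtracted is not guaranteed to be the value that was checked. If the field can change concurrently (for example through an ioctl on another thread, which this hunk does not show), the unsigned `len` can still wrap, and the length check would no longer bound the later copies. Reading it once into a local closes that window: `size_t hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);` followed by `if (len < hdr_sz)` and `len -= hdr_sz;`. The `sizeof(pi)` branch is unaffected because that size is a constant. tun_get_user() starts and ends outside the hunk.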
@@ -0,0 +1,45 @@
+From d0fc38475bf219aebcd5cbbc4d6b58df1ac866bb Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 2 Sep 2013 16:41:00 +0800
+Subject: vhost_net: poll vhost queue after marking DMA is done
+
+From: Jason Wang
+
+[ Upstream commit 19c73b3e08d16ee923f3962df4abf6205127896a ]
+
+We used to poll vhost queue before making DMA is done, this is racy if vhost
+thread were waked up before marking DMA is done which can result the signal to
+be missed. Fix this by always polling the vhost thread before DMA is done.
+
+Signed-off-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/net.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -307,6 +307,11 @@ static void vhost_zerocopy_callback(stru
+ struct vhost_virtqueue *vq = ubufs->vq;
+ int cnt = atomic_read(&ubufs->kref.refcount);
+
++ /* set len to mark this desc buffers done DMA */
++ vq->heads[ubuf->desc].len = success ?
++ VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
++ vhost_net_ubuf_put(ubufs);
++
+ /*
+ * Trigger polling thread if guest stopped submitting new buffers:
+ * in this case, the refcount after decrement will eventually reach 1
+@@ -317,10 +322,6 @@ static void vhost_zerocopy_callback(stru
+ */
+ if (cnt <= 2 || !(cnt % 16))
+ vhost_poll_queue(&vq->poll);
+- /* set len to mark this desc buffers done DMA */
+- vq->heads[ubuf->desc].len = success ?
+- VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
+- vhost_net_ubuf_put(ubufs);
+ }
+
+/* Expects to be always run from workqueue - which acts as
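Review bot: After the reorder, `vhost_net_ubuf_put(ubufs)` runs before `vhost_poll_queue(&vq->poll)`, so the callback still dereferences `vq` after it has dropped its own reference. If that put can release the last reference and let a waiting flush or teardown path proceed (not visible in this hunk), `vq` needs some other guarantee of staying valid until the callback returns. I would confirm what provides that guarantee and state it at the call, e.g. `/* vq is still valid after the put because <lifetime guarantee> */`. Separately, the last sentence of the commit message says the poll happens "before DMA is done", while the subject and the code do it after. vhost_zerocopy_callback() starts outside the hunk.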