From: Greg Kroah-Hartman Date: Mon, 18 Mar 2013 20:05:02 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.70~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d477130d2499c5b164dbdc2736194e2a9ed8c538;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: bridging-fix-rx_handlers-return-code.patch dcbnl-fix-various-netlink-info-leaks.patch ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch netlabel-correctly-list-all-the-static-label-mappings.patch rds-limit-the-size-allocated-by-rds_message_alloc.patch rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
---
diff --git a/queue-3.0/bridging-fix-rx_handlers-return-code.patch b/queue-3.0/bridging-fix-rx_handlers-return-code.patch
new file mode 100644
index 00000000000..89e06e74519
--- /dev/null
+++ b/queue-3.0/bridging-fix-rx_handlers-return-code.patch
@@ -0,0 +1,35 @@
+From 109c0742ca251de980968ec04d73cc74bee665b0 Mon Sep 17 00:00:00 2001
+From: Cristian Bercaru
+Date: Fri, 8 Mar 2013 07:03:38 +0000
+Subject: bridging: fix rx_handlers return code
+
+
+From: Cristian Bercaru
+
+[ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ]
+
+The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer
+counted as dropped. They are counted as successfully received by
+'netif_receive_skb'.
+
+This allows network interface drivers to correctly update their RX-OK and
+RX-DRP counters based on the result of 'netif_receive_skb'.
+
+Signed-off-by: Cristian Bercaru
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3165,6 +3165,7 @@ ncls:
+ }
+ switch (rx_handler(&skb)) {
+ case RX_HANDLER_CONSUMED:
++ ret = NET_RX_SUCCESS;
+ goto out;
+ case RX_HANDLER_ANOTHER:
+ goto another_round;
diff --git a/queue-3.0/dcbnl-fix-various-netlink-info-leaks.patch b/queue-3.0/dcbnl-fix-various-netlink-info-leaks.patch
new file mode 100644
index 00000000000..88cfbba8e44
--- /dev/null
+++ b/queue-3.0/dcbnl-fix-various-netlink-info-leaks.patch
@@ -0,0 +1,87 @@
+From 3512fe006b6a98f2138f8b7aeb1285ff5dd06402 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 9 Mar 2013 05:52:21 +0000
+Subject: dcbnl: fix various netlink info leaks
+
+
+From: Mathias Krause
+
+[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
+
+The dcb netlink interface leaks stack memory in various places:
+* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+* the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+Prevent all of the above stack info leaks by properly initializing the
+buffers/structures involved.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dcb/dcbnl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -335,6 +335,7 @@ static int dcbnl_getperm_hwaddr(struct n
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1311,6 +1312,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1318,6 +1320,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1344,6 +1347,7 @@ static int dcbnl_ieee_get(struct net_dev
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1351,6 +1355,7 @@ static int dcbnl_ieee_get(struct net_dev
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1551,6 +1556,7 @@ static int dcbnl_cee_get(struct net_devi
+ /* get peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1558,6 +1564,7 @@ static int dcbnl_cee_get(struct net_devi
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
diff --git a/queue-3.0/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch b/queue-3.0/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch
new file mode 100644
index 00000000000..e6475e5abda
--- /dev/null
+++ b/queue-3.0/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch
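Review bot: The seven added `memset()` calls in `dcbnl_getperm_hwaddr()`, `dcbnl_ieee_get()` and `dcbnl_cee_get()` carry no comment saying why they precede the driver callback, so a later cleanup could drop them as redundant initialisation. Each buffer is copied into the netlink skb with its full `sizeof`, while the commit message says no in-kernel driver fills the whole struct, so a one-line comment above the first call in each function, such as `/* drivers fill only part of this; zero it so the full-size copy to userspace carries no stack residue */`, would record the reason. `memset()` is also the right form here rather than `= { 0 }`, since it clears padding bytes as well, and the comment could say so. All three functions start and end outside the hunks, so whether other on-stack buffers in this file reach `nla_put()`/`NLA_PUT()` the same way cannot be checked from here.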
@@ -0,0 +1,40 @@
+From 0ebf982ef20c695b397ee7f39b5fdae001b4be97 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Fri, 8 Mar 2013 02:07:23 +0000
+Subject: ipv6: stop multicast forwarding to process interface scoped addresses
+
+
+From: Hannes Frederic Sowa
+
+[ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ]
+
+v2:
+a) used struct ipv6_addr_props
+
+v3:
+a) reverted changes for ipv6_addr_props
+
+v4:
+a) do not use __ipv6_addr_needs_scope_id
+
+Cc: YOSHIFUJI Hideaki
+Signed-off-by: Hannes Frederic Sowa
+Acked-by: YOSHIFUJI Hideaki
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -257,7 +257,8 @@ int ip6_mc_input(struct sk_buff *skb)
+ * IPv6 multicast router mode is now supported ;)
+ */
+ if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
+- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) &&
++ !(ipv6_addr_type(&hdr->daddr) &
++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
+ likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
+ /*
+ * Okay, we try to forward - split and duplicate
diff --git a/queue-3.0/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch b/queue-3.0/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch
new file mode 100644
index 00000000000..6546474f46e
--- /dev/null
+++ b/queue-3.0/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch
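Review bot: Neither the commit message (which holds only the v2–v4 changelog notes) nor the new condition in `ip6_mc_input()` says why `IPV6_ADDR_LOOPBACK` is tested on a multicast destination, which reads oddly without context. Going by the subject line, the flag presumably stands for interface-local multicast scope here. A comment above the test, such as `/* never forward interface-local or link-local scoped multicast off the receiving interface */`, would make the intent reviewable. `ip6_mc_input()` begins and ends outside the hunk.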
@@ -0,0 +1,41 @@
+From 837d52ce867bcd36b5b5a7a5a6008134f6593069 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault
+Date: Fri, 1 Mar 2013 05:02:02 +0000
+Subject: l2tp: Restore socket refcount when sendmsg succeeds
+
+
+From: Guillaume Nault
+
+[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
+
+The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+reference counter after successful transmissions. Any successful
+sendmsg() call from userspace will then increase the reference counter
+forever, thus preventing the kernel's session and tunnel data from
+being freed later on.
+
+The problem only happens when writing directly on L2TP sockets.
+PPP sockets attached to L2TP are unaffected as the PPP subsystem
+uses pppol2tp_xmit() which symmetrically increase/decrease reference
+counters.
+
+This patch adds the missing call to sock_put() before returning from
+pppol2tp_sendmsg().
+
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
diff --git a/queue-3.0/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch b/queue-3.0/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch
new file mode 100644
index 00000000000..72cde77f3fc
--- /dev/null
+++ b/queue-3.0/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch
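Review bot: The added `sock_put(sk)` in `pppol2tp_sendmsg()` has no visible counterpart in the hunk, so the pairing this fix depends on stays implicit. An unbalanced put is as harmful as the leak being fixed, because an extra drop can free the socket while it is still in use. I would therefore mark both releases with a comment such as `/* drop the references taken on the tunnel socket and on sk earlier in this function */`. The function starts and ends outside the hunk, so the hold sites and the error paths, which should release `sk` exactly once as well, cannot be checked here.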
@@ -0,0 +1,37 @@
+From cc8c6413dcdfdd20ddbeca2ddac9ebe2d6dcd8b6 Mon Sep 17 00:00:00 2001
+From: Lorenzo Colitti
+Date: Sun, 3 Mar 2013 20:46:46 +0000
+Subject: net: ipv6: Don't purge default router if accept_ra=2
+
+
+From: Lorenzo Colitti
+
+[ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ]
+
+Setting net.ipv6.conf..accept_ra=2 causes the kernel
+to accept RAs even when forwarding is enabled. However, enabling
+forwarding purges all default routes on the system, breaking
+connectivity until the next RA is received. Fix this by not
+purging default routes on interfaces that have accept_ra=2.
+
+Signed-off-by: Lorenzo Colitti
+Acked-by: YOSHIFUJI Hideaki
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1885,7 +1885,8 @@ void rt6_purge_dflt_routers(struct net *
+ restart:
+ read_lock_bh(&table->tb6_lock);
+ for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) {
+- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) {
++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) &&
++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) {
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+ ip6_del_rt(rt);
diff --git a/queue-3.0/netlabel-correctly-list-all-the-static-label-mappings.patch b/queue-3.0/netlabel-correctly-list-all-the-static-label-mappings.patch
new file mode 100644
index 00000000000..86ba7967bb2
--- /dev/null
+++ b/queue-3.0/netlabel-correctly-list-all-the-static-label-mappings.patch
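Review bot: The new test in `rt6_purge_dflt_routers()` compares `cnf.accept_ra` with a bare `2` and leaves the `&` expression unparenthesised next to `&&`, which is correct by precedence but easy to misread. I would write the first line as `if ((rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) &&` and add `/* accept_ra == 2: RAs are accepted even with forwarding enabled, so keep these routes */` above it. A route with no `rt6i_idev` is still purged, which looks intended but is not stated anywhere. The function continues outside the hunk.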
@@ -0,0 +1,111 @@
+From 2ea671cf7599777ad4145c5a5b0b2efa84641932 Mon Sep 17 00:00:00 2001
+From: Paul Moore
+Date: Wed, 6 Mar 2013 11:45:24 +0000
+Subject: netlabel: correctly list all the static label mappings
+
+
+From: Paul Moore
+
+[ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and
+ a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ]
+
+When we have a large number of static label mappings that spill across
+the netlink message boundary we fail to properly save our state in the
+netlink_callback struct which causes us to repeat the same listings.
+This patch fixes this problem by saving the state correctly between
+calls to the NetLabel static label netlink "dumpit" routines.
+
+Signed-off-by: Paul Moore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlabel/netlabel_unlabeled.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1192,8 +1192,6 @@ static int netlbl_unlabel_staticlist(str
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ u32 skip_bkt = cb->args[0];
+ u32 skip_chain = cb->args[1];
+- u32 skip_addr4 = cb->args[2];
+- u32 skip_addr6 = cb->args[3];
+ u32 iter_bkt;
+ u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_unlhsh_iface *iface;
+@@ -1218,7 +1216,7 @@ static int netlbl_unlabel_staticlist(str
+ continue;
+ netlbl_af4list_foreach_rcu(addr4,
+ &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[2])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1234,7 +1232,7 @@ static int netlbl_unlabel_staticlist(str
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ netlbl_af6list_foreach_rcu(addr6,
+ &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[3])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1253,10 +1251,10 @@ static int netlbl_unlabel_staticlist(str
+
+ unlabel_staticlist_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_bkt;
+- cb->args[1] = skip_chain;
+- cb->args[2] = skip_addr4;
+- cb->args[3] = skip_addr6;
++ cb->args[0] = iter_bkt;
++ cb->args[1] = iter_chain;
++ cb->args[2] = iter_addr4;
++ cb->args[3] = iter_addr6;
+ return skb->len;
+ }
+
+@@ -1276,12 +1274,9 @@ static int netlbl_unlabel_staticlistdef(
+ {
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ struct netlbl_unlhsh_iface *iface;
+- u32 skip_addr4 = cb->args[0];
+- u32 skip_addr6 = cb->args[1];
+- u32 iter_addr4 = 0;
++ u32 iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_af4list *addr4;
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+- u32 iter_addr6 = 0;
+ struct netlbl_af6list *addr6;
+ #endif
+
+@@ -1295,7 +1290,7 @@ static int netlbl_unlabel_staticlistdef(
+ goto unlabel_staticlistdef_return;
+
+ netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[0])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1308,7 +1303,7 @@ static int netlbl_unlabel_staticlistdef(
+ }
+ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[1])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1323,8 +1318,8 @@ static int netlbl_unlabel_staticlistdef(
+
+ unlabel_staticlistdef_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_addr4;
+- cb->args[1] = skip_addr6;
++ cb->args[0] = iter_addr4;
++ cb->args[1] = iter_addr6;
+ return skb->len;
+ }
+
diff --git a/queue-3.0/rds-limit-the-size-allocated-by-rds_message_alloc.patch b/queue-3.0/rds-limit-the-size-allocated-by-rds_message_alloc.patch
new file mode 100644
index 00000000000..098db0a45e0
--- /dev/null
+++ b/queue-3.0/rds-limit-the-size-allocated-by-rds_message_alloc.patch
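Review bot: After this change `netlbl_unlabel_staticlist()` still snapshots `cb->args[0]` and `cb->args[1]` into `skip_bkt`/`skip_chain` but reads the address positions straight from `cb->args[2]` and `cb->args[3]` inside the loops, and nothing documents what each slot holds. A comment at the `unlabel_staticlist_return:` label, such as `/* resume state for the next dumpit call: [0] bucket, [1] chain entry, [2] IPv4 entry, [3] IPv6 entry */`, would make the resume protocol checkable. `netlbl_unlabel_staticlistdef()` needs the two-slot equivalent. The hunks do not show where the saved address offsets are cleared once the walk moves past the interface it stopped on. If that does not happen in the unseen parts of the loops, entries on later interfaces could be skipped, so it is worth confirming.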
@@ -0,0 +1,71 @@
+From ff4f58c0f8a86a1d38fff9499632f4c618470741 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+
+From: Cong Wang
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [] warn_slowpath_common+0x75/0xa0
+ [] warn_slowpath_null+0x1a/0x20
+ [] __alloc_pages_nodemask+0xa0d/0xbe0
+ [] ? native_sched_clock+0x26/0x90
+ [] ? trace_hardirqs_off_caller+0x28/0xc0
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] alloc_pages_current+0xb8/0x180
+ [] __get_free_pages+0x2a/0x80
+ [] kmalloc_order_trace+0x3e/0x1a0
+ [] __kmalloc+0x2f5/0x3a0
+ [] ? local_bh_enable_ip+0x7c/0xf0
+ [] rds_message_alloc+0x23/0xb0 [rds]
+ [] rds_sendmsg+0x2b1/0x990 [rds]
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] sock_sendmsg+0xb0/0xe0
+ [] ? get_lock_stats+0x22/0x70
+ [] ? put_lock_stats.isra.23+0xe/0x40
+ [] sys_sendto+0x130/0x180
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] ? _raw_spin_unlock_irq+0x3b/0x60
+ [] ? sysret_check+0x1b/0x56
+ [] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones
+Cc: Dave Jones
+Cc: David S. Miller
+Cc: Venkat Venkatsubra
+Signed-off-by: Cong Wang
+Acked-by: Venkat Venkatsubra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -196,6 +196,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
diff --git a/queue-3.0/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch b/queue-3.0/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
new file mode 100644
index 00000000000..7161b64b586
--- /dev/null
+++ b/queue-3.0/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
@@ -0,0 +1,33 @@
+From 47e13bb5773197bef46b59e359e5281de3672d57 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -963,6 +963,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ struct ifla_vf_mac vf_mac;
+ struct ifla_vf_vlan vf_vlan;
+ struct ifla_vf_tx_rate vf_tx_rate;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf = vf_vlan.vf = vf_tx_rate.vf = ivi.vf;
diff --git a/queue-3.0/series b/queue-3.0/series
index bd34a71f538..a54b2869cef 100644
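Review bot: The new guard at the top of `rds_message_alloc()` has no comment, and the commit message quotes the report without saying what the check does. Since the quoted report says the size comes from userspace via sendmsg, I would add `/* extra_len is driven by userspace: reject sizes kmalloc cannot satisfy and keep the addition below from wrapping */` above it. The wrap matters only where `size_t` is 32 bits, and the parameter type is truncated in the hunk header, so that part is inferred. The bound is the allocator's limit rather than an RDS limit, so a single call can still ask for up to `KMALLOC_MAX_SIZE`. Whether the caller applies a tighter protocol cap is outside the hunk, as is the rest of the function body.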
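Review bot: In `rtnl_fill_ifinfo()` the added `memset()` clears only `ivi.mac`, yet `ivi.vf` is read on the last visible line and the other `ivi` fields are filled solely by the driver's `ndo_get_vf_config()`. If `ivi` has no initialiser at its declaration, which is outside the hunk, any field a driver leaves unset could reach userland the same way the 26 MAC bytes did. `memset(&ivi, 0, sizeof(ivi));` would cover the whole struct at the same cost. Either way a comment such as `/* drivers may fill only part of ivi; clear it before it is copied into netlink attributes */` belongs on this line.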
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -28,3 +28,13 @@ drm-i915-ebusy-status-handling-added-to-i915_gem_fault.patch
 hwmon-sht15-fix-memory-leak-if-regulator_enable-fails.patch
 block-use-i_size_write-in-bd_set_size.patch
 loopdev-fix-a-deadlock.patch
+l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch
+rds-limit-the-size-allocated-by-rds_message_alloc.patch
+net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch
+tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch
+tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
+netlabel-correctly-list-all-the-static-label-mappings.patch
+bridging-fix-rx_handlers-return-code.patch
+ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch
+rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+dcbnl-fix-various-netlink-info-leaks.patch
diff --git a/queue-3.0/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch b/queue-3.0/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch
new file mode 100644
index 00000000000..e357de119c4
--- /dev/null
+++ b/queue-3.0/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch
@@ -0,0 +1,44 @@
+From d80e280987ce9a6e7a9bc8a77e09f5942eb9097a Mon Sep 17 00:00:00 2001
+From: Neal Cardwell
+Date: Mon, 4 Mar 2013 06:23:05 +0000
+Subject: tcp: fix double-counted receiver RTT when leaving receiver fast path
+
+
+From: Neal Cardwell
+
+[ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ]
+
+We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both
+before and after going to step5. That wastes CPU and double-counts the
+receiver-side RTT sample.
+
+Signed-off-by: Neal Cardwell
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5419,6 +5419,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if ((int)skb->truesize > sk->sk_forward_alloc)
++ goto step5;
++
+ /* Predicted packet is in window by definition.
+ * seq == rcv_nxt and rcv_wup <= rcv_nxt.
+ * Hence, check seq<=rcv_wup reduces to:
+@@ -5430,9 +5433,6 @@ int tcp_rcv_established(struct sock *sk,
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+- if ((int)skb->truesize > sk->sk_forward_alloc)
+- goto step5;
+-
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);
+
+ /* Bulk data transfer: receiver */
diff --git a/queue-3.0/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch b/queue-3.0/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
new file mode 100644
index 00000000000..3f80dd9cf10
--- /dev/null
+++ b/queue-3.0/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
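Review bot: The relocated `sk_forward_alloc` check in `tcp_rcv_established()` is now order-sensitive, but nothing in the code says so, and a later reshuffle could quietly reintroduce the double count. A comment above it, such as `/* must precede the ts_recent update and tcp_rcv_rtt_measure_ts(): step5 performs both again */`, would pin the ordering down. The `(int)` cast on `skb->truesize` is carried over unchanged from the old location. The function starts and ends outside both hunks.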
@@ -0,0 +1,71 @@
+From 2154d62e4c411a9d97e0212b8a9d80c6a0c01295 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 6 Mar 2013 11:02:37 +0000
+Subject: tun: add a missing nf_reset() in tun_net_xmit()
+
+
+From: Eric Dumazet
+
+[ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ]
+
+Dave reported following crash :
+
+general protection fault: 0000 [#1] SMP
+CPU 2
+Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch
+RIP: 0010:[] [] destroy_conntrack+0x35/0x120 [nf_conntrack]
+RSP: 0018:ffff880276913d78 EFLAGS: 00010206
+RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00
+RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002
+RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900
+R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40
+R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002
+FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720)
+Stack:
+ ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7
+ ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100
+ ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470
+Call Trace:
+ [] nf_conntrack_destroy+0x17/0x20
+ [] skb_release_head_state+0x7b/0x100
+ [] __kfree_skb+0x16/0xa0
+ [] kfree_skb+0x36/0xa0
+ [] skb_queue_purge+0x20/0x40
+ [] __tun_detach+0x117/0x140 [tun]
+ [] tun_chr_close+0x3c/0xd0 [tun]
+ [] __fput+0xec/0x240
+ [] ____fput+0xe/0x10
+ [] task_work_run+0xa7/0xe0
+ [] do_notify_resume+0x71/0xb0
+ [] int_signal+0x12/0x17
+Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0
+RIP [] destroy_conntrack+0x35/0x120 [nf_conntrack]
+ RSP
+
+This is because tun_net_xmit() needs to call nf_reset()
+before queuing skb into receive_queue
+
+Reported-by: Dave Jones
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -417,6 +417,8 @@ static netdev_tx_t tun_net_xmit(struct s
+ * for indefinite time. */
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tun->socket.sk->sk_receive_queue, skb);
+
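Review bot: `nf_reset(skb)` in `tun_net_xmit()` is added without a comment, although the reason is not obvious from the code and took a crash report to find. The quoted trace shows the conntrack reference being released only when the queue is purged from `__tun_detach()`. A comment next to the existing `skb_orphan()` one, such as `/* drop netfilter state before queuing: the skb may stay in the receive queue until the device is closed */`, would record why the call must come before `skb_queue_tail()`. The function starts and ends outside the hunk, so other paths that queue skbs to `sk_receive_queue` cannot be checked here.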