From 04431af7520ce99bf224926062f22a5da302014b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Tue, 12 Feb 2013 10:40:45 -0800
Subject: [PATCH] 3.0-stable patches
added patches:
atm-iphase-rename-fregt_t-ffreg_t.patch
bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
maintainers-stephen-hemminger-email-change.patch
net-loopback-fix-a-dst-refcounting-issue.patch
net-prevent-setting-ttl-0-via-ip_ttl.patch
net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
packet-fix-leakage-of-tx_ring-memory.patch
pktgen-correctly-handle-failures-when-adding-a-device.patch
r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
tcp-fix-msg_sendpage_notlast-logic.patch
tcp-frto-should-not-set-snd_cwnd-to-0.patch
tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
tg3-fix-crc-errors-on-jumbo-frame-receive.patch
---
 .../atm-iphase-rename-fregt_t-ffreg_t.patch | 198 ++++++++++++++++++
 ...b-data-before-looking-into-ip-header.patch | 33 +++
 ...-neighbor-entries-for-local-delivery.patch | 39 ++++
 ...-zero-size-border-case-in-debug-dump.patch | 32 +++
 ...iners-stephen-hemminger-email-change.patch | 50 +++++
 ...loopback-fix-a-dst-refcounting-issue.patch | 80 +++++++
 ...net-prevent-setting-ttl-0-via-ip_ttl.patch | 50 +++++
 ...dpoint_free-zero-out-secret-key-data.patch | 43 ++++
 ...auth_key-use-kzfree-instead-of-kfree.patch | 35 ++++
 ...packet-fix-leakage-of-tx_ring-memory.patch | 56 +++++
 ...handle-failures-when-adding-a-device.patch | 57 +++++
 ...bsolete-and-incorrect-amd-workaround.patch | 58 +++++
 ...wn-to-insure-proper-re-initalization.patch | 72 +++++++
 queue-3.0/series | 18 ++
 ...zero-packets_in_flight-was-too-broad.patch | 52 +++++
 .../tcp-fix-msg_sendpage_notlast-logic.patch | 54 +++++
 ...cp-frto-should-not-set-snd_cwnd-to-0.patch | 43 ++++
 ...-in-tg3_interrupt-in-netconsole-mode.patch | 44 ++++
 ...ix-crc-errors-on-jumbo-frame-receive.patch | 166 +++++++++++++++
 19 files changed, 1180 insertions(+)
 create mode 100644 queue-3.0/atm-iphase-rename-fregt_t-ffreg_t.patch
 create mode 100644 queue-3.0/bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
 create mode 100644 queue-3.0/ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
 create mode 100644 queue-3.0/isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
 create mode 100644 queue-3.0/maintainers-stephen-hemminger-email-change.patch
 create mode 100644 queue-3.0/net-loopback-fix-a-dst-refcounting-issue.patch
 create mode 100644 queue-3.0/net-prevent-setting-ttl-0-via-ip_ttl.patch
 create mode 100644 queue-3.0/net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
 create mode 100644 queue-3.0/net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
 create mode 100644 queue-3.0/packet-fix-leakage-of-tx_ring-memory.patch
 create mode 100644 queue-3.0/pktgen-correctly-handle-failures-when-adding-a-device.patch
 create mode 100644 queue-3.0/r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
 create mode 100644 queue-3.0/sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
 create mode 100644 queue-3.0/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
 create mode 100644 queue-3.0/tcp-fix-msg_sendpage_notlast-logic.patch
 create mode 100644 queue-3.0/tcp-frto-should-not-set-snd_cwnd-to-0.patch
 create mode 100644 queue-3.0/tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
 create mode 100644 queue-3.0/tg3-fix-crc-errors-on-jumbo-frame-receive.patch
diff --git a/queue-3.0/atm-iphase-rename-fregt_t-ffreg_t.patch b/queue-3.0/atm-iphase-rename-fregt_t-ffreg_t.patch
new file mode 100644
index 00000000000..57b54cb4af4
--- /dev/null
+++ b/queue-3.0/atm-iphase-rename-fregt_t-ffreg_t.patch
@@ -0,0 +1,198 @@
+From a8b98aa575d6e75fabacfa68134081db49af5b25 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Fri, 8 Feb 2013 00:19:11 +0000
+Subject: atm/iphase: rename fregt_t -> ffreg_t
+
+
+From: Heiko Carstens
+
+[ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ]
+
+We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
+iphase atm device driver, which causes the compile error below.
+Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
+nor can I change the include order in s390 code to avoid the conflict.
+
+So simply rename the iphase typedef to a new name. Fixes this compile error:
+
+In file included from drivers/atm/iphase.c:66:0:
+drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
+In file included from next/arch/s390/include/asm/ptrace.h:9:0,
+ from next/arch/s390/include/asm/lowcore.h:12,
+ from next/arch/s390/include/asm/thread_info.h:30,
+ from include/linux/thread_info.h:54,
+ from include/linux/preempt.h:9,
+ from include/linux/spinlock.h:50,
+ from include/linux/seqlock.h:29,
+ from include/linux/time.h:5,
+ from include/linux/stat.h:18,
+ from include/linux/module.h:10,
+ from drivers/atm/iphase.c:43:
+next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
+
+Signed-off-by: Heiko Carstens
+Acked-by: chas williams - CONTRACTOR
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/iphase.h | 146 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+--- a/drivers/atm/iphase.h
++++ b/drivers/atm/iphase.h
+@@ -636,82 +636,82 @@ struct rx_buf_desc {
+ #define SEG_BASE IPHASE5575_FRAG_CONTROL_REG_BASE
+ #define REASS_BASE IPHASE5575_REASS_CONTROL_REG_BASE
+
+-typedef volatile u_int freg_t;
++typedef volatile u_int ffreg_t;
+ typedef u_int rreg_t;
+
+ typedef struct _ffredn_t {
+- freg_t idlehead_high; /* Idle cell header (high) */
+- freg_t idlehead_low; /* Idle cell header (low) */
+- freg_t maxrate; /* Maximum rate */
+- freg_t stparms; /* Traffic Management Parameters */
+- freg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
+- freg_t rm_type; /* */
+- u_int filler5[0x17 - 0x06];
+- freg_t cmd_reg; /* Command register */
+- u_int filler18[0x20 - 0x18];
+- freg_t cbr_base; /* CBR Pointer Base */
+- freg_t vbr_base; /* VBR Pointer Base */
+- freg_t abr_base; /* ABR Pointer Base */
+- freg_t ubr_base; /* UBR Pointer Base */
+- u_int filler24;
+- freg_t vbrwq_base; /* VBR Wait Queue Base */
+- freg_t abrwq_base; /* ABR Wait Queue Base */
+- freg_t ubrwq_base; /* UBR Wait Queue Base */
+- freg_t vct_base; /* Main VC Table Base */
+- freg_t vcte_base; /* Extended Main VC Table Base */
+- u_int filler2a[0x2C - 0x2A];
+- freg_t cbr_tab_beg; /* CBR Table Begin */
+- freg_t cbr_tab_end; /* CBR Table End */
+- freg_t cbr_pointer; /* CBR Pointer */
+- u_int filler2f[0x30 - 0x2F];
+- freg_t prq_st_adr; /* Packet Ready Queue Start Address */
+- freg_t prq_ed_adr; /* Packet Ready Queue End Address */
+- freg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
+- freg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
+- freg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
+- freg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
+- freg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
+- freg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
+- u_int filler38[0x40 - 0x38];
+- freg_t queue_base; /* Base address for PRQ and TCQ */
+- freg_t desc_base; /* Base address of descriptor table */
+- u_int filler42[0x45 - 0x42];
+- freg_t mode_reg_0; /* Mode register 0 */
+- freg_t mode_reg_1; /* Mode register 1 */
+- freg_t intr_status_reg;/* Interrupt Status register */
+- freg_t mask_reg; /* Mask Register */
+- freg_t cell_ctr_high1; /* Total cell transfer count (high) */
+- freg_t cell_ctr_lo1; /* Total cell transfer count (low) */
+- freg_t state_reg; /* Status register */
+- u_int filler4c[0x58 - 0x4c];
+- freg_t curr_desc_num; /* Contains the current descriptor num */
+- freg_t next_desc; /* Next descriptor */
+- freg_t next_vc; /* Next VC */
+- u_int filler5b[0x5d - 0x5b];
+- freg_t present_slot_cnt;/* Present slot count */
+- u_int filler5e[0x6a - 0x5e];
+- freg_t new_desc_num; /* New descriptor number */
+- freg_t new_vc; /* New VC */
+- freg_t sched_tbl_ptr; /* Schedule table pointer */
+- freg_t vbrwq_wptr; /* VBR wait queue write pointer */
+- freg_t vbrwq_rptr; /* VBR wait queue read pointer */
+- freg_t abrwq_wptr; /* ABR wait queue write pointer */
+- freg_t abrwq_rptr; /* ABR wait queue read pointer */
+- freg_t ubrwq_wptr; /* UBR wait queue write pointer */
+- freg_t ubrwq_rptr; /* UBR wait queue read pointer */
+- freg_t cbr_vc; /* CBR VC */
+- freg_t vbr_sb_vc; /* VBR SB VC */
+- freg_t abr_sb_vc; /* ABR SB VC */
+- freg_t ubr_sb_vc; /* UBR SB VC */
+- freg_t vbr_next_link; /* VBR next link */
+- freg_t abr_next_link; /* ABR next link */
+- freg_t ubr_next_link; /* UBR next link */
+- u_int filler7a[0x7c-0x7a];
+- freg_t out_rate_head; /* Out of rate head */
+- u_int filler7d[0xca-0x7d]; /* pad out to full address space */
+- freg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
+- freg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
+- u_int fillercc[0x100-0xcc]; /* pad out to full address space */
++ ffreg_t idlehead_high; /* Idle cell header (high) */
++ ffreg_t idlehead_low; /* Idle cell header (low) */
++ ffreg_t maxrate; /* Maximum rate */
++ ffreg_t stparms; /* Traffic Management Parameters */
++ ffreg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
++ ffreg_t rm_type; /* */
++ u_int filler5[0x17 - 0x06];
++ ffreg_t cmd_reg; /* Command register */
++ u_int filler18[0x20 - 0x18];
++ ffreg_t cbr_base; /* CBR Pointer Base */
++ ffreg_t vbr_base; /* VBR Pointer Base */
++ ffreg_t abr_base; /* ABR Pointer Base */
++ ffreg_t ubr_base; /* UBR Pointer Base */
++ u_int filler24;
++ ffreg_t vbrwq_base; /* VBR Wait Queue Base */
++ ffreg_t abrwq_base; /* ABR Wait Queue Base */
++ ffreg_t ubrwq_base; /* UBR Wait Queue Base */
++ ffreg_t vct_base; /* Main VC Table Base */
++ ffreg_t vcte_base; /* Extended Main VC Table Base */
++ u_int filler2a[0x2C - 0x2A];
++ ffreg_t cbr_tab_beg; /* CBR Table Begin */
++ ffreg_t cbr_tab_end; /* CBR Table End */
++ ffreg_t cbr_pointer; /* CBR Pointer */
++ u_int filler2f[0x30 - 0x2F];
++ ffreg_t prq_st_adr; /* Packet Ready Queue Start Address */
++ ffreg_t prq_ed_adr; /* Packet Ready Queue End Address */
++ ffreg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
++ ffreg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
++ ffreg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
++ ffreg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
++ ffreg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
++ ffreg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
++ u_int filler38[0x40 - 0x38];
++ ffreg_t queue_base; /* Base address for PRQ and TCQ */
++ ffreg_t desc_base; /* Base address of descriptor table */
++ u_int filler42[0x45 - 0x42];
++ ffreg_t mode_reg_0; /* Mode register 0 */
++ ffreg_t mode_reg_1; /* Mode register 1 */
++ ffreg_t intr_status_reg;/* Interrupt Status register */
++ ffreg_t mask_reg; /* Mask Register */
++ ffreg_t cell_ctr_high1; /* Total cell transfer count (high) */
++ ffreg_t cell_ctr_lo1; /* Total cell transfer count (low) */
++ ffreg_t state_reg; /* Status register */
++ u_int filler4c[0x58 - 0x4c];
++ ffreg_t curr_desc_num; /* Contains the current descriptor num */
++ ffreg_t next_desc; /* Next descriptor */
++ ffreg_t next_vc; /* Next VC */
++ u_int filler5b[0x5d - 0x5b];
++ ffreg_t present_slot_cnt;/* Present slot count */
++ u_int filler5e[0x6a - 0x5e];
++ ffreg_t new_desc_num; /* New descriptor number */
++ ffreg_t new_vc; /* New VC */
++ ffreg_t sched_tbl_ptr; /* Schedule table pointer */
++ ffreg_t vbrwq_wptr; /* VBR wait queue write pointer */
++ ffreg_t vbrwq_rptr; /* VBR wait queue read pointer */
++ ffreg_t abrwq_wptr; /* ABR wait queue write pointer */
++ ffreg_t abrwq_rptr; /* ABR wait queue read pointer */
++ ffreg_t ubrwq_wptr; /* UBR wait queue write pointer */
++ ffreg_t ubrwq_rptr; /* UBR wait queue read pointer */
++ ffreg_t cbr_vc; /* CBR VC */
++ ffreg_t vbr_sb_vc; /* VBR SB VC */
++ ffreg_t abr_sb_vc; /* ABR SB VC */
++ ffreg_t ubr_sb_vc; /* UBR SB VC */
++ ffreg_t vbr_next_link; /* VBR next link */
++ ffreg_t abr_next_link; /* ABR next link */
++ ffreg_t ubr_next_link; /* UBR next link */
++ u_int filler7a[0x7c-0x7a];
++ ffreg_t out_rate_head; /* Out of rate head */
++ u_int filler7d[0xca-0x7d]; /* pad out to full address space */
++ ffreg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
++ ffreg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
++ u_int fillercc[0x100-0xcc]; /* pad out to full address space */
+ } ffredn_t;
+
+ typedef struct _rfredn_t {
diff --git a/queue-3.0/bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch b/queue-3.0/bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
new file mode 100644
index 00000000000..83c30886d43
--- /dev/null
+++ b/queue-3.0/bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
@@ -0,0 +1,33 @@
+From de09ab7354e878980ef4561420fd217f8f356e41 Mon Sep 17 00:00:00 2001
+From: Sarveshwar Bandi
+Date: Wed, 10 Oct 2012 01:15:01 +0000
+Subject: bridge: Pull ip header into skb->data before looking into ip header.
+
+
+From: Sarveshwar Bandi
+
+[ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ]
+
+If lower layer driver leaves the ip header in the skb fragment, it needs to
+be first pulled into skb->data before inspecting ip header length or ip version
+number.
+
+Signed-off-by: Sarveshwar Bandi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_netfilter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -233,6 +233,9 @@ static int br_parse_ip_options(struct sk
+ struct net_device *dev = skb->dev;
+ u32 len;
+
++ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
++ goto inhdr_error;
++
+ iph = ip_hdr(skb);
+ opt = &(IPCB(skb)->opt);
+
diff --git a/queue-3.0/ipv6-do-not-create-neighbor-entries-for-local-delivery.patch b/queue-3.0/ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
new file mode 100644
index 00000000000..d40b565c94d
--- /dev/null
+++ b/queue-3.0/ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
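Review bot: In br_parse_ip_options() (net/bridge/br_netfilter.c), the added `pskb_may_pull(skb, sizeof(struct iphdr))` only guarantees that the fixed-size header is in the linear area, so any later read of IP option bytes needs its own pull sized from `iph->ihl * 4`, and `iph` must be re-read with `ip_hdr(skb)` after that pull because pskb_may_pull() may reallocate the head. The rest of the function lies outside this hunk, so confirm both are present there. A short comment above the new check, e.g. `/* header may still sit in a fragment; pull it before reading ihl/version */`, would keep a later cleanup from moving the `ip_hdr()` call back above it.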
@@ -0,0 +1,39 @@
+From 18c9ecee38027b65bb87357646d1f51346f4752a Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Tue, 29 Jan 2013 22:26:08 +0000
+Subject: ipv6: do not create neighbor entries for local delivery
+
+
+From: Marcelo Ricardo Leitner
+
+[ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ]
+
+They will be created at output, if ever needed. This avoids creating
+empty neighbor entries when TPROXYing/Forwarding packets for addresses
+that are not even directly reachable.
+
+Note that IPv4 already handles it this way. No neighbor entries are
+created for local input.
+
+Tested by myself and customer.
+
+Signed-off-by: Jiri Pirko
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -802,7 +802,8 @@ restart:
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+
+- if (!dst_get_neighbour_raw(&rt->dst) && !(rt->rt6i_flags & RTF_NONEXTHOP))
++ if (!dst_get_neighbour_raw(&rt->dst) &&
++ !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
+ nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
+ else if (!(rt->dst.flags & DST_HOST))
+ nrt = rt6_alloc_clone(rt, &fl6->daddr);
diff --git a/queue-3.0/isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch b/queue-3.0/isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
new file mode 100644
index 00000000000..c1a48465d83
--- /dev/null
+++ b/queue-3.0/isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
@@ -0,0 +1,32 @@
+From c30d36c733b4d0b2c800c25eda1aa0a2c9d4ec36 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt
+Date: Mon, 21 Jan 2013 11:57:21 +0000
+Subject: isdn/gigaset: fix zero size border case in debug dump
+
+
+From: Tilman Schmidt
+
+[ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ]
+
+If subtracting 12 from l leaves zero we'd do a zero size allocation,
+leading to an oops later when we try to set the NUL terminator.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Tilman Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/gigaset/capi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/isdn/gigaset/capi.c
++++ b/drivers/isdn/gigaset/capi.c
+@@ -263,6 +263,8 @@ static inline void dump_rawmsg(enum debu
+ CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
+ CAPIMSG_CONTROL(data));
+ l -= 12;
++ if (l <= 0)
++ return;
+ dbgline = kmalloc(3*l, GFP_ATOMIC);
+ if (!dbgline)
+ return;
diff --git a/queue-3.0/maintainers-stephen-hemminger-email-change.patch b/queue-3.0/maintainers-stephen-hemminger-email-change.patch
new file mode 100644
index 00000000000..d3d0d0f0823
--- /dev/null
+++ b/queue-3.0/maintainers-stephen-hemminger-email-change.patch
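Review bot: In dump_rawmsg() (drivers/isdn/gigaset/capi.c), the new `if (l <= 0) return;` closes the zero-size case, but the `kmalloc(3*l, GFP_ATOMIC)` that follows still multiplies a value with no visible upper bound. The declaration and origin of `l` are outside this hunk, so confirm that its type or an earlier check limits it before it is tripled. The new guard also deserves a one-line reason, e.g. `/* nothing left to dump after the first 12 bytes */`, since the link to the later NUL-terminator write is only explained in the commit message.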
@@ -0,0 +1,50 @@
+From b6b7ae73c7788ae7311247536847946d213e48f4 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger
+Date: Wed, 16 Jan 2013 09:55:57 -0800
+Subject: MAINTAINERS: Stephen Hemminger email change
+
+
+From: Stephen Hemminger
+
+[ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ]
+
+I changed my email because the vyatta.com mail server is now
+redirected to brocade.com; and the Brocade mail system
+is not friendly to Linux desktop users.
+
+Signed-off-by: Stephen Hemminger
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ MAINTAINERS | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -2491,7 +2491,7 @@ S: Maintained
+ F: drivers/net/eexpress.*
+
+ ETHERNET BRIDGE
+-M: Stephen Hemminger
++M: Stephen Hemminger
+ L: bridge@lists.linux-foundation.org
+ L: netdev@vger.kernel.org
+ W: http://www.linuxfoundation.org/en/Net:Bridge
+@@ -4327,7 +4327,7 @@ S: Supported
+ F: drivers/infiniband/hw/nes/
+
+ NETEM NETWORK EMULATOR
+-M: Stephen Hemminger
++M: Stephen Hemminger
+ L: netem@lists.linux-foundation.org
+ S: Maintained
+ F: net/sched/sch_netem.c
+@@ -5779,7 +5779,7 @@ S: Maintained
+ F: drivers/usb/misc/sisusbvga/
+
+ SKGE, SKY2 10/100/1000 GIGABIT ETHERNET DRIVERS
+-M: Stephen Hemminger
++M: Stephen Hemminger
+ L: netdev@vger.kernel.org
+ S: Maintained
+ F: drivers/net/skge.*
diff --git a/queue-3.0/net-loopback-fix-a-dst-refcounting-issue.patch b/queue-3.0/net-loopback-fix-a-dst-refcounting-issue.patch
new file mode 100644
index 00000000000..b0ad32f74ad
--- /dev/null
+++ b/queue-3.0/net-loopback-fix-a-dst-refcounting-issue.patch
@@ -0,0 +1,80 @@
+From ce01f5df54b7459150020f9b9bf9d7b0ef0e8e25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 25 Jan 2013 07:44:41 +0000
+Subject: net: loopback: fix a dst refcounting issue
+
+
+From: Eric Dumazet
+
+[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]
+
+Ben Greear reported crashes in ip_rcv_finish() on a stress
+test involving many macvlans.
+
+We tracked the bug to a dst use after free. ip_rcv_finish()
+was calling dst->input() and got garbage for dst->input value.
+
+It appears the bug is in loopback driver, lacking
+a skb_dst_force() before calling netif_rx().
+
+As a result, a non refcounted dst, normally protected by a
+RCU read_lock section, was escaping this section and could
+be freed before the packet being processed.
+
+ [] loopback_xmit+0x64/0x83
+ [] dev_hard_start_xmit+0x26c/0x35e
+ [] dev_queue_xmit+0x2c4/0x37c
+ [] ? dev_hard_start_xmit+0x35e/0x35e
+ [] ? eth_header+0x28/0xb6
+ [] neigh_resolve_output+0x176/0x1a7
+ [] ip_finish_output2+0x297/0x30d
+ [] ? ip_finish_output2+0x137/0x30d
+ [] ip_finish_output+0x63/0x68
+ [] ip_output+0x61/0x67
+ [] dst_output+0x17/0x1b
+ [] ip_local_out+0x1e/0x23
+ [] ip_queue_xmit+0x315/0x353
+ [] ? ip_send_unicast_reply+0x2cc/0x2cc
+ [] tcp_transmit_skb+0x7ca/0x80b
+ [] tcp_connect+0x53c/0x587
+ [] ? getnstimeofday+0x44/0x7d
+ [] ? ktime_get_real+0x11/0x3e
+ [] tcp_v4_connect+0x3c2/0x431
+ [] __inet_stream_connect+0x84/0x287
+ [] ? inet_stream_connect+0x22/0x49
+ [] ? _local_bh_enable_ip+0x84/0x9f
+ [] ? local_bh_enable+0xd/0x11
+ [] ? lock_sock_nested+0x6e/0x79
+ [] ? inet_stream_connect+0x22/0x49
+ [] inet_stream_connect+0x33/0x49
+ [] sys_connect+0x75/0x98
+
+This bug was introduced in linux-2.6.35, in commit
+7fee226ad2397b (net: add a noref bit on skb dst)
+
+skb_dst_force() is enforced in dev_queue_xmit() for devices having a
+qdisc.
+
+Reported-by: Ben Greear
+Signed-off-by: Eric Dumazet
+Tested-by: Ben Greear
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/loopback.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -78,6 +78,11 @@ static netdev_tx_t loopback_xmit(struct
+
+ skb_orphan(skb);
+
++ /* Before queueing this packet to netif_rx(),
++ * make sure dst is refcounted.
++ */
++ skb_dst_force(skb);
++
+ skb->protocol = eth_type_trans(skb, dev);
+
+ /* it's OK to use per_cpu_ptr() because BHs are off */
diff --git a/queue-3.0/net-prevent-setting-ttl-0-via-ip_ttl.patch b/queue-3.0/net-prevent-setting-ttl-0-via-ip_ttl.patch
new file mode 100644
index 00000000000..a493ba1b734
--- /dev/null
+++ b/queue-3.0/net-prevent-setting-ttl-0-via-ip_ttl.patch
@@ -0,0 +1,50 @@
+From 939500bdecec387c8bd8dc205cdbef5f5b0c6303 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Mon, 7 Jan 2013 21:17:00 +0000
+Subject: net: prevent setting ttl=0 via IP_TTL
+
+
+From: Cong Wang
+
+[ Upstream commit c9be4a5c49cf51cc70a993f004c5bb30067a65ce ]
+
+A regression is introduced by the following commit:
+
+ commit 4d52cfbef6266092d535237ba5a4b981458ab171
+ Author: Eric Dumazet
+ Date: Tue Jun 2 00:42:16 2009 -0700
+
+ net: ipv4/ip_sockglue.c cleanups
+
+ Pure cleanups
+
+but it is not a pure cleanup...
+
+ - if (val != -1 && (val < 1 || val>255))
+ + if (val != -1 && (val < 0 || val > 255))
+
+Since there is no reason provided to allow ttl=0, change it back.
+
+Reported-by: nitin padalia
+Cc: nitin padalia
+Cc: Eric Dumazet
+Cc: David S. Miller
+Signed-off-by: Cong Wang
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -599,7 +599,7 @@ static int do_ip_setsockopt(struct sock
+ case IP_TTL:
+ if (optlen < 1)
+ goto e_inval;
+- if (val != -1 && (val < 0 || val > 255))
++ if (val != -1 && (val < 1 || val > 255))
+ goto e_inval;
+ inet->uc_ttl = val;
+ break;
diff --git a/queue-3.0/net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch b/queue-3.0/net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
new file mode 100644
index 00000000000..5ba89016b25
--- /dev/null
+++ b/queue-3.0/net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
@@ -0,0 +1,43 @@
+From 8cc0a7c8a231729c250c14fb887db1cb4102c2f1 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Fri, 8 Feb 2013 03:04:35 +0000
+Subject: net: sctp: sctp_endpoint_free: zero out secret key data
+
+
+From: Daniel Borkmann
+
+[ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]
+
+On sctp_endpoint_destroy, previously used sensitive keying material
+should be zeroed out before the memory is returned, as we already do
+with e.g. auth keys when released.
+
+Signed-off-by: Daniel Borkmann
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/endpointola.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -248,6 +248,8 @@ void sctp_endpoint_free(struct sctp_endp
+ /* Final destructor for endpoint. */
+ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
+ {
++ int i;
++
+ SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
+
+ /* Free up the HMAC transform. */
+@@ -270,6 +272,9 @@ static void sctp_endpoint_destroy(struct
+ sctp_inq_free(&ep->base.inqueue);
+ sctp_bind_addr_free(&ep->base.bind_addr);
+
++ for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i)
++ memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);
++
+ /* Remove and free the port */
+ if (sctp_sk(ep->base.sk)->bind_hash)
+ sctp_put_port(ep->base.sk);
diff --git a/queue-3.0/net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch b/queue-3.0/net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
new file mode 100644
index 00000000000..7e83cd5e474
--- /dev/null
+++ b/queue-3.0/net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
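Review bot: In sctp_endpoint_destroy() (net/sctp/endpointola.c), the added loop wipes the keys with plain `memset()` on an object that is about to be released, and stores to soon-to-be-freed memory are candidates for dead-store elimination, so the wipe holds only as long as the compiler cannot see the free (which happens outside this hunk). The per-element form `memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE)` also assumes each element is exactly SCTP_SECRET_SIZE bytes. If `secret_key` is an array member (its declaration is not visible here), `memset(ep->secret_key, 0, sizeof(ep->secret_key));` clears everything in one call, drops the `int i`, and stays correct if the dimensions change. A comment such as `/* scrub keying material before the endpoint memory is returned */` would mark the call as security-relevant, so that it is not removed as redundant.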
@@ -0,0 +1,35 @@
+From 6304eb467412af5c5af8934d6778f4a0cf0a1dae Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Fri, 8 Feb 2013 03:04:34 +0000
+Subject: net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
+
+
+From: Daniel Borkmann
+
+[ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]
+
+In sctp_setsockopt_auth_key, we create a temporary copy of the user
+passed shared auth key for the endpoint or association and after
+internal setup, we free it right away. Since it's sensitive data, we
+should zero out the key before returning the memory back to the
+allocator. Thus, use kzfree instead of kfree, just as we do in
+sctp_auth_key_put().
+
+Signed-off-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -3304,7 +3304,7 @@ static int sctp_setsockopt_auth_key(stru
+
+ ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
+ out:
+- kfree(authkey);
++ kzfree(authkey);
+ return ret;
+ }
+
diff --git a/queue-3.0/packet-fix-leakage-of-tx_ring-memory.patch b/queue-3.0/packet-fix-leakage-of-tx_ring-memory.patch
new file mode 100644
index 00000000000..4f9dae8b281
--- /dev/null
+++ b/queue-3.0/packet-fix-leakage-of-tx_ring-memory.patch
@@ -0,0 +1,56 @@
+From 4a00b6427182a347df180f546e0b8eca996a4987 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 1 Feb 2013 07:21:41 +0000
+Subject: packet: fix leakage of tx_ring memory
+
+
+From: Phil Sutter
+
+[ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ]
+
+When releasing a packet socket, the routine packet_set_ring() is reused
+to free rings instead of allocating them. But when calling it for the
+first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
+which in the second invocation makes it bail out since req->tp_block_nr
+is greater zero but req->tp_block_size is zero.
+
+This patch solves the problem by passing a zeroed auto-variable to
+packet_set_ring() upon each invocation from packet_release().
+
+As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING
+and packet mmap), i.e. the original inclusion of TX ring support into
+af_packet, but applies only to sockets with both RX and TX ring
+allocated, which is probably why this was unnoticed all the time.
+
+Signed-off-by: Phil Sutter
+Cc: Johann Baudy
+Cc: Daniel Borkmann
+Acked-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1349,13 +1349,15 @@ static int packet_release(struct socket
+
+ packet_flush_mclist(sk);
+
+- memset(&req, 0, sizeof(req));
+-
+- if (po->rx_ring.pg_vec)
++ if (po->rx_ring.pg_vec) {
++ memset(&req, 0, sizeof(req));
+ packet_set_ring(sk, &req, 1, 0);
++ }
+
+- if (po->tx_ring.pg_vec)
++ if (po->tx_ring.pg_vec) {
++ memset(&req, 0, sizeof(req));
+ packet_set_ring(sk, &req, 1, 1);
++ }
+
+ synchronize_net();
+ /*
diff --git a/queue-3.0/pktgen-correctly-handle-failures-when-adding-a-device.patch b/queue-3.0/pktgen-correctly-handle-failures-when-adding-a-device.patch
new file mode 100644
index 00000000000..c7caeff041d
--- /dev/null
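Review bot: In packet_release() (net/packet/af_packet.c), nothing in the new code says why `req` is zeroed separately in each branch, and the duplicated `memset()` is exactly what a later cleanup would hoist back out, which would bring the ring leak back. According to the commit message, packet_set_ring() writes into `req` (tp_block_nr) during the first call, so a comment above the first memset such as `/* packet_set_ring() modifies req; re-zero it before every call */` would pin the requirement in the source. packet_release() starts and ends outside this hunk.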
+++ b/queue-3.0/pktgen-correctly-handle-failures-when-adding-a-device.patch
@@ -0,0 +1,57 @@
+From ee18bf2dc23bcb67ba759f93016aaaf0f081a58e Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Sun, 27 Jan 2013 21:14:08 +0000
+Subject: pktgen: correctly handle failures when adding a device
+
+
+From: Cong Wang
+
+[ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ]
+
+The return value of pktgen_add_device() is not checked, so
+even if we fail to add some device, for example, non-exist one,
+we still see "OK:...". This patch fixes it.
+
+After this patch, I got:
+
+ # echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0
+ -bash: echo: write error: No such device
+ # cat /proc/net/pktgen/kpktgend_0
+ Running:
+ Stopped:
+ Result: ERROR: can not add device non-exist
+ # echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
+ # cat /proc/net/pktgen/kpktgend_0
+ Running:
+ Stopped: eth0
+ Result: OK: add_device=eth0
+
+(Candidate for -stable)
+
+Cc: David S. Miller
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/pktgen.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -1803,10 +1803,13 @@ static ssize_t pktgen_thread_write(struc
+ return -EFAULT;
+ i += len;
+ mutex_lock(&pktgen_thread_lock);
+- pktgen_add_device(t, f);
++ ret = pktgen_add_device(t, f);
+ mutex_unlock(&pktgen_thread_lock);
+- ret = count;
+- sprintf(pg_result, "OK: add_device=%s", f);
++ if (!ret) {
++ ret = count;
++ sprintf(pg_result, "OK: add_device=%s", f);
++ } else
++ sprintf(pg_result, "ERROR: can not add device %s", f);
+ goto out;
+ }
+
diff --git a/queue-3.0/r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch b/queue-3.0/r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
new file mode 100644
index 00000000000..da9b84c4e80
--- /dev/null
+++ b/queue-3.0/r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
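Review bot: In pktgen_thread_write() (net/core/pktgen.c), both result strings are produced with unbounded `sprintf(pg_result, ..., f)`, where `f` holds a device name taken from the user's write. The sizes of `f` and of the buffer behind `pg_result` are declared outside this hunk, so the new and longer "ERROR: can not add device %s" text should be checked against them, or both calls bounded with `snprintf()` and the result buffer's size. On style, the kernel convention is to brace both branches when one of them is braced, i.e. `} else {` followed by the error `sprintf` and a closing `}`.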
@@ -0,0 +1,58 @@
+From f87642a99a1298cd84cccdb7ce8fdcbff1610238 Mon Sep 17 00:00:00 2001
+From: Timo Teräs
+Date: Mon, 21 Jan 2013 22:30:35 +0000
+Subject: r8169: remove the obsolete and incorrect AMD workaround
+
+
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
+
+[ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ]
+
+This was introduced in commit 6dccd16 "r8169: merge with version
+6.001.00 of Realtek's r8169 driver". I did not find the version
+6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
+this hunk is no longer present.
+
+Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC
+rev d" claims to have fixed this issue otherwise.
+
+The magic compare mask of 0xfffe000 is dubious as it masks
+parts of the Reserved part, and parts of the VLAN tag. But this
+does not make much sense as the VLAN tag parts are perfectly
+valid there. In matter of fact this seems to be triggered with
+any VLAN tagged packet as RxVlanTag bit is matched. I would
+suspect 0xfffe0000 was intended to test reserved part only.
+
+Finally, this hunk is evil as it can cause more packets to be
+handled than what was NAPI quota causing net/core/dev.c:
+net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
+mess up the NAPI state causing device to hang.
+
+As result, any system using VLANs and having high receive
+traffic (so that NAPI poll budget limits rtl_rx) would result
+in device hang.
+
+Signed-off-by: Timo Teräs
+Acked-by: Francois Romieu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/r8169.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -5203,13 +5203,6 @@ static int rtl8169_rx_interrupt(struct n
+ dev->stats.rx_bytes += pkt_size;
+ dev->stats.rx_packets++;
+ }
+-
+- /* Work around for AMD plateform. */
+- if ((desc->opts2 & cpu_to_le32(0xfffe000)) &&
+- (tp->mac_version == RTL_GIGA_MAC_VER_05)) {
+- desc->opts2 = 0;
+- cur_rx++;
+- }
+ }
+
+ count = cur_rx - tp->cur_rx;
diff --git a/queue-3.0/sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch b/queue-3.0/sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
new file mode 100644
index 00000000000..53b65307220
--- /dev/null
+++ b/queue-3.0/sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
@@ -0,0 +1,72 @@
+From b3887ace720555154eae2262b0de8bac97cf1170 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Thu, 17 Jan 2013 11:15:08 +0000
+Subject: sctp: refactor sctp_outq_teardown to insure proper re-initalization
+
+
+From: Neil Horman
+
+[ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]
+
+Jamie Parsons reported a problem recently, in which the re-initalization of an
+association (The duplicate init case), resulted in a loss of receive window
+space. He tracked down the root cause to sctp_outq_teardown, which discarded
+all the data on an outq during a re-initalization of the corresponding
+association, but never reset the outq->outstanding_data field to zero. I wrote,
+and he tested this fix, which does a proper full re-initalization of the outq,
+fixing this problem, and hopefully future proofing us from simmilar issues down
+the road.
+
+Signed-off-by: Neil Horman
+Reported-by: Jamie Parsons
+Tested-by: Jamie Parsons
+CC: Jamie Parsons
+CC: Vlad Yasevich
+CC: "David S. Miller"
+CC: netdev@vger.kernel.org
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/outqueue.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -223,7 +223,7 @@ void sctp_outq_init(struct sctp_associat
+
+ /* Free the outqueue structure and any related pending chunks.
+ */
+-void sctp_outq_teardown(struct sctp_outq *q)
++static void __sctp_outq_teardown(struct sctp_outq *q)
+ {
+ struct sctp_transport *transport;
+ struct list_head *lchunk, *temp;
+@@ -276,8 +276,6 @@ void sctp_outq_teardown(struct sctp_outq
+ sctp_chunk_free(chunk);
+ }
+
+- q->error = 0;
+-
+ /* Throw away any leftover control chunks. */
+ list_for_each_entry_safe(chunk, tmp, &q->control_chunk_list, list) {
+ list_del_init(&chunk->list);
+@@ -285,11 +283,17 @@ void sctp_outq_teardown(struct sctp_outq
+ }
+ }
+
++void sctp_outq_teardown(struct sctp_outq *q)
++{
++ __sctp_outq_teardown(q);
++ sctp_outq_init(q->asoc, q);
++}
++
+ /* Free the outqueue structure and any related pending chunks. */
+ void sctp_outq_free(struct sctp_outq *q)
+ {
+ /* Throw away leftover chunks. */
+- sctp_outq_teardown(q);
++ __sctp_outq_teardown(q);
+
+ /* If we were kmalloc()'d, free the memory. */
+ if (q->malloced)
diff --git a/queue-3.0/series b/queue-3.0/series
index 0c27657834d..3a5ffa3233a 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -2,3 +2,21 @@ rtlwifi-fix-the-usage-of-the-wrong-variable-in-usb.c.patch
 virtio_console-don-t-access-uninitialized-data.patch
 kernel-resource.c-fix-stack-overflow-in-__reserve_region_with_split.patch
 mac80211-synchronize-scan-off-on-channel-and-ps-states.patch
+net-prevent-setting-ttl-0-via-ip_ttl.patch
+maintainers-stephen-hemminger-email-change.patch
+isdn-gigaset-fix-zero-size-border-case-in-debug-dump.patch
+r8169-remove-the-obsolete-and-incorrect-amd-workaround.patch
+net-loopback-fix-a-dst-refcounting-issue.patch
+pktgen-correctly-handle-failures-when-adding-a-device.patch
+ipv6-do-not-create-neighbor-entries-for-local-delivery.patch
+packet-fix-leakage-of-tx_ring-memory.patch
+atm-iphase-rename-fregt_t-ffreg_t.patch
+sctp-refactor-sctp_outq_teardown-to-insure-proper-re-initalization.patch
+net-sctp-sctp_setsockopt_auth_key-use-kzfree-instead-of-kfree.patch
+net-sctp-sctp_endpoint_free-zero-out-secret-key-data.patch
+tcp-frto-should-not-set-snd_cwnd-to-0.patch
+tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
+tcp-fix-msg_sendpage_notlast-logic.patch
+bridge-pull-ip-header-into-skb-data-before-looking-into-ip-header.patch
+tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
+tg3-fix-crc-errors-on-jumbo-frame-receive.patch
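Review bot: The new `sctp_outq_teardown()` ends with `sctp_outq_init(q->asoc, q);`, while `sctp_outq_free()` in the same patch goes on to test `q->malloced`, so it matters whether the init routine resets that field. The body of `sctp_outq_init()` is outside the hunk; if it clears `malloced`, an outq that was allocated separately and torn down once would no longer be released by `sctp_outq_free()`, so it is worth confirming that no caller allocates the outq on its own, or saving and restoring the flag around the re-init. The new public function also has no comment, while the old "Free the outqueue structure" comment now sits on `__sctp_outq_teardown()`; something like `/* Discard all queued chunks and reset the outq for reuse. */` would describe it.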
diff --git a/queue-3.0/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch b/queue-3.0/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
new file mode 100644
index 00000000000..a3f7a00a80d
--- /dev/null
+++ b/queue-3.0/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
@@ -0,0 +1,52 @@
+From 0437a885ff524effbd942340d8f05cde6fe15980 Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen
+Date: Mon, 4 Feb 2013 02:14:25 +0000
+Subject: tcp: fix for zero packets_in_flight was too broad
+
+
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?=
+
+[ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ]
+
+There are transients during normal FRTO procedure during which
+the packets_in_flight can go to zero between write_queue state
+updates and firing the resulting segments out. As FRTO processing
+occurs during that window the check must be more precise to
+not match "spuriously" :-). More specificly, e.g., when
+packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
+branch that set cwnd into zero would not be taken and new segments
+might be sent out later.
+
+Signed-off-by: Ilpo Järvinen
+Tested-by: Eric Dumazet
+Acked-by: Neal Cardwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3568,8 +3568,7 @@ static int tcp_process_frto(struct sock
+ ((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
+ tp->undo_marker = 0;
+
+- if (!before(tp->snd_una, tp->frto_highmark) ||
+- !tcp_packets_in_flight(tp)) {
++ if (!before(tp->snd_una, tp->frto_highmark)) {
+ tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
+ return 1;
+ }
+@@ -3589,6 +3588,11 @@ static int tcp_process_frto(struct sock
+ }
+ } else {
+ if (!(flag & FLAG_DATA_ACKED) && (tp->frto_counter == 1)) {
++ if (!tcp_packets_in_flight(tp)) {
++ tcp_enter_frto_loss(sk, 2, flag);
++ return true;
++ }
++
+ /* Prevent sending of new data. */
+ tp->snd_cwnd = min(tp->snd_cwnd,
+ tcp_packets_in_flight(tp));
diff --git a/queue-3.0/tcp-fix-msg_sendpage_notlast-logic.patch b/queue-3.0/tcp-fix-msg_sendpage_notlast-logic.patch
new file mode 100644
index 00000000000..02a401ff36e
--- /dev/null
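Review bot: The added early exit uses `return true;` in `tcp_process_frto()`, which is declared `static int` and returns `1` a few lines up in the first hunk of this same patch; `return 1;` would keep the function consistent. The hard-coded `2` passed to `tcp_enter_frto_loss()` equals what `(tp->frto_counter == 1 ? 2 : 3)` yields here, because the enclosing condition already requires `tp->frto_counter == 1`, and a short comment saying so would spare the next reader the comparison. The function body extends beyond both hunks.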
+++ b/queue-3.0/tcp-fix-msg_sendpage_notlast-logic.patch
@@ -0,0 +1,54 @@
+From 0f379a8fb8cbf317985476591c05462019fd0350 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sun, 6 Jan 2013 18:21:49 +0000
+Subject: tcp: fix MSG_SENDPAGE_NOTLAST logic
+
+
+From: Eric Dumazet
+
+[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]
+
+commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
+added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
+frags but the last one for a splice() call.
+
+The condition used to set the flag in pipe_to_sendpage() relied on
+splice() user passing the exact number of bytes present in the pipe,
+or a smaller one.
+
+But some programs pass an arbitrary high value, and the test fails.
+
+The effect of this bug is a lack of tcp_push() at the end of a
+splice(pipe -> socket) call, and possibly very slow or erratic TCP
+sessions.
+
+We should both test sd->total_len and fact that another fragment
+is in the pipe (pipe->nrbufs > 1)
+
+Many thanks to Willy for providing very clear bug report, bisection
+and test programs.
+
+Reported-by: Willy Tarreau
+Bisected-by: Willy Tarreau
+Tested-by: Willy Tarreau
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/splice.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -693,8 +693,10 @@ static int pipe_to_sendpage(struct pipe_
+ return -EINVAL;
+
+ more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
+- if (sd->len < sd->total_len)
++
++ if (sd->len < sd->total_len && pipe->nrbufs > 1)
+ more |= MSG_SENDPAGE_NOTLAST;
++
+ return file->f_op->sendpage(file, buf->page, buf->offset,
+ sd->len, &pos, more);
+ }
diff --git a/queue-3.0/tcp-frto-should-not-set-snd_cwnd-to-0.patch b/queue-3.0/tcp-frto-should-not-set-snd_cwnd-to-0.patch
new file mode 100644
index 00000000000..d468afb4ca1
--- /dev/null
+++ b/queue-3.0/tcp-frto-should-not-set-snd_cwnd-to-0.patch
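Review bot: The new condition `sd->len < sd->total_len && pipe->nrbufs > 1` in `pipe_to_sendpage()` carries no comment, and the reason for the second test lives only in the commit message. A comment such as `/* total_len comes from the splice() caller and may exceed what the pipe holds; only flag NOTLAST when another buffer is queued */` would record why the caller-supplied length is not sufficient on its own. The start of the function is outside the hunk.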
@@ -0,0 +1,43 @@
+From c1cc475460adea2fe1d2fc5d059b5f0c823839af Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sun, 3 Feb 2013 09:13:05 +0000
+Subject: tcp: frto should not set snd_cwnd to 0
+
+
+From: Eric Dumazet
+
+[ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ]
+
+Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start())
+uncovered a bug in FRTO code :
+tcp_process_frto() is setting snd_cwnd to 0 if the number
+of in flight packets is 0.
+
+As Neal pointed out, if no packet is in flight we lost our
+chance to disambiguate whether a loss timeout was spurious.
+
+We should assume it was a proper loss.
+
+Reported-by: Pasi Kärkkäinen
+Signed-off-by: Neal Cardwell
+Signed-off-by: Eric Dumazet
+Cc: Ilpo Järvinen
+Cc: Yuchung Cheng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3568,7 +3568,8 @@ static int tcp_process_frto(struct sock
+ ((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
+ tp->undo_marker = 0;
+
+- if (!before(tp->snd_una, tp->frto_highmark)) {
++ if (!before(tp->snd_una, tp->frto_highmark) ||
++ !tcp_packets_in_flight(tp)) {
+ tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
+ return 1;
+ }
diff --git a/queue-3.0/tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch b/queue-3.0/tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
new file mode 100644
index 00000000000..e5e5555dfff
--- /dev/null
+++ b/queue-3.0/tg3-avoid-null-pointer-dereference-in-tg3_interrupt-in-netconsole-mode.patch
@@ -0,0 +1,44 @@
+From 2cec2bdc3e1b5defc8c9b5a3b7c1291ceb8a61e7 Mon Sep 17 00:00:00 2001
+From: Nithin Nayak Sujir
+Date: Mon, 14 Jan 2013 17:10:59 +0000
+Subject: tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
+
+
+From: Nithin Nayak Sujir
+
+[ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ]
+
+When netconsole is enabled, logging messages generated during tg3_open
+can result in a null pointer dereference for the uninitialized tg3
+status block. Use the irq_sync flag to disable polling in the early
+stages. irq_sync is cleared when the driver is enabling interrupts after
+all initialization is completed.
+
+Signed-off-by: Nithin Nayak Sujir
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tg3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -5662,6 +5662,9 @@ static void tg3_poll_controller(struct n
+ int i;
+ struct tg3 *tp = netdev_priv(dev);
+
++ if (tg3_irq_sync(tp))
++ return;
++
+ for (i = 0; i < tp->irq_cnt; i++)
+ tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]);
+ }
+@@ -14981,6 +14984,7 @@ static int __devinit tg3_init_one(struct
+ tp->pm_cap = pm_cap;
+ tp->rx_mode = TG3_DEF_RX_MODE;
+ tp->tx_mode = TG3_DEF_TX_MODE;
++ tp->irq_sync = 1;
+
+ if (tg3_debug > 0)
+ tp->msg_enable = tg3_debug;
diff --git a/queue-3.0/tg3-fix-crc-errors-on-jumbo-frame-receive.patch b/queue-3.0/tg3-fix-crc-errors-on-jumbo-frame-receive.patch
new file mode 100644
index 00000000000..40c2b898f0f
--- /dev/null
+++ b/queue-3.0/tg3-fix-crc-errors-on-jumbo-frame-receive.patch
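Review bot: The assignment `tp->irq_sync = 1;` in `tg3_init_one()` has no explanation, yet it is the only thing that makes the new `tg3_irq_sync(tp)` guard in `tg3_poll_controller()` effective before the device has been opened. A comment such as `/* keep netpoll out of tg3_interrupt() until init has finished and interrupts are enabled */` would tie the two inner hunks together for anyone touching either site later. The guard is a plain flag test; how `tg3_irq_sync()` orders that read against the code that later clears the flag cannot be seen from here and is worth a look. `tg3_init_one()` continues outside the hunk.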
@@ -0,0 +1,166 @@
+From 2a08124fd105787a2ee596636b879c7b2c17f46a Mon Sep 17 00:00:00 2001
+From: Nithin Nayak Sujir
+Date: Mon, 14 Jan 2013 17:11:00 +0000
+Subject: tg3: Fix crc errors on jumbo frame receive
+
+
+From: Nithin Nayak Sujir
+
+[ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ]
+
+TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy
+auxiliary control register and overwrite the EXT_PKT_LEN (bit 14) resulting
+in intermittent crc errors on jumbo frames with some link partners. Change
+the code to do a read/modify/write.
+
+Signed-off-by: Nithin Nayak Sujir
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tg3.c | 56 ++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 34 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -996,14 +996,26 @@ static int tg3_phy_auxctl_write(struct t
+ return tg3_writephy(tp, MII_TG3_AUX_CTRL, set | reg);
+ }
+
+-#define TG3_PHY_AUXCTL_SMDSP_ENABLE(tp) \
+- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
+- MII_TG3_AUXCTL_ACTL_SMDSP_ENA | \
+- MII_TG3_AUXCTL_ACTL_TX_6DB)
+-
+-#define TG3_PHY_AUXCTL_SMDSP_DISABLE(tp) \
+- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
+- MII_TG3_AUXCTL_ACTL_TX_6DB);
++static int tg3_phy_toggle_auxctl_smdsp(struct tg3 *tp, bool enable)
++{
++ u32 val;
++ int err;
++
++ err = tg3_phy_auxctl_read(tp, MII_TG3_AUXCTL_SHDWSEL_AUXCTL, &val);
++
++ if (err)
++ return err;
++ if (enable)
++
++ val |= MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
++ else
++ val &= ~MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
++
++ err = tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL,
++ val | MII_TG3_AUXCTL_ACTL_TX_6DB);
++
++ return err;
++}
+
+ static int tg3_bmcr_reset(struct tg3 *tp)
+ {
+@@ -1775,7 +1787,7 @@ static void tg3_phy_apply_otp(struct tg3
+
+ otp = tp->phy_otp;
+
+- if (TG3_PHY_AUXCTL_SMDSP_ENABLE(tp))
++ if (tg3_phy_toggle_auxctl_smdsp(tp, true))
+ return;
+
+ phy = ((otp & TG3_OTP_AGCTGT_MASK) >> TG3_OTP_AGCTGT_SHIFT);
+@@ -1800,7 +1812,7 @@ static void tg3_phy_apply_otp(struct tg3
+ ((otp & TG3_OTP_RCOFF_MASK) >> TG3_OTP_RCOFF_SHIFT);
+ tg3_phydsp_write(tp, MII_TG3_DSP_EXP97, phy);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ static void tg3_phy_eee_adjust(struct tg3 *tp, u32 current_link_up)
+@@ -1848,9 +1860,9 @@ static void tg3_phy_eee_enable(struct tg
+ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5717 ||
+ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719 ||
+ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_57765) &&
+- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, MII_TG3_DSP_TAP26, 0x0003);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ val = tr32(TG3_CPMU_EEE_MODE);
+@@ -1995,7 +2007,7 @@ static int tg3_phy_reset_5703_4_5(struct
+ (MII_TG3_CTRL_AS_MASTER |
+ MII_TG3_CTRL_ENABLE_AS_MASTER));
+
+- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
++ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
+ if (err)
+ return err;
+
+@@ -2016,7 +2028,7 @@ static int tg3_phy_reset_5703_4_5(struct
+ tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x8200);
+ tg3_writephy(tp, MII_TG3_DSP_CONTROL, 0x0000);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+
+ tg3_writephy(tp, MII_TG3_CTRL, phy9_orig);
+
+@@ -2105,10 +2117,10 @@ static int tg3_phy_reset(struct tg3 *tp)
+
+ out:
+ if ((tp->phy_flags & TG3_PHYFLG_ADC_BUG) &&
+- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, 0x201f, 0x2aaa);
+ tg3_phydsp_write(tp, 0x000a, 0x0323);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+
+ if (tp->phy_flags & TG3_PHYFLG_5704_A0_BUG) {
+@@ -2117,14 +2129,14 @@ out:
+ }
+
+ if (tp->phy_flags & TG3_PHYFLG_BER_BUG) {
+- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_phydsp_write(tp, 0x000a, 0x310b);
+ tg3_phydsp_write(tp, 0x201f, 0x9506);
+ tg3_phydsp_write(tp, 0x401f, 0x14e2);
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+ } else if (tp->phy_flags & TG3_PHYFLG_JITTER_BUG) {
+- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
++ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
+ tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x000a);
+ if (tp->phy_flags & TG3_PHYFLG_ADJUST_TRIM) {
+ tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x110b);
+@@ -2133,7 +2145,7 @@ out:
+ } else
+ tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x010b);
+
+- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ tg3_phy_toggle_auxctl_smdsp(tp, false);
+ }
+ }
+
+@@ -2981,7 +2993,7 @@ static int tg3_phy_autoneg_cfg(struct tg
+ tw32(TG3_CPMU_EEE_MODE,
+ tr32(TG3_CPMU_EEE_MODE) & ~TG3_CPMU_EEEMD_LPI_ENABLE);
+
+- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
++ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
+ if (!err) {
+ u32 err2;
+
+@@ -3008,7 +3020,7 @@ static int tg3_phy_autoneg_cfg(struct tg
+ val |= MDIO_AN_EEE_ADV_1000T;
+ err = tg3_phy_cl45_write(tp, MDIO_MMD_AN, MDIO_AN_EEE_ADV, val);
+
+- err2 = TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
++ err2 = tg3_phy_toggle_auxctl_smdsp(tp, false);
+ if (!err)
+ err = err2;
+ }
--
2.47.3
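Review bot: In the new `tg3_phy_toggle_auxctl_smdsp()` a stray blank line separates `if (enable)` from its body `val |= MII_TG3_AUXCTL_ACTL_SMDSP_ENA;`, which reads like an empty statement at first glance, and the write keeps the macro-era parentheses in `tg3_phy_auxctl_write((tp), ...)`; both should be tidied, the latter to `tg3_phy_auxctl_write(tp, ...)`. Most converted call sites also ignore the result of `tg3_phy_toggle_auxctl_smdsp(tp, false)`, so a failed read-modify-write on the disable path may leave SMDSP enabled without notice; only `tg3_phy_autoneg_cfg()` keeps it in `err2`. A short comment on the function saying that the read exists to preserve the other auxctl bits (the commit message names EXT_PKT_LEN, bit 14) would explain why a plain write is not enough.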