From 3d3bdec2bb858d29e699004b7894908c40b1a8cf Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 2 Apr 2013 14:05:15 -0700 Subject: [PATCH] 3.0-stable patches added patches: 8021q-fix-a-potential-use-after-free.patch aoe-reserve-enough-headroom-on-skbs.patch atl1e-drop-pci-msi-support-because-of-packet-corruption.patch drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch ipv6-fix-bad-free-of-addrconf_init_net.patch ks8851-fix-interpretation-of-rxlen-field.patch net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch sky2-receive-overflows-not-counted.patch sky2-threshold-for-pause-packet-is-set-wrong.patch smsc75xx-fix-jumbo-frame-support.patch tcp-preserve-ack-clocking-in-tso.patch tcp-undo-spurious-timeout-after-sack-reneging.patch thermal-shorten-too-long-mcast-group-name.patch unix-fix-a-race-condition-in-unix_release.patch --- ...8021q-fix-a-potential-use-after-free.patch | 56 ++++++++ .../aoe-reserve-enough-headroom-on-skbs.patch | 42 ++++++ ...support-because-of-packet-corruption.patch | 75 +++++++++++ ...wake_queue-while-restarting-tx-queue.patch | 31 +++++ ...v6-fix-bad-free-of-addrconf_init_net.patch | 56 ++++++++ ...51-fix-interpretation-of-rxlen-field.patch | 38 ++++++ ..._net-in-netdev_rx_handler_unregister.patch | 127 ++++++++++++++++++ ...x-ip_summed-checksum-reporting-on-rx.patch | 36 +++++ queue-3.0/series | 15 +++ .../sky2-receive-overflows-not-counted.patch | 37 +++++ ...eshold-for-pause-packet-is-set-wrong.patch | 35 +++++ .../smsc75xx-fix-jumbo-frame-support.patch | 63 +++++++++ .../tcp-preserve-ack-clocking-in-tso.patch | 88 ++++++++++++ ...spurious-timeout-after-sack-reneging.patch | 40 ++++++ ...al-shorten-too-long-mcast-group-name.patch | 44 ++++++ ...fix-a-race-condition-in-unix_release.patch | 66 +++++++++ 16 files changed, 849 insertions(+) create mode 100644 queue-3.0/8021q-fix-a-potential-use-after-free.patch create mode 100644 queue-3.0/aoe-reserve-enough-headroom-on-skbs.patch create mode 100644 queue-3.0/atl1e-drop-pci-msi-support-because-of-packet-corruption.patch create mode 100644 queue-3.0/drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch create mode 100644 queue-3.0/ipv6-fix-bad-free-of-addrconf_init_net.patch create mode 100644 queue-3.0/ks8851-fix-interpretation-of-rxlen-field.patch create mode 100644 queue-3.0/net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch create mode 100644 queue-3.0/pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch create mode 100644 queue-3.0/sky2-receive-overflows-not-counted.patch create mode 100644 queue-3.0/sky2-threshold-for-pause-packet-is-set-wrong.patch create mode 100644 queue-3.0/smsc75xx-fix-jumbo-frame-support.patch create mode 100644 queue-3.0/tcp-preserve-ack-clocking-in-tso.patch create mode 100644 queue-3.0/tcp-undo-spurious-timeout-after-sack-reneging.patch create mode 100644 queue-3.0/thermal-shorten-too-long-mcast-group-name.patch create mode 100644 queue-3.0/unix-fix-a-race-condition-in-unix_release.patch diff --git a/queue-3.0/8021q-fix-a-potential-use-after-free.patch b/queue-3.0/8021q-fix-a-potential-use-after-free.patch new file mode 100644 index 00000000000..e889dee4d12 --- /dev/null +++ b/queue-3.0/8021q-fix-a-potential-use-after-free.patch @@ -0,0 +1,56 @@ +From 5df252fbe8f672a24dc75dc5ce5d0c5f8532f105 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Fri, 22 Mar 2013 19:14:07 +0000 +Subject: 8021q: fix a potential use-after-free + + +From: Cong Wang + +[ Upstream commit 4a7df340ed1bac190c124c1601bfc10cde9fb4fb ] + +vlan_vid_del() could possibly free ->vlan_info after a RCU grace +period, however, we may still refer to the freed memory area +by 'grp' pointer. Found by code inspection. + +This patch moves vlan_vid_del() as behind as possible. + +Cc: Patrick McHardy +Cc: "David S. Miller" +Signed-off-by: Cong Wang +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -108,13 +108,6 @@ void unregister_vlan_dev(struct net_devi + grp = rtnl_dereference(real_dev->vlgrp); + BUG_ON(!grp); + +- /* Take it out of our own structures, but be sure to interlock with +- * HW accelerating devices or SW vlan input packet processing if +- * VLAN is not 0 (leave it there for 802.1p). +- */ +- if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER)) +- ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id); +- + grp->nr_vlans--; + + if (vlan->flags & VLAN_FLAG_GVRP) +@@ -139,6 +132,13 @@ void unregister_vlan_dev(struct net_devi + call_rcu(&grp->rcu, vlan_rcu_free); + } + ++ /* Take it out of our own structures, but be sure to interlock with ++ * HW accelerating devices or SW vlan input packet processing if ++ * VLAN is not 0 (leave it there for 802.1p). ++ */ ++ if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER)) ++ ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id); ++ + /* Get rid of the vlan's reference to real_dev */ + dev_put(real_dev); + } diff --git a/queue-3.0/aoe-reserve-enough-headroom-on-skbs.patch b/queue-3.0/aoe-reserve-enough-headroom-on-skbs.patch new file mode 100644 index 00000000000..e38fa576d5d --- /dev/null +++ b/queue-3.0/aoe-reserve-enough-headroom-on-skbs.patch @@ -0,0 +1,42 @@ +From 38622c1b4d825bbeaf90133681b1563209db3cd7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 27 Mar 2013 18:28:41 +0000 +Subject: aoe: reserve enough headroom on skbs + + +From: Eric Dumazet + +[ Upstream commit 91c5746425aed8f7188a351f1224a26aa232e4b3 ] + +Some network drivers use a non default hard_header_len + +Transmitted skb should take into account dev->hard_header_len, or risk +crashes or expensive reallocations. + +In the case of aoe, lets reserve MAX_HEADER bytes. + +David reported a crash in defxx driver, solved by this patch. + +Reported-by: David Oostdyk +Tested-by: David Oostdyk +Signed-off-by: Eric Dumazet +Cc: Ed Cashin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/aoe/aoecmd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -30,8 +30,9 @@ new_skb(ulong len) + { + struct sk_buff *skb; + +- skb = alloc_skb(len, GFP_ATOMIC); ++ skb = alloc_skb(len + MAX_HEADER, GFP_ATOMIC); + if (skb) { ++ skb_reserve(skb, MAX_HEADER); + skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb->protocol = __constant_htons(ETH_P_AOE); diff --git a/queue-3.0/atl1e-drop-pci-msi-support-because-of-packet-corruption.patch b/queue-3.0/atl1e-drop-pci-msi-support-because-of-packet-corruption.patch new file mode 100644 index 00000000000..846ed23aeb7 --- /dev/null +++ b/queue-3.0/atl1e-drop-pci-msi-support-because-of-packet-corruption.patch @@ -0,0 +1,75 @@ +From 780e8f21d300ad098fd365d1ee4cd7d39da8d40d Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Thu, 28 Mar 2013 18:10:50 +0000 +Subject: atl1e: drop pci-msi support because of packet corruption + + +From: Mugunthan V N + +[ Upstream commit 188ab1b105c96656f6bcfb49d0d8bb1b1936b632 ] + +Usage of pci-msi results in corrupted dma packet transfers to the host. + +Reported-by: rebelyouth +Cc: Huang, Xiong +Tested-by: Christian Sünkenberg +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/atl1e/atl1e.h | 1 - + drivers/net/atl1e/atl1e_main.c | 22 ++-------------------- + 2 files changed, 2 insertions(+), 21 deletions(-) + +--- a/drivers/net/atl1e/atl1e.h ++++ b/drivers/net/atl1e/atl1e.h +@@ -439,7 +439,6 @@ struct atl1e_adapter { + struct atl1e_hw hw; + struct atl1e_hw_stats hw_stats; + +- bool have_msi; + u32 wol; + u16 link_speed; + u16 link_duplex; +--- a/drivers/net/atl1e/atl1e_main.c ++++ b/drivers/net/atl1e/atl1e_main.c +@@ -1848,37 +1848,19 @@ static void atl1e_free_irq(struct atl1e_ + struct net_device *netdev = adapter->netdev; + + free_irq(adapter->pdev->irq, netdev); +- +- if (adapter->have_msi) +- pci_disable_msi(adapter->pdev); + } + + static int atl1e_request_irq(struct atl1e_adapter *adapter) + { + struct pci_dev *pdev = adapter->pdev; + struct net_device *netdev = adapter->netdev; +- int flags = 0; + int err = 0; + +- adapter->have_msi = true; +- err = pci_enable_msi(adapter->pdev); +- if (err) { +- netdev_dbg(adapter->netdev, +- "Unable to allocate MSI interrupt Error: %d\n", err); +- adapter->have_msi = false; +- } else +- netdev->irq = pdev->irq; +- +- +- if (!adapter->have_msi) +- flags |= IRQF_SHARED; +- err = request_irq(adapter->pdev->irq, atl1e_intr, flags, +- netdev->name, netdev); ++ err = request_irq(pdev->irq, atl1e_intr, IRQF_SHARED, ++ netdev->name, netdev); + if (err) { + netdev_dbg(adapter->netdev, + "Unable to allocate interrupt Error: %d\n", err); +- if (adapter->have_msi) +- pci_disable_msi(adapter->pdev); + return err; + } + netdev_dbg(adapter->netdev, "atl1e_request_irq OK\n"); diff --git a/queue-3.0/drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch b/queue-3.0/drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch new file mode 100644 index 00000000000..75e481d6373 --- /dev/null +++ b/queue-3.0/drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch @@ -0,0 +1,31 @@ +From 90617597c88aa3e6dc0600657e8d4f31f09c6ef7 Mon Sep 17 00:00:00 2001 +From: Mugunthan V N +Date: Wed, 27 Mar 2013 04:42:00 +0000 +Subject: drivers: net: ethernet: davinci_emac: use netif_wake_queue() while restarting tx queue + + +To restart tx queue use netif_wake_queue() intead of netif_start_queue() +so that net schedule will restart transmission immediately which will +increase network performance while doing huge data transfers. + +Reported-by: Dan Franke +Suggested-by: Sriramakrishnan A G +Signed-off-by: Mugunthan V N +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/davinci_emac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/davinci_emac.c ++++ b/drivers/net/davinci_emac.c +@@ -1049,7 +1049,7 @@ static void emac_tx_handler(void *token, + struct net_device *ndev = skb->dev; + + if (unlikely(netif_queue_stopped(ndev))) +- netif_start_queue(ndev); ++ netif_wake_queue(ndev); + ndev->stats.tx_packets++; + ndev->stats.tx_bytes += len; + dev_kfree_skb_any(skb); diff --git a/queue-3.0/ipv6-fix-bad-free-of-addrconf_init_net.patch b/queue-3.0/ipv6-fix-bad-free-of-addrconf_init_net.patch new file mode 100644 index 00000000000..6fa62568549 --- /dev/null +++ b/queue-3.0/ipv6-fix-bad-free-of-addrconf_init_net.patch @@ -0,0 +1,56 @@ +From afd992e36043604fa58c218041380445215cfee4 Mon Sep 17 00:00:00 2001 +From: Hong Zhiguo +Date: Tue, 26 Mar 2013 01:52:45 +0800 +Subject: ipv6: fix bad free of addrconf_init_net + + +From: Hong Zhiguo + +[ Upstream commit a79ca223e029aa4f09abb337accf1812c900a800 ] + +Signed-off-by: Hong Zhiguo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -4553,26 +4553,20 @@ static void addrconf_sysctl_unregister(s + + static int __net_init addrconf_init_net(struct net *net) + { +- int err; ++ int err = -ENOMEM; + struct ipv6_devconf *all, *dflt; + +- err = -ENOMEM; +- all = &ipv6_devconf; +- dflt = &ipv6_devconf_dflt; ++ all = kmemdup(&ipv6_devconf, sizeof(ipv6_devconf), GFP_KERNEL); ++ if (all == NULL) ++ goto err_alloc_all; + +- if (!net_eq(net, &init_net)) { +- all = kmemdup(all, sizeof(ipv6_devconf), GFP_KERNEL); +- if (all == NULL) +- goto err_alloc_all; ++ dflt = kmemdup(&ipv6_devconf_dflt, sizeof(ipv6_devconf_dflt), GFP_KERNEL); ++ if (dflt == NULL) ++ goto err_alloc_dflt; + +- dflt = kmemdup(dflt, sizeof(ipv6_devconf_dflt), GFP_KERNEL); +- if (dflt == NULL) +- goto err_alloc_dflt; +- } else { +- /* these will be inherited by all namespaces */ +- dflt->autoconf = ipv6_defaults.autoconf; +- dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; +- } ++ /* these will be inherited by all namespaces */ ++ dflt->autoconf = ipv6_defaults.autoconf; ++ dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; + + net->ipv6.devconf_all = all; + net->ipv6.devconf_dflt = dflt; diff --git a/queue-3.0/ks8851-fix-interpretation-of-rxlen-field.patch b/queue-3.0/ks8851-fix-interpretation-of-rxlen-field.patch new file mode 100644 index 00000000000..85cfbb2da00 --- /dev/null +++ b/queue-3.0/ks8851-fix-interpretation-of-rxlen-field.patch @@ -0,0 +1,38 @@ +From f9e8a1730f84e1d3ec369a20cc23019296f2e95d Mon Sep 17 00:00:00 2001 +From: "Max.Nekludov@us.elster.com" +Date: Fri, 29 Mar 2013 05:27:36 +0000 +Subject: ks8851: Fix interpretation of rxlen field. + + +From: "Max.Nekludov@us.elster.com" + +[ Upstream commit 14bc435ea54cb888409efb54fc6b76c13ef530e9 ] + +According to the Datasheet (page 52): +15-12 Reserved +11-0 RXBC Receive Byte Count +This field indicates the present received frame byte size. + +The code has a bug: + rxh = ks8851_rdreg32(ks, KS_RXFHSR); + rxstat = rxh & 0xffff; + rxlen = rxh >> 16; // BUG!!! 0xFFF mask should be applied + +Signed-off-by: Max Nekludov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ks8851.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ks8851.c ++++ b/drivers/net/ks8851.c +@@ -489,7 +489,7 @@ static void ks8851_rx_pkts(struct ks8851 + for (; rxfc != 0; rxfc--) { + rxh = ks8851_rdreg32(ks, KS_RXFHSR); + rxstat = rxh & 0xffff; +- rxlen = rxh >> 16; ++ rxlen = (rxh >> 16) & 0xfff; + + netif_dbg(ks, rx_status, ks->netdev, + "rx: stat 0x%04x, len 0x%04x\n", rxstat, rxlen); diff --git a/queue-3.0/net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch b/queue-3.0/net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch new file mode 100644 index 00000000000..0dd9546685a --- /dev/null +++ b/queue-3.0/net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch @@ -0,0 +1,127 @@ +From f7417bbd93aa80dbd313f4ef0202572cb3fb48bc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 29 Mar 2013 03:01:22 +0000 +Subject: net: add a synchronize_net() in netdev_rx_handler_unregister() + + +From: Eric Dumazet + +[ Upstream commit 00cfec37484761a44a3b6f4675a54caa618210ae ] + +commit 35d48903e97819 (bonding: fix rx_handler locking) added a race +in bonding driver, reported by Steven Rostedt who did a very good +diagnosis : + + + +I'm currently debugging a crash in an old 3.0-rt kernel that one of our +customers is seeing. The bug happens with a stress test that loads and +unloads the bonding module in a loop (I don't know all the details as +I'm not the one that is directly interacting with the customer). But the +bug looks to be something that may still be present and possibly present +in mainline too. It will just be much harder to trigger it in mainline. + +In -rt, interrupts are threads, and can schedule in and out just like +any other thread. Note, mainline now supports interrupt threads so this +may be easily reproducible in mainline as well. I don't have the ability +to tell the customer to try mainline or other kernels, so my hands are +somewhat tied to what I can do. + +But according to a core dump, I tracked down that the eth irq thread +crashed in bond_handle_frame() here: + + slave = bond_slave_get_rcu(skb->dev); + bond = slave->bond; <--- BUG + +the slave returned was NULL and accessing slave->bond caused a NULL +pointer dereference. + +Looking at the code that unregisters the handler: + +void netdev_rx_handler_unregister(struct net_device *dev) +{ + + ASSERT_RTNL(); + RCU_INIT_POINTER(dev->rx_handler, NULL); + RCU_INIT_POINTER(dev->rx_handler_data, NULL); +} + +Which is basically: + dev->rx_handler = NULL; + dev->rx_handler_data = NULL; + +And looking at __netif_receive_skb() we have: + + rx_handler = rcu_dereference(skb->dev->rx_handler); + if (rx_handler) { + if (pt_prev) { + ret = deliver_skb(skb, pt_prev, orig_dev); + pt_prev = NULL; + } + switch (rx_handler(&skb)) { + +My question to all of you is, what stops this interrupt from happening +while the bonding module is unloading? What happens if the interrupt +triggers and we have this: + + CPU0 CPU1 + ---- ---- + rx_handler = skb->dev->rx_handler + + netdev_rx_handler_unregister() { + dev->rx_handler = NULL; + dev->rx_handler_data = NULL; + + rx_handler() + bond_handle_frame() { + slave = skb->dev->rx_handler; + bond = slave->bond; <-- NULL pointer dereference!!! + +What protection am I missing in the bond release handler that would +prevent the above from happening? + + + +We can fix bug this in two ways. First is adding a test in +bond_handle_frame() and others to check if rx_handler_data is NULL. + +A second way is adding a synchronize_net() in +netdev_rx_handler_unregister() to make sure that a rcu protected reader +has the guarantee to see a non NULL rx_handler_data. + +The second way is better as it avoids an extra test in fast path. + +Reported-by: Steven Rostedt +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Cc: Paul E. McKenney +Acked-by: Steven Rostedt +Reviewed-by: Paul E. McKenney +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3070,6 +3070,7 @@ int netdev_rx_handler_register(struct ne + if (dev->rx_handler) + return -EBUSY; + ++ /* Note: rx_handler_data must be set before rx_handler */ + rcu_assign_pointer(dev->rx_handler_data, rx_handler_data); + rcu_assign_pointer(dev->rx_handler, rx_handler); + +@@ -3090,6 +3091,11 @@ void netdev_rx_handler_unregister(struct + + ASSERT_RTNL(); + rcu_assign_pointer(dev->rx_handler, NULL); ++ /* a reader seeing a non NULL rx_handler in a rcu_read_lock() ++ * section has a guarantee to see a non NULL rx_handler_data ++ * as well. ++ */ ++ synchronize_net(); + rcu_assign_pointer(dev->rx_handler_data, NULL); + } + EXPORT_SYMBOL_GPL(netdev_rx_handler_unregister); diff --git a/queue-3.0/pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch b/queue-3.0/pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch new file mode 100644 index 00000000000..86cc02c1a6a --- /dev/null +++ b/queue-3.0/pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch @@ -0,0 +1,36 @@ +From a16495417dc88a4f3671140460dfb1d14dae17bd Mon Sep 17 00:00:00 2001 +From: Veaceslav Falico +Date: Mon, 25 Mar 2013 22:26:21 +0000 +Subject: pch_gbe: fix ip_summed checksum reporting on rx + + +From: Veaceslav Falico + +[ Upstream commit 76a0e68129d7d24eb995a6871ab47081bbfa0acc ] + +skb->ip_summed should be CHECKSUM_UNNECESSARY when the driver reports that +checksums were correct and CHECKSUM_NONE in any other case. They're +currently placed vice versa, which breaks the forwarding scenario. Fix it +by placing them as described above. + +Signed-off-by: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/pch_gbe/pch_gbe_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/pch_gbe/pch_gbe_main.c +@@ -1509,9 +1509,9 @@ pch_gbe_clean_rx(struct pch_gbe_adapter + skb_put(skb, length); + skb->protocol = eth_type_trans(skb, netdev); + if (tcp_ip_status & PCH_GBE_RXD_ACC_STAT_TCPIPOK) +- skb->ip_summed = CHECKSUM_NONE; +- else + skb->ip_summed = CHECKSUM_UNNECESSARY; ++ else ++ skb->ip_summed = CHECKSUM_NONE; + + napi_gro_receive(&adapter->napi, skb); + (*work_done)++; diff --git a/queue-3.0/series b/queue-3.0/series index 434abb1807f..c7effca753f 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -38,3 +38,18 @@ efivars-handle-duplicate-names-from-get_next_variable.patch ext4-use-atomic64_t-for-the-per-flexbg-free_clusters-count.patch tracing-protect-tracer-flags-with-trace_types_lock.patch tracing-prevent-buffer-overwrite-disabled-for-latency-tracers.patch +sky2-receive-overflows-not-counted.patch +sky2-threshold-for-pause-packet-is-set-wrong.patch +tcp-preserve-ack-clocking-in-tso.patch +tcp-undo-spurious-timeout-after-sack-reneging.patch +8021q-fix-a-potential-use-after-free.patch +thermal-shorten-too-long-mcast-group-name.patch +unix-fix-a-race-condition-in-unix_release.patch +aoe-reserve-enough-headroom-on-skbs.patch +drivers-net-ethernet-davinci_emac-use-netif_wake_queue-while-restarting-tx-queue.patch +atl1e-drop-pci-msi-support-because-of-packet-corruption.patch +ipv6-fix-bad-free-of-addrconf_init_net.patch +ks8851-fix-interpretation-of-rxlen-field.patch +net-add-a-synchronize_net-in-netdev_rx_handler_unregister.patch +pch_gbe-fix-ip_summed-checksum-reporting-on-rx.patch +smsc75xx-fix-jumbo-frame-support.patch diff --git a/queue-3.0/sky2-receive-overflows-not-counted.patch b/queue-3.0/sky2-receive-overflows-not-counted.patch new file mode 100644 index 00000000000..b88e4487734 --- /dev/null +++ b/queue-3.0/sky2-receive-overflows-not-counted.patch @@ -0,0 +1,37 @@ +From 4bb61ea70ccff82a239f6e99858935d6fdef2721 Mon Sep 17 00:00:00 2001 +From: Mirko Lindner +Date: Tue, 26 Mar 2013 06:38:35 +0000 +Subject: sky2: Receive Overflows not counted + + +From: Mirko Lindner + +[ Upstream commit 9cfe8b156c21cf340b3a10ecb3022fbbc1c39185 ] + +The sky2 driver doesn't count the Receive Overflows because the MAC +interrupt for this event is not set in the MAC's interrupt mask. +The MAC's interrupt mask is set only for Transmit FIFO Underruns. + +Fix: The correct setting should be (GM_IS_TX_FF_UR | GM_IS_RX_FF_OR) +Otherwise the Receive Overflow event will not generate any interrupt. +The Receive Overflow interrupt is handled correctly + +Signed-off-by: Mirko Lindner +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/sky2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/sky2.h ++++ b/drivers/net/sky2.h +@@ -2064,7 +2064,7 @@ enum { + GM_IS_RX_FF_OR = 1<<1, /* Receive FIFO Overrun */ + GM_IS_RX_COMPL = 1<<0, /* Frame Reception Complete */ + +-#define GMAC_DEF_MSK GM_IS_TX_FF_UR ++#define GMAC_DEF_MSK (GM_IS_TX_FF_UR | GM_IS_RX_FF_OR) + }; + + /* GMAC_LINK_CTRL 16 bit GMAC Link Control Reg (YUKON only) */ diff --git a/queue-3.0/sky2-threshold-for-pause-packet-is-set-wrong.patch b/queue-3.0/sky2-threshold-for-pause-packet-is-set-wrong.patch new file mode 100644 index 00000000000..e0b2cb49e55 --- /dev/null +++ b/queue-3.0/sky2-threshold-for-pause-packet-is-set-wrong.patch @@ -0,0 +1,35 @@ +From a75335578dc9887ffde563ae72c9f92bac5f1b31 Mon Sep 17 00:00:00 2001 +From: Mirko Lindner +Date: Tue, 26 Mar 2013 06:38:42 +0000 +Subject: sky2: Threshold for Pause Packet is set wrong + + +From: Mirko Lindner + +[ Upstream commit 74f9f42c1c1650e74fb464f76644c9041f996851 ] + +The sky2 driver sets the Rx Upper Threshold for Pause Packet generation to a +wrong value which leads to only 2kB of RAM remaining space. This can lead to +Rx overflow errors even with activated flow-control. + +Fix: We should increase the value to 8192/8 + +Signed-off-by: Mirko Lindner +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/sky2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/sky2.c ++++ b/drivers/net/sky2.c +@@ -992,7 +992,7 @@ static void sky2_ramset(struct sky2_hw * + sky2_write32(hw, RB_ADDR(q, RB_RX_UTHP), tp); + sky2_write32(hw, RB_ADDR(q, RB_RX_LTHP), space/2); + +- tp = space - 2048/8; ++ tp = space - 8192/8; + sky2_write32(hw, RB_ADDR(q, RB_RX_UTPP), tp); + sky2_write32(hw, RB_ADDR(q, RB_RX_LTPP), space/4); + } else { diff --git a/queue-3.0/smsc75xx-fix-jumbo-frame-support.patch b/queue-3.0/smsc75xx-fix-jumbo-frame-support.patch new file mode 100644 index 00000000000..07b41e3e3c4 --- /dev/null +++ b/queue-3.0/smsc75xx-fix-jumbo-frame-support.patch @@ -0,0 +1,63 @@ +From 8f63c8d369d596c2221ef73a05f766bce9a34cb8 Mon Sep 17 00:00:00 2001 +From: Steve Glendinning +Date: Thu, 28 Mar 2013 02:34:41 +0000 +Subject: smsc75xx: fix jumbo frame support + + +From: Steve Glendinning + +[ Upstream commit 4c51e53689569398d656e631c17308d9b8e84650 ] + +This patch enables RX of jumbo frames for LAN7500. + +Previously the driver would transmit jumbo frames succesfully but +would drop received jumbo frames (incrementing the interface errors +count). + +With this patch applied the device can succesfully receive jumbo +frames up to MTU 9000 (9014 bytes on the wire including ethernet +header). + +Signed-off-by: Steve Glendinning +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/smsc75xx.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -719,8 +719,12 @@ static int smsc75xx_set_rx_max_frame_len + static int smsc75xx_change_mtu(struct net_device *netdev, int new_mtu) + { + struct usbnet *dev = netdev_priv(netdev); ++ int ret; ++ ++ if (new_mtu > MAX_SINGLE_PACKET_SIZE) ++ return -EINVAL; + +- int ret = smsc75xx_set_rx_max_frame_length(dev, new_mtu); ++ ret = smsc75xx_set_rx_max_frame_length(dev, new_mtu + ETH_HLEN); + check_warn_return(ret, "Failed to set mac rx frame length"); + + return usbnet_change_mtu(netdev, new_mtu); +@@ -964,7 +968,7 @@ static int smsc75xx_reset(struct usbnet + + netif_dbg(dev, ifup, dev->net, "FCT_TX_CTL set to 0x%08x", buf); + +- ret = smsc75xx_set_rx_max_frame_length(dev, 1514); ++ ret = smsc75xx_set_rx_max_frame_length(dev, dev->net->mtu + ETH_HLEN); + check_warn_return(ret, "Failed to set max rx frame length"); + + ret = smsc75xx_read_reg(dev, MAC_RX, &buf); +@@ -1108,8 +1112,8 @@ static int smsc75xx_rx_fixup(struct usbn + else if (rx_cmd_a & (RX_CMD_A_LONG | RX_CMD_A_RUNT)) + dev->net->stats.rx_frame_errors++; + } else { +- /* ETH_FRAME_LEN + 4(CRC) + 2(COE) + 4(Vlan) */ +- if (unlikely(size > (ETH_FRAME_LEN + 12))) { ++ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ ++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x", rx_cmd_a); + return 0; diff --git a/queue-3.0/tcp-preserve-ack-clocking-in-tso.patch b/queue-3.0/tcp-preserve-ack-clocking-in-tso.patch new file mode 100644 index 00000000000..9abe036314b --- /dev/null +++ b/queue-3.0/tcp-preserve-ack-clocking-in-tso.patch @@ -0,0 +1,88 @@ +From be21fd47c74ce56ad8ca52f1e784f0d3727026b0 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 21 Mar 2013 17:36:09 +0000 +Subject: tcp: preserve ACK clocking in TSO + + +From: Eric Dumazet + +[ Upstream commit f4541d60a449afd40448b06496dcd510f505928e ] + +A long standing problem with TSO is the fact that tcp_tso_should_defer() +rearms the deferred timer, while it should not. + +Current code leads to following bad bursty behavior : + +20:11:24.484333 IP A > B: . 297161:316921(19760) ack 1 win 119 +20:11:24.484337 IP B > A: . ack 263721 win 1117 +20:11:24.485086 IP B > A: . ack 265241 win 1117 +20:11:24.485925 IP B > A: . ack 266761 win 1117 +20:11:24.486759 IP B > A: . ack 268281 win 1117 +20:11:24.487594 IP B > A: . ack 269801 win 1117 +20:11:24.488430 IP B > A: . ack 271321 win 1117 +20:11:24.489267 IP B > A: . ack 272841 win 1117 +20:11:24.490104 IP B > A: . ack 274361 win 1117 +20:11:24.490939 IP B > A: . ack 275881 win 1117 +20:11:24.491775 IP B > A: . ack 277401 win 1117 +20:11:24.491784 IP A > B: . 316921:332881(15960) ack 1 win 119 +20:11:24.492620 IP B > A: . ack 278921 win 1117 +20:11:24.493448 IP B > A: . ack 280441 win 1117 +20:11:24.494286 IP B > A: . ack 281961 win 1117 +20:11:24.495122 IP B > A: . ack 283481 win 1117 +20:11:24.495958 IP B > A: . ack 285001 win 1117 +20:11:24.496791 IP B > A: . ack 286521 win 1117 +20:11:24.497628 IP B > A: . ack 288041 win 1117 +20:11:24.498459 IP B > A: . ack 289561 win 1117 +20:11:24.499296 IP B > A: . ack 291081 win 1117 +20:11:24.500133 IP B > A: . ack 292601 win 1117 +20:11:24.500970 IP B > A: . ack 294121 win 1117 +20:11:24.501388 IP B > A: . ack 295641 win 1117 +20:11:24.501398 IP A > B: . 332881:351881(19000) ack 1 win 119 + +While the expected behavior is more like : + +20:19:49.259620 IP A > B: . 197601:202161(4560) ack 1 win 119 +20:19:49.260446 IP B > A: . ack 154281 win 1212 +20:19:49.261282 IP B > A: . ack 155801 win 1212 +20:19:49.262125 IP B > A: . ack 157321 win 1212 +20:19:49.262136 IP A > B: . 202161:206721(4560) ack 1 win 119 +20:19:49.262958 IP B > A: . ack 158841 win 1212 +20:19:49.263795 IP B > A: . ack 160361 win 1212 +20:19:49.264628 IP B > A: . ack 161881 win 1212 +20:19:49.264637 IP A > B: . 206721:211281(4560) ack 1 win 119 +20:19:49.265465 IP B > A: . ack 163401 win 1212 +20:19:49.265886 IP B > A: . ack 164921 win 1212 +20:19:49.266722 IP B > A: . ack 166441 win 1212 +20:19:49.266732 IP A > B: . 211281:215841(4560) ack 1 win 119 +20:19:49.267559 IP B > A: . ack 167961 win 1212 +20:19:49.268394 IP B > A: . ack 169481 win 1212 +20:19:49.269232 IP B > A: . ack 171001 win 1212 +20:19:49.269241 IP A > B: . 215841:221161(5320) ack 1 win 119 + +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Cc: Van Jacobson +Cc: Neal Cardwell +Cc: Nandita Dukkipati +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1579,8 +1579,11 @@ static int tcp_tso_should_defer(struct s + goto send_now; + } + +- /* Ok, it looks like it is advisable to defer. */ +- tp->tso_deferred = 1 | (jiffies << 1); ++ /* Ok, it looks like it is advisable to defer. ++ * Do not rearm the timer if already set to not break TCP ACK clocking. ++ */ ++ if (!tp->tso_deferred) ++ tp->tso_deferred = 1 | (jiffies << 1); + + return 1; + diff --git a/queue-3.0/tcp-undo-spurious-timeout-after-sack-reneging.patch b/queue-3.0/tcp-undo-spurious-timeout-after-sack-reneging.patch new file mode 100644 index 00000000000..1dba6d4a834 --- /dev/null +++ b/queue-3.0/tcp-undo-spurious-timeout-after-sack-reneging.patch @@ -0,0 +1,40 @@ +From 7218906669c7a4ca1d16fcafbb54e40e9fa21004 Mon Sep 17 00:00:00 2001 +From: Yuchung Cheng +Date: Sun, 24 Mar 2013 10:42:25 +0000 +Subject: tcp: undo spurious timeout after SACK reneging + + +From: Yuchung Cheng + +[ Upstream commit 7ebe183c6d444ef5587d803b64a1f4734b18c564 ] + +On SACK reneging the sender immediately retransmits and forces a +timeout but disables Eifel (undo). If the (buggy) receiver does not +drop any packet this can trigger a false slow-start retransmit storm +driven by the ACKs of the original packets. This can be detected with +undo and TCP timestamps. + +Signed-off-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2244,11 +2244,8 @@ void tcp_enter_loss(struct sock *sk, int + if (tcp_is_reno(tp)) + tcp_reset_reno_sack(tp); + +- if (!how) { +- /* Push undo marker, if it was plain RTO and nothing +- * was retransmitted. */ +- tp->undo_marker = tp->snd_una; +- } else { ++ tp->undo_marker = tp->snd_una; ++ if (how) { + tp->sacked_out = 0; + tp->fackets_out = 0; + } diff --git a/queue-3.0/thermal-shorten-too-long-mcast-group-name.patch b/queue-3.0/thermal-shorten-too-long-mcast-group-name.patch new file mode 100644 index 00000000000..7503d18e799 --- /dev/null +++ b/queue-3.0/thermal-shorten-too-long-mcast-group-name.patch @@ -0,0 +1,44 @@ +From 35bddc8f1f1d4cae26e6aa645e14f3e01785c858 Mon Sep 17 00:00:00 2001 +From: Masatake YAMATO +Date: Mon, 1 Apr 2013 14:50:40 -0400 +Subject: thermal: shorten too long mcast group name + + +From: Masatake YAMATO + +[ Upstream commits 73214f5d9f33b79918b1f7babddd5c8af28dd23d + and f1e79e208076ffe7bad97158275f1c572c04f5c7, the latter + adds an assertion to genetlink to prevent this from happening + again in the future. ] + +The original name is too long. + +Signed-off-by: Masatake YAMATO +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/thermal.h | 2 +- + net/netlink/genetlink.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/thermal.h ++++ b/include/linux/thermal.h +@@ -130,7 +130,7 @@ struct thermal_zone_device { + /* Adding event notification support elements */ + #define THERMAL_GENL_FAMILY_NAME "thermal_event" + #define THERMAL_GENL_VERSION 0x01 +-#define THERMAL_GENL_MCAST_GROUP_NAME "thermal_mc_group" ++#define THERMAL_GENL_MCAST_GROUP_NAME "thermal_mc_grp" + + enum events { + THERMAL_AUX0, +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -134,6 +134,7 @@ int genl_register_mc_group(struct genl_f + int err = 0; + + BUG_ON(grp->name[0] == '\0'); ++ BUG_ON(memchr(grp->name, '\0', GENL_NAMSIZ) == NULL); + + genl_lock(); + diff --git a/queue-3.0/unix-fix-a-race-condition-in-unix_release.patch b/queue-3.0/unix-fix-a-race-condition-in-unix_release.patch new file mode 100644 index 00000000000..3c0a6c1aef1 --- /dev/null +++ b/queue-3.0/unix-fix-a-race-condition-in-unix_release.patch @@ -0,0 +1,66 @@ +From 12e64573e10a351a21cbb3754be31bce4df1785f Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 25 Mar 2013 03:18:33 +0000 +Subject: unix: fix a race condition in unix_release() + + +From: Paul Moore + +[ Upstream commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0 ] + +As reported by Jan, and others over the past few years, there is a +race condition caused by unix_release setting the sock->sk pointer +to NULL before properly marking the socket as dead/orphaned. This +can cause a problem with the LSM hook security_unix_may_send() if +there is another socket attempting to write to this partially +released socket in between when sock->sk is set to NULL and it is +marked as dead/orphaned. This patch fixes this by only setting +sock->sk to NULL after the socket has been marked as dead; I also +take the opportunity to make unix_release_sock() a void function +as it only ever returned 0/success. + +Dave, I think this one should go on the -stable pile. + +Special thanks to Jan for coming up with a reproducer for this +problem. + +Reported-by: Jan Stancek +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -371,7 +371,7 @@ static void unix_sock_destructor(struct + #endif + } + +-static int unix_release_sock(struct sock *sk, int embrion) ++static void unix_release_sock(struct sock *sk, int embrion) + { + struct unix_sock *u = unix_sk(sk); + struct dentry *dentry; +@@ -444,8 +444,6 @@ static int unix_release_sock(struct sock + + if (unix_tot_inflight) + unix_gc(); /* Garbage collect fds */ +- +- return 0; + } + + static void init_peercred(struct sock *sk) +@@ -682,9 +680,10 @@ static int unix_release(struct socket *s + if (!sk) + return 0; + ++ unix_release_sock(sk, 0); + sock->sk = NULL; + +- return unix_release_sock(sk, 0); ++ return 0; + } + + static int unix_autobind(struct socket *sock) -- 2.47.3