From e3f3ff252788309609da6d7cd18edea5e293555f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 25 Apr 2008 18:08:06 -0700 Subject: [PATCH] .25 networking patches --- ...catch-22-with-algorithm-ids-above-31.patch | 83 ++++++++++++ ...etation-of-some-copy_to_user-results.patch | 60 +++++++++ ...eased-before-returning-to-user-space.patch | 58 ++++++++ ...etlink-fix-bogus-assert_rtnl-warning.patch | 69 ++++++++++ queue-2.6.25/series | 7 + ...st-threshold-from-3-to-tp-reordering.patch | 42 ++++++ ...-overflow-and-incorrect-return-value.patch | 59 +++++++++ .../tg3-5701-dma-corruption-fix.patch | 125 ++++++++++++++++++ 8 files changed, 503 insertions(+) create mode 100644 queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch create mode 100644 queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch create mode 100644 queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch create mode 100644 queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch create mode 100644 queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch create mode 100644 queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch create mode 100644 queue-2.6.25/tg3-5701-dma-corruption-fix.patch diff --git a/queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch b/queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch new file mode 100644 index 00000000000..2dfcfd03367 --- /dev/null +++ b/queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch @@ -0,0 +1,83 @@ +From 26e2b0a9f7064ac9e6169a61c60e18e12a5dd0f6 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 25 Apr 2008 01:41:47 -0700 +Subject: IPSEC: Fix catch-22 with algorithm IDs above 31 + +From: Herbert Xu + +[ Upstream commit: c5d18e984a313adf5a1a4ae69e0b1d93cf410229 ] + +As it stands it's impossible to use any authentication algorithms +with an ID above 31 portably. It just happens to work on x86 but +fails miserably on ppc64. + +The reason is that we're using a bit mask to check the algorithm +ID but the mask is only 32 bits wide. + +After looking at how this is used in the field, I have concluded +that in the long term we should phase out state matching by IDs +because this is made superfluous by the reqid feature. For current +applications, the best solution IMHO is to allow all algorithms when +the bit masks are all ~0. + +The following patch does exactly that. + +This bug was identified by IBM when testing on the ppc64 platform +using the NULL authentication algorithm which has an ID of 251. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/xfrm.h | 3 +++ + net/key/af_key.c | 2 +- + net/xfrm/xfrm_policy.c | 2 +- + net/xfrm/xfrm_user.c | 2 ++ + 4 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -435,6 +435,9 @@ struct xfrm_tmpl + /* May skip this transfomration if no SA is found */ + __u8 optional; + ++/* Skip aalgos/ealgos/calgos checks. */ ++ __u8 allalgs; ++ + /* Bit mask of algos allowed for acquisition */ + __u32 aalgos; + __u32 ealgos; +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1856,7 +1856,7 @@ parse_ipsecrequest(struct xfrm_policy *x + t->encap_family = xp->family; + + /* No way to set this via kame pfkey */ +- t->aalgos = t->ealgos = t->calgos = ~0; ++ t->allalgs = 1; + xp->xfrm_nr++; + return 0; + } +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1772,7 +1772,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, st + (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && + (x->props.reqid == tmpl->reqid || !tmpl->reqid) && + x->props.mode == tmpl->mode && +- ((tmpl->aalgos & (1<props.aalgo)) || ++ (tmpl->allalgs || (tmpl->aalgos & (1<props.aalgo)) || + !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && + !(x->props.mode != XFRM_MODE_TRANSPORT && + xfrm_state_addr_cmp(tmpl, x, family)); +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -975,6 +975,8 @@ static void copy_templates(struct xfrm_p + t->aalgos = ut->aalgos; + t->ealgos = ut->ealgos; + t->calgos = ut->calgos; ++ /* If all masks are ~0, then we allow all algorithms. */ ++ t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); + t->encap_family = ut->family; + } + } diff --git a/queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch b/queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch new file mode 100644 index 00000000000..018c74b4c03 --- /dev/null +++ b/queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch @@ -0,0 +1,60 @@ +From 35f1735890991fb3e3e7095ffb2997c7661f4cde Mon Sep 17 00:00:00 2001 +From: Pavel Emelyanov +Date: Fri, 25 Apr 2008 01:49:48 -0700 +Subject: net: Fix wrong interpretation of some copy_to_user() results. + +From: Pavel Emelyanov + +[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ] + +I found some places, that erroneously return the value obtained from +the copy_to_user() call: if some amount of bytes were not able to get +to the user (this is what this one returns) the proper behavior is to +return the -EFAULT error, not that number itself. + +Signed-off-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/raw.c | 3 ++- + net/dccp/probe.c | 2 +- + net/tipc/socket.c | 4 ++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket + int fsize = ro->count * sizeof(struct can_filter); + if (len > fsize) + len = fsize; +- err = copy_to_user(optval, ro->filter, len); ++ if (copy_to_user(optval, ro->filter, len)) ++ err = -EFAULT; + } else + len = 0; + release_sock(sk); +--- a/net/dccp/probe.c ++++ b/net/dccp/probe.c +@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil + goto out_free; + + cnt = kfifo_get(dccpw.fifo, tbuf, len); +- error = copy_to_user(buf, tbuf, cnt); ++ error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0; + + out_free: + vfree(tbuf); +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc + else if (len < sizeof(value)) { + res = -EINVAL; + } +- else if ((res = copy_to_user(ov, &value, sizeof(value)))) { +- /* couldn't return value */ ++ else if (copy_to_user(ov, &value, sizeof(value))) { ++ res = -EFAULT; + } + else { + res = put_user(sizeof(value), ol); diff --git a/queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch b/queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch new file mode 100644 index 00000000000..2d24a1ba7ac --- /dev/null +++ b/queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch @@ -0,0 +1,58 @@ +From 365bb0226bc0ef101936eb080acc484f87052fa9 Mon Sep 17 00:00:00 2001 +From: Bernard Pidoux +Date: Fri, 25 Apr 2008 01:42:36 -0700 +Subject: rose: Socket lock was not released before returning to user space + +From: Bernard Pidoux + +[ Upstream commit: 43837b1e6c5aef803d57009a68db18df13e64892 ] + +================================================ +[ BUG: lock held when returning to user space! ] +------------------------------------------------ +xfbbd/3683 is leaving the kernel with locks still held! +1 lock held by xfbbd/3683: + #0: (sk_lock-AF_ROSE){--..}, at: [] rose_connect+0x73/0x420 [rose] + +INFO: task xfbbd:3683 blocked for more than 120 seconds. +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +xfbbd D 00000246 0 3683 3669 + c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0 + c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001 + c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40 +Call Trace: + [] lock_sock_nested+0x6b/0xd0 + [] ? autoremove_wake_function+0x0/0x40 + [] sock_fasync+0x41/0x150 + [] sock_close+0x19/0x40 + [] __fput+0xb4/0x170 + [] fput+0x18/0x20 + [] filp_close+0x3e/0x70 + [] sys_close+0x69/0xb0 + [] sysenter_past_esp+0x5f/0xa5 + ======================= +INFO: lockdep is turned off. + +Signed-off-by: Bernard Pidoux +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rose/af_rose.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -760,8 +760,10 @@ static int rose_connect(struct socket *s + + rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause, + &diagnostic); +- if (!rose->neighbour) +- return -ENETUNREACH; ++ if (!rose->neighbour) { ++ err = -ENETUNREACH; ++ goto out_release; ++ } + + rose->lci = rose_new_lci(rose->neighbour); + if (!rose->lci) { diff --git a/queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch b/queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch new file mode 100644 index 00000000000..e15b9c4e5d9 --- /dev/null +++ b/queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch @@ -0,0 +1,69 @@ +From 23d71a9adb296b870970da1fd3fc1c5d4efee36e Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Wed, 23 Apr 2008 22:10:48 -0700 +Subject: RTNETLINK: Fix bogus ASSERT_RTNL warning + +From: Patrick McHardy + +[ Upstream commit: c9c1014b2bd014c7ec037bbb6f58818162fdb265 ] + +ASSERT_RTNL uses mutex_trylock to test whether the rtnl_mutex is +held. This bogus warnings when running in atomic context, which +f.e. happens when adding secondary unicast addresses through +macvlan or vlan or when synchronizing multicast addresses from +wireless devices. + +Mid-term we might want to consider moving all address updates +to process context since the locking seems overly complicated, +for now just fix the bogus warning by changing ASSERT_RTNL to +use mutex_is_locked(). + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/rtnetlink.h | 4 ++-- + net/core/rtnetlink.c | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/include/linux/rtnetlink.h ++++ b/include/linux/rtnetlink.h +@@ -740,13 +740,13 @@ extern void rtmsg_ifinfo(int type, struc + extern void rtnl_lock(void); + extern void rtnl_unlock(void); + extern int rtnl_trylock(void); ++extern int rtnl_is_locked(void); + + extern void rtnetlink_init(void); + extern void __rtnl_unlock(void); + + #define ASSERT_RTNL() do { \ +- if (unlikely(rtnl_trylock())) { \ +- rtnl_unlock(); \ ++ if (unlikely(!rtnl_is_locked())) { \ + printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \ + __FILE__, __LINE__); \ + dump_stack(); \ +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -82,6 +82,11 @@ int rtnl_trylock(void) + return mutex_trylock(&rtnl_mutex); + } + ++int rtnl_is_locked(void) ++{ ++ return mutex_is_locked(&rtnl_mutex); ++} ++ + static struct rtnl_link *rtnl_msg_handlers[NPROTO]; + + static inline int rtm_msgindex(int msgtype) +@@ -1389,6 +1394,7 @@ EXPORT_SYMBOL(rtnetlink_put_metrics); + EXPORT_SYMBOL(rtnl_lock); + EXPORT_SYMBOL(rtnl_trylock); + EXPORT_SYMBOL(rtnl_unlock); ++EXPORT_SYMBOL(rtnl_is_locked); + EXPORT_SYMBOL(rtnl_unicast); + EXPORT_SYMBOL(rtnl_notify); + EXPORT_SYMBOL(rtnl_set_sk_err); diff --git a/queue-2.6.25/series b/queue-2.6.25/series index 2e7f584a5b7..f45722e7cf6 100644 --- a/queue-2.6.25/series +++ b/queue-2.6.25/series @@ -1 +1,8 @@ jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch +tg3-5701-dma-corruption-fix.patch +tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch +tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch +rtnetlink-fix-bogus-assert_rtnl-warning.patch +rose-socket-lock-was-not-released-before-returning-to-user-space.patch +net-fix-wrong-interpretation-of-some-copy_to_user-results.patch +ipsec-fix-catch-22-with-algorithm-ids-above-31.patch diff --git a/queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch b/queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch new file mode 100644 index 00000000000..350ae8bbb8c --- /dev/null +++ b/queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch @@ -0,0 +1,42 @@ +From 3c0390e1a6d8a5d0cdae57959f0be37a236b474d Mon Sep 17 00:00:00 2001 +From: John Heffner +Date: Fri, 25 Apr 2008 01:43:57 -0700 +Subject: TCP: Increase the max_burst threshold from 3 to tp->reordering. + +From: John Heffner + +[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] + +This change is necessary to allow cwnd to grow during persistent +reordering. Cwnd moderation is applied when in the disorder state +and an ack that fills the hole comes in. If the hole was greater +than 3 packets, but less than tp->reordering, cwnd will shrink when +it should not have. + +Signed-off-by: John Heffner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -776,11 +776,14 @@ extern void tcp_enter_cwr(struct sock *s + extern __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst); + + /* Slow start with delack produces 3 packets of burst, so that +- * it is safe "de facto". ++ * it is safe "de facto". This will be the default - same as ++ * the default reordering threshold - but if reordering increases, ++ * we must be able to allow cwnd to burst at least this much in order ++ * to not pull it back when holes are filled. + */ + static __inline__ __u32 tcp_max_burst(const struct tcp_sock *tp) + { +- return 3; ++ return tp->reordering; + } + + /* Returns end sequence number of the receiver's advertised window */ diff --git a/queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch b/queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch new file mode 100644 index 00000000000..24a59b77eb9 --- /dev/null +++ b/queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch @@ -0,0 +1,59 @@ +From dd66bf65f96a02b454929181360bee13ffebee52 Mon Sep 17 00:00:00 2001 +From: Tom Quetchenbach +Date: Fri, 25 Apr 2008 01:45:32 -0700 +Subject: tcp: tcp_probe buffer overflow and incorrect return value + +From: Tom Quetchenbach + +[ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ] + +tcp_probe has a bounds-checking bug that causes many programs (less, +python) to crash reading /proc/net/tcp_probe. When it outputs a log +line to the reader, it only checks if that line alone will fit in the +reader's buffer, rather than that line and all the previous lines it +has already written. + +tcpprobe_read also returns the wrong value if copy_to_user fails--it +just passes on the return value of copy_to_user (number of bytes not +copied), which makes a failure look like a success. + +This patch fixes the buffer overflow and sets the return value to +-EFAULT if copy_to_user fails. + +Patch is against latest net-2.6; tested briefly and seems to fix the +crashes in less and python. + +Signed-off-by: Tom Quetchenbach +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_probe.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_probe.c ++++ b/net/ipv4/tcp_probe.c +@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file + + width = tcpprobe_sprint(tbuf, sizeof(tbuf)); + +- if (width < len) ++ if (cnt + width < len) + tcp_probe.tail = (tcp_probe.tail + 1) % bufsize; + + spin_unlock_bh(&tcp_probe.lock); + + /* if record greater than space available + return partial buffer (so far) */ +- if (width >= len) ++ if (cnt + width >= len) + break; + +- error = copy_to_user(buf + cnt, tbuf, width); +- if (error) +- break; ++ if (copy_to_user(buf + cnt, tbuf, width)) ++ return -EFAULT; + cnt += width; + } + diff --git a/queue-2.6.25/tg3-5701-dma-corruption-fix.patch b/queue-2.6.25/tg3-5701-dma-corruption-fix.patch new file mode 100644 index 00000000000..ac97c8fb1b3 --- /dev/null +++ b/queue-2.6.25/tg3-5701-dma-corruption-fix.patch @@ -0,0 +1,125 @@ +From 4bace198c4354bdd6e5e74fd0ad288d7930a943d Mon Sep 17 00:00:00 2001 +From: Matt Carlson +Date: Fri, 25 Apr 2008 01:46:46 -0700 +Subject: tg3: 5701 DMA corruption fix + +From: Matt Carlson + +[ Upstream commit: 41588ba1ae166eaba0a70abf2d7ff064ad9331d3 ] + +Herbert Xu's commit fb93134dfc2a6e6fbedc7c270a31da03fce88db9, entitled +"[TCP]: Fix size calculation in sk_stream_alloc_pskb", has triggered a +bug in the 5701 where the 5701 DMA engine will corrupt outgoing +packets. This problem only happens when the starting address of the +packet matches a certain range of offsets and only when the 5701 is +placed downstream of a particular Intel bridge. + +This patch detects the problematic bridge and if present, readjusts the +starting address of the packet data to a dword aligned boundary. + +Signed-off-by: Matt Carlson +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++---- + drivers/net/tg3.h | 1 + + 2 files changed, 49 insertions(+), 4 deletions(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -64,8 +64,8 @@ + + #define DRV_MODULE_NAME "tg3" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "3.90" +-#define DRV_MODULE_RELDATE "April 12, 2008" ++#define DRV_MODULE_VERSION "3.91" ++#define DRV_MODULE_RELDATE "April 18, 2008" + + #define TG3_DEF_MAC_MODE 0 + #define TG3_DEF_RX_MODE 0 +@@ -4135,11 +4135,21 @@ static int tigon3_dma_hwbug_workaround(s + u32 last_plus_one, u32 *start, + u32 base_flags, u32 mss) + { +- struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC); ++ struct sk_buff *new_skb; + dma_addr_t new_addr = 0; + u32 entry = *start; + int i, ret = 0; + ++ if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5701) ++ new_skb = skb_copy(skb, GFP_ATOMIC); ++ else { ++ int more_headroom = 4 - ((unsigned long)skb->data & 3); ++ ++ new_skb = skb_copy_expand(skb, ++ skb_headroom(skb) + more_headroom, ++ skb_tailroom(skb), GFP_ATOMIC); ++ } ++ + if (!new_skb) { + ret = -1; + } else { +@@ -4462,7 +4472,9 @@ static int tg3_start_xmit_dma_bug(struct + + would_hit_hwbug = 0; + +- if (tg3_4g_overflow_test(mapping, len)) ++ if (tp->tg3_flags3 & TG3_FLG3_5701_DMA_BUG) ++ would_hit_hwbug = 1; ++ else if (tg3_4g_overflow_test(mapping, len)) + would_hit_hwbug = 1; + + tg3_set_txd(tp, entry, mapping, len, base_flags, +@@ -11339,6 +11351,38 @@ static int __devinit tg3_get_invariants( + } + } + ++ if ((GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5701)) { ++ static struct tg3_dev_id { ++ u32 vendor; ++ u32 device; ++ } bridge_chipsets[] = { ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_0 }, ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_1 }, ++ { }, ++ }; ++ struct tg3_dev_id *pci_id = &bridge_chipsets[0]; ++ struct pci_dev *bridge = NULL; ++ ++ while (pci_id->vendor != 0) { ++ bridge = pci_get_device(pci_id->vendor, ++ pci_id->device, ++ bridge); ++ if (!bridge) { ++ pci_id++; ++ continue; ++ } ++ if (bridge->subordinate && ++ (bridge->subordinate->number <= ++ tp->pdev->bus->number) && ++ (bridge->subordinate->subordinate >= ++ tp->pdev->bus->number)) { ++ tp->tg3_flags3 |= TG3_FLG3_5701_DMA_BUG; ++ pci_dev_put(bridge); ++ break; ++ } ++ } ++ } ++ + /* The EPB bridge inside 5714, 5715, and 5780 cannot support + * DMA addresses > 40-bit. This bridge may have other additional + * 57xx devices behind it in some 4-port NIC designs for example. +--- a/drivers/net/tg3.h ++++ b/drivers/net/tg3.h +@@ -2476,6 +2476,7 @@ struct tg3 { + #define TG3_FLG3_NO_NVRAM_ADDR_TRANS 0x00000001 + #define TG3_FLG3_ENABLE_APE 0x00000002 + #define TG3_FLG3_5761_5784_AX_FIXES 0x00000004 ++#define TG3_FLG3_5701_DMA_BUG 0x00000008 + + struct timer_list timer; + u16 timer_counter; -- 2.47.3