--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Dmitry Popov <ixaphire@qrator.net>
+Date: Fri, 6 Jun 2014 23:19:21 +0400
+Subject: ipip, sit: fix ipv4_{update_pmtu,redirect} calls
+
+From: Dmitry Popov <ixaphire@qrator.net>
+
+[ Upstream commit 2346829e641b804ece9ac9298136b56d9567c278 ]
+
+ipv4_{update_pmtu,redirect} were called with tunnel's ifindex (t->dev is a
+tunnel netdevice). It caused wrong route lookup and failure of pmtu update or
+redirect. We should use the same ifindex that we use in ip_route_output_* in
+*tunnel_xmit code. It is t->parms.link .
+
+Signed-off-by: Dmitry Popov <ixaphire@qrator.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipip.c | 4 ++--
+ net/ipv6/sit.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -149,13 +149,13 @@ static int ipip_err(struct sk_buff *skb,
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+ ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+- t->dev->ifindex, 0, IPPROTO_IPIP, 0);
++ t->parms.link, 0, IPPROTO_IPIP, 0);
+ err = 0;
+ goto out;
+ }
+
+ if (type == ICMP_REDIRECT) {
+- ipv4_redirect(skb, dev_net(skb->dev), t->dev->ifindex, 0,
++ ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
+ IPPROTO_IPIP, 0);
+ err = 0;
+ goto out;
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -530,12 +530,12 @@ static int ipip6_err(struct sk_buff *skb
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+ ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+- t->dev->ifindex, 0, IPPROTO_IPV6, 0);
++ t->parms.link, 0, IPPROTO_IPV6, 0);
+ err = 0;
+ goto out;
+ }
+ if (type == ICMP_REDIRECT) {
+- ipv4_redirect(skb, dev_net(skb->dev), t->dev->ifindex, 0,
++ ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
+ IPPROTO_IPV6, 0);
+ err = 0;
+ goto out;
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 10 Jun 2014 06:43:01 -0700
+Subject: ipv4: fix a race in ip4_datagram_release_cb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9709674e68646cee5a24e3000b3558d25412203a ]
+
+Alexey gave a AddressSanitizer[1] report that finally gave a good hint
+at where was the origin of various problems already reported by Dormando
+in the past [2]
+
+Problem comes from the fact that UDP can have a lockless TX path, and
+concurrent threads can manipulate sk_dst_cache, while another thread,
+is holding socket lock and calls __sk_dst_set() in
+ip4_datagram_release_cb() (this was added in linux-3.8)
+
+It seems that all we need to do is to use sk_dst_check() and
+sk_dst_set() so that all the writers hold same spinlock
+(sk->sk_dst_lock) to prevent corruptions.
+
+TCP stack do not need this protection, as all sk_dst_cache writers hold
+the socket lock.
+
+[1]
+https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
+
+AddressSanitizer: heap-use-after-free in ipv4_dst_check
+Read of size 2 by thread T15453:
+ [<ffffffff817daa3a>] ipv4_dst_check+0x1a/0x90 ./net/ipv4/route.c:1116
+ [<ffffffff8175b789>] __sk_dst_check+0x89/0xe0 ./net/core/sock.c:531
+ [<ffffffff81830a36>] ip4_datagram_release_cb+0x46/0x390 ??:0
+ [<ffffffff8175eaea>] release_sock+0x17a/0x230 ./net/core/sock.c:2413
+ [<ffffffff81830882>] ip4_datagram_connect+0x462/0x5d0 ??:0
+ [<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
+ [<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
+ [<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
+ [<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
+./arch/x86/kernel/entry_64.S:629
+
+Freed by thread T15455:
+ [<ffffffff8178d9b8>] dst_destroy+0xa8/0x160 ./net/core/dst.c:251
+ [<ffffffff8178de25>] dst_release+0x45/0x80 ./net/core/dst.c:280
+ [<ffffffff818304c1>] ip4_datagram_connect+0xa1/0x5d0 ??:0
+ [<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
+ [<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
+ [<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
+ [<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
+./arch/x86/kernel/entry_64.S:629
+
+Allocated by thread T15453:
+ [<ffffffff8178d291>] dst_alloc+0x81/0x2b0 ./net/core/dst.c:171
+ [<ffffffff817db3b7>] rt_dst_alloc+0x47/0x50 ./net/ipv4/route.c:1406
+ [< inlined >] __ip_route_output_key+0x3e8/0xf70
+__mkroute_output ./net/ipv4/route.c:1939
+ [<ffffffff817dde08>] __ip_route_output_key+0x3e8/0xf70 ./net/ipv4/route.c:2161
+ [<ffffffff817deb34>] ip_route_output_flow+0x14/0x30 ./net/ipv4/route.c:2249
+ [<ffffffff81830737>] ip4_datagram_connect+0x317/0x5d0 ??:0
+ [<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
+ [<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
+ [<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
+ [<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
+./arch/x86/kernel/entry_64.S:629
+
+[2]
+<4>[196727.311203] general protection fault: 0000 [#1] SMP
+<4>[196727.311224] Modules linked in: xt_TEE xt_dscp xt_DSCP macvlan bridge coretemp crc32_pclmul ghash_clmulni_intel gpio_ich microcode ipmi_watchdog ipmi_devintf sb_edac edac_core lpc_ich mfd_core tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler isci igb libsas i2c_algo_bit ixgbe ptp pps_core mdio
+<4>[196727.311333] CPU: 17 PID: 0 Comm: swapper/17 Not tainted 3.10.26 #1
+<4>[196727.311344] Hardware name: Supermicro X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS 3.0 07/05/2013
+<4>[196727.311364] task: ffff885e6f069700 ti: ffff885e6f072000 task.ti: ffff885e6f072000
+<4>[196727.311377] RIP: 0010:[<ffffffff815f8c7f>] [<ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
+<4>[196727.311399] RSP: 0018:ffff885effd23a70 EFLAGS: 00010282
+<4>[196727.311409] RAX: dead000000200200 RBX: ffff8854c398ecc0 RCX: 0000000000000040
+<4>[196727.311423] RDX: dead000000100100 RSI: dead000000100100 RDI: dead000000200200
+<4>[196727.311437] RBP: ffff885effd23a80 R08: ffffffff815fd9e0 R09: ffff885d5a590800
+<4>[196727.311451] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+<4>[196727.311464] R13: ffffffff81c8c280 R14: 0000000000000000 R15: ffff880e85ee16ce
+<4>[196727.311510] FS: 0000000000000000(0000) GS:ffff885effd20000(0000) knlGS:0000000000000000
+<4>[196727.311554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[196727.311581] CR2: 00007a46751eb000 CR3: 0000005e65688000 CR4: 00000000000407e0
+<4>[196727.311625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+<4>[196727.311669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+<4>[196727.311713] Stack:
+<4>[196727.311733] ffff8854c398ecc0 ffff8854c398ecc0 ffff885effd23ab0 ffffffff815b7f42
+<4>[196727.311784] ffff88be6595bc00 ffff8854c398ecc0 0000000000000000 ffff8854c398ecc0
+<4>[196727.311834] ffff885effd23ad0 ffffffff815b86c6 ffff885d5a590800 ffff8816827821c0
+<4>[196727.311885] Call Trace:
+<4>[196727.311907] <IRQ>
+<4>[196727.311912] [<ffffffff815b7f42>] dst_destroy+0x32/0xe0
+<4>[196727.311959] [<ffffffff815b86c6>] dst_release+0x56/0x80
+<4>[196727.311986] [<ffffffff81620bd5>] tcp_v4_do_rcv+0x2a5/0x4a0
+<4>[196727.312013] [<ffffffff81622b5a>] tcp_v4_rcv+0x7da/0x820
+<4>[196727.312041] [<ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
+<4>[196727.312070] [<ffffffff815de02d>] ? nf_hook_slow+0x7d/0x150
+<4>[196727.312097] [<ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
+<4>[196727.312125] [<ffffffff815fda92>] ip_local_deliver_finish+0xb2/0x230
+<4>[196727.312154] [<ffffffff815fdd9a>] ip_local_deliver+0x4a/0x90
+<4>[196727.312183] [<ffffffff815fd799>] ip_rcv_finish+0x119/0x360
+<4>[196727.312212] [<ffffffff815fe00b>] ip_rcv+0x22b/0x340
+<4>[196727.312242] [<ffffffffa0339680>] ? macvlan_broadcast+0x160/0x160 [macvlan]
+<4>[196727.312275] [<ffffffff815b0c62>] __netif_receive_skb_core+0x512/0x640
+<4>[196727.312308] [<ffffffff811427fb>] ? kmem_cache_alloc+0x13b/0x150
+<4>[196727.312338] [<ffffffff815b0db1>] __netif_receive_skb+0x21/0x70
+<4>[196727.312368] [<ffffffff815b0fa1>] netif_receive_skb+0x31/0xa0
+<4>[196727.312397] [<ffffffff815b1ae8>] napi_gro_receive+0xe8/0x140
+<4>[196727.312433] [<ffffffffa00274f1>] ixgbe_poll+0x551/0x11f0 [ixgbe]
+<4>[196727.312463] [<ffffffff815fe00b>] ? ip_rcv+0x22b/0x340
+<4>[196727.312491] [<ffffffff815b1691>] net_rx_action+0x111/0x210
+<4>[196727.312521] [<ffffffff815b0db1>] ? __netif_receive_skb+0x21/0x70
+<4>[196727.312552] [<ffffffff810519d0>] __do_softirq+0xd0/0x270
+<4>[196727.312583] [<ffffffff816cef3c>] call_softirq+0x1c/0x30
+<4>[196727.312613] [<ffffffff81004205>] do_softirq+0x55/0x90
+<4>[196727.312640] [<ffffffff81051c85>] irq_exit+0x55/0x60
+<4>[196727.312668] [<ffffffff816cf5c3>] do_IRQ+0x63/0xe0
+<4>[196727.312696] [<ffffffff816c5aaa>] common_interrupt+0x6a/0x6a
+<4>[196727.312722] <EOI>
+<1>[196727.313071] RIP [<ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
+<4>[196727.313100] RSP <ffff885effd23a70>
+<4>[196727.313377] ---[ end trace 64b3f14fae0f2e29 ]---
+<0>[196727.380908] Kernel panic - not syncing: Fatal exception in interrupt
+
+Reported-by: Alexey Preobrazhensky <preobr@google.com>
+Reported-by: dormando <dormando@rydia.ne>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Fixes: 8141ed9fcedb2 ("ipv4: Add a socket release callback for datagram sockets")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/datagram.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/datagram.c
++++ b/net/ipv4/datagram.c
+@@ -86,18 +86,26 @@ out:
+ }
+ EXPORT_SYMBOL(ip4_datagram_connect);
+
++/* Because UDP xmit path can manipulate sk_dst_cache without holding
++ * socket lock, we need to use sk_dst_set() here,
++ * even if we own the socket lock.
++ */
+ void ip4_datagram_release_cb(struct sock *sk)
+ {
+ const struct inet_sock *inet = inet_sk(sk);
+ const struct ip_options_rcu *inet_opt;
+ __be32 daddr = inet->inet_daddr;
++ struct dst_entry *dst;
+ struct flowi4 fl4;
+ struct rtable *rt;
+
+- if (! __sk_dst_get(sk) || __sk_dst_check(sk, 0))
+- return;
+-
+ rcu_read_lock();
++
++ dst = __sk_dst_get(sk);
++ if (!dst || !dst->obsolete || dst->ops->check(dst, 0)) {
++ rcu_read_unlock();
++ return;
++ }
+ inet_opt = rcu_dereference(inet->inet_opt);
+ if (inet_opt && inet_opt->opt.srr)
+ daddr = inet_opt->opt.faddr;
+@@ -105,8 +113,10 @@ void ip4_datagram_release_cb(struct sock
+ inet->inet_saddr, inet->inet_dport,
+ inet->inet_sport, sk->sk_protocol,
+ RT_CONN_FLAGS(sk), sk->sk_bound_dev_if);
+- if (!IS_ERR(rt))
+- __sk_dst_set(sk, &rt->dst);
++
++ dst = !IS_ERR(rt) ? &rt->dst : NULL;
++ sk_dst_set(sk, dst);
++
+ rcu_read_unlock();
+ }
+ EXPORT_SYMBOL_GPL(ip4_datagram_release_cb);
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 23 Apr 2014 14:28:03 -0700
+Subject: net: Add variants of capable for use on netlink messages
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit aa4cf9452f469f16cea8c96283b641b4576d4a7b ]
+
+netlink_net_capable - The common case use, for operations that are safe on a network namespace
+netlink_capable - For operations that are only known to be safe for the global root
+netlink_ns_capable - The general case of capable used to handle special cases
+
+__netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of
+ the skbuff of a netlink message.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netlink.h | 7 +++++
+ net/netlink/af_netlink.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+)
+
+--- a/include/linux/netlink.h
++++ b/include/linux/netlink.h
+@@ -144,4 +144,11 @@ static inline int netlink_dump_start(str
+ return __netlink_dump_start(ssk, skb, nlh, control);
+ }
+
++bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
++ struct user_namespace *ns, int cap);
++bool netlink_ns_capable(const struct sk_buff *skb,
++ struct user_namespace *ns, int cap);
++bool netlink_capable(const struct sk_buff *skb, int cap);
++bool netlink_net_capable(const struct sk_buff *skb, int cap);
++
+ #endif /* __LINUX_NETLINK_H */
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1219,6 +1219,71 @@ retry:
+ return err;
+ }
+
++/**
++ * __netlink_ns_capable - General netlink message capability test
++ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
++ * @user_ns: The user namespace of the capability to use
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket we received the message
++ * from had when the netlink socket was created and the sender of the
++ * message has has the capability @cap in the user namespace @user_ns.
++ */
++bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
++ struct user_namespace *user_ns, int cap)
++{
++ return sk_ns_capable(nsp->sk, user_ns, cap);
++}
++EXPORT_SYMBOL(__netlink_ns_capable);
++
++/**
++ * netlink_ns_capable - General netlink message capability test
++ * @skb: socket buffer holding a netlink command from userspace
++ * @user_ns: The user namespace of the capability to use
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket we received the message
++ * from had when the netlink socket was created and the sender of the
++ * message has has the capability @cap in the user namespace @user_ns.
++ */
++bool netlink_ns_capable(const struct sk_buff *skb,
++ struct user_namespace *user_ns, int cap)
++{
++ return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
++}
++EXPORT_SYMBOL(netlink_ns_capable);
++
++/**
++ * netlink_capable - Netlink global message capability test
++ * @skb: socket buffer holding a netlink command from userspace
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket we received the message
++ * from had when the netlink socket was created and the sender of the
++ * message has has the capability @cap in all user namespaces.
++ */
++bool netlink_capable(const struct sk_buff *skb, int cap)
++{
++ return netlink_ns_capable(skb, &init_user_ns, cap);
++}
++EXPORT_SYMBOL(netlink_capable);
++
++/**
++ * netlink_net_capable - Netlink network namespace message capability test
++ * @skb: socket buffer holding a netlink command from userspace
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket we received the message
++ * from had when the netlink socket was created and the sender of the
++ * message has has the capability @cap over the network namespace of
++ * the socket we received the message from.
++ */
++bool netlink_net_capable(const struct sk_buff *skb, int cap)
++{
++ return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
++}
++EXPORT_SYMBOL(netlink_net_capable);
++
+ static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
+ {
+ return (nl_table[sock->sk->sk_protocol].flags & flag) ||
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 23 Apr 2014 14:26:56 -0700
+Subject: net: Add variants of capable for use on on sockets
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b ]
+
+sk_net_capable - The common case, operations that are safe in a network namespace.
+sk_capable - Operations that are not known to be safe in a network namespace
+sk_ns_capable - The general case for special cases.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 5 +++++
+ net/core/sock.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2248,6 +2248,11 @@ extern void sock_enable_timestamp(struct
+ extern int sock_get_timestamp(struct sock *, struct timeval __user *);
+ extern int sock_get_timestampns(struct sock *, struct timespec __user *);
+
++bool sk_ns_capable(const struct sock *sk,
++ struct user_namespace *user_ns, int cap);
++bool sk_capable(const struct sock *sk, int cap);
++bool sk_net_capable(const struct sock *sk, int cap);
++
+ /*
+ * Enable debug/info messages
+ */
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -142,6 +142,55 @@
+ static DEFINE_MUTEX(proto_list_mutex);
+ static LIST_HEAD(proto_list);
+
++/**
++ * sk_ns_capable - General socket capability test
++ * @sk: Socket to use a capability on or through
++ * @user_ns: The user namespace of the capability to use
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket had when the socket was
++ * created and the current process has the capability @cap in the user
++ * namespace @user_ns.
++ */
++bool sk_ns_capable(const struct sock *sk,
++ struct user_namespace *user_ns, int cap)
++{
++ return file_ns_capable(sk->sk_socket->file, user_ns, cap) &&
++ ns_capable(user_ns, cap);
++}
++EXPORT_SYMBOL(sk_ns_capable);
++
++/**
++ * sk_capable - Socket global capability test
++ * @sk: Socket to use a capability on or through
++ * @cap: The global capbility to use
++ *
++ * Test to see if the opener of the socket had when the socket was
++ * created and the current process has the capability @cap in all user
++ * namespaces.
++ */
++bool sk_capable(const struct sock *sk, int cap)
++{
++ return sk_ns_capable(sk, &init_user_ns, cap);
++}
++EXPORT_SYMBOL(sk_capable);
++
++/**
++ * sk_net_capable - Network namespace socket capability test
++ * @sk: Socket to use a capability on or through
++ * @cap: The capability to use
++ *
++ * Test to see if the opener of the socket had when the socke was created
++ * and the current process has the capability @cap over the network namespace
++ * the socket is a member of.
++ */
++bool sk_net_capable(const struct sock *sk, int cap)
++{
++ return sk_ns_capable(sk, sock_net(sk)->user_ns, cap);
++}
++EXPORT_SYMBOL(sk_net_capable);
++
++
+ #ifdef CONFIG_MEMCG_KMEM
+ int mem_cgroup_sockets_init(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
+ {
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Alexei Starovoitov <ast@plumgrid.com>
+Date: Fri, 6 Jun 2014 08:35:59 -0700
+Subject: net: filter: fix sparc32 typo
+
+From: Alexei Starovoitov <ast@plumgrid.com>
+
+[ Upstream commit 588f5d629b3369aba88f52217d1c473a28fa7723 ]
+
+Fixes: 569810d1e327 ("net: filter: fix typo in sparc BPF JIT")
+Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/net/bpf_jit_comp.c
++++ b/arch/sparc/net/bpf_jit_comp.c
+@@ -85,7 +85,7 @@ static void bpf_flush_icache(void *start
+ #ifdef CONFIG_SPARC64
+ #define BE_PTR (F2(0, 1) | CONDE | (2 << 20))
+ #else
+-#define BE_PTR BNE
++#define BE_PTR BE
+ #endif
+
+ #define SETHI(K, REG) \
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Alexei Starovoitov <ast@plumgrid.com>
+Date: Thu, 5 Jun 2014 22:47:44 -0700
+Subject: net: filter: fix typo in sparc BPF JIT
+
+From: Alexei Starovoitov <ast@plumgrid.com>
+
+[ Upstream commit 569810d1e3278907264f5b115281fca3f0038d53 ]
+
+fix typo in sparc codegen for SKF_AD_IFINDEX and SKF_AD_HATYPE
+classic BPF extensions
+
+Fixes: 2809a2087cc4 ("net: filter: Just In Time compiler for sparc")
+Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/net/bpf_jit_comp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/sparc/net/bpf_jit_comp.c
++++ b/arch/sparc/net/bpf_jit_comp.c
+@@ -83,9 +83,9 @@ static void bpf_flush_icache(void *start
+ #define BNE (F2(0, 2) | CONDNE)
+
+ #ifdef CONFIG_SPARC64
+-#define BNE_PTR (F2(0, 1) | CONDNE | (2 << 20))
++#define BE_PTR (F2(0, 1) | CONDE | (2 << 20))
+ #else
+-#define BNE_PTR BNE
++#define BE_PTR BNE
+ #endif
+
+ #define SETHI(K, REG) \
+@@ -600,7 +600,7 @@ void bpf_jit_compile(struct sk_filter *f
+ case BPF_S_ANC_IFINDEX:
+ emit_skb_loadptr(dev, r_A);
+ emit_cmpi(r_A, 0);
+- emit_branch(BNE_PTR, cleanup_addr + 4);
++ emit_branch(BE_PTR, cleanup_addr + 4);
+ emit_nop();
+ emit_load32(r_A, struct net_device, ifindex, r_A);
+ break;
+@@ -613,7 +613,7 @@ void bpf_jit_compile(struct sk_filter *f
+ case BPF_S_ANC_HATYPE:
+ emit_skb_loadptr(dev, r_A);
+ emit_cmpi(r_A, 0);
+- emit_branch(BNE_PTR, cleanup_addr + 4);
++ emit_branch(BE_PTR, cleanup_addr + 4);
+ emit_nop();
+ emit_load16(r_A, struct net_device, type, r_A);
+ break;
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 29 May 2014 08:45:14 -0700
+Subject: net: fix inet_getid() and ipv6_select_ident() bugs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 39c36094d78c39e038c1e499b2364e13bce36f54 ]
+
+I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
+is disabled.
+Note how GSO/TSO packets do not have monotonically incrementing ID.
+
+06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
+06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
+06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
+06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
+06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)
+
+It appears I introduced this bug in linux-3.1.
+
+inet_getid() must return the old value of peer->ip_id_count,
+not the new one.
+
+Lets revert this part, and remove the prevention of
+a null identification field in IPv6 Fragment Extension Header,
+which is dubious and not even done properly.
+
+Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inetpeer.h | 9 +--------
+ net/ipv6/output_core.c | 11 +++--------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+--- a/include/net/inetpeer.h
++++ b/include/net/inetpeer.h
+@@ -178,16 +178,9 @@ static inline void inet_peer_refcheck(co
+ /* can be called with or without local BH being disabled */
+ static inline int inet_getid(struct inet_peer *p, int more)
+ {
+- int old, new;
+ more++;
+ inet_peer_refcheck(p);
+- do {
+- old = atomic_read(&p->ip_id_count);
+- new = old + more;
+- if (!new)
+- new = 1;
+- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
+- return new;
++ return atomic_add_return(more, &p->ip_id_count) - more;
+ }
+
+ #endif /* _NET_INETPEER_H */
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -9,7 +9,7 @@
+ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+ {
+ static atomic_t ipv6_fragmentation_id;
+- int old, new;
++ int ident;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (rt && !(rt->dst.flags & DST_NOPEER)) {
+@@ -25,13 +25,8 @@ void ipv6_select_ident(struct frag_hdr *
+ }
+ }
+ #endif
+- do {
+- old = atomic_read(&ipv6_fragmentation_id);
+- new = old + 1;
+- if (!new)
+- new = 1;
+- } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
+- fhdr->identification = htonl(new);
++ ident = atomic_inc_return(&ipv6_fragmentation_id);
++ fhdr->identification = htonl(ident);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
+
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 6 Jun 2014 06:44:03 -0700
+Subject: net: force a list_del() in unregister_netdevice_many()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 87757a917b0b3c0787e0563c679762152be81312 ]
+
+unregister_netdevice_many() API is error prone and we had too
+many bugs because of dangling LIST_HEAD on stacks.
+
+See commit f87e6f47933e3e ("net: dont leave active on stack LIST_HEAD")
+
+In fact, instead of making sure no caller leaves an active list_head,
+just force a list_del() in the callee. No one seems to need to access
+the list after unregister_netdevice_many()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 1 -
+ net/core/dev.c | 5 ++++-
+ net/core/rtnetlink.c | 1 -
+ net/mac80211/iface.c | 1 -
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -961,7 +961,6 @@ static int macvlan_device_event(struct n
+ list_for_each_entry_safe(vlan, next, &port->vlans, list)
+ vlan->dev->rtnl_link_ops->dellink(vlan->dev, &list_kill);
+ unregister_netdevice_many(&list_kill);
+- list_del(&list_kill);
+ break;
+ case NETDEV_PRE_TYPE_CHANGE:
+ /* Forbid underlaying device to change its type. */
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5827,6 +5827,9 @@ EXPORT_SYMBOL(unregister_netdevice_queue
+ /**
+ * unregister_netdevice_many - unregister many devices
+ * @head: list of devices
++ *
++ * Note: As most callers use a stack allocated list_head,
++ * we force a list_del() to make sure stack wont be corrupted later.
+ */
+ void unregister_netdevice_many(struct list_head *head)
+ {
+@@ -5836,6 +5839,7 @@ void unregister_netdevice_many(struct li
+ rollback_registered_many(head);
+ list_for_each_entry(dev, head, unreg_list)
+ net_set_todo(dev);
++ list_del(head);
+ }
+ }
+ EXPORT_SYMBOL(unregister_netdevice_many);
+@@ -6252,7 +6256,6 @@ static void __net_exit default_device_ex
+ }
+ }
+ unregister_netdevice_many(&dev_kill_list);
+- list_del(&dev_kill_list);
+ rtnl_unlock();
+ }
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1601,7 +1601,6 @@ static int rtnl_dellink(struct sk_buff *
+
+ ops->dellink(dev, &list_kill);
+ unregister_netdevice_many(&list_kill);
+- list_del(&list_kill);
+ return 0;
+ }
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1746,7 +1746,6 @@ void ieee80211_remove_interfaces(struct
+ }
+ mutex_unlock(&local->iflist_mtx);
+ unregister_netdevice_many(&unreg_list);
+- list_del(&unreg_list);
+
+ list_for_each_entry_safe(sdata, tmp, &wdev_list, list) {
+ list_del(&sdata->list);
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Wei Yang <weiyang@linux.vnet.ibm.com>
+Date: Sun, 1 Jun 2014 15:24:59 +0800
+Subject: net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset
+
+From: Wei Yang <weiyang@linux.vnet.ibm.com>
+
+[ No upstream commit, this is a cherry picked backport enabler. ]
+
+The second parameter of __mlx4_init_one() is used to identify whether the
+pci_dev is a PF or VF. Currently, when it is invoked in mlx4_pci_slot_reset()
+this information is missed.
+
+This patch match the pci_dev with mlx4_pci_table and passes the
+pci_device_id.driver_data to __mlx4_init_one() in mlx4_pci_slot_reset().
+
+Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2517,7 +2517,11 @@ static pci_ers_result_t mlx4_pci_err_det
+
+ static pci_ers_result_t mlx4_pci_slot_reset(struct pci_dev *pdev)
+ {
+- int ret = __mlx4_init_one(pdev, 0);
++ const struct pci_device_id *id;
++ int ret;
++
++ id = pci_match_id(mlx4_pci_table, pdev);
++ ret = __mlx4_init_one(pdev, id->driver_data);
+
+ return ret ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
+ }
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Wei Yang <weiyang@linux.vnet.ibm.com>
+Date: Sun, 1 Jun 2014 15:25:00 +0800
+Subject: net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()
+
+From: Wei Yang <weiyang@linux.vnet.ibm.com>
+
+[ Upstream commit befdf8978accecac2e0739e6b5075afc62db37fe ]
+
+pci_match_id() just match the static pci_device_id, which may return NULL if
+someone binds the driver to a device manually using
+/sys/bus/pci/drivers/.../new_id.
+
+This patch wrap up a helper function __mlx4_remove_one() which does the tear
+down function but preserve the drv_data. Functions like
+mlx4_pci_err_detected() and mlx4_restart_one() will call this one with out
+releasing drvdata.
+
+Fixes: 97a5221 "net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset".
+
+CC: Bjorn Helgaas <bhelgaas@google.com>
+CC: Amir Vadai <amirv@mellanox.com>
+CC: Jack Morgenstein <jackm@dev.mellanox.co.il>
+CC: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
+Acked-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 170 ++++++++++++++++--------------
+ drivers/net/ethernet/mellanox/mlx4/mlx4.h | 1
+ 2 files changed, 96 insertions(+), 75 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2129,13 +2129,8 @@ static int __mlx4_init_one(struct pci_de
+ /* Allow large DMA segments, up to the firmware limit of 1 GB */
+ dma_set_max_seg_size(&pdev->dev, 1024 * 1024 * 1024);
+
+- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+- if (!priv) {
+- err = -ENOMEM;
+- goto err_release_regions;
+- }
+-
+- dev = &priv->dev;
++ dev = pci_get_drvdata(pdev);
++ priv = mlx4_priv(dev);
+ dev->pdev = pdev;
+ INIT_LIST_HEAD(&priv->ctx_list);
+ spin_lock_init(&priv->ctx_lock);
+@@ -2300,8 +2295,7 @@ slave_start:
+ mlx4_sense_init(dev);
+ mlx4_start_sense(dev);
+
+- priv->pci_dev_data = pci_dev_data;
+- pci_set_drvdata(pdev, dev);
++ priv->removed = 0;
+
+ return 0;
+
+@@ -2367,84 +2361,110 @@ err_disable_pdev:
+
+ static int mlx4_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
++ struct mlx4_priv *priv;
++ struct mlx4_dev *dev;
++
+ printk_once(KERN_INFO "%s", mlx4_version);
+
++ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++ if (!priv)
++ return -ENOMEM;
++
++ dev = &priv->dev;
++ pci_set_drvdata(pdev, dev);
++ priv->pci_dev_data = id->driver_data;
++
+ return __mlx4_init_one(pdev, id->driver_data);
+ }
+
+-static void mlx4_remove_one(struct pci_dev *pdev)
++static void __mlx4_remove_one(struct pci_dev *pdev)
+ {
+ struct mlx4_dev *dev = pci_get_drvdata(pdev);
+ struct mlx4_priv *priv = mlx4_priv(dev);
++ int pci_dev_data;
+ int p;
+
+- if (dev) {
+- /* in SRIOV it is not allowed to unload the pf's
+- * driver while there are alive vf's */
+- if (mlx4_is_master(dev)) {
+- if (mlx4_how_many_lives_vf(dev))
+- printk(KERN_ERR "Removing PF when there are assigned VF's !!!\n");
+- }
+- mlx4_stop_sense(dev);
+- mlx4_unregister_device(dev);
++ if (priv->removed)
++ return;
+
+- for (p = 1; p <= dev->caps.num_ports; p++) {
+- mlx4_cleanup_port_info(&priv->port[p]);
+- mlx4_CLOSE_PORT(dev, p);
+- }
++ pci_dev_data = priv->pci_dev_data;
+
+- if (mlx4_is_master(dev))
+- mlx4_free_resource_tracker(dev,
+- RES_TR_FREE_SLAVES_ONLY);
++ /* in SRIOV it is not allowed to unload the pf's
++ * driver while there are alive vf's */
++ if (mlx4_is_master(dev)) {
++ if (mlx4_how_many_lives_vf(dev))
++ printk(KERN_ERR "Removing PF when there are assigned VF's !!!\n");
++ }
++ mlx4_stop_sense(dev);
++ mlx4_unregister_device(dev);
+
+- mlx4_cleanup_counters_table(dev);
+- mlx4_cleanup_mcg_table(dev);
+- mlx4_cleanup_qp_table(dev);
+- mlx4_cleanup_srq_table(dev);
+- mlx4_cleanup_cq_table(dev);
+- mlx4_cmd_use_polling(dev);
+- mlx4_cleanup_eq_table(dev);
+- mlx4_cleanup_mr_table(dev);
+- mlx4_cleanup_xrcd_table(dev);
+- mlx4_cleanup_pd_table(dev);
++ for (p = 1; p <= dev->caps.num_ports; p++) {
++ mlx4_cleanup_port_info(&priv->port[p]);
++ mlx4_CLOSE_PORT(dev, p);
++ }
+
+- if (mlx4_is_master(dev))
+- mlx4_free_resource_tracker(dev,
+- RES_TR_FREE_STRUCTS_ONLY);
++ if (mlx4_is_master(dev))
++ mlx4_free_resource_tracker(dev,
++ RES_TR_FREE_SLAVES_ONLY);
+
+- iounmap(priv->kar);
+- mlx4_uar_free(dev, &priv->driver_uar);
+- mlx4_cleanup_uar_table(dev);
+- if (!mlx4_is_slave(dev))
+- mlx4_clear_steering(dev);
+- mlx4_free_eq_table(dev);
+- if (mlx4_is_master(dev))
+- mlx4_multi_func_cleanup(dev);
+- mlx4_close_hca(dev);
+- if (mlx4_is_slave(dev))
+- mlx4_multi_func_cleanup(dev);
+- mlx4_cmd_cleanup(dev);
+-
+- if (dev->flags & MLX4_FLAG_MSI_X)
+- pci_disable_msix(pdev);
+- if (dev->flags & MLX4_FLAG_SRIOV) {
+- mlx4_warn(dev, "Disabling SR-IOV\n");
+- pci_disable_sriov(pdev);
+- }
++ mlx4_cleanup_counters_table(dev);
++ mlx4_cleanup_qp_table(dev);
++ mlx4_cleanup_srq_table(dev);
++ mlx4_cleanup_cq_table(dev);
++ mlx4_cmd_use_polling(dev);
++ mlx4_cleanup_eq_table(dev);
++ mlx4_cleanup_mcg_table(dev);
++ mlx4_cleanup_mr_table(dev);
++ mlx4_cleanup_xrcd_table(dev);
++ mlx4_cleanup_pd_table(dev);
+
+- if (!mlx4_is_slave(dev))
+- mlx4_free_ownership(dev);
++ if (mlx4_is_master(dev))
++ mlx4_free_resource_tracker(dev,
++ RES_TR_FREE_STRUCTS_ONLY);
+
+- kfree(dev->caps.qp0_tunnel);
+- kfree(dev->caps.qp0_proxy);
+- kfree(dev->caps.qp1_tunnel);
+- kfree(dev->caps.qp1_proxy);
+-
+- kfree(priv);
+- pci_release_regions(pdev);
+- pci_disable_device(pdev);
+- pci_set_drvdata(pdev, NULL);
++ iounmap(priv->kar);
++ mlx4_uar_free(dev, &priv->driver_uar);
++ mlx4_cleanup_uar_table(dev);
++ if (!mlx4_is_slave(dev))
++ mlx4_clear_steering(dev);
++ mlx4_free_eq_table(dev);
++ if (mlx4_is_master(dev))
++ mlx4_multi_func_cleanup(dev);
++ mlx4_close_hca(dev);
++ if (mlx4_is_slave(dev))
++ mlx4_multi_func_cleanup(dev);
++ mlx4_cmd_cleanup(dev);
++
++ if (dev->flags & MLX4_FLAG_MSI_X)
++ pci_disable_msix(pdev);
++ if (dev->flags & MLX4_FLAG_SRIOV) {
++ mlx4_warn(dev, "Disabling SR-IOV\n");
++ pci_disable_sriov(pdev);
+ }
++
++ if (!mlx4_is_slave(dev))
++ mlx4_free_ownership(dev);
++
++ kfree(dev->caps.qp0_tunnel);
++ kfree(dev->caps.qp0_proxy);
++ kfree(dev->caps.qp1_tunnel);
++ kfree(dev->caps.qp1_proxy);
++
++ pci_release_regions(pdev);
++ pci_disable_device(pdev);
++ memset(priv, 0, sizeof(*priv));
++ priv->pci_dev_data = pci_dev_data;
++ priv->removed = 1;
++}
++
++static void mlx4_remove_one(struct pci_dev *pdev)
++{
++ struct mlx4_dev *dev = pci_get_drvdata(pdev);
++ struct mlx4_priv *priv = mlx4_priv(dev);
++
++ __mlx4_remove_one(pdev);
++ kfree(priv);
++ pci_set_drvdata(pdev, NULL);
+ }
+
+ int mlx4_restart_one(struct pci_dev *pdev)
+@@ -2454,7 +2474,7 @@ int mlx4_restart_one(struct pci_dev *pde
+ int pci_dev_data;
+
+ pci_dev_data = priv->pci_dev_data;
+- mlx4_remove_one(pdev);
++ __mlx4_remove_one(pdev);
+ return __mlx4_init_one(pdev, pci_dev_data);
+ }
+
+@@ -2509,7 +2529,7 @@ MODULE_DEVICE_TABLE(pci, mlx4_pci_table)
+ static pci_ers_result_t mlx4_pci_err_detected(struct pci_dev *pdev,
+ pci_channel_state_t state)
+ {
+- mlx4_remove_one(pdev);
++ __mlx4_remove_one(pdev);
+
+ return state == pci_channel_io_perm_failure ?
+ PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET;
+@@ -2517,11 +2537,11 @@ static pci_ers_result_t mlx4_pci_err_det
+
+ static pci_ers_result_t mlx4_pci_slot_reset(struct pci_dev *pdev)
+ {
+- const struct pci_device_id *id;
+- int ret;
++ struct mlx4_dev *dev = pci_get_drvdata(pdev);
++ struct mlx4_priv *priv = mlx4_priv(dev);
++ int ret;
+
+- id = pci_match_id(mlx4_pci_table, pdev);
+- ret = __mlx4_init_one(pdev, id->driver_data);
++ ret = __mlx4_init_one(pdev, priv->pci_dev_data);
+
+ return ret ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
+ }
+--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h
++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+@@ -743,6 +743,7 @@ struct mlx4_priv {
+ spinlock_t ctx_lock;
+
+ int pci_dev_data;
++ int removed;
+
+ struct list_head pgdir_list;
+ struct mutex pgdir_mutex;
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 23 Apr 2014 14:26:25 -0700
+Subject: net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit a53b72c83a4216f2eb883ed45a0cbce014b8e62d ]
+
+The permission check in sock_diag_put_filterinfo is wrong, and it is so removed
+from it's sources it is not clear why it is wrong. Move the computation
+into packet_diag_dump and pass a bool of the result into sock_diag_filterinfo.
+
+This does not yet correct the capability check but instead simply moves it to make
+it clear what is going on.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sock_diag.h | 2 +-
+ net/core/sock_diag.c | 4 ++--
+ net/packet/diag.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/include/linux/sock_diag.h
++++ b/include/linux/sock_diag.h
+@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u
+ void sock_diag_save_cookie(void *sk, __u32 *cookie);
+
+ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+-int sock_diag_put_filterinfo(struct sock *sk,
++int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk,
+ struct sk_buff *skb, int attrtype);
+
+ #endif
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *s
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
+
+-int sock_diag_put_filterinfo(struct sock *sk,
++int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk,
+ struct sk_buff *skb, int attrtype)
+ {
+ struct nlattr *attr;
+@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct sock
+ unsigned int len;
+ int err = 0;
+
+- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
++ if (!may_report_filterinfo) {
+ nla_reserve(skb, attrtype, 0);
+ return 0;
+ }
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -127,6 +127,7 @@ static int pdiag_put_fanout(struct packe
+
+ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+ struct packet_diag_req *req,
++ bool may_report_filterinfo,
+ struct user_namespace *user_ns,
+ u32 portid, u32 seq, u32 flags, int sk_ino)
+ {
+@@ -171,7 +172,8 @@ static int sk_diag_fill(struct sock *sk,
+ goto out_nlmsg_trim;
+
+ if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+- sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
++ sock_diag_put_filterinfo(may_report_filterinfo, sk, skb,
++ PACKET_DIAG_FILTER))
+ goto out_nlmsg_trim;
+
+ return nlmsg_end(skb, nlh);
+@@ -187,9 +189,11 @@ static int packet_diag_dump(struct sk_bu
+ struct packet_diag_req *req;
+ struct net *net;
+ struct sock *sk;
++ bool may_report_filterinfo;
+
+ net = sock_net(skb->sk);
+ req = nlmsg_data(cb->nlh);
++ may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN);
+
+ mutex_lock(&net->packet.sklist_lock);
+ sk_for_each(sk, &net->packet.sklist) {
+@@ -199,6 +203,7 @@ static int packet_diag_dump(struct sk_bu
+ goto next;
+
+ if (sk_diag_fill(sk, skb, req,
++ may_report_filterinfo,
+ sk_user_ns(NETLINK_CB(cb->skb).sk),
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, NLM_F_MULTI,
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 6 Jun 2014 17:27:59 +0200
+Subject: net: qmi_wwan: add Olivetti Olicard modems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit ba6de0f5304ccdc45ae260e7e0feb6e0ef2dd558 ]
+
+Lars writes: "I'm only 99% sure that the net interfaces are qmi
+interfaces, nothing to lose by adding them in my opinion."
+
+And I tend to agree based on the similarity with the two Olicard
+modems we already have here.
+
+Reported-by: Lars Melin <larsm17@gmail.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -739,7 +739,12 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+- {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc004, 6)}, /* Olivetti Olicard 155 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc00a, 6)}, /* Olivetti Olicard 160 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
+ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Tom Gundersen <teg@jklm.no>
+Date: Thu, 15 May 2014 23:21:30 +0200
+Subject: net: tunnels - enable module autoloading
+
+From: Tom Gundersen <teg@jklm.no>
+
+[ Upstream commit f98f89a0104454f35a62d681683c844f6dbf4043 ]
+
+Enable the module alias hookup to allow tunnel modules to be autoloaded on demand.
+
+This is in line with how most other netdev kinds work, and will allow userspace
+to create tunnels without having CAP_SYS_MODULE.
+
+Signed-off-by: Tom Gundersen <teg@jklm.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipip.c | 1 +
+ net/ipv6/ip6_tunnel.c | 1 +
+ net/ipv6/sit.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -483,4 +483,5 @@ static void __exit ipip_fini(void)
+ module_init(ipip_init);
+ module_exit(ipip_fini);
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_RTNL_LINK("ipip");
+ MODULE_ALIAS_NETDEV("tunl0");
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -61,6 +61,7 @@
+ MODULE_AUTHOR("Ville Nuorvala");
+ MODULE_DESCRIPTION("IPv6 tunneling device");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_RTNL_LINK("ip6tnl");
+ MODULE_ALIAS_NETDEV("ip6tnl0");
+
+ #ifdef IP6_TNL_DEBUG
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1654,4 +1654,5 @@ xfrm_tunnel_failed:
+ module_init(sit_init);
+ module_exit(sit_cleanup);
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_RTNL_LINK("sit");
+ MODULE_ALIAS_NETDEV("sit0");
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 23 Apr 2014 14:29:27 -0700
+Subject: net: Use netlink_ns_capable to verify the permisions of netlink messages
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit 90f62cf30a78721641e08737bda787552428061e ]
+
+It is possible by passing a netlink socket to a more privileged
+executable and then to fool that executable into writing to the socket
+data that happens to be valid netlink message to do something that
+privileged executable did not intend to do.
+
+To keep this from happening replace bare capable and ns_capable calls
+with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
+Which act the same as the previous calls except they verify that the
+opener of the socket had the desired permissions as well.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/crypto_user.c | 2 +-
+ drivers/connector/cn_proc.c | 2 +-
+ drivers/scsi/scsi_netlink.c | 2 +-
+ kernel/audit.c | 4 ++--
+ net/can/gw.c | 4 ++--
+ net/core/rtnetlink.c | 20 +++++++++++---------
+ net/dcb/dcbnl.c | 2 +-
+ net/decnet/dn_dev.c | 4 ++--
+ net/decnet/dn_fib.c | 4 ++--
+ net/decnet/netfilter/dn_rtmsg.c | 2 +-
+ net/netfilter/nfnetlink.c | 2 +-
+ net/netlink/genetlink.c | 2 +-
+ net/packet/diag.c | 2 +-
+ net/phonet/pn_netlink.c | 8 ++++----
+ net/sched/act_api.c | 2 +-
+ net/sched/cls_api.c | 2 +-
+ net/sched/sch_api.c | 6 +++---
+ net/tipc/netlink.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ 19 files changed, 38 insertions(+), 36 deletions(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -466,7 +466,7 @@ static int crypto_user_rcv_msg(struct sk
+ type -= CRYPTO_MSG_BASE;
+ link = &crypto_dispatch[type];
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -369,7 +369,7 @@ static void cn_proc_mcast_ctl(struct cn_
+ return;
+
+ /* Can only change if privileged. */
+- if (!capable(CAP_NET_ADMIN)) {
++ if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) {
+ err = EPERM;
+ goto out;
+ }
+--- a/drivers/scsi/scsi_netlink.c
++++ b/drivers/scsi/scsi_netlink.c
+@@ -77,7 +77,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
+ goto next_msg;
+ }
+
+- if (!capable(CAP_SYS_ADMIN)) {
++ if (!netlink_capable(skb, CAP_SYS_ADMIN)) {
+ err = -EPERM;
+ goto next_msg;
+ }
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -593,13 +593,13 @@ static int audit_netlink_ok(struct sk_bu
+ case AUDIT_TTY_SET:
+ case AUDIT_TRIM:
+ case AUDIT_MAKE_EQUIV:
+- if (!capable(CAP_AUDIT_CONTROL))
++ if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
+ err = -EPERM;
+ break;
+ case AUDIT_USER:
+ case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
+ case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
+- if (!capable(CAP_AUDIT_WRITE))
++ if (!netlink_capable(skb, CAP_AUDIT_WRITE))
+ err = -EPERM;
+ break;
+ default: /* bad msg */
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -784,7 +784,7 @@ static int cgw_create_job(struct sk_buff
+ struct cgw_job *gwj;
+ int err = 0;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (nlmsg_len(nlh) < sizeof(*r))
+@@ -876,7 +876,7 @@ static int cgw_remove_job(struct sk_buff
+ struct can_can_gw ccgw;
+ int err = 0;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (nlmsg_len(nlh) < sizeof(*r))
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1294,7 +1294,8 @@ static int do_set_master(struct net_devi
+ return 0;
+ }
+
+-static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
++static int do_setlink(const struct sk_buff *skb,
++ struct net_device *dev, struct ifinfomsg *ifm,
+ struct nlattr **tb, char *ifname, int modified)
+ {
+ const struct net_device_ops *ops = dev->netdev_ops;
+@@ -1306,7 +1307,7 @@ static int do_setlink(struct net_device
+ err = PTR_ERR(net);
+ goto errout;
+ }
+- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
++ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
+ err = -EPERM;
+ goto errout;
+ }
+@@ -1560,7 +1561,7 @@ static int rtnl_setlink(struct sk_buff *
+ if (err < 0)
+ goto errout;
+
+- err = do_setlink(dev, ifm, tb, ifname, 0);
++ err = do_setlink(skb, dev, ifm, tb, ifname, 0);
+ errout:
+ return err;
+ }
+@@ -1678,7 +1679,8 @@ err:
+ }
+ EXPORT_SYMBOL(rtnl_create_link);
+
+-static int rtnl_group_changelink(struct net *net, int group,
++static int rtnl_group_changelink(const struct sk_buff *skb,
++ struct net *net, int group,
+ struct ifinfomsg *ifm,
+ struct nlattr **tb)
+ {
+@@ -1687,7 +1689,7 @@ static int rtnl_group_changelink(struct
+
+ for_each_netdev(net, dev) {
+ if (dev->group == group) {
+- err = do_setlink(dev, ifm, tb, NULL, 0);
++ err = do_setlink(skb, dev, ifm, tb, NULL, 0);
+ if (err < 0)
+ return err;
+ }
+@@ -1789,12 +1791,12 @@ replay:
+ modified = 1;
+ }
+
+- return do_setlink(dev, ifm, tb, ifname, modified);
++ return do_setlink(skb, dev, ifm, tb, ifname, modified);
+ }
+
+ if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
+ if (ifm->ifi_index == 0 && tb[IFLA_GROUP])
+- return rtnl_group_changelink(net,
++ return rtnl_group_changelink(skb, net,
+ nla_get_u32(tb[IFLA_GROUP]),
+ ifm, tb);
+ return -ENODEV;
+@@ -2179,7 +2181,7 @@ static int rtnl_fdb_del(struct sk_buff *
+ int err = -EINVAL;
+ __u8 *addr;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL);
+@@ -2635,7 +2637,7 @@ static int rtnetlink_rcv_msg(struct sk_b
+ sz_idx = type>>2;
+ kind = type&3;
+
+- if (kind != 2 && !ns_capable(net->user_ns, CAP_NET_ADMIN))
++ if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1670,7 +1670,7 @@ static int dcb_doit(struct sk_buff *skb,
+ struct nlmsghdr *reply_nlh = NULL;
+ const struct reply_func *fn;
+
+- if ((nlh->nlmsg_type == RTM_SETDCB) && !capable(CAP_NET_ADMIN))
++ if ((nlh->nlmsg_type == RTM_SETDCB) && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ ret = nlmsg_parse(nlh, sizeof(*dcb), tb, DCB_ATTR_MAX,
+--- a/net/decnet/dn_dev.c
++++ b/net/decnet/dn_dev.c
+@@ -573,7 +573,7 @@ static int dn_nl_deladdr(struct sk_buff
+ struct dn_ifaddr __rcu **ifap;
+ int err = -EINVAL;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!net_eq(net, &init_net))
+@@ -617,7 +617,7 @@ static int dn_nl_newaddr(struct sk_buff
+ struct dn_ifaddr *ifa;
+ int err;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!net_eq(net, &init_net))
+--- a/net/decnet/dn_fib.c
++++ b/net/decnet/dn_fib.c
+@@ -505,7 +505,7 @@ static int dn_fib_rtm_delroute(struct sk
+ struct nlattr *attrs[RTA_MAX+1];
+ int err;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!net_eq(net, &init_net))
+@@ -530,7 +530,7 @@ static int dn_fib_rtm_newroute(struct sk
+ struct nlattr *attrs[RTA_MAX+1];
+ int err;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!net_eq(net, &init_net))
+--- a/net/decnet/netfilter/dn_rtmsg.c
++++ b/net/decnet/netfilter/dn_rtmsg.c
+@@ -107,7 +107,7 @@ static inline void dnrmg_receive_user_sk
+ if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+ return;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ RCV_SKB_FAIL(-EPERM);
+
+ /* Eventually we might send routing messages too */
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -147,7 +147,7 @@ static int nfnetlink_rcv_msg(struct sk_b
+ const struct nfnetlink_subsystem *ss;
+ int type, err;
+
+- if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
++ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ /* All the messages must at least contain nfgenmsg */
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -592,7 +592,7 @@ static int genl_family_rcv_msg(struct ge
+ return -EOPNOTSUPP;
+
+ if ((ops->flags & GENL_ADMIN_PERM) &&
+- !capable(CAP_NET_ADMIN))
++ !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -193,7 +193,7 @@ static int packet_diag_dump(struct sk_bu
+
+ net = sock_net(skb->sk);
+ req = nlmsg_data(cb->nlh);
+- may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN);
++ may_report_filterinfo = netlink_net_capable(cb->skb, CAP_NET_ADMIN);
+
+ mutex_lock(&net->packet.sklist_lock);
+ sk_for_each(sk, &net->packet.sklist) {
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -70,10 +70,10 @@ static int addr_doit(struct sk_buff *skb
+ int err;
+ u8 pnaddr;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!netlink_capable(skb, CAP_SYS_ADMIN))
+ return -EPERM;
+
+ ASSERT_RTNL();
+@@ -233,10 +233,10 @@ static int route_doit(struct sk_buff *sk
+ int err;
+ u8 dst;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!netlink_capable(skb, CAP_SYS_ADMIN))
+ return -EPERM;
+
+ ASSERT_RTNL();
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -989,7 +989,7 @@ static int tc_ctl_action(struct sk_buff
+ u32 portid = skb ? NETLINK_CB(skb).portid : 0;
+ int ret = 0, ovr = 0;
+
+- if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN))
++ if ((n->nlmsg_type != RTM_GETACTION) && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL);
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -138,7 +138,7 @@ static int tc_ctl_tfilter(struct sk_buff
+ int err;
+ int tp_created = 0;
+
+- if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN))
++ if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ replay:
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1024,7 +1024,7 @@ static int tc_get_qdisc(struct sk_buff *
+ struct Qdisc *p = NULL;
+ int err;
+
+- if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN))
++ if ((n->nlmsg_type != RTM_GETQDISC) && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
+@@ -1091,7 +1091,7 @@ static int tc_modify_qdisc(struct sk_buf
+ struct Qdisc *q, *p;
+ int err;
+
+- if (!capable(CAP_NET_ADMIN))
++ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ replay:
+@@ -1431,7 +1431,7 @@ static int tc_ctl_tclass(struct sk_buff
+ u32 qid;
+ int err;
+
+- if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN))
++ if ((n->nlmsg_type != RTM_GETTCLASS) && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -47,7 +47,7 @@ static int handle_cmd(struct sk_buff *sk
+ int hdr_space = nlmsg_total_size(GENL_HDRLEN + TIPC_GENL_HDRLEN);
+ u16 cmd;
+
+- if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))
++ if ((req_userhdr->cmd & 0xC000) && (!netlink_capable(skb, CAP_NET_ADMIN)))
+ cmd = TIPC_CMD_NOT_NET_ADMIN;
+ else
+ cmd = req_userhdr->cmd;
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2362,7 +2362,7 @@ static int xfrm_user_rcv_msg(struct sk_b
+ link = &xfrm_dispatch[type];
+
+ /* All operations require privileges, even GET */
+- if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
++ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 30 May 2014 11:04:00 -0700
+Subject: netlink: Only check file credentials for implicit destinations
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit 2d7a85f4b06e9c27ff629f07a524c48074f07f81 ]
+
+It was possible to get a setuid root or setcap executable to write to
+it's stdout or stderr (which has been set made a netlink socket) and
+inadvertently reconfigure the networking stack.
+
+To prevent this we check that both the creator of the socket and
+the currentl applications has permission to reconfigure the network
+stack.
+
+Unfortunately this breaks Zebra which always uses sendto/sendmsg
+and creates it's socket without any privileges.
+
+To keep Zebra working don't bother checking if the creator of the
+socket has privilege when a destination address is specified. Instead
+rely exclusively on the privileges of the sender of the socket.
+
+Note from Andy: This is exactly Eric's code except for some comment
+clarifications and formatting fixes. Neither I nor, I think, anyone
+else is thrilled with this approach, but I'm hesitant to wait on a
+better fix since 3.15 is almost here.
+
+Note to stable maintainers: This is a mess. An earlier series of
+patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
+but they did so in a way that breaks Zebra. The offending series
+includes:
+
+ commit aa4cf9452f469f16cea8c96283b641b4576d4a7b
+ Author: Eric W. Biederman <ebiederm@xmission.com>
+ Date: Wed Apr 23 14:28:03 2014 -0700
+
+ net: Add variants of capable for use on netlink messages
+
+If a given kernel version is missing that series of fixes, it's
+probably worth backporting it and this patch. if that series is
+present, then this fix is critical if you care about Zebra.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netlink.h | 7 ++++---
+ net/netlink/af_netlink.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netlink.h
++++ b/include/linux/netlink.h
+@@ -16,9 +16,10 @@ static inline struct nlmsghdr *nlmsg_hdr
+ }
+
+ enum netlink_skb_flags {
+- NETLINK_SKB_MMAPED = 0x1, /* Packet data is mmaped */
+- NETLINK_SKB_TX = 0x2, /* Packet was sent by userspace */
+- NETLINK_SKB_DELIVERED = 0x4, /* Packet was delivered */
++ NETLINK_SKB_MMAPED = 0x1, /* Packet data is mmaped */
++ NETLINK_SKB_TX = 0x2, /* Packet was sent by userspace */
++ NETLINK_SKB_DELIVERED = 0x4, /* Packet was delivered */
++ NETLINK_SKB_DST = 0x8, /* Dst set in sendto or sendmsg */
+ };
+
+ struct netlink_skb_parms {
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1232,7 +1232,9 @@ retry:
+ bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+ struct user_namespace *user_ns, int cap)
+ {
+- return sk_ns_capable(nsp->sk, user_ns, cap);
++ return ((nsp->flags & NETLINK_SKB_DST) ||
++ file_ns_capable(nsp->sk->sk_socket->file, user_ns, cap)) &&
++ ns_capable(user_ns, cap);
+ }
+ EXPORT_SYMBOL(__netlink_ns_capable);
+
+@@ -2118,6 +2120,7 @@ static int netlink_sendmsg(struct kiocb
+ struct sk_buff *skb;
+ int err;
+ struct scm_cookie scm;
++ u32 netlink_skb_flags = 0;
+
+ if (msg->msg_flags&MSG_OOB)
+ return -EOPNOTSUPP;
+@@ -2139,6 +2142,7 @@ static int netlink_sendmsg(struct kiocb
+ if ((dst_group || dst_portid) &&
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ goto out;
++ netlink_skb_flags |= NETLINK_SKB_DST;
+ } else {
+ dst_portid = nlk->dst_portid;
+ dst_group = nlk->dst_group;
+@@ -2168,6 +2172,7 @@ static int netlink_sendmsg(struct kiocb
+ NETLINK_CB(skb).portid = nlk->portid;
+ NETLINK_CB(skb).dst_group = dst_group;
+ NETLINK_CB(skb).creds = siocb->scm->creds;
++ NETLINK_CB(skb).flags = netlink_skb_flags;
+
+ err = -EFAULT;
+ if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon, 2 Jun 2014 18:25:02 +0200
+Subject: netlink: rate-limit leftover bytes warning and print process name
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit bfc5184b69cf9eeb286137640351c650c27f118a ]
+
+Any process is able to send netlink messages with leftover bytes.
+Make the warning rate-limited to prevent too much log spam.
+
+The warning is supposed to help find userspace bugs, so print the
+triggering command name to implicate the buggy program.
+
+[v2: Use pr_warn_ratelimited instead of printk_ratelimited.]
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/nlattr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -201,8 +201,8 @@ int nla_parse(struct nlattr **tb, int ma
+ }
+
+ if (unlikely(rem > 0))
+- printk(KERN_WARNING "netlink: %d bytes leftover after parsing "
+- "attributes.\n", rem);
++ pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n",
++ rem, current->comm);
+
+ err = 0;
+ errout:
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 23 Apr 2014 14:25:48 -0700
+Subject: netlink: Rename netlink_capable netlink_allowed
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit 5187cd055b6e81fc6526109456f8b20623148d5f ]
+
+netlink_capable is a static internal function in af_netlink.c and we
+have better uses for the name netlink_capable.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1219,7 +1219,7 @@ retry:
+ return err;
+ }
+
+-static inline int netlink_capable(const struct socket *sock, unsigned int flag)
++static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
+ {
+ return (nl_table[sock->sk->sk_protocol].flags & flag) ||
+ ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
+@@ -1287,7 +1287,7 @@ static int netlink_bind(struct socket *s
+
+ /* Only superuser is allowed to listen multicasts */
+ if (nladdr->nl_groups) {
+- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
++ if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
+ return -EPERM;
+ err = netlink_realloc_groups(sk);
+ if (err)
+@@ -1349,7 +1349,7 @@ static int netlink_connect(struct socket
+ return -EINVAL;
+
+ /* Only superuser is allowed to send multicasts */
+- if (nladdr->nl_groups && !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
++ if (nladdr->nl_groups && !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
+
+ if (!nlk->portid)
+@@ -1921,7 +1921,7 @@ static int netlink_setsockopt(struct soc
+ break;
+ case NETLINK_ADD_MEMBERSHIP:
+ case NETLINK_DROP_MEMBERSHIP: {
+- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
++ if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
+ return -EPERM;
+ err = netlink_realloc_groups(sk);
+ if (err)
+@@ -2072,7 +2072,7 @@ static int netlink_sendmsg(struct kiocb
+ dst_group = ffs(addr->nl_groups);
+ err = -EPERM;
+ if ((dst_group || dst_portid) &&
+- !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
++ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ goto out;
+ } else {
+ dst_portid = nlk->dst_portid;
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Wed, 28 May 2014 14:15:19 +0200
+Subject: rtnetlink: fix userspace API breakage for iproute2 < v3.9.0
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit e5eca6d41f53db48edd8cf88a3f59d2c30227f8e ]
+
+When running RHEL6 userspace on a current upstream kernel, "ip link"
+fails to show VF information.
+
+The reason is a kernel<->userspace API change introduced by commit
+88c5b5ce5cb57 ("rtnetlink: Call nlmsg_parse() with correct header length"),
+after which the kernel does not see iproute2's IFLA_EXT_MASK attribute
+in the netlink request.
+
+iproute2 adjusted for the API change in its commit 63338dca4513
+("libnetlink: Use ifinfomsg instead of rtgenmsg in rtnl_wilddump_req_filter").
+
+The problem has been noticed before:
+http://marc.info/?l=linux-netdev&m=136692296022182&w=2
+(Subject: Re: getting VF link info seems to be broken in 3.9-rc8)
+
+We can do better than tell those with old userspace to upgrade. We can
+recognize the old iproute2 in the kernel by checking the netlink message
+length. Even when including the IFLA_EXT_MASK attribute, its netlink
+message is shorter than struct ifinfomsg.
+
+With this patch "ip link" shows VF information in both old and new
+iproute2 versions.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1044,6 +1044,7 @@ static int rtnl_dump_ifinfo(struct sk_bu
+ struct nlattr *tb[IFLA_MAX+1];
+ u32 ext_filter_mask = 0;
+ int err;
++ int hdrlen;
+
+ s_h = cb->args[0];
+ s_idx = cb->args[1];
+@@ -1051,8 +1052,17 @@ static int rtnl_dump_ifinfo(struct sk_bu
+ rcu_read_lock();
+ cb->seq = net->dev_base_seq;
+
+- if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+- ifla_policy) >= 0) {
++ /* A hack to preserve kernel<->userspace interface.
++ * The correct header is ifinfomsg. It is consistent with rtnl_getlink.
++ * However, before Linux v3.9 the code here assumed rtgenmsg and that's
++ * what iproute2 < v3.9.0 used.
++ * We can detect the old iproute2. Even including the IFLA_EXT_MASK
++ * attribute, its netlink message is shorter than struct ifinfomsg.
++ */
++ hdrlen = nlmsg_len(cb->nlh) < sizeof(struct ifinfomsg) ?
++ sizeof(struct rtgenmsg) : sizeof(struct ifinfomsg);
++
++ if (nlmsg_parse(cb->nlh, hdrlen, tb, IFLA_MAX, ifla_policy) >= 0) {
+
+ if (tb[IFLA_EXT_MASK])
+ ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
+@@ -1907,9 +1917,13 @@ static u16 rtnl_calcit(struct sk_buff *s
+ struct nlattr *tb[IFLA_MAX+1];
+ u32 ext_filter_mask = 0;
+ u16 min_ifinfo_dump_size = 0;
++ int hdrlen;
++
++ /* Same kernel<->userspace interface hack as in rtnl_dump_ifinfo. */
++ hdrlen = nlmsg_len(nlh) < sizeof(struct ifinfomsg) ?
++ sizeof(struct rtgenmsg) : sizeof(struct ifinfomsg);
+
+- if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
+- ifla_policy) >= 0) {
++ if (nlmsg_parse(nlh, hdrlen, tb, IFLA_MAX, ifla_policy) >= 0) {
+ if (tb[IFLA_EXT_MASK])
+ ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
+ }
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: sctp: Fix sk_ack_backlog wrap-around problem
+
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+
+[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
+
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+
+Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -387,7 +387,7 @@ void sctp_association_free(struct sctp_a
+ /* Only real associations count against the endpoint, so
+ * don't bother for if this is a temporary association.
+ */
+- if (!asoc->temp) {
++ if (!list_empty(&asoc->asocs)) {
+ list_del(&asoc->asocs);
+
+ /* Decrement the backlog value for a TCP-style listening
iscsi-target-reject-mutual-authentication-with-reflected-chap_c.patch
ima-introduce-ima_kernel_read.patch
evm-prohibit-userspace-writing-security.evm-hmac-value.patch
+netlink-rename-netlink_capable-netlink_allowed.patch
+net-move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch
+net-add-variants-of-capable-for-use-on-on-sockets.patch
+net-add-variants-of-capable-for-use-on-netlink-messages.patch
+net-use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch
+netlink-only-check-file-credentials-for-implicit-destinations.patch
+netlink-rate-limit-leftover-bytes-warning-and-print-process-name.patch
+net-tunnels-enable-module-autoloading.patch
+net-fix-inet_getid-and-ipv6_select_ident-bugs.patch
+team-fix-mtu-setting.patch
+tcp-fix-cwnd-undo-on-dsack-in-f-rto.patch
+net-filter-fix-typo-in-sparc-bpf-jit.patch
+net-filter-fix-sparc32-typo.patch
+net-qmi_wwan-add-olivetti-olicard-modems.patch
+net-force-a-list_del-in-unregister_netdevice_many.patch
+ipip-sit-fix-ipv4_-update_pmtu-redirect-calls.patch
+ipv4-fix-a-race-in-ip4_datagram_release_cb.patch
+sctp-fix-sk_ack_backlog-wrap-around-problem.patch
+rtnetlink-fix-userspace-api-breakage-for-iproute2-v3.9.0.patch
+vxlan-use-dev-needed_headroom-instead-of-dev-hard_header_len.patch
+net-mlx4_core-pass-pci_device_id.driver_data-to-__mlx4_init_one-during-reset.patch
+net-mlx4_core-preserve-pci_dev_data-after-__mlx4_remove_one.patch
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Yuchung Cheng <ycheng@google.com>
+Date: Fri, 30 May 2014 15:25:59 -0700
+Subject: tcp: fix cwnd undo on DSACK in F-RTO
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit 0cfa5c07d6d1d7f8e710fc671c5ba1ce85e09fa4 ]
+
+This bug is discovered by an recent F-RTO issue on tcpm list
+https://www.ietf.org/mail-archive/web/tcpm/current/msg08794.html
+
+The bug is that currently F-RTO does not use DSACK to undo cwnd in
+certain cases: upon receiving an ACK after the RTO retransmission in
+F-RTO, and the ACK has DSACK indicating the retransmission is spurious,
+the sender only calls tcp_try_undo_loss() if some never retransmisted
+data is sacked (FLAG_ORIG_DATA_SACKED).
+
+The correct behavior is to unconditionally call tcp_try_undo_loss so
+the DSACK information is used properly to undo the cwnd reduction.
+
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2720,13 +2720,12 @@ static void tcp_process_loss(struct sock
+ bool recovered = !before(tp->snd_una, tp->high_seq);
+
+ if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
+- if (flag & FLAG_ORIG_SACK_ACKED) {
+- /* Step 3.b. A timeout is spurious if not all data are
+- * lost, i.e., never-retransmitted data are (s)acked.
+- */
+- tcp_try_undo_loss(sk, true);
++ /* Step 3.b. A timeout is spurious if not all data are
++ * lost, i.e., never-retransmitted data are (s)acked.
++ */
++ if (tcp_try_undo_loss(sk, flag & FLAG_ORIG_SACK_ACKED))
+ return;
+- }
++
+ if (after(tp->snd_nxt, tp->high_seq) &&
+ (flag & FLAG_DATA_SACKED || is_dupack)) {
+ tp->frto = 0; /* Loss was real: 2nd part of step 3.a */
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Jiri Pirko <jiri@resnulli.us>
+Date: Thu, 29 May 2014 20:46:17 +0200
+Subject: team: fix mtu setting
+
+From: Jiri Pirko <jiri@resnulli.us>
+
+[ Upstream commit 9d0d68faea6962d62dd501cd6e71ce5cc8ed262b ]
+
+Now it is not possible to set mtu to team device which has a port
+enslaved to it. The reason is that when team_change_mtu() calls
+dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU
+event is called and team_device_event() returns NOTIFY_BAD forbidding
+the change. So fix this by returning NOTIFY_DONE here in case team is
+changing mtu in team_change_mtu().
+
+Introduced-by: 3d249d4c "net: introduce ethernet teaming device"
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Acked-by: Flavio Leitner <fbl@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 7 ++++++-
+ include/linux/if_team.h | 1 +
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1542,6 +1542,7 @@ static int team_change_mtu(struct net_de
+ * to traverse list in reverse under rcu_read_lock
+ */
+ mutex_lock(&team->lock);
++ team->port_mtu_change_allowed = true;
+ list_for_each_entry(port, &team->port_list, list) {
+ err = dev_set_mtu(port->dev, new_mtu);
+ if (err) {
+@@ -1550,6 +1551,7 @@ static int team_change_mtu(struct net_de
+ goto unwind;
+ }
+ }
++ team->port_mtu_change_allowed = false;
+ mutex_unlock(&team->lock);
+
+ dev->mtu = new_mtu;
+@@ -1559,6 +1561,7 @@ static int team_change_mtu(struct net_de
+ unwind:
+ list_for_each_entry_continue_reverse(port, &team->port_list, list)
+ dev_set_mtu(port->dev, dev->mtu);
++ team->port_mtu_change_allowed = false;
+ mutex_unlock(&team->lock);
+
+ return err;
+@@ -2678,7 +2681,9 @@ static int team_device_event(struct noti
+ break;
+ case NETDEV_CHANGEMTU:
+ /* Forbid to change mtu of underlaying device */
+- return NOTIFY_BAD;
++ if (!port->team->port_mtu_change_allowed)
++ return NOTIFY_BAD;
++ break;
+ case NETDEV_PRE_TYPE_CHANGE:
+ /* Forbid to change type of underlaying device */
+ return NOTIFY_BAD;
+--- a/include/linux/if_team.h
++++ b/include/linux/if_team.h
+@@ -193,6 +193,7 @@ struct team {
+ bool user_carrier_enabled;
+ bool queue_override_enabled;
+ struct list_head *qom_lists; /* array of queue override mapping lists */
++ bool port_mtu_change_allowed;
+ long mode_priv[TEAM_MODE_PRIV_LONGS];
+ };
+
--- /dev/null
+From foo@baz Wed Jun 18 20:08:21 PDT 2014
+From: Cong Wang <cwang@twopensource.com>
+Date: Thu, 12 Jun 2014 11:53:10 -0700
+Subject: vxlan: use dev->needed_headroom instead of dev->hard_header_len
+
+From: Cong Wang <cwang@twopensource.com>
+
+[ Upstream commit 2853af6a2ea1a8ed09b09dd4fb578e7f435e8d34 ]
+
+When we mirror packets from a vxlan tunnel to other device,
+the mirror device should see the same packets (that is, without
+outer header). Because vxlan tunnel sets dev->hard_header_len,
+tcf_mirred() resets mac header back to outer mac, the mirror device
+actually sees packets with outer headers
+
+Vxlan tunnel should set dev->needed_headroom instead of
+dev->hard_header_len, like what other ip tunnels do. This fixes
+the above problem.
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: stephen hemminger <stephen@networkplumber.org>
+Cc: Pravin B Shelar <pshelar@nicira.com>
+Signed-off-by: Cong Wang <cwang@twopensource.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1314,7 +1314,7 @@ static void vxlan_setup(struct net_devic
+
+ eth_hw_addr_random(dev);
+ ether_setup(dev);
+- dev->hard_header_len = ETH_HLEN + VXLAN_HEADROOM;
++ dev->needed_headroom = ETH_HLEN + VXLAN_HEADROOM;
+
+ dev->netdev_ops = &vxlan_netdev_ops;
+ dev->destructor = vxlan_free;
+@@ -1454,7 +1454,7 @@ static int vxlan_newlink(struct net *net
+ dev->mtu = lowerdev->mtu - VXLAN_HEADROOM;
+
+ /* update header length based on lower device */
+- dev->hard_header_len = lowerdev->hard_header_len +
++ dev->needed_headroom = lowerdev->hard_header_len +
+ VXLAN_HEADROOM;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
