--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 3 Mar 2014 20:18:36 +0800
+Subject: ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL pointer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 10ddceb22bab11dab10ba645c7df2e4a8e7a5db5 ]
+
+when ip_tunnel process multicast packets, it may check if the packet is looped
+back packet though 'rt_is_output_route(skb_rtable(skb))' in ip_tunnel_rcv(),
+but before that , skb->_skb_refdst has been dropped in iptunnel_pull_header(),
+so which leads to a panic.
+
+fix the bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel_core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -109,7 +109,6 @@ int iptunnel_pull_header(struct sk_buff
+ secpath_reset(skb);
+ if (!skb->l4_rxhash)
+ skb->rxhash = 0;
+- skb_dst_drop(skb);
+ skb->vlan_tci = 0;
+ skb_set_queue_mapping(skb, 0);
+ skb->pkt_type = PACKET_HOST;
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 24 Feb 2014 00:48:05 +0100
+Subject: ipv4: ipv6: better estimate tunnel header cut for correct ufo handling
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 91a48a2e85a3b70ce10ead34b4ab5347f8d215c9 ]
+
+Currently the UFO fragmentation process does not correctly handle inner
+UDP frames.
+
+(The following tcpdumps are captured on the parent interface with ufo
+disabled while tunnel has ufo enabled, 2000 bytes payload, mtu 1280,
+both sit device):
+
+IPv6:
+16:39:10.031613 IP (tos 0x0, ttl 64, id 3208, offset 0, flags [DF], proto IPv6 (41), length 1300)
+ 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 1240) 2001::1 > 2001::8: frag (0x00000001:0|1232) 44883 > distinct: UDP, length 2000
+16:39:10.031709 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPv6 (41), length 844)
+ 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 784) 2001::1 > 2001::8: frag (0x00000001:0|776) 58979 > 46366: UDP, length 5471
+
+We can see that fragmentation header offset is not correctly updated.
+(fragmentation id handling is corrected by 916e4cf46d0204 ("ipv6: reuse
+ip6_frag_id from ip6_ufo_append_data")).
+
+IPv4:
+16:39:57.737761 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPIP (4), length 1296)
+ 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57034, offset 0, flags [none], proto UDP (17), length 1276)
+ 192.168.99.1.35961 > 192.168.99.2.distinct: UDP, length 2000
+16:39:57.738028 IP (tos 0x0, ttl 64, id 3210, offset 0, flags [DF], proto IPIP (4), length 792)
+ 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57035, offset 0, flags [none], proto UDP (17), length 772)
+ 192.168.99.1.13531 > 192.168.99.2.20653: UDP, length 51109
+
+In this case fragmentation id is incremented and offset is not updated.
+
+First, I aligned inet_gso_segment and ipv6_gso_segment:
+* align naming of flags
+* ipv6_gso_segment: setting skb->encapsulation is unnecessary, as we
+ always ensure that the state of this flag is left untouched when
+ returning from upper gso segmenation function
+* ipv6_gso_segment: move skb_reset_inner_headers below updating the
+ fragmentation header data, we don't care for updating fragmentation
+ header data
+* remove currently unneeded comment indicating skb->encapsulation might
+ get changed by upper gso_segment callback (gre and udp-tunnel reset
+ encapsulation after segmentation on each fragment)
+
+If we encounter an IPIP or SIT gso skb we now check for the protocol ==
+IPPROTO_UDP and that we at least have already traversed another ip(6)
+protocol header.
+
+The reason why we have to special case GSO_IPIP and GSO_SIT is that
+we reset skb->encapsulation to 0 while skb_mac_gso_segment the inner
+protocol of GSO_UDP_TUNNEL or GSO_GRE packets.
+
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Tom Herbert <therbert@google.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c | 7 +++++--
+ net/ipv6/ip6_offload.c | 20 ++++++++++++--------
+ 2 files changed, 17 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1299,8 +1299,11 @@ static struct sk_buff *inet_gso_segment(
+
+ segs = ERR_PTR(-EPROTONOSUPPORT);
+
+- /* Note : following gso_segment() might change skb->encapsulation */
+- udpfrag = !skb->encapsulation && proto == IPPROTO_UDP;
++ if (skb->encapsulation &&
++ skb_shinfo(skb)->gso_type & (SKB_GSO_SIT|SKB_GSO_IPIP))
++ udpfrag = proto == IPPROTO_UDP && encap;
++ else
++ udpfrag = proto == IPPROTO_UDP && !skb->encapsulation;
+
+ ops = rcu_dereference(inet_offloads[proto]);
+ if (likely(ops && ops->callbacks.gso_segment))
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -89,7 +89,7 @@ static struct sk_buff *ipv6_gso_segment(
+ unsigned int unfrag_ip6hlen;
+ u8 *prevhdr;
+ int offset = 0;
+- bool tunnel;
++ bool encap, udpfrag;
+ int nhoff;
+
+ if (unlikely(skb_shinfo(skb)->gso_type &
+@@ -110,8 +110,8 @@ static struct sk_buff *ipv6_gso_segment(
+ if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
+ goto out;
+
+- tunnel = SKB_GSO_CB(skb)->encap_level > 0;
+- if (tunnel)
++ encap = SKB_GSO_CB(skb)->encap_level > 0;
++ if (encap)
+ features = skb->dev->hw_enc_features & netif_skb_features(skb);
+ SKB_GSO_CB(skb)->encap_level += sizeof(*ipv6h);
+
+@@ -121,6 +121,12 @@ static struct sk_buff *ipv6_gso_segment(
+
+ proto = ipv6_gso_pull_exthdrs(skb, ipv6h->nexthdr);
+
++ if (skb->encapsulation &&
++ skb_shinfo(skb)->gso_type & (SKB_GSO_SIT|SKB_GSO_IPIP))
++ udpfrag = proto == IPPROTO_UDP && encap;
++ else
++ udpfrag = proto == IPPROTO_UDP && !skb->encapsulation;
++
+ ops = rcu_dereference(inet6_offloads[proto]);
+ if (likely(ops && ops->callbacks.gso_segment)) {
+ skb_reset_transport_header(skb);
+@@ -133,13 +139,9 @@ static struct sk_buff *ipv6_gso_segment(
+ for (skb = segs; skb; skb = skb->next) {
+ ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff);
+ ipv6h->payload_len = htons(skb->len - nhoff - sizeof(*ipv6h));
+- if (tunnel) {
+- skb_reset_inner_headers(skb);
+- skb->encapsulation = 1;
+- }
+ skb->network_header = (u8 *)ipv6h - skb->head;
+
+- if (!tunnel && proto == IPPROTO_UDP) {
++ if (udpfrag) {
+ unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+ fptr->frag_off = htons(offset);
+@@ -148,6 +150,8 @@ static struct sk_buff *ipv6_gso_segment(
+ offset += (ntohs(ipv6h->payload_len) -
+ sizeof(struct frag_hdr));
+ }
++ if (encap)
++ skb_reset_inner_headers(skb);
+ }
+
+ out:
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Hans Schillstrom <hans@schillstrom.com>
+Date: Thu, 27 Feb 2014 12:57:58 +0100
+Subject: ipv6: ipv6_find_hdr restore prev functionality
+
+From: Hans Schillstrom <hans@schillstrom.com>
+
+[ Upstream commit accfe0e356327da5bd53da8852b93fc22de9b5fc ]
+
+The commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8 ("ipv6: improve
+ipv6_find_hdr() to skip empty routing headers") broke ipv6_find_hdr().
+
+When a target is specified like IPPROTO_ICMPV6 ipv6_find_hdr()
+returns -ENOENT when it's found, not the header as expected.
+
+A part of IPVS is broken and possible also nft_exthdr_eval().
+When target is -1 which it is most cases, it works.
+
+This patch exits the do while loop if the specific header is found
+so the nexthdr could be returned as expected.
+
+Reported-by: Art -kwaak- van Breemen <ard@telegraafnet.nl>
+Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
+CC:Ansis Atteka <aatteka@nicira.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -212,7 +212,7 @@ int ipv6_find_hdr(const struct sk_buff *
+ found = (nexthdr == target);
+
+ if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
+- if (target < 0)
++ if (target < 0 || found)
+ break;
+ return -ENOENT;
+ }
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 21 Feb 2014 02:55:35 +0100
+Subject: ipv6: reuse ip6_frag_id from ip6_ufo_append_data
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 916e4cf46d0204806c062c8c6c4d1f633852c5b6 ]
+
+Currently we generate a new fragmentation id on UFO segmentation. It
+is pretty hairy to identify the correct net namespace and dst there.
+Especially tunnels use IFF_XMIT_DST_RELEASE and thus have no skb_dst
+available at all.
+
+This causes unreliable or very predictable ipv6 fragmentation id
+generation while segmentation.
+
+Luckily we already have pregenerated the ip6_frag_id in
+ip6_ufo_append_data and can use it here.
+
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -113,7 +113,7 @@ static struct sk_buff *udp6_ufo_fragment
+ fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
+ fptr->nexthdr = nexthdr;
+ fptr->reserved = 0;
+- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
++ fptr->identification = skb_shinfo(skb)->ip6_frag_id;
+
+ /* Fragment the skb. ipv6 header and the remaining fields of the
+ * fragment header are updated in ipv6_gso_segment()
--- /dev/null
+From foo@baz Wed Mar 19 23:31:34 Local time zone must be set--see zic manual page 2014
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Mon, 3 Mar 2014 15:33:53 -0500
+Subject: macvlan: Add support for 'always_on' offload features
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit 8b4703e9bd1172a5f8244276ebb94302e6153e26 ]
+
+Macvlan currently inherits all of its features from the lower
+device. When lower device disables offload support, this causes
+macvlan to disable offload support as well. This causes
+performance regression when using macvlan/macvtap in bridge
+mode.
+
+It can be easily demonstrated by creating 2 namespaces using
+macvlan in bridge mode and running netperf between them:
+
+MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 16384 16384 20.00 1204.61
+
+To restore the performance, we add software offload features
+to the list of "always_on" features for macvlan. This way
+when a namespace or a guest using macvtap initially sends a
+packet, this packet will not be segmented at macvlan level.
+It will only be segmented when macvlan sends the packet
+to the lower device.
+
+MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 16384 16384 20.00 5507.35
+
+Fixes: 6acf54f1cf0a6747bac9fea26f34cfc5a9029523 (macvtap: Add support of packet capture on macvtap device.)
+Fixes: 797f87f83b60685ff8a13fa0572d2f10393c50d3 (macvlan: fix netdev feature propagation from lower device)
+CC: Florian Westphal <fw@strlen.de>
+CC: Christian Borntraeger <borntraeger@de.ibm.com>
+CC: Jason Wang <jasowang@redhat.com>
+CC: Michael S. Tsirkin <mst@redhat.com>
+Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -507,6 +507,9 @@ static int macvlan_change_mtu(struct net
+ static struct lock_class_key macvlan_netdev_xmit_lock_key;
+ static struct lock_class_key macvlan_netdev_addr_lock_key;
+
++#define ALWAYS_ON_FEATURES \
++ (NETIF_F_SG | NETIF_F_GEN_CSUM | NETIF_F_GSO_SOFTWARE | NETIF_F_LLTX)
++
+ #define MACVLAN_FEATURES \
+ (NETIF_F_SG | NETIF_F_ALL_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_UFO | NETIF_F_GSO_ROBUST | \
+@@ -540,7 +543,7 @@ static int macvlan_init(struct net_devic
+ dev->state = (dev->state & ~MACVLAN_STATE_MASK) |
+ (lowerdev->state & MACVLAN_STATE_MASK);
+ dev->features = lowerdev->features & MACVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX;
++ dev->features |= ALWAYS_ON_FEATURES;
+ dev->gso_max_size = lowerdev->gso_max_size;
+ dev->iflink = lowerdev->ifindex;
+ dev->hard_header_len = lowerdev->hard_header_len;
+@@ -700,7 +703,7 @@ static netdev_features_t macvlan_fix_fea
+ features = netdev_increment_features(vlan->lowerdev->features,
+ features,
+ mask);
+- features |= NETIF_F_LLTX;
++ features |= ALWAYS_ON_FEATURES;
+
+ return features;
+ }
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
+Date: Thu, 27 Feb 2014 17:14:41 +0800
+Subject: neigh: recompute reachabletime before returning from neigh_periodic_work()
+
+From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
+
+[ Upstream commit feff9ab2e7fa773b6a3965f77375fe89f7fd85cf ]
+
+If the neigh table's entries is less than gc_thresh1, the function
+will return directly, and the reachabletime will not be recompute,
+so the reachabletime can be guessed.
+
+Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -764,9 +764,6 @@ static void neigh_periodic_work(struct w
+ nht = rcu_dereference_protected(tbl->nht,
+ lockdep_is_held(&tbl->lock));
+
+- if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
+- goto out;
+-
+ /*
+ * periodically recompute ReachableTime from random function
+ */
+@@ -779,6 +776,9 @@ static void neigh_periodic_work(struct w
+ neigh_rand_reach_time(p->base_reachable_time);
+ }
+
++ if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
++ goto out;
++
+ for (i = 0 ; i < (1 << nht->hash_shift); i++) {
+ np = &nht->hash_buckets[i];
+
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon, 3 Mar 2014 17:23:04 +0100
+Subject: net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
+
+RFC4895 introduced AUTH chunks for SCTP; during the SCTP
+handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
+being optional though):
+
+ ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+ <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+ -------------------- COOKIE-ECHO -------------------->
+ <-------------------- COOKIE-ACK ---------------------
+
+A special case is when an endpoint requires COOKIE-ECHO
+chunks to be authenticated:
+
+ ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+ <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+ ------------------ AUTH; COOKIE-ECHO ---------------->
+ <-------------------- COOKIE-ACK ---------------------
+
+RFC4895, section 6.3. Receiving Authenticated Chunks says:
+
+ The receiver MUST use the HMAC algorithm indicated in
+ the HMAC Identifier field. If this algorithm was not
+ specified by the receiver in the HMAC-ALGO parameter in
+ the INIT or INIT-ACK chunk during association setup, the
+ AUTH chunk and all the chunks after it MUST be discarded
+ and an ERROR chunk SHOULD be sent with the error cause
+ defined in Section 4.1. [...] If no endpoint pair shared
+ key has been configured for that Shared Key Identifier,
+ all authenticated chunks MUST be silently discarded. [...]
+
+ When an endpoint requires COOKIE-ECHO chunks to be
+ authenticated, some special procedures have to be followed
+ because the reception of a COOKIE-ECHO chunk might result
+ in the creation of an SCTP association. If a packet arrives
+ containing an AUTH chunk as a first chunk, a COOKIE-ECHO
+ chunk as the second chunk, and possibly more chunks after
+ them, and the receiver does not have an STCB for that
+ packet, then authentication is based on the contents of
+ the COOKIE-ECHO chunk. In this situation, the receiver MUST
+ authenticate the chunks in the packet by using the RANDOM
+ parameters, CHUNKS parameters and HMAC_ALGO parameters
+ obtained from the COOKIE-ECHO chunk, and possibly a local
+ shared secret as inputs to the authentication procedure
+ specified in Section 6.3. If authentication fails, then
+ the packet is discarded. If the authentication is successful,
+ the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
+ MUST be processed. If the receiver has an STCB, it MUST
+ process the AUTH chunk as described above using the STCB
+ from the existing association to authenticate the
+ COOKIE-ECHO chunk and all the chunks after it. [...]
+
+Commit bbd0d59809f9 introduced the possibility to receive
+and verification of AUTH chunk, including the edge case for
+authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
+the function sctp_sf_do_5_1D_ce() handles processing,
+unpacks and creates a new association if it passed sanity
+checks and also tests for authentication chunks being
+present. After a new association has been processed, it
+invokes sctp_process_init() on the new association and
+walks through the parameter list it received from the INIT
+chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
+and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
+meta data (peer_random, peer_hmacs, peer_chunks) in case
+sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
+SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
+peer_random != NULL and peer_hmacs != NULL the peer is to be
+assumed asoc->peer.auth_capable=1, in any other case
+asoc->peer.auth_capable=0.
+
+Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
+available, we set up a fake auth chunk and pass that on to
+sctp_sf_authenticate(), which at latest in
+sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
+at position 0..0008 when setting up the crypto key in
+crypto_hash_setkey() by using asoc->asoc_shared_key that is
+NULL as condition key_id == asoc->active_key_id is true if
+the AUTH chunk was injected correctly from remote. This
+happens no matter what net.sctp.auth_enable sysctl says.
+
+The fix is to check for net->sctp.auth_enable and for
+asoc->peer.auth_capable before doing any operations like
+sctp_sf_authenticate() as no key is activated in
+sctp_auth_asoc_init_active_key() for each case.
+
+Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
+passed from the INIT chunk was not used in the AUTH chunk, we
+SHOULD send an error; however in this case it would be better
+to just silently discard such a maliciously prepared handshake
+as we didn't even receive a parameter at all. Also, as our
+endpoint has no shared key configured, section 6.3 says that
+MUST silently discard, which we are doing from now onwards.
+
+Before calling sctp_sf_pdiscard(), we need not only to free
+the association, but also the chunk->auth_chunk skb, as
+commit bbd0d59809f9 created a skb clone in that case.
+
+I have tested this locally by using netfilter's nfqueue and
+re-injecting packets into the local stack after maliciously
+modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
+and the SCTP packet containing the COOKIE_ECHO (injecting
+AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
+
+Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Vlad Yasevich <yasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_statefuns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(st
+ struct sctp_chunk auth;
+ sctp_ierror_t ret;
+
++ /* Make sure that we and the peer are AUTH capable */
++ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++ kfree_skb(chunk->auth_chunk);
++ sctp_association_free(new_asoc);
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++ }
++
+ /* set-up our fake chunk so that we can process it */
+ auth.skb = chunk->auth_chunk;
+ auth.asoc = chunk->asoc;
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 20 Feb 2014 10:09:18 -0800
+Subject: net-tcp: fastopen: fix high order allocations
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f5ddcbbb40aa0ba7fbfe22355d287603dbeeaaac ]
+
+This patch fixes two bugs in fastopen :
+
+1) The tcp_sendmsg(..., @size) argument was ignored.
+
+ Code was relying on user not fooling the kernel with iovec mismatches
+
+2) When MTU is about 64KB, tcp_send_syn_data() attempts order-5
+allocations, which are likely to fail when memory gets fragmented.
+
+Fixes: 783237e8daf13 ("net-tcp: Fast Open client - sending SYN-data")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Tested-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 3 ++-
+ net/ipv4/tcp.c | 8 +++++---
+ net/ipv4/tcp_output.c | 7 ++++++-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1312,7 +1312,8 @@ struct tcp_fastopen_request {
+ /* Fast Open cookie. Size 0 means a cookie request */
+ struct tcp_fastopen_cookie cookie;
+ struct msghdr *data; /* data in MSG_FASTOPEN */
+- u16 copied; /* queued in tcp_connect() */
++ size_t size;
++ int copied; /* queued in tcp_connect() */
+ };
+ void tcp_free_fastopen_req(struct tcp_sock *tp);
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1002,7 +1002,8 @@ void tcp_free_fastopen_req(struct tcp_so
+ }
+ }
+
+-static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, int *size)
++static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
++ int *copied, size_t size)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ int err, flags;
+@@ -1017,11 +1018,12 @@ static int tcp_sendmsg_fastopen(struct s
+ if (unlikely(tp->fastopen_req == NULL))
+ return -ENOBUFS;
+ tp->fastopen_req->data = msg;
++ tp->fastopen_req->size = size;
+
+ flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0;
+ err = __inet_stream_connect(sk->sk_socket, msg->msg_name,
+ msg->msg_namelen, flags);
+- *size = tp->fastopen_req->copied;
++ *copied = tp->fastopen_req->copied;
+ tcp_free_fastopen_req(tp);
+ return err;
+ }
+@@ -1041,7 +1043,7 @@ int tcp_sendmsg(struct kiocb *iocb, stru
+
+ flags = msg->msg_flags;
+ if (flags & MSG_FASTOPEN) {
+- err = tcp_sendmsg_fastopen(sk, msg, &copied_syn);
++ err = tcp_sendmsg_fastopen(sk, msg, &copied_syn, size);
+ if (err == -EINPROGRESS && copied_syn > 0)
+ goto out;
+ else if (err)
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2887,7 +2887,12 @@ static int tcp_send_syn_data(struct sock
+ space = __tcp_mtu_to_mss(sk, inet_csk(sk)->icsk_pmtu_cookie) -
+ MAX_TCP_OPTION_SPACE;
+
+- syn_data = skb_copy_expand(syn, skb_headroom(syn), space,
++ space = min_t(size_t, space, fo->size);
++
++ /* limit to order-0 allocations */
++ space = min_t(size_t, space, SKB_MAX_HEAD(MAX_TCP_HEADER));
++
++ syn_data = skb_copy_expand(syn, MAX_TCP_HEADER, space,
+ sk->sk_allocation);
+ if (syn_data == NULL)
+ goto fallback;
--- /dev/null
+From 04379dffdd4da820d51a1566ad2e86f3b1ad97ed Mon Sep 17 00:00:00 2001
+From: Alexandre Bounine <alexandre.bounine@idt.com>
+Date: Mon, 3 Mar 2014 15:38:36 -0800
+Subject: rapidio/tsi721: fix tasklet termination in dma channel release
+
+From: Alexandre Bounine <alexandre.bounine@idt.com>
+
+commit 04379dffdd4da820d51a1566ad2e86f3b1ad97ed upstream.
+
+This patch is a modification of the patch originally proposed by
+Xiaotian Feng <xtfeng@gmail.com>: https://lkml.org/lkml/2012/11/5/413
+This new version disables DMA channel interrupts and ensures that the
+tasklet wil not be scheduled again before calling tasklet_kill().
+
+Unfortunately the updated patch was not released at that time due to
+planned rework of Tsi721 mport driver to use threaded interrupts (which
+has yet to happen). Recently the issue was reported again:
+https://lkml.org/lkml/2014/2/19/762.
+
+Description from the original Xiaotian's patch:
+
+ "Some drivers use tasklet_disable in device remove/release process,
+ tasklet_disable will inc tasklet->count and return. If the tasklet is
+ not handled yet under some softirq pressure, the tasklet will be
+ placed on the tasklet_vec, never have a chance to be excuted. This
+ might lead to a heavy loaded ksoftirqd, wakeup with pending_softirq,
+ but tasklet is disabled. tasklet_kill should be used in this case."
+
+This patch is applicable to kernel versions starting from v3.5.
+
+Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Xiaotian Feng <xtfeng@gmail.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mike Galbraith <bitbucket@online.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rapidio/devices/tsi721.h | 1 +
+ drivers/rapidio/devices/tsi721_dma.c | 27 ++++++++++++++++++---------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/drivers/rapidio/devices/tsi721.h
++++ b/drivers/rapidio/devices/tsi721.h
+@@ -678,6 +678,7 @@ struct tsi721_bdma_chan {
+ struct list_head free_list;
+ dma_cookie_t completed_cookie;
+ struct tasklet_struct tasklet;
++ bool active;
+ };
+
+ #endif /* CONFIG_RAPIDIO_DMA_ENGINE */
+--- a/drivers/rapidio/devices/tsi721_dma.c
++++ b/drivers/rapidio/devices/tsi721_dma.c
+@@ -206,8 +206,8 @@ void tsi721_bdma_handler(struct tsi721_b
+ {
+ /* Disable BDMA channel interrupts */
+ iowrite32(0, bdma_chan->regs + TSI721_DMAC_INTE);
+-
+- tasklet_schedule(&bdma_chan->tasklet);
++ if (bdma_chan->active)
++ tasklet_schedule(&bdma_chan->tasklet);
+ }
+
+ #ifdef CONFIG_PCI_MSI
+@@ -562,7 +562,7 @@ static int tsi721_alloc_chan_resources(s
+ }
+ #endif /* CONFIG_PCI_MSI */
+
+- tasklet_enable(&bdma_chan->tasklet);
++ bdma_chan->active = true;
+ tsi721_bdma_interrupt_enable(bdma_chan, 1);
+
+ return bdma_chan->bd_num - 1;
+@@ -576,9 +576,7 @@ err_out:
+ static void tsi721_free_chan_resources(struct dma_chan *dchan)
+ {
+ struct tsi721_bdma_chan *bdma_chan = to_tsi721_chan(dchan);
+-#ifdef CONFIG_PCI_MSI
+ struct tsi721_device *priv = to_tsi721(dchan->device);
+-#endif
+ LIST_HEAD(list);
+
+ dev_dbg(dchan->device->dev, "%s: Entry\n", __func__);
+@@ -589,14 +587,25 @@ static void tsi721_free_chan_resources(s
+ BUG_ON(!list_empty(&bdma_chan->active_list));
+ BUG_ON(!list_empty(&bdma_chan->queue));
+
+- tasklet_disable(&bdma_chan->tasklet);
++ tsi721_bdma_interrupt_enable(bdma_chan, 0);
++ bdma_chan->active = false;
++
++#ifdef CONFIG_PCI_MSI
++ if (priv->flags & TSI721_USING_MSIX) {
++ synchronize_irq(priv->msix[TSI721_VECT_DMA0_DONE +
++ bdma_chan->id].vector);
++ synchronize_irq(priv->msix[TSI721_VECT_DMA0_INT +
++ bdma_chan->id].vector);
++ } else
++#endif
++ synchronize_irq(priv->pdev->irq);
++
++ tasklet_kill(&bdma_chan->tasklet);
+
+ spin_lock_bh(&bdma_chan->lock);
+ list_splice_init(&bdma_chan->free_list, &list);
+ spin_unlock_bh(&bdma_chan->lock);
+
+- tsi721_bdma_interrupt_enable(bdma_chan, 0);
+-
+ #ifdef CONFIG_PCI_MSI
+ if (priv->flags & TSI721_USING_MSIX) {
+ free_irq(priv->msix[TSI721_VECT_DMA0_DONE +
+@@ -790,6 +799,7 @@ int tsi721_register_dma(struct tsi721_de
+ bdma_chan->dchan.cookie = 1;
+ bdma_chan->dchan.chan_id = i;
+ bdma_chan->id = i;
++ bdma_chan->active = false;
+
+ spin_lock_init(&bdma_chan->lock);
+
+@@ -799,7 +809,6 @@ int tsi721_register_dma(struct tsi721_de
+
+ tasklet_init(&bdma_chan->tasklet, tsi721_dma_tasklet,
+ (unsigned long)bdma_chan);
+- tasklet_disable(&bdma_chan->tasklet);
+ list_add_tail(&bdma_chan->dchan.device_node,
+ &mport->dma.channels);
+ }
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Date: Wed, 26 Feb 2014 21:43:42 +0900
+Subject: sch_tbf: Fix potential memory leak in tbf_change().
+
+From: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+
+[ Upstream commit 724b9e1d75ab3401aaa081bd4efb440c1b3509db ]
+
+The allocated child qdisc is not freed in error conditions.
+Defer the allocation after user configuration turns out to be
+valid and acceptable.
+
+Fixes: cc106e441a63b ("net: sched: tbf: fix the calculation of max_size")
+Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_tbf.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/net/sched/sch_tbf.c
++++ b/net/sched/sch_tbf.c
+@@ -332,18 +332,6 @@ static int tbf_change(struct Qdisc *sch,
+ qdisc_put_rtab(qdisc_get_rtab(&qopt->peakrate,
+ tb[TCA_TBF_PTAB]));
+
+- if (q->qdisc != &noop_qdisc) {
+- err = fifo_set_limit(q->qdisc, qopt->limit);
+- if (err)
+- goto done;
+- } else if (qopt->limit > 0) {
+- child = fifo_create_dflt(sch, &bfifo_qdisc_ops, qopt->limit);
+- if (IS_ERR(child)) {
+- err = PTR_ERR(child);
+- goto done;
+- }
+- }
+-
+ buffer = min_t(u64, PSCHED_TICKS2NS(qopt->buffer), ~0U);
+ mtu = min_t(u64, PSCHED_TICKS2NS(qopt->mtu), ~0U);
+
+@@ -377,6 +365,18 @@ static int tbf_change(struct Qdisc *sch,
+ goto done;
+ }
+
++ if (q->qdisc != &noop_qdisc) {
++ err = fifo_set_limit(q->qdisc, qopt->limit);
++ if (err)
++ goto done;
++ } else if (qopt->limit > 0) {
++ child = fifo_create_dflt(sch, &bfifo_qdisc_ops, qopt->limit);
++ if (IS_ERR(child)) {
++ err = PTR_ERR(child);
++ goto done;
++ }
++ }
++
+ sch_tree_lock(sch);
+ if (child) {
+ qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
--- /dev/null
+From 791c9e0292671a3bfa95286bb5c08129d8605618 Mon Sep 17 00:00:00 2001
+From: George McCollister <george.mccollister@gmail.com>
+Date: Tue, 18 Feb 2014 17:56:51 -0600
+Subject: sched: Fix double normalization of vruntime
+
+From: George McCollister <george.mccollister@gmail.com>
+
+commit 791c9e0292671a3bfa95286bb5c08129d8605618 upstream.
+
+dequeue_entity() is called when p->on_rq and sets se->on_rq = 0
+which appears to guarentee that the !se->on_rq condition is met.
+If the task has done set_current_state(TASK_INTERRUPTIBLE) without
+schedule() the second condition will be met and vruntime will be
+incorrectly adjusted twice.
+
+In certain cases this can result in the task's vruntime never increasing
+past the vruntime of other tasks on the CFS' run queue, starving them of
+CPU time.
+
+This patch changes switched_from_fair() to use !p->on_rq instead of
+!se->on_rq.
+
+I'm able to cause a task with a priority of 120 to starve all other
+tasks with the same priority on an ARM platform running 3.2.51-rt72
+PREEMPT RT by writing one character at time to a serial tty (16550 UART)
+in a tight loop. I'm also able to verify making this change corrects the
+problem on that platform and kernel version.
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1392767811-28916-1-git-send-email-george.mccollister@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7012,15 +7012,15 @@ static void switched_from_fair(struct rq
+ struct cfs_rq *cfs_rq = cfs_rq_of(se);
+
+ /*
+- * Ensure the task's vruntime is normalized, so that when its
++ * Ensure the task's vruntime is normalized, so that when it's
+ * switched back to the fair class the enqueue_entity(.flags=0) will
+ * do the right thing.
+ *
+- * If it was on_rq, then the dequeue_entity(.flags=0) will already
+- * have normalized the vruntime, if it was !on_rq, then only when
++ * If it's on_rq, then the dequeue_entity(.flags=0) will already
++ * have normalized the vruntime, if it's !on_rq, then only when
+ * the task is sleeping will it still have non-normalized vruntime.
+ */
+- if (!se->on_rq && p->state != TASK_RUNNING) {
++ if (!p->on_rq && p->state != TASK_RUNNING) {
+ /*
+ * Fix up our vruntime so that the current sleep doesn't
+ * cause 'unlimited' sleep bonus.
ocfs2-fix-quota-file-corruption.patch
ocfs2-syncs-the-wrong-range.patch
memcg-fix-endless-loop-in-__mem_cgroup_iter_next.patch
+sched-fix-double-normalization-of-vruntime.patch
+rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch
+veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch
+tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch
+net-tcp-fastopen-fix-high-order-allocations.patch
+neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch
+virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch
+ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch
+ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch
+sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch
+sch_tbf-fix-potential-memory-leak-in-tbf_change.patch
+ipv6-ipv6_find_hdr-restore-prev-functionality.patch
+tg3-don-t-check-undefined-error-bits-in-rxbd.patch
+ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch
+net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch
+macvlan-add-support-for-always_on-offload-features.patch
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Edward Cree <ecree@solarflare.com>
+Date: Tue, 25 Feb 2014 13:17:59 +0000
+Subject: sfc: check for NULL efx->ptp_data in efx_ptp_event
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit 8f355e5cee63c2c0c145d8206c4245d0189f47ff ]
+
+If we receive a PTP event from the NIC when we haven't set up PTP state
+in the driver, we attempt to read through a NULL pointer efx->ptp_data,
+triggering a panic.
+
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Acked-by: Shradha Shah <sshah@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ptp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/ptp.c
++++ b/drivers/net/ethernet/sfc/ptp.c
+@@ -1360,6 +1360,13 @@ void efx_ptp_event(struct efx_nic *efx,
+ struct efx_ptp_data *ptp = efx->ptp_data;
+ int code = EFX_QWORD_FIELD(*ev, MCDI_EVENT_CODE);
+
++ if (!ptp) {
++ if (net_ratelimit())
++ netif_warn(efx, drv, efx->net_dev,
++ "Received PTP event but PTP not set up\n");
++ return;
++ }
++
+ if (!ptp->enabled)
+ return;
+
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Michael Chan <mchan@broadcom.com>
+Date: Fri, 28 Feb 2014 15:05:10 -0800
+Subject: tg3: Don't check undefined error bits in RXBD
+
+From: Michael Chan <mchan@broadcom.com>
+
+[ Upstream commit d7b95315cc7f441418845a165ee56df723941487 ]
+
+Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes
+a customer reported issue of randomly dropping packets on the 5719.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 +--
+ drivers/net/ethernet/broadcom/tg3.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -6827,8 +6827,7 @@ static int tg3_rx(struct tg3_napi *tnapi
+
+ work_mask |= opaque_key;
+
+- if ((desc->err_vlan & RXD_ERR_MASK) != 0 &&
+- (desc->err_vlan != RXD_ERR_ODD_NIBBLE_RCVD_MII)) {
++ if (desc->err_vlan & RXD_ERR_MASK) {
+ drop_it:
+ tg3_recycle_rx(tnapi, tpr, opaque_key,
+ desc_idx, *post_ptr);
+--- a/drivers/net/ethernet/broadcom/tg3.h
++++ b/drivers/net/ethernet/broadcom/tg3.h
+@@ -2601,7 +2601,11 @@ struct tg3_rx_buffer_desc {
+ #define RXD_ERR_TOO_SMALL 0x00400000
+ #define RXD_ERR_NO_RESOURCES 0x00800000
+ #define RXD_ERR_HUGE_FRAME 0x01000000
+-#define RXD_ERR_MASK 0xffff0000
++
++#define RXD_ERR_MASK (RXD_ERR_BAD_CRC | RXD_ERR_COLLISION | \
++ RXD_ERR_LINK_LOST | RXD_ERR_PHY_DECODE | \
++ RXD_ERR_MAC_ABRT | RXD_ERR_TOO_SMALL | \
++ RXD_ERR_NO_RESOURCES | RXD_ERR_HUGE_FRAME)
+
+ u32 reserved;
+ u32 opaque;
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
+Date: Tue, 18 Feb 2014 21:20:09 +0900
+Subject: tun: remove bogus hardware vlan acceleration flags from vlan_features
+
+From: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
+
+[ Upstream commit 6671b2240c54585d4afb5286a29f1569fe5e40a8 ]
+
+Even though only the outer vlan tag can be HW accelerated in the transmission
+path, in the TUN/TAP driver vlan_features mirrors hw_features, which happens
+to have the NETIF_F_HW_VLAN_?TAG_TX flags set. Because of this, during packet
+tranmisssion through a stacked vlan device dev_hard_start_xmit, (incorrectly)
+assuming that the vlan device supports hardware vlan acceleration, does not
+add the vlan header to the skb payload and the inner vlan tags are lost
+(vlan_tci contains the outer vlan tag when userspace reads the packet from
+the tap device).
+
+Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1651,7 +1651,9 @@ static int tun_set_iff(struct net *net,
+ TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_STAG_TX;
+ dev->features = dev->hw_features;
+- dev->vlan_features = dev->features;
++ dev->vlan_features = dev->features &
++ ~(NETIF_F_HW_VLAN_CTAG_TX |
++ NETIF_F_HW_VLAN_STAG_TX);
+
+ INIT_LIST_HEAD(&tun->disabled);
+ err = tun_attach(tun, file, false);
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 18 Feb 2014 21:20:08 +0900
+Subject: veth: Fix vlan_features so as to be able to use stacked vlan interfaces
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit 8d0d21f4053c07714802cbe8b1fe26913ec296cc ]
+
+Even if we create a stacked vlan interface such as veth0.10.20, it sends
+single tagged frames (tagged with only vid 10).
+Because vlan_features of a veth interface has the
+NETIF_F_HW_VLAN_[CTAG/STAG]_TX bits, veth0.10 also has that feature, so
+dev_hard_start_xmit(veth0.10) doesn't call __vlan_put_tag() and
+vlan_dev_hard_start_xmit(veth0.10) overwrites vlan_tci.
+This prevents us from using a combination of 802.1ad and 802.1Q
+in containers, etc.
+
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Acked-by: Flavio Leitner <fbl@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/veth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -285,7 +285,8 @@ static void veth_setup(struct net_device
+ dev->ethtool_ops = &veth_ethtool_ops;
+ dev->features |= NETIF_F_LLTX;
+ dev->features |= VETH_FEATURES;
+- dev->vlan_features = dev->features;
++ dev->vlan_features = dev->features &
++ ~(NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX);
+ dev->destructor = veth_dev_free;
+
+ dev->hw_features = VETH_FEATURES;
--- /dev/null
+From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 21 Feb 2014 13:08:04 +0800
+Subject: virtio-net: alloc big buffers also when guest can receive UFO
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 0e7ede80d929ff0f830c44a543daa1acd590c749 ]
+
+We should alloc big buffers also when guest can receive UFO
+packets to let the big packets fit into guest rx buffer.
+
+Fixes 5c5167515d80f78f6bb538492c423adcae31ad65
+(virtio-net: Allow UFO feature to be set and advertised.)
+
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1645,7 +1645,8 @@ static int virtnet_probe(struct virtio_d
+ /* If we can receive ANY GSO packets, we must allocate large ones. */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
+ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) ||
+- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN))
++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) ||
++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO))
+ vi->big_packets = true;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF))
projects / thirdparty / kernel / stable-queue.git / commitdiff
