--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Wed, 9 Apr 2014 12:52:59 +0200
+Subject: bonding: Remove debug_fs files when module init fails
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+[ Upstream commit db29868653394937037d71dc3545768302dda643 ]
+
+Remove the bonding debug_fs entries when the
+module initialization fails. The debug_fs
+entries should be removed together with all other
+already allocated resources.
+
+Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Signed-off-by: Jay Vosburgh <j.vosburgh@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4995,6 +4995,7 @@ static int __init bonding_init(void)
+ out:
+ return res;
+ err:
++ bond_destroy_debugfs();
+ rtnl_link_unregister(&bond_link_ops);
+ err_link:
+ unregister_pernet_subsys(&bond_net_ops);
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Wed, 9 Apr 2014 17:00:30 +0900
+Subject: bridge: Fix double free and memory leak around br_allowed_ingress
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit eb7076182d1ae4bc4641534134ed707100d76acc ]
+
+br_allowed_ingress() has two problems.
+
+1. If br_allowed_ingress() is called by br_handle_frame_finish() and
+vlan_untag() in br_allowed_ingress() fails, skb will be freed by both
+vlan_untag() and br_handle_frame_finish().
+
+2. If br_allowed_ingress() is called by br_dev_xmit() and
+br_allowed_ingress() fails, the skb will not be freed.
+
+Fix these two problems by freeing the skb in br_allowed_ingress()
+if it fails.
+
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_input.c | 2 +-
+ net/bridge/br_vlan.c | 7 ++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -71,7 +71,7 @@ int br_handle_frame_finish(struct sk_buf
+ goto drop;
+
+ if (!br_allowed_ingress(p->br, nbp_get_vlan_info(p), skb, &vid))
+- goto drop;
++ goto out;
+
+ /* insert into forwarding database after filtering to avoid spoofing */
+ br = p->br;
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -202,7 +202,7 @@ bool br_allowed_ingress(struct net_bridg
+ * rejected.
+ */
+ if (!v)
+- return false;
++ goto drop;
+
+ if (br_vlan_get_tag(skb, vid)) {
+ u16 pvid = br_get_pvid(v);
+@@ -212,7 +212,7 @@ bool br_allowed_ingress(struct net_bridg
+ * traffic belongs to.
+ */
+ if (pvid == VLAN_N_VID)
+- return false;
++ goto drop;
+
+ /* PVID is set on this port. Any untagged ingress
+ * frame is considered to belong to this vlan.
+@@ -224,7 +224,8 @@ bool br_allowed_ingress(struct net_bridg
+ /* Frame had a valid vlan tag. See if vlan is allowed */
+ if (test_bit(*vid, v->vlan_bitmap))
+ return true;
+-
++drop:
++ kfree_skb(skb);
+ return false;
+ }
+
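Review bot: br_allowed_ingress() now frees `skb` on every path that reaches `drop:`, but nothing on the function says that a false return means the buffer is gone. Each caller has to stop touching skb after a false return, as the br_input.c hunk does by switching to `goto out`; a caller that still frees it would double free. I would add a comment above the function such as `/* Returns false and frees skb if the frame is not allowed */`. Per the commit description vlan_untag() frees skb itself on failure, so that path must keep returning without passing through `drop:`; it lies outside the hunks shown.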
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Fri, 25 Apr 2014 17:01:18 +0900
+Subject: bridge: Handle IFLA_ADDRESS correctly when creating bridge device
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit 30313a3d5794472c3548d7288e306a5492030370 ]
+
+When bridge device is created with IFLA_ADDRESS, we are not calling
+br_stp_change_bridge_id(), which leads to incorrect local fdb
+management and bridge id calculation, and prevents us from receiving
+frames on the bridge device.
+
+Reported-by: Tom Gundersen <teg@jklm.no>
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netlink.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -438,6 +438,20 @@ static int br_validate(struct nlattr *tb
+ return 0;
+ }
+
++static int br_dev_newlink(struct net *src_net, struct net_device *dev,
++ struct nlattr *tb[], struct nlattr *data[])
++{
++ struct net_bridge *br = netdev_priv(dev);
++
++ if (tb[IFLA_ADDRESS]) {
++ spin_lock_bh(&br->lock);
++ br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
++ spin_unlock_bh(&br->lock);
++ }
++
++ return register_netdevice(dev);
++}
++
+ static size_t br_get_link_af_size(const struct net_device *dev)
+ {
+ struct net_port_vlans *pv;
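Review bot: br_dev_newlink() passes `nla_data(tb[IFLA_ADDRESS])` to br_stp_change_bridge_id() without looking at the attribute's length. Presumably br_validate(), whose tail is the context just above, has already checked that the payload is a complete, valid Ethernet address, but its body is outside the hunk. If that holds, a comment such as `/* IFLA_ADDRESS length and validity were checked in br_validate() */` would tie the two together, so that a later change to the validator does not silently turn this into a short read.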
+@@ -466,6 +480,7 @@ struct rtnl_link_ops br_link_ops __read_
+ .priv_size = sizeof(struct net_bridge),
+ .setup = br_dev_setup,
+ .validate = br_validate,
++ .newlink = br_dev_newlink,
+ .dellink = br_dev_delete,
+ };
+
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: filter: prevent nla extensions to peek beyond the end of the message
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ]
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nla
+ | ret a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld #0
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -355,6 +355,8 @@ load_b:
+
+ if (skb_is_nonlinear(skb))
+ return 0;
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
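Review bot: The added `skb->len < sizeof(struct nlattr)` test has no comment saying that it exists to keep the subtraction on the next line from wrapping. Both operands are unsigned, so without the guard `skb->len - sizeof(struct nlattr)` becomes a very large value for short messages and the offset check passes. I would add `/* unsigned: check the length before subtracting the header size */` here and at the identical pair in the second hunk of this file, or fold both tests into one small helper shared by the two cases. The enclosing case starts outside the hunk.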
+@@ -371,11 +373,13 @@ load_b:
+
+ if (skb_is_nonlinear(skb))
+ return 0;
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
+ nla = (struct nlattr *)&skb->data[A];
+- if (nla->nla_len > A - skb->len)
++ if (nla->nla_len > skb->len - A)
+ return 0;
+
+ nla = nla_find_nested(nla, X);
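Review bot: The corrected test `nla->nla_len > skb->len - A` bounds the attribute from above only; no lower bound on `nla->nla_len` is visible before nla_find_nested() is called. A value smaller than the attribute header would give a negative payload length to the nested search. That is presumably rejected by the attribute walker, but that code is outside the hunk and worth confirming. If it is not, `if (nla->nla_len < sizeof(struct nlattr) || nla->nla_len > skb->len - A)` would close the gap.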
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 11 Apr 2014 15:51:18 +0200
+Subject: gre: don't allow to add the same tunnel twice
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 5a4552752d8f7f4cef1d98775ece7adb7616fde2 ]
+
+Before the patch, it was possible to add two times the same tunnel:
+ip l a gre1 type gre remote 10.16.0.121 local 10.16.0.249
+ip l a gre2 type gre remote 10.16.0.121 local 10.16.0.249
+
+It was possible, because ip_tunnel_newlink() calls ip_tunnel_find() with the
+argument dev->type, which was set only later (when calling ndo_init handler
+in register_netdevice()). Let's set this type in the setup handler, which is
+called before newlink handler.
+
+Introduced by commit c54419321455 ("GRE: Refactor GRE tunneling code.").
+
+CC: Pravin B Shelar <pshelar@nicira.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -652,6 +652,7 @@ static const struct net_device_ops ipgre
+ static void ipgre_tunnel_setup(struct net_device *dev)
+ {
+ dev->netdev_ops = &ipgre_netdev_ops;
++ dev->type = ARPHRD_IPGRE;
+ ip_tunnel_setup(dev, ipgre_net_id);
+ }
+
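Review bot: `dev->type = ARPHRD_IPGRE;` in ipgre_tunnel_setup carries no hint that its position matters. Per the commit description, ip_tunnel_newlink() passes dev->type to ip_tunnel_find() before the ndo_init handler runs, so moving the assignment back into ipgre_tunnel_init would quietly bring back duplicate tunnels. I would add `/* set before newlink: ip_tunnel_find() matches on dev->type */` above it. Whether the other setup handlers in this file need the same assignment is not visible in the hunk.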
+@@ -690,7 +691,6 @@ static int ipgre_tunnel_init(struct net_
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->type = ARPHRD_IPGRE;
+ dev->flags = IFF_NOARP;
+ dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
+ dev->addr_len = 4;
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Mon, 14 Apr 2014 17:11:38 +0200
+Subject: ip6_gre: don't allow to remove the fb_tunnel_dev
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 54d63f787b652755e66eb4dd8892ee6d3f5197fc ]
+
+It's possible to remove the FB tunnel with the command 'ip link del ip6gre0' but
+this is unsafe, the module always supposes that this device exists. For example,
+ip6gre_tunnel_lookup() may use it unconditionally.
+
+Let's add a rtnl handler for dellink, which will never remove the FB tunnel (we
+let ip6gre_destroy_tunnels() do the job).
+
+Introduced by commit c12b395a4664 ("gre: Support GRE over IPv6").
+
+CC: Dmitry Kozlov <xeb@mail.ru>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1549,6 +1549,15 @@ static int ip6gre_changelink(struct net_
+ return 0;
+ }
+
++static void ip6gre_dellink(struct net_device *dev, struct list_head *head)
++{
++ struct net *net = dev_net(dev);
++ struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
++
++ if (dev != ign->fb_tunnel_dev)
++ unregister_netdevice_queue(dev, head);
++}
++
+ static size_t ip6gre_get_size(const struct net_device *dev)
+ {
+ return
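Review bot: ip6gre_dellink() returns without doing anything when `dev` is the fallback device, and because the handler is void the requester is not told that the delete was refused. A short comment on the function would mark that as deliberate, for example `/* the fallback device is only removed by ip6gre_destroy_tunnels() */`. Without it the bare `if (dev != ign->fb_tunnel_dev)` reads like an incomplete branch.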
+@@ -1626,6 +1635,7 @@ static struct rtnl_link_ops ip6gre_link_
+ .validate = ip6gre_tunnel_validate,
+ .newlink = ip6gre_newlink,
+ .changelink = ip6gre_changelink,
++ .dellink = ip6gre_dellink,
+ .get_size = ip6gre_get_size,
+ .fill_info = ip6gre_fill_info,
+ };
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Susant Sahani <susant@redhat.com>
+Date: Sat, 10 May 2014 00:11:32 +0530
+Subject: ip6_tunnel: fix potential NULL pointer dereference
+
+From: Susant Sahani <susant@redhat.com>
+
+[ Upstream commit c8965932a2e3b70197ec02c6741c29460279e2a8 ]
+
+The function ip6_tnl_validate assumes that the rtnl
+attribute IFLA_IPTUN_PROTO always be filled . If this
+attribute is not filled by the userspace application
+kernel get crashed with NULL pointer dereference. This
+patch fixes the potential kernel crash when
+IFLA_IPTUN_PROTO is missing .
+
+Signed-off-by: Susant Sahani <susant@redhat.com>
+Acked-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1531,7 +1531,7 @@ static int ip6_tnl_validate(struct nlatt
+ {
+ u8 proto;
+
+- if (!data)
++ if (!data || !data[IFLA_IPTUN_PROTO])
+ return 0;
+
+ proto = nla_get_u8(data[IFLA_IPTUN_PROTO]);
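Review bot: Returning 0 when `data[IFLA_IPTUN_PROTO]` is absent accepts the request without any protocol check, so whatever consumes the attributes afterwards has to cope with the attribute being missing; that code is outside the hunk. A one-line comment above the test would record the intent, for example `/* no proto attribute supplied: nothing to validate here */`. Any other place in this file that reads `data[...]` through nla_get_*() without a presence test would have the same problem and is worth checking. ip6_tnl_validate continues past the hunk.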
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Sergey Popovich <popovich_sergei@mail.ru>
+Date: Tue, 6 May 2014 18:23:08 +0300
+Subject: ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation
+
+From: Sergey Popovich <popovich_sergei@mail.ru>
+
+[ Upstream commit aeefa1ecfc799b0ea2c4979617f14cecd5cccbfd ]
+
+Increment fib_info_cnt in fib_create_info() right after successfuly
+alllocating fib_info structure, overwise fib_metrics allocation failure
+leads to fib_info_cnt incorrectly decremented in free_fib_info(), called
+on error path from fib_create_info().
+
+Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -818,13 +818,13 @@ struct fib_info *fib_create_info(struct
+ fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
+ if (fi == NULL)
+ goto failure;
++ fib_info_cnt++;
+ if (cfg->fc_mx) {
+ fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
+ if (!fi->fib_metrics)
+ goto failure;
+ } else
+ fi->fib_metrics = (u32 *) dst_default_metrics;
+- fib_info_cnt++;
+
+ fi->fib_net = hold_net(net);
+ fi->fib_protocol = cfg->fc_protocol;
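Review bot: Nothing at the moved `fib_info_cnt++` says why it has to sit directly after the allocation check. Per the commit description, free_fib_info() on the failure path decrements the counter, so any `goto failure` placed between the kzalloc test and the increment would reintroduce the imbalance. A comment such as `/* counted here: free_fib_info() on the failure path decrements */` would keep the ordering from being undone. fib_create_info starts and ends outside the hunk.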
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Li RongQing <roy.qing.li@gmail.com>
+Date: Thu, 22 May 2014 16:36:55 +0800
+Subject: ipv4: initialise the itag variable in __mkroute_input
+
+From: Li RongQing <roy.qing.li@gmail.com>
+
+[ Upstream commit fbdc0ad095c0a299e9abf5d8ac8f58374951149a ]
+
+the value of itag is a random value from stack, and may not be initiated by
+fib_validate_source, which called fib_combine_itag if CONFIG_IP_ROUTE_CLASSID
+is not set
+
+This will make the cached dst uncertainty
+
+Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
+Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1478,7 +1478,7 @@ static int __mkroute_input(struct sk_buf
+ struct in_device *out_dev;
+ unsigned int flags = 0;
+ bool do_cache;
+- u32 itag;
++ u32 itag = 0;
+
+ /* get a working reference to the output device */
+ out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res));
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 13 Apr 2014 18:08:02 +0300
+Subject: ipv4: return valid RTA_IIF on ip route get
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 91146153da2feab18efab2e13b0945b6bb704ded ]
+
+Extend commit 13378cad02afc2adc6c0e07fca03903c7ada0b37
+("ipv4: Change rt->rt_iif encoding.") from 3.6 to return valid
+RTA_IIF on 'ip route get ... iif DEVICE' instead of rt_iif 0
+which is displayed as 'iif *'.
+
+inet_iif is not appropriate to use because skb_iif is not set.
+Use the skb->dev->ifindex instead.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2306,7 +2306,7 @@ static int rt_fill_info(struct net *net,
+ }
+ } else
+ #endif
+- if (nla_put_u32(skb, RTA_IIF, rt->rt_iif))
++ if (nla_put_u32(skb, RTA_IIF, skb->dev->ifindex))
+ goto nla_put_failure;
+ }
+
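Review bot: `skb->dev->ifindex` dereferences skb->dev with no NULL test, where the replaced `rt->rt_iif` read needed none. This branch appears to be reached only for input routes, and presumably the caller assigns skb->dev whenever an input interface was given, but that assignment is outside the hunk. If every caller guarantees it, a comment such as `/* skb->dev is set by the caller for input routes */` would record the dependency; if not, the value needs a guard before the nla_put_u32() call.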
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Kumar Sundararajan <kumar@fb.com>
+Date: Thu, 24 Apr 2014 09:48:53 -0400
+Subject: ipv6: fib: fix fib dump restart
+
+From: Kumar Sundararajan <kumar@fb.com>
+
+[ Upstream commit 1c2658545816088477e91860c3a645053719cb54 ]
+
+When the ipv6 fib changes during a table dump, the walk is
+restarted and the number of nodes dumped are skipped. But the existing
+code doesn't advance to the next node after a node is skipped. This can
+cause the dump to loop or produce lots of duplicates when the fib
+is modified during the dump.
+
+This change advances the walk to the next node if the current node is
+skipped after a restart.
+
+Signed-off-by: Kumar Sundararajan <kumar@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1418,7 +1418,7 @@ static int fib6_walk_continue(struct fib
+
+ if (w->skip) {
+ w->skip--;
+- continue;
++ goto skip;
+ }
+
+ err = w->func(w);
+@@ -1428,6 +1428,7 @@ static int fib6_walk_continue(struct fib
+ w->count++;
+ continue;
+ }
++skip:
+ w->state = FWS_U;
+ case FWS_U:
+ if (fn == w->root)
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Apr 2014 21:23:36 -0700
+Subject: ipv6: Limit mtu to 65575 bytes
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 30f78d8ebf7f514801e71b88a10c948275168518 ]
+
+Francois reported that setting big mtu on loopback device could prevent
+tcp sessions making progress.
+
+We do not support (yet ?) IPv6 Jumbograms and cook corrupted packets.
+
+We must limit the IPv6 MTU to (65535 + 40) bytes in theory.
+
+Tested:
+
+ifconfig lo mtu 70000
+netperf -H ::1
+
+Before patch : Throughput : 0.05 Mbits
+
+After patch : Throughput : 35484 Mbits
+
+Reported-by: Francois WELLENREITER <f.wellenreiter@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_route.h | 5 +++++
+ net/ipv6/route.c | 5 +++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -32,6 +32,11 @@ struct route_info {
+ #define RT6_LOOKUP_F_SRCPREF_PUBLIC 0x00000010
+ #define RT6_LOOKUP_F_SRCPREF_COA 0x00000020
+
++/* We do not (yet ?) support IPv6 jumbograms (RFC 2675)
++ * Unlike IPv4, hdr->seg_len doesn't include the IPv6 header
++ */
++#define IP6_MAX_MTU (0xFFFF + sizeof(struct ipv6hdr))
++
+ /*
+ * rt6_srcprefs2flags() and rt6_flags2srcprefs() translate
+ * between IPV6_ADDR_PREFERENCES socket option values
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1236,7 +1236,7 @@ static unsigned int ip6_mtu(const struct
+ unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
+
+ if (mtu)
+- return mtu;
++ goto out;
+
+ mtu = IPV6_MIN_MTU;
+
+@@ -1246,7 +1246,8 @@ static unsigned int ip6_mtu(const struct
+ mtu = idev->cnf.mtu6;
+ rcu_read_unlock();
+
+- return mtu;
++out:
++ return min_t(unsigned int, mtu, IP6_MAX_MTU);
+ }
+
+ static struct dst_entry *icmp6_dst_gc_list;
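Review bot: The clamp to IP6_MAX_MTU is applied only at the exit of ip6_mtu(), so any other reader of `idev->cnf.mtu6` or of the device MTU is not bounded by this change; whether such readers exist is not visible in the hunks. IP6_MAX_MTU also expands to a size_t expression because of the `sizeof`, which is why `min_t(unsigned int, ...)` is needed here. A cast inside the macro, `((unsigned int)(0xFFFF + sizeof(struct ipv6hdr)))`, would spare later users a mixed-type comparison.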
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Dmitry Petukhov <dmgenp@gmail.com>
+Date: Wed, 9 Apr 2014 02:23:20 +0600
+Subject: l2tp: take PMTU from tunnel UDP socket
+
+From: Dmitry Petukhov <dmgenp@gmail.com>
+
+[ Upstream commit f34c4a35d87949fbb0e0f31eba3c054e9f8199ba ]
+
+When l2tp driver tries to get PMTU for the tunnel destination, it uses
+the pointer to struct sock that represents PPPoX socket, while it
+should use the pointer that represents UDP socket of the tunnel.
+
+Signed-off-by: Dmitry Petukhov <dmgenp@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -754,9 +754,9 @@ static int pppol2tp_connect(struct socke
+ session->deref = pppol2tp_session_sock_put;
+
+ /* If PMTU discovery was enabled, use the MTU that was discovered */
+- dst = sk_dst_get(sk);
++ dst = sk_dst_get(tunnel->sock);
+ if (dst != NULL) {
+- u32 pmtu = dst_mtu(__sk_dst_get(sk));
++ u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock));
+ if (pmtu != 0)
+ session->mtu = session->mru = pmtu -
+ PPPOL2TP_HEADER_OVERHEAD;
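Review bot: Inside the `if (dst != NULL)` block the new line looks the route up a second time with `__sk_dst_get(tunnel->sock)` instead of using the referenced `dst` that was just tested. The second lookup takes no reference and could return a different entry, or NULL, if the socket's cached route changes in between, and dst_mtu() would then dereference it. `u32 pmtu = dst_mtu(dst);` uses the entry that is actually held. Separately, `pmtu - PPPOL2TP_HEADER_OVERHEAD` is unsigned and guarded only by `pmtu != 0`, so a path MTU below the overhead would wrap; that predates this change. pppol2tp_connect continues outside the hunk.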
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 12 Nov 2013 15:10:01 -0800
+Subject: list: introduce list_next_entry() and list_prev_entry()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+[ Upstream commit 008208c6b26f21c2648c250a09c55e737c02c5f8 ]
+
+Add two trivial helpers list_next_entry() and list_prev_entry(), they
+can have a lot of users including list.h itself. In fact the 1st one is
+already defined in events/core.c and bnx2x_sp.c, so the patch simply
+moves the definition to list.h.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Eilon Greenstein <eilong@broadcom.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 3 ---
+ include/linux/list.h | 16 ++++++++++++++++
+ kernel/events/core.c | 3 ---
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
+@@ -1038,9 +1038,6 @@ static void bnx2x_set_one_vlan_mac_e1h(s
+ ETH_VLAN_FILTER_CLASSIFY, config);
+ }
+
+-#define list_next_entry(pos, member) \
+- list_entry((pos)->member.next, typeof(*(pos)), member)
+-
+ /**
+ * bnx2x_vlan_mac_restore - reconfigure next MAC/VLAN/VLAN-MAC element
+ *
+--- a/include/linux/list.h
++++ b/include/linux/list.h
+@@ -373,6 +373,22 @@ static inline void list_splice_tail_init
+ (!list_empty(ptr) ? list_first_entry(ptr, type, member) : NULL)
+
+ /**
++ * list_next_entry - get the next element in list
++ * @pos: the type * to cursor
++ * @member: the name of the list_struct within the struct.
++ */
++#define list_next_entry(pos, member) \
++ list_entry((pos)->member.next, typeof(*(pos)), member)
++
++/**
++ * list_prev_entry - get the prev element in list
++ * @pos: the type * to cursor
++ * @member: the name of the list_struct within the struct.
++ */
++#define list_prev_entry(pos, member) \
++ list_entry((pos)->member.prev, typeof(*(pos)), member)
++
++/**
+ * list_for_each - iterate over a list
+ * @pos: the &struct list_head to use as a loop cursor.
+ * @head: the head for your list.
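Review bot: The kernel-doc for list_next_entry and list_prev_entry does not say what happens at the ends of the list. Both macros apply list_entry() to whatever `next` or `prev` points at, so on the last (or first) element they return a pointer computed from the list head, which is not a valid entry. I would add a line to each comment, e.g. ` * Does not check for the list head; the caller must.`, and reword `@pos: the type * to cursor` as `@pos: the type * to use as a cursor`.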
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2016,9 +2016,6 @@ static void __perf_event_sync_stat(struc
+ perf_event_update_userpage(next_event);
+ }
+
+-#define list_next_entry(pos, member) \
+- list_entry(pos->member.next, typeof(*pos), member)
+-
+ static void perf_event_sync_stat(struct perf_event_context *ctx,
+ struct perf_event_context *next_ctx)
+ {
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Peter Christensen <pch@ordbogen.com>
+Date: Thu, 8 May 2014 11:15:37 +0200
+Subject: macvlan: Don't propagate IFF_ALLMULTI changes on down interfaces.
+
+From: Peter Christensen <pch@ordbogen.com>
+
+[ Upstream commit bbeb0eadcf9fe74fb2b9b1a6fea82cd538b1e556 ]
+
+Clearing the IFF_ALLMULTI flag on a down interface could cause an allmulti
+overflow on the underlying interface.
+
+Attempting the set IFF_ALLMULTI on the underlying interface would cause an
+error and the log message:
+
+"allmulti touches root, set allmulti failed."
+
+Signed-off-by: Peter Christensen <pch@ordbogen.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -420,8 +420,10 @@ static void macvlan_change_rx_flags(stru
+ struct macvlan_dev *vlan = netdev_priv(dev);
+ struct net_device *lowerdev = vlan->lowerdev;
+
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
++ }
+ }
+
+ static void macvlan_set_mac_lists(struct net_device *dev)
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 9 May 2014 14:45:00 +0200
+Subject: net: cdc_mbim: handle unaccelerated VLAN tagged frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 6b5eeb7f874b689403e52a646e485d0191ab9507 ]
+
+This driver maps 802.1q VLANs to MBIM sessions. The mapping is based on
+a bogus assumption that all tagged frames will use the acceleration API
+because we enable NETIF_F_HW_VLAN_CTAG_TX. This fails for e.g. frames
+tagged in userspace using packet sockets. Such frames will erroneously
+be considered as untagged and silently dropped based on not being IP.
+
+Fix by falling back to looking into the ethernet header for a tag if no
+accelerated tag was found.
+
+Fixes: a82c7ce5bc5b ("net: cdc_ncm: map MBIM IPS SessionID to VLAN ID")
+Cc: Greg Suarez <gsuarez@smithmicro.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_mbim.c | 39 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -120,6 +120,16 @@ static void cdc_mbim_unbind(struct usbne
+ cdc_ncm_unbind(dev, intf);
+ }
+
++/* verify that the ethernet protocol is IPv4 or IPv6 */
++static bool is_ip_proto(__be16 proto)
++{
++ switch (proto) {
++ case htons(ETH_P_IP):
++ case htons(ETH_P_IPV6):
++ return true;
++ }
++ return false;
++}
+
+ static struct sk_buff *cdc_mbim_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
+ {
+@@ -128,6 +138,7 @@ static struct sk_buff *cdc_mbim_tx_fixup
+ struct cdc_ncm_ctx *ctx = info->ctx;
+ __le32 sign = cpu_to_le32(USB_CDC_MBIM_NDP16_IPS_SIGN);
+ u16 tci = 0;
++ bool is_ip;
+ u8 *c;
+
+ if (!ctx)
+@@ -137,25 +148,32 @@ static struct sk_buff *cdc_mbim_tx_fixup
+ if (skb->len <= ETH_HLEN)
+ goto error;
+
++ /* Some applications using e.g. packet sockets will
++ * bypass the VLAN acceleration and create tagged
++ * ethernet frames directly. We primarily look for
++ * the accelerated out-of-band tag, but fall back if
++ * required
++ */
++ skb_reset_mac_header(skb);
++ if (vlan_get_tag(skb, &tci) < 0 && skb->len > VLAN_ETH_HLEN &&
++ __vlan_get_tag(skb, &tci) == 0) {
++ is_ip = is_ip_proto(vlan_eth_hdr(skb)->h_vlan_encapsulated_proto);
++ skb_pull(skb, VLAN_ETH_HLEN);
++ } else {
++ is_ip = is_ip_proto(eth_hdr(skb)->h_proto);
++ skb_pull(skb, ETH_HLEN);
++ }
++
+ /* mapping VLANs to MBIM sessions:
+ * no tag => IPS session <0>
+ * 1 - 255 => IPS session <vlanid>
+ * 256 - 511 => DSS session <vlanid - 256>
+ * 512 - 4095 => unsupported, drop
+ */
+- vlan_get_tag(skb, &tci);
+-
+ switch (tci & 0x0f00) {
+ case 0x0000: /* VLAN ID 0 - 255 */
+- /* verify that datagram is IPv4 or IPv6 */
+- skb_reset_mac_header(skb);
+- switch (eth_hdr(skb)->h_proto) {
+- case htons(ETH_P_IP):
+- case htons(ETH_P_IPV6):
+- break;
+- default:
++ if (!is_ip)
+ goto error;
+- }
+ c = (u8 *)&sign;
+ c[3] = tci;
+ break;
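Review bot: The length tests guarding the new fallback compare `skb->len`, which also counts paged data, while `vlan_eth_hdr(skb)`, `eth_hdr(skb)` and `__vlan_get_tag()` read from the linear area. Whether every skb reaching cdc_mbim_tx_fixup() has its Ethernet and VLAN header linear is not visible in the hunk; if that is not guaranteed, a `pskb_may_pull(skb, VLAN_ETH_HLEN)` test before the fallback would make the header reads safe. At minimum a comment stating the assumption belongs next to `skb->len > VLAN_ETH_HLEN`. As a style point, is_ip_proto() could be the single line `return proto == htons(ETH_P_IP) || proto == htons(ETH_P_IPV6);`. The function continues outside the hunk.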
+@@ -169,7 +187,6 @@ static struct sk_buff *cdc_mbim_tx_fixup
+ "unsupported tci=0x%04x\n", tci);
+ goto error;
+ }
+- skb_pull(skb, ETH_HLEN);
+ }
+
+ spin_lock_bh(&ctx->mtx);
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 9 Apr 2014 10:28:50 +0200
+Subject: net: core: don't account for udp header size when computing seglen
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 6d39d589bb76ee8a1c6cde6822006ae0053decff ]
+
+In case of tcp, gso_size contains the tcpmss.
+
+For UFO (udp fragmentation offloading) skbs, gso_size is the fragment
+payload size, i.e. we must not account for udp header size.
+
+Otherwise, when using virtio drivers, a to-be-forwarded UFO GSO packet
+will be needlessly fragmented in the forward path, because we think its
+individual segments are too large for the outgoing link.
+
+Fixes: fe6cc55f3a9a053 ("net: ip, ipv6: handle gso skbs in forwarding path")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3487,12 +3487,14 @@ EXPORT_SYMBOL(skb_try_coalesce);
+ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
+ {
+ const struct skb_shared_info *shinfo = skb_shinfo(skb);
+- unsigned int hdr_len;
+
+ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
+- hdr_len = tcp_hdrlen(skb);
+- else
+- hdr_len = sizeof(struct udphdr);
+- return hdr_len + shinfo->gso_size;
++ return tcp_hdrlen(skb) + shinfo->gso_size;
++
++ /* UFO sets gso_size to the size of the fragmentation
++ * payload, i.e. the size of the L4 (UDP) header is already
++ * accounted for.
++ */
++ return shinfo->gso_size;
+ }
+ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
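Review bot: The final `return shinfo->gso_size;` is taken for every gso_type that is not TCPv4 or TCPv6, while the comment above it speaks only of UFO. If other GSO types can reach skb_gso_transport_seglen() (not visible here), they are silently sized as UDP fragments. Either state the assumption in the comment, e.g. `/* every non-TCP GSO skb seen here is UFO */`, or test the UDP type explicitly so that an unexpected type is noticed.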
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Andrew Lutomirski <luto@amacapital.net>
+Date: Wed, 16 Apr 2014 21:41:34 -0700
+Subject: net: Fix ns_capable check in sock_diag_put_filterinfo
+
+From: Andrew Lutomirski <luto@amacapital.net>
+
+[ Upstream commit 78541c1dc60b65ecfce5a6a096fc260219d6784e ]
+
+The caller needs capabilities on the namespace being queried, not on
+their own namespace. This is a security bug, although it likely has
+only a minor impact.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sock_diag.h | 2 +-
+ net/core/sock_diag.c | 4 ++--
+ net/packet/diag.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/sock_diag.h
++++ b/include/linux/sock_diag.h
+@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u
+ void sock_diag_save_cookie(void *sk, __u32 *cookie);
+
+ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
++int sock_diag_put_filterinfo(struct sock *sk,
+ struct sk_buff *skb, int attrtype);
+
+ #endif
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *s
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
+
+-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
++int sock_diag_put_filterinfo(struct sock *sk,
+ struct sk_buff *skb, int attrtype)
+ {
+ struct nlattr *attr;
+@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user
+ unsigned int len;
+ int err = 0;
+
+- if (!ns_capable(user_ns, CAP_NET_ADMIN)) {
++ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ nla_reserve(skb, attrtype, 0);
+ return 0;
+ }
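Review bot: The rewritten test `ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)` in sock_diag_put_filterinfo() now names the right namespace, but `ns_capable()` still evaluates the credentials of whichever task is running. Nothing in this hunk shows that this is always the party that opened the requesting netlink socket, so state that assumption in a comment above the check, for example `/* checks current's creds against the owner of sk's netns; assumes the dump runs in the requester's context */`. In the same branch the result of `nla_reserve(skb, attrtype, 0)` is discarded, so a full skb returns 0 with no attribute written. `if (!nla_reserve(skb, attrtype, 0)) return -EMSGSIZE;` would surface that, and the net/packet/diag.c caller already treats non-zero as the trim path. The function body continues past the end of the hunk.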
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -171,7 +171,7 @@ static int sk_diag_fill(struct sock *sk,
+ goto out_nlmsg_trim;
+
+ if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+- sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
++ sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
+ goto out_nlmsg_trim;
+
+ return nlmsg_end(skb, nlh);
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Apr 2014 09:28:10 -0700
+Subject: net-gro: reset skb->truesize in napi_reuse_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e33d0ba8047b049c9262fdb1fcafb93cb52ceceb ]
+
+Recycling skb always had been very tough...
+
+This time it appears GRO layer can accumulate skb->truesize
+adjustments made by drivers when they attach a fragment to skb.
+
+skb_gro_receive() can only subtract from skb->truesize the used part
+of a fragment.
+
+I spotted this problem seeing TcpExtPruneCalled and
+TcpExtTCPRcvCollapsed that were unexpected with a recent kernel, where
+TCP receive window should be sized properly to accept traffic coming
+from a driver not overshooting skb->truesize.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3898,6 +3898,7 @@ static void napi_reuse_skb(struct napi_s
+ skb->vlan_tci = 0;
+ skb->dev = napi->dev;
+ skb->skb_iif = 0;
++ skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
+
+ napi->skb = skb;
+ }
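Review bot: The added `skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));` in napi_reuse_skb() has no comment, and it is the only reset in this run that is recomputed rather than cleared. A maintainer cannot tell from the code why the recycled skb's accounting has to be rebuilt. Suggest `/* drop truesize adjustments left by driver-attached frags; skb_gro_receive() only subtracts the used part */` above the line. The commit message reports that the inflated value surfaced as unexpected receive-queue pruning, so the reason deserves to live next to the code. The function starts before the hunk.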
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: "Wang, Xiaoming" <xiaoming.wang@intel.com>
+Date: Mon, 14 Apr 2014 12:30:45 -0400
+Subject: net: ipv4: current group_info should be put after using.
+
+From: "Wang, Xiaoming" <xiaoming.wang@intel.com>
+
+[ Upstream commit b04c46190219a4f845e46a459e3102137b7f6cac ]
+
+Plug a group_info refcount leak in ping_init.
+group_info is only needed during initialization and
+the code failed to release the reference on exit.
+While here move grabbing the reference to a place
+where it is actually needed.
+
+Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
+Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
+Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -204,26 +204,33 @@ static int ping_init_sock(struct sock *s
+ {
+ struct net *net = sock_net(sk);
+ kgid_t group = current_egid();
+- struct group_info *group_info = get_current_groups();
+- int i, j, count = group_info->ngroups;
++ struct group_info *group_info;
++ int i, j, count;
+ kgid_t low, high;
++ int ret = 0;
+
+ inet_get_ping_group_range_net(net, &low, &high);
+ if (gid_lte(low, group) && gid_lte(group, high))
+ return 0;
+
++ group_info = get_current_groups();
++ count = group_info->ngroups;
+ for (i = 0; i < group_info->nblocks; i++) {
+ int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
+ for (j = 0; j < cp_count; j++) {
+ kgid_t gid = group_info->blocks[i][j];
+ if (gid_lte(low, gid) && gid_lte(gid, high))
+- return 0;
++ goto out_release_group;
+ }
+
+ count -= cp_count;
+ }
+
+- return -EACCES;
++ ret = -EACCES;
++
++out_release_group:
++ put_group_info(group_info);
++ return ret;
+ }
+
+ static void ping_close(struct sock *sk, long timeout)
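Review bot: Nothing at `out_release_group:` in ping_init_sock() records the invariant this fix establishes, namely that every exit after `get_current_groups()` must pass through `put_group_info()`. A `return` added later inside the loop would silently bring back the reference leak, and a counter that only grows on a path reached at socket initialisation should be guarded against that regression. Suggest `/* every path that took the group_info reference must leave through here */` above the label. The early `return 0` before the reference is taken is correct as written.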
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 4 May 2014 23:24:31 +0200
+Subject: net: ipv4: ip_forward: fix inverted local_df test
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit ca6c5d4ad216d5942ae544bbf02503041bd802aa ]
+
+local_df means 'ignore DF bit if set', so if its set we're
+allowed to perform ip fragmentation.
+
+This wasn't noticed earlier because the output path also drops such skbs
+(and emits needed icmp error) and because netfilter ip defrag did not
+set local_df until couple of days ago.
+
+Only difference is that DF-packets-larger-than MTU now discarded
+earlier (f.e. we avoid pointless netfilter postrouting trip).
+
+While at it, drop the repeated test ip_exceeds_mtu, checking it once
+is enough...
+
+Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_forward.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -42,12 +42,12 @@
+ static bool ip_may_fragment(const struct sk_buff *skb)
+ {
+ return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
+- !skb->local_df;
++ skb->local_df;
+ }
+
+ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
+ {
+- if (skb->len <= mtu || skb->local_df)
++ if (skb->len <= mtu)
+ return false;
+
+ if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
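Review bot: `ip_may_fragment()` tests `skb->local_df` with no comment on what the flag means, and the inverted test corrected here shows how easily the name is misread as "DF was set locally". Suggest `/* local_df: ignore the DF bit, so fragmentation is allowed */` above the return statement. With the `skb->local_df` shortcut removed from `ip_exceeds_mtu()`, that function presumably relies on its caller to consult `ip_may_fragment()` as well, and a short note on `ip_exceeds_mtu()` saying so would keep the two checks in step. `ip_exceeds_mtu()` continues past the end of the hunk.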
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 5 May 2014 00:03:34 +0200
+Subject: net: ipv6: send pkttoobig immediately if orig frag size > mtu
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 418a31561d594a2b636c1e2fa94ecd9e1245abb1 ]
+
+If conntrack defragments incoming ipv6 frags it stores largest original
+frag size in ip6cb and sets ->local_df.
+
+We must thus first test the largest original frag size vs. mtu, and not
+vice versa.
+
+Without this patch PKTTOOBIG is still generated in ip6_fragment() later
+in the stack, but
+
+1) IPSTATS_MIB_INTOOBIGERRORS won't increment
+2) packet did (needlessly) traverse netfilter postrouting hook.
+
+Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -347,12 +347,16 @@ static inline int ip6_forward_finish(str
+
+ static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
+ {
+- if (skb->len <= mtu || skb->local_df)
++ if (skb->len <= mtu)
+ return false;
+
++ /* ipv6 conntrack defrag sets max_frag_size + local_df */
+ if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)
+ return true;
+
++ if (skb->local_df)
++ return false;
++
+ if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
+ return false;
+
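Review bot: The new comment in `ip6_pkt_too_big()` names `max_frag_size`, while the field tested on the next line is `IP6CB(skb)->frag_max_size`, so a search for the identifier in the comment finds nothing. The comment also omits why the order matters, which is the whole point of the change. Suggest `/* ipv6 conntrack defrag sets frag_max_size + local_df: test the recorded fragment size before honouring local_df */`. The function continues past the end of the hunk.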
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:33 +0200
+Subject: net: qmi_wwan: add a number of CMOTech devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 41be7d90993b1502d445bfc59e58348c258ce66a ]
+
+A number of older CMOTech modems are based on Qualcomm
+chips and exporting a QMI/wwan function.
+
+Reported-by: Lars Melin <larsm17@gmail.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -649,6 +649,22 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
+ {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
++ {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
++ {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
++ {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
++ {QMI_FIXED_INTF(0x16d8, 0x6280, 0)}, /* CMOTech CHU-628 */
++ {QMI_FIXED_INTF(0x16d8, 0x7001, 0)}, /* CMOTech CHU-720S */
++ {QMI_FIXED_INTF(0x16d8, 0x7002, 0)}, /* CMOTech 7002 */
++ {QMI_FIXED_INTF(0x16d8, 0x7003, 4)}, /* CMOTech CHU-629K */
++ {QMI_FIXED_INTF(0x16d8, 0x7004, 3)}, /* CMOTech 7004 */
++ {QMI_FIXED_INTF(0x16d8, 0x7006, 5)}, /* CMOTech CGU-629 */
++ {QMI_FIXED_INTF(0x16d8, 0x700a, 4)}, /* CMOTech CHU-629S */
++ {QMI_FIXED_INTF(0x16d8, 0x7211, 0)}, /* CMOTech CHU-720I */
++ {QMI_FIXED_INTF(0x16d8, 0x7212, 0)}, /* CMOTech 7212 */
++ {QMI_FIXED_INTF(0x16d8, 0x7213, 0)}, /* CMOTech 7213 */
++ {QMI_FIXED_INTF(0x16d8, 0x7251, 1)}, /* CMOTech 7251 */
++ {QMI_FIXED_INTF(0x16d8, 0x7252, 1)}, /* CMOTech 7252 */
++ {QMI_FIXED_INTF(0x16d8, 0x7253, 1)}, /* CMOTech 7253 */
+ {QMI_FIXED_INTF(0x19d2, 0x0002, 1)},
+ {QMI_FIXED_INTF(0x19d2, 0x0012, 1)},
+ {QMI_FIXED_INTF(0x19d2, 0x0017, 3)},
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:34 +0200
+Subject: net: qmi_wwan: add a number of Dell devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 6f10c5d1b1aeddb63d33070abb8bc5a177beeb1f ]
+
+Dan writes:
+
+"The Dell drivers use the same configuration for PIDs:
+
+81A2: Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card
+81A3: Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card
+81A4: Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card
+81A8: Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card
+81A9: Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card
+
+These devices are all clearly Sierra devices, but are also definitely
+Gobi-based. The A8 might be the MC7700/7710 and A9 is likely a MC7750.
+
+>From DellGobi5kSetup.exe from the Dell drivers:
+
+usbif0: serial/firmware loader?
+usbif2: nmea
+usbif3: modem/ppp
+usbif8: net/QMI"
+
+Reported-by: AceLan Kao <acelan.kao@canonical.com>
+Reported-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -743,6 +743,11 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
+ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
++ {QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x413c, 0x81a3, 8)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
++ {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:32 +0200
+Subject: net: qmi_wwan: add Alcatel L800MA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 75573660c47a0db7cc931dcf154945610e02130a ]
+
+Device interface layout:
+0: ff/ff/ff - serial
+1: ff/00/00 - serial AT+PPP
+2: ff/ff/ff - QMI/wwan
+3: 08/06/50 - storage
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -718,6 +718,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
++ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:31 +0200
+Subject: net: qmi_wwan: add Olivetti Olicard 500
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit efc0b25c3add97717ece57bf5319792ca98f348e ]
+
+Device interface layout:
+0: ff/ff/ff - serial
+1: ff/ff/ff - serial AT+PPP
+2: 08/06/50 - storage
+3: ff/ff/ff - serial
+4: ff/ff/ff - QMI/wwan
+
+Reported-by: Julio Araujo <julio.araujo@wllctel.com.br>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -723,6 +723,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
+ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
+
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 28 Jun 2013 17:17:50 +0200
+Subject: net: qmi_wwan: add Option GTM681W
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit aa3aba1cbcbe823bba623c7cab33d84ddf0fb6cd ]
+
+A standard Gobi 3000 reference design module.
+
+Reported-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -747,6 +747,7 @@ static const struct usb_device_id produc
+ {QMI_GOBI_DEVICE(0x05c6, 0x9265)}, /* Asus Gobi 2000 Modem device (VR305) */
+ {QMI_GOBI_DEVICE(0x05c6, 0x9235)}, /* Top Global Gobi 2000 Modem device (VR306) */
+ {QMI_GOBI_DEVICE(0x05c6, 0x9275)}, /* iRex Technologies Gobi 2000 Modem device (VR307) */
++ {QMI_GOBI_DEVICE(0x0af0, 0x8120)}, /* Option GTM681W */
+ {QMI_GOBI_DEVICE(0x1199, 0x68a5)}, /* Sierra Wireless Modem */
+ {QMI_GOBI_DEVICE(0x1199, 0x68a9)}, /* Sierra Wireless Modem */
+ {QMI_GOBI_DEVICE(0x1199, 0x9001)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:28 +0200
+Subject: net: qmi_wwan: add Sierra Wireless EM7355
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit b85f5deaf052340021d025e120a9858f084a1d79 ]
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -711,6 +711,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */
+ {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
++ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:30 +0200
+Subject: net: qmi_wwan: add Sierra Wireless MC7305/MC7355
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 9214224e43e4264b02686ea8b455f310935607b5 ]
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -715,6 +715,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1199, 0x68c0, 11)}, /* Sierra Wireless MC73xx */
+ {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
+ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
++ {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 25 Apr 2014 19:00:29 +0200
+Subject: net: qmi_wwan: add Sierra Wireless MC73xx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 1c138607a7be64074d7fba68d0d533ec38f9d17b ]
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -710,6 +710,9 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */
++ {QMI_FIXED_INTF(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC73xx */
++ {QMI_FIXED_INTF(0x1199, 0x68c0, 10)}, /* Sierra Wireless MC73xx */
++ {QMI_FIXED_INTF(0x1199, 0x68c0, 11)}, /* Sierra Wireless MC73xx */
+ {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
+ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Wed, 12 Feb 2014 15:55:14 +0100
+Subject: net: qmi_wwan: add support for Cinterion PXS8 and PHS8
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+[ Upstream commit 9b2b6a2d669c909dd0b125fc834da94bcfc0aee7 ]
+
+When the PXS8 and PHS8 devices show up with PID 0x0053 they will expose both a
+QMI port and a WWAN interface.
+
+CC: Hans-Christoph Schemmel <hans-christoph.schemmel@gemalto.com>
+CC: Christian Schmiedl <christian.schmiedl@gemalto.com>
+CC: Nicolaus Colberg <nicolaus.colberg@gemalto.com>
+CC: David McCullough <david.mccullough@accelecon.com>
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -719,6 +719,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
++ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Wed, 25 Sep 2013 11:21:25 +0200
+Subject: net: qmi_wwan: add Telit LE920 newer firmware support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+[ Upstream commit 905468fa4d54c3e572ed3045cd47cce37780716e ]
+
+Newer firmware use a new pid and a different interface.
+
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -715,6 +715,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
++ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */
+
+ /* 4. Gobi 1000 devices */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 28 Jun 2013 17:17:51 +0200
+Subject: net: qmi_wwan: add TP-LINK MA260
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit d0b5e516298fba30774e2df22cfbd00ecb09c298 ]
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -712,6 +712,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
++ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */
+
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Raymond Wanyoike <raymond.wanyoike@gmail.com>
+Date: Sun, 9 Feb 2014 00:01:02 +0300
+Subject: net: qmi_wwan: add ZTE MF667
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Raymond Wanyoike <raymond.wanyoike@gmail.com>
+
+[ Upstream commit 7653aabfbdc73c1567e29a9790701f5898ba1420 ]
+
+The driver description files give these descriptions to the vendor specific
+ports on this modem:
+
+ VID_19D2&PID_1270&MI_00: "ZTE MF667 Diagnostics Port"
+ VID_19D2&PID_1270&MI_01: "ZTE MF667 AT Port"
+ VID_19D2&PID_1270&MI_02: "ZTE MF667 ATExt2 Port"
+ VID_19D2&PID_1270&MI_03: "ZTE MF667 ATExt Port"
+ VID_19D2&PID_1270&MI_04: "ZTE MF667 USB Modem"
+ VID_19D2&PID_1270&MI_05: "ZTE MF667 Network Adapter"
+
+Signed-off-by: Raymond Wanyoike <raymond.wanyoike@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -699,6 +699,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x1255, 3)},
+ {QMI_FIXED_INTF(0x19d2, 0x1255, 4)},
+ {QMI_FIXED_INTF(0x19d2, 0x1256, 4)},
++ {QMI_FIXED_INTF(0x19d2, 0x1270, 5)}, /* ZTE MF667 */
+ {QMI_FIXED_INTF(0x19d2, 0x1401, 2)},
+ {QMI_FIXED_INTF(0x19d2, 0x1402, 2)}, /* ZTE MF60 */
+ {QMI_FIXED_INTF(0x19d2, 0x1424, 2)},
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Aleksander Morgado <aleksander@lanedo.com>
+Date: Wed, 25 Sep 2013 17:02:36 +0200
+Subject: net: qmi_wwan: fix Cinterion PLXX product ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksander Morgado <aleksander@lanedo.com>
+
+[ Upstream commit 2d77f343343c4f38b8f94be1964bbbc6456a147f ]
+
+Cinterion PLXX LTE devices have a 0x0060 product ID, not 0x12d1.
+
+The blacklisting in the serial/option driver does actually use the correct PID,
+as per commit 8ff10bdb14a52e3f25d4ce09e0582a8684c1a6db ('USB: Blacklisted
+Cinterion's PLxx WWAN Interface').
+
+CC: Hans-Christoph Schemmel <hans-christoph.schemmel@gemalto.com>
+CC: Christian Schmiedl <christian.schmiedl@gemalto.com>
+CC: Nicolaus Colberg <nicolaus.colberg@gemalto.com>
+Signed-off-by: Aleksander Morgado <aleksander@lanedo.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Acked-by: Christian Schmiedl <christian.schmiedl@gemalto.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -716,7 +716,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+- {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */
++ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 28 Jun 2013 17:17:49 +0200
+Subject: net: qmi_wwan: fixup Sierra Wireless MC8305 entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 5a008ffa73b4401251d548c10cadac6f8a67cfb5 ]
+
+The MC8305 module got an additional entry added based solely on
+information from a Windows driver *.inf file. We now have the
+actual descriptor layout from one of these modules, and it
+consists of two alternate configurations where cfg #1 is a
+normal Gobi 2k layout and cfg #2 is MBIM only, using interface
+numbers 5 and 6 for MBIM control and data. The extra Windows
+driver entry for interface number 5 was most likely a bug.
+
+Deleting the bogus entry to avoid unnecessary qmi_wwan probe
+failures when using the MBIM configuration.
+
+Reported-by: Lana Black <sickmind@lavabit.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -760,7 +760,6 @@ static const struct usb_device_id produc
+ {QMI_GOBI_DEVICE(0x1199, 0x9009)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */
+ {QMI_GOBI_DEVICE(0x1199, 0x900a)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */
+ {QMI_GOBI_DEVICE(0x1199, 0x9011)}, /* Sierra Wireless Gobi 2000 Modem device (MC8305) */
+- {QMI_FIXED_INTF(0x1199, 0x9011, 5)}, /* alternate interface number!? */
+ {QMI_GOBI_DEVICE(0x16d8, 0x8002)}, /* CMDTech Gobi 2000 Modem device (VU922) */
+ {QMI_GOBI_DEVICE(0x05c6, 0x9205)}, /* Gobi 2000 Modem device */
+ {QMI_GOBI_DEVICE(0x1199, 0x9013)}, /* Sierra Wireless Gobi 3000 Modem device (MC8355) */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Enrico Mioso <mrkiko.rs@gmail.com>
+Date: Tue, 15 Oct 2013 15:06:48 +0200
+Subject: net: qmi_wwan: Olivetti Olicard 200 support
+
+From: Enrico Mioso <mrkiko.rs@gmail.com>
+
+[ Upstream commit ce97fef4235378108ed3bd96e1b3eab8fd0a1fbd ]
+
+This is a QMI device, manufactured by TCT Mobile Phones.
+A companion patch blacklisting this device's QMI interface in the option.c
+driver has been sent.
+
+Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
+Signed-off-by: Antonella Pellizzari <anto.pellizzari83@gmail.com>
+Tested-by: Dan Williams <dcbw@redhat.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -716,6 +716,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
++ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
+
+ /* 4. Gobi 1000 devices */
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Thu, 17 Apr 2014 17:26:50 +0200
+Subject: net: sctp: cache auth_enable per endpoint
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit b14878ccb7fac0242db82720b784ab62c467c0dc ]
+
+Currently, it is possible to create an SCTP socket, then switch
+auth_enable via sysctl setting to 1 and crash the system on connect:
+
+Oops[#1]:
+CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
+task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
+[...]
+Call Trace:
+[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
+[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
+[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
+[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
+[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
+[<ffffffff8043af68>] sctp_rcv+0x588/0x630
+[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
+[<ffffffff803acb50>] ip6_input+0x2c0/0x440
+[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
+[<ffffffff80310650>] process_backlog+0xb4/0x18c
+[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
+[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
+[<ffffffff800345e0>] irq_exit+0x54/0xb0
+[<ffffffff800075a4>] ret_from_irq+0x0/0x4
+[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
+[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
+[<ffffffff805a88b0>] start_kernel+0x37c/0x398
+Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
+03e00008 00000000
+---[ end trace b530b0551467f2fd ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+
+What happens while auth_enable=0 in that case is, that
+ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
+when endpoint is being created.
+
+After that point, if an admin switches over to auth_enable=1,
+the machine can crash due to NULL pointer dereference during
+reception of an INIT chunk. When we enter sctp_process_init()
+via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
+the INIT verification succeeds and while we walk and process
+all INIT params via sctp_process_param() we find that
+net->sctp.auth_enable is set, therefore do not fall through,
+but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
+dereference what we have set to NULL during endpoint
+initialization phase.
+
+The fix is to make auth_enable immutable by caching its value
+during endpoint initialization, so that its original value is
+being carried along until destruction. The bug seems to originate
+from the very first days.
+
+Fix in joint work with Daniel Borkmann.
+
+Reported-by: Joshua Kinard <kumba@gentoo.org>
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Tested-by: Joshua Kinard <kumba@gentoo.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sctp/structs.h | 4 ++-
+ net/sctp/auth.c | 17 +++++---------
+ net/sctp/endpointola.c | 3 +-
+ net/sctp/sm_make_chunk.c | 32 ++++++++++++++------------
+ net/sctp/sm_statefuns.c | 6 ++---
+ net/sctp/socket.c | 54 +++++++++++++++++++++------------------------
+ net/sctp/sysctl.c | 38 ++++++++++++++++++++++++++++++-
+ 7 files changed, 93 insertions(+), 61 deletions(-)
+
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -1252,6 +1252,7 @@ struct sctp_endpoint {
+ /* SCTP-AUTH: endpoint shared keys */
+ struct list_head endpoint_shared_keys;
+ __u16 active_key_id;
++ __u8 auth_enable;
+ };
+
+ /* Recover the outter endpoint structure. */
+@@ -1280,7 +1281,8 @@ struct sctp_endpoint *sctp_endpoint_is_m
+ int sctp_has_association(struct net *net, const union sctp_addr *laddr,
+ const union sctp_addr *paddr);
+
+-int sctp_verify_init(struct net *net, const struct sctp_association *asoc,
++int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep,
++ const struct sctp_association *asoc,
+ sctp_cid_t, sctp_init_chunk_t *peer_init,
+ struct sctp_chunk *chunk, struct sctp_chunk **err_chunk);
+ int sctp_process_init(struct sctp_association *, struct sctp_chunk *chunk,
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -393,14 +393,13 @@ nomem:
+ */
+ int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp)
+ {
+- struct net *net = sock_net(asoc->base.sk);
+ struct sctp_auth_bytes *secret;
+ struct sctp_shared_key *ep_key;
+
+ /* If we don't support AUTH, or peer is not capable
+ * we don't need to do anything.
+ */
+- if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
++ if (!asoc->ep->auth_enable || !asoc->peer.auth_capable)
+ return 0;
+
+ /* If the key_id is non-zero and we couldn't find an
+@@ -447,16 +446,16 @@ struct sctp_shared_key *sctp_auth_get_sh
+ */
+ int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp)
+ {
+- struct net *net = sock_net(ep->base.sk);
+ struct crypto_hash *tfm = NULL;
+ __u16 id;
+
+- /* if the transforms are already allocted, we are done */
+- if (!net->sctp.auth_enable) {
++ /* If AUTH extension is disabled, we are done */
++ if (!ep->auth_enable) {
+ ep->auth_hmacs = NULL;
+ return 0;
+ }
+
++ /* If the transforms are already allocated, we are done */
+ if (ep->auth_hmacs)
+ return 0;
+
+@@ -677,12 +676,10 @@ static int __sctp_auth_cid(sctp_cid_t ch
+ /* Check if peer requested that this chunk is authenticated */
+ int sctp_auth_send_cid(sctp_cid_t chunk, const struct sctp_association *asoc)
+ {
+- struct net *net;
+ if (!asoc)
+ return 0;
+
+- net = sock_net(asoc->base.sk);
+- if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
++ if (!asoc->ep->auth_enable || !asoc->peer.auth_capable)
+ return 0;
+
+ return __sctp_auth_cid(chunk, asoc->peer.peer_chunks);
+@@ -691,12 +688,10 @@ int sctp_auth_send_cid(sctp_cid_t chunk,
+ /* Check if we requested that peer authenticate this chunk. */
+ int sctp_auth_recv_cid(sctp_cid_t chunk, const struct sctp_association *asoc)
+ {
+- struct net *net;
+ if (!asoc)
+ return 0;
+
+- net = sock_net(asoc->base.sk);
+- if (!net->sctp.auth_enable)
++ if (!asoc->ep->auth_enable)
+ return 0;
+
+ return __sctp_auth_cid(chunk,
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -75,7 +75,8 @@ static struct sctp_endpoint *sctp_endpoi
+ if (!ep->digest)
+ return NULL;
+
+- if (net->sctp.auth_enable) {
++ ep->auth_enable = net->sctp.auth_enable;
++ if (ep->auth_enable) {
+ /* Allocate space for HMACS and CHUNKS authentication
+ * variables. There are arrays that we encode directly
+ * into parameters to make the rest of the operations easier.
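Review bot: The copy `ep->auth_enable = net->sctp.auth_enable;` narrows the value into the new `__u8` field, while the sysctl entry for it is declared with `.maxlen = sizeof(int)` and parsed by proc_dointvec(), so the source appears to be a full int. A nonzero value whose low byte is zero (256, for example) would then leave AUTH enabled at the namespace level but disabled on every endpoint created afterwards. Normalising at the copy keeps the two in agreement: `ep->auth_enable = !!net->sctp.auth_enable;`. The same narrowing applies to `sctp_sk(sk)->ep->auth_enable = new_value;` in the proc_sctp_do_auth() hunk of net/sctp/sysctl.c. sctp_endpoint_init() begins and ends outside this hunk.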
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -199,6 +199,7 @@ struct sctp_chunk *sctp_make_init(const
+ gfp_t gfp, int vparam_len)
+ {
+ struct net *net = sock_net(asoc->base.sk);
++ struct sctp_endpoint *ep = asoc->ep;
+ sctp_inithdr_t init;
+ union sctp_params addrs;
+ size_t chunksize;
+@@ -258,7 +259,7 @@ struct sctp_chunk *sctp_make_init(const
+ chunksize += vparam_len;
+
+ /* Account for AUTH related parameters */
+- if (net->sctp.auth_enable) {
++ if (ep->auth_enable) {
+ /* Add random parameter length*/
+ chunksize += sizeof(asoc->c.auth_random);
+
+@@ -343,7 +344,7 @@ struct sctp_chunk *sctp_make_init(const
+ }
+
+ /* Add SCTP-AUTH chunks to the parameter list */
+- if (net->sctp.auth_enable) {
++ if (ep->auth_enable) {
+ sctp_addto_chunk(retval, sizeof(asoc->c.auth_random),
+ asoc->c.auth_random);
+ if (auth_hmacs)
+@@ -1995,7 +1996,7 @@ static void sctp_process_ext_param(struc
+ /* if the peer reports AUTH, assume that he
+ * supports AUTH.
+ */
+- if (net->sctp.auth_enable)
++ if (asoc->ep->auth_enable)
+ asoc->peer.auth_capable = 1;
+ break;
+ case SCTP_CID_ASCONF:
+@@ -2087,6 +2088,7 @@ static sctp_ierror_t sctp_process_unk_pa
+ * SCTP_IERROR_NO_ERROR - continue with the chunk
+ */
+ static sctp_ierror_t sctp_verify_param(struct net *net,
++ const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ union sctp_params param,
+ sctp_cid_t cid,
+@@ -2137,7 +2139,7 @@ static sctp_ierror_t sctp_verify_param(s
+ goto fallthrough;
+
+ case SCTP_PARAM_RANDOM:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fallthrough;
+
+ /* SCTP-AUTH: Secion 6.1
+@@ -2154,7 +2156,7 @@ static sctp_ierror_t sctp_verify_param(s
+ break;
+
+ case SCTP_PARAM_CHUNKS:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fallthrough;
+
+ /* SCTP-AUTH: Section 3.2
+@@ -2170,7 +2172,7 @@ static sctp_ierror_t sctp_verify_param(s
+ break;
+
+ case SCTP_PARAM_HMAC_ALGO:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fallthrough;
+
+ hmacs = (struct sctp_hmac_algo_param *)param.p;
+@@ -2204,10 +2206,9 @@ fallthrough:
+ }
+
+ /* Verify the INIT packet before we process it. */
+-int sctp_verify_init(struct net *net, const struct sctp_association *asoc,
+- sctp_cid_t cid,
+- sctp_init_chunk_t *peer_init,
+- struct sctp_chunk *chunk,
++int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep,
++ const struct sctp_association *asoc, sctp_cid_t cid,
++ sctp_init_chunk_t *peer_init, struct sctp_chunk *chunk,
+ struct sctp_chunk **errp)
+ {
+ union sctp_params param;
+@@ -2250,8 +2251,8 @@ int sctp_verify_init(struct net *net, co
+
+ /* Verify all the variable length parameters */
+ sctp_walk_params(param, peer_init, init_hdr.params) {
+-
+- result = sctp_verify_param(net, asoc, param, cid, chunk, errp);
++ result = sctp_verify_param(net, ep, asoc, param, cid,
++ chunk, errp);
+ switch (result) {
+ case SCTP_IERROR_ABORT:
+ case SCTP_IERROR_NOMEM:
+@@ -2483,6 +2484,7 @@ static int sctp_process_param(struct sct
+ struct sctp_af *af;
+ union sctp_addr_param *addr_param;
+ struct sctp_transport *t;
++ struct sctp_endpoint *ep = asoc->ep;
+
+ /* We maintain all INIT parameters in network byte order all the
+ * time. This allows us to not worry about whether the parameters
+@@ -2623,7 +2625,7 @@ do_addr_param:
+ goto fall_through;
+
+ case SCTP_PARAM_RANDOM:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fall_through;
+
+ /* Save peer's random parameter */
+@@ -2636,7 +2638,7 @@ do_addr_param:
+ break;
+
+ case SCTP_PARAM_HMAC_ALGO:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fall_through;
+
+ /* Save peer's HMAC list */
+@@ -2652,7 +2654,7 @@ do_addr_param:
+ break;
+
+ case SCTP_PARAM_CHUNKS:
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ goto fall_through;
+
+ asoc->peer.peer_chunks = kmemdup(param.p,
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -364,7 +364,7 @@ sctp_disposition_t sctp_sf_do_5_1B_init(
+
+ /* Verify the INIT chunk before processing it. */
+ err_chunk = NULL;
+- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
+ (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
+ &err_chunk)) {
+ /* This chunk contains fatal error. It is to be discarded.
+@@ -531,7 +531,7 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(s
+
+ /* Verify the INIT chunk before processing it. */
+ err_chunk = NULL;
+- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
+ (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
+ &err_chunk)) {
+
+@@ -1437,7 +1437,7 @@ static sctp_disposition_t sctp_sf_do_une
+
+ /* Verify the INIT chunk before processing it. */
+ err_chunk = NULL;
+- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
+ (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
+ &err_chunk)) {
+ /* This chunk contains fatal error. It is to be discarded.
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -3318,10 +3318,10 @@ static int sctp_setsockopt_auth_chunk(st
+ char __user *optval,
+ unsigned int optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authchunk val;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (optlen != sizeof(struct sctp_authchunk))
+@@ -3338,7 +3338,7 @@ static int sctp_setsockopt_auth_chunk(st
+ }
+
+ /* add this chunk id to the endpoint */
+- return sctp_auth_ep_add_chunkid(sctp_sk(sk)->ep, val.sauth_chunk);
++ return sctp_auth_ep_add_chunkid(ep, val.sauth_chunk);
+ }
+
+ /*
+@@ -3351,12 +3351,12 @@ static int sctp_setsockopt_hmac_ident(st
+ char __user *optval,
+ unsigned int optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_hmacalgo *hmacs;
+ u32 idents;
+ int err;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (optlen < sizeof(struct sctp_hmacalgo))
+@@ -3373,7 +3373,7 @@ static int sctp_setsockopt_hmac_ident(st
+ goto out;
+ }
+
+- err = sctp_auth_ep_set_hmacs(sctp_sk(sk)->ep, hmacs);
++ err = sctp_auth_ep_set_hmacs(ep, hmacs);
+ out:
+ kfree(hmacs);
+ return err;
+@@ -3389,12 +3389,12 @@ static int sctp_setsockopt_auth_key(stru
+ char __user *optval,
+ unsigned int optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authkey *authkey;
+ struct sctp_association *asoc;
+ int ret;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (optlen <= sizeof(struct sctp_authkey))
+@@ -3415,7 +3415,7 @@ static int sctp_setsockopt_auth_key(stru
+ goto out;
+ }
+
+- ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
++ ret = sctp_auth_set_key(ep, asoc, authkey);
+ out:
+ kzfree(authkey);
+ return ret;
+@@ -3431,11 +3431,11 @@ static int sctp_setsockopt_active_key(st
+ char __user *optval,
+ unsigned int optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (optlen != sizeof(struct sctp_authkeyid))
+@@ -3447,8 +3447,7 @@ static int sctp_setsockopt_active_key(st
+ if (!asoc && val.scact_assoc_id && sctp_style(sk, UDP))
+ return -EINVAL;
+
+- return sctp_auth_set_active_key(sctp_sk(sk)->ep, asoc,
+- val.scact_keynumber);
++ return sctp_auth_set_active_key(ep, asoc, val.scact_keynumber);
+ }
+
+ /*
+@@ -3460,11 +3459,11 @@ static int sctp_setsockopt_del_key(struc
+ char __user *optval,
+ unsigned int optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (optlen != sizeof(struct sctp_authkeyid))
+@@ -3476,8 +3475,7 @@ static int sctp_setsockopt_del_key(struc
+ if (!asoc && val.scact_assoc_id && sctp_style(sk, UDP))
+ return -EINVAL;
+
+- return sctp_auth_del_key_id(sctp_sk(sk)->ep, asoc,
+- val.scact_keynumber);
++ return sctp_auth_del_key_id(ep, asoc, val.scact_keynumber);
+
+ }
+
+@@ -5368,16 +5366,16 @@ static int sctp_getsockopt_maxburst(stru
+ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_hmacalgo __user *p = (void __user *)optval;
+ struct sctp_hmac_algo_param *hmacs;
+ __u16 data_len = 0;
+ u32 num_idents;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+- hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
++ hmacs = ep->auth_hmacs_list;
+ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
+
+ if (len < sizeof(struct sctp_hmacalgo) + data_len)
+@@ -5398,11 +5396,11 @@ static int sctp_getsockopt_hmac_ident(st
+ static int sctp_getsockopt_active_key(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (len < sizeof(struct sctp_authkeyid))
+@@ -5417,7 +5415,7 @@ static int sctp_getsockopt_active_key(st
+ if (asoc)
+ val.scact_keynumber = asoc->active_key_id;
+ else
+- val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
++ val.scact_keynumber = ep->active_key_id;
+
+ len = sizeof(struct sctp_authkeyid);
+ if (put_user(len, optlen))
+@@ -5431,7 +5429,7 @@ static int sctp_getsockopt_active_key(st
+ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authchunks __user *p = (void __user *)optval;
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+@@ -5439,7 +5437,7 @@ static int sctp_getsockopt_peer_auth_chu
+ u32 num_chunks = 0;
+ char __user *to;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (len < sizeof(struct sctp_authchunks))
+@@ -5475,7 +5473,7 @@ num:
+ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
+- struct net *net = sock_net(sk);
++ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_authchunks __user *p = (void __user *)optval;
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+@@ -5483,7 +5481,7 @@ static int sctp_getsockopt_local_auth_ch
+ u32 num_chunks = 0;
+ char __user *to;
+
+- if (!net->sctp.auth_enable)
++ if (!ep->auth_enable)
+ return -EACCES;
+
+ if (len < sizeof(struct sctp_authchunks))
+@@ -5500,7 +5498,7 @@ static int sctp_getsockopt_local_auth_ch
+ if (asoc)
+ ch = (struct sctp_chunks_param*)asoc->c.auth_chunks;
+ else
+- ch = sctp_sk(sk)->ep->auth_chunk_list;
++ ch = ep->auth_chunk_list;
+
+ if (!ch)
+ goto num;
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -65,8 +65,11 @@ extern int sysctl_sctp_wmem[3];
+ static int proc_sctp_do_hmac_alg(ctl_table *ctl,
+ int write,
+ void __user *buffer, size_t *lenp,
+-
+ loff_t *ppos);
++static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
++ void __user *buffer, size_t *lenp,
++ loff_t *ppos);
++
+ static ctl_table sctp_table[] = {
+ {
+ .procname = "sctp_mem",
+@@ -267,7 +270,7 @@ static ctl_table sctp_net_table[] = {
+ .data = &init_net.sctp.auth_enable,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_sctp_do_auth,
+ },
+ {
+ .procname = "addr_scope_policy",
+@@ -346,6 +349,37 @@ static int proc_sctp_do_hmac_alg(ctl_tab
+ }
+
+ return ret;
++}
++
++static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
++ void __user *buffer, size_t *lenp,
++ loff_t *ppos)
++{
++ struct net *net = current->nsproxy->net_ns;
++ struct ctl_table tbl;
++ int new_value, ret;
++
++ memset(&tbl, 0, sizeof(struct ctl_table));
++ tbl.maxlen = sizeof(unsigned int);
++
++ if (write)
++ tbl.data = &new_value;
++ else
++ tbl.data = &net->sctp.auth_enable;
++
++ ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
++
++ if (write) {
++ struct sock *sk = net->sctp.ctl_sock;
++
++ net->sctp.auth_enable = new_value;
++ /* Update the value in the control socket */
++ lock_sock(sk);
++ sctp_sk(sk)->ep->auth_enable = new_value;
++ release_sock(sk);
++ }
++
++ return ret;
+ }
+
+ int sctp_sysctl_net_register(struct net *net)
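Review bot: The write branch of proc_sctp_do_auth() stores `new_value` without checking `ret`, so when proc_dointvec() rejects the user buffer an uninitialised stack int is written to `net->sctp.auth_enable` and to the control socket's endpoint. That can switch AUTH on or off depending on stack contents, and the value can afterwards be read back through the read path of the same handler. Guarding the store on success closes both: `if (write && ret == 0) {`.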
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed, 9 Apr 2014 16:10:20 +0200
+Subject: net: sctp: test if association is dead in sctp_wake_up_waiters
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 1e1cdf8ac78793e0875465e98a648df64694a8d0 ]
+
+In function sctp_wake_up_waiters(), we need to involve a test
+if the association is declared dead. If so, we don't have any
+reference to a possible sibling association anymore and need
+to invoke sctp_write_space() instead, and normally walk the
+socket's associations and notify them of new wmem space. The
+reason for special casing is that otherwise, we could run
+into the following issue when a sctp_primitive_SEND() call
+from sctp_sendmsg() fails, and tries to flush an association's
+outq, i.e. in the following way:
+
+sctp_association_free()
+`-> list_del(&asoc->asocs) <-- poisons list pointer
+ asoc->base.dead = true
+ sctp_outq_free(&asoc->outqueue)
+ `-> __sctp_outq_teardown()
+ `-> sctp_chunk_free()
+ `-> consume_skb()
+ `-> sctp_wfree()
+ `-> sctp_wake_up_waiters() <-- dereferences poisoned pointers
+ if asoc->ep->sndbuf_policy=0
+
+Therefore, only walk the list in an 'optimized' way if we find
+that the current association is still active. We could also use
+list_del_init() in addition when we call sctp_association_free(),
+but as Vlad suggests, we want to trap such bugs and thus leave
+it poisoned as is.
+
+Why is it safe to resolve the issue by testing for asoc->base.dead?
+Parallel calls to sctp_sendmsg() are protected under socket lock,
+that is lock_sock()/release_sock(). Only within that path under
+lock held, we're setting skb/chunk owner via sctp_set_owner_w().
+Eventually, chunks are freed directly by an association still
+under that lock. So when traversing association list on destruction
+time from sctp_wake_up_waiters() via sctp_wfree(), a different
+CPU can't be running sctp_wfree() while another one calls
+sctp_association_free() as both happens under the same lock.
+Therefore, this can also not race with setting/testing against
+asoc->base.dead as we are guaranteed for this to happen in order,
+under lock. Further, Vlad says: the times we check asoc->base.dead
+is when we've cached an association pointer for later processing.
+In between cache and processing, the association may have been
+freed and is simply still around due to reference counts. We check
+asoc->base.dead under a lock, so it should always be safe to check
+and not race against sctp_association_free(). Stress-testing seems
+fine now, too.
+
+Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Vlad Yasevich <vyasevic@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6593,6 +6593,12 @@ static void sctp_wake_up_waiters(struct
+ if (asoc->ep->sndbuf_policy)
+ return __sctp_write_space(asoc);
+
++ /* If association goes down and is just flushing its
++ * outq, then just normally notify others.
++ */
++ if (asoc->base.dead)
++ return sctp_write_space(sk);
++
+ /* Accounting for the sndbuf space is per socket, so we
+ * need to wake up others, try to be fair and in case of
+ * other associations, let them have a go first instead
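Review bot: The new comment above `if (asoc->base.dead)` says the association is going down but not why the list walk below has to be skipped. According to the commit message, sctp_association_free() has already run `list_del(&asoc->asocs)` by this point, so the entry's list pointers are poisoned. I would state that in the comment, e.g. `/* A dead asoc is already unlinked from ep->asocs and its list pointers are poisoned, so it cannot start the walk below; notify via the socket instead. */`. sctp_wake_up_waiters() begins and ends outside this hunk.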
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue, 8 Apr 2014 17:26:13 +0200
+Subject: net: sctp: wake up all assocs if sndbuf policy is per socket
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit 52c35befb69b005c3fc5afdaae3a5717ad013411 ]
+
+SCTP charges chunks for wmem accounting via skb->truesize in
+sctp_set_owner_w(), and sctp_wfree() respectively as the
+reverse operation. If a sender runs out of wmem, it needs to
+wait via sctp_wait_for_sndbuf(), and gets woken up by a call
+to __sctp_write_space() mostly via sctp_wfree().
+
+__sctp_write_space() is being called per association. Although
+we assign sk->sk_write_space() to sctp_write_space(), which
+is then being done per socket, it is only used if send space
+is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE
+is set and therefore not invoked in sock_wfree().
+
+Commit 4c3a5bdae293 ("sctp: Don't charge for data in sndbuf
+again when transmitting packet") fixed an issue where in case
+sctp_packet_transmit() manages to queue up more than sndbuf
+bytes, sctp_wait_for_sndbuf() will never be woken up again
+unless it is interrupted by a signal. However, a still
+remaining issue is that if net.sctp.sndbuf_policy=0, that is
+accounting per socket, and one-to-many sockets are in use,
+the reclaimed write space from sctp_wfree() is 'unfairly'
+handed back on the server to the association that is the lucky
+one to be woken up again via __sctp_write_space(), while
+the remaining associations are never woken up again
+(unless by a signal).
+
+The effect disappears with net.sctp.sndbuf_policy=1, that
+is wmem accounting per association, as it guarantees a fair
+share of wmem among associations.
+
+Therefore, if we have reclaimed memory in case of per socket
+accounting, wake all related associations to a socket in a
+fair manner, that is, traverse the socket association list
+starting from the current neighbour of the association and
+issue a __sctp_write_space() to everyone until we end up
+waking ourselves. This guarantees that no association is
+preferred over another and even if more associations are
+taken into the one-to-many session, all receivers will get
+messages from the server and are not stalled forever on
+high load. This setting still leaves the advantage of per
+socket accounting in touch as an association can still use
+up global limits if unused by others.
+
+Fixes: 4eb701dfc618 ("[SCTP] Fix SCTP sendbuffer accouting.")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Thomas Graf <tgraf@suug.ch>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Vlad Yasevich <vyasevic@redhat.com>
+Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6582,6 +6582,40 @@ static void __sctp_write_space(struct sc
+ }
+ }
+
++static void sctp_wake_up_waiters(struct sock *sk,
++ struct sctp_association *asoc)
++{
++ struct sctp_association *tmp = asoc;
++
++ /* We do accounting for the sndbuf space per association,
++ * so we only need to wake our own association.
++ */
++ if (asoc->ep->sndbuf_policy)
++ return __sctp_write_space(asoc);
++
++ /* Accounting for the sndbuf space is per socket, so we
++ * need to wake up others, try to be fair and in case of
++ * other associations, let them have a go first instead
++ * of just doing a sctp_write_space() call.
++ *
++ * Note that we reach sctp_wake_up_waiters() only when
++ * associations free up queued chunks, thus we are under
++ * lock and the list of associations on a socket is
++ * guaranteed not to change.
++ */
++ for (tmp = list_next_entry(tmp, asocs); 1;
++ tmp = list_next_entry(tmp, asocs)) {
++ /* Manually skip the head element. */
++ if (&tmp->asocs == &((sctp_sk(sk))->ep->asocs))
++ continue;
++ /* Wake up association. */
++ __sctp_write_space(tmp);
++ /* We've reached the end. */
++ if (tmp == asoc)
++ break;
++ }
++}
++
+ /* Do accounting for the sndbuf space.
+ * Decrement the used sndbuf space of the corresponding association by the
+ * data size which was just transmitted(freed).
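Review bot: The `for (...; 1; ...)` walk in sctp_wake_up_waiters() stops only when it comes back round to `asoc`, so it is correct only while `asoc` is still linked on the endpoint's `asocs` list. The in-code comment covers the list not changing under the lock, but not this precondition. An association that was already unlinked would send the walk through poisoned list pointers, which is the case handled by the separate patch in this queue, "net: sctp: test if association is dead in sctp_wake_up_waiters". The two should be applied together, and the precondition is worth a line above the loop: `/* asoc must still be linked on ep->asocs, the walk ends only when it reaches asoc again. */`.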
+@@ -6609,7 +6643,7 @@ static void sctp_wfree(struct sk_buff *s
+ sk_mem_uncharge(sk, skb->truesize);
+
+ sock_wfree(skb);
+- __sctp_write_space(asoc);
++ sctp_wake_up_waiters(sk, asoc);
+
+ sctp_association_put(asoc);
+ }
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Enrico Mioso <mrkiko.rs@gmail.com>
+Date: Sat, 29 Jun 2013 15:39:19 +0200
+Subject: qmi_wwan: add ONDA MT689DC device ID (fwd)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Enrico Mioso <mrkiko.rs@gmail.com>
+
+[ Upstream commit d8eb8f9963a55ccf6ebafa4bfdb9f70c17067825 ]
+
+Another QMI-speaking device by ZTE, re-branded by ONDA!
+
+I'm connected over this device's QMI interface right now, so I can say I tested
+it! :)
+
+Note: a follow-up patch was posted to the linux-usb mailing list, to prevent
+the option driver from binding to the device's QMI interface, making it
+unusable.
+
+Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -652,6 +652,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x0002, 1)},
+ {QMI_FIXED_INTF(0x19d2, 0x0012, 1)},
+ {QMI_FIXED_INTF(0x19d2, 0x0017, 3)},
++ {QMI_FIXED_INTF(0x19d2, 0x0019, 3)}, /* ONDA MT689DC */
+ {QMI_FIXED_INTF(0x19d2, 0x0021, 4)},
+ {QMI_FIXED_INTF(0x19d2, 0x0025, 1)},
+ {QMI_FIXED_INTF(0x19d2, 0x0031, 4)},
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Tue, 29 Apr 2014 10:09:51 -0400
+Subject: Revert "macvlan : fix checksums error when we are in bridge mode"
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit f114890cdf84d753f6b41cd0cc44ba51d16313da ]
+
+This reverts commit 12a2856b604476c27d85a5f9a57ae1661fc46019.
+The commit above doesn't appear to be necessary any more as the
+checksums appear to be correctly computed/validated.
+
+Additionally the above commit breaks kvm configurations where
+one VM is using a device that supports checksum offload (virtio) and
+the other VM does not.
+In this case, packets leaving the virtio device will have CHECKSUM_PARTIAL
+set. The packets are forwarded to a macvtap that has offload features
+turned off. Since we use CHECKSUM_UNNECESSARY, the host does not
+update the checksum and thus a bad checksum is passed up to
+the guest.
+
+CC: Daniel Lezcano <daniel.lezcano@free.fr>
+CC: Patrick McHardy <kaber@trash.net>
+CC: Andrian Nord <nightnord@gmail.com>
+CC: Eric Dumazet <eric.dumazet@gmail.com>
+CC: Michael S. Tsirkin <mst@redhat.com>
+CC: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -261,11 +261,9 @@ static int macvlan_queue_xmit(struct sk_
+ const struct macvlan_dev *vlan = netdev_priv(dev);
+ const struct macvlan_port *port = vlan->port;
+ const struct macvlan_dev *dest;
+- __u8 ip_summed = skb->ip_summed;
+
+ if (vlan->mode == MACVLAN_MODE_BRIDGE) {
+ const struct ethhdr *eth = (void *)skb->data;
+- skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+ /* send to other bridge ports directly */
+ if (is_multicast_ether_addr(eth->h_dest)) {
+@@ -283,7 +281,6 @@ static int macvlan_queue_xmit(struct sk_
+ }
+
+ xmit_world:
+- skb->ip_summed = ip_summed;
+ skb->dev = vlan->lowerdev;
+ return dev_queue_xmit(skb);
+ }
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Thu, 24 Apr 2014 10:22:36 +1000
+Subject: rtnetlink: Only supply IFLA_VF_PORTS information when RTEXT_FILTER_VF is set
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+[ Upstream commit c53864fd60227de025cb79e05493b13f69843971 ]
+
+Since 115c9b81928360d769a76c632bae62d15206a94a (rtnetlink: Fix problem with
+buffer allocation), RTM_NEWLINK messages only contain the IFLA_VFINFO_LIST
+attribute if they were solicited by a GETLINK message containing an
+IFLA_EXT_MASK attribute with the RTEXT_FILTER_VF flag.
+
+That was done because some user programs broke when they received more data
+than expected - because IFLA_VFINFO_LIST contains information for each VF
+it can become large if there are many VFs.
+
+However, the IFLA_VF_PORTS attribute, supplied for devices which implement
+ndo_get_vf_port (currently the 'enic' driver only), has the same problem.
+It supplies per-VF information and can therefore become large, but it is
+not currently conditional on the IFLA_EXT_MASK value.
+
+Worse, it interacts badly with the existing EXT_MASK handling. When
+IFLA_EXT_MASK is not supplied, the buffer for netlink replies is fixed at
+NLMSG_GOODSIZE. If the information for IFLA_VF_PORTS exceeds this, then
+rtnl_fill_ifinfo() returns -EMSGSIZE on the first message in a packet.
+netlink_dump() will misinterpret this as having finished the listing and
+omit data for this interface and all subsequent ones. That can cause
+getifaddrs(3) to enter an infinite loop.
+
+This patch addresses the problem by only supplying IFLA_VF_PORTS when
+IFLA_EXT_MASK is supplied with the RTEXT_FILTER_VF flag set.
+
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -714,7 +714,8 @@ static inline int rtnl_vfinfo_size(const
+ return 0;
+ }
+
+-static size_t rtnl_port_size(const struct net_device *dev)
++static size_t rtnl_port_size(const struct net_device *dev,
++ u32 ext_filter_mask)
+ {
+ size_t port_size = nla_total_size(4) /* PORT_VF */
+ + nla_total_size(PORT_PROFILE_MAX) /* PORT_PROFILE */
+@@ -730,7 +731,8 @@ static size_t rtnl_port_size(const struc
+ size_t port_self_size = nla_total_size(sizeof(struct nlattr))
+ + port_size;
+
+- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent ||
++ !(ext_filter_mask & RTEXT_FILTER_VF))
+ return 0;
+ if (dev_num_vf(dev->dev.parent))
+ return port_self_size + vf_ports_size +
+@@ -765,7 +767,7 @@ static noinline size_t if_nlmsg_size(con
+ + nla_total_size(ext_filter_mask
+ & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
+ + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
+- + rtnl_port_size(dev) /* IFLA_VF_PORTS + IFLA_PORT_SELF */
++ + rtnl_port_size(dev, ext_filter_mask) /* IFLA_VF_PORTS + IFLA_PORT_SELF */
+ + rtnl_link_get_size(dev) /* IFLA_LINKINFO */
+ + rtnl_link_get_af_size(dev); /* IFLA_AF_SPEC */
+ }
+@@ -826,11 +828,13 @@ static int rtnl_port_self_fill(struct sk
+ return 0;
+ }
+
+-static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev)
++static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev,
++ u32 ext_filter_mask)
+ {
+ int err;
+
+- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent ||
++ !(ext_filter_mask & RTEXT_FILTER_VF))
+ return 0;
+
+ err = rtnl_port_self_fill(skb, dev);
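Review bot: The guard `!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent || !(ext_filter_mask & RTEXT_FILTER_VF)` is now written out twice, in rtnl_port_size() and here in rtnl_port_fill(), and the two copies have to agree exactly. If they drift, the size estimate and the attributes actually written no longer match, which is the -EMSGSIZE failure the description is about. A shared predicate called from both places, e.g. `if (!rtnl_have_vf_ports(dev, ext_filter_mask)) return 0;` (the helper name is only a suggestion), would keep them in step. Both function bodies continue outside their hunks.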
+@@ -985,7 +989,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ nla_nest_end(skb, vfinfo);
+ }
+
+- if (rtnl_port_fill(skb, dev))
++ if (rtnl_port_fill(skb, dev, ext_filter_mask))
+ goto nla_put_failure;
+
+ if (dev->rtnl_link_ops) {
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Thu, 24 Apr 2014 10:22:35 +1000
+Subject: rtnetlink: Warn when interface's information won't fit in our packet
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+[ Upstream commit 973462bbde79bb827824c73b59027a0aed5c9ca6 ]
+
+Without IFLA_EXT_MASK specified, the information reported for a single
+interface in response to RTM_GETLINK is expected to fit within a netlink
+packet of NLMSG_GOODSIZE.
+
+If it doesn't, however, things will go badly wrong, When listing all
+interfaces, netlink_dump() will incorrectly treat -EMSGSIZE on the first
+message in a packet as the end of the listing and omit information for
+that interface and all subsequent ones. This can cause getifaddrs(3) to
+enter an infinite loop.
+
+This patch won't fix the problem, but it will WARN_ON() making it easier to
+track down what's going wrong.
+
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1039,6 +1039,7 @@ static int rtnl_dump_ifinfo(struct sk_bu
+ struct hlist_head *head;
+ struct nlattr *tb[IFLA_MAX+1];
+ u32 ext_filter_mask = 0;
++ int err;
+
+ s_h = cb->args[0];
+ s_idx = cb->args[1];
+@@ -1059,11 +1060,17 @@ static int rtnl_dump_ifinfo(struct sk_bu
+ hlist_for_each_entry_rcu(dev, head, index_hlist) {
+ if (idx < s_idx)
+ goto cont;
+- if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
+- NETLINK_CB(cb->skb).portid,
+- cb->nlh->nlmsg_seq, 0,
+- NLM_F_MULTI,
+- ext_filter_mask) <= 0)
++ err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
++ NETLINK_CB(cb->skb).portid,
++ cb->nlh->nlmsg_seq, 0,
++ NLM_F_MULTI,
++ ext_filter_mask);
++ /* If we ran out of room on the first message,
++ * we're in trouble
++ */
++ WARN_ON((err == -EMSGSIZE) && (skb->len == 0));
++
++ if (err <= 0)
+ goto out;
+
+ nl_dump_check_consistent(cb, nlmsg_hdr(skb));
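Review bot: `WARN_ON((err == -EMSGSIZE) && (skb->len == 0))` sits on the RTM_GETLINK dump path, so once one interface's information outgrows the buffer, every dump request prints a full stack trace again. The description says the condition is hit when listing all interfaces, which as far as I know needs no privilege, so a local user could use it to flood the kernel log. `WARN_ON_ONCE((err == -EMSGSIZE) && (skb->len == 0));` keeps the diagnostic without the repeat cost. rtnl_dump_ifinfo() starts and ends outside the hunk.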
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+Date: Fri, 25 Apr 2014 16:55:41 +0800
+Subject: sctp: reset flowi4_oif parameter on route lookup
+
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+
+[ Upstream commit 85350871317a5adb35519d9dc6fc9e80809d42ad ]
+
+commit 813b3b5db83 (ipv4: Use caller's on-stack flowi as-is
+in output route lookups.) introduces another regression which
+is very similar to the problem of commit e6b45241c (ipv4: reset
+flowi parameters on route connect) wants to fix:
+Before we call ip_route_output_key() in sctp_v4_get_dst() to
+get a dst that matches a bind address as the source address,
+we have already called this function previously and the flowi
+parameters have been initialized including flowi4_oif, so when
+we call this function again, the process in __ip_route_output_key()
+will be different because of the setting of flowi4_oif, and we'll
+get a networking device which corresponds to the inputted flowi4_oif
+as the output device, this is wrong because we'll never hit this
+place if the previously returned source address of dst match one
+of the bound addresses.
+
+To reproduce this problem, a vlan setting is enough:
+ # ifconfig eth0 up
+ # route del default
+ # vconfig add eth0 2
+ # vconfig add eth0 3
+ # ifconfig eth0.2 10.0.1.14 netmask 255.255.255.0
+ # route add default gw 10.0.1.254 dev eth0.2
+ # ifconfig eth0.3 10.0.0.14 netmask 255.255.255.0
+ # ip rule add from 10.0.0.14 table 4
+ # ip route add table 4 default via 10.0.0.254 src 10.0.0.14 dev eth0.3
+ # sctp_darn -H 10.0.0.14 -P 36422 -h 10.1.4.134 -p 36422 -s -I
+You'll detect that all the flow are routed to eth0.2(10.0.1.254).
+
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/protocol.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -498,8 +498,13 @@ static void sctp_v4_get_dst(struct sctp_
+ continue;
+ if ((laddr->state == SCTP_ADDR_SRC) &&
+ (AF_INET == laddr->a.sa.sa_family)) {
+- fl4->saddr = laddr->a.v4.sin_addr.s_addr;
+ fl4->fl4_sport = laddr->a.v4.sin_port;
++ flowi4_update_output(fl4,
++ asoc->base.sk->sk_bound_dev_if,
++ RT_CONN_FLAGS(asoc->base.sk),
++ daddr->v4.sin_addr.s_addr,
++ laddr->a.v4.sin_addr.s_addr);
++
+ rt = ip_route_output_key(sock_net(sk), fl4);
+ if (!IS_ERR(rt)) {
+ dst = &rt->dst;
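Review bot: The reason for calling flowi4_update_output() here instead of assigning `fl4->saddr` as before is given only in the commit message. A later cleanup could fold the call back into a plain assignment and reintroduce the wrong-interface routing. Suggested comment above the call: `/* Reset flowi4_oif to the socket's bound device; the value left by the first lookup would pin the output device */`. The call also reads the socket as `asoc->base.sk` while the next line uses `sk`; if these are the same socket (the function header is outside the hunk), using `sk` in both places would be more consistent.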
drm-vmwgfx-make-sure-user-space-can-t-dma-across-buffer-object-boundaries-v2.patch
drm-qxl-unset-a-pointer-in-sync_obj_unref.patch
drm-radeon-call-drm_edid_to_eld-when-we-update-the-edid.patch
+list-introduce-list_next_entry-and-list_prev_entry.patch
+net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch
+net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch
+l2tp-take-pmtu-from-tunnel-udp-socket.patch
+net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch
+bonding-remove-debug_fs-files-when-module-init-fails.patch
+bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch
+ipv6-limit-mtu-to-65575-bytes.patch
+gre-don-t-allow-to-add-the-same-tunnel-twice.patch
+vti-don-t-allow-to-add-the-same-tunnel-twice.patch
+net-ipv4-current-group_info-should-be-put-after-using.patch
+ipv4-return-valid-rta_iif-on-ip-route-get.patch
+filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch
+ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch
+vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch
+tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch
+net-sctp-cache-auth_enable-per-endpoint.patch
+net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch
+rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch
+rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch
+ipv6-fib-fix-fib-dump-restart.patch
+bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch
+sctp-reset-flowi4_oif-parameter-on-route-lookup.patch
+revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch
+tcp_cubic-fix-the-range-of-delayed_ack.patch
+net-ipv4-ip_forward-fix-inverted-local_df-test.patch
+net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch
+ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch
+net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch
+macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch
+ip6_tunnel-fix-potential-null-pointer-dereference.patch
+ipv4-initialise-the-itag-variable-in-__mkroute_input.patch
+net-gro-reset-skb-truesize-in-napi_reuse_skb.patch
+net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch
+net-qmi_wwan-add-option-gtm681w.patch
+net-qmi_wwan-add-tp-link-ma260.patch
+qmi_wwan-add-onda-mt689dc-device-id-fwd.patch
+net-qmi_wwan-add-telit-le920-newer-firmware-support.patch
+net-qmi_wwan-fix-cinterion-plxx-product-id.patch
+net-qmi_wwan-olivetti-olicard-200-support.patch
+net-qmi_wwan-add-zte-mf667.patch
+net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch
+net-qmi_wwan-add-sierra-wireless-em7355.patch
+net-qmi_wwan-add-sierra-wireless-mc73xx.patch
+net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch
+net-qmi_wwan-add-olivetti-olicard-500.patch
+net-qmi_wwan-add-alcatel-l800ma.patch
+net-qmi_wwan-add-a-number-of-cmotech-devices.patch
+net-qmi_wwan-add-a-number-of-dell-devices.patch
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Liu Yu <allanyuliu@tencent.com>
+Date: Wed, 30 Apr 2014 17:34:09 +0800
+Subject: tcp_cubic: fix the range of delayed_ack
+
+From: Liu Yu <allanyuliu@tencent.com>
+
+[ Upstream commit 0cda345d1b2201dd15591b163e3c92bad5191745 ]
+
+commit b9f47a3aaeab (tcp_cubic: limit delayed_ack ratio to prevent
+divide error) try to prevent divide error, but there is still a little
+chance that delayed_ack can reach zero. In case the param cnt get
+negative value, then ratio+cnt would overflow and may happen to be zero.
+As a result, min(ratio, ACK_RATIO_LIMIT) will calculate to be zero.
+
+In some old kernels, such as 2.6.32, there is a bug that would
+pass negative param, which then ultimately leads to this divide error.
+
+commit 5b35e1e6e9c (tcp: fix tcp_trim_head() to adjust segment count
+with skb MSS) fixed the negative param issue. However,
+it's safe that we fix the range of delayed_ack as well,
+to make sure we do not hit a divide by zero.
+
+CC: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: Liu Yu <allanyuliu@tencent.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_cubic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_cubic.c
++++ b/net/ipv4/tcp_cubic.c
+@@ -408,7 +408,7 @@ static void bictcp_acked(struct sock *sk
+ ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
+ ratio += cnt;
+
+- ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
++ ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT);
+ }
+
+ /* Some calls are for duplicates without timetamps */
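Review bot: The lower bound of 1 in `clamp(ratio, 1U, ACK_RATIO_LIMIT)` is unexplained in the code, yet per the commit message it is what keeps delayed_ack from becoming a zero divisor. A one-line comment above it, `/* delayed_ack is used as a divisor; keep it >= 1 even if ratio + cnt wraps */`, would stop the bound from being simplified back to min(). The wrap in `ratio += cnt` itself is still silent, so an out-of-range cnt now shows up as a clamped value rather than as a fault. bictcp_acked() begins outside the hunk.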
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Thu, 17 Apr 2014 14:51:08 +0200
+Subject: tg3: update rx_jumbo_pending ring param only when jumbo frames are enabled
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+The patch fixes a problem with dropped jumbo frames after usage of
+'ethtool -G ... rx'.
+
+Scenario:
+1. ip link set eth0 up
+2. ethtool -G eth0 rx N # <- This zeroes rx-jumbo
+3. ip link set mtu 9000 dev eth0
+
+The ethtool command set rx_jumbo_pending to zero so any received jumbo
+packets are dropped and you need to use 'ethtool -G eth0 rx-jumbo N'
+to workaround the issue.
+The patch changes the logic so rx_jumbo_pending value is changed only if
+jumbo frames are enabled (MTU > 1500).
+
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Acked-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -12073,7 +12073,9 @@ static int tg3_set_ringparam(struct net_
+ if (tg3_flag(tp, MAX_RXPEND_64) &&
+ tp->rx_pending > 63)
+ tp->rx_pending = 63;
+- tp->rx_jumbo_pending = ering->rx_jumbo_pending;
++
++ if (tg3_flag(tp, JUMBO_RING_ENABLE))
++ tp->rx_jumbo_pending = ering->rx_jumbo_pending;
+
+ for (i = 0; i < tp->irq_max; i++)
+ tp->napi[i].tx_pending = ering->tx_pending;
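Review bot: With the new `if (tg3_flag(tp, JUMBO_RING_ENABLE))` guard, a caller-supplied `ering->rx_jumbo_pending` is dropped without any indication while the jumbo ring is off. tg3_set_ringparam(), whose return path is outside the hunk, presumably still reports success. That matches the scenario in the description, but it deserves a comment at the guard: `/* Keep the stored jumbo ring size while the jumbo ring is disabled; it is needed again when the MTU is raised */`. No range check on rx_jumbo_pending is visible in this hunk, so confirm one still runs before this assignment.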
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: dingtianhong <dingtianhong@huawei.com>
+Date: Thu, 17 Apr 2014 18:40:36 +0800
+Subject: vlan: Fix lockdep warning when vlan dev handle notification
+
+From: dingtianhong <dingtianhong@huawei.com>
+
+[ Upstream commit dc8eaaa006350d24030502a4521542e74b5cb39f ]
+
+When I open the LOCKDEP config and run these steps:
+
+modprobe 8021q
+vconfig add eth2 20
+vconfig add eth2.20 30
+ifconfig eth2 xx.xx.xx.xx
+
+then the Call Trace happened:
+
+[32524.386288] =============================================
+[32524.386293] [ INFO: possible recursive locking detected ]
+[32524.386298] 3.14.0-rc2-0.7-default+ #35 Tainted: G O
+[32524.386302] ---------------------------------------------
+[32524.386306] ifconfig/3103 is trying to acquire lock:
+[32524.386310] (&vlan_netdev_addr_lock_key/1){+.....}, at: [<ffffffff814275f4>] dev_mc_sync+0x64/0xb0
+[32524.386326]
+[32524.386326] but task is already holding lock:
+[32524.386330] (&vlan_netdev_addr_lock_key/1){+.....}, at: [<ffffffff8141af83>] dev_set_rx_mode+0x23/0x40
+[32524.386341]
+[32524.386341] other info that might help us debug this:
+[32524.386345] Possible unsafe locking scenario:
+[32524.386345]
+[32524.386350] CPU0
+[32524.386352] ----
+[32524.386354] lock(&vlan_netdev_addr_lock_key/1);
+[32524.386359] lock(&vlan_netdev_addr_lock_key/1);
+[32524.386364]
+[32524.386364] *** DEADLOCK ***
+[32524.386364]
+[32524.386368] May be due to missing lock nesting notation
+[32524.386368]
+[32524.386373] 2 locks held by ifconfig/3103:
+[32524.386376] #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81431d42>] rtnl_lock+0x12/0x20
+[32524.386387] #1: (&vlan_netdev_addr_lock_key/1){+.....}, at: [<ffffffff8141af83>] dev_set_rx_mode+0x23/0x40
+[32524.386398]
+[32524.386398] stack backtrace:
+[32524.386403] CPU: 1 PID: 3103 Comm: ifconfig Tainted: G O 3.14.0-rc2-0.7-default+ #35
+[32524.386409] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+[32524.386414] ffffffff81ffae40 ffff8800d9625ae8 ffffffff814f68a2 ffff8800d9625bc8
+[32524.386421] ffffffff810a35fb ffff8800d8a8d9d0 00000000d9625b28 ffff8800d8a8e5d0
+[32524.386428] 000003cc00000000 0000000000000002 ffff8800d8a8e5f8 0000000000000000
+[32524.386435] Call Trace:
+[32524.386441] [<ffffffff814f68a2>] dump_stack+0x6a/0x78
+[32524.386448] [<ffffffff810a35fb>] __lock_acquire+0x7ab/0x1940
+[32524.386454] [<ffffffff810a323a>] ? __lock_acquire+0x3ea/0x1940
+[32524.386459] [<ffffffff810a4874>] lock_acquire+0xe4/0x110
+[32524.386464] [<ffffffff814275f4>] ? dev_mc_sync+0x64/0xb0
+[32524.386471] [<ffffffff814fc07a>] _raw_spin_lock_nested+0x2a/0x40
+[32524.386476] [<ffffffff814275f4>] ? dev_mc_sync+0x64/0xb0
+[32524.386481] [<ffffffff814275f4>] dev_mc_sync+0x64/0xb0
+[32524.386489] [<ffffffffa0500cab>] vlan_dev_set_rx_mode+0x2b/0x50 [8021q]
+[32524.386495] [<ffffffff8141addf>] __dev_set_rx_mode+0x5f/0xb0
+[32524.386500] [<ffffffff8141af8b>] dev_set_rx_mode+0x2b/0x40
+[32524.386506] [<ffffffff8141b3cf>] __dev_open+0xef/0x150
+[32524.386511] [<ffffffff8141b177>] __dev_change_flags+0xa7/0x190
+[32524.386516] [<ffffffff8141b292>] dev_change_flags+0x32/0x80
+[32524.386524] [<ffffffff8149ca56>] devinet_ioctl+0x7d6/0x830
+[32524.386532] [<ffffffff81437b0b>] ? dev_ioctl+0x34b/0x660
+[32524.386540] [<ffffffff814a05b0>] inet_ioctl+0x80/0xa0
+[32524.386550] [<ffffffff8140199d>] sock_do_ioctl+0x2d/0x60
+[32524.386558] [<ffffffff81401a52>] sock_ioctl+0x82/0x2a0
+[32524.386568] [<ffffffff811a7123>] do_vfs_ioctl+0x93/0x590
+[32524.386578] [<ffffffff811b2705>] ? rcu_read_lock_held+0x45/0x50
+[32524.386586] [<ffffffff811b39e5>] ? __fget_light+0x105/0x110
+[32524.386594] [<ffffffff811a76b1>] SyS_ioctl+0x91/0xb0
+[32524.386604] [<ffffffff815057e2>] system_call_fastpath+0x16/0x1b
+
+========================================================================
+
+The reason is that all of the addr_lock_key for vlan dev have the same class,
+so if we change the status for vlan dev, the vlan dev and its real dev will
+hold the same class of addr_lock_key together, so the warning happened.
+
+we should distinguish the lock depth for vlan dev and its real dev.
+
+v1->v2: Convert the vlan_netdev_addr_lock_key to an array of eight elements, which
+ could support to add 8 vlan id on a same vlan dev, I think it is enough for current
+ scene, because a netdev's name is limited to IFNAMSIZ which could not hold 8 vlan id,
+ and the vlan dev would not meet the same class key with its real dev.
+
+ The new function vlan_dev_get_lockdep_subkey() will return the subkey and make the vlan
+ dev could get a suitable class key.
+
+v2->v3: According David's suggestion, I use the subclass to distinguish the lock key for vlan dev
+ and its real dev, but it make no sense, because the difference for subclass in the
+ lock_class_key doesn't mean that the difference class for lock_key, so I use lock_depth
+ to distinguish the different depth for every vlan dev, the same depth of the vlan dev
+ could have the same lock_class_key, I import the MAX_LOCK_DEPTH from the include/linux/sched.h,
+ I think it is enough here, the lockdep should never exceed that value.
+
+v3->v4: Add a huge array of locking keys will waste static kernel memory and is not a appropriate method,
+ we could use _nested() variants to fix the problem, calculate the depth for every vlan dev,
+ and use the depth as the subclass for addr_lock_key.
+
+Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c | 46 +++++++++++++++++++++++++++++++++++++++++-----
+ net/core/dev.c | 1 +
+ 2 files changed, 42 insertions(+), 5 deletions(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -512,10 +512,48 @@ static void vlan_dev_change_rx_flags(str
+ }
+ }
+
++static int vlan_calculate_locking_subclass(struct net_device *real_dev)
++{
++ int subclass = 0;
++
++ while (is_vlan_dev(real_dev)) {
++ subclass++;
++ real_dev = vlan_dev_priv(real_dev)->real_dev;
++ }
++
++ return subclass;
++}
++
++static void vlan_dev_mc_sync(struct net_device *to, struct net_device *from)
++{
++ int err = 0, subclass;
++
++ subclass = vlan_calculate_locking_subclass(to);
++
++ spin_lock_nested(&to->addr_list_lock, subclass);
++ err = __hw_addr_sync(&to->mc, &from->mc, to->addr_len);
++ if (!err)
++ __dev_set_rx_mode(to);
++ spin_unlock(&to->addr_list_lock);
++}
++
++static void vlan_dev_uc_sync(struct net_device *to, struct net_device *from)
++{
++ int err = 0, subclass;
++
++ subclass = vlan_calculate_locking_subclass(to);
++
++ spin_lock_nested(&to->addr_list_lock, subclass);
++ err = __hw_addr_sync(&to->uc, &from->uc, to->addr_len);
++ if (!err)
++ __dev_set_rx_mode(to);
++ spin_unlock(&to->addr_list_lock);
++}
++
+ static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
+ {
+- dev_mc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev);
+- dev_uc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev);
++ vlan_dev_mc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev);
++ vlan_dev_uc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev);
+ }
+
+ /*
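Review bot: vlan_calculate_locking_subclass() adds one level per stacked VLAN device with no upper bound, and the result goes straight into `spin_lock_nested()` in vlan_dev_mc_sync() and vlan_dev_uc_sync(). As far as I know lockdep only accepts subclasses below MAX_LOCKDEP_SUBCLASSES (8) and switches itself off with a BUG message beyond that, so a deep enough VLAN stack would disable lock checking system-wide. At minimum, document the limit on the helper, e.g. `/* result is used as a lockdep subclass and must stay below MAX_LOCKDEP_SUBCLASSES */`. The two sync functions also differ only in `mc` versus `uc` and both discard `err`, so they could share one body.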
+@@ -624,9 +662,7 @@ static int vlan_dev_init(struct net_devi
+
+ SET_NETDEV_DEVTYPE(dev, &vlan_type);
+
+- if (is_vlan_dev(real_dev))
+- subclass = 1;
+-
++ subclass = vlan_calculate_locking_subclass(dev);
+ vlan_dev_set_lockdep_class(dev, subclass);
+
+ vlan_dev_priv(dev)->vlan_pcpu_stats = alloc_percpu(struct vlan_pcpu_stats);
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4634,6 +4634,7 @@ void __dev_set_rx_mode(struct net_device
+ if (ops->ndo_set_rx_mode)
+ ops->ndo_set_rx_mode(dev);
+ }
++EXPORT_SYMBOL(__dev_set_rx_mode);
+
+ void dev_set_rx_mode(struct net_device *dev)
+ {
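Review bot: `EXPORT_SYMBOL(__dev_set_rx_mode)` makes a lock-dependent internal function available to modules without stating its contract. The new caller in vlan_dev.c invokes it with `to->addr_list_lock` held, which suggests that is the requirement. A comment above the function, `/* Caller must hold dev->addr_list_lock */`, would make that explicit for module authors. The function body begins outside the hunk.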
--- /dev/null
+From foo@baz Wed May 28 20:43:09 PDT 2014
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 11 Apr 2014 15:51:19 +0200
+Subject: vti: don't allow to add the same tunnel twice
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 8d89dcdf80d88007647945a753821a06eb6cc5a5 ]
+
+Before the patch, it was possible to add two times the same tunnel:
+ip l a vti1 type vti remote 10.16.0.121 local 10.16.0.249 key 41
+ip l a vti2 type vti remote 10.16.0.121 local 10.16.0.249 key 41
+
+It was possible, because ip_tunnel_newlink() calls ip_tunnel_find() with the
+argument dev->type, which was set only later (when calling ndo_init handler
+in register_netdevice()). Let's set this type in the setup handler, which is
+called before newlink handler.
+
+Introduced by commit b9959fd3b0fa ("vti: switch to new ip tunnel code").
+
+CC: Cong Wang <amwang@redhat.com>
+CC: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -579,9 +579,9 @@ static void vti_dev_free(struct net_devi
+ static void vti_tunnel_setup(struct net_device *dev)
+ {
+ dev->netdev_ops = &vti_netdev_ops;
++ dev->type = ARPHRD_TUNNEL;
+ dev->destructor = vti_dev_free;
+
+- dev->type = ARPHRD_TUNNEL;
+ dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
+ dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
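Review bot: Both the removed and the added `dev->type = ARPHRD_TUNNEL;` are inside vti_tunnel_setup(), so in this tree the type was already set in the setup handler and the hunk only moves the assignment up two lines. The description says the type was previously set later, from the ndo_init handler, which does not match what this hunk shows. Please check whether the duplicate-tunnel problem reproduces on this branch at all. If it does not, either drop the patch or state in the description that it is a no-op reorder here. The rest of vti_tunnel_setup() is outside the hunk.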