From: Greg Kroah-Hartman Date: Fri, 9 Aug 2013 00:22:49 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.90~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1b462f8c973396c5da7c4a8951064e20c114308a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: 8139cp-add-dma_mapping_error-checking.patch af_key-more-info-leaks-in-pfkey-messages.patch arcnet-cleanup-sizeof-parameter.patch ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch net_sched-info-leak-in-atm_tc_dump_class.patch sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch usbnet-do-not-pretend-to-support-sg-tso.patch --- diff --git a/queue-3.4/8139cp-add-dma_mapping_error-checking.patch b/queue-3.4/8139cp-add-dma_mapping_error-checking.patch new file mode 100644 index 00000000000..111af40d893 --- /dev/null +++ b/queue-3.4/8139cp-add-dma_mapping_error-checking.patch @@ -0,0 +1,148 @@ +From 3f19fee45b6029a3170e47b95acc14576e324e7f Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Wed, 31 Jul 2013 09:03:56 -0400 +Subject: 8139cp: Add dma_mapping_error checking + +From: Neil Horman + +[ Upstream commit cf3c4c03060b688cbc389ebc5065ebcce5653e96 ] + +Self explanitory dma_mapping_error addition to the 8139 driver, based on this: +https://bugzilla.redhat.com/show_bug.cgi?id=947250 + +It showed several backtraces arising for dma_map_* usage without checking the +return code on the mapping. Add the check and abort the rx/tx operation if its +failed. Untested as I have no hardware and the reporter has wandered off, but +seems pretty straightforward. + +Signed-off-by: Neil Horman +CC: "David S. Miller" +CC: Francois Romieu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/8139cp.c | 48 +++++++++++++++++++++++++++++++--- + 1 file changed, 45 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -478,7 +478,7 @@ rx_status_loop: + + while (1) { + u32 status, len; +- dma_addr_t mapping; ++ dma_addr_t mapping, new_mapping; + struct sk_buff *skb, *new_skb; + struct cp_desc *desc; + const unsigned buflen = cp->rx_buf_sz; +@@ -520,6 +520,13 @@ rx_status_loop: + goto rx_next; + } + ++ new_mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen, ++ PCI_DMA_FROMDEVICE); ++ if (dma_mapping_error(&cp->pdev->dev, new_mapping)) { ++ dev->stats.rx_dropped++; ++ goto rx_next; ++ } ++ + dma_unmap_single(&cp->pdev->dev, mapping, + buflen, PCI_DMA_FROMDEVICE); + +@@ -531,12 +538,11 @@ rx_status_loop: + + skb_put(skb, len); + +- mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen, +- PCI_DMA_FROMDEVICE); + cp->rx_skb[rx_tail] = new_skb; + + cp_rx_skb(cp, skb, desc); + rx++; ++ mapping = new_mapping; + + rx_next: + cp->rx_ring[rx_tail].opts2 = 0; +@@ -704,6 +710,22 @@ static inline u32 cp_tx_vlan_tag(struct + TxVlanTag | swab16(vlan_tx_tag_get(skb)) : 0x00; + } + ++static void unwind_tx_frag_mapping(struct cp_private *cp, struct sk_buff *skb, ++ int first, int entry_last) ++{ ++ int frag, index; ++ struct cp_desc *txd; ++ skb_frag_t *this_frag; ++ for (frag = 0; frag+first < entry_last; frag++) { ++ index = first+frag; ++ cp->tx_skb[index] = NULL; ++ txd = &cp->tx_ring[index]; ++ this_frag = &skb_shinfo(skb)->frags[frag]; ++ dma_unmap_single(&cp->pdev->dev, le64_to_cpu(txd->addr), ++ skb_frag_size(this_frag), PCI_DMA_TODEVICE); ++ } ++} ++ + static netdev_tx_t cp_start_xmit (struct sk_buff *skb, + struct net_device *dev) + { +@@ -737,6 +759,9 @@ static netdev_tx_t cp_start_xmit (struct + + len = skb->len; + mapping = dma_map_single(&cp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE); ++ if (dma_mapping_error(&cp->pdev->dev, mapping)) ++ goto out_dma_error; ++ + txd->opts2 = opts2; + txd->addr = cpu_to_le64(mapping); + wmb(); +@@ -774,6 +799,9 @@ static netdev_tx_t cp_start_xmit (struct + first_len = skb_headlen(skb); + first_mapping = dma_map_single(&cp->pdev->dev, skb->data, + first_len, PCI_DMA_TODEVICE); ++ if (dma_mapping_error(&cp->pdev->dev, first_mapping)) ++ goto out_dma_error; ++ + cp->tx_skb[entry] = skb; + entry = NEXT_TX(entry); + +@@ -787,6 +815,11 @@ static netdev_tx_t cp_start_xmit (struct + mapping = dma_map_single(&cp->pdev->dev, + skb_frag_address(this_frag), + len, PCI_DMA_TODEVICE); ++ if (dma_mapping_error(&cp->pdev->dev, mapping)) { ++ unwind_tx_frag_mapping(cp, skb, first_entry, entry); ++ goto out_dma_error; ++ } ++ + eor = (entry == (CP_TX_RING_SIZE - 1)) ? RingEnd : 0; + + ctrl = eor | len | DescOwn; +@@ -845,11 +878,16 @@ static netdev_tx_t cp_start_xmit (struct + if (TX_BUFFS_AVAIL(cp) <= (MAX_SKB_FRAGS + 1)) + netif_stop_queue(dev); + ++out_unlock: + spin_unlock_irqrestore(&cp->lock, intr_flags); + + cpw8(TxPoll, NormalTxPoll); + + return NETDEV_TX_OK; ++out_dma_error: ++ kfree_skb(skb); ++ cp->dev->stats.tx_dropped++; ++ goto out_unlock; + } + + /* Set or clear the multicast filter for this adaptor. +@@ -1020,6 +1058,10 @@ static int cp_refill_rx(struct cp_privat + + mapping = dma_map_single(&cp->pdev->dev, skb->data, + cp->rx_buf_sz, PCI_DMA_FROMDEVICE); ++ if (dma_mapping_error(&cp->pdev->dev, mapping)) { ++ kfree_skb(skb); ++ goto err_out; ++ } + cp->rx_skb[i] = skb; + + cp->rx_ring[i].opts2 = 0; diff --git a/queue-3.4/af_key-more-info-leaks-in-pfkey-messages.patch b/queue-3.4/af_key-more-info-leaks-in-pfkey-messages.patch new file mode 100644 index 00000000000..8645efa1ea0 --- /dev/null +++ b/queue-3.4/af_key-more-info-leaks-in-pfkey-messages.patch @@ -0,0 +1,50 @@ +From 9aaadae247d2e9b40c2789df3ad9835572392430 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sun, 28 Jul 2013 23:04:45 +0300 +Subject: af_key: more info leaks in pfkey messages + +From: Dan Carpenter + +[ Upstream commit ff862a4668dd6dba962b1d2d8bd344afa6375683 ] + +This is inspired by a5cc68f3d6 "af_key: fix info leaks in notify +messages". There are some struct members which don't get initialized +and could disclose small amounts of private information. + +Acked-by: Mathias Krause +Signed-off-by: Dan Carpenter +Acked-by: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/key/af_key.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2073,6 +2073,7 @@ static int pfkey_xfrm_policy2msg(struct + pol->sadb_x_policy_type = IPSEC_POLICY_NONE; + } + pol->sadb_x_policy_dir = dir+1; ++ pol->sadb_x_policy_reserved = 0; + pol->sadb_x_policy_id = xp->index; + pol->sadb_x_policy_priority = xp->priority; + +@@ -3108,7 +3109,9 @@ static int pfkey_send_acquire(struct xfr + pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; + pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; + pol->sadb_x_policy_dir = dir+1; ++ pol->sadb_x_policy_reserved = 0; + pol->sadb_x_policy_id = xp->index; ++ pol->sadb_x_policy_priority = xp->priority; + + /* Set sadb_comb's. */ + if (x->id.proto == IPPROTO_AH) +@@ -3496,6 +3499,7 @@ static int pfkey_send_migrate(const stru + pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; + pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; + pol->sadb_x_policy_dir = dir + 1; ++ pol->sadb_x_policy_reserved = 0; + pol->sadb_x_policy_id = 0; + pol->sadb_x_policy_priority = 0; + diff --git a/queue-3.4/arcnet-cleanup-sizeof-parameter.patch b/queue-3.4/arcnet-cleanup-sizeof-parameter.patch new file mode 100644 index 00000000000..b6fbcc48ee3 --- /dev/null +++ b/queue-3.4/arcnet-cleanup-sizeof-parameter.patch @@ -0,0 +1,31 @@ +From 6cfeae5b588dc7ab14b0d9ed404fcc8ab50c9403 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 19 Jul 2013 08:48:05 +0300 +Subject: arcnet: cleanup sizeof parameter + +From: Dan Carpenter + +[ Upstream commit 087d273caf4f7d3f2159256f255f1f432bc84a5b ] + +This patch doesn't change the compiled code because ARC_HDR_SIZE is 4 +and sizeof(int) is 4, but the intent was to use the header size and not +the sizeof the header size. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/arcnet/arcnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/arcnet/arcnet.c ++++ b/drivers/net/arcnet/arcnet.c +@@ -1007,7 +1007,7 @@ static void arcnet_rx(struct net_device + + soft = &pkt.soft.rfc1201; + +- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, sizeof(ARC_HDR_SIZE)); ++ lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE); + if (pkt.hard.offset[0]) { + ofs = pkt.hard.offset[0]; + length = 256 - ofs; diff --git a/queue-3.4/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch b/queue-3.4/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch new file mode 100644 index 00000000000..4868da05eb7 --- /dev/null +++ b/queue-3.4/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch @@ -0,0 +1,94 @@ +From 92c0c8831ae20201cf1019d88d3e355f38586795 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Mon, 22 Jul 2013 23:45:53 +0200 +Subject: ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup + +From: Hannes Frederic Sowa + +[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ] + +Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer +which leads to a panic (from Srivatsa S. Bhat): + +BUG: unable to handle kernel paging request at ffff882018552020 +IP: [] ip6mr_sk_done+0x32/0xb0 [ipv6] +PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060 +Oops: 0000 [#1] SMP DEBUG_PAGEALLOC +Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ++ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod +CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4 +Hardware name: IBM -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012 +Workqueue: netns cleanup_net +task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000 +RIP: 0010:[] [] ip6mr_sk_done+0x32/0xb0 [ipv6] +RSP: 0018:ffff881039367bd8 EFLAGS: 00010286 +RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200 +RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68 +RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222 +R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040 +R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0 +Stack: + ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000 + ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0 + ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0 +Call Trace: + [] rawv6_close+0x21/0x40 [ipv6] + [] inet_release+0xfb/0x220 + [] ? inet_release+0x22/0x220 + [] inet6_release+0x3f/0x50 [ipv6] + [] sock_release+0x29/0xa0 + [] sk_release_kernel+0x30/0x70 + [] icmpv6_sk_exit+0x3b/0x80 [ipv6] + [] ops_exit_list+0x39/0x60 + [] cleanup_net+0xfb/0x1a0 + [] process_one_work+0x1da/0x610 + [] ? process_one_work+0x169/0x610 + [] worker_thread+0x120/0x3a0 + [] ? process_one_work+0x610/0x610 + [] kthread+0xee/0x100 + [] ? __init_kthread_worker+0x70/0x70 + [] ret_from_fork+0x7c/0xb0 + [] ? __init_kthread_worker+0x70/0x70 +Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65 +RIP [] ip6mr_sk_done+0x32/0xb0 [ipv6] + RSP +CR2: ffff882018552020 + +Reported-by: Srivatsa S. Bhat +Tested-by: Srivatsa S. Bhat +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6mr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit( + { + struct mr6_table *mrt, *next; + ++ rtnl_lock(); + list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) { + list_del(&mrt->list); + ip6mr_free_table(mrt); + } ++ rtnl_unlock(); + fib_rules_unregister(net->ipv6.mr6_rules_ops); + } + #else +@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(s + + static void __net_exit ip6mr_rules_exit(struct net *net) + { ++ rtnl_lock(); + ip6mr_free_table(net->ipv6.mrt6); ++ net->ipv6.mrt6 = NULL; ++ rtnl_unlock(); + } + #endif + diff --git a/queue-3.4/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch b/queue-3.4/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch new file mode 100644 index 00000000000..cb1b6e2983b --- /dev/null +++ b/queue-3.4/net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch @@ -0,0 +1,31 @@ +From c2d060e87513c4ceac4792df10959f93e41bf636 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Tue, 30 Jul 2013 00:16:21 -0700 +Subject: net_sched: Fix stack info leak in cbq_dump_wrr(). + +From: "David S. Miller" + +[ Upstream commit a0db856a95a29efb1c23db55c02d9f0ff4f0db48 ] + +Make sure the reserved fields, and padding (if any), are +fully initialized. + +Based upon a patch by Dan Carpenter and feedback from +Joe Perches. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1467,6 +1467,7 @@ static int cbq_dump_wrr(struct sk_buff * + unsigned char *b = skb_tail_pointer(skb); + struct tc_cbq_wrropt opt; + ++ memset(&opt, 0, sizeof(opt)); + opt.flags = 0; + opt.allot = cl->allot; + opt.priority = cl->priority + 1; diff --git a/queue-3.4/net_sched-info-leak-in-atm_tc_dump_class.patch b/queue-3.4/net_sched-info-leak-in-atm_tc_dump_class.patch new file mode 100644 index 00000000000..e48591a82c4 --- /dev/null +++ b/queue-3.4/net_sched-info-leak-in-atm_tc_dump_class.patch @@ -0,0 +1,29 @@ +From f484091fa2c1dcac6c4923ee0892fe35bd613ab6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 30 Jul 2013 13:23:39 +0300 +Subject: net_sched: info leak in atm_tc_dump_class() + +From: Dan Carpenter + +[ Upstream commit 8cb3b9c3642c0263d48f31d525bcee7170eedc20 ] + +The "pvc" struct has a hole after pvc.sap_family which is not cleared. + +Signed-off-by: Dan Carpenter +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_atm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/sch_atm.c ++++ b/net/sched/sch_atm.c +@@ -606,6 +606,7 @@ static int atm_tc_dump_class(struct Qdis + struct sockaddr_atmpvc pvc; + int state; + ++ memset(&pvc, 0, sizeof(pvc)); + pvc.sap_family = AF_ATMPVC; + pvc.sap_addr.itf = flow->vcc->dev ? flow->vcc->dev->number : -1; + pvc.sap_addr.vpi = flow->vcc->vpi; diff --git a/queue-3.4/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch b/queue-3.4/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch new file mode 100644 index 00000000000..46257c814c7 --- /dev/null +++ b/queue-3.4/sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch @@ -0,0 +1,58 @@ +From 06f8f3ad8197d1e9e7fe80d8f2df19265eade3f9 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Wed, 12 Jun 2013 14:26:44 -0400 +Subject: sctp: fully initialize sctp_outq in sctp_outq_init + +From: Neil Horman + +[ Upstream commit c5c7774d7eb4397891edca9ebdf750ba90977a69 ] + +In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 +(refactor sctp_outq_teardown to insure proper re-initalization) +we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the +outq structure. Steve West recently asked me why I removed the q->error = 0 +initalization from sctp_outq_teardown. I did so because I was operating under +the impression that sctp_outq_init would properly initalize that value for us, +but it doesn't. sctp_outq_init operates under the assumption that the outq +struct is all 0's (as it is when called from sctp_association_init), but using +it in __sctp_outq_teardown violates that assumption. We should do a memset in +sctp_outq_init to ensure that the entire structure is in a known state there +instead. + +Signed-off-by: Neil Horman +Reported-by: "West, Steve (NSN - US/Fort Worth)" +CC: Vlad Yasevich +CC: netdev@vger.kernel.org +CC: davem@davemloft.net +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/outqueue.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/net/sctp/outqueue.c ++++ b/net/sctp/outqueue.c +@@ -205,6 +205,8 @@ static inline int sctp_cacc_skip(struct + */ + void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) + { ++ memset(q, 0, sizeof(struct sctp_outq)); ++ + q->asoc = asoc; + INIT_LIST_HEAD(&q->out_chunk_list); + INIT_LIST_HEAD(&q->control_chunk_list); +@@ -212,13 +214,7 @@ void sctp_outq_init(struct sctp_associat + INIT_LIST_HEAD(&q->sacked); + INIT_LIST_HEAD(&q->abandoned); + +- q->fast_rtx = 0; +- q->outstanding_bytes = 0; + q->empty = 1; +- q->cork = 0; +- +- q->malloced = 0; +- q->out_qlen = 0; + } + + /* Free the outqueue structure and any related pending chunks. diff --git a/queue-3.4/series b/queue-3.4/series index de010aa0ad9..eee4a6d4ca8 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -15,3 +15,12 @@ perf-fix-event-group-context-move.patch x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch drm-i915-quirk-no-pch_pwm_enable-for-dell-xps13-backlight.patch perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch +arcnet-cleanup-sizeof-parameter.patch +sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch +sctp-fully-initialize-sctp_outq-in-sctp_outq_init.patch +ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch +usbnet-do-not-pretend-to-support-sg-tso.patch +net_sched-fix-stack-info-leak-in-cbq_dump_wrr.patch +af_key-more-info-leaks-in-pfkey-messages.patch +net_sched-info-leak-in-atm_tc_dump_class.patch +8139cp-add-dma_mapping_error-checking.patch diff --git a/queue-3.4/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch b/queue-3.4/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch new file mode 100644 index 00000000000..fc19e0590d4 --- /dev/null +++ b/queue-3.4/sysctl-net-keep-tcp_syn_retries-inside-the-boundary.patch @@ -0,0 +1,41 @@ +From 9867786ec64adfff23fc71dd88dc71b9299629e9 Mon Sep 17 00:00:00 2001 +From: Michal Tesar +Date: Fri, 19 Jul 2013 14:09:01 +0200 +Subject: sysctl net: Keep tcp_syn_retries inside the boundary + +From: Michal Tesar + +[ Upstream commit 651e92716aaae60fc41b9652f54cb6803896e0da ] + +Limit the min/max value passed to the +/proc/sys/net/ipv4/tcp_syn_retries. + +Signed-off-by: Michal Tesar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/sysctl_net_ipv4.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -34,6 +34,8 @@ static int tcp_adv_win_scale_min = -31; + static int tcp_adv_win_scale_max = 31; + static int ip_ttl_min = 1; + static int ip_ttl_max = 255; ++static int tcp_syn_retries_min = 1; ++static int tcp_syn_retries_max = MAX_TCP_SYNCNT; + static int ip_ping_group_range_min[] = { 0, 0 }; + static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; + +@@ -276,7 +278,9 @@ static struct ctl_table ipv4_table[] = { + .data = &sysctl_tcp_syn_retries, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &tcp_syn_retries_min, ++ .extra2 = &tcp_syn_retries_max + }, + { + .procname = "tcp_synack_retries", diff --git a/queue-3.4/usbnet-do-not-pretend-to-support-sg-tso.patch b/queue-3.4/usbnet-do-not-pretend-to-support-sg-tso.patch new file mode 100644 index 00000000000..8953bfb3f7d --- /dev/null +++ b/queue-3.4/usbnet-do-not-pretend-to-support-sg-tso.patch @@ -0,0 +1,70 @@ +From 9ee50cf7b0ac02b2c615517e1bacd6b8cbdcb7ea Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 23 Jul 2013 17:15:54 -0700 +Subject: usbnet: do not pretend to support SG/TSO + +From: Eric Dumazet + +[ Upstream commit 20f0170377264e8449b6987041f0bcc4d746d3ed ] + +usbnet doesn't support yet SG, so drivers should not advertise SG or TSO +capabilities, as they allow TCP stack to build large TSO packets that +need to be linearized and might use order-5 pages. + +This adds an extra copy overhead and possible allocation failures. + +Current code ignore skb_linearize() return code so crashes are even +possible. + +Best is to not pretend SG/TSO is supported, and add this again when/if +usbnet really supports SG for devices who could get a performance gain. + +Based on a prior patch from Freddy Xin + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/smsc75xx.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -43,7 +43,6 @@ + #define EEPROM_MAC_OFFSET (0x01) + #define DEFAULT_TX_CSUM_ENABLE (true) + #define DEFAULT_RX_CSUM_ENABLE (true) +-#define DEFAULT_TSO_ENABLE (true) + #define SMSC75XX_INTERNAL_PHY_ID (1) + #define SMSC75XX_TX_OVERHEAD (8) + #define MAX_RX_FIFO_SIZE (20 * 1024) +@@ -1049,17 +1048,14 @@ static int smsc75xx_bind(struct usbnet * + + INIT_WORK(&pdata->set_multicast, smsc75xx_deferred_multicast_write); + +- if (DEFAULT_TX_CSUM_ENABLE) { ++ if (DEFAULT_TX_CSUM_ENABLE) + dev->net->features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM; +- if (DEFAULT_TSO_ENABLE) +- dev->net->features |= NETIF_F_SG | +- NETIF_F_TSO | NETIF_F_TSO6; +- } ++ + if (DEFAULT_RX_CSUM_ENABLE) + dev->net->features |= NETIF_F_RXCSUM; + + dev->net->hw_features = NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | +- NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_RXCSUM; ++ NETIF_F_RXCSUM; + + /* Init all registers */ + ret = smsc75xx_reset(dev); +@@ -1184,8 +1180,6 @@ static struct sk_buff *smsc75xx_tx_fixup + { + u32 tx_cmd_a, tx_cmd_b; + +- skb_linearize(skb); +- + if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) { + struct sk_buff *skb2 = + skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags);