From 52e0c739edff8f253c6e8264defbc7e9530daa09 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 19 Mar 2014 23:32:51 +0000 Subject: [PATCH] 3.13-stable patches added patches: ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch ipv6-ipv6_find_hdr-restore-prev-functionality.patch ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch macvlan-add-support-for-always_on-offload-features.patch neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch net-tcp-fastopen-fix-high-order-allocations.patch rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch sched-fix-double-normalization-of-vruntime.patch sch_tbf-fix-potential-memory-leak-in-tbf_change.patch sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch tg3-don-t-check-undefined-error-bits-in-rxbd.patch tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch --- ...-due-to-skb-_skb_refdst-null-pointer.patch | 33 ++++ ...-header-cut-for-correct-ufo-handling.patch | 143 ++++++++++++++++++ ..._find_hdr-restore-prev-functionality.patch | 41 +++++ ...ip6_frag_id-from-ip6_ufo_append_data.patch | 38 +++++ ...pport-for-always_on-offload-features.patch | 85 +++++++++++ ...e-returning-from-neigh_periodic_work.patch | 42 +++++ ...to-verify-if-we-peer-is-auth-capable.patch | 137 +++++++++++++++++ ...-fastopen-fix-high-order-allocations.patch | 94 ++++++++++++ ...t-termination-in-dma-channel-release.patch | 131 ++++++++++++++++ ...-potential-memory-leak-in-tbf_change.patch | 63 ++++++++ ...fix-double-normalization-of-vruntime.patch | 60 ++++++++ queue-3.13/series | 16 ++ ...r-null-efx-ptp_data-in-efx_ptp_event.patch | 37 +++++ ...t-check-undefined-error-bits-in-rxbd.patch | 47 ++++++ ...cceleration-flags-from-vlan_features.patch | 39 +++++ ...-able-to-use-stacked-vlan-interfaces.patch | 38 +++++ ...fers-also-when-guest-can-receive-ufo.patch | 39 +++++ 17 files changed, 1083 insertions(+) create mode 100644 queue-3.13/ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch create mode 100644 queue-3.13/ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch create mode 100644 queue-3.13/ipv6-ipv6_find_hdr-restore-prev-functionality.patch create mode 100644 queue-3.13/ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch create mode 100644 queue-3.13/macvlan-add-support-for-always_on-offload-features.patch create mode 100644 queue-3.13/neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch create mode 100644 queue-3.13/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch create mode 100644 queue-3.13/net-tcp-fastopen-fix-high-order-allocations.patch create mode 100644 queue-3.13/rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch create mode 100644 queue-3.13/sch_tbf-fix-potential-memory-leak-in-tbf_change.patch create mode 100644 queue-3.13/sched-fix-double-normalization-of-vruntime.patch create mode 100644 queue-3.13/sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch create mode 100644 queue-3.13/tg3-don-t-check-undefined-error-bits-in-rxbd.patch create mode 100644 queue-3.13/tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch create mode 100644 queue-3.13/veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch create mode 100644 queue-3.13/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch diff --git a/queue-3.13/ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch b/queue-3.13/ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch new file mode 100644 index 00000000000..1f1599c3252 --- /dev/null +++ b/queue-3.13/ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Xin Long +Date: Mon, 3 Mar 2014 20:18:36 +0800 +Subject: ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL pointer + +From: Xin Long + +[ Upstream commit 10ddceb22bab11dab10ba645c7df2e4a8e7a5db5 ] + +when ip_tunnel process multicast packets, it may check if the packet is looped +back packet though 'rt_is_output_route(skb_rtable(skb))' in ip_tunnel_rcv(), +but before that , skb->_skb_refdst has been dropped in iptunnel_pull_header(), +so which leads to a panic. + +fix the bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681 + +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel_core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -109,7 +109,6 @@ int iptunnel_pull_header(struct sk_buff + secpath_reset(skb); + if (!skb->l4_rxhash) + skb->rxhash = 0; +- skb_dst_drop(skb); + skb->vlan_tci = 0; + skb_set_queue_mapping(skb, 0); + skb->pkt_type = PACKET_HOST; diff --git a/queue-3.13/ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch b/queue-3.13/ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch new file mode 100644 index 00000000000..7e3705a6f98 --- /dev/null +++ b/queue-3.13/ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch @@ -0,0 +1,143 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Hannes Frederic Sowa +Date: Mon, 24 Feb 2014 00:48:05 +0100 +Subject: ipv4: ipv6: better estimate tunnel header cut for correct ufo handling + +From: Hannes Frederic Sowa + +[ Upstream commit 91a48a2e85a3b70ce10ead34b4ab5347f8d215c9 ] + +Currently the UFO fragmentation process does not correctly handle inner +UDP frames. + +(The following tcpdumps are captured on the parent interface with ufo +disabled while tunnel has ufo enabled, 2000 bytes payload, mtu 1280, +both sit device): + +IPv6: +16:39:10.031613 IP (tos 0x0, ttl 64, id 3208, offset 0, flags [DF], proto IPv6 (41), length 1300) + 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 1240) 2001::1 > 2001::8: frag (0x00000001:0|1232) 44883 > distinct: UDP, length 2000 +16:39:10.031709 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPv6 (41), length 844) + 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 784) 2001::1 > 2001::8: frag (0x00000001:0|776) 58979 > 46366: UDP, length 5471 + +We can see that fragmentation header offset is not correctly updated. +(fragmentation id handling is corrected by 916e4cf46d0204 ("ipv6: reuse +ip6_frag_id from ip6_ufo_append_data")). + +IPv4: +16:39:57.737761 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPIP (4), length 1296) + 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57034, offset 0, flags [none], proto UDP (17), length 1276) + 192.168.99.1.35961 > 192.168.99.2.distinct: UDP, length 2000 +16:39:57.738028 IP (tos 0x0, ttl 64, id 3210, offset 0, flags [DF], proto IPIP (4), length 792) + 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57035, offset 0, flags [none], proto UDP (17), length 772) + 192.168.99.1.13531 > 192.168.99.2.20653: UDP, length 51109 + +In this case fragmentation id is incremented and offset is not updated. + +First, I aligned inet_gso_segment and ipv6_gso_segment: +* align naming of flags +* ipv6_gso_segment: setting skb->encapsulation is unnecessary, as we + always ensure that the state of this flag is left untouched when + returning from upper gso segmenation function +* ipv6_gso_segment: move skb_reset_inner_headers below updating the + fragmentation header data, we don't care for updating fragmentation + header data +* remove currently unneeded comment indicating skb->encapsulation might + get changed by upper gso_segment callback (gre and udp-tunnel reset + encapsulation after segmentation on each fragment) + +If we encounter an IPIP or SIT gso skb we now check for the protocol == +IPPROTO_UDP and that we at least have already traversed another ip(6) +protocol header. + +The reason why we have to special case GSO_IPIP and GSO_SIT is that +we reset skb->encapsulation to 0 while skb_mac_gso_segment the inner +protocol of GSO_UDP_TUNNEL or GSO_GRE packets. + +Reported-by: Wolfgang Walter +Cc: Cong Wang +Cc: Tom Herbert +Cc: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/af_inet.c | 7 +++++-- + net/ipv6/ip6_offload.c | 20 ++++++++++++-------- + 2 files changed, 17 insertions(+), 10 deletions(-) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1299,8 +1299,11 @@ static struct sk_buff *inet_gso_segment( + + segs = ERR_PTR(-EPROTONOSUPPORT); + +- /* Note : following gso_segment() might change skb->encapsulation */ +- udpfrag = !skb->encapsulation && proto == IPPROTO_UDP; ++ if (skb->encapsulation && ++ skb_shinfo(skb)->gso_type & (SKB_GSO_SIT|SKB_GSO_IPIP)) ++ udpfrag = proto == IPPROTO_UDP && encap; ++ else ++ udpfrag = proto == IPPROTO_UDP && !skb->encapsulation; + + ops = rcu_dereference(inet_offloads[proto]); + if (likely(ops && ops->callbacks.gso_segment)) +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -89,7 +89,7 @@ static struct sk_buff *ipv6_gso_segment( + unsigned int unfrag_ip6hlen; + u8 *prevhdr; + int offset = 0; +- bool tunnel; ++ bool encap, udpfrag; + int nhoff; + + if (unlikely(skb_shinfo(skb)->gso_type & +@@ -110,8 +110,8 @@ static struct sk_buff *ipv6_gso_segment( + if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h)))) + goto out; + +- tunnel = SKB_GSO_CB(skb)->encap_level > 0; +- if (tunnel) ++ encap = SKB_GSO_CB(skb)->encap_level > 0; ++ if (encap) + features = skb->dev->hw_enc_features & netif_skb_features(skb); + SKB_GSO_CB(skb)->encap_level += sizeof(*ipv6h); + +@@ -121,6 +121,12 @@ static struct sk_buff *ipv6_gso_segment( + + proto = ipv6_gso_pull_exthdrs(skb, ipv6h->nexthdr); + ++ if (skb->encapsulation && ++ skb_shinfo(skb)->gso_type & (SKB_GSO_SIT|SKB_GSO_IPIP)) ++ udpfrag = proto == IPPROTO_UDP && encap; ++ else ++ udpfrag = proto == IPPROTO_UDP && !skb->encapsulation; ++ + ops = rcu_dereference(inet6_offloads[proto]); + if (likely(ops && ops->callbacks.gso_segment)) { + skb_reset_transport_header(skb); +@@ -133,13 +139,9 @@ static struct sk_buff *ipv6_gso_segment( + for (skb = segs; skb; skb = skb->next) { + ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff); + ipv6h->payload_len = htons(skb->len - nhoff - sizeof(*ipv6h)); +- if (tunnel) { +- skb_reset_inner_headers(skb); +- skb->encapsulation = 1; +- } + skb->network_header = (u8 *)ipv6h - skb->head; + +- if (!tunnel && proto == IPPROTO_UDP) { ++ if (udpfrag) { + unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); + fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); + fptr->frag_off = htons(offset); +@@ -148,6 +150,8 @@ static struct sk_buff *ipv6_gso_segment( + offset += (ntohs(ipv6h->payload_len) - + sizeof(struct frag_hdr)); + } ++ if (encap) ++ skb_reset_inner_headers(skb); + } + + out: diff --git a/queue-3.13/ipv6-ipv6_find_hdr-restore-prev-functionality.patch b/queue-3.13/ipv6-ipv6_find_hdr-restore-prev-functionality.patch new file mode 100644 index 00000000000..5fdab359952 --- /dev/null +++ b/queue-3.13/ipv6-ipv6_find_hdr-restore-prev-functionality.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Hans Schillstrom +Date: Thu, 27 Feb 2014 12:57:58 +0100 +Subject: ipv6: ipv6_find_hdr restore prev functionality + +From: Hans Schillstrom + +[ Upstream commit accfe0e356327da5bd53da8852b93fc22de9b5fc ] + +The commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8 ("ipv6: improve +ipv6_find_hdr() to skip empty routing headers") broke ipv6_find_hdr(). + +When a target is specified like IPPROTO_ICMPV6 ipv6_find_hdr() +returns -ENOENT when it's found, not the header as expected. + +A part of IPVS is broken and possible also nft_exthdr_eval(). +When target is -1 which it is most cases, it works. + +This patch exits the do while loop if the specific header is found +so the nexthdr could be returned as expected. + +Reported-by: Art -kwaak- van Breemen +Signed-off-by: Hans Schillstrom +CC:Ansis Atteka +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/exthdrs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/exthdrs_core.c ++++ b/net/ipv6/exthdrs_core.c +@@ -212,7 +212,7 @@ int ipv6_find_hdr(const struct sk_buff * + found = (nexthdr == target); + + if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) { +- if (target < 0) ++ if (target < 0 || found) + break; + return -ENOENT; + } diff --git a/queue-3.13/ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch b/queue-3.13/ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch new file mode 100644 index 00000000000..d8acfdf7d74 --- /dev/null +++ b/queue-3.13/ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Hannes Frederic Sowa +Date: Fri, 21 Feb 2014 02:55:35 +0100 +Subject: ipv6: reuse ip6_frag_id from ip6_ufo_append_data + +From: Hannes Frederic Sowa + +[ Upstream commit 916e4cf46d0204806c062c8c6c4d1f633852c5b6 ] + +Currently we generate a new fragmentation id on UFO segmentation. It +is pretty hairy to identify the correct net namespace and dst there. +Especially tunnels use IFF_XMIT_DST_RELEASE and thus have no skb_dst +available at all. + +This causes unreliable or very predictable ipv6 fragmentation id +generation while segmentation. + +Luckily we already have pregenerated the ip6_frag_id in +ip6_ufo_append_data and can use it here. + +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/udp_offload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -113,7 +113,7 @@ static struct sk_buff *udp6_ufo_fragment + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); ++ fptr->identification = skb_shinfo(skb)->ip6_frag_id; + + /* Fragment the skb. ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() diff --git a/queue-3.13/macvlan-add-support-for-always_on-offload-features.patch b/queue-3.13/macvlan-add-support-for-always_on-offload-features.patch new file mode 100644 index 00000000000..976c9959825 --- /dev/null +++ b/queue-3.13/macvlan-add-support-for-always_on-offload-features.patch @@ -0,0 +1,85 @@ +From foo@baz Wed Mar 19 23:31:34 Local time zone must be set--see zic manual page 2014 +From: Vlad Yasevich +Date: Mon, 3 Mar 2014 15:33:53 -0500 +Subject: macvlan: Add support for 'always_on' offload features + +From: Vlad Yasevich + +[ Upstream commit 8b4703e9bd1172a5f8244276ebb94302e6153e26 ] + +Macvlan currently inherits all of its features from the lower +device. When lower device disables offload support, this causes +macvlan to disable offload support as well. This causes +performance regression when using macvlan/macvtap in bridge +mode. + +It can be easily demonstrated by creating 2 namespaces using +macvlan in bridge mode and running netperf between them: + +MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET +Recv Send Send +Socket Socket Message Elapsed +Size Size Size Time Throughput +bytes bytes bytes secs. 10^6bits/sec + + 87380 16384 16384 20.00 1204.61 + +To restore the performance, we add software offload features +to the list of "always_on" features for macvlan. This way +when a namespace or a guest using macvtap initially sends a +packet, this packet will not be segmented at macvlan level. +It will only be segmented when macvlan sends the packet +to the lower device. + +MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET +Recv Send Send +Socket Socket Message Elapsed +Size Size Size Time Throughput +bytes bytes bytes secs. 10^6bits/sec + + 87380 16384 16384 20.00 5507.35 + +Fixes: 6acf54f1cf0a6747bac9fea26f34cfc5a9029523 (macvtap: Add support of packet capture on macvtap device.) +Fixes: 797f87f83b60685ff8a13fa0572d2f10393c50d3 (macvlan: fix netdev feature propagation from lower device) +CC: Florian Westphal +CC: Christian Borntraeger +CC: Jason Wang +CC: Michael S. Tsirkin +Tested-by: Christian Borntraeger +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -507,6 +507,9 @@ static int macvlan_change_mtu(struct net + static struct lock_class_key macvlan_netdev_xmit_lock_key; + static struct lock_class_key macvlan_netdev_addr_lock_key; + ++#define ALWAYS_ON_FEATURES \ ++ (NETIF_F_SG | NETIF_F_GEN_CSUM | NETIF_F_GSO_SOFTWARE | NETIF_F_LLTX) ++ + #define MACVLAN_FEATURES \ + (NETIF_F_SG | NETIF_F_ALL_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \ + NETIF_F_GSO | NETIF_F_TSO | NETIF_F_UFO | NETIF_F_GSO_ROBUST | \ +@@ -540,7 +543,7 @@ static int macvlan_init(struct net_devic + dev->state = (dev->state & ~MACVLAN_STATE_MASK) | + (lowerdev->state & MACVLAN_STATE_MASK); + dev->features = lowerdev->features & MACVLAN_FEATURES; +- dev->features |= NETIF_F_LLTX; ++ dev->features |= ALWAYS_ON_FEATURES; + dev->gso_max_size = lowerdev->gso_max_size; + dev->iflink = lowerdev->ifindex; + dev->hard_header_len = lowerdev->hard_header_len; +@@ -700,7 +703,7 @@ static netdev_features_t macvlan_fix_fea + features = netdev_increment_features(vlan->lowerdev->features, + features, + mask); +- features |= NETIF_F_LLTX; ++ features |= ALWAYS_ON_FEATURES; + + return features; + } diff --git a/queue-3.13/neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch b/queue-3.13/neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch new file mode 100644 index 00000000000..2a1bd877b72 --- /dev/null +++ b/queue-3.13/neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Duan Jiong +Date: Thu, 27 Feb 2014 17:14:41 +0800 +Subject: neigh: recompute reachabletime before returning from neigh_periodic_work() + +From: Duan Jiong + +[ Upstream commit feff9ab2e7fa773b6a3965f77375fe89f7fd85cf ] + +If the neigh table's entries is less than gc_thresh1, the function +will return directly, and the reachabletime will not be recompute, +so the reachabletime can be guessed. + +Signed-off-by: Duan Jiong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -764,9 +764,6 @@ static void neigh_periodic_work(struct w + nht = rcu_dereference_protected(tbl->nht, + lockdep_is_held(&tbl->lock)); + +- if (atomic_read(&tbl->entries) < tbl->gc_thresh1) +- goto out; +- + /* + * periodically recompute ReachableTime from random function + */ +@@ -779,6 +776,9 @@ static void neigh_periodic_work(struct w + neigh_rand_reach_time(p->base_reachable_time); + } + ++ if (atomic_read(&tbl->entries) < tbl->gc_thresh1) ++ goto out; ++ + for (i = 0 ; i < (1 << nht->hash_shift); i++) { + np = &nht->hash_buckets[i]; + diff --git a/queue-3.13/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch b/queue-3.13/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch new file mode 100644 index 00000000000..15235d3dc26 --- /dev/null +++ b/queue-3.13/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch @@ -0,0 +1,137 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Daniel Borkmann +Date: Mon, 3 Mar 2014 17:23:04 +0100 +Subject: net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable + +From: Daniel Borkmann + +[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ] + +RFC4895 introduced AUTH chunks for SCTP; during the SCTP +handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS +being optional though): + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + -------------------- COOKIE-ECHO --------------------> + <-------------------- COOKIE-ACK --------------------- + +A special case is when an endpoint requires COOKIE-ECHO +chunks to be authenticated: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + ------------------ AUTH; COOKIE-ECHO ----------------> + <-------------------- COOKIE-ACK --------------------- + +RFC4895, section 6.3. Receiving Authenticated Chunks says: + + The receiver MUST use the HMAC algorithm indicated in + the HMAC Identifier field. If this algorithm was not + specified by the receiver in the HMAC-ALGO parameter in + the INIT or INIT-ACK chunk during association setup, the + AUTH chunk and all the chunks after it MUST be discarded + and an ERROR chunk SHOULD be sent with the error cause + defined in Section 4.1. [...] If no endpoint pair shared + key has been configured for that Shared Key Identifier, + all authenticated chunks MUST be silently discarded. [...] + + When an endpoint requires COOKIE-ECHO chunks to be + authenticated, some special procedures have to be followed + because the reception of a COOKIE-ECHO chunk might result + in the creation of an SCTP association. If a packet arrives + containing an AUTH chunk as a first chunk, a COOKIE-ECHO + chunk as the second chunk, and possibly more chunks after + them, and the receiver does not have an STCB for that + packet, then authentication is based on the contents of + the COOKIE-ECHO chunk. In this situation, the receiver MUST + authenticate the chunks in the packet by using the RANDOM + parameters, CHUNKS parameters and HMAC_ALGO parameters + obtained from the COOKIE-ECHO chunk, and possibly a local + shared secret as inputs to the authentication procedure + specified in Section 6.3. If authentication fails, then + the packet is discarded. If the authentication is successful, + the COOKIE-ECHO and all the chunks after the COOKIE-ECHO + MUST be processed. If the receiver has an STCB, it MUST + process the AUTH chunk as described above using the STCB + from the existing association to authenticate the + COOKIE-ECHO chunk and all the chunks after it. [...] + +Commit bbd0d59809f9 introduced the possibility to receive +and verification of AUTH chunk, including the edge case for +authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, +the function sctp_sf_do_5_1D_ce() handles processing, +unpacks and creates a new association if it passed sanity +checks and also tests for authentication chunks being +present. After a new association has been processed, it +invokes sctp_process_init() on the new association and +walks through the parameter list it received from the INIT +chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO +and SCTP_PARAM_CHUNKS, and copies them into asoc->peer +meta data (peer_random, peer_hmacs, peer_chunks) in case +sysctl -w net.sctp.auth_enable=1 is set. If in INIT's +SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, +peer_random != NULL and peer_hmacs != NULL the peer is to be +assumed asoc->peer.auth_capable=1, in any other case +asoc->peer.auth_capable=0. + +Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is +available, we set up a fake auth chunk and pass that on to +sctp_sf_authenticate(), which at latest in +sctp_auth_calculate_hmac() reliably dereferences a NULL pointer +at position 0..0008 when setting up the crypto key in +crypto_hash_setkey() by using asoc->asoc_shared_key that is +NULL as condition key_id == asoc->active_key_id is true if +the AUTH chunk was injected correctly from remote. This +happens no matter what net.sctp.auth_enable sysctl says. + +The fix is to check for net->sctp.auth_enable and for +asoc->peer.auth_capable before doing any operations like +sctp_sf_authenticate() as no key is activated in +sctp_auth_asoc_init_active_key() for each case. + +Now as RFC4895 section 6.3 states that if the used HMAC-ALGO +passed from the INIT chunk was not used in the AUTH chunk, we +SHOULD send an error; however in this case it would be better +to just silently discard such a maliciously prepared handshake +as we didn't even receive a parameter at all. Also, as our +endpoint has no shared key configured, section 6.3 says that +MUST silently discard, which we are doing from now onwards. + +Before calling sctp_sf_pdiscard(), we need not only to free +the association, but also the chunk->auth_chunk skb, as +commit bbd0d59809f9 created a skb clone in that case. + +I have tested this locally by using netfilter's nfqueue and +re-injecting packets into the local stack after maliciously +modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) +and the SCTP packet containing the COOKIE_ECHO (injecting +AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. + +Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") +Signed-off-by: Daniel Borkmann +Cc: Vlad Yasevich +Cc: Neil Horman +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_statefuns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(st + struct sctp_chunk auth; + sctp_ierror_t ret; + ++ /* Make sure that we and the peer are AUTH capable */ ++ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { ++ kfree_skb(chunk->auth_chunk); ++ sctp_association_free(new_asoc); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ } ++ + /* set-up our fake chunk so that we can process it */ + auth.skb = chunk->auth_chunk; + auth.asoc = chunk->asoc; diff --git a/queue-3.13/net-tcp-fastopen-fix-high-order-allocations.patch b/queue-3.13/net-tcp-fastopen-fix-high-order-allocations.patch new file mode 100644 index 00000000000..faef85a86f5 --- /dev/null +++ b/queue-3.13/net-tcp-fastopen-fix-high-order-allocations.patch @@ -0,0 +1,94 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Eric Dumazet +Date: Thu, 20 Feb 2014 10:09:18 -0800 +Subject: net-tcp: fastopen: fix high order allocations + +From: Eric Dumazet + +[ Upstream commit f5ddcbbb40aa0ba7fbfe22355d287603dbeeaaac ] + +This patch fixes two bugs in fastopen : + +1) The tcp_sendmsg(..., @size) argument was ignored. + + Code was relying on user not fooling the kernel with iovec mismatches + +2) When MTU is about 64KB, tcp_send_syn_data() attempts order-5 +allocations, which are likely to fail when memory gets fragmented. + +Fixes: 783237e8daf13 ("net-tcp: Fast Open client - sending SYN-data") +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Acked-by: Yuchung Cheng +Tested-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 3 ++- + net/ipv4/tcp.c | 8 +++++--- + net/ipv4/tcp_output.c | 7 ++++++- + 3 files changed, 13 insertions(+), 5 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1312,7 +1312,8 @@ struct tcp_fastopen_request { + /* Fast Open cookie. Size 0 means a cookie request */ + struct tcp_fastopen_cookie cookie; + struct msghdr *data; /* data in MSG_FASTOPEN */ +- u16 copied; /* queued in tcp_connect() */ ++ size_t size; ++ int copied; /* queued in tcp_connect() */ + }; + void tcp_free_fastopen_req(struct tcp_sock *tp); + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1002,7 +1002,8 @@ void tcp_free_fastopen_req(struct tcp_so + } + } + +-static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, int *size) ++static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, ++ int *copied, size_t size) + { + struct tcp_sock *tp = tcp_sk(sk); + int err, flags; +@@ -1017,11 +1018,12 @@ static int tcp_sendmsg_fastopen(struct s + if (unlikely(tp->fastopen_req == NULL)) + return -ENOBUFS; + tp->fastopen_req->data = msg; ++ tp->fastopen_req->size = size; + + flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0; + err = __inet_stream_connect(sk->sk_socket, msg->msg_name, + msg->msg_namelen, flags); +- *size = tp->fastopen_req->copied; ++ *copied = tp->fastopen_req->copied; + tcp_free_fastopen_req(tp); + return err; + } +@@ -1041,7 +1043,7 @@ int tcp_sendmsg(struct kiocb *iocb, stru + + flags = msg->msg_flags; + if (flags & MSG_FASTOPEN) { +- err = tcp_sendmsg_fastopen(sk, msg, &copied_syn); ++ err = tcp_sendmsg_fastopen(sk, msg, &copied_syn, size); + if (err == -EINPROGRESS && copied_syn > 0) + goto out; + else if (err) +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2887,7 +2887,12 @@ static int tcp_send_syn_data(struct sock + space = __tcp_mtu_to_mss(sk, inet_csk(sk)->icsk_pmtu_cookie) - + MAX_TCP_OPTION_SPACE; + +- syn_data = skb_copy_expand(syn, skb_headroom(syn), space, ++ space = min_t(size_t, space, fo->size); ++ ++ /* limit to order-0 allocations */ ++ space = min_t(size_t, space, SKB_MAX_HEAD(MAX_TCP_HEADER)); ++ ++ syn_data = skb_copy_expand(syn, MAX_TCP_HEADER, space, + sk->sk_allocation); + if (syn_data == NULL) + goto fallback; diff --git a/queue-3.13/rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch b/queue-3.13/rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch new file mode 100644 index 00000000000..d3289ca3943 --- /dev/null +++ b/queue-3.13/rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch @@ -0,0 +1,131 @@ +From 04379dffdd4da820d51a1566ad2e86f3b1ad97ed Mon Sep 17 00:00:00 2001 +From: Alexandre Bounine +Date: Mon, 3 Mar 2014 15:38:36 -0800 +Subject: rapidio/tsi721: fix tasklet termination in dma channel release + +From: Alexandre Bounine + +commit 04379dffdd4da820d51a1566ad2e86f3b1ad97ed upstream. + +This patch is a modification of the patch originally proposed by +Xiaotian Feng : https://lkml.org/lkml/2012/11/5/413 +This new version disables DMA channel interrupts and ensures that the +tasklet wil not be scheduled again before calling tasklet_kill(). + +Unfortunately the updated patch was not released at that time due to +planned rework of Tsi721 mport driver to use threaded interrupts (which +has yet to happen). Recently the issue was reported again: +https://lkml.org/lkml/2014/2/19/762. + +Description from the original Xiaotian's patch: + + "Some drivers use tasklet_disable in device remove/release process, + tasklet_disable will inc tasklet->count and return. If the tasklet is + not handled yet under some softirq pressure, the tasklet will be + placed on the tasklet_vec, never have a chance to be excuted. This + might lead to a heavy loaded ksoftirqd, wakeup with pending_softirq, + but tasklet is disabled. tasklet_kill should be used in this case." + +This patch is applicable to kernel versions starting from v3.5. + +Signed-off-by: Alexandre Bounine +Cc: Matt Porter +Cc: Xiaotian Feng +Reviewed-by: Thomas Gleixner +Cc: Mike Galbraith +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rapidio/devices/tsi721.h | 1 + + drivers/rapidio/devices/tsi721_dma.c | 27 ++++++++++++++++++--------- + 2 files changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/rapidio/devices/tsi721.h ++++ b/drivers/rapidio/devices/tsi721.h +@@ -678,6 +678,7 @@ struct tsi721_bdma_chan { + struct list_head free_list; + dma_cookie_t completed_cookie; + struct tasklet_struct tasklet; ++ bool active; + }; + + #endif /* CONFIG_RAPIDIO_DMA_ENGINE */ +--- a/drivers/rapidio/devices/tsi721_dma.c ++++ b/drivers/rapidio/devices/tsi721_dma.c +@@ -206,8 +206,8 @@ void tsi721_bdma_handler(struct tsi721_b + { + /* Disable BDMA channel interrupts */ + iowrite32(0, bdma_chan->regs + TSI721_DMAC_INTE); +- +- tasklet_schedule(&bdma_chan->tasklet); ++ if (bdma_chan->active) ++ tasklet_schedule(&bdma_chan->tasklet); + } + + #ifdef CONFIG_PCI_MSI +@@ -562,7 +562,7 @@ static int tsi721_alloc_chan_resources(s + } + #endif /* CONFIG_PCI_MSI */ + +- tasklet_enable(&bdma_chan->tasklet); ++ bdma_chan->active = true; + tsi721_bdma_interrupt_enable(bdma_chan, 1); + + return bdma_chan->bd_num - 1; +@@ -576,9 +576,7 @@ err_out: + static void tsi721_free_chan_resources(struct dma_chan *dchan) + { + struct tsi721_bdma_chan *bdma_chan = to_tsi721_chan(dchan); +-#ifdef CONFIG_PCI_MSI + struct tsi721_device *priv = to_tsi721(dchan->device); +-#endif + LIST_HEAD(list); + + dev_dbg(dchan->device->dev, "%s: Entry\n", __func__); +@@ -589,14 +587,25 @@ static void tsi721_free_chan_resources(s + BUG_ON(!list_empty(&bdma_chan->active_list)); + BUG_ON(!list_empty(&bdma_chan->queue)); + +- tasklet_disable(&bdma_chan->tasklet); ++ tsi721_bdma_interrupt_enable(bdma_chan, 0); ++ bdma_chan->active = false; ++ ++#ifdef CONFIG_PCI_MSI ++ if (priv->flags & TSI721_USING_MSIX) { ++ synchronize_irq(priv->msix[TSI721_VECT_DMA0_DONE + ++ bdma_chan->id].vector); ++ synchronize_irq(priv->msix[TSI721_VECT_DMA0_INT + ++ bdma_chan->id].vector); ++ } else ++#endif ++ synchronize_irq(priv->pdev->irq); ++ ++ tasklet_kill(&bdma_chan->tasklet); + + spin_lock_bh(&bdma_chan->lock); + list_splice_init(&bdma_chan->free_list, &list); + spin_unlock_bh(&bdma_chan->lock); + +- tsi721_bdma_interrupt_enable(bdma_chan, 0); +- + #ifdef CONFIG_PCI_MSI + if (priv->flags & TSI721_USING_MSIX) { + free_irq(priv->msix[TSI721_VECT_DMA0_DONE + +@@ -790,6 +799,7 @@ int tsi721_register_dma(struct tsi721_de + bdma_chan->dchan.cookie = 1; + bdma_chan->dchan.chan_id = i; + bdma_chan->id = i; ++ bdma_chan->active = false; + + spin_lock_init(&bdma_chan->lock); + +@@ -799,7 +809,6 @@ int tsi721_register_dma(struct tsi721_de + + tasklet_init(&bdma_chan->tasklet, tsi721_dma_tasklet, + (unsigned long)bdma_chan); +- tasklet_disable(&bdma_chan->tasklet); + list_add_tail(&bdma_chan->dchan.device_node, + &mport->dma.channels); + } diff --git a/queue-3.13/sch_tbf-fix-potential-memory-leak-in-tbf_change.patch b/queue-3.13/sch_tbf-fix-potential-memory-leak-in-tbf_change.patch new file mode 100644 index 00000000000..e8091828288 --- /dev/null +++ b/queue-3.13/sch_tbf-fix-potential-memory-leak-in-tbf_change.patch @@ -0,0 +1,63 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Hiroaki SHIMODA +Date: Wed, 26 Feb 2014 21:43:42 +0900 +Subject: sch_tbf: Fix potential memory leak in tbf_change(). + +From: Hiroaki SHIMODA + +[ Upstream commit 724b9e1d75ab3401aaa081bd4efb440c1b3509db ] + +The allocated child qdisc is not freed in error conditions. +Defer the allocation after user configuration turns out to be +valid and acceptable. + +Fixes: cc106e441a63b ("net: sched: tbf: fix the calculation of max_size") +Signed-off-by: Hiroaki SHIMODA +Cc: Yang Yingliang +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_tbf.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -332,18 +332,6 @@ static int tbf_change(struct Qdisc *sch, + qdisc_put_rtab(qdisc_get_rtab(&qopt->peakrate, + tb[TCA_TBF_PTAB])); + +- if (q->qdisc != &noop_qdisc) { +- err = fifo_set_limit(q->qdisc, qopt->limit); +- if (err) +- goto done; +- } else if (qopt->limit > 0) { +- child = fifo_create_dflt(sch, &bfifo_qdisc_ops, qopt->limit); +- if (IS_ERR(child)) { +- err = PTR_ERR(child); +- goto done; +- } +- } +- + buffer = min_t(u64, PSCHED_TICKS2NS(qopt->buffer), ~0U); + mtu = min_t(u64, PSCHED_TICKS2NS(qopt->mtu), ~0U); + +@@ -377,6 +365,18 @@ static int tbf_change(struct Qdisc *sch, + goto done; + } + ++ if (q->qdisc != &noop_qdisc) { ++ err = fifo_set_limit(q->qdisc, qopt->limit); ++ if (err) ++ goto done; ++ } else if (qopt->limit > 0) { ++ child = fifo_create_dflt(sch, &bfifo_qdisc_ops, qopt->limit); ++ if (IS_ERR(child)) { ++ err = PTR_ERR(child); ++ goto done; ++ } ++ } ++ + sch_tree_lock(sch); + if (child) { + qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen); diff --git a/queue-3.13/sched-fix-double-normalization-of-vruntime.patch b/queue-3.13/sched-fix-double-normalization-of-vruntime.patch new file mode 100644 index 00000000000..a0179934fb4 --- /dev/null +++ b/queue-3.13/sched-fix-double-normalization-of-vruntime.patch @@ -0,0 +1,60 @@ +From 791c9e0292671a3bfa95286bb5c08129d8605618 Mon Sep 17 00:00:00 2001 +From: George McCollister +Date: Tue, 18 Feb 2014 17:56:51 -0600 +Subject: sched: Fix double normalization of vruntime + +From: George McCollister + +commit 791c9e0292671a3bfa95286bb5c08129d8605618 upstream. + +dequeue_entity() is called when p->on_rq and sets se->on_rq = 0 +which appears to guarentee that the !se->on_rq condition is met. +If the task has done set_current_state(TASK_INTERRUPTIBLE) without +schedule() the second condition will be met and vruntime will be +incorrectly adjusted twice. + +In certain cases this can result in the task's vruntime never increasing +past the vruntime of other tasks on the CFS' run queue, starving them of +CPU time. + +This patch changes switched_from_fair() to use !p->on_rq instead of +!se->on_rq. + +I'm able to cause a task with a priority of 120 to starve all other +tasks with the same priority on an ARM platform running 3.2.51-rt72 +PREEMPT RT by writing one character at time to a serial tty (16550 UART) +in a tight loop. I'm also able to verify making this change corrects the +problem on that platform and kernel version. + +Signed-off-by: George McCollister +Signed-off-by: Peter Zijlstra +Link: http://lkml.kernel.org/r/1392767811-28916-1-git-send-email-george.mccollister@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/fair.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7012,15 +7012,15 @@ static void switched_from_fair(struct rq + struct cfs_rq *cfs_rq = cfs_rq_of(se); + + /* +- * Ensure the task's vruntime is normalized, so that when its ++ * Ensure the task's vruntime is normalized, so that when it's + * switched back to the fair class the enqueue_entity(.flags=0) will + * do the right thing. + * +- * If it was on_rq, then the dequeue_entity(.flags=0) will already +- * have normalized the vruntime, if it was !on_rq, then only when ++ * If it's on_rq, then the dequeue_entity(.flags=0) will already ++ * have normalized the vruntime, if it's !on_rq, then only when + * the task is sleeping will it still have non-normalized vruntime. + */ +- if (!se->on_rq && p->state != TASK_RUNNING) { ++ if (!p->on_rq && p->state != TASK_RUNNING) { + /* + * Fix up our vruntime so that the current sleep doesn't + * cause 'unlimited' sleep bonus. diff --git a/queue-3.13/series b/queue-3.13/series index 893ca5e129d..8db3c9d68e4 100644 --- a/queue-3.13/series +++ b/queue-3.13/series @@ -4,3 +4,19 @@ mm-include-vm_mixedmap-flag-in-the-vm_special-list-to-avoid-m-un-locking.patch ocfs2-fix-quota-file-corruption.patch ocfs2-syncs-the-wrong-range.patch memcg-fix-endless-loop-in-__mem_cgroup_iter_next.patch +sched-fix-double-normalization-of-vruntime.patch +rapidio-tsi721-fix-tasklet-termination-in-dma-channel-release.patch +veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch +tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch +net-tcp-fastopen-fix-high-order-allocations.patch +neigh-recompute-reachabletime-before-returning-from-neigh_periodic_work.patch +virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch +ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch +ipv4-ipv6-better-estimate-tunnel-header-cut-for-correct-ufo-handling.patch +sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch +sch_tbf-fix-potential-memory-leak-in-tbf_change.patch +ipv6-ipv6_find_hdr-restore-prev-functionality.patch +tg3-don-t-check-undefined-error-bits-in-rxbd.patch +ip_tunnel-multicast-process-cause-panic-due-to-skb-_skb_refdst-null-pointer.patch +net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch +macvlan-add-support-for-always_on-offload-features.patch diff --git a/queue-3.13/sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch b/queue-3.13/sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch new file mode 100644 index 00000000000..44261c4a307 --- /dev/null +++ b/queue-3.13/sfc-check-for-null-efx-ptp_data-in-efx_ptp_event.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Edward Cree +Date: Tue, 25 Feb 2014 13:17:59 +0000 +Subject: sfc: check for NULL efx->ptp_data in efx_ptp_event + +From: Edward Cree + +[ Upstream commit 8f355e5cee63c2c0c145d8206c4245d0189f47ff ] + +If we receive a PTP event from the NIC when we haven't set up PTP state +in the driver, we attempt to read through a NULL pointer efx->ptp_data, +triggering a panic. + +Signed-off-by: Edward Cree +Acked-by: Shradha Shah +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/ptp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/ethernet/sfc/ptp.c ++++ b/drivers/net/ethernet/sfc/ptp.c +@@ -1360,6 +1360,13 @@ void efx_ptp_event(struct efx_nic *efx, + struct efx_ptp_data *ptp = efx->ptp_data; + int code = EFX_QWORD_FIELD(*ev, MCDI_EVENT_CODE); + ++ if (!ptp) { ++ if (net_ratelimit()) ++ netif_warn(efx, drv, efx->net_dev, ++ "Received PTP event but PTP not set up\n"); ++ return; ++ } ++ + if (!ptp->enabled) + return; + diff --git a/queue-3.13/tg3-don-t-check-undefined-error-bits-in-rxbd.patch b/queue-3.13/tg3-don-t-check-undefined-error-bits-in-rxbd.patch new file mode 100644 index 00000000000..852e0b1aeb8 --- /dev/null +++ b/queue-3.13/tg3-don-t-check-undefined-error-bits-in-rxbd.patch @@ -0,0 +1,47 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Michael Chan +Date: Fri, 28 Feb 2014 15:05:10 -0800 +Subject: tg3: Don't check undefined error bits in RXBD + +From: Michael Chan + +[ Upstream commit d7b95315cc7f441418845a165ee56df723941487 ] + +Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes +a customer reported issue of randomly dropping packets on the 5719. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 3 +-- + drivers/net/ethernet/broadcom/tg3.h | 6 +++++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -6827,8 +6827,7 @@ static int tg3_rx(struct tg3_napi *tnapi + + work_mask |= opaque_key; + +- if ((desc->err_vlan & RXD_ERR_MASK) != 0 && +- (desc->err_vlan != RXD_ERR_ODD_NIBBLE_RCVD_MII)) { ++ if (desc->err_vlan & RXD_ERR_MASK) { + drop_it: + tg3_recycle_rx(tnapi, tpr, opaque_key, + desc_idx, *post_ptr); +--- a/drivers/net/ethernet/broadcom/tg3.h ++++ b/drivers/net/ethernet/broadcom/tg3.h +@@ -2601,7 +2601,11 @@ struct tg3_rx_buffer_desc { + #define RXD_ERR_TOO_SMALL 0x00400000 + #define RXD_ERR_NO_RESOURCES 0x00800000 + #define RXD_ERR_HUGE_FRAME 0x01000000 +-#define RXD_ERR_MASK 0xffff0000 ++ ++#define RXD_ERR_MASK (RXD_ERR_BAD_CRC | RXD_ERR_COLLISION | \ ++ RXD_ERR_LINK_LOST | RXD_ERR_PHY_DECODE | \ ++ RXD_ERR_MAC_ABRT | RXD_ERR_TOO_SMALL | \ ++ RXD_ERR_NO_RESOURCES | RXD_ERR_HUGE_FRAME) + + u32 reserved; + u32 opaque; diff --git a/queue-3.13/tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch b/queue-3.13/tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch new file mode 100644 index 00000000000..cc130d2a07c --- /dev/null +++ b/queue-3.13/tun-remove-bogus-hardware-vlan-acceleration-flags-from-vlan_features.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Fernando Luis Vazquez Cao +Date: Tue, 18 Feb 2014 21:20:09 +0900 +Subject: tun: remove bogus hardware vlan acceleration flags from vlan_features + +From: Fernando Luis Vazquez Cao + +[ Upstream commit 6671b2240c54585d4afb5286a29f1569fe5e40a8 ] + +Even though only the outer vlan tag can be HW accelerated in the transmission +path, in the TUN/TAP driver vlan_features mirrors hw_features, which happens +to have the NETIF_F_HW_VLAN_?TAG_TX flags set. Because of this, during packet +tranmisssion through a stacked vlan device dev_hard_start_xmit, (incorrectly) +assuming that the vlan device supports hardware vlan acceleration, does not +add the vlan header to the skb payload and the inner vlan tags are lost +(vlan_tci contains the outer vlan tag when userspace reads the packet from +the tap device). + +Signed-off-by: Fernando Luis Vazquez Cao +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1651,7 +1651,9 @@ static int tun_set_iff(struct net *net, + TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX | + NETIF_F_HW_VLAN_STAG_TX; + dev->features = dev->hw_features; +- dev->vlan_features = dev->features; ++ dev->vlan_features = dev->features & ++ ~(NETIF_F_HW_VLAN_CTAG_TX | ++ NETIF_F_HW_VLAN_STAG_TX); + + INIT_LIST_HEAD(&tun->disabled); + err = tun_attach(tun, file, false); diff --git a/queue-3.13/veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch b/queue-3.13/veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch new file mode 100644 index 00000000000..b3630586eb9 --- /dev/null +++ b/queue-3.13/veth-fix-vlan_features-so-as-to-be-able-to-use-stacked-vlan-interfaces.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Toshiaki Makita +Date: Tue, 18 Feb 2014 21:20:08 +0900 +Subject: veth: Fix vlan_features so as to be able to use stacked vlan interfaces + +From: Toshiaki Makita + +[ Upstream commit 8d0d21f4053c07714802cbe8b1fe26913ec296cc ] + +Even if we create a stacked vlan interface such as veth0.10.20, it sends +single tagged frames (tagged with only vid 10). +Because vlan_features of a veth interface has the +NETIF_F_HW_VLAN_[CTAG/STAG]_TX bits, veth0.10 also has that feature, so +dev_hard_start_xmit(veth0.10) doesn't call __vlan_put_tag() and +vlan_dev_hard_start_xmit(veth0.10) overwrites vlan_tci. +This prevents us from using a combination of 802.1ad and 802.1Q +in containers, etc. + +Signed-off-by: Toshiaki Makita +Acked-by: Flavio Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/veth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -285,7 +285,8 @@ static void veth_setup(struct net_device + dev->ethtool_ops = &veth_ethtool_ops; + dev->features |= NETIF_F_LLTX; + dev->features |= VETH_FEATURES; +- dev->vlan_features = dev->features; ++ dev->vlan_features = dev->features & ++ ~(NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX); + dev->destructor = veth_dev_free; + + dev->hw_features = VETH_FEATURES; diff --git a/queue-3.13/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch b/queue-3.13/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch new file mode 100644 index 00000000000..8b4982a371d --- /dev/null +++ b/queue-3.13/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Mar 19 23:31:33 Local time zone must be set--see zic manual page 2014 +From: Jason Wang +Date: Fri, 21 Feb 2014 13:08:04 +0800 +Subject: virtio-net: alloc big buffers also when guest can receive UFO + +From: Jason Wang + +[ Upstream commit 0e7ede80d929ff0f830c44a543daa1acd590c749 ] + +We should alloc big buffers also when guest can receive UFO +packets to let the big packets fit into guest rx buffer. + +Fixes 5c5167515d80f78f6bb538492c423adcae31ad65 +(virtio-net: Allow UFO feature to be set and advertised.) + +Cc: Rusty Russell +Cc: Michael S. Tsirkin +Cc: Sridhar Samudrala +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Acked-by: Rusty Russell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1645,7 +1645,8 @@ static int virtnet_probe(struct virtio_d + /* If we can receive ANY GSO packets, we must allocate large ones. */ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) || +- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN)) ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) || ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO)) + vi->big_packets = true; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF)) -- 2.47.3