From: Greg Kroah-Hartman Date: Thu, 29 May 2014 04:03:31 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.10.41~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=87faf53de504557bd0218a05725296adb13a5ed0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: bonding-remove-debug_fs-files-when-module-init-fails.patch bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch gre-don-t-allow-to-add-the-same-tunnel-twice.patch ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch ip6_tunnel-fix-potential-null-pointer-dereference.patch ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch ipv4-initialise-the-itag-variable-in-__mkroute_input.patch ipv4-return-valid-rta_iif-on-ip-route-get.patch ipv6-fib-fix-fib-dump-restart.patch ipv6-limit-mtu-to-65575-bytes.patch l2tp-take-pmtu-from-tunnel-udp-socket.patch list-introduce-list_next_entry-and-list_prev_entry.patch macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch net-gro-reset-skb-truesize-in-napi_reuse_skb.patch net-ipv4-current-group_info-should-be-put-after-using.patch net-ipv4-ip_forward-fix-inverted-local_df-test.patch net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch net-qmi_wwan-add-alcatel-l800ma.patch net-qmi_wwan-add-a-number-of-cmotech-devices.patch net-qmi_wwan-add-a-number-of-dell-devices.patch net-qmi_wwan-add-olivetti-olicard-500.patch net-qmi_wwan-add-option-gtm681w.patch net-qmi_wwan-add-sierra-wireless-em7355.patch net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch net-qmi_wwan-add-sierra-wireless-mc73xx.patch net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch net-qmi_wwan-add-telit-le920-newer-firmware-support.patch net-qmi_wwan-add-tp-link-ma260.patch net-qmi_wwan-add-zte-mf667.patch net-qmi_wwan-fix-cinterion-plxx-product-id.patch net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch net-qmi_wwan-olivetti-olicard-200-support.patch net-sctp-cache-auth_enable-per-endpoint.patch net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch qmi_wwan-add-onda-mt689dc-device-id-fwd.patch revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch sctp-reset-flowi4_oif-parameter-on-route-lookup.patch tcp_cubic-fix-the-range-of-delayed_ack.patch tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch vti-don-t-allow-to-add-the-same-tunnel-twice.patch --- diff --git a/queue-3.10/bonding-remove-debug_fs-files-when-module-init-fails.patch b/queue-3.10/bonding-remove-debug_fs-files-when-module-init-fails.patch new file mode 100644 index 00000000000..9a81da493ff --- /dev/null +++ b/queue-3.10/bonding-remove-debug_fs-files-when-module-init-fails.patch @@ -0,0 +1,32 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Thomas Richter +Date: Wed, 9 Apr 2014 12:52:59 +0200 +Subject: bonding: Remove debug_fs files when module init fails + +From: Thomas Richter + +[ Upstream commit db29868653394937037d71dc3545768302dda643 ] + +Remove the bonding debug_fs entries when the +module initialization fails. The debug_fs +entries should be removed together with all other +already allocated resources. + +Signed-off-by: Thomas Richter +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4995,6 +4995,7 @@ static int __init bonding_init(void) + out: + return res; + err: ++ bond_destroy_debugfs(); + rtnl_link_unregister(&bond_link_ops); + err_link: + unregister_pernet_subsys(&bond_net_ops); diff --git a/queue-3.10/bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch b/queue-3.10/bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch new file mode 100644 index 00000000000..41674c14dbc --- /dev/null +++ b/queue-3.10/bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch @@ -0,0 +1,70 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Toshiaki Makita +Date: Wed, 9 Apr 2014 17:00:30 +0900 +Subject: bridge: Fix double free and memory leak around br_allowed_ingress + +From: Toshiaki Makita + +[ Upstream commit eb7076182d1ae4bc4641534134ed707100d76acc ] + +br_allowed_ingress() has two problems. + +1. If br_allowed_ingress() is called by br_handle_frame_finish() and +vlan_untag() in br_allowed_ingress() fails, skb will be freed by both +vlan_untag() and br_handle_frame_finish(). + +2. If br_allowed_ingress() is called by br_dev_xmit() and +br_allowed_ingress() fails, the skb will not be freed. + +Fix these two problems by freeing the skb in br_allowed_ingress() +if it fails. + +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_input.c | 2 +- + net/bridge/br_vlan.c | 7 ++++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -71,7 +71,7 @@ int br_handle_frame_finish(struct sk_buf + goto drop; + + if (!br_allowed_ingress(p->br, nbp_get_vlan_info(p), skb, &vid)) +- goto drop; ++ goto out; + + /* insert into forwarding database after filtering to avoid spoofing */ + br = p->br; +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -202,7 +202,7 @@ bool br_allowed_ingress(struct net_bridg + * rejected. + */ + if (!v) +- return false; ++ goto drop; + + if (br_vlan_get_tag(skb, vid)) { + u16 pvid = br_get_pvid(v); +@@ -212,7 +212,7 @@ bool br_allowed_ingress(struct net_bridg + * traffic belongs to. + */ + if (pvid == VLAN_N_VID) +- return false; ++ goto drop; + + /* PVID is set on this port. Any untagged ingress + * frame is considered to belong to this vlan. +@@ -224,7 +224,8 @@ bool br_allowed_ingress(struct net_bridg + /* Frame had a valid vlan tag. See if vlan is allowed */ + if (test_bit(*vid, v->vlan_bitmap)) + return true; +- ++drop: ++ kfree_skb(skb); + return false; + } + diff --git a/queue-3.10/bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch b/queue-3.10/bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch new file mode 100644 index 00000000000..da0dea539e3 --- /dev/null +++ b/queue-3.10/bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch @@ -0,0 +1,53 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Toshiaki Makita +Date: Fri, 25 Apr 2014 17:01:18 +0900 +Subject: bridge: Handle IFLA_ADDRESS correctly when creating bridge device + +From: Toshiaki Makita + +[ Upstream commit 30313a3d5794472c3548d7288e306a5492030370 ] + +When bridge device is created with IFLA_ADDRESS, we are not calling +br_stp_change_bridge_id(), which leads to incorrect local fdb +management and bridge id calculation, and prevents us from receiving +frames on the bridge device. + +Reported-by: Tom Gundersen +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netlink.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -438,6 +438,20 @@ static int br_validate(struct nlattr *tb + return 0; + } + ++static int br_dev_newlink(struct net *src_net, struct net_device *dev, ++ struct nlattr *tb[], struct nlattr *data[]) ++{ ++ struct net_bridge *br = netdev_priv(dev); ++ ++ if (tb[IFLA_ADDRESS]) { ++ spin_lock_bh(&br->lock); ++ br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS])); ++ spin_unlock_bh(&br->lock); ++ } ++ ++ return register_netdevice(dev); ++} ++ + static size_t br_get_link_af_size(const struct net_device *dev) + { + struct net_port_vlans *pv; +@@ -466,6 +480,7 @@ struct rtnl_link_ops br_link_ops __read_ + .priv_size = sizeof(struct net_bridge), + .setup = br_dev_setup, + .validate = br_validate, ++ .newlink = br_dev_newlink, + .dellink = br_dev_delete, + }; + diff --git a/queue-3.10/filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch b/queue-3.10/filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch new file mode 100644 index 00000000000..f1f24e672f0 --- /dev/null +++ b/queue-3.10/filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch @@ -0,0 +1,88 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Mathias Krause +Date: Sun, 13 Apr 2014 18:23:33 +0200 +Subject: filter: prevent nla extensions to peek beyond the end of the message + +From: Mathias Krause + +[ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ] + +The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check +for a minimal message length before testing the supplied offset to be +within the bounds of the message. This allows the subtraction of the nla +header to underflow and therefore -- as the data type is unsigned -- +allowing far to big offset and length values for the search of the +netlink attribute. + +The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is +also wrong. It has the minuend and subtrahend mixed up, therefore +calculates a huge length value, allowing to overrun the end of the +message while looking for the netlink attribute. + +The following three BPF snippets will trigger the bugs when attached to +a UNIX datagram socket and parsing a message with length 1, 2 or 3. + + ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- + | ld #0x87654321 + | ldx #42 + | ld #nla + | ret a + `--- + + ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- + | ld #0x87654321 + | ldx #42 + | ld #nlan + | ret a + `--- + + ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- + | ; (needs a fake netlink header at offset 0) + | ld #0 + | ldx #42 + | ld #nlan + | ret a + `--- + +Fix the first issue by ensuring the message length fulfills the minimal +size constrains of a nla header. Fix the second bug by getting the math +for the remainder calculation right. + +Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") +Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") +Cc: Patrick McHardy +Cc: Pablo Neira Ayuso +Signed-off-by: Mathias Krause +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -355,6 +355,8 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ if (skb->len < sizeof(struct nlattr)) ++ return 0; + if (A > skb->len - sizeof(struct nlattr)) + return 0; + +@@ -371,11 +373,13 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ if (skb->len < sizeof(struct nlattr)) ++ return 0; + if (A > skb->len - sizeof(struct nlattr)) + return 0; + + nla = (struct nlattr *)&skb->data[A]; +- if (nla->nla_len > A - skb->len) ++ if (nla->nla_len > skb->len - A) + return 0; + + nla = nla_find_nested(nla, X); diff --git a/queue-3.10/gre-don-t-allow-to-add-the-same-tunnel-twice.patch b/queue-3.10/gre-don-t-allow-to-add-the-same-tunnel-twice.patch new file mode 100644 index 00000000000..bec2fc8643d --- /dev/null +++ b/queue-3.10/gre-don-t-allow-to-add-the-same-tunnel-twice.patch @@ -0,0 +1,46 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Nicolas Dichtel +Date: Fri, 11 Apr 2014 15:51:18 +0200 +Subject: gre: don't allow to add the same tunnel twice + +From: Nicolas Dichtel + +[ Upstream commit 5a4552752d8f7f4cef1d98775ece7adb7616fde2 ] + +Before the patch, it was possible to add two times the same tunnel: +ip l a gre1 type gre remote 10.16.0.121 local 10.16.0.249 +ip l a gre2 type gre remote 10.16.0.121 local 10.16.0.249 + +It was possible, because ip_tunnel_newlink() calls ip_tunnel_find() with the +argument dev->type, which was set only later (when calling ndo_init handler +in register_netdevice()). Let's set this type in the setup handler, which is +called before newlink handler. + +Introduced by commit c54419321455 ("GRE: Refactor GRE tunneling code."). + +CC: Pravin B Shelar +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -652,6 +652,7 @@ static const struct net_device_ops ipgre + static void ipgre_tunnel_setup(struct net_device *dev) + { + dev->netdev_ops = &ipgre_netdev_ops; ++ dev->type = ARPHRD_IPGRE; + ip_tunnel_setup(dev, ipgre_net_id); + } + +@@ -690,7 +691,6 @@ static int ipgre_tunnel_init(struct net_ + memcpy(dev->dev_addr, &iph->saddr, 4); + memcpy(dev->broadcast, &iph->daddr, 4); + +- dev->type = ARPHRD_IPGRE; + dev->flags = IFF_NOARP; + dev->priv_flags &= ~IFF_XMIT_DST_RELEASE; + dev->addr_len = 4; diff --git a/queue-3.10/ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch b/queue-3.10/ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch new file mode 100644 index 00000000000..23ed72e817d --- /dev/null +++ b/queue-3.10/ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch @@ -0,0 +1,52 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Nicolas Dichtel +Date: Mon, 14 Apr 2014 17:11:38 +0200 +Subject: ip6_gre: don't allow to remove the fb_tunnel_dev + +From: Nicolas Dichtel + +[ Upstream commit 54d63f787b652755e66eb4dd8892ee6d3f5197fc ] + +It's possible to remove the FB tunnel with the command 'ip link del ip6gre0' but +this is unsafe, the module always supposes that this device exists. For example, +ip6gre_tunnel_lookup() may use it unconditionally. + +Let's add a rtnl handler for dellink, which will never remove the FB tunnel (we +let ip6gre_destroy_tunnels() do the job). + +Introduced by commit c12b395a4664 ("gre: Support GRE over IPv6"). + +CC: Dmitry Kozlov +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1549,6 +1549,15 @@ static int ip6gre_changelink(struct net_ + return 0; + } + ++static void ip6gre_dellink(struct net_device *dev, struct list_head *head) ++{ ++ struct net *net = dev_net(dev); ++ struct ip6gre_net *ign = net_generic(net, ip6gre_net_id); ++ ++ if (dev != ign->fb_tunnel_dev) ++ unregister_netdevice_queue(dev, head); ++} ++ + static size_t ip6gre_get_size(const struct net_device *dev) + { + return +@@ -1626,6 +1635,7 @@ static struct rtnl_link_ops ip6gre_link_ + .validate = ip6gre_tunnel_validate, + .newlink = ip6gre_newlink, + .changelink = ip6gre_changelink, ++ .dellink = ip6gre_dellink, + .get_size = ip6gre_get_size, + .fill_info = ip6gre_fill_info, + }; diff --git a/queue-3.10/ip6_tunnel-fix-potential-null-pointer-dereference.patch b/queue-3.10/ip6_tunnel-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..f0198c75e4a --- /dev/null +++ b/queue-3.10/ip6_tunnel-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,35 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Susant Sahani +Date: Sat, 10 May 2014 00:11:32 +0530 +Subject: ip6_tunnel: fix potential NULL pointer dereference + +From: Susant Sahani + +[ Upstream commit c8965932a2e3b70197ec02c6741c29460279e2a8 ] + +The function ip6_tnl_validate assumes that the rtnl +attribute IFLA_IPTUN_PROTO always be filled . If this +attribute is not filled by the userspace application +kernel get crashed with NULL pointer dereference. This +patch fixes the potential kernel crash when +IFLA_IPTUN_PROTO is missing . + +Signed-off-by: Susant Sahani +Acked-by: Thomas Graf +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1531,7 +1531,7 @@ static int ip6_tnl_validate(struct nlatt + { + u8 proto; + +- if (!data) ++ if (!data || !data[IFLA_IPTUN_PROTO]) + return 0; + + proto = nla_get_u8(data[IFLA_IPTUN_PROTO]); diff --git a/queue-3.10/ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch b/queue-3.10/ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch new file mode 100644 index 00000000000..e72617010ee --- /dev/null +++ b/queue-3.10/ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch @@ -0,0 +1,38 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Sergey Popovich +Date: Tue, 6 May 2014 18:23:08 +0300 +Subject: ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation + +From: Sergey Popovich + +[ Upstream commit aeefa1ecfc799b0ea2c4979617f14cecd5cccbfd ] + +Increment fib_info_cnt in fib_create_info() right after successfuly +alllocating fib_info structure, overwise fib_metrics allocation failure +leads to fib_info_cnt incorrectly decremented in free_fib_info(), called +on error path from fib_create_info(). + +Signed-off-by: Sergey Popovich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_semantics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -818,13 +818,13 @@ struct fib_info *fib_create_info(struct + fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL); + if (fi == NULL) + goto failure; ++ fib_info_cnt++; + if (cfg->fc_mx) { + fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL); + if (!fi->fib_metrics) + goto failure; + } else + fi->fib_metrics = (u32 *) dst_default_metrics; +- fib_info_cnt++; + + fi->fib_net = hold_net(net); + fi->fib_protocol = cfg->fc_protocol; diff --git a/queue-3.10/ipv4-initialise-the-itag-variable-in-__mkroute_input.patch b/queue-3.10/ipv4-initialise-the-itag-variable-in-__mkroute_input.patch new file mode 100644 index 00000000000..9b0e2933dbd --- /dev/null +++ b/queue-3.10/ipv4-initialise-the-itag-variable-in-__mkroute_input.patch @@ -0,0 +1,34 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Li RongQing +Date: Thu, 22 May 2014 16:36:55 +0800 +Subject: ipv4: initialise the itag variable in __mkroute_input + +From: Li RongQing + +[ Upstream commit fbdc0ad095c0a299e9abf5d8ac8f58374951149a ] + +the value of itag is a random value from stack, and may not be initiated by +fib_validate_source, which called fib_combine_itag if CONFIG_IP_ROUTE_CLASSID +is not set + +This will make the cached dst uncertainty + +Signed-off-by: Li RongQing +Acked-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1478,7 +1478,7 @@ static int __mkroute_input(struct sk_buf + struct in_device *out_dev; + unsigned int flags = 0; + bool do_cache; +- u32 itag; ++ u32 itag = 0; + + /* get a working reference to the output device */ + out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res)); diff --git a/queue-3.10/ipv4-return-valid-rta_iif-on-ip-route-get.patch b/queue-3.10/ipv4-return-valid-rta_iif-on-ip-route-get.patch new file mode 100644 index 00000000000..8a958c63304 --- /dev/null +++ b/queue-3.10/ipv4-return-valid-rta_iif-on-ip-route-get.patch @@ -0,0 +1,35 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Julian Anastasov +Date: Sun, 13 Apr 2014 18:08:02 +0300 +Subject: ipv4: return valid RTA_IIF on ip route get + +From: Julian Anastasov + +[ Upstream commit 91146153da2feab18efab2e13b0945b6bb704ded ] + +Extend commit 13378cad02afc2adc6c0e07fca03903c7ada0b37 +("ipv4: Change rt->rt_iif encoding.") from 3.6 to return valid +RTA_IIF on 'ip route get ... iif DEVICE' instead of rt_iif 0 +which is displayed as 'iif *'. + +inet_iif is not appropriate to use because skb_iif is not set. +Use the skb->dev->ifindex instead. + +Signed-off-by: Julian Anastasov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2306,7 +2306,7 @@ static int rt_fill_info(struct net *net, + } + } else + #endif +- if (nla_put_u32(skb, RTA_IIF, rt->rt_iif)) ++ if (nla_put_u32(skb, RTA_IIF, skb->dev->ifindex)) + goto nla_put_failure; + } + diff --git a/queue-3.10/ipv6-fib-fix-fib-dump-restart.patch b/queue-3.10/ipv6-fib-fix-fib-dump-restart.patch new file mode 100644 index 00000000000..15608a6eb2a --- /dev/null +++ b/queue-3.10/ipv6-fib-fix-fib-dump-restart.patch @@ -0,0 +1,45 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Kumar Sundararajan +Date: Thu, 24 Apr 2014 09:48:53 -0400 +Subject: ipv6: fib: fix fib dump restart + +From: Kumar Sundararajan + +[ Upstream commit 1c2658545816088477e91860c3a645053719cb54 ] + +When the ipv6 fib changes during a table dump, the walk is +restarted and the number of nodes dumped are skipped. But the existing +code doesn't advance to the next node after a node is skipped. This can +cause the dump to loop or produce lots of duplicates when the fib +is modified during the dump. + +This change advances the walk to the next node if the current node is +skipped after a restart. + +Signed-off-by: Kumar Sundararajan +Signed-off-by: Chris Mason +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1418,7 +1418,7 @@ static int fib6_walk_continue(struct fib + + if (w->skip) { + w->skip--; +- continue; ++ goto skip; + } + + err = w->func(w); +@@ -1428,6 +1428,7 @@ static int fib6_walk_continue(struct fib + w->count++; + continue; + } ++skip: + w->state = FWS_U; + case FWS_U: + if (fn == w->root) diff --git a/queue-3.10/ipv6-limit-mtu-to-65575-bytes.patch b/queue-3.10/ipv6-limit-mtu-to-65575-bytes.patch new file mode 100644 index 00000000000..d98a82697fb --- /dev/null +++ b/queue-3.10/ipv6-limit-mtu-to-65575-bytes.patch @@ -0,0 +1,71 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Eric Dumazet +Date: Thu, 10 Apr 2014 21:23:36 -0700 +Subject: ipv6: Limit mtu to 65575 bytes + +From: Eric Dumazet + +[ Upstream commit 30f78d8ebf7f514801e71b88a10c948275168518 ] + +Francois reported that setting big mtu on loopback device could prevent +tcp sessions making progress. + +We do not support (yet ?) IPv6 Jumbograms and cook corrupted packets. + +We must limit the IPv6 MTU to (65535 + 40) bytes in theory. + +Tested: + +ifconfig lo mtu 70000 +netperf -H ::1 + +Before patch : Throughput : 0.05 Mbits + +After patch : Throughput : 35484 Mbits + +Reported-by: Francois WELLENREITER +Signed-off-by: Eric Dumazet +Acked-by: YOSHIFUJI Hideaki +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_route.h | 5 +++++ + net/ipv6/route.c | 5 +++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -32,6 +32,11 @@ struct route_info { + #define RT6_LOOKUP_F_SRCPREF_PUBLIC 0x00000010 + #define RT6_LOOKUP_F_SRCPREF_COA 0x00000020 + ++/* We do not (yet ?) support IPv6 jumbograms (RFC 2675) ++ * Unlike IPv4, hdr->seg_len doesn't include the IPv6 header ++ */ ++#define IP6_MAX_MTU (0xFFFF + sizeof(struct ipv6hdr)) ++ + /* + * rt6_srcprefs2flags() and rt6_flags2srcprefs() translate + * between IPV6_ADDR_PREFERENCES socket option values +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1236,7 +1236,7 @@ static unsigned int ip6_mtu(const struct + unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); + + if (mtu) +- return mtu; ++ goto out; + + mtu = IPV6_MIN_MTU; + +@@ -1246,7 +1246,8 @@ static unsigned int ip6_mtu(const struct + mtu = idev->cnf.mtu6; + rcu_read_unlock(); + +- return mtu; ++out: ++ return min_t(unsigned int, mtu, IP6_MAX_MTU); + } + + static struct dst_entry *icmp6_dst_gc_list; diff --git a/queue-3.10/l2tp-take-pmtu-from-tunnel-udp-socket.patch b/queue-3.10/l2tp-take-pmtu-from-tunnel-udp-socket.patch new file mode 100644 index 00000000000..4ca9b77f234 --- /dev/null +++ b/queue-3.10/l2tp-take-pmtu-from-tunnel-udp-socket.patch @@ -0,0 +1,34 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Dmitry Petukhov +Date: Wed, 9 Apr 2014 02:23:20 +0600 +Subject: l2tp: take PMTU from tunnel UDP socket + +From: Dmitry Petukhov + +[ Upstream commit f34c4a35d87949fbb0e0f31eba3c054e9f8199ba ] + +When l2tp driver tries to get PMTU for the tunnel destination, it uses +the pointer to struct sock that represents PPPoX socket, while it +should use the pointer that represents UDP socket of the tunnel. + +Signed-off-by: Dmitry Petukhov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -754,9 +754,9 @@ static int pppol2tp_connect(struct socke + session->deref = pppol2tp_session_sock_put; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ +- dst = sk_dst_get(sk); ++ dst = sk_dst_get(tunnel->sock); + if (dst != NULL) { +- u32 pmtu = dst_mtu(__sk_dst_get(sk)); ++ u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock)); + if (pmtu != 0) + session->mtu = session->mru = pmtu - + PPPOL2TP_HEADER_OVERHEAD; diff --git a/queue-3.10/list-introduce-list_next_entry-and-list_prev_entry.patch b/queue-3.10/list-introduce-list_next_entry-and-list_prev_entry.patch new file mode 100644 index 00000000000..67142869a94 --- /dev/null +++ b/queue-3.10/list-introduce-list_next_entry-and-list_prev_entry.patch @@ -0,0 +1,76 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Oleg Nesterov +Date: Tue, 12 Nov 2013 15:10:01 -0800 +Subject: list: introduce list_next_entry() and list_prev_entry() + +From: Oleg Nesterov + +[ Upstream commit 008208c6b26f21c2648c250a09c55e737c02c5f8 ] + +Add two trivial helpers list_next_entry() and list_prev_entry(), they +can have a lot of users including list.h itself. In fact the 1st one is +already defined in events/core.c and bnx2x_sp.c, so the patch simply +moves the definition to list.h. + +Signed-off-by: Oleg Nesterov +Cc: Eilon Greenstein +Cc: Greg Kroah-Hartman +Cc: Peter Zijlstra +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 3 --- + include/linux/list.h | 16 ++++++++++++++++ + kernel/events/core.c | 3 --- + 3 files changed, 16 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +@@ -1038,9 +1038,6 @@ static void bnx2x_set_one_vlan_mac_e1h(s + ETH_VLAN_FILTER_CLASSIFY, config); + } + +-#define list_next_entry(pos, member) \ +- list_entry((pos)->member.next, typeof(*(pos)), member) +- + /** + * bnx2x_vlan_mac_restore - reconfigure next MAC/VLAN/VLAN-MAC element + * +--- a/include/linux/list.h ++++ b/include/linux/list.h +@@ -373,6 +373,22 @@ static inline void list_splice_tail_init + (!list_empty(ptr) ? list_first_entry(ptr, type, member) : NULL) + + /** ++ * list_next_entry - get the next element in list ++ * @pos: the type * to cursor ++ * @member: the name of the list_struct within the struct. ++ */ ++#define list_next_entry(pos, member) \ ++ list_entry((pos)->member.next, typeof(*(pos)), member) ++ ++/** ++ * list_prev_entry - get the prev element in list ++ * @pos: the type * to cursor ++ * @member: the name of the list_struct within the struct. ++ */ ++#define list_prev_entry(pos, member) \ ++ list_entry((pos)->member.prev, typeof(*(pos)), member) ++ ++/** + * list_for_each - iterate over a list + * @pos: the &struct list_head to use as a loop cursor. + * @head: the head for your list. +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2016,9 +2016,6 @@ static void __perf_event_sync_stat(struc + perf_event_update_userpage(next_event); + } + +-#define list_next_entry(pos, member) \ +- list_entry(pos->member.next, typeof(*pos), member) +- + static void perf_event_sync_stat(struct perf_event_context *ctx, + struct perf_event_context *next_ctx) + { diff --git a/queue-3.10/macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch b/queue-3.10/macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch new file mode 100644 index 00000000000..334e3f0fc11 --- /dev/null +++ b/queue-3.10/macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch @@ -0,0 +1,39 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Peter Christensen +Date: Thu, 8 May 2014 11:15:37 +0200 +Subject: macvlan: Don't propagate IFF_ALLMULTI changes on down interfaces. + +From: Peter Christensen + +[ Upstream commit bbeb0eadcf9fe74fb2b9b1a6fea82cd538b1e556 ] + +Clearing the IFF_ALLMULTI flag on a down interface could cause an allmulti +overflow on the underlying interface. + +Attempting the set IFF_ALLMULTI on the underlying interface would cause an +error and the log message: + +"allmulti touches root, set allmulti failed." + +Signed-off-by: Peter Christensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -420,8 +420,10 @@ static void macvlan_change_rx_flags(stru + struct macvlan_dev *vlan = netdev_priv(dev); + struct net_device *lowerdev = vlan->lowerdev; + +- if (change & IFF_ALLMULTI) +- dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1); ++ if (dev->flags & IFF_UP) { ++ if (change & IFF_ALLMULTI) ++ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1); ++ } + } + + static void macvlan_set_mac_lists(struct net_device *dev) diff --git a/queue-3.10/net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch b/queue-3.10/net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch new file mode 100644 index 00000000000..95efeea768a --- /dev/null +++ b/queue-3.10/net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch @@ -0,0 +1,108 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 9 May 2014 14:45:00 +0200 +Subject: net: cdc_mbim: handle unaccelerated VLAN tagged frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 6b5eeb7f874b689403e52a646e485d0191ab9507 ] + +This driver maps 802.1q VLANs to MBIM sessions. The mapping is based on +a bogus assumption that all tagged frames will use the acceleration API +because we enable NETIF_F_HW_VLAN_CTAG_TX. This fails for e.g. frames +tagged in userspace using packet sockets. Such frames will erroneously +be considered as untagged and silently dropped based on not being IP. + +Fix by falling back to looking into the ethernet header for a tag if no +accelerated tag was found. + +Fixes: a82c7ce5bc5b ("net: cdc_ncm: map MBIM IPS SessionID to VLAN ID") +Cc: Greg Suarez +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_mbim.c | 39 ++++++++++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -120,6 +120,16 @@ static void cdc_mbim_unbind(struct usbne + cdc_ncm_unbind(dev, intf); + } + ++/* verify that the ethernet protocol is IPv4 or IPv6 */ ++static bool is_ip_proto(__be16 proto) ++{ ++ switch (proto) { ++ case htons(ETH_P_IP): ++ case htons(ETH_P_IPV6): ++ return true; ++ } ++ return false; ++} + + static struct sk_buff *cdc_mbim_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags) + { +@@ -128,6 +138,7 @@ static struct sk_buff *cdc_mbim_tx_fixup + struct cdc_ncm_ctx *ctx = info->ctx; + __le32 sign = cpu_to_le32(USB_CDC_MBIM_NDP16_IPS_SIGN); + u16 tci = 0; ++ bool is_ip; + u8 *c; + + if (!ctx) +@@ -137,25 +148,32 @@ static struct sk_buff *cdc_mbim_tx_fixup + if (skb->len <= ETH_HLEN) + goto error; + ++ /* Some applications using e.g. packet sockets will ++ * bypass the VLAN acceleration and create tagged ++ * ethernet frames directly. We primarily look for ++ * the accelerated out-of-band tag, but fall back if ++ * required ++ */ ++ skb_reset_mac_header(skb); ++ if (vlan_get_tag(skb, &tci) < 0 && skb->len > VLAN_ETH_HLEN && ++ __vlan_get_tag(skb, &tci) == 0) { ++ is_ip = is_ip_proto(vlan_eth_hdr(skb)->h_vlan_encapsulated_proto); ++ skb_pull(skb, VLAN_ETH_HLEN); ++ } else { ++ is_ip = is_ip_proto(eth_hdr(skb)->h_proto); ++ skb_pull(skb, ETH_HLEN); ++ } ++ + /* mapping VLANs to MBIM sessions: + * no tag => IPS session <0> + * 1 - 255 => IPS session + * 256 - 511 => DSS session + * 512 - 4095 => unsupported, drop + */ +- vlan_get_tag(skb, &tci); +- + switch (tci & 0x0f00) { + case 0x0000: /* VLAN ID 0 - 255 */ +- /* verify that datagram is IPv4 or IPv6 */ +- skb_reset_mac_header(skb); +- switch (eth_hdr(skb)->h_proto) { +- case htons(ETH_P_IP): +- case htons(ETH_P_IPV6): +- break; +- default: ++ if (!is_ip) + goto error; +- } + c = (u8 *)&sign; + c[3] = tci; + break; +@@ -169,7 +187,6 @@ static struct sk_buff *cdc_mbim_tx_fixup + "unsupported tci=0x%04x\n", tci); + goto error; + } +- skb_pull(skb, ETH_HLEN); + } + + spin_lock_bh(&ctx->mtx); diff --git a/queue-3.10/net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch b/queue-3.10/net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch new file mode 100644 index 00000000000..66aeab809ce --- /dev/null +++ b/queue-3.10/net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch @@ -0,0 +1,50 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Florian Westphal +Date: Wed, 9 Apr 2014 10:28:50 +0200 +Subject: net: core: don't account for udp header size when computing seglen + +From: Florian Westphal + +[ Upstream commit 6d39d589bb76ee8a1c6cde6822006ae0053decff ] + +In case of tcp, gso_size contains the tcpmss. + +For UFO (udp fragmentation offloading) skbs, gso_size is the fragment +payload size, i.e. we must not account for udp header size. + +Otherwise, when using virtio drivers, a to-be-forwarded UFO GSO packet +will be needlessly fragmented in the forward path, because we think its +individual segments are too large for the outgoing link. + +Fixes: fe6cc55f3a9a053 ("net: ip, ipv6: handle gso skbs in forwarding path") +Cc: Eric Dumazet +Reported-by: Tobias Brunner +Signed-off-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3487,12 +3487,14 @@ EXPORT_SYMBOL(skb_try_coalesce); + unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) + { + const struct skb_shared_info *shinfo = skb_shinfo(skb); +- unsigned int hdr_len; + + if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) +- hdr_len = tcp_hdrlen(skb); +- else +- hdr_len = sizeof(struct udphdr); +- return hdr_len + shinfo->gso_size; ++ return tcp_hdrlen(skb) + shinfo->gso_size; ++ ++ /* UFO sets gso_size to the size of the fragmentation ++ * payload, i.e. the size of the L4 (UDP) header is already ++ * accounted for. ++ */ ++ return shinfo->gso_size; + } + EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); diff --git a/queue-3.10/net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch b/queue-3.10/net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch new file mode 100644 index 00000000000..bd1acf73a48 --- /dev/null +++ b/queue-3.10/net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch @@ -0,0 +1,66 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Andrew Lutomirski +Date: Wed, 16 Apr 2014 21:41:34 -0700 +Subject: net: Fix ns_capable check in sock_diag_put_filterinfo + +From: Andrew Lutomirski + +[ Upstream commit 78541c1dc60b65ecfce5a6a096fc260219d6784e ] + +The caller needs capabilities on the namespace being queried, not on +their own namespace. This is a security bug, although it likely has +only a minor impact. + +Cc: stable@vger.kernel.org +Signed-off-by: Andy Lutomirski +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sock_diag.h | 2 +- + net/core/sock_diag.c | 4 ++-- + net/packet/diag.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/sock_diag.h ++++ b/include/linux/sock_diag.h +@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u + void sock_diag_save_cookie(void *sk, __u32 *cookie); + + int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); +-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, ++int sock_diag_put_filterinfo(struct sock *sk, + struct sk_buff *skb, int attrtype); + + #endif +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *s + } + EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); + +-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, ++int sock_diag_put_filterinfo(struct sock *sk, + struct sk_buff *skb, int attrtype) + { + struct nlattr *attr; +@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user + unsigned int len; + int err = 0; + +- if (!ns_capable(user_ns, CAP_NET_ADMIN)) { ++ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + nla_reserve(skb, attrtype, 0); + return 0; + } +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -171,7 +171,7 @@ static int sk_diag_fill(struct sock *sk, + goto out_nlmsg_trim; + + if ((req->pdiag_show & PACKET_SHOW_FILTER) && +- sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) ++ sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) + goto out_nlmsg_trim; + + return nlmsg_end(skb, nlh); diff --git a/queue-3.10/net-gro-reset-skb-truesize-in-napi_reuse_skb.patch b/queue-3.10/net-gro-reset-skb-truesize-in-napi_reuse_skb.patch new file mode 100644 index 00000000000..5840360a379 --- /dev/null +++ b/queue-3.10/net-gro-reset-skb-truesize-in-napi_reuse_skb.patch @@ -0,0 +1,39 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Eric Dumazet +Date: Thu, 3 Apr 2014 09:28:10 -0700 +Subject: net-gro: reset skb->truesize in napi_reuse_skb() + +From: Eric Dumazet + +[ Upstream commit e33d0ba8047b049c9262fdb1fcafb93cb52ceceb ] + +Recycling skb always had been very tough... + +This time it appears GRO layer can accumulate skb->truesize +adjustments made by drivers when they attach a fragment to skb. + +skb_gro_receive() can only subtract from skb->truesize the used part +of a fragment. + +I spotted this problem seeing TcpExtPruneCalled and +TcpExtTCPRcvCollapsed that were unexpected with a recent kernel, where +TCP receive window should be sized properly to accept traffic coming +from a driver not overshooting skb->truesize. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3898,6 +3898,7 @@ static void napi_reuse_skb(struct napi_s + skb->vlan_tci = 0; + skb->dev = napi->dev; + skb->skb_iif = 0; ++ skb->truesize = SKB_TRUESIZE(skb_end_offset(skb)); + + napi->skb = skb; + } diff --git a/queue-3.10/net-ipv4-current-group_info-should-be-put-after-using.patch b/queue-3.10/net-ipv4-current-group_info-should-be-put-after-using.patch new file mode 100644 index 00000000000..63ca80abf77 --- /dev/null +++ b/queue-3.10/net-ipv4-current-group_info-should-be-put-after-using.patch @@ -0,0 +1,64 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: "Wang, Xiaoming" +Date: Mon, 14 Apr 2014 12:30:45 -0400 +Subject: net: ipv4: current group_info should be put after using. + +From: "Wang, Xiaoming" + +[ Upstream commit b04c46190219a4f845e46a459e3102137b7f6cac ] + +Plug a group_info refcount leak in ping_init. +group_info is only needed during initialization and +the code failed to release the reference on exit. +While here move grabbing the reference to a place +where it is actually needed. + +Signed-off-by: Chuansheng Liu +Signed-off-by: Zhang Dongxing +Signed-off-by: xiaoming wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -204,26 +204,33 @@ static int ping_init_sock(struct sock *s + { + struct net *net = sock_net(sk); + kgid_t group = current_egid(); +- struct group_info *group_info = get_current_groups(); +- int i, j, count = group_info->ngroups; ++ struct group_info *group_info; ++ int i, j, count; + kgid_t low, high; ++ int ret = 0; + + inet_get_ping_group_range_net(net, &low, &high); + if (gid_lte(low, group) && gid_lte(group, high)) + return 0; + ++ group_info = get_current_groups(); ++ count = group_info->ngroups; + for (i = 0; i < group_info->nblocks; i++) { + int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); + for (j = 0; j < cp_count; j++) { + kgid_t gid = group_info->blocks[i][j]; + if (gid_lte(low, gid) && gid_lte(gid, high)) +- return 0; ++ goto out_release_group; + } + + count -= cp_count; + } + +- return -EACCES; ++ ret = -EACCES; ++ ++out_release_group: ++ put_group_info(group_info); ++ return ret; + } + + static void ping_close(struct sock *sk, long timeout) diff --git a/queue-3.10/net-ipv4-ip_forward-fix-inverted-local_df-test.patch b/queue-3.10/net-ipv4-ip_forward-fix-inverted-local_df-test.patch new file mode 100644 index 00000000000..455b4797a57 --- /dev/null +++ b/queue-3.10/net-ipv4-ip_forward-fix-inverted-local_df-test.patch @@ -0,0 +1,47 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Florian Westphal +Date: Sun, 4 May 2014 23:24:31 +0200 +Subject: net: ipv4: ip_forward: fix inverted local_df test + +From: Florian Westphal + +[ Upstream commit ca6c5d4ad216d5942ae544bbf02503041bd802aa ] + +local_df means 'ignore DF bit if set', so if its set we're +allowed to perform ip fragmentation. + +This wasn't noticed earlier because the output path also drops such skbs +(and emits needed icmp error) and because netfilter ip defrag did not +set local_df until couple of days ago. + +Only difference is that DF-packets-larger-than MTU now discarded +earlier (f.e. we avoid pointless netfilter postrouting trip). + +While at it, drop the repeated test ip_exceeds_mtu, checking it once +is enough... + +Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path") +Signed-off-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_forward.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -42,12 +42,12 @@ + static bool ip_may_fragment(const struct sk_buff *skb) + { + return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) || +- !skb->local_df; ++ skb->local_df; + } + + static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu) + { +- if (skb->len <= mtu || skb->local_df) ++ if (skb->len <= mtu) + return false; + + if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) diff --git a/queue-3.10/net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch b/queue-3.10/net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch new file mode 100644 index 00000000000..c619eebf458 --- /dev/null +++ b/queue-3.10/net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch @@ -0,0 +1,49 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Florian Westphal +Date: Mon, 5 May 2014 00:03:34 +0200 +Subject: net: ipv6: send pkttoobig immediately if orig frag size > mtu + +From: Florian Westphal + +[ Upstream commit 418a31561d594a2b636c1e2fa94ecd9e1245abb1 ] + +If conntrack defragments incoming ipv6 frags it stores largest original +frag size in ip6cb and sets ->local_df. + +We must thus first test the largest original frag size vs. mtu, and not +vice versa. + +Without this patch PKTTOOBIG is still generated in ip6_fragment() later +in the stack, but + +1) IPSTATS_MIB_INTOOBIGERRORS won't increment +2) packet did (needlessly) traverse netfilter postrouting hook. + +Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path") +Signed-off-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -347,12 +347,16 @@ static inline int ip6_forward_finish(str + + static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu) + { +- if (skb->len <= mtu || skb->local_df) ++ if (skb->len <= mtu) + return false; + ++ /* ipv6 conntrack defrag sets max_frag_size + local_df */ + if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu) + return true; + ++ if (skb->local_df) ++ return false; ++ + if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) + return false; + diff --git a/queue-3.10/net-qmi_wwan-add-a-number-of-cmotech-devices.patch b/queue-3.10/net-qmi_wwan-add-a-number-of-cmotech-devices.patch new file mode 100644 index 00000000000..71df5a0515f --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-a-number-of-cmotech-devices.patch @@ -0,0 +1,48 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:33 +0200 +Subject: net: qmi_wwan: add a number of CMOTech devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 41be7d90993b1502d445bfc59e58348c258ce66a ] + +A number of older CMOTech modems are based on Qualcomm +chips and exporting a QMI/wwan function. + +Reported-by: Lars Melin +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -649,6 +649,22 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ ++ {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ ++ {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */ ++ {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */ ++ {QMI_FIXED_INTF(0x16d8, 0x6280, 0)}, /* CMOTech CHU-628 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7001, 0)}, /* CMOTech CHU-720S */ ++ {QMI_FIXED_INTF(0x16d8, 0x7002, 0)}, /* CMOTech 7002 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7003, 4)}, /* CMOTech CHU-629K */ ++ {QMI_FIXED_INTF(0x16d8, 0x7004, 3)}, /* CMOTech 7004 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7006, 5)}, /* CMOTech CGU-629 */ ++ {QMI_FIXED_INTF(0x16d8, 0x700a, 4)}, /* CMOTech CHU-629S */ ++ {QMI_FIXED_INTF(0x16d8, 0x7211, 0)}, /* CMOTech CHU-720I */ ++ {QMI_FIXED_INTF(0x16d8, 0x7212, 0)}, /* CMOTech 7212 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7213, 0)}, /* CMOTech 7213 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7251, 1)}, /* CMOTech 7251 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7252, 1)}, /* CMOTech 7252 */ ++ {QMI_FIXED_INTF(0x16d8, 0x7253, 1)}, /* CMOTech 7253 */ + {QMI_FIXED_INTF(0x19d2, 0x0002, 1)}, + {QMI_FIXED_INTF(0x19d2, 0x0012, 1)}, + {QMI_FIXED_INTF(0x19d2, 0x0017, 3)}, diff --git a/queue-3.10/net-qmi_wwan-add-a-number-of-dell-devices.patch b/queue-3.10/net-qmi_wwan-add-a-number-of-dell-devices.patch new file mode 100644 index 00000000000..baaecea120a --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-a-number-of-dell-devices.patch @@ -0,0 +1,55 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:34 +0200 +Subject: net: qmi_wwan: add a number of Dell devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 6f10c5d1b1aeddb63d33070abb8bc5a177beeb1f ] + +Dan writes: + +"The Dell drivers use the same configuration for PIDs: + +81A2: Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card +81A3: Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card +81A4: Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card +81A8: Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card +81A9: Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card + +These devices are all clearly Sierra devices, but are also definitely +Gobi-based. The A8 might be the MC7700/7710 and A9 is likely a MC7750. + +>From DellGobi5kSetup.exe from the Dell drivers: + +usbif0: serial/firmware loader? +usbif2: nmea +usbif3: modem/ppp +usbif8: net/QMI" + +Reported-by: AceLan Kao +Reported-by: Dan Williams +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -743,6 +743,11 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */ + {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */ + {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */ ++ {QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ ++ {QMI_FIXED_INTF(0x413c, 0x81a3, 8)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ ++ {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ ++ {QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */ ++ {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-3.10/net-qmi_wwan-add-alcatel-l800ma.patch b/queue-3.10/net-qmi_wwan-add-alcatel-l800ma.patch new file mode 100644 index 00000000000..ed91e2eb2cb --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-alcatel-l800ma.patch @@ -0,0 +1,35 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:32 +0200 +Subject: net: qmi_wwan: add Alcatel L800MA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 75573660c47a0db7cc931dcf154945610e02130a ] + +Device interface layout: +0: ff/ff/ff - serial +1: ff/00/00 - serial AT+PPP +2: ff/ff/ff - QMI/wwan +3: 08/06/50 - storage + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -718,6 +718,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */ + {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ ++ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ diff --git a/queue-3.10/net-qmi_wwan-add-olivetti-olicard-500.patch b/queue-3.10/net-qmi_wwan-add-olivetti-olicard-500.patch new file mode 100644 index 00000000000..721a90e5ba5 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-olivetti-olicard-500.patch @@ -0,0 +1,37 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:31 +0200 +Subject: net: qmi_wwan: add Olivetti Olicard 500 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit efc0b25c3add97717ece57bf5319792ca98f348e ] + +Device interface layout: +0: ff/ff/ff - serial +1: ff/ff/ff - serial AT+PPP +2: 08/06/50 - storage +3: ff/ff/ff - serial +4: ff/ff/ff - QMI/wwan + +Reported-by: Julio Araujo +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -723,6 +723,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */ ++ {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */ + {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */ + {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */ + diff --git a/queue-3.10/net-qmi_wwan-add-option-gtm681w.patch b/queue-3.10/net-qmi_wwan-add-option-gtm681w.patch new file mode 100644 index 00000000000..87a2f12055e --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-option-gtm681w.patch @@ -0,0 +1,32 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 28 Jun 2013 17:17:50 +0200 +Subject: net: qmi_wwan: add Option GTM681W +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit aa3aba1cbcbe823bba623c7cab33d84ddf0fb6cd ] + +A standard Gobi 3000 reference design module. + +Reported-by: Richard Weinberger +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -747,6 +747,7 @@ static const struct usb_device_id produc + {QMI_GOBI_DEVICE(0x05c6, 0x9265)}, /* Asus Gobi 2000 Modem device (VR305) */ + {QMI_GOBI_DEVICE(0x05c6, 0x9235)}, /* Top Global Gobi 2000 Modem device (VR306) */ + {QMI_GOBI_DEVICE(0x05c6, 0x9275)}, /* iRex Technologies Gobi 2000 Modem device (VR307) */ ++ {QMI_GOBI_DEVICE(0x0af0, 0x8120)}, /* Option GTM681W */ + {QMI_GOBI_DEVICE(0x1199, 0x68a5)}, /* Sierra Wireless Modem */ + {QMI_GOBI_DEVICE(0x1199, 0x68a9)}, /* Sierra Wireless Modem */ + {QMI_GOBI_DEVICE(0x1199, 0x9001)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ diff --git a/queue-3.10/net-qmi_wwan-add-sierra-wireless-em7355.patch b/queue-3.10/net-qmi_wwan-add-sierra-wireless-em7355.patch new file mode 100644 index 00000000000..e07a6d5a6c9 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-sierra-wireless-em7355.patch @@ -0,0 +1,29 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:28 +0200 +Subject: net: qmi_wwan: add Sierra Wireless EM7355 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit b85f5deaf052340021d025e120a9858f084a1d79 ] + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -711,6 +711,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */ + {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */ ++ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */ + {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ diff --git a/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch b/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch new file mode 100644 index 00000000000..3683bb5bbc8 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch @@ -0,0 +1,29 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:30 +0200 +Subject: net: qmi_wwan: add Sierra Wireless MC7305/MC7355 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 9214224e43e4264b02686ea8b455f310935607b5 ] + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -715,6 +715,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x68c0, 11)}, /* Sierra Wireless MC73xx */ + {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */ + {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */ ++ {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */ + {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ diff --git a/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc73xx.patch b/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc73xx.patch new file mode 100644 index 00000000000..c8235565d84 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-sierra-wireless-mc73xx.patch @@ -0,0 +1,31 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 25 Apr 2014 19:00:29 +0200 +Subject: net: qmi_wwan: add Sierra Wireless MC73xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 1c138607a7be64074d7fba68d0d533ec38f9d17b ] + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -710,6 +710,9 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */ ++ {QMI_FIXED_INTF(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC73xx */ ++ {QMI_FIXED_INTF(0x1199, 0x68c0, 10)}, /* Sierra Wireless MC73xx */ ++ {QMI_FIXED_INTF(0x1199, 0x68c0, 11)}, /* Sierra Wireless MC73xx */ + {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */ + {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */ + {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */ diff --git a/queue-3.10/net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch b/queue-3.10/net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch new file mode 100644 index 00000000000..af1f807fbd2 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch @@ -0,0 +1,37 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Aleksander Morgado +Date: Wed, 12 Feb 2014 15:55:14 +0100 +Subject: net: qmi_wwan: add support for Cinterion PXS8 and PHS8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Morgado + +[ Upstream commit 9b2b6a2d669c909dd0b125fc834da94bcfc0aee7 ] + +When the PXS8 and PHS8 devices show up with PID 0x0053 they will expose both a +QMI port and a WWAN interface. + +CC: Hans-Christoph Schemmel +CC: Christian Schmiedl +CC: Nicolaus Colberg +CC: David McCullough +Signed-off-by: Aleksander Morgado +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -719,6 +719,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */ + {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */ ++ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-3.10/net-qmi_wwan-add-telit-le920-newer-firmware-support.patch b/queue-3.10/net-qmi_wwan-add-telit-le920-newer-firmware-support.patch new file mode 100644 index 00000000000..cf776ff72d7 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-telit-le920-newer-firmware-support.patch @@ -0,0 +1,32 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Fabio Porcedda +Date: Wed, 25 Sep 2013 11:21:25 +0200 +Subject: net: qmi_wwan: add Telit LE920 newer firmware support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabio Porcedda + +[ Upstream commit 905468fa4d54c3e572ed3045cd47cce37780716e ] + +Newer firmware use a new pid and a different interface. + +Signed-off-by: Fabio Porcedda +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -715,6 +715,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ ++ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */ + + /* 4. Gobi 1000 devices */ diff --git a/queue-3.10/net-qmi_wwan-add-tp-link-ma260.patch b/queue-3.10/net-qmi_wwan-add-tp-link-ma260.patch new file mode 100644 index 00000000000..909ffd0e680 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-tp-link-ma260.patch @@ -0,0 +1,29 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 28 Jun 2013 17:17:51 +0200 +Subject: net: qmi_wwan: add TP-LINK MA260 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit d0b5e516298fba30774e2df22cfbd00ecb09c298 ] + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -712,6 +712,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ ++ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */ + diff --git a/queue-3.10/net-qmi_wwan-add-zte-mf667.patch b/queue-3.10/net-qmi_wwan-add-zte-mf667.patch new file mode 100644 index 00000000000..69644a13c22 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-add-zte-mf667.patch @@ -0,0 +1,40 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Raymond Wanyoike +Date: Sun, 9 Feb 2014 00:01:02 +0300 +Subject: net: qmi_wwan: add ZTE MF667 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Raymond Wanyoike + +[ Upstream commit 7653aabfbdc73c1567e29a9790701f5898ba1420 ] + +The driver description files give these descriptions to the vendor specific +ports on this modem: + + VID_19D2&PID_1270&MI_00: "ZTE MF667 Diagnostics Port" + VID_19D2&PID_1270&MI_01: "ZTE MF667 AT Port" + VID_19D2&PID_1270&MI_02: "ZTE MF667 ATExt2 Port" + VID_19D2&PID_1270&MI_03: "ZTE MF667 ATExt Port" + VID_19D2&PID_1270&MI_04: "ZTE MF667 USB Modem" + VID_19D2&PID_1270&MI_05: "ZTE MF667 Network Adapter" + +Signed-off-by: Raymond Wanyoike +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -699,6 +699,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x1255, 3)}, + {QMI_FIXED_INTF(0x19d2, 0x1255, 4)}, + {QMI_FIXED_INTF(0x19d2, 0x1256, 4)}, ++ {QMI_FIXED_INTF(0x19d2, 0x1270, 5)}, /* ZTE MF667 */ + {QMI_FIXED_INTF(0x19d2, 0x1401, 2)}, + {QMI_FIXED_INTF(0x19d2, 0x1402, 2)}, /* ZTE MF60 */ + {QMI_FIXED_INTF(0x19d2, 0x1424, 2)}, diff --git a/queue-3.10/net-qmi_wwan-fix-cinterion-plxx-product-id.patch b/queue-3.10/net-qmi_wwan-fix-cinterion-plxx-product-id.patch new file mode 100644 index 00000000000..f8e5fcd889c --- /dev/null +++ b/queue-3.10/net-qmi_wwan-fix-cinterion-plxx-product-id.patch @@ -0,0 +1,41 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Aleksander Morgado +Date: Wed, 25 Sep 2013 17:02:36 +0200 +Subject: net: qmi_wwan: fix Cinterion PLXX product ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Morgado + +[ Upstream commit 2d77f343343c4f38b8f94be1964bbbc6456a147f ] + +Cinterion PLXX LTE devices have a 0x0060 product ID, not 0x12d1. + +The blacklisting in the serial/option driver does actually use the correct PID, +as per commit 8ff10bdb14a52e3f25d4ce09e0582a8684c1a6db ('USB: Blacklisted +Cinterion's PLxx WWAN Interface'). + +CC: Hans-Christoph Schemmel +CC: Christian Schmiedl +CC: Nicolaus Colberg +Signed-off-by: Aleksander Morgado +Acked-by: Bjørn Mork +Acked-by: Christian Schmiedl +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -716,7 +716,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ +- {QMI_FIXED_INTF(0x1e2d, 0x12d1, 4)}, /* Cinterion PLxx */ ++ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-3.10/net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch b/queue-3.10/net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch new file mode 100644 index 00000000000..6cea2128b51 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch @@ -0,0 +1,41 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 28 Jun 2013 17:17:49 +0200 +Subject: net: qmi_wwan: fixup Sierra Wireless MC8305 entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= + +[ Upstream commit 5a008ffa73b4401251d548c10cadac6f8a67cfb5 ] + +The MC8305 module got an additional entry added based solely on +information from a Windows driver *.inf file. We now have the +actual descriptor layout from one of these modules, and it +consists of two alternate configurations where cfg #1 is a +normal Gobi 2k layout and cfg #2 is MBIM only, using interface +numbers 5 and 6 for MBIM control and data. The extra Windows +driver entry for interface number 5 was most likely a bug. + +Deleting the bogus entry to avoid unnecessary qmi_wwan probe +failures when using the MBIM configuration. + +Reported-by: Lana Black +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -760,7 +760,6 @@ static const struct usb_device_id produc + {QMI_GOBI_DEVICE(0x1199, 0x9009)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ + {QMI_GOBI_DEVICE(0x1199, 0x900a)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ + {QMI_GOBI_DEVICE(0x1199, 0x9011)}, /* Sierra Wireless Gobi 2000 Modem device (MC8305) */ +- {QMI_FIXED_INTF(0x1199, 0x9011, 5)}, /* alternate interface number!? */ + {QMI_GOBI_DEVICE(0x16d8, 0x8002)}, /* CMDTech Gobi 2000 Modem device (VU922) */ + {QMI_GOBI_DEVICE(0x05c6, 0x9205)}, /* Gobi 2000 Modem device */ + {QMI_GOBI_DEVICE(0x1199, 0x9013)}, /* Sierra Wireless Gobi 3000 Modem device (MC8355) */ diff --git a/queue-3.10/net-qmi_wwan-olivetti-olicard-200-support.patch b/queue-3.10/net-qmi_wwan-olivetti-olicard-200-support.patch new file mode 100644 index 00000000000..d98006319f8 --- /dev/null +++ b/queue-3.10/net-qmi_wwan-olivetti-olicard-200-support.patch @@ -0,0 +1,33 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Enrico Mioso +Date: Tue, 15 Oct 2013 15:06:48 +0200 +Subject: net: qmi_wwan: Olivetti Olicard 200 support + +From: Enrico Mioso + +[ Upstream commit ce97fef4235378108ed3bd96e1b3eab8fd0a1fbd ] + +This is a QMI device, manufactured by TCT Mobile Phones. +A companion patch blacklisting this device's QMI interface in the option.c +driver has been sent. + +Signed-off-by: Enrico Mioso +Signed-off-by: Antonella Pellizzari +Tested-by: Dan Williams +Acked-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -716,6 +716,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ ++ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */ + {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */ + + /* 4. Gobi 1000 devices */ diff --git a/queue-3.10/net-sctp-cache-auth_enable-per-endpoint.patch b/queue-3.10/net-sctp-cache-auth_enable-per-endpoint.patch new file mode 100644 index 00000000000..49cbc5ec852 --- /dev/null +++ b/queue-3.10/net-sctp-cache-auth_enable-per-endpoint.patch @@ -0,0 +1,607 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Vlad Yasevich +Date: Thu, 17 Apr 2014 17:26:50 +0200 +Subject: net: sctp: cache auth_enable per endpoint + +From: Vlad Yasevich + +[ Upstream commit b14878ccb7fac0242db82720b784ab62c467c0dc ] + +Currently, it is possible to create an SCTP socket, then switch +auth_enable via sysctl setting to 1 and crash the system on connect: + +Oops[#1]: +CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1 +task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000 +[...] +Call Trace: +[] sctp_auth_asoc_set_default_hmac+0x68/0x80 +[] sctp_process_init+0x5e0/0x8a4 +[] sctp_sf_do_5_1B_init+0x234/0x34c +[] sctp_do_sm+0xb4/0x1e8 +[] sctp_endpoint_bh_rcv+0x1c4/0x214 +[] sctp_rcv+0x588/0x630 +[] sctp6_rcv+0x10/0x24 +[] ip6_input+0x2c0/0x440 +[] __netif_receive_skb_core+0x4a8/0x564 +[] process_backlog+0xb4/0x18c +[] net_rx_action+0x12c/0x210 +[] __do_softirq+0x17c/0x2ac +[] irq_exit+0x54/0xb0 +[] ret_from_irq+0x0/0x4 +[] rm7k_wait_irqoff+0x24/0x48 +[] cpu_startup_entry+0xc0/0x148 +[] start_kernel+0x37c/0x398 +Code: dd0900b8 000330f8 0126302d 50c0fff1 0047182a a48306a0 +03e00008 00000000 +---[ end trace b530b0551467f2fd ]--- +Kernel panic - not syncing: Fatal exception in interrupt + +What happens while auth_enable=0 in that case is, that +ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs() +when endpoint is being created. + +After that point, if an admin switches over to auth_enable=1, +the machine can crash due to NULL pointer dereference during +reception of an INIT chunk. When we enter sctp_process_init() +via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk, +the INIT verification succeeds and while we walk and process +all INIT params via sctp_process_param() we find that +net->sctp.auth_enable is set, therefore do not fall through, +but invoke sctp_auth_asoc_set_default_hmac() instead, and thus, +dereference what we have set to NULL during endpoint +initialization phase. + +The fix is to make auth_enable immutable by caching its value +during endpoint initialization, so that its original value is +being carried along until destruction. The bug seems to originate +from the very first days. + +Fix in joint work with Daniel Borkmann. + +Reported-by: Joshua Kinard +Signed-off-by: Vlad Yasevich +Signed-off-by: Daniel Borkmann +Acked-by: Neil Horman +Tested-by: Joshua Kinard +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/structs.h | 4 ++- + net/sctp/auth.c | 17 +++++--------- + net/sctp/endpointola.c | 3 +- + net/sctp/sm_make_chunk.c | 32 ++++++++++++++------------ + net/sctp/sm_statefuns.c | 6 ++--- + net/sctp/socket.c | 54 +++++++++++++++++++++------------------------ + net/sctp/sysctl.c | 38 ++++++++++++++++++++++++++++++- + 7 files changed, 93 insertions(+), 61 deletions(-) + +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -1252,6 +1252,7 @@ struct sctp_endpoint { + /* SCTP-AUTH: endpoint shared keys */ + struct list_head endpoint_shared_keys; + __u16 active_key_id; ++ __u8 auth_enable; + }; + + /* Recover the outter endpoint structure. */ +@@ -1280,7 +1281,8 @@ struct sctp_endpoint *sctp_endpoint_is_m + int sctp_has_association(struct net *net, const union sctp_addr *laddr, + const union sctp_addr *paddr); + +-int sctp_verify_init(struct net *net, const struct sctp_association *asoc, ++int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep, ++ const struct sctp_association *asoc, + sctp_cid_t, sctp_init_chunk_t *peer_init, + struct sctp_chunk *chunk, struct sctp_chunk **err_chunk); + int sctp_process_init(struct sctp_association *, struct sctp_chunk *chunk, +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -393,14 +393,13 @@ nomem: + */ + int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp) + { +- struct net *net = sock_net(asoc->base.sk); + struct sctp_auth_bytes *secret; + struct sctp_shared_key *ep_key; + + /* If we don't support AUTH, or peer is not capable + * we don't need to do anything. + */ +- if (!net->sctp.auth_enable || !asoc->peer.auth_capable) ++ if (!asoc->ep->auth_enable || !asoc->peer.auth_capable) + return 0; + + /* If the key_id is non-zero and we couldn't find an +@@ -447,16 +446,16 @@ struct sctp_shared_key *sctp_auth_get_sh + */ + int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp) + { +- struct net *net = sock_net(ep->base.sk); + struct crypto_hash *tfm = NULL; + __u16 id; + +- /* if the transforms are already allocted, we are done */ +- if (!net->sctp.auth_enable) { ++ /* If AUTH extension is disabled, we are done */ ++ if (!ep->auth_enable) { + ep->auth_hmacs = NULL; + return 0; + } + ++ /* If the transforms are already allocated, we are done */ + if (ep->auth_hmacs) + return 0; + +@@ -677,12 +676,10 @@ static int __sctp_auth_cid(sctp_cid_t ch + /* Check if peer requested that this chunk is authenticated */ + int sctp_auth_send_cid(sctp_cid_t chunk, const struct sctp_association *asoc) + { +- struct net *net; + if (!asoc) + return 0; + +- net = sock_net(asoc->base.sk); +- if (!net->sctp.auth_enable || !asoc->peer.auth_capable) ++ if (!asoc->ep->auth_enable || !asoc->peer.auth_capable) + return 0; + + return __sctp_auth_cid(chunk, asoc->peer.peer_chunks); +@@ -691,12 +688,10 @@ int sctp_auth_send_cid(sctp_cid_t chunk, + /* Check if we requested that peer authenticate this chunk. */ + int sctp_auth_recv_cid(sctp_cid_t chunk, const struct sctp_association *asoc) + { +- struct net *net; + if (!asoc) + return 0; + +- net = sock_net(asoc->base.sk); +- if (!net->sctp.auth_enable) ++ if (!asoc->ep->auth_enable) + return 0; + + return __sctp_auth_cid(chunk, +--- a/net/sctp/endpointola.c ++++ b/net/sctp/endpointola.c +@@ -75,7 +75,8 @@ static struct sctp_endpoint *sctp_endpoi + if (!ep->digest) + return NULL; + +- if (net->sctp.auth_enable) { ++ ep->auth_enable = net->sctp.auth_enable; ++ if (ep->auth_enable) { + /* Allocate space for HMACS and CHUNKS authentication + * variables. There are arrays that we encode directly + * into parameters to make the rest of the operations easier. +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -199,6 +199,7 @@ struct sctp_chunk *sctp_make_init(const + gfp_t gfp, int vparam_len) + { + struct net *net = sock_net(asoc->base.sk); ++ struct sctp_endpoint *ep = asoc->ep; + sctp_inithdr_t init; + union sctp_params addrs; + size_t chunksize; +@@ -258,7 +259,7 @@ struct sctp_chunk *sctp_make_init(const + chunksize += vparam_len; + + /* Account for AUTH related parameters */ +- if (net->sctp.auth_enable) { ++ if (ep->auth_enable) { + /* Add random parameter length*/ + chunksize += sizeof(asoc->c.auth_random); + +@@ -343,7 +344,7 @@ struct sctp_chunk *sctp_make_init(const + } + + /* Add SCTP-AUTH chunks to the parameter list */ +- if (net->sctp.auth_enable) { ++ if (ep->auth_enable) { + sctp_addto_chunk(retval, sizeof(asoc->c.auth_random), + asoc->c.auth_random); + if (auth_hmacs) +@@ -1995,7 +1996,7 @@ static void sctp_process_ext_param(struc + /* if the peer reports AUTH, assume that he + * supports AUTH. + */ +- if (net->sctp.auth_enable) ++ if (asoc->ep->auth_enable) + asoc->peer.auth_capable = 1; + break; + case SCTP_CID_ASCONF: +@@ -2087,6 +2088,7 @@ static sctp_ierror_t sctp_process_unk_pa + * SCTP_IERROR_NO_ERROR - continue with the chunk + */ + static sctp_ierror_t sctp_verify_param(struct net *net, ++ const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + union sctp_params param, + sctp_cid_t cid, +@@ -2137,7 +2139,7 @@ static sctp_ierror_t sctp_verify_param(s + goto fallthrough; + + case SCTP_PARAM_RANDOM: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fallthrough; + + /* SCTP-AUTH: Secion 6.1 +@@ -2154,7 +2156,7 @@ static sctp_ierror_t sctp_verify_param(s + break; + + case SCTP_PARAM_CHUNKS: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fallthrough; + + /* SCTP-AUTH: Section 3.2 +@@ -2170,7 +2172,7 @@ static sctp_ierror_t sctp_verify_param(s + break; + + case SCTP_PARAM_HMAC_ALGO: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fallthrough; + + hmacs = (struct sctp_hmac_algo_param *)param.p; +@@ -2204,10 +2206,9 @@ fallthrough: + } + + /* Verify the INIT packet before we process it. */ +-int sctp_verify_init(struct net *net, const struct sctp_association *asoc, +- sctp_cid_t cid, +- sctp_init_chunk_t *peer_init, +- struct sctp_chunk *chunk, ++int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep, ++ const struct sctp_association *asoc, sctp_cid_t cid, ++ sctp_init_chunk_t *peer_init, struct sctp_chunk *chunk, + struct sctp_chunk **errp) + { + union sctp_params param; +@@ -2250,8 +2251,8 @@ int sctp_verify_init(struct net *net, co + + /* Verify all the variable length parameters */ + sctp_walk_params(param, peer_init, init_hdr.params) { +- +- result = sctp_verify_param(net, asoc, param, cid, chunk, errp); ++ result = sctp_verify_param(net, ep, asoc, param, cid, ++ chunk, errp); + switch (result) { + case SCTP_IERROR_ABORT: + case SCTP_IERROR_NOMEM: +@@ -2483,6 +2484,7 @@ static int sctp_process_param(struct sct + struct sctp_af *af; + union sctp_addr_param *addr_param; + struct sctp_transport *t; ++ struct sctp_endpoint *ep = asoc->ep; + + /* We maintain all INIT parameters in network byte order all the + * time. This allows us to not worry about whether the parameters +@@ -2623,7 +2625,7 @@ do_addr_param: + goto fall_through; + + case SCTP_PARAM_RANDOM: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fall_through; + + /* Save peer's random parameter */ +@@ -2636,7 +2638,7 @@ do_addr_param: + break; + + case SCTP_PARAM_HMAC_ALGO: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fall_through; + + /* Save peer's HMAC list */ +@@ -2652,7 +2654,7 @@ do_addr_param: + break; + + case SCTP_PARAM_CHUNKS: +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + goto fall_through; + + asoc->peer.peer_chunks = kmemdup(param.p, +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -364,7 +364,7 @@ sctp_disposition_t sctp_sf_do_5_1B_init( + + /* Verify the INIT chunk before processing it. */ + err_chunk = NULL; +- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type, ++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, + (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, + &err_chunk)) { + /* This chunk contains fatal error. It is to be discarded. +@@ -531,7 +531,7 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(s + + /* Verify the INIT chunk before processing it. */ + err_chunk = NULL; +- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type, ++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, + (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, + &err_chunk)) { + +@@ -1437,7 +1437,7 @@ static sctp_disposition_t sctp_sf_do_une + + /* Verify the INIT chunk before processing it. */ + err_chunk = NULL; +- if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type, ++ if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, + (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, + &err_chunk)) { + /* This chunk contains fatal error. It is to be discarded. +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -3318,10 +3318,10 @@ static int sctp_setsockopt_auth_chunk(st + char __user *optval, + unsigned int optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authchunk val; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (optlen != sizeof(struct sctp_authchunk)) +@@ -3338,7 +3338,7 @@ static int sctp_setsockopt_auth_chunk(st + } + + /* add this chunk id to the endpoint */ +- return sctp_auth_ep_add_chunkid(sctp_sk(sk)->ep, val.sauth_chunk); ++ return sctp_auth_ep_add_chunkid(ep, val.sauth_chunk); + } + + /* +@@ -3351,12 +3351,12 @@ static int sctp_setsockopt_hmac_ident(st + char __user *optval, + unsigned int optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_hmacalgo *hmacs; + u32 idents; + int err; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (optlen < sizeof(struct sctp_hmacalgo)) +@@ -3373,7 +3373,7 @@ static int sctp_setsockopt_hmac_ident(st + goto out; + } + +- err = sctp_auth_ep_set_hmacs(sctp_sk(sk)->ep, hmacs); ++ err = sctp_auth_ep_set_hmacs(ep, hmacs); + out: + kfree(hmacs); + return err; +@@ -3389,12 +3389,12 @@ static int sctp_setsockopt_auth_key(stru + char __user *optval, + unsigned int optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authkey *authkey; + struct sctp_association *asoc; + int ret; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (optlen <= sizeof(struct sctp_authkey)) +@@ -3415,7 +3415,7 @@ static int sctp_setsockopt_auth_key(stru + goto out; + } + +- ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey); ++ ret = sctp_auth_set_key(ep, asoc, authkey); + out: + kzfree(authkey); + return ret; +@@ -3431,11 +3431,11 @@ static int sctp_setsockopt_active_key(st + char __user *optval, + unsigned int optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authkeyid val; + struct sctp_association *asoc; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (optlen != sizeof(struct sctp_authkeyid)) +@@ -3447,8 +3447,7 @@ static int sctp_setsockopt_active_key(st + if (!asoc && val.scact_assoc_id && sctp_style(sk, UDP)) + return -EINVAL; + +- return sctp_auth_set_active_key(sctp_sk(sk)->ep, asoc, +- val.scact_keynumber); ++ return sctp_auth_set_active_key(ep, asoc, val.scact_keynumber); + } + + /* +@@ -3460,11 +3459,11 @@ static int sctp_setsockopt_del_key(struc + char __user *optval, + unsigned int optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authkeyid val; + struct sctp_association *asoc; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (optlen != sizeof(struct sctp_authkeyid)) +@@ -3476,8 +3475,7 @@ static int sctp_setsockopt_del_key(struc + if (!asoc && val.scact_assoc_id && sctp_style(sk, UDP)) + return -EINVAL; + +- return sctp_auth_del_key_id(sctp_sk(sk)->ep, asoc, +- val.scact_keynumber); ++ return sctp_auth_del_key_id(ep, asoc, val.scact_keynumber); + + } + +@@ -5368,16 +5366,16 @@ static int sctp_getsockopt_maxburst(stru + static int sctp_getsockopt_hmac_ident(struct sock *sk, int len, + char __user *optval, int __user *optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_hmacalgo __user *p = (void __user *)optval; + struct sctp_hmac_algo_param *hmacs; + __u16 data_len = 0; + u32 num_idents; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + +- hmacs = sctp_sk(sk)->ep->auth_hmacs_list; ++ hmacs = ep->auth_hmacs_list; + data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t); + + if (len < sizeof(struct sctp_hmacalgo) + data_len) +@@ -5398,11 +5396,11 @@ static int sctp_getsockopt_hmac_ident(st + static int sctp_getsockopt_active_key(struct sock *sk, int len, + char __user *optval, int __user *optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authkeyid val; + struct sctp_association *asoc; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (len < sizeof(struct sctp_authkeyid)) +@@ -5417,7 +5415,7 @@ static int sctp_getsockopt_active_key(st + if (asoc) + val.scact_keynumber = asoc->active_key_id; + else +- val.scact_keynumber = sctp_sk(sk)->ep->active_key_id; ++ val.scact_keynumber = ep->active_key_id; + + len = sizeof(struct sctp_authkeyid); + if (put_user(len, optlen)) +@@ -5431,7 +5429,7 @@ static int sctp_getsockopt_active_key(st + static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len, + char __user *optval, int __user *optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authchunks __user *p = (void __user *)optval; + struct sctp_authchunks val; + struct sctp_association *asoc; +@@ -5439,7 +5437,7 @@ static int sctp_getsockopt_peer_auth_chu + u32 num_chunks = 0; + char __user *to; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (len < sizeof(struct sctp_authchunks)) +@@ -5475,7 +5473,7 @@ num: + static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len, + char __user *optval, int __user *optlen) + { +- struct net *net = sock_net(sk); ++ struct sctp_endpoint *ep = sctp_sk(sk)->ep; + struct sctp_authchunks __user *p = (void __user *)optval; + struct sctp_authchunks val; + struct sctp_association *asoc; +@@ -5483,7 +5481,7 @@ static int sctp_getsockopt_local_auth_ch + u32 num_chunks = 0; + char __user *to; + +- if (!net->sctp.auth_enable) ++ if (!ep->auth_enable) + return -EACCES; + + if (len < sizeof(struct sctp_authchunks)) +@@ -5500,7 +5498,7 @@ static int sctp_getsockopt_local_auth_ch + if (asoc) + ch = (struct sctp_chunks_param*)asoc->c.auth_chunks; + else +- ch = sctp_sk(sk)->ep->auth_chunk_list; ++ ch = ep->auth_chunk_list; + + if (!ch) + goto num; +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -65,8 +65,11 @@ extern int sysctl_sctp_wmem[3]; + static int proc_sctp_do_hmac_alg(ctl_table *ctl, + int write, + void __user *buffer, size_t *lenp, +- + loff_t *ppos); ++static int proc_sctp_do_auth(struct ctl_table *ctl, int write, ++ void __user *buffer, size_t *lenp, ++ loff_t *ppos); ++ + static ctl_table sctp_table[] = { + { + .procname = "sctp_mem", +@@ -267,7 +270,7 @@ static ctl_table sctp_net_table[] = { + .data = &init_net.sctp.auth_enable, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_sctp_do_auth, + }, + { + .procname = "addr_scope_policy", +@@ -346,6 +349,37 @@ static int proc_sctp_do_hmac_alg(ctl_tab + } + + return ret; ++} ++ ++static int proc_sctp_do_auth(struct ctl_table *ctl, int write, ++ void __user *buffer, size_t *lenp, ++ loff_t *ppos) ++{ ++ struct net *net = current->nsproxy->net_ns; ++ struct ctl_table tbl; ++ int new_value, ret; ++ ++ memset(&tbl, 0, sizeof(struct ctl_table)); ++ tbl.maxlen = sizeof(unsigned int); ++ ++ if (write) ++ tbl.data = &new_value; ++ else ++ tbl.data = &net->sctp.auth_enable; ++ ++ ret = proc_dointvec(&tbl, write, buffer, lenp, ppos); ++ ++ if (write) { ++ struct sock *sk = net->sctp.ctl_sock; ++ ++ net->sctp.auth_enable = new_value; ++ /* Update the value in the control socket */ ++ lock_sock(sk); ++ sctp_sk(sk)->ep->auth_enable = new_value; ++ release_sock(sk); ++ } ++ ++ return ret; + } + + int sctp_sysctl_net_register(struct net *net) diff --git a/queue-3.10/net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch b/queue-3.10/net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch new file mode 100644 index 00000000000..0714f9bddd4 --- /dev/null +++ b/queue-3.10/net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch @@ -0,0 +1,81 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Daniel Borkmann +Date: Wed, 9 Apr 2014 16:10:20 +0200 +Subject: net: sctp: test if association is dead in sctp_wake_up_waiters + +From: Daniel Borkmann + +[ Upstream commit 1e1cdf8ac78793e0875465e98a648df64694a8d0 ] + +In function sctp_wake_up_waiters(), we need to involve a test +if the association is declared dead. If so, we don't have any +reference to a possible sibling association anymore and need +to invoke sctp_write_space() instead, and normally walk the +socket's associations and notify them of new wmem space. The +reason for special casing is that otherwise, we could run +into the following issue when a sctp_primitive_SEND() call +from sctp_sendmsg() fails, and tries to flush an association's +outq, i.e. in the following way: + +sctp_association_free() +`-> list_del(&asoc->asocs) <-- poisons list pointer + asoc->base.dead = true + sctp_outq_free(&asoc->outqueue) + `-> __sctp_outq_teardown() + `-> sctp_chunk_free() + `-> consume_skb() + `-> sctp_wfree() + `-> sctp_wake_up_waiters() <-- dereferences poisoned pointers + if asoc->ep->sndbuf_policy=0 + +Therefore, only walk the list in an 'optimized' way if we find +that the current association is still active. We could also use +list_del_init() in addition when we call sctp_association_free(), +but as Vlad suggests, we want to trap such bugs and thus leave +it poisoned as is. + +Why is it safe to resolve the issue by testing for asoc->base.dead? +Parallel calls to sctp_sendmsg() are protected under socket lock, +that is lock_sock()/release_sock(). Only within that path under +lock held, we're setting skb/chunk owner via sctp_set_owner_w(). +Eventually, chunks are freed directly by an association still +under that lock. So when traversing association list on destruction +time from sctp_wake_up_waiters() via sctp_wfree(), a different +CPU can't be running sctp_wfree() while another one calls +sctp_association_free() as both happens under the same lock. +Therefore, this can also not race with setting/testing against +asoc->base.dead as we are guaranteed for this to happen in order, +under lock. Further, Vlad says: the times we check asoc->base.dead +is when we've cached an association pointer for later processing. +In between cache and processing, the association may have been +freed and is simply still around due to reference counts. We check +asoc->base.dead under a lock, so it should always be safe to check +and not race against sctp_association_free(). Stress-testing seems +fine now, too. + +Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket") +Signed-off-by: Daniel Borkmann +Cc: Vlad Yasevich +Acked-by: Neil Horman +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -6593,6 +6593,12 @@ static void sctp_wake_up_waiters(struct + if (asoc->ep->sndbuf_policy) + return __sctp_write_space(asoc); + ++ /* If association goes down and is just flushing its ++ * outq, then just normally notify others. ++ */ ++ if (asoc->base.dead) ++ return sctp_write_space(sk); ++ + /* Accounting for the sndbuf space is per socket, so we + * need to wake up others, try to be fair and in case of + * other associations, let them have a go first instead diff --git a/queue-3.10/net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch b/queue-3.10/net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch new file mode 100644 index 00000000000..6d65411ecd3 --- /dev/null +++ b/queue-3.10/net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch @@ -0,0 +1,116 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Daniel Borkmann +Date: Tue, 8 Apr 2014 17:26:13 +0200 +Subject: net: sctp: wake up all assocs if sndbuf policy is per socket + +From: Daniel Borkmann + +[ Upstream commit 52c35befb69b005c3fc5afdaae3a5717ad013411 ] + +SCTP charges chunks for wmem accounting via skb->truesize in +sctp_set_owner_w(), and sctp_wfree() respectively as the +reverse operation. If a sender runs out of wmem, it needs to +wait via sctp_wait_for_sndbuf(), and gets woken up by a call +to __sctp_write_space() mostly via sctp_wfree(). + +__sctp_write_space() is being called per association. Although +we assign sk->sk_write_space() to sctp_write_space(), which +is then being done per socket, it is only used if send space +is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE +is set and therefore not invoked in sock_wfree(). + +Commit 4c3a5bdae293 ("sctp: Don't charge for data in sndbuf +again when transmitting packet") fixed an issue where in case +sctp_packet_transmit() manages to queue up more than sndbuf +bytes, sctp_wait_for_sndbuf() will never be woken up again +unless it is interrupted by a signal. However, a still +remaining issue is that if net.sctp.sndbuf_policy=0, that is +accounting per socket, and one-to-many sockets are in use, +the reclaimed write space from sctp_wfree() is 'unfairly' +handed back on the server to the association that is the lucky +one to be woken up again via __sctp_write_space(), while +the remaining associations are never be woken up again +(unless by a signal). + +The effect disappears with net.sctp.sndbuf_policy=1, that +is wmem accounting per association, as it guarantees a fair +share of wmem among associations. + +Therefore, if we have reclaimed memory in case of per socket +accounting, wake all related associations to a socket in a +fair manner, that is, traverse the socket association list +starting from the current neighbour of the association and +issue a __sctp_write_space() to everyone until we end up +waking ourselves. This guarantees that no association is +preferred over another and even if more associations are +taken into the one-to-many session, all receivers will get +messages from the server and are not stalled forever on +high load. This setting still leaves the advantage of per +socket accounting in touch as an association can still use +up global limits if unused by others. + +Fixes: 4eb701dfc618 ("[SCTP] Fix SCTP sendbuffer accouting.") +Signed-off-by: Daniel Borkmann +Cc: Thomas Graf +Cc: Neil Horman +Cc: Vlad Yasevich +Acked-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 36 +++++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -6582,6 +6582,40 @@ static void __sctp_write_space(struct sc + } + } + ++static void sctp_wake_up_waiters(struct sock *sk, ++ struct sctp_association *asoc) ++{ ++ struct sctp_association *tmp = asoc; ++ ++ /* We do accounting for the sndbuf space per association, ++ * so we only need to wake our own association. ++ */ ++ if (asoc->ep->sndbuf_policy) ++ return __sctp_write_space(asoc); ++ ++ /* Accounting for the sndbuf space is per socket, so we ++ * need to wake up others, try to be fair and in case of ++ * other associations, let them have a go first instead ++ * of just doing a sctp_write_space() call. ++ * ++ * Note that we reach sctp_wake_up_waiters() only when ++ * associations free up queued chunks, thus we are under ++ * lock and the list of associations on a socket is ++ * guaranteed not to change. ++ */ ++ for (tmp = list_next_entry(tmp, asocs); 1; ++ tmp = list_next_entry(tmp, asocs)) { ++ /* Manually skip the head element. */ ++ if (&tmp->asocs == &((sctp_sk(sk))->ep->asocs)) ++ continue; ++ /* Wake up association. */ ++ __sctp_write_space(tmp); ++ /* We've reached the end. */ ++ if (tmp == asoc) ++ break; ++ } ++} ++ + /* Do accounting for the sndbuf space. + * Decrement the used sndbuf space of the corresponding association by the + * data size which was just transmitted(freed). +@@ -6609,7 +6643,7 @@ static void sctp_wfree(struct sk_buff *s + sk_mem_uncharge(sk, skb->truesize); + + sock_wfree(skb); +- __sctp_write_space(asoc); ++ sctp_wake_up_waiters(sk, asoc); + + sctp_association_put(asoc); + } diff --git a/queue-3.10/qmi_wwan-add-onda-mt689dc-device-id-fwd.patch b/queue-3.10/qmi_wwan-add-onda-mt689dc-device-id-fwd.patch new file mode 100644 index 00000000000..ea94d2e65c7 --- /dev/null +++ b/queue-3.10/qmi_wwan-add-onda-mt689dc-device-id-fwd.patch @@ -0,0 +1,39 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Enrico Mioso +Date: Sat, 29 Jun 2013 15:39:19 +0200 +Subject: qmi_wwan: add ONDA MT689DC device ID (fwd) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Enrico Mioso + +[ Upstream commit d8eb8f9963a55ccf6ebafa4bfdb9f70c17067825 ] + +Another QMI-speaking device by ZTE, re-branded by ONDA! + +I'm connected ovr this device's QMI interface right now, so I can say I tested +it! :) + +Note: a follow-up patch was posted to the linux-usb mailing list, to prevent +the option driver from binding to the device's QMI interface, making it +unusable. + +Signed-off-by: Enrico Mioso +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -652,6 +652,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x0002, 1)}, + {QMI_FIXED_INTF(0x19d2, 0x0012, 1)}, + {QMI_FIXED_INTF(0x19d2, 0x0017, 3)}, ++ {QMI_FIXED_INTF(0x19d2, 0x0019, 3)}, /* ONDA MT689DC */ + {QMI_FIXED_INTF(0x19d2, 0x0021, 4)}, + {QMI_FIXED_INTF(0x19d2, 0x0025, 1)}, + {QMI_FIXED_INTF(0x19d2, 0x0031, 4)}, diff --git a/queue-3.10/revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch b/queue-3.10/revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch new file mode 100644 index 00000000000..70f85cdc5e7 --- /dev/null +++ b/queue-3.10/revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch @@ -0,0 +1,59 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Vlad Yasevich +Date: Tue, 29 Apr 2014 10:09:51 -0400 +Subject: Revert "macvlan : fix checksums error when we are in bridge mode" + +From: Vlad Yasevich + +[ Upstream commit f114890cdf84d753f6b41cd0cc44ba51d16313da ] + +This reverts commit 12a2856b604476c27d85a5f9a57ae1661fc46019. +The commit above doesn't appear to be necessary any more as the +checksums appear to be correctly computed/validated. + +Additionally the above commit breaks kvm configurations where +one VM is using a device that support checksum offload (virtio) and +the other VM does not. +In this case, packets leaving virtio device will have CHECKSUM_PARTIAL +set. The packets is forwarded to a macvtap that has offload features +turned off. Since we use CHECKSUM_UNNECESSARY, the host does does not +update the checksum and thus a bad checksum is passed up to +the guest. + +CC: Daniel Lezcano +CC: Patrick McHardy +CC: Andrian Nord +CC: Eric Dumazet +CC: Michael S. Tsirkin +CC: Jason Wang +Signed-off-by: Vlad Yasevich +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -261,11 +261,9 @@ static int macvlan_queue_xmit(struct sk_ + const struct macvlan_dev *vlan = netdev_priv(dev); + const struct macvlan_port *port = vlan->port; + const struct macvlan_dev *dest; +- __u8 ip_summed = skb->ip_summed; + + if (vlan->mode == MACVLAN_MODE_BRIDGE) { + const struct ethhdr *eth = (void *)skb->data; +- skb->ip_summed = CHECKSUM_UNNECESSARY; + + /* send to other bridge ports directly */ + if (is_multicast_ether_addr(eth->h_dest)) { +@@ -283,7 +281,6 @@ static int macvlan_queue_xmit(struct sk_ + } + + xmit_world: +- skb->ip_summed = ip_summed; + skb->dev = vlan->lowerdev; + return dev_queue_xmit(skb); + } diff --git a/queue-3.10/rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch b/queue-3.10/rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch new file mode 100644 index 00000000000..ee6c0c50471 --- /dev/null +++ b/queue-3.10/rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch @@ -0,0 +1,98 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: David Gibson +Date: Thu, 24 Apr 2014 10:22:36 +1000 +Subject: rtnetlink: Only supply IFLA_VF_PORTS information when RTEXT_FILTER_VF is set + +From: David Gibson + +[ Upstream commit c53864fd60227de025cb79e05493b13f69843971 ] + +Since 115c9b81928360d769a76c632bae62d15206a94a (rtnetlink: Fix problem with +buffer allocation), RTM_NEWLINK messages only contain the IFLA_VFINFO_LIST +attribute if they were solicited by a GETLINK message containing an +IFLA_EXT_MASK attribute with the RTEXT_FILTER_VF flag. + +That was done because some user programs broke when they received more data +than expected - because IFLA_VFINFO_LIST contains information for each VF +it can become large if there are many VFs. + +However, the IFLA_VF_PORTS attribute, supplied for devices which implement +ndo_get_vf_port (currently the 'enic' driver only), has the same problem. +It supplies per-VF information and can therefore become large, but it is +not currently conditional on the IFLA_EXT_MASK value. + +Worse, it interacts badly with the existing EXT_MASK handling. When +IFLA_EXT_MASK is not supplied, the buffer for netlink replies is fixed at +NLMSG_GOODSIZE. If the information for IFLA_VF_PORTS exceeds this, then +rtnl_fill_ifinfo() returns -EMSGSIZE on the first message in a packet. +netlink_dump() will misinterpret this as having finished the listing and +omit data for this interface and all subsequent ones. That can cause +getifaddrs(3) to enter an infinite loop. + +This patch addresses the problem by only supplying IFLA_VF_PORTS when +IFLA_EXT_MASK is supplied with the RTEXT_FILTER_VF flag set. + +Signed-off-by: David Gibson +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -714,7 +714,8 @@ static inline int rtnl_vfinfo_size(const + return 0; + } + +-static size_t rtnl_port_size(const struct net_device *dev) ++static size_t rtnl_port_size(const struct net_device *dev, ++ u32 ext_filter_mask) + { + size_t port_size = nla_total_size(4) /* PORT_VF */ + + nla_total_size(PORT_PROFILE_MAX) /* PORT_PROFILE */ +@@ -730,7 +731,8 @@ static size_t rtnl_port_size(const struc + size_t port_self_size = nla_total_size(sizeof(struct nlattr)) + + port_size; + +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent) ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent || ++ !(ext_filter_mask & RTEXT_FILTER_VF)) + return 0; + if (dev_num_vf(dev->dev.parent)) + return port_self_size + vf_ports_size + +@@ -765,7 +767,7 @@ static noinline size_t if_nlmsg_size(con + + nla_total_size(ext_filter_mask + & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */ + + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */ +- + rtnl_port_size(dev) /* IFLA_VF_PORTS + IFLA_PORT_SELF */ ++ + rtnl_port_size(dev, ext_filter_mask) /* IFLA_VF_PORTS + IFLA_PORT_SELF */ + + rtnl_link_get_size(dev) /* IFLA_LINKINFO */ + + rtnl_link_get_af_size(dev); /* IFLA_AF_SPEC */ + } +@@ -826,11 +828,13 @@ static int rtnl_port_self_fill(struct sk + return 0; + } + +-static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev) ++static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev, ++ u32 ext_filter_mask) + { + int err; + +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent) ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent || ++ !(ext_filter_mask & RTEXT_FILTER_VF)) + return 0; + + err = rtnl_port_self_fill(skb, dev); +@@ -985,7 +989,7 @@ static int rtnl_fill_ifinfo(struct sk_bu + nla_nest_end(skb, vfinfo); + } + +- if (rtnl_port_fill(skb, dev)) ++ if (rtnl_port_fill(skb, dev, ext_filter_mask)) + goto nla_put_failure; + + if (dev->rtnl_link_ops) { diff --git a/queue-3.10/rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch b/queue-3.10/rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch new file mode 100644 index 00000000000..8f8fe9ec4e4 --- /dev/null +++ b/queue-3.10/rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch @@ -0,0 +1,63 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: David Gibson +Date: Thu, 24 Apr 2014 10:22:35 +1000 +Subject: rtnetlink: Warn when interface's information won't fit in our packet + +From: David Gibson + +[ Upstream commit 973462bbde79bb827824c73b59027a0aed5c9ca6 ] + +Without IFLA_EXT_MASK specified, the information reported for a single +interface in response to RTM_GETLINK is expected to fit within a netlink +packet of NLMSG_GOODSIZE. + +If it doesn't, however, things will go badly wrong, When listing all +interfaces, netlink_dump() will incorrectly treat -EMSGSIZE on the first +message in a packet as the end of the listing and omit information for +that interface and all subsequent ones. This can cause getifaddrs(3) to +enter an infinite loop. + +This patch won't fix the problem, but it will WARN_ON() making it easier to +track down what's going wrong. + +Signed-off-by: David Gibson +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1039,6 +1039,7 @@ static int rtnl_dump_ifinfo(struct sk_bu + struct hlist_head *head; + struct nlattr *tb[IFLA_MAX+1]; + u32 ext_filter_mask = 0; ++ int err; + + s_h = cb->args[0]; + s_idx = cb->args[1]; +@@ -1059,11 +1060,17 @@ static int rtnl_dump_ifinfo(struct sk_bu + hlist_for_each_entry_rcu(dev, head, index_hlist) { + if (idx < s_idx) + goto cont; +- if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK, +- NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, 0, +- NLM_F_MULTI, +- ext_filter_mask) <= 0) ++ err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK, ++ NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, 0, ++ NLM_F_MULTI, ++ ext_filter_mask); ++ /* If we ran out of room on the first message, ++ * we're in trouble ++ */ ++ WARN_ON((err == -EMSGSIZE) && (skb->len == 0)); ++ ++ if (err <= 0) + goto out; + + nl_dump_check_consistent(cb, nlmsg_hdr(skb)); diff --git a/queue-3.10/sctp-reset-flowi4_oif-parameter-on-route-lookup.patch b/queue-3.10/sctp-reset-flowi4_oif-parameter-on-route-lookup.patch new file mode 100644 index 00000000000..cd595d91395 --- /dev/null +++ b/queue-3.10/sctp-reset-flowi4_oif-parameter-on-route-lookup.patch @@ -0,0 +1,63 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Xufeng Zhang +Date: Fri, 25 Apr 2014 16:55:41 +0800 +Subject: sctp: reset flowi4_oif parameter on route lookup + +From: Xufeng Zhang + +[ Upstream commit 85350871317a5adb35519d9dc6fc9e80809d42ad ] + +commit 813b3b5db83 (ipv4: Use caller's on-stack flowi as-is +in output route lookups.) introduces another regression which +is very similar to the problem of commit e6b45241c (ipv4: reset +flowi parameters on route connect) wants to fix: +Before we call ip_route_output_key() in sctp_v4_get_dst() to +get a dst that matches a bind address as the source address, +we have already called this function previously and the flowi +parameters have been initialized including flowi4_oif, so when +we call this function again, the process in __ip_route_output_key() +will be different because of the setting of flowi4_oif, and we'll +get a networking device which corresponds to the inputted flowi4_oif +as the output device, this is wrong because we'll never hit this +place if the previously returned source address of dst match one +of the bound addresses. + +To reproduce this problem, a vlan setting is enough: + # ifconfig eth0 up + # route del default + # vconfig add eth0 2 + # vconfig add eth0 3 + # ifconfig eth0.2 10.0.1.14 netmask 255.255.255.0 + # route add default gw 10.0.1.254 dev eth0.2 + # ifconfig eth0.3 10.0.0.14 netmask 255.255.255.0 + # ip rule add from 10.0.0.14 table 4 + # ip route add table 4 default via 10.0.0.254 src 10.0.0.14 dev eth0.3 + # sctp_darn -H 10.0.0.14 -P 36422 -h 10.1.4.134 -p 36422 -s -I +You'll detect that all the flow are routed to eth0.2(10.0.1.254). + +Signed-off-by: Xufeng Zhang +Signed-off-by: Julian Anastasov +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/protocol.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -498,8 +498,13 @@ static void sctp_v4_get_dst(struct sctp_ + continue; + if ((laddr->state == SCTP_ADDR_SRC) && + (AF_INET == laddr->a.sa.sa_family)) { +- fl4->saddr = laddr->a.v4.sin_addr.s_addr; + fl4->fl4_sport = laddr->a.v4.sin_port; ++ flowi4_update_output(fl4, ++ asoc->base.sk->sk_bound_dev_if, ++ RT_CONN_FLAGS(asoc->base.sk), ++ daddr->v4.sin_addr.s_addr, ++ laddr->a.v4.sin_addr.s_addr); ++ + rt = ip_route_output_key(sock_net(sk), fl4); + if (!IS_ERR(rt)) { + dst = &rt->dst; diff --git a/queue-3.10/series b/queue-3.10/series index cbcc2335240..3ab7f13a23b 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -35,3 +35,52 @@ drm-vmwgfx-correct-fb_fix_screeninfo.line_length.patch drm-vmwgfx-make-sure-user-space-can-t-dma-across-buffer-object-boundaries-v2.patch drm-qxl-unset-a-pointer-in-sync_obj_unref.patch drm-radeon-call-drm_edid_to_eld-when-we-update-the-edid.patch +list-introduce-list_next_entry-and-list_prev_entry.patch +net-sctp-wake-up-all-assocs-if-sndbuf-policy-is-per-socket.patch +net-sctp-test-if-association-is-dead-in-sctp_wake_up_waiters.patch +l2tp-take-pmtu-from-tunnel-udp-socket.patch +net-core-don-t-account-for-udp-header-size-when-computing-seglen.patch +bonding-remove-debug_fs-files-when-module-init-fails.patch +bridge-fix-double-free-and-memory-leak-around-br_allowed_ingress.patch +ipv6-limit-mtu-to-65575-bytes.patch +gre-don-t-allow-to-add-the-same-tunnel-twice.patch +vti-don-t-allow-to-add-the-same-tunnel-twice.patch +net-ipv4-current-group_info-should-be-put-after-using.patch +ipv4-return-valid-rta_iif-on-ip-route-get.patch +filter-prevent-nla-extensions-to-peek-beyond-the-end-of-the-message.patch +ip6_gre-don-t-allow-to-remove-the-fb_tunnel_dev.patch +vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch +tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch +net-sctp-cache-auth_enable-per-endpoint.patch +net-fix-ns_capable-check-in-sock_diag_put_filterinfo.patch +rtnetlink-warn-when-interface-s-information-won-t-fit-in-our-packet.patch +rtnetlink-only-supply-ifla_vf_ports-information-when-rtext_filter_vf-is-set.patch +ipv6-fib-fix-fib-dump-restart.patch +bridge-handle-ifla_address-correctly-when-creating-bridge-device.patch +sctp-reset-flowi4_oif-parameter-on-route-lookup.patch +revert-macvlan-fix-checksums-error-when-we-are-in-bridge-mode.patch +tcp_cubic-fix-the-range-of-delayed_ack.patch +net-ipv4-ip_forward-fix-inverted-local_df-test.patch +net-ipv6-send-pkttoobig-immediately-if-orig-frag-size-mtu.patch +ipv4-fib_semantics-increment-fib_info_cnt-after-fib_info-allocation.patch +net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch +macvlan-don-t-propagate-iff_allmulti-changes-on-down-interfaces.patch +ip6_tunnel-fix-potential-null-pointer-dereference.patch +ipv4-initialise-the-itag-variable-in-__mkroute_input.patch +net-gro-reset-skb-truesize-in-napi_reuse_skb.patch +net-qmi_wwan-fixup-sierra-wireless-mc8305-entry.patch +net-qmi_wwan-add-option-gtm681w.patch +net-qmi_wwan-add-tp-link-ma260.patch +qmi_wwan-add-onda-mt689dc-device-id-fwd.patch +net-qmi_wwan-add-telit-le920-newer-firmware-support.patch +net-qmi_wwan-fix-cinterion-plxx-product-id.patch +net-qmi_wwan-olivetti-olicard-200-support.patch +net-qmi_wwan-add-zte-mf667.patch +net-qmi_wwan-add-support-for-cinterion-pxs8-and-phs8.patch +net-qmi_wwan-add-sierra-wireless-em7355.patch +net-qmi_wwan-add-sierra-wireless-mc73xx.patch +net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch +net-qmi_wwan-add-olivetti-olicard-500.patch +net-qmi_wwan-add-alcatel-l800ma.patch +net-qmi_wwan-add-a-number-of-cmotech-devices.patch +net-qmi_wwan-add-a-number-of-dell-devices.patch diff --git a/queue-3.10/tcp_cubic-fix-the-range-of-delayed_ack.patch b/queue-3.10/tcp_cubic-fix-the-range-of-delayed_ack.patch new file mode 100644 index 00000000000..49a37823c0d --- /dev/null +++ b/queue-3.10/tcp_cubic-fix-the-range-of-delayed_ack.patch @@ -0,0 +1,44 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Liu Yu +Date: Wed, 30 Apr 2014 17:34:09 +0800 +Subject: tcp_cubic: fix the range of delayed_ack + +From: Liu Yu + +[ Upstream commit 0cda345d1b2201dd15591b163e3c92bad5191745 ] + +commit b9f47a3aaeab (tcp_cubic: limit delayed_ack ratio to prevent +divide error) try to prevent divide error, but there is still a little +chance that delayed_ack can reach zero. In case the param cnt get +negative value, then ratio+cnt would overflow and may happen to be zero. +As a result, min(ratio, ACK_RATIO_LIMIT) will calculate to be zero. + +In some old kernels, such as 2.6.32, there is a bug that would +pass negative param, which then ultimately leads to this divide error. + +commit 5b35e1e6e9c (tcp: fix tcp_trim_head() to adjust segment count +with skb MSS) fixed the negative param issue. However, +it's safe that we fix the range of delayed_ack as well, +to make sure we do not hit a divide by zero. + +CC: Stephen Hemminger +Signed-off-by: Liu Yu +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_cubic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -408,7 +408,7 @@ static void bictcp_acked(struct sock *sk + ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT; + ratio += cnt; + +- ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT); ++ ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT); + } + + /* Some calls are for duplicates without timetamps */ diff --git a/queue-3.10/tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch b/queue-3.10/tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch new file mode 100644 index 00000000000..e041379b472 --- /dev/null +++ b/queue-3.10/tg3-update-rx_jumbo_pending-ring-param-only-when-jumbo-frames-are-enabled.patch @@ -0,0 +1,42 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Ivan Vecera +Date: Thu, 17 Apr 2014 14:51:08 +0200 +Subject: tg3: update rx_jumbo_pending ring param only when jumbo frames are enabled + +From: Ivan Vecera + +The patch fixes a problem with dropped jumbo frames after usage of +'ethtool -G ... rx'. + +Scenario: +1. ip link set eth0 up +2. ethtool -G eth0 rx N # <- This zeroes rx-jumbo +3. ip link set mtu 9000 dev eth0 + +The ethtool command set rx_jumbo_pending to zero so any received jumbo +packets are dropped and you need to use 'ethtool -G eth0 rx-jumbo N' +to workaround the issue. +The patch changes the logic so rx_jumbo_pending value is changed only if +jumbo frames are enabled (MTU > 1500). + +Signed-off-by: Ivan Vecera +Acked-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -12073,7 +12073,9 @@ static int tg3_set_ringparam(struct net_ + if (tg3_flag(tp, MAX_RXPEND_64) && + tp->rx_pending > 63) + tp->rx_pending = 63; +- tp->rx_jumbo_pending = ering->rx_jumbo_pending; ++ ++ if (tg3_flag(tp, JUMBO_RING_ENABLE)) ++ tp->rx_jumbo_pending = ering->rx_jumbo_pending; + + for (i = 0; i < tp->irq_max; i++) + tp->napi[i].tx_pending = ering->tx_pending; diff --git a/queue-3.10/vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch b/queue-3.10/vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch new file mode 100644 index 00000000000..b383eb6eebf --- /dev/null +++ b/queue-3.10/vlan-fix-lockdep-warning-when-vlan-dev-handle-notification.patch @@ -0,0 +1,185 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: dingtianhong +Date: Thu, 17 Apr 2014 18:40:36 +0800 +Subject: vlan: Fix lockdep warning when vlan dev handle notification + +From: dingtianhong + +[ Upstream commit dc8eaaa006350d24030502a4521542e74b5cb39f ] + +When I open the LOCKDEP config and run these steps: + +modprobe 8021q +vconfig add eth2 20 +vconfig add eth2.20 30 +ifconfig eth2 xx.xx.xx.xx + +then the Call Trace happened: + +[32524.386288] ============================================= +[32524.386293] [ INFO: possible recursive locking detected ] +[32524.386298] 3.14.0-rc2-0.7-default+ #35 Tainted: G O +[32524.386302] --------------------------------------------- +[32524.386306] ifconfig/3103 is trying to acquire lock: +[32524.386310] (&vlan_netdev_addr_lock_key/1){+.....}, at: [] dev_mc_sync+0x64/0xb0 +[32524.386326] +[32524.386326] but task is already holding lock: +[32524.386330] (&vlan_netdev_addr_lock_key/1){+.....}, at: [] dev_set_rx_mode+0x23/0x40 +[32524.386341] +[32524.386341] other info that might help us debug this: +[32524.386345] Possible unsafe locking scenario: +[32524.386345] +[32524.386350] CPU0 +[32524.386352] ---- +[32524.386354] lock(&vlan_netdev_addr_lock_key/1); +[32524.386359] lock(&vlan_netdev_addr_lock_key/1); +[32524.386364] +[32524.386364] *** DEADLOCK *** +[32524.386364] +[32524.386368] May be due to missing lock nesting notation +[32524.386368] +[32524.386373] 2 locks held by ifconfig/3103: +[32524.386376] #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x12/0x20 +[32524.386387] #1: (&vlan_netdev_addr_lock_key/1){+.....}, at: [] dev_set_rx_mode+0x23/0x40 +[32524.386398] +[32524.386398] stack backtrace: +[32524.386403] CPU: 1 PID: 3103 Comm: ifconfig Tainted: G O 3.14.0-rc2-0.7-default+ #35 +[32524.386409] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 +[32524.386414] ffffffff81ffae40 ffff8800d9625ae8 ffffffff814f68a2 ffff8800d9625bc8 +[32524.386421] ffffffff810a35fb ffff8800d8a8d9d0 00000000d9625b28 ffff8800d8a8e5d0 +[32524.386428] 000003cc00000000 0000000000000002 ffff8800d8a8e5f8 0000000000000000 +[32524.386435] Call Trace: +[32524.386441] [] dump_stack+0x6a/0x78 +[32524.386448] [] __lock_acquire+0x7ab/0x1940 +[32524.386454] [] ? __lock_acquire+0x3ea/0x1940 +[32524.386459] [] lock_acquire+0xe4/0x110 +[32524.386464] [] ? dev_mc_sync+0x64/0xb0 +[32524.386471] [] _raw_spin_lock_nested+0x2a/0x40 +[32524.386476] [] ? dev_mc_sync+0x64/0xb0 +[32524.386481] [] dev_mc_sync+0x64/0xb0 +[32524.386489] [] vlan_dev_set_rx_mode+0x2b/0x50 [8021q] +[32524.386495] [] __dev_set_rx_mode+0x5f/0xb0 +[32524.386500] [] dev_set_rx_mode+0x2b/0x40 +[32524.386506] [] __dev_open+0xef/0x150 +[32524.386511] [] __dev_change_flags+0xa7/0x190 +[32524.386516] [] dev_change_flags+0x32/0x80 +[32524.386524] [] devinet_ioctl+0x7d6/0x830 +[32524.386532] [] ? dev_ioctl+0x34b/0x660 +[32524.386540] [] inet_ioctl+0x80/0xa0 +[32524.386550] [] sock_do_ioctl+0x2d/0x60 +[32524.386558] [] sock_ioctl+0x82/0x2a0 +[32524.386568] [] do_vfs_ioctl+0x93/0x590 +[32524.386578] [] ? rcu_read_lock_held+0x45/0x50 +[32524.386586] [] ? __fget_light+0x105/0x110 +[32524.386594] [] SyS_ioctl+0x91/0xb0 +[32524.386604] [] system_call_fastpath+0x16/0x1b + +======================================================================== + +The reason is that all of the addr_lock_key for vlan dev have the same class, +so if we change the status for vlan dev, the vlan dev and its real dev will +hold the same class of addr_lock_key together, so the warning happened. + +we should distinguish the lock depth for vlan dev and its real dev. + +v1->v2: Convert the vlan_netdev_addr_lock_key to an array of eight elements, which + could support to add 8 vlan id on a same vlan dev, I think it is enough for current + scene, because a netdev's name is limited to IFNAMSIZ which could not hold 8 vlan id, + and the vlan dev would not meet the same class key with its real dev. + + The new function vlan_dev_get_lockdep_subkey() will return the subkey and make the vlan + dev could get a suitable class key. + +v2->v3: According David's suggestion, I use the subclass to distinguish the lock key for vlan dev + and its real dev, but it make no sense, because the difference for subclass in the + lock_class_key doesn't mean that the difference class for lock_key, so I use lock_depth + to distinguish the different depth for every vlan dev, the same depth of the vlan dev + could have the same lock_class_key, I import the MAX_LOCK_DEPTH from the include/linux/sched.h, + I think it is enough here, the lockdep should never exceed that value. + +v3->v4: Add a huge array of locking keys will waste static kernel memory and is not a appropriate method, + we could use _nested() variants to fix the problem, calculate the depth for every vlan dev, + and use the depth as the subclass for addr_lock_key. + +Signed-off-by: Ding Tianhong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 46 +++++++++++++++++++++++++++++++++++++++++----- + net/core/dev.c | 1 + + 2 files changed, 42 insertions(+), 5 deletions(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -512,10 +512,48 @@ static void vlan_dev_change_rx_flags(str + } + } + ++static int vlan_calculate_locking_subclass(struct net_device *real_dev) ++{ ++ int subclass = 0; ++ ++ while (is_vlan_dev(real_dev)) { ++ subclass++; ++ real_dev = vlan_dev_priv(real_dev)->real_dev; ++ } ++ ++ return subclass; ++} ++ ++static void vlan_dev_mc_sync(struct net_device *to, struct net_device *from) ++{ ++ int err = 0, subclass; ++ ++ subclass = vlan_calculate_locking_subclass(to); ++ ++ spin_lock_nested(&to->addr_list_lock, subclass); ++ err = __hw_addr_sync(&to->mc, &from->mc, to->addr_len); ++ if (!err) ++ __dev_set_rx_mode(to); ++ spin_unlock(&to->addr_list_lock); ++} ++ ++static void vlan_dev_uc_sync(struct net_device *to, struct net_device *from) ++{ ++ int err = 0, subclass; ++ ++ subclass = vlan_calculate_locking_subclass(to); ++ ++ spin_lock_nested(&to->addr_list_lock, subclass); ++ err = __hw_addr_sync(&to->uc, &from->uc, to->addr_len); ++ if (!err) ++ __dev_set_rx_mode(to); ++ spin_unlock(&to->addr_list_lock); ++} ++ + static void vlan_dev_set_rx_mode(struct net_device *vlan_dev) + { +- dev_mc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev); +- dev_uc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev); ++ vlan_dev_mc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev); ++ vlan_dev_uc_sync(vlan_dev_priv(vlan_dev)->real_dev, vlan_dev); + } + + /* +@@ -624,9 +662,7 @@ static int vlan_dev_init(struct net_devi + + SET_NETDEV_DEVTYPE(dev, &vlan_type); + +- if (is_vlan_dev(real_dev)) +- subclass = 1; +- ++ subclass = vlan_calculate_locking_subclass(dev); + vlan_dev_set_lockdep_class(dev, subclass); + + vlan_dev_priv(dev)->vlan_pcpu_stats = alloc_percpu(struct vlan_pcpu_stats); +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4634,6 +4634,7 @@ void __dev_set_rx_mode(struct net_device + if (ops->ndo_set_rx_mode) + ops->ndo_set_rx_mode(dev); + } ++EXPORT_SYMBOL(__dev_set_rx_mode); + + void dev_set_rx_mode(struct net_device *dev) + { diff --git a/queue-3.10/vti-don-t-allow-to-add-the-same-tunnel-twice.patch b/queue-3.10/vti-don-t-allow-to-add-the-same-tunnel-twice.patch new file mode 100644 index 00000000000..44398f18f67 --- /dev/null +++ b/queue-3.10/vti-don-t-allow-to-add-the-same-tunnel-twice.patch @@ -0,0 +1,42 @@ +From foo@baz Wed May 28 20:43:09 PDT 2014 +From: Nicolas Dichtel +Date: Fri, 11 Apr 2014 15:51:19 +0200 +Subject: vti: don't allow to add the same tunnel twice + +From: Nicolas Dichtel + +[ Upstream commit 8d89dcdf80d88007647945a753821a06eb6cc5a5 ] + +Before the patch, it was possible to add two times the same tunnel: +ip l a vti1 type vti remote 10.16.0.121 local 10.16.0.249 key 41 +ip l a vti2 type vti remote 10.16.0.121 local 10.16.0.249 key 41 + +It was possible, because ip_tunnel_newlink() calls ip_tunnel_find() with the +argument dev->type, which was set only later (when calling ndo_init handler +in register_netdevice()). Let's set this type in the setup handler, which is +called before newlink handler. + +Introduced by commit b9959fd3b0fa ("vti: switch to new ip tunnel code"). + +CC: Cong Wang +CC: Steffen Klassert +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -579,9 +579,9 @@ static void vti_dev_free(struct net_devi + static void vti_tunnel_setup(struct net_device *dev) + { + dev->netdev_ops = &vti_netdev_ops; ++ dev->type = ARPHRD_TUNNEL; + dev->destructor = vti_dev_free; + +- dev->type = ARPHRD_TUNNEL; + dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr); + dev->mtu = ETH_DATA_LEN; + dev->flags = IFF_NOARP;