3.0 patches

17 files changed, 1181 insertions, 0 deletions

diff --git a/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch b/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch
new file mode 100644
index 0000000000..5f3559a716
--- /dev/null
+++ b/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch
@@ -0,0 +1,116 @@
+From 8f75e5dfdaa6782c3d3f4efdb3880f2895e7cb02 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Mon, 22 Aug 2011 19:32:42 +0000
+Subject: arp: fix rcu lockdep splat in arp_process()
+
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit 20e6074eb8e096b3a595c093d1cb222f378cd671 ]
+
+Dave Jones reported a lockdep splat triggered by an arp_process() call
+from parp_redo().
+
+Commit faa9dcf793be (arp: RCU changes) is the origin of the bug, since
+it assumed arp_process() was called under rcu_read_lock(), which is not
+true in this particular path.
+
+Instead of adding rcu_read_lock() in parp_redo(), I chose to add it in
+neigh_proxy_process() to take care of IPv6 side too.
+
+ ===================================================
+ [ INFO: suspicious rcu_dereference_check() usage. ]
+ ---------------------------------------------------
+ include/linux/inetdevice.h:209 invoked rcu_dereference_check() without
+protection!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 1, debug_locks = 0
+ 4 locks held by setfiles/2123:
+  #0:  (&sb->s_type->i_mutex_key#13){+.+.+.}, at: [<ffffffff8114cbc4>]
+walk_component+0x1ef/0x3e8
+  #1:  (&isec->lock){+.+.+.}, at: [<ffffffff81204bca>]
+inode_doinit_with_dentry+0x3f/0x41f
+  #2:  (&tbl->proxy_timer){+.-...}, at: [<ffffffff8106a803>]
+run_timer_softirq+0x157/0x372
+  #3:  (class){+.-...}, at: [<ffffffff8141f256>] neigh_proxy_process
++0x36/0x103
+
+ stack backtrace:
+ Pid: 2123, comm: setfiles Tainted: G        W
+3.1.0-0.rc2.git7.2.fc16.x86_64 #1
+ Call Trace:
+  <IRQ>  [<ffffffff8108ca23>] lockdep_rcu_dereference+0xa7/0xaf
+  [<ffffffff8146a0b7>] __in_dev_get_rcu+0x55/0x5d
+  [<ffffffff8146a751>] arp_process+0x25/0x4d7
+  [<ffffffff8146ac11>] parp_redo+0xe/0x10
+  [<ffffffff8141f2ba>] neigh_proxy_process+0x9a/0x103
+  [<ffffffff8106a8c4>] run_timer_softirq+0x218/0x372
+  [<ffffffff8106a803>] ? run_timer_softirq+0x157/0x372
+  [<ffffffff8141f220>] ? neigh_stat_seq_open+0x41/0x41
+  [<ffffffff8108f2f0>] ? mark_held_locks+0x6d/0x95
+  [<ffffffff81062bb6>] __do_softirq+0x112/0x25a
+  [<ffffffff8150d27c>] call_softirq+0x1c/0x30
+  [<ffffffff81010bf5>] do_softirq+0x4b/0xa2
+  [<ffffffff81062f65>] irq_exit+0x5d/0xcf
+  [<ffffffff8150dc11>] smp_apic_timer_interrupt+0x7c/0x8a
+  [<ffffffff8150baf3>] apic_timer_interrupt+0x73/0x80
+  <EOI>  [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158
+  [<ffffffff814fc285>] ? __slab_free+0x30/0x24c
+  [<ffffffff814fc283>] ? __slab_free+0x2e/0x24c
+  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
+  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
+  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
+  [<ffffffff81130cb0>] kfree+0x108/0x131
+  [<ffffffff81204e74>] inode_doinit_with_dentry+0x2e9/0x41f
+  [<ffffffff81204fc6>] selinux_d_instantiate+0x1c/0x1e
+  [<ffffffff81200f4f>] security_d_instantiate+0x21/0x23
+  [<ffffffff81154625>] d_instantiate+0x5c/0x61
+  [<ffffffff811563ca>] d_splice_alias+0xbc/0xd2
+  [<ffffffff811b17ff>] ext4_lookup+0xba/0xeb
+  [<ffffffff8114bf1e>] d_alloc_and_lookup+0x45/0x6b
+  [<ffffffff8114cbea>] walk_component+0x215/0x3e8
+  [<ffffffff8114cdf8>] lookup_last+0x3b/0x3d
+  [<ffffffff8114daf3>] path_lookupat+0x82/0x2af
+  [<ffffffff8110fc53>] ? might_fault+0xa5/0xac
+  [<ffffffff8110fc0a>] ? might_fault+0x5c/0xac
+  [<ffffffff8114c564>] ? getname_flags+0x31/0x1ca
+  [<ffffffff8114dd48>] do_path_lookup+0x28/0x97
+  [<ffffffff8114df2c>] user_path_at+0x59/0x96
+  [<ffffffff811467ad>] ? cp_new_stat+0xf7/0x10d
+  [<ffffffff811469a6>] vfs_fstatat+0x44/0x6e
+  [<ffffffff811469ee>] vfs_lstat+0x1e/0x20
+  [<ffffffff81146b3d>] sys_newlstat+0x1a/0x33
+  [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158
+  [<ffffffff812535fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+  [<ffffffff8150af82>] system_call_fastpath+0x16/0x1b
+
+Reported-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/neighbour.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1383,11 +1383,15 @@ static void neigh_proxy_process(unsigned
+ 
+ 		if (tdif <= 0) {
+ 			struct net_device *dev = skb->dev;
++
+ 			__skb_unlink(skb, &tbl->proxy_queue);
+-			if (tbl->proxy_redo && netif_running(dev))
++			if (tbl->proxy_redo && netif_running(dev)) {
++				rcu_read_lock();
+ 				tbl->proxy_redo(skb);
+-			else
++				rcu_read_unlock();
++			} else {
+ 				kfree_skb(skb);
++			}
+ 
+ 			dev_put(dev);
+ 		} else if (!sched_next || tdif < sched_next)
diff --git a/queue-3.0/bridge-fix-a-possible-net_device-leak.patch b/queue-3.0/bridge-fix-a-possible-net_device-leak.patch
new file mode 100644
index 0000000000..1ac1955d25
--- /dev/null
+++ b/queue-3.0/bridge-fix-a-possible-net_device-leak.patch
@@ -0,0 +1,44 @@
+From a6d49182e7fb7179152e3423a7a2c9bbfa4376a1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Mon, 22 Aug 2011 06:05:59 +0000
+Subject: bridge: fix a possible net_device leak
+
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit 11f3a6bdc2528d1ce2af50202dbf7138fdee1b34 ]
+
+Jan Beulich reported a possible net_device leak in bridge code after
+commit bb900b27a2f4 (bridge: allow creating bridge devices with netlink)
+
+Reported-by: Jan Beulich <JBeulich@novell.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_if.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -231,6 +231,7 @@ static struct net_bridge_port *new_nbp(s
+ int br_add_bridge(struct net *net, const char *name)
+ {
+ 	struct net_device *dev;
++	int res;
+ 
+ 	dev = alloc_netdev(sizeof(struct net_bridge), name,
+ 			   br_dev_setup);
+@@ -240,7 +241,10 @@ int br_add_bridge(struct net *net, const
+ 
+ 	dev_net_set(dev, net);
+ 
+-	return register_netdev(dev);
++	res = register_netdev(dev);
++	if (res)
++		free_netdev(dev);
++	return res;
+ }
+ 
+ int br_del_bridge(struct net *net, const char *name)
diff --git a/queue-3.0/bridge-fix-a-possible-use-after-free.patch b/queue-3.0/bridge-fix-a-possible-use-after-free.patch
new file mode 100644
index 0000000000..7728f8df1d
--- /dev/null
+++ b/queue-3.0/bridge-fix-a-possible-use-after-free.patch
@@ -0,0 +1,55 @@
+From b6dc9dd58adfde59146a759e1a1c1d33d500c465 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 23 Aug 2011 19:57:05 +0000
+Subject: bridge: fix a possible use after free
+
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ]
+
+br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb
+head can be reallocated.
+
+Cache icmp6_type field instead of dereferencing twice the struct
+icmp6hdr pointer.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_multicast.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1456,7 +1456,7 @@ static int br_multicast_ipv6_rcv(struct
+ {
+ 	struct sk_buff *skb2;
+ 	const struct ipv6hdr *ip6h;
+-	struct icmp6hdr *icmp6h;
++	u8 icmp6_type;
+ 	u8 nexthdr;
+ 	unsigned len;
+ 	int offset;
+@@ -1502,9 +1502,9 @@ static int br_multicast_ipv6_rcv(struct
+ 	__skb_pull(skb2, offset);
+ 	skb_reset_transport_header(skb2);
+ 
+-	icmp6h = icmp6_hdr(skb2);
++	icmp6_type = icmp6_hdr(skb2)->icmp6_type;
+ 
+-	switch (icmp6h->icmp6_type) {
++	switch (icmp6_type) {
+ 	case ICMPV6_MGM_QUERY:
+ 	case ICMPV6_MGM_REPORT:
+ 	case ICMPV6_MGM_REDUCTION:
+@@ -1544,7 +1544,7 @@ static int br_multicast_ipv6_rcv(struct
+ 
+ 	BR_INPUT_SKB_CB(skb)->igmp = 1;
+ 
+-	switch (icmp6h->icmp6_type) {
++	switch (icmp6_type) {
+ 	case ICMPV6_MGM_REPORT:
+ 	    {
+ 		struct mld_msg *mld;
diff --git a/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch b/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
new file mode 100644
index 0000000000..599252e5a6
--- /dev/null
+++ b/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
@@ -0,0 +1,50 @@
+From 6000a614b98987b8dca995680d6ab2c44f407582 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+Date: Tue, 23 Aug 2011 22:54:33 +0000
+Subject: bridge: Pseudo-header required for the checksum of ICMPv6
+
+
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+
+[ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ]
+
+Checksum of ICMPv6 is not properly computed because the pseudo header is not used.
+Thus, the MLD packet gets dropped by the bridge.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Reported-by: Ang Way Chuang <wcang@sfc.wide.ad.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_multicast.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1520,16 +1520,23 @@ static int br_multicast_ipv6_rcv(struct
+ 		err = pskb_trim_rcsum(skb2, len);
+ 		if (err)
+ 			goto out;
++		err = -EINVAL;
+ 	}
+ 
++	ip6h = ipv6_hdr(skb2);
++
+ 	switch (skb2->ip_summed) {
+ 	case CHECKSUM_COMPLETE:
+-		if (!csum_fold(skb2->csum))
++		if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr, skb2->len,
++					IPPROTO_ICMPV6, skb2->csum))
+ 			break;
+ 		/*FALLTHROUGH*/
+ 	case CHECKSUM_NONE:
+-		skb2->csum = 0;
+-		if (skb_checksum_complete(skb2))
++		skb2->csum = ~csum_unfold(csum_ipv6_magic(&ip6h->saddr,
++							&ip6h->daddr,
++							skb2->len,
++							IPPROTO_ICMPV6, 0));
++		if (__skb_checksum_complete(skb2))
+ 			goto out;
+ 	}
+ 
diff --git a/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch b/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
new file mode 100644
index 0000000000..74b08246b5
--- /dev/null
+++ b/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
@@ -0,0 +1,43 @@
+From 547625c470fd5e9eea86abe8435378c3c7a1f6aa Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Sun, 11 Sep 2011 15:36:05 +0000
+Subject: fib:fix BUG_ON in fib_nl_newrule when add new fib rule
+
+
+From: Gao feng <gaofeng@cn.fujitsu.com>
+
+[ Upstream commit 561dac2d410ffac0b57a23b85ae0a623c1a076ca ]
+
+add new fib rule can cause BUG_ON happen
+the reproduce shell is
+ip rule add pref 38
+ip rule add pref 38
+ip rule add to 192.168.3.0/24 goto 38
+ip rule del pref 38
+ip rule add to 192.168.3.0/24 goto 38
+ip rule add pref 38
+
+then the BUG_ON will happen
+del BUG_ON and use (ctarget == NULL) identify whether this rule is unresolved
+
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/fib_rules.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -384,8 +384,8 @@ static int fib_nl_newrule(struct sk_buff
+ 		 */
+ 		list_for_each_entry(r, &ops->rules_list, list) {
+ 			if (r->action == FR_ACT_GOTO &&
+-			    r->target == rule->pref) {
+-				BUG_ON(rtnl_dereference(r->ctarget) != NULL);
++			    r->target == rule->pref &&
++			    rtnl_dereference(r->ctarget) == NULL) {
+ 				rcu_assign_pointer(r->ctarget, rule);
+ 				if (--ops->unresolved_rules == 0)
+ 					break;
diff --git a/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch b/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch
new file mode 100644
index 0000000000..b4182614b5
--- /dev/null
+++ b/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch
@@ -0,0 +1,72 @@
+From 3f721b34b275c0892de4438063548ceea9888c6e Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 9 Aug 2011 04:01:16 +0000
+Subject: ipv4: some rt_iif -> rt_route_iif conversions
+
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 97a804102021431fa6fa33c21c85df762b0f5cb9 ]
+
+As rt_iif represents input device even for packets
+coming from loopback with output route, it is not an unique
+key specific to input routes. Now rt_route_iif has such role,
+it was fl.iif in 2.6.38, so better to change the checks at
+some places to save CPU cycles and to restore 2.6.38 semantics.
+
+compare_keys:
+	- input routes: only rt_route_iif matters, rt_iif is same
+	- output routes: only rt_oif matters, rt_iif is not
+		used for matching in __ip_route_output_key
+	- now we are back to 2.6.38 state
+
+ip_route_input_common:
+	- matching rt_route_iif implies input route
+	- compared to 2.6.38 we eliminated one rth->fl.oif check
+	because it was not needed even for 2.6.38
+
+compare_hash_inputs:
+	Only the change here is not an optimization, it has
+	effect only for output routes. I assume I'm restoring
+	the original intention to ignore oif, it was using fl.iif
+	- now we are back to 2.6.38 state
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/route.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -717,7 +717,7 @@ static inline bool compare_hash_inputs(c
+ {
+ 	return ((((__force u32)rt1->rt_key_dst ^ (__force u32)rt2->rt_key_dst) |
+ 		((__force u32)rt1->rt_key_src ^ (__force u32)rt2->rt_key_src) |
+-		(rt1->rt_iif ^ rt2->rt_iif)) == 0);
++		(rt1->rt_route_iif ^ rt2->rt_route_iif)) == 0);
+ }
+ 
+ static inline int compare_keys(struct rtable *rt1, struct rtable *rt2)
+@@ -727,8 +727,7 @@ static inline int compare_keys(struct rt
+ 		(rt1->rt_mark ^ rt2->rt_mark) |
+ 		(rt1->rt_key_tos ^ rt2->rt_key_tos) |
+ 		(rt1->rt_route_iif ^ rt2->rt_route_iif) |
+-		(rt1->rt_oif ^ rt2->rt_oif) |
+-		(rt1->rt_iif ^ rt2->rt_iif)) == 0;
++		(rt1->rt_oif ^ rt2->rt_oif)) == 0;
+ }
+ 
+ static inline int compare_netns(struct rtable *rt1, struct rtable *rt2)
+@@ -2282,9 +2281,8 @@ int ip_route_input_common(struct sk_buff
+ 	     rth = rcu_dereference(rth->dst.rt_next)) {
+ 		if ((((__force u32)rth->rt_key_dst ^ (__force u32)daddr) |
+ 		     ((__force u32)rth->rt_key_src ^ (__force u32)saddr) |
+-		     (rth->rt_iif ^ iif) |
++		     (rth->rt_route_iif ^ iif) |
+ 		     (rth->rt_key_tos ^ tos)) == 0 &&
+-		    rt_is_input_route(rth) &&
+ 		    rth->rt_mark == skb->mark &&
+ 		    net_eq(dev_net(rth->dst.dev), net) &&
+ 		    !rt_is_expired(rth)) {
diff --git a/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch b/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch
new file mode 100644
index 0000000000..315ea79186
--- /dev/null
+++ b/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch
@@ -0,0 +1,64 @@
+From cc9404e5c60f6feec3781751e142d513b6e1d481 Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <dbaluta@ixiacom.com>
+Date: Fri, 19 Aug 2011 03:19:07 -0700
+Subject: ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS
+
+
+From: Daniel Baluta <dbaluta@ixiacom.com>
+
+[ Upstream commit 98e77438aed3cd3343cbb86825127b1d9d2bea33 ]
+
+IPV6_2292PKTOPTIONS is broken for 32-bit applications running
+in COMPAT mode on 64-bit kernels.
+
+The same problem was fixed for IPv4 with the patch:
+ipv4: Fix ip_getsockopt for IP_PKTOPTIONS,
+commit dd23198e58cd35259dd09e8892bbdb90f1d57748
+
+Signed-off-by: Sorin Dumitru <sdumitru@ixiacom.com>
+Signed-off-by: Daniel Baluta <dbaluta@ixiacom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv6/ipv6_sockglue.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -913,7 +913,7 @@ static int ipv6_getsockopt_sticky(struct
+ }
+ 
+ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
+-		    char __user *optval, int __user *optlen)
++		    char __user *optval, int __user *optlen, unsigned flags)
+ {
+ 	struct ipv6_pinfo *np = inet6_sk(sk);
+ 	int len;
+@@ -962,7 +962,7 @@ static int do_ipv6_getsockopt(struct soc
+ 
+ 		msg.msg_control = optval;
+ 		msg.msg_controllen = len;
+-		msg.msg_flags = 0;
++		msg.msg_flags = flags;
+ 
+ 		lock_sock(sk);
+ 		skb = np->pktoptions;
+@@ -1222,7 +1222,7 @@ int ipv6_getsockopt(struct sock *sk, int
+ 	if(level != SOL_IPV6)
+ 		return -ENOPROTOOPT;
+ 
+-	err = do_ipv6_getsockopt(sk, level, optname, optval, optlen);
++	err = do_ipv6_getsockopt(sk, level, optname, optval, optlen, 0);
+ #ifdef CONFIG_NETFILTER
+ 	/* we need to exclude all possible ENOPROTOOPTs except default case */
+ 	if (err == -ENOPROTOOPT && optname != IPV6_2292PKTOPTIONS) {
+@@ -1264,7 +1264,8 @@ int compat_ipv6_getsockopt(struct sock *
+ 		return compat_mc_getsockopt(sk, level, optname, optval, optlen,
+ 			ipv6_getsockopt);
+ 
+-	err = do_ipv6_getsockopt(sk, level, optname, optval, optlen);
++	err = do_ipv6_getsockopt(sk, level, optname, optval, optlen,
++				 MSG_CMSG_COMPAT);
+ #ifdef CONFIG_NETFILTER
+ 	/* we need to exclude all possible ENOPROTOOPTs except default case */
+ 	if (err == -ENOPROTOOPT && optname != IPV6_2292PKTOPTIONS) {
diff --git a/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch b/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch
new file mode 100644
index 0000000000..fca1b25786
--- /dev/null
+++ b/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch
@@ -0,0 +1,43 @@
+From 26dd8ba2f771758b66afee7b033448bb0b9c20ae Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+Date: Tue, 23 Aug 2011 22:54:37 +0000
+Subject: mcast: Fix source address selection for multicast listener report
+
+
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+
+[ Upstream commit e05c4ad3ed874ee4f5e2c969e55d318ec654332c ]
+
+Should check use count of include mode filter instead of total number
+of include mode filters.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/igmp.c  |    2 +-
+ net/ipv6/mcast.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -767,7 +767,7 @@ static int igmp_xmarksources(struct ip_m
+ 			break;
+ 		for (i=0; i<nsrcs; i++) {
+ 			/* skip inactive filters */
+-			if (pmc->sfcount[MCAST_INCLUDE] ||
++			if (psf->sf_count[MCAST_INCLUDE] ||
+ 			    pmc->sfcount[MCAST_EXCLUDE] !=
+ 			    psf->sf_count[MCAST_EXCLUDE])
+ 				continue;
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1059,7 +1059,7 @@ static int mld_xmarksources(struct ifmca
+ 			break;
+ 		for (i=0; i<nsrcs; i++) {
+ 			/* skip inactive filters */
+-			if (pmc->mca_sfcount[MCAST_INCLUDE] ||
++			if (psf->sf_count[MCAST_INCLUDE] ||
+ 			    pmc->mca_sfcount[MCAST_EXCLUDE] !=
+ 			    psf->sf_count[MCAST_EXCLUDE])
+ 				continue;
diff --git a/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch b/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch
new file mode 100644
index 0000000000..b65b718cd0
--- /dev/null
+++ b/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch
@@ -0,0 +1,45 @@
+From 0e8d99a04cab6e4b5ad7fd111c638e3d00030814 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 9 Aug 2011 02:04:43 +0000
+Subject: net_sched: prio: use qdisc_dequeue_peeked
+
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 3557619f0f6f7496ed453d4825e24958ab1884e0 ]
+
+commit 07bd8df5df4369487812bf85a237322ff3569b77
+(sch_sfq: fix peek() implementation) changed sfq to use generic
+peek helper.
+
+This makes HFSC complain about a non-work-conserving child qdisc, if
+prio with sfq child is used within hfsc:
+
+hfsc peeks into prio qdisc, which will then peek into sfq.
+returned skb is stashed in sch->gso_skb.
+
+Next, hfsc tries to dequeue from prio, but prio will call sfq dequeue
+directly, which may return NULL instead of previously peeked-at skb.
+
+Have prio call qdisc_dequeue_peeked, so sfq->dequeue() is
+not called in this case.
+
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_prio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -112,7 +112,7 @@ static struct sk_buff *prio_dequeue(stru
+ 
+ 	for (prio = 0; prio < q->bands; prio++) {
+ 		struct Qdisc *qdisc = q->queues[prio];
+-		struct sk_buff *skb = qdisc->dequeue(qdisc);
++		struct sk_buff *skb = qdisc_dequeue_peeked(qdisc);
+ 		if (skb) {
+ 			qdisc_bstats_update(sch, skb);
+ 			sch->q.qlen--;
diff --git a/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch b/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
new file mode 100644
index 0000000000..1ecf0222de
--- /dev/null
+++ b/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
@@ -0,0 +1,67 @@
+From 92d8d0a0f9687a594d7e9dfc6407791687c39f1f Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 7 Aug 2011 09:11:00 +0000
+Subject: netfilter: TCP and raw fix for ip_route_me_harder
+
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 797fd3913abf2f7036003ab8d3d019cbea41affd ]
+
+TCP in some cases uses different global (raw) socket
+to send RST and ACK. The transparent flag is not set there.
+Currently, it is a problem for rerouting after the previous
+change.
+
+	Fix it by simplifying the checks in ip_route_me_harder
+and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
+because the initial routing allowed this source address to
+be used and now we just have to make sure the packet is rerouted.
+
+	As a side effect this also allows rerouting for normal
+raw sockets that use spoofed source addresses which was not possible
+even before we eliminated the ip_route_input call.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/netfilter.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -18,17 +18,15 @@ int ip_route_me_harder(struct sk_buff *s
+ 	struct rtable *rt;
+ 	struct flowi4 fl4 = {};
+ 	__be32 saddr = iph->saddr;
+-	__u8 flags = 0;
++	__u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+ 	unsigned int hh_len;
+ 
+-	if (!skb->sk && addr_type != RTN_LOCAL) {
+-		if (addr_type == RTN_UNSPEC)
+-			addr_type = inet_addr_type(net, saddr);
+-		if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+-			flags |= FLOWI_FLAG_ANYSRC;
+-		else
+-			saddr = 0;
+-	}
++	if (addr_type == RTN_UNSPEC)
++		addr_type = inet_addr_type(net, saddr);
++	if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
++		flags |= FLOWI_FLAG_ANYSRC;
++	else
++		saddr = 0;
+ 
+ 	/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+ 	 * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
+@@ -38,7 +36,7 @@ int ip_route_me_harder(struct sk_buff *s
+ 	fl4.flowi4_tos = RT_TOS(iph->tos);
+ 	fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+ 	fl4.flowi4_mark = skb->mark;
+-	fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
++	fl4.flowi4_flags = flags;
+ 	rt = ip_route_output_key(net, &fl4);
+ 	if (IS_ERR(rt))
+ 		return -1;
diff --git a/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch b/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch
new file mode 100644
index 0000000000..0d64facee9
--- /dev/null
+++ b/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch
@@ -0,0 +1,374 @@
+From 6510be733428af8dcceb086a4ccc5291c33ac329 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Thu, 1 Sep 2011 12:09:29 +0000
+Subject: Revert "sfc: Use write-combining to reduce TX latency" and follow-ups
+
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+[ Upstream commit 86c432ca5d6da90a26ac8d3e680f2268b502d9c5 ]
+
+This reverts commits 65f0b417dee94f779ce9b77102b7d73c93723b39,
+d88d6b05fee3cc78e5b0273eb58c31201dcc6b76,
+fcfa060468a4edcf776f0c1211d826d5de1668c1,
+747df2258b1b9a2e25929ef496262c339c380009 and
+867955f5682f7157fdafe8670804b9f8ea077bc7.
+
+Depending on the processor model, write-combining may result in
+reordering that the NIC will not tolerate.  This typically results
+in a DMA error event and reset by the driver, logged as:
+
+sfc 0000:0e:00.0: eth2: TX DMA Q reports TX_EV_PKT_ERR.
+sfc 0000:0e:00.0: eth2: resetting (ALL)
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/sfc/efx.c         |   18 +---------------
+ drivers/net/sfc/io.h          |   15 +++----------
+ drivers/net/sfc/mcdi.c        |   46 +++++++++++++++---------------------------
+ drivers/net/sfc/nic.c         |    7 ------
+ drivers/net/sfc/nic.h         |    2 -
+ drivers/net/sfc/siena.c       |   25 +++-------------------
+ drivers/net/sfc/workarounds.h |    2 -
+ 7 files changed, 27 insertions(+), 88 deletions(-)
+
+--- a/drivers/net/sfc/efx.c
++++ b/drivers/net/sfc/efx.c
+@@ -1051,7 +1051,6 @@ static int efx_init_io(struct efx_nic *e
+ {
+ 	struct pci_dev *pci_dev = efx->pci_dev;
+ 	dma_addr_t dma_mask = efx->type->max_dma_mask;
+-	bool use_wc;
+ 	int rc;
+ 
+ 	netif_dbg(efx, probe, efx->net_dev, "initialising I/O\n");
+@@ -1102,21 +1101,8 @@ static int efx_init_io(struct efx_nic *e
+ 		rc = -EIO;
+ 		goto fail3;
+ 	}
+-
+-	/* bug22643: If SR-IOV is enabled then tx push over a write combined
+-	 * mapping is unsafe. We need to disable write combining in this case.
+-	 * MSI is unsupported when SR-IOV is enabled, and the firmware will
+-	 * have removed the MSI capability. So write combining is safe if
+-	 * there is an MSI capability.
+-	 */
+-	use_wc = (!EFX_WORKAROUND_22643(efx) ||
+-		  pci_find_capability(pci_dev, PCI_CAP_ID_MSI));
+-	if (use_wc)
+-		efx->membase = ioremap_wc(efx->membase_phys,
+-					  efx->type->mem_map_size);
+-	else
+-		efx->membase = ioremap_nocache(efx->membase_phys,
+-					       efx->type->mem_map_size);
++	efx->membase = ioremap_nocache(efx->membase_phys,
++				       efx->type->mem_map_size);
+ 	if (!efx->membase) {
+ 		netif_err(efx, probe, efx->net_dev,
+ 			  "could not map memory BAR at %llx+%x\n",
+--- a/drivers/net/sfc/io.h
++++ b/drivers/net/sfc/io.h
+@@ -48,9 +48,9 @@
+  *   replacing the low 96 bits with zero does not affect functionality.
+  * - If the host writes to the last dword address of such a register
+  *   (i.e. the high 32 bits) the underlying register will always be
+- *   written.  If the collector and the current write together do not
+- *   provide values for all 128 bits of the register, the low 96 bits
+- *   will be written as zero.
++ *   written.  If the collector does not hold values for the low 96
++ *   bits of the register, they will be written as zero.  Writing to
++ *   the last qword does not have this effect and must not be done.
+  * - If the host writes to the address of any other part of such a
+  *   register while the collector already holds values for some other
+  *   register, the write is discarded and the collector maintains its
+@@ -103,7 +103,6 @@ static inline void efx_writeo(struct efx
+ 	_efx_writed(efx, value->u32[2], reg + 8);
+ 	_efx_writed(efx, value->u32[3], reg + 12);
+ #endif
+-	wmb();
+ 	mmiowb();
+ 	spin_unlock_irqrestore(&efx->biu_lock, flags);
+ }
+@@ -126,7 +125,6 @@ static inline void efx_sram_writeq(struc
+ 	__raw_writel((__force u32)value->u32[0], membase + addr);
+ 	__raw_writel((__force u32)value->u32[1], membase + addr + 4);
+ #endif
+-	wmb();
+ 	mmiowb();
+ 	spin_unlock_irqrestore(&efx->biu_lock, flags);
+ }
+@@ -141,7 +139,6 @@ static inline void efx_writed(struct efx
+ 
+ 	/* No lock required */
+ 	_efx_writed(efx, value->u32[0], reg);
+-	wmb();
+ }
+ 
+ /* Read a 128-bit CSR, locking as appropriate. */
+@@ -152,7 +149,6 @@ static inline void efx_reado(struct efx_
+ 
+ 	spin_lock_irqsave(&efx->biu_lock, flags);
+ 	value->u32[0] = _efx_readd(efx, reg + 0);
+-	rmb();
+ 	value->u32[1] = _efx_readd(efx, reg + 4);
+ 	value->u32[2] = _efx_readd(efx, reg + 8);
+ 	value->u32[3] = _efx_readd(efx, reg + 12);
+@@ -175,7 +171,6 @@ static inline void efx_sram_readq(struct
+ 	value->u64[0] = (__force __le64)__raw_readq(membase + addr);
+ #else
+ 	value->u32[0] = (__force __le32)__raw_readl(membase + addr);
+-	rmb();
+ 	value->u32[1] = (__force __le32)__raw_readl(membase + addr + 4);
+ #endif
+ 	spin_unlock_irqrestore(&efx->biu_lock, flags);
+@@ -242,14 +237,12 @@ static inline void _efx_writeo_page(stru
+ 
+ #ifdef EFX_USE_QWORD_IO
+ 	_efx_writeq(efx, value->u64[0], reg + 0);
+-	_efx_writeq(efx, value->u64[1], reg + 8);
+ #else
+ 	_efx_writed(efx, value->u32[0], reg + 0);
+ 	_efx_writed(efx, value->u32[1], reg + 4);
++#endif
+ 	_efx_writed(efx, value->u32[2], reg + 8);
+ 	_efx_writed(efx, value->u32[3], reg + 12);
+-#endif
+-	wmb();
+ }
+ #define efx_writeo_page(efx, value, reg, page)				\
+ 	_efx_writeo_page(efx, value,					\
+--- a/drivers/net/sfc/mcdi.c
++++ b/drivers/net/sfc/mcdi.c
+@@ -50,20 +50,6 @@ static inline struct efx_mcdi_iface *efx
+ 	return &nic_data->mcdi;
+ }
+ 
+-static inline void
+-efx_mcdi_readd(struct efx_nic *efx, efx_dword_t *value, unsigned reg)
+-{
+-	struct siena_nic_data *nic_data = efx->nic_data;
+-	value->u32[0] = (__force __le32)__raw_readl(nic_data->mcdi_smem + reg);
+-}
+-
+-static inline void
+-efx_mcdi_writed(struct efx_nic *efx, const efx_dword_t *value, unsigned reg)
+-{
+-	struct siena_nic_data *nic_data = efx->nic_data;
+-	__raw_writel((__force u32)value->u32[0], nic_data->mcdi_smem + reg);
+-}
+-
+ void efx_mcdi_init(struct efx_nic *efx)
+ {
+ 	struct efx_mcdi_iface *mcdi;
+@@ -84,8 +70,8 @@ static void efx_mcdi_copyin(struct efx_n
+ 			    const u8 *inbuf, size_t inlen)
+ {
+ 	struct efx_mcdi_iface *mcdi = efx_mcdi(efx);
+-	unsigned pdu = MCDI_PDU(efx);
+-	unsigned doorbell = MCDI_DOORBELL(efx);
++	unsigned pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx);
++	unsigned doorbell = FR_CZ_MC_TREG_SMEM + MCDI_DOORBELL(efx);
+ 	unsigned int i;
+ 	efx_dword_t hdr;
+ 	u32 xflags, seqno;
+@@ -106,28 +92,29 @@ static void efx_mcdi_copyin(struct efx_n
+ 			     MCDI_HEADER_SEQ, seqno,
+ 			     MCDI_HEADER_XFLAGS, xflags);
+ 
+-	efx_mcdi_writed(efx, &hdr, pdu);
++	efx_writed(efx, &hdr, pdu);
+ 
+ 	for (i = 0; i < inlen; i += 4)
+-		efx_mcdi_writed(efx, (const efx_dword_t *)(inbuf + i),
+-				pdu + 4 + i);
++		_efx_writed(efx, *((__le32 *)(inbuf + i)), pdu + 4 + i);
++
++	/* Ensure the payload is written out before the header */
++	wmb();
+ 
+ 	/* ring the doorbell with a distinctive value */
+-	EFX_POPULATE_DWORD_1(hdr, EFX_DWORD_0, 0x45789abc);
+-	efx_mcdi_writed(efx, &hdr, doorbell);
++	_efx_writed(efx, (__force __le32) 0x45789abc, doorbell);
+ }
+ 
+ static void efx_mcdi_copyout(struct efx_nic *efx, u8 *outbuf, size_t outlen)
+ {
+ 	struct efx_mcdi_iface *mcdi = efx_mcdi(efx);
+-	unsigned int pdu = MCDI_PDU(efx);
++	unsigned int pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx);
+ 	int i;
+ 
+ 	BUG_ON(atomic_read(&mcdi->state) == MCDI_STATE_QUIESCENT);
+ 	BUG_ON(outlen & 3 || outlen >= 0x100);
+ 
+ 	for (i = 0; i < outlen; i += 4)
+-		efx_mcdi_readd(efx, (efx_dword_t *)(outbuf + i), pdu + 4 + i);
++		*((__le32 *)(outbuf + i)) = _efx_readd(efx, pdu + 4 + i);
+ }
+ 
+ static int efx_mcdi_poll(struct efx_nic *efx)
+@@ -135,7 +122,7 @@ static int efx_mcdi_poll(struct efx_nic
+ 	struct efx_mcdi_iface *mcdi = efx_mcdi(efx);
+ 	unsigned int time, finish;
+ 	unsigned int respseq, respcmd, error;
+-	unsigned int pdu = MCDI_PDU(efx);
++	unsigned int pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx);
+ 	unsigned int rc, spins;
+ 	efx_dword_t reg;
+ 
+@@ -161,7 +148,8 @@ static int efx_mcdi_poll(struct efx_nic
+ 
+ 		time = get_seconds();
+ 
+-		efx_mcdi_readd(efx, &reg, pdu);
++		rmb();
++		efx_readd(efx, &reg, pdu);
+ 
+ 		/* All 1's indicates that shared memory is in reset (and is
+ 		 * not a valid header). Wait for it to come out reset before
+@@ -188,7 +176,7 @@ static int efx_mcdi_poll(struct efx_nic
+ 			  respseq, mcdi->seqno);
+ 		rc = EIO;
+ 	} else if (error) {
+-		efx_mcdi_readd(efx, &reg, pdu + 4);
++		efx_readd(efx, &reg, pdu + 4);
+ 		switch (EFX_DWORD_FIELD(reg, EFX_DWORD_0)) {
+ #define TRANSLATE_ERROR(name)					\
+ 		case MC_CMD_ERR_ ## name:			\
+@@ -222,21 +210,21 @@ out:
+ /* Test and clear MC-rebooted flag for this port/function */
+ int efx_mcdi_poll_reboot(struct efx_nic *efx)
+ {
+-	unsigned int addr = MCDI_REBOOT_FLAG(efx);
++	unsigned int addr = FR_CZ_MC_TREG_SMEM + MCDI_REBOOT_FLAG(efx);
+ 	efx_dword_t reg;
+ 	uint32_t value;
+ 
+ 	if (efx_nic_rev(efx) < EFX_REV_SIENA_A0)
+ 		return false;
+ 
+-	efx_mcdi_readd(efx, &reg, addr);
++	efx_readd(efx, &reg, addr);
+ 	value = EFX_DWORD_FIELD(reg, EFX_DWORD_0);
+ 
+ 	if (value == 0)
+ 		return 0;
+ 
+ 	EFX_ZERO_DWORD(reg);
+-	efx_mcdi_writed(efx, &reg, addr);
++	efx_writed(efx, &reg, addr);
+ 
+ 	if (value == MC_STATUS_DWORD_ASSERT)
+ 		return -EINTR;
+--- a/drivers/net/sfc/nic.c
++++ b/drivers/net/sfc/nic.c
+@@ -1935,13 +1935,6 @@ void efx_nic_get_regs(struct efx_nic *ef
+ 
+ 		size = min_t(size_t, table->step, 16);
+ 
+-		if (table->offset >= efx->type->mem_map_size) {
+-			/* No longer mapped; return dummy data */
+-			memcpy(buf, "\xde\xc0\xad\xde", 4);
+-			buf += table->rows * size;
+-			continue;
+-		}
+-
+ 		for (i = 0; i < table->rows; i++) {
+ 			switch (table->step) {
+ 			case 4: /* 32-bit register or SRAM */
+--- a/drivers/net/sfc/nic.h
++++ b/drivers/net/sfc/nic.h
+@@ -143,12 +143,10 @@ static inline struct falcon_board *falco
+ /**
+  * struct siena_nic_data - Siena NIC state
+  * @mcdi: Management-Controller-to-Driver Interface
+- * @mcdi_smem: MCDI shared memory mapping. The mapping is always uncacheable.
+  * @wol_filter_id: Wake-on-LAN packet filter id
+  */
+ struct siena_nic_data {
+ 	struct efx_mcdi_iface mcdi;
+-	void __iomem *mcdi_smem;
+ 	int wol_filter_id;
+ };
+ 
+--- a/drivers/net/sfc/siena.c
++++ b/drivers/net/sfc/siena.c
+@@ -220,26 +220,12 @@ static int siena_probe_nic(struct efx_ni
+ 	efx_reado(efx, &reg, FR_AZ_CS_DEBUG);
+ 	efx->net_dev->dev_id = EFX_OWORD_FIELD(reg, FRF_CZ_CS_PORT_NUM) - 1;
+ 
+-	/* Initialise MCDI */
+-	nic_data->mcdi_smem = ioremap_nocache(efx->membase_phys +
+-					      FR_CZ_MC_TREG_SMEM,
+-					      FR_CZ_MC_TREG_SMEM_STEP *
+-					      FR_CZ_MC_TREG_SMEM_ROWS);
+-	if (!nic_data->mcdi_smem) {
+-		netif_err(efx, probe, efx->net_dev,
+-			  "could not map MCDI at %llx+%x\n",
+-			  (unsigned long long)efx->membase_phys +
+-			  FR_CZ_MC_TREG_SMEM,
+-			  FR_CZ_MC_TREG_SMEM_STEP * FR_CZ_MC_TREG_SMEM_ROWS);
+-		rc = -ENOMEM;
+-		goto fail1;
+-	}
+ 	efx_mcdi_init(efx);
+ 
+ 	/* Recover from a failed assertion before probing */
+ 	rc = efx_mcdi_handle_assertion(efx);
+ 	if (rc)
+-		goto fail2;
++		goto fail1;
+ 
+ 	/* Let the BMC know that the driver is now in charge of link and
+ 	 * filter settings. We must do this before we reset the NIC */
+@@ -294,7 +280,6 @@ fail4:
+ fail3:
+ 	efx_mcdi_drv_attach(efx, false, NULL);
+ fail2:
+-	iounmap(nic_data->mcdi_smem);
+ fail1:
+ 	kfree(efx->nic_data);
+ 	return rc;
+@@ -374,8 +359,6 @@ static int siena_init_nic(struct efx_nic
+ 
+ static void siena_remove_nic(struct efx_nic *efx)
+ {
+-	struct siena_nic_data *nic_data = efx->nic_data;
+-
+ 	efx_nic_free_buffer(efx, &efx->irq_status);
+ 
+ 	siena_reset_hw(efx, RESET_TYPE_ALL);
+@@ -385,8 +368,7 @@ static void siena_remove_nic(struct efx_
+ 		efx_mcdi_drv_attach(efx, false, NULL);
+ 
+ 	/* Tear down the private nic state */
+-	iounmap(nic_data->mcdi_smem);
+-	kfree(nic_data);
++	kfree(efx->nic_data);
+ 	efx->nic_data = NULL;
+ }
+ 
+@@ -624,7 +606,8 @@ const struct efx_nic_type siena_a0_nic_t
+ 	.default_mac_ops = &efx_mcdi_mac_operations,
+ 
+ 	.revision = EFX_REV_SIENA_A0,
+-	.mem_map_size = FR_CZ_MC_TREG_SMEM, /* MC_TREG_SMEM mapped separately */
++	.mem_map_size = (FR_CZ_MC_TREG_SMEM +
++			 FR_CZ_MC_TREG_SMEM_STEP * FR_CZ_MC_TREG_SMEM_ROWS),
+ 	.txd_ptr_tbl_base = FR_BZ_TX_DESC_PTR_TBL,
+ 	.rxd_ptr_tbl_base = FR_BZ_RX_DESC_PTR_TBL,
+ 	.buf_tbl_base = FR_BZ_BUF_FULL_TBL,
+--- a/drivers/net/sfc/workarounds.h
++++ b/drivers/net/sfc/workarounds.h
+@@ -38,8 +38,6 @@
+ #define EFX_WORKAROUND_15783 EFX_WORKAROUND_ALWAYS
+ /* Legacy interrupt storm when interrupt fifo fills */
+ #define EFX_WORKAROUND_17213 EFX_WORKAROUND_SIENA
+-/* Write combining and sriov=enabled are incompatible */
+-#define EFX_WORKAROUND_22643 EFX_WORKAROUND_SIENA
+ 
+ /* Spurious parity errors in TSORT buffers */
+ #define EFX_WORKAROUND_5129 EFX_WORKAROUND_FALCON_A
diff --git a/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch b/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch
new file mode 100644
index 0000000000..789fb18a85
--- /dev/null
+++ b/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch
@@ -0,0 +1,33 @@
+From f59d0f4f7e0a94103e95e9a305faf91ae619009b Mon Sep 17 00:00:00 2001
+From: Tim Chen <tim.c.chen@linux.intel.com>
+Date: Tue, 9 Aug 2011 06:48:32 +0000
+Subject: scm: Capture the full credentials of the scm sender
+
+
+From: Tim Chen <tim.c.chen@linux.intel.com>
+
+[ Upstream commit e33f7a9f37d486f4c6cce5de18a6eea11d68f64f ]
+
+This patch corrects an erroneous update of credential's gid with uid
+introduced in commit 257b5358b32f17 since 2.6.36.
+
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Reviewed-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/scm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -192,7 +192,7 @@ int __scm_send(struct socket *sock, stru
+ 					goto error;
+ 
+ 				cred->uid = cred->euid = p->creds.uid;
+-				cred->gid = cred->egid = p->creds.uid;
++				cred->gid = cred->egid = p->creds.gid;
+ 				put_cred(p->cred);
+ 				p->cred = cred;
+ 			}
diff --git a/queue-3.0/series b/queue-3.0/series
index 9ebe3bab16..b6a7277d63 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -173,3 +173,19 @@ fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch
 mpt2sas-added-did_no_connect-return-when-driver-remove-and-avoid-shutdown-call.patch
 mpt2sas-adding-support-for-customer-specific-branding.patch
 perf-x86-add-model-45-sandybridge-support.patch
+arp-fix-rcu-lockdep-splat-in-arp_process.patch
+bridge-fix-a-possible-net_device-leak.patch
+fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
+ipv4-some-rt_iif-rt_route_iif-conversions.patch
+ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch
+mcast-fix-source-address-selection-for-multicast-listener-report.patch
+netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
+net_sched-prio-use-qdisc_dequeue_peeked.patch
+revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch
+scm-capture-the-full-credentials-of-the-scm-sender.patch
+tcp-fix-validation-of-d-sack.patch
+tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
+vlan-reset-headers-on-accel-emulation-path.patch
+xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
+bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
+bridge-fix-a-possible-use-after-free.patch
diff --git a/queue-3.0/tcp-fix-validation-of-d-sack.patch b/queue-3.0/tcp-fix-validation-of-d-sack.patch
new file mode 100644
index 0000000000..2981b3db89
--- /dev/null
+++ b/queue-3.0/tcp-fix-validation-of-d-sack.patch
@@ -0,0 +1,32 @@
+From 1f78256b75d0096beb9b55e16f1d65d8f87fa148 Mon Sep 17 00:00:00 2001
+From: Zheng Yan <zheng.z.yan@intel.com>
+Date: Sun, 18 Sep 2011 22:37:34 -0400
+Subject: tcp: fix validation of D-SACK
+
+
+From: Zheng Yan <zheng.z.yan@intel.com>
+
+[ Upstream commit f779b2d60ab95c17f1e025778ed0df3ec2f05d75 ]
+
+D-SACK is allowed to reside below snd_una. But the corresponding check
+in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp_input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1115,7 +1115,7 @@ static int tcp_is_sackblock_valid(struct
+ 		return 0;
+ 
+ 	/* ...Then it's D-SACK, and must reside below snd_una completely */
+-	if (!after(end_seq, tp->snd_una))
++	if (after(end_seq, tp->snd_una))
+ 		return 0;
+ 
+ 	if (!before(start_seq, tp->undo_marker))
diff --git a/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch b/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
new file mode 100644
index 0000000000..b68f810cb7
--- /dev/null
+++ b/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
@@ -0,0 +1,47 @@
+From 3eeab99dbfc26b4ffd50053945d1a27d45de0aed Mon Sep 17 00:00:00 2001
+From: Mike Waychison <mikew@google.com>
+Date: Wed, 10 Aug 2011 21:59:57 -0700
+Subject: tcp: initialize variable ecn_ok in syncookies path
+
+
+From: Mike Waychison <mikew@google.com>
+
+[ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ]
+
+Using a gcc 4.4.3, warnings are emitted for a possibly uninitialized use
+of ecn_ok.
+
+This can happen if cookie_check_timestamp() returns due to not having
+seen a timestamp.  Defaulting to ecn off seems like a reasonable thing
+to do in this case, so initialized ecn_ok to false.
+
+Signed-off-by: Mike Waychison <mikew@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/syncookies.c |    2 +-
+ net/ipv6/syncookies.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -276,7 +276,7 @@ struct sock *cookie_v4_check(struct sock
+ 	int mss;
+ 	struct rtable *rt;
+ 	__u8 rcv_wscale;
+-	bool ecn_ok;
++	bool ecn_ok = false;
+ 
+ 	if (!sysctl_tcp_syncookies || !th->ack || th->rst)
+ 		goto out;
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -165,7 +165,7 @@ struct sock *cookie_v6_check(struct sock
+ 	int mss;
+ 	struct dst_entry *dst;
+ 	__u8 rcv_wscale;
+-	bool ecn_ok;
++	bool ecn_ok = false;
+ 
+ 	if (!sysctl_tcp_syncookies || !th->ack || th->rst)
+ 		goto out;
diff --git a/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch b/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch
new file mode 100644
index 0000000000..8b13c313dc
--- /dev/null
+++ b/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch
@@ -0,0 +1,37 @@
+From 15a3e2fbaf34f4fe5a78c92dced1b108dd9ec999 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jpirko@redhat.com>
+Date: Thu, 18 Aug 2011 21:29:27 -0700
+Subject: vlan: reset headers on accel emulation path
+
+
+From: Jiri Pirko <jpirko@redhat.com>
+
+[ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ]
+
+It's after all necessary to do reset headers here. The reason is we
+cannot depend that it gets reseted in __netif_receive_skb once skb is
+reinjected. For incoming vlanids without vlan_dev, vlan_do_receive()
+returns false with skb != NULL and __netif_reveive_skb continues, skb is
+not reinjected.
+
+This might be good material for 3.0-stable as well
+
+Reported-by: Mike Auty <mike.auty@gmail.com>
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/8021q/vlan_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -171,6 +171,8 @@ struct sk_buff *vlan_untag(struct sk_buf
+ 	if (unlikely(!skb))
+ 		goto err_free;
+ 
++	skb_reset_network_header(skb);
++	skb_reset_transport_header(skb);
+ 	return skb;
+ 
+ err_free:
diff --git a/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch b/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
new file mode 100644
index 0000000000..64423efa22
--- /dev/null
+++ b/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
@@ -0,0 +1,43 @@
+From 2d96fcc1bff9f13589045bbe1951780c5bf8d179 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 20 Sep 2011 23:38:58 +0000
+Subject: xfrm: Perform a replay check after return from async codepaths
+
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ]
+
+When asyncronous crypto algorithms are used, there might be many
+packets that passed the xfrm replay check, but the replay advance
+function is not called yet for these packets. So the replay check
+function would accept a replay of all of these packets. Also the
+system might crash if there are more packets in async processing
+than the size of the anti replay window, because the replay advance
+function would try to update the replay window beyond the bounds.
+
+This pach adds a second replay check after resuming from the async
+processing to fix these issues.
+
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/xfrm/xfrm_input.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -212,6 +212,11 @@ resume:
+ 		/* only the first xfrm gets the encap type */
+ 		encap_type = 0;
+ 
++		if (async && x->repl->check(x, skb, seq)) {
++			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
++			goto drop_unlock;
++		}
++
+ 		x->repl->advance(x, seq);
+ 
+ 		x->curlft.bytes += skb->len;