author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-09-22 16:17:55 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-09-22 16:17:55 -0700 |
commit | 294ca9a5f3157acae400113fa11f1586c6ffd15e (patch) | |
tree | 5d8d56b37e14e5592e38143edc88cd9f1104fabe | |
parent | f09b31fa971e99069f8dc68a87c7db2cf5ac77a7 (diff) | |
download | stable-queue-294ca9a5f3157acae400113fa11f1586c6ffd15e.tar.gz |
3.0 patches
17 files changed, 1181 insertions, 0 deletions
diff --git a/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch b/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch new file mode 100644 index 0000000000..5f3559a716 --- /dev/null +++ b/queue-3.0/arp-fix-rcu-lockdep-splat-in-arp_process.patch 
@@ -0,0 +1,116 @@ +From 8f75e5dfdaa6782c3d3f4efdb3880f2895e7cb02 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Mon, 22 Aug 2011 19:32:42 +0000 +Subject: arp: fix rcu lockdep splat in arp_process() + + +From: Eric Dumazet <eric.dumazet@gmail.com> + +[ Upstream commit 20e6074eb8e096b3a595c093d1cb222f378cd671 ] + +Dave Jones reported a lockdep splat triggered by an arp_process() call +from parp_redo(). + +Commit faa9dcf793be (arp: RCU changes) is the origin of the bug, since +it assumed arp_process() was called under rcu_read_lock(), which is not +true in this particular path. + +Instead of adding rcu_read_lock() in parp_redo(), I chose to add it in +neigh_proxy_process() to take care of IPv6 side too. + + =================================================== + [ INFO: suspicious rcu_dereference_check() usage. ] + --------------------------------------------------- + include/linux/inetdevice.h:209 invoked rcu_dereference_check() without +protection! + + other info that might help us debug this: + + rcu_scheduler_active = 1, debug_locks = 0 + 4 locks held by setfiles/2123: + #0: (&sb->s_type->i_mutex_key#13){+.+.+.}, at: [<ffffffff8114cbc4>] +walk_component+0x1ef/0x3e8 + #1: (&isec->lock){+.+.+.}, at: [<ffffffff81204bca>] +inode_doinit_with_dentry+0x3f/0x41f + #2: (&tbl->proxy_timer){+.-...}, at: [<ffffffff8106a803>] +run_timer_softirq+0x157/0x372 + #3: (class){+.-...}, at: [<ffffffff8141f256>] neigh_proxy_process ++0x36/0x103 + + stack backtrace: + Pid: 2123, comm: setfiles Tainted: G W +3.1.0-0.rc2.git7.2.fc16.x86_64 #1 + Call Trace: + <IRQ> [<ffffffff8108ca23>] lockdep_rcu_dereference+0xa7/0xaf + [<ffffffff8146a0b7>] __in_dev_get_rcu+0x55/0x5d + [<ffffffff8146a751>] arp_process+0x25/0x4d7 + [<ffffffff8146ac11>] parp_redo+0xe/0x10 + [<ffffffff8141f2ba>] neigh_proxy_process+0x9a/0x103 + [<ffffffff8106a8c4>] run_timer_softirq+0x218/0x372 + [<ffffffff8106a803>] ? run_timer_softirq+0x157/0x372 + [<ffffffff8141f220>] ? 
neigh_stat_seq_open+0x41/0x41 + [<ffffffff8108f2f0>] ? mark_held_locks+0x6d/0x95 + [<ffffffff81062bb6>] __do_softirq+0x112/0x25a + [<ffffffff8150d27c>] call_softirq+0x1c/0x30 + [<ffffffff81010bf5>] do_softirq+0x4b/0xa2 + [<ffffffff81062f65>] irq_exit+0x5d/0xcf + [<ffffffff8150dc11>] smp_apic_timer_interrupt+0x7c/0x8a + [<ffffffff8150baf3>] apic_timer_interrupt+0x73/0x80 + <EOI> [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158 + [<ffffffff814fc285>] ? __slab_free+0x30/0x24c + [<ffffffff814fc283>] ? __slab_free+0x2e/0x24c + [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f + [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f + [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f + [<ffffffff81130cb0>] kfree+0x108/0x131 + [<ffffffff81204e74>] inode_doinit_with_dentry+0x2e9/0x41f + [<ffffffff81204fc6>] selinux_d_instantiate+0x1c/0x1e + [<ffffffff81200f4f>] security_d_instantiate+0x21/0x23 + [<ffffffff81154625>] d_instantiate+0x5c/0x61 + [<ffffffff811563ca>] d_splice_alias+0xbc/0xd2 + [<ffffffff811b17ff>] ext4_lookup+0xba/0xeb + [<ffffffff8114bf1e>] d_alloc_and_lookup+0x45/0x6b + [<ffffffff8114cbea>] walk_component+0x215/0x3e8 + [<ffffffff8114cdf8>] lookup_last+0x3b/0x3d + [<ffffffff8114daf3>] path_lookupat+0x82/0x2af + [<ffffffff8110fc53>] ? might_fault+0xa5/0xac + [<ffffffff8110fc0a>] ? might_fault+0x5c/0xac + [<ffffffff8114c564>] ? getname_flags+0x31/0x1ca + [<ffffffff8114dd48>] do_path_lookup+0x28/0x97 + [<ffffffff8114df2c>] user_path_at+0x59/0x96 + [<ffffffff811467ad>] ? cp_new_stat+0xf7/0x10d + [<ffffffff811469a6>] vfs_fstatat+0x44/0x6e + [<ffffffff811469ee>] vfs_lstat+0x1e/0x20 + [<ffffffff81146b3d>] sys_newlstat+0x1a/0x33 + [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158 + [<ffffffff812535fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f + [<ffffffff8150af82>] system_call_fastpath+0x16/0x1b + +Reported-by: Dave Jones <davej@redhat.com> +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + net/core/neighbour.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1383,11 +1383,15 @@ static void neigh_proxy_process(unsigned + + if (tdif <= 0) { + struct net_device *dev = skb->dev; ++ + __skb_unlink(skb, &tbl->proxy_queue); +- if (tbl->proxy_redo && netif_running(dev)) ++ if (tbl->proxy_redo && netif_running(dev)) { ++ rcu_read_lock(); + tbl->proxy_redo(skb); +- else ++ rcu_read_unlock(); ++ } else { + kfree_skb(skb); ++ } + + dev_put(dev); + } else if (!sched_next || tdif < sched_next) diff --git a/queue-3.0/bridge-fix-a-possible-net_device-leak.patch b/queue-3.0/bridge-fix-a-possible-net_device-leak.patch new file mode 100644 index 0000000000..1ac1955d25 --- /dev/null +++ b/queue-3.0/bridge-fix-a-possible-net_device-leak.patch 
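Review bot: The `rcu_read_lock()`/`rcu_read_unlock()` pair added around `tbl->proxy_redo(skb)` in neigh_proxy_process() has no comment, so the reason the lock is taken in the caller rather than in the callback is recorded only in the commit message. I would add `/* proxy_redo() handlers such as arp_process() use rcu_dereference(); the proxy timer does not run under rcu_read_lock() */` directly above the lock. neigh_proxy_process() starts and ends outside the hunk, so whether the rest of it needs the same protection cannot be judged from here.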
@@ -0,0 +1,44 @@
+From a6d49182e7fb7179152e3423a7a2c9bbfa4376a1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Mon, 22 Aug 2011 06:05:59 +0000
+Subject: bridge: fix a possible net_device leak
+
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit 11f3a6bdc2528d1ce2af50202dbf7138fdee1b34 ]
+
+Jan Beulich reported a possible net_device leak in bridge code after
+commit bb900b27a2f4 (bridge: allow creating bridge devices with netlink)
+
+Reported-by: Jan Beulich <JBeulich@novell.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_if.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -231,6 +231,7 @@ static struct net_bridge_port *new_nbp(s
+ int br_add_bridge(struct net *net, const char *name)
+ {
+ struct net_device *dev;
++ int res;
+
+ dev = alloc_netdev(sizeof(struct net_bridge), name,
+ br_dev_setup);
+@@ -240,7 +241,10 @@ int br_add_bridge(struct net *net, const
+
+ dev_net_set(dev, net);
+
+- return register_netdev(dev);
++ res = register_netdev(dev);
++ if (res)
++ free_netdev(dev);
++ return res;
+ }
+
+ int br_del_bridge(struct net *net, const char *name)
diff --git a/queue-3.0/bridge-fix-a-possible-use-after-free.patch b/queue-3.0/bridge-fix-a-possible-use-after-free.patch
new file mode 100644
index 0000000000..7728f8df1d
--- /dev/null
+++ b/queue-3.0/bridge-fix-a-possible-use-after-free.patch
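Review bot: The error path added after `register_netdev(dev)` in br_add_bridge() frees the device directly, which is only correct if nothing on the failed-registration path has already released it. `br_dev_setup` is not visible in this hunk; if it installs a destructor, confirm that it does not run when registration fails, otherwise this becomes a double free. A one-line comment such as `/* registration failed: dev is still ours to free */` above `free_netdev(dev)` would record the ownership rule. The lines between the two hunks are not shown.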
@@ -0,0 +1,55 @@
+From b6dc9dd58adfde59146a759e1a1c1d33d500c465 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 23 Aug 2011 19:57:05 +0000
+Subject: bridge: fix a possible use after free
+
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+[ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ]
+
+br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb
+head can be reallocated.
+
+Cache icmp6_type field instead of dereferencing twice the struct
+icmp6hdr pointer.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_multicast.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1456,7 +1456,7 @@ static int br_multicast_ipv6_rcv(struct
+ {
+ struct sk_buff *skb2;
+ const struct ipv6hdr *ip6h;
+- struct icmp6hdr *icmp6h;
++ u8 icmp6_type;
+ u8 nexthdr;
+ unsigned len;
+ int offset;
+@@ -1502,9 +1502,9 @@ static int br_multicast_ipv6_rcv(struct
+ __skb_pull(skb2, offset);
+ skb_reset_transport_header(skb2);
+
+- icmp6h = icmp6_hdr(skb2);
++ icmp6_type = icmp6_hdr(skb2)->icmp6_type;
+
+- switch (icmp6h->icmp6_type) {
++ switch (icmp6_type) {
+ case ICMPV6_MGM_QUERY:
+ case ICMPV6_MGM_REPORT:
+ case ICMPV6_MGM_REDUCTION:
+@@ -1544,7 +1544,7 @@ static int br_multicast_ipv6_rcv(struct
+
+ BR_INPUT_SKB_CB(skb)->igmp = 1;
+
+- switch (icmp6h->icmp6_type) {
++ switch (icmp6_type) {
+ case ICMPV6_MGM_REPORT:
+ {
+ struct mld_msg *mld;
diff --git a/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch b/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
new file mode 100644
index 0000000000..599252e5a6
--- /dev/null
+++ b/queue-3.0/bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
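Review bot: The line `icmp6_type = icmp6_hdr(skb2)->icmp6_type;` copies the field by value for a reason that the code itself does not state, so a later cleanup could reintroduce the cached header pointer. I would add `/* copy now: pskb_trim_rcsum() may reallocate skb2's head and invalidate header pointers */` above it. The same hazard applies to any other pointer into skb2's data that is held across that call. br_multicast_ipv6_rcv() extends well beyond these three hunks, so that cannot be checked from here.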
@@ -0,0 +1,50 @@
+From 6000a614b98987b8dca995680d6ab2c44f407582 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+Date: Tue, 23 Aug 2011 22:54:33 +0000
+Subject: bridge: Pseudo-header required for the checksum of ICMPv6
+
+
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+
+[ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ]
+
+Checksum of ICMPv6 is not properly computed because the pseudo header is not used.
+Thus, the MLD packet gets dropped by the bridge.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Reported-by: Ang Way Chuang <wcang@sfc.wide.ad.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/br_multicast.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1520,16 +1520,23 @@ static int br_multicast_ipv6_rcv(struct
+ err = pskb_trim_rcsum(skb2, len);
+ if (err)
+ goto out;
++ err = -EINVAL;
+ }
+
++ ip6h = ipv6_hdr(skb2);
++
+ switch (skb2->ip_summed) {
+ case CHECKSUM_COMPLETE:
+- if (!csum_fold(skb2->csum))
++ if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr, skb2->len,
++ IPPROTO_ICMPV6, skb2->csum))
+ break;
+ /*FALLTHROUGH*/
+ case CHECKSUM_NONE:
+- skb2->csum = 0;
+- if (skb_checksum_complete(skb2))
++ skb2->csum = ~csum_unfold(csum_ipv6_magic(&ip6h->saddr,
++ &ip6h->daddr,
++ skb2->len,
++ IPPROTO_ICMPV6, 0));
++ if (__skb_checksum_complete(skb2))
+ goto out;
+ }
+
diff --git a/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch b/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
new file mode 100644
index 0000000000..74b08246b5
--- /dev/null
+++ b/queue-3.0/fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
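Review bot: The added `err = -EINVAL;` sits inside the trim block, so when no trim was needed the value returned on a checksum failure depends on an assignment outside this hunk. Confirm that `err` already holds `-EINVAL` on that path. Separately, the `CHECKSUM_NONE` branch now seeds `skb2->csum` with the complemented pseudo-header sum and switches to `__skb_checksum_complete()` without saying why. A comment such as `/* seed with the IPv6 pseudo-header, which the ICMPv6 checksum covers */` above the assignment would make the intent clear. br_multicast_ipv6_rcv() begins and ends outside the hunk.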
@@ -0,0 +1,43 @@
+From 547625c470fd5e9eea86abe8435378c3c7a1f6aa Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Sun, 11 Sep 2011 15:36:05 +0000
+Subject: fib:fix BUG_ON in fib_nl_newrule when add new fib rule
+
+
+From: Gao feng <gaofeng@cn.fujitsu.com>
+
+[ Upstream commit 561dac2d410ffac0b57a23b85ae0a623c1a076ca ]
+
+add new fib rule can cause BUG_ON happen
+the reproduce shell is
+ip rule add pref 38
+ip rule add pref 38
+ip rule add to 192.168.3.0/24 goto 38
+ip rule del pref 38
+ip rule add to 192.168.3.0/24 goto 38
+ip rule add pref 38
+
+then the BUG_ON will happen
+del BUG_ON and use (ctarget == NULL) identify whether this rule is unresolved
+
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/fib_rules.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -384,8 +384,8 @@ static int fib_nl_newrule(struct sk_buff
+ */
+ list_for_each_entry(r, &ops->rules_list, list) {
+ if (r->action == FR_ACT_GOTO &&
+- r->target == rule->pref) {
+- BUG_ON(rtnl_dereference(r->ctarget) != NULL);
++ r->target == rule->pref &&
++ rtnl_dereference(r->ctarget) == NULL) {
+ rcu_assign_pointer(r->ctarget, rule);
+ if (--ops->unresolved_rules == 0)
+ break;
diff --git a/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch b/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch
new file mode 100644
index 0000000000..b4182614b5
--- /dev/null
+++ b/queue-3.0/ipv4-some-rt_iif-rt_route_iif-conversions.patch
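Review bot: The new condition `rtnl_dereference(r->ctarget) == NULL` in fib_nl_newrule() silently skips goto rules that already have a target, and the code does not say when that state can occur. I would add `/* several rules may share a pref; a goto rule already resolved to one of them keeps its target */` above the `if`. Replacing the assertion with a condition is the right direction, because the description shows the state is reachable from an ordinary sequence of rule additions and deletions. The comment block and guard that precede the loop start outside the hunk.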
@@ -0,0 +1,72 @@ +From 3f721b34b275c0892de4438063548ceea9888c6e Mon Sep 17 00:00:00 2001 +From: Julian Anastasov <ja@ssi.bg> +Date: Tue, 9 Aug 2011 04:01:16 +0000 +Subject: ipv4: some rt_iif -> rt_route_iif conversions + + +From: Julian Anastasov <ja@ssi.bg> + +[ Upstream commit 97a804102021431fa6fa33c21c85df762b0f5cb9 ] + +As rt_iif represents input device even for packets +coming from loopback with output route, it is not an unique +key specific to input routes. Now rt_route_iif has such role, +it was fl.iif in 2.6.38, so better to change the checks at +some places to save CPU cycles and to restore 2.6.38 semantics. + +compare_keys: + - input routes: only rt_route_iif matters, rt_iif is same + - output routes: only rt_oif matters, rt_iif is not + used for matching in __ip_route_output_key + - now we are back to 2.6.38 state + +ip_route_input_common: + - matching rt_route_iif implies input route + - compared to 2.6.38 we eliminated one rth->fl.oif check + because it was not needed even for 2.6.38 + +compare_hash_inputs: + Only the change here is not an optimization, it has + effect only for output routes. I assume I'm restoring + the original intention to ignore oif, it was using fl.iif + - now we are back to 2.6.38 state + +Signed-off-by: Julian Anastasov <ja@ssi.bg> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + net/ipv4/route.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -717,7 +717,7 @@ static inline bool compare_hash_inputs(c + { + return ((((__force u32)rt1->rt_key_dst ^ (__force u32)rt2->rt_key_dst) | + ((__force u32)rt1->rt_key_src ^ (__force u32)rt2->rt_key_src) | +- (rt1->rt_iif ^ rt2->rt_iif)) == 0); ++ (rt1->rt_route_iif ^ rt2->rt_route_iif)) == 0); + } + + static inline int compare_keys(struct rtable *rt1, struct rtable *rt2) +@@ -727,8 +727,7 @@ static inline int compare_keys(struct rt + (rt1->rt_mark ^ rt2->rt_mark) | + (rt1->rt_key_tos ^ rt2->rt_key_tos) | + (rt1->rt_route_iif ^ rt2->rt_route_iif) | +- (rt1->rt_oif ^ rt2->rt_oif) | +- (rt1->rt_iif ^ rt2->rt_iif)) == 0; ++ (rt1->rt_oif ^ rt2->rt_oif)) == 0; + } + + static inline int compare_netns(struct rtable *rt1, struct rtable *rt2) +@@ -2282,9 +2281,8 @@ int ip_route_input_common(struct sk_buff + rth = rcu_dereference(rth->dst.rt_next)) { + if ((((__force u32)rth->rt_key_dst ^ (__force u32)daddr) | + ((__force u32)rth->rt_key_src ^ (__force u32)saddr) | +- (rth->rt_iif ^ iif) | ++ (rth->rt_route_iif ^ iif) | + (rth->rt_key_tos ^ tos)) == 0 && +- rt_is_input_route(rth) && + rth->rt_mark == skb->mark && + net_eq(dev_net(rth->dst.dev), net) && + !rt_is_expired(rth)) { diff --git a/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch b/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch new file mode 100644 index 0000000000..315ea79186 --- /dev/null +++ b/queue-3.0/ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch 
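Review bot: Dropping `rt_is_input_route(rth) &&` in ip_route_input_common() makes the cache match rest on an invariant the code never states: that `rt_route_iif` is non-zero only on input routes and that `iif` is never 0 on this path. The description asserts the first half; the second should be confirmed against the callers, which are not visible here. I would add `/* rt_route_iif is set only on input routes, so matching it also excludes output routes */` at the comparison. compare_hash_inputs() deserves the same kind of comment, since the description says its behaviour changes for output routes. The lookup loop begins outside the hunk.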
@@ -0,0 +1,64 @@ +From cc9404e5c60f6feec3781751e142d513b6e1d481 Mon Sep 17 00:00:00 2001 +From: Daniel Baluta <dbaluta@ixiacom.com> +Date: Fri, 19 Aug 2011 03:19:07 -0700 +Subject: ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS + + +From: Daniel Baluta <dbaluta@ixiacom.com> + +[ Upstream commit 98e77438aed3cd3343cbb86825127b1d9d2bea33 ] + +IPV6_2292PKTOPTIONS is broken for 32-bit applications running +in COMPAT mode on 64-bit kernels. + +The same problem was fixed for IPv4 with the patch: +ipv4: Fix ip_getsockopt for IP_PKTOPTIONS, +commit dd23198e58cd35259dd09e8892bbdb90f1d57748 + +Signed-off-by: Sorin Dumitru <sdumitru@ixiacom.com> +Signed-off-by: Daniel Baluta <dbaluta@ixiacom.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + net/ipv6/ipv6_sockglue.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -913,7 +913,7 @@ static int ipv6_getsockopt_sticky(struct + } + + static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, +- char __user *optval, int __user *optlen) ++ char __user *optval, int __user *optlen, unsigned flags) + { + struct ipv6_pinfo *np = inet6_sk(sk); + int len; +@@ -962,7 +962,7 @@ static int do_ipv6_getsockopt(struct soc + + msg.msg_control = optval; + msg.msg_controllen = len; +- msg.msg_flags = 0; ++ msg.msg_flags = flags; + + lock_sock(sk); + skb = np->pktoptions; +@@ -1222,7 +1222,7 @@ int ipv6_getsockopt(struct sock *sk, int + if(level != SOL_IPV6) + return -ENOPROTOOPT; + +- err = do_ipv6_getsockopt(sk, level, optname, optval, optlen); ++ err = do_ipv6_getsockopt(sk, level, optname, optval, optlen, 0); + #ifdef CONFIG_NETFILTER + /* we need to exclude all possible ENOPROTOOPTs except default case */ + if (err == -ENOPROTOOPT && optname != IPV6_2292PKTOPTIONS) { +@@ -1264,7 +1264,8 @@ int compat_ipv6_getsockopt(struct sock * + return compat_mc_getsockopt(sk, level, optname, 
optval, optlen, + ipv6_getsockopt); + +- err = do_ipv6_getsockopt(sk, level, optname, optval, optlen); ++ err = do_ipv6_getsockopt(sk, level, optname, optval, optlen, ++ MSG_CMSG_COMPAT); + #ifdef CONFIG_NETFILTER + /* we need to exclude all possible ENOPROTOOPTs except default case */ + if (err == -ENOPROTOOPT && optname != IPV6_2292PKTOPTIONS) { diff --git a/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch b/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch new file mode 100644 index 0000000000..fca1b25786 --- /dev/null +++ b/queue-3.0/mcast-fix-source-address-selection-for-multicast-listener-report.patch 
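Review bot: The parameter added to do_ipv6_getsockopt() is declared as bare `unsigned flags` and is undocumented, while the two visible callers pass a literal `0` and `MSG_CMSG_COMPAT`. I would spell it `unsigned int flags` and add a short comment above the function, for example `/* flags: MSG_* bits copied into msg.msg_flags for IPV6_2292PKTOPTIONS (MSG_CMSG_COMPAT for compat callers) */`. In the visible hunks the value is used only for `msg.msg_flags`. The rest of the function is outside these hunks, so any other use cannot be ruled out from here.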
@@ -0,0 +1,43 @@
+From 26dd8ba2f771758b66afee7b033448bb0b9c20ae Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+Date: Tue, 23 Aug 2011 22:54:37 +0000
+Subject: mcast: Fix source address selection for multicast listener report
+
+
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+
+[ Upstream commit e05c4ad3ed874ee4f5e2c969e55d318ec654332c ]
+
+Should check use count of include mode filter instead of total number
+of include mode filters.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/igmp.c | 2 +-
+ net/ipv6/mcast.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -767,7 +767,7 @@ static int igmp_xmarksources(struct ip_m
+ break;
+ for (i=0; i<nsrcs; i++) {
+ /* skip inactive filters */
+- if (pmc->sfcount[MCAST_INCLUDE] ||
++ if (psf->sf_count[MCAST_INCLUDE] ||
+ pmc->sfcount[MCAST_EXCLUDE] !=
+ psf->sf_count[MCAST_EXCLUDE])
+ continue;
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1059,7 +1059,7 @@ static int mld_xmarksources(struct ifmca
+ break;
+ for (i=0; i<nsrcs; i++) {
+ /* skip inactive filters */
+- if (pmc->mca_sfcount[MCAST_INCLUDE] ||
++ if (psf->sf_count[MCAST_INCLUDE] ||
+ pmc->mca_sfcount[MCAST_EXCLUDE] !=
+ psf->sf_count[MCAST_EXCLUDE])
+ continue;
diff --git a/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch b/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch
new file mode 100644
index 0000000000..b65b718cd0
--- /dev/null
+++ b/queue-3.0/net_sched-prio-use-qdisc_dequeue_peeked.patch
@@ -0,0 +1,45 @@
+From 0e8d99a04cab6e4b5ad7fd111c638e3d00030814 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 9 Aug 2011 02:04:43 +0000
+Subject: net_sched: prio: use qdisc_dequeue_peeked
+
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 3557619f0f6f7496ed453d4825e24958ab1884e0 ]
+
+commit 07bd8df5df4369487812bf85a237322ff3569b77
+(sch_sfq: fix peek() implementation) changed sfq to use generic
+peek helper.
+
+This makes HFSC complain about a non-work-conserving child qdisc, if
+prio with sfq child is used within hfsc:
+
+hfsc peeks into prio qdisc, which will then peek into sfq.
+returned skb is stashed in sch->gso_skb.
+
+Next, hfsc tries to dequeue from prio, but prio will call sfq dequeue
+directly, which may return NULL instead of previously peeked-at skb.
+
+Have prio call qdisc_dequeue_peeked, so sfq->dequeue() is
+not called in this case.
+
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/sch_prio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -112,7 +112,7 @@ static struct sk_buff *prio_dequeue(stru
+
+ for (prio = 0; prio < q->bands; prio++) {
+ struct Qdisc *qdisc = q->queues[prio];
+- struct sk_buff *skb = qdisc->dequeue(qdisc);
++ struct sk_buff *skb = qdisc_dequeue_peeked(qdisc);
+ if (skb) {
+ qdisc_bstats_update(sch, skb);
+ sch->q.qlen--;
diff --git a/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch b/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
new file mode 100644
index 0000000000..1ecf0222de
--- /dev/null
+++ b/queue-3.0/netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
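Review bot: The call `qdisc_dequeue_peeked(qdisc)` in prio_dequeue() has no comment, and the reason for not calling `->dequeue()` directly is not obvious without the commit description. I would add `/* a parent may have peeked this child; return the stashed skb instead of calling ->dequeue() directly */` above the declaration. prio_dequeue() begins and ends outside the hunk.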
@@ -0,0 +1,67 @@ +From 92d8d0a0f9687a594d7e9dfc6407791687c39f1f Mon Sep 17 00:00:00 2001 +From: Julian Anastasov <ja@ssi.bg> +Date: Sun, 7 Aug 2011 09:11:00 +0000 +Subject: netfilter: TCP and raw fix for ip_route_me_harder + + +From: Julian Anastasov <ja@ssi.bg> + +[ Upstream commit 797fd3913abf2f7036003ab8d3d019cbea41affd ] + +TCP in some cases uses different global (raw) socket +to send RST and ACK. The transparent flag is not set there. +Currently, it is a problem for rerouting after the previous +change. + + Fix it by simplifying the checks in ip_route_me_harder +and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe +because the initial routing allowed this source address to +be used and now we just have to make sure the packet is rerouted. + + As a side effect this also allows rerouting for normal +raw sockets that use spoofed source addresses which was not possible +even before we eliminated the ip_route_input call. + +Signed-off-by: Julian Anastasov <ja@ssi.bg> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + net/ipv4/netfilter.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/net/ipv4/netfilter.c ++++ b/net/ipv4/netfilter.c +@@ -18,17 +18,15 @@ int ip_route_me_harder(struct sk_buff *s + struct rtable *rt; + struct flowi4 fl4 = {}; + __be32 saddr = iph->saddr; +- __u8 flags = 0; ++ __u8 flags = skb->sk ? 
inet_sk_flowi_flags(skb->sk) : 0; + unsigned int hh_len; + +- if (!skb->sk && addr_type != RTN_LOCAL) { +- if (addr_type == RTN_UNSPEC) +- addr_type = inet_addr_type(net, saddr); +- if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) +- flags |= FLOWI_FLAG_ANYSRC; +- else +- saddr = 0; +- } ++ if (addr_type == RTN_UNSPEC) ++ addr_type = inet_addr_type(net, saddr); ++ if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) ++ flags |= FLOWI_FLAG_ANYSRC; ++ else ++ saddr = 0; + + /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause + * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook. +@@ -38,7 +36,7 @@ int ip_route_me_harder(struct sk_buff *s + fl4.flowi4_tos = RT_TOS(iph->tos); + fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0; + fl4.flowi4_mark = skb->mark; +- fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags; ++ fl4.flowi4_flags = flags; + rt = ip_route_output_key(net, &fl4); + if (IS_ERR(rt)) + return -1; diff --git a/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch b/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch new file mode 100644 index 0000000000..0d64facee9 --- /dev/null +++ b/queue-3.0/revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch 
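Review bot: `flags |= FLOWI_FLAG_ANYSRC` in ip_route_me_harder() now also applies to socket-owned packets, so for them the reroute no longer depends on the source address being local. The description itself notes that this lets raw-socket packets with non-local sources be rerouted. That trust assumption should be written next to the flag, e.g. `/* the initial route lookup already accepted this source; here we only need the packet to be reroutable */`. The `else saddr = 0;` branch also now runs for socket-owned packets whose address type is neither local nor unicast, which the removed `!skb->sk` guard used to exclude, so confirm that this is intended. The function continues outside the two hunks.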
@@ -0,0 +1,374 @@ +From 6510be733428af8dcceb086a4ccc5291c33ac329 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <bhutchings@solarflare.com> +Date: Thu, 1 Sep 2011 12:09:29 +0000 +Subject: Revert "sfc: Use write-combining to reduce TX latency" and follow-ups + + +From: Ben Hutchings <bhutchings@solarflare.com> + +[ Upstream commit 86c432ca5d6da90a26ac8d3e680f2268b502d9c5 ] + +This reverts commits 65f0b417dee94f779ce9b77102b7d73c93723b39, +d88d6b05fee3cc78e5b0273eb58c31201dcc6b76, +fcfa060468a4edcf776f0c1211d826d5de1668c1, +747df2258b1b9a2e25929ef496262c339c380009 and +867955f5682f7157fdafe8670804b9f8ea077bc7. + +Depending on the processor model, write-combining may result in +reordering that the NIC will not tolerate. This typically results +in a DMA error event and reset by the driver, logged as: + +sfc 0000:0e:00.0: eth2: TX DMA Q reports TX_EV_PKT_ERR. +sfc 0000:0e:00.0: eth2: resetting (ALL) + +Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/net/sfc/efx.c | 18 +--------------- + drivers/net/sfc/io.h | 15 +++---------- + drivers/net/sfc/mcdi.c | 46 +++++++++++++++--------------------------- + drivers/net/sfc/nic.c | 7 ------ + drivers/net/sfc/nic.h | 2 - + drivers/net/sfc/siena.c | 25 +++------------------- + drivers/net/sfc/workarounds.h | 2 - + 7 files changed, 27 insertions(+), 88 deletions(-) + +--- a/drivers/net/sfc/efx.c ++++ b/drivers/net/sfc/efx.c +@@ -1051,7 +1051,6 @@ static int efx_init_io(struct efx_nic *e + { + struct pci_dev *pci_dev = efx->pci_dev; + dma_addr_t dma_mask = efx->type->max_dma_mask; +- bool use_wc; + int rc; + + netif_dbg(efx, probe, efx->net_dev, "initialising I/O\n"); +@@ -1102,21 +1101,8 @@ static int efx_init_io(struct efx_nic *e + rc = -EIO; + goto fail3; + } +- +- /* bug22643: If SR-IOV is enabled then tx push over a write combined +- * mapping is unsafe. 
We need to disable write combining in this case. +- * MSI is unsupported when SR-IOV is enabled, and the firmware will +- * have removed the MSI capability. So write combining is safe if +- * there is an MSI capability. +- */ +- use_wc = (!EFX_WORKAROUND_22643(efx) || +- pci_find_capability(pci_dev, PCI_CAP_ID_MSI)); +- if (use_wc) +- efx->membase = ioremap_wc(efx->membase_phys, +- efx->type->mem_map_size); +- else +- efx->membase = ioremap_nocache(efx->membase_phys, +- efx->type->mem_map_size); ++ efx->membase = ioremap_nocache(efx->membase_phys, ++ efx->type->mem_map_size); + if (!efx->membase) { + netif_err(efx, probe, efx->net_dev, + "could not map memory BAR at %llx+%x\n", +--- a/drivers/net/sfc/io.h ++++ b/drivers/net/sfc/io.h +@@ -48,9 +48,9 @@ + * replacing the low 96 bits with zero does not affect functionality. + * - If the host writes to the last dword address of such a register + * (i.e. the high 32 bits) the underlying register will always be +- * written. If the collector and the current write together do not +- * provide values for all 128 bits of the register, the low 96 bits +- * will be written as zero. ++ * written. If the collector does not hold values for the low 96 ++ * bits of the register, they will be written as zero. Writing to ++ * the last qword does not have this effect and must not be done. 
+ * - If the host writes to the address of any other part of such a + * register while the collector already holds values for some other + * register, the write is discarded and the collector maintains its +@@ -103,7 +103,6 @@ static inline void efx_writeo(struct efx + _efx_writed(efx, value->u32[2], reg + 8); + _efx_writed(efx, value->u32[3], reg + 12); + #endif +- wmb(); + mmiowb(); + spin_unlock_irqrestore(&efx->biu_lock, flags); + } +@@ -126,7 +125,6 @@ static inline void efx_sram_writeq(struc + __raw_writel((__force u32)value->u32[0], membase + addr); + __raw_writel((__force u32)value->u32[1], membase + addr + 4); + #endif +- wmb(); + mmiowb(); + spin_unlock_irqrestore(&efx->biu_lock, flags); + } +@@ -141,7 +139,6 @@ static inline void efx_writed(struct efx + + /* No lock required */ + _efx_writed(efx, value->u32[0], reg); +- wmb(); + } + + /* Read a 128-bit CSR, locking as appropriate. */ +@@ -152,7 +149,6 @@ static inline void efx_reado(struct efx_ + + spin_lock_irqsave(&efx->biu_lock, flags); + value->u32[0] = _efx_readd(efx, reg + 0); +- rmb(); + value->u32[1] = _efx_readd(efx, reg + 4); + value->u32[2] = _efx_readd(efx, reg + 8); + value->u32[3] = _efx_readd(efx, reg + 12); +@@ -175,7 +171,6 @@ static inline void efx_sram_readq(struct + value->u64[0] = (__force __le64)__raw_readq(membase + addr); + #else + value->u32[0] = (__force __le32)__raw_readl(membase + addr); +- rmb(); + value->u32[1] = (__force __le32)__raw_readl(membase + addr + 4); + #endif + spin_unlock_irqrestore(&efx->biu_lock, flags); +@@ -242,14 +237,12 @@ static inline void _efx_writeo_page(stru + + #ifdef EFX_USE_QWORD_IO + _efx_writeq(efx, value->u64[0], reg + 0); +- _efx_writeq(efx, value->u64[1], reg + 8); + #else + _efx_writed(efx, value->u32[0], reg + 0); + _efx_writed(efx, value->u32[1], reg + 4); ++#endif + _efx_writed(efx, value->u32[2], reg + 8); + _efx_writed(efx, value->u32[3], reg + 12); +-#endif +- wmb(); + } + #define efx_writeo_page(efx, value, reg, page) \ + 
_efx_writeo_page(efx, value, \ +--- a/drivers/net/sfc/mcdi.c ++++ b/drivers/net/sfc/mcdi.c +@@ -50,20 +50,6 @@ static inline struct efx_mcdi_iface *efx + return &nic_data->mcdi; + } + +-static inline void +-efx_mcdi_readd(struct efx_nic *efx, efx_dword_t *value, unsigned reg) +-{ +- struct siena_nic_data *nic_data = efx->nic_data; +- value->u32[0] = (__force __le32)__raw_readl(nic_data->mcdi_smem + reg); +-} +- +-static inline void +-efx_mcdi_writed(struct efx_nic *efx, const efx_dword_t *value, unsigned reg) +-{ +- struct siena_nic_data *nic_data = efx->nic_data; +- __raw_writel((__force u32)value->u32[0], nic_data->mcdi_smem + reg); +-} +- + void efx_mcdi_init(struct efx_nic *efx) + { + struct efx_mcdi_iface *mcdi; +@@ -84,8 +70,8 @@ static void efx_mcdi_copyin(struct efx_n + const u8 *inbuf, size_t inlen) + { + struct efx_mcdi_iface *mcdi = efx_mcdi(efx); +- unsigned pdu = MCDI_PDU(efx); +- unsigned doorbell = MCDI_DOORBELL(efx); ++ unsigned pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx); ++ unsigned doorbell = FR_CZ_MC_TREG_SMEM + MCDI_DOORBELL(efx); + unsigned int i; + efx_dword_t hdr; + u32 xflags, seqno; +@@ -106,28 +92,29 @@ static void efx_mcdi_copyin(struct efx_n + MCDI_HEADER_SEQ, seqno, + MCDI_HEADER_XFLAGS, xflags); + +- efx_mcdi_writed(efx, &hdr, pdu); ++ efx_writed(efx, &hdr, pdu); + + for (i = 0; i < inlen; i += 4) +- efx_mcdi_writed(efx, (const efx_dword_t *)(inbuf + i), +- pdu + 4 + i); ++ _efx_writed(efx, *((__le32 *)(inbuf + i)), pdu + 4 + i); ++ ++ /* Ensure the payload is written out before the header */ ++ wmb(); + + /* ring the doorbell with a distinctive value */ +- EFX_POPULATE_DWORD_1(hdr, EFX_DWORD_0, 0x45789abc); +- efx_mcdi_writed(efx, &hdr, doorbell); ++ _efx_writed(efx, (__force __le32) 0x45789abc, doorbell); + } + + static void efx_mcdi_copyout(struct efx_nic *efx, u8 *outbuf, size_t outlen) + { + struct efx_mcdi_iface *mcdi = efx_mcdi(efx); +- unsigned int pdu = MCDI_PDU(efx); ++ unsigned int pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx); + 
int i; + + BUG_ON(atomic_read(&mcdi->state) == MCDI_STATE_QUIESCENT); + BUG_ON(outlen & 3 || outlen >= 0x100); + + for (i = 0; i < outlen; i += 4) +- efx_mcdi_readd(efx, (efx_dword_t *)(outbuf + i), pdu + 4 + i); ++ *((__le32 *)(outbuf + i)) = _efx_readd(efx, pdu + 4 + i); + } + + static int efx_mcdi_poll(struct efx_nic *efx) +@@ -135,7 +122,7 @@ static int efx_mcdi_poll(struct efx_nic + struct efx_mcdi_iface *mcdi = efx_mcdi(efx); + unsigned int time, finish; + unsigned int respseq, respcmd, error; +- unsigned int pdu = MCDI_PDU(efx); ++ unsigned int pdu = FR_CZ_MC_TREG_SMEM + MCDI_PDU(efx); + unsigned int rc, spins; + efx_dword_t reg; + +@@ -161,7 +148,8 @@ static int efx_mcdi_poll(struct efx_nic + + time = get_seconds(); + +- efx_mcdi_readd(efx, ®, pdu); ++ rmb(); ++ efx_readd(efx, ®, pdu); + + /* All 1's indicates that shared memory is in reset (and is + * not a valid header). Wait for it to come out reset before +@@ -188,7 +176,7 @@ static int efx_mcdi_poll(struct efx_nic + respseq, mcdi->seqno); + rc = EIO; + } else if (error) { +- efx_mcdi_readd(efx, ®, pdu + 4); ++ efx_readd(efx, ®, pdu + 4); + switch (EFX_DWORD_FIELD(reg, EFX_DWORD_0)) { + #define TRANSLATE_ERROR(name) \ + case MC_CMD_ERR_ ## name: \ +@@ -222,21 +210,21 @@ out: + /* Test and clear MC-rebooted flag for this port/function */ + int efx_mcdi_poll_reboot(struct efx_nic *efx) + { +- unsigned int addr = MCDI_REBOOT_FLAG(efx); ++ unsigned int addr = FR_CZ_MC_TREG_SMEM + MCDI_REBOOT_FLAG(efx); + efx_dword_t reg; + uint32_t value; + + if (efx_nic_rev(efx) < EFX_REV_SIENA_A0) + return false; + +- efx_mcdi_readd(efx, ®, addr); ++ efx_readd(efx, ®, addr); + value = EFX_DWORD_FIELD(reg, EFX_DWORD_0); + + if (value == 0) + return 0; + + EFX_ZERO_DWORD(reg); +- efx_mcdi_writed(efx, ®, addr); ++ efx_writed(efx, ®, addr); + + if (value == MC_STATUS_DWORD_ASSERT) + return -EINTR; +--- a/drivers/net/sfc/nic.c ++++ b/drivers/net/sfc/nic.c +@@ -1935,13 +1935,6 @@ void efx_nic_get_regs(struct efx_nic *ef + + 
size = min_t(size_t, table->step, 16); + +- if (table->offset >= efx->type->mem_map_size) { +- /* No longer mapped; return dummy data */ +- memcpy(buf, "\xde\xc0\xad\xde", 4); +- buf += table->rows * size; +- continue; +- } +- + for (i = 0; i < table->rows; i++) { + switch (table->step) { + case 4: /* 32-bit register or SRAM */ +--- a/drivers/net/sfc/nic.h ++++ b/drivers/net/sfc/nic.h +@@ -143,12 +143,10 @@ static inline struct falcon_board *falco + /** + * struct siena_nic_data - Siena NIC state + * @mcdi: Management-Controller-to-Driver Interface +- * @mcdi_smem: MCDI shared memory mapping. The mapping is always uncacheable. + * @wol_filter_id: Wake-on-LAN packet filter id + */ + struct siena_nic_data { + struct efx_mcdi_iface mcdi; +- void __iomem *mcdi_smem; + int wol_filter_id; + }; + +--- a/drivers/net/sfc/siena.c ++++ b/drivers/net/sfc/siena.c +@@ -220,26 +220,12 @@ static int siena_probe_nic(struct efx_ni + efx_reado(efx, ®, FR_AZ_CS_DEBUG); + efx->net_dev->dev_id = EFX_OWORD_FIELD(reg, FRF_CZ_CS_PORT_NUM) - 1; + +- /* Initialise MCDI */ +- nic_data->mcdi_smem = ioremap_nocache(efx->membase_phys + +- FR_CZ_MC_TREG_SMEM, +- FR_CZ_MC_TREG_SMEM_STEP * +- FR_CZ_MC_TREG_SMEM_ROWS); +- if (!nic_data->mcdi_smem) { +- netif_err(efx, probe, efx->net_dev, +- "could not map MCDI at %llx+%x\n", +- (unsigned long long)efx->membase_phys + +- FR_CZ_MC_TREG_SMEM, +- FR_CZ_MC_TREG_SMEM_STEP * FR_CZ_MC_TREG_SMEM_ROWS); +- rc = -ENOMEM; +- goto fail1; +- } + efx_mcdi_init(efx); + + /* Recover from a failed assertion before probing */ + rc = efx_mcdi_handle_assertion(efx); + if (rc) +- goto fail2; ++ goto fail1; + + /* Let the BMC know that the driver is now in charge of link and + * filter settings. 
We must do this before we reset the NIC */ +@@ -294,7 +280,6 @@ fail4: + fail3: + efx_mcdi_drv_attach(efx, false, NULL); + fail2: +- iounmap(nic_data->mcdi_smem); + fail1: + kfree(efx->nic_data); + return rc; +@@ -374,8 +359,6 @@ static int siena_init_nic(struct efx_nic + + static void siena_remove_nic(struct efx_nic *efx) + { +- struct siena_nic_data *nic_data = efx->nic_data; +- + efx_nic_free_buffer(efx, &efx->irq_status); + + siena_reset_hw(efx, RESET_TYPE_ALL); +@@ -385,8 +368,7 @@ static void siena_remove_nic(struct efx_ + efx_mcdi_drv_attach(efx, false, NULL); + + /* Tear down the private nic state */ +- iounmap(nic_data->mcdi_smem); +- kfree(nic_data); ++ kfree(efx->nic_data); + efx->nic_data = NULL; + } + +@@ -624,7 +606,8 @@ const struct efx_nic_type siena_a0_nic_t + .default_mac_ops = &efx_mcdi_mac_operations, + + .revision = EFX_REV_SIENA_A0, +- .mem_map_size = FR_CZ_MC_TREG_SMEM, /* MC_TREG_SMEM mapped separately */ ++ .mem_map_size = (FR_CZ_MC_TREG_SMEM + ++ FR_CZ_MC_TREG_SMEM_STEP * FR_CZ_MC_TREG_SMEM_ROWS), + .txd_ptr_tbl_base = FR_BZ_TX_DESC_PTR_TBL, + .rxd_ptr_tbl_base = FR_BZ_RX_DESC_PTR_TBL, + .buf_tbl_base = FR_BZ_BUF_FULL_TBL, +--- a/drivers/net/sfc/workarounds.h ++++ b/drivers/net/sfc/workarounds.h +@@ -38,8 +38,6 @@ + #define EFX_WORKAROUND_15783 EFX_WORKAROUND_ALWAYS + /* Legacy interrupt storm when interrupt fifo fills */ + #define EFX_WORKAROUND_17213 EFX_WORKAROUND_SIENA +-/* Write combining and sriov=enabled are incompatible */ +-#define EFX_WORKAROUND_22643 EFX_WORKAROUND_SIENA + + /* Spurious parity errors in TSORT buffers */ + #define EFX_WORKAROUND_5129 EFX_WORKAROUND_FALCON_A diff --git a/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch b/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch new file mode 100644 index 0000000000..789fb18a85 --- /dev/null +++ b/queue-3.0/scm-capture-the-full-credentials-of-the-scm-sender.patch 
@@ -0,0 +1,33 @@
+From f59d0f4f7e0a94103e95e9a305faf91ae619009b Mon Sep 17 00:00:00 2001
+From: Tim Chen <tim.c.chen@linux.intel.com>
+Date: Tue, 9 Aug 2011 06:48:32 +0000
+Subject: scm: Capture the full credentials of the scm sender
+
+
+From: Tim Chen <tim.c.chen@linux.intel.com>
+
+[ Upstream commit e33f7a9f37d486f4c6cce5de18a6eea11d68f64f ]
+
+This patch corrects an erroneous update of credential's gid with uid
+introduced in commit 257b5358b32f17 since 2.6.36.
+
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Reviewed-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/scm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -192,7 +192,7 @@ int __scm_send(struct socket *sock, stru
+ goto error;
+
+ cred->uid = cred->euid = p->creds.uid;
+- cred->gid = cred->egid = p->creds.uid;
++ cred->gid = cred->egid = p->creds.gid;
+ put_cred(p->cred);
+ p->cred = cred;
+ }
diff --git a/queue-3.0/series b/queue-3.0/series
index 9ebe3bab16..b6a7277d63 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
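Review bot: In the net/core/scm.c hunk only four id fields of the new cred are overridden (`uid`/`euid` from `p->creds.uid`, `gid`/`egid` from `p->creds.gid`), and nothing next to the assignments says whether the remaining ids are meant to keep their previous values. A receiver may base access decisions on these credentials, so I would add a one-line comment above the pair, e.g. `/* only the real and effective ids are taken from p->creds */`. Any validation of the sender-supplied `p->creds` presumably happens earlier in __scm_send(), which starts outside the hunk, so that should be confirmed against the full function.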
@@ -173,3 +173,19 @@ fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch
 mpt2sas-added-did_no_connect-return-when-driver-remove-and-avoid-shutdown-call.patch
 mpt2sas-adding-support-for-customer-specific-branding.patch
 perf-x86-add-model-45-sandybridge-support.patch
+arp-fix-rcu-lockdep-splat-in-arp_process.patch
+bridge-fix-a-possible-net_device-leak.patch
+fib-fix-bug_on-in-fib_nl_newrule-when-add-new-fib-rule.patch
+ipv4-some-rt_iif-rt_route_iif-conversions.patch
+ipv6-fix-ipv6_getsockopt-for-ipv6_2292pktoptions.patch
+mcast-fix-source-address-selection-for-multicast-listener-report.patch
+netfilter-tcp-and-raw-fix-for-ip_route_me_harder.patch
+net_sched-prio-use-qdisc_dequeue_peeked.patch
+revert-sfc-use-write-combining-to-reduce-tx-latency-and-follow-ups.patch
+scm-capture-the-full-credentials-of-the-scm-sender.patch
+tcp-fix-validation-of-d-sack.patch
+tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
+vlan-reset-headers-on-accel-emulation-path.patch
+xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
+bridge-pseudo-header-required-for-the-checksum-of-icmpv6.patch
+bridge-fix-a-possible-use-after-free.patch
diff --git a/queue-3.0/tcp-fix-validation-of-d-sack.patch b/queue-3.0/tcp-fix-validation-of-d-sack.patch
new file mode 100644
index 0000000000..2981b3db89
--- /dev/null
+++ b/queue-3.0/tcp-fix-validation-of-d-sack.patch
@@ -0,0 +1,32 @@
+From 1f78256b75d0096beb9b55e16f1d65d8f87fa148 Mon Sep 17 00:00:00 2001
+From: Zheng Yan <zheng.z.yan@intel.com>
+Date: Sun, 18 Sep 2011 22:37:34 -0400
+Subject: tcp: fix validation of D-SACK
+
+
+From: Zheng Yan <zheng.z.yan@intel.com>
+
+[ Upstream commit f779b2d60ab95c17f1e025778ed0df3ec2f05d75 ]
+
+D-SACK is allowed to reside below snd_una. But the corresponding check
+in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo.
+
+Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1115,7 +1115,7 @@ static int tcp_is_sackblock_valid(struct
+ return 0;
+
+ /* ...Then it's D-SACK, and must reside below snd_una completely */
+- if (!after(end_seq, tp->snd_una))
++ if (after(end_seq, tp->snd_una))
+ return 0;
+
+ if (!before(start_seq, tp->undo_marker))
diff --git a/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch b/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
new file mode 100644
index 0000000000..b68f810cb7
--- /dev/null
+++ b/queue-3.0/tcp-initialize-variable-ecn_ok-in-syncookies-path.patch
@@ -0,0 +1,47 @@
+From 3eeab99dbfc26b4ffd50053945d1a27d45de0aed Mon Sep 17 00:00:00 2001
+From: Mike Waychison <mikew@google.com>
+Date: Wed, 10 Aug 2011 21:59:57 -0700
+Subject: tcp: initialize variable ecn_ok in syncookies path
+
+
+From: Mike Waychison <mikew@google.com>
+
+[ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ]
+
+Using a gcc 4.4.3, warnings are emitted for a possibly uninitialized use
+of ecn_ok.
+
+This can happen if cookie_check_timestamp() returns due to not having
+seen a timestamp. Defaulting to ecn off seems like a reasonable thing
+to do in this case, so initialized ecn_ok to false.
+
+Signed-off-by: Mike Waychison <mikew@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/syncookies.c | 2 +-
+ net/ipv6/syncookies.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -276,7 +276,7 @@ struct sock *cookie_v4_check(struct sock
+ int mss;
+ struct rtable *rt;
+ __u8 rcv_wscale;
+- bool ecn_ok;
++ bool ecn_ok = false;
+
+ if (!sysctl_tcp_syncookies || !th->ack || th->rst)
+ goto out;
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -165,7 +165,7 @@ struct sock *cookie_v6_check(struct sock
+ int mss;
+ struct dst_entry *dst;
+ __u8 rcv_wscale;
+- bool ecn_ok;
++ bool ecn_ok = false;
+
+ if (!sysctl_tcp_syncookies || !th->ack || th->rst)
+ goto out;
diff --git a/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch b/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch
new file mode 100644
index 0000000000..8b13c313dc
--- /dev/null
+++ b/queue-3.0/vlan-reset-headers-on-accel-emulation-path.patch
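Review bot: Initialising `ecn_ok` at its declaration in cookie_v4_check() covers this caller only and leaves the contract of cookie_check_timestamp() implicit. According to the commit message that helper can return without having set the value, so every other caller has to remember the same default. Setting it on the early-return path inside cookie_check_timestamp() (not visible in these hunks) would cover all callers. Failing that, the declaration should say why the default matters, e.g. `bool ecn_ok = false; /* stays false when no timestamp option was seen */`. The same point applies to the cookie_v6_check() hunk in net/ipv6/syncookies.c, and both function bodies continue outside the hunks.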
@@ -0,0 +1,37 @@
+From 15a3e2fbaf34f4fe5a78c92dced1b108dd9ec999 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jpirko@redhat.com>
+Date: Thu, 18 Aug 2011 21:29:27 -0700
+Subject: vlan: reset headers on accel emulation path
+
+
+From: Jiri Pirko <jpirko@redhat.com>
+
+[ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ]
+
+It's after all necessary to do reset headers here. The reason is we
+cannot depend that it gets reseted in __netif_receive_skb once skb is
+reinjected. For incoming vlanids without vlan_dev, vlan_do_receive()
+returns false with skb != NULL and __netif_reveive_skb continues, skb is
+not reinjected.
+
+This might be good material for 3.0-stable as well
+
+Reported-by: Mike Auty <mike.auty@gmail.com>
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/8021q/vlan_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -171,6 +171,8 @@ struct sk_buff *vlan_untag(struct sk_buf
+ if (unlikely(!skb))
+ goto err_free;
+
++ skb_reset_network_header(skb);
++ skb_reset_transport_header(skb);
+ return skb;
+
+ err_free:
diff --git a/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch b/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
new file mode 100644
index 0000000000..64423efa22
--- /dev/null
+++ b/queue-3.0/xfrm-perform-a-replay-check-after-return-from-async-codepaths.patch
@@ -0,0 +1,43 @@
+From 2d96fcc1bff9f13589045bbe1951780c5bf8d179 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 20 Sep 2011 23:38:58 +0000
+Subject: xfrm: Perform a replay check after return from async codepaths
+
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ]
+
+When asyncronous crypto algorithms are used, there might be many
+packets that passed the xfrm replay check, but the replay advance
+function is not called yet for these packets. So the replay check
+function would accept a replay of all of these packets. Also the
+system might crash if there are more packets in async processing
+than the size of the anti replay window, because the replay advance
+function would try to update the replay window beyond the bounds.
+
+This pach adds a second replay check after resuming from the async
+processing to fix these issues.
+
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/xfrm/xfrm_input.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -212,6 +212,11 @@ resume:
+ /* only the first xfrm gets the encap type */
+ encap_type = 0;
+
++ if (async && x->repl->check(x, skb, seq)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
++ goto drop_unlock;
++ }
++
+ x->repl->advance(x, seq);
+
+ x->curlft.bytes += skb->len; |
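Review bot: The second replay check added before `x->repl->advance(x, seq)` in the net/xfrm/xfrm_input.c hunk has no comment, so a later reader may take `if (async && x->repl->check(x, skb, seq))` for a redundant repeat of the earlier check and remove it. I would put the reasoning from the commit message next to the code, e.g. `/* async resume: other packets may have advanced the replay window since the first check */`. The check also appears to rely on the state lock still being held at this point, as the `drop_unlock` label suggests. That locking and the rest of xfrm_input() lie outside the hunk, so it should be confirmed against the full function.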