Cherry-pick various urgent fixes from 3.11 stable queue

svn path=/dists/sid/linux/; revision=20767

debian/changelog

@@ -7,6 +7,22 @@ linux (3.11.6-2) UNRELEASED; urgency=low
     (fixes FTBFS)
   * [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI
   * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
+  * net: do not call sock_put() on TIMEWAIT sockets
+  * l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+  * net: heap overflow in __audit_sockaddr()
+  * proc connector: fix info leaks
+  * bridge: update mdb expiration timer upon reports.
+  * Revert "bridge: only expire the mdb entry when query is received"
+  * unix_diag: fix info leak
+  * be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
+  * net: fix cipso packet validation when !NETLABEL
+  * inet: fix possible memory corruption with UDP_CORK and UFO
+  * [arm] 7851/1: check for number of arguments in syscall_get/set_arguments()
+  * ext[34]: fix double put in tmpfile
+  * dm snapshot: fix data corruption (CVE-2013-4299)
+  * i2c: ismt: initialize DMA buffer
+  * mm: fix BUG in __split_huge_page_pmd
+  * writeback: fix negative bdi max pause
 
   [ Aurelien Jarno ]
   * UAPI: include <asm/byteorder.h> in linux/raid/md_p.h.

debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch

@@ -0,0 +1,40 @@
+From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001
+From: Vasundhara Volam <vasundhara.volam@emulex.com>
+Date: Thu, 17 Oct 2013 11:47:14 +0530
+Subject: be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
+
+From: Vasundhara Volam <vasundhara.volam@emulex.com>
+
+[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ]
+
+It is a required field for all TX_CREATE cmd versions > 0.
+This fixes a driver initialization failure, caused by recent SH-R Firmwares
+(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is
+not passed.
+
+Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter
+ 
+ 	if (lancer_chip(adapter)) {
+ 		req->hdr.version = 1;
+-		req->if_id = cpu_to_le16(adapter->if_handle);
+ 	} else if (BEx_chip(adapter)) {
+ 		if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC)
+ 			req->hdr.version = 2;
+@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter
+ 		req->hdr.version = 2;
+ 	}
+ 
++	if (req->hdr.version > 0)
++		req->if_id = cpu_to_le16(adapter->if_handle);
+ 	req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size);
+ 	req->ulp_num = BE_ULP1_NUM;
+ 	req->type = BE_ETH_TX_RING_TYPE_STANDARD;

debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch

@@ -0,0 +1,63 @@
+From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Thu, 10 Oct 2013 15:57:59 -0400
+Subject: bridge: update mdb expiration timer upon reports.
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ]
+
+commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b
+	bridge: only expire the mdb entry when query is received
+changed the mdb expiration timer to be armed only when QUERY is
+received.  Howerver, this causes issues in an environment where
+the multicast server socket comes and goes very fast while a client
+is trying to send traffic to it.
+
+The root cause is a race where a sequence of LEAVE followed by REPORT
+messages can race against QUERY messages generated in response to LEAVE.
+The QUERY ends up starting the expiration timer, and that timer can
+potentially expire after the new REPORT message has been received signaling
+the new join operation.  This leads to a significant drop in multicast
+traffic and possible complete stall.
+
+The solution is to have REPORT messages update the expiration timer
+on entries that already exist.
+
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+CC: Cong Wang <xiyou.wangcong@gmail.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: Stephen Hemminger <stephen@networkplumber.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -610,6 +610,9 @@ rehash:
+ 		break;
+ 
+ 	default:
++		/* If we have an existing entry, update it's expire timer */
++		mod_timer(&mp->timer,
++			  jiffies + br->multicast_membership_interval);
+ 		goto out;
+ 	}
+ 
+@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct
+ 	for (pp = &mp->ports;
+ 	     (p = mlock_dereference(*pp, br)) != NULL;
+ 	     pp = &p->next) {
+-		if (p->port == port)
++		if (p->port == port) {
++			/* We already have a portgroup, update the timer.  */
++			mod_timer(&p->timer,
++				  jiffies + br->multicast_membership_interval);
+ 			goto out;
++		}
+ 		if ((unsigned long)p->port < (unsigned long)port)
+ 			break;
+ 	}

debian/patches/bugfix/all/dm-snapshot-fix-data-corruption.patch

@@ -0,0 +1,88 @@
+From e9c6a182649f4259db704ae15a91ac820e63b0ca Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 16 Oct 2013 03:17:47 +0100
+Subject: dm snapshot: fix data corruption
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream.
+
+This patch fixes a particular type of data corruption that has been
+encountered when loading a snapshot's metadata from disk.
+
+When we allocate a new chunk in persistent_prepare, we increment
+ps->next_free and we make sure that it doesn't point to a metadata area
+by further incrementing it if necessary.
+
+When we load metadata from disk on device activation, ps->next_free is
+positioned after the last used data chunk. However, if this last used
+data chunk is followed by a metadata area, ps->next_free is positioned
+erroneously to the metadata area. A newly-allocated chunk is placed at
+the same location as the metadata area, resulting in data or metadata
+corruption.
+
+This patch changes the code so that ps->next_free skips the metadata
+area when metadata are loaded in function read_exceptions.
+
+The patch also moves a piece of code from persistent_prepare_exception
+to a separate function skip_metadata to avoid code duplication.
+
+CVE-2013-4299
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-snap-persistent.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -269,6 +269,14 @@ static chunk_t area_location(struct psto
+ 	return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
+ }
+ 
++static void skip_metadata(struct pstore *ps)
++{
++	uint32_t stride = ps->exceptions_per_area + 1;
++	chunk_t next_free = ps->next_free;
++	if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
++		ps->next_free++;
++}
++
+ /*
+  * Read or write a metadata area.  Remembering to skip the first
+  * chunk which holds the header.
+@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore
+ 
+ 	ps->current_area--;
+ 
++	skip_metadata(ps);
++
+ 	return 0;
+ }
+ 
+@@ -616,8 +626,6 @@ static int persistent_prepare_exception(
+ 					struct dm_exception *e)
+ {
+ 	struct pstore *ps = get_info(store);
+-	uint32_t stride;
+-	chunk_t next_free;
+ 	sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
+ 
+ 	/* Is there enough room ? */
+@@ -630,10 +638,8 @@ static int persistent_prepare_exception(
+ 	 * Move onto the next free pending, making sure to take
+ 	 * into account the location of the metadata chunks.
+ 	 */
+-	stride = (ps->exceptions_per_area + 1);
+-	next_free = ++ps->next_free;
+-	if (sector_div(next_free, stride) == 1)
+-		ps->next_free++;
++	ps->next_free++;
++	skip_metadata(ps);
+ 
+ 	atomic_inc(&ps->pending_count);
+ 	return 0;

debian/patches/bugfix/all/ext-fix-double-put-in-tmpfile.patch

@@ -0,0 +1,66 @@
+From 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu, 10 Oct 2013 16:48:19 +0200
+Subject: ext[34]: fix double put in tmpfile
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 upstream.
+
+d_tmpfile() already swallowed the inode ref.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext3/namei.c |    5 ++---
+ fs/ext4/namei.c |    5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -1783,7 +1783,7 @@ retry:
+ 		d_tmpfile(dentry, inode);
+ 		err = ext3_orphan_add(handle, inode);
+ 		if (err)
+-			goto err_drop_inode;
++			goto err_unlock_inode;
+ 		mark_inode_dirty(inode);
+ 		unlock_new_inode(inode);
+ 	}
+@@ -1791,10 +1791,9 @@ retry:
+ 	if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries))
+ 		goto retry;
+ 	return err;
+-err_drop_inode:
++err_unlock_inode:
+ 	ext3_journal_stop(handle);
+ 	unlock_new_inode(inode);
+-	iput(inode);
+ 	return err;
+ }
+ 
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2319,7 +2319,7 @@ retry:
+ 		d_tmpfile(dentry, inode);
+ 		err = ext4_orphan_add(handle, inode);
+ 		if (err)
+-			goto err_drop_inode;
++			goto err_unlock_inode;
+ 		mark_inode_dirty(inode);
+ 		unlock_new_inode(inode);
+ 	}
+@@ -2328,10 +2328,9 @@ retry:
+ 	if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries))
+ 		goto retry;
+ 	return err;
+-err_drop_inode:
++err_unlock_inode:
+ 	ext4_journal_stop(handle);
+ 	unlock_new_inode(inode);
+-	iput(inode);
+ 	return err;
+ }
+ 

debian/patches/bugfix/all/i2c-ismt-initialize-dma-buffer.patch

@@ -0,0 +1,34 @@
+From bf4169100c909667ede6af67668b3ecce6928343 Mon Sep 17 00:00:00 2001
+From: James Ralston <james.d.ralston@intel.com>
+Date: Tue, 24 Sep 2013 16:47:55 -0700
+Subject: i2c: ismt: initialize DMA buffer
+
+From: James Ralston <james.d.ralston@intel.com>
+
+commit bf4169100c909667ede6af67668b3ecce6928343 upstream.
+
+This patch adds code to initialize the DMA buffer to compensate for
+possible hardware data corruption.
+
+Signed-off-by: James Ralston <james.d.ralston@intel.com>
+[wsa: changed to use 'sizeof']
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -393,6 +393,9 @@ static int ismt_access(struct i2c_adapte
+ 
+ 	desc = &priv->hw[priv->head];
+ 
++	/* Initialize the DMA buffer */
++	memset(priv->dma_buffer, 0, sizeof(priv->dma_buffer));
++
+ 	/* Initialize the descriptor */
+ 	memset(desc, 0, sizeof(struct ismt_desc));
+ 	desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, read_write);

debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch

@@ -0,0 +1,76 @@
+From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 22 Oct 2013 00:07:47 +0200
+Subject: inet: fix possible memory corruption with UDP_CORK and UFO
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ This is a simplified -stable version of a set of upstream commits. ]
+
+This is a replacement patch only for stable which does fix the problems
+handled by the following two commits in -net:
+
+"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
+"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
+
+Three frames are written on a corked udp socket for which the output
+netdevice has UFO enabled.  If the first and third frame are smaller than
+the mtu and the second one is bigger, we enqueue the second frame with
+skb_append_datato_frags without initializing the gso fields. This leads
+to the third frame appended regulary and thus constructing an invalid skb.
+
+This fixes the problem by always using skb_append_datato_frags as soon
+as the first frag got enqueued to the skb without marking the packet
+as SKB_GSO_UDP.
+
+The problem with only two frames for ipv6 was fixed by "ipv6: udp
+packets following an UFO enqueued packet need also be handled by UFO"
+(2811ebac2521ceac84f2bdae402455baa6a7fb47).
+
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    5 +++++
+ net/ipv4/ip_output.c   |    2 +-
+ net/ipv6/ip6_output.c  |    2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const stru
+ 	return len + skb_headlen(skb);
+ }
+ 
++static inline bool skb_has_frags(const struct sk_buff *skb)
++{
++	return skb_shinfo(skb)->nr_frags;
++}
++
+ /**
+  * __skb_fill_page_desc - initialise a paged fragment in an skb
+  * @skb: buffer containing fragment to be initialised
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock
+ 		csummode = CHECKSUM_PARTIAL;
+ 
+ 	cork->length += length;
+-	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++	if (((length > mtu) || (skb && skb_has_frags(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int
+ 	skb = skb_peek_tail(&sk->sk_write_queue);
+ 	cork->length += length;
+ 	if (((length > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
++	     (skb && skb_has_frags(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO)) {
+ 		err = ip6_ufo_append_data(sk, getfrag, from, length,

debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch

@@ -0,0 +1,141 @@
+From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001
+From: François CACHEREUL <f.cachereul@alphalink.fr>
+Date: Wed, 2 Oct 2013 10:16:02 +0200
+Subject: l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+
+From: François CACHEREUL <f.cachereul@alphalink.fr>
+
+[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ]
+
+IPv4 mapped addresses cause kernel panic.
+The patch juste check whether the IPv6 address is an IPv4 mapped
+address. If so, use IPv4 API instead of IPv6.
+
+[  940.026915] general protection fault: 0000 [#1]
+[  940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
+[  940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
+[  940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+[  940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
+[  940.026915] RIP: 0010:[<ffffffff81333780>]  [<ffffffff81333780>] ip6_xmit+0x276/0x326
+[  940.026915] RSP: 0018:ffff88000737fd28  EFLAGS: 00010286
+[  940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
+[  940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
+[  940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
+[  940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
+[  940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
+[  940.026915] FS:  00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
+[  940.026915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
+[  940.026915] Stack:
+[  940.026915]  ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
+[  940.026915]  11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
+[  940.026915]  ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
+[  940.026915] Call Trace:
+[  940.026915]  [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
+[  940.026915]  [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
+[  940.026915]  [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
+[  940.026915]  [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
+[  940.026915]  [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
+[  940.026915]  [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
+[  940.026915]  [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
+[  940.026915]  [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
+[  940.026915]  [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
+[  940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
+8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
+00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
+[  940.026915] RIP  [<ffffffff81333780>] ip6_xmit+0x276/0x326
+[  940.026915]  RSP <ffff88000737fd28>
+[  940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
+[  940.058583] Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c |   27 +++++++++++++++++++++++----
+ net/l2tp/l2tp_core.h |    3 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -496,6 +496,7 @@ out:
+ static inline int l2tp_verify_udp_checksum(struct sock *sk,
+ 					   struct sk_buff *skb)
+ {
++	struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
+ 	struct udphdr *uh = udp_hdr(skb);
+ 	u16 ulen = ntohs(uh->len);
+ 	__wsum psum;
+@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checks
+ 		return 0;
+ 
+ #if IS_ENABLED(CONFIG_IPV6)
+-	if (sk->sk_family == PF_INET6) {
++	if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
+ 		if (!uh->check) {
+ 			LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
+ 			return 1;
+@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_se
+ 	/* Queue the packet to IP for output */
+ 	skb->local_df = 1;
+ #if IS_ENABLED(CONFIG_IPV6)
+-	if (skb->sk->sk_family == PF_INET6)
++	if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ 		error = inet6_csk_xmit(skb, NULL);
+ 	else
+ #endif
+@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
+ 
+ 		/* Calculate UDP checksum if configured to do so */
+ #if IS_ENABLED(CONFIG_IPV6)
+-		if (sk->sk_family == PF_INET6)
++		if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ 			l2tp_xmit_ipv6_csum(sk, skb, udp_len);
+ 		else
+ #endif
+@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net,
+ 	if (cfg != NULL)
+ 		tunnel->debug = cfg->debug;
+ 
++#if IS_ENABLED(CONFIG_IPV6)
++	if (sk->sk_family == PF_INET6) {
++		struct ipv6_pinfo *np = inet6_sk(sk);
++
++		if (ipv6_addr_v4mapped(&np->saddr) &&
++		    ipv6_addr_v4mapped(&np->daddr)) {
++			struct inet_sock *inet = inet_sk(sk);
++
++			tunnel->v4mapped = true;
++			inet->inet_saddr = np->saddr.s6_addr32[3];
++			inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
++			inet->inet_daddr = np->daddr.s6_addr32[3];
++		} else {
++			tunnel->v4mapped = false;
++		}
++	}
++#endif
++
+ 	/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+ 	tunnel->encap = encap;
+ 	if (encap == L2TP_ENCAPTYPE_UDP) {
+@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net,
+ 		udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+ 		udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
+ #if IS_ENABLED(CONFIG_IPV6)
+-		if (sk->sk_family == PF_INET6)
++		if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ 			udpv6_encap_enable();
+ 		else
+ #endif
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -194,6 +194,9 @@ struct l2tp_tunnel {
+ 	struct sock		*sock;		/* Parent socket */
+ 	int			fd;		/* Parent fd, if tunnel socket
+ 						 * was created by userspace */
++#if IS_ENABLED(CONFIG_IPV6)
++	bool			v4mapped;
++#endif
+ 
+ 	struct work_struct	del_work;
+ 

debian/patches/bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch

@@ -0,0 +1,57 @@
+From 750e8165f5e87b6a142be953640eabb13a9d350a Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Wed, 16 Oct 2013 13:47:08 -0700
+Subject: mm: fix BUG in __split_huge_page_pmd
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 750e8165f5e87b6a142be953640eabb13a9d350a upstream.
+
+Occasionally we hit the BUG_ON(pmd_trans_huge(*pmd)) at the end of
+__split_huge_page_pmd(): seen when doing madvise(,,MADV_DONTNEED).
+
+It's invalid: we don't always have down_write of mmap_sem there: a racing
+do_huge_pmd_wp_page() might have copied-on-write to another huge page
+before our split_huge_page() got the anon_vma lock.
+
+Forget the BUG_ON, just go back and try again if this happens.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/huge_memory.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2709,6 +2709,7 @@ void __split_huge_page_pmd(struct vm_are
+ 
+ 	mmun_start = haddr;
+ 	mmun_end   = haddr + HPAGE_PMD_SIZE;
++again:
+ 	mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
+ 	spin_lock(&mm->page_table_lock);
+ 	if (unlikely(!pmd_trans_huge(*pmd))) {
+@@ -2731,7 +2732,14 @@ void __split_huge_page_pmd(struct vm_are
+ 	split_huge_page(page);
+ 
+ 	put_page(page);
+-	BUG_ON(pmd_trans_huge(*pmd));
++
++	/*
++	 * We don't always have down_write of mmap_sem here: a racing
++	 * do_huge_pmd_wp_page() might have copied-on-write to another
++	 * huge page before our split_huge_page() got the anon_vma lock.
++	 */
++	if (unlikely(pmd_trans_huge(*pmd)))
++		goto again;
+ }
+ 
+ void split_huge_page_pmd_mm(struct mm_struct *mm, unsigned long address,

debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch

@@ -0,0 +1,44 @@
+From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 1 Oct 2013 21:04:11 -0700
+Subject: net: do not call sock_put() on TIMEWAIT sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ]
+
+commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+We should instead use inet_twsk_put()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_hashtables.c  |    2 +-
+ net/ipv6/inet6_hashtables.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -287,7 +287,7 @@ begintw:
+ 			if (unlikely(!INET_TW_MATCH(sk, net, acookie,
+ 						    saddr, daddr, ports,
+ 						    dif))) {
+-				sock_put(sk);
++				inet_twsk_put(inet_twsk(sk));
+ 				goto begintw;
+ 			}
+ 			goto out;
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -116,7 +116,7 @@ begintw:
+ 			}
+ 			if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr,
+ 						     ports, dif))) {
+-				sock_put(sk);
++				inet_twsk_put(inet_twsk(sk));
+ 				goto begintw;
+ 			}
+ 			goto out;

debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch

@@ -0,0 +1,54 @@
+From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001
+From: Seif Mazareeb <seif@marvell.com>
+Date: Thu, 17 Oct 2013 20:33:21 -0700
+Subject: net: fix cipso packet validation when !NETLABEL
+
+From: Seif Mazareeb <seif@marvell.com>
+
+[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ]
+
+When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
+forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel
+crash in an SMP system, since the CPU executing this function will
+stall /not respond to IPIs.
+
+This problem can be reproduced by running the IP Stack Integrity Checker
+(http://isic.sourceforge.net) using the following command on a Linux machine
+connected to DUT:
+
+"icmpsic -s rand -d <DUT IP address> -r 123456"
+wait (1-2 min)
+
+Signed-off-by: Seif Mazareeb <seif@marvell.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cipso_ipv4.h |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/net/cipso_ipv4.h
++++ b/include/net/cipso_ipv4.h
+@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons
+ 	unsigned char err_offset = 0;
+ 	u8 opt_len = opt[1];
+ 	u8 opt_iter;
++	u8 tag_len;
+ 
+ 	if (opt_len < 8) {
+ 		err_offset = 1;
+@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons
+ 	}
+ 
+ 	for (opt_iter = 6; opt_iter < opt_len;) {
+-		if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
++		tag_len = opt[opt_iter + 1];
++		if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
+ 			err_offset = opt_iter + 1;
+ 			goto out;
+ 		}
+-		opt_iter += opt[opt_iter + 1];
++		opt_iter += tag_len;
+ 	}
+ 
+ out:

debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch

@@ -0,0 +1,86 @@
+From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 3 Oct 2013 00:27:20 +0300
+Subject: net: heap overflow in __audit_sockaddr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]
+
+We need to cap ->msg_namelen or it leads to a buffer overflow when we
+to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
+exploit this bug.
+
+The call tree is:
+___sys_recvmsg()
+  move_addr_to_user()
+    audit_sockaddr()
+      __audit_sockaddr()
+
+Reported-by: Jüri Aedla <juri.aedla@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/compat.c |    2 ++
+ net/socket.c |   24 ++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms
+ 	    __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ 	    __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ 		return -EFAULT;
++	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++		return -EINVAL;
+ 	kmsg->msg_name = compat_ptr(tmp1);
+ 	kmsg->msg_iov = compat_ptr(tmp2);
+ 	kmsg->msg_control = compat_ptr(tmp3);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1973,6 +1973,16 @@ struct used_address {
+ 	unsigned int name_len;
+ };
+ 
++static int copy_msghdr_from_user(struct msghdr *kmsg,
++				 struct msghdr __user *umsg)
++{
++	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
++		return -EFAULT;
++	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++		return -EINVAL;
++	return 0;
++}
++
+ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ 			 struct msghdr *msg_sys, unsigned int flags,
+ 			 struct used_address *used_address)
+@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket
+ 	if (MSG_CMSG_COMPAT & flags) {
+ 		if (get_compat_msghdr(msg_sys, msg_compat))
+ 			return -EFAULT;
+-	} else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+-		return -EFAULT;
++	} else {
++		err = copy_msghdr_from_user(msg_sys, msg);
++		if (err)
++			return err;
++	}
+ 
+ 	if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+ 		err = -EMSGSIZE;
+@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket
+ 	if (MSG_CMSG_COMPAT & flags) {
+ 		if (get_compat_msghdr(msg_sys, msg_compat))
+ 			return -EFAULT;
+-	} else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+-		return -EFAULT;
++	} else {
++		err = copy_msghdr_from_user(msg_sys, msg);
++		if (err)
++			return err;
++	}
+ 
+ 	if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+ 		err = -EMSGSIZE;

debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch

@@ -0,0 +1,167 @@
+From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:03:06 +0200
+Subject: proc connector: fix info leaks
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ]
+
+Initialize event_data for all possible message types to prevent leaking
+kernel stack contents to userland (up to 20 bytes). Also set the flags
+member of the connector message to 0 to prevent leaking two more stack
+bytes this way.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/connector/cn_proc.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_str
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_str
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	/*  If cn_netlink_send() failed, the data is not sent */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_str
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_str
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struc
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	ev->what = which_id;
+ 	ev->event_data.id.process_pid = task->pid;
+ 	ev->event_data.id.process_tgid = task->tgid;
+@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struc
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_stru
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_stru
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_s
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_s
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_str
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_str
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_str
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_str
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 
+@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcv
+ 
+ 	msg = (struct cn_msg *)buffer;
+ 	ev = (struct proc_event *)msg->data;
++	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	msg->seq = rcvd_seq;
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ 	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcv
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = rcvd_ack + 1;
+ 	msg->len = sizeof(*ev);
++	msg->flags = 0; /* not used */
+ 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+ 

debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch

@@ -0,0 +1,207 @@
+From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001
+From: Linus Lüssing <linus.luessing@web.de>
+Date: Sun, 20 Oct 2013 00:58:57 +0200
+Subject: Revert "bridge: only expire the mdb entry when query is received"
+
+From: Linus Lüssing <linus.luessing@web.de>
+
+[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ]
+
+While this commit was a good attempt to fix issues occuring when no
+multicast querier is present, this commit still has two more issues:
+
+1) There are cases where mdb entries do not expire even if there is a
+querier present. The bridge will unnecessarily continue flooding
+multicast packets on the according ports.
+
+2) Never removing an mdb entry could be exploited for a Denial of
+Service by an attacker on the local link, slowly, but steadily eating up
+all memory.
+
+Actually, this commit became obsolete with
+"bridge: disable snooping if there is no querier" (b00589af3b)
+which included fixes for a few more cases.
+
+Therefore reverting the following commits (the commit stated in the
+commit message plus three of its follow up fixes):
+
+====================
+Revert "bridge: update mdb expiration timer upon reports."
+This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc.
+Revert "bridge: do not call setup_timer() multiple times"
+This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1.
+Revert "bridge: fix some kernel warning in multicast timer"
+This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1.
+Revert "bridge: only expire the mdb entry when query is received"
+This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b.
+====================
+
+CC: Cong Wang <amwang@redhat.com>
+Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_mdb.c       |    2 -
+ net/bridge/br_multicast.c |   47 ++++++++++++++++++++++++++--------------------
+ net/bridge/br_private.h   |    1 
+ 3 files changed, 28 insertions(+), 22 deletions(-)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridg
+ 		call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ 		err = 0;
+ 
+-		if (!mp->ports && !mp->mglist && mp->timer_armed &&
++		if (!mp->ports && !mp->mglist &&
+ 		    netif_running(br->dev))
+ 			mod_timer(&mp->timer, jiffies);
+ 		break;
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct n
+ 		del_timer(&p->timer);
+ 		call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ 
+-		if (!mp->ports && !mp->mglist && mp->timer_armed &&
++		if (!mp->ports && !mp->mglist &&
+ 		    netif_running(br->dev))
+ 			mod_timer(&mp->timer, jiffies);
+ 
+@@ -610,9 +610,6 @@ rehash:
+ 		break;
+ 
+ 	default:
+-		/* If we have an existing entry, update it's expire timer */
+-		mod_timer(&mp->timer,
+-			  jiffies + br->multicast_membership_interval);
+ 		goto out;
+ 	}
+ 
+@@ -622,7 +619,6 @@ rehash:
+ 
+ 	mp->br = br;
+ 	mp->addr = *group;
+-
+ 	setup_timer(&mp->timer, br_multicast_group_expired,
+ 		    (unsigned long)mp);
+ 
+@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct
+ 	struct net_bridge_mdb_entry *mp;
+ 	struct net_bridge_port_group *p;
+ 	struct net_bridge_port_group __rcu **pp;
++	unsigned long now = jiffies;
+ 	int err;
+ 
+ 	spin_lock(&br->multicast_lock);
+@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct
+ 
+ 	if (!port) {
+ 		mp->mglist = true;
++		mod_timer(&mp->timer, now + br->multicast_membership_interval);
+ 		goto out;
+ 	}
+ 
+ 	for (pp = &mp->ports;
+ 	     (p = mlock_dereference(*pp, br)) != NULL;
+ 	     pp = &p->next) {
+-		if (p->port == port) {
+-			/* We already have a portgroup, update the timer.  */
+-			mod_timer(&p->timer,
+-				  jiffies + br->multicast_membership_interval);
+-			goto out;
+-		}
++		if (p->port == port)
++			goto found;
+ 		if ((unsigned long)p->port < (unsigned long)port)
+ 			break;
+ 	}
+@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct
+ 	rcu_assign_pointer(*pp, p);
+ 	br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
+ 
++found:
++	mod_timer(&p->timer, now + br->multicast_membership_interval);
+ out:
+ 	err = 0;
+ 
+@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct
+ 	if (!mp)
+ 		goto out;
+ 
+-	mod_timer(&mp->timer, now + br->multicast_membership_interval);
+-	mp->timer_armed = true;
+-
+ 	max_delay *= br->multicast_last_member_count;
+ 
+ 	if (mp->mglist &&
+@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct
+ 	if (!mp)
+ 		goto out;
+ 
+-	mod_timer(&mp->timer, now + br->multicast_membership_interval);
+-	mp->timer_armed = true;
+-
+ 	max_delay *= br->multicast_last_member_count;
+ 	if (mp->mglist &&
+ 	    (timer_pending(&mp->timer) ?
+@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(str
+ 			call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ 			br_mdb_notify(br->dev, port, group, RTM_DELMDB);
+ 
+-			if (!mp->ports && !mp->mglist && mp->timer_armed &&
++			if (!mp->ports && !mp->mglist &&
+ 			    netif_running(br->dev))
+ 				mod_timer(&mp->timer, jiffies);
+ 		}
+@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(str
+ 		     br->multicast_last_member_interval;
+ 
+ 	if (!port) {
+-		if (mp->mglist && mp->timer_armed &&
++		if (mp->mglist &&
+ 		    (timer_pending(&mp->timer) ?
+ 		     time_after(mp->timer.expires, time) :
+ 		     try_to_del_timer_sync(&mp->timer) >= 0)) {
+ 			mod_timer(&mp->timer, time);
+ 		}
++
++		goto out;
++	}
++
++	for (p = mlock_dereference(mp->ports, br);
++	     p != NULL;
++	     p = mlock_dereference(p->next, br)) {
++		if (p->port != port)
++			continue;
++
++		if (!hlist_unhashed(&p->mglist) &&
++		    (timer_pending(&p->timer) ?
++		     time_after(p->timer.expires, time) :
++		     try_to_del_timer_sync(&p->timer) >= 0)) {
++			mod_timer(&p->timer, time);
++		}
++
++		break;
+ 	}
+ out:
+ 	spin_unlock(&br->multicast_lock);
+@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge
+ 		hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
+ 					  hlist[ver]) {
+ 			del_timer(&mp->timer);
+-			mp->timer_armed = false;
+ 			call_rcu_bh(&mp->rcu, br_multicast_free_group);
+ 		}
+ 	}
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry
+ 	struct timer_list		timer;
+ 	struct br_ip			addr;
+ 	bool				mglist;
+-	bool				timer_armed;
+ };
+ 
+ struct net_bridge_mdb_htable

debian/patches/bugfix/all/unix_diag-fix-info-leak.patch

@@ -0,0 +1,30 @@
+From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:05:40 +0200
+Subject: unix_diag: fix info leak
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ]
+
+When filling the netlink message we miss to wipe the pad field,
+therefore leak one byte of heap memory to userland. Fix this by
+setting pad to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/diag.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk,
+ 	rep->udiag_family = AF_UNIX;
+ 	rep->udiag_type = sk->sk_type;
+ 	rep->udiag_state = sk->sk_state;
++	rep->pad = 0;
+ 	rep->udiag_ino = sk_ino;
+ 	sock_diag_save_cookie(sk, rep->udiag_cookie);
+ 

debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch

@@ -0,0 +1,93 @@
+From e3b6c655b91e01a1dade056cfa358581b47a5351 Mon Sep 17 00:00:00 2001
+From: Fengguang Wu <fengguang.wu@intel.com>
+Date: Wed, 16 Oct 2013 13:47:03 -0700
+Subject: writeback: fix negative bdi max pause
+
+From: Fengguang Wu <fengguang.wu@intel.com>
+
+commit e3b6c655b91e01a1dade056cfa358581b47a5351 upstream.
+
+Toralf runs trinity on UML/i386.  After some time it hangs and the last
+message line is
+
+	BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child0:1521]
+
+It's found that pages_dirtied becomes very large.  More than 1000000000
+pages in this case:
+
+	period = HZ * pages_dirtied / task_ratelimit;
+	BUG_ON(pages_dirtied > 2000000000);
+	BUG_ON(pages_dirtied > 1000000000);      <---------
+
+UML debug printf shows that we got negative pause here:
+
+	ick: pause : -984
+	ick: pages_dirtied : 0
+	ick: task_ratelimit: 0
+
+	 pause:
+	+       if (pause < 0)  {
+	+               extern int printf(char *, ...);
+	+               printf("ick : pause : %li\n", pause);
+	+               printf("ick: pages_dirtied : %lu\n", pages_dirtied);
+	+               printf("ick: task_ratelimit: %lu\n", task_ratelimit);
+	+               BUG_ON(1);
+	+       }
+	        trace_balance_dirty_pages(bdi,
+
+Since pause is bounded by [min_pause, max_pause] where min_pause is also
+bounded by max_pause.  It's suspected and demonstrated that the
+max_pause calculation goes wrong:
+
+	ick: pause : -717
+	ick: min_pause : -177
+	ick: max_pause : -717
+	ick: pages_dirtied : 14
+	ick: task_ratelimit: 0
+
+The problem lies in the two "long = unsigned long" assignments in
+bdi_max_pause() which might go negative if the highest bit is 1, and the
+min_t(long, ...) check failed to protect it falling under 0.  Fix all of
+them by using "unsigned long" throughout the function.
+
+Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Tested-by: Toralf Förster <toralf.foerster@gmx.de>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page-writeback.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -1104,11 +1104,11 @@ static unsigned long dirty_poll_interval
+ 	return 1;
+ }
+ 
+-static long bdi_max_pause(struct backing_dev_info *bdi,
+-			  unsigned long bdi_dirty)
++static unsigned long bdi_max_pause(struct backing_dev_info *bdi,
++				   unsigned long bdi_dirty)
+ {
+-	long bw = bdi->avg_write_bandwidth;
+-	long t;
++	unsigned long bw = bdi->avg_write_bandwidth;
++	unsigned long t;
+ 
+ 	/*
+ 	 * Limit pause time for small memory systems. If sleeping for too long
+@@ -1120,7 +1120,7 @@ static long bdi_max_pause(struct backing
+ 	t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8));
+ 	t++;
+ 
+-	return min_t(long, t, MAX_PAUSE);
++	return min_t(unsigned long, t, MAX_PAUSE);
+ }
+ 
+ static long bdi_min_pause(struct backing_dev_info *bdi,

debian/patches/series

@@ -81,3 +81,19 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
 bugfix/all/CVE-2013-4348.patch
+bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
+bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
+bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
+bugfix/all/proc-connector-fix-info-leaks.patch
+bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
+bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
+bugfix/all/unix_diag-fix-info-leak.patch
+bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
+bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
+bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
+bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
+bugfix/all/ext-fix-double-put-in-tmpfile.patch
+bugfix/all/dm-snapshot-fix-data-corruption.patch
+bugfix/all/i2c-ismt-initialize-dma-buffer.patch
+bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
+bugfix/all/writeback-fix-negative-bdi-max-pause.patch