| author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-11-22 18:42:33 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-11-22 18:42:33 +0000 |
| commit | 94fe6db1dc802d21eb7dd4ddcb1092943e962bb2 (patch) | |
| tree | 99b4588941ae4cc093cb4ce9fe6d70774ad30982 /freed-ora/current/f18 | |
| parent | 4232abf0f58020735f74d613231b1d1152792df1 (diff) | |
| download | linux-libre-raptor-94fe6db1dc802d21eb7dd4ddcb1092943e962bb2.tar.gz linux-libre-raptor-94fe6db1dc802d21eb7dd4ddcb1092943e962bb2.zip | |
3.11.9-100.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
11 files changed, 960 insertions, 182 deletions
diff --git a/freed-ora/current/f18/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch b/freed-ora/current/f18/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch
new file mode 100644
index 000000000..a19217d12
--- /dev/null
+++ b/freed-ora/current/f18/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch
@@ -0,0 +1,39 @@
+Bugzilla: 1015905
+Upstream-status: 3.13 (should hit stable)
+
+From 90e4e23d52fd04f228eed2c3d341136c50058b37 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@resnulli.us>
+Date: Wed, 6 Nov 2013 17:52:19 +0100
+Subject: [PATCH 1/2] ip6_output: fragment outgoing reassembled skb properly
+
+If reassembled packet would fit into outdev MTU, it is not fragmented
+according the original frag size and it is send as single big packet.
+
+The second case is if skb is gso. In that case fragmentation does not happen
+according to the original frag size.
+
+This patch fixes these.
+
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ip6_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 5b25f85..f80f2fa 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -150,7 +150,8 @@ static int ip6_finish_output2(struct sk_buff *skb)
+ static int ip6_finish_output(struct sk_buff *skb)
+ {
+ if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+- dst_allfrag(skb_dst(skb)))
++ dst_allfrag(skb_dst(skb)) ||
++ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
+ return ip6_fragment(skb, ip6_finish_output2);
+ else
+ return ip6_finish_output2(skb);
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/0002-netfilter-push-reasm-skb-through-instead-of-original.patch b/freed-ora/current/f18/0002-netfilter-push-reasm-skb-through-instead-of-original.patch
new file mode 100644
index 000000000..27fee5173
--- /dev/null
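Review bot: In 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch, the condition added to ip6_finish_output() reads IP6CB(skb)->frag_max_size on the output path, and nothing in the hunk shows that the control block is zeroed for packets that never went through reassembly. If a stale non-zero value can reach this point, unrelated packets would be fragmented to an arbitrary size, so this is worth confirming against the callers. A comment above the condition would also record the intent, e.g. `/* re-fragment a reassembled skb to its largest original fragment size, even when it fits the MTU or is GSO */`. The function's closing brace falls outside the hunk.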
+++ b/freed-ora/current/f18/0002-netfilter-push-reasm-skb-through-instead-of-original.patch 
@@ -0,0 +1,499 @@ +Bugzilla: 1015905 +Upstream-status: 3.13 (should hit stable) + +From 5c0df04613dd39fba5d2a43eaf90a2dc1dcd8899 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko <jiri@resnulli.us> +Date: Wed, 6 Nov 2013 17:52:20 +0100 +Subject: [PATCH 2/2] netfilter: push reasm skb through instead of original + frag skbs + +Pushing original fragments through causes several problems. For example +for matching, frags may not be matched correctly. Take following +example: + +<example> +On HOSTA do: +ip6tables -I INPUT -p icmpv6 -j DROP +ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT + +and on HOSTB you do: +ping6 HOSTA -s2000 (MTU is 1500) + +Incoming echo requests will be filtered out on HOSTA. This issue does +not occur with smaller packets than MTU (where fragmentation does not happen) +</example> + +As was discussed previously, the only correct solution seems to be to use +reassembled skb instead of separete frags. Doing this has positive side +effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams +dances in ipvs and conntrack can be removed. + +Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c +entirely and use code in net/ipv6/reassembly.c instead. + +Signed-off-by: Jiri Pirko <jiri@resnulli.us> +Acked-by: Julian Anastasov <ja@ssi.bg> +Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> + +Conflicts: + include/net/netfilter/ipv6/nf_defrag_ipv6.h + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c + net/netfilter/ipvs/ip_vs_core.c +--- + include/linux/skbuff.h | 32 --------------- + include/net/ip_vs.h | 32 +-------------- + include/net/netfilter/ipv6/nf_defrag_ipv6.h | 5 +-- + net/core/skbuff.c | 3 -- + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +------------------------ + net/ipv6/netfilter/nf_conntrack_reasm.c | 19 +-------- + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 7 +++- + net/netfilter/ipvs/ip_vs_core.c | 55 +------------------------- + net/netfilter/ipvs/ip_vs_pe_sip.c | 8 +--- + 9 files changed, 13 insertions(+), 202 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 6bd165b..37b4517 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -333,11 +333,6 @@ typedef unsigned int sk_buff_data_t; + typedef unsigned char *sk_buff_data_t; + #endif + +-#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \ +- defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) +-#define NET_SKBUFF_NF_DEFRAG_NEEDED 1 +-#endif +- + /** + * struct sk_buff - socket buffer + * @next: Next buffer in list +@@ -370,7 +365,6 @@ typedef unsigned char *sk_buff_data_t; + * @protocol: Packet protocol from driver + * @destructor: Destruct function + * @nfct: Associated connection, if any +- * @nfct_reasm: netfilter conntrack re-assembly pointer + * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c + * @skb_iif: ifindex of device we arrived on + * @tc_index: Traffic control index +@@ -459,9 +453,6 @@ struct sk_buff { + #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) + struct nf_conntrack *nfct; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- struct sk_buff *nfct_reasm; +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + struct nf_bridge_info *nf_bridge; + #endif +@@ 
-2603,18 +2594,6 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct) + atomic_inc(&nfct->use); + } + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +-static inline void nf_conntrack_get_reasm(struct sk_buff *skb) +-{ +- if (skb) +- atomic_inc(&skb->users); +-} +-static inline void nf_conntrack_put_reasm(struct sk_buff *skb) +-{ +- if (skb) +- kfree_skb(skb); +-} +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge) + { +@@ -2633,10 +2612,6 @@ static inline void nf_reset(struct sk_buff *skb) + nf_conntrack_put(skb->nfct); + skb->nfct = NULL; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(skb->nfct_reasm); +- skb->nfct_reasm = NULL; +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(skb->nf_bridge); + skb->nf_bridge = NULL; +@@ -2658,10 +2633,6 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) + nf_conntrack_get(src->nfct); + dst->nfctinfo = src->nfctinfo; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- dst->nfct_reasm = src->nfct_reasm; +- nf_conntrack_get_reasm(src->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + dst->nf_bridge = src->nf_bridge; + nf_bridge_get(src->nf_bridge); +@@ -2673,9 +2644,6 @@ static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src) + #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) + nf_conntrack_put(dst->nfct); + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(dst->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(dst->nf_bridge); + #endif +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index f0d70f0..ff21521 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size; + struct ip_vs_iphdr { + __u32 len; /* IPv4 simply where L4 starts + IPv6 where L4 Transport Header starts */ +- __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */ + __u16 
fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/ + __s16 protocol; + __s32 flags; +@@ -117,34 +116,12 @@ struct ip_vs_iphdr { + union nf_inet_addr daddr; + }; + +-/* Dependency to module: nf_defrag_ipv6 */ +-#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) +-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) +-{ +- return skb->nfct_reasm; +-} +-static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, +- int len, void *buffer, +- const struct ip_vs_iphdr *ipvsh) +-{ +- if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb))) +- return skb_header_pointer(skb_nfct_reasm(skb), +- ipvsh->thoff_reasm, len, buffer); +- +- return skb_header_pointer(skb, offset, len, buffer); +-} +-#else +-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) +-{ +- return NULL; +-} + static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, + int len, void *buffer, + const struct ip_vs_iphdr *ipvsh) + { + return skb_header_pointer(skb, offset, len, buffer); + } +-#endif + + static inline void + ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr) +@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr) + (struct ipv6hdr *)skb_network_header(skb); + iphdr->saddr.in6 = iph->saddr; + iphdr->daddr.in6 = iph->daddr; +- /* ipv6_find_hdr() updates len, flags, thoff_reasm */ +- iphdr->thoff_reasm = 0; ++ /* ipv6_find_hdr() updates len, flags */ + iphdr->len = 0; + iphdr->flags = 0; + iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1, + &iphdr->fragoffs, + &iphdr->flags); +- /* get proto from re-assembled packet and it's offset */ +- if (skb_nfct_reasm(skb)) +- iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb), +- &iphdr->thoff_reasm, +- -1, NULL, NULL); +- + } else + #endif + { +diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h +index fd79c9a..17920d8 100644 +--- 
a/include/net/netfilter/ipv6/nf_defrag_ipv6.h ++++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h +@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void); + extern int nf_ct_frag6_init(void); + extern void nf_ct_frag6_cleanup(void); + extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); +-extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, +- struct net_device *in, +- struct net_device *out, +- int (*okfn)(struct sk_buff *)); ++extern void nf_ct_frag6_consume_orig(struct sk_buff *skb); + + struct inet_frags_ctl; + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 2c3d0f5..a75022e 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -580,9 +580,6 @@ static void skb_release_head_state(struct sk_buff *skb) + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_conntrack_put(skb->nfct); + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(skb->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(skb->nf_bridge); + #endif +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +index c9b6a6e..97cd750 100644 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -172,63 +172,13 @@ out: + return nf_conntrack_confirm(skb); + } + +-static unsigned int __ipv6_conntrack_in(struct net *net, +- unsigned int hooknum, +- struct sk_buff *skb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) +-{ +- struct sk_buff *reasm = skb->nfct_reasm; +- const struct nf_conn_help *help; +- struct nf_conn *ct; +- enum ip_conntrack_info ctinfo; +- +- /* This packet is fragmented and has reassembled packet. */ +- if (reasm) { +- /* Reassembled packet isn't parsed yet ? 
*/ +- if (!reasm->nfct) { +- unsigned int ret; +- +- ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm); +- if (ret != NF_ACCEPT) +- return ret; +- } +- +- /* Conntrack helpers need the entire reassembled packet in the +- * POST_ROUTING hook. In case of unconfirmed connections NAT +- * might reassign a helper, so the entire packet is also +- * required. +- */ +- ct = nf_ct_get(reasm, &ctinfo); +- if (ct != NULL && !nf_ct_is_untracked(ct)) { +- help = nfct_help(ct); +- if ((help && help->helper) || !nf_ct_is_confirmed(ct)) { +- nf_conntrack_get_reasm(reasm); +- NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, +- (struct net_device *)in, +- (struct net_device *)out, +- okfn, NF_IP6_PRI_CONNTRACK + 1); +- return NF_DROP_ERR(-ECANCELED); +- } +- } +- +- nf_conntrack_get(reasm->nfct); +- skb->nfct = reasm->nfct; +- skb->nfctinfo = reasm->nfctinfo; +- return NF_ACCEPT; +- } +- +- return nf_conntrack_in(net, PF_INET6, hooknum, skb); +-} +- + static unsigned int ipv6_conntrack_in(unsigned int hooknum, + struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + int (*okfn)(struct sk_buff *)) + { +- return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn); ++ return nf_conntrack_in(dev_net(in), PF_INET6, hooknum, skb); + } + + static unsigned int ipv6_conntrack_local(unsigned int hooknum, +@@ -242,7 +192,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum, + net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); + return NF_ACCEPT; + } +- return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn); ++ return nf_conntrack_in(dev_net(out), PF_INET6, hooknum, skb); + } + + static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index dffdc1a..253566a 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -621,31 +621,16 @@ ret_orig: + return skb; + } 
+ +-void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, +- struct net_device *in, struct net_device *out, +- int (*okfn)(struct sk_buff *)) ++void nf_ct_frag6_consume_orig(struct sk_buff *skb) + { + struct sk_buff *s, *s2; +- unsigned int ret = 0; + + for (s = NFCT_FRAG6_CB(skb)->orig; s;) { +- nf_conntrack_put_reasm(s->nfct_reasm); +- nf_conntrack_get_reasm(skb); +- s->nfct_reasm = skb; +- + s2 = s->next; + s->next = NULL; +- +- if (ret != -ECANCELED) +- ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, +- in, out, okfn, +- NF_IP6_PRI_CONNTRACK_DEFRAG + 1); +- else +- kfree_skb(s); +- ++ consume_skb(s); + s = s2; + } +- nf_conntrack_put_reasm(skb); + } + + static int nf_ct_net_init(struct net *net) +diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +index aacd121..581dd9e 100644 +--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c ++++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(unsigned int hooknum, + if (reasm == skb) + return NF_ACCEPT; + +- nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in, +- (struct net_device *)out, okfn); ++ nf_ct_frag6_consume_orig(reasm); ++ ++ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, ++ (struct net_device *) in, (struct net_device *) out, ++ okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); + + return NF_STOLEN; + } +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 4f69e83..1517b50 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1131,12 +1131,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + ip_vs_fill_iph_skb(af, skb, &iph); + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (!iph.fragoffs && skb_nfct_reasm(skb)) { +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- /* Save fw mark for coming frags */ +- reasm->ipvs_property = 1; +- reasm->mark = skb->mark; +- } + if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { + int related; 
+ int verdict = ip_vs_out_icmp_v6(skb, &related, +@@ -1606,12 +1600,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) + + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (!iph.fragoffs && skb_nfct_reasm(skb)) { +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- /* Save fw mark for coming frags. */ +- reasm->ipvs_property = 1; +- reasm->mark = skb->mark; +- } + if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { + int related; + int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum, +@@ -1663,9 +1651,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) + /* sorry, all this trouble for a no-hit :) */ + IP_VS_DBG_PKT(12, af, pp, skb, 0, + "ip_vs_in: packet continues traversal as normal"); +- if (iph.fragoffs && !skb_nfct_reasm(skb)) { ++ if (iph.fragoffs) { + /* Fragment that couldn't be mapped to a conn entry +- * and don't have any pointer to a reasm skb + * is missing module nf_defrag_ipv6 + */ + IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); +@@ -1748,38 +1735,6 @@ ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, + #ifdef CONFIG_IP_VS_IPV6 + + /* +- * AF_INET6 fragment handling +- * Copy info from first fragment, to the rest of them. +- */ +-static unsigned int +-ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) +-{ +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- struct net *net; +- +- /* Skip if not a "replay" from nf_ct_frag6_output or first fragment. +- * ipvs_property is set when checking first fragment +- * in ip_vs_in() and ip_vs_out(). 
+- */ +- if (reasm) +- IP_VS_DBG(2, "Fragment recv prop:%d\n", reasm->ipvs_property); +- if (!reasm || !reasm->ipvs_property) +- return NF_ACCEPT; +- +- net = skb_net(skb); +- if (!net_ipvs(net)->enable) +- return NF_ACCEPT; +- +- /* Copy stored fw mark, saved in ip_vs_{in,out} */ +- skb->mark = reasm->mark; +- +- return NF_ACCEPT; +-} +- +-/* + * AF_INET6 handler in NF_INET_LOCAL_IN chain + * Schedule and forward packets from remote clients + */ +@@ -1916,14 +1871,6 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = { + .priority = 100, + }, + #ifdef CONFIG_IP_VS_IPV6 +- /* After mangle & nat fetch 2:nd fragment and following */ +- { +- .hook = ip_vs_preroute_frag6, +- .owner = THIS_MODULE, +- .pf = NFPROTO_IPV6, +- .hooknum = NF_INET_PRE_ROUTING, +- .priority = NF_IP6_PRI_NAT_DST + 1, +- }, + /* After packet filtering, change source only for VS/NAT */ + { + .hook = ip_vs_reply6, +diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c +index 9ef22bd..bed5f70 100644 +--- a/net/netfilter/ipvs/ip_vs_pe_sip.c ++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c +@@ -65,7 +65,6 @@ static int get_callid(const char *dptr, unsigned int dataoff, + static int + ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + { +- struct sk_buff *reasm = skb_nfct_reasm(skb); + struct ip_vs_iphdr iph; + unsigned int dataoff, datalen, matchoff, matchlen; + const char *dptr; +@@ -79,15 +78,10 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + /* todo: IPv6 fragments: + * I think this only should be done for the first fragment. /HS + */ +- if (reasm) { +- skb = reasm; +- dataoff = iph.thoff_reasm + sizeof(struct udphdr); +- } else +- dataoff = iph.len + sizeof(struct udphdr); ++ dataoff = iph.len + sizeof(struct udphdr); + + if (dataoff >= skb->len) + return -EINVAL; +- /* todo: Check if this will mess-up the reasm skb !!! /HS */ + retc = skb_linearize(skb); + if (retc < 0) + return retc; +-- +1.8.3.1 + 
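Review bot: In the nf_defrag_ipv6_hooks.c part of 0002-netfilter-push-reasm-skb-through-instead-of-original.patch, ipv6_defrag() now releases the original fragments through nf_ct_frag6_consume_orig() and then discards the result of NF_HOOK_THRESH() before returning NF_STOLEN, with no comment on who owns `reasm` from that point. This looks intentional (only the reassembled skb continues through the chain), but it is the exact place where rules stop seeing individual fragments, so it deserves a line such as `/* originals are released; only the reassembled skb continues through the hooks */`. Separately, the `todo: IPv6 fragments` comment kept in ip_vs_sip_fill_param() describes per-fragment handling that this patch removes and may now be stale. ipv6_defrag() starts outside its hunk.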
diff --git a/freed-ora/current/f18/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch b/freed-ora/current/f18/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
new file mode 100644
index 000000000..65a48c349
--- /dev/null
+++ b/freed-ora/current/f18/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
@@ -0,0 +1,53 @@
+Bugzilla: 967652
+Upstream-status: 3.13 (should hit stable)
+
+From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 31 Oct 2013 23:05:24 +0100
+Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax"
+
+When I was looking at RHEL5.9's failure to start with
+unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a
+slightly older tree than kvm.git. I now debugged the remaining failure,
+which was introduced by commit 660696d1 (KVM: X86 emulator: fix
+source operand decoding for 8bit mov[zs]x instructions, 2013-04-24)
+introduced a similar mis-emulation to the one in commit 8acb4207 (KVM:
+fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect
+decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand
+is sil/dil/bpl/spl.
+
+Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression
+prolog, just a handful of instructions before finally giving control to
+the decompressed vmlinux and getting out of the invalid guest state.
+
+Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix
+must be applied to OpMem8.
+
+Reported-by: Michele Baldessari <michele@redhat.com>
+Cc: stable@vger.kernel.org
+Cc: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+---
+ arch/x86/kvm/emulate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 16c037e..282d28c 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
+ case OpMem8:
+ ctxt->memop.bytes = 1;
+ if (ctxt->memop.type == OP_REG) {
+- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1);
++ int highbyte_regs = ctxt->rex_prefix == 0;
++
++ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm,
++ highbyte_regs);
+ fetch_register_operand(&ctxt->memop);
+ }
+ goto mem_common;
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/alx-Reset-phy-speed-after-resume.patch b/freed-ora/current/f18/alx-Reset-phy-speed-after-resume.patch
new file mode 100644
index 000000000..3af169f78
--- /dev/null
+++ b/freed-ora/current/f18/alx-Reset-phy-speed-after-resume.patch
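Review bot: In KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch, the new local `highbyte_regs` in the OpMem8 case of decode_operand() carries the whole fix but has no comment saying what it selects. I would add `/* without a REX prefix, register encodings 4-7 select AH/CH/DH/BH rather than SPL/BPL/SIL/DIL */` above the declaration. The commit message says decode_modrm applies the same REX handling; if so, deriving the flag in one shared place would keep the two decode paths from diverging again. decode_operand() starts and ends outside the hunk.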
@@ -0,0 +1,33 @@
+Bugzilla: 1011362
+Upstream-status: queued for 3.13
+
+From b54629e226d196e802abdd30c5e34f2a47cddcf2 Mon Sep 17 00:00:00 2001
+From: hahnjo <hahnjo@hahnjo.de>
+Date: Tue, 12 Nov 2013 17:19:24 +0000
+Subject: alx: Reset phy speed after resume
+
+This fixes bug 62491 (https://bugzilla.kernel.org/show_bug.cgi?id=62491).
+After resuming some users got the following error flooding the kernel log:
+alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff
+
+Signed-off-by: Jonas Hahnfeld <linux@hahnjo.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+(limited to 'drivers/net/ethernet/atheros/alx')
+
+diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
+index 5aa5e81..c3c4c26 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1388,6 +1388,9 @@ static int alx_resume(struct device *dev)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct alx_priv *alx = pci_get_drvdata(pdev);
++ struct alx_hw *hw = &alx->hw;
++
++ alx_reset_phy(hw);
+
+ if (!netif_running(alx->dev))
+ return 0;
+--
+cgit v0.9.2
diff --git a/freed-ora/current/f18/drm-radeon-24hz-audio-fixes.patch b/freed-ora/current/f18/drm-radeon-24hz-audio-fixes.patch
new file mode 100644
index 000000000..4fd8341ed
--- /dev/null
+++ b/freed-ora/current/f18/drm-radeon-24hz-audio-fixes.patch
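Review bot: In alx-Reset-phy-speed-after-resume.patch, `alx_reset_phy(hw)` is called at the top of alx_resume(), before the netif_running() check, so the PHY is reset on every resume even when the interface is down, and the code does not say why. A one-line comment would carry the reason over from the commit message, e.g. `/* PHY speed/duplex reads back as 0xffff after resume unless the PHY is reset */`. Whether the reset is needed for an interface that is down is not visible from the hunk. alx_resume() continues past the end of the hunk.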
@@ -0,0 +1,173 @@
+Bugzilla: 1010679
+Upstream-status: 3.13
+
+From 908171aa738b5bbcc6241cec46f73fcd57dd00d4 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <pierre@ossman.eu>
+Date: Wed, 6 Nov 2013 20:00:32 +0100
+Subject: [PATCH 1/2] drm/radeon/audio: correct ACR table
+
+The values were taken from the HDMI spec, but they assumed
+exact x/1.001 clocks. Since we round the clocks, we also need
+to calculate different N and CTS values.
+
+Note that the N for 25.2/1.001 MHz at 44.1 kHz audio is out of
+spec. Hopefully this mode is rarely used and/or HDMI sinks
+tolerate overly large values of N.
+
+bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=69675
+
+Signed-off-by: Pierre Ossman <pierre@ossman.eu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+---
+ drivers/gpu/drm/radeon/r600_hdmi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c
+index 4140fe8..e8ca095 100644
+--- a/drivers/gpu/drm/radeon/r600_hdmi.c
++++ b/drivers/gpu/drm/radeon/r600_hdmi.c
+@@ -57,15 +57,15 @@ enum r600_hdmi_iec_status_bits {
+ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = {
+ /* 32kHz 44.1kHz 48kHz */
+ /* Clock N CTS N CTS N CTS */
+- { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */
++ { 25175, 4096, 25175, 28224, 125875, 6144, 25175 }, /* 25,20/1.001 MHz */
+ { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */
+ { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */
+ { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */
+ { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */
+ { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */
+- { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */
++ { 74176, 4096, 74176, 5733, 75335, 6144, 74176 }, /* 74.25/1.001 MHz */
+ { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */
+- { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */
++ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */
+ { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */
+ { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */
+ };
+--
+1.8.3.1
+
+
+From 05e4776357fe7217e531cbaaa163e24f688d10ce Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <pierre@ossman.eu>
+Date: Wed, 6 Nov 2013 20:09:08 +0100
+Subject: [PATCH 2/2] drm/radeon/audio: improve ACR calculation
+
+In order to have any realistic chance of calculating proper
+ACR values, we need to be able to calculate both N and CTS,
+not just CTS. We still aim for the ideal N as specified in
+the HDMI spec though.
+
+bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=69675
+
+Signed-off-by: Pierre Ossman <pierre@ossman.eu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+---
+ drivers/gpu/drm/radeon/r600_hdmi.c | 68 ++++++++++++++++++++++++++------------
+ 1 file changed, 46 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c
+index e8ca095..92c6df7 100644
+--- a/drivers/gpu/drm/radeon/r600_hdmi.c
++++ b/drivers/gpu/drm/radeon/r600_hdmi.c
+@@ -24,6 +24,7 @@
+ * Authors: Christian König
+ */
+ #include <linux/hdmi.h>
++#include <linux/gcd.h>
+ #include <drm/drmP.h>
+ #include <drm/radeon_drm.h>
+ #include "radeon.h"
+@@ -67,25 +68,47 @@ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = {
+ { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */
+ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */
+ { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */
+- { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */
+ };
+
++
+ /*
+- * calculate CTS value if it's not found in the table
++ * calculate CTS and N values if they are not found in the table
+ */
+-static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq)
++static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int *N, int freq)
+ {
+- u64 n;
+- u32 d;
+-
+- if (*CTS == 0) {
+- n = (u64)clock * (u64)N * 1000ULL;
+- d = 128 * freq;
+- do_div(n, d);
+- *CTS = n;
+- }
+- DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n",
+- N, *CTS, freq);
++ int n, cts;
++ unsigned long div, mul;
++
++ /* Safe, but overly large values */
++ n = 128 * freq;
++ cts = clock * 1000;
++
++ /* Smallest valid fraction */
++ div = gcd(n, cts);
++
++ n /= div;
++ cts /= div;
++
++ /*
++ * The optimal N is 128*freq/1000. Calculate the closest larger
++ * value that doesn't truncate any bits.
++ */
++ mul = ((128*freq/1000) + (n-1))/n;
++
++ n *= mul;
++ cts *= mul;
++
++ /* Check that we are in spec (not always possible) */
++ if (n < (128*freq/1500))
++ printk(KERN_WARNING "Calculated ACR N value is too small. You may experience audio problems.\n");
++ if (n > (128*freq/300))
++ printk(KERN_WARNING "Calculated ACR N value is too large. You may experience audio problems.\n");
++
++ *N = n;
++ *CTS = cts;
++
++ DRM_DEBUG("Calculated ACR timing N=%d CTS=%d for frequency %d\n",
++ *N, *CTS, freq);
+ }
+
+ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock)
+@@ -93,15 +116,16 @@ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock)
+ struct radeon_hdmi_acr res;
+ u8 i;
+
+- for (i = 0; r600_hdmi_predefined_acr[i].clock != clock &&
+- r600_hdmi_predefined_acr[i].clock != 0; i++)
+- ;
+- res = r600_hdmi_predefined_acr[i];
++ /* Precalculated values for common clocks */
++ for (i = 0; i < ARRAY_SIZE(r600_hdmi_predefined_acr); i++) {
++ if (r600_hdmi_predefined_acr[i].clock == clock)
++ return r600_hdmi_predefined_acr[i];
++ }
+
+- /* In case some CTS are missing */
+- r600_hdmi_calc_cts(clock, &res.cts_32khz, res.n_32khz, 32000);
+- r600_hdmi_calc_cts(clock, &res.cts_44_1khz, res.n_44_1khz, 44100);
+- r600_hdmi_calc_cts(clock, &res.cts_48khz, res.n_48khz, 48000);
++ /* And odd clocks get manually calculated */
++ r600_hdmi_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000);
++ r600_hdmi_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100);
++ r600_hdmi_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000);
+
+ return res;
+ }
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/intel-3.12-stable-fixes.patch b/freed-ora/current/f18/intel-3.12-stable-fixes.patch
deleted file mode 100644
index 24a80dc0f..000000000
--- a/freed-ora/current/f18/intel-3.12-stable-fixes.patch
+++ /dev/null
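Review bot: In the second patch of drm-radeon-24hz-audio-fixes.patch, r600_hdmi_acr() returns `res` with its `clock` member never written when the clock is not in the table. The removed `res = r600_hdmi_predefined_acr[i];` was the only assignment to the whole struct, and the three r600_hdmi_calc_cts() calls fill only the N and CTS members, so the caller receives an uninitialised stack value in that field. Initialising at the declaration closes this: `struct radeon_hdmi_acr res = { .clock = clock };`. Whether any caller reads `clock` is not visible from the hunk. In r600_hdmi_calc_cts(), `cts = clock * 1000` also replaces the removed 64-bit arithmetic with an int, which is worth a comment stating the assumed maximum clock.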
@@ -1,86 +0,0 @@
-From 92c64493f41092185230c552c277b42bf6113140 Mon Sep 17 00:00:00 2001
-From: Jani Nikula <jani.nikula@intel.com>
-Date: Mon, 21 Oct 2013 10:52:07 +0300
-Subject: [PATCH 3/5] drm/i915/dp: workaround BIOS eDP bpp clamping issue
-
-This isn't a real fix to the problem, but rather a stopgap measure while
-trying to find a proper solution.
-
-There are several laptops out there that fail to light up the eDP panel
-in UEFI boot mode. They seem to be mostly IVB machines, including but
-apparently not limited to Dell XPS 13, Asus TX300, Asus UX31A, Asus
-UX32VD, Acer Aspire S7. They seem to work in CSM or legacy boot.
-
-The difference between UEFI and CSM is that the BIOS provides a
-different VBT to the kernel. The UEFI VBT typically specifies 18 bpp and
-1.62 GHz link for eDP, while CSM VBT has 24 bpp and 2.7 GHz link. We end
-up clamping to 18 bpp in UEFI mode, which we can fit in the 1.62 Ghz
-link, and for reasons yet unknown fail to light up the panel.
-
-Dithering from 24 to 18 bpp itself seems to work; if we use 18 bpp with
-2.7 GHz link, the eDP panel lights up. So essentially this is a link
-speed issue, and *not* a bpp clamping issue.
-
-The bug raised its head since
-commit 657445fe8660100ad174600ebfa61536392b7624
-Author: Daniel Vetter <daniel.vetter@ffwll.ch>
-Date: Sat May 4 10:09:18 2013 +0200
-
- Revert "drm/i915: revert eDP bpp clamping code changes"
-
-which started clamping bpp *before* computing the link requirements, and
-thus affecting the required bandwidth. Clamping after the computations
-kept the link at 2.7 GHz.
-
-Even though the BIOS tells us to use 18 bpp through the VBT, it happily
-boots up at 24 bpp and 2.7 GHz itself! Use this information to
-selectively ignore the VBT provided value.
-
-We can't ignore the VBT eDP bpp altogether, as there are other laptops
-that do require the clamping to be used due to EDID reporting higher bpp
-than the panel can support.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=59841
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=67950
-Tested-by: Ulf Winkelvos <ulf@winkelvos.de>
-Tested-by: jkp <jkp@iki.fi>
-CC: stable@vger.kernel.org
-Signed-off-by: Jani Nikula <jani.nikula@intel.com>
-Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
----
- drivers/gpu/drm/i915/intel_dp.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
-index 3aed1fe..07eb447 100644
---- a/drivers/gpu/drm/i915/intel_dp.c
-+++ b/drivers/gpu/drm/i915/intel_dp.c
-@@ -1371,6 +1371,26 @@ static void intel_dp_get_config(struct intel_encoder *encoder,
- }
-
- pipe_config->adjusted_mode.flags |= flags;
-+
-+ if (is_edp(intel_dp) && dev_priv->vbt.edp_bpp &&
-+ pipe_config->pipe_bpp > dev_priv->vbt.edp_bpp) {
-+ /*
-+ * This is a big fat ugly hack.
-+ *
-+ * Some machines in UEFI boot mode provide us a VBT that has 18
-+ * bpp and 1.62 GHz link bandwidth for eDP, which for reasons
-+ * unknown we fail to light up. Yet the same BIOS boots up with
-+ * 24 bpp and 2.7 GHz link. Use the same bpp as the BIOS uses as
-+ * max, not what it tells us to use.
-+ *
-+ * Note: This will still be broken if the eDP panel is not lit
-+ * up by the BIOS, and thus we can't get the mode at module
-+ * load.
-+ */
-+ DRM_DEBUG_KMS("pipe has %d bpp for eDP panel, overriding BIOS-provided max %d bpp\n",
-+ pipe_config->pipe_bpp, dev_priv->vbt.edp_bpp);
-+ dev_priv->vbt.edp_bpp = pipe_config->pipe_bpp;
-+ }
- }
-
- static void intel_disable_dp(struct intel_encoder *encoder)
---
-1.8.3.1
diff --git a/freed-ora/current/f18/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/freed-ora/current/f18/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
new file mode 100644
index 000000000..2b030387b
--- /dev/null
+++ b/freed-ora/current/f18/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
@@ -0,0 +1,43 @@
+Bugzilla: 1030015 1030017
+Upstream-status: 3.13
+
+From aeb45260747b0a1bf4d374d5e65298cc254cb4f5 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 5 Nov 2013 02:41:27 +0100
+Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
+
+Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+fragmentation for tunnel traffic.") changed the calculation if
+there is enough space to include a fragment header in the skb from a
+skb->mac_header dervived one to skb_headroom. Because we already peeled
+off the skb to transport_header this is wrong. Change this back to check
+if we have enough room before the mac_header.
+
+This fixes a panic Saran Neti reported. He used the tbf scheduler which
+skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+because the skb was erroneously not expanded at the head.
+
+Reported-by: Saran Neti <Saran.Neti@telus.com>
+Cc: Pravin B Shelar <pshelar@nicira.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 5d1b8d7..657914b 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+
+ /* Check if there is enough headroom to insert fragment header. */
+ tnl_hlen = skb_tnl_header_len(skb);
+- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ goto out;
+ }
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec
index f17041911..7e054aa1f 100644
--- a/freed-ora/current/f18/kernel.spec
+++ b/freed-ora/current/f18/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -834,6 +834,7 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 Patch25130: fix-radeon-sound.patch +Patch25149: drm-radeon-24hz-audio-fixes.patch #rhbz 1011714 Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch @@ -847,12 +848,6 @@ Patch25135: alps-Support-for-Dell-XT2-model.patch #rhbz 1011621 Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch -#rhbz 995782 -Patch25138: intel-3.12-stable-fixes.patch - -#CVE-2013-4348 rhbz 1007939 1025647 -Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch - #rhbz 1025769 Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -860,6 +855,22 @@ Patch25143: drm-qxl-backport-fixes-for-Fedora.patch Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch +#CVE-2013-4563 rhbz 1030015 1030017 +Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch + +#rhbz 1015905 +Patch25146: 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch +Patch25147: 0002-netfilter-push-reasm-skb-through-instead-of-original.patch + +#rhbz 1011362 +Patch25148: alx-Reset-phy-speed-after-resume.patch + +#rhbz 1031086 +Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch + +#rhbz 967652 +Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch + # END OF PATCH DEFINITIONS %endif @@ -1631,6 +1642,7 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 ApplyPatch fix-radeon-sound.patch +ApplyPatch drm-radeon-24hz-audio-fixes.patch #rhbz 1011714 ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch 
@@ -1644,12 +1656,6 @@ ApplyPatch alps-Support-for-Dell-XT2-model.patch #rhbz 1011621 ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch -#rhbz 995782 -ApplyPatch intel-3.12-stable-fixes.patch - -#CVE-2013-4348 rhbz 1007939 1025647 -ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch - #rhbz 1025769 ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -1657,6 +1663,22 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch +#CVE-2013-4563 rhbz 1030015 1030017 +ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch + +#rhbz 1015905 +ApplyPatch 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch +ApplyPatch 0002-netfilter-push-reasm-skb-through-instead-of-original.patch + +#rhbz 1011362 +ApplyPatch alx-Reset-phy-speed-after-resume.patch + +#rhbz 1031086 +ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch + +#rhbz 967652 +ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch + # END OF PATCH APPLICATIONS %endif @@ -2509,6 +2531,19 @@ fi # ||----w | # || || %changelog +* Wed Nov 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.9-100 +- Linux v3.11.9 + +* Mon Nov 18 2013 Josh Boyer <jwboyer@fedoraproject.org> +- Add patch to fix rhel5.9 KVM guests (rhbz 967652) +- Add patch to fix crash from slab when using md-raid mirrors (rhbz 1031086) +- Add patches from Pierre Ossman to fix 24Hz/24p radeon audio (rhbz 1010679) +- Add patch to fix ALX phy issues after resume (rhbz 1011362) +- Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) + +* Thu Nov 14 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017) + * Wed Nov 13 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.8-100 - Linux v3.11.8 
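Review bot: The `%changelog` entries added for 3.11.9-100 do not record that `net-flow_dissector-fail-on-evil-iph-ihl.patch` (CVE-2013-4348) and `intel-3.12-stable-fixes.patch` are removed from both the `Patch` and `ApplyPatch` lists. Presumably both are carried by the v3.11.9 stable update, but nothing in this diff shows that, and a CVE fix dropped without a recorded reason is hard to audit later. I would add a line such as `- Drop CVE-2013-4348 flow_dissector and i915 stable fixes, now in 3.11.9` once that is confirmed against patch-3.11.9. The same changelog block spells the tag `rbhz 1015905`, which should be `rhbz 1015905` so bug-number searches find it.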
diff --git a/freed-ora/current/f18/net-flow_dissector-fail-on-evil-iph-ihl.patch b/freed-ora/current/f18/net-flow_dissector-fail-on-evil-iph-ihl.patch
deleted file mode 100644
index aba3ea88b..000000000
--- a/freed-ora/current/f18/net-flow_dissector-fail-on-evil-iph-ihl.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-Path: news.gmane.org!not-for-mail
-From: Jason Wang <jasowang@redhat.com>
-Newsgroups: gmane.linux.kernel,gmane.linux.network
-Subject: [PATCH net] net: flow_dissector: fail on evil iph->ihl
-Date: Fri, 1 Nov 2013 15:01:10 +0800
-Lines: 34
-Approved: news@gmane.org
-Message-ID: <1383289270-18952-1-git-send-email-jasowang@redhat.com>
-NNTP-Posting-Host: plane.gmane.org
-X-Trace: ger.gmane.org 1383289296 18578 80.91.229.3 (1 Nov 2013 07:01:36 GMT)
-X-Complaints-To: usenet@ger.gmane.org
-NNTP-Posting-Date: Fri, 1 Nov 2013 07:01:36 +0000 (UTC)
-Cc: Jason Wang <jasowang@redhat.com>,
- Petr Matousek <pmatouse@redhat.com>,
- "Michael S. Tsirkin" <mst@redhat.com>,
- Daniel Borkmann <dborkman@redhat.com>
-To: davem@davemloft.net, edumazet@google.com, netdev@vger.kernel.org,
- linux-kernel@vger.kernel.org
-Original-X-From: linux-kernel-owner@vger.kernel.org Fri Nov 01 08:01:39 2013
-Return-path: <linux-kernel-owner@vger.kernel.org>
-Envelope-to: glk-linux-kernel-3@plane.gmane.org
-Original-Received: from vger.kernel.org ([209.132.180.67])
- by plane.gmane.org with esmtp (Exim 4.69)
- (envelope-from <linux-kernel-owner@vger.kernel.org>)
- id 1Vc8jh-00034h-9Y
- for glk-linux-kernel-3@plane.gmane.org; Fri, 01 Nov 2013 08:01:37 +0100
-Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1753899Ab3KAHB3 (ORCPT <rfc822;glk-linux-kernel-3@m.gmane.org>);
- Fri, 1 Nov 2013 03:01:29 -0400
-Original-Received: from mx1.redhat.com ([209.132.183.28]:8081 "EHLO mx1.redhat.com"
- rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
- id S1752399Ab3KAHB1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
- Fri, 1 Nov 2013 03:01:27 -0400
-Original-Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
- by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rA171QgE005079
- (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
- Fri, 1 Nov 2013 03:01:26 -0400
-Original-Received: from jason-ThinkPad-T430s.nay.redhat.com (dhcp-66-71-71.eng.nay.redhat.com [10.66.71.71] (may be forged))
- by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id rA171Jpr015790;
- Fri, 1 Nov 2013 03:01:20 -0400
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
-Original-Sender: linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-kernel.vger.kernel.org>
-X-Mailing-List: linux-kernel@vger.kernel.org
-Xref: news.gmane.org gmane.linux.kernel:1588387 gmane.linux.network:289242
-Archived-At: <http://permalink.gmane.org/gmane.linux.kernel/1588387>
-
-We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
-skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
-is evil (less than 5).
-
-This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
-(rps: support IPIP encapsulation).
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
-This patch is needed for stable.
----
- net/core/flow_dissector.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
-index 8d7d0dd..143b6fd 100644
---- a/net/core/flow_dissector.c
-+++ b/net/core/flow_dissector.c
-@@ -40,7 +40,7 @@ again:
- struct iphdr _iph;
- ip:
- iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-- if (!iph)
-+ if (!iph || iph->ihl < 5)
- return false;
-
- if (ip_is_fragment(iph))
---
-1.8.1.2
-
diff --git a/freed-ora/current/f18/slab_common-Do-not-check-for-duplicate-slab-names.patch b/freed-ora/current/f18/slab_common-Do-not-check-for-duplicate-slab-names.patch
new file mode 100644
index 000000000..c99303cc0
--- /dev/null
+++ b/freed-ora/current/f18/slab_common-Do-not-check-for-duplicate-slab-names.patch
@@ -0,0 +1,71 @@
+Bugzilla: 1031086
+Upstream-status: 3.12
+
+From cd8fa0170867ce6e6e2d7edba1dc1a0b87485854 Mon Sep 17 00:00:00 2001
+From: Christoph Lameter <cl@linux.com>
+Date: Sat, 21 Sep 2013 21:56:34 +0000
+Subject: [PATCH] slab_common: Do not check for duplicate slab names
+
+SLUB can alias multiple slab kmem_create_requests to one slab cache to save
+memory and increase the cache hotness. As a result the name of the slab can be
+stale. Only check the name for duplicates if we are in debug mode where we do
+not merge multiple caches.
+
+This fixes the following problem reported by Jonathan Brassow:
+
+ The problem with kmem_cache* is this:
+
+ *) Assume CONFIG_SLUB is set
+ 1) kmem_cache_create(name="foo-a")
+ - creates new kmem_cache structure
+ 2) kmem_cache_create(name="foo-b")
+ - If identical cache characteristics, it will be merged with the previously
+ created cache associated with "foo-a". The cache's refcount will be
+ incremented and an alias will be created via sysfs_slab_alias().
+ 3) kmem_cache_destroy(<ptr>)
+ - Attempting to destroy cache associated with "foo-a", but instead the
+ refcount is simply decremented. I don't even think the sysfs aliases are
+ ever removed...
+ 4) kmem_cache_create(name="foo-a")
+ - This FAILS because kmem_cache_sanity_check colides with the existing
+ name ("foo-a") associated with the non-removed cache.
+
+ This is a problem for RAID (specifically dm-raid) because the name used
+ for the kmem_cache_create is ("raid%d-%p", level, mddev). If the cache
+ persists for long enough, the memory address of an old mddev will be
+ reused for a new mddev - causing an identical formulation of the cache
+ name. Even though kmem_cache_destory had long ago been used to delete
+ the old cache, the merging of caches has cause the name and cache of that
+ old instance to be preserved and causes a colision (and thus failure) in
+ kmem_cache_create(). I see this regularly in my testing.
+
+Reported-by: Jonathan Brassow <jbrassow@redhat.com>
+Signed-off-by: Christoph Lameter <cl@linux.com>
+Signed-off-by: Pekka Enberg <penberg@kernel.org>
+---
+ mm/slab_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index 538bade..d434771 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -55,6 +55,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name,
+ continue;
+ }
+
++#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON)
+ /*
+ * For simplicity, we won't check this in the list of memcg
+ * caches. We have control over memcg naming, and if there
+@@ -68,6 +69,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name,
+ s = NULL;
+ return -EINVAL;
+ }
++#endif
+ }
+
+ WARN_ON(strchr(name, ' ')); /* It confuses parsers */
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index ab2c2a4c7..b282e0624 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 7ec84223c7adcf01a5287eb7af96b7e7 linux-libre-3.11-gnu.tar.xz
-e6c14ecc86eab4cfaf498ba3c70b3f04 patch-3.11.8.xz
+6cea7db9419cefdf4c3a4bcc89bf904b patch-3.11.9.xz
|
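Review bot: The guard added around the duplicate-name check in `kmem_cache_sanity_check` (slab_common-Do-not-check-for-duplicate-slab-names.patch) reads as inverted relative to the patch's own description. The message says the name should be checked only in debug mode, where caches are not merged, but `#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON)` keeps the check compiled in for a SLUB build without `CONFIG_SLUB_DEBUG_ON`, which is the merging configuration from the dm-raid report, so `kmem_cache_create()` can still fail with `-EINVAL` there. If the description is the intent, the condition would be `#if !defined(CONFIG_SLUB) || defined(CONFIG_SLUB_DEBUG_ON)`. The function begins and ends outside both nested hunks, so any outer config guard around this loop is not visible here and should be checked before relying on this patch for rhbz 1031086.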

