--- /dev/null
+From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Fri, 12 Apr 2019 15:04:10 +0200
+Subject: bonding: fix event handling for stacked bonds
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ]
+
+When a bond is enslaved to another bond, bond_netdev_event() only
+handles the event as if the bond is a master, and skips treating the
+bond as a slave.
+
+This leads to a refcount leak on the slave, since we don't remove the
+adjacency to its master and the master holds a reference on the slave.
+
+Reproducer:
+ ip link add bondL type bond
+ ip link add bondU type bond
+ ip link set bondL master bondU
+ ip link del bondL
+
+No "Fixes:" tag, this code is older than git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2958,8 +2958,12 @@ static int bond_netdev_event(struct noti
+ return NOTIFY_DONE;
+
+ if (event_dev->flags & IFF_MASTER) {
++ int ret;
++
+ netdev_dbg(event_dev, "IFF_MASTER\n");
+- return bond_master_netdev_event(event, event_dev);
++ ret = bond_master_netdev_event(event, event_dev);
++ if (ret != NOTIFY_DONE)
++ return ret;
+ }
+
+ if (event_dev->flags & IFF_SLAVE) {
--- /dev/null
+From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 13 Apr 2019 17:32:21 -0700
+Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]
+
+fib_compute_spec_dst() needs to be called under rcu protection.
+
+syzbot reported :
+
+WARNING: suspicious RCU usage
+5.1.0-rc4+ #165 Not tainted
+include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by swapper/0/0:
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
+ __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
+ fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
+ spec_dst_fill net/ipv4/ip_options.c:245 [inline]
+ __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
+ ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
+ dst_link_failure include/net/dst.h:427 [inline]
+ arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
+ neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
+ neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1150,14 +1150,20 @@ static struct dst_entry *ipv4_dst_check(
+
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+- struct rtable *rt;
+ struct ip_options opt;
++ struct rtable *rt;
++ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
+ */
+ memset(&opt, 0, sizeof(opt));
+ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
+ return;
+
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
--- /dev/null
+From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Fri, 12 Apr 2019 16:19:27 -0400
+Subject: ipv4: recompile ip options in ipv4_link_failure
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ]
+
+Recompile IP options since IPCB may not be valid anymore when
+ipv4_link_failure is called from arp_error_report.
+
+Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
+and the commit before that (9ef6b42ad6fd) for a similar issue.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1151,8 +1151,16 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+ struct rtable *rt;
++ struct ip_options opt;
+
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
++ /* Recompile ip options since IPCB may not be valid anymore.
++ */
++ memset(&opt, 0, sizeof(opt));
++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++ return;
++
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+
+ rt = skb_rtable(skb);
+ if (rt)
--- /dev/null
+From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 11 Apr 2019 15:08:25 +0300
+Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]
+
+br_multicast_start_querier() walks over the port list but it can be
+called from a timer with only multicast_lock held which doesn't protect
+the port list, so use RCU to walk over it.
+
+Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -2023,7 +2023,8 @@ static void br_multicast_start_querier(s
+
+ __br_multicast_open(br, query);
+
+- list_for_each_entry(port, &br->port_list, list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(port, &br->port_list, list) {
+ if (port->state == BR_STATE_DISABLED ||
+ port->state == BR_STATE_BLOCKING)
+ continue;
+@@ -2035,6 +2036,7 @@ static void br_multicast_start_querier(s
+ br_multicast_enable(&port->ip6_own_query);
+ #endif
+ }
++ rcu_read_unlock();
+ }
+
+ int br_multicast_toggle(struct net_bridge *br, unsigned long val)
appletalk-fix-compile-regression.patch
crypto-crypto4xx-properly-set-iv-after-de-and-encryp.patch
tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-.patch
+bonding-fix-event-handling-for-stacked-bonds.patch
+net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
+ipv4-recompile-ip-options-in-ipv4_link_failure.patch
+ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
+tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
--- /dev/null
+From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 16 Apr 2019 10:55:20 -0700
+Subject: tcp: tcp_grow_window() needs to respect tcp_space()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ]
+
+For some reason, tcp_grow_window() correctly tests if enough room
+is present before attempting to increase tp->rcv_ssthresh,
+but does not prevent it to grow past tcp_space()
+
+This is causing hard to debug issues, like failing
+the (__tcp_select_window(sk) >= tp->rcv_wnd) test
+in __tcp_ack_snd_check(), causing ACK delays and possibly
+slow flows.
+
+Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
+we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
+after about 60 round trips, when the active side no longer sends
+immediate acks.
+
+This bug predates git history.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -358,11 +358,12 @@ static int __tcp_grow_window(const struc
+ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
++ int room;
++
++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
+
+ /* Check #1 */
+- if (tp->rcv_ssthresh < tp->window_clamp &&
+- (int)tp->rcv_ssthresh < tcp_space(sk) &&
+- !sk_under_memory_pressure(sk)) {
++ if (room > 0 && !sk_under_memory_pressure(sk)) {
+ int incr;
+
+ /* Check #2. Increase window, if skb with such overhead
+@@ -375,8 +376,7 @@ static void tcp_grow_window(struct sock
+
+ if (incr) {
+ incr = max_t(int, incr, 2 * skb->len);
+- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
+- tp->window_clamp);
++ tp->rcv_ssthresh += min(room, incr);
+ inet_csk(sk)->icsk_ack.quick |= 1;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
