3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jun 2016 03:30:19 +0000 (20:30 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jun 2016 03:30:19 +0000 (20:30 -0700)
added patches:
netlink-fix-dump-skb-leak-double-free.patch
sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch

queue-3.14/netlink-fix-dump-skb-leak-double-free.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch [new file with mode: 0644]
queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch [new file with mode: 0644]

diff --git a/queue-3.14/netlink-fix-dump-skb-leak-double-free.patch b/queue-3.14/netlink-fix-dump-skb-leak-double-free.patch
new file mode 100644 (file)
index 0000000..2372fea
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 16 May 2016 17:28:16 +0800
+Subject: netlink: Fix dump skb leak/double free
+Status: RO
+Content-Length: 1415
+Lines: 47
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 ]
+
+When we free cb->skb after a dump, we do it after releasing the
+lock.  This means that a new dump could have started in the time
+being and we'll end up freeing their skb instead of ours.
+
+This patch saves the skb and module before we unlock so we free
+the right memory.
+
+Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
+Reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2651,6 +2651,7 @@ static int netlink_dump(struct sock *sk)
+       struct netlink_callback *cb;
+       struct sk_buff *skb = NULL;
+       struct nlmsghdr *nlh;
++      struct module *module;
+       int len, err = -ENOBUFS;
+       int alloc_size;
+@@ -2700,9 +2701,11 @@ static int netlink_dump(struct sock *sk)
+               cb->done(cb);
+       nlk->cb_running = false;
++      module = cb->module;
++      skb = cb->skb;
+       mutex_unlock(nlk->cb_mutex);
+-      module_put(cb->module);
+-      consume_skb(cb->skb);
++      module_put(module);
++      consume_skb(skb);
+       return 0;
+ errout_skb:
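Review bot: The two snapshot assignments before `mutex_unlock(nlk->cb_mutex)` in the second af_netlink.c hunk carry the whole fix, yet nothing in the code says why `cb` must not be read after the unlock, so a later cleanup could fold them back into `module_put(cb->module)` and reintroduce the wrong-skb free. A comment above them would pin the invariant, for example `/* cb can be reused by a new dump once cb_mutex is dropped; free only what we saved under the lock */`. The local `skb` declared at the top of netlink_dump() is also reused here for a different buffer than the one it presumably held earlier in the function; a separate local for the saved `cb->skb` would make it obvious that the errout_skb path and this path free different objects. netlink_dump() begins and ends outside the visible hunks, so the earlier uses of `skb` are inferred, not seen.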
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..22bfb20fb8c8e876ab5540dc187098484af157ad 100644 (file)
@@ -0,0 +1,3 @@
+netlink-fix-dump-skb-leak-double-free.patch
+sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
+tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
diff --git a/queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch b/queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
new file mode 100644 (file)
index 0000000..074e46c
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Edward Cree <ecree@solarflare.com>
+Date: Tue, 24 May 2016 18:53:36 +0100
+Subject: sfc: on MC reset, clear PIO buffer linkage in TXQs
+Status: RO
+Content-Length: 1705
+Lines: 56
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb ]
+
+Otherwise, if we fail to allocate new PIO buffers, our TXQs will try to
+use the old ones, which aren't there any more.
+
+Fixes: 183233bec810 "sfc: Allocate and link PIO buffers; map them with write-combining"
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ef10.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -451,6 +451,17 @@ fail:
+       return rc;
+ }
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++      struct efx_channel *channel;
++      struct efx_tx_queue *tx_queue;
++
++      /* All our existing PIO buffers went away */
++      efx_for_each_channel(channel, efx)
++              efx_for_each_channel_tx_queue(tx_queue, channel)
++                      tx_queue->piobuf = NULL;
++}
++
+ #else /* !EFX_USE_PIO */
+ static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
+@@ -467,6 +478,10 @@ static void efx_ef10_free_piobufs(struct
+ {
+ }
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++}
++
+ #endif /* EFX_USE_PIO */
+ static void efx_ef10_remove(struct efx_nic *efx)
+@@ -698,6 +713,7 @@ static void efx_ef10_reset_mc_allocation
+       nic_data->must_realloc_vis = true;
+       nic_data->must_restore_filters = true;
+       nic_data->must_restore_piobufs = true;
++      efx_ef10_forget_old_piobufs(efx);
+       nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
+ }
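Review bot: `efx_ef10_forget_old_piobufs()` stores NULL into every `tx_queue->piobuf` with no locking or barrier visible, and the hunk does not show whether the TX datapath is stopped when `efx_ef10_reset_mc_allocations()` runs. If a transmit can still be in flight, a queue that already read the old pointer would keep writing to a buffer the commit message says is gone, so the precondition deserves to be stated in the function comment, for example `/* Caller must have quiesced TX; this only drops the stale pointers, it frees nothing */`. The existing comment says only that the buffers went away, not what callers must guarantee. The bodies of the surrounding functions lie outside the hunk, so whether that quiescing already happens cannot be confirmed from here.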
diff --git a/queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch b/queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
new file mode 100644 (file)
index 0000000..f5647e2
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Yuchung Cheng <ycheng@google.com>
+Date: Mon, 6 Jun 2016 15:07:18 -0700
+Subject: tcp: record TLP and ER timer stats in v6 stats
+Status: RO
+Content-Length: 1152
+Lines: 32
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc ]
+
+The v6 tcp stats scan do not provide TLP and ER timer information
+correctly like the v4 version . This patch fixes that.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Fixes: eed530b6c676 ("tcp: early retransmit")
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/tcp_ipv6.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1783,7 +1783,9 @@ static void get_tcp6_sock(struct seq_fil
+       destp = ntohs(inet->inet_dport);
+       srcp  = ntohs(inet->inet_sport);
+-      if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
++      if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
++          icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
++          icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
+               timer_active    = 1;
+               timer_expires   = icsk->icsk_timeout;
+       } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
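Review bot: The condition in get_tcp6_sock() now lists three `ICSK_TIME_*` values by hand, and the commit message indicates the v4 reporting code carries the same list, which is the kind of duplicate that drifted and caused this bug. A cross-reference comment on the new condition, such as `/* timer states must match get_tcp4_sock() */`, would flag the coupling for whoever adds the next timer type; a shared inline predicate would remove it, though that is probably more than a stable backport should carry. The if/else chain continues past the end of the hunk.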