4.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Dec 2016 15:54:09 +0000 (16:54 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Dec 2016 15:54:09 +0000 (16:54 +0100)
added patches:
esp4-fix-integrity-verification-when-esn-are-used.patch
esp6-fix-integrity-verification-when-esn-are-used.patch
flowcache-increase-threshold-for-refusing-new-allocations.patch
ipv4-set-skb-protocol-properly-for-local-output.patch
ipv6-set-skb-protocol-properly-for-local-output.patch
revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch

queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch [new file with mode: 0644]
queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch [new file with mode: 0644]
queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch [new file with mode: 0644]
queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch [new file with mode: 0644]
queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch [new file with mode: 0644]
queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch [new file with mode: 0644]
queue-4.8/series

diff --git a/queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch b/queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644 (file)
index 0000000..49f4bc6
--- /dev/null
@@ -0,0 +1,33 @@
+From 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 29 Nov 2016 17:05:20 +0100
+Subject: esp4: Fix integrity verification when ESN are used
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+commit 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/esp4.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -476,7 +476,7 @@ static int esp_input(struct xfrm_state *
+               esph = (void *)skb_push(skb, 4);
+               *seqhi = esph->spi;
+               esph->spi = esph->seq_no;
+-              esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++              esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+               aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+       }
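Review bot: The corrected assignment `esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;` carries no comment saying why the byte-order conversion is absent, so a later cleanup could plausibly put `htonl()` back. The commit message states that both halves of the sequence number stored on the skb are already in network order on the inbound path; a one-line comment above the assignment such as `/* seq.input.hi is already in network byte order; no htonl() here */` would pin that. Since this word feeds the ESN integrity check, a double swap presumably makes verification fail on little-endian hosts only once the high half is non-zero, that is after the low 32 bits wrap, so a regression test that crosses that boundary is worth having. The same applies to the identical line in the esp6 patch (net/ipv6/esp6.c, esp6_input). esp_input starts and ends outside the hunk.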
diff --git a/queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch b/queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644 (file)
index 0000000..632cb3d
--- /dev/null
@@ -0,0 +1,33 @@
+From a55e23864d381c5a4ef110df94b00b2fe121a70d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 29 Nov 2016 17:05:25 +0100
+Subject: esp6: Fix integrity verification when ESN are used
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+commit a55e23864d381c5a4ef110df94b00b2fe121a70d upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/esp6.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -418,7 +418,7 @@ static int esp6_input(struct xfrm_state
+               esph = (void *)skb_push(skb, 4);
+               *seqhi = esph->spi;
+               esph->spi = esph->seq_no;
+-              esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++              esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+               aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+       }
diff --git a/queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch b/queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch
new file mode 100644 (file)
index 0000000..09f2347
--- /dev/null
@@ -0,0 +1,53 @@
+From 6b226487815574193c1da864f2eac274781a2b0c Mon Sep 17 00:00:00 2001
+From: Miroslav Urbanek <mu@miroslavurbanek.com>
+Date: Mon, 21 Nov 2016 15:48:21 +0100
+Subject: flowcache: Increase threshold for refusing new allocations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miroslav Urbanek <mu@miroslavurbanek.com>
+
+commit 6b226487815574193c1da864f2eac274781a2b0c upstream.
+
+The threshold for OOM protection is too small for systems with large
+number of CPUs. Applications report ENOBUFs on connect() every 10
+minutes.
+
+The problem is that the variable net->xfrm.flow_cache_gc_count is a
+global counter while the variable fc->high_watermark is a per-CPU
+constant. Take the number of CPUs into account as well.
+
+Fixes: 6ad3122a08e3 ("flowcache: Avoid OOM condition under preasure")
+Reported-by: Lukáš Koldrt <lk@excello.cz>
+Tested-by: Jan Hejl <jh@excello.cz>
+Signed-off-by: Miroslav Urbanek <mu@miroslavurbanek.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/flow.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/core/flow.c
++++ b/net/core/flow.c
+@@ -95,7 +95,6 @@ static void flow_cache_gc_task(struct wo
+       list_for_each_entry_safe(fce, n, &gc_list, u.gc_list) {
+               flow_entry_kill(fce, xfrm);
+               atomic_dec(&xfrm->flow_cache_gc_count);
+-              WARN_ON(atomic_read(&xfrm->flow_cache_gc_count) < 0);
+       }
+ }
+@@ -236,9 +235,8 @@ flow_cache_lookup(struct net *net, const
+               if (fcp->hash_count > fc->high_watermark)
+                       flow_cache_shrink(fc, fcp);
+-              if (fcp->hash_count > 2 * fc->high_watermark ||
+-                  atomic_read(&net->xfrm.flow_cache_gc_count) > fc->high_watermark) {
+-                      atomic_inc(&net->xfrm.flow_cache_genid);
++              if (atomic_read(&net->xfrm.flow_cache_gc_count) >
++                  2 * num_online_cpus() * fc->high_watermark) {
+                       flo = ERR_PTR(-ENOBUFS);
+                       goto ret_object;
+               }
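Review bot: The second inner hunk of net/core/flow.c drops more than the description accounts for: besides scaling the limit by `num_online_cpus()`, it removes the per-CPU bound `fcp->hash_count > 2 * fc->high_watermark` and the `atomic_inc(&net->xfrm.flow_cache_genid)` on the refusal path, and the first inner hunk removes the `WARN_ON` for a negative `flow_cache_gc_count`. This condition is the cache's out-of-memory guard, so the reasoning behind each removal should be recorded, at least as a comment above the new test, e.g. `/* gc_count is global, high_watermark is per-CPU: scale the limit by online CPUs */`. The right-hand side is presumably unsigned (the type of `high_watermark` is not visible here), in which case the `atomic_read()` result is converted to unsigned and a counter that ever went negative would exceed the limit and make every lookup return -ENOBUFS, now without the warning that would have reported it; that is worth confirming. Both flow_cache_gc_task and flow_cache_lookup continue outside the hunks shown.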
diff --git a/queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch b/queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch
new file mode 100644 (file)
index 0000000..086c58c
--- /dev/null
@@ -0,0 +1,39 @@
+From f4180439109aa720774baafdd798b3234ab1a0d2 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Thu, 1 Dec 2016 10:05:10 +0800
+Subject: ipv4: Set skb->protocol properly for local output
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit f4180439109aa720774baafdd798b3234ab1a0d2 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+    xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IP before dst_output() is called,
+fixing a bug where GSO packets sent through a sit tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_output.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -98,6 +98,9 @@ int __ip_local_out(struct net *net, stru
+       iph->tot_len = htons(skb->len);
+       ip_send_check(iph);
++
++      skb->protocol = htons(ETH_P_IP);
++
+       return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
+                      net, sk, skb, NULL, skb_dst(skb)->dev,
+                      dst_output);
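Review bot: The new `skb->protocol = htons(ETH_P_IP);` in __ip_local_out() is unconditional and uncommented, so nothing at the site tells a reader that the xfrm GSO path depends on it. The commit message gives the reason (skb_gso_segment() relies on skb->protocol when xfrm_output_gso() runs); a short comment such as `/* skb_gso_segment() on the xfrm output path needs skb->protocol set */` would keep the line from being removed later as redundant. Because every packet passing through this function now has the field overwritten, any caller that deliberately set a different skb->protocol before local output would lose it; none is visible in this hunk, but it is worth checking. The same points apply to the `htons(ETH_P_IPV6)` line added to __ip6_local_out() in the ipv6 patch. The function body begins outside the hunk.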
diff --git a/queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch b/queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch
new file mode 100644 (file)
index 0000000..5cff552
--- /dev/null
@@ -0,0 +1,38 @@
+From b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Thu, 1 Dec 2016 10:05:11 +0800
+Subject: ipv6: Set skb->protocol properly for local output
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+    xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IPV6 before dst_output() is called,
+fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/output_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -148,6 +148,8 @@ int __ip6_local_out(struct net *net, str
+       ipv6_hdr(skb)->payload_len = htons(len);
+       IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
++      skb->protocol = htons(ETH_P_IPV6);
++
+       return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+                      net, sk, skb, NULL, skb_dst(skb)->dev,
+                      dst_output);
diff --git a/queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch b/queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
new file mode 100644 (file)
index 0000000..58ffaba
--- /dev/null
@@ -0,0 +1,33 @@
+From 80d1106aeaf689ab5fdf33020c5fecd269b31c88 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Thu, 1 Dec 2016 10:05:12 +0800
+Subject: Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit 80d1106aeaf689ab5fdf33020c5fecd269b31c88 upstream.
+
+This reverts commit ae148b085876fa771d9ef2c05f85d4b4bf09ce0d
+("ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()").
+
+skb->protocol is now set in __ip_local_out() and __ip6_local_out() before
+dst_output() is called. It is no longer necessary to do it for each tunnel.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ip6_tunnel.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1143,7 +1143,6 @@ int ip6_tnl_xmit(struct sk_buff *skb, st
+       if (err)
+               return err;
+-      skb->protocol = htons(ETH_P_IPV6);
+       skb_push(skb, sizeof(struct ipv6hdr));
+       skb_reset_network_header(skb);
+       ipv6h = ipv6_hdr(skb);
index 011091005d9f8d095ff4765fb7bc302b313c7331..3f09ebeaf3c664e1389769d1016ee5c0c2256c64 100644 (file)
@@ -37,3 +37,9 @@ sparc64-fix-compile-warning-section-mismatch-in-find_node.patch
 sparc32-fix-inverted-invalid_frame_pointer-checks-on-sigreturns.patch
 don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
 constify-iov_iter_count-and-iter_is_iovec.patch
+ipv6-set-skb-protocol-properly-for-local-output.patch
+ipv4-set-skb-protocol-properly-for-local-output.patch
+revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
+flowcache-increase-threshold-for-refusing-new-allocations.patch
+esp4-fix-integrity-verification-when-esn-are-used.patch
+esp6-fix-integrity-verification-when-esn-are-used.patch