--- /dev/null
+From 60abc0be96e00ca71bac083215ac91ad2e575096 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed, 21 Jun 2017 14:34:58 -0700
+Subject: ipv6: avoid unregistering inet6_dev for loopback
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit 60abc0be96e00ca71bac083215ac91ad2e575096 upstream.
+
+The per netns loopback_dev->ip6_ptr is unregistered and set to
+NULL when its mtu is set to smaller than IPV6_MIN_MTU, this
+leads to that we could set rt->rt6i_idev NULL after a
+rt6_uncached_list_flush_dev() and then crash after another
+call.
+
+In this case we should just bring its inet6_dev down, rather
+than unregistering it, at least prior to commit 176c39af29bc
+("netns: fix addrconf_ifdown kernel panic") we always
+override the case for loopback.
+
+Thanks a lot to Andrey for finding a reliable reproducer.
+
+Fixes: 176c39af29bc ("netns: fix addrconf_ifdown kernel panic")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Cc: Daniel Lezcano <dlezcano@fr.ibm.com>
+Cc: David Ahern <dsahern@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2829,6 +2829,7 @@ static int addrconf_notify(struct notifi
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct inet6_dev *idev = __in6_dev_get(dev);
++ struct net *net = dev_net(dev);
+ int run_pending = 0;
+ int err;
+
+@@ -2925,7 +2926,7 @@ static int addrconf_notify(struct notifi
+ * IPV6_MIN_MTU stop IPv6 on this interface.
+ */
+ if (dev->mtu < IPV6_MIN_MTU)
+- addrconf_ifdown(dev, 1);
++ addrconf_ifdown(dev, dev != net->loopback_dev);
+ }
+ break;
+
--- /dev/null
+From 6f64ec74515925cced6df4571638b5a099a49aae Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 27 Jun 2017 07:02:20 -0700
+Subject: net: prevent sign extension in dev_get_stats()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6f64ec74515925cced6df4571638b5a099a49aae upstream.
+
+Similar to the fix provided by Dominik Heidler in commit
+9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
+we need to take care of 32bit kernels in dev_get_stats().
+
+When using atomic_long_read(), we add a 'long' to u64 and
+might misinterpret high order bit, unless we cast to unsigned.
+
+Fixes: caf586e5f23ce ("net: add a core netdev->rx_dropped counter")
+Fixes: 015f0688f57ca ("net: net: add a core netdev->tx_dropped counter")
+Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6561,8 +6561,8 @@ struct rtnl_link_stats64 *dev_get_stats(
+ } else {
+ netdev_stats_to_stats64(storage, &dev->stats);
+ }
+- storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
+- storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
++ storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped);
++ storage->tx_dropped += (unsigned long)atomic_long_read(&dev->tx_dropped);
+ return storage;
+ }
+ EXPORT_SYMBOL(dev_get_stats);
ipv6-avoid-unregistering-inet6_dev-for-loopback.patch
tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
+net-prevent-sign-extension-in-dev_get_stats.patch
--- /dev/null
+From d747a7a51b00984127a88113cdbbc26f91e9d815 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Sat, 24 Jun 2017 23:50:30 -0700
+Subject: tcp: reset sk_rx_dst in tcp_disconnect()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit d747a7a51b00984127a88113cdbbc26f91e9d815 upstream.
+
+We have to reset the sk->sk_rx_dst when we disconnect a TCP
+connection, because otherwise when we re-connect it this
+dst reference is simply overridden in tcp_finish_connect().
+
+This fixes a dst leak which leads to a loopback dev refcnt
+leak. It is a long-standing bug, Kevin reported a very similar
+(if not same) bug before. Thanks to Andrei for providing such
+a reliable reproducer which greatly narrows down the problem.
+
+Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
+Reported-by: Andrei Vagin <avagin@gmail.com>
+Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2268,6 +2268,8 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_init_send_head(sk);
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
++ dst_release(sk->sk_rx_dst);
++ sk->sk_rx_dst = NULL;
+
+ WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
