Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/ipv6/addrconf.c | 3 ++-
+ net/ipv6/addrconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 78dd9ce1214f7..bbc5dd769ebcd 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
-@@ -949,7 +949,8 @@ check_cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long *expires)
+@@ -949,7 +949,8 @@ check_cleanup_prefix_route(struct inet6_
list_for_each_entry(ifa, &idev->addr_list, if_list) {
if (ifa == ifp)
continue;
ifp->prefix_len))
continue;
if (ifa->flags & (IFA_F_PERMANENT | IFA_F_NOPREFIXROUTE))
---
-2.19.1
-
--- /dev/null
+From foo@baz Thu Feb 21 08:41:54 CET 2019
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 6 Feb 2019 19:18:04 +0100
+Subject: net: ipv4: use a dedicated counter for icmp_v4 redirect packets
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit c09551c6ff7fe16a79a42133bcecba5fc2fc3291 ]
+
+According to the algorithm described in the comment block at the
+beginning of ip_rt_send_redirect, the host should try to send
+'ip_rt_redirect_number' ICMP redirect packets with an exponential
+backoff and then stop sending them at all assuming that the destination
+ignores redirects.
+If the device has previously sent some ICMP error packets that are
+rate-limited (e.g TTL expired) and continues to receive traffic,
+the redirect packets will never be transmitted. This happens since
+peer->rate_tokens will be typically greater than 'ip_rt_redirect_number'
+and so it will never be reset even if the redirect silence timeout
+(ip_rt_redirect_silence) has elapsed without receiving any packet
+requiring redirects.
+
+Fix it by using a dedicated counter for the number of ICMP redirect
+packets that has been sent by the host
+
+I have not been able to identify a given commit that introduced the
+issue since ip_rt_send_redirect implements the same rate-limiting
+algorithm from commit 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inetpeer.h | 1 +
+ net/ipv4/inetpeer.c | 1 +
+ net/ipv4/route.c | 7 +++++--
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/net/inetpeer.h
++++ b/include/net/inetpeer.h
+@@ -35,6 +35,7 @@ struct inet_peer {
+
+ u32 metrics[RTAX_MAX];
+ u32 rate_tokens; /* rate limiting for ICMP */
++ u32 n_redirects;
+ unsigned long rate_last;
+ union {
+ struct list_head gc_list;
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -464,6 +464,7 @@ relookup:
+ atomic_set(&p->rid, 0);
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+ p->rate_tokens = 0;
++ p->n_redirects = 0;
+ /* 60*HZ is arbitrary, but chosen enough high so that the first
+ * calculation of tokens is at its maximum.
+ */
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -864,13 +864,15 @@ void ip_rt_send_redirect(struct sk_buff
+ /* No redirected packets during ip_rt_redirect_silence;
+ * reset the algorithm.
+ */
+- if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence))
++ if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence)) {
+ peer->rate_tokens = 0;
++ peer->n_redirects = 0;
++ }
+
+ /* Too many ignored redirects; do not send anything
+ * set dst.rate_last to the last seen redirected packet.
+ */
+- if (peer->rate_tokens >= ip_rt_redirect_number) {
++ if (peer->n_redirects >= ip_rt_redirect_number) {
+ peer->rate_last = jiffies;
+ goto out_put_peer;
+ }
+@@ -887,6 +889,7 @@ void ip_rt_send_redirect(struct sk_buff
+ icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw);
+ peer->rate_last = jiffies;
+ ++peer->rate_tokens;
++ ++peer->n_redirects;
+ #ifdef CONFIG_IP_ROUTE_VERBOSE
+ if (log_martians &&
+ peer->rate_tokens == ip_rt_redirect_number)
--- /dev/null
+From foo@baz Thu Feb 21 08:41:54 CET 2019
+From: Jose Abreu <jose.abreu@synopsys.com>
+Date: Mon, 18 Feb 2019 14:35:03 +0100
+Subject: net: stmmac: Fix a race in EEE enable callback
+
+From: Jose Abreu <jose.abreu@synopsys.com>
+
+[ Upstream commit 8a7493e58ad688eb23b81e45461c5d314f4402f1 ]
+
+We are saving the status of EEE even before we try to enable it. This
+leads to a race with XMIT function that tries to arm EEE timer before we
+set it up.
+
+Fix this by only saving the EEE parameters after all operations are
+performed with success.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -614,25 +614,27 @@ static int stmmac_ethtool_op_set_eee(str
+ struct ethtool_eee *edata)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+-
+- if (!priv->eee_enabled)
++ if (!edata->eee_enabled) {
+ stmmac_disable_eee_mode(priv);
+- else {
++ } else {
+ /* We are asking for enabling the EEE but it is safe
+ * to verify all by invoking the eee_init function.
+ * In case of failure it will return an error.
+ */
+- priv->eee_enabled = stmmac_eee_init(priv);
+- if (!priv->eee_enabled)
++ edata->eee_enabled = stmmac_eee_init(priv);
++ if (!edata->eee_enabled)
+ return -EOPNOTSUPP;
+-
+- /* Do not change tx_lpi_timer in case of failure */
+- priv->tx_lpi_timer = edata->tx_lpi_timer;
+ }
+
+- return phy_ethtool_set_eee(priv->phydev, edata);
++ ret = phy_ethtool_set_eee(dev->phydev, edata);
++ if (ret)
++ return ret;
++
++ priv->eee_enabled = edata->eee_enabled;
++ priv->tx_lpi_timer = edata->tx_lpi_timer;
++ return 0;
+ }
+
+ static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
net-fix-ipv6-prefix-route-residue.patch
+sky2-increase-d3-delay-again.patch
+tcp-tcp_v4_err-should-be-more-careful.patch
+tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
+vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch
+vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch
+net-stmmac-fix-a-race-in-eee-enable-callback.patch
+net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch
--- /dev/null
+From foo@baz Thu Feb 21 10:01:20 CET 2019
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 19 Feb 2019 23:45:29 +0800
+Subject: sky2: Increase D3 delay again
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 1765f5dcd00963e33f1b8a4e0f34061fbc0e2f7f ]
+
+Another platform requires even longer delay to make the device work
+correctly after S3.
+
+So increase the delay to 300ms.
+
+BugLink: https://bugs.launchpad.net/bugs/1798921
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5069,7 +5069,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 200;
++ pdev->d3_delay = 300;
+
+ return 0;
+
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Feb 2019 13:36:20 -0800
+Subject: tcp: clear icsk_backoff in tcp_write_queue_purge()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 04c03114be82194d4a4858d41dba8e286ad1787c ]
+
+soukjin bae reported a crash in tcp_v4_err() handling
+ICMP_DEST_UNREACH after tcp_write_queue_head(sk)
+returned a NULL pointer.
+
+Current logic should have prevented this :
+
+ if (seq != tp->snd_una || !icsk->icsk_retransmits ||
+ !icsk->icsk_backoff || fastopen)
+ break;
+
+Problem is the write queue might have been purged
+and icsk_backoff has not been cleared.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: soukjin bae <soukjin.bae@samsung.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1379,6 +1379,7 @@ static inline void tcp_write_queue_purge
+ sk_wmem_free_skb(sk, skb);
+ sk_mem_reclaim(sk);
+ tcp_clear_all_retrans_hints(tcp_sk(sk));
++ inet_csk(sk)->icsk_backoff = 0;
+ }
+
+ static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2258,7 +2258,6 @@ int tcp_disconnect(struct sock *sk, int
+ tp->srtt_us = 0;
+ if ((tp->write_seq += tp->max_window + 2) == 0)
+ tp->write_seq = 1;
+- icsk->icsk_backoff = 0;
+ tp->snd_cwnd = 2;
+ icsk->icsk_probes_out = 0;
+ tp->packets_out = 0;
--- /dev/null
+From foo@baz Thu Feb 21 08:41:54 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Feb 2019 13:36:21 -0800
+Subject: tcp: tcp_v4_err() should be more careful
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2c4cc9712364c051b1de2d175d5fbea6be948ebf ]
+
+ICMP handlers are not very often stressed, we should
+make them more resilient to bugs that might surface in
+the future.
+
+If there is no packet in retransmit queue, we should
+avoid a NULL deref.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: soukjin bae <soukjin.bae@samsung.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -432,14 +432,15 @@ void tcp_v4_err(struct sk_buff *icmp_skb
+ if (sock_owned_by_user(sk))
+ break;
+
++ skb = tcp_write_queue_head(sk);
++ if (WARN_ON_ONCE(!skb))
++ break;
++
+ icsk->icsk_backoff--;
+ icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
+ TCP_TIMEOUT_INIT;
+ icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
+
+- skb = tcp_write_queue_head(sk);
+- BUG_ON(!skb);
+-
+ remaining = icsk->icsk_rto -
+ min(icsk->icsk_rto,
+ tcp_time_stamp - tcp_skb_timestamp(skb));
--- /dev/null
+From foo@baz Thu Feb 21 10:01:20 CET 2019
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 7 Feb 2019 14:13:18 +0100
+Subject: vsock: cope with memory allocation failure at socket creation time
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 225d9464268599a5b4d094d02ec17808e44c7553 ]
+
+In the unlikely event that the kmalloc call in vmci_transport_socket_init()
+fails, we end-up calling vmci_transport_destruct() with a NULL vmci_trans()
+and oopsing.
+
+This change addresses the above explicitly checking for zero vmci_trans()
+at destruction time.
+
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -1663,6 +1663,10 @@ static int vmci_transport_socket_init(st
+
+ static void vmci_transport_destruct(struct vsock_sock *vsk)
+ {
++ /* transport can be NULL if we hit a failure at init() time */
++ if (!vmci_trans(vsk))
++ return;
++
+ if (vmci_trans(vsk)->attach_sub_id != VMCI_INVALID_ID) {
+ vmci_event_unsubscribe(vmci_trans(vsk)->attach_sub_id);
+ vmci_trans(vsk)->attach_sub_id = VMCI_INVALID_ID;
--- /dev/null
+From foo@baz Thu Feb 21 08:41:54 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Feb 2019 12:27:38 -0800
+Subject: vxlan: test dev->flags & IFF_UP before calling netif_rx()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4179cb5a4c924cd233eaadd081882425bc98f44e ]
+
+netif_rx() must be called under a strict contract.
+
+At device dismantle phase, core networking clears IFF_UP
+and flush_all_backlogs() is called after rcu grace period
+to make sure no incoming packet might be in a cpu backlog
+and still referencing the device.
+
+Most drivers call netif_rx() from their interrupt handler,
+and since the interrupts are disabled at device dismantle,
+netif_rx() does not have to check dev->flags & IFF_UP
+
+Virtual drivers do not have this guarantee, and must
+therefore make the check themselves.
+
+Otherwise we risk use-after-free and/or crashes.
+
+Note this patch also fixes a small issue that came
+with commit ce6502a8f957 ("vxlan: fix a use after free
+in vxlan_encap_bypass"), since the dev->stats.rx_dropped
+change was done on the wrong device.
+
+Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
+Fixes: ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Petr Machata <petrm@mellanox.com>
+Cc: Ido Schimmel <idosch@mellanox.com>
+Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
+Cc: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1665,7 +1665,7 @@ static void vxlan_encap_bypass(struct sk
+ struct pcpu_sw_netstats *tx_stats, *rx_stats;
+ union vxlan_addr loopback;
+ union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip;
+- struct net_device *dev = skb->dev;
++ struct net_device *dev;
+ int len = skb->len;
+
+ tx_stats = this_cpu_ptr(src_vxlan->dev->tstats);
+@@ -1685,8 +1685,15 @@ static void vxlan_encap_bypass(struct sk
+ #endif
+ }
+
++ rcu_read_lock();
++ dev = skb->dev;
++ if (unlikely(!(dev->flags & IFF_UP))) {
++ kfree_skb(skb);
++ goto drop;
++ }
++
+ if (dst_vxlan->flags & VXLAN_F_LEARN)
+- vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source);
++ vxlan_snoop(dev, &loopback, eth_hdr(skb)->h_source);
+
+ u64_stats_update_begin(&tx_stats->syncp);
+ tx_stats->tx_packets++;
+@@ -1699,8 +1706,10 @@ static void vxlan_encap_bypass(struct sk
+ rx_stats->rx_bytes += len;
+ u64_stats_update_end(&rx_stats->syncp);
+ } else {
++drop:
+ dev->stats.rx_dropped++;
+ }
++ rcu_read_unlock();
+ }
+
+ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
projects / thirdparty / kernel / stable-queue.git / commitdiff
