From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 20:05:47 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.139~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d328e2fb21f6f36d31d76368e9025d6d402578e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: bonding-fix-event-handling-for-stacked-bonds.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch ipv4-recompile-ip-options-in-ipv4_link_failure.patch net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch tcp-tcp_grow_window-needs-to-respect-tcp_space.patch --- diff --git a/queue-3.18/bonding-fix-event-handling-for-stacked-bonds.patch b/queue-3.18/bonding-fix-event-handling-for-stacked-bonds.patch new file mode 100644 index 00000000000..f7ed204bed6 --- /dev/null +++ b/queue-3.18/bonding-fix-event-handling-for-stacked-bonds.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST +From: Sabrina Dubroca +Date: Fri, 12 Apr 2019 15:04:10 +0200 +Subject: bonding: fix event handling for stacked bonds + +From: Sabrina Dubroca + +[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ] + +When a bond is enslaved to another bond, bond_netdev_event() only +handles the event as if the bond is a master, and skips treating the +bond as a slave. + +This leads to a refcount leak on the slave, since we don't remove the +adjacency to its master and the master holds a reference on the slave. + +Reproducer: + ip link add bondL type bond + ip link add bondU type bond + ip link set bondL master bondU + ip link del bondL + +No "Fixes:" tag, this code is older than git history. + +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2958,8 +2958,12 @@ static int bond_netdev_event(struct noti + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { diff --git a/queue-3.18/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/queue-3.18/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..25d4e8c59bb --- /dev/null +++ b/queue-3.18/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch @@ -0,0 +1,88 @@ +From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST +From: Eric Dumazet +Date: Sat, 13 Apr 2019 17:32:21 -0700 +Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure() + +From: Eric Dumazet + +[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ] + +fib_compute_spec_dst() needs to be called under rcu protection. + +syzbot reported : + +WARNING: suspicious RCU usage +5.1.0-rc4+ #165 Not tainted +include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by swapper/0/0: + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline] + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315 + +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162 + __in_dev_get_rcu include/linux/inetdevice.h:220 [inline] + fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294 + spec_dst_fill net/ipv4/ip_options.c:245 [inline] + __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343 + ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195 + dst_link_failure include/net/dst.h:427 [inline] + arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297 + neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995 + neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081 + call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:374 [inline] + irq_exit+0x180/0x1d0 kernel/softirq.c:414 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807 + +Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1150,14 +1150,20 @@ static struct dst_entry *ipv4_dst_check( + + static void ipv4_link_failure(struct sk_buff *skb) + { +- struct rtable *rt; + struct ip_options opt; ++ struct rtable *rt; ++ int res; + + /* Recompile ip options since IPCB may not be valid anymore. + */ + memset(&opt, 0, sizeof(opt)); + opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); +- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) + return; + + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); diff --git a/queue-3.18/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/queue-3.18/ipv4-recompile-ip-options-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..397fcf550b6 --- /dev/null +++ b/queue-3.18/ipv4-recompile-ip-options-in-ipv4_link_failure.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST +From: Stephen Suryaputra +Date: Fri, 12 Apr 2019 16:19:27 -0400 +Subject: ipv4: recompile ip options in ipv4_link_failure + +From: Stephen Suryaputra + +[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ] + +Recompile IP options since IPCB may not be valid anymore when +ipv4_link_failure is called from arp_error_report. + +Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error") +and the commit before that (9ef6b42ad6fd) for a similar issue. + +Signed-off-by: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1151,8 +1151,16 @@ static struct dst_entry *ipv4_dst_check( + static void ipv4_link_failure(struct sk_buff *skb) + { + struct rtable *rt; ++ struct ip_options opt; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ return; ++ ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) diff --git a/queue-3.18/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch b/queue-3.18/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch new file mode 100644 index 00000000000..db1d9065b63 --- /dev/null +++ b/queue-3.18/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST +From: Nikolay Aleksandrov +Date: Thu, 11 Apr 2019 15:08:25 +0300 +Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier + +From: Nikolay Aleksandrov + +[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ] + +br_multicast_start_querier() walks over the port list but it can be +called from a timer with only multicast_lock held which doesn't protect +the port list, so use RCU to walk over it. + +Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2023,7 +2023,8 @@ static void br_multicast_start_querier(s + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -2035,6 +2036,7 @@ static void br_multicast_start_querier(s + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) diff --git a/queue-3.18/series b/queue-3.18/series index 7f75c8fea37..ecbd07a49bf 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -87,3 +87,8 @@ inet-update-the-ip-id-generation-algorithm-to-higher-standards.patch appletalk-fix-compile-regression.patch crypto-crypto4xx-properly-set-iv-after-de-and-encryp.patch tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-.patch +bonding-fix-event-handling-for-stacked-bonds.patch +net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch +ipv4-recompile-ip-options-in-ipv4_link_failure.patch +ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch +tcp-tcp_grow_window-needs-to-respect-tcp_space.patch diff --git a/queue-3.18/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch b/queue-3.18/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch new file mode 100644 index 00000000000..62428a9ead0 --- /dev/null +++ b/queue-3.18/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch @@ -0,0 +1,63 @@ +From foo@baz Tue 23 Apr 2019 10:04:06 PM CEST +From: Eric Dumazet +Date: Tue, 16 Apr 2019 10:55:20 -0700 +Subject: tcp: tcp_grow_window() needs to respect tcp_space() + +From: Eric Dumazet + +[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ] + +For some reason, tcp_grow_window() correctly tests if enough room +is present before attempting to increase tp->rcv_ssthresh, +but does not prevent it to grow past tcp_space() + +This is causing hard to debug issues, like failing +the (__tcp_select_window(sk) >= tp->rcv_wnd) test +in __tcp_ack_snd_check(), causing ACK delays and possibly +slow flows. + +Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio, +we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000" +after about 60 round trips, when the active side no longer sends +immediate acks. + +This bug predates git history. + +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Acked-by: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -358,11 +358,12 @@ static int __tcp_grow_window(const struc + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !sk_under_memory_pressure(sk)) { ++ if (room > 0 && !sk_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -375,8 +376,7 @@ static void tcp_grow_window(struct sock + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + }