From: Greg Kroah-Hartman Date: Thu, 8 Jun 2017 07:33:23 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.57~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c753400c71ca79e50017d656a8a0d3d49f16174;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: bnx2x-fix-multi-cos.patch cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch ipv6-fix-leak-in-ipv6_gso_segment.patch ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch net-ethoc-enable-napi-before-poll-may-be-scheduled.patch net-ping-do-not-abuse-udp_poll.patch tcp-disallow-cwnd-undo-when-switching-congestion-control.patch
---
diff --git a/queue-3.18/bnx2x-fix-multi-cos.patch b/queue-3.18/bnx2x-fix-multi-cos.patch
new file mode 100644
index 00000000000..906b5f19762
--- /dev/null
+++ b/queue-3.18/bnx2x-fix-multi-cos.patch
@@ -0,0 +1,38 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: "Mintz, Yuval"
+Date: Thu, 1 Jun 2017 15:57:56 +0300
+Subject: bnx2x: Fix Multi-Cos
+
+From: "Mintz, Yuval"
+
+
+[ Upstream commit 3968d38917eb9bd0cd391265f6c9c538d9b33ffa ]
+
+Apparently multi-cos isn't working for bnx2x quite some time -
+driver implements ndo_select_queue() to allow queue-selection
+for FCoE, but the regular L2 flow would cause it to modulo the
+fallback's result by the number of queues.
+The fallback would return a queue matching the needed tc
+[via __skb_tx_hash()], but since the modulo is by the number of TSS
+queues where number of TCs is not accounted, transmission would always
+be done by a queue configured into using TC0.
+
+Fixes: ada7c19e6d27 ("bnx2x: use XPS if possible for bnx2x_select_queue instead of pure hash")
+Signed-off-by: Yuval Mintz
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -1929,7 +1929,7 @@ u16 bnx2x_select_queue(struct net_device
+ }
+
+ /* select a non-FCoE queue */
+- return fallback(dev, skb) % BNX2X_NUM_ETH_QUEUES(bp);
++ return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
+ }
+
+ void bnx2x_set_num_queues(struct bnx2x *bp)
diff --git a/queue-3.18/cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch b/queue-3.18/cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch
new file mode 100644
index 00000000000..89b4ea6a95f
--- /dev/null
+++ b/queue-3.18/cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch
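Review bot: The comment above the changed return in bnx2x_select_queue() still reads only `/* select a non-FCoE queue */`, so nothing at the call site explains why the modulus is now the product of the queue count and `bp->max_cos`. I would extend it to `/* select a non-FCoE queue; the modulus spans every per-TC queue so the tc picked by fallback() is kept */`. The divisor is also assumed to be non-zero; presumably both factors are at least 1 once the device is configured, but they are set outside the hunk and that is worth confirming. The function body starts outside the hunk.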
@@ -0,0 +1,38 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: Ganesh Goudar
+Date: Wed, 31 May 2017 18:26:28 +0530
+Subject: cxgb4: avoid enabling napi twice to the same queue
+
+From: Ganesh Goudar
+
+
+[ Upstream commit e7519f9926f1d0d11c776eb0475eb098c7760f68 ]
+
+Take uld mutex to avoid race between cxgb_up() and
+cxgb4_register_uld() to enable napi for the same uld
+queue.
+
+Signed-off-by: Ganesh Goudar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -4580,10 +4580,14 @@ static int cxgb_up(struct adapter *adap)
+ if (err)
+ goto irq_err;
+ }
++
++ mutex_lock(&uld_mutex);
+ enable_rx(adap);
+ t4_sge_start(adap);
+ t4_intr_enable(adap);
+ adap->flags |= FULL_INIT_DONE;
++ mutex_unlock(&uld_mutex);
++
+ notify_ulds(adap, CXGB4_STATE_UP);
+ #if IS_ENABLED(CONFIG_IPV6)
+ update_clip(adap);
diff --git a/queue-3.18/ipv6-fix-leak-in-ipv6_gso_segment.patch b/queue-3.18/ipv6-fix-leak-in-ipv6_gso_segment.patch
new file mode 100644
index 00000000000..69a6ecec79a
--- /dev/null
+++ b/queue-3.18/ipv6-fix-leak-in-ipv6_gso_segment.patch
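Review bot: The new `mutex_lock(&uld_mutex)` in cxgb_up() has no comment naming what it protects, and the lock is released just before `notify_ulds(adap, CXGB4_STATE_UP)`. A line such as `/* uld_mutex: cxgb4_register_uld() must not enable napi on the same uld queue while we do */` above the lock would record the intent that is currently only in the commit message. The callers of cxgb_up() are outside the hunk; since a kernel mutex is not recursive, it is worth confirming that no path reaches this function with uld_mutex already held. No `goto` sits between the lock and the unlock in the visible lines, so the error labels do not need an unlock.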
@@ -0,0 +1,35 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: "David S. Miller"
+Date: Sun, 4 Jun 2017 21:41:10 -0400
+Subject: ipv6: Fix leak in ipv6_gso_segment().
+
+From: "David S. Miller"
+
+
+[ Upstream commit e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789 ]
+
+If ip6_find_1stfragopt() fails and we return an error we have to free
+up 'segs' because nobody else is going to.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Ben Hutchings
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_offload.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -121,8 +121,10 @@ static struct sk_buff *ipv6_gso_segment(
+
+ if (udpfrag) {
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb_list(segs);
+ return ERR_PTR(err);
++ }
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ fptr->frag_off = htons(offset);
+ if (skb->next != NULL)
diff --git a/queue-3.18/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch b/queue-3.18/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch
new file mode 100644
index 00000000000..9d3c29ee596
--- /dev/null
+++ b/queue-3.18/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch
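Review bot: The error branch added in ipv6_gso_segment() frees `segs` and returns, but the code carries no note on why the free belongs here; the ownership rule ("nobody else is going to") lives only in the commit message. A comment such as `/* the caller only sees the ERR_PTR, so the segment list must be freed here */` above `kfree_skb_list(segs)` would keep a later refactor from reintroducing the leak. The Fixes tag points at the change that made ip6_find_1stfragopt() able to fail, so any other caller that still uses its result as an offset without a `< 0` check would have the same problem; those callers are not visible in this hunk. The enclosing function starts and ends outside the hunk.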
@@ -0,0 +1,45 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: Ben Hutchings
+Date: Wed, 31 May 2017 13:15:41 +0100
+Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+
+From: Ben Hutchings
+
+
+[ Upstream commit 6e80ac5cc992ab6256c3dae87f7e57db15e1a58c ]
+
+xfrm6_find_1stfragopt() may now return an error code and we must
+not treat it as a length.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Signed-off-by: Ben Hutchings
+Acked-by: Craig Gallek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/xfrm6_mode_ro.c | 2 ++
+ net/ipv6/xfrm6_mode_transport.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv6/xfrm6_mode_ro.c
++++ b/net/ipv6/xfrm6_mode_ro.c
+@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
+ iph = ipv6_hdr(skb);
+
+ hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++ if (hdr_len < 0)
++ return hdr_len;
+ skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ skb_set_network_header(skb, -x->props.header_len);
+ skb->transport_header = skb->network_header + hdr_len;
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
+ iph = ipv6_hdr(skb);
+
+ hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++ if (hdr_len < 0)
++ return hdr_len;
+ skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ skb_set_network_header(skb, -x->props.header_len);
+ skb->transport_header = skb->network_header + hdr_len;
diff --git a/queue-3.18/net-ethoc-enable-napi-before-poll-may-be-scheduled.patch b/queue-3.18/net-ethoc-enable-napi-before-poll-may-be-scheduled.patch
new file mode 100644
index 00000000000..209719cd643
--- /dev/null
+++ b/queue-3.18/net-ethoc-enable-napi-before-poll-may-be-scheduled.patch
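Review bot: The new `if (hdr_len < 0)` test in xfrm6_ro_output() and xfrm6_transport_output() is only effective if `hdr_len` is a signed int, and its declaration is outside both hunks. If it were unsigned or narrower than int, a negative errno from `hdr_offset()` would still reach `skb->network_header + hdr_len` as a bogus offset, so the declaration should be confirmed when backporting. I would also add `/* hdr_offset() may return a negative errno; never use it as a length */` above the check in both files, since the call site otherwise looks like it returns a plain length. Both functions start and end outside the hunks.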
@@ -0,0 +1,46 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: Max Filippov
+Date: Mon, 5 Jun 2017 18:31:16 -0700
+Subject: net: ethoc: enable NAPI before poll may be scheduled
+
+From: Max Filippov
+
+
+[ Upstream commit d220b942a4b6a0640aee78841608f4aa5e8e185e ]
+
+ethoc_reset enables device interrupts, ethoc_interrupt may schedule a
+NAPI poll before NAPI is enabled in the ethoc_open, which results in
+device being unable to send or receive anything until it's closed and
+reopened. In case the device is flooded with ingress packets it may be
+unable to recover at all.
+Move napi_enable above ethoc_reset in the ethoc_open to fix that.
+
+Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
+Signed-off-by: Max Filippov
+Reviewed-by: Tobias Klauser
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ethoc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ethoc.c
++++ b/drivers/net/ethernet/ethoc.c
+@@ -706,6 +706,8 @@ static int ethoc_open(struct net_device
+ if (ret)
+ return ret;
+
++ napi_enable(&priv->napi);
++
+ ethoc_init_ring(priv, dev->mem_start);
+ ethoc_reset(priv);
+
+@@ -718,7 +720,6 @@ static int ethoc_open(struct net_device
+ }
+
+ phy_start(priv->phy);
+- napi_enable(&priv->napi);
+
+ if (netif_msg_ifup(priv)) {
+ dev_info(&dev->dev, "I/O: %08lx Memory: %08lx-%08lx\n",
diff --git a/queue-3.18/net-ping-do-not-abuse-udp_poll.patch b/queue-3.18/net-ping-do-not-abuse-udp_poll.patch
new file mode 100644
index 00000000000..76dc4b5eaf3
--- /dev/null
+++ b/queue-3.18/net-ping-do-not-abuse-udp_poll.patch
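Review bot: Nothing in ethoc_open() records that `napi_enable(&priv->napi)` now has to stay ahead of `ethoc_reset(priv)`, so a later cleanup could move it back and bring the stall described in the commit message with it. I would add `/* enable NAPI first: ethoc_reset() enables device interrupts and the handler may schedule a poll */` above the call. The statement that sets `ret` before `if (ret) return ret;` is outside the hunk; if it is the interrupt registration, a handler run before napi_enable() may still be possible in principle and is worth a look. The function continues outside both hunks.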
@@ -0,0 +1,76 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: Eric Dumazet
+Date: Sat, 3 Jun 2017 09:29:25 -0700
+Subject: net: ping: do not abuse udp_poll()
+
+From: Eric Dumazet
+
+
+[ Upstream commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 ]
+
+Alexander reported various KASAN messages triggered in recent kernels
+
+The problem is that ping sockets should not use udp_poll() in the first
+place, and recent changes in UDP stack finally exposed this old bug.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Eric Dumazet
+Reported-by: Sasha Levin
+Cc: Solar Designer
+Cc: Vasiliy Kulikov
+Cc: Lorenzo Colitti
+Acked-By: Lorenzo Colitti
+Tested-By: Lorenzo Colitti
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ipv6.h | 1 +
+ net/ipv4/af_inet.c | 2 +-
+ net/ipv6/ping.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -898,6 +898,7 @@ int inet6_hash_connect(struct inet_timew
+ */
+ extern const struct proto_ops inet6_stream_ops;
+ extern const struct proto_ops inet6_dgram_ops;
++extern const struct proto_ops inet6_sockraw_ops;
+
+ struct group_source_req;
+ struct group_filter;
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1016,7 +1016,7 @@ static struct inet_protosw inetsw_array[
+ .type = SOCK_DGRAM,
+ .protocol = IPPROTO_ICMP,
+ .prot = &ping_prot,
+- .ops = &inet_dgram_ops,
++ .ops = &inet_sockraw_ops,
+ .flags = INET_PROTOSW_REUSE,
+ },
+
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -50,7 +50,7 @@ static struct inet_protosw pingv6_protos
+ .type = SOCK_DGRAM,
+ .protocol = IPPROTO_ICMPV6,
+ .prot = &pingv6_prot,
+- .ops = &inet6_dgram_ops,
++ .ops = &inet6_sockraw_ops,
+ .flags = INET_PROTOSW_REUSE,
+ };
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -1296,7 +1296,7 @@ void raw6_proc_exit(void)
+ #endif /* CONFIG_PROC_FS */
+
+ /* Same as inet6_dgram_ops, sans udp_poll. */
+-static const struct proto_ops inet6_sockraw_ops = {
++const struct proto_ops inet6_sockraw_ops = {
+ .family = PF_INET6,
+ .owner = THIS_MODULE,
+ .release = inet6_release,
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644
index 00000000000..693e9fd5742
--- /dev/null
+++ b/queue-3.18/series
@@ -0,0 +1,7 @@
+bnx2x-fix-multi-cos.patch
+ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch
+cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch
+tcp-disallow-cwnd-undo-when-switching-congestion-control.patch
+ipv6-fix-leak-in-ipv6_gso_segment.patch
+net-ping-do-not-abuse-udp_poll.patch
+net-ethoc-enable-napi-before-poll-may-be-scheduled.patch
diff --git a/queue-3.18/tcp-disallow-cwnd-undo-when-switching-congestion-control.patch b/queue-3.18/tcp-disallow-cwnd-undo-when-switching-congestion-control.patch
new file mode 100644
index 00000000000..cfd03be2223
--- /dev/null
+++ b/queue-3.18/tcp-disallow-cwnd-undo-when-switching-congestion-control.patch
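Review bot: The two changed `.ops` entries, in inetsw_array[] and in pingv6_protosw, now point ping sockets at the raw-socket ops table with no comment saying why; the reason (ping sockets must not go through udp_poll()) is only in the commit message. A one-line comment on each entry, e.g. `/* not inet_dgram_ops: ping sockets must not use udp_poll() */`, would keep the entry from being changed back to the datagram ops that the `SOCK_DGRAM` type suggests. In raw.c the existing comment `/* Same as inet6_dgram_ops, sans udp_poll. */` could also say that the table is now shared with net/ipv6/ping.c, since dropping `static` widens who depends on it. All four hunks cut through their enclosing definitions.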
@@ -0,0 +1,44 @@
+From foo@baz Thu Jun 8 09:17:40 CEST 2017
+From: Yuchung Cheng
+Date: Wed, 31 May 2017 11:21:27 -0700
+Subject: tcp: disallow cwnd undo when switching congestion control
+
+From: Yuchung Cheng
+
+
+[ Upstream commit 44abafc4cc094214a99f860f778c48ecb23422fc ]
+
+When the sender switches its congestion control during loss
+recovery, if the recovery is spurious then it may incorrectly
+revert cwnd and ssthresh to the older values set by a previous
+congestion control. Consider a congestion control (like BBR)
+that does not use ssthresh and keeps it infinite: the connection
+may incorrectly revert cwnd to an infinite value when switching
+from BBR to another congestion control.
+
+This patch fixes it by disallowing such cwnd undo operation
+upon switching congestion control. Note that undo_marker
+is not reset s.t. the packets that were incorrectly marked
+lost would be corrected. We only avoid undoing the cwnd in
+tcp_undo_cwnd_reduction().
+
+Signed-off-by: Yuchung Cheng
+Signed-off-by: Soheil Hassas Yeganeh
+Signed-off-by: Neal Cardwell
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_cong.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -103,6 +103,7 @@ void tcp_init_congestion_control(struct
+ {
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+
++ tcp_sk(sk)->prior_ssthresh = 0;
+ if (icsk->icsk_ca_ops->init)
+ icsk->icsk_ca_ops->init(sk);
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..e1e27e29ab0
--- /dev/null
+++ b/queue-4.4/series
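Review bot: The added `tcp_sk(sk)->prior_ssthresh = 0;` in tcp_init_congestion_control() is unexplained in the code, and read on its own it looks like stray initialisation that could be dropped. A comment such as `/* forbid cwnd undo across a congestion-control switch; undo_marker is left alone on purpose */` would carry over the two points the commit message makes. The message describes the switching case, while the function name suggests it may also run at first initialisation (callers are not visible here); clearing the field there looks harmless, but the comment should state that the reset is meant for every call.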
@@ -0,0 +1,19 @@
+bnx2x-fix-multi-cos.patch
+ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfragopt.patch
+cxgb4-avoid-enabling-napi-twice-to-the-same-queue.patch
+tcp-disallow-cwnd-undo-when-switching-congestion-control.patch
+vxlan-fix-use-after-free-on-deletion.patch
+ipv6-fix-leak-in-ipv6_gso_segment.patch
+net-ping-do-not-abuse-udp_poll.patch
+net-ethoc-enable-napi-before-poll-may-be-scheduled.patch
+net-bridge-start-hello-timer-only-if-device-is-up.patch
+sparc64-add-__multi3-for-gcc-7.x-and-later.patch
+sparc64-mm-fix-copy_tsb-to-correctly-copy-huge-page-tsbs.patch
+sparc-machine-description-indices-can-vary.patch
+sparc64-reset-mm-cpumask-after-wrap.patch
+sparc64-combine-activate_mm-and-switch_mm.patch
+sparc64-redefine-first-version.patch
+sparc64-add-per-cpu-mm-of-secondary-contexts.patch
+sparc64-new-context-wrap.patch
+sparc64-delete-old-wrap-code.patch
+arch-sparc-support-nr_cpus-4096.patch