From: Greg Kroah-Hartman
Date: Sat, 18 Jun 2016 03:30:19 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.73~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=626532a5cc972e78cb9db0c4466e2b0a7c655950;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
netlink-fix-dump-skb-leak-double-free.patch
sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
---
diff --git a/queue-3.14/netlink-fix-dump-skb-leak-double-free.patch b/queue-3.14/netlink-fix-dump-skb-leak-double-free.patch
new file mode 100644
index 00000000000..2372fea112f
--- /dev/null
+++ b/queue-3.14/netlink-fix-dump-skb-leak-double-free.patch
@@ -0,0 +1,53 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Herbert Xu
+Date: Mon, 16 May 2016 17:28:16 +0800
+Subject: netlink: Fix dump skb leak/double free
+Status: RO
+Content-Length: 1415
+Lines: 47
+
+From: Herbert Xu
+
+[ Upstream commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 ]
+
+When we free cb->skb after a dump, we do it after releasing the
+lock. This means that a new dump could have started in the time
+being and we'll end up freeing their skb instead of ours.
+
+This patch saves the skb and module before we unlock so we free
+the right memory.
+
+Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
+Reported-by: Baozeng Ding
+Signed-off-by: Herbert Xu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2651,6 +2651,7 @@ static int netlink_dump(struct sock *sk)
+ struct netlink_callback *cb;
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
++ struct module *module;
+ int len, err = -ENOBUFS;
+ int alloc_size;
+
+@@ -2700,9 +2701,11 @@ static int netlink_dump(struct sock *sk)
+ cb->done(cb);
+
+ nlk->cb_running = false;
++ module = cb->module;
++ skb = cb->skb;
+ mutex_unlock(nlk->cb_mutex);
+- module_put(cb->module);
+- consume_skb(cb->skb);
++ module_put(module);
++ consume_skb(skb);
+ return 0;
+
+ errout_skb:
diff --git a/queue-3.14/series b/queue-3.14/series
index e69de29bb2d..22bfb20fb8c 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -0,0 +1,3 @@
+netlink-fix-dump-skb-leak-double-free.patch
+sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
+tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
diff --git a/queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch b/queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
new file mode 100644
index 00000000000..074e46c39cd
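Review bot: In the second inner hunk of the af_netlink.c patch (`@@ -2700,9 +2701,11 @@`), the snapshot of `cb->skb` is written into the function's existing `skb` local, which is declared `= NULL` at the top of netlink_dump() and, judging by the `errout_skb` label, presumably also carries the dump buffer built earlier in the function. That code lies outside both hunks, so the backport is only leak-free on 3.14 if the earlier buffer has already been handed off before this path runs; that should be confirmed against the 3.14 tree. A dedicated local removes the dependency: `struct sk_buff *cb_skb;`, `cb_skb = cb->skb;` before `mutex_unlock()`, and `consume_skb(cb_skb);` after it. A one-line comment such as `/* snapshot under cb_mutex: a new dump may reuse cb once we unlock */` would also record why the ordering matters.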
--- /dev/null
+++ b/queue-3.14/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
@@ -0,0 +1,62 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Edward Cree
+Date: Tue, 24 May 2016 18:53:36 +0100
+Subject: sfc: on MC reset, clear PIO buffer linkage in TXQs
+Status: RO
+Content-Length: 1705
+Lines: 56
+
+From: Edward Cree
+
+[ Upstream commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb ]
+
+Otherwise, if we fail to allocate new PIO buffers, our TXQs will try to
+use the old ones, which aren't there any more.
+
+Fixes: 183233bec810 "sfc: Allocate and link PIO buffers; map them with write-combining"
+Signed-off-by: Edward Cree
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sfc/ef10.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -451,6 +451,17 @@ fail:
+ return rc;
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++ struct efx_channel *channel;
++ struct efx_tx_queue *tx_queue;
++
++ /* All our existing PIO buffers went away */
++ efx_for_each_channel(channel, efx)
++ efx_for_each_channel_tx_queue(tx_queue, channel)
++ tx_queue->piobuf = NULL;
++}
++
+ #else /* !EFX_USE_PIO */
+
+ static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
+@@ -467,6 +478,10 @@ static void efx_ef10_free_piobufs(struct
+ {
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++}
++
+ #endif /* EFX_USE_PIO */
+
+ static void efx_ef10_remove(struct efx_nic *efx)
+@@ -698,6 +713,7 @@ static void efx_ef10_reset_mc_allocation
+ nic_data->must_realloc_vis = true;
+ nic_data->must_restore_filters = true;
+ nic_data->must_restore_piobufs = true;
++ efx_ef10_forget_old_piobufs(efx);
+ nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
+ }
+
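Review bot: The new efx_ef10_forget_old_piobufs() in the first inner hunk of the ef10.c patch clears `tx_queue->piobuf` with plain stores, and nothing visible in the patch says what keeps the transmit path from reading that pointer while the MC-reset handling runs. If a queue can still be transmitting at that moment it may already hold the stale mapping, so the calling context is the real safety argument and it is undocumented. Suggest a header comment on the helper, for example `/* Called from MC reset handling; TX queues must not be using PIO while piobuf is cleared */`, adjusted to whatever the driver actually guarantees. The function patched in the last inner hunk starts outside it (its name appears truncated in the hunk header), so that guarantee cannot be checked from here.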
diff --git a/queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch b/queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
new file mode 100644
index 00000000000..f5647e2544a
--- /dev/null
+++ b/queue-3.14/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
@@ -0,0 +1,38 @@
+From foo@baz Fri Jun 17 20:28:14 PDT 2016
+From: Yuchung Cheng
+Date: Mon, 6 Jun 2016 15:07:18 -0700
+Subject: tcp: record TLP and ER timer stats in v6 stats
+Status: RO
+Content-Length: 1152
+Lines: 32
+
+From: Yuchung Cheng
+
+[ Upstream commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc ]
+
+The v6 tcp stats scan do not provide TLP and ER timer information
+correctly like the v4 version . This patch fixes that.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Fixes: eed530b6c676 ("tcp: early retransmit")
+Signed-off-by: Yuchung Cheng
+Signed-off-by: Neal Cardwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/tcp_ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1783,7 +1783,9 @@ static void get_tcp6_sock(struct seq_fil
+ destp = ntohs(inet->inet_dport);
+ srcp = ntohs(inet->inet_sport);
+
+- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
++ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
+ timer_active = 1;
+ timer_expires = icsk->icsk_timeout;
+ } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
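Review bot: The three-way `icsk_pending` test added to get_tcp6_sock() in the tcp_ipv6.c patch appears to duplicate the IPv4 reporting logic by hand, which is how the two fell out of step in the first place (the description says the v4 version already reports the TLP and ER timers). A cross-reference comment above the condition, e.g. `/* keep in sync with get_tcp4_sock() */`, would flag this for whoever adds the next timer type. get_tcp6_sock() starts and ends outside the hunk, so the remaining branches were not reviewed.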