From: Greg Kroah-Hartman Date: Tue, 21 Apr 2015 21:15:38 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v4.0.1~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b296ea995491be1296166cab1555ea905b9a6a40;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: 8139cp-call-dev_kfree_skby_any-instead-of-kfree_skb.patch 8139too-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch bonding-call-dev_kfree_skby_any-instead-of-kfree_skb.patch gianfar-carefully-free-skbs-in-functions-called-by-netpoll.patch ipv6-don-t-reduce-hop-limit-for-an-interface.patch ipv6-protect-skb-sk-accesses-from-recursive-dereference-inside-the-stack.patch ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch mlx4-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch net-mlx4_en-call-register_netdevice-in-the-proper-location.patch r8169-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch tcp-fix-frto-undo-on-cumulative-ack-of-sacked-range.patch tcp-prevent-fetching-dst-twice-in-early-demux-code.patch tcp-tcp_make_synack-should-clear-skb-tstamp.patch tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch --- diff --git a/queue-3.14/8139cp-call-dev_kfree_skby_any-instead-of-kfree_skb.patch b/queue-3.14/8139cp-call-dev_kfree_skby_any-instead-of-kfree_skb.patch new file mode 100644 index 00000000000..f6e68f070e0 --- /dev/null +++ b/queue-3.14/8139cp-call-dev_kfree_skby_any-instead-of-kfree_skb.patch @@ -0,0 +1,28 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:14:58 -0700 +Subject: 8139cp: Call dev_kfree_skby_any instead of kfree_skb. + +From: "Eric W. Biederman" + +Replace kfree_skb with dev_kfree_skb_any in cp_start_xmit +as it can be called in both hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/8139cp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -899,7 +899,7 @@ out_unlock: + + return NETDEV_TX_OK; + out_dma_error: +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + cp->dev->stats.tx_dropped++; + goto out_unlock; + } diff --git a/queue-3.14/8139too-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/8139too-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..d884aefecc8 --- /dev/null +++ b/queue-3.14/8139too-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,31 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:15:36 -0700 +Subject: 8139too: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/8139too.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/8139too.c ++++ b/drivers/net/ethernet/realtek/8139too.c +@@ -1717,9 +1717,9 @@ static netdev_tx_t rtl8139_start_xmit (s + if (len < ETH_ZLEN) + memset(tp->tx_buf[entry], 0, ETH_ZLEN); + skb_copy_and_csum_dev(skb, tp->tx_buf[entry]); +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + } else { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } diff --git a/queue-3.14/benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch b/queue-3.14/benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch new file mode 100644 index 00000000000..26b0eff8399 --- /dev/null +++ b/queue-3.14/benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch @@ -0,0 +1,30 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:19:50 -0700 +Subject: benet: Call dev_kfree_skby_any instead of kfree_skb. + +From: "Eric W. Biederman" + +Replace free_skb with dev_kfree_skb_any in be_tx_compl_process as +which can be called in hard irq by netpoll, softirq context +by normal napi polling, and in normal sleepable context +by the network device close method. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1883,7 +1883,7 @@ static u16 be_tx_compl_process(struct be + queue_tail_inc(txq); + } while (cur_index != last_index); + +- kfree_skb(sent_skb); ++ dev_kfree_skb_any(sent_skb); + return num_wrbs; + } + diff --git a/queue-3.14/bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..98b92ac3806 --- /dev/null +++ b/queue-3.14/bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:17:41 -0700 +Subject: bnx2: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2.c ++++ b/drivers/net/ethernet/broadcom/bnx2.c +@@ -2886,7 +2886,7 @@ bnx2_tx_int(struct bnx2 *bp, struct bnx2 + sw_cons = BNX2_NEXT_TX_BD(sw_cons); + + tx_bytes += skb->len; +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + tx_pkt++; + if (tx_pkt == budget) + break; +@@ -6640,7 +6640,7 @@ bnx2_start_xmit(struct sk_buff *skb, str + + mapping = dma_map_single(&bp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE); + if (dma_mapping_error(&bp->pdev->dev, mapping)) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +@@ -6733,7 +6733,7 @@ dma_error: + PCI_DMA_TODEVICE); + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + diff --git a/queue-3.14/bonding-call-dev_kfree_skby_any-instead-of-kfree_skb.patch b/queue-3.14/bonding-call-dev_kfree_skby_any-instead-of-kfree_skb.patch new file mode 100644 index 00000000000..f56f189638e --- /dev/null +++ b/queue-3.14/bonding-call-dev_kfree_skby_any-instead-of-kfree_skb.patch @@ -0,0 +1,88 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:16:58 -0700 +Subject: bonding: Call dev_kfree_skby_any instead of kfree_skb. + +From: "Eric W. Biederman" + +Replace kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_3ad.c | 2 +- + drivers/net/bonding/bond_alb.c | 2 +- + drivers/net/bonding/bond_main.c | 10 +++++----- + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -2479,7 +2479,7 @@ out: + return NETDEV_TX_OK; + err_free: + /* no suitable interface, frame not sent */ +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + goto out; + } + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1479,7 +1479,7 @@ int bond_alb_xmit(struct sk_buff *skb, s + } + + /* no suitable interface, frame not sent */ +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + out: + return NETDEV_TX_OK; + } +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3568,7 +3568,7 @@ static void bond_xmit_slave_id(struct bo + } + } + /* no slave that can tx has been found */ +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + } + + /** +@@ -3650,7 +3650,7 @@ static int bond_xmit_activebackup(struct + if (slave) + bond_dev_queue_xmit(bond, skb, slave->dev); + else +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + return NETDEV_TX_OK; + } +@@ -3698,7 +3698,7 @@ static int bond_xmit_broadcast(struct sk + if (slave && IS_UP(slave->dev) && slave->link == BOND_LINK_UP) + bond_dev_queue_xmit(bond, skb, slave->dev); + else +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + return NETDEV_TX_OK; + } +@@ -3785,7 +3785,7 @@ static netdev_tx_t __bond_start_xmit(str + pr_err("%s: Error: Unknown bonding mode %d\n", + dev->name, bond->params.mode); + WARN_ON_ONCE(1); +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + } +@@ -3806,7 +3806,7 @@ static netdev_tx_t bond_start_xmit(struc + if (bond_has_slaves(bond)) + ret = __bond_start_xmit(skb, dev); + else +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + rcu_read_unlock(); + + return ret; diff --git a/queue-3.14/gianfar-carefully-free-skbs-in-functions-called-by-netpoll.patch b/queue-3.14/gianfar-carefully-free-skbs-in-functions-called-by-netpoll.patch new file mode 100644 index 00000000000..3c25f0fabde --- /dev/null +++ b/queue-3.14/gianfar-carefully-free-skbs-in-functions-called-by-netpoll.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:20:26 -0700 +Subject: gianfar: Carefully free skbs in functions called by netpoll. + +From: "Eric W. Biederman" + +netpoll can call functions in hard irq context that are ordinarily +called in lesser contexts. For those functions use dev_kfree_skb_any +and dev_consume_skb_any so skbs are freed safely from hard irq +context. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2152,13 +2152,13 @@ static int gfar_start_xmit(struct sk_buf + skb_new = skb_realloc_headroom(skb, fcb_len); + if (!skb_new) { + dev->stats.tx_errors++; +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + + if (skb->sk) + skb_set_owner_w(skb_new, skb->sk); +- consume_skb(skb); ++ dev_consume_skb_any(skb); + skb = skb_new; + } + diff --git a/queue-3.14/ipv6-don-t-reduce-hop-limit-for-an-interface.patch b/queue-3.14/ipv6-don-t-reduce-hop-limit-for-an-interface.patch new file mode 100644 index 00000000000..ce8e526c662 --- /dev/null +++ b/queue-3.14/ipv6-don-t-reduce-hop-limit-for-an-interface.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "D.S. Ljungmark" +Date: Wed, 25 Mar 2015 09:28:15 +0100 +Subject: ipv6: Don't reduce hop limit for an interface + +From: "D.S. Ljungmark" + +[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ] + +A local route may have a lower hop_limit set than global routes do. + +RFC 3756, Section 4.2.7, "Parameter Spoofing" + +> 1. The attacker includes a Current Hop Limit of one or another small +> number which the attacker knows will cause legitimate packets to +> be dropped before they reach their destination. + +> As an example, one possible approach to mitigate this threat is to +> ignore very small hop limits. The nodes could implement a +> configurable minimum hop limit, and ignore attempts to set it below +> said limit. + +Signed-off-by: D.S. Ljungmark +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struc + if (rt) + rt6_set_expires(rt, jiffies + (HZ * lifetime)); + if (ra_msg->icmph.icmp6_hop_limit) { +- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ /* Only set hop_limit on the interface if it is higher than ++ * the current hop_limit. ++ */ ++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { ++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ } else { ++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n"); ++ } + if (rt) + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, + ra_msg->icmph.icmp6_hop_limit); diff --git a/queue-3.14/ipv6-protect-skb-sk-accesses-from-recursive-dereference-inside-the-stack.patch b/queue-3.14/ipv6-protect-skb-sk-accesses-from-recursive-dereference-inside-the-stack.patch new file mode 100644 index 00000000000..076545c0e40 --- /dev/null +++ b/queue-3.14/ipv6-protect-skb-sk-accesses-from-recursive-dereference-inside-the-stack.patch @@ -0,0 +1,160 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "hannes@stressinduktion.org" +Date: Wed, 1 Apr 2015 17:07:44 +0200 +Subject: ipv6: protect skb->sk accesses from recursive dereference inside the stack + +From: "hannes@stressinduktion.org" + +[ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ] + +We should not consult skb->sk for output decisions in xmit recursion +levels > 0 in the stack. Otherwise local socket settings could influence +the result of e.g. tunnel encapsulation process. + +ipv6 does not conform with this in three places: + +1) ip6_fragment: we do consult ipv6_npinfo for frag_size + +2) sk_mc_loop in ipv6 uses skb->sk and checks if we should + loop the packet back to the local socket + +3) ip6_skb_dst_mtu could query the settings from the user socket and + force a wrong MTU + +Furthermore: +In sk_mc_loop we could potentially land in WARN_ON(1) if we use a +PF_PACKET socket ontop of an IPv6-backed vxlan device. + +Reuse xmit_recursion as we are currently only interested in protecting +tunnel devices. + +Cc: Jiri Pirko +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 6 ++++++ + include/net/ip.h | 16 ---------------- + include/net/ip6_route.h | 3 ++- + include/net/sock.h | 2 ++ + net/core/dev.c | 4 +++- + net/core/sock.c | 19 +++++++++++++++++++ + net/ipv6/ip6_output.c | 3 ++- + 7 files changed, 34 insertions(+), 19 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1880,6 +1880,12 @@ void netdev_freemem(struct net_device *d + void synchronize_net(void); + int init_dummy_netdev(struct net_device *dev); + ++DECLARE_PER_CPU(int, xmit_recursion); ++static inline int dev_recursion_level(void) ++{ ++ return this_cpu_read(xmit_recursion); ++} ++ + struct net_device *dev_get_by_index(struct net *net, int ifindex); + struct net_device *__dev_get_by_index(struct net *net, int ifindex); + struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex); +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -407,22 +407,6 @@ static __inline__ void inet_reset_saddr( + + #endif + +-static inline int sk_mc_loop(struct sock *sk) +-{ +- if (!sk) +- return 1; +- switch (sk->sk_family) { +- case AF_INET: +- return inet_sk(sk)->mc_loop; +-#if IS_ENABLED(CONFIG_IPV6) +- case AF_INET6: +- return inet6_sk(sk)->mc_loop; +-#endif +- } +- WARN_ON(1); +- return 1; +-} +- + bool ip_call_ra_chain(struct sk_buff *skb); + + /* +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -168,7 +168,8 @@ int ip6_fragment(struct sk_buff *skb, in + + static inline int ip6_skb_dst_mtu(struct sk_buff *skb) + { +- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL; ++ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ? ++ inet6_sk(skb->sk) : NULL; + + return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ? + skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1815,6 +1815,8 @@ struct dst_entry *__sk_dst_check(struct + + struct dst_entry *sk_dst_check(struct sock *sk, u32 cookie); + ++bool sk_mc_loop(struct sock *sk); ++ + static inline bool sk_can_gso(const struct sock *sk) + { + return net_gso_ok(sk->sk_route_caps, sk->sk_gso_type); +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2775,7 +2775,9 @@ static void skb_update_prio(struct sk_bu + #define skb_update_prio(skb) + #endif + +-static DEFINE_PER_CPU(int, xmit_recursion); ++DEFINE_PER_CPU(int, xmit_recursion); ++EXPORT_SYMBOL(xmit_recursion); ++ + #define RECURSION_LIMIT 10 + + /** +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -659,6 +659,25 @@ static inline void sock_valbool_flag(str + sock_reset_flag(sk, bit); + } + ++bool sk_mc_loop(struct sock *sk) ++{ ++ if (dev_recursion_level()) ++ return false; ++ if (!sk) ++ return true; ++ switch (sk->sk_family) { ++ case AF_INET: ++ return inet_sk(sk)->mc_loop; ++#if IS_ENABLED(CONFIG_IPV6) ++ case AF_INET6: ++ return inet6_sk(sk)->mc_loop; ++#endif ++ } ++ WARN_ON(1); ++ return true; ++} ++EXPORT_SYMBOL(sk_mc_loop); ++ + /* + * This is meant for all protocols to use and covers goings on + * at the socket level. Everything here is generic. +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -555,7 +555,8 @@ int ip6_fragment(struct sk_buff *skb, in + { + struct sk_buff *frag; + struct rt6_info *rt = (struct rt6_info*)skb_dst(skb); +- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL; ++ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ? ++ inet6_sk(skb->sk) : NULL; + struct ipv6hdr *tmp_hdr; + struct frag_hdr *fh; + unsigned int mtu, hlen, left, len; diff --git a/queue-3.14/ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..4868073bd29 --- /dev/null +++ b/queue-3.14/ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:18:42 -0700 +Subject: ixgb: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgb/ixgb_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c ++++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c +@@ -1521,12 +1521,12 @@ ixgb_xmit_frame(struct sk_buff *skb, str + int tso; + + if (test_bit(__IXGB_DOWN, &adapter->flags)) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + + if (skb->len <= 0) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +@@ -1543,7 +1543,7 @@ ixgb_xmit_frame(struct sk_buff *skb, str + + tso = ixgb_tso(adapter, skb); + if (tso < 0) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + diff --git a/queue-3.14/mlx4-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/mlx4-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..10482b05a0e --- /dev/null +++ b/queue-3.14/mlx4-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,28 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:19:14 -0700 +Subject: mlx4: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -325,7 +325,7 @@ static u32 mlx4_en_free_tx_desc(struct m + } + } + } +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return tx_info->nr_txbb; + } + diff --git a/queue-3.14/net-mlx4_en-call-register_netdevice-in-the-proper-location.patch b/queue-3.14/net-mlx4_en-call-register_netdevice-in-the-proper-location.patch new file mode 100644 index 00000000000..bffd7137a70 --- /dev/null +++ b/queue-3.14/net-mlx4_en-call-register_netdevice-in-the-proper-location.patch @@ -0,0 +1,60 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: Ido Shamay +Date: Tue, 24 Mar 2015 15:18:38 +0200 +Subject: net/mlx4_en: Call register_netdevice in the proper location + +From: Ido Shamay + +[ Upstream commit e5eda89d97ec256ba14e7e861387cc0468259c18 ] + +Netdevice registration should be performed a the end of the driver +initialization flow. If we don't do that, after calling register_netdevice, +device callbacks may be issued by higher layers of the stack before +final configuration of the device is done. + +For example (VXLAN configuration race), mlx4_SET_PORT_VXLAN was issued +after the register_netdev command. System network scripts may configure +the interface (UP) right after the registration, which also attach +unicast VXLAN steering rule, before mlx4_SET_PORT_VXLAN was called, +causing the firmware to fail the rule attachment. + +Fixes: 837052d0ccc5 ("net/mlx4_en: Add netdev support for TCP/IP offloads of vxlan tunneling") +Signed-off-by: Ido Shamay +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -2497,13 +2497,6 @@ int mlx4_en_init_netdev(struct mlx4_en_d + netif_carrier_off(dev); + mlx4_en_set_default_moderation(priv); + +- err = register_netdev(dev); +- if (err) { +- en_err(priv, "Netdev registration failed for port %d\n", port); +- goto out; +- } +- priv->registered = 1; +- + en_warn(priv, "Using %d TX rings\n", prof->tx_ring_num); + en_warn(priv, "Using %d RX rings\n", prof->rx_ring_num); + +@@ -2543,6 +2536,14 @@ int mlx4_en_init_netdev(struct mlx4_en_d + queue_delayed_work(mdev->workqueue, &priv->service_task, + SERVICE_TASK_DELAY); + ++ err = register_netdev(dev); ++ if (err) { ++ en_err(priv, "Netdev registration failed for port %d\n", port); ++ goto out; ++ } ++ ++ priv->registered = 1; ++ + return 0; + + out: diff --git a/queue-3.14/r8169-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/r8169-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..63b375f804e --- /dev/null +++ b/queue-3.14/r8169-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:16:14 -0700 +Subject: r8169: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5834,7 +5834,7 @@ static void rtl8169_tx_clear_range(struc + tp->TxDescArray + entry); + if (skb) { + tp->dev->stats.tx_dropped++; +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + tx_skb->skb = NULL; + } + } +@@ -6059,7 +6059,7 @@ static netdev_tx_t rtl8169_start_xmit(st + err_dma_1: + rtl8169_unmap_tx_skb(d, tp->tx_skb + entry, txd); + err_dma_0: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + err_update_stats: + dev->stats.tx_dropped++; + return NETDEV_TX_OK; +@@ -6142,7 +6142,7 @@ static void rtl_tx(struct net_device *de + tp->tx_stats.packets++; + tp->tx_stats.bytes += tx_skb->skb->len; + u64_stats_update_end(&tp->tx_stats.syncp); +- dev_kfree_skb(tx_skb->skb); ++ dev_kfree_skb_any(tx_skb->skb); + tx_skb->skb = NULL; + } + dirty_tx++; diff --git a/queue-3.14/tcp-fix-frto-undo-on-cumulative-ack-of-sacked-range.patch b/queue-3.14/tcp-fix-frto-undo-on-cumulative-ack-of-sacked-range.patch new file mode 100644 index 00000000000..c7552dfef0e --- /dev/null +++ b/queue-3.14/tcp-fix-frto-undo-on-cumulative-ack-of-sacked-range.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: Neal Cardwell +Date: Wed, 1 Apr 2015 20:26:46 -0400 +Subject: tcp: fix FRTO undo on cumulative ACK of SACKed range + +From: Neal Cardwell + +[ Upstream commit 666b805150efd62f05810ff0db08f44a2370c937 ] + +On processing cumulative ACKs, the FRTO code was not checking the +SACKed bit, meaning that there could be a spurious FRTO undo on a +cumulative ACK of a previously SACKed skb. + +The FRTO code should only consider a cumulative ACK to indicate that +an original/unretransmitted skb is newly ACKed if the skb was not yet +SACKed. + +The effect of the spurious FRTO undo would typically be to make the +connection think that all previously-sent packets were in flight when +they really weren't, leading to a stall and an RTO. + +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Fixes: e33099f96d99c ("tcp: implement RFC5682 F-RTO") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3064,10 +3064,11 @@ static int tcp_clean_rtx_queue(struct so + if (seq_rtt < 0) { + seq_rtt = ca_seq_rtt; + } +- if (!(sacked & TCPCB_SACKED_ACKED)) ++ if (!(sacked & TCPCB_SACKED_ACKED)) { + reord = min(pkts_acked, reord); +- if (!after(scb->end_seq, tp->high_seq)) +- flag |= FLAG_ORIG_SACK_ACKED; ++ if (!after(scb->end_seq, tp->high_seq)) ++ flag |= FLAG_ORIG_SACK_ACKED; ++ } + } + + if (sacked & TCPCB_SACKED_ACKED) diff --git a/queue-3.14/tcp-prevent-fetching-dst-twice-in-early-demux-code.patch b/queue-3.14/tcp-prevent-fetching-dst-twice-in-early-demux-code.patch new file mode 100644 index 00000000000..4cba18a30d6 --- /dev/null +++ b/queue-3.14/tcp-prevent-fetching-dst-twice-in-early-demux-code.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= +Date: Mon, 23 Mar 2015 15:14:00 +0100 +Subject: tcp: prevent fetching dst twice in early demux code + +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= + +[ Upstream commit d0c294c53a771ae7e84506dfbd8c18c30f078735 ] + +On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux() + + struct dst_entry *dst = sk->sk_rx_dst; + + if (dst) + dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie); + +to code reading sk->sk_rx_dst twice, once for the test and once for +the argument of ip6_dst_check() (dst_check() is inline). This allows +ip6_dst_check() to be called with null first argument, causing a crash. + +Protect sk->sk_rx_dst access by ACCESS_ONCE() both in IPv4 and IPv6 +TCP early demux code. + +Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.") +Fixes: c7109986db3c ("ipv6: Early TCP socket demux") +Signed-off-by: Michal Kubecek +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv6/tcp_ipv6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1875,7 +1875,7 @@ void tcp_v4_early_demux(struct sk_buff * + skb->sk = sk; + skb->destructor = sock_edemux; + if (sk->sk_state != TCP_TIME_WAIT) { +- struct dst_entry *dst = sk->sk_rx_dst; ++ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, 0); +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1633,7 +1633,7 @@ static void tcp_v6_early_demux(struct sk + skb->sk = sk; + skb->destructor = sock_edemux; + if (sk->sk_state != TCP_TIME_WAIT) { +- struct dst_entry *dst = sk->sk_rx_dst; ++ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst); + + if (dst) + dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie); diff --git a/queue-3.14/tcp-tcp_make_synack-should-clear-skb-tstamp.patch b/queue-3.14/tcp-tcp_make_synack-should-clear-skb-tstamp.patch new file mode 100644 index 00000000000..eeaad5717aa --- /dev/null +++ b/queue-3.14/tcp-tcp_make_synack-should-clear-skb-tstamp.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: Eric Dumazet +Date: Thu, 9 Apr 2015 13:31:56 -0700 +Subject: tcp: tcp_make_synack() should clear skb->tstamp + +From: Eric Dumazet + +[ Upstream commit b50edd7812852d989f2ef09dcfc729690f54a42d ] + +I noticed tcpdump was giving funky timestamps for locally +generated SYNACK messages on loopback interface. + +11:42:46.938990 IP 127.0.0.1.48245 > 127.0.0.2.23850: S +945476042:945476042(0) win 43690 + +20:28:58.502209 IP 127.0.0.2.23850 > 127.0.0.1.48245: S +3160535375:3160535375(0) ack 945476043 win 43690 + +This is because we need to clear skb->tstamp before +entering lower stack, otherwise net_timestamp_check() +does not set skb->tstamp. + +Fixes: 7faee5c0d514 ("tcp: remove TCP_SKB_CB(skb)->when") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2796,6 +2796,8 @@ struct sk_buff *tcp_make_synack(struct s + } + #endif + ++ /* Do not fool tcpdump (if any), clean our debris */ ++ skb->tstamp.tv64 = 0; + return skb; + } + EXPORT_SYMBOL(tcp_make_synack); diff --git a/queue-3.14/tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch b/queue-3.14/tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch new file mode 100644 index 00000000000..ea01547bed1 --- /dev/null +++ b/queue-3.14/tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch @@ -0,0 +1,80 @@ +From foo@baz Tue Apr 21 23:05:41 CEST 2015 +From: "Eric W. Biederman" +Date: Tue, 11 Mar 2014 14:18:14 -0700 +Subject: tg3: Call dev_kfree_skby_any instead of dev_kfree_skb. + +From: "Eric W. Biederman" + +Replace dev_kfree_skb with dev_kfree_skb_any in functions that can +be called in hard irq and other contexts. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -6593,7 +6593,7 @@ static void tg3_tx(struct tg3_napi *tnap + pkts_compl++; + bytes_compl += skb->len; + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + if (unlikely(tx_bug)) { + tg3_tx_recover(tp); +@@ -6925,7 +6925,7 @@ static int tg3_rx(struct tg3_napi *tnapi + if (len > (tp->dev->mtu + ETH_HLEN) && + skb->protocol != htons(ETH_P_8021Q) && + skb->protocol != htons(ETH_P_8021AD)) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + goto drop_it_no_recycle; + } + +@@ -7808,7 +7808,7 @@ static int tigon3_dma_hwbug_workaround(s + PCI_DMA_TODEVICE); + /* Make sure the mapping succeeded */ + if (pci_dma_mapping_error(tp->pdev, new_addr)) { +- dev_kfree_skb(new_skb); ++ dev_kfree_skb_any(new_skb); + ret = -1; + } else { + u32 save_entry = *entry; +@@ -7823,13 +7823,13 @@ static int tigon3_dma_hwbug_workaround(s + new_skb->len, base_flags, + mss, vlan)) { + tg3_tx_skb_unmap(tnapi, save_entry, -1); +- dev_kfree_skb(new_skb); ++ dev_kfree_skb_any(new_skb); + ret = -1; + } + } + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + *pskb = new_skb; + return ret; + } +@@ -7872,7 +7872,7 @@ static int tg3_tso_bug(struct tg3 *tp, s + } while (segs); + + tg3_tso_bug_end: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + return NETDEV_TX_OK; + } +@@ -8110,7 +8110,7 @@ dma_error: + tg3_tx_skb_unmap(tnapi, tnapi->tx_prod, --i); + tnapi->tx_buffers[tnapi->tx_prod].skb = NULL; + drop: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + drop_nofree: + tp->tx_dropped++; + return NETDEV_TX_OK; diff --git a/queue-4.0/series b/queue-4.0/series new file mode 100644 index 00000000000..f63af7def87 --- /dev/null +++ b/queue-4.0/series @@ -0,0 +1,6 @@ +udptunnels-call-handle_offloads-after-inserting-vlan-tag.patch +tcp-tcp_make_synack-should-clear-skb-tstamp.patch +bnx2x-fix-busy_poll-vs-netpoll.patch +bpf-fix-verifier-memory-corruption.patch +revert-net-reset-secmark-when-scrubbing-packet.patch +skbuff-do-not-scrub-skb-mark-within-the-same-name-space.patch