From: Greg Kroah-Hartman
Date: Mon, 17 Dec 2018 08:36:54 +0000 (+0100)
Subject: drop ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch from...
X-Git-Tag: v4.9.146~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd183cb4e391b0ec1f9605f4a303d62657287588;p=thirdparty%2Fkernel%2Fstable-queue.git
drop ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch from 3.18.y, 4.4.y and 4.9.y
---
diff --git a/queue-3.18/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch b/queue-3.18/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
deleted file mode 100644
index b50393b045f..00000000000
--- a/queue-3.18/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From foo@baz Thu Dec 13 12:24:22 CET 2018
-From: Jiri Wiesner
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner
-Reported-by: Per Sundstrom
-Acked-by: Peter Oskolkov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -507,6 +507,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct sk_buff *fp, *head = qp->q.fragments;
- int len;
- int ihlen;
-+ int delta;
- int err;
- int sum_truesize;
- u8 ecn;
-@@ -548,10 +549,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&qp->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -380,7 +380,7 @@ static struct sk_buff *
- nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
- {
- struct sk_buff *fp, *op, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q, &nf_frags);
-@@ -401,12 +401,18 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- goto out_oversize;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC)) {
- pr_debug("skb is cloned but can't expand head");
- goto out_oom;
- }
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&fq->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments.
 */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -381,7 +381,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -422,10 +422,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&fq->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
diff --git a/queue-3.18/series b/queue-3.18/series
index 4d8d4bc0e96..de5c8ba8155 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -4,7 +4,6 @@ rtnetlink-ndo_dflt_fdb_dump-only-work-for-arphrd_ether-devices.patch
 tun-forbid-iface-creation-with-rtnl-ops.patch
 neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch
 ipv6-check-available-headroom-in-ip6_xmit-even-without-options.patch
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
 arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
 arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
 sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
diff --git a/queue-4.4/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch b/queue-4.4/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
deleted file mode 100644
index fbfde35e951..00000000000
--- a/queue-4.4/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From foo@baz Thu Dec 13 12:24:22 CET 2018
-From: Jiri Wiesner
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner
-Reported-by: Per Sundstrom
-Acked-by: Peter Oskolkov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -538,6 +538,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct sk_buff *fp, *head = qp->q.fragments;
- int len;
- int ihlen;
-+ int delta;
- int err;
- u8 ecn;
-
-@@ -578,10 +579,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(qp->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -380,7 +380,7 @@ static struct sk_buff *
- nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
- {
- struct sk_buff *fp, *op, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q, &nf_frags);
-@@ -401,12 +401,18 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- goto out_oversize;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC)) {
- pr_debug("skb is cloned but can't expand head");
- goto out_oom;
- }
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments.
 */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -381,7 +381,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -422,10 +422,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
diff --git a/queue-4.4/series b/queue-4.4/series
index b82557a6ab1..3195456b265 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,7 +6,6 @@ rtnetlink-ndo_dflt_fdb_dump-only-work-for-arphrd_ether-devices.patch
 tcp-fix-null-ref-in-tail-loss-probe.patch
 tun-forbid-iface-creation-with-rtnl-ops.patch
 neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
 arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
 arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
 sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
diff --git a/queue-4.9/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch b/queue-4.9/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
deleted file mode 100644
index 2f5b6aeede0..00000000000
--- a/queue-4.9/ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From foo@baz Thu Dec 13 12:16:38 CET 2018
-From: Jiri Wiesner
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner
-Reported-by: Per Sundstrom
-Acked-by: Peter Oskolkov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -511,6 +511,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct rb_node *rbn;
- int len;
- int ihlen;
-+ int delta;
- int err;
- u8 ecn;
-
-@@ -552,10 +553,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(qp->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -348,7 +348,7 @@ static bool
- nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_device *dev)
- {
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q);
-@@ -370,10 +370,16 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- return false;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- return false;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments.
 */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -343,7 +343,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -384,10 +384,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
diff --git a/queue-4.9/series b/queue-4.9/series
index 79f298c56ec..24e1bc822d2 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,4 +1,3 @@
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
 ipv6-check-available-headroom-in-ip6_xmit-even-without-options.patch
 net-8139cp-fix-a-bug-triggered-by-changing-mtu-with-network-traffic.patch
 net-mlx4_core-correctly-set-pfc-param-if-global-pause-is-turned-off.patch