From: Greg Kroah-Hartman Date: Thu, 21 Feb 2019 10:12:35 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.136~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3d8afe7cd26a1a84d9e3f6bd6fd55ffc35aae00;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch net-stmmac-fix-a-race-in-eee-enable-callback.patch sky2-increase-d3-delay-again.patch tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch tcp-tcp_v4_err-should-be-more-careful.patch vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch --- diff --git a/queue-3.18/net-fix-ipv6-prefix-route-residue.patch b/queue-3.18/net-fix-ipv6-prefix-route-residue.patch index cced651d21f..1362a99d3e2 100644 --- a/queue-3.18/net-fix-ipv6-prefix-route-residue.patch +++ b/queue-3.18/net-fix-ipv6-prefix-route-residue.patch @@ -27,14 +27,12 @@ Reported-by: Wenhao Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - net/ipv6/addrconf.c | 3 ++- + net/ipv6/addrconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 78dd9ce1214f7..bbc5dd769ebcd 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c -@@ -949,7 +949,8 @@ check_cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long *expires) +@@ -949,7 +949,8 @@ check_cleanup_prefix_route(struct inet6_ list_for_each_entry(ifa, &idev->addr_list, if_list) { if (ifa == ifp) continue; @@ -44,6 +42,3 @@ index 78dd9ce1214f7..bbc5dd769ebcd 100644 ifp->prefix_len)) continue; if (ifa->flags & (IFA_F_PERMANENT | IFA_F_NOPREFIXROUTE)) --- -2.19.1 - diff --git a/queue-3.18/net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch b/queue-3.18/net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch new file mode 100644 index 00000000000..34f725ea02a --- /dev/null +++ b/queue-3.18/net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch @@ -0,0 +1,86 @@ +From foo@baz Thu Feb 21 08:41:54 CET 2019 +From: Lorenzo Bianconi +Date: Wed, 6 Feb 2019 19:18:04 +0100 +Subject: net: ipv4: use a dedicated counter for icmp_v4 redirect packets + +From: Lorenzo Bianconi + +[ Upstream commit c09551c6ff7fe16a79a42133bcecba5fc2fc3291 ] + +According to the algorithm described in the comment block at the +beginning of ip_rt_send_redirect, the host should try to send +'ip_rt_redirect_number' ICMP redirect packets with an exponential +backoff and then stop sending them at all assuming that the destination +ignores redirects. +If the device has previously sent some ICMP error packets that are +rate-limited (e.g TTL expired) and continues to receive traffic, +the redirect packets will never be transmitted. This happens since +peer->rate_tokens will be typically greater than 'ip_rt_redirect_number' +and so it will never be reset even if the redirect silence timeout +(ip_rt_redirect_silence) has elapsed without receiving any packet +requiring redirects. + +Fix it by using a dedicated counter for the number of ICMP redirect +packets that has been sent by the host + +I have not been able to identify a given commit that introduced the +issue since ip_rt_send_redirect implements the same rate-limiting +algorithm from commit 1da177e4c3f4 ("Linux-2.6.12-rc2") + +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inetpeer.h | 1 + + net/ipv4/inetpeer.c | 1 + + net/ipv4/route.c | 7 +++++-- + 3 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/net/inetpeer.h ++++ b/include/net/inetpeer.h +@@ -35,6 +35,7 @@ struct inet_peer { + + u32 metrics[RTAX_MAX]; + u32 rate_tokens; /* rate limiting for ICMP */ ++ u32 n_redirects; + unsigned long rate_last; + union { + struct list_head gc_list; +--- a/net/ipv4/inetpeer.c ++++ b/net/ipv4/inetpeer.c +@@ -464,6 +464,7 @@ relookup: + atomic_set(&p->rid, 0); + p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW; + p->rate_tokens = 0; ++ p->n_redirects = 0; + /* 60*HZ is arbitrary, but chosen enough high so that the first + * calculation of tokens is at its maximum. + */ +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -864,13 +864,15 @@ void ip_rt_send_redirect(struct sk_buff + /* No redirected packets during ip_rt_redirect_silence; + * reset the algorithm. + */ +- if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence)) ++ if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence)) { + peer->rate_tokens = 0; ++ peer->n_redirects = 0; ++ } + + /* Too many ignored redirects; do not send anything + * set dst.rate_last to the last seen redirected packet. + */ +- if (peer->rate_tokens >= ip_rt_redirect_number) { ++ if (peer->n_redirects >= ip_rt_redirect_number) { + peer->rate_last = jiffies; + goto out_put_peer; + } +@@ -887,6 +889,7 @@ void ip_rt_send_redirect(struct sk_buff + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); + peer->rate_last = jiffies; + ++peer->rate_tokens; ++ ++peer->n_redirects; + #ifdef CONFIG_IP_ROUTE_VERBOSE + if (log_martians && + peer->rate_tokens == ip_rt_redirect_number) diff --git a/queue-3.18/net-stmmac-fix-a-race-in-eee-enable-callback.patch b/queue-3.18/net-stmmac-fix-a-race-in-eee-enable-callback.patch new file mode 100644 index 00000000000..12eeb5532a5 --- /dev/null +++ b/queue-3.18/net-stmmac-fix-a-race-in-eee-enable-callback.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Feb 21 08:41:54 CET 2019 +From: Jose Abreu +Date: Mon, 18 Feb 2019 14:35:03 +0100 +Subject: net: stmmac: Fix a race in EEE enable callback + +From: Jose Abreu + +[ Upstream commit 8a7493e58ad688eb23b81e45461c5d314f4402f1 ] + +We are saving the status of EEE even before we try to enable it. This +leads to a race with XMIT function that tries to arm EEE timer before we +set it up. + +Fix this by only saving the EEE parameters after all operations are +performed with success. + +Signed-off-by: Jose Abreu +Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support") +Cc: Joao Pinto +Cc: David S. Miller +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++--------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -614,25 +614,27 @@ static int stmmac_ethtool_op_set_eee(str + struct ethtool_eee *edata) + { + struct stmmac_priv *priv = netdev_priv(dev); ++ int ret; + +- priv->eee_enabled = edata->eee_enabled; +- +- if (!priv->eee_enabled) ++ if (!edata->eee_enabled) { + stmmac_disable_eee_mode(priv); +- else { ++ } else { + /* We are asking for enabling the EEE but it is safe + * to verify all by invoking the eee_init function. + * In case of failure it will return an error. + */ +- priv->eee_enabled = stmmac_eee_init(priv); +- if (!priv->eee_enabled) ++ edata->eee_enabled = stmmac_eee_init(priv); ++ if (!edata->eee_enabled) + return -EOPNOTSUPP; +- +- /* Do not change tx_lpi_timer in case of failure */ +- priv->tx_lpi_timer = edata->tx_lpi_timer; + } + +- return phy_ethtool_set_eee(priv->phydev, edata); ++ ret = phy_ethtool_set_eee(dev->phydev, edata); ++ if (ret) ++ return ret; ++ ++ priv->eee_enabled = edata->eee_enabled; ++ priv->tx_lpi_timer = edata->tx_lpi_timer; ++ return 0; + } + + static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv) diff --git a/queue-3.18/series b/queue-3.18/series index 9aaeefacddd..f56f36f2637 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -1 +1,8 @@ net-fix-ipv6-prefix-route-residue.patch +sky2-increase-d3-delay-again.patch +tcp-tcp_v4_err-should-be-more-careful.patch +tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch +vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch +vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch +net-stmmac-fix-a-race-in-eee-enable-callback.patch +net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch diff --git a/queue-3.18/sky2-increase-d3-delay-again.patch b/queue-3.18/sky2-increase-d3-delay-again.patch new file mode 100644 index 00000000000..993be56d4c5 --- /dev/null +++ b/queue-3.18/sky2-increase-d3-delay-again.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Feb 21 10:01:20 CET 2019 +From: Kai-Heng Feng +Date: Tue, 19 Feb 2019 23:45:29 +0800 +Subject: sky2: Increase D3 delay again + +From: Kai-Heng Feng + +[ Upstream commit 1765f5dcd00963e33f1b8a4e0f34061fbc0e2f7f ] + +Another platform requires even longer delay to make the device work +correctly after S3. + +So increase the delay to 300ms. + +BugLink: https://bugs.launchpad.net/bugs/1798921 + +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -5069,7 +5069,7 @@ static int sky2_probe(struct pci_dev *pd + INIT_WORK(&hw->restart_work, sky2_restart); + + pci_set_drvdata(pdev, hw); +- pdev->d3_delay = 200; ++ pdev->d3_delay = 300; + + return 0; + diff --git a/queue-3.18/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch b/queue-3.18/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch new file mode 100644 index 00000000000..1b9427ab28c --- /dev/null +++ b/queue-3.18/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch @@ -0,0 +1,52 @@ +From foo@baz Thu Feb 21 07:26:37 CET 2019 +From: Eric Dumazet +Date: Fri, 15 Feb 2019 13:36:20 -0800 +Subject: tcp: clear icsk_backoff in tcp_write_queue_purge() + +From: Eric Dumazet + +[ Upstream commit 04c03114be82194d4a4858d41dba8e286ad1787c ] + +soukjin bae reported a crash in tcp_v4_err() handling +ICMP_DEST_UNREACH after tcp_write_queue_head(sk) +returned a NULL pointer. + +Current logic should have prevented this : + + if (seq != tp->snd_una || !icsk->icsk_retransmits || + !icsk->icsk_backoff || fastopen) + break; + +Problem is the write queue might have been purged +and icsk_backoff has not been cleared. + +Signed-off-by: Eric Dumazet +Reported-by: soukjin bae +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 1 + + net/ipv4/tcp.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1379,6 +1379,7 @@ static inline void tcp_write_queue_purge + sk_wmem_free_skb(sk, skb); + sk_mem_reclaim(sk); + tcp_clear_all_retrans_hints(tcp_sk(sk)); ++ inet_csk(sk)->icsk_backoff = 0; + } + + static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk) +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2258,7 +2258,6 @@ int tcp_disconnect(struct sock *sk, int + tp->srtt_us = 0; + if ((tp->write_seq += tp->max_window + 2) == 0) + tp->write_seq = 1; +- icsk->icsk_backoff = 0; + tp->snd_cwnd = 2; + icsk->icsk_probes_out = 0; + tp->packets_out = 0; diff --git a/queue-3.18/tcp-tcp_v4_err-should-be-more-careful.patch b/queue-3.18/tcp-tcp_v4_err-should-be-more-careful.patch new file mode 100644 index 00000000000..269e91114da --- /dev/null +++ b/queue-3.18/tcp-tcp_v4_err-should-be-more-careful.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Feb 21 08:41:54 CET 2019 +From: Eric Dumazet +Date: Fri, 15 Feb 2019 13:36:21 -0800 +Subject: tcp: tcp_v4_err() should be more careful + +From: Eric Dumazet + +[ Upstream commit 2c4cc9712364c051b1de2d175d5fbea6be948ebf ] + +ICMP handlers are not very often stressed, we should +make them more resilient to bugs that might surface in +the future. + +If there is no packet in retransmit queue, we should +avoid a NULL deref. + +Signed-off-by: Eric Dumazet +Reported-by: soukjin bae +Acked-by: Neal Cardwell +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -432,14 +432,15 @@ void tcp_v4_err(struct sk_buff *icmp_skb + if (sock_owned_by_user(sk)) + break; + ++ skb = tcp_write_queue_head(sk); ++ if (WARN_ON_ONCE(!skb)) ++ break; ++ + icsk->icsk_backoff--; + icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) : + TCP_TIMEOUT_INIT; + icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX); + +- skb = tcp_write_queue_head(sk); +- BUG_ON(!skb); +- + remaining = icsk->icsk_rto - + min(icsk->icsk_rto, + tcp_time_stamp - tcp_skb_timestamp(skb)); diff --git a/queue-3.18/vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch b/queue-3.18/vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch new file mode 100644 index 00000000000..24f7aa6be8e --- /dev/null +++ b/queue-3.18/vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Feb 21 10:01:20 CET 2019 +From: Paolo Abeni +Date: Thu, 7 Feb 2019 14:13:18 +0100 +Subject: vsock: cope with memory allocation failure at socket creation time + +From: Paolo Abeni + +[ Upstream commit 225d9464268599a5b4d094d02ec17808e44c7553 ] + +In the unlikely event that the kmalloc call in vmci_transport_socket_init() +fails, we end-up calling vmci_transport_destruct() with a NULL vmci_trans() +and oopsing. + +This change addresses the above explicitly checking for zero vmci_trans() +at destruction time. + +Reported-by: Xiumei Mu +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Paolo Abeni +Reviewed-by: Stefano Garzarella +Reviewed-by: Jorgen Hansen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/vmci_transport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -1663,6 +1663,10 @@ static int vmci_transport_socket_init(st + + static void vmci_transport_destruct(struct vsock_sock *vsk) + { ++ /* transport can be NULL if we hit a failure at init() time */ ++ if (!vmci_trans(vsk)) ++ return; ++ + if (vmci_trans(vsk)->attach_sub_id != VMCI_INVALID_ID) { + vmci_event_unsubscribe(vmci_trans(vsk)->attach_sub_id); + vmci_trans(vsk)->attach_sub_id = VMCI_INVALID_ID; diff --git a/queue-3.18/vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch b/queue-3.18/vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch new file mode 100644 index 00000000000..d913f7cff5b --- /dev/null +++ b/queue-3.18/vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch @@ -0,0 +1,82 @@ +From foo@baz Thu Feb 21 08:41:54 CET 2019 +From: Eric Dumazet +Date: Thu, 7 Feb 2019 12:27:38 -0800 +Subject: vxlan: test dev->flags & IFF_UP before calling netif_rx() + +From: Eric Dumazet + +[ Upstream commit 4179cb5a4c924cd233eaadd081882425bc98f44e ] + +netif_rx() must be called under a strict contract. + +At device dismantle phase, core networking clears IFF_UP +and flush_all_backlogs() is called after rcu grace period +to make sure no incoming packet might be in a cpu backlog +and still referencing the device. + +Most drivers call netif_rx() from their interrupt handler, +and since the interrupts are disabled at device dismantle, +netif_rx() does not have to check dev->flags & IFF_UP + +Virtual drivers do not have this guarantee, and must +therefore make the check themselves. + +Otherwise we risk use-after-free and/or crashes. + +Note this patch also fixes a small issue that came +with commit ce6502a8f957 ("vxlan: fix a use after free +in vxlan_encap_bypass"), since the dev->stats.rx_dropped +change was done on the wrong device. + +Fixes: d342894c5d2f ("vxlan: virtual extensible lan") +Fixes: ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass") +Signed-off-by: Eric Dumazet +Cc: Petr Machata +Cc: Ido Schimmel +Cc: Roopa Prabhu +Cc: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1665,7 +1665,7 @@ static void vxlan_encap_bypass(struct sk + struct pcpu_sw_netstats *tx_stats, *rx_stats; + union vxlan_addr loopback; + union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip; +- struct net_device *dev = skb->dev; ++ struct net_device *dev; + int len = skb->len; + + tx_stats = this_cpu_ptr(src_vxlan->dev->tstats); +@@ -1685,8 +1685,15 @@ static void vxlan_encap_bypass(struct sk + #endif + } + ++ rcu_read_lock(); ++ dev = skb->dev; ++ if (unlikely(!(dev->flags & IFF_UP))) { ++ kfree_skb(skb); ++ goto drop; ++ } ++ + if (dst_vxlan->flags & VXLAN_F_LEARN) +- vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source); ++ vxlan_snoop(dev, &loopback, eth_hdr(skb)->h_source); + + u64_stats_update_begin(&tx_stats->syncp); + tx_stats->tx_packets++; +@@ -1699,8 +1706,10 @@ static void vxlan_encap_bypass(struct sk + rx_stats->rx_bytes += len; + u64_stats_update_end(&rx_stats->syncp); + } else { ++drop: + dev->stats.rx_dropped++; + } ++ rcu_read_unlock(); + } + + static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,