From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 10:05:14 +0000 (+0100) Subject: 3.19-stable patches X-Git-Tag: v3.19.3~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5c5beed1da1bb55ad63e437ed2e97929588e6f9;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch ipv6-fix-backtracking-for-throw-routes.patch net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch rds-avoid-potential-stack-overflow.patch revert-net-cx82310_eth-use-common-match-macro.patch rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch tcp-fix-tcp-fin-memory-accounting.patch tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch virtio-net-correctly-delete-napi-hash.patch --- diff --git a/queue-3.19/caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch b/queue-3.19/caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch new file mode 100644 index 00000000000..e48cac0bf9d --- /dev/null +++ b/queue-3.19/caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Al Viro +Date: Sat, 14 Mar 2015 05:22:21 +0000 +Subject: caif: fix MSG_OOB test in caif_seqpkt_recvmsg() + +From: Al Viro + +[ Upstream commit 3eeff778e00c956875c70b145c52638c313dfb23 ] + +It should be checking flags, not msg->msg_flags. It's ->sendmsg() +instances that need to look for that in ->msg_flags, ->recvmsg() ones +(including the other ->recvmsg() instance in that file, as well as +unix_dgram_recvmsg() this one claims to be imitating) check in flags. +Braino had been introduced in commit dcda13 ("caif: Bugfix - use MSG_TRUNC +in receive") back in 2010, so it goes quite a while back. + +Signed-off-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -281,7 +281,7 @@ static int caif_seqpkt_recvmsg(struct ki + int copylen; + + ret = -EOPNOTSUPP; +- if (m->msg_flags&MSG_OOB) ++ if (flags & MSG_OOB) + goto read_error; + + skb = skb_recv_datagram(sk, flags, 0 , &ret); diff --git a/queue-3.19/inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch b/queue-3.19/inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch new file mode 100644 index 00000000000..82a5bd19b2b --- /dev/null +++ b/queue-3.19/inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch @@ -0,0 +1,58 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Eric Dumazet +Date: Fri, 13 Mar 2015 09:49:59 -0700 +Subject: inet_diag: fix possible overflow in inet_diag_dump_one_icsk() + +From: Eric Dumazet + +[ Upstream commit c8e2c80d7ec00d020320f905822bf49c5ad85250 ] + +inet_diag_dump_one_icsk() allocates too small skb. + +Add inet_sk_attr_size() helper right before inet_sk_diag_fill() +so that it can be updated if/when new attributes are added. + +iproute2/ss currently does not use this dump_one() interface, +this might explain nobody noticed this problem yet. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_diag.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_hand + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, + struct sk_buff *skb, struct inet_diag_req_v2 *req, + struct user_namespace *user_ns, +@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_ + if (err) + goto out; + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- sizeof(struct tcp_info) + 64, GFP_KERNEL); ++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) { + err = -ENOMEM; + goto out; diff --git a/queue-3.19/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch b/queue-3.19/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch new file mode 100644 index 00000000000..7f9350ab7dc --- /dev/null +++ b/queue-3.19/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Sabrina Dubroca +Date: Thu, 19 Mar 2015 11:22:32 +0100 +Subject: ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment + +From: Sabrina Dubroca + +[ Upstream commit 8e199dfd82ee097b522b00344af6448715d8ee0c ] + +Matt Grant reported frequent crashes in ipv6_select_ident when +udp6_ufo_fragment is called from openvswitch on a skb that doesn't +have a dst_entry set. + +ipv6_proxy_select_ident generates the frag_id without using the dst +associated with the skb. This approach was suggested by Vladislav +Yasevich. + +Fixes: 0508c07f5e0c ("ipv6: Select fragment id during UFO segmentation if not set.") +Cc: Vladislav Yasevich +Reported-by: Matt Grant +Tested-by: Matt Grant +Signed-off-by: Sabrina Dubroca +Acked-by: Vladislav Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/udp_offload.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -112,11 +112,9 @@ static struct sk_buff *udp6_ufo_fragment + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- if (skb_shinfo(skb)->ip6_frag_id) +- fptr->identification = skb_shinfo(skb)->ip6_frag_id; +- else +- ipv6_select_ident(fptr, +- (struct rt6_info *)skb_dst(skb)); ++ if (!skb_shinfo(skb)->ip6_frag_id) ++ ipv6_proxy_select_ident(skb); ++ fptr->identification = skb_shinfo(skb)->ip6_frag_id; + + /* Fragment the skb. ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() diff --git a/queue-3.19/ipv6-fix-backtracking-for-throw-routes.patch b/queue-3.19/ipv6-fix-backtracking-for-throw-routes.patch new file mode 100644 index 00000000000..1d580563525 --- /dev/null +++ b/queue-3.19/ipv6-fix-backtracking-for-throw-routes.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Steven Barth +Date: Thu, 19 Mar 2015 16:16:04 +0100 +Subject: ipv6: fix backtracking for throw routes + +From: Steven Barth + +[ Upstream commit 73ba57bfae4a1914f6a6dac71e3168dd900e00af ] + +for throw routes to trigger evaluation of other policy rules +EAGAIN needs to be propagated up to fib_rules_lookup +similar to how its done for IPv4 + +A simple testcase for verification is: + +ip -6 rule add lookup 33333 priority 33333 +ip -6 route add throw 2001:db8::1 +ip -6 route add 2001:db8::1 via fe80::1 dev wlan0 table 33333 +ip route get 2001:db8::1 + +Signed-off-by: Steven Barth +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/fib6_rules.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_r + goto again; + flp6->saddr = saddr; + } ++ err = rt->dst.error; + goto out; + } + again: diff --git a/queue-3.19/net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch b/queue-3.19/net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch new file mode 100644 index 00000000000..efd646a8621 --- /dev/null +++ b/queue-3.19/net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Catalin Marinas +Date: Fri, 20 Mar 2015 16:48:13 +0000 +Subject: net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour + +From: Catalin Marinas + +[ Upstream commit 91edd096e224941131f896b86838b1e59553696a ] + +Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an +error) introduced the clamping of msg_namelen when the unsigned value +was larger than sizeof(struct sockaddr_storage). This caused a +msg_namelen of -1 to be valid. The native code was subsequently fixed by +commit dbb490b96584 (net: socket: error on a negative msg_namelen). + +In addition, the native code sets msg_namelen to 0 when msg_name is +NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen +to 0 if msg_name is passed as NULL in msghdr struct from userland) and +subsequently updated by 08adb7dabd48 (fold verify_iovec() into +copy_msghdr_from_user()). + +This patch brings the get_compat_msghdr() in line with +copy_msghdr_from_user(). + +Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error) +Cc: David S. Miller +Cc: Dan Carpenter +Signed-off-by: Catalin Marinas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/compat.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/compat.c ++++ b/net/compat.c +@@ -49,6 +49,13 @@ ssize_t get_compat_msghdr(struct msghdr + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ ++ if (!uaddr) ++ kmsg->msg_namelen = 0; ++ ++ if (kmsg->msg_namelen < 0) ++ return -EINVAL; ++ + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_control = compat_ptr(tmp3); diff --git a/queue-3.19/net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch b/queue-3.19/net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch new file mode 100644 index 00000000000..bff8ed82107 --- /dev/null +++ b/queue-3.19/net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Nimrod Andy +Date: Tue, 10 Mar 2015 19:09:41 +0800 +Subject: net: fec: fix receive VLAN CTAG HW acceleration issue + +From: Nimrod Andy + +[ Upstream commit af5cbc9822f6bbe399925760a4d5ee82c21f258c ] + +The current driver support receive VLAN CTAG HW acceleration feature +(NETIF_F_HW_VLAN_CTAG_RX) through software simulation. There calls the +api .skb_copy_to_linear_data_offset() to skip the VLAN tag, but there +have overlap between the two memory data point range. The patch just fix +the issue. + +V2: +Michael Grzeschik suggest to use memmove() instead of skb_copy_to_linear_data_offset(). + +Reported-by: Michael Grzeschik +Fixes: 1b7bde6d659d ("net: fec: implement rx_copybreak to improve rx performance") +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1448,8 +1448,7 @@ fec_enet_rx_queue(struct net_device *nde + + vlan_packet_rcvd = true; + +- skb_copy_to_linear_data_offset(skb, VLAN_HLEN, +- data, (2 * ETH_ALEN)); ++ memmove(skb->data + VLAN_HLEN, data, ETH_ALEN * 2); + skb_pull(skb, VLAN_HLEN); + } + diff --git a/queue-3.19/net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch b/queue-3.19/net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch new file mode 100644 index 00000000000..5b9bf8bb165 --- /dev/null +++ b/queue-3.19/net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Eran Ben Elisha +Date: Wed, 18 Mar 2015 16:51:36 +0200 +Subject: net/mlx4_en: Fix off-by-one in ethtool statistics display + +From: Eran Ben Elisha + +[ Upstream commit a16f3565703cfc3094938fb3c979cbb90f6d9eb4 ] + +NUM_PORT_STATS was 9 instead of 10, which caused off-by-one bug when +displaying the statistics starting from tx_chksum_offload in ethtool. + +Fixes: f8c6455bb04b ('net/mlx4_en: Extend checksum offloading by CHECKSUM COMPLETE') +Signed-off-by: Eran Ben Elisha +Signed-off-by: Hadar Hen Zion +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -451,7 +451,7 @@ struct mlx4_en_port_stats { + unsigned long rx_chksum_none; + unsigned long rx_chksum_complete; + unsigned long tx_chksum_offload; +-#define NUM_PORT_STATS 9 ++#define NUM_PORT_STATS 10 + }; + + struct mlx4_en_perf_stats { diff --git a/queue-3.19/net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch b/queue-3.19/net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch new file mode 100644 index 00000000000..60f7cc899d5 --- /dev/null +++ b/queue-3.19/net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Alexey Kodanev +Date: Wed, 11 Mar 2015 14:29:17 +0300 +Subject: net: sysctl_net_core: check SNDBUF and RCVBUF for min length + +From: Alexey Kodanev + +[ Upstream commit b1cb59cf2efe7971d3d72a7b963d09a512d994c9 ] + +sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be +set to incorrect values. Given that 'struct sk_buff' allocates from +rcvbuf, incorrectly set buffer length could result to memory +allocation failures. For example, set them as follows: + + # sysctl net.core.rmem_default=64 + net.core.wmem_default = 64 + # sysctl net.core.wmem_default=64 + net.core.wmem_default = 64 + # ping localhost -s 1024 -i 0 > /dev/null + +This could result to the following failure: + +skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32 +head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev: +kernel BUG at net/core/skbuff.c:102! +invalid opcode: 0000 [#1] SMP +... +task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000 +RIP: 0010:[] [] skb_put+0xa1/0xb0 +RSP: 0018:ffff88003ae8bc68 EFLAGS: 00010296 +RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000 +RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8 +RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000 +R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900 +FS: 00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0 +Stack: + ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d + ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550 + ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00 +Call Trace: + [] unix_stream_sendmsg+0x2c4/0x470 + [] sock_write_iter+0x146/0x160 + [] new_sync_write+0x92/0xd0 + [] vfs_write+0xd6/0x180 + [] SyS_write+0x59/0xd0 + [] system_call_fastpath+0x12/0x17 +Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00 + 00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b + eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 +RIP [] skb_put+0xa1/0xb0 +RSP +Kernel panic - not syncing: Fatal exception + +Moreover, the possible minimum is 1, so we can get another kernel panic: +... +BUG: unable to handle kernel paging request at ffff88013caee5c0 +IP: [] __alloc_skb+0x12f/0x1f0 +... + +Signed-off-by: Alexey Kodanev +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sysctl_net_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -25,6 +25,8 @@ + static int zero = 0; + static int one = 1; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + static int net_msg_warn; /* Unused, but still a sysctl */ + +@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[] + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", +@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[] + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", +@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[] + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", +@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[] + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", diff --git a/queue-3.19/net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch b/queue-3.19/net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch new file mode 100644 index 00000000000..79a2df2d82c --- /dev/null +++ b/queue-3.19/net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch @@ -0,0 +1,37 @@ +From 4de930efc23b92ddf88ce91c405ee645fe6e27ea Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 20 Mar 2015 17:41:43 +0000 +Subject: net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom + +From: Al Viro + +commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea upstream. + +Signed-off-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __ + + if (len > INT_MAX) + len = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_READ, buff, len))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void + + if (size > INT_MAX) + size = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; diff --git a/queue-3.19/net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch b/queue-3.19/net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch new file mode 100644 index 00000000000..aa1759b57ca --- /dev/null +++ b/queue-3.19/net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: WANG Cong +Date: Mon, 9 Mar 2015 17:03:40 -0700 +Subject: net_sched: fix struct tc_u_hnode layout in u32 + +From: WANG Cong + +[ Upstream commit 5778d39d070b4ac5f889928175b7f2d53ae7504e ] + +We dynamically allocate divisor+1 entries for ->ht[] in tc_u_hnode: + + ht = kzalloc(sizeof(*ht) + divisor*sizeof(void *), GFP_KERNEL); + +So ->ht is supposed to be the last field of this struct, however +this is broken, since an rcu head is appended after it. + +Fixes: 1ce87720d456 ("net: sched: make cls_u32 lockless") +Cc: Jamal Hadi Salim +Cc: John Fastabend +Signed-off-by: Cong Wang +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_u32.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -78,8 +78,11 @@ struct tc_u_hnode { + struct tc_u_common *tp_c; + int refcnt; + unsigned int divisor; +- struct tc_u_knode __rcu *ht[1]; + struct rcu_head rcu; ++ /* The 'ht' field MUST be the last field in structure to allow for ++ * more entries allocated at end of structure. ++ */ ++ struct tc_u_knode __rcu *ht[1]; + }; + + struct tc_u_common { diff --git a/queue-3.19/rds-avoid-potential-stack-overflow.patch b/queue-3.19/rds-avoid-potential-stack-overflow.patch new file mode 100644 index 00000000000..a96ecde9417 --- /dev/null +++ b/queue-3.19/rds-avoid-potential-stack-overflow.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Arnd Bergmann +Date: Wed, 11 Mar 2015 22:46:59 +0100 +Subject: rds: avoid potential stack overflow + +From: Arnd Bergmann + +[ Upstream commit f862e07cf95d5b62a5fc5e981dd7d0dbaf33a501 ] + +The rds_iw_update_cm_id function stores a large 'struct rds_sock' object +on the stack in order to pass a pair of addresses. This happens to just +fit withint the 1024 byte stack size warning limit on x86, but just +exceed that limit on ARM, which gives us this warning: + +net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +As the use of this large variable is basically bogus, we can rearrange +the code to not do that. Instead of passing an rds socket into +rds_iw_get_device, we now just pass the two addresses that we have +available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly, +to create two address structures on the stack there. + +Signed-off-by: Arnd Bergmann +Acked-by: Sowmini Varadhan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_ + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_ + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_de + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist * + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; diff --git a/queue-3.19/revert-net-cx82310_eth-use-common-match-macro.patch b/queue-3.19/revert-net-cx82310_eth-use-common-match-macro.patch new file mode 100644 index 00000000000..43884dd9cc8 --- /dev/null +++ b/queue-3.19/revert-net-cx82310_eth-use-common-match-macro.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Ondrej Zary +Date: Wed, 18 Mar 2015 23:01:01 +0100 +Subject: Revert "net: cx82310_eth: use common match macro" + +From: Ondrej Zary + +[ Upstream commit 8d006e0105978619fb472e150c88b0d49337fe2b ] + +This reverts commit 11ad714b98f6d9ca0067568442afe3e70eb94845 because +it breaks cx82310_eth. + +The custom USB_DEVICE_CLASS macro matches +bDeviceClass, bDeviceSubClass and bDeviceProtocol +but the common USB_DEVICE_AND_INTERFACE_INFO matches +bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol instead, which are +not specified. + +Signed-off-by: Ondrej Zary +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cx82310_eth.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -300,9 +300,18 @@ static const struct driver_info cx82310_ + .tx_fixup = cx82310_tx_fixup, + }; + ++#define USB_DEVICE_CLASS(vend, prod, cl, sc, pr) \ ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ ++ USB_DEVICE_ID_MATCH_DEV_INFO, \ ++ .idVendor = (vend), \ ++ .idProduct = (prod), \ ++ .bDeviceClass = (cl), \ ++ .bDeviceSubClass = (sc), \ ++ .bDeviceProtocol = (pr) ++ + static const struct usb_device_id products[] = { + { +- USB_DEVICE_AND_INTERFACE_INFO(0x0572, 0xcb01, 0xff, 0, 0), ++ USB_DEVICE_CLASS(0x0572, 0xcb01, 0xff, 0, 0), + .driver_info = (unsigned long) &cx82310_info + }, + { }, diff --git a/queue-3.19/rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch b/queue-3.19/rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch new file mode 100644 index 00000000000..6f81a847929 --- /dev/null +++ b/queue-3.19/rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Al Viro +Date: Sat, 14 Mar 2015 05:34:56 +0000 +Subject: rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() + +From: Al Viro + +[ Upstream commit 7d985ed1dca5c90535d67ce92ef6ca520302340a ] + +[I would really like an ACK on that one from dhowells; it appears to be +quite straightforward, but...] + +MSG_PEEK isn't passed to ->recvmsg() via msg->msg_flags; as the matter of +fact, neither the kernel users of rxrpc, nor the syscalls ever set that bit +in there. It gets passed via flags; in fact, another such check in the same +function is done correctly - as flags & MSG_PEEK. + +It had been that way (effectively disabled) for 8 years, though, so the patch +needs beating up - that case had never been tested. If it is correct, it's +-stable fodder. + +Signed-off-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/ar-recvmsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, st + if (!skb) { + /* nothing remains on the queue */ + if (copied && +- (msg->msg_flags & MSG_PEEK || timeo == 0)) ++ (flags & MSG_PEEK || timeo == 0)) + goto out; + + /* wait for a message to turn up */ diff --git a/queue-3.19/series b/queue-3.19/series index 5721d9b01a5..1d176ddfde9 100644 --- a/queue-3.19/series +++ b/queue-3.19/series @@ -3,3 +3,20 @@ sparc-perf-remove-redundant-perf_pmu_-en-dis-able-calls.patch sparc-perf-make-counting-mode-actually-work.patch sparc-touch-nmi-watchdog-when-walking-cpus-and-calling-printk.patch sparc64-fix-several-bugs-in-memmove.patch +net_sched-fix-struct-tc_u_hnode-layout-in-u32.patch +net-fec-fix-receive-vlan-ctag-hw-acceleration-issue.patch +tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch +tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch +net-sysctl_net_core-check-sndbuf-and-rcvbuf-for-min-length.patch +rds-avoid-potential-stack-overflow.patch +virtio-net-correctly-delete-napi-hash.patch +inet_diag-fix-possible-overflow-in-inet_diag_dump_one_icsk.patch +caif-fix-msg_oob-test-in-caif_seqpkt_recvmsg.patch +rxrpc-bogus-msg_peek-test-in-rxrpc_recvmsg.patch +net-mlx4_en-fix-off-by-one-in-ethtool-statistics-display.patch +revert-net-cx82310_eth-use-common-match-macro.patch +ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in-udp6_ufo_fragment.patch +ipv6-fix-backtracking-for-throw-routes.patch +tcp-fix-tcp-fin-memory-accounting.patch +net-compat-update-get_compat_msghdr-to-match-copy_msghdr_from_user-behaviour.patch +net-validate-the-range-we-feed-to-iov_iter_init-in-sys_sendto-sys_recvfrom.patch diff --git a/queue-3.19/tcp-fix-tcp-fin-memory-accounting.patch b/queue-3.19/tcp-fix-tcp-fin-memory-accounting.patch new file mode 100644 index 00000000000..a948c36df27 --- /dev/null +++ b/queue-3.19/tcp-fix-tcp-fin-memory-accounting.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Josh Hunt +Date: Thu, 19 Mar 2015 19:19:30 -0400 +Subject: tcp: fix tcp fin memory accounting + +From: Josh Hunt + +[ Upstream commit d22e1537181188e5dc8cbc51451832625035bdc2 ] + +tcp_send_fin() does not account for the memory it allocates properly, so +sk_forward_alloc can be negative in cases where we've sent a FIN: + +ss example output (ss -amn | grep -B1 f4294): +tcp FIN-WAIT-1 0 1 192.168.0.1:45520 192.0.2.1:8080 + skmem:(r0,rb87380,t0,tb87380,f4294966016,w1280,o0,bl0) +Acked-by: Eric Dumazet + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2775,15 +2775,11 @@ void tcp_send_fin(struct sock *sk) + } else { + /* Socket is locked, keep trying until memory is available. */ + for (;;) { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, +- sk->sk_allocation); ++ skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); + if (skb) + break; + yield(); + } +- +- /* Reserve space for headers and prepare control bits. */ +- skb_reserve(skb, MAX_TCP_HEADER); + /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */ + tcp_init_nondata_skb(skb, tp->write_seq, + TCPHDR_ACK | TCPHDR_FIN); diff --git a/queue-3.19/tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch b/queue-3.19/tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch new file mode 100644 index 00000000000..721f65851e9 --- /dev/null +++ b/queue-3.19/tcp-fix-tcp_cong_avoid_ai-credit-accumulation-bug-with-decreases-in-w.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Neal Cardwell +Date: Tue, 10 Mar 2015 17:17:03 -0400 +Subject: tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w + +From: Neal Cardwell + +[ Upstream commit 9949afa42be0b76f5832db112ce51bb6b35b2abb ] + +The recent change to tcp_cong_avoid_ai() to handle stretch ACKs +introduced a bug where snd_cwnd_cnt could accumulate a very large +value while w was large, and then if w was reduced snd_cwnd could be +incremented by a large delta, leading to a large burst and high packet +loss. This was tickled when CUBIC's bictcp_update() sets "ca->cnt = +100 * cwnd". + +This bug crept in while preparing the upstream version of +814d488c6126. + +Testing: This patch has been tested in datacenter netperf transfers +and live youtube.com and google.com servers. + +Fixes: 814d488c6126 ("tcp: fix the timid additive increase on stretch ACKs") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_cong.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv4/tcp_cong.c ++++ b/net/ipv4/tcp_cong.c +@@ -309,6 +309,12 @@ EXPORT_SYMBOL_GPL(tcp_slow_start); + */ + void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked) + { ++ /* If credits accumulated at a higher w, apply them gently now. */ ++ if (tp->snd_cwnd_cnt >= w) { ++ tp->snd_cwnd_cnt = 0; ++ tp->snd_cwnd++; ++ } ++ + tp->snd_cwnd_cnt += acked; + if (tp->snd_cwnd_cnt >= w) { + u32 delta = tp->snd_cwnd_cnt / w; diff --git a/queue-3.19/tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch b/queue-3.19/tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch new file mode 100644 index 00000000000..66c8aae471f --- /dev/null +++ b/queue-3.19/tcp-restore-1.5x-per-rtt-limit-to-cubic-cwnd-growth-in-congestion-avoidance.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Neal Cardwell +Date: Tue, 10 Mar 2015 17:17:04 -0400 +Subject: tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance + +From: Neal Cardwell + +[ Upstream commit d578e18ce93f5d33a7120fd57c453e22a4c0fc37 ] + +Commit 814d488c6126 ("tcp: fix the timid additive increase on stretch +ACKs") fixed a bug where tcp_cong_avoid_ai() would either credit a +connection with an increase of snd_cwnd_cnt, or increase snd_cwnd, but +not both, resulting in cwnd increasing by 1 packet on at most every +alternate invocation of tcp_cong_avoid_ai(). + +Although the commit correctly implemented the CUBIC algorithm, which +can increase cwnd by as much as 1 packet per 1 packet ACKed (2x per +RTT), in practice that could be too aggressive: in tests on network +paths with small buffers, YouTube server retransmission rates nearly +doubled. + +This commit restores CUBIC to a maximum cwnd growth rate of 1 packet +per 2 packets ACKed (1.5x per RTT). In YouTube tests this restored +retransmit rates to low levels. + +Testing: This patch has been tested in datacenter netperf transfers +and live youtube.com and google.com servers. + +Fixes: 9cd981dcf174 ("tcp: fix stretch ACK bugs in CUBIC") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_cubic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -306,8 +306,10 @@ tcp_friendliness: + } + } + +- if (ca->cnt == 0) /* cannot be zero */ +- ca->cnt = 1; ++ /* The maximum rate of cwnd increase CUBIC allows is 1 packet per ++ * 2 packets ACKed, meaning cwnd grows at 1.5x per RTT. ++ */ ++ ca->cnt = max(ca->cnt, 2U); + } + + static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) diff --git a/queue-3.19/virtio-net-correctly-delete-napi-hash.patch b/queue-3.19/virtio-net-correctly-delete-napi-hash.patch new file mode 100644 index 00000000000..82789ac2bff --- /dev/null +++ b/queue-3.19/virtio-net-correctly-delete-napi-hash.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Mar 24 11:00:07 CET 2015 +From: Jason Wang +Date: Thu, 12 Mar 2015 13:57:44 +0800 +Subject: virtio-net: correctly delete napi hash + +From: Jason Wang + +[ Upstream commit ab3971b1e7d72270a2a259a29c1a40351b889740 ] + +We don't delete napi from hash list during module exit. This will +cause the following panic when doing module load and unload: + +BUG: unable to handle kernel paging request at 0000004e00000075 +IP: [] napi_hash_add+0x6b/0xf0 +PGD 3c5d5067 PUD 0 +Oops: 0000 [#1] SMP +... +Call Trace: +[] init_vqs+0x107/0x490 [virtio_net] +[] virtnet_probe+0x562/0x791815639d880be [virtio_net] +[] virtio_dev_probe+0x137/0x200 +[] driver_probe_device+0x7a/0x250 +[] __driver_attach+0x93/0xa0 +[] ? __device_attach+0x40/0x40 +[] bus_for_each_dev+0x63/0xa0 +[] driver_attach+0x19/0x20 +[] bus_add_driver+0x170/0x220 +[] ? 0xffffffffa0a60000 +[] driver_register+0x5f/0xf0 +[] register_virtio_driver+0x1b/0x30 +[] virtio_net_driver_init+0x10/0x12 [virtio_net] + +This patch fixes this by doing this in virtnet_free_queues(). And also +don't delete napi in virtnet_freeze() since it will call +virtnet_free_queues() which has already did this. + +Fixes 91815639d880 ("virtio-net: rx busy polling support") +Cc: Rusty Russell +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Reviewed-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1444,8 +1444,10 @@ static void virtnet_free_queues(struct v + { + int i; + +- for (i = 0; i < vi->max_queue_pairs; i++) ++ for (i = 0; i < vi->max_queue_pairs; i++) { ++ napi_hash_del(&vi->rq[i].napi); + netif_napi_del(&vi->rq[i].napi); ++ } + + kfree(vi->rq); + kfree(vi->sq); +@@ -1936,11 +1938,8 @@ static int virtnet_freeze(struct virtio_ + cancel_delayed_work_sync(&vi->refill); + + if (netif_running(vi->dev)) { +- for (i = 0; i < vi->max_queue_pairs; i++) { ++ for (i = 0; i < vi->max_queue_pairs; i++) + napi_disable(&vi->rq[i].napi); +- napi_hash_del(&vi->rq[i].napi); +- netif_napi_del(&vi->rq[i].napi); +- } + } + + remove_vq_common(vi);