From 76eeb1428735dfbbfa5bc16a2f2ec21a644a0eb7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 9 Dec 2016 16:54:09 +0100
Subject: [PATCH] 4.8-stable patches

added patches:
esp4-fix-integrity-verification-when-esn-are-used.patch
esp6-fix-integrity-verification-when-esn-are-used.patch
flowcache-increase-threshold-for-refusing-new-allocations.patch
ipv4-set-skb-protocol-properly-for-local-output.patch
ipv6-set-skb-protocol-properly-for-local-output.patch
revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
---
...grity-verification-when-esn-are-used.patch | 33 ++++++++++++
...grity-verification-when-esn-are-used.patch | 33 ++++++++++++
...reshold-for-refusing-new-allocations.patch | 53 +++++++++++++++++++
...b-protocol-properly-for-local-output.patch | 39 ++++++++++++++
...b-protocol-properly-for-local-output.patch | 38 +++++++++++++
...otocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch | 33 ++++++++++++
queue-4.8/series | 6 +++
7 files changed, 235 insertions(+)
create mode 100644 queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch
create mode 100644 queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch
create mode 100644 queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch
create mode 100644 queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch
create mode 100644 queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch
create mode 100644 queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
diff --git a/queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch b/queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644
index 00000000000..49f4bc68a46
--- /dev/null
+++ b/queue-4.8/esp4-fix-integrity-verification-when-esn-are-used.patch
@@ -0,0 +1,33 @@
+From 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 29 Nov 2016 17:05:20 +0100
+Subject: esp4: Fix integrity verification when ESN are used
+
+From: Tobias Brunner
+
+commit 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/esp4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -476,7 +476,7 @@ static int esp_input(struct xfrm_state *
+ esph = (void *)skb_push(skb, 4);
+ *seqhi = esph->spi;
+ esph->spi = esph->seq_no;
+- esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++ esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+ aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+ }
+
diff --git a/queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch b/queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644
index 00000000000..632cb3d6264
--- /dev/null
+++ b/queue-4.8/esp6-fix-integrity-verification-when-esn-are-used.patch
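Review bot: In the esp_input() hunk of esp4-fix-integrity-verification-when-esn-are-used.patch, the new assignment `esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;` carries no comment saying the value is already in network byte order, which is the assumption the removed `htonl()` got wrong. A one-line comment above it, `/* seq.input.hi is stored in network byte order; do not convert again */`, would keep the conversion from being reintroduced; the same applies to the identical line in the esp6_input() hunk of the esp6 patch. Because `htonl(0) == 0`, the double conversion was presumably invisible until the high half of the sequence number became non-zero, so an ESN regression test should cover a non-zero high half. Both functions start and end outside their hunks.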
@@ -0,0 +1,33 @@
+From a55e23864d381c5a4ef110df94b00b2fe121a70d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 29 Nov 2016 17:05:25 +0100
+Subject: esp6: Fix integrity verification when ESN are used
+
+From: Tobias Brunner
+
+commit a55e23864d381c5a4ef110df94b00b2fe121a70d upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/esp6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -418,7 +418,7 @@ static int esp6_input(struct xfrm_state
+ esph = (void *)skb_push(skb, 4);
+ *seqhi = esph->spi;
+ esph->spi = esph->seq_no;
+- esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++ esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+ aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+ }
+
diff --git a/queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch b/queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch
new file mode 100644
index 00000000000..09f23472152
--- /dev/null
+++ b/queue-4.8/flowcache-increase-threshold-for-refusing-new-allocations.patch
@@ -0,0 +1,53 @@
+From 6b226487815574193c1da864f2eac274781a2b0c Mon Sep 17 00:00:00 2001
+From: Miroslav Urbanek
+Date: Mon, 21 Nov 2016 15:48:21 +0100
+Subject: flowcache: Increase threshold for refusing new allocations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miroslav Urbanek
+
+commit 6b226487815574193c1da864f2eac274781a2b0c upstream.
+
+The threshold for OOM protection is too small for systems with large
+number of CPUs. Applications report ENOBUFs on connect() every 10
+minutes.
+
+The problem is that the variable net->xfrm.flow_cache_gc_count is a
+global counter while the variable fc->high_watermark is a per-CPU
+constant. Take the number of CPUs into account as well.
+
+Fixes: 6ad3122a08e3 ("flowcache: Avoid OOM condition under preasure")
+Reported-by: Lukáš Koldrt
+Tested-by: Jan Hejl
+Signed-off-by: Miroslav Urbanek
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/flow.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/core/flow.c
++++ b/net/core/flow.c
+@@ -95,7 +95,6 @@ static void flow_cache_gc_task(struct wo
+ list_for_each_entry_safe(fce, n, &gc_list, u.gc_list) {
+ flow_entry_kill(fce, xfrm);
+ atomic_dec(&xfrm->flow_cache_gc_count);
+- WARN_ON(atomic_read(&xfrm->flow_cache_gc_count) < 0);
+ }
+ }
+
+@@ -236,9 +235,8 @@ flow_cache_lookup(struct net *net, const
+ if (fcp->hash_count > fc->high_watermark)
+ flow_cache_shrink(fc, fcp);
+
+- if (fcp->hash_count > 2 * fc->high_watermark ||
+- atomic_read(&net->xfrm.flow_cache_gc_count) > fc->high_watermark) {
+- atomic_inc(&net->xfrm.flow_cache_genid);
++ if (atomic_read(&net->xfrm.flow_cache_gc_count) >
++ 2 * num_online_cpus() * fc->high_watermark) {
+ flo = ERR_PTR(-ENOBUFS);
+ goto ret_object;
+ }
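Review bot: The flow_cache_gc_task() hunk drops `WARN_ON(atomic_read(&xfrm->flow_cache_gc_count) < 0);`, and the flow_cache_lookup() hunk drops both the per-CPU `fcp->hash_count > 2 * fc->high_watermark` test and the `atomic_inc(&net->xfrm.flow_cache_genid)` bump, yet the description only explains scaling the threshold by the CPU count. The new test compares the `int` returned by `atomic_read()` with `2 * num_online_cpus() * fc->high_watermark`; if that product is unsigned (the type of `high_watermark` is not visible here), an underflowed counter would compare as a very large value and lookups reaching this branch would return `-ENOBUFS`, with nothing left to report it. I would either keep a cheap check such as `WARN_ON_ONCE(atomic_read(&xfrm->flow_cache_gc_count) < 0);` or state in the description why the removed checks are safe to lose. Both functions continue outside their hunks.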
diff --git a/queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch b/queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch
new file mode 100644
index 00000000000..086c58c12d4
--- /dev/null
+++ b/queue-4.8/ipv4-set-skb-protocol-properly-for-local-output.patch
@@ -0,0 +1,39 @@
+From f4180439109aa720774baafdd798b3234ab1a0d2 Mon Sep 17 00:00:00 2001
+From: Eli Cooper
+Date: Thu, 1 Dec 2016 10:05:10 +0800
+Subject: ipv4: Set skb->protocol properly for local output
+
+From: Eli Cooper
+
+commit f4180439109aa720774baafdd798b3234ab1a0d2 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+ xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IP before dst_output() is called,
+fixing a bug where GSO packets sent through a sit tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_output.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -98,6 +98,9 @@ int __ip_local_out(struct net *net, stru
+
+ iph->tot_len = htons(skb->len);
+ ip_send_check(iph);
++
++ skb->protocol = htons(ETH_P_IP);
++
+ return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
+ net, sk, skb, NULL, skb_dst(skb)->dev,
+ dst_output);
diff --git a/queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch b/queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch
new file mode 100644
index 00000000000..5cff552d0f7
--- /dev/null
+++ b/queue-4.8/ipv6-set-skb-protocol-properly-for-local-output.patch
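Review bot: The added `skb->protocol = htons(ETH_P_IP);` in __ip_local_out() has no comment, so the reason for it lives only in the commit message. The assignment is unconditional and replaces whatever protocol the caller left on the skb, so a short comment such as `/* skb_gso_segment() on the xfrm output path relies on skb->protocol */` would tell a later reader why it must stay ahead of the `nf_hook()` call. The same comment fits the `skb->protocol = htons(ETH_P_IPV6);` line added to __ip6_local_out() in the ipv6 patch. Both functions begin outside their hunks.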
@@ -0,0 +1,38 @@
+From b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 Mon Sep 17 00:00:00 2001
+From: Eli Cooper
+Date: Thu, 1 Dec 2016 10:05:11 +0800
+Subject: ipv6: Set skb->protocol properly for local output
+
+From: Eli Cooper
+
+commit b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+ xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IPV6 before dst_output() is called,
+fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/output_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -148,6 +148,8 @@ int __ip6_local_out(struct net *net, str
+ ipv6_hdr(skb)->payload_len = htons(len);
+ IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
+
++ skb->protocol = htons(ETH_P_IPV6);
++
+ return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+ net, sk, skb, NULL, skb_dst(skb)->dev,
+ dst_output);
diff --git a/queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch b/queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
new file mode 100644
index 00000000000..58ffabafe21
--- /dev/null
+++ b/queue-4.8/revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
@@ -0,0 +1,33 @@
+From 80d1106aeaf689ab5fdf33020c5fecd269b31c88 Mon Sep 17 00:00:00 2001
+From: Eli Cooper
+Date: Thu, 1 Dec 2016 10:05:12 +0800
+Subject: Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
+
+From: Eli Cooper
+
+commit 80d1106aeaf689ab5fdf33020c5fecd269b31c88 upstream.
+
+This reverts commit ae148b085876fa771d9ef2c05f85d4b4bf09ce0d
+("ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()").
+
+skb->protocol is now set in __ip_local_out() and __ip6_local_out() before
+dst_output() is called. It is no longer necessary to do it for each tunnel.
+
+Signed-off-by: Eli Cooper
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/ip6_tunnel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1143,7 +1143,6 @@ int ip6_tnl_xmit(struct sk_buff *skb, st
+ if (err)
+ return err;
+
+- skb->protocol = htons(ETH_P_IPV6);
+ skb_push(skb, sizeof(struct ipv6hdr));
+ skb_reset_network_header(skb);
+ ipv6h = ipv6_hdr(skb);
diff --git a/queue-4.8/series b/queue-4.8/series
index 011091005d9..3f09ebeaf3c 100644
--- a/queue-4.8/series
+++ b/queue-4.8/series
@@ -37,3 +37,9 @@ sparc64-fix-compile-warning-section-mismatch-in-find_node.patch
 sparc32-fix-inverted-invalid_frame_pointer-checks-on-sigreturns.patch
 don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
 constify-iov_iter_count-and-iter_is_iovec.patch
+ipv6-set-skb-protocol-properly-for-local-output.patch
+ipv4-set-skb-protocol-properly-for-local-output.patch
+revert-ip6_tunnel-update-skb-protocol-to-eth_p_ipv6-in-ip6_tnl_xmit.patch
+flowcache-increase-threshold-for-refusing-new-allocations.patch
+esp4-fix-integrity-verification-when-esn-are-used.patch
+esp6-fix-integrity-verification-when-esn-are-used.patch
-- 
2.47.3