From 7cb1bc7303490d86558f95caa43a0bf83c069132 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 17 Jun 2016 08:36:13 -0700 Subject: [PATCH] 4.6-stable patches added patches: bpf-inode-disallow-userns-mounts.patch bpf-trace-use-read_once-for-retrieving-file-ptr.patch bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch macsec-fix-netlink-attribute-for-key-id.patch net-alx-use-custom-skb-allocator.patch net-hwbm-fix-unbalanced-spinlock-in-error-case.patch net-mvneta-fix-lacking-spinlock-initialization.patch net-nps_enet-disable-interrupts-before-napi-reschedule.patch net-stmmac-fix-incorrect-memcpy-source-memory.patch netlink-fix-dump-skb-leak-double-free.patch sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch switchdev-pass-pointer-to-fib_info-instead-of-copy.patch tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch team-don-t-call-netdev_change_features-under-team-lock.patch tipc-check-nl-sock-before-parsing-nested-attributes.patch tipc-fix-nametable-publication-field-in-nl-compat.patch tuntap-correctly-wake-up-process-during-uninit.patch uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch --- .../bpf-inode-disallow-userns-mounts.patch | 49 +++++ ...se-read_once-for-retrieving-file-ptr.patch | 48 +++++ ...mount_ns-to-mount-the-bpf-filesystem.patch | 52 ++++++ ...al-fdb-entry-on-changing-mac-address.patch | 34 ++++ ...initialized-ttl-when-config_sysctl-n.patch | 70 +++++++ ...f-dst_entry-in-socket-cache-is-valid.patch | 102 +++++++++++ ...tion-passed-to-setup_udp_tunnel_sock.patch | 91 +++++++++ ...sec-fix-netlink-attribute-for-key-id.patch | 40 ++++ .../net-alx-use-custom-skb-allocator.patch | 173 
++++++++++++++++++ ...ix-unbalanced-spinlock-in-error-case.patch | 46 +++++ ...-fix-lacking-spinlock-initialization.patch | 55 ++++++ ...le-interrupts-before-napi-reschedule.patch | 40 ++++ ...c-fix-incorrect-memcpy-source-memory.patch | 37 ++++ ...etlink-fix-dump-skb-leak-double-free.patch | 50 +++++ queue-4.6/series | 24 +++ ...set-clear-pio-buffer-linkage-in-txqs.patch | 59 ++++++ ...-pointer-to-fib_info-instead-of-copy.patch | 95 ++++++++++ ...d-tlp-and-er-timer-stats-in-v6-stats.patch | 35 ++++ ...tdev_change_features-under-team-lock.patch | 89 +++++++++ ...ock-before-parsing-nested-attributes.patch | 36 ++++ ...table-publication-field-in-nl-compat.patch | 32 ++++ ...rectly-wake-up-process-during-uninit.patch | 68 +++++++ ...compilation-when-__use_misc-in-glibc.patch | 37 ++++ ...bs-lingering-in-tunnel-socket-queues.patch | 103 +++++++++++ ...mtu-value-when-create-new-vxlan-link.patch | 39 ++++ 25 files changed, 1504 insertions(+) create mode 100644 queue-4.6/bpf-inode-disallow-userns-mounts.patch create mode 100644 queue-4.6/bpf-trace-use-read_once-for-retrieving-file-ptr.patch create mode 100644 queue-4.6/bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch create mode 100644 queue-4.6/bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch create mode 100644 queue-4.6/ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch create mode 100644 queue-4.6/ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch create mode 100644 queue-4.6/l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch create mode 100644 queue-4.6/macsec-fix-netlink-attribute-for-key-id.patch create mode 100644 queue-4.6/net-alx-use-custom-skb-allocator.patch create mode 100644 queue-4.6/net-hwbm-fix-unbalanced-spinlock-in-error-case.patch create mode 100644 queue-4.6/net-mvneta-fix-lacking-spinlock-initialization.patch create mode 100644 queue-4.6/net-nps_enet-disable-interrupts-before-napi-reschedule.patch create mode 100644 
queue-4.6/net-stmmac-fix-incorrect-memcpy-source-memory.patch create mode 100644 queue-4.6/netlink-fix-dump-skb-leak-double-free.patch create mode 100644 queue-4.6/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch create mode 100644 queue-4.6/switchdev-pass-pointer-to-fib_info-instead-of-copy.patch create mode 100644 queue-4.6/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch create mode 100644 queue-4.6/team-don-t-call-netdev_change_features-under-team-lock.patch create mode 100644 queue-4.6/tipc-check-nl-sock-before-parsing-nested-attributes.patch create mode 100644 queue-4.6/tipc-fix-nametable-publication-field-in-nl-compat.patch create mode 100644 queue-4.6/tuntap-correctly-wake-up-process-during-uninit.patch create mode 100644 queue-4.6/uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch create mode 100644 queue-4.6/udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch create mode 100644 queue-4.6/vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch
diff --git a/queue-4.6/bpf-inode-disallow-userns-mounts.patch b/queue-4.6/bpf-inode-disallow-userns-mounts.patch
new file mode 100644
index 00000000000..a7bc54dbe3c
--- /dev/null
+++ b/queue-4.6/bpf-inode-disallow-userns-mounts.patch
@@ -0,0 +1,49 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Daniel Borkmann
+Date: Sun, 22 May 2016 23:16:18 +0200
+Subject: bpf, inode: disallow userns mounts
+
+From: Daniel Borkmann
+
+[ Upstream commit 612bacad78ba6d0a91166fc4487af114bac172a8 ]
+
+Follow-up to commit e27f4a942a0e ("bpf: Use mount_nodev not mount_ns
+to mount the bpf filesystem"), which removes the FS_USERNS_MOUNT flag.
+
+The original idea was to have a per mountns instance instead of a
+single global fs instance, but that didn't work out and we had to
+switch to mount_nodev() model. The intent of that middle ground was
+that we avoid users who don't play nice to create endless instances
+of bpf fs which are difficult to control and discover from an admin
+point of view, but at the same time it would have allowed us to be
+more flexible with regard to namespaces.
+
+Therefore, since we now did the switch to mount_nodev() as a fix
+where individual instances are created, we also need to remove userns
+mount flag along with it to avoid running into mentioned situation.
+I don't expect any breakage at this early point in time with removing
+the flag and we can revisit this later should the requirement for
+this come up with future users. This and commit e27f4a942a0e have
+been split to facilitate tracking should any of them run into the
+unlikely case of causing a regression.
+
+Fixes: b2197755b263 ("bpf: add support for persistent maps/progs")
+Signed-off-by: Daniel Borkmann
+Acked-by: Hannes Frederic Sowa
+Acked-by: Alexei Starovoitov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/inode.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -386,7 +386,6 @@ static struct file_system_type bpf_fs_ty
+ .name = "bpf",
+ .mount = bpf_mount,
+ .kill_sb = kill_litter_super,
+- .fs_flags = FS_USERNS_MOUNT,
+ };
+
+ MODULE_ALIAS_FS("bpf");
diff --git a/queue-4.6/bpf-trace-use-read_once-for-retrieving-file-ptr.patch b/queue-4.6/bpf-trace-use-read_once-for-retrieving-file-ptr.patch
new file mode 100644
index 00000000000..5571e8d7cbd
--- /dev/null
+++ b/queue-4.6/bpf-trace-use-read_once-for-retrieving-file-ptr.patch
@@ -0,0 +1,48 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Daniel Borkmann
+Date: Sat, 4 Jun 2016 20:50:59 +0200
+Subject: bpf, trace: use READ_ONCE for retrieving file ptr
+
+From: Daniel Borkmann
+
+[ Upstream commit 5b6c1b4d46b0dae4edea636a776d09f2064f4cd7 ]
+
+In bpf_perf_event_read() and bpf_perf_event_output(), we must use
+READ_ONCE() for fetching the struct file pointer, which could get
+updated concurrently, so we must prevent the compiler from potential
+refetching.
+
+We already do this with tail calls for fetching the related bpf_prog,
+but not so on stored perf events. Semantics for both are the same
+with regards to updates.
+
+Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
+Fixes: 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
+Signed-off-by: Daniel Borkmann
+Acked-by: Alexei Starovoitov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/bpf_trace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -194,7 +194,7 @@ static u64 bpf_perf_event_read(u64 r1, u
+ if (unlikely(index >= array->map.max_entries))
+ return -E2BIG;
+
+- file = (struct file *)array->ptrs[index];
++ file = READ_ONCE(array->ptrs[index]);
+ if (unlikely(!file))
+ return -ENOENT;
+
+@@ -238,7 +238,7 @@ static u64 bpf_perf_event_output(u64 r1,
+ if (unlikely(index >= array->map.max_entries))
+ return -E2BIG;
+
+- file = (struct file *)array->ptrs[index];
++ file = READ_ONCE(array->ptrs[index]);
+ if (unlikely(!file))
+ return -ENOENT;
+
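Review bot: Neither `file = READ_ONCE(array->ptrs[index]);` site carries a comment saying why a plain load is not enough; the reason lives only in the commit message. I would add above each load `/* ptrs[] can be updated concurrently; read the slot once so the NULL check and later uses see the same pointer */`. READ_ONCE() only constrains the compiler, so the comment should also name what keeps the struct file alive after the load; that is not visible in these hunks and needs confirming against the map update path. Both bpf_perf_event_read() and bpf_perf_event_output() start and end outside the hunks shown.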
diff --git a/queue-4.6/bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch b/queue-4.6/bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch
new file mode 100644
index 00000000000..acaedf2eeed
--- /dev/null
+++ b/queue-4.6/bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch
@@ -0,0 +1,52 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: "Eric W. Biederman"
+Date: Fri, 20 May 2016 17:22:48 -0500
+Subject: bpf: Use mount_nodev not mount_ns to mount the bpf filesystem
+
+From: "Eric W. Biederman"
+
+[ Upstream commit e27f4a942a0ee4b84567a3c6cfa84f273e55cbb7 ]
+
+While reviewing the filesystems that set FS_USERNS_MOUNT I spotted the
+bpf filesystem. Looking at the code I saw a broken usage of mount_ns
+with current->nsproxy->mnt_ns. As the code does not acquire a
+reference to the mount namespace it can not possibly be correct to
+store the mount namespace on the superblock as it does.
+
+Replace mount_ns with mount_nodev so that each mount of the bpf
+filesystem returns a distinct instance, and the code is not buggy.
+
+In discussion with Hannes Frederic Sowa it was reported that the use
+of mount_ns was an attempt to have one bpf instance per mount
+namespace, in an attempt to keep resources that pin resources from
+hiding. That intent simply does not work, the vfs is not built to
+allow that kind of behavior. Which means that the bpf filesystem
+really is buggy both semantically and in it's implemenation as it does
+not nor can it implement the original intent.
+
+This change is userspace visible, but my experience with similar
+filesystems leads me to believe nothing will break with a model of each
+mount of the bpf filesystem is distinct from all others.
+
+Fixes: b2197755b263 ("bpf: add support for persistent maps/progs")
+Cc: Hannes Frederic Sowa
+Acked-by: Daniel Borkmann
+Signed-off-by: "Eric W. Biederman"
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -378,7 +378,7 @@ static int bpf_fill_super(struct super_b
+ static struct dentry *bpf_mount(struct file_system_type *type, int flags,
+ const char *dev_name, void *data)
+ {
+- return mount_ns(type, flags, current->nsproxy->mnt_ns, bpf_fill_super);
++ return mount_nodev(type, flags, data, bpf_fill_super);
+ }
+
+ static struct file_system_type bpf_fs_type = {
diff --git a/queue-4.6/bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch b/queue-4.6/bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch
new file mode 100644
index 00000000000..ab9bd74cda6
--- /dev/null
+++ b/queue-4.6/bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch
@@ -0,0 +1,34 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Toshiaki Makita
+Date: Tue, 7 Jun 2016 19:14:17 +0900
+Subject: bridge: Don't insert unnecessary local fdb entry on changing mac address
+
+From: Toshiaki Makita
+
+[ Upstream commit 0b148def403153a4d1565f1640356cb78ce5109f ]
+
+The missing br_vlan_should_use() test caused creation of an unneeded
+local fdb entry on changing mac address of a bridge device when there is
+a vlan which is configured on a bridge port but not on the bridge
+device.
+
+Fixes: 2594e9064a57 ("bridge: vlan: add per-vlan struct and move to rhashtables")
+Signed-off-by: Toshiaki Makita
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_fdb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -279,6 +279,8 @@ void br_fdb_change_mac_address(struct ne
+ * change from under us.
+ */
+ list_for_each_entry(v, &vg->vlan_list, vlist) {
++ if (!br_vlan_should_use(v))
++ continue;
+ f = __br_fdb_get(br, br->dev->dev_addr, v->vid);
+ if (f && f->is_local && !f->dst)
+ fdb_delete_local(br, NULL, f);
diff --git a/queue-4.6/ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch b/queue-4.6/ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch
new file mode 100644
index 00000000000..cf3549a3e25
--- /dev/null
+++ b/queue-4.6/ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch
@@ -0,0 +1,70 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Ezequiel Garcia
+Date: Fri, 20 May 2016 13:21:10 -0300
+Subject: ipv4: Fix non-initialized TTL when CONFIG_SYSCTL=n
+
+From: Ezequiel Garcia
+
+[ Upstream commit 049bbf589ec651685205bd8ce73221fdd62345cf ]
+
+Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
+moves the default TTL assignment, and as side-effect IPv4 TTL now
+has a default value only if sysctl support is enabled (CONFIG_SYSCTL=y).
+
+The sysctl_ip_default_ttl is fundamental for IP to work properly,
+as it provides the TTL to be used as default. The defautl TTL may be
+used in ip_selected_ttl, through the following flow:
+
+ ip_select_ttl
+ ip4_dst_hoplimit
+ net->ipv4.sysctl_ip_default_ttl
+
+This commit fixes the issue by assigning net->ipv4.sysctl_ip_default_ttl
+in net_init_net, called during ipv4's initialization.
+
+Without this commit, a kernel built without sysctl support will send
+all IP packets with zero TTL (unless a TTL is explicitly set, e.g.
+with setsockopt).
+
+Given a similar issue might appear on the other knobs that were
+namespaceify, this commit also moves them.
+
+Fixes: fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
+Signed-off-by: Ezequiel Garcia
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/af_inet.c | 8 ++++++++
+ net/ipv4/sysctl_net_ipv4.c | 4 ----
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1660,6 +1660,14 @@ static __net_init int inet_init_net(stru
+ */
+ net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
+ net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
++
++ /* Default values for sysctl-controlled parameters.
++ * We set them here, in case sysctl is not compiled.
++ */
++ net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
++ net->ipv4.sysctl_ip_dynaddr = 0;
++ net->ipv4.sysctl_ip_early_demux = 1;
++
+ return 0;
+ }
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -988,10 +988,6 @@ static __net_init int ipv4_sysctl_init_n
+ if (!net->ipv4.sysctl_local_reserved_ports)
+ goto err_ports;
+
+- net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
+- net->ipv4.sysctl_ip_dynaddr = 0;
+- net->ipv4.sysctl_ip_early_demux = 1;
+-
+ return 0;
+
+ err_ports:
diff --git a/queue-4.6/ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch b/queue-4.6/ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch
new file mode 100644
index 00000000000..d80ca4c614e
--- /dev/null
+++ b/queue-4.6/ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch
@@ -0,0 +1,102 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jakub Sitnicki
+Date: Wed, 8 Jun 2016 15:13:34 +0200
+Subject: ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
+
+From: Jakub Sitnicki
+
+[ Upstream commit 00bc0ef5880dc7b82f9c320dead4afaad48e47be ]
+
+At present we perform an xfrm_lookup() for each UDPv6 message we
+send. The lookup involves querying the flow cache (flow_cache_lookup)
+and, in case of a cache miss, creating an XFRM bundle.
+
+If we miss the flow cache, we can end up creating a new bundle and
+deriving the path MTU (xfrm_init_pmtu) from on an already transformed
+dst_entry, which we pass from the socket cache (sk->sk_dst_cache) down
+to xfrm_lookup(). This can happen only if we're caching the dst_entry
+in the socket, that is when we're using a connected UDP socket.
+
+To put it another way, the path MTU shrinks each time we miss the flow
+cache, which later on leads to incorrectly fragmented payload. It can
+be observed with ESPv6 in transport mode:
+
+ 1) Set up a transformation and lower the MTU to trigger fragmentation
+ # ip xfrm policy add dir out src ::1 dst ::1 \
+ tmpl src ::1 dst ::1 proto esp spi 1
+ # ip xfrm state add src ::1 dst ::1 \
+ proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ # ip link set dev lo mtu 1500
+
+ 2) Monitor the packet flow and set up an UDP sink
+ # tcpdump -ni lo -ttt &
+ # socat udp6-listen:12345,fork /dev/null &
+
+ 3) Send a datagram that needs fragmentation with a connected socket
+ # perl -e 'print "@" x 1470 | socat - udp6:[::1]:12345
+ 2016/06/07 18:52:52 socat[724] E read(3, 0x555bb3d5ba00, 8192): Protocol error
+ 00:00:00.000000 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x2), length 1448
+ 00:00:00.000014 IP6 ::1 > ::1: frag (1448|32)
+ 00:00:00.000050 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x3), length 1272
+ (^ ICMPv6 Parameter Problem)
+ 00:00:00.000022 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x5), length 136
+
+ 4) Compare it to a non-connected socket
+ # perl -e 'print "@" x 1500' | socat - udp6-sendto:[::1]:12345
+ 00:00:40.535488 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x6), length 1448
+ 00:00:00.000010 IP6 ::1 > ::1: frag (1448|64)
+
+What happens in step (3) is:
+
+ 1) when connecting the socket in __ip6_datagram_connect(), we
+ perform an XFRM lookup, miss the flow cache, create an XFRM
+ bundle, and cache the destination,
+
+ 2) afterwards, when sending the datagram, we perform an XFRM lookup,
+ again, miss the flow cache (due to mismatch of flowi6_iif and
+ flowi6_oif, which is an issue of its own), and recreate an XFRM
+ bundle based on the cached (and already transformed) destination.
+
+To prevent the recreation of an XFRM bundle, avoid an XFRM lookup
+altogether whenever we already have a destination entry cached in the
+socket. This prevents the path MTU shrinkage and brings us on par with
+UDPv4.
+
+The fix also benefits connected PINGv6 sockets, another user of
+ip6_sk_dst_lookup_flow(), who also suffer messages being transformed
+twice.
+
+Joint work with Hannes Frederic Sowa.
+
+Reported-by: Jan Tluka
+Signed-off-by: Jakub Sitnicki
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1071,17 +1071,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow
+ const struct in6_addr *final_dst)
+ {
+ struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
+- int err;
+
+ dst = ip6_sk_dst_check(sk, dst, fl6);
++ if (!dst)
++ dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
+
+- err = ip6_dst_lookup_tail(sock_net(sk), sk, &dst, fl6);
+- if (err)
+- return ERR_PTR(err);
+- if (final_dst)
+- fl6->daddr = *final_dst;
+-
+- return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
++ return dst;
+ }
+ EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
+
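Review bot: The new tail of ip6_sk_dst_lookup_flow() has two exits with different side effects on its arguments, and nothing in the code says so. On a cache hit the dst is returned directly, so `final_dst` is never applied to `fl6` and no XFRM lookup runs; on a miss both happen inside `ip6_dst_lookup_flow(sk, fl6, final_dst)`. That matches the commit message, but a caller that reads `fl6->daddr` afterwards would see a result that depends on the cache state, which may or may not matter to the existing callers (not visible here). I would document it in the function's header comment, which lies outside this hunk, along the lines of `On a valid cached dst the entry is returned as is: no XFRM lookup is done and @final_dst is not written to @fl6.`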
diff --git a/queue-4.6/l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch b/queue-4.6/l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch
new file mode 100644
index 00000000000..a8e9ef9108d
--- /dev/null
+++ b/queue-4.6/l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch
@@ -0,0 +1,91 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Guillaume Nault
+Date: Wed, 8 Jun 2016 12:59:17 +0200
+Subject: l2tp: fix configuration passed to setup_udp_tunnel_sock()
+
+From: Guillaume Nault
+
+[ Upstream commit a5c5e2da8551eb69e5d5d09d51d526140b5db9fb ]
+
+Unused fields of udp_cfg must be all zeros. Otherwise
+setup_udp_tunnel_sock() fills ->gro_receive and ->gro_complete
+callbacks with garbage, eventually resulting in panic when used by
+udp_gro_receive().
+
+[ 72.694123] BUG: unable to handle kernel paging request at ffff880033f87d78
+[ 72.695518] IP: [] 0xffff880033f87d78
+[ 72.696530] PGD 26e2067 PUD 26e3067 PMD 342ed063 PTE 8000000033f87163
+[ 72.696530] Oops: 0011 [#1] SMP KASAN
+[ 72.696530] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pptp gre pppox ppp_generic slhc crc32c_intel ghash_clmulni_intel jitterentropy_rng sha256_generic hmac drbg ansi_cprng aesni_intel evdev aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper serio_raw acpi_cpufreq button proc\
+essor ext4 crc16 jbd2 mbcache virtio_blk virtio_net virtio_pci virtio_ring virtio
+[ 72.696530] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.7.0-rc1 #1
+[ 72.696530] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
+[ 72.696530] task: ffff880035b59700 ti: ffff880035b70000 task.ti: ffff880035b70000
+[ 72.696530] RIP: 0010:[] [] 0xffff880033f87d78
+[ 72.696530] RSP: 0018:ffff880035f87bc0 EFLAGS: 00010246
+[ 72.696530] RAX: ffffed000698f996 RBX: ffff88003326b840 RCX: ffffffff814cc823
+[ 72.696530] RDX: ffff88003326b840 RSI: ffff880033e48038 RDI: ffff880034c7c780
+[ 72.696530] RBP: ffff880035f87c18 R08: 000000000000a506 R09: 0000000000000000
+[ 72.696530] R10: ffff880035f87b38 R11: ffff880034b9344d R12: 00000000ebfea715
+[ 72.696530] R13: 0000000000000000 R14: ffff880034c7c780 R15: 0000000000000000
+[ 72.696530] FS: 0000000000000000(0000) GS:ffff880035f80000(0000) knlGS:0000000000000000
+[ 72.696530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 72.696530] CR2: ffff880033f87d78 CR3: 0000000033c98000 CR4: 00000000000406a0
+[ 72.696530] Stack:
+[ 72.696530] ffffffff814cc834 ffff880034b93468 0000001481416818 ffff88003326b874
+[ 72.696530] ffff880034c7ccb0 ffff880033e48038 ffff88003326b840 ffff880034b93462
+[ 72.696530] ffff88003326b88a ffff88003326b88c ffff880034b93468 ffff880035f87c70
+[ 72.696530] Call Trace:
+[ 72.696530]
+[ 72.696530] [] ? udp_gro_receive+0x1c6/0x1f9
+[ 72.696530] [] udp4_gro_receive+0x2b5/0x310
+[ 72.696530] [] inet_gro_receive+0x4a3/0x4cd
+[ 72.696530] [] dev_gro_receive+0x584/0x7a3
+[ 72.696530] [] ? __lock_is_held+0x29/0x64
+[ 72.696530] [] napi_gro_receive+0x124/0x21d
+[ 72.696530] [] virtnet_receive+0x8df/0x8f6 [virtio_net]
+[ 72.696530] [] virtnet_poll+0x1d/0x8d [virtio_net]
+[ 72.696530] [] net_rx_action+0x15b/0x3b9
+[ 72.696530] [] __do_softirq+0x216/0x546
+[ 72.696530] [] irq_exit+0x49/0xb6
+[ 72.696530] [] do_IRQ+0xe2/0xfa
+[ 72.696530] [] common_interrupt+0x89/0x89
+[ 72.696530]
+[ 72.696530] [] ? trace_hardirqs_on_caller+0x229/0x270
+[ 72.696530] [] ? default_idle+0x1c/0x2d
+[ 72.696530] [] ? default_idle+0x1a/0x2d
+[ 72.696530] [] arch_cpu_idle+0xa/0xc
+[ 72.696530] [] default_idle_call+0x1a/0x1c
+[ 72.696530] [] cpu_startup_entry+0x15b/0x20f
+[ 72.696530] [] start_secondary+0x12c/0x133
+[ 72.696530] Code: ff ff ff ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f 00 7e f8 33 00 88 ff ff 6d 61 58 81 ff ff ff ff 5e de 0a 81 ff ff ff ff <00> 5c e2 34 00 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 72.696530] RIP [] 0xffff880033f87d78
+[ 72.696530] RSP
+[ 72.696530] CR2: ffff880033f87d78
+[ 72.696530] ---[ end trace ad7758b9a1dccf99 ]---
+[ 72.696530] Kernel panic - not syncing: Fatal exception in interrupt
+[ 72.696530] Kernel Offset: disabled
+[ 72.696530] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
+
+v2: use empty initialiser instead of "{ NULL }" to avoid relying on
+ first field's type.
+
+Fixes: 38fd2af24fcf ("udp: Add socket based GRO and config")
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1581,7 +1581,7 @@ int l2tp_tunnel_create(struct net *net,
+ /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+ tunnel->encap = encap;
+ if (encap == L2TP_ENCAPTYPE_UDP) {
+- struct udp_tunnel_sock_cfg udp_cfg;
++ struct udp_tunnel_sock_cfg udp_cfg = { };
+
+ udp_cfg.sk_user_data = tunnel;
+ udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
diff --git a/queue-4.6/macsec-fix-netlink-attribute-for-key-id.patch b/queue-4.6/macsec-fix-netlink-attribute-for-key-id.patch
new file mode 100644
index 00000000000..5119633428d
--- /dev/null
+++ b/queue-4.6/macsec-fix-netlink-attribute-for-key-id.patch
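Review bot: A style point on `struct udp_tunnel_sock_cfg udp_cfg = { };` in l2tp_tunnel_create(): the struct is zeroed at the declaration and then populated by separate assignments below it (two are visible, the rest fall outside the hunk). Since this struct carries callback pointers that the UDP code later invokes, I would rather see the setup expressed as one designated initializer, `struct udp_tunnel_sock_cfg udp_cfg = { .sk_user_data = tunnel, .encap_type = UDP_ENCAP_L2TPINUDP };` with the remaining assignments folded in the same way. Unnamed members are then zero by construction and a later edit cannot quietly go back to an uninitialised stack copy. Behaviour is unchanged by this suggestion.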
@@ -0,0 +1,40 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Sabrina Dubroca
+Date: Wed, 18 May 2016 13:34:40 +0200
+Subject: macsec: fix netlink attribute for key id
+
+From: Sabrina Dubroca
+
+[ Upstream commit 1968a0b8b6ca088bc029bd99ee696f1aca4090d0 ]
+
+In my last commit I replaced MACSEC_SA_ATTR_KEYID by
+MACSEC_SA_ATTR_KEY.
+
+Fixes: 8acca6acebd0 ("macsec: key identifier is 128 bits, not 64")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1645,7 +1645,7 @@ static int macsec_add_rxsa(struct sk_buf
+ if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
+ rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
+
+- nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
++ nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
+ rx_sa->sc = rx_sc;
+ rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
+
+@@ -1784,7 +1784,7 @@ static int macsec_add_txsa(struct sk_buf
+ return -ENOMEM;
+ }
+
+- nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
++ nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
+
+ spin_lock_bh(&tx_sa->lock);
+ tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
diff --git a/queue-4.6/net-alx-use-custom-skb-allocator.patch b/queue-4.6/net-alx-use-custom-skb-allocator.patch
new file mode 100644
index 00000000000..3ae8425ea41
--- /dev/null
+++ b/queue-4.6/net-alx-use-custom-skb-allocator.patch
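Review bot: Both corrected calls read a fixed `MACSEC_KEYID_LEN` from `tb_sa[MACSEC_SA_ATTR_KEYID]`, but neither hunk shows that the attribute is present or that its payload has exactly that length. nla_memcpy() copies no more than the attribute's own length, so a short KEYID sent from userspace would leave part of `key.id` holding bytes that did not come from the caller's key id. If the validation helper and netlink policy outside these hunks do not already enforce this, the request should be rejected before the SA is allocated, e.g. `if (!tb_sa[MACSEC_SA_ATTR_KEYID] || nla_len(tb_sa[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN) return -EINVAL;` placed with the other attribute checks. macsec_add_rxsa() and macsec_add_txsa() both begin and end outside the hunks, so the right spot and any cleanup needed there must be checked against the full functions.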
@@ -0,0 +1,173 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Feng Tang
+Date: Wed, 25 May 2016 14:49:54 +0800
+Subject: net: alx: use custom skb allocator
+
+From: Feng Tang
+
+[ Upstream commit 26c5f03b2ae8018418ceb25b2e6a48560e8c2f5b ]
+
+This patch follows Eric Dumazet's commit 7b70176421 for Atheros
+atl1c driver to fix one exactly same bug in alx driver, that the
+network link will be lost in 1-5 minutes after the device is up.
+
+My laptop Lenovo Y580 with Atheros AR8161 ethernet device hit the
+same problem with kernel 4.4, and it will be cured by Jarod Wilson's
+commit c406700c for alx driver which get merged in 4.5. But there
+are still some alx devices can't function well even with Jarod's
+patch, while this patch could make them work fine. More details on
+ https://bugzilla.kernel.org/show_bug.cgi?id=70761
+
+The debug shows the issue is very likely to be related with the RX
+DMA address, specifically 0x...f80, if RX buffer get 0x...f80 several
+times, their will be RX overflow error and device will stop working.
+
+For kernel 4.5.0 with Jarod's patch which works fine with my
+AR8161/Lennov Y580, if I made some change to the
+ __netdev_alloc_skb
+ --> __alloc_page_frag()
+to make the allocated buffer can get an address with 0x...f80,
+then the same error happens. If I make it to 0x...f40 or 0x....fc0,
+everything will be still fine. So I tend to believe that the
+0x..f80 address cause the silicon to behave abnormally.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=70761
+Cc: Eric Dumazet
+Cc: Johannes Berg
+Cc: Jarod Wilson
+Signed-off-by: Feng Tang
+Tested-by: Ole Lukoie
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/alx/alx.h | 4 ++
+ drivers/net/ethernet/atheros/alx/main.c | 48 +++++++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/alx/alx.h
++++ b/drivers/net/ethernet/atheros/alx/alx.h
+@@ -96,6 +96,10 @@ struct alx_priv {
+ unsigned int rx_ringsz;
+ unsigned int rxbuf_size;
+
++ struct page *rx_page;
++ unsigned int rx_page_offset;
++ unsigned int rx_frag_size;
++
+ struct napi_struct napi;
+ struct alx_tx_queue txq;
+ struct alx_rx_queue rxq;
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -70,6 +70,35 @@ static void alx_free_txbuf(struct alx_pr
+ }
+ }
+
++static struct sk_buff *alx_alloc_skb(struct alx_priv *alx, gfp_t gfp)
++{
++ struct sk_buff *skb;
++ struct page *page;
++
++ if (alx->rx_frag_size > PAGE_SIZE)
++ return __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
++
++ page = alx->rx_page;
++ if (!page) {
++ alx->rx_page = page = alloc_page(gfp);
++ if (unlikely(!page))
++ return NULL;
++ alx->rx_page_offset = 0;
++ }
++
++ skb = build_skb(page_address(page) + alx->rx_page_offset,
++ alx->rx_frag_size);
++ if (likely(skb)) {
++ alx->rx_page_offset += alx->rx_frag_size;
++ if (alx->rx_page_offset >= PAGE_SIZE)
++ alx->rx_page = NULL;
++ else
++ get_page(page);
++ }
++ return skb;
++}
++
++
+ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
+ {
+ struct alx_rx_queue *rxq = &alx->rxq;
+@@ -86,7 +115,7 @@ static int alx_refill_rx_ring(struct alx
+ while (!cur_buf->skb && next != rxq->read_idx) {
+ struct alx_rfd *rfd = &rxq->rfd[cur];
+
+- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
++ skb = alx_alloc_skb(alx, gfp);
+ if (!skb)
+ break;
+ dma = dma_map_single(&alx->hw.pdev->dev,
+@@ -124,6 +153,7 @@ static int alx_refill_rx_ring(struct alx
+ alx_write_mem16(&alx->hw, ALX_RFD_PIDX, cur);
+ }
+
++
+ return count;
+ }
+
+@@ -592,6 +622,11 @@ static void alx_free_rings(struct alx_pr
+ kfree(alx->txq.bufs);
+ kfree(alx->rxq.bufs);
+
++ if (alx->rx_page) {
++ put_page(alx->rx_page);
++ alx->rx_page = NULL;
++ }
++
+ dma_free_coherent(&alx->hw.pdev->dev,
+ alx->descmem.size,
+ alx->descmem.virt,
+@@ -646,6 +681,7 @@ static int alx_request_irq(struct alx_pr
+ alx->dev->name, alx);
+ if (!err)
+ goto out;
++
+ /* fall back to legacy interrupt */
+ pci_disable_msi(alx->hw.pdev);
+ }
+@@ -689,6 +725,7 @@ static int alx_init_sw(struct alx_priv *
+ struct pci_dev *pdev = alx->hw.pdev;
+ struct alx_hw *hw = &alx->hw;
+ int err;
++ unsigned int head_size;
+
+ err = alx_identify_hw(alx);
+ if (err) {
+@@ -704,7 +741,12 @@ static int alx_init_sw(struct alx_priv *
+
+ hw->smb_timer = 400;
+ hw->mtu = alx->dev->mtu;
++
+ alx->rxbuf_size = ALX_MAX_FRAME_LEN(hw->mtu);
++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ alx->rx_frag_size = roundup_pow_of_two(head_size);
++
+ alx->tx_ringsz = 256;
+ alx->rx_ringsz = 512;
+ hw->imt = 200;
+@@ -806,6 +848,7 @@ static int alx_change_mtu(struct net_dev
+ {
+ struct alx_priv *alx = netdev_priv(netdev);
+ int max_frame = ALX_MAX_FRAME_LEN(mtu);
++ unsigned int head_size;
+
+ if ((max_frame < ALX_MIN_FRAME_SIZE) ||
+ (max_frame > ALX_MAX_FRAME_SIZE))
+@@ -817,6 +860,9 @@ static int alx_change_mtu(struct net_dev
+ netdev->mtu = mtu;
+ alx->hw.mtu = mtu;
+ alx->rxbuf_size = max(max_frame, ALX_DEF_RXBUF_SIZE);
++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ alx->rx_frag_size = roundup_pow_of_two(head_size);
+ netdev_update_features(netdev);
+ if (netif_running(netdev))
+ alx_reinit(alx);
diff --git a/queue-4.6/net-hwbm-fix-unbalanced-spinlock-in-error-case.patch b/queue-4.6/net-hwbm-fix-unbalanced-spinlock-in-error-case.patch
new file mode 100644
index 00000000000..7c843c614fa
--- /dev/null
+++ b/queue-4.6/net-hwbm-fix-unbalanced-spinlock-in-error-case.patch
@@ -0,0 +1,46 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Gregory CLEMENT
+Date: Tue, 24 May 2016 18:03:26 +0200
+Subject: net: hwbm: Fix unbalanced spinlock in error case
+
+From: Gregory CLEMENT
+
+[ Upstream commit b388fc7405e901c7d6f7817d05193c054e761815 ]
+
+When hwbm_pool_add exited in error the spinlock was not released. This
+patch fixes this issue.
+
+Fixes: 8cb2d8bf57e6 ("net: add a hardware buffer management helper API")
+Reported-by: Jean-Jacques Hiblot
+Cc:
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/hwbm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/hwbm.c
++++ b/net/core/hwbm.c
+@@ -55,18 +55,21 @@ int hwbm_pool_add(struct hwbm_pool *bm_p
+ spin_lock_irqsave(&bm_pool->lock, flags);
+ if (bm_pool->buf_num == bm_pool->size) {
+ pr_warn("pool already filled\n");
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return bm_pool->buf_num;
+ }
+
+ if (buf_num + bm_pool->buf_num > bm_pool->size) {
+ pr_warn("cannot allocate %d buffers for pool\n",
+ buf_num);
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return 0;
+ }
+
+ if ((buf_num + bm_pool->buf_num) < bm_pool->buf_num) {
+ pr_warn("Adding %d buffers to the %d current buffers will overflow\n",
+ buf_num, bm_pool->buf_num);
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return 0;
+ }
+
diff --git a/queue-4.6/net-mvneta-fix-lacking-spinlock-initialization.patch b/queue-4.6/net-mvneta-fix-lacking-spinlock-initialization.patch
new file mode 100644
index 00000000000..9568b386a64
--- /dev/null
+++ b/queue-4.6/net-mvneta-fix-lacking-spinlock-initialization.patch
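Review bot: In net/core/hwbm.c, the first error exit of hwbm_pool_add() still evaluates `bm_pool->buf_num` for its return value after the added `spin_unlock_irqrestore()`, so the field is read outside the lock it was compared under one line earlier. Copying it to a local before unlocking, or sending all three error exits through a single unlock label (for example `ret = bm_pool->buf_num; goto out_unlock;`), would close that gap and stop a future exit from missing the unlock again. The wrap test in the third branch also runs only after `buf_num + bm_pool->buf_num` has already been compared against `bm_pool->size` in the second, which looks like the wrong order if the sum can overflow. The function starts and ends outside the hunk.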
@@ -0,0 +1,55 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Gregory CLEMENT
+Date: Tue, 24 May 2016 18:03:25 +0200
+Subject: net: mvneta: Fix lacking spinlock initialization
+
+From: Gregory CLEMENT
+
+[ Upstream commit 91c45e38b9478ff507e05f10151d64cd0d1aad7b ]
+
+The spinlock used by the hwbm functions must be initialized by the
+network driver. This commit fixes this lack and the following erros when
+lockdep is enabled:
+
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
+[] (show_stack) from [] (dump_stack+0xb4/0xe0)
+[] (dump_stack) from [] (__lock_acquire+0x1f58/0x2060)
+[] (__lock_acquire) from [] (lock_acquire+0xa4/0xd0)
+[] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x54/0x68)
+[] (_raw_spin_lock_irqsave) from [] (hwbm_pool_add+0x1c/0xdc)
+[] (hwbm_pool_add) from [] (mvneta_bm_pool_use+0x338/0x490)
+[] (mvneta_bm_pool_use) from [] (mvneta_probe+0x654/0x1284)
+[] (mvneta_probe) from [] (platform_drv_probe+0x4c/0xb0)
+[] (platform_drv_probe) from [] (driver_probe_device+0x214/0x2c0)
+[] (driver_probe_device) from [] (__driver_attach+0xc0/0xc4)
+[] (__driver_attach) from [] (bus_for_each_dev+0x68/0x9c)
+[] (bus_for_each_dev) from [] (bus_add_driver+0x1a0/0x218)
+[] (bus_add_driver) from [] (driver_register+0x78/0xf8)
+[] (driver_register) from [] (do_one_initcall+0x90/0x1dc)
+[] (do_one_initcall) from [] (kernel_init_freeable+0x15c/0x1fc)
+[] (kernel_init_freeable) from [] (kernel_init+0x8/0x114)
+[] (kernel_init) from [] (ret_from_fork+0x14/0x24)
+
+Fixes: baa11ebc0c76 ("net: mvneta: Use the new hwbm framework")
+Reported-by: Russell King
+Cc:
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvneta_bm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/marvell/mvneta_bm.c
++++ b/drivers/net/ethernet/marvell/mvneta_bm.c
+@@ -189,6 +189,7 @@ struct mvneta_bm_pool *mvneta_bm_pool_us
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ hwbm_pool->construct = mvneta_bm_construct;
+ hwbm_pool->priv = new_pool;
++ spin_lock_init(&hwbm_pool->lock);
+
+ /* Create new pool */
+ err = mvneta_bm_pool_create(priv, new_pool);
diff --git a/queue-4.6/net-nps_enet-disable-interrupts-before-napi-reschedule.patch b/queue-4.6/net-nps_enet-disable-interrupts-before-napi-reschedule.patch
new file mode 100644
index 00000000000..18138e2fd45
--- /dev/null
+++ b/queue-4.6/net-nps_enet-disable-interrupts-before-napi-reschedule.patch
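Review bot: The added `spin_lock_init(&hwbm_pool->lock);` in mvneta_bm_pool_use() has no comment saying why the driver, rather than the hwbm core, has to initialise this lock. A one-line comment such as `/* hwbm_pool_add() takes this lock; it must be initialised before the pool is filled */` would keep the ordering from being disturbed by a later change. The lockdep trace in the description shows hwbm_pool_add() being reached from mvneta_bm_pool_use(), but the function continues outside the hunk, so whether every path that fills the pool runs after this line cannot be confirmed from here.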
@@ -0,0 +1,40 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Elad Kanfi
+Date: Thu, 26 May 2016 15:00:06 +0300
+Subject: net: nps_enet: Disable interrupts before napi reschedule
+
+From: Elad Kanfi
+
+[ Upstream commit 86651650d16a359e4142c6a8b0467c87e48c4c94 ]
+
+Since NAPI works by shutting down event interrupts when theres
+work and turning them on when theres none, the net driver must
+make sure that interrupts are disabled when it reschedules polling.
+By calling napi_reschedule, the driver switches to polling mode,
+therefor there should be no interrupt interference.
+Any received packets will be handled in nps_enet_poll by polling the HW
+indication of received packet until all packets are handled.
+
+Signed-off-by: Elad Kanfi
+Acked-by: Noam Camus
+Tested-by: Alexey Brodkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -205,8 +205,10 @@ static int nps_enet_poll(struct napi_str
+ * re-adding ourselves to the poll list.
+ */
+
+- if (priv->tx_skb && !tx_ctrl_ct)
++ if (priv->tx_skb && !tx_ctrl_ct) {
++ nps_enet_reg_set(priv, NPS_ENET_REG_BUF_INT_ENABLE, 0);
+ napi_reschedule(napi);
++ }
+ }
+
+ return work_done;
diff --git a/queue-4.6/net-stmmac-fix-incorrect-memcpy-source-memory.patch b/queue-4.6/net-stmmac-fix-incorrect-memcpy-source-memory.patch
new file mode 100644
index 00000000000..d8aedeeacae
--- /dev/null
+++ b/queue-4.6/net-stmmac-fix-incorrect-memcpy-source-memory.patch
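Review bot: In nps_enet_poll(), the result of `napi_reschedule(napi)` is discarded right after `NPS_ENET_REG_BUF_INT_ENABLE` has been written to 0, so if the reschedule does not take effect the buffer interrupts would stay masked with no poll pending. Either test the return value and restore the enable bits on failure, or add a comment stating why the call cannot fail at this point in the poll routine. The code that re-enables the interrupts is outside the hunk, so the pairing cannot be checked from the visible lines.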
@@ -0,0 +1,37 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Marek Vasut
+Date: Thu, 26 May 2016 00:40:23 +0200
+Subject: net: stmmac: Fix incorrect memcpy source memory
+
+From: Marek Vasut
+
+[ Upstream commit 643d60bf575daaba93c1ac0d0e1c4b1d4ded1f75 ]
+
+The memcpy() currently copies mdio_bus_data into new_bus->irq, which
+makes no sense, since the mdio_bus_data structure contains more than
+just irqs. The code was likely supposed to copy mdio_bus_data->irqs
+into the new_bus->irq instead, so fix this.
+
+Fixes: e7f4dc3536a4 ("mdio: Move allocation of interrupts into core")
+Signed-off-by: Marek Vasut
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -209,7 +209,7 @@ int stmmac_mdio_register(struct net_devi
+ return -ENOMEM;
+
+ if (mdio_bus_data->irqs)
+- memcpy(new_bus->irq, mdio_bus_data, sizeof(new_bus->irq));
++ memcpy(new_bus->irq, mdio_bus_data->irqs, sizeof(new_bus->irq));
+
+ #ifdef CONFIG_OF
+ if (priv->device->of_node)
diff --git a/queue-4.6/netlink-fix-dump-skb-leak-double-free.patch b/queue-4.6/netlink-fix-dump-skb-leak-double-free.patch
new file mode 100644
index 00000000000..f4582ea52c0
--- /dev/null
+++ b/queue-4.6/netlink-fix-dump-skb-leak-double-free.patch
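Review bot: The corrected `memcpy()` in stmmac_mdio_register() takes its length from the destination, `sizeof(new_bus->irq)`, while the source is now the pointer `mdio_bus_data->irqs`, whose backing size is not visible in the hunk. If platform data ever supplies a shorter array the copy reads past its end, so the required length should be stated at the call, e.g. `/* irqs must provide one entry for every element of new_bus->irq */`, or enforced where the platform data is built. The function starts and ends outside the hunk.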
@@ -0,0 +1,50 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Herbert Xu
+Date: Mon, 16 May 2016 17:28:16 +0800
+Subject: netlink: Fix dump skb leak/double free
+
+From: Herbert Xu
+
+[ Upstream commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 ]
+
+When we free cb->skb after a dump, we do it after releasing the
+lock. This means that a new dump could have started in the time
+being and we'll end up freeing their skb instead of ours.
+
+This patch saves the skb and module before we unlock so we free
+the right memory.
+
+Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
+Reported-by: Baozeng Ding
+Signed-off-by: Herbert Xu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
+ struct netlink_callback *cb;
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
++ struct module *module;
+ int len, err = -ENOBUFS;
+ int alloc_min_size;
+ int alloc_size;
+@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
+ cb->done(cb);
+
+ nlk->cb_running = false;
++ module = cb->module;
++ skb = cb->skb;
+ mutex_unlock(nlk->cb_mutex);
+- module_put(cb->module);
+- consume_skb(cb->skb);
++ module_put(module);
++ consume_skb(skb);
+ return 0;
+
+ errout_skb:
diff --git a/queue-4.6/series b/queue-4.6/series
index 6067fd370fb..ae7b13d7ef2 100644
--- a/queue-4.6/series
+++ b/queue-4.6/series
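Review bot: In netlink_dump(), the fix stores `cb->skb` into the existing local `skb`, which the function declares for the dump message it builds (`struct sk_buff *skb = NULL;`) and which the `errout_skb` label just below the hunk presumably also uses. Reusing one name for two different buffers makes ownership harder to audit in a function whose bug was freeing the wrong skb; a dedicated local such as `struct sk_buff *cb_skb;` beside the new `module` declaration would keep them apart. The code between the two hunks is not shown, so this assumes the dump skb has already been handed off by the time `skb = cb->skb;` runs.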
@@ -1,2 +1,26 @@
 scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
 scsi-add-qemu-cd-rom-to-vpd-inquiry-blacklist.patch
+tipc-check-nl-sock-before-parsing-nested-attributes.patch
+netlink-fix-dump-skb-leak-double-free.patch
+tipc-fix-nametable-publication-field-in-nl-compat.patch
+switchdev-pass-pointer-to-fib_info-instead-of-copy.patch
+macsec-fix-netlink-attribute-for-key-id.patch
+tuntap-correctly-wake-up-process-during-uninit.patch
+bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch
+udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch
+uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch
+ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch
+bpf-inode-disallow-userns-mounts.patch
+net-mvneta-fix-lacking-spinlock-initialization.patch
+net-hwbm-fix-unbalanced-spinlock-in-error-case.patch
+sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
+team-don-t-call-netdev_change_features-under-team-lock.patch
+net-alx-use-custom-skb-allocator.patch
+net-stmmac-fix-incorrect-memcpy-source-memory.patch
+vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch
+net-nps_enet-disable-interrupts-before-napi-reschedule.patch
+bpf-trace-use-read_once-for-retrieving-file-ptr.patch
+tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
+bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch
+l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch
+ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch
diff --git a/queue-4.6/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch b/queue-4.6/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
new file mode 100644
index 00000000000..20f5b440bd6
--- /dev/null
+++ b/queue-4.6/sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
@@ -0,0 +1,59 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Edward Cree
+Date: Tue, 24 May 2016 18:53:36 +0100
+Subject: sfc: on MC reset, clear PIO buffer linkage in TXQs
+
+From: Edward Cree
+
+[ Upstream commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb ]
+
+Otherwise, if we fail to allocate new PIO buffers, our TXQs will try to
+use the old ones, which aren't there any more.
+
+Fixes: 183233bec810 "sfc: Allocate and link PIO buffers; map them with write-combining"
+Signed-off-by: Edward Cree
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sfc/ef10.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -619,6 +619,17 @@ fail:
+ return rc;
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++ struct efx_channel *channel;
++ struct efx_tx_queue *tx_queue;
++
++ /* All our existing PIO buffers went away */
++ efx_for_each_channel(channel, efx)
++ efx_for_each_channel_tx_queue(tx_queue, channel)
++ tx_queue->piobuf = NULL;
++}
++
+ #else /* !EFX_USE_PIO */
+
+ static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
+@@ -635,6 +646,10 @@ static void efx_ef10_free_piobufs(struct
+ {
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++}
++
+ #endif /* EFX_USE_PIO */
+
+ static void efx_ef10_remove(struct efx_nic *efx)
+@@ -1018,6 +1033,7 @@ static void efx_ef10_reset_mc_allocation
+ nic_data->must_realloc_vis = true;
+ nic_data->must_restore_filters = true;
+ nic_data->must_restore_piobufs = true;
++ efx_ef10_forget_old_piobufs(efx);
+ nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
+
+ /* Driver-created vswitches and vports must be re-created */
diff --git a/queue-4.6/switchdev-pass-pointer-to-fib_info-instead-of-copy.patch b/queue-4.6/switchdev-pass-pointer-to-fib_info-instead-of-copy.patch
new file mode 100644
index 00000000000..14d064c2593
--- /dev/null
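Review bot: efx_ef10_forget_old_piobufs() clears `tx_queue->piobuf` on every TX queue with no locking visible and no statement of when that is safe. Because the call is added to efx_ef10_reset_mc_allocations(), a header comment giving the precondition would help, along the lines of `/* Caller must ensure no TX path can dereference piobuf while this runs */`, if that is what the reset path guarantees; the hunk does not show it. The existing one-line comment explains why the pointers are stale but not why clearing them here cannot race with a sender.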
+++ b/queue-4.6/switchdev-pass-pointer-to-fib_info-instead-of-copy.patch 
@@ -0,0 +1,95 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jiri Pirko
+Date: Tue, 17 May 2016 18:58:08 +0200
+Subject: switchdev: pass pointer to fib_info instead of copy
+
+From: Jiri Pirko
+
+[ Upstream commit da4ed55165d41b1073f9a476f1c18493e9bf8c8e ]
+
+The problem is that fib_info->nh is [0] so the struct fib_info
+allocation size depends on number of nexthops. If we just copy fib_info,
+we do not copy the nexthops info and driver accesses memory which is not
+ours.
+
+Given the fact that fib4 does not defer operations and therefore it does
+not need copy, just pass the pointer down to drivers as it was done
+before.
+
+Fixes: 850d0cbc91 ("switchdev: remove pointers from switchdev objects")
+Signed-off-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/rocker/rocker_ofdpa.c | 4 ++--
+ include/net/switchdev.h | 2 +-
+ net/switchdev/switchdev.c | 6 ++----
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+@@ -2727,7 +2727,7 @@ static int ofdpa_port_obj_fib4_add(struc
+
+ return ofdpa_port_fib_ipv4(ofdpa_port, trans,
+ htonl(fib4->dst), fib4->dst_len,
+- &fib4->fi, fib4->tb_id, 0);
++ fib4->fi, fib4->tb_id, 0);
+ }
+
+ static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
+@@ -2737,7 +2737,7 @@ static int ofdpa_port_obj_fib4_del(struc
+
+ return ofdpa_port_fib_ipv4(ofdpa_port, NULL,
+ htonl(fib4->dst), fib4->dst_len,
+- &fib4->fi, fib4->tb_id,
++ fib4->fi, fib4->tb_id,
+ OFDPA_OP_FLAG_REMOVE);
+ }
+
+--- a/include/net/switchdev.h
++++ b/include/net/switchdev.h
+@@ -97,7 +97,7 @@ struct switchdev_obj_ipv4_fib {
+ struct switchdev_obj obj;
+ u32 dst;
+ int dst_len;
+- struct fib_info fi;
++ struct fib_info *fi;
+ u8 tos;
+ u8 type;
+ u32 nlflags;
+--- a/net/switchdev/switchdev.c
++++ b/net/switchdev/switchdev.c
+@@ -1188,6 +1188,7 @@ int switchdev_fib_ipv4_add(u32 dst, int
+ .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
+ .dst = dst,
+ .dst_len = dst_len,
++ .fi = fi,
+ .tos = tos,
+ .type = type,
+ .nlflags = nlflags,
+@@ -1196,8 +1197,6 @@ int switchdev_fib_ipv4_add(u32 dst, int
+ struct net_device *dev;
+ int err = 0;
+
+- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
+-
+ /* Don't offload route if using custom ip rules or if
+ * IPv4 FIB offloading has been disabled completely.
+ */
+@@ -1242,6 +1241,7 @@ int switchdev_fib_ipv4_del(u32 dst, int
+ .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
+ .dst = dst,
+ .dst_len = dst_len,
++ .fi = fi,
+ .tos = tos,
+ .type = type,
+ .nlflags = 0,
+@@ -1250,8 +1250,6 @@ int switchdev_fib_ipv4_del(u32 dst, int
+ struct net_device *dev;
+ int err = 0;
+
+- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
+-
+ if (!(fi->fib_flags & RTNH_F_OFFLOAD))
+ return 0;
+
diff --git a/queue-4.6/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch b/queue-4.6/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
new file mode 100644
index 00000000000..9236ad705b4
--- /dev/null
+++ b/queue-4.6/tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
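Review bot: `struct switchdev_obj_ipv4_fib` in include/net/switchdev.h now carries a borrowed `struct fib_info *fi`, and nothing visible in switchdev_fib_ipv4_add() or switchdev_fib_ipv4_del() takes a reference on it. The description says this is safe because fib4 operations are not deferred; that assumption belongs at the field, e.g. `struct fib_info *fi; /* borrowed, not refcounted: valid only for the duration of the call */`, so a later change that queues the object does not leave drivers holding a dangling pointer. Only the initialisers and the removed `memcpy()` lines are visible here, so how the object is consumed further down cannot be checked from the hunks.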
@@ -0,0 +1,35 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Yuchung Cheng
+Date: Mon, 6 Jun 2016 15:07:18 -0700
+Subject: tcp: record TLP and ER timer stats in v6 stats
+
+From: Yuchung Cheng
+
+[ Upstream commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc ]
+
+The v6 tcp stats scan do not provide TLP and ER timer information
+correctly like the v4 version . This patch fixes that.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Fixes: eed530b6c676 ("tcp: early retransmit")
+Signed-off-by: Yuchung Cheng
+Signed-off-by: Neal Cardwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/tcp_ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1717,7 +1717,9 @@ static void get_tcp6_sock(struct seq_fil
+ destp = ntohs(inet->inet_dport);
+ srcp = ntohs(inet->inet_sport);
+
+- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
++ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
+ timer_active = 1;
+ timer_expires = icsk->icsk_timeout;
+ } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
diff --git a/queue-4.6/team-don-t-call-netdev_change_features-under-team-lock.patch b/queue-4.6/team-don-t-call-netdev_change_features-under-team-lock.patch
new file mode 100644
index 00000000000..3db91eb68e6
--- /dev/null
+++ b/queue-4.6/team-don-t-call-netdev_change_features-under-team-lock.patch
@@ -0,0 +1,89 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Ivan Vecera
+Date: Wed, 25 May 2016 21:21:52 +0200
+Subject: team: don't call netdev_change_features under team->lock
+
+From: Ivan Vecera
+
+[ Upstream commit f6988cb63a4e698d8a62a1d085d263d1fcc351ea ]
+
+The team_device_event() notifier calls team_compute_features() to fix
+vlan_features under team->lock to protect team->port_list. The problem is
+that subsequent __team_compute_features() calls netdev_change_features()
+to propagate vlan_features to upper vlan devices while team->lock is still
+taken. This can lead to deadlock when NETIF_F_LRO is modified on lower
+devices or team device itself.
+
+Example:
+The team0 as active backup with eth0 and eth1 NICs. Both eth0 & eth1 are
+LRO capable and LRO is enabled. Thus LRO is also enabled on team0.
+
+The command 'ethtool -K team0 lro off' now hangs due to this deadlock:
+
+dev_ethtool()
+-> ethtool_set_features()
+ -> __netdev_update_features(team)
+ -> netdev_sync_lower_features()
+ -> netdev_update_features(lower_1)
+ -> __netdev_update_features(lower_1)
+ -> netdev_features_change(lower_1)
+ -> call_netdevice_notifiers(...)
+ -> team_device_event(lower_1)
+ -> team_compute_features(team) [TAKES team->lock]
+ -> netdev_change_features(team)
+ -> __netdev_update_features(team)
+ -> netdev_sync_lower_features()
+ -> netdev_update_features(lower_2)
+ -> __netdev_update_features(lower_2)
+ -> netdev_features_change(lower_2)
+ -> call_netdevice_notifiers(...)
+ -> team_device_event(lower_2)
+ -> team_compute_features(team) [DEADLOCK]
+
+The bug is present in team from the beginning but it appeared after the commit
+fd867d5 (net/core: generic support for disabling netdev features down stack)
+that adds synchronization of features with lower devices.
+
+Fixes: fd867d5 (net/core: generic support for disabling netdev features down stack)
+Cc: Jiri Pirko
+Signed-off-by: Ivan Vecera
+Signed-off-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -990,7 +990,7 @@ static void team_port_disable(struct tea
+ #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_RXCSUM | NETIF_F_ALL_TSO)
+
+-static void __team_compute_features(struct team *team)
++static void ___team_compute_features(struct team *team)
+ {
+ struct team_port *port;
+ u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
+@@ -1021,15 +1021,20 @@ static void __team_compute_features(stru
+ team->dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
+ if (dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
+ team->dev->priv_flags |= IFF_XMIT_DST_RELEASE;
++}
+
++static void __team_compute_features(struct team *team)
++{
++ ___team_compute_features(team);
+ netdev_change_features(team->dev);
+ }
+
+ static void team_compute_features(struct team *team)
+ {
+ mutex_lock(&team->lock);
+- __team_compute_features(team);
++ ___team_compute_features(team);
+ mutex_unlock(&team->lock);
++ netdev_change_features(team->dev);
+ }
+
+ static int team_port_enter(struct team *team, struct team_port *port)
diff --git a/queue-4.6/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/queue-4.6/tipc-check-nl-sock-before-parsing-nested-attributes.patch
new file mode 100644
index 00000000000..ba132171f7e
--- /dev/null
+++ b/queue-4.6/tipc-check-nl-sock-before-parsing-nested-attributes.patch
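Review bot: The new helper `___team_compute_features()` differs from `__team_compute_features()` by a single underscore, and the rule that separates them, that only the triple-underscore version may run under `team->lock` because it does not call netdev_change_features(), is not written down anywhere in the hunk. A descriptive name or a comment on each helper would keep the wrong one from being called under the lock again, for example `/* Caller holds team->lock; does not notify, see team_compute_features() */` above the inner helper. `__team_compute_features()` still ends in `netdev_change_features(team->dev)`; its callers are outside the hunk, so whether any of them hold `team->lock` cannot be verified from here.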
@@ -0,0 +1,36 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Richard Alpe
+Date: Mon, 16 May 2016 11:14:54 +0200
+Subject: tipc: check nl sock before parsing nested attributes
+
+From: Richard Alpe
+
+[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ]
+
+Make sure the socket for which the user is listing publication exists
+before parsing the socket netlink attributes.
+
+Prior to this patch a call without any socket caused a NULL pointer
+dereference in tipc_nl_publ_dump().
+
+Tested-and-reported-by: Baozeng Ding
+Signed-off-by: Richard Alpe
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *sk
+ if (err)
+ return err;
+
++ if (!attrs[TIPC_NLA_SOCK])
++ return -EINVAL;
++
+ err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
+ attrs[TIPC_NLA_SOCK],
+ tipc_nl_sock_policy);
diff --git a/queue-4.6/tipc-fix-nametable-publication-field-in-nl-compat.patch b/queue-4.6/tipc-fix-nametable-publication-field-in-nl-compat.patch
new file mode 100644
index 00000000000..4d88006b0e6
--- /dev/null
+++ b/queue-4.6/tipc-fix-nametable-publication-field-in-nl-compat.patch
@@ -0,0 +1,32 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Richard Alpe
+Date: Tue, 17 May 2016 16:57:37 +0200
+Subject: tipc: fix nametable publication field in nl compat
+
+From: Richard Alpe
+
+[ Upstream commit 03aaaa9b941e136757b55c4cf775aab6068dfd94 ]
+
+The publication field of the old netlink API should contain the
+publication key and not the publication reference.
+
+Fixes: 44a8ae94fd55 (tipc: convert legacy nl name table dump to nl compat)
+Signed-off-by: Richard Alpe
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -802,7 +802,7 @@ static int tipc_nl_compat_name_table_dum
+ goto out;
+
+ tipc_tlv_sprintf(msg->rep, "%-10u %s",
+- nla_get_u32(publ[TIPC_NLA_PUBL_REF]),
++ nla_get_u32(publ[TIPC_NLA_PUBL_KEY]),
+ scope_str[nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE])]);
+ out:
+ tipc_tlv_sprintf(msg->rep, "\n");
diff --git a/queue-4.6/tuntap-correctly-wake-up-process-during-uninit.patch b/queue-4.6/tuntap-correctly-wake-up-process-during-uninit.patch
new file mode 100644
index 00000000000..7f63aafa214
--- /dev/null
+++ b/queue-4.6/tuntap-correctly-wake-up-process-during-uninit.patch
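Review bot: In tipc_nl_compat_name_table_dump(), the replaced argument hands `publ[TIPC_NLA_PUBL_KEY]` straight to `nla_get_u32()`, and the following line indexes `scope_str[]` with the value read from `publ[TIPC_NLA_PUBL_SCOPE]`; neither a presence check on the attribute nor a bound on the index is visible in the hunk. If these are not validated earlier in the function, which starts outside the hunk, a missing attribute or an out-of-range scope value is dereferenced here. A guard before the `tipc_tlv_sprintf()` call, such as `if (!publ[TIPC_NLA_PUBL_KEY] || !publ[TIPC_NLA_PUBL_SCOPE]) return -EINVAL;` plus a range check on the scope, would make the formatting step robust on its own.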
@@ -0,0 +1,68 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jason Wang
+Date: Thu, 19 May 2016 13:36:51 +0800
+Subject: tuntap: correctly wake up process during uninit
+
+From: Jason Wang
+
+[ Upstream commit addf8fc4acb1cf79492ac64966f07178793cb3d7 ]
+
+We used to check dev->reg_state against NETREG_REGISTERED after each
+time we are woke up. But after commit 9e641bdcfa4e ("net-tun:
+restructure tun_do_read for better sleep/wakeup efficiency"), it uses
+skb_recv_datagram() which does not check dev->reg_state. This will
+result if we delete a tun/tap device after a process is blocked in the
+reading. The device will wait for the reference count which was held
+by that process for ever.
+
+Fixes this by using RCV_SHUTDOWN which will be checked during
+sk_recv_datagram() before trying to wake up the process during uninit.
+
+Fixes: 9e641bdcfa4e ("net-tun: restructure tun_do_read for better
+sleep/wakeup efficiency")
+Cc: Eric Dumazet
+Cc: Xi Wang
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Eric Dumazet
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -568,11 +568,13 @@ static void tun_detach_all(struct net_de
+ for (i = 0; i < n; i++) {
+ tfile = rtnl_dereference(tun->tfiles[i]);
+ BUG_ON(!tfile);
++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
+ tfile->socket.sk->sk_data_ready(tfile->socket.sk);
+ RCU_INIT_POINTER(tfile->tun, NULL);
+ --tun->numqueues;
+ }
+ list_for_each_entry(tfile, &tun->disabled, next) {
++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
+ tfile->socket.sk->sk_data_ready(tfile->socket.sk);
+ RCU_INIT_POINTER(tfile->tun, NULL);
+ }
+@@ -628,6 +630,7 @@ static int tun_attach(struct tun_struct
+ goto out;
+ }
+ tfile->queue_index = tun->numqueues;
++ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
+ rcu_assign_pointer(tfile->tun, tun);
+ rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
+ tun->numqueues++;
+@@ -1425,9 +1428,6 @@ static ssize_t tun_do_read(struct tun_st
+ if (!iov_iter_count(to))
+ return 0;
+
+- if (tun->dev->reg_state != NETREG_REGISTERED)
+- return -EIO;
+-
+ /* Read frames from queue */
+ skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
+ &peeked, &off, &err);
diff --git a/queue-4.6/uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch b/queue-4.6/uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch
new file mode 100644
index 00000000000..bf94e5f7acd
--- /dev/null
+++ b/queue-4.6/uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch
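Review bot: In tun_detach_all(), both added lines assign `sk_shutdown = RCV_SHUTDOWN`, which overwrites any other shutdown bit already set on the socket, while the matching line added to tun_attach() clears only that bit with `&= ~RCV_SHUTDOWN`. Writing `tfile->socket.sk->sk_shutdown |= RCV_SHUTDOWN;` in both loops would keep set and clear symmetric. The third hunk removes the `reg_state` test from tun_do_read(), so a blocked reader is now released only because this flag is set before `sk_data_ready()` is called; a comment to that effect at the first assignment would stop the two lines from being reordered.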
@@ -0,0 +1,37 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Nicolas Dichtel
+Date: Thu, 19 May 2016 17:26:29 +0200
+Subject: uapi glibc compat: fix compilation when !__USE_MISC in glibc
+
+From: Nicolas Dichtel
+
+[ Upstream commit f0a3fdca794d1e68ae284ef4caefe681f7c18e89 ]
+
+These structures are defined only if __USE_MISC is set in glibc net/if.h
+headers, ie when _BSD_SOURCE or _SVID_SOURCE are defined.
+
+CC: Jan Engelhardt
+CC: Josh Boyer
+CC: Stephen Hemminger
+CC: Waldemar Brodkorb
+CC: Gabriel Laskar
+CC: Mikko Rapeli
+Fixes: 4a91cb61bb99 ("uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/libc-compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/libc-compat.h
++++ b/include/uapi/linux/libc-compat.h
+@@ -52,7 +52,7 @@
+ #if defined(__GLIBC__)
+
+ /* Coordinate with glibc net/if.h header. */
+-#if defined(_NET_IF_H)
++#if defined(_NET_IF_H) && defined(__USE_MISC)
+
+ /* GLIBC headers included first so don't define anything
+ * that would already be defined. */
diff --git a/queue-4.6/udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch b/queue-4.6/udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch
new file mode 100644
index 00000000000..c23215b3d44
--- /dev/null
+++ b/queue-4.6/udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch
@@ -0,0 +1,103 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Hannes Frederic Sowa
+Date: Thu, 19 May 2016 15:58:33 +0200
+Subject: udp: prevent skbs lingering in tunnel socket queues
+
+From: Hannes Frederic Sowa
+
+[ Upstream commit e5aed006be918af163eb397e45aa5ea6cefd5e01 ]
+
+In case we find a socket with encapsulation enabled we should call
+the encap_recv function even if just a udp header without payload is
+available. The callbacks are responsible for correctly verifying and
+dropping the packets.
+
+Also, in case the header validation fails for geneve and vxlan we
+shouldn't put the skb back into the socket queue, no one will pick
+them up there. Instead we can simply discard them in the respective
+encap_recv functions.
+
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/geneve.c | 10 +++-------
+ drivers/net/vxlan.c | 4 ++--
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/udp.c | 2 +-
+ 4 files changed, 7 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -336,15 +336,15 @@ static int geneve_udp_encap_recv(struct
+
+ /* Need Geneve and inner Ethernet header to be present */
+ if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN)))
+- goto error;
++ goto drop;
+
+ /* Return packets with reserved bits set */
+ geneveh = geneve_hdr(skb);
+ if (unlikely(geneveh->ver != GENEVE_VER))
+- goto error;
++ goto drop;
+
+ if (unlikely(geneveh->proto_type != htons(ETH_P_TEB)))
+- goto error;
++ goto drop;
+
+ gs = rcu_dereference_sk_user_data(sk);
+ if (!gs)
+@@ -367,10 +367,6 @@ drop:
+ /* Consume bad packet */
+ kfree_skb(skb);
+ return 0;
+-
+-error:
+- /* Let the UDP layer deal with the skb */
+- return 1;
+ }
+
+ static struct socket *geneve_create_sock(struct net *net, bool ipv6,
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1262,7 +1262,7 @@ static int vxlan_rcv(struct sock *sk, st
+
+ /* Need Vxlan and inner Ethernet header to be present */
+ if (!pskb_may_pull(skb, VXLAN_HLEN))
+- return 1;
++ goto drop;
+
+ unparsed = *vxlan_hdr(skb);
+ /* VNI flag always required to be set */
+@@ -1271,7 +1271,7 @@ static int vxlan_rcv(struct sock *sk, st
+ ntohl(vxlan_hdr(skb)->vx_flags),
+ ntohl(vxlan_hdr(skb)->vx_vni));
+ /* Return non vxlan pkt */
+- return 1;
++ goto drop;
+ }
+ unparsed.vx_flags &= ~VXLAN_HF_VNI;
+ unparsed.vx_vni &= ~VXLAN_VNI_MASK;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1616,7 +1616,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
+
+ /* if we're overly short, let UDP handle it */
+ encap_rcv = ACCESS_ONCE(up->encap_rcv);
+- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
++ if (encap_rcv) {
+ int ret;
+
+ /* Verify checksum before giving to encap */
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -653,7 +653,7 @@ int udpv6_queue_rcv_skb(struct sock *sk,
+
+ /* if we're overly short, let UDP handle it */
+ encap_rcv = ACCESS_ONCE(up->encap_rcv);
+- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
++ if (encap_rcv) {
+ int ret;
+
+ /* Verify checksum before giving to encap */
diff --git a/queue-4.6/vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch b/queue-4.6/vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch
new file mode 100644
index 00000000000..a23ef9be184
--- /dev/null
+++ b/queue-4.6/vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch
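Review bot: The comment `/* if we're overly short, let UDP handle it */` is left above the changed condition in both udp_queue_rcv_skb() and udpv6_queue_rcv_skb(), but with `skb->len > sizeof(struct udphdr)` removed it no longer describes the code. It should state what now holds, e.g. `/* encap_rcv sees every packet, including header-only ones, and must validate the length itself */`. That also records the new contract for every `encap_rcv` implementation: only geneve and vxlan are visible in this patch, and both show a `pskb_may_pull()` check before the header is read, but other callbacks are outside these hunks. Similarly, the comments `/* Return packets with reserved bits set */` in geneve and `/* Return non vxlan pkt */` in vxlan now sit above `goto drop`, so "Return" no longer matches what happens.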
@@ -0,0 +1,39 @@
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Chen Haiquan
+Date: Fri, 27 May 2016 10:49:11 +0800
+Subject: vxlan: Accept user specified MTU value when create new vxlan link
+
+From: Chen Haiquan
+
+[ Upstream commit ce577668a426c6a9e2470a09dcd07fbd6e45272a ]
+
+When create a new vxlan link, example:
+ ip link add vtap mtu 1440 type vxlan vni 1 dev eth0
+
+The argument "mtu" has no effect, because it is not set to conf->mtu. The
+default value is used in vxlan_dev_configure function.
+
+This problem was introduced by commit 0dfbdf4102b9 (vxlan: Factor out device
+configuration).
+
+Fixes: 0dfbdf4102b9 (vxlan: Factor out device configuration)
+Signed-off-by: Chen Haiquan
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vxlan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2959,6 +2959,9 @@ static int vxlan_newlink(struct net *src
+ if (data[IFLA_VXLAN_REMCSUM_NOPARTIAL])
+ conf.flags |= VXLAN_F_REMCSUM_NOPARTIAL;
+
++ if (tb[IFLA_MTU])
++ conf.mtu = nla_get_u32(tb[IFLA_MTU]);
++
+ err = vxlan_dev_configure(src_net, dev, &conf);
+ switch (err) {
+ case -ENODEV:
--
2.47.2
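Review bot: vxlan_newlink() copies the user-supplied `IFLA_MTU` into `conf.mtu` with no range check visible in the hunk. Whether vxlan_dev_configure() rejects a value that is too small or larger than the lower device can carry is outside the hunk and should be confirmed before relying on it. If it does, a comment at the assignment such as `/* user-controlled; range is enforced in vxlan_dev_configure() */` would record where the validation lives; if it does not, the value should be checked here and refused with `-EINVAL` before the call.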