From bf1e68bf409aa14ef0097a0803b805c672e1350c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 6 Jul 2016 16:56:40 -0700 Subject: [PATCH] 4.6-stable patches added patches: act_ipt-fix-a-bind-refcnt-leak.patch ax.25-close-socket-connection-on-session-completion.patch bpf-perf-delay-release-of-bpf-prog-after-grace-period.patch bridge-fix-ipv6-mc-snooping-if-bridge-has-no-ipv6-address.patch crypto-user-re-add-size-check-for-crypto_msg_getalg.patch crypto-ux500-memmove-the-right-size.patch crypto-vmx-increase-priority-of-aes-cbc-cipher.patch esp-fix-esn-generation-under-udp-encapsulation.patch ipmr-ip6mr-initialize-the-last-assert-time-of-mfc-entries.patch kcm-fix-proc-memory-leak.patch neigh-explicitly-declare-rcu-bh-read-side-critical-section-in-neigh_xmit.patch net-don-t-forget-pr_fmt-on-net_dbg_ratelimited-for-config_dynamic_debug.patch net_sched-fix-pfifo_head_drop-behavior-vs-backlog.patch netem-fix-a-use-after-free.patch sit-correct-ip-protocol-used-in-ipip6_err.patch sock_diag-do-not-broadcast-raw-socket-destruction.patch --- .../act_ipt-fix-a-bind-refcnt-leak.patch | 39 ++++ ...ket-connection-on-session-completion.patch | 107 +++++++++++ ...lease-of-bpf-prog-after-grace-period.patch | 53 ++++++ ...ooping-if-bridge-has-no-ipv6-address.patch | 118 +++++++++++++ ...add-size-check-for-crypto_msg_getalg.patch | 39 ++++ .../crypto-ux500-memmove-the-right-size.patch | 43 +++++ ...-increase-priority-of-aes-cbc-cipher.patch | 57 ++++++ ...n-generation-under-udp-encapsulation.patch | 166 ++++++++++++++++++ ...-the-last-assert-time-of-mfc-entries.patch | 44 +++++ queue-4.6/kcm-fix-proc-memory-leak.patch | 49 ++++++ ...-side-critical-section-in-neigh_xmit.patch | 67 +++++++ ...ratelimited-for-config_dynamic_debug.patch | 44 +++++ ...-pfifo_head_drop-behavior-vs-backlog.patch | 47 +++++ queue-4.6/netem-fix-a-use-after-free.patch | 48 +++++ ...orrect-ip-protocol-used-in-ipip6_err.patch | 58 ++++++ ...not-broadcast-raw-socket-destruction.patch | 45 +++++ 16 files changed, 1024 insertions(+) create mode 100644 queue-4.6/act_ipt-fix-a-bind-refcnt-leak.patch create mode 100644 queue-4.6/ax.25-close-socket-connection-on-session-completion.patch create mode 100644 queue-4.6/bpf-perf-delay-release-of-bpf-prog-after-grace-period.patch create mode 100644 queue-4.6/bridge-fix-ipv6-mc-snooping-if-bridge-has-no-ipv6-address.patch create mode 100644 queue-4.6/crypto-user-re-add-size-check-for-crypto_msg_getalg.patch create mode 100644 queue-4.6/crypto-ux500-memmove-the-right-size.patch create mode 100644 queue-4.6/crypto-vmx-increase-priority-of-aes-cbc-cipher.patch create mode 100644 queue-4.6/esp-fix-esn-generation-under-udp-encapsulation.patch create mode 100644 queue-4.6/ipmr-ip6mr-initialize-the-last-assert-time-of-mfc-entries.patch create mode 100644 queue-4.6/kcm-fix-proc-memory-leak.patch create mode 100644 queue-4.6/neigh-explicitly-declare-rcu-bh-read-side-critical-section-in-neigh_xmit.patch create mode 100644 queue-4.6/net-don-t-forget-pr_fmt-on-net_dbg_ratelimited-for-config_dynamic_debug.patch create mode 100644 queue-4.6/net_sched-fix-pfifo_head_drop-behavior-vs-backlog.patch create mode 100644 queue-4.6/netem-fix-a-use-after-free.patch create mode 100644 queue-4.6/sit-correct-ip-protocol-used-in-ipip6_err.patch create mode 100644 queue-4.6/sock_diag-do-not-broadcast-raw-socket-destruction.patch diff --git a/queue-4.6/act_ipt-fix-a-bind-refcnt-leak.patch b/queue-4.6/act_ipt-fix-a-bind-refcnt-leak.patch new file mode 100644 index 00000000000..3c512a4ba2c --- /dev/null +++ b/queue-4.6/act_ipt-fix-a-bind-refcnt-leak.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: WANG Cong +Date: Mon, 13 Jun 2016 13:44:14 -0700 +Subject: act_ipt: fix a bind refcnt leak + +From: WANG Cong + +[ Upstream commit d15eccea69b96a5116169688dcc9baf6d1ce2751 ] + +And avoid calling tcf_hash_check() twice. + +Fixes: a57f19d30b2d ("net sched: ipt action fix late binding") +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ipt.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -121,10 +121,13 @@ static int __tcf_ipt_init(struct tc_acti + } + + td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]); +- if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) ++ if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) { ++ if (exists) ++ tcf_hash_release(a, bind); + return -EINVAL; ++ } + +- if (!tcf_hash_check(tn, index, a, bind)) { ++ if (!exists) { + ret = tcf_hash_create(tn, index, est, a, sizeof(*ipt), bind, + false); + if (ret) diff --git a/queue-4.6/ax.25-close-socket-connection-on-session-completion.patch b/queue-4.6/ax.25-close-socket-connection-on-session-completion.patch new file mode 100644 index 00000000000..2e62bad2976 --- /dev/null +++ b/queue-4.6/ax.25-close-socket-connection-on-session-completion.patch @@ -0,0 +1,107 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Basil Gunn +Date: Thu, 16 Jun 2016 09:42:30 -0700 +Subject: AX.25: Close socket connection on session completion + +From: Basil Gunn + +[ Upstream commit 4a7d99ea1b27734558feb6833f180cd38a159940 ] + +A socket connection made in ax.25 is not closed when session is +completed. The heartbeat timer is stopped prematurely and this is +where the socket gets closed. Allow heatbeat timer to run to close +socket. Symptom occurs in kernels >= 4.2.0 + +Originally sent 6/15/2016. Resend with distribution list matching +scripts/maintainer.pl output. + +Signed-off-by: Basil Gunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 3 ++- + net/ax25/ax25_ds_timer.c | 5 ++++- + net/ax25/ax25_std_timer.c | 5 ++++- + net/ax25/ax25_subr.c | 3 ++- + 4 files changed, 12 insertions(+), 4 deletions(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -976,7 +976,8 @@ static int ax25_release(struct socket *s + release_sock(sk); + ax25_disconnect(ax25, 0); + lock_sock(sk); +- ax25_destroy_socket(ax25); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_destroy_socket(ax25); + break; + + case AX25_STATE_3: +--- a/net/ax25/ax25_ds_timer.c ++++ b/net/ax25/ax25_ds_timer.c +@@ -102,6 +102,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *a + switch (ax25->state) { + + case AX25_STATE_0: ++ case AX25_STATE_2: + /* Magic here: If we listen() and a new link dies before it + is accepted() it isn't 'dead' so doesn't get removed. */ + if (!sk || sock_flag(sk, SOCK_DESTROY) || +@@ -111,6 +112,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *a + sock_hold(sk); + ax25_destroy_socket(ax25); + bh_unlock_sock(sk); ++ /* Ungrab socket and destroy it */ + sock_put(sk); + } else + ax25_destroy_socket(ax25); +@@ -213,7 +215,8 @@ void ax25_ds_t1_timeout(ax25_cb *ax25) + case AX25_STATE_2: + if (ax25->n2count == ax25->n2) { + ax25_send_control(ax25, AX25_DISC, AX25_POLLON, AX25_COMMAND); +- ax25_disconnect(ax25, ETIMEDOUT); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_disconnect(ax25, ETIMEDOUT); + return; + } else { + ax25->n2count++; +--- a/net/ax25/ax25_std_timer.c ++++ b/net/ax25/ax25_std_timer.c +@@ -38,6 +38,7 @@ void ax25_std_heartbeat_expiry(ax25_cb * + + switch (ax25->state) { + case AX25_STATE_0: ++ case AX25_STATE_2: + /* Magic here: If we listen() and a new link dies before it + is accepted() it isn't 'dead' so doesn't get removed. */ + if (!sk || sock_flag(sk, SOCK_DESTROY) || +@@ -47,6 +48,7 @@ void ax25_std_heartbeat_expiry(ax25_cb * + sock_hold(sk); + ax25_destroy_socket(ax25); + bh_unlock_sock(sk); ++ /* Ungrab socket and destroy it */ + sock_put(sk); + } else + ax25_destroy_socket(ax25); +@@ -144,7 +146,8 @@ void ax25_std_t1timer_expiry(ax25_cb *ax + case AX25_STATE_2: + if (ax25->n2count == ax25->n2) { + ax25_send_control(ax25, AX25_DISC, AX25_POLLON, AX25_COMMAND); +- ax25_disconnect(ax25, ETIMEDOUT); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_disconnect(ax25, ETIMEDOUT); + return; + } else { + ax25->n2count++; +--- a/net/ax25/ax25_subr.c ++++ b/net/ax25/ax25_subr.c +@@ -264,7 +264,8 @@ void ax25_disconnect(ax25_cb *ax25, int + { + ax25_clear_queues(ax25); + +- ax25_stop_heartbeat(ax25); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); diff --git a/queue-4.6/bpf-perf-delay-release-of-bpf-prog-after-grace-period.patch b/queue-4.6/bpf-perf-delay-release-of-bpf-prog-after-grace-period.patch new file mode 100644 index 00000000000..93bd7479fe1 --- /dev/null +++ b/queue-4.6/bpf-perf-delay-release-of-bpf-prog-after-grace-period.patch @@ -0,0 +1,53 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Daniel Borkmann +Date: Mon, 27 Jun 2016 21:38:11 +0200 +Subject: bpf, perf: delay release of BPF prog after grace period + +From: Daniel Borkmann + +[ Upstream commit ceb56070359b7329b5678b5d95a376fcb24767be ] + +Commit dead9f29ddcc ("perf: Fix race in BPF program unregister") moved +destruction of BPF program from free_event_rcu() callback to __free_event(), +which is problematic if used with tail calls: if prog A is attached as +trace event directly, but at the same time present in a tail call map used +by another trace event program elsewhere, then we need to delay destruction +via RCU grace period since it can still be in use by the program doing the +tail call (the prog first needs to be dropped from the tail call map, then +trace event with prog A attached destroyed, so we get immediate destruction). + +Fixes: dead9f29ddcc ("perf: Fix race in BPF program unregister") +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Cc: Jann Horn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bpf.h | 4 ++++ + kernel/events/core.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -229,6 +229,10 @@ static inline struct bpf_prog *bpf_prog_ + static inline void bpf_prog_put(struct bpf_prog *prog) + { + } ++ ++static inline void bpf_prog_put_rcu(struct bpf_prog *prog) ++{ ++} + #endif /* CONFIG_BPF_SYSCALL */ + + /* verifier prototypes for helper functions called from eBPF programs */ +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7143,7 +7143,7 @@ static void perf_event_free_bpf_prog(str + prog = event->tp_event->prog; + if (prog) { + event->tp_event->prog = NULL; +- bpf_prog_put(prog); ++ bpf_prog_put_rcu(prog); + } + } + diff --git a/queue-4.6/bridge-fix-ipv6-mc-snooping-if-bridge-has-no-ipv6-address.patch b/queue-4.6/bridge-fix-ipv6-mc-snooping-if-bridge-has-no-ipv6-address.patch new file mode 100644 index 00000000000..165475dd5b7 --- /dev/null +++ b/queue-4.6/bridge-fix-ipv6-mc-snooping-if-bridge-has-no-ipv6-address.patch @@ -0,0 +1,118 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: daniel +Date: Fri, 24 Jun 2016 12:35:18 +0200 +Subject: Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: daniel + +[ Upstream commit 0888d5f3c0f183ea6177355752ada433d370ac89 ] + +The bridge is falsly dropping ipv6 mulitcast packets if there is: + 1. No ipv6 address assigned on the brigde. + 2. No external mld querier present. + 3. The internal querier enabled. + +When the bridge fails to build mld queries, because it has no +ipv6 address, it slilently returns, but keeps the local querier enabled. +This specific case causes confusing packet loss. + +Ipv6 multicast snooping can only work if: + a) An external querier is present + OR + b) The bridge has an ipv6 address an is capable of sending own queries + +Otherwise it has to forward/flood the ipv6 multicast traffic, +because snooping cannot work. + +This patch fixes the issue by adding a flag to the bridge struct that +indicates that there is currently no ipv6 address assinged to the bridge +and returns a false state for the local querier in +__br_multicast_querier_exists(). + +Special thanks to Linus Lüssing. + +Fixes: d1d81d4c3dd8 ("bridge: check return value of ipv6_dev_get_saddr()") +Signed-off-by: Daniel Danzberger +Acked-by: Linus Lüssing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 ++++ + net/bridge/br_private.h | 23 +++++++++++++++++++---- + 2 files changed, 23 insertions(+), 4 deletions(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -464,8 +464,11 @@ static struct sk_buff *br_ip6_multicast_ + if (ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0, + &ip6h->saddr)) { + kfree_skb(skb); ++ br->has_ipv6_addr = 0; + return NULL; + } ++ ++ br->has_ipv6_addr = 1; + ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest); + + hopopt = (u8 *)(ip6h + 1); +@@ -1745,6 +1748,7 @@ void br_multicast_init(struct net_bridge + br->ip6_other_query.delay_time = 0; + br->ip6_querier.port = NULL; + #endif ++ br->has_ipv6_addr = 1; + + spin_lock_init(&br->multicast_lock); + setup_timer(&br->multicast_router_timer, +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -304,6 +304,7 @@ struct net_bridge + u8 multicast_disabled:1; + u8 multicast_querier:1; + u8 multicast_query_use_ifaddr:1; ++ u8 has_ipv6_addr:1; + + u32 hash_elasticity; + u32 hash_max; +@@ -577,10 +578,22 @@ static inline bool br_multicast_is_route + + static inline bool + __br_multicast_querier_exists(struct net_bridge *br, +- struct bridge_mcast_other_query *querier) ++ struct bridge_mcast_other_query *querier, ++ const bool is_ipv6) + { ++ bool own_querier_enabled; ++ ++ if (br->multicast_querier) { ++ if (is_ipv6 && !br->has_ipv6_addr) ++ own_querier_enabled = false; ++ else ++ own_querier_enabled = true; ++ } else { ++ own_querier_enabled = false; ++ } ++ + return time_is_before_jiffies(querier->delay_time) && +- (br->multicast_querier || timer_pending(&querier->timer)); ++ (own_querier_enabled || timer_pending(&querier->timer)); + } + + static inline bool br_multicast_querier_exists(struct net_bridge *br, +@@ -588,10 +601,12 @@ static inline bool br_multicast_querier_ + { + switch (eth->h_proto) { + case (htons(ETH_P_IP)): +- return __br_multicast_querier_exists(br, &br->ip4_other_query); ++ return __br_multicast_querier_exists(br, ++ &br->ip4_other_query, false); + #if IS_ENABLED(CONFIG_IPV6) + case (htons(ETH_P_IPV6)): +- return __br_multicast_querier_exists(br, &br->ip6_other_query); ++ return __br_multicast_querier_exists(br, ++ &br->ip6_other_query, true); + #endif + default: + return false; diff --git a/queue-4.6/crypto-user-re-add-size-check-for-crypto_msg_getalg.patch b/queue-4.6/crypto-user-re-add-size-check-for-crypto_msg_getalg.patch new file mode 100644 index 00000000000..aa8037835ff --- /dev/null +++ b/queue-4.6/crypto-user-re-add-size-check-for-crypto_msg_getalg.patch @@ -0,0 +1,39 @@ +From 055ddaace03580455a7b7dbea8e93d62acee61fc Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Wed, 22 Jun 2016 20:29:37 +0200 +Subject: crypto: user - re-add size check for CRYPTO_MSG_GETALG + +From: Mathias Krause + +commit 055ddaace03580455a7b7dbea8e93d62acee61fc upstream. + +Commit 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG") +accidentally removed the minimum size check for CRYPTO_MSG_GETALG +netlink messages. This allows userland to send a truncated +CRYPTO_MSG_GETALG message as short as a netlink header only making +crypto_report() operate on uninitialized memory by accessing data +beyond the end of the netlink message. + +Fix this be re-adding the minimum required size of CRYPTO_MSG_GETALG +messages to the crypto_msg_min[] array. + +Fixes: 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG") +Signed-off-by: Mathias Krause +Cc: Steffen Klassert +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/crypto_user.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -455,6 +455,7 @@ static const int crypto_msg_min[CRYPTO_N + [CRYPTO_MSG_NEWALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_DELALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_UPDATEALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), ++ [CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_DELRNG - CRYPTO_MSG_BASE] = 0, + }; + diff --git a/queue-4.6/crypto-ux500-memmove-the-right-size.patch b/queue-4.6/crypto-ux500-memmove-the-right-size.patch new file mode 100644 index 00000000000..d21c40a267f --- /dev/null +++ b/queue-4.6/crypto-ux500-memmove-the-right-size.patch @@ -0,0 +1,43 @@ +From 19ced623db2fe91604d69f7d86b03144c5107739 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 8 Jun 2016 14:56:39 +0200 +Subject: crypto: ux500 - memmove the right size + +From: Linus Walleij + +commit 19ced623db2fe91604d69f7d86b03144c5107739 upstream. + +The hash buffer is really HASH_BLOCK_SIZE bytes, someone +must have thought that memmove takes n*u32 words by mistake. +Tests work as good/bad as before after this patch. + +Cc: Joakim Bech +Reported-by: David Binderman +Signed-off-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ux500/hash/hash_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -781,7 +781,7 @@ static int hash_process_data(struct hash + &device_data->state); + memmove(req_ctx->state.buffer, + device_data->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, + "%s: hash_resume_state() failed!\n", +@@ -832,7 +832,7 @@ static int hash_process_data(struct hash + + memmove(device_data->state.buffer, + req_ctx->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, "%s: hash_save_state() failed!\n", + __func__); diff --git a/queue-4.6/crypto-vmx-increase-priority-of-aes-cbc-cipher.patch b/queue-4.6/crypto-vmx-increase-priority-of-aes-cbc-cipher.patch new file mode 100644 index 00000000000..3db271a879e --- /dev/null +++ b/queue-4.6/crypto-vmx-increase-priority-of-aes-cbc-cipher.patch @@ -0,0 +1,57 @@ +From 12d3f49e1ffbbf8cbbb60acae5a21103c5c841ac Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Fri, 10 Jun 2016 16:47:03 +1000 +Subject: crypto: vmx - Increase priority of aes-cbc cipher + +From: Anton Blanchard + +commit 12d3f49e1ffbbf8cbbb60acae5a21103c5c841ac upstream. + +All of the VMX AES ciphers (AES, AES-CBC and AES-CTR) are set at +priority 1000. Unfortunately this means we never use AES-CBC and +AES-CTR, because the base AES-CBC cipher that is implemented on +top of AES inherits its priority. + +To fix this, AES-CBC and AES-CTR have to be a higher priority. Set +them to 2000. + +Testing on a POWER8 with: + +cryptsetup benchmark --cipher aes --key-size 256 + +Shows decryption speed increase from 402.4 MB/s to 3069.2 MB/s, +over 7x faster. Thanks to Mike Strosaker for helping me debug +this issue. + +Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") +Signed-off-by: Anton Blanchard +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/vmx/aes_cbc.c | 2 +- + drivers/crypto/vmx/aes_ctr.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/vmx/aes_cbc.c ++++ b/drivers/crypto/vmx/aes_cbc.c +@@ -182,7 +182,7 @@ struct crypto_alg p8_aes_cbc_alg = { + .cra_name = "cbc(aes)", + .cra_driver_name = "p8_aes_cbc", + .cra_module = THIS_MODULE, +- .cra_priority = 1000, ++ .cra_priority = 2000, + .cra_type = &crypto_blkcipher_type, + .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK, + .cra_alignmask = 0, +--- a/drivers/crypto/vmx/aes_ctr.c ++++ b/drivers/crypto/vmx/aes_ctr.c +@@ -166,7 +166,7 @@ struct crypto_alg p8_aes_ctr_alg = { + .cra_name = "ctr(aes)", + .cra_driver_name = "p8_aes_ctr", + .cra_module = THIS_MODULE, +- .cra_priority = 1000, ++ .cra_priority = 2000, + .cra_type = &crypto_blkcipher_type, + .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK, + .cra_alignmask = 0, diff --git a/queue-4.6/esp-fix-esn-generation-under-udp-encapsulation.patch b/queue-4.6/esp-fix-esn-generation-under-udp-encapsulation.patch new file mode 100644 index 00000000000..f232e91ec51 --- /dev/null +++ b/queue-4.6/esp-fix-esn-generation-under-udp-encapsulation.patch @@ -0,0 +1,166 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Herbert Xu +Date: Sat, 18 Jun 2016 13:03:36 +0800 +Subject: esp: Fix ESN generation under UDP encapsulation + +From: Herbert Xu + +[ Upstream commit 962fcef33b03395051367181a0549d29d109d9a4 ] + +Blair Steven noticed that ESN in conjunction with UDP encapsulation +is broken because we set the temporary ESP header to the wrong spot. + +This patch fixes this by first of all using the right spot, i.e., +4 bytes off the real ESP header, and then saving this information +so that after encryption we can restore it properly. + +Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface") +Reported-by: Blair Steven +Signed-off-by: Herbert Xu +Acked-by: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/esp4.c | 52 ++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 32 insertions(+), 20 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -23,6 +23,11 @@ struct esp_skb_cb { + void *tmp; + }; + ++struct esp_output_extra { ++ __be32 seqhi; ++ u32 esphoff; ++}; ++ + #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0])) + + static u32 esp4_get_mtu(struct xfrm_state *x, int mtu); +@@ -35,11 +40,11 @@ static u32 esp4_get_mtu(struct xfrm_stat + * + * TODO: Use spare space in skb for this where possible. + */ +-static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqhilen) ++static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int extralen) + { + unsigned int len; + +- len = seqhilen; ++ len = extralen; + + len += crypto_aead_ivsize(aead); + +@@ -57,15 +62,16 @@ static void *esp_alloc_tmp(struct crypto + return kmalloc(len, GFP_ATOMIC); + } + +-static inline __be32 *esp_tmp_seqhi(void *tmp) ++static inline void *esp_tmp_extra(void *tmp) + { +- return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32)); ++ return PTR_ALIGN(tmp, __alignof__(struct esp_output_extra)); + } +-static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int seqhilen) ++ ++static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int extralen) + { + return crypto_aead_ivsize(aead) ? +- PTR_ALIGN((u8 *)tmp + seqhilen, +- crypto_aead_alignmask(aead) + 1) : tmp + seqhilen; ++ PTR_ALIGN((u8 *)tmp + extralen, ++ crypto_aead_alignmask(aead) + 1) : tmp + extralen; + } + + static inline struct aead_request *esp_tmp_req(struct crypto_aead *aead, u8 *iv) +@@ -99,7 +105,7 @@ static void esp_restore_header(struct sk + { + struct ip_esp_hdr *esph = (void *)(skb->data + offset); + void *tmp = ESP_SKB_CB(skb)->tmp; +- __be32 *seqhi = esp_tmp_seqhi(tmp); ++ __be32 *seqhi = esp_tmp_extra(tmp); + + esph->seq_no = esph->spi; + esph->spi = *seqhi; +@@ -107,7 +113,11 @@ static void esp_restore_header(struct sk + + static void esp_output_restore_header(struct sk_buff *skb) + { +- esp_restore_header(skb, skb_transport_offset(skb) - sizeof(__be32)); ++ void *tmp = ESP_SKB_CB(skb)->tmp; ++ struct esp_output_extra *extra = esp_tmp_extra(tmp); ++ ++ esp_restore_header(skb, skb_transport_offset(skb) + extra->esphoff - ++ sizeof(__be32)); + } + + static void esp_output_done_esn(struct crypto_async_request *base, int err) +@@ -121,6 +131,7 @@ static void esp_output_done_esn(struct c + static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + { + int err; ++ struct esp_output_extra *extra; + struct ip_esp_hdr *esph; + struct crypto_aead *aead; + struct aead_request *req; +@@ -137,8 +148,7 @@ static int esp_output(struct xfrm_state + int tfclen; + int nfrags; + int assoclen; +- int seqhilen; +- __be32 *seqhi; ++ int extralen; + __be64 seqno; + + /* skb is pure payload to encrypt */ +@@ -166,21 +176,21 @@ static int esp_output(struct xfrm_state + nfrags = err; + + assoclen = sizeof(*esph); +- seqhilen = 0; ++ extralen = 0; + + if (x->props.flags & XFRM_STATE_ESN) { +- seqhilen += sizeof(__be32); +- assoclen += seqhilen; ++ extralen += sizeof(*extra); ++ assoclen += sizeof(__be32); + } + +- tmp = esp_alloc_tmp(aead, nfrags, seqhilen); ++ tmp = esp_alloc_tmp(aead, nfrags, extralen); + if (!tmp) { + err = -ENOMEM; + goto error; + } + +- seqhi = esp_tmp_seqhi(tmp); +- iv = esp_tmp_iv(aead, tmp, seqhilen); ++ extra = esp_tmp_extra(tmp); ++ iv = esp_tmp_iv(aead, tmp, extralen); + req = esp_tmp_req(aead, iv); + sg = esp_req_sg(aead, req); + +@@ -247,8 +257,10 @@ static int esp_output(struct xfrm_state + * encryption. + */ + if ((x->props.flags & XFRM_STATE_ESN)) { +- esph = (void *)(skb_transport_header(skb) - sizeof(__be32)); +- *seqhi = esph->spi; ++ extra->esphoff = (unsigned char *)esph - ++ skb_transport_header(skb); ++ esph = (struct ip_esp_hdr *)((unsigned char *)esph - 4); ++ extra->seqhi = esph->spi; + esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.hi); + aead_request_set_callback(req, 0, esp_output_done_esn, skb); + } +@@ -445,7 +457,7 @@ static int esp_input(struct xfrm_state * + goto out; + + ESP_SKB_CB(skb)->tmp = tmp; +- seqhi = esp_tmp_seqhi(tmp); ++ seqhi = esp_tmp_extra(tmp); + iv = esp_tmp_iv(aead, tmp, seqhilen); + req = esp_tmp_req(aead, iv); + sg = esp_req_sg(aead, req); diff --git a/queue-4.6/ipmr-ip6mr-initialize-the-last-assert-time-of-mfc-entries.patch b/queue-4.6/ipmr-ip6mr-initialize-the-last-assert-time-of-mfc-entries.patch new file mode 100644 index 00000000000..93da2a57448 --- /dev/null +++ b/queue-4.6/ipmr-ip6mr-initialize-the-last-assert-time-of-mfc-entries.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Tom Goff +Date: Thu, 23 Jun 2016 16:11:57 -0400 +Subject: ipmr/ip6mr: Initialize the last assert time of mfc entries. + +From: Tom Goff + +[ Upstream commit 70a0dec45174c976c64b4c8c1d0898581f759948 ] + +This fixes wrong-interface signaling on 32-bit platforms for entries +created when jiffies > 2^31 + MFC_ASSERT_THRESH. + +Signed-off-by: Tom Goff +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipmr.c | 4 +++- + net/ipv6/ip6mr.c | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -891,8 +891,10 @@ static struct mfc_cache *ipmr_cache_allo + { + struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + +- if (c) ++ if (c) { ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXVIFS; ++ } + return c; + } + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1074,6 +1074,7 @@ static struct mfc6_cache *ip6mr_cache_al + struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + if (!c) + return NULL; ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXMIFS; + return c; + } diff --git a/queue-4.6/kcm-fix-proc-memory-leak.patch b/queue-4.6/kcm-fix-proc-memory-leak.patch new file mode 100644 index 00000000000..82f8bd09731 --- /dev/null +++ b/queue-4.6/kcm-fix-proc-memory-leak.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Jiri Slaby +Date: Mon, 20 Jun 2016 11:36:28 +0200 +Subject: kcm: fix /proc memory leak + +From: Jiri Slaby + +[ Upstream commit d19af0a76444fde629667ecb823c0ee28f9f67d8 ] + +Every open of /proc/net/kcm leaks 16 bytes of memory as is reported by +kmemleak: +unreferenced object 0xffff88059c0e3458 (size 192): + comm "cat", pid 1401, jiffies 4294935742 (age 310.720s) + hex dump (first 32 bytes): + 28 45 71 96 05 88 ff ff 00 10 00 00 00 00 00 00 (Eq............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmem_cache_alloc_trace+0x16e/0x230 + [] seq_open+0x79/0x1d0 + [] kcm_seq_open+0x0/0x30 [kcm] + [] seq_open+0x79/0x1d0 + [] __seq_open_private+0x2f/0xa0 + [] seq_open_net+0x38/0xa0 +... + +It is caused by a missing free in the ->release path. So fix it by +providing seq_release_net as the ->release method. + +Signed-off-by: Jiri Slaby +Fixes: cd6e111bf5 (kcm: Add statistics and proc interfaces) +Cc: "David S. Miller" +Cc: Tom Herbert +Cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/kcm/kcmproc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/kcm/kcmproc.c ++++ b/net/kcm/kcmproc.c +@@ -241,6 +241,7 @@ static const struct file_operations kcm_ + .open = kcm_seq_open, + .read = seq_read, + .llseek = seq_lseek, ++ .release = seq_release_net, + }; + + static struct kcm_seq_muxinfo kcm_seq_muxinfo = { diff --git a/queue-4.6/neigh-explicitly-declare-rcu-bh-read-side-critical-section-in-neigh_xmit.patch b/queue-4.6/neigh-explicitly-declare-rcu-bh-read-side-critical-section-in-neigh_xmit.patch new file mode 100644 index 00000000000..7b7d8e35aac --- /dev/null +++ b/queue-4.6/neigh-explicitly-declare-rcu-bh-read-side-critical-section-in-neigh_xmit.patch @@ -0,0 +1,67 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: David Barroso +Date: Tue, 28 Jun 2016 11:16:43 +0300 +Subject: neigh: Explicitly declare RCU-bh read side critical section in neigh_xmit() + +From: David Barroso + +[ Upstream commit b560f03ddfb072bca65e9440ff0dc4f9b1d1f056 ] + +neigh_xmit() expects to be called inside an RCU-bh read side critical +section, and while one of its two current callers gets this right, the +other one doesn't. + +More specifically, neigh_xmit() has two callers, mpls_forward() and +mpls_output(), and while both callers call neigh_xmit() under +rcu_read_lock(), this provides sufficient protection for neigh_xmit() +only in the case of mpls_forward(), as that is always called from +softirq context and therefore doesn't need explicit BH protection, +while mpls_output() can be called from process context with softirqs +enabled. + +When mpls_output() is called from process context, with softirqs +enabled, we can be preempted by a softirq at any time, and RCU-bh +considers the completion of a softirq as signaling the end of any +pending read-side critical sections, so if we do get a softirq +while we are in the part of neigh_xmit() that expects to be run inside +an RCU-bh read side critical section, we can end up with an unexpected +RCU grace period running right in the middle of that critical section, +making things go boom. + +This patch fixes this impedance mismatch in the callee, by making +neigh_xmit() always take rcu_read_{,un}lock_bh() around the code that +expects to be treated as an RCU-bh read side critical section, as this +seems a safer option than fixing it in the callers. + +Fixes: 4fd3d7d9e868f ("neigh: Add helper function neigh_xmit") +Signed-off-by: David Barroso +Signed-off-by: Lennert Buytenhek +Acked-by: David Ahern +Acked-by: Robert Shearman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2467,13 +2467,17 @@ int neigh_xmit(int index, struct net_dev + tbl = neigh_tables[index]; + if (!tbl) + goto out; ++ rcu_read_lock_bh(); + neigh = __neigh_lookup_noref(tbl, addr, dev); + if (!neigh) + neigh = __neigh_create(tbl, addr, dev, false); + err = PTR_ERR(neigh); +- if (IS_ERR(neigh)) ++ if (IS_ERR(neigh)) { ++ rcu_read_unlock_bh(); + goto out_kfree_skb; ++ } + err = neigh->output(neigh, skb); ++ rcu_read_unlock_bh(); + } + else if (index == NEIGH_LINK_TABLE) { + err = dev_hard_header(skb, dev, ntohs(skb->protocol), diff --git a/queue-4.6/net-don-t-forget-pr_fmt-on-net_dbg_ratelimited-for-config_dynamic_debug.patch b/queue-4.6/net-don-t-forget-pr_fmt-on-net_dbg_ratelimited-for-config_dynamic_debug.patch new file mode 100644 index 00000000000..a5d899f34f2 --- /dev/null +++ b/queue-4.6/net-don-t-forget-pr_fmt-on-net_dbg_ratelimited-for-config_dynamic_debug.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: "Jason A. Donenfeld" +Date: Wed, 15 Jun 2016 11:14:53 +0200 +Subject: net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG + +From: "Jason A. Donenfeld" + +[ Upstream commit daddef76c3deaaa7922f9d7b18edbf0a061215c3 ] + +The implementation of net_dbg_ratelimited in the CONFIG_DYNAMIC_DEBUG +case was added with 2c94b5373 ("net: Implement net_dbg_ratelimited() for +CONFIG_DYNAMIC_DEBUG case"). The implementation strategy was to take the +usual definition of the dynamic_pr_debug macro, but alter it by adding a +call to "net_ratelimit()" in the if statement. This is, in fact, the +correct approach. + +However, while doing this, the author of the commit forgot to surround +fmt by pr_fmt, resulting in unprefixed log messages appearing in the +console. So, this commit adds back the pr_fmt(fmt) invocation, making +net_dbg_ratelimited properly consistent across DEBUG, no DEBUG, and +DYNAMIC_DEBUG cases, and bringing parity with the behavior of +dynamic_pr_debug as well. + +Fixes: 2c94b5373 ("net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case") +Signed-off-by: Jason A. Donenfeld +Cc: Tim Bingham +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/net.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -252,7 +252,8 @@ do { \ + DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \ + if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT) && \ + net_ratelimit()) \ +- __dynamic_pr_debug(&descriptor, fmt, ##__VA_ARGS__); \ ++ __dynamic_pr_debug(&descriptor, pr_fmt(fmt), \ ++ ##__VA_ARGS__); \ + } while (0) + #elif defined(DEBUG) + #define net_dbg_ratelimited(fmt, ...) \ diff --git a/queue-4.6/net_sched-fix-pfifo_head_drop-behavior-vs-backlog.patch b/queue-4.6/net_sched-fix-pfifo_head_drop-behavior-vs-backlog.patch new file mode 100644 index 00000000000..b87c81cba6c --- /dev/null +++ b/queue-4.6/net_sched-fix-pfifo_head_drop-behavior-vs-backlog.patch @@ -0,0 +1,47 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Eric Dumazet +Date: Sun, 12 Jun 2016 20:01:25 -0700 +Subject: net_sched: fix pfifo_head_drop behavior vs backlog + +From: Eric Dumazet + +[ Upstream commit 6c0d54f1897d229748d4f41ef919078db6db2123 ] + +When the qdisc is full, we drop a packet at the head of the queue, +queue the current skb and return NET_XMIT_CN + +Now we track backlog on upper qdiscs, we need to call +qdisc_tree_reduce_backlog(), even if the qlen did not change. + +Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") +Signed-off-by: Eric Dumazet +Cc: WANG Cong +Cc: Jamal Hadi Salim +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fifo.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sched/sch_fifo.c ++++ b/net/sched/sch_fifo.c +@@ -37,14 +37,18 @@ static int pfifo_enqueue(struct sk_buff + + static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch) + { ++ unsigned int prev_backlog; ++ + if (likely(skb_queue_len(&sch->q) < sch->limit)) + return qdisc_enqueue_tail(skb, sch); + ++ prev_backlog = sch->qstats.backlog; + /* queue full, remove one skb to fulfill the limit */ + __qdisc_queue_drop_head(sch, &sch->q); + qdisc_qstats_drop(sch); + qdisc_enqueue_tail(skb, sch); + ++ qdisc_tree_reduce_backlog(sch, 0, prev_backlog - sch->qstats.backlog); + return NET_XMIT_CN; + } + diff --git a/queue-4.6/netem-fix-a-use-after-free.patch b/queue-4.6/netem-fix-a-use-after-free.patch new file mode 100644 index 00000000000..877e73e67c0 --- /dev/null +++ b/queue-4.6/netem-fix-a-use-after-free.patch @@ -0,0 +1,48 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Eric Dumazet +Date: Mon, 20 Jun 2016 15:00:43 -0700 +Subject: netem: fix a use after free + +From: Eric Dumazet + +[ Upstream commit 21de12ee5568fd1aec47890c72967abf791ac80a ] + +If the packet was dropped by lower qdisc, then we must not +access it later. + +Save qdisc_pkt_len(skb) in a temp variable. + +Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") +Signed-off-by: Eric Dumazet +Cc: WANG Cong +Cc: Jamal Hadi Salim +Cc: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -650,14 +650,14 @@ deliver: + #endif + + if (q->qdisc) { ++ unsigned int pkt_len = qdisc_pkt_len(skb); + int err = qdisc_enqueue(skb, q->qdisc); + +- if (unlikely(err != NET_XMIT_SUCCESS)) { +- if (net_xmit_drop_count(err)) { +- qdisc_qstats_drop(sch); +- qdisc_tree_reduce_backlog(sch, 1, +- qdisc_pkt_len(skb)); +- } ++ if (err != NET_XMIT_SUCCESS && ++ net_xmit_drop_count(err)) { ++ qdisc_qstats_drop(sch); ++ qdisc_tree_reduce_backlog(sch, 1, ++ pkt_len); + } + goto tfifo_dequeue; + } diff --git a/queue-4.6/sit-correct-ip-protocol-used-in-ipip6_err.patch b/queue-4.6/sit-correct-ip-protocol-used-in-ipip6_err.patch new file mode 100644 index 00000000000..651a7c8b3ad --- /dev/null +++ b/queue-4.6/sit-correct-ip-protocol-used-in-ipip6_err.patch @@ -0,0 +1,58 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Simon Horman +Date: Thu, 16 Jun 2016 17:06:19 +0900 +Subject: sit: correct IP protocol used in ipip6_err + +From: Simon Horman + +[ Upstream commit d5d8760b78d0cfafe292f965f599988138b06a70 ] + +Since 32b8a8e59c9c ("sit: add IPv4 over IPv4 support") +ipip6_err() may be called for packets whose IP protocol is +IPPROTO_IPIP as well as those whose IP protocol is IPPROTO_IPV6. + +In the case of IPPROTO_IPIP packets the correct protocol value is not +passed to ipv4_update_pmtu() or ipv4_redirect(). + +This patch resolves this problem by using the IP protocol of the packet +rather than a hard-coded value. This appears to be consistent +with the usage of the protocol of a packet by icmp_socket_deliver() +the caller of ipip6_err(). + +I was able to exercise the redirect case by using a setup where an ICMP +redirect was received for the destination of the encapsulated packet. +However, it appears that although incorrect the protocol field is not used +in this case and thus no problem manifests. On inspection it does not +appear that a problem will manifest in the fragmentation needed/update pmtu +case either. + +In short I believe this is a cosmetic fix. None the less, the use of +IPPROTO_IPV6 seems wrong and confusing. + +Reviewed-by: Dinan Gunawardena +Signed-off-by: Simon Horman +Acked-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -560,13 +560,13 @@ static int ipip6_err(struct sk_buff *skb + + if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { + ipv4_update_pmtu(skb, dev_net(skb->dev), info, +- t->parms.link, 0, IPPROTO_IPV6, 0); ++ t->parms.link, 0, iph->protocol, 0); + err = 0; + goto out; + } + if (type == ICMP_REDIRECT) { + ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, +- IPPROTO_IPV6, 0); ++ iph->protocol, 0); + err = 0; + goto out; + } diff --git a/queue-4.6/sock_diag-do-not-broadcast-raw-socket-destruction.patch b/queue-4.6/sock_diag-do-not-broadcast-raw-socket-destruction.patch new file mode 100644 index 00000000000..8da6f919713 --- /dev/null +++ b/queue-4.6/sock_diag-do-not-broadcast-raw-socket-destruction.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Jul 6 16:50:56 PDT 2016 +From: Willem de Bruijn +Date: Fri, 24 Jun 2016 16:02:35 -0400 +Subject: sock_diag: do not broadcast raw socket destruction + +From: Willem de Bruijn + +[ Upstream commit 9a0fee2b552b1235fb1706ae1fc664ae74573be8 ] + +Diag intends to broadcast tcp_sk and udp_sk socket destruction. +Testing sk->sk_protocol for IPPROTO_TCP/IPPROTO_UDP alone is not +sufficient for this. Raw sockets can have the same type. + +Add a test for sk->sk_type. + +Fixes: eb4cb008529c ("sock_diag: define destruction multicast groups") +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sock_diag.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/include/linux/sock_diag.h ++++ b/include/linux/sock_diag.h +@@ -36,6 +36,9 @@ enum sknetlink_groups sock_diag_destroy_ + { + switch (sk->sk_family) { + case AF_INET: ++ if (sk->sk_type == SOCK_RAW) ++ return SKNLGRP_NONE; ++ + switch (sk->sk_protocol) { + case IPPROTO_TCP: + return SKNLGRP_INET_TCP_DESTROY; +@@ -45,6 +48,9 @@ enum sknetlink_groups sock_diag_destroy_ + return SKNLGRP_NONE; + } + case AF_INET6: ++ if (sk->sk_type == SOCK_RAW) ++ return SKNLGRP_NONE; ++ + switch (sk->sk_protocol) { + case IPPROTO_TCP: + return SKNLGRP_INET6_TCP_DESTROY; -- 2.47.3