From eb4e5538eb5f91b9e16a4f63b9c53e07428526d4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 11 Aug 2017 10:17:02 -0700 Subject: [PATCH] 4.4-stable patches added patches: --- ...jit-branch-offset-related-to-ldimm64.patch | 82 +++++++++++++++++ ...n_bad_offload-false-positives-on-ufo.patch | 74 +++++++++++++++ ...epalive-code-vs-tcp_fastopen_connect.patch | 89 +++++++++++++++++++ ...r.nft_compat-as-0-in-ipt_init_target.patch | 46 ++++++++++ ...x-tp_reserve-race-in-packet_set_ring.patch | 51 +++++++++++ ..._ip_append_data-and-ip_finish_output.patch | 30 +++++++ ...t-skb-length-when-deciding-about-ufo.patch | 44 +++++++++ queue-4.4/series | 10 +++ ...ssthresh-after-cwnd-reduction-states.patch | 39 ++++++++ ...n-tcp_connect-must-refresh-the-route.patch | 51 +++++++++++ ...sistently-apply-ufo-or-fragmentation.patch | 89 +++++++++++++++++++ 11 files changed, 605 insertions(+) create mode 100644 queue-4.4/bpf-s390-fix-jit-branch-offset-related-to-ldimm64.patch create mode 100644 queue-4.4/net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch create mode 100644 queue-4.4/net-fix-keepalive-code-vs-tcp_fastopen_connect.patch create mode 100644 queue-4.4/net-sched-set-xt_tgchk_param-par.nft_compat-as-0-in-ipt_init_target.patch create mode 100644 queue-4.4/packet-fix-tp_reserve-race-in-packet_set_ring.patch create mode 100644 queue-4.4/revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch create mode 100644 queue-4.4/revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch create mode 100644 queue-4.4/series create mode 100644 queue-4.4/tcp-avoid-setting-cwnd-to-invalid-ssthresh-after-cwnd-reduction-states.patch create mode 100644 queue-4.4/tcp-fastopen-tcp_connect-must-refresh-the-route.patch create mode 100644 queue-4.4/udp-consistently-apply-ufo-or-fragmentation.patch diff --git a/queue-4.4/bpf-s390-fix-jit-branch-offset-related-to-ldimm64.patch b/queue-4.4/bpf-s390-fix-jit-branch-offset-related-to-ldimm64.patch new file mode 100644 index 00000000000..fe05068b89d --- /dev/null +++ b/queue-4.4/bpf-s390-fix-jit-branch-offset-related-to-ldimm64.patch @@ -0,0 +1,82 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Daniel Borkmann +Date: Fri, 4 Aug 2017 14:20:54 +0200 +Subject: bpf, s390: fix jit branch offset related to ldimm64 + +From: Daniel Borkmann + + +[ Upstream commit b0a0c2566f28e71e5e32121992ac8060cec75510 ] + +While testing some other work that required JIT modifications, I +run into test_bpf causing a hang when JIT enabled on s390. The +problematic test case was the one from ddc665a4bb4b (bpf, arm64: +fix jit branch offset related to ldimm64), and turns out that we +do have a similar issue on s390 as well. In bpf_jit_prog() we +update next instruction address after returning from bpf_jit_insn() +with an insn_count. bpf_jit_insn() returns either -1 in case of +error (e.g. unsupported insn), 1 or 2. The latter is only the +case for ldimm64 due to spanning 2 insns, however, next address +is only set to i + 1 not taking actual insn_count into account, +thus fix is to use insn_count instead of 1. bpf_jit_enable in +mode 2 provides also disasm on s390: + +Before fix: + + 000003ff800349b6: a7f40003 brc 15,3ff800349bc ; target + 000003ff800349ba: 0000 unknown + 000003ff800349bc: e3b0f0700024 stg %r11,112(%r15) + 000003ff800349c2: e3e0f0880024 stg %r14,136(%r15) + 000003ff800349c8: 0db0 basr %r11,%r0 + 000003ff800349ca: c0ef00000000 llilf %r14,0 + 000003ff800349d0: e320b0360004 lg %r2,54(%r11) + 000003ff800349d6: e330b03e0004 lg %r3,62(%r11) + 000003ff800349dc: ec23ffeda065 clgrj %r2,%r3,10,3ff800349b6 ; jmp + 000003ff800349e2: e3e0b0460004 lg %r14,70(%r11) + 000003ff800349e8: e3e0b04e0004 lg %r14,78(%r11) + 000003ff800349ee: b904002e lgr %r2,%r14 + 000003ff800349f2: e3b0f0700004 lg %r11,112(%r15) + 000003ff800349f8: e3e0f0880004 lg %r14,136(%r15) + 000003ff800349fe: 07fe bcr 15,%r14 + +After fix: + + 000003ff80ef3db4: a7f40003 brc 15,3ff80ef3dba + 000003ff80ef3db8: 0000 unknown + 000003ff80ef3dba: e3b0f0700024 stg %r11,112(%r15) + 000003ff80ef3dc0: e3e0f0880024 stg %r14,136(%r15) + 000003ff80ef3dc6: 0db0 basr %r11,%r0 + 000003ff80ef3dc8: c0ef00000000 llilf %r14,0 + 000003ff80ef3dce: e320b0360004 lg %r2,54(%r11) + 000003ff80ef3dd4: e330b03e0004 lg %r3,62(%r11) + 000003ff80ef3dda: ec230006a065 clgrj %r2,%r3,10,3ff80ef3de6 ; jmp + 000003ff80ef3de0: e3e0b0460004 lg %r14,70(%r11) + 000003ff80ef3de6: e3e0b04e0004 lg %r14,78(%r11) ; target + 000003ff80ef3dec: b904002e lgr %r2,%r14 + 000003ff80ef3df0: e3b0f0700004 lg %r11,112(%r15) + 000003ff80ef3df6: e3e0f0880004 lg %r14,136(%r15) + 000003ff80ef3dfc: 07fe bcr 15,%r14 + +test_bpf.ko suite runs fine after the fix. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Daniel Borkmann +Tested-by: Michael Holzheu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/net/bpf_jit_comp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1250,7 +1250,8 @@ static int bpf_jit_prog(struct bpf_jit * + insn_count = bpf_jit_insn(jit, fp, i); + if (insn_count < 0) + return -1; +- jit->addrs[i + 1] = jit->prg; /* Next instruction address */ ++ /* Next instruction address */ ++ jit->addrs[i + insn_count] = jit->prg; + } + bpf_jit_epilogue(jit); + diff --git a/queue-4.4/net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch b/queue-4.4/net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch new file mode 100644 index 00000000000..73aae5eed42 --- /dev/null +++ b/queue-4.4/net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch @@ -0,0 +1,74 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Willem de Bruijn +Date: Tue, 8 Aug 2017 14:22:55 -0400 +Subject: net: avoid skb_warn_bad_offload false positives on UFO + +From: Willem de Bruijn + + +[ Upstream commit 8d63bee643f1fb53e472f0e135cae4eb99d62d19 ] + +skb_warn_bad_offload triggers a warning when an skb enters the GSO +stack at __skb_gso_segment that does not have CHECKSUM_PARTIAL +checksum offload set. + +Commit b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise") +observed that SKB_GSO_DODGY producers can trigger the check and +that passing those packets through the GSO handlers will fix it +up. But, the software UFO handler will set ip_summed to +CHECKSUM_NONE. + +When __skb_gso_segment is called from the receive path, this +triggers the warning again. + +Make UFO set CHECKSUM_UNNECESSARY instead of CHECKSUM_NONE. On +Tx these two are equivalent. On Rx, this better matches the +skb state (checksum computed), as CHECKSUM_NONE here means no +checksum computed. + +See also this thread for context: +http://patchwork.ozlabs.org/patch/799015/ + +Fixes: b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise") +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + net/ipv4/udp_offload.c | 2 +- + net/ipv6/udp_offload.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2551,7 +2551,7 @@ static inline bool skb_needs_check(struc + { + if (tx_path) + return skb->ip_summed != CHECKSUM_PARTIAL && +- skb->ip_summed != CHECKSUM_NONE; ++ skb->ip_summed != CHECKSUM_UNNECESSARY; + + return skb->ip_summed == CHECKSUM_NONE; + } +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -231,7 +231,7 @@ static struct sk_buff *udp4_ufo_fragment + if (uh->check == 0) + uh->check = CSUM_MANGLED_0; + +- skb->ip_summed = CHECKSUM_NONE; ++ skb->ip_summed = CHECKSUM_UNNECESSARY; + + /* Fragment the skb. IP headers of the fragments are updated in + * inet_gso_segment() +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment + if (uh->check == 0) + uh->check = CSUM_MANGLED_0; + +- skb->ip_summed = CHECKSUM_NONE; ++ skb->ip_summed = CHECKSUM_UNNECESSARY; + + /* Check if there is enough headroom to insert fragment header. */ + tnl_hlen = skb_tnl_header_len(skb); diff --git a/queue-4.4/net-fix-keepalive-code-vs-tcp_fastopen_connect.patch b/queue-4.4/net-fix-keepalive-code-vs-tcp_fastopen_connect.patch new file mode 100644 index 00000000000..a0a8d76ea87 --- /dev/null +++ b/queue-4.4/net-fix-keepalive-code-vs-tcp_fastopen_connect.patch @@ -0,0 +1,89 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Eric Dumazet +Date: Wed, 2 Aug 2017 23:10:46 -0700 +Subject: net: fix keepalive code vs TCP_FASTOPEN_CONNECT + +From: Eric Dumazet + + +[ Upstream commit 2dda640040876cd8ae646408b69eea40c24f9ae9 ] + +syzkaller was able to trigger a divide by 0 in TCP stack [1] + +Issue here is that keepalive timer needs to be updated to not attempt +to send a probe if the connection setup was deferred using +TCP_FASTOPEN_CONNECT socket option added in linux-4.11 + +[1] + divide error: 0000 [#1] SMP + CPU: 18 PID: 0 Comm: swapper/18 Not tainted + task: ffff986f62f4b040 ti: ffff986f62fa2000 task.ti: ffff986f62fa2000 + RIP: 0010:[] [] __tcp_select_window+0x8d/0x160 + Call Trace: + + [] tcp_transmit_skb+0x11/0x20 + [] tcp_xmit_probe_skb+0xc1/0xe0 + [] tcp_write_wakeup+0x68/0x160 + [] tcp_keepalive_timer+0x17b/0x230 + [] call_timer_fn+0x39/0xf0 + [] run_timer_softirq+0x1d7/0x280 + [] __do_softirq+0xcb/0x257 + [] irq_exit+0x9c/0xb0 + [] smp_apic_timer_interrupt+0x6a/0x80 + [] apic_timer_interrupt+0x7f/0x90 + + [] ? cpuidle_enter_state+0x13a/0x3b0 + [] ? cpuidle_enter_state+0x11d/0x3b0 + +Tested: + +Following packetdrill no longer crashes the kernel + +`echo 0 >/proc/sys/net/ipv4/tcp_timestamps` + +// Cache warmup: send a Fast Open cookie request + 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 + +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 + +0 setsockopt(3, SOL_TCP, TCP_FASTOPEN_CONNECT, [1], 4) = 0 + +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation is now in progress) + +0 > S 0:0(0) + +.01 < S. 123:123(0) ack 1 win 14600 + +0 > . 1:1(0) ack 1 + +0 close(3) = 0 + +0 > F. 1:1(0) ack 1 + +0 < F. 1:1(0) ack 2 win 92 + +0 > . 2:2(0) ack 2 + + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 4 + +0 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 + +0 setsockopt(4, SOL_TCP, TCP_FASTOPEN_CONNECT, [1], 4) = 0 + +0 setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 + +.01 connect(4, ..., ...) = 0 + +0 setsockopt(4, SOL_TCP, TCP_KEEPIDLE, [5], 4) = 0 + +10 close(4) = 0 + +`echo 1 >/proc/sys/net/ipv4/tcp_timestamps` + +Fixes: 19f6d3f3c842 ("net/tcp-fastopen: Add new API support") +Signed-off-by: Eric Dumazet +Reported-by: Dmitry Vyukov +Cc: Wei Wang +Cc: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_timer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -606,7 +606,8 @@ static void tcp_keepalive_timer (unsigne + goto death; + } + +- if (!sock_flag(sk, SOCK_KEEPOPEN) || sk->sk_state == TCP_CLOSE) ++ if (!sock_flag(sk, SOCK_KEEPOPEN) || ++ ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT))) + goto out; + + elapsed = keepalive_time_when(tp); diff --git a/queue-4.4/net-sched-set-xt_tgchk_param-par.nft_compat-as-0-in-ipt_init_target.patch b/queue-4.4/net-sched-set-xt_tgchk_param-par.nft_compat-as-0-in-ipt_init_target.patch new file mode 100644 index 00000000000..327d7c7c904 --- /dev/null +++ b/queue-4.4/net-sched-set-xt_tgchk_param-par.nft_compat-as-0-in-ipt_init_target.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Xin Long +Date: Wed, 9 Aug 2017 18:15:19 +0800 +Subject: net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target + +From: Xin Long + + +[ Upstream commit 96d9703050a0036a3360ec98bb41e107c90664fe ] + +Commit 55917a21d0cc ("netfilter: x_tables: add context to know if +extension runs from nft_compat") introduced a member nft_compat to +xt_tgchk_param structure. + +But it didn't set it's value for ipt_init_target. With unexpected +value in par.nft_compat, it may return unexpected result in some +target's checkentry. + +This patch is to set all it's fields as 0 and only initialize the +non-zero fields in ipt_init_target. + +v1->v2: + As Wang Cong's suggestion, fix it by setting all it's fields as + 0 and only initializing the non-zero fields. + +Fixes: 55917a21d0cc ("netfilter: x_tables: add context to know if extension runs from nft_compat") +Suggested-by: Cong Wang +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ipt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -42,8 +42,8 @@ static int ipt_init_target(struct xt_ent + return PTR_ERR(target); + + t->u.kernel.target = target; ++ memset(&par, 0, sizeof(par)); + par.table = table; +- par.entryinfo = NULL; + par.target = target; + par.targinfo = t->data; + par.hook_mask = hook; diff --git a/queue-4.4/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/queue-4.4/packet-fix-tp_reserve-race-in-packet_set_ring.patch new file mode 100644 index 00000000000..8116a27d953 --- /dev/null +++ b/queue-4.4/packet-fix-tp_reserve-race-in-packet_set_ring.patch @@ -0,0 +1,51 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Willem de Bruijn +Date: Thu, 10 Aug 2017 12:41:58 -0400 +Subject: packet: fix tp_reserve race in packet_set_ring + +From: Willem de Bruijn + + +[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ] + +Updates to tp_reserve can race with reads of the field in +packet_set_ring. Avoid this by holding the socket lock during +updates in setsockopt PACKET_RESERVE. + +This bug was discovered by syzkaller. + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Reported-by: Andrey Konovalov +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3622,14 +3622,19 @@ packet_setsockopt(struct socket *sock, i + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + if (val > INT_MAX) + return -EINVAL; +- po->tp_reserve = val; +- return 0; ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_reserve = val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_LOSS: + { diff --git a/queue-4.4/revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch b/queue-4.4/revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch new file mode 100644 index 00000000000..9d741f942a2 --- /dev/null +++ b/queue-4.4/revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch @@ -0,0 +1,30 @@ +From foo@baz Fri Aug 11 09:19:02 PDT 2017 +Date: Fri, 11 Aug 2017 09:19:02 -0700 +To: Greg KH +From: Greg Kroah-Hartman +Subject: revert "ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output" + +This reverts commit f102bb7164c9020e12662998f0fd99c3be72d4f6 which is +commit 0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38 upstream as there is +another patch that needs to be applied instead of this one. + +Cc: Zheng Li +Cc: David S. Miller +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -922,7 +922,7 @@ static int __ip_append_data(struct sock + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) && ++ if (((length > mtu) || (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && + (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { diff --git a/queue-4.4/revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch b/queue-4.4/revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch new file mode 100644 index 00000000000..d55fc235b32 --- /dev/null +++ b/queue-4.4/revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Aug 11 09:14:09 PDT 2017 +Date: Fri, 11 Aug 2017 09:14:09 -0700 +To: Greg KH +From: Greg Kroah-Hartman +Subject: revert "net: account for current skb length when deciding about UFO" + +This reverts commit ef09c9ff343122a0b245416066992d096416ff19 which is +commit a5cb659bbc1c8644efa0c3138a757a1e432a4880 upstream as it causes +merge issues with later patches that are much more important... + +Cc: Michal Kubecek +Cc: Vlad Yasevich +Cc: David S. Miller +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_output.c | 3 +-- + net/ipv6/ip6_output.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -922,8 +922,7 @@ static int __ip_append_data(struct sock + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && + (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1357,7 +1357,7 @@ emsgsize: + */ + + cork->length += length; +- if ((((length + (skb ? skb->len : headersize)) > mtu) || ++ if ((((length + fragheaderlen) > mtu) || + (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..cecfc459dc4 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,10 @@ +tcp-avoid-setting-cwnd-to-invalid-ssthresh-after-cwnd-reduction-states.patch +net-fix-keepalive-code-vs-tcp_fastopen_connect.patch +bpf-s390-fix-jit-branch-offset-related-to-ldimm64.patch +net-sched-set-xt_tgchk_param-par.nft_compat-as-0-in-ipt_init_target.patch +tcp-fastopen-tcp_connect-must-refresh-the-route.patch +net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch +packet-fix-tp_reserve-race-in-packet_set_ring.patch +revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch +revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch +udp-consistently-apply-ufo-or-fragmentation.patch diff --git a/queue-4.4/tcp-avoid-setting-cwnd-to-invalid-ssthresh-after-cwnd-reduction-states.patch b/queue-4.4/tcp-avoid-setting-cwnd-to-invalid-ssthresh-after-cwnd-reduction-states.patch new file mode 100644 index 00000000000..e30fc028d69 --- /dev/null +++ b/queue-4.4/tcp-avoid-setting-cwnd-to-invalid-ssthresh-after-cwnd-reduction-states.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Yuchung Cheng +Date: Tue, 1 Aug 2017 13:22:32 -0700 +Subject: tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states + +From: Yuchung Cheng + + +[ Upstream commit ed254971edea92c3ac5c67c6a05247a92aa6075e ] + +If the sender switches the congestion control during ECN-triggered +cwnd-reduction state (CA_CWR), upon exiting recovery cwnd is set to +the ssthresh value calculated by the previous congestion control. If +the previous congestion control is BBR that always keep ssthresh +to TCP_INIFINITE_SSTHRESH, cwnd ends up being infinite. The safe +step is to avoid assigning invalid ssthresh value when recovery ends. + +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2503,8 +2503,8 @@ static inline void tcp_end_cwnd_reductio + struct tcp_sock *tp = tcp_sk(sk); + + /* Reset cwnd to ssthresh in CWR or Recovery (unless it's undone) */ +- if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || +- (tp->undo_marker && tp->snd_ssthresh < TCP_INFINITE_SSTHRESH)) { ++ if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH && ++ (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || tp->undo_marker)) { + tp->snd_cwnd = tp->snd_ssthresh; + tp->snd_cwnd_stamp = tcp_time_stamp; + } diff --git a/queue-4.4/tcp-fastopen-tcp_connect-must-refresh-the-route.patch b/queue-4.4/tcp-fastopen-tcp_connect-must-refresh-the-route.patch new file mode 100644 index 00000000000..5495c6c30b0 --- /dev/null +++ b/queue-4.4/tcp-fastopen-tcp_connect-must-refresh-the-route.patch @@ -0,0 +1,51 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Eric Dumazet +Date: Tue, 8 Aug 2017 01:41:58 -0700 +Subject: tcp: fastopen: tcp_connect() must refresh the route + +From: Eric Dumazet + + +[ Upstream commit 8ba60924710cde564a3905588b6219741d6356d0 ] + +With new TCP_FASTOPEN_CONNECT socket option, there is a possibility +to call tcp_connect() while socket sk_dst_cache is either NULL +or invalid. + + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 4 + +0 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 + +0 setsockopt(4, SOL_TCP, TCP_FASTOPEN_CONNECT, [1], 4) = 0 + +0 connect(4, ..., ...) = 0 + +<< sk->sk_dst_cache becomes obsolete, or even set to NULL >> + + +1 sendto(4, ..., 1000, MSG_FASTOPEN, ..., ...) = 1000 + +We need to refresh the route otherwise bad things can happen, +especially when syzkaller is running on the host :/ + +Fixes: 19f6d3f3c8422 ("net/tcp-fastopen: Add new API support") +Reported-by: Dmitry Vyukov +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Cc: Yuchung Cheng +Acked-by: Wei Wang +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3256,6 +3256,9 @@ int tcp_connect(struct sock *sk) + struct sk_buff *buff; + int err; + ++ if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk)) ++ return -EHOSTUNREACH; /* Routing failure or similar. */ ++ + tcp_connect_init(sk); + + if (unlikely(tp->repair)) { diff --git a/queue-4.4/udp-consistently-apply-ufo-or-fragmentation.patch b/queue-4.4/udp-consistently-apply-ufo-or-fragmentation.patch new file mode 100644 index 00000000000..2e67ada8ca2 --- /dev/null +++ b/queue-4.4/udp-consistently-apply-ufo-or-fragmentation.patch @@ -0,0 +1,89 @@ +From foo@baz Fri Aug 11 09:41:52 PDT 2017 +From: Willem de Bruijn +Date: Thu, 10 Aug 2017 12:29:19 -0400 +Subject: udp: consistently apply ufo or fragmentation + +From: Willem de Bruijn + + +[ Upstream commit 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa ] + +When iteratively building a UDP datagram with MSG_MORE and that +datagram exceeds MTU, consistently choose UFO or fragmentation. + +Once skb_is_gso, always apply ufo. Conversely, once a datagram is +split across multiple skbs, do not consider ufo. + +Sendpage already maintains the first invariant, only add the second. +IPv6 does not have a sendpage implementation to modify. + +A gso skb must have a partial checksum, do not follow sk_no_check_tx +in udp_send_skb. + +Found by syzkaller. + +Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") +Reported-by: Andrey Konovalov +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 7 +++++-- + net/ipv4/udp.c | 2 +- + net/ipv6/ip6_output.c | 7 ++++--- + 3 files changed, 10 insertions(+), 6 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -922,10 +922,12 @@ static int __ip_append_data(struct sock + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if (((length > mtu) || (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ ((length > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && +- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +@@ -1241,6 +1243,7 @@ ssize_t ip_append_page(struct sock *sk, + return -EINVAL; + + if ((size + skb->len > mtu) && ++ (skb_queue_len(&sk->sk_write_queue) == 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + if (skb->ip_summed != CHECKSUM_PARTIAL) +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -819,7 +819,7 @@ static int udp_send_skb(struct sk_buff * + if (is_udplite) /* UDP-Lite */ + csum = udplite_csum(skb); + +- else if (sk->sk_no_check_tx) { /* UDP csum disabled */ ++ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */ + + skb->ip_summed = CHECKSUM_NONE; + goto send; +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1357,11 +1357,12 @@ emsgsize: + */ + + cork->length += length; +- if ((((length + fragheaderlen) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ (((length + fragheaderlen) > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && +- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) { + err = ip6_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, exthdrlen, + transhdrlen, mtu, flags, fl6); -- 2.47.3