From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 15 Jan 2021 09:20:55 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.252~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=137b4c0b32b98a837103027e36cd1cc93005382e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	net-fix-pmtu-check-in-nopmtudisc-mode.patch
	net-ip-always-refragment-ip-defragmented-packets.patch
---

diff --git a/queue-4.4/net-fix-pmtu-check-in-nopmtudisc-mode.patch b/queue-4.4/net-fix-pmtu-check-in-nopmtudisc-mode.patch
new file mode 100644
index 00000000000..0b6190c00fd
--- /dev/null
+++ b/queue-4.4/net-fix-pmtu-check-in-nopmtudisc-mode.patch
@@ -0,0 +1,61 @@
+From foo@baz Fri Jan 15 09:43:29 AM CET 2021
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 6 Jan 2021 00:15:22 +0100
+Subject: net: fix pmtu check in nopmtudisc mode
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 50c661670f6a3908c273503dfa206dfc7aa54c07 ]
+
+For some reason ip_tunnel insist on setting the DF bit anyway when the
+inner header has the DF bit set, EVEN if the tunnel was configured with
+'nopmtudisc'.
+
+This means that the script added in the previous commit
+cannot be made to work by adding the 'nopmtudisc' flag to the
+ip tunnel configuration. Doing so breaks connectivity even for the
+without-conntrack/netfilter scenario.
+
+When nopmtudisc is set, the tunnel will skip the mtu check, so no
+icmp error is sent to client. Then, because inner header has DF set,
+the outer header gets added with DF bit set as well.
+
+IP stack then sends an error to itself because the packet exceeds
+the device MTU.
+
+Fixes: 23a3647bc4f93 ("ip_tunnels: Use skb-len to PMTU check.")
+Cc: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -708,7 +708,11 @@ void ip_tunnel_xmit(struct sk_buff *skb,
+ 		goto tx_error;
+ 	}
+ 
+-	if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off, inner_iph)) {
++	df = tnl_params->frag_off;
++	if (skb->protocol == htons(ETH_P_IP))
++		df |= (inner_iph->frag_off & htons(IP_DF));
++
++	if (tnl_update_pmtu(dev, skb, rt, df, inner_iph)) {
+ 		ip_rt_put(rt);
+ 		goto tx_error;
+ 	}
+@@ -736,10 +740,6 @@ void ip_tunnel_xmit(struct sk_buff *skb,
+ 			ttl = ip4_dst_hoplimit(&rt->dst);
+ 	}
+ 
+-	df = tnl_params->frag_off;
+-	if (skb->protocol == htons(ETH_P_IP))
+-		df |= (inner_iph->frag_off&htons(IP_DF));
+-
+ 	max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr)
+ 			+ rt->dst.header_len + ip_encap_hlen(&tunnel->encap);
+ 	if (max_headroom > dev->needed_headroom)
diff --git a/queue-4.4/net-ip-always-refragment-ip-defragmented-packets.patch b/queue-4.4/net-ip-always-refragment-ip-defragmented-packets.patch
new file mode 100644
index 00000000000..6c7bbf93d14
--- /dev/null
+++ b/queue-4.4/net-ip-always-refragment-ip-defragmented-packets.patch
@@ -0,0 +1,67 @@
+From foo@baz Fri Jan 15 10:18:10 AM CET 2021
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 6 Jan 2021 00:15:23 +0100
+Subject: net: ip: always refragment ip defragmented packets
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit bb4cc1a18856a73f0ff5137df0c2a31f4c50f6cf ]
+
+Conntrack reassembly records the largest fragment size seen in IPCB.
+However, when this gets forwarded/transmitted, fragmentation will only
+be forced if one of the fragmented packets had the DF bit set.
+
+In that case, a flag in IPCB will force fragmentation even if the
+MTU is large enough.
+
+This should work fine, but this breaks with ip tunnels.
+Consider client that sends a UDP datagram of size X to another host.
+
+The client fragments the datagram, so two packets, of size y and z, are
+sent. DF bit is not set on any of these packets.
+
+Middlebox netfilter reassembles those packets back to single size-X
+packet, before routing decision.
+
+packet-size-vs-mtu checks in ip_forward are irrelevant, because DF bit
+isn't set.  At output time, ip refragmentation is skipped as well
+because x is still smaller than the mtu of the output device.
+
+If ttransmit device is an ip tunnel, the packet size increases to
+x+overhead.
+
+Also, tunnel might be configured to force DF bit on outer header.
+
+In this case, packet will be dropped (exceeds MTU) and an ICMP error is
+generated back to sender.
+
+But sender already respects the announced MTU, all the packets that
+it sent did fit the announced mtu.
+
+Force refragmentation as per original sizes unconditionally so ip tunnel
+will encapsulate the fragments instead.
+
+The only other solution I see is to place ip refragmentation in
+the ip_tunnel code to handle this case.
+
+Fixes: d6b915e29f4ad ("ip_fragment: don't forward defragmented DF packet")
+Reported-by: Christian Perle <christian.perle@secunet.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -283,7 +283,7 @@ static int ip_finish_output(struct net *
+ 	if (skb_is_gso(skb))
+ 		return ip_finish_output_gso(net, sk, skb, mtu);
+ 
+-	if (skb->len > mtu || (IPCB(skb)->flags & IPSKB_FRAG_PMTU))
++	if (skb->len > mtu || IPCB(skb)->frag_max_size)
+ 		return ip_fragment(net, sk, skb, mtu, ip_finish_output2);
+ 
+ 	return ip_finish_output2(net, sk, skb);
diff --git a/queue-4.4/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__s.patch b/queue-4.4/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__s.patch
index 112871a6314..d1d1ae78f5a 100644
--- a/queue-4.4/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__s.patch
+++ b/queue-4.4/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__s.patch
@@ -28,14 +28,12 @@ Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/96354bd77977a6a933fe9020da57629007fdb920.1603358942.git.christophe.leroy@csgroup.eu
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- arch/powerpc/include/asm/pgtable.h | 4 ++--
+ arch/powerpc/include/asm/pgtable.h |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
-index b64b4212b71f6..408f9e1fa24ac 100644
 --- a/arch/powerpc/include/asm/pgtable.h
 +++ b/arch/powerpc/include/asm/pgtable.h
-@@ -149,9 +149,9 @@ static inline void __set_pte_at(struct mm_struct *mm, unsigned long addr,
+@@ -149,9 +149,9 @@ static inline void __set_pte_at(struct m
  		flush_hash_entry(mm, ptep, addr);
  #endif
  	__asm__ __volatile__("\
@@ -47,6 +45,3 @@ index b64b4212b71f6..408f9e1fa24ac 100644
  	: "=m" (*ptep), "=m" (*((unsigned char *)ptep+4))
  	: "r" (pte) : "memory");
  
--- 
-2.27.0
-
diff --git a/queue-4.4/series b/queue-4.4/series
index b4a4825f35f..2e293b86882 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -5,3 +5,5 @@ target-use-xcopy-segment-descriptor-cscd-ids.patch
 xcopy-loop-over-devices-using-idr-helper.patch
 scsi-target-fix-xcopy-naa-identifier-lookup.patch
 powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__s.patch
+net-ip-always-refragment-ip-defragmented-packets.patch
+net-fix-pmtu-check-in-nopmtudisc-mode.patch