From: Greg Kroah-Hartman Date: Fri, 17 Feb 2017 01:11:44 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.9.11~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=459fa4a71da6265f9d6ce7c3426033200f516793;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: tcp-don-t-annotate-mark-on-control-socket-from-tcp_v6_send_response.patch x86-fpu-xstate-fix-xcomp_bv-in-xsaves-header.patch --- diff --git a/queue-4.9/series b/queue-4.9/series index 82d0d017501..c6308f79c3e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -30,3 +30,5 @@ mld-do-not-remove-mld-souce-list-info-when-set-link-down.patch igmp-mld-fix-memory-leak-in-igmpv3-mld_del_delrec.patch tcp-fix-mark-propagation-with-fwmark_reflect-enabled.patch net-mlx5-don-t-unlock-fte-while-still-using-it.patch +tcp-don-t-annotate-mark-on-control-socket-from-tcp_v6_send_response.patch +x86-fpu-xstate-fix-xcomp_bv-in-xsaves-header.patch diff --git a/queue-4.9/tcp-don-t-annotate-mark-on-control-socket-from-tcp_v6_send_response.patch b/queue-4.9/tcp-don-t-annotate-mark-on-control-socket-from-tcp_v6_send_response.patch new file mode 100644 index 00000000000..43c6a07f6bd --- /dev/null +++ b/queue-4.9/tcp-don-t-annotate-mark-on-control-socket-from-tcp_v6_send_response.patch 
@@ -0,0 +1,127 @@ +From 92e55f412cffd016cc245a74278cb4d7b89bb3bc Mon Sep 17 00:00:00 2001 +From: Pablo Neira +Date: Thu, 26 Jan 2017 22:56:21 +0100 +Subject: tcp: don't annotate mark on control socket from tcp_v6_send_response() + +From: Pablo Neira + +commit 92e55f412cffd016cc245a74278cb4d7b89bb3bc upstream. + +Unlike ipv4, this control socket is shared by all cpus so we cannot use +it as scratchpad area to annotate the mark that we pass to ip6_xmit(). + +Add a new parameter to ip6_xmit() to indicate the mark. The SCTP socket +family caches the flowi6 structure in the sctp_transport structure, so +we cannot use to carry the mark unless we later on reset it back, which +I discarded since it looks ugly to me. + +Fixes: bf99b4ded5f8 ("tcp: fix mark propagation with fwmark_reflect enabled") +Suggested-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/ipv6.h | 2 +- + net/dccp/ipv6.c | 4 ++-- + net/ipv6/inet6_connection_sock.c | 2 +- + net/ipv6/ip6_output.c | 4 ++-- + net/ipv6/tcp_ipv6.c | 5 ++--- + net/sctp/ipv6.c | 3 ++- + 6 files changed, 10 insertions(+), 10 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -871,7 +871,7 @@ int ip6_rcv_finish(struct net *net, stru + * upper-layer output functions + */ + int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, +- struct ipv6_txoptions *opt, int tclass); ++ __u32 mark, struct ipv6_txoptions *opt, int tclass); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr); + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -227,7 +227,7 @@ static int dccp_v6_send_response(const s + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); +- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); ++ err = ip6_xmit(sk, skb, &fl6, sk->sk_mark, opt, np->tclass); + rcu_read_unlock(); + err = net_xmit_eval(err); + } +@@ -281,7 +281,7 @@ static void dccp_v6_ctl_send_reset(const + dst = 
ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); + if (!IS_ERR(dst)) { + skb_dst_set(skb, dst); +- ip6_xmit(ctl_sk, skb, &fl6, NULL, 0); ++ ip6_xmit(ctl_sk, skb, &fl6, 0, NULL, 0); + DCCP_INC_STATS(DCCP_MIB_OUTSEGS); + DCCP_INC_STATS(DCCP_MIB_OUTRSTS); + return; +--- a/net/ipv6/inet6_connection_sock.c ++++ b/net/ipv6/inet6_connection_sock.c +@@ -173,7 +173,7 @@ int inet6_csk_xmit(struct sock *sk, stru + /* Restore final destination back after routing done */ + fl6.daddr = sk->sk_v6_daddr; + +- res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ res = ip6_xmit(sk, skb, &fl6, sk->sk_mark, rcu_dereference(np->opt), + np->tclass); + rcu_read_unlock(); + return res; +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -163,7 +163,7 @@ int ip6_output(struct net *net, struct s + * which are using proper atomic operations or spinlocks. + */ + int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, +- struct ipv6_txoptions *opt, int tclass) ++ __u32 mark, struct ipv6_txoptions *opt, int tclass) + { + struct net *net = sock_net(sk); + const struct ipv6_pinfo *np = inet6_sk(sk); +@@ -230,7 +230,7 @@ int ip6_xmit(const struct sock *sk, stru + + skb->protocol = htons(ETH_P_IPV6); + skb->priority = sk->sk_priority; +- skb->mark = sk->sk_mark; ++ skb->mark = mark; + + mtu = dst_mtu(dst); + if ((skb->len <= mtu) || skb->ignore_df || skb_is_gso(skb)) { +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -467,7 +467,7 @@ static int tcp_v6_send_synack(const stru + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); +- err = ip6_xmit(sk, skb, fl6, opt, np->tclass); ++ err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass); + rcu_read_unlock(); + err = net_xmit_eval(err); + } +@@ -837,8 +837,7 @@ static void tcp_v6_send_response(const s + dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); + if (!IS_ERR(dst)) { + skb_dst_set(buff, dst); +- ctl_sk->sk_mark = fl6.flowi6_mark; +- ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass); ++ 
ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass); + TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + if (rst) + TCP_INC_STATS(net, TCP_MIB_OUTRSTS); +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -222,7 +222,8 @@ static int sctp_v6_xmit(struct sk_buff * + SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); + + rcu_read_lock(); +- res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass); ++ res = ip6_xmit(sk, skb, fl6, sk->sk_mark, rcu_dereference(np->opt), ++ np->tclass); + rcu_read_unlock(); + return res; + } diff --git a/queue-4.9/x86-fpu-xstate-fix-xcomp_bv-in-xsaves-header.patch b/queue-4.9/x86-fpu-xstate-fix-xcomp_bv-in-xsaves-header.patch new file mode 100644 index 00000000000..c0b62133025 --- /dev/null +++ b/queue-4.9/x86-fpu-xstate-fix-xcomp_bv-in-xsaves-header.patch 
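Review bot: The new `mark` argument of ip6_xmit() is undocumented at both the prototype in include/net/ipv6.h and the definition in net/ipv6/ip6_output.c, although `skb->mark = mark;` means sk->sk_mark is no longer consulted on this path and each caller now decides the packet mark. I would add a line to the comment block above the definition such as `@mark: value copied to skb->mark; sk->sk_mark is not read here, so callers on a shared control socket pass the per-flow mark`. The call sites show why this matters: tcp_v6_send_response() passes `fl6.flowi6_mark`, while dccp_v6_ctl_send_reset() passes a literal `0`, which looks deliberate but deserves a short comment because marks feed policy routing and packet filtering. All of these functions start and end outside the visible hunks. Whether the 4.9 tree has ip6_xmit() callers beyond the six files in the diffstat cannot be checked from this page and is worth confirming for the backport.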
@@ -0,0 +1,72 @@ +From dffba9a31c7769be3231c420d4b364c92ba3f1ac Mon Sep 17 00:00:00 2001 +From: Yu-cheng Yu +Date: Mon, 23 Jan 2017 14:54:44 -0800 +Subject: x86/fpu/xstate: Fix xcomp_bv in XSAVES header + +From: Yu-cheng Yu + +commit dffba9a31c7769be3231c420d4b364c92ba3f1ac upstream. + +The compacted-format XSAVES area is determined at boot time and +never changed after. The field xsave.header.xcomp_bv indicates +which components are in the fixed XSAVES format. + +In fpstate_init() we did not set xcomp_bv to reflect the XSAVES +format since at the time there is no valid data. + +However, after we do copy_init_fpstate_to_fpregs() in fpu__clear(), +as in commit: + + b22cbe404a9c x86/fpu: Fix invalid FPU ptrace state after execve() + +and when __fpu_restore_sig() does fpu__restore() for a COMPAT-mode +app, a #GP occurs. This can be easily triggered by doing valgrind on +a COMPAT-mode "Hello World," as reported by Joakim Tjernlund and +others: + + https://bugzilla.kernel.org/show_bug.cgi?id=190061 + +Fix it by setting xcomp_bv correctly. + +This patch also moves the xcomp_bv initialization to the proper +place, which was in copyin_to_xsaves() as of: + + 4c833368f0bf x86/fpu: Set the xcomp_bv when we fake up a XSAVES area + +which fixed the bug too, but it's more efficient and cleaner to +initialize things once per boot, not for every signal handling +operation. + +Reported-by: Kevin Hao +Reported-by: Joakim Tjernlund +Signed-off-by: Yu-cheng Yu +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Ravi V. Shankar +Cc: Thomas Gleixner +Cc: haokexin@gmail.com +Link: http://lkml.kernel.org/r/1485212084-4418-1-git-send-email-yu-cheng.yu@intel.com +[ Combined it with 4c833368f0bf. 
] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -236,7 +236,8 @@ void fpstate_init(union fpregs_state *st + * it will #GP. Make sure it is replaced after the memset(). + */ + if (static_cpu_has(X86_FEATURE_XSAVES)) +- state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT; ++ state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT | ++ xfeatures_mask; + + if (static_cpu_has(X86_FEATURE_FXSR)) + fpstate_init_fxstate(&state->fxsave);
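Review bot: The comment above the changed assignment in fpstate_init() explains only that a missing compacted-format bit leads to #GP, not why `xfeatures_mask` is now ORed in; I would extend it with `xcomp_bv must also list the components of the boot-time XSAVES layout, not only the format bit`. The new value is only right if xfeatures_mask is already final whenever fpstate_init() runs, which cannot be confirmed from this hunk and is worth checking for the earliest caller. The description also speaks of moving the initialization out of copyin_to_xsaves(), yet the diffstat touches only arch/x86/kernel/fpu/core.c, so the backport should state whether that code exists in 4.9. fpstate_init() begins and ends outside the hunk.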