From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Jul 2017 08:11:24 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.12.3~29
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=79be7bf1499f0475b3f1429f32f56e6ae6ac9842;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	ipv6-avoid-unregistering-inet6_dev-for-loopback.patch
	net-prevent-sign-extension-in-dev_get_stats.patch
	tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
---

diff --git a/queue-3.18/ipv6-avoid-unregistering-inet6_dev-for-loopback.patch b/queue-3.18/ipv6-avoid-unregistering-inet6_dev-for-loopback.patch
new file mode 100644
index 00000000000..9037f9c0245
--- /dev/null
+++ b/queue-3.18/ipv6-avoid-unregistering-inet6_dev-for-loopback.patch
@@ -0,0 +1,56 @@
+From 60abc0be96e00ca71bac083215ac91ad2e575096 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed, 21 Jun 2017 14:34:58 -0700
+Subject: ipv6: avoid unregistering inet6_dev for loopback
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit 60abc0be96e00ca71bac083215ac91ad2e575096 upstream.
+
+The per netns loopback_dev->ip6_ptr is unregistered and set to
+NULL when its mtu is set to smaller than IPV6_MIN_MTU, this
+leads to that we could set rt->rt6i_idev NULL after a
+rt6_uncached_list_flush_dev() and then crash after another
+call.
+
+In this case we should just bring its inet6_dev down, rather
+than unregistering it, at least prior to commit 176c39af29bc
+("netns: fix addrconf_ifdown kernel panic") we always
+override the case for loopback.
+
+Thanks a lot to Andrey for finding a reliable reproducer.
+
+Fixes: 176c39af29bc ("netns: fix addrconf_ifdown kernel panic")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Cc: Daniel Lezcano <dlezcano@fr.ibm.com>
+Cc: David Ahern <dsahern@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2829,6 +2829,7 @@ static int addrconf_notify(struct notifi
+ {
+ 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ 	struct inet6_dev *idev = __in6_dev_get(dev);
++	struct net *net = dev_net(dev);
+ 	int run_pending = 0;
+ 	int err;
+ 
+@@ -2925,7 +2926,7 @@ static int addrconf_notify(struct notifi
+ 			 * IPV6_MIN_MTU stop IPv6 on this interface.
+ 			 */
+ 			if (dev->mtu < IPV6_MIN_MTU)
+-				addrconf_ifdown(dev, 1);
++				addrconf_ifdown(dev, dev != net->loopback_dev);
+ 		}
+ 		break;
+ 
diff --git a/queue-3.18/net-prevent-sign-extension-in-dev_get_stats.patch b/queue-3.18/net-prevent-sign-extension-in-dev_get_stats.patch
new file mode 100644
index 00000000000..391b2e1a2e0
--- /dev/null
+++ b/queue-3.18/net-prevent-sign-extension-in-dev_get_stats.patch
@@ -0,0 +1,41 @@
+From 6f64ec74515925cced6df4571638b5a099a49aae Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 27 Jun 2017 07:02:20 -0700
+Subject: net: prevent sign extension in dev_get_stats()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6f64ec74515925cced6df4571638b5a099a49aae upstream.
+
+Similar to the fix provided by Dominik Heidler in commit
+9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
+we need to take care of 32bit kernels in dev_get_stats().
+
+When using atomic_long_read(), we add a 'long' to u64 and
+might misinterpret high order bit, unless we cast to unsigned.
+
+Fixes: caf586e5f23ce ("net: add a core netdev->rx_dropped counter")
+Fixes: 015f0688f57ca ("net: net: add a core netdev->tx_dropped counter")
+Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6561,8 +6561,8 @@ struct rtnl_link_stats64 *dev_get_stats(
+ 	} else {
+ 		netdev_stats_to_stats64(storage, &dev->stats);
+ 	}
+-	storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
+-	storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
++	storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped);
++	storage->tx_dropped += (unsigned long)atomic_long_read(&dev->tx_dropped);
+ 	return storage;
+ }
+ EXPORT_SYMBOL(dev_get_stats);
diff --git a/queue-3.18/series b/queue-3.18/series
index 8a23afeffd0..a8d598ce529 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1,2 +1,3 @@
 ipv6-avoid-unregistering-inet6_dev-for-loopback.patch
 tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
+net-prevent-sign-extension-in-dev_get_stats.patch
diff --git a/queue-3.18/tcp-reset-sk_rx_dst-in-tcp_disconnect.patch b/queue-3.18/tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..f24d8778605
--- /dev/null
+++ b/queue-3.18/tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
@@ -0,0 +1,40 @@
+From d747a7a51b00984127a88113cdbbc26f91e9d815 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Sat, 24 Jun 2017 23:50:30 -0700
+Subject: tcp: reset sk_rx_dst in tcp_disconnect()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit d747a7a51b00984127a88113cdbbc26f91e9d815 upstream.
+
+We have to reset the sk->sk_rx_dst when we disconnect a TCP
+connection, because otherwise when we re-connect it this
+dst reference is simply overridden in tcp_finish_connect().
+
+This fixes a dst leak which leads to a loopback dev refcnt
+leak. It is a long-standing bug, Kevin reported a very similar
+(if not same) bug before. Thanks to Andrei for providing such
+a reliable reproducer which greatly narrows down the problem.
+
+Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
+Reported-by: Andrei Vagin <avagin@gmail.com>
+Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2268,6 +2268,8 @@ int tcp_disconnect(struct sock *sk, int
+ 	tcp_init_send_head(sk);
+ 	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ 	__sk_dst_reset(sk);
++	dst_release(sk->sk_rx_dst);
++	sk->sk_rx_dst = NULL;
+ 
+ 	WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
+