Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.6.7-300.vanilla.knurd.1.fc24

5 files changed, 64 insertions, 191 deletions

diff --git a/kernel.spec b/kernel.spec
index eecad142e..cbe30e1c6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -655,10 +655,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
 Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
 Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
 
-#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
-Patch835: tcp-make-challenge-acks-less-predictable.patch
-Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
-
 # https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/
 Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
 Patch837: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
@@ -670,6 +666,9 @@ Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
 Patch842: kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch
 Patch843: kvm-ppc-Book3S-HV-Save-restore-TM-state.patch
 
+#rhbz 1361414
+Patch844: openstack_fix.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2198,6 +2197,12 @@ fi
 #
 # 
 %changelog
+* Tue Aug 16 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.7-300
+- Linux v4.6.7
+
+* Thu Aug 11 2016 Laura Abbott <labbott@fedoraproject.org>
+- Fix for crash seen with Open Stack (rhbz 1361414)
+
 * Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-300
 - Linux v4.6.6
 
diff --git a/openstack_fix.patch b/openstack_fix.patch
new file mode 100644
index 000000000..a967c350e
--- /dev/null
+++ b/openstack_fix.patch
@@ -0,0 +1,53 @@
+From 5ef9f289c4e698054e5687edb54f0da3cdc9173a Mon Sep 17 00:00:00 2001
+From: Ian Wienand <iwienand@redhat.com>
+Date: Wed, 3 Aug 2016 15:44:57 +1000
+Subject: OVS: Ignore negative headroom value
+
+net_device->ndo_set_rx_headroom (introduced in
+871b642adebe300be2e50aa5f65a418510f636ec) says
+
+  "Setting a negtaive value reset the rx headroom
+   to the default value".
+
+It seems that the OVS implementation in
+3a927bc7cf9d0fbe8f4a8189dd5f8440228f64e7 overlooked this and sets
+dev->needed_headroom unconditionally.
+
+This doesn't have an immediate effect, but can mess up later
+LL_RESERVED_SPACE calculations, such as done in
+net/ipv6/mcast.c:mld_newpack.  For reference, this issue was found
+from a skb_panic raised there after the length calculations had given
+the wrong result.
+
+Note the other current users of this interface
+(drivers/net/tun.c:tun_set_headroom and
+drivers/net/veth.c:veth_set_rx_headroom) are both checking this
+correctly thus need no modification.
+
+Thanks to Ben for some pointers from the crash dumps!
+
+Cc: Benjamin Poirier <bpoirier@suse.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361414
+Signed-off-by: Ian Wienand <iwienand@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/openvswitch/vport-internal_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 434e04c..95c3614 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -140,7 +140,7 @@ internal_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ 
+ static void internal_set_rx_headroom(struct net_device *dev, int new_hr)
+ {
+-	dev->needed_headroom = new_hr;
++	dev->needed_headroom = new_hr < 0 ? 0 : new_hr;
+ }
+ 
+ static const struct net_device_ops internal_dev_netdev_ops = {
+-- 
+cgit v0.12
+
diff --git a/sources b/sources
index dbcebdf2e..378381dd9 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-84f23eb772635b1348d3ea7c5bd67930  patch-4.6.6.xz
+3fc1fcb7ef83c4ef4c05d8bd57e1b985  patch-4.6.7.xz
diff --git a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch b/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
deleted file mode 100644
index 0a5eab8aa..000000000
--- a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 8272c58d085e5611a7f839fa32e148ae62446375 Mon Sep 17 00:00:00 2001
-From: Jason Baron <jbaron@akamai.com>
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: David S. Miller <davem@davemloft.net>
-Cc: Neal Cardwell <ncardwell@google.com>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Jason Baron <jbaron@akamai.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
- 1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 8c011359646b..796315104ad7 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3423,6 +3423,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- 	return flag;
- }
- 
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+				   u32 *last_oow_ack_time)
-+{
-+	if (*last_oow_ack_time) {
-+		s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+		if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+			NET_INC_STATS(net, mib_idx);
-+			return true;	/* rate-limited: don't send yet! */
-+		}
-+	}
-+
-+	*last_oow_ack_time = tcp_time_stamp;
-+
-+	return false;	/* not rate-limited: go ahead, send dupack now! */
-+}
-+
- /* Return true if we're currently rate-limiting out-of-window ACKs and
-  * thus shouldn't send a dupack right now. We rate-limit dupacks in
-  * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3436,21 +3453,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
- 	/* Data packets without SYNs are not likely part of an ACK loop. */
- 	if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
- 	    !tcp_hdr(skb)->syn)
--		goto not_rate_limited;
--
--	if (*last_oow_ack_time) {
--		s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
--		if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
--			NET_INC_STATS_BH(net, mib_idx);
--			return true;	/* rate-limited: don't send yet! */
--		}
--	}
--
--	*last_oow_ack_time = tcp_time_stamp;
-+		return false;
- 
--not_rate_limited:
--	return false;	/* not rate-limited: go ahead, send dupack now! */
-+	return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
- }
- 
- /* RFC 5961 7 [ACK Throttling] */
-@@ -3463,9 +3468,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- 	u32 count, now;
- 
- 	/* First check our per-socket dupack rate limit. */
--	if (tcp_oow_rate_limited(sock_net(sk), skb,
--				 LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
--				 &tp->last_oow_ack_time))
-+	if (__tcp_oow_rate_limited(sock_net(sk),
-+				   LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+				   &tp->last_oow_ack_time))
- 		return;
- 
- 	/* Then check host-wide RFC 5961 rate limit. */
--- 
-2.7.4
-
diff --git a/tcp-make-challenge-acks-less-predictable.patch b/tcp-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index 992e4f522..000000000
--- a/tcp-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 771209218b9ec051a573b9fddc149682a534190e Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index c124c3c12f7c..8c011359646b 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
- 
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
- 
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- 	static u32 challenge_timestamp;
- 	static unsigned int challenge_count;
- 	struct tcp_sock *tp = tcp_sk(sk);
--	u32 now;
-+	u32 count, now;
- 
- 	/* First check our per-socket dupack rate limit. */
- 	if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3468,14 +3468,19 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- 				 &tp->last_oow_ack_time))
- 		return;
- 
--	/* Then check the check host-wide RFC 5961 rate limit. */
-+	/* Then check host-wide RFC 5961 rate limit. */
- 	now = jiffies / HZ;
- 	if (now != challenge_timestamp) {
-+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- 		challenge_timestamp = now;
--		challenge_count = 0;
-+		WRITE_ONCE(challenge_count, half +
-+			   prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- 	}
--	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
--		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
-+	count = READ_ONCE(challenge_count);
-+	if (count > 0) {
-+		WRITE_ONCE(challenge_count, count - 1);
-+		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- 		tcp_send_ack(sk);
- 	}
- }
--- 
-2.5.5
-