authorThorsten Leemhuis <fedora@leemhuis.info>2016-08-17 07:32:12 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2016-08-17 07:32:12 +0200
commit0593f221935d9134af78e8cd26ef633ed1ac2315 (patch)
tree2d3a217307d4a74486d1e20f5b6fc10ac12ae1e5
parentd424430bca47da4816821088e4dfcbb4ff942cb5 (diff)
parent302e16652f5c5afa332d3a8a79af8feb812c3d11 (diff)
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.6.7-200.vanilla.knurd.1.fc23
-rw-r--r--Revert-ALSA-hda-remove-controller-dependency-on-i915.patch44
-rw-r--r--drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch64
-rw-r--r--drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch230
-rw-r--r--kernel.spec21
-rw-r--r--openstack_fix.patch53
-rw-r--r--sources2
-rw-r--r--tcp-enable-per-socket-rate-limiting-of-all-challenge.patch102
-rw-r--r--tcp-make-challenge-acks-less-predictable.patch83
8 files changed, 132 insertions, 467 deletions
diff --git a/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch b/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
deleted file mode 100644
index 339f84c40..000000000
--- a/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From c0afc8df2c54301034e0ad8a537c7b817b72e06a Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Tue, 12 Jul 2016 22:40:01 +0200
-Subject: [PATCH] Revert "ALSA: hda - remove controller dependency on i915
- power well for SKL"
-
-This reverts commit 03b135cebc47d75ea2dc346770374ab741966955.
----
- sound/pci/hda/hda_intel.c | 4 +++-
- sound/pci/hda/patch_hdmi.c | 3 +--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
-index 94089fc71884..139ab83626fd 100644
---- a/sound/pci/hda/hda_intel.c
-+++ b/sound/pci/hda/hda_intel.c
-@@ -361,7 +361,9 @@ enum {
- #define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \
- ((pci)->device == 0x0c0c) || \
- ((pci)->device == 0x0d0c) || \
-- ((pci)->device == 0x160c))
-+ ((pci)->device == 0x160c) || \
-+ ((pci)->device == 0xa170) || \
-+ ((pci)->device == 0x9d70))
-
- #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
- #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index a010d704e0e2..6ee685a49a08 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -2285,8 +2285,7 @@ static int patch_generic_hdmi(struct hda_codec *codec)
- * can cover the codec power request, and so need not set this flag.
- * For previous platforms, there is no such power well feature.
- */
-- if (is_valleyview_plus(codec) || is_skylake(codec) ||
-- is_broxton(codec))
-+ if (is_valleyview_plus(codec) || is_broxton(codec))
- codec->core.link_power_control = 1;
-
- if (hdmi_parse_codec(codec) < 0) {
---
-2.7.4
-
diff --git a/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch b/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
new file mode 100644
index 000000000..a5dc6f3a2
--- /dev/null
+++ b/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
@@ -0,0 +1,64 @@
+From 74f829a6e44fe217b6161f8935524fc807be0648 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sat, 9 Jul 2016 11:01:20 +0100
+Subject: [PATCH] drm/i915: Acquire audio powerwell for HD-Audio registers
+
+On Haswell/Broadwell, the HD-Audio block is inside the HDMI/display
+power well and so the sna-hda audio codec acquires the display power
+well while it is operational. However, Skylake separates the powerwells
+again, but yet we still need the audio powerwell to setup the registers.
+(But then the hardware uses those registers even while powered off???)
+
+v2: Grab both rpm wakelock and audio wakelock
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96214
+Fixes: 03b135cebc47 "ALSA: hda - remove dependency on i915 power well for SKL")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Libin Yang <libin.yang@intel.com>
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Marius Vlad <marius.c.vlad@intel.com>
+---
+ drivers/gpu/drm/i915/intel_audio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c
+index 5d5f6bc10e85..948a7a52e3f8 100644
+--- a/drivers/gpu/drm/i915/intel_audio.c
++++ b/drivers/gpu/drm/i915/intel_audio.c
+@@ -600,6 +600,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev,
+ if (!IS_SKYLAKE(dev_priv) && !IS_KABYLAKE(dev_priv))
+ return;
+
++ i915_audio_component_get_power(dev);
++
+ /*
+ * Enable/disable generating the codec wake signal, overriding the
+ * internal logic to generate the codec wake to controller.
+@@ -615,6 +617,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev,
+ I915_WRITE(HSW_AUD_CHICKENBIT, tmp);
+ usleep_range(1000, 1500);
+ }
++
++ i915_audio_component_put_power(dev);
+ }
+
+ /* Get CDCLK in kHz */
+@@ -648,6 +652,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev,
+ !IS_HASWELL(dev_priv))
+ return 0;
+
++ i915_audio_component_get_power(dev);
+ mutex_lock(&dev_priv->av_mutex);
+ /* 1. get the pipe */
+ intel_encoder = dev_priv->dig_port_map[port];
+@@ -698,6 +703,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev,
+
+ unlock:
+ mutex_unlock(&dev_priv->av_mutex);
++ i915_audio_component_put_power(dev);
+ return err;
+ }
+
+--
+2.8.1
+
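Review bot: The power reference taken by the added `i915_audio_component_get_power(dev)` in `i915_audio_component_sync_audio_rate` is released only at the `unlock:` label, so any exit between the two that bypasses `unlock` would leave the audio power well held. The middle of that function is outside the embedded hunks, so this needs checking against the full file. Neither added get/put pair has a comment saying why it is needed, and the commit message itself is unsure about the hardware behaviour; I would add something like `/* SKL/KBL: HD-Audio registers need the audio power well; hold it across these accesses */` above the first `get_power` call. The `Fixes:` trailer also has an unbalanced closing parenthesis.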
diff --git a/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch b/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
deleted file mode 100644
index 24b19522b..000000000
--- a/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
+++ /dev/null
@@ -1,230 +0,0 @@
-From bd363ae4ea5d124d5b284dd3aa7d2766ff2c19d7 Mon Sep 17 00:00:00 2001
-From: "cpaul@redhat.com" <cpaul@redhat.com>
-Date: Tue, 12 Jul 2016 13:36:03 -0400
-Subject: [PATCH] drm/i915/skl: Add support for the SAGV, fix underrun hangs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since the watermark calculations for Skylake are still broken, we're apt
-to hitting underruns very easily under multi-monitor configurations.
-While it would be lovely if this was fixed, it's not. Another problem
-that's been coming from this however, is the mysterious issue of
-underruns causing full system hangs. An easy way to reproduce this with
-a skylake system:
-
-- Get a laptop with a skylake GPU, and hook up two external monitors to
- it
-- Move the cursor from the built-in LCD to one of the external displays
- as quickly as you can
-- You'll get a few pipe underruns, and eventually the entire system will
- just freeze.
-
-After doing a lot of investigation and reading through the bspec, I
-found the existence of the SAGV, which is responsible for adjusting the
-system agent voltage and clock frequencies depending on how much power
-we need. According to the bspec:
-
-"The display engine access to system memory is blocked during the
- adjustment time. SAGV defaults to enabled. Software must use the
- GT-driver pcode mailbox to disable SAGV when the display engine is not
- able to tolerate the blocking time."
-
-The rest of the bspec goes on to explain that software can simply leave
-the SAGV enabled, and disable it when we use interlaced pipes/have more
-then one pipe active.
-
-Sure enough, with this patchset the system hangs resulting from pipe
-underruns on Skylake have completely vanished on my T460s. Additionally,
-the bspec mentions turning off the SAGV with more then one pipe enabled
-as a workaround for display underruns. While this patch doesn't entirely
-fix that, it looks like it does improve the situation a little bit so
-it's likely this is going to be required to make watermarks on Skylake
-fully functional.
-
-Changes since v2:
- - Really apply minor style nitpicks to patch this time
-Changes since v1:
- - Added comments about this probably being one of the requirements to
- fixing Skylake's watermark issues
- - Minor style nitpicks from Matt Roper
- - Disable these functions on Broxton, since it doesn't have an SAGV
-
-Cc: Matt Roper <matthew.d.roper@intel.com>
-Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
-Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Signed-off-by: Lyude <cpaul@redhat.com>
-Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
----
- drivers/gpu/drm/i915/i915_drv.h | 2 +
- drivers/gpu/drm/i915/i915_reg.h | 5 ++
- drivers/gpu/drm/i915/intel_pm.c | 110 ++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 117 insertions(+)
-
-diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 59092cbfeda1..d94e5598511f 100644
---- a/drivers/gpu/drm/i915/i915_drv.h
-+++ b/drivers/gpu/drm/i915/i915_drv.h
-@@ -1954,6 +1954,8 @@ struct drm_i915_private {
- struct i915_suspend_saved_registers regfile;
- struct vlv_s0ix_state vlv_s0ix_state;
-
-+ bool skl_sagv_enabled;
-+
- struct {
- /*
- * Raw watermark latency values:
-diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
-index 363bd79dea2e..3d13d0e551be 100644
---- a/drivers/gpu/drm/i915/i915_reg.h
-+++ b/drivers/gpu/drm/i915/i915_reg.h
-@@ -7029,6 +7029,11 @@ enum skl_disp_power_wells {
- #define HSW_PCODE_DE_WRITE_FREQ_REQ 0x17
- #define DISPLAY_IPS_CONTROL 0x19
- #define HSW_PCODE_DYNAMIC_DUTY_CYCLE_CONTROL 0x1A
-+#define GEN9_PCODE_SAGV_CONTROL 0x21
-+#define GEN9_SAGV_DISABLE 0x0
-+#define GEN9_SAGV_LOW_FREQ 0x1
-+#define GEN9_SAGV_HIGH_FREQ 0x2
-+#define GEN9_SAGV_DYNAMIC_FREQ 0x3
- #define GEN6_PCODE_DATA _MMIO(0x138128)
- #define GEN6_PCODE_FREQ_IA_RATIO_SHIFT 8
- #define GEN6_PCODE_FREQ_RING_RATIO_SHIFT 16
-diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
-index 70dcd2e23cca..38e0b448f461 100644
---- a/drivers/gpu/drm/i915/intel_pm.c
-+++ b/drivers/gpu/drm/i915/intel_pm.c
-@@ -2786,6 +2786,109 @@ skl_wm_plane_id(const struct intel_plane *plane)
- }
-
- static void
-+skl_sagv_get_hw_state(struct drm_i915_private *dev_priv)
-+{
-+ u32 temp;
-+ int ret;
-+
-+ if (IS_BROXTON(dev_priv))
-+ return;
-+
-+ mutex_lock(&dev_priv->rps.hw_lock);
-+ ret = sandybridge_pcode_read(dev_priv, GEN9_PCODE_SAGV_CONTROL, &temp);
-+ mutex_unlock(&dev_priv->rps.hw_lock);
-+
-+ if (!ret) {
-+ dev_priv->skl_sagv_enabled = !!(temp & GEN9_SAGV_DYNAMIC_FREQ);
-+ } else {
-+ /*
-+ * If for some reason we can't access the SAGV state, follow
-+ * the bspec and assume it's enabled
-+ */
-+ DRM_ERROR("Failed to get SAGV state, assuming enabled\n");
-+ dev_priv->skl_sagv_enabled = true;
-+ }
-+}
-+
-+/*
-+ * SAGV dynamically adjusts the system agent voltage and clock frequencies
-+ * depending on power and performance requirements. The display engine access
-+ * to system memory is blocked during the adjustment time. Having this enabled
-+ * in multi-pipe configurations can cause issues (such as underruns causing
-+ * full system hangs), and the bspec also suggests that software disable it
-+ * when more then one pipe is enabled.
-+ */
-+static int
-+skl_enable_sagv(struct drm_i915_private *dev_priv)
-+{
-+ int ret;
-+
-+ if (IS_BROXTON(dev_priv))
-+ return 0;
-+ if (dev_priv->skl_sagv_enabled)
-+ return 0;
-+
-+ mutex_lock(&dev_priv->rps.hw_lock);
-+ DRM_DEBUG_KMS("Enabling the SAGV\n");
-+
-+ ret = sandybridge_pcode_write(dev_priv, GEN9_PCODE_SAGV_CONTROL,
-+ GEN9_SAGV_DYNAMIC_FREQ);
-+ if (!ret)
-+ dev_priv->skl_sagv_enabled = true;
-+ else
-+ DRM_ERROR("Failed to enable the SAGV\n");
-+
-+ /* We don't need to wait for SAGV when enabling */
-+ mutex_unlock(&dev_priv->rps.hw_lock);
-+ return ret;
-+}
-+
-+static int
-+skl_disable_sagv(struct drm_i915_private *dev_priv)
-+{
-+ int ret = 0;
-+ unsigned long timeout;
-+ u32 temp;
-+
-+ if (IS_BROXTON(dev_priv))
-+ return 0;
-+ if (!dev_priv->skl_sagv_enabled)
-+ return 0;
-+
-+ mutex_lock(&dev_priv->rps.hw_lock);
-+ DRM_DEBUG_KMS("Disabling the SAGV\n");
-+
-+ /* bspec says to keep retrying for at least 1 ms */
-+ timeout = jiffies + msecs_to_jiffies(1);
-+ do {
-+ ret = sandybridge_pcode_write(dev_priv, GEN9_PCODE_SAGV_CONTROL,
-+ GEN9_SAGV_DISABLE);
-+ if (ret) {
-+ DRM_ERROR("Failed to disable the SAGV\n");
-+ goto out;
-+ }
-+
-+ ret = sandybridge_pcode_read(dev_priv, GEN9_PCODE_SAGV_CONTROL,
-+ &temp);
-+ if (ret) {
-+ DRM_ERROR("Failed to check the status of the SAGV\n");
-+ goto out;
-+ }
-+ } while (!(temp & 0x1) && jiffies < timeout);
-+
-+ if (temp & 0x1) {
-+ dev_priv->skl_sagv_enabled = false;
-+ } else {
-+ ret = -1;
-+ DRM_ERROR("Request to disable SAGV timed out\n");
-+ }
-+
-+out:
-+ mutex_unlock(&dev_priv->rps.hw_lock);
-+ return ret;
-+}
-+
-+static void
- skl_ddb_get_pipe_allocation_limits(struct drm_device *dev,
- const struct intel_crtc_state *cstate,
- struct skl_ddb_entry *alloc, /* out */
-@@ -3464,6 +3567,11 @@ static void skl_write_wm_values(struct drm_i915_private *dev_priv,
- struct drm_device *dev = dev_priv->dev;
- struct intel_crtc *crtc;
-
-+ if (dev_priv->active_crtcs == 1)
-+ skl_enable_sagv(dev_priv);
-+ else
-+ skl_disable_sagv(dev_priv);
-+
- for_each_intel_crtc(dev, crtc) {
- int i, level, max_level = ilk_wm_max_level(dev);
- enum pipe pipe = crtc->pipe;
-@@ -4008,6 +4116,8 @@ void skl_wm_get_hw_state(struct drm_device *dev)
- skl_plane_relative_data_rate(cstate, pstate, 1);
- }
- }
-+
-+ skl_sagv_get_hw_state(dev_priv);
- }
-
- static void ilk_pipe_wm_get_hw_state(struct drm_crtc *crtc)
---
-2.7.4
-
diff --git a/kernel.spec b/kernel.spec
index f9d7782d7..feec8fc39 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -655,14 +655,9 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
-#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
-Patch835: tcp-make-challenge-acks-less-predictable.patch
-Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
-
# https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/
Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
-Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
-Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
+Patch837: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
#CVE-2016-6136 rhbz 1353533 1353534
Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
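Review bot: Patch835 and Patch839, the two fixes listed under the `#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615` comment, are dropped in this hunk, but the %changelog entries added later in the file do not mention them. As a result the spec no longer records where those CVE fixes come from. Presumably the stable update carries them, but this diff does not show that, so it is worth confirming against the contents of `patch-4.6.7.xz` before the build ships. Once confirmed, I would add a changelog line such as `- Drop tcp challenge ack patches, now in stable (rhbz 1354708 1355615)`.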
@@ -671,6 +666,9 @@ Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
Patch842: kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch
Patch843: kvm-ppc-Book3S-HV-Save-restore-TM-state.patch
+#rhbz 1361414
+Patch844: openstack_fix.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2194,6 +2192,15 @@ fi
#
#
%changelog
+* Tue Aug 16 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.7-200
+- Linux v4.6.7
+- Fix for crash seen with Open Stack (rhbz 1361414)
+
+* Fri Aug 12 2016 Laura Abbott <labbott@fedoraproject.org>
+- Bring in fixes from f24
+ - Sync skylake hdaudio __unclaimed_reg WARN_ON fix with latest upstream version
+ - Drop drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch for now
+
* Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-200
- Linux v4.6.6
diff --git a/openstack_fix.patch b/openstack_fix.patch
new file mode 100644
index 000000000..a967c350e
--- /dev/null
+++ b/openstack_fix.patch
@@ -0,0 +1,53 @@
+From 5ef9f289c4e698054e5687edb54f0da3cdc9173a Mon Sep 17 00:00:00 2001
+From: Ian Wienand <iwienand@redhat.com>
+Date: Wed, 3 Aug 2016 15:44:57 +1000
+Subject: OVS: Ignore negative headroom value
+
+net_device->ndo_set_rx_headroom (introduced in
+871b642adebe300be2e50aa5f65a418510f636ec) says
+
+ "Setting a negtaive value reset the rx headroom
+ to the default value".
+
+It seems that the OVS implementation in
+3a927bc7cf9d0fbe8f4a8189dd5f8440228f64e7 overlooked this and sets
+dev->needed_headroom unconditionally.
+
+This doesn't have an immediate effect, but can mess up later
+LL_RESERVED_SPACE calculations, such as done in
+net/ipv6/mcast.c:mld_newpack. For reference, this issue was found
+from a skb_panic raised there after the length calculations had given
+the wrong result.
+
+Note the other current users of this interface
+(drivers/net/tun.c:tun_set_headroom and
+drivers/net/veth.c:veth_set_rx_headroom) are both checking this
+correctly thus need no modification.
+
+Thanks to Ben for some pointers from the crash dumps!
+
+Cc: Benjamin Poirier <bpoirier@suse.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361414
+Signed-off-by: Ian Wienand <iwienand@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/openvswitch/vport-internal_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 434e04c..95c3614 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -140,7 +140,7 @@ internal_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+
+ static void internal_set_rx_headroom(struct net_device *dev, int new_hr)
+ {
+- dev->needed_headroom = new_hr;
++ dev->needed_headroom = new_hr < 0 ? 0 : new_hr;
+ }
+
+ static const struct net_device_ops internal_dev_netdev_ops = {
+--
+cgit v0.12
+
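Review bot: The new assignment `dev->needed_headroom = new_hr < 0 ? 0 : new_hr;` clamps negative values but still stores an `int` into `needed_headroom`, which is an `unsigned short` in `struct net_device`. A value above that range would be truncated silently and could again skew the later `LL_RESERVED_SPACE` calculations the description mentions; whether any caller can pass such a value is not visible here. A short comment would also help, e.g. `/* negative means "reset to default" per ndo_set_rx_headroom; the default here is 0 */`. Separately, the file name `openstack_fix.patch` and the `cgit v0.12` trailer give no upstream commit id, which the spec comment could record alongside `#rhbz 1361414`.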
diff --git a/sources b/sources
index dbcebdf2e..378381dd9 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
-84f23eb772635b1348d3ea7c5bd67930 patch-4.6.6.xz
+3fc1fcb7ef83c4ef4c05d8bd57e1b985 patch-4.6.7.xz
diff --git a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch b/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
deleted file mode 100644
index 0a5eab8aa..000000000
--- a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 8272c58d085e5611a7f839fa32e148ae62446375 Mon Sep 17 00:00:00 2001
-From: Jason Baron <jbaron@akamai.com>
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: David S. Miller <davem@davemloft.net>
-Cc: Neal Cardwell <ncardwell@google.com>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Jason Baron <jbaron@akamai.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
- 1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 8c011359646b..796315104ad7 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3423,6 +3423,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- return flag;
- }
-
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+ u32 *last_oow_ack_time)
-+{
-+ if (*last_oow_ack_time) {
-+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+ NET_INC_STATS(net, mib_idx);
-+ return true; /* rate-limited: don't send yet! */
-+ }
-+ }
-+
-+ *last_oow_ack_time = tcp_time_stamp;
-+
-+ return false; /* not rate-limited: go ahead, send dupack now! */
-+}
-+
- /* Return true if we're currently rate-limiting out-of-window ACKs and
- * thus shouldn't send a dupack right now. We rate-limit dupacks in
- * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3436,21 +3453,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
- /* Data packets without SYNs are not likely part of an ACK loop. */
- if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
- !tcp_hdr(skb)->syn)
-- goto not_rate_limited;
--
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
-- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-- NET_INC_STATS_BH(net, mib_idx);
-- return true; /* rate-limited: don't send yet! */
-- }
-- }
--
-- *last_oow_ack_time = tcp_time_stamp;
-+ return false;
-
--not_rate_limited:
-- return false; /* not rate-limited: go ahead, send dupack now! */
-+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
- }
-
- /* RFC 5961 7 [ACK Throttling] */
-@@ -3463,9 +3468,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
-- if (tcp_oow_rate_limited(sock_net(sk), skb,
-- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-- &tp->last_oow_ack_time))
-+ if (__tcp_oow_rate_limited(sock_net(sk),
-+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+ &tp->last_oow_ack_time))
- return;
-
- /* Then check host-wide RFC 5961 rate limit. */
---
-2.7.4
-
diff --git a/tcp-make-challenge-acks-less-predictable.patch b/tcp-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index 992e4f522..000000000
--- a/tcp-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 771209218b9ec051a573b9fddc149682a534190e Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index c124c3c12f7c..8c011359646b 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3468,14 +3468,19 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
-+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
- }
---
-2.5.5
-