diff options
| -rw-r--r-- | 0001-dccp-tcp-do-not-inherit-mc_list-from-parent.patch | 41 | ||||
| -rw-r--r-- | 0001-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch | 231 | ||||
| -rw-r--r-- | 0001-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch | 64 | ||||
| -rw-r--r-- | 0001-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch | 33 | ||||
| -rw-r--r-- | kernel.spec | 22 | ||||
| -rw-r--r-- | net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch | 156 | ||||
| -rw-r--r-- | sources | 2 |
7 files changed, 6 insertions, 543 deletions
diff --git a/0001-dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/0001-dccp-tcp-do-not-inherit-mc_list-from-parent.patch deleted file mode 100644 index 677841397..000000000 --- a/0001-dccp-tcp-do-not-inherit-mc_list-from-parent.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 657831ffc38e30092a2d5f03d385d710eb88b09a Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 9 May 2017 06:29:19 -0700 -Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent - -syzkaller found a way to trigger double frees from ip_mc_drop_socket() - -It turns out that leave a copy of parent mc_list at accept() time, -which is very bad. - -Very similar to commit 8b485ce69876 ("tcp: do not inherit -fastopen_req from parent") - -Initial report from Pray3r, completed by Andrey one. -Thanks a lot to them ! - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Pray3r <pray3r.z@gmail.com> -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Tested-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv4/inet_connection_sock.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 5e313c1..1054d33 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, - /* listeners have SOCK_RCU_FREE, not the children */ - sock_reset_flag(newsk, SOCK_RCU_FREE); - -+ inet_sk(newsk)->mc_list = NULL; -+ - newsk->sk_mark = inet_rsk(req)->ir_mark; - atomic64_set(&newsk->sk_cookie, - atomic64_read(&inet_rsk(req)->ir_cookie)); --- -2.9.4 - diff --git a/0001-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch b/0001-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch deleted file mode 100644 index b388a6910..000000000 --- a/0001-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 2423496af35d94a87156b063ea5cedffc10a70a1 Mon Sep 17 00:00:00 2001 -From: Craig Gallek <kraig@google.com> -Date: Tue, 16 May 2017 14:36:23 -0400 -Subject: [PATCH] ipv6: Prevent overrun when parsing v6 header options - -The KASAN warning repoted below was discovered with a syzkaller -program. The reproducer is basically: - int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); - send(s, &one_byte_of_data, 1, MSG_MORE); - send(s, &more_than_mtu_bytes_data, 2000, 0); - -The socket() call sets the nexthdr field of the v6 header to -NEXTHDR_HOP, the first send call primes the payload with a non zero -byte of data, and the second send call triggers the fragmentation path. - -The fragmentation code tries to parse the header options in order -to figure out where to insert the fragment option. Since nexthdr points -to an invalid option, the calculation of the size of the network header -can made to be much larger than the linear section of the skb and data -is read outside of it. - -This fix makes ip6_find_1stfrag return an error if it detects -running out-of-bounds. - -[ 42.361487] ================================================================== -[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 -[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 -[ 42.366469] -[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 -[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 -[ 42.368824] Call Trace: -[ 42.369183] dump_stack+0xb3/0x10b -[ 42.369664] print_address_description+0x73/0x290 -[ 42.370325] kasan_report+0x252/0x370 -[ 42.370839] ? ip6_fragment+0x11c8/0x3730 -[ 42.371396] check_memory_region+0x13c/0x1a0 -[ 42.371978] memcpy+0x23/0x50 -[ 42.372395] ip6_fragment+0x11c8/0x3730 -[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 -[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0 -[ 42.374263] ? ip6_forward+0x2e30/0x2e30 -[ 42.374803] ip6_finish_output+0x584/0x990 -[ 42.375350] ip6_output+0x1b7/0x690 -[ 42.375836] ? ip6_finish_output+0x990/0x990 -[ 42.376411] ? ip6_fragment+0x3730/0x3730 -[ 42.376968] ip6_local_out+0x95/0x160 -[ 42.377471] ip6_send_skb+0xa1/0x330 -[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 -[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 -[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 -[ 42.379633] ? _copy_from_user+0x84/0xe0 -[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 -[ 42.380878] ? ___sys_sendmsg+0x162/0x930 -[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 -[ 42.382074] ? sock_has_perm+0x1f6/0x290 -[ 42.382614] ? ___sys_sendmsg+0x167/0x930 -[ 42.383173] ? lock_downgrade+0x660/0x660 -[ 42.383727] inet_sendmsg+0x123/0x500 -[ 42.384226] ? inet_sendmsg+0x123/0x500 -[ 42.384748] ? inet_recvmsg+0x540/0x540 -[ 42.385263] sock_sendmsg+0xca/0x110 -[ 42.385758] SYSC_sendto+0x217/0x380 -[ 42.386249] ? SYSC_connect+0x310/0x310 -[ 42.386783] ? __might_fault+0x110/0x1d0 -[ 42.387324] ? lock_downgrade+0x660/0x660 -[ 42.387880] ? __fget_light+0xa1/0x1f0 -[ 42.388403] ? __fdget+0x18/0x20 -[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 -[ 42.389472] ? SyS_setsockopt+0x17f/0x260 -[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe -[ 42.390650] SyS_sendto+0x40/0x50 -[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.391731] RIP: 0033:0x7fbbb711e383 -[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 -[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 -[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 -[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad -[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 -[ 42.397257] -[ 42.397411] Allocated by task 3789: -[ 42.397702] save_stack_trace+0x16/0x20 -[ 42.398005] save_stack+0x46/0xd0 -[ 42.398267] kasan_kmalloc+0xad/0xe0 -[ 42.398548] kasan_slab_alloc+0x12/0x20 -[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 -[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 -[ 42.399654] __alloc_skb+0xf8/0x580 -[ 42.400003] sock_wmalloc+0xab/0xf0 -[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 -[ 42.400813] ip6_append_data+0x1a8/0x2f0 -[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 -[ 42.401505] inet_sendmsg+0x123/0x500 -[ 42.401860] sock_sendmsg+0xca/0x110 -[ 42.402209] ___sys_sendmsg+0x7cb/0x930 -[ 42.402582] __sys_sendmsg+0xd9/0x190 -[ 42.402941] SyS_sendmsg+0x2d/0x50 -[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.403718] -[ 42.403871] Freed by task 1794: -[ 42.404146] save_stack_trace+0x16/0x20 -[ 42.404515] save_stack+0x46/0xd0 -[ 42.404827] kasan_slab_free+0x72/0xc0 -[ 42.405167] kfree+0xe8/0x2b0 -[ 42.405462] skb_free_head+0x74/0xb0 -[ 42.405806] skb_release_data+0x30e/0x3a0 -[ 42.406198] skb_release_all+0x4a/0x60 -[ 42.406563] consume_skb+0x113/0x2e0 -[ 42.406910] skb_free_datagram+0x1a/0xe0 -[ 42.407288] netlink_recvmsg+0x60d/0xe40 -[ 42.407667] sock_recvmsg+0xd7/0x110 -[ 42.408022] ___sys_recvmsg+0x25c/0x580 -[ 42.408395] __sys_recvmsg+0xd6/0x190 -[ 42.408753] SyS_recvmsg+0x2d/0x50 -[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.409513] -[ 42.409665] The buggy address belongs to the object at ffff88000969e780 -[ 42.409665] which belongs to the cache kmalloc-512 of size 512 -[ 42.410846] The buggy address is located 24 bytes inside of -[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) -[ 42.411941] The buggy address belongs to the page: -[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 -[ 42.413298] flags: 0x100000000008100(slab|head) -[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c -[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 -[ 42.415074] page dumped because: kasan: bad access detected -[ 42.415604] -[ 42.415757] Memory state around the buggy address: -[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[ 42.418273] ^ -[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419882] ================================================================== - -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: Craig Gallek <kraig@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/ip6_offload.c | 2 ++ - net/ipv6/ip6_output.c | 4 ++++ - net/ipv6/output_core.c | 14 ++++++++------ - net/ipv6/udp_offload.c | 2 ++ - 4 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index 93e58a5..eab36ab 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, - - if (udpfrag) { - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); - fptr->frag_off = htons(offset); - if (skb->next) -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 58f6288..01deecd 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, - u8 *prevhdr, nexthdr = 0; - - hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (hlen < 0) { -+ err = hlen; -+ goto fail; -+ } - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index cd42523..e9065b8 100644 ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { - u16 offset = sizeof(struct ipv6hdr); -- struct ipv6_opt_hdr *exthdr = -- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); - unsigned int packet_len = skb_tail_pointer(skb) - - skb_network_header(skb); - int found_rhdr = 0; - *nexthdr = &ipv6_hdr(skb)->nexthdr; - -- while (offset + 1 <= packet_len) { -+ while (offset <= packet_len) { -+ struct ipv6_opt_hdr *exthdr; - - switch (**nexthdr) { - -@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - return offset; - } - -- offset += ipv6_optlen(exthdr); -- *nexthdr = &exthdr->nexthdr; -+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) -+ return -EINVAL; -+ - exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + - offset); -+ offset += ipv6_optlen(exthdr); -+ *nexthdr = &exthdr->nexthdr; - } - -- return offset; -+ return -EINVAL; - } - EXPORT_SYMBOL(ip6_find_1stfragopt); - -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index ac858c4..b348cff 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - * bytes to insert fragment header. - */ - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + --- -2.9.4 - diff --git a/0001-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/0001-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch deleted file mode 100644 index e0492c870..000000000 --- a/0001-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 83eaddab4378db256d00d295bda6ca997cd13a52 Mon Sep 17 00:00:00 2001 -From: WANG Cong <xiyou.wangcong@gmail.com> -Date: Tue, 9 May 2017 16:59:54 -0700 -Subject: [PATCH] ipv6/dccp: do not inherit ipv6_mc_list from parent - -Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent") -we should clear ipv6_mc_list etc. for IPv6 sockets too. - -Cc: Eric Dumazet <edumazet@google.com> -Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/dccp/ipv6.c | 6 ++++++ - net/ipv6/tcp_ipv6.c | 2 ++ - 2 files changed, 8 insertions(+) - -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index d9b6a4e..b6bbb71 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - newsk->sk_backlog_rcv = dccp_v4_do_rcv; - newnp->pktoptions = NULL; - newnp->opt = NULL; -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->mcast_oif = inet6_iif(skb); - newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; - -@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - /* Clone RX bits */ - newnp->rxopt.all = np->rxopt.all; - -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; - newnp->opt = NULL; - newnp->mcast_oif = inet6_iif(skb); -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index aeb9497..df5a9ff 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - newtp->af_specific = &tcp_sock_ipv6_mapped_specific; - #endif - -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; -@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - First: no IPv4 options. - */ - newinet->inet_opt = NULL; -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; - --- -2.9.4 - diff --git a/0001-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/0001-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch deleted file mode 100644 index 8c4339f64..000000000 --- a/0001-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch +++ /dev/null @@ -1,33 +0,0 @@ -From fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 17 May 2017 07:16:40 -0700 -Subject: [PATCH] sctp: do not inherit ipv6_{mc|ac|fl}_list from parent - -SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit -ipv6_mc_list from parent"), otherwise bad things can happen. - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Tested-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/sctp/ipv6.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index 142b70e..f5b45b8 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -677,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - newnp = inet6_sk(newsk); - - memcpy(newnp, np, sizeof(struct ipv6_pinfo)); -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - - rcu_read_lock(); - opt = rcu_dereference(np->opt); --- -2.9.4 - diff --git a/kernel.spec b/kernel.spec index 4ca38df8f..f2e556852 100644 --- a/kernel.spec +++ b/kernel.spec @@ -44,7 +44,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -656,27 +656,12 @@ Patch668: CVE-2017-7477.patch Patch669: 0001-SUNRPC-Refactor-svc_set_num_threads.patch Patch670: 0002-NFSv4-Fix-callback-server-shutdown.patch -#CVE-2017-8890 rhbz 1450972 -Patch671: 0001-dccp-tcp-do-not-inherit-mc_list-from-parent.patch - -#CVE-2017-9074 rhbz 1452679 -Patch672: 0001-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch - -#CVE-2017-9075 rhbz 1452691 -Patch673: 0001-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch - -#CVE-2017-9076 CVE-2017-9077 rhbz 1452688 1452744 -Patch674: 0001-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch - #Fix broadwell issues Patch675: drm-i915-Do-not-drop-pagetables-when-empty.patch # rhbz 1455780 Patch676: 2-2-nvme-Quirk-APST-on-Intel-600P-P3100-devices.patch -# Networking fix reported on bodhi -Patch678: net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch - # rhbz 1458222 1458499 # As linked from http://marc.info/?l=linux-netdev&m=149336766030175&w=2 Patch679: actual_udpencap_fix.patch @@ -2253,6 +2238,9 @@ fi # # %changelog +* Wed Jun 07 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.4-300 +- Linux v4.11.4 + * Wed Jun 7 2017 Peter Robinson <pbrobinson@fedoraproject.org> - Add upstream patch set to fix WiFi on HiKey - Patch set to fix Raspberry Pi PCM Audio clocking diff --git a/net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch b/net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch deleted file mode 100644 index ce6ff6cb6..000000000 --- a/net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch +++ /dev/null @@ -1,156 +0,0 @@ -From 479c281e52ae159f09bb7467c1ef47e3d77ef23a Mon Sep 17 00:00:00 2001 -From: Peter Dawson <petedaws@gmail.com> -Date: Fri, 26 May 2017 06:35:18 +1000 -Subject: [PATCH] ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated - packets - -This fix addresses two problems in the way the DSCP field is formulated - on the encapsulating header of IPv6 tunnels. -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195661 - -1) The IPv6 tunneling code was manipulating the DSCP field of the - encapsulating packet using the 32b flowlabel. Since the flowlabel is - only the lower 20b it was incorrect to assume that the upper 12b - containing the DSCP and ECN fields would remain intact when formulating - the encapsulating header. This fix handles the 'inherit' and - 'fixed-value' DSCP cases explicitly using the extant dsfield u8 variable. - -2) The use of INET_ECN_encapsulate(0, dsfield) in ip6_tnl_xmit was - incorrect and resulted in the DSCP value always being set to 0. - -Commit 90427ef5d2a4 ("ipv6: fix flow labels when the traffic class - is non-0") caused the regression by masking out the flowlabel - which exposed the incorrect handling of the DSCP portion of the - flowlabel in ip6_tunnel and ip6_gre. - -Fixes: 90427ef5d2a4 ("ipv6: fix flow labels when the traffic class is non-0") -Signed-off-by: Peter Dawson <peter.a.dawson@boeing.com> ---- - net/ipv6/ip6_gre.c | 13 +++++++------ - net/ipv6/ip6_tunnel.c | 21 +++++++++++++-------- - 2 files changed, 20 insertions(+), 14 deletions(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 6fcb7cb..4d60164 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -537,11 +537,10 @@ static inline int ip6gre_xmit_ipv4(struct sk_buff *skb, struct net_device *dev) - - memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); - -- dsfield = ipv4_get_dsfield(iph); -- - if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) -- fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT) -- & IPV6_TCLASS_MASK; -+ dsfield = ipv4_get_dsfield(iph); -+ else -+ dsfield = ip6_tclass(t->parms.flowinfo); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) - fl6.flowi6_mark = skb->mark; - -@@ -596,9 +595,11 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev) - - memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); - -- dsfield = ipv6_get_dsfield(ipv6h); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) -- fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK); -+ dsfield = ipv6_get_dsfield(ipv6h); -+ else -+ dsfield = ip6_tclass(t->parms.flowinfo); -+ - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL) - fl6.flowlabel |= ip6_flowlabel(ipv6h); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index a9692ec..15ff339 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -1196,7 +1196,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, - skb_push(skb, sizeof(struct ipv6hdr)); - skb_reset_network_header(skb); - ipv6h = ipv6_hdr(skb); -- ip6_flow_hdr(ipv6h, INET_ECN_encapsulate(0, dsfield), -+ ip6_flow_hdr(ipv6h, dsfield, - ip6_make_flowlabel(net, skb, fl6->flowlabel, true, fl6)); - ipv6h->hop_limit = hop_limit; - ipv6h->nexthdr = proto; -@@ -1231,8 +1231,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - if (tproto != IPPROTO_IPIP && tproto != 0) - return -1; - -- dsfield = ipv4_get_dsfield(iph); -- - if (t->parms.collect_md) { - struct ip_tunnel_info *tun_info; - const struct ip_tunnel_key *key; -@@ -1246,6 +1244,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - fl6.flowi6_proto = IPPROTO_IPIP; - fl6.daddr = key->u.ipv6.dst; - fl6.flowlabel = key->label; -+ dsfield = ip6_tclass(key->label); - } else { - if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) - encap_limit = t->parms.encap_limit; -@@ -1254,8 +1253,9 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - fl6.flowi6_proto = IPPROTO_IPIP; - - if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) -- fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT) -- & IPV6_TCLASS_MASK; -+ dsfield = ipv4_get_dsfield(iph); -+ else -+ dsfield = ip6_tclass(t->parms.flowinfo); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) - fl6.flowi6_mark = skb->mark; - } -@@ -1265,6 +1265,8 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) - return -1; - -+ dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); -+ - skb_set_inner_ipproto(skb, IPPROTO_IPIP); - - err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, -@@ -1298,8 +1300,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - ip6_tnl_addr_conflict(t, ipv6h)) - return -1; - -- dsfield = ipv6_get_dsfield(ipv6h); -- - if (t->parms.collect_md) { - struct ip_tunnel_info *tun_info; - const struct ip_tunnel_key *key; -@@ -1313,6 +1313,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - fl6.flowi6_proto = IPPROTO_IPV6; - fl6.daddr = key->u.ipv6.dst; - fl6.flowlabel = key->label; -+ dsfield = ip6_tclass(key->label); - } else { - offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); - /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ -@@ -1335,7 +1336,9 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - fl6.flowi6_proto = IPPROTO_IPV6; - - if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) -- fl6.flowlabel |= (*(__be32 *)ipv6h & IPV6_TCLASS_MASK); -+ dsfield = ipv6_get_dsfield(ipv6h); -+ else -+ dsfield = ip6_tclass(t->parms.flowinfo); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL) - fl6.flowlabel |= ip6_flowlabel(ipv6h); - if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) -@@ -1347,6 +1350,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) - if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) - return -1; - -+ dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); -+ - skb_set_inner_ipproto(skb, IPPROTO_IPV6); - - err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, --- -2.7.5 - @@ -1,3 +1,3 @@ SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8 SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 -SHA512 (patch-4.11.3.xz) = d1beb9b48ce12e87bb6ec53f0cf03d5650fd421edd8757d31dda20821c9a9f5b5c3dc8f131058ea8b9de45d67c43424ad246baf5c33e0174372f952cce26ad72 +SHA512 (patch-4.11.4.xz) = d38c48994e852c51f126d362faae0ee939043917287223e68eac84c59b43cda5908e5a31af6aa6b0fc1aeecbbc6d89b6c6351fefbc51c0becb9a7223f38a2c7b |