Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2017-06-02 15:28:38 +0200
committerTakashi Iwai <tiwai@suse.de>2017-06-02 15:28:38 +0200
commit9e92120115cc7e66ebac3d18344f2896a865346d (patch)
tree76643c6e4502aa2bd1088aba18b9ce309b173a53
parent9a996084b4e394b98452f300434d87c798c26fa5 (diff)
parente86c78331716d2c1916cb43b3bc19a6cad16a06f (diff)
Merge branch 'users/mkubecek/SLE12-SP3/for-next' into SLE12-SP3
Pull net fixes from Michal Kubecek (bsc#1042286).
-rw-r--r--blacklist.conf4
-rw-r--r--patches.drivers/bonding-allow-notifications-for-bond_set_slave_link_.patch45
-rw-r--r--patches.fixes/bonding-avoid-defaulting-hard_header_len-to-ETH_HLEN.patch91
-rw-r--r--patches.fixes/bonding-don-t-use-stale-speed-and-duplex-information.patch59
-rw-r--r--patches.fixes/bonding-prevent-out-of-bound-accesses.patch122
-rw-r--r--patches.fixes/ipv4-add-reference-counting-to-metrics.patch265
-rw-r--r--patches.fixes/ipv6-Don-t-use-ufo-handling-on-later-transformed-pac.patch67
-rw-r--r--patches.fixes/ipv6-fix-endianness-error-in-icmpv6_err.patch37
-rw-r--r--patches.fixes/l2tp-fix-race-in-l2tp_recv_common.patch269
-rw-r--r--patches.fixes/net-ipv6-set-route-type-for-anycast-routes.patch36
-rw-r--r--patches.fixes/netfilter-nf_conntrack_sip-extend-request-line-valid.patch47
-rw-r--r--patches.fixes/netfilter-nf_ct_expect-remove-the-redundant-slash-wh.patch39
-rw-r--r--patches.fixes/netfilter-nf_dup_ipv6-set-again-FLOWI_FLAG_KNOWN_NH-.patch39
-rw-r--r--patches.fixes/netfilter-nf_nat_snmp-Fix-panic-when-snmp_trap_helpe.patch67
-rw-r--r--patches.fixes/netfilter-nfnetlink_queue-reject-verdict-request-fro.patch41
-rw-r--r--patches.fixes/netfilter-restart-search-if-moved-to-other-chain.patch50
-rw-r--r--patches.fixes/netfilter-use-fwmark_reflect-in-nf_send_reset.patch58
-rw-r--r--patches.fixes/rtnl-reset-calcit-fptr-in-rtnl_unregister.patch40
-rw-r--r--patches.fixes/tcp-account-for-ts-offset-only-if-tsecr-not-zero.patch36
-rw-r--r--patches.fixes/tcp-fastopen-accept-data-FIN-present-in-SYNACK-messa.patch155
-rw-r--r--patches.fixes/tcp-fastopen-avoid-negative-sk_forward_alloc.patch42
-rw-r--r--patches.fixes/tcp-fastopen-call-tcp_fin-if-FIN-present-in-SYNACK.patch70
-rw-r--r--patches.fixes/tcp-fastopen-fix-rcv_wup-initialization-for-TFO-serv.patch47
-rw-r--r--patches.fixes/udp-avoid-ufo-handling-on-IP-payload-compression-pac.patch80
-rw-r--r--patches.fixes/udplite-call-proper-backlog-handlers.patch121
-rw-r--r--patches.fixes/xfrm-Fix-memory-leak-of-aead-algorithm-name.patch41
-rw-r--r--series.conf24
27 files changed, 1973 insertions, 19 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 39ca4791fb..9d61804314 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -160,6 +160,10 @@ b32e4482aadfd1322357f46d4ed8a990603664d9 # fs/crypto is not in 4.4 yet
4a6772f514891eaacf26bcb7c2c808c557d23c6f # duplicated defines cleanup; no need
9c2abe2f7159a6013004b6189a9867e880085e96 # not really - it is to MAINTAINERS
43e24e82f35291d4c1ca78877ce1b20d3aeb78f1 # API change
+36b701fae12ac763a568037e4e7c96b5727a8b3e # nftables unsupported
+61f9e2924f4981d626b3a931fed935f2fa3cb4de # nftables unsupported
+b73b8a1ba598236296a46103d81c10d629d9a470 # nftables unsupported
+82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 # reverted by 32f1bc0f3d26
# Blacklisted Commits (SLE12-SP3)
# -------------------------------
diff --git a/patches.drivers/bonding-allow-notifications-for-bond_set_slave_link_.patch b/patches.drivers/bonding-allow-notifications-for-bond_set_slave_link_.patch
index aecc16c450..d3c9618055 100644
--- a/patches.drivers/bonding-allow-notifications-for-bond_set_slave_link_.patch
+++ b/patches.drivers/bonding-allow-notifications-for-bond_set_slave_link_.patch
@@ -16,13 +16,15 @@ Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Benjamin Poirier <bpoirier@suse.com>
---
- drivers/net/bonding/bond_main.c | 54 ++++++++++++++++++++++++++--------------
- include/net/bonding.h | 32 +++++++++++++++++++++--
+ drivers/net/bonding/bond_main.c | 54 +++++++++++++++++++++++++++--------------
+ include/net/bonding.h | 32 +++++++++++++++++++++---
2 files changed, 65 insertions(+), 21 deletions(-)
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index d3dbd2335c43..44127a909de6 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
-@@ -832,7 +832,8 @@ void bond_change_active_slave(struct bon
+@@ -832,7 +832,8 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active)
}
new_active->delay = 0;
@@ -32,7 +34,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (BOND_MODE(bond) == BOND_MODE_8023AD)
bond_3ad_handle_link_change(new_active, BOND_LINK_UP);
-@@ -1594,21 +1595,26 @@ int bond_enslave(struct net_device *bond
+@@ -1594,21 +1595,26 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
if (bond_check_dev_link(bond, slave_dev, 0) == BMSR_LSTATUS) {
if (bond->params.updelay) {
bond_set_slave_link_state(new_slave,
@@ -64,7 +66,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
if (new_slave->link != BOND_LINK_DOWN)
-@@ -2028,7 +2034,8 @@ static int bond_miimon_inspect(struct bo
+@@ -2028,7 +2034,8 @@ static int bond_miimon_inspect(struct bonding *bond)
if (link_state)
continue;
@@ -74,7 +76,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
slave->delay = bond->params.downdelay;
if (slave->delay) {
netdev_info(bond->dev, "link status down for %sinterface %s, disabling it in %d ms\n",
-@@ -2043,7 +2050,8 @@ static int bond_miimon_inspect(struct bo
+@@ -2043,7 +2050,8 @@ static int bond_miimon_inspect(struct bonding *bond)
case BOND_LINK_FAIL:
if (link_state) {
/* recovered before downdelay expired */
@@ -84,7 +86,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
slave->last_link_up = jiffies;
netdev_info(bond->dev, "link status up again after %d ms for interface %s\n",
(bond->params.downdelay - slave->delay) *
-@@ -2065,7 +2073,8 @@ static int bond_miimon_inspect(struct bo
+@@ -2065,7 +2073,8 @@ static int bond_miimon_inspect(struct bonding *bond)
if (!link_state)
continue;
@@ -94,7 +96,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
slave->delay = bond->params.updelay;
if (slave->delay) {
-@@ -2079,7 +2088,8 @@ static int bond_miimon_inspect(struct bo
+@@ -2079,7 +2088,8 @@ static int bond_miimon_inspect(struct bonding *bond)
case BOND_LINK_BACK:
if (!link_state) {
bond_set_slave_link_state(slave,
@@ -104,17 +106,17 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netdev_info(bond->dev, "link status down again after %d ms for interface %s\n",
(bond->params.updelay - slave->delay) *
bond->params.miimon,
-@@ -2117,7 +2127,8 @@ static void bond_miimon_commit(struct bo
- continue;
+@@ -2118,7 +2128,8 @@ static void bond_miimon_commit(struct bonding *bond)
case BOND_LINK_UP:
+ bond_update_speed_duplex(slave);
- bond_set_slave_link_state(slave, BOND_LINK_UP);
+ bond_set_slave_link_state(slave, BOND_LINK_UP,
+ BOND_SLAVE_NOTIFY_NOW);
slave->last_link_up = jiffies;
primary = rtnl_dereference(bond->primary_slave);
-@@ -2157,7 +2168,8 @@ static void bond_miimon_commit(struct bo
+@@ -2158,7 +2169,8 @@ static void bond_miimon_commit(struct bonding *bond)
if (slave->link_failure_count < UINT_MAX)
slave->link_failure_count++;
@@ -124,7 +126,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP ||
BOND_MODE(bond) == BOND_MODE_8023AD)
-@@ -2755,7 +2767,8 @@ static void bond_ab_arp_commit(struct bo
+@@ -2756,7 +2768,8 @@ static void bond_ab_arp_commit(struct bonding *bond)
struct slave *current_arp_slave;
current_arp_slave = rtnl_dereference(bond->current_arp_slave);
@@ -134,7 +136,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (current_arp_slave) {
bond_set_slave_inactive_flags(
current_arp_slave,
-@@ -2778,7 +2791,8 @@ static void bond_ab_arp_commit(struct bo
+@@ -2779,7 +2792,8 @@ static void bond_ab_arp_commit(struct bonding *bond)
if (slave->link_failure_count < UINT_MAX)
slave->link_failure_count++;
@@ -144,7 +146,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
bond_set_slave_inactive_flags(slave,
BOND_SLAVE_NOTIFY_NOW);
-@@ -2857,7 +2871,8 @@ static bool bond_ab_arp_probe(struct bon
+@@ -2858,7 +2872,8 @@ static bool bond_ab_arp_probe(struct bonding *bond)
* up when it is actually down
*/
if (!bond_slave_is_up(slave) && slave->link == BOND_LINK_UP) {
@@ -154,7 +156,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (slave->link_failure_count < UINT_MAX)
slave->link_failure_count++;
-@@ -2877,7 +2892,8 @@ static bool bond_ab_arp_probe(struct bon
+@@ -2878,7 +2893,8 @@ static bool bond_ab_arp_probe(struct bonding *bond)
if (!new_slave)
goto check_state;
@@ -164,7 +166,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
bond_set_slave_active_flags(new_slave, BOND_SLAVE_NOTIFY_LATER);
bond_arp_send_all(bond, new_slave);
new_slave->last_link_up = jiffies;
-@@ -2885,7 +2901,7 @@ static bool bond_ab_arp_probe(struct bon
+@@ -2886,7 +2902,7 @@ static bool bond_ab_arp_probe(struct bonding *bond)
check_state:
bond_for_each_slave_rcu(bond, slave, iter) {
@@ -173,7 +175,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
should_notify_rtnl = BOND_SLAVE_NOTIFY_NOW;
break;
}
-@@ -2940,8 +2956,10 @@ re_arm:
+@@ -2941,8 +2957,10 @@ re_arm:
if (should_notify_peers)
call_netdevice_notifiers(NETDEV_NOTIFY_PEERS,
bond->dev);
@@ -185,9 +187,11 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
rtnl_unlock();
}
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 51d02bf03d07..9f76d69e75e7 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
-@@ -165,7 +165,8 @@ struct slave {
+@@ -170,7 +170,8 @@ struct slave {
u8 backup:1, /* indicates backup slave. Value corresponds with
BOND_STATE_ACTIVE and BOND_STATE_BACKUP */
inactive:1, /* indicates inactive slave */
@@ -197,7 +201,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
u8 duplex;
u32 original_mtu;
u32 link_failure_count;
-@@ -505,10 +506,35 @@ static inline bool bond_is_slave_inactiv
+@@ -510,10 +511,35 @@ static inline bool bond_is_slave_inactive(struct slave *slave)
return slave->inactive;
}
@@ -235,3 +239,6 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
static inline __be32 bond_confirm_addr(struct net_device *dev, __be32 dst, __be32 local)
+--
+2.13.0
+
diff --git a/patches.fixes/bonding-avoid-defaulting-hard_header_len-to-ETH_HLEN.patch b/patches.fixes/bonding-avoid-defaulting-hard_header_len-to-ETH_HLEN.patch
new file mode 100644
index 0000000000..8057ef36da
--- /dev/null
+++ b/patches.fixes/bonding-avoid-defaulting-hard_header_len-to-ETH_HLEN.patch
@@ -0,0 +1,91 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 27 Apr 2017 19:29:34 +0200
+Subject: bonding: avoid defaulting hard_header_len to ETH_HLEN on slave removal
+Patch-mainline: v4.11
+Git-commit: 19cdead3e2ef8ed765c5d1ce48057ca9d97b5094
+References: bsc#1042286
+
+On slave list updates, the bonding driver computes its hard_header_len
+as the maximum of all enslaved devices's hard_header_len.
+If the slave list is empty, e.g. on last enslaved device removal,
+ETH_HLEN is used.
+
+Since the bonding header_ops are set only when the first enslaved
+device is attached, the above can lead to header_ops->create()
+being called with the wrong skb headroom in place.
+
+If bond0 is configured on top of ipoib devices, with the
+following commands:
+
+ifup bond0
+for slave in $BOND_SLAVES_LIST; do
+ ip link set dev $slave nomaster
+done
+ping -c 1 <ip on bond0 subnet>
+
+we will obtain a skb_under_panic() with a similar call trace:
+ skb_push+0x3d/0x40
+ push_pseudo_header+0x17/0x30 [ib_ipoib]
+ ipoib_hard_header+0x4e/0x80 [ib_ipoib]
+ arp_create+0x12f/0x220
+ arp_send_dst.part.19+0x28/0x50
+ arp_solicit+0x115/0x290
+ neigh_probe+0x4d/0x70
+ __neigh_event_send+0xa7/0x230
+ neigh_resolve_output+0x12e/0x1c0
+ ip_finish_output2+0x14b/0x390
+ ip_finish_output+0x136/0x1e0
+ ip_output+0x76/0xe0
+ ip_local_out+0x35/0x40
+ ip_send_skb+0x19/0x40
+ ip_push_pending_frames+0x33/0x40
+ raw_sendmsg+0x7d3/0xb50
+ inet_sendmsg+0x31/0xb0
+ sock_sendmsg+0x38/0x50
+ SYSC_sendto+0x102/0x190
+ SyS_sendto+0xe/0x10
+ do_syscall_64+0x67/0x180
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This change addresses the issue avoiding updating the bonding device
+hard_header_len when the slaves list become empty, forbidding to
+shrink it below the value used by header_ops->create().
+
+The bug is there since commit 54ef31371407 ("[PATCH] bonding: Handle large
+hard_header_len") but the panic can be triggered only since
+commit fc791b633515 ("IB/ipoib: move back IB LL address into the hard
+header").
+
+Reported-by: Norbert P <noe@physik.uzh.ch>
+Fixes: 54ef31371407 ("[PATCH] bonding: Handle large hard_header_len")
+Fixes: fc791b633515 ("IB/ipoib: move back IB LL address into the hard header")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 0946409d9479..ad0116e48dd1 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1106,11 +1106,11 @@ static void bond_compute_features(struct bonding *bond)
+ gso_max_size = min(gso_max_size, slave->dev->gso_max_size);
+ gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs);
+ }
++ bond_dev->hard_header_len = max_hard_header_len;
+
+ done:
+ bond_dev->vlan_features = vlan_features;
+ bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
+- bond_dev->hard_header_len = max_hard_header_len;
+ bond_dev->gso_max_segs = gso_max_segs;
+ netif_set_gso_max_size(bond_dev, gso_max_size);
+
+--
+2.13.0
+
diff --git a/patches.fixes/bonding-don-t-use-stale-speed-and-duplex-information.patch b/patches.fixes/bonding-don-t-use-stale-speed-and-duplex-information.patch
new file mode 100644
index 0000000000..81845def9e
--- /dev/null
+++ b/patches.fixes/bonding-don-t-use-stale-speed-and-duplex-information.patch
@@ -0,0 +1,59 @@
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+Date: Mon, 8 Feb 2016 12:10:02 -0800
+Subject: bonding: don't use stale speed and duplex information
+Patch-mainline: v4.5-rc6
+Git-commit: 266b495f11d6706018f66250cb02a788ff2490d7
+References: bsc#1042286
+
+There is presently a race condition between the bonding periodic
+link monitor and the updating of a slave's speed and duplex. The former
+occurs on a periodic basis, and the latter in response to a driver's
+calling of netif_carrier_on.
+
+ It is possible for the periodic monitor to run between the
+driver call of netif_carrier_on and the receipt of the NETDEV_CHANGE
+event that causes bonding to update the slave's speed and duplex. This
+manifests most notably as a report that a slave is up and "0 Mbps full
+duplex" after enslavement, but in principle could report an incorrect
+speed and duplex after any link up event if the device comes up with a
+different speed or duplex. This affects the 802.3ad aggregator
+selection, as the speed and duplex are selection criteria.
+
+ This is fixed by updating the speed and duplex in the periodic
+monitor, prior to using that information.
+
+ This was done historically in bonding, but the call to
+bond_update_speed_duplex was removed in commit 876254ae2758 ("bonding:
+don't call update_speed_duplex() under spinlocks"), as it might sleep
+under lock. Later, the locking was changed to only hold RTNL, and so
+after commit 876254ae2758 ("bonding: don't call update_speed_duplex()
+under spinlocks") this call is again safe.
+
+Tested-by: "Tantilov, Emil S" <emil.s.tantilov@intel.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: dingtianhong <dingtianhong@huawei.com>
+Fixes: 876254ae2758 ("bonding: don't call update_speed_duplex() under spinlocks")
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 5dca77e0ffed..0946409d9479 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2091,6 +2091,7 @@ static void bond_miimon_commit(struct bonding *bond)
+ continue;
+
+ case BOND_LINK_UP:
++ bond_update_speed_duplex(slave);
+ bond_set_slave_link_state(slave, BOND_LINK_UP);
+ slave->last_link_up = jiffies;
+
+--
+2.13.0
+
diff --git a/patches.fixes/bonding-prevent-out-of-bound-accesses.patch b/patches.fixes/bonding-prevent-out-of-bound-accesses.patch
new file mode 100644
index 0000000000..4c4be163f4
--- /dev/null
+++ b/patches.fixes/bonding-prevent-out-of-bound-accesses.patch
@@ -0,0 +1,122 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 30 Jun 2016 16:13:41 +0200
+Subject: bonding: prevent out of bound accesses
+Patch-mainline: v4.7-rc7
+Git-commit: f87fda00b6ed232a817c655b8d179b48bde8fdbe
+References: bsc#1042286
+
+ether_addr_equal_64bits() requires some care about its arguments,
+namely that 8 bytes might be read, even if last 2 byte values are not
+used.
+
+KASan detected a violation with null_mac_addr and lacpdu_mcast_addr
+in bond_3ad.c
+
+Same problem with mac_bcast[] and mac_v6_allmcast[] in bond_alb.c :
+Although the 8-byte alignment was there, KASan would detect out
+of bound accesses.
+
+Fixes: 815117adaf5b ("bonding: use ether_addr_equal_unaligned for bond addr compare")
+Fixes: bb54e58929f3 ("bonding: Verify RX LACPDU has proper dest mac-addr")
+Fixes: 885a136c52a8 ("bonding: use compare_ether_addr_64bits() in ALB")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ drivers/net/bonding/bond_3ad.c | 11 +++++++----
+ drivers/net/bonding/bond_alb.c | 7 ++-----
+ include/net/bonding.h | 7 ++++++-
+ 3 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
+index 1e5a8048e54f..f840797b5ebd 100644
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -100,11 +100,14 @@ enum ad_link_speed_type {
+ #define MAC_ADDRESS_EQUAL(A, B) \
+ ether_addr_equal_64bits((const u8 *)A, (const u8 *)B)
+
+-static struct mac_addr null_mac_addr = { { 0, 0, 0, 0, 0, 0 } };
++static const u8 null_mac_addr[ETH_ALEN + 2] __long_aligned = {
++ 0, 0, 0, 0, 0, 0
++};
+ static u16 ad_ticks_per_sec;
+ static const int ad_delta_in_ticks = (AD_TIMER_INTERVAL * HZ) / 1000;
+
+-static const u8 lacpdu_mcast_addr[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
++static const u8 lacpdu_mcast_addr[ETH_ALEN + 2] __long_aligned =
++ MULTICAST_LACPDU_ADDR;
+
+ /* ================= main 802.3ad protocol functions ================== */
+ static int ad_lacpdu_send(struct port *port);
+@@ -1722,7 +1725,7 @@ static void ad_clear_agg(struct aggregator *aggregator)
+ aggregator->is_individual = false;
+ aggregator->actor_admin_aggregator_key = 0;
+ aggregator->actor_oper_aggregator_key = 0;
+- aggregator->partner_system = null_mac_addr;
++ eth_zero_addr(aggregator->partner_system.mac_addr_value);
+ aggregator->partner_system_priority = 0;
+ aggregator->partner_oper_aggregator_key = 0;
+ aggregator->receive_state = 0;
+@@ -1744,7 +1747,7 @@ static void ad_initialize_agg(struct aggregator *aggregator)
+ if (aggregator) {
+ ad_clear_agg(aggregator);
+
+- aggregator->aggregator_mac_address = null_mac_addr;
++ eth_zero_addr(aggregator->aggregator_mac_address.mac_addr_value);
+ aggregator->aggregator_identifier = 0;
+ aggregator->slave = NULL;
+ }
+diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
+index bb9e9fc45e1b..bcfbc1c871c0 100644
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -42,13 +42,10 @@
+
+
+
+-#ifndef __long_aligned
+-#define __long_aligned __attribute__((aligned((sizeof(long)))))
+-#endif
+-static const u8 mac_bcast[ETH_ALEN] __long_aligned = {
++static const u8 mac_bcast[ETH_ALEN + 2] __long_aligned = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+ };
+-static const u8 mac_v6_allmcast[ETH_ALEN] __long_aligned = {
++static const u8 mac_v6_allmcast[ETH_ALEN + 2] __long_aligned = {
+ 0x33, 0x33, 0x00, 0x00, 0x00, 0x01
+ };
+ static const int alb_delta_in_ticks = HZ / ALB_TIMER_TICKS_PER_SEC;
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 93abe5f6188d..51d02bf03d07 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -34,6 +34,9 @@
+
+ #define BOND_DEFAULT_MIIMON 100
+
++#ifndef __long_aligned
++#define __long_aligned __attribute__((aligned((sizeof(long)))))
++#endif
+ /*
+ * Less bad way to call ioctl from within the kernel; this needs to be
+ * done some other way to get the call out of interrupt context.
+@@ -138,7 +141,9 @@ struct bond_params {
+ struct reciprocal_value reciprocal_packets_per_slave;
+ u16 ad_actor_sys_prio;
+ u16 ad_user_port_key;
+- u8 ad_actor_system[ETH_ALEN];
++
++ /* 2 bytes of padding : see ether_addr_equal_64bits() */
++ u8 ad_actor_system[ETH_ALEN + 2];
+ };
+
+ struct bond_parm_tbl {
+--
+2.13.0
+
diff --git a/patches.fixes/ipv4-add-reference-counting-to-metrics.patch b/patches.fixes/ipv4-add-reference-counting-to-metrics.patch
new file mode 100644
index 0000000000..fb3519c78f
--- /dev/null
+++ b/patches.fixes/ipv4-add-reference-counting-to-metrics.patch
@@ -0,0 +1,265 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 25 May 2017 14:27:35 -0700
+Subject: ipv4: add reference counting to metrics
+Patch-mainline: v4.12-rc3
+Git-commit: 3fb07daff8e99243366a081e5129560734de4ada
+References: bsc#1042286
+
+Andrey Konovalov reported crashes in ipv4_mtu()
+
+I could reproduce the issue with KASAN kernels, between
+10.246.7.151 and 10.246.7.152 :
+
+1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &
+
+2) At the same time run following loop :
+while :
+do
+ ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
+ ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
+done
+
+Cong Wang attempted to add back rt->fi in commit
+82486aa6f1b9 ("ipv4: restore rt->fi for reference counting")
+but this proved to add some issues that were complex to solve.
+
+Instead, I suggested to add a refcount to the metrics themselves,
+being a standalone object (in particular, no reference to other objects)
+
+I tried to make this patch as small as possible to ease its backport,
+instead of being super clean. Note that we believe that only ipv4 dst
+need to take care of the metric refcount. But if this is wrong,
+this patch adds the basic infrastructure to extend this to other
+families.
+
+Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
+for his efforts on this problem.
+
+Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/dst.h | 8 +++++++-
+ include/net/ip_fib.h | 10 +++++-----
+ net/core/dst.c | 23 ++++++++++++++---------
+ net/ipv4/fib_semantics.c | 17 ++++++++++-------
+ net/ipv4/route.c | 10 +++++++++-
+ 5 files changed, 45 insertions(+), 23 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index c7329dcd90cc..e4f450617919 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -110,10 +110,16 @@ struct dst_entry {
+ };
+ };
+
++struct dst_metrics {
++ u32 metrics[RTAX_MAX];
++ atomic_t refcnt;
++};
++extern const struct dst_metrics dst_default_metrics;
++
+ u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old);
+-extern const u32 dst_default_metrics[];
+
+ #define DST_METRICS_READ_ONLY 0x1UL
++#define DST_METRICS_REFCOUNTED 0x2UL
+ #define DST_METRICS_FLAGS 0x3UL
+ #define __DST_METRICS_PTR(Y) \
+ ((u32 *)((Y) & ~DST_METRICS_FLAGS))
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index 3f98233388fb..bda1721e9622 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -112,11 +112,11 @@ struct fib_info {
+ unsigned char fib_type;
+ __be32 fib_prefsrc;
+ u32 fib_priority;
+- u32 *fib_metrics;
+-#define fib_mtu fib_metrics[RTAX_MTU-1]
+-#define fib_window fib_metrics[RTAX_WINDOW-1]
+-#define fib_rtt fib_metrics[RTAX_RTT-1]
+-#define fib_advmss fib_metrics[RTAX_ADVMSS-1]
++ struct dst_metrics *fib_metrics;
++#define fib_mtu fib_metrics->metrics[RTAX_MTU-1]
++#define fib_window fib_metrics->metrics[RTAX_WINDOW-1]
++#define fib_rtt fib_metrics->metrics[RTAX_RTT-1]
++#define fib_advmss fib_metrics->metrics[RTAX_ADVMSS-1]
+ int fib_nhs;
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ int fib_weight;
+diff --git a/net/core/dst.c b/net/core/dst.c
+index a1656e3b8d72..d7ad628bf64e 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -151,13 +151,13 @@ int dst_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(dst_discard_out);
+
+-const u32 dst_default_metrics[RTAX_MAX + 1] = {
++const struct dst_metrics dst_default_metrics = {
+ /* This initializer is needed to force linker to place this variable
+ * into const section. Otherwise it might end into bss section.
+ * We really want to avoid false sharing on this variable, and catch
+ * any writes on it.
+ */
+- [RTAX_MAX] = 0xdeadbeef,
++ .refcnt = ATOMIC_INIT(1),
+ };
+
+ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
+@@ -169,7 +169,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
+ if (dev)
+ dev_hold(dev);
+ dst->ops = ops;
+- dst_init_metrics(dst, dst_default_metrics, true);
++ dst_init_metrics(dst, dst_default_metrics.metrics, true);
+ dst->expires = 0UL;
+ dst->path = dst;
+ dst->from = NULL;
+@@ -315,25 +315,30 @@ EXPORT_SYMBOL(dst_release);
+
+ u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
+ {
+- u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC);
++ struct dst_metrics *p = kmalloc(sizeof(*p), GFP_ATOMIC);
+
+ if (p) {
+- u32 *old_p = __DST_METRICS_PTR(old);
++ struct dst_metrics *old_p = (struct dst_metrics *)__DST_METRICS_PTR(old);
+ unsigned long prev, new;
+
+- memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
++ atomic_set(&p->refcnt, 1);
++ memcpy(p->metrics, old_p->metrics, sizeof(p->metrics));
+
+ new = (unsigned long) p;
+ prev = cmpxchg(&dst->_metrics, old, new);
+
+ if (prev != old) {
+ kfree(p);
+- p = __DST_METRICS_PTR(prev);
++ p = (struct dst_metrics *)__DST_METRICS_PTR(prev);
+ if (prev & DST_METRICS_READ_ONLY)
+ p = NULL;
++ } else if (prev & DST_METRICS_REFCOUNTED) {
++ if (atomic_dec_and_test(&old_p->refcnt))
++ kfree(old_p);
+ }
+ }
+- return p;
++ BUILD_BUG_ON(offsetof(struct dst_metrics, metrics) != 0);
++ return (u32 *)p;
+ }
+ EXPORT_SYMBOL(dst_cow_metrics_generic);
+
+@@ -342,7 +347,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old)
+ {
+ unsigned long prev, new;
+
+- new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY;
++ new = ((unsigned long) &dst_default_metrics) | DST_METRICS_READ_ONLY;
+ prev = cmpxchg(&dst->_metrics, old, new);
+ if (prev == old)
+ kfree(__DST_METRICS_PTR(old));
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 9558530b4ba8..ae933b911172 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -204,6 +204,7 @@ static void rt_fibinfo_free_cpus(struct rtable __rcu * __percpu *rtp)
+ static void free_fib_info_rcu(struct rcu_head *head)
+ {
+ struct fib_info *fi = container_of(head, struct fib_info, rcu);
++ struct dst_metrics *m;
+
+ change_nexthops(fi) {
+ if (nexthop_nh->nh_dev)
+@@ -214,8 +215,9 @@ static void free_fib_info_rcu(struct rcu_head *head)
+ rt_fibinfo_free(&nexthop_nh->nh_rth_input);
+ } endfor_nexthops(fi);
+
+- if (fi->fib_metrics != (u32 *) dst_default_metrics)
+- kfree(fi->fib_metrics);
++ m = fi->fib_metrics;
++ if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
++ kfree(m);
+ kfree(fi);
+ }
+
+@@ -982,11 +984,11 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
+ val = 255;
+ if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK))
+ return -EINVAL;
+- fi->fib_metrics[type - 1] = val;
++ fi->fib_metrics->metrics[type - 1] = val;
+ }
+
+ if (ecn_ca)
+- fi->fib_metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA;
++ fi->fib_metrics->metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA;
+
+ return 0;
+ }
+@@ -1044,11 +1046,12 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
+ goto failure;
+ fib_info_cnt++;
+ if (cfg->fc_mx) {
+- fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
++ fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL);
+ if (!fi->fib_metrics)
+ goto failure;
++ atomic_set(&fi->fib_metrics->refcnt, 1);
+ } else
+- fi->fib_metrics = (u32 *) dst_default_metrics;
++ fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
+
+ fi->fib_net = net;
+ fi->fib_protocol = cfg->fc_protocol;
+@@ -1251,7 +1254,7 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
+ if (fi->fib_priority &&
+ nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority))
+ goto nla_put_failure;
+- if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0)
++ if (rtnetlink_put_metrics(skb, fi->fib_metrics->metrics) < 0)
+ goto nla_put_failure;
+
+ if (fi->fib_prefsrc &&
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 2b8946ed599e..1661291c6df0 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1356,8 +1356,12 @@ static void rt_add_uncached_list(struct rtable *rt)
+
+ static void ipv4_dst_destroy(struct dst_entry *dst)
+ {
++ struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
+ struct rtable *rt = (struct rtable *) dst;
+
++ if (p != &dst_default_metrics && atomic_dec_and_test(&p->refcnt))
++ kfree(p);
++
+ if (!list_empty(&rt->rt_uncached)) {
+ struct uncached_list *ul = rt->rt_uncached_list;
+
+@@ -1409,7 +1413,11 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
+ rt->rt_gateway = nh->nh_gw;
+ rt->rt_uses_gateway = 1;
+ }
+- dst_init_metrics(&rt->dst, fi->fib_metrics, true);
++ dst_init_metrics(&rt->dst, fi->fib_metrics->metrics, true);
++ if (fi->fib_metrics != &dst_default_metrics) {
++ rt->dst._metrics |= DST_METRICS_REFCOUNTED;
++ atomic_inc(&fi->fib_metrics->refcnt);
++ }
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ rt->dst.tclassid = nh->nh_tclassid;
+ #endif
+--
+2.13.0
+
diff --git a/patches.fixes/ipv6-Don-t-use-ufo-handling-on-later-transformed-pac.patch b/patches.fixes/ipv6-Don-t-use-ufo-handling-on-later-transformed-pac.patch
new file mode 100644
index 0000000000..9977503398
--- /dev/null
+++ b/patches.fixes/ipv6-Don-t-use-ufo-handling-on-later-transformed-pac.patch
@@ -0,0 +1,67 @@
+From: Jakub Sitnicki <jkbs@redhat.com>
+Date: Wed, 26 Oct 2016 11:21:14 +0200
+Subject: ipv6: Don't use ufo handling on later transformed packets
+Patch-mainline: v4.9-rc6
+Git-commit: f89c56ce710afa65e1b2ead555b52c4807f34ff7
+References: bsc#1042286
+
+Similar to commit c146066ab802 ("ipv4: Don't use ufo handling on later
+transformed packets"), don't perform UFO on packets that will be IPsec
+transformed. To detect it we rely on the fact that headerlen in
+dst_entry is non-zero only for transformation bundles (xfrm_dst
+objects).
+
+Unwanted segmentation can be observed with a NETIF_F_UFO capable device,
+such as a dummy device:
+
+ DEV=dum0 LEN=1493
+
+ ip li add $DEV type dummy
+ ip addr add fc00::1/64 dev $DEV nodad
+ ip link set $DEV up
+ ip xfrm policy add dir out src fc00::1 dst fc00::2 \
+ tmpl src fc00::1 dst fc00::2 proto esp spi 1
+ ip xfrm state add src fc00::1 dst fc00::2 \
+ proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+
+ tcpdump -n -nn -i $DEV -t &
+ socat /dev/zero,readbytes=$LEN udp6:[fc00::2]:$LEN
+
+tcpdump output before:
+
+ IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
+ IP6 fc00::1 > fc00::2: frag (1448|48)
+ IP6 fc00::1 > fc00::2: ESP(spi=0x00000001,seq=0x2), length 88
+
+... and after:
+
+ IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
+ IP6 fc00::1 > fc00::2: frag (1448|80)
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+
+Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv6/ip6_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 1db17efe36c1..dc5859472991 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1359,7 +1359,7 @@ emsgsize:
+ if (((length > mtu) ||
+ (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+- (rt->dst.dev->features & NETIF_F_UFO) &&
++ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
+ err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ hh_len, fragheaderlen, exthdrlen,
+--
+2.13.0
+
diff --git a/patches.fixes/ipv6-fix-endianness-error-in-icmpv6_err.patch b/patches.fixes/ipv6-fix-endianness-error-in-icmpv6_err.patch
new file mode 100644
index 0000000000..9b0e952f37
--- /dev/null
+++ b/patches.fixes/ipv6-fix-endianness-error-in-icmpv6_err.patch
@@ -0,0 +1,37 @@
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat, 11 Jun 2016 20:32:06 +0200
+Subject: ipv6: fix endianness error in icmpv6_err
+Patch-mainline: v4.7-rc6
+Git-commit: dcb94b88c09ce82a80e188d49bcffdc83ba215a6
+References: bsc#1042286
+
+IPv6 ping socket error handler doesn't correctly convert the new 32 bit
+mtu to host endianness before using.
+
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv6/icmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 7ab502e49075..fa96e05cf22b 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -98,7 +98,7 @@ static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+
+ if (!(type & ICMPV6_INFOMSG_MASK))
+ if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
+- ping_err(skb, offset, info);
++ ping_err(skb, offset, ntohl(info));
+ }
+
+ static int icmpv6_rcv(struct sk_buff *skb);
+--
+2.13.0
+
diff --git a/patches.fixes/l2tp-fix-race-in-l2tp_recv_common.patch b/patches.fixes/l2tp-fix-race-in-l2tp_recv_common.patch
new file mode 100644
index 0000000000..bd3178607b
--- /dev/null
+++ b/patches.fixes/l2tp-fix-race-in-l2tp_recv_common.patch
@@ -0,0 +1,269 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 31 Mar 2017 13:02:25 +0200
+Subject: l2tp: fix race in l2tp_recv_common()
+Patch-mainline: v4.11-rc6
+Git-commit: 61b9a047729bb230978178bca6729689d0c50ca2
+References: bsc#1042286
+
+Taking a reference on sessions in l2tp_recv_common() is racy; this
+has to be done by the callers.
+
+To this end, a new function is required (l2tp_session_get()) to
+atomically lookup a session and take a reference on it. Callers then
+have to manually drop this reference.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/l2tp/l2tp_core.c | 73 ++++++++++++++++++++++++++++++++++++++++++----------
+ net/l2tp/l2tp_core.h | 3 +++
+ net/l2tp/l2tp_ip.c | 17 ++++++++----
+ net/l2tp/l2tp_ip6.c | 16 +++++++++---
+ 4 files changed, 87 insertions(+), 22 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index d3dec414fd44..28f0eae009c3 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -278,6 +278,55 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
+ }
+ EXPORT_SYMBOL_GPL(l2tp_session_find);
+
++/* Like l2tp_session_find() but takes a reference on the returned session.
++ * Optionally calls session->ref() too if do_ref is true.
++ */
++struct l2tp_session *l2tp_session_get(struct net *net,
++ struct l2tp_tunnel *tunnel,
++ u32 session_id, bool do_ref)
++{
++ struct hlist_head *session_list;
++ struct l2tp_session *session;
++
++ if (!tunnel) {
++ struct l2tp_net *pn = l2tp_pernet(net);
++
++ session_list = l2tp_session_id_hash_2(pn, session_id);
++
++ rcu_read_lock_bh();
++ hlist_for_each_entry_rcu(session, session_list, global_hlist) {
++ if (session->session_id == session_id) {
++ l2tp_session_inc_refcount(session);
++ if (do_ref && session->ref)
++ session->ref(session);
++ rcu_read_unlock_bh();
++
++ return session;
++ }
++ }
++ rcu_read_unlock_bh();
++
++ return NULL;
++ }
++
++ session_list = l2tp_session_id_hash(tunnel, session_id);
++ read_lock_bh(&tunnel->hlist_lock);
++ hlist_for_each_entry(session, session_list, hlist) {
++ if (session->session_id == session_id) {
++ l2tp_session_inc_refcount(session);
++ if (do_ref && session->ref)
++ session->ref(session);
++ read_unlock_bh(&tunnel->hlist_lock);
++
++ return session;
++ }
++ }
++ read_unlock_bh(&tunnel->hlist_lock);
++
++ return NULL;
++}
++EXPORT_SYMBOL_GPL(l2tp_session_get);
++
+ struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
+ bool do_ref)
+ {
+@@ -637,6 +686,9 @@ discard:
+ * a data (not control) frame before coming here. Fields up to the
+ * session-id have already been parsed and ptr points to the data
+ * after the session-id.
++ *
++ * session->ref() must have been called prior to l2tp_recv_common().
++ * session->deref() will be called automatically after skb is processed.
+ */
+ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ unsigned char *ptr, unsigned char *optr, u16 hdrflags,
+@@ -646,14 +698,6 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ int offset;
+ u32 ns, nr;
+
+- /* The ref count is increased since we now hold a pointer to
+- * the session. Take care to decrement the refcnt when exiting
+- * this function from now on...
+- */
+- l2tp_session_inc_refcount(session);
+- if (session->ref)
+- (*session->ref)(session);
+-
+ /* Parse and check optional cookie */
+ if (session->peer_cookie_len > 0) {
+ if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
+@@ -806,8 +850,6 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ /* Try to dequeue as many skbs from reorder_q as we can. */
+ l2tp_recv_dequeue(session);
+
+- l2tp_session_dec_refcount(session);
+-
+ return;
+
+ discard:
+@@ -816,8 +858,6 @@ discard:
+
+ if (session->deref)
+ (*session->deref)(session);
+-
+- l2tp_session_dec_refcount(session);
+ }
+ EXPORT_SYMBOL(l2tp_recv_common);
+
+@@ -924,8 +964,14 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
+ }
+
+ /* Find the session context */
+- session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
++ session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
+ if (!session || !session->recv_skb) {
++ if (session) {
++ if (session->deref)
++ session->deref(session);
++ l2tp_session_dec_refcount(session);
++ }
++
+ /* Not found? Pass to userspace to deal with */
+ l2tp_info(tunnel, L2TP_MSG_DATA,
+ "%s: no session found (%u/%u). Passing up.\n",
+@@ -934,6 +980,7 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
+ }
+
+ l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
++ l2tp_session_dec_refcount(session);
+
+ return 0;
+
+diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
+index 555d962a62d2..08dc6f1b76b4 100644
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -240,6 +240,9 @@ out:
+ return tunnel;
+ }
+
++struct l2tp_session *l2tp_session_get(struct net *net,
++ struct l2tp_tunnel *tunnel,
++ u32 session_id, bool do_ref);
+ struct l2tp_session *l2tp_session_find(struct net *net,
+ struct l2tp_tunnel *tunnel,
+ u32 session_id);
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 6cef4f17fbd2..472bf8f899f6 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -143,19 +143,19 @@ static int l2tp_ip_recv(struct sk_buff *skb)
+ }
+
+ /* Ok, this is a data packet. Lookup the session. */
+- session = l2tp_session_find(net, NULL, session_id);
+- if (session == NULL)
++ session = l2tp_session_get(net, NULL, session_id, true);
++ if (!session)
+ goto discard;
+
+ tunnel = session->tunnel;
+- if (tunnel == NULL)
+- goto discard;
++ if (!tunnel)
++ goto discard_sess;
+
+ /* Trace packet contents, if enabled */
+ if (tunnel->debug & L2TP_MSG_DATA) {
+ length = min(32u, skb->len);
+ if (!pskb_may_pull(skb, length))
+- goto discard;
++ goto discard_sess;
+
+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+@@ -165,6 +165,7 @@ static int l2tp_ip_recv(struct sk_buff *skb)
+ }
+
+ l2tp_recv_common(session, skb, ptr, optr, 0, skb->len, tunnel->recv_payload_hook);
++ l2tp_session_dec_refcount(session);
+
+ return 0;
+
+@@ -203,6 +204,12 @@ pass_up:
+
+ return sk_receive_skb(sk, skb, 1);
+
++discard_sess:
++ if (session->deref)
++ session->deref(session);
++ l2tp_session_dec_refcount(session);
++ goto discard;
++
+ discard_put:
+ sock_put(sk);
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 7a29ae3da4e4..65669a49a0c0 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -154,19 +154,19 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
+ }
+
+ /* Ok, this is a data packet. Lookup the session. */
+- session = l2tp_session_find(&init_net, NULL, session_id);
++ session = l2tp_session_get(&init_net, NULL, session_id, true);
+ if (session == NULL)
+ goto discard;
+
+ tunnel = session->tunnel;
+- if (tunnel == NULL)
+- goto discard;
++ if (!tunnel)
++ goto discard_sess;
+
+ /* Trace packet contents, if enabled */
+ if (tunnel->debug & L2TP_MSG_DATA) {
+ length = min(32u, skb->len);
+ if (!pskb_may_pull(skb, length))
+- goto discard;
++ goto discard_sess;
+
+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+@@ -177,6 +177,8 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
+
+ l2tp_recv_common(session, skb, ptr, optr, 0, skb->len,
+ tunnel->recv_payload_hook);
++ l2tp_session_dec_refcount(session);
++
+ return 0;
+
+ pass_up:
+@@ -214,6 +216,12 @@ pass_up:
+
+ return sk_receive_skb(sk, skb, 1);
+
++discard_sess:
++ if (session->deref)
++ session->deref(session);
++ l2tp_session_dec_refcount(session);
++ goto discard;
++
+ discard_put:
+ sock_put(sk);
+
+--
+2.13.0
+
diff --git a/patches.fixes/net-ipv6-set-route-type-for-anycast-routes.patch b/patches.fixes/net-ipv6-set-route-type-for-anycast-routes.patch
new file mode 100644
index 0000000000..a1b7bea7bb
--- /dev/null
+++ b/patches.fixes/net-ipv6-set-route-type-for-anycast-routes.patch
@@ -0,0 +1,36 @@
+From: David Ahern <dsa@cumulusnetworks.com>
+Date: Wed, 15 Mar 2017 18:14:33 -0700
+Subject: net: ipv6: set route type for anycast routes
+Patch-mainline: v4.11-rc4
+Git-commit: 4ee39733fbecf04cf9f346de2d64788c35028079
+References: bsc#1042286
+
+Anycast routes have the RTF_ANYCAST flag set, but when dumping routes
+for userspace the route type is not set to RTN_ANYCAST. Make it so.
+
+Fixes: 58c4fb86eabcb ("[IPV6]: Flag RTF_ANYCAST for anycast routes")
+CC: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 8f4177a1d4f5..57dafe439cbb 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3103,6 +3103,8 @@ static int rt6_fill_node(struct net *net,
+ }
+ else if (rt->rt6i_flags & RTF_LOCAL)
+ rtm->rtm_type = RTN_LOCAL;
++ else if (rt->rt6i_flags & RTF_ANYCAST)
++ rtm->rtm_type = RTN_ANYCAST;
+ else if (rt->dst.dev && (rt->dst.dev->flags & IFF_LOOPBACK))
+ rtm->rtm_type = RTN_LOCAL;
+ else
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-nf_conntrack_sip-extend-request-line-valid.patch b/patches.fixes/netfilter-nf_conntrack_sip-extend-request-line-valid.patch
new file mode 100644
index 0000000000..c73eab1c01
--- /dev/null
+++ b/patches.fixes/netfilter-nf_conntrack_sip-extend-request-line-valid.patch
@@ -0,0 +1,47 @@
+From: Ulrich Weber <ulrich.weber@riverbed.com>
+Date: Mon, 24 Oct 2016 18:07:23 +0200
+Subject: netfilter: nf_conntrack_sip: extend request line validation
+Patch-mainline: v4.9-rc6
+Git-commit: 444f901742d054a4cd5ff045871eac5131646cfb
+References: bsc#1042286
+
+on SIP requests, so a fragmented TCP SIP packet from an allow header starting with
+ INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE
+ Content-Length: 0
+
+will not bet interpreted as an INVITE request. Also Request-URI must start with an alphabetic character.
+
+Confirm with RFC 3261
+ Request-Line = Method SP Request-URI SP SIP-Version CRLF
+
+Fixes: 30f33e6dee80 ("[NETFILTER]: nf_conntrack_sip: support method specific request/response handling")
+Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
+Acked-by: Marco Angaroni <marcoangaroni@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/netfilter/nf_conntrack_sip.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 885b4aba3695..1665c2159e4b 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1434,9 +1434,12 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
+ handler = &sip_handlers[i];
+ if (handler->request == NULL)
+ continue;
+- if (*datalen < handler->len ||
++ if (*datalen < handler->len + 2 ||
+ strncasecmp(*dptr, handler->method, handler->len))
+ continue;
++ if ((*dptr)[handler->len] != ' ' ||
++ !isalpha((*dptr)[handler->len+1]))
++ continue;
+
+ if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
+ &matchoff, &matchlen) <= 0) {
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-nf_ct_expect-remove-the-redundant-slash-wh.patch b/patches.fixes/netfilter-nf_ct_expect-remove-the-redundant-slash-wh.patch
new file mode 100644
index 0000000000..62c9151d47
--- /dev/null
+++ b/patches.fixes/netfilter-nf_ct_expect-remove-the-redundant-slash-wh.patch
@@ -0,0 +1,39 @@
+From: Liping Zhang <liping.zhang@spreadtrum.com>
+Date: Mon, 8 Aug 2016 21:57:58 +0800
+Subject: netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
+Patch-mainline: v4.8-rc3
+Git-commit: b173a28f62cf929324a8a6adcc45adadce311d16
+References: bsc#1042286
+
+The 'name' filed in struct nf_conntrack_expect_policy{} is not a
+pointer, so check it is NULL or not will always return true. Even if the
+name is empty, slash will always be displayed like follows:
+ # cat /proc/net/nf_conntrack_expect
+ 297 l3proto = 2 proto=6 src=1.1.1.1 dst=2.2.2.2 sport=1 dport=1025 ftp/
+ ^
+
+Fixes: 3a8fc53a45c4 ("netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names")
+Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/netfilter/nf_conntrack_expect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
+index acf5c7b3f378..fbbb16b58696 100644
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -560,7 +560,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
+ helper = rcu_dereference(nfct_help(expect->master)->helper);
+ if (helper) {
+ seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
+- if (helper->expect_policy[expect->class].name)
++ if (helper->expect_policy[expect->class].name[0])
+ seq_printf(s, "/%s",
+ helper->expect_policy[expect->class].name);
+ }
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-nf_dup_ipv6-set-again-FLOWI_FLAG_KNOWN_NH-.patch b/patches.fixes/netfilter-nf_dup_ipv6-set-again-FLOWI_FLAG_KNOWN_NH-.patch
new file mode 100644
index 0000000000..b35908e514
--- /dev/null
+++ b/patches.fixes/netfilter-nf_dup_ipv6-set-again-FLOWI_FLAG_KNOWN_NH-.patch
@@ -0,0 +1,39 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 26 May 2016 19:08:10 +0200
+Subject: netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
+Patch-mainline: v4.7-rc3
+Git-commit: 83170f3beccccd7ceb4f9a0ac0c4dc736afde90c
+References: bsc#1042286
+
+With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at
+flowi6_flags") ip6_pol_route() callers were asked to to set the
+FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly,
+but with the later refactor in commit bbde9fc1824a ("netfilter:
+factor out packet duplication for IPv4/IPv6") the flowi6_flags
+update was lost.
+This commit re-add it just before the routing decision.
+
+Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv6/netfilter/nf_dup_ipv6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
+index 6989c70ae29f..4a84b5ad9ecb 100644
+--- a/net/ipv6/netfilter/nf_dup_ipv6.c
++++ b/net/ipv6/netfilter/nf_dup_ipv6.c
+@@ -33,6 +33,7 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
+ fl6.daddr = *gw;
+ fl6.flowlabel = (__force __be32)(((iph->flow_lbl[0] & 0xF) << 16) |
+ (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]);
++ fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH;
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst->error) {
+ dst_release(dst);
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-nf_nat_snmp-Fix-panic-when-snmp_trap_helpe.patch b/patches.fixes/netfilter-nf_nat_snmp-Fix-panic-when-snmp_trap_helpe.patch
new file mode 100644
index 0000000000..9678506966
--- /dev/null
+++ b/patches.fixes/netfilter-nf_nat_snmp-Fix-panic-when-snmp_trap_helpe.patch
@@ -0,0 +1,67 @@
+From: Gao Feng <fgao@ikuai8.com>
+Date: Sat, 25 Mar 2017 18:24:36 +0800
+Subject: netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+Patch-mainline: v4.11-rc6
+Git-commit: 75c689dca98851d65ef5a27e5ce26b625b68751c
+References: bsc#1042286
+
+In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
+helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
+snmp_helper is never registered. But it still tries to unregister the
+snmp_helper, it could cause the panic.
+
+Now remove the useless snmp_helper and the unregister call in the
+error handler.
+
+Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper")
+Signed-off-by: Gao Feng <fgao@ikuai8.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+index ddb894ac1458..50d185fa369e 100644
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_policy snmp_exp_policy = {
+ .timeout = 180,
+ };
+
+-static struct nf_conntrack_helper snmp_helper __read_mostly = {
+- .me = THIS_MODULE,
+- .help = help,
+- .expect_policy = &snmp_exp_policy,
+- .name = "snmp",
+- .tuple.src.l3num = AF_INET,
+- .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT),
+- .tuple.dst.protonum = IPPROTO_UDP,
+-};
+-
+ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
+ .me = THIS_MODULE,
+ .help = help,
+@@ -1288,17 +1278,10 @@ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
+
+ static int __init nf_nat_snmp_basic_init(void)
+ {
+- int ret = 0;
+-
+ BUG_ON(nf_nat_snmp_hook != NULL);
+ RCU_INIT_POINTER(nf_nat_snmp_hook, help);
+
+- ret = nf_conntrack_helper_register(&snmp_trap_helper);
+- if (ret < 0) {
+- nf_conntrack_helper_unregister(&snmp_helper);
+- return ret;
+- }
+- return ret;
++ return nf_conntrack_helper_register(&snmp_trap_helper);
+ }
+
+ static void __exit nf_nat_snmp_basic_fini(void)
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-nfnetlink_queue-reject-verdict-request-fro.patch b/patches.fixes/netfilter-nfnetlink_queue-reject-verdict-request-fro.patch
new file mode 100644
index 0000000000..f3d8e25311
--- /dev/null
+++ b/patches.fixes/netfilter-nfnetlink_queue-reject-verdict-request-fro.patch
@@ -0,0 +1,41 @@
+From: Liping Zhang <liping.zhang@spreadtrum.com>
+Date: Mon, 8 Aug 2016 22:07:27 +0800
+Subject: netfilter: nfnetlink_queue: reject verdict request from different portid
+Patch-mainline: v4.8-rc3
+Git-commit: 00a3101f561816e58de054a470484996f78eb5eb
+References: bsc#1042286
+
+Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict
+request when the portid is not same with the initial portid(maybe
+from another process).
+
+Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support")
+Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/netfilter/nfnetlink_queue.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 861c6615253b..e4a680dba6f1 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -1048,10 +1048,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
+ struct net *net = sock_net(ctnl);
+ struct nfnl_queue_net *q = nfnl_queue_pernet(net);
+
+- queue = instance_lookup(q, queue_num);
+- if (!queue)
+- queue = verdict_instance_lookup(q, queue_num,
+- NETLINK_CB(skb).portid);
++ queue = verdict_instance_lookup(q, queue_num,
++ NETLINK_CB(skb).portid);
+ if (IS_ERR(queue))
+ return PTR_ERR(queue);
+
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-restart-search-if-moved-to-other-chain.patch b/patches.fixes/netfilter-restart-search-if-moved-to-other-chain.patch
new file mode 100644
index 0000000000..93f62c05ac
--- /dev/null
+++ b/patches.fixes/netfilter-restart-search-if-moved-to-other-chain.patch
@@ -0,0 +1,50 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 25 Aug 2016 15:33:29 +0200
+Subject: netfilter: restart search if moved to other chain
+Patch-mainline: v4.9-rc1
+Git-commit: 95a8d19f28e6b29377a880c6264391a62e07fccc
+References: bsc#1042286
+
+In case nf_conntrack_tuple_taken did not find a conflicting entry
+check that all entries in this hash slot were tested and restart
+in case an entry was moved to another chain.
+
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: ea781f197d6a ("netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu()")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/netfilter/nf_conntrack_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 86a3c6f0c871..5f747089024f 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -719,6 +719,7 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
+ * least once for the stats anyway.
+ */
+ rcu_read_lock_bh();
++ begin:
+ hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
+ ct = nf_ct_tuplehash_to_ctrack(h);
+ if (ct != ignored_conntrack &&
+@@ -730,6 +731,12 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
+ }
+ NF_CT_STAT_INC(net, searched);
+ }
++
++ if (get_nulls_value(n) != hash) {
++ NF_CT_STAT_INC(net, search_restart);
++ goto begin;
++ }
++
+ rcu_read_unlock_bh();
+
+ return 0;
+--
+2.13.0
+
diff --git a/patches.fixes/netfilter-use-fwmark_reflect-in-nf_send_reset.patch b/patches.fixes/netfilter-use-fwmark_reflect-in-nf_send_reset.patch
new file mode 100644
index 0000000000..b37b2b3a1b
--- /dev/null
+++ b/patches.fixes/netfilter-use-fwmark_reflect-in-nf_send_reset.patch
@@ -0,0 +1,58 @@
+From: Pau Espin Pedrol <pau.espin@tessares.net>
+Date: Fri, 6 Jan 2017 20:33:27 +0100
+Subject: netfilter: use fwmark_reflect in nf_send_reset
+Patch-mainline: v4.10-rc6
+Git-commit: cc31d43b4154ad5a7d8aa5543255a93b7e89edc2
+References: bsc#1042286
+
+Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
+the routing is checked later in the same code path.
+
+Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
+ net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index c747b2d9eb77..d4acf38b60fd 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -124,6 +124,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
+ /* ip_route_me_harder expects skb->dst to be set */
+ skb_dst_set_noref(nskb, skb_dst(oldskb));
+
++ nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
++
+ skb_reserve(nskb, LL_MAX_HEADER);
+ niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
+ ip4_dst_hoplimit(skb_dst(nskb)));
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index e0f922b777e3..7117e5bef412 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -157,6 +157,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ fl6.daddr = oip6h->saddr;
+ fl6.fl6_sport = otcph->dest;
+ fl6.fl6_dport = otcph->source;
++ fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
+ security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst == NULL || dst->error) {
+@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+
+ skb_dst_set(nskb, dst);
+
++ nskb->mark = fl6.flowi6_mark;
++
+ skb_reserve(nskb, hh_len + dst->header_len);
+ ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
+ ip6_dst_hoplimit(dst));
+--
+2.13.0
+
diff --git a/patches.fixes/rtnl-reset-calcit-fptr-in-rtnl_unregister.patch b/patches.fixes/rtnl-reset-calcit-fptr-in-rtnl_unregister.patch
new file mode 100644
index 0000000000..44cbcd644a
--- /dev/null
+++ b/patches.fixes/rtnl-reset-calcit-fptr-in-rtnl_unregister.patch
@@ -0,0 +1,40 @@
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 7 Nov 2016 23:22:19 +0100
+Subject: rtnl: reset calcit fptr in rtnl_unregister()
+Patch-mainline: v4.9-rc6
+Git-commit: f567e950bf51290755a2539ff2aaef4c26f735d3
+References: bsc#1042286
+
+To avoid having dangling function pointers left behind, reset calcit in
+rtnl_unregister(), too.
+
+This is no issue so far, as only the rtnl core registers a netlink
+handler with a calcit hook which won't be unregistered, but may become
+one if new code makes use of the calcit hook.
+
+Fixes: c7ac8679bec9 ("rtnetlink: Compute and store minimum ifinfo...")
+Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Cc: Greg Rose <gregory.v.rose@intel.com>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index c9a92fcea3fc..bcac89dda4d6 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -253,6 +253,7 @@ int rtnl_unregister(int protocol, int msgtype)
+
+ rtnl_msg_handlers[protocol][msgindex].doit = NULL;
+ rtnl_msg_handlers[protocol][msgindex].dumpit = NULL;
++ rtnl_msg_handlers[protocol][msgindex].calcit = NULL;
+
+ return 0;
+ }
+--
+2.13.0
+
diff --git a/patches.fixes/tcp-account-for-ts-offset-only-if-tsecr-not-zero.patch b/patches.fixes/tcp-account-for-ts-offset-only-if-tsecr-not-zero.patch
new file mode 100644
index 0000000000..11e7699950
--- /dev/null
+++ b/patches.fixes/tcp-account-for-ts-offset-only-if-tsecr-not-zero.patch
@@ -0,0 +1,36 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Wed, 22 Feb 2017 13:23:56 +0300
+Subject: tcp: account for ts offset only if tsecr not zero
+Patch-mainline: v4.11-rc1
+Git-commit: eee2faabc63d863a129000b698a2bca54dff643d
+References: bsc#1042286
+
+We can get SYN with zero tsecr, don't apply offset in this case.
+
+Fixes: ee684b6f2830 ("tcp: send packets with a socket timestamp")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/tcp_minisocks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index 4c1c94fa8f08..ab90f1e57011 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -109,7 +109,8 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
+ tcp_parse_options(skb, &tmp_opt, 0, NULL);
+
+ if (tmp_opt.saw_tstamp) {
+- tmp_opt.rcv_tsecr -= tcptw->tw_ts_offset;
++ if (tmp_opt.rcv_tsecr)
++ tmp_opt.rcv_tsecr -= tcptw->tw_ts_offset;
+ tmp_opt.ts_recent = tcptw->tw_ts_recent;
+ tmp_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
+ paws_reject = tcp_paws_reject(&tmp_opt, th->rst);
+--
+2.13.0
+
diff --git a/patches.fixes/tcp-fastopen-accept-data-FIN-present-in-SYNACK-messa.patch b/patches.fixes/tcp-fastopen-accept-data-FIN-present-in-SYNACK-messa.patch
new file mode 100644
index 0000000000..fd03e7836b
--- /dev/null
+++ b/patches.fixes/tcp-fastopen-accept-data-FIN-present-in-SYNACK-messa.patch
@@ -0,0 +1,155 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 1 Feb 2016 21:03:07 -0800
+Subject: tcp: fastopen: accept data/FIN present in SYNACK message
+Patch-mainline: v4.6-rc1
+Git-commit: 61d2bcae99f66a640b3dd9632180209143fb5512
+References: bsc#1042286
+
+RFC 7413 (TCP Fast Open) 4.2.2 states that the SYNACK message
+MAY include data and/or FIN
+
+This patch adds support for the client side :
+
+If we receive a SYNACK with payload or FIN, queue the skb instead
+of ignoring it.
+
+Since we already support the same for SYN, we refactor the existing
+code and reuse it. Note we need to clone the skb, so this operation
+might fail under memory pressure.
+
+Sara Dickinson pointed out FreeBSD server Fast Open implementation
+was planned to generate such SYNACK in the future.
+
+The server side might be implemented on linux later.
+
+Reported-by: Sara Dickinson <sara@sinodun.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp_fastopen.c | 64 ++++++++++++++++++++++++++-----------------------
+ net/ipv4/tcp_input.c | 3 +++
+ 3 files changed, 38 insertions(+), 30 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index e9d7a8ef9a6d..c494cab5428d 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1432,6 +1432,7 @@ void tcp_free_fastopen_req(struct tcp_sock *tp);
+
+ extern struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
+ int tcp_fastopen_reset_cipher(void *key, unsigned int len);
++void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);
+ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+ struct tcp_fastopen_cookie *foc,
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index fca618272a01..3225dd2ec3ab 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -124,6 +124,35 @@ static bool tcp_fastopen_cookie_gen(struct request_sock *req,
+ return false;
+ }
+
++
++/* If an incoming SYN or SYNACK frame contains a payload and/or FIN,
++ * queue this additional data / FIN.
++ */
++void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
++{
++ struct tcp_sock *tp = tcp_sk(sk);
++
++ if (TCP_SKB_CB(skb)->end_seq == tp->rcv_nxt)
++ return;
++
++ skb = skb_clone(skb, GFP_ATOMIC);
++ if (!skb)
++ return;
++
++ skb_dst_drop(skb);
++ __skb_pull(skb, tcp_hdrlen(skb));
++ skb_set_owner_r(skb, sk);
++
++ tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
++ __skb_queue_tail(&sk->sk_receive_queue, skb);
++ tp->syn_data_acked = 1;
++
++ /* u64_stats_update_begin(&tp->syncp) not needed here,
++ * as we certainly are not changing upper 32bit value (0)
++ */
++ tp->bytes_received = skb->len;
++}
++
+ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ struct sk_buff *skb,
+ struct dst_entry *dst,
+@@ -132,7 +161,6 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ struct tcp_sock *tp;
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+ struct sock *child;
+- u32 end_seq;
+ bool own_req;
+
+ req->num_retrans = 0;
+@@ -179,35 +207,11 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ tcp_init_metrics(child);
+ tcp_init_buffer_space(child);
+
+- /* Queue the data carried in the SYN packet.
+- * We used to play tricky games with skb_get().
+- * With lockless listener, it is a dead end.
+- * Do not think about it.
+- *
+- * XXX (TFO) - we honor a zero-payload TFO request for now,
+- * (any reason not to?) but no need to queue the skb since
+- * there is no data. How about SYN+FIN?
+- */
+- end_seq = TCP_SKB_CB(skb)->end_seq;
+- if (end_seq != TCP_SKB_CB(skb)->seq + 1) {
+- struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+-
+- if (likely(skb2)) {
+- skb_dst_drop(skb2);
+- __skb_pull(skb2, tcp_hdrlen(skb));
+- skb_set_owner_r(skb2, child);
+- __skb_queue_tail(&child->sk_receive_queue, skb2);
+- tp->syn_data_acked = 1;
+-
+- /* u64_stats_update_begin(&tp->syncp) not needed here,
+- * as we certainly are not changing upper 32bit value (0)
+- */
+- tp->bytes_received = end_seq - TCP_SKB_CB(skb)->seq - 1;
+- } else {
+- end_seq = TCP_SKB_CB(skb)->seq + 1;
+- }
+- }
+- tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = end_seq;
++ tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
++
++ tcp_fastopen_add_skb(child, skb);
++
++ tcp_rsk(req)->rcv_nxt = tp->rcv_nxt;
+ /* tcp_conn_request() is sending the SYNACK,
+ * and queues the child into listener accept queue.
+ */
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 818630cec54f..f421811eaab5 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5521,6 +5521,9 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
+ tp->syn_data_acked = tp->syn_data;
+ if (tp->syn_data_acked)
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVE);
++
++ tcp_fastopen_add_skb(sk, synack);
++
+ return false;
+ }
+
+--
+2.13.0
+
diff --git a/patches.fixes/tcp-fastopen-avoid-negative-sk_forward_alloc.patch b/patches.fixes/tcp-fastopen-avoid-negative-sk_forward_alloc.patch
new file mode 100644
index 0000000000..82dc91440b
--- /dev/null
+++ b/patches.fixes/tcp-fastopen-avoid-negative-sk_forward_alloc.patch
@@ -0,0 +1,42 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 7 Sep 2016 08:34:11 -0700
+Subject: tcp: fastopen: avoid negative sk_forward_alloc
+Patch-mainline: v4.8-rc7
+Git-commit: 76061f631c2ea4ab9c4d66f3a96ecc5737f5aaf7
+References: bsc#1042286
+
+When DATA and/or FIN are carried in a SYN/ACK message or SYN message,
+we append an skb in socket receive queue, but we forget to call
+sk_forced_mem_schedule().
+
+Effect is that the socket has a negative sk->sk_forward_alloc as long as
+the message is not read by the application.
+
+Josh Hunt fixed a similar issue in commit d22e15371811 ("tcp: fix tcp
+fin memory accounting")
+
+Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Josh Hunt <johunt@akamai.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/tcp_fastopen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 13cde1bd208a..5777da1cce7c 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -141,6 +141,7 @@ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
+
+ skb_dst_drop(skb);
+ __skb_pull(skb, tcp_hdrlen(skb));
++ sk_forced_mem_schedule(sk, skb->truesize);
+ skb_set_owner_r(skb, sk);
+
+ tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
+--
+2.13.0
+
diff --git a/patches.fixes/tcp-fastopen-call-tcp_fin-if-FIN-present-in-SYNACK.patch b/patches.fixes/tcp-fastopen-call-tcp_fin-if-FIN-present-in-SYNACK.patch
new file mode 100644
index 0000000000..4f967aec4c
--- /dev/null
+++ b/patches.fixes/tcp-fastopen-call-tcp_fin-if-FIN-present-in-SYNACK.patch
@@ -0,0 +1,70 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 6 Feb 2016 11:16:28 -0800
+Subject: tcp: fastopen: call tcp_fin() if FIN present in SYNACK
+Patch-mainline: v4.6-rc1
+Git-commit: e3e17b773bfe45462b7f3fae20c550025975cb13
+References: bsc#1042286
+
+When we acknowledge a FIN, it is not enough to ack the sequence number
+and queue the skb into receive queue. We also have to call tcp_fin()
+to properly update socket state and send proper poll() notifications.
+
+It seems we also had the problem if we received a SYN packet with the
+FIN flag set, but it does not seem an urgent issue, as no known
+implementation can do that.
+
+Fixes: 61d2bcae99f6 ("tcp: fastopen: accept data/FIN present in SYNACK message")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp_fastopen.c | 3 +++
+ net/ipv4/tcp_input.c | 2 +-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index c494cab5428d..dc7df299fe20 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -570,6 +570,7 @@ void tcp_rearm_rto(struct sock *sk);
+ void tcp_synack_rtt_meas(struct sock *sk, struct request_sock *req);
+ void tcp_reset(struct sock *sk);
+ void tcp_skb_mark_lost_uncond_verify(struct tcp_sock *tp, struct sk_buff *skb);
++void tcp_fin(struct sock *sk);
+
+ /* tcp_timer.c */
+ void tcp_init_xmit_timers(struct sock *);
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 3225dd2ec3ab..da7f8f4f4f8b 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -151,6 +151,9 @@ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
+ * as we certainly are not changing upper 32bit value (0)
+ */
+ tp->bytes_received = skb->len;
++
++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
++ tcp_fin(sk);
+ }
+
+ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index f421811eaab5..52de87a0bd3f 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4006,7 +4006,7 @@ void tcp_reset(struct sock *sk)
+ *
+ * If we are in FINWAIT-2, a received FIN moves us to TIME-WAIT.
+ */
+-static void tcp_fin(struct sock *sk)
++void tcp_fin(struct sock *sk)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+--
+2.13.0
+
diff --git a/patches.fixes/tcp-fastopen-fix-rcv_wup-initialization-for-TFO-serv.patch b/patches.fixes/tcp-fastopen-fix-rcv_wup-initialization-for-TFO-serv.patch
new file mode 100644
index 0000000000..abe80cce67
--- /dev/null
+++ b/patches.fixes/tcp-fastopen-fix-rcv_wup-initialization-for-TFO-serv.patch
@@ -0,0 +1,47 @@
+From: Neal Cardwell <ncardwell@google.com>
+Date: Tue, 30 Aug 2016 11:55:23 -0400
+Subject: tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data
+Patch-mainline: v4.8-rc7
+Git-commit: 28b346cbc0715ae45b2814d857f1d8a7e6817ed8
+References: bsc#1042286
+
+Yuchung noticed that on the first TFO server data packet sent after
+the (TFO) handshake, the server echoed the TCP timestamp value in the
+SYN/data instead of the timestamp value in the final ACK of the
+handshake. This problem did not happen on regular opens.
+
+The tcp_replace_ts_recent() logic that decides whether to remember an
+incoming TS value needs tp->rcv_wup to hold the latest receive
+sequence number that we have ACKed (latest tp->rcv_nxt we have
+ACKed). This commit fixes this issue by ensuring that a TFO server
+properly updates tp->rcv_wup to match tp->rcv_nxt at the time it sends
+a SYN/ACK for the SYN/data.
+
+Reported-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/tcp_fastopen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index da7f8f4f4f8b..13cde1bd208a 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -215,6 +215,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ tcp_fastopen_add_skb(child, skb);
+
+ tcp_rsk(req)->rcv_nxt = tp->rcv_nxt;
++ tp->rcv_wup = tp->rcv_nxt;
+ /* tcp_conn_request() is sending the SYNACK,
+ * and queues the child into listener accept queue.
+ */
+--
+2.13.0
+
diff --git a/patches.fixes/udp-avoid-ufo-handling-on-IP-payload-compression-pac.patch b/patches.fixes/udp-avoid-ufo-handling-on-IP-payload-compression-pac.patch
new file mode 100644
index 0000000000..1cabf2824f
--- /dev/null
+++ b/patches.fixes/udp-avoid-ufo-handling-on-IP-payload-compression-pac.patch
@@ -0,0 +1,80 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Thu, 9 Mar 2017 13:56:46 +0300
+Subject: udp: avoid ufo handling on IP payload compression packets
+Patch-mainline: v4.11-rc3
+Git-commit: 4b3b45edba9222e518a1ec72df841eba3609fe34
+References: bsc#1042286
+
+commit c146066ab802 ("ipv4: Don't use ufo handling on later transformed
+packets") and commit f89c56ce710a ("ipv6: Don't use ufo handling on
+later transformed packets") added a check that 'rt->dst.header_len' isn't
+zero in order to skip UFO, but it doesn't include IPcomp in transport mode
+where it equals zero.
+
+Packets, after payload compression, may not require further fragmentation,
+and if original length exceeds MTU, later compressed packets will be
+transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
+on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
+
+* IPv4 case, offset is wrong + unnecessary fragmentation
+ udp_ipsec.sh -p comp -m transport -s 2000 &
+ tcpdump -ni ltp_ns_veth2
+ ...
+ IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
+ proto Compressed IP (108), length 49)
+ 10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
+ IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
+ proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
+
+* IPv6 case, sending small fragments
+ udp_ipsec.sh -6 -p comp -m transport -s 2000 &
+ tcpdump -ni ltp_ns_veth2
+ ...
+ IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
+ payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
+ IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
+ payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
+
+Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
+if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
+
+Fixes: c146066ab802 ("ipv4: Don't use ufo handling on later transformed packets")
+Fixes: f89c56ce710a ("ipv6: Don't use ufo handling on later transformed packets")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 2b7283303650..cd0b17f35513 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -924,7 +924,7 @@ static int __ip_append_data(struct sock *sk,
+ cork->length += length;
+ if (((length > mtu) || (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
++ (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
+ err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ hh_len, fragheaderlen, transhdrlen,
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index dc5859472991..ab09f731b458 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1359,7 +1359,7 @@ emsgsize:
+ if (((length > mtu) ||
+ (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
++ (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
+ err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ hh_len, fragheaderlen, exthdrlen,
+--
+2.13.0
+
diff --git a/patches.fixes/udplite-call-proper-backlog-handlers.patch b/patches.fixes/udplite-call-proper-backlog-handlers.patch
new file mode 100644
index 0000000000..1948e0bd0c
--- /dev/null
+++ b/patches.fixes/udplite-call-proper-backlog-handlers.patch
@@ -0,0 +1,121 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 22 Nov 2016 09:06:45 -0800
+Subject: udplite: call proper backlog handlers
+Patch-mainline: v4.9-rc7
+Git-commit: 30c7be26fd3587abcb69587f781098e3ca2d565b
+References: bsc#1042286
+
+In commits 93821778def10 ("udp: Fix rcv socket locking") and
+f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into
+__udpv6_queue_rcv_skb") UDP backlog handlers were renamed, but UDPlite
+was forgotten.
+
+This leads to crashes if UDPlite header is pulled twice, which happens
+starting from commit e6afc8ace6dd ("udp: remove headers from UDP packets
+before queueing")
+
+Bug found by syzkaller team, thanks a lot guys !
+
+Note that backlog use in UDP/UDPlite is scheduled to be removed starting
+from linux-4.10, so this patch is only needed up to linux-4.9
+
+Fixes: 93821778def1 ("udp: Fix rcv socket locking")
+Fixes: f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into __udpv6_queue_rcv_skb")
+Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/udp.c | 2 +-
+ net/ipv4/udp_impl.h | 2 +-
+ net/ipv4/udplite.c | 2 +-
+ net/ipv6/udp.c | 2 +-
+ net/ipv6/udp_impl.h | 2 +-
+ net/ipv6/udplite.c | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 885c8cad941f..d43a989c0341 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1460,7 +1460,7 @@ static void udp_v4_rehash(struct sock *sk)
+ udp_lib_rehash(sk, new_hash);
+ }
+
+-static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
++int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ {
+ int rc;
+
+diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
+index 7e0fe4bdd967..feb50a16398d 100644
+--- a/net/ipv4/udp_impl.h
++++ b/net/ipv4/udp_impl.h
+@@ -25,7 +25,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
+ int flags, int *addr_len);
+ int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size,
+ int flags);
+-int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
++int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+ void udp_destroy_sock(struct sock *sk);
+
+ #ifdef CONFIG_PROC_FS
+diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
+index 3b3efbda48e1..78766b32b78b 100644
+--- a/net/ipv4/udplite.c
++++ b/net/ipv4/udplite.c
+@@ -50,7 +50,7 @@ struct proto udplite_prot = {
+ .sendmsg = udp_sendmsg,
+ .recvmsg = udp_recvmsg,
+ .sendpage = udp_sendpage,
+- .backlog_rcv = udp_queue_rcv_skb,
++ .backlog_rcv = __udp_queue_rcv_skb,
+ .hash = udp_lib_hash,
+ .unhash = udp_lib_unhash,
+ .get_port = udp_v4_get_port,
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1ab7123c0fe0..73f41898e6a6 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -585,7 +585,7 @@ out:
+ sock_put(sk);
+ }
+
+-static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
++int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ {
+ int rc;
+
+diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h
+index 0682c031ccdc..3c1dbc9f74cf 100644
+--- a/net/ipv6/udp_impl.h
++++ b/net/ipv6/udp_impl.h
+@@ -26,7 +26,7 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
+ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
+ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
+ int flags, int *addr_len);
+-int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
++int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+ void udpv6_destroy_sock(struct sock *sk);
+
+ void udp_v6_clear_sk(struct sock *sk, int size);
+diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c
+index 9cf097e206e9..d1eaeeaa34d2 100644
+--- a/net/ipv6/udplite.c
++++ b/net/ipv6/udplite.c
+@@ -45,7 +45,7 @@ struct proto udplitev6_prot = {
+ .getsockopt = udpv6_getsockopt,
+ .sendmsg = udpv6_sendmsg,
+ .recvmsg = udpv6_recvmsg,
+- .backlog_rcv = udpv6_queue_rcv_skb,
++ .backlog_rcv = __udpv6_queue_rcv_skb,
+ .hash = udp_lib_hash,
+ .unhash = udp_lib_unhash,
+ .get_port = udp_v6_get_port,
+--
+2.13.0
+
diff --git a/patches.fixes/xfrm-Fix-memory-leak-of-aead-algorithm-name.patch b/patches.fixes/xfrm-Fix-memory-leak-of-aead-algorithm-name.patch
new file mode 100644
index 0000000000..800261cea0
--- /dev/null
+++ b/patches.fixes/xfrm-Fix-memory-leak-of-aead-algorithm-name.patch
@@ -0,0 +1,41 @@
+From: Ilan Tayari <ilant@mellanox.com>
+Date: Sun, 18 Sep 2016 07:42:53 +0000
+Subject: xfrm: Fix memory leak of aead algorithm name
+Patch-mainline: v4.8-rc8
+Git-commit: b588479358ce26f32138e0f0a7ab0678f8e3e601
+References: bsc#1042286
+
+commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
+introduced aead. The function attach_aead kmemdup()s the algorithm
+name during xfrm_state_construct().
+However this memory is never freed.
+Implementation has since been slightly modified in
+commit ee5c23176fcc ("xfrm: Clone states properly on migration")
+without resolving this leak.
+This patch adds a kfree() call for the aead algorithm name.
+
+Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
+Signed-off-by: Ilan Tayari <ilant@mellanox.com>
+Acked-by: Rami Rosen <roszenrami@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 9895a8c56d8c..a30f898dc1c5 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -332,6 +332,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
+ {
+ tasklet_hrtimer_cancel(&x->mtimer);
+ del_timer_sync(&x->rtimer);
++ kfree(x->aead);
+ kfree(x->aalg);
+ kfree(x->ealg);
+ kfree(x->calg);
+--
+2.13.0
+
diff --git a/series.conf b/series.conf
index 370b70dccf..b74fec38f6 100644
--- a/series.conf
+++ b/series.conf
@@ -3229,6 +3229,23 @@
patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
patches.fixes/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
+ patches.fixes/bonding-don-t-use-stale-speed-and-duplex-information.patch
+ patches.fixes/ipv6-fix-endianness-error-in-icmpv6_err.patch
+ patches.fixes/bonding-prevent-out-of-bound-accesses.patch
+ patches.fixes/tcp-fastopen-accept-data-FIN-present-in-SYNACK-messa.patch
+ patches.fixes/tcp-fastopen-call-tcp_fin-if-FIN-present-in-SYNACK.patch
+ patches.fixes/tcp-fastopen-fix-rcv_wup-initialization-for-TFO-serv.patch
+ patches.fixes/tcp-fastopen-avoid-negative-sk_forward_alloc.patch
+ patches.fixes/xfrm-Fix-memory-leak-of-aead-algorithm-name.patch
+ patches.fixes/ipv6-Don-t-use-ufo-handling-on-later-transformed-pac.patch
+ patches.fixes/udp-avoid-ufo-handling-on-IP-payload-compression-pac.patch
+ patches.fixes/rtnl-reset-calcit-fptr-in-rtnl_unregister.patch
+ patches.fixes/udplite-call-proper-backlog-handlers.patch
+ patches.fixes/tcp-account-for-ts-offset-only-if-tsecr-not-zero.patch
+ patches.fixes/net-ipv6-set-route-type-for-anycast-routes.patch
+ patches.fixes/l2tp-fix-race-in-l2tp_recv_common.patch
+ patches.fixes/bonding-avoid-defaulting-hard_header_len-to-ETH_HLEN.patch
+ patches.fixes/ipv4-add-reference-counting-to-metrics.patch
########################################################
# Netfilter
@@ -3238,6 +3255,13 @@
patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch
patches.fixes/netfilter-allow-logging-from-non-init-namespaces.patch
patches.fixes/netfilter-arp_tables-fix-invoking-32bit-iptable-P-IN.patch
+ patches.fixes/netfilter-nf_dup_ipv6-set-again-FLOWI_FLAG_KNOWN_NH-.patch
+ patches.fixes/netfilter-nf_ct_expect-remove-the-redundant-slash-wh.patch
+ patches.fixes/netfilter-nfnetlink_queue-reject-verdict-request-fro.patch
+ patches.fixes/netfilter-restart-search-if-moved-to-other-chain.patch
+ patches.fixes/netfilter-nf_conntrack_sip-extend-request-line-valid.patch
+ patches.fixes/netfilter-use-fwmark_reflect-in-nf_send_reset.patch
+ patches.fixes/netfilter-nf_nat_snmp-Fix-panic-when-snmp_trap_helpe.patch
########################################################