new file mode 100644

@@ -0,0 +1,52 @@

+From b8cba75bdf6a48ea4811bbefb11a94a5c7281b68 Mon Sep 17 00:00:00 2001

+From: Jesse Gross <jesse@kernel.org>

+Date: Sat, 19 Mar 2016 09:32:00 -0700

+Subject: ipip: Properly mark ipip GRO packets as encapsulated.

+

+ipip encapsulated packets can be merged together by GRO but the result

+does not have the proper GSO type set or even marked as being

+encapsulated at all. Later retransmission of these packets will likely

+fail if the device does not support ipip offloads. This is similar to

+the issue resolved in IPv6 sit in feec0cb3

+("ipv6: gro: support sit protocol").

+

+Reported-by: Patrick Boutilier <boutilpj@ednet.ns.ca>

+Fixes: 9667e9bb ("ipip: Add gro callbacks to ipip offload")

+Tested-by: Patrick Boutilier <boutilpj@ednet.ns.ca>

+Acked-by: Eric Dumazet <edumazet@google.com>

+Signed-off-by: Jesse Gross <jesse@kernel.org>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+---

+ net/ipv4/af_inet.c | 9 ++++++++-

+ 1 file changed, 8 insertions(+), 1 deletion(-)

+

+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c

+index 0cc923f..9659233 100644

+--- a/net/ipv4/af_inet.c

+@@ -1448,6 +1448,13 @@ out_unlock:

+ 	return err;

+ }

+ 

++static int ipip_gro_complete(struct sk_buff *skb, int nhoff)

++{

++	skb->encapsulation = 1;

++	skb_shinfo(skb)->gso_type |= SKB_GSO_IPIP;

++	return inet_gro_complete(skb, nhoff);

++}

++

+ int inet_ctl_sock_create(struct sock **sk, unsigned short family,

+ 			 unsigned short type, unsigned char protocol,

+ 			 struct net *net)

+@@ -1676,7 +1683,7 @@ static const struct net_offload ipip_offload = {

+ 	.callbacks = {

+ 		.gso_segment	= inet_gso_segment,

+ 		.gro_receive	= inet_gro_receive,

+-		.gro_complete	= inet_gro_complete,

++		.gro_complete	= ipip_gro_complete,

+ 	},

+ };

+ 

+-- 

+cgit v0.12

+

@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.4.20

-Release:       5%{?dist}

+Release:       6%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -35,6 +35,10 @@ Patch18:       vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch

 Patch19:       keys-fix-asn.1-indefinite-length-object-parsing.patch

 Patch20:       vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch

 Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

+#fixes CVE-2016-8666

+Patch22:       ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

+#fixes CVE-2016-8666

+Patch23:       tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -91,6 +95,8 @@ The Linux package contains the Linux kernel doc files

 %patch19 -p1

 %patch20 -p1

 %patch21 -p1

+%patch22 -p1

+%patch23 -p1

 %build

 # patch vmw_balloon driver

@@ -162,6 +168,9 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg

 /usr/src/%{name}-headers-%{version}-%{release}

 %changelog

+*   Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-6

+-   ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

+-   tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

 *   Thu Oct  6 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-5

 -   .config: added ADM PCnet32 support

 -   vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:    	4.4.20

-Release:    	4%{?dist}

+Release:    	5%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -31,6 +31,10 @@ Patch14:        vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch

 Patch15:        apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch

 #fixes CVE-2016-0758

 Patch16:        keys-fix-asn.1-indefinite-length-object-parsing.patch

+#fixes CVE-2016-8666

+Patch17:        ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

+#fixes CVE-2016-8666

+Patch18:        tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

 BuildRequires:  bc

 BuildRequires:  kbd

 BuildRequires:  kmod

@@ -103,6 +107,8 @@ Kernel driver for oprofile, a statistical profiler for Linux systems

 %patch14 -p1

 %patch15 -p1

 %patch16 -p1

+%patch17 -p1

+%patch18 -p1

 %build

 make mrproper

@@ -200,6 +206,9 @@ ln -s /usr/lib/debug/lib/modules/%{version}/vmlinux-%{version}-%{release}.debug

 /lib/modules/%{version}/kernel/arch/x86/oprofile/

 %changelog

+*   Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-5

+-   ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

+-   tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

 *   Mon Oct  3 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-4

 -   Package vmlinux with PROGBITS sections in -debuginfo subpackage

 *   Tue Sep 27 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-3

new file mode 100644

@@ -0,0 +1,167 @@

+From fac8e0f579695a3ecbc4d3cac369139d7f819971 Mon Sep 17 00:00:00 2001

+From: Jesse Gross <jesse@kernel.org>

+Date: Sat, 19 Mar 2016 09:32:01 -0700

+Subject: tunnels: Don't apply GRO to multiple layers of encapsulation.

+

+When drivers express support for TSO of encapsulated packets, they

+only mean that they can do it for one layer of encapsulation.

+Supporting additional levels would mean updating, at a minimum,

+more IP length fields and they are unaware of this.

+

+No encapsulation device expresses support for handling offloaded

+encapsulated packets, so we won't generate these types of frames

+in the transmit path. However, GRO doesn't have a check for

+multiple levels of encapsulation and will attempt to build them.

+

+UDP tunnel GRO actually does prevent this situation but it only

+handles multiple UDP tunnels stacked on top of each other. This

+generalizes that solution to prevent any kind of tunnel stacking

+that would cause problems.

+

+Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack")

+Signed-off-by: Jesse Gross <jesse@kernel.org>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+---

+ include/linux/netdevice.h |  4 ++--

+ net/core/dev.c            |  2 +-

+ net/ipv4/af_inet.c        | 15 ++++++++++++++-

+ net/ipv4/gre_offload.c    |  5 +++++

+ net/ipv4/udp_offload.c    |  6 +++---

+ net/ipv6/ip6_offload.c    | 15 ++++++++++++++-

+ 6 files changed, 39 insertions(+), 8 deletions(-)

+

+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h

+index be693b3..f9eebd5 100644

+--- a/include/linux/netdevice.h

+@@ -2096,8 +2096,8 @@ struct napi_gro_cb {

+ 	/* This is non-zero if the packet may be of the same flow. */

+ 	u8	same_flow:1;

+ 

+-	/* Used in udp_gro_receive */

+-	u8	udp_mark:1;

++	/* Used in tunnel GRO receive */

++	u8	encap_mark:1;

+ 

+ 	/* GRO checksum is valid */

+ 	u8	csum_valid:1;

+diff --git a/net/core/dev.c b/net/core/dev.c

+index edb7179..43c74ca 100644

+--- a/net/core/dev.c

+@@ -4438,7 +4438,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff

+ 		NAPI_GRO_CB(skb)->same_flow = 0;

+ 		NAPI_GRO_CB(skb)->flush = 0;

+ 		NAPI_GRO_CB(skb)->free = 0;

+-		NAPI_GRO_CB(skb)->udp_mark = 0;

++		NAPI_GRO_CB(skb)->encap_mark = 0;

+ 		NAPI_GRO_CB(skb)->gro_remcsum_start = 0;

+ 

+ 		/* Setup for GRO checksum validation */

+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c

+index 9659233..0fefba6 100644

+--- a/net/ipv4/af_inet.c

+@@ -1380,6 +1380,19 @@ out:

+ 	return pp;

+ }

+ 

++static struct sk_buff **ipip_gro_receive(struct sk_buff **head,

++					 struct sk_buff *skb)

++{

++	if (NAPI_GRO_CB(skb)->encap_mark) {

++		NAPI_GRO_CB(skb)->flush = 1;

++		return NULL;

++	}

++

++	NAPI_GRO_CB(skb)->encap_mark = 1;

++

++	return inet_gro_receive(head, skb);

++}

++

+ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)

+ {

+ 	if (sk->sk_family == AF_INET)

+@@ -1682,7 +1695,7 @@ static struct packet_offload ip_packet_offload __read_mostly = {

+ static const struct net_offload ipip_offload = {

+ 	.callbacks = {

+ 		.gso_segment	= inet_gso_segment,

+-		.gro_receive	= inet_gro_receive,

++		.gro_receive	= ipip_gro_receive,

+ 		.gro_complete	= ipip_gro_complete,

+ 	},

+ };

+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c

+index 540866d..dd03161 100644

+--- a/net/ipv4/gre_offload.c

+@@ -126,6 +126,11 @@ static struct sk_buff **gre_gro_receive(struct sk_buff **head,

+ 	struct packet_offload *ptype;

+ 	__be16 type;

+ 

++	if (NAPI_GRO_CB(skb)->encap_mark)

++		goto out;

++

++	NAPI_GRO_CB(skb)->encap_mark = 1;

++

+ 	off = skb_gro_offset(skb);

+ 	hlen = off + sizeof(*greh);

+ 	greh = skb_gro_header_fast(skb, off);

+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c

+index 8a3405a..8007f73 100644

+--- a/net/ipv4/udp_offload.c

+@@ -311,14 +311,14 @@ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb,

+ 	unsigned int off = skb_gro_offset(skb);

+ 	int flush = 1;

+ 

+-	if (NAPI_GRO_CB(skb)->udp_mark ||

++	if (NAPI_GRO_CB(skb)->encap_mark ||

+ 	    (skb->ip_summed != CHECKSUM_PARTIAL &&

+ 	     NAPI_GRO_CB(skb)->csum_cnt == 0 &&

+ 	     !NAPI_GRO_CB(skb)->csum_valid))

+ 		goto out;

+ 

+-	/* mark that this skb passed once through the udp gro layer */

+-	NAPI_GRO_CB(skb)->udp_mark = 1;

++	/* mark that this skb passed once through the tunnel gro layer */

++	NAPI_GRO_CB(skb)->encap_mark = 1;

+ 

+ 	rcu_read_lock();

+ 	uo_priv = rcu_dereference(udp_offload_base);

+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c

+index eeca943..82e9f30 100644

+--- a/net/ipv6/ip6_offload.c

+@@ -258,6 +258,19 @@ out:

+ 	return pp;

+ }

+ 

++static struct sk_buff **sit_gro_receive(struct sk_buff **head,

++					struct sk_buff *skb)

++{

++	if (NAPI_GRO_CB(skb)->encap_mark) {

++		NAPI_GRO_CB(skb)->flush = 1;

++		return NULL;

++	}

++

++	NAPI_GRO_CB(skb)->encap_mark = 1;

++

++	return ipv6_gro_receive(head, skb);

++}

++

+ static int ipv6_gro_complete(struct sk_buff *skb, int nhoff)

+ {

+ 	const struct net_offload *ops;

+@@ -302,7 +315,7 @@ static struct packet_offload ipv6_packet_offload __read_mostly = {

+ static const struct net_offload sit_offload = {

+ 	.callbacks = {

+ 		.gso_segment	= ipv6_gso_segment,

+-		.gro_receive    = ipv6_gro_receive,

++		.gro_receive    = sit_gro_receive,

+ 		.gro_complete   = sit_gro_complete,

+ 	},

+ };

+-- 

+cgit v0.12

+