Change-Id: I988f06baece9b6c0c72f34b1b99d1381a0dc2f60
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1532
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
(cherry picked from commit 12ce123c43001aabb6c686e610a6c3a860aa9c84)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1539
Reviewed-by: suezzelur <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,52 @@ |
0 |
+From b8cba75bdf6a48ea4811bbefb11a94a5c7281b68 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jesse Gross <jesse@kernel.org> |
|
2 |
+Date: Sat, 19 Mar 2016 09:32:00 -0700 |
|
3 |
+Subject: ipip: Properly mark ipip GRO packets as encapsulated. |
|
4 |
+ |
|
5 |
+ipip encapsulated packets can be merged together by GRO but the result |
|
6 |
+does not have the proper GSO type set or even marked as being |
|
7 |
+encapsulated at all. Later retransmission of these packets will likely |
|
8 |
+fail if the device does not support ipip offloads. This is similar to |
|
9 |
+the issue resolved in IPv6 sit in feec0cb3 |
|
10 |
+("ipv6: gro: support sit protocol"). |
|
11 |
+ |
|
12 |
+Reported-by: Patrick Boutilier <boutilpj@ednet.ns.ca> |
|
13 |
+Fixes: 9667e9bb ("ipip: Add gro callbacks to ipip offload") |
|
14 |
+Tested-by: Patrick Boutilier <boutilpj@ednet.ns.ca> |
|
15 |
+Acked-by: Eric Dumazet <edumazet@google.com> |
|
16 |
+Signed-off-by: Jesse Gross <jesse@kernel.org> |
|
17 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
18 |
+--- |
|
19 |
+ net/ipv4/af_inet.c | 9 ++++++++- |
|
20 |
+ 1 file changed, 8 insertions(+), 1 deletion(-) |
|
21 |
+ |
|
22 |
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c |
|
23 |
+index 0cc923f..9659233 100644 |
|
24 |
+--- a/net/ipv4/af_inet.c |
|
25 |
+@@ -1448,6 +1448,13 @@ out_unlock: |
|
26 |
+ return err; |
|
27 |
+ } |
|
28 |
+ |
|
29 |
++static int ipip_gro_complete(struct sk_buff *skb, int nhoff) |
|
30 |
++{ |
|
31 |
++ skb->encapsulation = 1; |
|
32 |
++ skb_shinfo(skb)->gso_type |= SKB_GSO_IPIP; |
|
33 |
++ return inet_gro_complete(skb, nhoff); |
|
34 |
++} |
|
35 |
++ |
|
36 |
+ int inet_ctl_sock_create(struct sock **sk, unsigned short family, |
|
37 |
+ unsigned short type, unsigned char protocol, |
|
38 |
+ struct net *net) |
|
39 |
+@@ -1676,7 +1683,7 @@ static const struct net_offload ipip_offload = { |
|
40 |
+ .callbacks = { |
|
41 |
+ .gso_segment = inet_gso_segment, |
|
42 |
+ .gro_receive = inet_gro_receive, |
|
43 |
+- .gro_complete = inet_gro_complete, |
|
44 |
++ .gro_complete = ipip_gro_complete, |
|
45 |
+ }, |
|
46 |
+ }; |
|
47 |
+ |
|
48 |
+-- |
|
49 |
+cgit v0.12 |
|
50 |
+ |
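Review bot: `ipip_gro_complete` sets `skb->encapsulation` and ORs in `SKB_GSO_IPIP` before delegating to `inet_gro_complete`, with no comment saying why; the reason is only in the patch description. A one-line comment above the function would keep it with the code, e.g. `/* GRO-merged ipip packets must be marked encapsulated with SKB_GSO_IPIP, or later retransmission can fail on devices without ipip offload */`. Note also that this patch only corrects the marking on the completion path. Nothing in its two hunks rejects a packet that already passed through another tunnel layer, so it should not be read as the stacking fix on its own.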
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.4.20 |
5 |
-Release: 5%{?dist} |
|
5 |
+Release: 6%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -35,6 +35,10 @@ Patch18: vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch |
35 | 35 |
Patch19: keys-fix-asn.1-indefinite-length-object-parsing.patch |
36 | 36 |
Patch20: vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch |
37 | 37 |
Patch21: vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch |
38 |
+#fixes CVE-2016-8666 |
|
39 |
+Patch22: ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch |
|
40 |
+#fixes CVE-2016-8666 |
|
41 |
+Patch23: tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch |
|
38 | 42 |
BuildRequires: bc |
39 | 43 |
BuildRequires: kbd |
40 | 44 |
BuildRequires: kmod |
... | ... |
@@ -91,6 +95,8 @@ The Linux package contains the Linux kernel doc files |
91 | 91 |
%patch19 -p1 |
92 | 92 |
%patch20 -p1 |
93 | 93 |
%patch21 -p1 |
94 |
+%patch22 -p1 |
|
95 |
+%patch23 -p1 |
|
94 | 96 |
|
95 | 97 |
%build |
96 | 98 |
# patch vmw_balloon driver |
... | ... |
@@ -162,6 +168,9 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg |
162 | 162 |
/usr/src/%{name}-headers-%{version}-%{release} |
163 | 163 |
|
164 | 164 |
%changelog |
165 |
+* Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-6 |
|
166 |
+- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch |
|
167 |
+- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch |
|
165 | 168 |
* Thu Oct 6 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-5 |
166 | 169 |
- .config: added ADM PCnet32 support |
167 | 170 |
- vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch |
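Review bot: Both new patches carry the same `#fixes CVE-2016-8666` comment, and the `%changelog` entry for 4.4.20-6 does not name the CVE at all. Going by the patch descriptions on this page, the tunnel-stacking check is in Patch23, while Patch22 describes a GSO-type marking problem and appears to be included because Patch23's `af_inet.c` hunks are based on it (its `index 9659233..` line starts from Patch22's result). I would therefore comment Patch22 as `#prerequisite for the CVE-2016-8666 fix` and keep `%patch22` ahead of `%patch23`. I would also put the identifier in the changelog, e.g. `- Fix CVE-2016-8666: tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch`, so that `rpm -q --changelog` shows which release is patched. The same applies to Patch17/Patch18 and the 4.4.20-5 entry in the `linux` spec section that follows.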
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.4.20 |
5 |
-Release: 4%{?dist} |
|
5 |
+Release: 5%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -31,6 +31,10 @@ Patch14: vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch |
31 | 31 |
Patch15: apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch |
32 | 32 |
#fixes CVE-2016-0758 |
33 | 33 |
Patch16: keys-fix-asn.1-indefinite-length-object-parsing.patch |
34 |
+#fixes CVE-2016-8666 |
|
35 |
+Patch17: ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch |
|
36 |
+#fixes CVE-2016-8666 |
|
37 |
+Patch18: tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch |
|
34 | 38 |
BuildRequires: bc |
35 | 39 |
BuildRequires: kbd |
36 | 40 |
BuildRequires: kmod |
... | ... |
@@ -103,6 +107,8 @@ Kernel driver for oprofile, a statistical profiler for Linux systems |
103 | 103 |
%patch14 -p1 |
104 | 104 |
%patch15 -p1 |
105 | 105 |
%patch16 -p1 |
106 |
+%patch17 -p1 |
|
107 |
+%patch18 -p1 |
|
106 | 108 |
|
107 | 109 |
%build |
108 | 110 |
make mrproper |
... | ... |
@@ -200,6 +206,9 @@ ln -s /usr/lib/debug/lib/modules/%{version}/vmlinux-%{version}-%{release}.debug |
200 | 200 |
/lib/modules/%{version}/kernel/arch/x86/oprofile/ |
201 | 201 |
|
202 | 202 |
%changelog |
203 |
+* Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-5 |
|
204 |
+- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch |
|
205 |
+- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch |
|
203 | 206 |
* Mon Oct 3 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-4 |
204 | 207 |
- Package vmlinux with PROGBITS sections in -debuginfo subpackage |
205 | 208 |
* Tue Sep 27 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-3 |
206 | 209 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,167 @@ |
0 |
+From fac8e0f579695a3ecbc4d3cac369139d7f819971 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jesse Gross <jesse@kernel.org> |
|
2 |
+Date: Sat, 19 Mar 2016 09:32:01 -0700 |
|
3 |
+Subject: tunnels: Don't apply GRO to multiple layers of encapsulation. |
|
4 |
+ |
|
5 |
+When drivers express support for TSO of encapsulated packets, they |
|
6 |
+only mean that they can do it for one layer of encapsulation. |
|
7 |
+Supporting additional levels would mean updating, at a minimum, |
|
8 |
+more IP length fields and they are unaware of this. |
|
9 |
+ |
|
10 |
+No encapsulation device expresses support for handling offloaded |
|
11 |
+encapsulated packets, so we won't generate these types of frames |
|
12 |
+in the transmit path. However, GRO doesn't have a check for |
|
13 |
+multiple levels of encapsulation and will attempt to build them. |
|
14 |
+ |
|
15 |
+UDP tunnel GRO actually does prevent this situation but it only |
|
16 |
+handles multiple UDP tunnels stacked on top of each other. This |
|
17 |
+generalizes that solution to prevent any kind of tunnel stacking |
|
18 |
+that would cause problems. |
|
19 |
+ |
|
20 |
+Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack") |
|
21 |
+Signed-off-by: Jesse Gross <jesse@kernel.org> |
|
22 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
23 |
+--- |
|
24 |
+ include/linux/netdevice.h | 4 ++-- |
|
25 |
+ net/core/dev.c | 2 +- |
|
26 |
+ net/ipv4/af_inet.c | 15 ++++++++++++++- |
|
27 |
+ net/ipv4/gre_offload.c | 5 +++++ |
|
28 |
+ net/ipv4/udp_offload.c | 6 +++--- |
|
29 |
+ net/ipv6/ip6_offload.c | 15 ++++++++++++++- |
|
30 |
+ 6 files changed, 39 insertions(+), 8 deletions(-) |
|
31 |
+ |
|
32 |
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h |
|
33 |
+index be693b3..f9eebd5 100644 |
|
34 |
+--- a/include/linux/netdevice.h |
|
35 |
+@@ -2096,8 +2096,8 @@ struct napi_gro_cb { |
|
36 |
+ /* This is non-zero if the packet may be of the same flow. */ |
|
37 |
+ u8 same_flow:1; |
|
38 |
+ |
|
39 |
+- /* Used in udp_gro_receive */ |
|
40 |
+- u8 udp_mark:1; |
|
41 |
++ /* Used in tunnel GRO receive */ |
|
42 |
++ u8 encap_mark:1; |
|
43 |
+ |
|
44 |
+ /* GRO checksum is valid */ |
|
45 |
+ u8 csum_valid:1; |
|
46 |
+diff --git a/net/core/dev.c b/net/core/dev.c |
|
47 |
+index edb7179..43c74ca 100644 |
|
48 |
+--- a/net/core/dev.c |
|
49 |
+@@ -4438,7 +4438,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff |
|
50 |
+ NAPI_GRO_CB(skb)->same_flow = 0; |
|
51 |
+ NAPI_GRO_CB(skb)->flush = 0; |
|
52 |
+ NAPI_GRO_CB(skb)->free = 0; |
|
53 |
+- NAPI_GRO_CB(skb)->udp_mark = 0; |
|
54 |
++ NAPI_GRO_CB(skb)->encap_mark = 0; |
|
55 |
+ NAPI_GRO_CB(skb)->gro_remcsum_start = 0; |
|
56 |
+ |
|
57 |
+ /* Setup for GRO checksum validation */ |
|
58 |
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c |
|
59 |
+index 9659233..0fefba6 100644 |
|
60 |
+--- a/net/ipv4/af_inet.c |
|
61 |
+@@ -1380,6 +1380,19 @@ out: |
|
62 |
+ return pp; |
|
63 |
+ } |
|
64 |
+ |
|
65 |
++static struct sk_buff **ipip_gro_receive(struct sk_buff **head, |
|
66 |
++ struct sk_buff *skb) |
|
67 |
++{ |
|
68 |
++ if (NAPI_GRO_CB(skb)->encap_mark) { |
|
69 |
++ NAPI_GRO_CB(skb)->flush = 1; |
|
70 |
++ return NULL; |
|
71 |
++ } |
|
72 |
++ |
|
73 |
++ NAPI_GRO_CB(skb)->encap_mark = 1; |
|
74 |
++ |
|
75 |
++ return inet_gro_receive(head, skb); |
|
76 |
++} |
|
77 |
++ |
|
78 |
+ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) |
|
79 |
+ { |
|
80 |
+ if (sk->sk_family == AF_INET) |
|
81 |
+@@ -1682,7 +1695,7 @@ static struct packet_offload ip_packet_offload __read_mostly = { |
|
82 |
+ static const struct net_offload ipip_offload = { |
|
83 |
+ .callbacks = { |
|
84 |
+ .gso_segment = inet_gso_segment, |
|
85 |
+- .gro_receive = inet_gro_receive, |
|
86 |
++ .gro_receive = ipip_gro_receive, |
|
87 |
+ .gro_complete = ipip_gro_complete, |
|
88 |
+ }, |
|
89 |
+ }; |
|
90 |
+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c |
|
91 |
+index 540866d..dd03161 100644 |
|
92 |
+--- a/net/ipv4/gre_offload.c |
|
93 |
+@@ -126,6 +126,11 @@ static struct sk_buff **gre_gro_receive(struct sk_buff **head, |
|
94 |
+ struct packet_offload *ptype; |
|
95 |
+ __be16 type; |
|
96 |
+ |
|
97 |
++ if (NAPI_GRO_CB(skb)->encap_mark) |
|
98 |
++ goto out; |
|
99 |
++ |
|
100 |
++ NAPI_GRO_CB(skb)->encap_mark = 1; |
|
101 |
++ |
|
102 |
+ off = skb_gro_offset(skb); |
|
103 |
+ hlen = off + sizeof(*greh); |
|
104 |
+ greh = skb_gro_header_fast(skb, off); |
|
105 |
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c |
|
106 |
+index 8a3405a..8007f73 100644 |
|
107 |
+--- a/net/ipv4/udp_offload.c |
|
108 |
+@@ -311,14 +311,14 @@ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb, |
|
109 |
+ unsigned int off = skb_gro_offset(skb); |
|
110 |
+ int flush = 1; |
|
111 |
+ |
|
112 |
+- if (NAPI_GRO_CB(skb)->udp_mark || |
|
113 |
++ if (NAPI_GRO_CB(skb)->encap_mark || |
|
114 |
+ (skb->ip_summed != CHECKSUM_PARTIAL && |
|
115 |
+ NAPI_GRO_CB(skb)->csum_cnt == 0 && |
|
116 |
+ !NAPI_GRO_CB(skb)->csum_valid)) |
|
117 |
+ goto out; |
|
118 |
+ |
|
119 |
+- /* mark that this skb passed once through the udp gro layer */ |
|
120 |
+- NAPI_GRO_CB(skb)->udp_mark = 1; |
|
121 |
++ /* mark that this skb passed once through the tunnel gro layer */ |
|
122 |
++ NAPI_GRO_CB(skb)->encap_mark = 1; |
|
123 |
+ |
|
124 |
+ rcu_read_lock(); |
|
125 |
+ uo_priv = rcu_dereference(udp_offload_base); |
|
126 |
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c |
|
127 |
+index eeca943..82e9f30 100644 |
|
128 |
+--- a/net/ipv6/ip6_offload.c |
|
129 |
+@@ -258,6 +258,19 @@ out: |
|
130 |
+ return pp; |
|
131 |
+ } |
|
132 |
+ |
|
133 |
++static struct sk_buff **sit_gro_receive(struct sk_buff **head, |
|
134 |
++ struct sk_buff *skb) |
|
135 |
++{ |
|
136 |
++ if (NAPI_GRO_CB(skb)->encap_mark) { |
|
137 |
++ NAPI_GRO_CB(skb)->flush = 1; |
|
138 |
++ return NULL; |
|
139 |
++ } |
|
140 |
++ |
|
141 |
++ NAPI_GRO_CB(skb)->encap_mark = 1; |
|
142 |
++ |
|
143 |
++ return ipv6_gro_receive(head, skb); |
|
144 |
++} |
|
145 |
++ |
|
146 |
+ static int ipv6_gro_complete(struct sk_buff *skb, int nhoff) |
|
147 |
+ { |
|
148 |
+ const struct net_offload *ops; |
|
149 |
+@@ -302,7 +315,7 @@ static struct packet_offload ipv6_packet_offload __read_mostly = { |
|
150 |
+ static const struct net_offload sit_offload = { |
|
151 |
+ .callbacks = { |
|
152 |
+ .gso_segment = ipv6_gso_segment, |
|
153 |
+- .gro_receive = ipv6_gro_receive, |
|
154 |
++ .gro_receive = sit_gro_receive, |
|
155 |
+ .gro_complete = sit_gro_complete, |
|
156 |
+ }, |
|
157 |
+ }; |
|
158 |
+-- |
|
159 |
+cgit v0.12 |
|
160 |
+ |
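Review bot: The one-bit `encap_mark` is now the only thing stopping GRO from aggregating through a second tunnel header, yet its comment in `struct napi_gro_cb` says only `/* Used in tunnel GRO receive */`. I would state the invariant there, e.g. `/* Set by the first tunnel gro_receive; a later tunnel layer that finds it set must flush instead of aggregating */`. The check is also written two ways: `ipip_gro_receive` and `sit_gro_receive` set `flush = 1` and return NULL, while `gre_gro_receive` and `udp_gro_receive` use `goto out`. That label lies outside the hunks, so it is worth confirming against the 4.4.20 tree that `out:` in both functions sets the flush flag. Any other `gro_receive` callback in this tree that parses an inner header would need the same check; the patch covers ipip, sit, GRE and UDP tunnels.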