<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net, branch linux-3.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>p54usb: corrected USB ID for T-Com Sinus 154 data II</title>
<updated>2013-02-27T17:21:10+00:00</updated>
<author>
<name>Tomasz Guszkowski</name>
<email>tsg@o2.pl</email>
</author>
<published>2013-02-05T21:10:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=da89d452d6552a96216f79a823807b1887ef32bd'/>
<id>da89d452d6552a96216f79a823807b1887ef32bd</id>
<content type='text'>
commit 008e33f733ca51acb2dd9d88ea878693b04d1d2a upstream.

Corrected USB ID for T-Com Sinus 154 data II. ISL3887-based. The
device was tested in managed mode with no security, WEP 128
bit and WPA-PSK (TKIP) with firmware 2.13.1.0.lm87.arm (md5sum:
7d676323ac60d6e1a3b6d61e8c528248). It works.

Signed-off-by: Tomasz Guszkowski &lt;tsg@o2.pl&gt;
Acked-By: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 008e33f733ca51acb2dd9d88ea878693b04d1d2a upstream.

Corrected USB ID for T-Com Sinus 154 data II. ISL3887-based. The
device was tested in managed mode with no security, WEP 128
bit and WPA-PSK (TKIP) with firmware 2.13.1.0.lm87.arm (md5sum:
7d676323ac60d6e1a3b6d61e8c528248). It works.

Signed-off-by: Tomasz Guszkowski &lt;tsg@o2.pl&gt;
Acked-By: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>rtlwifi: usb: allocate URB control message setup_packet and data buffer separately</title>
<updated>2013-02-27T17:21:07+00:00</updated>
<author>
<name>Jussi Kivilinna</name>
<email>jussi.kivilinna@mbnet.fi</email>
</author>
<published>2013-02-18T08:29:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d3b1b29819924e0224648d9c33bb15ec768cfe33'/>
<id>d3b1b29819924e0224648d9c33bb15ec768cfe33</id>
<content type='text'>
commit bc6b89237acb3dee6af6e64e51a18255fef89cc2 upstream.

rtlwifi allocates both setup_packet and data buffer of control message urb,
using shared kmalloc in _usbctrl_vendorreq_async_write. Structure used for
allocating is:
	struct {
		u8 data[254];
		struct usb_ctrlrequest dr;
	};

Because 'struct usb_ctrlrequest' is __packed, setup packet is unaligned and
DMA mapping of both 'data' and 'dr' confuses ARM/sunxi, leading to memory
corruptions and freezes.

Patch changes setup packet to be allocated separately.

[v2]:
 - Use WARN_ON_ONCE instead of WARN_ON

Signed-off-by: Jussi Kivilinna &lt;jussi.kivilinna@mbnet.fi&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bc6b89237acb3dee6af6e64e51a18255fef89cc2 upstream.

rtlwifi allocates both setup_packet and data buffer of control message urb,
using shared kmalloc in _usbctrl_vendorreq_async_write. Structure used for
allocating is:
	struct {
		u8 data[254];
		struct usb_ctrlrequest dr;
	};

Because 'struct usb_ctrlrequest' is __packed, setup packet is unaligned and
DMA mapping of both 'data' and 'dr' confuses ARM/sunxi, leading to memory
corruptions and freezes.

Patch changes setup packet to be allocated separately.

[v2]:
 - Use WARN_ON_ONCE instead of WARN_ON

Signed-off-by: Jussi Kivilinna &lt;jussi.kivilinna@mbnet.fi&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>rtlwifi: rtl8192cu: Add new USB ID</title>
<updated>2013-02-27T17:21:07+00:00</updated>
<author>
<name>Larry Finger</name>
<email>Larry.Finger@lwfinger.net</email>
</author>
<published>2013-02-08T18:28:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=25813769478011277a394700e001b91892d393a5'/>
<id>25813769478011277a394700e001b91892d393a5</id>
<content type='text'>
commit 8708aac79e4572ba673d7a21e94ddca9f3abb7fc upstream.

A new model of the RTL8188CUS has appeared.

Reported-and-tested-by: Thomas Rosenkrantz &lt;tom.rosary@googlemail.com&gt;
Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8708aac79e4572ba673d7a21e94ddca9f3abb7fc upstream.

A new model of the RTL8188CUS has appeared.

Reported-and-tested-by: Thomas Rosenkrantz &lt;tom.rosary@googlemail.com&gt;
Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>b43: Increase number of RX DMA slots</title>
<updated>2013-02-27T17:21:07+00:00</updated>
<author>
<name>Larry Finger</name>
<email>Larry.Finger@lwfinger.net</email>
</author>
<published>2013-02-17T17:01:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5ef7f3fcbd361463db3e205484343df0d64c6b31'/>
<id>5ef7f3fcbd361463db3e205484343df0d64c6b31</id>
<content type='text'>
commit ccae0e50c16a7f7adb029c169147400d1ce9f703 upstream.

Bastian Bittorf reported that some of the silent freezes on a Linksys WRT54G
were due to overflow of the RX DMA ring buffer, which was created with 64
slots. That finding reminded me that I was seeing similar crashed on a netbook,
which also has a relatively slow processor. After increasing the number of
slots to 128, runs on the netbook that previously failed now worked; however,
I found that 109 slots had been used in one test. For that reason, the number
of slots is being increased to 256.

Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Cc: Bastian Bittorf &lt;bittorf@bluebottle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ccae0e50c16a7f7adb029c169147400d1ce9f703 upstream.

Bastian Bittorf reported that some of the silent freezes on a Linksys WRT54G
were due to overflow of the RX DMA ring buffer, which was created with 64
slots. That finding reminded me that I was seeing similar crashed on a netbook,
which also has a relatively slow processor. After increasing the number of
slots to 128, runs on the netbook that previously failed now worked; however,
I found that 109 slots had been used in one test. For that reason, the number
of slots is being increased to 256.

Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Cc: Bastian Bittorf &lt;bittorf@bluebottle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netback: correct netbk_tx_err to handle wrap around.</title>
<updated>2013-02-14T18:48:29+00:00</updated>
<author>
<name>Ian Campbell</name>
<email>Ian.Campbell@citrix.com</email>
</author>
<published>2013-02-06T23:41:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8bd686bf8a379fe7fe0fb79b6e1ced508eddec4a'/>
<id>8bd686bf8a379fe7fe0fb79b6e1ced508eddec4a</id>
<content type='text'>
[ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ]

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ]

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xen/netback: free already allocated memory on failure in xen_netbk_get_requests</title>
<updated>2013-02-14T18:48:28+00:00</updated>
<author>
<name>Ian Campbell</name>
<email>Ian.Campbell@citrix.com</email>
</author>
<published>2013-02-06T23:41:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5847062310d46afd500e3177fdea8e710127f831'/>
<id>5847062310d46afd500e3177fdea8e710127f831</id>
<content type='text'>
[ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ]

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ]

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.</title>
<updated>2013-02-14T18:48:25+00:00</updated>
<author>
<name>Matthew Daley</name>
<email>mattjd@gmail.com</email>
</author>
<published>2013-02-06T23:41:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bf23a4d77d92acc048bd74c604e840ab3dd6bade'/>
<id>bf23a4d77d92acc048bd74c604e840ab3dd6bade</id>
<content type='text'>
[ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ]

Signed-off-by: Matthew Daley &lt;mattjd@gmail.com&gt;
Reviewed-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Acked-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ]

Signed-off-by: Matthew Daley &lt;mattjd@gmail.com&gt;
Reviewed-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Acked-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xen/netback: shutdown the ring if it contains garbage.</title>
<updated>2013-02-14T18:48:19+00:00</updated>
<author>
<name>Ian Campbell</name>
<email>Ian.Campbell@citrix.com</email>
</author>
<published>2013-02-06T23:41:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=036610027dd4ada9996ded5a80b75dd8911980af'/>
<id>036610027dd4ada9996ded5a80b75dd8911980af</id>
<content type='text'>
[ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ]

A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously is was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an externded period.

Also turn various netdev_dbg calls which no precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Reviewed-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ]

A buggy or malicious frontend should not be able to confuse netback.
If we spot anything which is not as it should be then shutdown the
device and don't try to continue with the ring in a potentially
hostile state. Well behaved and non-hostile frontends will not be
penalised.

As well as making the existing checks for such errors fatal also add a
new check that ensures that there isn't an insane number of requests
on the ring (i.e. more than would fit in the ring). If the ring
contains garbage then previously is was possible to loop over this
insane number, getting an error each time and therefore not generating
any more pending requests and therefore not exiting the loop in
xen_netbk_tx_build_gops for an externded period.

Also turn various netdev_dbg calls which no precipitate a fatal error
into netdev_err, they are rate limited because the device is shutdown
afterwards.

This fixes at least one known DoS/softlockup of the backend domain.

Signed-off-by: Ian Campbell &lt;ian.campbell@citrix.com&gt;
Reviewed-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Acked-by: Jan Beulich &lt;JBeulich@suse.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>via-rhine: Fix bugs in NAPI support.</title>
<updated>2013-02-14T18:48:18+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2013-01-30T03:58:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bec1a03d483aa8e50657f2599d228fc879d385ea'/>
<id>bec1a03d483aa8e50657f2599d228fc879d385ea</id>
<content type='text'>
[ Upstream commit 559bcac35facfed49ab4f408e162971612dcfdf3 ]

1) rhine_tx() should use dev_kfree_skb() not dev_kfree_skb_irq()

2) rhine_slow_event_task's NAPI triggering logic is racey, it
   should just hit the interrupt mask register.  This is the
   same as commit 7dbb491878a2c51d372a8890fa45a8ff80358af1
   ("r8169: avoid NAPI scheduling delay.") made to fix the same
   problem in the r8169 driver.  From Francois Romieu.

Reported-by: Jamie Gloudon &lt;jamie.gloudon@gmail.com&gt;
Tested-by: Jamie Gloudon &lt;jamie.gloudon@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 559bcac35facfed49ab4f408e162971612dcfdf3 ]

1) rhine_tx() should use dev_kfree_skb() not dev_kfree_skb_irq()

2) rhine_slow_event_task's NAPI triggering logic is racey, it
   should just hit the interrupt mask register.  This is the
   same as commit 7dbb491878a2c51d372a8890fa45a8ff80358af1
   ("r8169: avoid NAPI scheduling delay.") made to fix the same
   problem in the r8169 driver.  From Francois Romieu.

Reported-by: Jamie Gloudon &lt;jamie.gloudon@gmail.com&gt;
Tested-by: Jamie Gloudon &lt;jamie.gloudon@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: loopback: fix a dst refcounting issue</title>
<updated>2013-02-14T18:48:15+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2013-01-25T07:44:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be730f3d2049d1161ea22ada338dd1aeaef20065'/>
<id>be730f3d2049d1161ea22ada338dd1aeaef20065</id>
<content type='text'>
[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]

Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.

We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst-&gt;input() and got garbage for dst-&gt;input value.

It appears the bug is in loopback driver, lacking
a skb_dst_force() before calling netif_rx().

As a result, a non refcounted dst, normally protected by a
RCU read_lock section, was escaping this section and could
be freed before the packet being processed.

  [&lt;ffffffff813a3c4d&gt;] loopback_xmit+0x64/0x83
  [&lt;ffffffff81477364&gt;] dev_hard_start_xmit+0x26c/0x35e
  [&lt;ffffffff8147771a&gt;] dev_queue_xmit+0x2c4/0x37c
  [&lt;ffffffff81477456&gt;] ? dev_hard_start_xmit+0x35e/0x35e
  [&lt;ffffffff8148cfa6&gt;] ? eth_header+0x28/0xb6
  [&lt;ffffffff81480f09&gt;] neigh_resolve_output+0x176/0x1a7
  [&lt;ffffffff814ad835&gt;] ip_finish_output2+0x297/0x30d
  [&lt;ffffffff814ad6d5&gt;] ? ip_finish_output2+0x137/0x30d
  [&lt;ffffffff814ad90e&gt;] ip_finish_output+0x63/0x68
  [&lt;ffffffff814ae412&gt;] ip_output+0x61/0x67
  [&lt;ffffffff814ab904&gt;] dst_output+0x17/0x1b
  [&lt;ffffffff814adb6d&gt;] ip_local_out+0x1e/0x23
  [&lt;ffffffff814ae1c4&gt;] ip_queue_xmit+0x315/0x353
  [&lt;ffffffff814adeaf&gt;] ? ip_send_unicast_reply+0x2cc/0x2cc
  [&lt;ffffffff814c018f&gt;] tcp_transmit_skb+0x7ca/0x80b
  [&lt;ffffffff814c3571&gt;] tcp_connect+0x53c/0x587
  [&lt;ffffffff810c2f0c&gt;] ? getnstimeofday+0x44/0x7d
  [&lt;ffffffff810c2f56&gt;] ? ktime_get_real+0x11/0x3e
  [&lt;ffffffff814c6f9b&gt;] tcp_v4_connect+0x3c2/0x431
  [&lt;ffffffff814d6913&gt;] __inet_stream_connect+0x84/0x287
  [&lt;ffffffff814d6b38&gt;] ? inet_stream_connect+0x22/0x49
  [&lt;ffffffff8108d695&gt;] ? _local_bh_enable_ip+0x84/0x9f
  [&lt;ffffffff8108d6c8&gt;] ? local_bh_enable+0xd/0x11
  [&lt;ffffffff8146763c&gt;] ? lock_sock_nested+0x6e/0x79
  [&lt;ffffffff814d6b38&gt;] ? inet_stream_connect+0x22/0x49
  [&lt;ffffffff814d6b49&gt;] inet_stream_connect+0x33/0x49
  [&lt;ffffffff814632c6&gt;] sys_connect+0x75/0x98

This bug was introduced in linux-2.6.35, in commit
7fee226ad2397b (net: add a noref bit on skb dst)

skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Tested-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]

Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.

We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst-&gt;input() and got garbage for dst-&gt;input value.

It appears the bug is in loopback driver, lacking
a skb_dst_force() before calling netif_rx().

As a result, a non refcounted dst, normally protected by a
RCU read_lock section, was escaping this section and could
be freed before the packet being processed.

  [&lt;ffffffff813a3c4d&gt;] loopback_xmit+0x64/0x83
  [&lt;ffffffff81477364&gt;] dev_hard_start_xmit+0x26c/0x35e
  [&lt;ffffffff8147771a&gt;] dev_queue_xmit+0x2c4/0x37c
  [&lt;ffffffff81477456&gt;] ? dev_hard_start_xmit+0x35e/0x35e
  [&lt;ffffffff8148cfa6&gt;] ? eth_header+0x28/0xb6
  [&lt;ffffffff81480f09&gt;] neigh_resolve_output+0x176/0x1a7
  [&lt;ffffffff814ad835&gt;] ip_finish_output2+0x297/0x30d
  [&lt;ffffffff814ad6d5&gt;] ? ip_finish_output2+0x137/0x30d
  [&lt;ffffffff814ad90e&gt;] ip_finish_output+0x63/0x68
  [&lt;ffffffff814ae412&gt;] ip_output+0x61/0x67
  [&lt;ffffffff814ab904&gt;] dst_output+0x17/0x1b
  [&lt;ffffffff814adb6d&gt;] ip_local_out+0x1e/0x23
  [&lt;ffffffff814ae1c4&gt;] ip_queue_xmit+0x315/0x353
  [&lt;ffffffff814adeaf&gt;] ? ip_send_unicast_reply+0x2cc/0x2cc
  [&lt;ffffffff814c018f&gt;] tcp_transmit_skb+0x7ca/0x80b
  [&lt;ffffffff814c3571&gt;] tcp_connect+0x53c/0x587
  [&lt;ffffffff810c2f0c&gt;] ? getnstimeofday+0x44/0x7d
  [&lt;ffffffff810c2f56&gt;] ? ktime_get_real+0x11/0x3e
  [&lt;ffffffff814c6f9b&gt;] tcp_v4_connect+0x3c2/0x431
  [&lt;ffffffff814d6913&gt;] __inet_stream_connect+0x84/0x287
  [&lt;ffffffff814d6b38&gt;] ? inet_stream_connect+0x22/0x49
  [&lt;ffffffff8108d695&gt;] ? _local_bh_enable_ip+0x84/0x9f
  [&lt;ffffffff8108d6c8&gt;] ? local_bh_enable+0xd/0x11
  [&lt;ffffffff8146763c&gt;] ? lock_sock_nested+0x6e/0x79
  [&lt;ffffffff814d6b38&gt;] ? inet_stream_connect+0x22/0x49
  [&lt;ffffffff814d6b49&gt;] inet_stream_connect+0x33/0x49
  [&lt;ffffffff814632c6&gt;] sys_connect+0x75/0x98

This bug was introduced in linux-2.6.35, in commit
7fee226ad2397b (net: add a noref bit on skb dst)

skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Tested-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
