<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include/net, branch v3.18.25</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipv6: add complete rcu protection around np-&gt;opt</title>
<updated>2015-12-14T17:19:26+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-11-30T03:37:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=46ddb98e2018a5a62cefa75b3c80882850c91e39'/>
<id>46ddb98e2018a5a62cefa75b3c80882850c91e39</id>
<content type='text'>
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np-&gt;opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np-&gt;opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np-&gt;opt

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np-&gt;opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np-&gt;opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np-&gt;opt

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: distinguish frag queues by device for multicast and link-local packets</title>
<updated>2015-12-14T17:19:26+00:00</updated>
<author>
<name>Michal Kubeček</name>
<email>mkubecek@suse.cz</email>
</author>
<published>2015-11-24T14:07:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e33c9be772f35cab83e100160b2b42e03f1eb2cc'/>
<id>e33c9be772f35cab83e100160b2b42e03f1eb2cc</id>
<content type='text'>
[ Upstream commit 264640fc2c5f4f913db5c73fa3eb1ead2c45e9d7 ]

If a fragmented multicast packet is received on an ethernet device which
has an active macvlan on top of it, each fragment is duplicated and
received both on the underlying device and the macvlan. If some
fragments for macvlan are processed before the whole packet for the
underlying device is reassembled, the "overlapping fragments" test in
ip6_frag_queue() discards the whole fragment queue.

To resolve this, add device ifindex to the search key and require it to
match reassembling multicast packets and packets to link-local
addresses.

Note: similar patch has been already submitted by Yoshifuji Hideaki in

  http://patchwork.ozlabs.org/patch/220979/

but got lost and forgotten for some reason.

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 264640fc2c5f4f913db5c73fa3eb1ead2c45e9d7 ]

If a fragmented multicast packet is received on an ethernet device which
has an active macvlan on top of it, each fragment is duplicated and
received both on the underlying device and the macvlan. If some
fragments for macvlan are processed before the whole packet for the
underlying device is reassembled, the "overlapping fragments" test in
ip6_frag_queue() discards the whole fragment queue.

To resolve this, add device ifindex to the search key and require it to
match reassembling multicast packets and packets to link-local
addresses.

Note: similar patch has been already submitted by Yoshifuji Hideaki in

  http://patchwork.ozlabs.org/patch/220979/

but got lost and forgotten for some reason.

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ip_tunnel: disable preemption when updating per-cpu tstats</title>
<updated>2015-12-14T17:19:23+00:00</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2015-11-12T16:35:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6cc44e6968fa1daa77fe2931a3c42da0821c4fdc'/>
<id>6cc44e6968fa1daa77fe2931a3c42da0821c4fdc</id>
<content type='text'>
[ Upstream commit b4fe85f9c9146f60457e9512fb6055e69e6a7a65 ]

Drivers like vxlan use the recently introduced
udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
packet, updates the struct stats using the usual
u64_stats_update_begin/end calls on this_cpu_ptr(dev-&gt;tstats).
udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
tstats, so drivers like vxlan, immediately after, call
iptunnel_xmit_stats, which does the same thing - calls
u64_stats_update_begin/end on this_cpu_ptr(dev-&gt;tstats).

While vxlan is probably fine (I don't know?), calling a similar function
from, say, an unbound workqueue, on a fully preemptable kernel causes
real issues:

[  188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
[  188.435579] caller is debug_smp_processor_id+0x17/0x20
[  188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
[  188.435607] Call Trace:
[  188.435611]  [&lt;ffffffff8234e936&gt;] dump_stack+0x4f/0x7b
[  188.435615]  [&lt;ffffffff81915f3d&gt;] check_preemption_disabled+0x19d/0x1c0
[  188.435619]  [&lt;ffffffff81915f77&gt;] debug_smp_processor_id+0x17/0x20

The solution would be to protect the whole
this_cpu_ptr(dev-&gt;tstats)/u64_stats_update_begin/end blocks with
disabling preemption and then reenabling it.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b4fe85f9c9146f60457e9512fb6055e69e6a7a65 ]

Drivers like vxlan use the recently introduced
udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
packet, updates the struct stats using the usual
u64_stats_update_begin/end calls on this_cpu_ptr(dev-&gt;tstats).
udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
tstats, so drivers like vxlan, immediately after, call
iptunnel_xmit_stats, which does the same thing - calls
u64_stats_update_begin/end on this_cpu_ptr(dev-&gt;tstats).

While vxlan is probably fine (I don't know?), calling a similar function
from, say, an unbound workqueue, on a fully preemptable kernel causes
real issues:

[  188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
[  188.435579] caller is debug_smp_processor_id+0x17/0x20
[  188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
[  188.435607] Call Trace:
[  188.435611]  [&lt;ffffffff8234e936&gt;] dump_stack+0x4f/0x7b
[  188.435615]  [&lt;ffffffff81915f3d&gt;] check_preemption_disabled+0x19d/0x1c0
[  188.435619]  [&lt;ffffffff81915f77&gt;] debug_smp_processor_id+0x17/0x20

The solution would be to protect the whole
this_cpu_ptr(dev-&gt;tstats)/u64_stats_update_begin/end blocks with
disabling preemption and then reenabling it.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: avoid NULL deref in inet_ctl_sock_destroy()</title>
<updated>2015-12-03T15:17:20+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-10-02T23:54:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b2567c1c3e78d35dab01ac1f3f8331d42d3df062'/>
<id>b2567c1c3e78d35dab01ac1f3f8331d42d3df062</id>
<content type='text'>
[ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ]

Under low memory conditions, tcp_sk_init() and icmp_sk_init()
can both iterate on all possible cpus and call inet_ctl_sock_destroy(),
with eventual NULL pointer.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ]

Under low memory conditions, tcp_sk_init() and icmp_sk_init()
can both iterate on all possible cpus and call inet_ctl_sock_destroy(),
with eventual NULL pointer.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add pfmemalloc check in sk_add_backlog()</title>
<updated>2015-11-13T18:16:51+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-09-30T01:52:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d48fa362803dafca999f5c336833b6e409065ecb'/>
<id>d48fa362803dafca999f5c336833b6e409065ecb</id>
<content type='text'>
[ Upstream commit c7c49b8fde26b74277188bdc6c9dca38db6fa35b ]

Greg reported crashes hitting the following check in __sk_backlog_rcv()

	BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));

The pfmemalloc bit is currently checked in sk_filter().

This works correctly for TCP, because sk_filter() is ran in
tcp_v[46]_rcv() before hitting the prequeue or backlog checks.

For UDP or other protocols, this does not work, because the sk_filter()
is ran from sock_queue_rcv_skb(), which might be called _after_ backlog
queuing if socket is owned by user by the time packet is processed by
softirq handler.

Fixes: b4b9e35585089 ("netvm: set PF_MEMALLOC as appropriate during SKB processing")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Greg Thelen &lt;gthelen@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c7c49b8fde26b74277188bdc6c9dca38db6fa35b ]

Greg reported crashes hitting the following check in __sk_backlog_rcv()

	BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));

The pfmemalloc bit is currently checked in sk_filter().

This works correctly for TCP, because sk_filter() is ran in
tcp_v[46]_rcv() before hitting the prequeue or backlog checks.

For UDP or other protocols, this does not work, because the sk_filter()
is ran from sock_queue_rcv_skb(), which might be called _after_ backlog
queuing if socket is owned by user by the time packet is processed by
softirq handler.

Fixes: b4b9e35585089 ("netvm: set PF_MEMALLOC as appropriate during SKB processing")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Greg Thelen &lt;gthelen@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_unix: Convert the unix_sk macro to an inline function for type safety</title>
<updated>2015-11-13T18:15:50+00:00</updated>
<author>
<name>Aaron Conole</name>
<email>aconole@bytheb.org</email>
</author>
<published>2015-09-26T22:50:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a97833af00d0e7da580ea39a4551c2cf7439108'/>
<id>0a97833af00d0e7da580ea39a4551c2cf7439108</id>
<content type='text'>
[ Upstream commit 4613012db1d911f80897f9446a49de817b2c4c47 ]

As suggested by Eric Dumazet this change replaces the
#define with a static inline function to enjoy
complaints by the compiler when misusing the API.

Signed-off-by: Aaron Conole &lt;aconole@bytheb.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4613012db1d911f80897f9446a49de817b2c4c47 ]

As suggested by Eric Dumazet this change replaces the
#define with a static inline function to enjoy
complaints by the compiler when misusing the API.

Signed-off-by: Aaron Conole &lt;aconole@bytheb.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: lock socket in ip6_datagram_connect()</title>
<updated>2015-09-28T22:57:01+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-07-14T06:10:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4bbded3d6ce48179a0e7067305e5e33860f2c490'/>
<id>4bbded3d6ce48179a0e7067305e5e33860f2c490</id>
<content type='text'>
[ Upstream commit 03645a11a570d52e70631838cb786eb4253eb463 ]

ip6_datagram_connect() is doing a lot of socket changes without
socket being locked.

This looks wrong, at least for udp_lib_rehash() which could corrupt
lists because of concurrent udp_sk(sk)-&gt;udp_portaddr_hash accesses.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 03645a11a570d52e70631838cb786eb4253eb463 ]

ip6_datagram_connect() is doing a lot of socket changes without
socket being locked.

This looks wrong, at least for udp_lib_rehash() which could corrupt
lists because of concurrent udp_sk(sk)-&gt;udp_portaddr_hash accesses.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: fix ASCONF list handling</title>
<updated>2015-07-05T14:12:58+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2015-06-12T13:16:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=720e1669baa8f2658d737825e49edb018cf3aa1d'/>
<id>720e1669baa8f2658d737825e49edb018cf3aa1d</id>
<content type='text'>
[ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]

-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]

-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook</title>
<updated>2015-07-05T14:12:48+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-06-19T19:03:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b396bdb5f1e1692d38b2c2d11c67c7fc182546b7'/>
<id>b396bdb5f1e1692d38b2c2d11c67c7fc182546b7</id>
<content type='text'>
[ Upstream commit 8405a8fff3f8545c888a872d6e3c0c8eecd4d348 ]

Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered.  This guarantees that the pointer that the nf_queue code
retains into the nf_hook list will remain valid while a packet is
queued.

I tested what would happen if we do not flush queued packets and was
trivially able to obtain the oops below.  All that was required was
to stop the nf_queue listening process, to delete all of the nf_tables,
and to awaken the nf_queue listening process.

&gt; BUG: unable to handle kernel paging request at 0000000100000001
&gt; IP: [&lt;0000000100000001&gt;] 0x100000001
&gt; PGD b9c35067 PUD 0
&gt; Oops: 0010 [#1] SMP
&gt; Modules linked in:
&gt; CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
&gt; task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
&gt; RIP: 0010:[&lt;0000000100000001&gt;]  [&lt;0000000100000001&gt;] 0x100000001
&gt; RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
&gt; RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
&gt; RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
&gt; RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
&gt; R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
&gt; R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
&gt; FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
&gt; CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
&gt; Stack:
&gt;  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
&gt;  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
&gt;  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
&gt; Call Trace:
&gt;  [&lt;ffffffff8206ab0f&gt;] ? nf_iterate+0x4f/0xa0
&gt;  [&lt;ffffffff8206bd65&gt;] ? nf_reinject+0x125/0x190
&gt;  [&lt;ffffffff8206dee5&gt;] ? nfqnl_recv_verdict+0x255/0x360
&gt;  [&lt;ffffffff81386290&gt;] ? nla_parse+0x80/0xf0
&gt;  [&lt;ffffffff8206c42c&gt;] ? nfnetlink_rcv_msg+0x13c/0x240
&gt;  [&lt;ffffffff811b2fec&gt;] ? __memcg_kmem_get_cache+0x4c/0x150
&gt;  [&lt;ffffffff8206c2f0&gt;] ? nfnl_lock+0x20/0x20
&gt;  [&lt;ffffffff82068159&gt;] ? netlink_rcv_skb+0xa9/0xc0
&gt;  [&lt;ffffffff820677bf&gt;] ? netlink_unicast+0x12f/0x1c0
&gt;  [&lt;ffffffff82067ade&gt;] ? netlink_sendmsg+0x28e/0x650
&gt;  [&lt;ffffffff81fdd814&gt;] ? sock_sendmsg+0x44/0x50
&gt;  [&lt;ffffffff81fde07b&gt;] ? ___sys_sendmsg+0x2ab/0x2c0
&gt;  [&lt;ffffffff810e8f73&gt;] ? __wake_up+0x43/0x70
&gt;  [&lt;ffffffff8141a134&gt;] ? tty_write+0x1c4/0x2a0
&gt;  [&lt;ffffffff81fde9f4&gt;] ? __sys_sendmsg+0x44/0x80
&gt;  [&lt;ffffffff823ff8d7&gt;] ? system_call_fastpath+0x12/0x6a
&gt; Code:  Bad RIP value.
&gt; RIP  [&lt;0000000100000001&gt;] 0x100000001
&gt;  RSP &lt;ffff8800ba9dba40&gt;
&gt; CR2: 0000000100000001
&gt; ---[ end trace 08eb65d42362793f ]---

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8405a8fff3f8545c888a872d6e3c0c8eecd4d348 ]

Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered.  This guarantees that the pointer that the nf_queue code
retains into the nf_hook list will remain valid while a packet is
queued.

I tested what would happen if we do not flush queued packets and was
trivially able to obtain the oops below.  All that was required was
to stop the nf_queue listening process, to delete all of the nf_tables,
and to awaken the nf_queue listening process.

&gt; BUG: unable to handle kernel paging request at 0000000100000001
&gt; IP: [&lt;0000000100000001&gt;] 0x100000001
&gt; PGD b9c35067 PUD 0
&gt; Oops: 0010 [#1] SMP
&gt; Modules linked in:
&gt; CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
&gt; task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
&gt; RIP: 0010:[&lt;0000000100000001&gt;]  [&lt;0000000100000001&gt;] 0x100000001
&gt; RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
&gt; RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
&gt; RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
&gt; RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
&gt; R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
&gt; R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
&gt; FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
&gt; CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
&gt; Stack:
&gt;  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
&gt;  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
&gt;  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
&gt; Call Trace:
&gt;  [&lt;ffffffff8206ab0f&gt;] ? nf_iterate+0x4f/0xa0
&gt;  [&lt;ffffffff8206bd65&gt;] ? nf_reinject+0x125/0x190
&gt;  [&lt;ffffffff8206dee5&gt;] ? nfqnl_recv_verdict+0x255/0x360
&gt;  [&lt;ffffffff81386290&gt;] ? nla_parse+0x80/0xf0
&gt;  [&lt;ffffffff8206c42c&gt;] ? nfnetlink_rcv_msg+0x13c/0x240
&gt;  [&lt;ffffffff811b2fec&gt;] ? __memcg_kmem_get_cache+0x4c/0x150
&gt;  [&lt;ffffffff8206c2f0&gt;] ? nfnl_lock+0x20/0x20
&gt;  [&lt;ffffffff82068159&gt;] ? netlink_rcv_skb+0xa9/0xc0
&gt;  [&lt;ffffffff820677bf&gt;] ? netlink_unicast+0x12f/0x1c0
&gt;  [&lt;ffffffff82067ade&gt;] ? netlink_sendmsg+0x28e/0x650
&gt;  [&lt;ffffffff81fdd814&gt;] ? sock_sendmsg+0x44/0x50
&gt;  [&lt;ffffffff81fde07b&gt;] ? ___sys_sendmsg+0x2ab/0x2c0
&gt;  [&lt;ffffffff810e8f73&gt;] ? __wake_up+0x43/0x70
&gt;  [&lt;ffffffff8141a134&gt;] ? tty_write+0x1c4/0x2a0
&gt;  [&lt;ffffffff81fde9f4&gt;] ? __sys_sendmsg+0x44/0x80
&gt;  [&lt;ffffffff823ff8d7&gt;] ? system_call_fastpath+0x12/0x6a
&gt; Code:  Bad RIP value.
&gt; RIP  [&lt;0000000100000001&gt;] 0x100000001
&gt;  RSP &lt;ffff8800ba9dba40&gt;
&gt; CR2: 0000000100000001
&gt; ---[ end trace 08eb65d42362793f ]---

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add sk_fullsock() helper</title>
<updated>2015-06-28T17:39:21+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-03-16T04:12:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2ed8cb3d22b59eda73c203412d02add4d0901255'/>
<id>2ed8cb3d22b59eda73c203412d02add4d0901255</id>
<content type='text'>
[ Upstream commit 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 ]

We have many places where we want to check if a socket is
not a timewait or request socket. Use a helper to avoid
hard coding this.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 ]

We have many places where we want to check if a socket is
not a timewait or request socket. Use a helper to avoid
hard coding this.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
