<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/core, branch linux-4.8.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>flowcache: Increase threshold for refusing new allocations</title>
<updated>2016-12-10T18:09:44+00:00</updated>
<author>
<name>Miroslav Urbanek</name>
<email>mu@miroslavurbanek.com</email>
</author>
<published>2016-11-21T14:48:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be5339492b2919a910bf06630a861d5da8a478bd'/>
<id>be5339492b2919a910bf06630a861d5da8a478bd</id>
<content type='text'>
commit 6b226487815574193c1da864f2eac274781a2b0c upstream.

The threshold for OOM protection is too small for systems with large
number of CPUs. Applications report ENOBUFs on connect() every 10
minutes.

The problem is that the variable net-&gt;xfrm.flow_cache_gc_count is a
global counter while the variable fc-&gt;high_watermark is a per-CPU
constant. Take the number of CPUs into account as well.

Fixes: 6ad3122a08e3 ("flowcache: Avoid OOM condition under preasure")
Reported-by: Lukáš Koldrt &lt;lk@excello.cz&gt;
Tested-by: Jan Hejl &lt;jh@excello.cz&gt;
Signed-off-by: Miroslav Urbanek &lt;mu@miroslavurbanek.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6b226487815574193c1da864f2eac274781a2b0c upstream.

The threshold for OOM protection is too small for systems with large
number of CPUs. Applications report ENOBUFs on connect() every 10
minutes.

The problem is that the variable net-&gt;xfrm.flow_cache_gc_count is a
global counter while the variable fc-&gt;high_watermark is a per-CPU
constant. Take the number of CPUs into account as well.

Fixes: 6ad3122a08e3 ("flowcache: Avoid OOM condition under preasure")
Reported-by: Lukáš Koldrt &lt;lk@excello.cz&gt;
Tested-by: Jan Hejl &lt;jh@excello.cz&gt;
Signed-off-by: Miroslav Urbanek &lt;mu@miroslavurbanek.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: avoid signed overflows for SO_{SND|RCV}BUFFORCE</title>
<updated>2016-12-10T18:09:42+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-12-02T17:44:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f818e5d86aef49c067296d29f1e277c7ee1713e8'/>
<id>f818e5d86aef49c067296d29f1e277c7ee1713e8</id>
<content type='text'>
[ Upstream commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 ]

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 ]

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtnl: fix the loop index update error in rtnl_dump_ifinfo()</title>
<updated>2016-12-10T18:09:38+00:00</updated>
<author>
<name>Zhang Shengju</name>
<email>zhangshengju@cmss.chinamobile.com</email>
</author>
<published>2016-11-19T15:28:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=58c8cc33de6caa707cec2008782f918432668962'/>
<id>58c8cc33de6caa707cec2008782f918432668962</id>
<content type='text'>
[ Upstream commit 3f0ae05d6fea0ed5b19efdbc9c9f8e02685a3af3 ]

If the link is filtered out, loop index should also be updated. If not,
loop index will not be correct.

Fixes: dc599f76c22b0 ("net: Add support for filtering link dump by master device and kind")
Signed-off-by: Zhang Shengju &lt;zhangshengju@cmss.chinamobile.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 3f0ae05d6fea0ed5b19efdbc9c9f8e02685a3af3 ]

If the link is filtered out, loop index should also be updated. If not,
loop index will not be correct.

Fixes: dc599f76c22b0 ("net: Add support for filtering link dump by master device and kind")
Signed-off-by: Zhang Shengju &lt;zhangshengju@cmss.chinamobile.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtnetlink: fix FDB size computation</title>
<updated>2016-12-10T18:09:38+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2016-11-18T14:50:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7f8b251a09859816e52a21b3f77eeb0dc579cd1a'/>
<id>7f8b251a09859816e52a21b3f77eeb0dc579cd1a</id>
<content type='text'>
[ Upstream commit f82ef3e10a870acc19fa04f80ef5877eaa26f41e ]

Add missing NDA_VLAN attribute's size.

Fixes: 1e53d5bb8878 ("net: Pass VLAN ID to rtnl_fdb_notify.")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f82ef3e10a870acc19fa04f80ef5877eaa26f41e ]

Add missing NDA_VLAN attribute's size.

Fixes: 1e53d5bb8878 ("net: Pass VLAN ID to rtnl_fdb_notify.")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: check dead netns for peernet2id_alloc()</title>
<updated>2016-12-10T18:09:37+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2016-11-16T18:27:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b079d5b9fc18b8af94f415f637b13be77ff04b5'/>
<id>1b079d5b9fc18b8af94f415f637b13be77ff04b5</id>
<content type='text'>
[ Upstream commit cfc44a4d147ea605d66ccb917cc24467d15ff867 ]

Andrei reports we still allocate netns ID from idr after we destroy
it in cleanup_net().

cleanup_net():
  ...
  idr_destroy(&amp;net-&gt;netns_ids);
  ...
  list_for_each_entry_reverse(ops, &amp;pernet_list, list)
    ops_exit_list(ops, &amp;net_exit_list);
      -&gt; rollback_registered_many()
        -&gt; rtmsg_ifinfo_build_skb()
         -&gt; rtnl_fill_ifinfo()
           -&gt; peernet2id_alloc()

After that point we should not even access net-&gt;netns_ids, we
should check the death of the current netns as early as we can in
peernet2id_alloc().

For net-next we can consider to avoid sending rtmsg totally,
it is a good optimization for netns teardown path.

Fixes: 0c7aecd4bde4 ("netns: add rtnl cmd to add and get peer netns ids")
Reported-by: Andrei Vagin &lt;avagin@gmail.com&gt;
Cc: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Andrei Vagin &lt;avagin@openvz.org&gt;
Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cfc44a4d147ea605d66ccb917cc24467d15ff867 ]

Andrei reports we still allocate netns ID from idr after we destroy
it in cleanup_net().

cleanup_net():
  ...
  idr_destroy(&amp;net-&gt;netns_ids);
  ...
  list_for_each_entry_reverse(ops, &amp;pernet_list, list)
    ops_exit_list(ops, &amp;net_exit_list);
      -&gt; rollback_registered_many()
        -&gt; rtmsg_ifinfo_build_skb()
         -&gt; rtnl_fill_ifinfo()
           -&gt; peernet2id_alloc()

After that point we should not even access net-&gt;netns_ids, we
should check the death of the current netns as early as we can in
peernet2id_alloc().

For net-next we can consider to avoid sending rtmsg totally,
it is a good optimization for netns teardown path.

Fixes: 0c7aecd4bde4 ("netns: add rtnl cmd to add and get peer netns ids")
Reported-by: Andrei Vagin &lt;avagin@gmail.com&gt;
Cc: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Andrei Vagin &lt;avagin@openvz.org&gt;
Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>flow_dissect: call init_default_flow_dissectors() earlier</title>
<updated>2016-12-02T08:10:33+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-11-22T19:17:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3de3eebb10fd21155ce2dee2c19ff92c31b7091e'/>
<id>3de3eebb10fd21155ce2dee2c19ff92c31b7091e</id>
<content type='text'>
commit c9b8af1330198ae241cd545e1f040019010d44d9 upstream.

Andre Noll reported panics after my recent fix (commit 34fad54c2537
"net: __skb_flow_dissect() must cap its return value")

After some more headaches, Alexander root caused the problem to
init_default_flow_dissectors() being called too late, in case
a network driver like IGB is not a module and receives DHCP message
very early.

Fix is to call init_default_flow_dissectors() much earlier,
as it is a core infrastructure and does not depend on another
kernel service.

Fixes: 06635a35d13d4 ("flow_dissect: use programable dissector in skb_flow_dissect and friends")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andre Noll &lt;maan@tuebingen.mpg.de&gt;
Diagnosed-by: Alexander Duyck &lt;alexander.h.duyck@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c9b8af1330198ae241cd545e1f040019010d44d9 upstream.

Andre Noll reported panics after my recent fix (commit 34fad54c2537
"net: __skb_flow_dissect() must cap its return value")

After some more headaches, Alexander root caused the problem to
init_default_flow_dissectors() being called too late, in case
a network driver like IGB is not a module and receives DHCP message
very early.

Fix is to call init_default_flow_dissectors() much earlier,
as it is a core infrastructure and does not depend on another
kernel service.

Fixes: 06635a35d13d4 ("flow_dissect: use programable dissector in skb_flow_dissect and friends")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andre Noll &lt;maan@tuebingen.mpg.de&gt;
Diagnosed-by: Alexander Duyck &lt;alexander.h.duyck@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: __skb_flow_dissect() must cap its return value</title>
<updated>2016-11-21T09:11:36+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-11-10T00:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bccb4093d464ca8b33a096999c4bb317f84ad652'/>
<id>bccb4093d464ca8b33a096999c4bb317f84ad652</id>
<content type='text'>
[ Upstream commit 34fad54c2537f7c99d07375e50cb30aa3c23bd83 ]

After Tom patch, thoff field could point past the end of the buffer,
this could fool some callers.

If an skb was provided, skb-&gt;len should be the upper limit.
If not, hlen is supposed to be the upper limit.

Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Yibin Yang &lt;yibyang@cisco.com
Acked-by: Alexander Duyck &lt;alexander.h.duyck@intel.com&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 34fad54c2537f7c99d07375e50cb30aa3c23bd83 ]

After Tom patch, thoff field could point past the end of the buffer,
this could fool some callers.

If an skb was provided, skb-&gt;len should be the upper limit.
If not, hlen is supposed to be the upper limit.

Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Yibin Yang &lt;yibyang@cisco.com
Acked-by: Alexander Duyck &lt;alexander.h.duyck@intel.com&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dccp: do not release listeners too soon</title>
<updated>2016-11-21T09:11:34+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-11-03T00:14:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=72b03e549b9582ab257219cbe4236a6e0f683ad0'/>
<id>72b03e549b9582ab257219cbe4236a6e0f683ad0</id>
<content type='text'>
[ Upstream commit c3f24cfb3e508c70c26ee8569d537c8ca67a36c6 ]

Andrey Konovalov reported following error while fuzzing with syzkaller :

IPv4: Attempt to release alive inet socket ffff880068e98940
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 3905 Comm: a.out Not tainted 4.9.0-rc3+ #333
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b9e0000 task.stack: ffff880068770000
RIP: 0010:[&lt;ffffffff819ead5f&gt;]  [&lt;ffffffff819ead5f&gt;]
selinux_socket_sock_rcv_skb+0xff/0x6a0 security/selinux/hooks.c:4639
RSP: 0018:ffff8800687771c8  EFLAGS: 00010202
RAX: ffff88006b9e0000 RBX: 1ffff1000d0eee3f RCX: 1ffff1000d1d312a
RDX: 1ffff1000d1d31a6 RSI: dffffc0000000000 RDI: 0000000000000010
RBP: ffff880068777360 R08: 0000000000000000 R09: 0000000000000002
R10: dffffc0000000000 R11: 0000000000000006 R12: ffff880068e98940
R13: 0000000000000002 R14: ffff880068777338 R15: 0000000000000000
FS:  00007f00ff760700(0000) GS:ffff88006cd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020008000 CR3: 000000006a308000 CR4: 00000000000006e0
Stack:
 ffff8800687771e0 ffffffff812508a5 ffff8800686f3168 0000000000000007
 ffff88006ac8cdfc ffff8800665ea500 0000000041b58ab3 ffffffff847b5480
 ffffffff819eac60 ffff88006b9e0860 ffff88006b9e0868 ffff88006b9e07f0
Call Trace:
 [&lt;ffffffff819c8dd5&gt;] security_sock_rcv_skb+0x75/0xb0 security/security.c:1317
 [&lt;ffffffff82c2a9e7&gt;] sk_filter_trim_cap+0x67/0x10e0 net/core/filter.c:81
 [&lt;ffffffff82b81e60&gt;] __sk_receive_skb+0x30/0xa00 net/core/sock.c:460
 [&lt;ffffffff838bbf12&gt;] dccp_v4_rcv+0xdb2/0x1910 net/dccp/ipv4.c:873
 [&lt;ffffffff83069d22&gt;] ip_local_deliver_finish+0x332/0xad0
net/ipv4/ip_input.c:216
 [&lt;     inline     &gt;] NF_HOOK_THRESH ./include/linux/netfilter.h:232
 [&lt;     inline     &gt;] NF_HOOK ./include/linux/netfilter.h:255
 [&lt;ffffffff8306abd2&gt;] ip_local_deliver+0x1c2/0x4b0 net/ipv4/ip_input.c:257
 [&lt;     inline     &gt;] dst_input ./include/net/dst.h:507
 [&lt;ffffffff83068500&gt;] ip_rcv_finish+0x750/0x1c40 net/ipv4/ip_input.c:396
 [&lt;     inline     &gt;] NF_HOOK_THRESH ./include/linux/netfilter.h:232
 [&lt;     inline     &gt;] NF_HOOK ./include/linux/netfilter.h:255
 [&lt;ffffffff8306b82f&gt;] ip_rcv+0x96f/0x12f0 net/ipv4/ip_input.c:487
 [&lt;ffffffff82bd9fb7&gt;] __netif_receive_skb_core+0x1897/0x2a50 net/core/dev.c:4213
 [&lt;ffffffff82bdb19a&gt;] __netif_receive_skb+0x2a/0x170 net/core/dev.c:4251
 [&lt;ffffffff82bdb493&gt;] netif_receive_skb_internal+0x1b3/0x390 net/core/dev.c:4279
 [&lt;ffffffff82bdb6b8&gt;] netif_receive_skb+0x48/0x250 net/core/dev.c:4303
 [&lt;ffffffff8241fc75&gt;] tun_get_user+0xbd5/0x28a0 drivers/net/tun.c:1308
 [&lt;ffffffff82421b5a&gt;] tun_chr_write_iter+0xda/0x190 drivers/net/tun.c:1332
 [&lt;     inline     &gt;] new_sync_write fs/read_write.c:499
 [&lt;ffffffff8151bd44&gt;] __vfs_write+0x334/0x570 fs/read_write.c:512
 [&lt;ffffffff8151f85b&gt;] vfs_write+0x17b/0x500 fs/read_write.c:560
 [&lt;     inline     &gt;] SYSC_write fs/read_write.c:607
 [&lt;ffffffff81523184&gt;] SyS_write+0xd4/0x1a0 fs/read_write.c:599
 [&lt;ffffffff83fc02c1&gt;] entry_SYSCALL_64_fastpath+0x1f/0xc2

It turns out DCCP calls __sk_receive_skb(), and this broke when
lookups no longer took a reference on listeners.

Fix this issue by adding a @refcounted parameter to __sk_receive_skb(),
so that sock_put() is used only when needed.

Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c3f24cfb3e508c70c26ee8569d537c8ca67a36c6 ]

Andrey Konovalov reported following error while fuzzing with syzkaller :

IPv4: Attempt to release alive inet socket ffff880068e98940
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 3905 Comm: a.out Not tainted 4.9.0-rc3+ #333
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b9e0000 task.stack: ffff880068770000
RIP: 0010:[&lt;ffffffff819ead5f&gt;]  [&lt;ffffffff819ead5f&gt;]
selinux_socket_sock_rcv_skb+0xff/0x6a0 security/selinux/hooks.c:4639
RSP: 0018:ffff8800687771c8  EFLAGS: 00010202
RAX: ffff88006b9e0000 RBX: 1ffff1000d0eee3f RCX: 1ffff1000d1d312a
RDX: 1ffff1000d1d31a6 RSI: dffffc0000000000 RDI: 0000000000000010
RBP: ffff880068777360 R08: 0000000000000000 R09: 0000000000000002
R10: dffffc0000000000 R11: 0000000000000006 R12: ffff880068e98940
R13: 0000000000000002 R14: ffff880068777338 R15: 0000000000000000
FS:  00007f00ff760700(0000) GS:ffff88006cd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020008000 CR3: 000000006a308000 CR4: 00000000000006e0
Stack:
 ffff8800687771e0 ffffffff812508a5 ffff8800686f3168 0000000000000007
 ffff88006ac8cdfc ffff8800665ea500 0000000041b58ab3 ffffffff847b5480
 ffffffff819eac60 ffff88006b9e0860 ffff88006b9e0868 ffff88006b9e07f0
Call Trace:
 [&lt;ffffffff819c8dd5&gt;] security_sock_rcv_skb+0x75/0xb0 security/security.c:1317
 [&lt;ffffffff82c2a9e7&gt;] sk_filter_trim_cap+0x67/0x10e0 net/core/filter.c:81
 [&lt;ffffffff82b81e60&gt;] __sk_receive_skb+0x30/0xa00 net/core/sock.c:460
 [&lt;ffffffff838bbf12&gt;] dccp_v4_rcv+0xdb2/0x1910 net/dccp/ipv4.c:873
 [&lt;ffffffff83069d22&gt;] ip_local_deliver_finish+0x332/0xad0
net/ipv4/ip_input.c:216
 [&lt;     inline     &gt;] NF_HOOK_THRESH ./include/linux/netfilter.h:232
 [&lt;     inline     &gt;] NF_HOOK ./include/linux/netfilter.h:255
 [&lt;ffffffff8306abd2&gt;] ip_local_deliver+0x1c2/0x4b0 net/ipv4/ip_input.c:257
 [&lt;     inline     &gt;] dst_input ./include/net/dst.h:507
 [&lt;ffffffff83068500&gt;] ip_rcv_finish+0x750/0x1c40 net/ipv4/ip_input.c:396
 [&lt;     inline     &gt;] NF_HOOK_THRESH ./include/linux/netfilter.h:232
 [&lt;     inline     &gt;] NF_HOOK ./include/linux/netfilter.h:255
 [&lt;ffffffff8306b82f&gt;] ip_rcv+0x96f/0x12f0 net/ipv4/ip_input.c:487
 [&lt;ffffffff82bd9fb7&gt;] __netif_receive_skb_core+0x1897/0x2a50 net/core/dev.c:4213
 [&lt;ffffffff82bdb19a&gt;] __netif_receive_skb+0x2a/0x170 net/core/dev.c:4251
 [&lt;ffffffff82bdb493&gt;] netif_receive_skb_internal+0x1b3/0x390 net/core/dev.c:4279
 [&lt;ffffffff82bdb6b8&gt;] netif_receive_skb+0x48/0x250 net/core/dev.c:4303
 [&lt;ffffffff8241fc75&gt;] tun_get_user+0xbd5/0x28a0 drivers/net/tun.c:1308
 [&lt;ffffffff82421b5a&gt;] tun_chr_write_iter+0xda/0x190 drivers/net/tun.c:1332
 [&lt;     inline     &gt;] new_sync_write fs/read_write.c:499
 [&lt;ffffffff8151bd44&gt;] __vfs_write+0x334/0x570 fs/read_write.c:512
 [&lt;ffffffff8151f85b&gt;] vfs_write+0x17b/0x500 fs/read_write.c:560
 [&lt;     inline     &gt;] SYSC_write fs/read_write.c:607
 [&lt;ffffffff81523184&gt;] SyS_write+0xd4/0x1a0 fs/read_write.c:599
 [&lt;ffffffff83fc02c1&gt;] entry_SYSCALL_64_fastpath+0x1f/0xc2

It turns out DCCP calls __sk_receive_skb(), and this broke when
lookups no longer took a reference on listeners.

Fix this issue by adding a @refcounted parameter to __sk_receive_skb(),
so that sock_put() is used only when needed.

Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: mangle zero checksum in skb_checksum_help()</title>
<updated>2016-11-21T09:11:34+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-10-29T18:02:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0c7f764d2c6affb393e7031519a14935c5fa2586'/>
<id>0c7f764d2c6affb393e7031519a14935c5fa2586</id>
<content type='text'>
[ Upstream commit 4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4 ]

Sending zero checksum is ok for TCP, but not for UDP.

UDPv6 receiver should by default drop a frame with a 0 checksum,
and UDPv4 would not verify the checksum and might accept a corrupted
packet.

Simply replace such checksum by 0xffff, regardless of transport.

This error was caught on SIT tunnels, but seems generic.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Maciej Żenczykowski &lt;maze@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Maciej Żenczykowski &lt;maze@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4 ]

Sending zero checksum is ok for TCP, but not for UDP.

UDPv6 receiver should by default drop a frame with a 0 checksum,
and UDPv4 would not verify the checksum and might accept a corrupted
packet.

Simply replace such checksum by 0xffff, regardless of transport.

This error was caught on SIT tunnels, but seems generic.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Maciej Żenczykowski &lt;maze@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Maciej Żenczykowski &lt;maze@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: clear sk_err_soft in sk_clone_lock()</title>
<updated>2016-11-21T09:11:34+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-10-28T20:40:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ac22a3ba07964d39e8c2cf2abda7c610d861eefe'/>
<id>ac22a3ba07964d39e8c2cf2abda7c610d861eefe</id>
<content type='text'>
[ Upstream commit e551c32d57c88923f99f8f010e89ca7ed0735e83 ]

At accept() time, it is possible the parent has a non zero
sk_err_soft, leftover from a prior error.

Make sure we do not leave this value in the child, as it
makes future getsockopt(SO_ERROR) calls quite unreliable.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Soheil Hassas Yeganeh &lt;soheil@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e551c32d57c88923f99f8f010e89ca7ed0735e83 ]

At accept() time, it is possible the parent has a non zero
sk_err_soft, leftover from a prior error.

Make sure we do not leave this value in the child, as it
makes future getsockopt(SO_ERROR) calls quite unreliable.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Soheil Hassas Yeganeh &lt;soheil@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
