<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4/af_inet.c, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: ping: do not abuse udp_poll()</title>
<updated>2017-06-25T04:25:36+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-06-03T16:29:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=169a7e245c7fa97b0fcf1527bfa1d45a40b02405'/>
<id>169a7e245c7fa97b0fcf1527bfa1d45a40b02405</id>
<content type='text'>
[ Upstream commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 ]

Alexander reported various KASAN messages triggered in recent kernels

The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Cc: Solar Designer &lt;solar@openwall.com&gt;
Cc: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Cc: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Acked-By: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Tested-By: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 ]

Alexander reported various KASAN messages triggered in recent kernels

The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Cc: Solar Designer &lt;solar@openwall.com&gt;
Cc: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Cc: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Acked-By: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Tested-By: Lorenzo Colitti &lt;lorenzo@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tunnels: Don't apply GRO to multiple layers of encapsulation.</title>
<updated>2017-01-13T17:21:58+00:00</updated>
<author>
<name>Jesse Gross</name>
<email>jesse@kernel.org</email>
</author>
<published>2016-03-19T16:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=066b300e5be43cb61697539e2a3a9aac5afb422f'/>
<id>066b300e5be43cb61697539e2a3a9aac5afb422f</id>
<content type='text'>
[ Upstream commit fac8e0f579695a3ecbc4d3cac369139d7f819971 ]

When drivers express support for TSO of encapsulated packets, they
only mean that they can do it for one layer of encapsulation.
Supporting additional levels would mean updating, at a minimum,
more IP length fields and they are unaware of this.

No encapsulation device expresses support for handling offloaded
encapsulated packets, so we won't generate these types of frames
in the transmit path. However, GRO doesn't have a check for
multiple levels of encapsulation and will attempt to build them.

UDP tunnel GRO actually does prevent this situation but it only
handles multiple UDP tunnels stacked on top of each other. This
generalizes that solution to prevent any kind of tunnel stacking
that would cause problems.

Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack")
Signed-off-by: Jesse Gross &lt;jesse@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fac8e0f579695a3ecbc4d3cac369139d7f819971 ]

When drivers express support for TSO of encapsulated packets, they
only mean that they can do it for one layer of encapsulation.
Supporting additional levels would mean updating, at a minimum,
more IP length fields and they are unaware of this.

No encapsulation device expresses support for handling offloaded
encapsulated packets, so we won't generate these types of frames
in the transmit path. However, GRO doesn't have a check for
multiple levels of encapsulation and will attempt to build them.

UDP tunnel GRO actually does prevent this situation but it only
handles multiple UDP tunnels stacked on top of each other. This
generalizes that solution to prevent any kind of tunnel stacking
that would cause problems.

Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack")
Signed-off-by: Jesse Gross &lt;jesse@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv4: Convert IP network timestamps to be y2038 safe</title>
<updated>2017-01-13T17:21:08+00:00</updated>
<author>
<name>Deepa Dinamani</name>
<email>deepa.kernel@gmail.com</email>
</author>
<published>2016-02-27T08:32:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b11e1542feca30e7ea0baf1b412e44e7b27f93c2'/>
<id>b11e1542feca30e7ea0baf1b412e44e7b27f93c2</id>
<content type='text'>
[ Upstream commit 822c868532cae2cc1c51f4f18ab61c194d98aaf6 ]

ICMP timestamp messages and IP source route options require
timestamps to be in milliseconds modulo 24 hours from
midnight UT format.

Add inet_current_timestamp() function to support this. The function
returns the required timestamp in network byte order.

Timestamp calculation is also changed to call ktime_get_real_ts64()
which uses struct timespec64. struct timespec64 is y2038 safe.
Previously it called getnstimeofday() which uses struct timespec.
struct timespec is not y2038 safe.

Signed-off-by: Deepa Dinamani &lt;deepa.kernel@gmail.com&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt;
Cc: Hideaki YOSHIFUJI &lt;yoshfuji@linux-ipv6.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Patrick McHardy &lt;kaber@trash.net&gt;
Acked-by: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Acked-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 822c868532cae2cc1c51f4f18ab61c194d98aaf6 ]

ICMP timestamp messages and IP source route options require
timestamps to be in milliseconds modulo 24 hours from
midnight UT format.

Add inet_current_timestamp() function to support this. The function
returns the required timestamp in network byte order.

Timestamp calculation is also changed to call ktime_get_real_ts64()
which uses struct timespec64. struct timespec64 is y2038 safe.
Previously it called getnstimeofday() which uses struct timespec.
struct timespec is not y2038 safe.

Signed-off-by: Deepa Dinamani &lt;deepa.kernel@gmail.com&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt;
Cc: Hideaki YOSHIFUJI &lt;yoshfuji@linux-ipv6.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Patrick McHardy &lt;kaber@trash.net&gt;
Acked-by: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Acked-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipip: Properly mark ipip GRO packets as encapsulated.</title>
<updated>2017-01-13T17:21:08+00:00</updated>
<author>
<name>Jesse Gross</name>
<email>jesse@kernel.org</email>
</author>
<published>2016-03-19T16:32:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5023ae270216fd980d51770aec1806acaf90846c'/>
<id>5023ae270216fd980d51770aec1806acaf90846c</id>
<content type='text'>
[ Upstream commit b8cba75bdf6a48ea4811bbefb11a94a5c7281b68 ]

ipip encapsulated packets can be merged together by GRO but the result
does not have the proper GSO type set or even marked as being
encapsulated at all. Later retransmission of these packets will likely
fail if the device does not support ipip offloads. This is similar to
the issue resolved in IPv6 sit in feec0cb3
("ipv6: gro: support sit protocol").

Reported-by: Patrick Boutilier &lt;boutilpj@ednet.ns.ca&gt;
Fixes: 9667e9bb ("ipip: Add gro callbacks to ipip offload")
Tested-by: Patrick Boutilier &lt;boutilpj@ednet.ns.ca&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Jesse Gross &lt;jesse@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b8cba75bdf6a48ea4811bbefb11a94a5c7281b68 ]

ipip encapsulated packets can be merged together by GRO but the result
does not have the proper GSO type set or even marked as being
encapsulated at all. Later retransmission of these packets will likely
fail if the device does not support ipip offloads. This is similar to
the issue resolved in IPv6 sit in feec0cb3
("ipv6: gro: support sit protocol").

Reported-by: Patrick Boutilier &lt;boutilpj@ednet.ns.ca&gt;
Fixes: 9667e9bb ("ipip: Add gro callbacks to ipip offload")
Tested-by: Patrick Boutilier &lt;boutilpj@ednet.ns.ca&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Jesse Gross &lt;jesse@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add recursion limit to GRO</title>
<updated>2016-12-23T13:56:36+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2016-12-14T12:24:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fabaaaa96d54077b4a9f2c811e55dc09ff2874db'/>
<id>fabaaaa96d54077b4a9f2c811e55dc09ff2874db</id>
<content type='text'>
[ Debian: net-add-recursion-limit-to-gro.patch ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Debian: net-add-recursion-limit-to-gro.patch ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add validation for the socket syscall protocol argument</title>
<updated>2016-01-23T04:54:13+00:00</updated>
<author>
<name>Hannes Frederic Sowa</name>
<email>hannes@stressinduktion.org</email>
</author>
<published>2015-12-14T21:03:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc8f79b522b57ca79a676615003d85b08162ff5a'/>
<id>bc8f79b522b57ca79a676615003d85b08162ff5a</id>
<content type='text'>
[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

	int socket_fd;
	struct sockaddr_in addr;
	addr.sin_port = 0;
	addr.sin_addr.s_addr = INADDR_ANY;
	addr.sin_family = 10;

	socket_fd = socket(10,3,0x40000000);
	connect(socket_fd , &amp;addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [&lt;ffffffff816db90e&gt;] ? inet_autobind+0x2e/0x70
kernel:  [&lt;ffffffff816db9a4&gt;] inet_dgram_connect+0x54/0x80
kernel:  [&lt;ffffffff81645069&gt;] SYSC_connect+0xd9/0x110
kernel:  [&lt;ffffffff810ac51b&gt;] ? ptrace_notify+0x5b/0x80
kernel:  [&lt;ffffffff810236d8&gt;] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [&lt;ffffffff81645e0e&gt;] SyS_connect+0xe/0x10
kernel:  [&lt;ffffffff81779515&gt;] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

CVE: CVE-2015-8543
Cc: Cong Wang &lt;cwang@twopensource.com&gt;
Reported-by: 郭永刚 &lt;guoyonggang@360.cn&gt;
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

	int socket_fd;
	struct sockaddr_in addr;
	addr.sin_port = 0;
	addr.sin_addr.s_addr = INADDR_ANY;
	addr.sin_family = 10;

	socket_fd = socket(10,3,0x40000000);
	connect(socket_fd , &amp;addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [&lt;ffffffff816db90e&gt;] ? inet_autobind+0x2e/0x70
kernel:  [&lt;ffffffff816db9a4&gt;] inet_dgram_connect+0x54/0x80
kernel:  [&lt;ffffffff81645069&gt;] SYSC_connect+0xd9/0x110
kernel:  [&lt;ffffffff810ac51b&gt;] ? ptrace_notify+0x5b/0x80
kernel:  [&lt;ffffffff810236d8&gt;] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [&lt;ffffffff81645e0e&gt;] SyS_connect+0xe/0x10
kernel:  [&lt;ffffffff81779515&gt;] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

CVE: CVE-2015-8543
Cc: Cong Wang &lt;cwang@twopensource.com&gt;
Reported-by: 郭永刚 &lt;guoyonggang@360.cn&gt;
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Do not call tcp_fastopen_reset_cipher from interrupt context</title>
<updated>2015-07-10T16:49:29+00:00</updated>
<author>
<name>Christoph Paasch</name>
<email>cpaasch@apple.com</email>
</author>
<published>2015-06-18T16:15:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c31967d447989b85b631dda39487a319df21e03a'/>
<id>c31967d447989b85b631dda39487a319df21e03a</id>
<content type='text'>
[ Upstream commit dfea2aa654243f70dc53b8648d0bbdeec55a7df1 ]

tcp_fastopen_reset_cipher really cannot be called from interrupt
context. It allocates the tcp_fastopen_context with GFP_KERNEL and
calls crypto_alloc_cipher, which allocates all kind of stuff with
GFP_KERNEL.

Thus, we might sleep when the key-generation is triggered by an
incoming TFO cookie-request which would then happen in interrupt-
context, as shown by enabling CONFIG_DEBUG_ATOMIC_SLEEP:

[   36.001813] BUG: sleeping function called from invalid context at mm/slub.c:1266
[   36.003624] in_atomic(): 1, irqs_disabled(): 0, pid: 1016, name: packetdrill
[   36.004859] CPU: 1 PID: 1016 Comm: packetdrill Not tainted 4.1.0-rc7 #14
[   36.006085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[   36.008250]  00000000000004f2 ffff88007f8838a8 ffffffff8171d53a ffff880075a084a8
[   36.009630]  ffff880075a08000 ffff88007f8838c8 ffffffff810967d3 ffff88007f883928
[   36.011076]  0000000000000000 ffff88007f8838f8 ffffffff81096892 ffff88007f89be00
[   36.012494] Call Trace:
[   36.012953]  &lt;IRQ&gt;  [&lt;ffffffff8171d53a&gt;] dump_stack+0x4f/0x6d
[   36.014085]  [&lt;ffffffff810967d3&gt;] ___might_sleep+0x103/0x170
[   36.015117]  [&lt;ffffffff81096892&gt;] __might_sleep+0x52/0x90
[   36.016117]  [&lt;ffffffff8118e887&gt;] kmem_cache_alloc_trace+0x47/0x190
[   36.017266]  [&lt;ffffffff81680d82&gt;] ? tcp_fastopen_reset_cipher+0x42/0x130
[   36.018485]  [&lt;ffffffff81680d82&gt;] tcp_fastopen_reset_cipher+0x42/0x130
[   36.019679]  [&lt;ffffffff81680f01&gt;] tcp_fastopen_init_key_once+0x61/0x70
[   36.020884]  [&lt;ffffffff81680f2c&gt;] __tcp_fastopen_cookie_gen+0x1c/0x60
[   36.022058]  [&lt;ffffffff816814ff&gt;] tcp_try_fastopen+0x58f/0x730
[   36.023118]  [&lt;ffffffff81671788&gt;] tcp_conn_request+0x3e8/0x7b0
[   36.024185]  [&lt;ffffffff810e3872&gt;] ? __module_text_address+0x12/0x60
[   36.025327]  [&lt;ffffffff8167b2e1&gt;] tcp_v4_conn_request+0x51/0x60
[   36.026410]  [&lt;ffffffff816727e0&gt;] tcp_rcv_state_process+0x190/0xda0
[   36.027556]  [&lt;ffffffff81661f97&gt;] ? __inet_lookup_established+0x47/0x170
[   36.028784]  [&lt;ffffffff8167c2ad&gt;] tcp_v4_do_rcv+0x16d/0x3d0
[   36.029832]  [&lt;ffffffff812e6806&gt;] ? security_sock_rcv_skb+0x16/0x20
[   36.030936]  [&lt;ffffffff8167cc8a&gt;] tcp_v4_rcv+0x77a/0x7b0
[   36.031875]  [&lt;ffffffff816af8c3&gt;] ? iptable_filter_hook+0x33/0x70
[   36.032953]  [&lt;ffffffff81657d22&gt;] ip_local_deliver_finish+0x92/0x1f0
[   36.034065]  [&lt;ffffffff81657f1a&gt;] ip_local_deliver+0x9a/0xb0
[   36.035069]  [&lt;ffffffff81657c90&gt;] ? ip_rcv+0x3d0/0x3d0
[   36.035963]  [&lt;ffffffff81657569&gt;] ip_rcv_finish+0x119/0x330
[   36.036950]  [&lt;ffffffff81657ba7&gt;] ip_rcv+0x2e7/0x3d0
[   36.037847]  [&lt;ffffffff81610652&gt;] __netif_receive_skb_core+0x552/0x930
[   36.038994]  [&lt;ffffffff81610a57&gt;] __netif_receive_skb+0x27/0x70
[   36.040033]  [&lt;ffffffff81610b72&gt;] process_backlog+0xd2/0x1f0
[   36.041025]  [&lt;ffffffff81611482&gt;] net_rx_action+0x122/0x310
[   36.042007]  [&lt;ffffffff81076743&gt;] __do_softirq+0x103/0x2f0
[   36.042978]  [&lt;ffffffff81723e3c&gt;] do_softirq_own_stack+0x1c/0x30

This patch moves the call to tcp_fastopen_init_key_once to the places
where a listener socket creates its TFO-state, which always happens in
user-context (either from the setsockopt, or implicitly during the
listen()-call)

Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Fixes: 222e83d2e0ae ("tcp: switch tcp_fastopen key generation to net_get_random_once")
Signed-off-by: Christoph Paasch &lt;cpaasch@apple.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit dfea2aa654243f70dc53b8648d0bbdeec55a7df1 ]

tcp_fastopen_reset_cipher really cannot be called from interrupt
context. It allocates the tcp_fastopen_context with GFP_KERNEL and
calls crypto_alloc_cipher, which allocates all kind of stuff with
GFP_KERNEL.

Thus, we might sleep when the key-generation is triggered by an
incoming TFO cookie-request which would then happen in interrupt-
context, as shown by enabling CONFIG_DEBUG_ATOMIC_SLEEP:

[   36.001813] BUG: sleeping function called from invalid context at mm/slub.c:1266
[   36.003624] in_atomic(): 1, irqs_disabled(): 0, pid: 1016, name: packetdrill
[   36.004859] CPU: 1 PID: 1016 Comm: packetdrill Not tainted 4.1.0-rc7 #14
[   36.006085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[   36.008250]  00000000000004f2 ffff88007f8838a8 ffffffff8171d53a ffff880075a084a8
[   36.009630]  ffff880075a08000 ffff88007f8838c8 ffffffff810967d3 ffff88007f883928
[   36.011076]  0000000000000000 ffff88007f8838f8 ffffffff81096892 ffff88007f89be00
[   36.012494] Call Trace:
[   36.012953]  &lt;IRQ&gt;  [&lt;ffffffff8171d53a&gt;] dump_stack+0x4f/0x6d
[   36.014085]  [&lt;ffffffff810967d3&gt;] ___might_sleep+0x103/0x170
[   36.015117]  [&lt;ffffffff81096892&gt;] __might_sleep+0x52/0x90
[   36.016117]  [&lt;ffffffff8118e887&gt;] kmem_cache_alloc_trace+0x47/0x190
[   36.017266]  [&lt;ffffffff81680d82&gt;] ? tcp_fastopen_reset_cipher+0x42/0x130
[   36.018485]  [&lt;ffffffff81680d82&gt;] tcp_fastopen_reset_cipher+0x42/0x130
[   36.019679]  [&lt;ffffffff81680f01&gt;] tcp_fastopen_init_key_once+0x61/0x70
[   36.020884]  [&lt;ffffffff81680f2c&gt;] __tcp_fastopen_cookie_gen+0x1c/0x60
[   36.022058]  [&lt;ffffffff816814ff&gt;] tcp_try_fastopen+0x58f/0x730
[   36.023118]  [&lt;ffffffff81671788&gt;] tcp_conn_request+0x3e8/0x7b0
[   36.024185]  [&lt;ffffffff810e3872&gt;] ? __module_text_address+0x12/0x60
[   36.025327]  [&lt;ffffffff8167b2e1&gt;] tcp_v4_conn_request+0x51/0x60
[   36.026410]  [&lt;ffffffff816727e0&gt;] tcp_rcv_state_process+0x190/0xda0
[   36.027556]  [&lt;ffffffff81661f97&gt;] ? __inet_lookup_established+0x47/0x170
[   36.028784]  [&lt;ffffffff8167c2ad&gt;] tcp_v4_do_rcv+0x16d/0x3d0
[   36.029832]  [&lt;ffffffff812e6806&gt;] ? security_sock_rcv_skb+0x16/0x20
[   36.030936]  [&lt;ffffffff8167cc8a&gt;] tcp_v4_rcv+0x77a/0x7b0
[   36.031875]  [&lt;ffffffff816af8c3&gt;] ? iptable_filter_hook+0x33/0x70
[   36.032953]  [&lt;ffffffff81657d22&gt;] ip_local_deliver_finish+0x92/0x1f0
[   36.034065]  [&lt;ffffffff81657f1a&gt;] ip_local_deliver+0x9a/0xb0
[   36.035069]  [&lt;ffffffff81657c90&gt;] ? ip_rcv+0x3d0/0x3d0
[   36.035963]  [&lt;ffffffff81657569&gt;] ip_rcv_finish+0x119/0x330
[   36.036950]  [&lt;ffffffff81657ba7&gt;] ip_rcv+0x2e7/0x3d0
[   36.037847]  [&lt;ffffffff81610652&gt;] __netif_receive_skb_core+0x552/0x930
[   36.038994]  [&lt;ffffffff81610a57&gt;] __netif_receive_skb+0x27/0x70
[   36.040033]  [&lt;ffffffff81610b72&gt;] process_backlog+0xd2/0x1f0
[   36.041025]  [&lt;ffffffff81611482&gt;] net_rx_action+0x122/0x310
[   36.042007]  [&lt;ffffffff81076743&gt;] __do_softirq+0x103/0x2f0
[   36.042978]  [&lt;ffffffff81723e3c&gt;] do_softirq_own_stack+0x1c/0x30

This patch moves the call to tcp_fastopen_init_key_once to the places
where a listener socket creates its TFO-state, which always happens in
user-context (either from the setsockopt, or implicitly during the
listen()-call)

Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Fixes: 222e83d2e0ae ("tcp: switch tcp_fastopen key generation to net_get_random_once")
Signed-off-by: Christoph Paasch &lt;cpaasch@apple.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: coding style: comparison for inequality with NULL</title>
<updated>2015-04-03T16:11:15+00:00</updated>
<author>
<name>Ian Morris</name>
<email>ipm@chirality.org.uk</email>
</author>
<published>2015-04-03T08:17:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=00db41243e8d5032c2e0f5bf6063bb19324bfdb3'/>
<id>00db41243e8d5032c2e0f5bf6063bb19324bfdb3</id>
<content type='text'>
The ipv4 code uses a mixture of coding styles. In some instances check
for non-NULL pointer is done as x != NULL and sometimes as x. x is
preferred according to checkpatch and this patch makes the code
consistent by adopting the latter form.

No changes detected by objdiff.

Signed-off-by: Ian Morris &lt;ipm@chirality.org.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ipv4 code uses a mixture of coding styles. In some instances check
for non-NULL pointer is done as x != NULL and sometimes as x. x is
preferred according to checkpatch and this patch makes the code
consistent by adopting the latter form.

No changes detected by objdiff.

Signed-off-by: Ian Morris &lt;ipm@chirality.org.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: coding style: comparison for equality with NULL</title>
<updated>2015-04-03T16:11:15+00:00</updated>
<author>
<name>Ian Morris</name>
<email>ipm@chirality.org.uk</email>
</author>
<published>2015-04-03T08:17:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=51456b2914a34d16b1255b7c55d5cbf6a681d306'/>
<id>51456b2914a34d16b1255b7c55d5cbf6a681d306</id>
<content type='text'>
The ipv4 code uses a mixture of coding styles. In some instances check
for NULL pointer is done as x == NULL and sometimes as !x. !x is
preferred according to checkpatch and this patch makes the code
consistent by adopting the latter form.

No changes detected by objdiff.

Signed-off-by: Ian Morris &lt;ipm@chirality.org.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ipv4 code uses a mixture of coding styles. In some instances check
for NULL pointer is done as x == NULL and sometimes as !x. !x is
preferred according to checkpatch and this patch makes the code
consistent by adopting the latter form.

No changes detected by objdiff.

Signed-off-by: Ian Morris &lt;ipm@chirality.org.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Remove iocb argument from sendmsg and recvmsg</title>
<updated>2015-03-02T18:06:31+00:00</updated>
<author>
<name>Ying Xue</name>
<email>ying.xue@windriver.com</email>
</author>
<published>2015-03-02T07:37:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b784140474e4fc94281a49e96c67d29df0efbde'/>
<id>1b784140474e4fc94281a49e96c67d29df0efbde</id>
<content type='text'>
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.

Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Suggested-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Ying Xue &lt;ying.xue@windriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.

Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Suggested-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Ying Xue &lt;ying.xue@windriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
