<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv6/addrconf.c, branch linux-3.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipv6: remove max_addresses check from ipv6_create_tempaddr</title>
<updated>2013-09-14T12:50:48+00:00</updated>
<author>
<name>Hannes Frederic Sowa</name>
<email>hannes@stressinduktion.org</email>
</author>
<published>2013-08-16T11:02:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9b7bb7587b9165ad6325b2908a19849dbded3ce0'/>
<id>9b7bb7587b9165ad6325b2908a19849dbded3ce0</id>
<content type='text'>
[ Upstream commit 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ]

Because of the max_addresses check attackers were able to disable privacy
extensions on an interface by creating enough autoconfigured addresses:

&lt;http://seclists.org/oss-sec/2012/q4/292&gt;

But the check is not actually needed: max_addresses protects the
kernel to install too many ipv6 addresses on an interface and guards
addrconf_prefix_rcv to install further addresses as soon as this limit
is reached. We only generate temporary addresses in direct response of
a new address showing up. As soon as we filled up the maximum number of
addresses of an interface, we stop installing more addresses and thus
also stop generating more temp addresses.

Even if the attacker tries to generate a lot of temporary addresses
by announcing a prefix and removing it again (lifetime == 0) we won't
install more temp addresses, because the temporary addresses do count
to the maximum number of addresses, thus we would stop installing new
autoconfigured addresses when the limit is reached.

This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
possible).

Thanks to Ding Tianhong to bring this topic up again.

Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Cc: George Kargiotakis &lt;kargig@void.gr&gt;
Cc: P J P &lt;ppandit@redhat.com&gt;
Cc: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Acked-by: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ]

Because of the max_addresses check attackers were able to disable privacy
extensions on an interface by creating enough autoconfigured addresses:

&lt;http://seclists.org/oss-sec/2012/q4/292&gt;

But the check is not actually needed: max_addresses protects the
kernel to install too many ipv6 addresses on an interface and guards
addrconf_prefix_rcv to install further addresses as soon as this limit
is reached. We only generate temporary addresses in direct response of
a new address showing up. As soon as we filled up the maximum number of
addresses of an interface, we stop installing more addresses and thus
also stop generating more temp addresses.

Even if the attacker tries to generate a lot of temporary addresses
by announcing a prefix and removing it again (lifetime == 0) we won't
install more temp addresses, because the temporary addresses do count
to the maximum number of addresses, thus we would stop installing new
autoconfigured addresses when the limit is reached.

This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
possible).

Thanks to Ding Tianhong to bring this topic up again.

Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Cc: George Kargiotakis &lt;kargig@void.gr&gt;
Cc: P J P &lt;ppandit@redhat.com&gt;
Cc: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Acked-by: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6,mcast: always hold idev-&gt;lock before mca_lock</title>
<updated>2013-07-28T23:18:37+00:00</updated>
<author>
<name>Amerigo Wang</name>
<email>amwang@redhat.com</email>
</author>
<published>2013-06-29T13:30:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=52ef39eeff06aecc56266902bba6bf28891cabd3'/>
<id>52ef39eeff06aecc56266902bba6bf28891cabd3</id>
<content type='text'>
[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with
  some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781
  ("ipv6: split duplicate address detection and router solicitation timer")
  to get the __ipv6_get_lladdr() used by this patch. ]

dingtianhong reported the following deadlock detected by lockdep:

 ======================================================
 [ INFO: possible circular locking dependency detected ]
 3.4.24.05-0.1-default #1 Not tainted
 -------------------------------------------------------
 ksoftirqd/0/3 is trying to acquire lock:
  (&amp;ndev-&gt;lock){+.+...}, at: [&lt;ffffffff8147f804&gt;] ipv6_get_lladdr+0x74/0x120

 but task is already holding lock:
  (&amp;mc-&gt;mca_lock){+.+...}, at: [&lt;ffffffff8149d130&gt;] mld_send_report+0x40/0x150

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -&gt; #1 (&amp;mc-&gt;mca_lock){+.+...}:
        [&lt;ffffffff810a8027&gt;] validate_chain+0x637/0x730
        [&lt;ffffffff810a8417&gt;] __lock_acquire+0x2f7/0x500
        [&lt;ffffffff810a8734&gt;] lock_acquire+0x114/0x150
        [&lt;ffffffff814f691a&gt;] rt_spin_lock+0x4a/0x60
        [&lt;ffffffff8149e4bb&gt;] igmp6_group_added+0x3b/0x120
        [&lt;ffffffff8149e5d8&gt;] ipv6_mc_up+0x38/0x60
        [&lt;ffffffff81480a4d&gt;] ipv6_find_idev+0x3d/0x80
        [&lt;ffffffff81483175&gt;] addrconf_notify+0x3d5/0x4b0
        [&lt;ffffffff814fae3f&gt;] notifier_call_chain+0x3f/0x80
        [&lt;ffffffff81073471&gt;] raw_notifier_call_chain+0x11/0x20
        [&lt;ffffffff813d8722&gt;] call_netdevice_notifiers+0x32/0x60
        [&lt;ffffffff813d92d4&gt;] __dev_notify_flags+0x34/0x80
        [&lt;ffffffff813d9360&gt;] dev_change_flags+0x40/0x70
        [&lt;ffffffff813ea627&gt;] do_setlink+0x237/0x8a0
        [&lt;ffffffff813ebb6c&gt;] rtnl_newlink+0x3ec/0x600
        [&lt;ffffffff813eb4d0&gt;] rtnetlink_rcv_msg+0x160/0x310
        [&lt;ffffffff814040b9&gt;] netlink_rcv_skb+0x89/0xb0
        [&lt;ffffffff813eb357&gt;] rtnetlink_rcv+0x27/0x40
        [&lt;ffffffff81403e20&gt;] netlink_unicast+0x140/0x180
        [&lt;ffffffff81404a9e&gt;] netlink_sendmsg+0x33e/0x380
        [&lt;ffffffff813c4252&gt;] sock_sendmsg+0x112/0x130
        [&lt;ffffffff813c537e&gt;] __sys_sendmsg+0x44e/0x460
        [&lt;ffffffff813c5544&gt;] sys_sendmsg+0x44/0x70
        [&lt;ffffffff814feab9&gt;] system_call_fastpath+0x16/0x1b

 -&gt; #0 (&amp;ndev-&gt;lock){+.+...}:
        [&lt;ffffffff810a798e&gt;] check_prev_add+0x3de/0x440
        [&lt;ffffffff810a8027&gt;] validate_chain+0x637/0x730
        [&lt;ffffffff810a8417&gt;] __lock_acquire+0x2f7/0x500
        [&lt;ffffffff810a8734&gt;] lock_acquire+0x114/0x150
        [&lt;ffffffff814f6c82&gt;] rt_read_lock+0x42/0x60
        [&lt;ffffffff8147f804&gt;] ipv6_get_lladdr+0x74/0x120
        [&lt;ffffffff8149b036&gt;] mld_newpack+0xb6/0x160
        [&lt;ffffffff8149b18b&gt;] add_grhead+0xab/0xc0
        [&lt;ffffffff8149d03b&gt;] add_grec+0x3ab/0x460
        [&lt;ffffffff8149d14a&gt;] mld_send_report+0x5a/0x150
        [&lt;ffffffff8149f99e&gt;] igmp6_timer_handler+0x4e/0xb0
        [&lt;ffffffff8105705a&gt;] call_timer_fn+0xca/0x1d0
        [&lt;ffffffff81057b9f&gt;] run_timer_softirq+0x1df/0x2e0
        [&lt;ffffffff8104e8c7&gt;] handle_pending_softirqs+0xf7/0x1f0
        [&lt;ffffffff8104ea3b&gt;] __do_softirq_common+0x7b/0xf0
        [&lt;ffffffff8104f07f&gt;] __thread_do_softirq+0x1af/0x210
        [&lt;ffffffff8104f1c1&gt;] run_ksoftirqd+0xe1/0x1f0
        [&lt;ffffffff8106c7de&gt;] kthread+0xae/0xc0
        [&lt;ffffffff814fff74&gt;] kernel_thread_helper+0x4/0x10

actually we can just hold idev-&gt;lock before taking pmc-&gt;mca_lock,
and avoid taking idev-&gt;lock again when iterating idev-&gt;addr_list,
since the upper callers of mld_newpack() already take
read_lock_bh(&amp;idev-&gt;lock).

Reported-by: dingtianhong &lt;dingtianhong@huawei.com&gt;
Cc: dingtianhong &lt;dingtianhong@huawei.com&gt;
Cc: Hideaki YOSHIFUJI &lt;yoshfuji@linux-ipv6.org&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Tested-by: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Tested-by: Chen Weilong &lt;chenweilong@huawei.com&gt;
Signed-off-by: Cong Wang &lt;amwang@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with
  some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781
  ("ipv6: split duplicate address detection and router solicitation timer")
  to get the __ipv6_get_lladdr() used by this patch. ]

dingtianhong reported the following deadlock detected by lockdep:

 ======================================================
 [ INFO: possible circular locking dependency detected ]
 3.4.24.05-0.1-default #1 Not tainted
 -------------------------------------------------------
 ksoftirqd/0/3 is trying to acquire lock:
  (&amp;ndev-&gt;lock){+.+...}, at: [&lt;ffffffff8147f804&gt;] ipv6_get_lladdr+0x74/0x120

 but task is already holding lock:
  (&amp;mc-&gt;mca_lock){+.+...}, at: [&lt;ffffffff8149d130&gt;] mld_send_report+0x40/0x150

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -&gt; #1 (&amp;mc-&gt;mca_lock){+.+...}:
        [&lt;ffffffff810a8027&gt;] validate_chain+0x637/0x730
        [&lt;ffffffff810a8417&gt;] __lock_acquire+0x2f7/0x500
        [&lt;ffffffff810a8734&gt;] lock_acquire+0x114/0x150
        [&lt;ffffffff814f691a&gt;] rt_spin_lock+0x4a/0x60
        [&lt;ffffffff8149e4bb&gt;] igmp6_group_added+0x3b/0x120
        [&lt;ffffffff8149e5d8&gt;] ipv6_mc_up+0x38/0x60
        [&lt;ffffffff81480a4d&gt;] ipv6_find_idev+0x3d/0x80
        [&lt;ffffffff81483175&gt;] addrconf_notify+0x3d5/0x4b0
        [&lt;ffffffff814fae3f&gt;] notifier_call_chain+0x3f/0x80
        [&lt;ffffffff81073471&gt;] raw_notifier_call_chain+0x11/0x20
        [&lt;ffffffff813d8722&gt;] call_netdevice_notifiers+0x32/0x60
        [&lt;ffffffff813d92d4&gt;] __dev_notify_flags+0x34/0x80
        [&lt;ffffffff813d9360&gt;] dev_change_flags+0x40/0x70
        [&lt;ffffffff813ea627&gt;] do_setlink+0x237/0x8a0
        [&lt;ffffffff813ebb6c&gt;] rtnl_newlink+0x3ec/0x600
        [&lt;ffffffff813eb4d0&gt;] rtnetlink_rcv_msg+0x160/0x310
        [&lt;ffffffff814040b9&gt;] netlink_rcv_skb+0x89/0xb0
        [&lt;ffffffff813eb357&gt;] rtnetlink_rcv+0x27/0x40
        [&lt;ffffffff81403e20&gt;] netlink_unicast+0x140/0x180
        [&lt;ffffffff81404a9e&gt;] netlink_sendmsg+0x33e/0x380
        [&lt;ffffffff813c4252&gt;] sock_sendmsg+0x112/0x130
        [&lt;ffffffff813c537e&gt;] __sys_sendmsg+0x44e/0x460
        [&lt;ffffffff813c5544&gt;] sys_sendmsg+0x44/0x70
        [&lt;ffffffff814feab9&gt;] system_call_fastpath+0x16/0x1b

 -&gt; #0 (&amp;ndev-&gt;lock){+.+...}:
        [&lt;ffffffff810a798e&gt;] check_prev_add+0x3de/0x440
        [&lt;ffffffff810a8027&gt;] validate_chain+0x637/0x730
        [&lt;ffffffff810a8417&gt;] __lock_acquire+0x2f7/0x500
        [&lt;ffffffff810a8734&gt;] lock_acquire+0x114/0x150
        [&lt;ffffffff814f6c82&gt;] rt_read_lock+0x42/0x60
        [&lt;ffffffff8147f804&gt;] ipv6_get_lladdr+0x74/0x120
        [&lt;ffffffff8149b036&gt;] mld_newpack+0xb6/0x160
        [&lt;ffffffff8149b18b&gt;] add_grhead+0xab/0xc0
        [&lt;ffffffff8149d03b&gt;] add_grec+0x3ab/0x460
        [&lt;ffffffff8149d14a&gt;] mld_send_report+0x5a/0x150
        [&lt;ffffffff8149f99e&gt;] igmp6_timer_handler+0x4e/0xb0
        [&lt;ffffffff8105705a&gt;] call_timer_fn+0xca/0x1d0
        [&lt;ffffffff81057b9f&gt;] run_timer_softirq+0x1df/0x2e0
        [&lt;ffffffff8104e8c7&gt;] handle_pending_softirqs+0xf7/0x1f0
        [&lt;ffffffff8104ea3b&gt;] __do_softirq_common+0x7b/0xf0
        [&lt;ffffffff8104f07f&gt;] __thread_do_softirq+0x1af/0x210
        [&lt;ffffffff8104f1c1&gt;] run_ksoftirqd+0xe1/0x1f0
        [&lt;ffffffff8106c7de&gt;] kthread+0xae/0xc0
        [&lt;ffffffff814fff74&gt;] kernel_thread_helper+0x4/0x10

actually we can just hold idev-&gt;lock before taking pmc-&gt;mca_lock,
and avoid taking idev-&gt;lock again when iterating idev-&gt;addr_list,
since the upper callers of mld_newpack() already take
read_lock_bh(&amp;idev-&gt;lock).

Reported-by: dingtianhong &lt;dingtianhong@huawei.com&gt;
Cc: dingtianhong &lt;dingtianhong@huawei.com&gt;
Cc: Hideaki YOSHIFUJI &lt;yoshfuji@linux-ipv6.org&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Tested-by: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Tested-by: Chen Weilong &lt;chenweilong@huawei.com&gt;
Signed-off-by: Cong Wang &lt;amwang@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: don't call addrconf_dst_alloc again when enable lo</title>
<updated>2013-07-28T23:18:33+00:00</updated>
<author>
<name>Gao feng</name>
<email>gaofeng@cn.fujitsu.com</email>
</author>
<published>2013-06-16T03:14:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f9ebf8ce570a993023dd8bb20a7378f710bba4ac'/>
<id>f9ebf8ce570a993023dd8bb20a7378f710bba4ac</id>
<content type='text'>
[ Upstream commit a881ae1f625c599b460cc8f8a7fcb1c438f699ad ]

If we disable all of the net interfaces, and enable
un-lo interface before lo interface, we already allocated
the addrconf dst in ipv6_add_addr. So we shouldn't allocate
it again when we enable lo interface.

Otherwise the message below will be triggered.
unregister_netdevice: waiting for sit1 to become free. Usage count = 1

This problem is introduced by commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
"net IPv6 : Fix broken IPv6 routing table after loopback down-up"

Signed-off-by: Gao feng &lt;gaofeng@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a881ae1f625c599b460cc8f8a7fcb1c438f699ad ]

If we disable all of the net interfaces, and enable
un-lo interface before lo interface, we already allocated
the addrconf dst in ipv6_add_addr. So we shouldn't allocate
it again when we enable lo interface.

Otherwise the message below will be triggered.
unregister_netdevice: waiting for sit1 to become free. Usage count = 1

This problem is introduced by commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
"net IPv6 : Fix broken IPv6 routing table after loopback down-up"

Signed-off-by: Gao feng &lt;gaofeng@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: assign rt6_info to inet6_ifaddr in init_loopback</title>
<updated>2013-06-27T17:34:33+00:00</updated>
<author>
<name>Gao feng</name>
<email>gaofeng@cn.fujitsu.com</email>
</author>
<published>2013-06-02T22:16:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0e7d0e50a7502671ff7deed63595ed2d20ac1e8c'/>
<id>0e7d0e50a7502671ff7deed63595ed2d20ac1e8c</id>
<content type='text'>
[ Upstream commit 534c877928a16ae5f9776436a497109639bf67dc ]

Commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
"net IPv6 : Fix broken IPv6 routing table after loopback down-up"
forgot to assign rt6_info to the inet6_ifaddr.
When disable the net device, the rt6_info which allocated
in init_loopback will not be destroied in __ipv6_ifa_notify.

This will trigger the waring message below
[23527.916091] unregister_netdevice: waiting for tap0 to become free. Usage count = 1

Reported-by: Arkadiusz Miskiewicz &lt;a.miskiewicz@gmail.com&gt;
Signed-off-by: Gao feng &lt;gaofeng@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 534c877928a16ae5f9776436a497109639bf67dc ]

Commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f
"net IPv6 : Fix broken IPv6 routing table after loopback down-up"
forgot to assign rt6_info to the inet6_ifaddr.
When disable the net device, the rt6_info which allocated
in init_loopback will not be destroied in __ipv6_ifa_notify.

This will trigger the waring message below
[23527.916091] unregister_netdevice: waiting for tap0 to become free. Usage count = 1

Reported-by: Arkadiusz Miskiewicz &lt;a.miskiewicz@gmail.com&gt;
Signed-off-by: Gao feng &lt;gaofeng@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net IPv6 : Fix broken IPv6 routing table after loopback down-up</title>
<updated>2013-05-01T15:56:36+00:00</updated>
<author>
<name>Balakumaran Kannan</name>
<email>kumaran.4353@gmail.com</email>
</author>
<published>2013-04-02T10:45:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6ac784dcc8f749f83bc551684044f15a544fc5fd'/>
<id>6ac784dcc8f749f83bc551684044f15a544fc5fd</id>
<content type='text'>
[ Upstream commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f ]

IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo)
interface. After down-up, routes of other interface's IPv6 addresses through
'lo' are lost.

IPv6 addresses assigned to all interfaces are routed through 'lo' for internal
communication. Once 'lo' is down, those routing entries are removed from routing
table. But those removed entries are not being re-created properly when 'lo' is
brought up. So IPv6 addresses of other interfaces becomes unreachable from the
same machine. Also this breaks communication with other machines because of
NDISC packet processing failure.

This patch fixes this issue by reading all interface's IPv6 addresses and adding
them to IPv6 routing table while bringing up 'lo'.

==Testing==
Before applying the patch:
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$ sudo ifdown lo
$ sudo ifup lo
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$

After applying the patch:
$ route -A inet6
Kernel IPv6 routing
table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$ sudo ifdown lo
$ sudo ifup lo
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$

Signed-off-by: Balakumaran Kannan &lt;Balakumaran.Kannan@ap.sony.com&gt;
Signed-off-by: Maruthi Thotad &lt;Maruthi.Thotad@ap.sony.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f ]

IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo)
interface. After down-up, routes of other interface's IPv6 addresses through
'lo' are lost.

IPv6 addresses assigned to all interfaces are routed through 'lo' for internal
communication. Once 'lo' is down, those routing entries are removed from routing
table. But those removed entries are not being re-created properly when 'lo' is
brought up. So IPv6 addresses of other interfaces becomes unreachable from the
same machine. Also this breaks communication with other machines because of
NDISC packet processing failure.

This patch fixes this issue by reading all interface's IPv6 addresses and adding
them to IPv6 routing table while bringing up 'lo'.

==Testing==
Before applying the patch:
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$ sudo ifdown lo
$ sudo ifup lo
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$

After applying the patch:
$ route -A inet6
Kernel IPv6 routing
table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$ sudo ifdown lo
$ sudo ifup lo
$ route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2000::20/128                   ::                         U    256 0     0 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
::1/128                        ::                         Un   0   1     0 lo
2000::20/128                   ::                         Un   0   1     0 lo
fe80::xxxx:xxxx:xxxx:xxxx/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     1 lo
$

Signed-off-by: Balakumaran Kannan &lt;Balakumaran.Kannan@ap.sony.com&gt;
Signed-off-by: Maruthi Thotad &lt;Maruthi.Thotad@ap.sony.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: fix bad free of addrconf_init_net</title>
<updated>2013-04-05T17:16:53+00:00</updated>
<author>
<name>Hong Zhiguo</name>
<email>honkiko@gmail.com</email>
</author>
<published>2013-03-25T17:52:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=79f0840fe9b4b304df53d24034744b6759352e17'/>
<id>79f0840fe9b4b304df53d24034744b6759352e17</id>
<content type='text'>
[ Upstream commit a79ca223e029aa4f09abb337accf1812c900a800 ]

Signed-off-by: Hong Zhiguo &lt;honkiko@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a79ca223e029aa4f09abb337accf1812c900a800 ]

Signed-off-by: Hong Zhiguo &lt;honkiko@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtnetlink: Compute and store minimum ifinfo dump size</title>
<updated>2013-01-17T16:43:58+00:00</updated>
<author>
<name>Greg Rose</name>
<email>gregory.v.rose@intel.com</email>
</author>
<published>2013-01-04T00:32:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2e3cbdeae8e4d13087657d95ed7a5be57dc9695e'/>
<id>2e3cbdeae8e4d13087657d95ed7a5be57dc9695e</id>
<content type='text'>
commit c7ac8679bec9397afe8918f788cbcef88c38da54 upstream.

The message size allocated for rtnl ifinfo dumps was limited to
a single page.  This is not enough for additional interface info
available with devices that support SR-IOV and caused a bug in
which VF info would not be displayed if more than approximately
40 VFs were created per interface.

Implement a new function pointer for the rtnl_register service that will
calculate the amount of data required for the ifinfo dump and allocate
enough data to satisfy the request.

Signed-off-by: Greg Rose &lt;gregory.v.rose@intel.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
Cc: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c7ac8679bec9397afe8918f788cbcef88c38da54 upstream.

The message size allocated for rtnl ifinfo dumps was limited to
a single page.  This is not enough for additional interface info
available with devices that support SR-IOV and caused a bug in
which VF info would not be displayed if more than approximately
40 VFs were created per interface.

Implement a new function pointer for the rtnl_register service that will
calculate the amount of data required for the ifinfo dump and allocate
enough data to satisfy the request.

Signed-off-by: Greg Rose &lt;gregory.v.rose@intel.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
Cc: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock</title>
<updated>2012-10-02T16:47:05+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>bhutchings@solarflare.com</email>
</author>
<published>2012-08-14T08:54:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f9b6caca04a5444f61c1b08ebf04c6f2c6ff2ec9'/>
<id>f9b6caca04a5444f61c1b08ebf04c6f2c6ff2ec9</id>
<content type='text'>
[ Upstream commit 4acd4945cd1e1f92b20d14e349c6c6a52acbd42d ]

Cong Wang reports that lockdep detected suspicious RCU usage while
enabling IPV6 forwarding:

 [ 1123.310275] ===============================
 [ 1123.442202] [ INFO: suspicious RCU usage. ]
 [ 1123.558207] 3.6.0-rc1+ #109 Not tainted
 [ 1123.665204] -------------------------------
 [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!
 [ 1123.992320]
 [ 1123.992320] other info that might help us debug this:
 [ 1123.992320]
 [ 1124.307382]
 [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0
 [ 1124.522220] 2 locks held by sysctl/5710:
 [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81768498&gt;] rtnl_trylock+0x15/0x17
 [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [&lt;ffffffff81871df8&gt;] rcu_lock_acquire+0x0/0x29
 [ 1125.085209]
 [ 1125.085209] stack backtrace:
 [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109
 [ 1125.441291] Call Trace:
 [ 1125.545281]  [&lt;ffffffff8109d915&gt;] lockdep_rcu_suspicious+0x109/0x112
 [ 1125.667212]  [&lt;ffffffff8107c240&gt;] rcu_preempt_sleep_check+0x45/0x47
 [ 1125.781838]  [&lt;ffffffff8107c260&gt;] __might_sleep+0x1e/0x19b
[...]
 [ 1127.445223]  [&lt;ffffffff81757ac5&gt;] call_netdevice_notifiers+0x4a/0x4f
[...]
 [ 1127.772188]  [&lt;ffffffff8175e125&gt;] dev_disable_lro+0x32/0x6b
 [ 1127.885174]  [&lt;ffffffff81872d26&gt;] dev_forward_change+0x30/0xcb
 [ 1128.013214]  [&lt;ffffffff818738c4&gt;] addrconf_forward_change+0x85/0xc5
[...]

addrconf_forward_change() uses RCU iteration over the netdev list,
which is unnecessary since it already holds the RTNL lock.  We also
cannot reasonably require netdevice notifier functions not to sleep.

Reported-by: Cong Wang &lt;amwang@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4acd4945cd1e1f92b20d14e349c6c6a52acbd42d ]

Cong Wang reports that lockdep detected suspicious RCU usage while
enabling IPV6 forwarding:

 [ 1123.310275] ===============================
 [ 1123.442202] [ INFO: suspicious RCU usage. ]
 [ 1123.558207] 3.6.0-rc1+ #109 Not tainted
 [ 1123.665204] -------------------------------
 [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!
 [ 1123.992320]
 [ 1123.992320] other info that might help us debug this:
 [ 1123.992320]
 [ 1124.307382]
 [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0
 [ 1124.522220] 2 locks held by sysctl/5710:
 [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81768498&gt;] rtnl_trylock+0x15/0x17
 [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [&lt;ffffffff81871df8&gt;] rcu_lock_acquire+0x0/0x29
 [ 1125.085209]
 [ 1125.085209] stack backtrace:
 [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109
 [ 1125.441291] Call Trace:
 [ 1125.545281]  [&lt;ffffffff8109d915&gt;] lockdep_rcu_suspicious+0x109/0x112
 [ 1125.667212]  [&lt;ffffffff8107c240&gt;] rcu_preempt_sleep_check+0x45/0x47
 [ 1125.781838]  [&lt;ffffffff8107c260&gt;] __might_sleep+0x1e/0x19b
[...]
 [ 1127.445223]  [&lt;ffffffff81757ac5&gt;] call_netdevice_notifiers+0x4a/0x4f
[...]
 [ 1127.772188]  [&lt;ffffffff8175e125&gt;] dev_disable_lro+0x32/0x6b
 [ 1127.885174]  [&lt;ffffffff81872d26&gt;] dev_forward_change+0x30/0xcb
 [ 1128.013214]  [&lt;ffffffff818738c4&gt;] addrconf_forward_change+0x85/0xc5
[...]

addrconf_forward_change() uses RCU iteration over the netdev list,
which is unnecessary since it already holds the RTNL lock.  We also
cannot reasonably require netdevice notifier functions not to sleep.

Reported-by: Cong Wang &lt;amwang@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IPv6: Fix not join all-router mcast group when forwarding set.</title>
<updated>2012-03-19T15:57:46+00:00</updated>
<author>
<name>Li Wei</name>
<email>lw@cn.fujitsu.com</email>
</author>
<published>2012-03-05T14:45:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=94962718da9d6df11a3a30511016707e4e9451dc'/>
<id>94962718da9d6df11a3a30511016707e4e9451dc</id>
<content type='text'>
[ Upstream commit d6ddef9e641d1229d4ec841dc75ae703171c3e92 ]

When forwarding was set and a new net device is register,
we need add this device to the all-router mcast group.

Signed-off-by: Li Wei &lt;lw@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d6ddef9e641d1229d4ec841dc75ae703171c3e92 ]

When forwarding was set and a new net device is register,
we need add this device to the all-router mcast group.

Signed-off-by: Li Wei &lt;lw@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix NULL dereferences in check_peer_redir()</title>
<updated>2012-02-13T19:06:13+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2012-02-09T21:13:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a533666d1591cf4ea596c6bd710e2fe682cb56a'/>
<id>8a533666d1591cf4ea596c6bd710e2fe682cb56a</id>
<content type='text'>
[ Upstream commit d3aaeb38c40e5a6c08dd31a1b64da65c4352be36, along
  with dependent backports of commits:
     69cce1d1404968f78b177a0314f5822d5afdbbfb
     9de79c127cccecb11ae6a21ab1499e87aa222880
     218fa90f072e4aeff9003d57e390857f4f35513e
     580da35a31f91a594f3090b7a2c39b85cb051a12
     f7e57044eeb1841847c24aa06766c8290c202583
     e049f28883126c689cf95859480d9ee4ab23b7fa ]

Gergely Kalman reported crashes in check_peer_redir().

It appears commit f39925dbde778 (ipv4: Cache learned redirect
information in inetpeer.) added a race, leading to possible NULL ptr
dereference.

Since we can now change dst neighbour, we should make sure a reader can
safely use a neighbour.

Add RCU protection to dst neighbour, and make sure check_peer_redir()
can be called safely by different cpus in parallel.

As neighbours are already freed after one RCU grace period, this patch
should not add typical RCU penalty (cache cold effects)

Many thanks to Gergely for providing a pretty report pointing to the
bug.

Reported-by: Gergely Kalman &lt;synapse@hippy.csoma.elte.hu&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d3aaeb38c40e5a6c08dd31a1b64da65c4352be36, along
  with dependent backports of commits:
     69cce1d1404968f78b177a0314f5822d5afdbbfb
     9de79c127cccecb11ae6a21ab1499e87aa222880
     218fa90f072e4aeff9003d57e390857f4f35513e
     580da35a31f91a594f3090b7a2c39b85cb051a12
     f7e57044eeb1841847c24aa06766c8290c202583
     e049f28883126c689cf95859480d9ee4ab23b7fa ]

Gergely Kalman reported crashes in check_peer_redir().

It appears commit f39925dbde778 (ipv4: Cache learned redirect
information in inetpeer.) added a race, leading to possible NULL ptr
dereference.

Since we can now change dst neighbour, we should make sure a reader can
safely use a neighbour.

Add RCU protection to dst neighbour, and make sure check_peer_redir()
can be called safely by different cpus in parallel.

As neighbours are already freed after one RCU grace period, this patch
should not add typical RCU penalty (cache cold effects)

Many thanks to Gergely for providing a pretty report pointing to the
bug.

Reported-by: Gergely Kalman &lt;synapse@hippy.csoma.elte.hu&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
