<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/sctp, branch linux-4.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>sctp: fix overrun in sctp_diag_dump_one()</title>
<updated>2016-09-24T08:09:25+00:00</updated>
<author>
<name>Lance Richardson</name>
<email>lrichard@redhat.com</email>
</author>
<published>2016-08-23T15:40:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e7a47a811157a6034212e1fb7228a51ce6e9efda'/>
<id>e7a47a811157a6034212e1fb7228a51ce6e9efda</id>
<content type='text'>
[ Upstream commit 232cb53a45965f8789fbf0a9a1962f8c67ab1a3c ]

The function sctp_diag_dump_one() currently performs a memcpy()
of 64 bytes from a 16 byte field into another 16 byte field. Fix
by using correct size, use sizeof to obtain correct size instead
of using a hard-coded constant.

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Lance Richardson &lt;lrichard@redhat.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 232cb53a45965f8789fbf0a9a1962f8c67ab1a3c ]

The function sctp_diag_dump_one() currently performs a memcpy()
of 64 bytes from a 16 byte field into another 16 byte field. Fix
by using correct size, use sizeof to obtain correct size instead
of using a hard-coded constant.

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Lance Richardson &lt;lrichard@redhat.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/sctp: always initialise sctp_ht_iter::start_fail</title>
<updated>2016-09-24T08:09:24+00:00</updated>
<author>
<name>Vegard Nossum</name>
<email>vegard.nossum@oracle.com</email>
</author>
<published>2016-08-12T07:50:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b200d3a9ae76e764ee622761d87c7d521ed6c198'/>
<id>b200d3a9ae76e764ee622761d87c7d521ed6c198</id>
<content type='text'>
[ Upstream commit 54236ab09e9696a27baaae693c288920a26e8588 ]

sctp_transport_seq_start() does not currently clear iter-&gt;start_fail on
success, but relies on it being zero when it is allocated (by
seq_open_net()).

This can be a problem in the following sequence:

    open() // allocates iter (and implicitly sets iter-&gt;start_fail = 0)
    read()
     - iter-&gt;start() // fails and sets iter-&gt;start_fail = 1
     - iter-&gt;stop() // doesn't call sctp_transport_walk_stop() (correct)
    read() again
     - iter-&gt;start() // succeeds, but doesn't change iter-&gt;start_fail
     - iter-&gt;stop() // doesn't call sctp_transport_walk_stop() (wrong)

We should initialize sctp_ht_iter::start_fail to zero if -&gt;start()
succeeds, otherwise it's possible that we leave an old value of 1 there,
which will cause -&gt;stop() to not call sctp_transport_walk_stop(), which
causes all sorts of problems like not calling rcu_read_unlock() (and
preempt_enable()), eventually leading to more warnings like this:

    BUG: sleeping function called from invalid context at mm/slab.h:388
    in_atomic(): 0, irqs_disabled(): 0, pid: 16551, name: trinity-c2
    Preemption disabled at:[&lt;ffffffff819bceb6&gt;] rhashtable_walk_start+0x46/0x150

     [&lt;ffffffff81149abb&gt;] preempt_count_add+0x1fb/0x280
     [&lt;ffffffff83295892&gt;] _raw_spin_lock+0x12/0x40
     [&lt;ffffffff819bceb6&gt;] rhashtable_walk_start+0x46/0x150
     [&lt;ffffffff82ec665f&gt;] sctp_transport_walk_start+0x2f/0x60
     [&lt;ffffffff82edda1d&gt;] sctp_transport_seq_start+0x4d/0x150
     [&lt;ffffffff81439e50&gt;] traverse+0x170/0x850
     [&lt;ffffffff8143aeec&gt;] seq_read+0x7cc/0x1180
     [&lt;ffffffff814f996c&gt;] proc_reg_read+0xbc/0x180
     [&lt;ffffffff813d0384&gt;] do_loop_readv_writev+0x134/0x210
     [&lt;ffffffff813d2a95&gt;] do_readv_writev+0x565/0x660
     [&lt;ffffffff813d6857&gt;] vfs_readv+0x67/0xa0
     [&lt;ffffffff813d6c16&gt;] do_preadv+0x126/0x170
     [&lt;ffffffff813d710c&gt;] SyS_preadv+0xc/0x10
     [&lt;ffffffff8100334c&gt;] do_syscall_64+0x19c/0x410
     [&lt;ffffffff83296225&gt;] return_from_SYSCALL_64+0x0/0x6a
     [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Notice that this is a subtly different stacktrace from the one in commit
5fc382d875 ("net/sctp: terminate rhashtable walk correctly").

Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Acked-By: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 54236ab09e9696a27baaae693c288920a26e8588 ]

sctp_transport_seq_start() does not currently clear iter-&gt;start_fail on
success, but relies on it being zero when it is allocated (by
seq_open_net()).

This can be a problem in the following sequence:

    open() // allocates iter (and implicitly sets iter-&gt;start_fail = 0)
    read()
     - iter-&gt;start() // fails and sets iter-&gt;start_fail = 1
     - iter-&gt;stop() // doesn't call sctp_transport_walk_stop() (correct)
    read() again
     - iter-&gt;start() // succeeds, but doesn't change iter-&gt;start_fail
     - iter-&gt;stop() // doesn't call sctp_transport_walk_stop() (wrong)

We should initialize sctp_ht_iter::start_fail to zero if -&gt;start()
succeeds, otherwise it's possible that we leave an old value of 1 there,
which will cause -&gt;stop() to not call sctp_transport_walk_stop(), which
causes all sorts of problems like not calling rcu_read_unlock() (and
preempt_enable()), eventually leading to more warnings like this:

    BUG: sleeping function called from invalid context at mm/slab.h:388
    in_atomic(): 0, irqs_disabled(): 0, pid: 16551, name: trinity-c2
    Preemption disabled at:[&lt;ffffffff819bceb6&gt;] rhashtable_walk_start+0x46/0x150

     [&lt;ffffffff81149abb&gt;] preempt_count_add+0x1fb/0x280
     [&lt;ffffffff83295892&gt;] _raw_spin_lock+0x12/0x40
     [&lt;ffffffff819bceb6&gt;] rhashtable_walk_start+0x46/0x150
     [&lt;ffffffff82ec665f&gt;] sctp_transport_walk_start+0x2f/0x60
     [&lt;ffffffff82edda1d&gt;] sctp_transport_seq_start+0x4d/0x150
     [&lt;ffffffff81439e50&gt;] traverse+0x170/0x850
     [&lt;ffffffff8143aeec&gt;] seq_read+0x7cc/0x1180
     [&lt;ffffffff814f996c&gt;] proc_reg_read+0xbc/0x180
     [&lt;ffffffff813d0384&gt;] do_loop_readv_writev+0x134/0x210
     [&lt;ffffffff813d2a95&gt;] do_readv_writev+0x565/0x660
     [&lt;ffffffff813d6857&gt;] vfs_readv+0x67/0xa0
     [&lt;ffffffff813d6c16&gt;] do_preadv+0x126/0x170
     [&lt;ffffffff813d710c&gt;] SyS_preadv+0xc/0x10
     [&lt;ffffffff8100334c&gt;] do_syscall_64+0x19c/0x410
     [&lt;ffffffff83296225&gt;] return_from_SYSCALL_64+0x0/0x6a
     [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Notice that this is a subtly different stacktrace from the one in commit
5fc382d875 ("net/sctp: terminate rhashtable walk correctly").

Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Acked-By: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/sctp: terminate rhashtable walk correctly</title>
<updated>2016-08-16T07:34:58+00:00</updated>
<author>
<name>Vegard Nossum</name>
<email>vegard.nossum@oracle.com</email>
</author>
<published>2016-07-23T07:42:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=77719251041381423bf6fb4ae9d529e2a42adb55'/>
<id>77719251041381423bf6fb4ae9d529e2a42adb55</id>
<content type='text'>
[ Upstream commit 5fc382d87517707ad77ea4c9c12e2a3fde2c838a ]

I was seeing a lot of these:

    BUG: sleeping function called from invalid context at mm/slab.h:388
    in_atomic(): 0, irqs_disabled(): 0, pid: 14971, name: trinity-c2
    Preemption disabled at:[&lt;ffffffff819bcd46&gt;] rhashtable_walk_start+0x46/0x150

     [&lt;ffffffff81149abb&gt;] preempt_count_add+0x1fb/0x280
     [&lt;ffffffff83295722&gt;] _raw_spin_lock+0x12/0x40
     [&lt;ffffffff811aac87&gt;] console_unlock+0x2f7/0x930
     [&lt;ffffffff811ab5bb&gt;] vprintk_emit+0x2fb/0x520
     [&lt;ffffffff811aba6a&gt;] vprintk_default+0x1a/0x20
     [&lt;ffffffff812c171a&gt;] printk+0x94/0xb0
     [&lt;ffffffff811d6ed0&gt;] print_stack_trace+0xe0/0x170
     [&lt;ffffffff8115835e&gt;] ___might_sleep+0x3be/0x460
     [&lt;ffffffff81158490&gt;] __might_sleep+0x90/0x1a0
     [&lt;ffffffff8139b823&gt;] kmem_cache_alloc+0x153/0x1e0
     [&lt;ffffffff819bca1e&gt;] rhashtable_walk_init+0xfe/0x2d0
     [&lt;ffffffff82ec64de&gt;] sctp_transport_walk_start+0x1e/0x60
     [&lt;ffffffff82edd8ad&gt;] sctp_transport_seq_start+0x4d/0x150
     [&lt;ffffffff8143a82b&gt;] seq_read+0x27b/0x1180
     [&lt;ffffffff814f97fc&gt;] proc_reg_read+0xbc/0x180
     [&lt;ffffffff813d471b&gt;] __vfs_read+0xdb/0x610
     [&lt;ffffffff813d4d3a&gt;] vfs_read+0xea/0x2d0
     [&lt;ffffffff813d615b&gt;] SyS_pread64+0x11b/0x150
     [&lt;ffffffff8100334c&gt;] do_syscall_64+0x19c/0x410
     [&lt;ffffffff832960a5&gt;] return_from_SYSCALL_64+0x0/0x6a
     [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Apparently we always need to call rhashtable_walk_stop(), even when
rhashtable_walk_start() fails:

 * rhashtable_walk_start - Start a hash table walk
 * @iter:       Hash table iterator
 *
 * Start a hash table walk.  Note that we take the RCU lock in all
 * cases including when we return an error.  So you must always call
 * rhashtable_walk_stop to clean up.

otherwise we never call rcu_read_unlock() and we get the splat above.

Fixes: 53fa1036 ("sctp: fix some rhashtable functions using in sctp proc/diag")
See-also: 53fa1036 ("sctp: fix some rhashtable functions using in sctp proc/diag")
See-also: f2dba9c6 ("rhashtable: Introduce rhashtable_walk_*")
Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 5fc382d87517707ad77ea4c9c12e2a3fde2c838a ]

I was seeing a lot of these:

    BUG: sleeping function called from invalid context at mm/slab.h:388
    in_atomic(): 0, irqs_disabled(): 0, pid: 14971, name: trinity-c2
    Preemption disabled at:[&lt;ffffffff819bcd46&gt;] rhashtable_walk_start+0x46/0x150

     [&lt;ffffffff81149abb&gt;] preempt_count_add+0x1fb/0x280
     [&lt;ffffffff83295722&gt;] _raw_spin_lock+0x12/0x40
     [&lt;ffffffff811aac87&gt;] console_unlock+0x2f7/0x930
     [&lt;ffffffff811ab5bb&gt;] vprintk_emit+0x2fb/0x520
     [&lt;ffffffff811aba6a&gt;] vprintk_default+0x1a/0x20
     [&lt;ffffffff812c171a&gt;] printk+0x94/0xb0
     [&lt;ffffffff811d6ed0&gt;] print_stack_trace+0xe0/0x170
     [&lt;ffffffff8115835e&gt;] ___might_sleep+0x3be/0x460
     [&lt;ffffffff81158490&gt;] __might_sleep+0x90/0x1a0
     [&lt;ffffffff8139b823&gt;] kmem_cache_alloc+0x153/0x1e0
     [&lt;ffffffff819bca1e&gt;] rhashtable_walk_init+0xfe/0x2d0
     [&lt;ffffffff82ec64de&gt;] sctp_transport_walk_start+0x1e/0x60
     [&lt;ffffffff82edd8ad&gt;] sctp_transport_seq_start+0x4d/0x150
     [&lt;ffffffff8143a82b&gt;] seq_read+0x27b/0x1180
     [&lt;ffffffff814f97fc&gt;] proc_reg_read+0xbc/0x180
     [&lt;ffffffff813d471b&gt;] __vfs_read+0xdb/0x610
     [&lt;ffffffff813d4d3a&gt;] vfs_read+0xea/0x2d0
     [&lt;ffffffff813d615b&gt;] SyS_pread64+0x11b/0x150
     [&lt;ffffffff8100334c&gt;] do_syscall_64+0x19c/0x410
     [&lt;ffffffff832960a5&gt;] return_from_SYSCALL_64+0x0/0x6a
     [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Apparently we always need to call rhashtable_walk_stop(), even when
rhashtable_walk_start() fails:

 * rhashtable_walk_start - Start a hash table walk
 * @iter:       Hash table iterator
 *
 * Start a hash table walk.  Note that we take the RCU lock in all
 * cases including when we return an error.  So you must always call
 * rhashtable_walk_stop to clean up.

otherwise we never call rcu_read_unlock() and we get the splat above.

Fixes: 53fa1036 ("sctp: fix some rhashtable functions using in sctp proc/diag")
See-also: 53fa1036 ("sctp: fix some rhashtable functions using in sctp proc/diag")
See-also: f2dba9c6 ("rhashtable: Introduce rhashtable_walk_*")
Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: fix BH handling on socket backlog</title>
<updated>2016-08-16T07:34:58+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2016-07-23T03:32:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f9abe462b23e1f78cc55de4d92de58a63c9b710'/>
<id>2f9abe462b23e1f78cc55de4d92de58a63c9b710</id>
<content type='text'>
[ Upstream commit eefc1b1d105ee4d2ce907833ce675f1e9599b5e3 ]

Now that the backlog processing is called with BH enabled, we have to
disable BH before taking the socket lock via bh_lock_sock() otherwise
it may dead lock:

sctp_backlog_rcv()
                bh_lock_sock(sk);

                if (sock_owned_by_user(sk)) {
                        if (sk_add_backlog(sk, skb, sk-&gt;sk_rcvbuf))
                                sctp_chunk_free(chunk);
                        else
                                backloged = 1;
                } else
                        sctp_inq_push(inqueue, chunk);

                bh_unlock_sock(sk);

while sctp_inq_push() was disabling/enabling BH, but enabling BH
triggers pending softirq, which then may try to re-lock the socket in
sctp_rcv().

[  219.187215]  &lt;IRQ&gt;
[  219.187217]  [&lt;ffffffff817ca3e0&gt;] _raw_spin_lock+0x20/0x30
[  219.187223]  [&lt;ffffffffa041888c&gt;] sctp_rcv+0x48c/0xba0 [sctp]
[  219.187225]  [&lt;ffffffff816e7db2&gt;] ? nf_iterate+0x62/0x80
[  219.187226]  [&lt;ffffffff816f1b14&gt;] ip_local_deliver_finish+0x94/0x1e0
[  219.187228]  [&lt;ffffffff816f1e1f&gt;] ip_local_deliver+0x6f/0xf0
[  219.187229]  [&lt;ffffffff816f1a80&gt;] ? ip_rcv_finish+0x3b0/0x3b0
[  219.187230]  [&lt;ffffffff816f17a8&gt;] ip_rcv_finish+0xd8/0x3b0
[  219.187232]  [&lt;ffffffff816f2122&gt;] ip_rcv+0x282/0x3a0
[  219.187233]  [&lt;ffffffff810d8bb6&gt;] ? update_curr+0x66/0x180
[  219.187235]  [&lt;ffffffff816abac4&gt;] __netif_receive_skb_core+0x524/0xa90
[  219.187236]  [&lt;ffffffff810d8e00&gt;] ? update_cfs_shares+0x30/0xf0
[  219.187237]  [&lt;ffffffff810d557c&gt;] ? __enqueue_entity+0x6c/0x70
[  219.187239]  [&lt;ffffffff810dc454&gt;] ? enqueue_entity+0x204/0xdf0
[  219.187240]  [&lt;ffffffff816ac048&gt;] __netif_receive_skb+0x18/0x60
[  219.187242]  [&lt;ffffffff816ad1ce&gt;] process_backlog+0x9e/0x140
[  219.187243]  [&lt;ffffffff816ac8ec&gt;] net_rx_action+0x22c/0x370
[  219.187245]  [&lt;ffffffff817cd352&gt;] __do_softirq+0x112/0x2e7
[  219.187247]  [&lt;ffffffff817cc3bc&gt;] do_softirq_own_stack+0x1c/0x30
[  219.187247]  &lt;EOI&gt;
[  219.187248]  [&lt;ffffffff810aa1c8&gt;] do_softirq.part.14+0x38/0x40
[  219.187249]  [&lt;ffffffff810aa24d&gt;] __local_bh_enable_ip+0x7d/0x80
[  219.187254]  [&lt;ffffffffa0408428&gt;] sctp_inq_push+0x68/0x80 [sctp]
[  219.187258]  [&lt;ffffffffa04190f1&gt;] sctp_backlog_rcv+0x151/0x1c0 [sctp]
[  219.187260]  [&lt;ffffffff81692b07&gt;] __release_sock+0x87/0xf0
[  219.187261]  [&lt;ffffffff81692ba0&gt;] release_sock+0x30/0xa0
[  219.187265]  [&lt;ffffffffa040e46d&gt;] sctp_accept+0x17d/0x210 [sctp]
[  219.187266]  [&lt;ffffffff810e7510&gt;] ? prepare_to_wait_event+0xf0/0xf0
[  219.187268]  [&lt;ffffffff8172d52c&gt;] inet_accept+0x3c/0x130
[  219.187269]  [&lt;ffffffff8168d7a3&gt;] SYSC_accept4+0x103/0x210
[  219.187271]  [&lt;ffffffff817ca2ba&gt;] ? _raw_spin_unlock_bh+0x1a/0x20
[  219.187272]  [&lt;ffffffff81692bfc&gt;] ? release_sock+0x8c/0xa0
[  219.187276]  [&lt;ffffffffa0413e22&gt;] ? sctp_inet_listen+0x62/0x1b0 [sctp]
[  219.187277]  [&lt;ffffffff8168f2d0&gt;] SyS_accept+0x10/0x20

Fixes: 860fbbc343bf ("sctp: prepare for socket backlog behavior change")
Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit eefc1b1d105ee4d2ce907833ce675f1e9599b5e3 ]

Now that the backlog processing is called with BH enabled, we have to
disable BH before taking the socket lock via bh_lock_sock() otherwise
it may dead lock:

sctp_backlog_rcv()
                bh_lock_sock(sk);

                if (sock_owned_by_user(sk)) {
                        if (sk_add_backlog(sk, skb, sk-&gt;sk_rcvbuf))
                                sctp_chunk_free(chunk);
                        else
                                backloged = 1;
                } else
                        sctp_inq_push(inqueue, chunk);

                bh_unlock_sock(sk);

while sctp_inq_push() was disabling/enabling BH, but enabling BH
triggers pending softirq, which then may try to re-lock the socket in
sctp_rcv().

[  219.187215]  &lt;IRQ&gt;
[  219.187217]  [&lt;ffffffff817ca3e0&gt;] _raw_spin_lock+0x20/0x30
[  219.187223]  [&lt;ffffffffa041888c&gt;] sctp_rcv+0x48c/0xba0 [sctp]
[  219.187225]  [&lt;ffffffff816e7db2&gt;] ? nf_iterate+0x62/0x80
[  219.187226]  [&lt;ffffffff816f1b14&gt;] ip_local_deliver_finish+0x94/0x1e0
[  219.187228]  [&lt;ffffffff816f1e1f&gt;] ip_local_deliver+0x6f/0xf0
[  219.187229]  [&lt;ffffffff816f1a80&gt;] ? ip_rcv_finish+0x3b0/0x3b0
[  219.187230]  [&lt;ffffffff816f17a8&gt;] ip_rcv_finish+0xd8/0x3b0
[  219.187232]  [&lt;ffffffff816f2122&gt;] ip_rcv+0x282/0x3a0
[  219.187233]  [&lt;ffffffff810d8bb6&gt;] ? update_curr+0x66/0x180
[  219.187235]  [&lt;ffffffff816abac4&gt;] __netif_receive_skb_core+0x524/0xa90
[  219.187236]  [&lt;ffffffff810d8e00&gt;] ? update_cfs_shares+0x30/0xf0
[  219.187237]  [&lt;ffffffff810d557c&gt;] ? __enqueue_entity+0x6c/0x70
[  219.187239]  [&lt;ffffffff810dc454&gt;] ? enqueue_entity+0x204/0xdf0
[  219.187240]  [&lt;ffffffff816ac048&gt;] __netif_receive_skb+0x18/0x60
[  219.187242]  [&lt;ffffffff816ad1ce&gt;] process_backlog+0x9e/0x140
[  219.187243]  [&lt;ffffffff816ac8ec&gt;] net_rx_action+0x22c/0x370
[  219.187245]  [&lt;ffffffff817cd352&gt;] __do_softirq+0x112/0x2e7
[  219.187247]  [&lt;ffffffff817cc3bc&gt;] do_softirq_own_stack+0x1c/0x30
[  219.187247]  &lt;EOI&gt;
[  219.187248]  [&lt;ffffffff810aa1c8&gt;] do_softirq.part.14+0x38/0x40
[  219.187249]  [&lt;ffffffff810aa24d&gt;] __local_bh_enable_ip+0x7d/0x80
[  219.187254]  [&lt;ffffffffa0408428&gt;] sctp_inq_push+0x68/0x80 [sctp]
[  219.187258]  [&lt;ffffffffa04190f1&gt;] sctp_backlog_rcv+0x151/0x1c0 [sctp]
[  219.187260]  [&lt;ffffffff81692b07&gt;] __release_sock+0x87/0xf0
[  219.187261]  [&lt;ffffffff81692ba0&gt;] release_sock+0x30/0xa0
[  219.187265]  [&lt;ffffffffa040e46d&gt;] sctp_accept+0x17d/0x210 [sctp]
[  219.187266]  [&lt;ffffffff810e7510&gt;] ? prepare_to_wait_event+0xf0/0xf0
[  219.187268]  [&lt;ffffffff8172d52c&gt;] inet_accept+0x3c/0x130
[  219.187269]  [&lt;ffffffff8168d7a3&gt;] SYSC_accept4+0x103/0x210
[  219.187271]  [&lt;ffffffff817ca2ba&gt;] ? _raw_spin_unlock_bh+0x1a/0x20
[  219.187272]  [&lt;ffffffff81692bfc&gt;] ? release_sock+0x8c/0xa0
[  219.187276]  [&lt;ffffffffa0413e22&gt;] ? sctp_inet_listen+0x62/0x1b0 [sctp]
[  219.187277]  [&lt;ffffffff8168f2d0&gt;] SyS_accept+0x10/0x20

Fixes: 860fbbc343bf ("sctp: prepare for socket backlog behavior change")
Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: load transport header after sk_filter</title>
<updated>2016-07-19T05:46:52+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2016-07-16T21:33:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c74bfbdba0e8d056e4ba579a666b5cdb8ec3cd35'/>
<id>c74bfbdba0e8d056e4ba579a666b5cdb8ec3cd35</id>
<content type='text'>
Do not cache pointers into the skb linear segment across sk_filter.
The function call can trigger pskb_expand_head.

Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Do not cache pointers into the skb linear segment across sk_filter.
The function call can trigger pskb_expand_head.

Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: diag: add missing declarations</title>
<updated>2016-06-11T06:22:55+00:00</updated>
<author>
<name>Ben Dooks</name>
<email>ben.dooks@codethink.co.uk</email>
</author>
<published>2016-06-09T17:05:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c3ec5e5ce9cea1f369a5a8ad69d6471680796bc6'/>
<id>c3ec5e5ce9cea1f369a5a8ad69d6471680796bc6</id>
<content type='text'>
The functions inet_diag_msg_common_fill and inet_diag_msg_attrs_fill
seem to have been missed from the include/linux/inet_diag.h header
file. Add them to fix the following warnings:

net/ipv4/inet_diag.c:69:6: warning: symbol 'inet_diag_msg_common_fill' was not declared. Should it be static?
net/ipv4/inet_diag.c:108:5: warning: symbol 'inet_diag_msg_attrs_fill' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The functions inet_diag_msg_common_fill and inet_diag_msg_attrs_fill
seem to have been missed from the include/linux/inet_diag.h header
file. Add them to fix the following warnings:

net/ipv4/inet_diag.c:69:6: warning: symbol 'inet_diag_msg_common_fill' was not declared. Should it be static?
net/ipv4/inet_diag.c:108:5: warning: symbol 'inet_diag_msg_attrs_fill' was not declared. Should it be static?

Signed-off-by: Ben Dooks &lt;ben.dooks@codethink.co.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: sctp_diag should dump sctp socket type</title>
<updated>2016-05-31T18:59:06+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2016-05-29T09:42:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=40eb90e9ccc3f96f937ea1db79d0f9cb61553ed5'/>
<id>40eb90e9ccc3f96f937ea1db79d0f9cb61553ed5</id>
<content type='text'>
Now we cannot distinguish that one sk is a udp or sctp style when
we use ss to dump sctp_info. it's necessary to dump it as well.

For sctp_diag, ss support is not officially available, thus there
are no official users of this yet, so we can add this field in the
middle of sctp_info without breaking user API.

v1-&gt;v2:
  - move 'sctpi_s_type' field to the end of struct sctp_info, so
    that it won't cause incompatibility with applications already
    built.
  - add __reserved3 in sctp_info to make sure sctp_info is 8-byte
    alignment.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now we cannot distinguish that one sk is a udp or sctp style when
we use ss to dump sctp_info. it's necessary to dump it as well.

For sctp_diag, ss support is not officially available, thus there
are no official users of this yet, so we can add this field in the
middle of sctp_info without breaking user API.

v1-&gt;v2:
  - move 'sctpi_s_type' field to the end of struct sctp_info, so
    that it won't cause incompatibility with applications already
    built.
  - add __reserved3 in sctp_info to make sure sctp_info is 8-byte
    alignment.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: fix double EPs display in sctp_diag</title>
<updated>2016-05-26T05:14:31+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2016-05-25T19:09:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bed187b540167eb10320f6a2177604421650772e'/>
<id>bed187b540167eb10320f6a2177604421650772e</id>
<content type='text'>
We have this situation: that EP hash table, contains only the EPs
that are listening, while the transports one, has the opposite.
We have to traverse both to dump all.

But when we traverse the transports one we will also get EPs that are
in the EP hash if they are listening. In this case, the EP is dumped
twice.

We will fix it by checking if the endpoint that is in the endpoint
hash table contains any ep-&gt;asoc in there, as it means we will also
find it via transport hash, and thus we can/should skip it, depending
on the filters used, like 'ss -l'.

Still, we should NOT skip it if the user is listing only listening
endpoints, because then we are not traversing the transport hash.
so we have to check idiag_states there also.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have this situation: that EP hash table, contains only the EPs
that are listening, while the transports one, has the opposite.
We have to traverse both to dump all.

But when we traverse the transports one we will also get EPs that are
in the EP hash if they are listening. In this case, the EP is dumped
twice.

We will fix it by checking if the endpoint that is in the endpoint
hash table contains any ep-&gt;asoc in there, as it means we will also
find it via transport hash, and thus we can/should skip it, depending
on the filters used, like 'ss -l'.

Still, we should NOT skip it if the user is listing only listening
endpoints, because then we are not traversing the transport hash.
so we have to check idiag_states there also.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: prepare for socket backlog behavior change</title>
<updated>2016-05-02T21:02:26+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-04-29T21:16:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=860fbbc343bf05a71b31555579ff4878194be01b'/>
<id>860fbbc343bf05a71b31555579ff4878194be01b</id>
<content type='text'>
sctp_inq_push() will soon be called without BH being blocked
when generic socket code flushes the socket backlog.

It is very possible SCTP can be converted to not rely on BH,
but this needs to be done by SCTP experts.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
sctp_inq_push() will soon be called without BH being blocked
when generic socket code flushes the socket backlog.

It is very possible SCTP can be converted to not rely on BH,
but this needs to be done by SCTP experts.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: signal sk_data_ready earlier on data chunks reception</title>
<updated>2016-05-02T01:06:10+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2016-04-29T17:17:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0970f5b3665933f5f0d069607c78fb10bd918b62'/>
<id>0970f5b3665933f5f0d069607c78fb10bd918b62</id>
<content type='text'>
Dave Miller pointed out that fb586f25300f ("sctp: delay calls to
sk_data_ready() as much as possible") may insert latency specially if
the receiving application is running on another CPU and that it would be
better if we signalled as early as possible.

This patch thus basically inverts the logic on fb586f25300f and signals
it as early as possible, similar to what we had before.

Fixes: fb586f25300f ("sctp: delay calls to sk_data_ready() as much as possible")
Reported-by: Dave Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Dave Miller pointed out that fb586f25300f ("sctp: delay calls to
sk_data_ready() as much as possible") may insert latency specially if
the receiving application is running on another CPU and that it would be
better if we signalled as early as possible.

This patch thus basically inverts the logic on fb586f25300f and signals
it as early as possible, similar to what we had before.

Fixes: fb586f25300f ("sctp: delay calls to sk_data_ready() as much as possible")
Reported-by: Dave Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
