<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.0.40</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>tcp: perform DMA to userspace only if there is a task waiting for it</title>
<updated>2012-08-09T15:27:52+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2012-07-27T10:38:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=41f079a0e1089bf0ed2b795cc427bf40b72efe0e'/>
<id>41f079a0e1089bf0ed2b795cc427bf40b72efe0e</id>
<content type='text'>
[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]

Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
added support for receive offloading to IOAT dma engine if available.

The code in tcp_rcv_established() tries to perform early DMA copy if
applicable. It however does so without checking whether the userspace
task is actually expecting the data in the buffer.

This is not a problem under normal circumstances, but there is a corner
case where this doesn't work -- and that's when MSG_TRUNC flag to
recvmsg() is used.

If the IOAT dma engine is not used, the code properly checks whether
there is a valid ucopy.task and the socket is owned by userspace, but
misses the check in the dmaengine case.

This problem can be observed in real trivially -- for example 'tbench' is a
good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
have been already early-copied in tcp_rcv_established() using dma engine.

This patch introduces the same check we are performing in the simple
iovec copy case to the IOAT case as well. It fixes the indefinite
recvmsg(MSG_TRUNC) hangs.

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 59ea33a68a9083ac98515e4861c00e71efdc49a1 ]

Back in 2006, commit 1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
added support for receive offloading to IOAT dma engine if available.

The code in tcp_rcv_established() tries to perform early DMA copy if
applicable. It however does so without checking whether the userspace
task is actually expecting the data in the buffer.

This is not a problem under normal circumstances, but there is a corner
case where this doesn't work -- and that's when MSG_TRUNC flag to
recvmsg() is used.

If the IOAT dma engine is not used, the code properly checks whether
there is a valid ucopy.task and the socket is owned by userspace, but
misses the check in the dmaengine case.

This problem can be observed in real trivially -- for example 'tbench' is a
good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
have been already early-copied in tcp_rcv_established() using dma engine.

This patch introduces the same check we are performing in the simple
iovec copy case to the IOAT case as well. It fixes the indefinite
recvmsg(MSG_TRUNC) hangs.

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling</title>
<updated>2012-08-09T15:27:52+00:00</updated>
<author>
<name>Jiri Benc</name>
<email>jbenc@redhat.com</email>
</author>
<published>2012-07-27T02:58:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c94eb3f964dd7c08486d7c1227c7b5b69d09aabe'/>
<id>c94eb3f964dd7c08486d7c1227c7b5b69d09aabe</id>
<content type='text'>
[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]

When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI
flags are handled specially. Function dev_change_flags sets IFF_PROMISC and
IFF_ALLMULTI bits in dev-&gt;gflags according to the passed value but
do_setlink passes a result of rtnl_dev_combine_flags which takes those bits
from dev-&gt;flags.

This can be easily trigerred by doing:

tcpdump -i eth0 &amp;
ip l s up eth0

ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with
IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set
IFF_PROMISC in gflags.

Reported-by: Max Matveev &lt;makc@redhat.com&gt;
Signed-off-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b1beb681cba5358f62e6187340660ade226a5fcc ]

When device flags are set using rtnetlink, IFF_PROMISC and IFF_ALLMULTI
flags are handled specially. Function dev_change_flags sets IFF_PROMISC and
IFF_ALLMULTI bits in dev-&gt;gflags according to the passed value but
do_setlink passes a result of rtnl_dev_combine_flags which takes those bits
from dev-&gt;flags.

This can be easily trigerred by doing:

tcpdump -i eth0 &amp;
ip l s up eth0

ip sets IFF_UP flag in ifi_flags and ifi_change, which is combined with
IFF_PROMISC by rtnl_dev_combine_flags, causing __dev_change_flags to set
IFF_PROMISC in gflags.

Reported-by: Max Matveev &lt;makc@redhat.com&gt;
Signed-off-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Add TCP_USER_TIMEOUT negative value check</title>
<updated>2012-08-09T15:27:52+00:00</updated>
<author>
<name>Hangbin Liu</name>
<email>liuhangbin@gmail.com</email>
</author>
<published>2012-07-26T22:52:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8d7c99de6821880884e6f9ade1c6f269d40ebbae'/>
<id>8d7c99de6821880884e6f9ade1c6f269d40ebbae</id>
<content type='text'>
[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]

TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But
patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative
values. If a user assign -1 to it, the socket will set successfully and wait
for 4294967295 miliseconds. This patch add a negative value check to avoid
this issue.

Signed-off-by: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 42493570100b91ef663c4c6f0c0fdab238f9d3c2 ]

TCP_USER_TIMEOUT is a TCP level socket option that takes an unsigned int. But
patch "tcp: Add TCP_USER_TIMEOUT socket option"(dca43c75) didn't check the negative
values. If a user assign -1 to it, the socket will set successfully and wait
for 4294967295 miliseconds. This patch add a negative value check to avoid
this issue.

Signed-off-by: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wanmain: comparing array with NULL</title>
<updated>2012-08-09T15:27:52+00:00</updated>
<author>
<name>Alan Cox</name>
<email>alan@linux.intel.com</email>
</author>
<published>2012-07-24T08:16:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a22bda491f4fb197c31c2d50c18a816be494a75'/>
<id>8a22bda491f4fb197c31c2d50c18a816be494a75</id>
<content type='text'>
[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]

gcc really should warn about these !

Signed-off-by: Alan Cox &lt;alan@linux.intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8b72ff6484fe303e01498b58621810a114f3cf09 ]

gcc really should warn about these !

Signed-off-by: Alan Cox &lt;alan@linux.intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cipso: don't follow a NULL pointer when setsockopt() is called</title>
<updated>2012-08-09T15:27:52+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2012-07-17T11:07:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bca8ae51a3761a9fc4795641541a3478001975c1'/>
<id>bca8ae51a3761a9fc4795641541a3478001975c1</id>
<content type='text'>
[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]

As reported by Alan Cox, and verified by Lin Ming, when a user
attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
tag the kernel dies a terrible death when it attempts to follow a NULL
pointer (the skb argument to cipso_v4_validate() is NULL when called via
the setsockopt() syscall).

This patch fixes this by first checking to ensure that the skb is
non-NULL before using it to find the incoming network interface.  In
the unlikely case where the skb is NULL and the user attempts to add
a CIPSO option with the _TAG_LOCAL tag we return an error as this is
not something we want to allow.

A simple reproducer, kindly supplied by Lin Ming, although you must
have the CIPSO DOI #3 configure on the system first or you will be
caught early in cipso_v4_validate():

	#include &lt;sys/types.h&gt;
	#include &lt;sys/socket.h&gt;
	#include &lt;linux/ip.h&gt;
	#include &lt;linux/in.h&gt;
	#include &lt;string.h&gt;

	struct local_tag {
		char type;
		char length;
		char info[4];
	};

	struct cipso {
		char type;
		char length;
		char doi[4];
		struct local_tag local;
	};

	int main(int argc, char **argv)
	{
		int sockfd;
		struct cipso cipso = {
			.type = IPOPT_CIPSO,
			.length = sizeof(struct cipso),
			.local = {
				.type = 128,
				.length = sizeof(struct local_tag),
			},
		};

		memset(cipso.doi, 0, 4);
		cipso.doi[3] = 3;

		sockfd = socket(AF_INET, SOCK_DGRAM, 0);
		#define SOL_IP 0
		setsockopt(sockfd, SOL_IP, IP_OPTIONS,
			&amp;cipso, sizeof(struct cipso));

		return 0;
	}

CC: Lin Ming &lt;mlin@ss.pku.edu.cn&gt;
Reported-by: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 89d7ae34cdda4195809a5a987f697a517a2a3177 ]

As reported by Alan Cox, and verified by Lin Ming, when a user
attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
tag the kernel dies a terrible death when it attempts to follow a NULL
pointer (the skb argument to cipso_v4_validate() is NULL when called via
the setsockopt() syscall).

This patch fixes this by first checking to ensure that the skb is
non-NULL before using it to find the incoming network interface.  In
the unlikely case where the skb is NULL and the user attempts to add
a CIPSO option with the _TAG_LOCAL tag we return an error as this is
not something we want to allow.

A simple reproducer, kindly supplied by Lin Ming, although you must
have the CIPSO DOI #3 configure on the system first or you will be
caught early in cipso_v4_validate():

	#include &lt;sys/types.h&gt;
	#include &lt;sys/socket.h&gt;
	#include &lt;linux/ip.h&gt;
	#include &lt;linux/in.h&gt;
	#include &lt;string.h&gt;

	struct local_tag {
		char type;
		char length;
		char info[4];
	};

	struct cipso {
		char type;
		char length;
		char doi[4];
		struct local_tag local;
	};

	int main(int argc, char **argv)
	{
		int sockfd;
		struct cipso cipso = {
			.type = IPOPT_CIPSO,
			.length = sizeof(struct cipso),
			.local = {
				.type = 128,
				.length = sizeof(struct local_tag),
			},
		};

		memset(cipso.doi, 0, 4);
		cipso.doi[3] = 3;

		sockfd = socket(AF_INET, SOCK_DGRAM, 0);
		#define SOL_IP 0
		setsockopt(sockfd, SOL_IP, IP_OPTIONS,
			&amp;cipso, sizeof(struct cipso));

		return 0;
	}

CC: Lin Ming &lt;mlin@ss.pku.edu.cn&gt;
Reported-by: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>caif: Fix access to freed pernet memory</title>
<updated>2012-08-09T15:27:51+00:00</updated>
<author>
<name>Sjur Brændeland</name>
<email>sjur.brandeland@stericsson.com</email>
</author>
<published>2012-07-15T10:10:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22cb83b5a318697b09fe1d6e237703d8371ab1fe'/>
<id>22cb83b5a318697b09fe1d6e237703d8371ab1fe</id>
<content type='text'>
[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]

unregister_netdevice_notifier() must be called before
unregister_pernet_subsys() to avoid accessing already freed
pernet memory. This fixes the following oops when doing rmmod:

Call Trace:
 [&lt;ffffffffa0f802bd&gt;] caif_device_notify+0x4d/0x5a0 [caif]
 [&lt;ffffffff81552ba9&gt;] unregister_netdevice_notifier+0xb9/0x100
 [&lt;ffffffffa0f86dcc&gt;] caif_device_exit+0x1c/0x250 [caif]
 [&lt;ffffffff810e7734&gt;] sys_delete_module+0x1a4/0x300
 [&lt;ffffffff810da82d&gt;] ? trace_hardirqs_on_caller+0x15d/0x1e0
 [&lt;ffffffff813517de&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3
 [&lt;ffffffff81696bad&gt;] system_call_fastpath+0x1a/0x1f

RIP
 [&lt;ffffffffa0f7f561&gt;] caif_get+0x51/0xb0 [caif]

Signed-off-by: Sjur Brændeland &lt;sjur.brandeland@stericsson.com&gt;
Acked-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ]

unregister_netdevice_notifier() must be called before
unregister_pernet_subsys() to avoid accessing already freed
pernet memory. This fixes the following oops when doing rmmod:

Call Trace:
 [&lt;ffffffffa0f802bd&gt;] caif_device_notify+0x4d/0x5a0 [caif]
 [&lt;ffffffff81552ba9&gt;] unregister_netdevice_notifier+0xb9/0x100
 [&lt;ffffffffa0f86dcc&gt;] caif_device_exit+0x1c/0x250 [caif]
 [&lt;ffffffff810e7734&gt;] sys_delete_module+0x1a4/0x300
 [&lt;ffffffff810da82d&gt;] ? trace_hardirqs_on_caller+0x15d/0x1e0
 [&lt;ffffffff813517de&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3
 [&lt;ffffffff81696bad&gt;] system_call_fastpath+0x1a/0x1f

RIP
 [&lt;ffffffffa0f7f561&gt;] caif_get+0x51/0xb0 [caif]

Signed-off-by: Sjur Brændeland &lt;sjur.brandeland@stericsson.com&gt;
Acked-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: Fix list corruption resulting from freeing an association on a list</title>
<updated>2012-08-09T15:27:51+00:00</updated>
<author>
<name>Neil Horman</name>
<email>nhorman@tuxdriver.com</email>
</author>
<published>2012-07-16T09:13:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f890d2777247beb207be1c99835a0c5e09d340c'/>
<id>2f890d2777247beb207be1c99835a0c5e09d340c</id>
<content type='text'>
[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ]

A few days ago Dave Jones reported this oops:

[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP
[22766.295376] CPU 0
[22766.295384] Modules linked in:
[22766.387137]  ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90
ffff880147c03a74
[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000
[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,
[22766.387137] Stack:
[22766.387140]  ffff880147c03a10
[22766.387140]  ffffffffa169f2b6
[22766.387140]  ffff88013ed95728
[22766.387143]  0000000000000002
[22766.387143]  0000000000000000
[22766.387143]  ffff880003fad062
[22766.387144]  ffff88013c120000
[22766.387144]
[22766.387145] Call Trace:
[22766.387145]  &lt;IRQ&gt;
[22766.387150]  [&lt;ffffffffa169f292&gt;] ? __sctp_lookup_association+0x62/0xd0
[sctp]
[22766.387154]  [&lt;ffffffffa169f2b6&gt;] __sctp_lookup_association+0x86/0xd0 [sctp]
[22766.387157]  [&lt;ffffffffa169f597&gt;] sctp_rcv+0x207/0xbb0 [sctp]
[22766.387161]  [&lt;ffffffff810d4da8&gt;] ? trace_hardirqs_off_caller+0x28/0xd0
[22766.387163]  [&lt;ffffffff815827e3&gt;] ? nf_hook_slow+0x133/0x210
[22766.387166]  [&lt;ffffffff815902fc&gt;] ? ip_local_deliver_finish+0x4c/0x4c0
[22766.387168]  [&lt;ffffffff8159043d&gt;] ip_local_deliver_finish+0x18d/0x4c0
[22766.387169]  [&lt;ffffffff815902fc&gt;] ? ip_local_deliver_finish+0x4c/0x4c0
[22766.387171]  [&lt;ffffffff81590a07&gt;] ip_local_deliver+0x47/0x80
[22766.387172]  [&lt;ffffffff8158fd80&gt;] ip_rcv_finish+0x150/0x680
[22766.387174]  [&lt;ffffffff81590c54&gt;] ip_rcv+0x214/0x320
[22766.387176]  [&lt;ffffffff81558c07&gt;] __netif_receive_skb+0x7b7/0x910
[22766.387178]  [&lt;ffffffff8155856c&gt;] ? __netif_receive_skb+0x11c/0x910
[22766.387180]  [&lt;ffffffff810d423e&gt;] ? put_lock_stats.isra.25+0xe/0x40
[22766.387182]  [&lt;ffffffff81558f83&gt;] netif_receive_skb+0x23/0x1f0
[22766.387183]  [&lt;ffffffff815596a9&gt;] ? dev_gro_receive+0x139/0x440
[22766.387185]  [&lt;ffffffff81559280&gt;] napi_skb_finish+0x70/0xa0
[22766.387187]  [&lt;ffffffff81559cb5&gt;] napi_gro_receive+0xf5/0x130
[22766.387218]  [&lt;ffffffffa01c4679&gt;] e1000_receive_skb+0x59/0x70 [e1000e]
[22766.387242]  [&lt;ffffffffa01c5aab&gt;] e1000_clean_rx_irq+0x28b/0x460 [e1000e]
[22766.387266]  [&lt;ffffffffa01c9c18&gt;] e1000e_poll+0x78/0x430 [e1000e]
[22766.387268]  [&lt;ffffffff81559fea&gt;] net_rx_action+0x1aa/0x3d0
[22766.387270]  [&lt;ffffffff810a495f&gt;] ? account_system_vtime+0x10f/0x130
[22766.387273]  [&lt;ffffffff810734d0&gt;] __do_softirq+0xe0/0x420
[22766.387275]  [&lt;ffffffff8169826c&gt;] call_softirq+0x1c/0x30
[22766.387278]  [&lt;ffffffff8101db15&gt;] do_softirq+0xd5/0x110
[22766.387279]  [&lt;ffffffff81073bc5&gt;] irq_exit+0xd5/0xe0
[22766.387281]  [&lt;ffffffff81698b03&gt;] do_IRQ+0x63/0xd0
[22766.387283]  [&lt;ffffffff8168ee2f&gt;] common_interrupt+0x6f/0x6f
[22766.387283]  &lt;EOI&gt;
[22766.387284]
[22766.387285]  [&lt;ffffffff8168eed9&gt;] ? retint_swapgs+0x13/0x1b
[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48
89 e5 48 83
ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 &lt;0f&gt; b7 87 98 00 00 00
48 89 fb
49 89 f5 66 c1 c0 08 66 39 46 02
[22766.387307]
[22766.387307] RIP
[22766.387311]  [&lt;ffffffffa168a2c9&gt;] sctp_assoc_is_match+0x19/0x90 [sctp]
[22766.387311]  RSP &lt;ffff880147c039b0&gt;
[22766.387142]  ffffffffa16ab120
[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---
[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt

It appears from his analysis and some staring at the code that this is likely
occuring because an association is getting freed while still on the
sctp_assoc_hashtable.  As a result, we get a gpf when traversing the hashtable
while a freed node corrupts part of the list.

Nominally I would think that an mibalanced refcount was responsible for this,
but I can't seem to find any obvious imbalance.  What I did note however was
that the two places where we create an association using
sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths
which free a newly created association after calling sctp_primitive_ASSOCIATE.
sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which
issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to
the aforementioned hash table.  the sctp command interpreter that process side
effects has not way to unwind previously processed commands, so freeing the
association from the __sctp_connect or sctp_sendmsg error path would lead to a
freed association remaining on this hash table.

I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init,
which allows us to proerly use hlist_unhashed to check if the node is on a
hashlist safely during a delete.  That in turn alows us to safely call
sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths
before freeing them, regardles of what the associations state is on the hash
list.

I noted, while I was doing this, that the __sctp_unhash_endpoint was using
hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes
pointers to make that function work properly, so I fixed that up in a simmilar
fashion.

I attempted to test this using a virtual guest running the SCTP_RR test from
netperf in a loop while running the trinity fuzzer, both in a loop.  I wasn't
able to recreate the problem prior to this fix, nor was I able to trigger the
failure after (neither of which I suppose is suprising).  Given the trace above
however, I think its likely that this is what we hit.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Reported-by: davej@redhat.com
CC: davej@redhat.com
CC: "David S. Miller" &lt;davem@davemloft.net&gt;
CC: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
CC: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
CC: linux-sctp@vger.kernel.org
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2eebc1e188e9e45886ee00662519849339884d6d ]

A few days ago Dave Jones reported this oops:

[22766.294255] general protection fault: 0000 [#1] PREEMPT SMP
[22766.295376] CPU 0
[22766.295384] Modules linked in:
[22766.387137]  ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90
ffff880147c03a74
[22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000
[22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,
[22766.387137] Stack:
[22766.387140]  ffff880147c03a10
[22766.387140]  ffffffffa169f2b6
[22766.387140]  ffff88013ed95728
[22766.387143]  0000000000000002
[22766.387143]  0000000000000000
[22766.387143]  ffff880003fad062
[22766.387144]  ffff88013c120000
[22766.387144]
[22766.387145] Call Trace:
[22766.387145]  &lt;IRQ&gt;
[22766.387150]  [&lt;ffffffffa169f292&gt;] ? __sctp_lookup_association+0x62/0xd0
[sctp]
[22766.387154]  [&lt;ffffffffa169f2b6&gt;] __sctp_lookup_association+0x86/0xd0 [sctp]
[22766.387157]  [&lt;ffffffffa169f597&gt;] sctp_rcv+0x207/0xbb0 [sctp]
[22766.387161]  [&lt;ffffffff810d4da8&gt;] ? trace_hardirqs_off_caller+0x28/0xd0
[22766.387163]  [&lt;ffffffff815827e3&gt;] ? nf_hook_slow+0x133/0x210
[22766.387166]  [&lt;ffffffff815902fc&gt;] ? ip_local_deliver_finish+0x4c/0x4c0
[22766.387168]  [&lt;ffffffff8159043d&gt;] ip_local_deliver_finish+0x18d/0x4c0
[22766.387169]  [&lt;ffffffff815902fc&gt;] ? ip_local_deliver_finish+0x4c/0x4c0
[22766.387171]  [&lt;ffffffff81590a07&gt;] ip_local_deliver+0x47/0x80
[22766.387172]  [&lt;ffffffff8158fd80&gt;] ip_rcv_finish+0x150/0x680
[22766.387174]  [&lt;ffffffff81590c54&gt;] ip_rcv+0x214/0x320
[22766.387176]  [&lt;ffffffff81558c07&gt;] __netif_receive_skb+0x7b7/0x910
[22766.387178]  [&lt;ffffffff8155856c&gt;] ? __netif_receive_skb+0x11c/0x910
[22766.387180]  [&lt;ffffffff810d423e&gt;] ? put_lock_stats.isra.25+0xe/0x40
[22766.387182]  [&lt;ffffffff81558f83&gt;] netif_receive_skb+0x23/0x1f0
[22766.387183]  [&lt;ffffffff815596a9&gt;] ? dev_gro_receive+0x139/0x440
[22766.387185]  [&lt;ffffffff81559280&gt;] napi_skb_finish+0x70/0xa0
[22766.387187]  [&lt;ffffffff81559cb5&gt;] napi_gro_receive+0xf5/0x130
[22766.387218]  [&lt;ffffffffa01c4679&gt;] e1000_receive_skb+0x59/0x70 [e1000e]
[22766.387242]  [&lt;ffffffffa01c5aab&gt;] e1000_clean_rx_irq+0x28b/0x460 [e1000e]
[22766.387266]  [&lt;ffffffffa01c9c18&gt;] e1000e_poll+0x78/0x430 [e1000e]
[22766.387268]  [&lt;ffffffff81559fea&gt;] net_rx_action+0x1aa/0x3d0
[22766.387270]  [&lt;ffffffff810a495f&gt;] ? account_system_vtime+0x10f/0x130
[22766.387273]  [&lt;ffffffff810734d0&gt;] __do_softirq+0xe0/0x420
[22766.387275]  [&lt;ffffffff8169826c&gt;] call_softirq+0x1c/0x30
[22766.387278]  [&lt;ffffffff8101db15&gt;] do_softirq+0xd5/0x110
[22766.387279]  [&lt;ffffffff81073bc5&gt;] irq_exit+0xd5/0xe0
[22766.387281]  [&lt;ffffffff81698b03&gt;] do_IRQ+0x63/0xd0
[22766.387283]  [&lt;ffffffff8168ee2f&gt;] common_interrupt+0x6f/0x6f
[22766.387283]  &lt;EOI&gt;
[22766.387284]
[22766.387285]  [&lt;ffffffff8168eed9&gt;] ? retint_swapgs+0x13/0x1b
[22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48
89 e5 48 83
ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 &lt;0f&gt; b7 87 98 00 00 00
48 89 fb
49 89 f5 66 c1 c0 08 66 39 46 02
[22766.387307]
[22766.387307] RIP
[22766.387311]  [&lt;ffffffffa168a2c9&gt;] sctp_assoc_is_match+0x19/0x90 [sctp]
[22766.387311]  RSP &lt;ffff880147c039b0&gt;
[22766.387142]  ffffffffa16ab120
[22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---
[22766.601221] Kernel panic - not syncing: Fatal exception in interrupt

It appears from his analysis and some staring at the code that this is likely
occuring because an association is getting freed while still on the
sctp_assoc_hashtable.  As a result, we get a gpf when traversing the hashtable
while a freed node corrupts part of the list.

Nominally I would think that an mibalanced refcount was responsible for this,
but I can't seem to find any obvious imbalance.  What I did note however was
that the two places where we create an association using
sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths
which free a newly created association after calling sctp_primitive_ASSOCIATE.
sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which
issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to
the aforementioned hash table.  the sctp command interpreter that process side
effects has not way to unwind previously processed commands, so freeing the
association from the __sctp_connect or sctp_sendmsg error path would lead to a
freed association remaining on this hash table.

I've fixed this but modifying sctp_[un]hash_established to use hlist_del_init,
which allows us to proerly use hlist_unhashed to check if the node is on a
hashlist safely during a delete.  That in turn alows us to safely call
sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths
before freeing them, regardles of what the associations state is on the hash
list.

I noted, while I was doing this, that the __sctp_unhash_endpoint was using
hlist_unhsashed in a simmilar fashion, but never nullified any removed nodes
pointers to make that function work properly, so I fixed that up in a simmilar
fashion.

I attempted to test this using a virtual guest running the SCTP_RR test from
netperf in a loop while running the trinity fuzzer, both in a loop.  I wasn't
able to recreate the problem prior to this fix, nor was I able to trigger the
failure after (neither of which I suppose is suprising).  Given the trace above
however, I think its likely that this is what we hit.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Reported-by: davej@redhat.com
CC: davej@redhat.com
CC: "David S. Miller" &lt;davem@davemloft.net&gt;
CC: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
CC: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
CC: linux-sctp@vger.kernel.org
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sch_sfb: Fix missing NULL check</title>
<updated>2012-08-09T15:27:51+00:00</updated>
<author>
<name>Alan Cox</name>
<email>alan@linux.intel.com</email>
</author>
<published>2012-07-12T03:39:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9b9f676623b92483d890d1a3a52611c09fc190f3'/>
<id>9b9f676623b92483d890d1a3a52611c09fc190f3</id>
<content type='text'>
[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ]

Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461

Signed-off-by: Alan Cox &lt;alan@linux.intel.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d ]

Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461

Signed-off-by: Alan Cox &lt;alan@linux.intel.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>nfs: skip commit in releasepage if we're freeing memory for fs-related reasons</title>
<updated>2012-08-09T15:27:51+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2012-07-23T17:58:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb65b85e1bce06b665b3568c19a249cd886fa6ff'/>
<id>eb65b85e1bce06b665b3568c19a249cd886fa6ff</id>
<content type='text'>
commit 5cf02d09b50b1ee1c2d536c9cf64af5a7d433f56 upstream.

We've had some reports of a deadlock where rpciod ends up with a stack
trace like this:

    PID: 2507   TASK: ffff88103691ab40  CPU: 14  COMMAND: "rpciod/14"
     #0 [ffff8810343bf2f0] schedule at ffffffff814dabd9
     #1 [ffff8810343bf3b8] nfs_wait_bit_killable at ffffffffa038fc04 [nfs]
     #2 [ffff8810343bf3c8] __wait_on_bit at ffffffff814dbc2f
     #3 [ffff8810343bf418] out_of_line_wait_on_bit at ffffffff814dbcd8
     #4 [ffff8810343bf488] nfs_commit_inode at ffffffffa039e0c1 [nfs]
     #5 [ffff8810343bf4f8] nfs_release_page at ffffffffa038bef6 [nfs]
     #6 [ffff8810343bf528] try_to_release_page at ffffffff8110c670
     #7 [ffff8810343bf538] shrink_page_list.clone.0 at ffffffff81126271
     #8 [ffff8810343bf668] shrink_inactive_list at ffffffff81126638
     #9 [ffff8810343bf818] shrink_zone at ffffffff8112788f
    #10 [ffff8810343bf8c8] do_try_to_free_pages at ffffffff81127b1e
    #11 [ffff8810343bf958] try_to_free_pages at ffffffff8112812f
    #12 [ffff8810343bfa08] __alloc_pages_nodemask at ffffffff8111fdad
    #13 [ffff8810343bfb28] kmem_getpages at ffffffff81159942
    #14 [ffff8810343bfb58] fallback_alloc at ffffffff8115a55a
    #15 [ffff8810343bfbd8] ____cache_alloc_node at ffffffff8115a2d9
    #16 [ffff8810343bfc38] kmem_cache_alloc at ffffffff8115b09b
    #17 [ffff8810343bfc78] sk_prot_alloc at ffffffff81411808
    #18 [ffff8810343bfcb8] sk_alloc at ffffffff8141197c
    #19 [ffff8810343bfce8] inet_create at ffffffff81483ba6
    #20 [ffff8810343bfd38] __sock_create at ffffffff8140b4a7
    #21 [ffff8810343bfd98] xs_create_sock at ffffffffa01f649b [sunrpc]
    #22 [ffff8810343bfdd8] xs_tcp_setup_socket at ffffffffa01f6965 [sunrpc]
    #23 [ffff8810343bfe38] worker_thread at ffffffff810887d0
    #24 [ffff8810343bfee8] kthread at ffffffff8108dd96
    #25 [ffff8810343bff48] kernel_thread at ffffffff8100c1ca

rpciod is trying to allocate memory for a new socket to talk to the
server. The VM ends up calling -&gt;releasepage to get more memory, and it
tries to do a blocking commit. That commit can't succeed however without
a connected socket, so we deadlock.

Fix this by setting PF_FSTRANS on the workqueue task prior to doing the
socket allocation, and having nfs_release_page check for that flag when
deciding whether to do a commit call. Also, set PF_FSTRANS
unconditionally in rpc_async_schedule since that function can also do
allocations sometimes.

Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5cf02d09b50b1ee1c2d536c9cf64af5a7d433f56 upstream.

We've had some reports of a deadlock where rpciod ends up with a stack
trace like this:

    PID: 2507   TASK: ffff88103691ab40  CPU: 14  COMMAND: "rpciod/14"
     #0 [ffff8810343bf2f0] schedule at ffffffff814dabd9
     #1 [ffff8810343bf3b8] nfs_wait_bit_killable at ffffffffa038fc04 [nfs]
     #2 [ffff8810343bf3c8] __wait_on_bit at ffffffff814dbc2f
     #3 [ffff8810343bf418] out_of_line_wait_on_bit at ffffffff814dbcd8
     #4 [ffff8810343bf488] nfs_commit_inode at ffffffffa039e0c1 [nfs]
     #5 [ffff8810343bf4f8] nfs_release_page at ffffffffa038bef6 [nfs]
     #6 [ffff8810343bf528] try_to_release_page at ffffffff8110c670
     #7 [ffff8810343bf538] shrink_page_list.clone.0 at ffffffff81126271
     #8 [ffff8810343bf668] shrink_inactive_list at ffffffff81126638
     #9 [ffff8810343bf818] shrink_zone at ffffffff8112788f
    #10 [ffff8810343bf8c8] do_try_to_free_pages at ffffffff81127b1e
    #11 [ffff8810343bf958] try_to_free_pages at ffffffff8112812f
    #12 [ffff8810343bfa08] __alloc_pages_nodemask at ffffffff8111fdad
    #13 [ffff8810343bfb28] kmem_getpages at ffffffff81159942
    #14 [ffff8810343bfb58] fallback_alloc at ffffffff8115a55a
    #15 [ffff8810343bfbd8] ____cache_alloc_node at ffffffff8115a2d9
    #16 [ffff8810343bfc38] kmem_cache_alloc at ffffffff8115b09b
    #17 [ffff8810343bfc78] sk_prot_alloc at ffffffff81411808
    #18 [ffff8810343bfcb8] sk_alloc at ffffffff8141197c
    #19 [ffff8810343bfce8] inet_create at ffffffff81483ba6
    #20 [ffff8810343bfd38] __sock_create at ffffffff8140b4a7
    #21 [ffff8810343bfd98] xs_create_sock at ffffffffa01f649b [sunrpc]
    #22 [ffff8810343bfdd8] xs_tcp_setup_socket at ffffffffa01f6965 [sunrpc]
    #23 [ffff8810343bfe38] worker_thread at ffffffff810887d0
    #24 [ffff8810343bfee8] kthread at ffffffff8108dd96
    #25 [ffff8810343bff48] kernel_thread at ffffffff8100c1ca

rpciod is trying to allocate memory for a new socket to talk to the
server. The VM ends up calling -&gt;releasepage to get more memory, and it
tries to do a blocking commit. That commit can't succeed however without
a connected socket, so we deadlock.

Fix this by setting PF_FSTRANS on the workqueue task prior to doing the
socket allocation, and having nfs_release_page check for that flag when
deciding whether to do a commit call. Also, set PF_FSTRANS
unconditionally in rpc_async_schedule since that function can also do
allocations sometimes.

Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: check iface combinations only when iface is running</title>
<updated>2012-07-19T15:58:22+00:00</updated>
<author>
<name>Michal Kazior</name>
<email>michal.kazior@tieto.com</email>
</author>
<published>2012-06-08T08:55:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=31b83ef7cfda5a7b74446ca70c1e231b24450cbd'/>
<id>31b83ef7cfda5a7b74446ca70c1e231b24450cbd</id>
<content type='text'>
commit f8cdddb8d61d16a156229f0910f7ecfc7a82c003 upstream.

Don't validate interface combinations on a stopped
interface. Otherwise we might end up being able to
create a new interface with a certain type, but
won't be able to change an existing interface
into that type.

This also skips some other functions when
interface is stopped and changing interface type.

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
[Fixes regression introduced by cherry pick of 463454b5dbd8]
Signed-off-by: Paul Gortmaker &lt;paul.gortmaker@windriver.com&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f8cdddb8d61d16a156229f0910f7ecfc7a82c003 upstream.

Don't validate interface combinations on a stopped
interface. Otherwise we might end up being able to
create a new interface with a certain type, but
won't be able to change an existing interface
into that type.

This also skips some other functions when
interface is stopped and changing interface type.

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
[Fixes regression introduced by cherry pick of 463454b5dbd8]
Signed-off-by: Paul Gortmaker &lt;paul.gortmaker@windriver.com&gt;

</pre>
</div>
</content>
</entry>
</feed>
