<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.10.83</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipv6: update ip6_rt_last_gc every time GC is run</title>
<updated>2015-07-04T02:48:09+00:00</updated>
<author>
<name>Michal Kubeček</name>
<email>mkubecek@suse.cz</email>
</author>
<published>2013-08-01T08:04:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c1e1eb159efadf28f0da0de550d696abdb30aefc'/>
<id>c1e1eb159efadf28f0da0de550d696abdb30aefc</id>
<content type='text'>
commit 49a18d86f66d33a20144ecb5a34bba0d1856b260 upstream.

As pointed out by Eric Dumazet, net-&gt;ipv6.ip6_rt_last_gc should
hold the last time garbage collector was run so that we should
update it whenever fib6_run_gc() calls fib6_clean_all(), not only
if we got there from ip6_dst_gc().

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@yandex-team.ru&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 49a18d86f66d33a20144ecb5a34bba0d1856b260 upstream.

As pointed out by Eric Dumazet, net-&gt;ipv6.ip6_rt_last_gc should
hold the last time garbage collector was run so that we should
update it whenever fib6_run_gc() calls fib6_clean_all(), not only
if we got there from ip6_dst_gc().

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@yandex-team.ru&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: prevent fib6_run_gc() contention</title>
<updated>2015-07-04T02:48:09+00:00</updated>
<author>
<name>Michal Kubeček</name>
<email>mkubecek@suse.cz</email>
</author>
<published>2013-08-01T08:04:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba310bc86f54169bf4ec414683bd61dcd2f8675f'/>
<id>ba310bc86f54169bf4ec414683bd61dcd2f8675f</id>
<content type='text'>
commit 2ac3ac8f86f2fe065d746d9a9abaca867adec577 upstream.

On a high-traffic router with many processors and many IPv6 dst
entries, soft lockup in fib6_run_gc() can occur when number of
entries reaches gc_thresh.

This happens because fib6_run_gc() uses fib6_gc_lock to allow
only one thread to run the garbage collector but ip6_dst_gc()
doesn't update net-&gt;ipv6.ip6_rt_last_gc until fib6_run_gc()
returns. On a system with many entries, this can take some time
so that in the meantime, other threads pass the tests in
ip6_dst_gc() (ip6_rt_last_gc is still not updated) and wait for
the lock. They then have to run the garbage collector one after
another which blocks them for quite long.

Resolve this by replacing special value ~0UL of expire parameter
to fib6_run_gc() by explicit "force" parameter to choose between
spin_lock_bh() and spin_trylock_bh() and call fib6_run_gc() with
force=false if gc_thresh is reached but not max_size.

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@yandex-team.ru&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2ac3ac8f86f2fe065d746d9a9abaca867adec577 upstream.

On a high-traffic router with many processors and many IPv6 dst
entries, soft lockup in fib6_run_gc() can occur when number of
entries reaches gc_thresh.

This happens because fib6_run_gc() uses fib6_gc_lock to allow
only one thread to run the garbage collector but ip6_dst_gc()
doesn't update net-&gt;ipv6.ip6_rt_last_gc until fib6_run_gc()
returns. On a system with many entries, this can take some time
so that in the meantime, other threads pass the tests in
ip6_dst_gc() (ip6_rt_last_gc is still not updated) and wait for
the lock. They then have to run the garbage collector one after
another which blocks them for quite long.

Resolve this by replacing special value ~0UL of expire parameter
to fib6_run_gc() by explicit "force" parameter to choose between
spin_lock_bh() and spin_trylock_bh() and call fib6_run_gc() with
force=false if gc_thresh is reached but not max_size.

Signed-off-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@yandex-team.ru&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: Increase the garbage collector threshold</title>
<updated>2015-07-04T02:48:09+00:00</updated>
<author>
<name>Steffen Klassert</name>
<email>steffen.klassert@secunet.com</email>
</author>
<published>2013-10-25T08:21:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=528555d05bde69c436bb0126ea95635da24d889e'/>
<id>528555d05bde69c436bb0126ea95635da24d889e</id>
<content type='text'>
commit eeb1b73378b560e00ff1da2ef09fed9254f4e128 upstream.

With the removal of the routing cache, we lost the
option to tweak the garbage collector threshold
along with the maximum routing cache size. So git
commit 703fb94ec ("xfrm: Fix the gc threshold value
for ipv4") moved back to a static threshold.

It turned out that the current threshold before we
start garbage collecting is much to small for some
workloads, so increase it from 1024 to 32768. This
means that we start the garbage collector if we have
more than 32768 dst entries in the system and refuse
new allocations if we are above 65536.

Reported-by: Wolfgang Walter &lt;linux@stwm.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Cc: Stephen Hemminger &lt;shemming@brocade.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eeb1b73378b560e00ff1da2ef09fed9254f4e128 upstream.

With the removal of the routing cache, we lost the
option to tweak the garbage collector threshold
along with the maximum routing cache size. So git
commit 703fb94ec ("xfrm: Fix the gc threshold value
for ipv4") moved back to a static threshold.

It turned out that the current threshold before we
start garbage collecting is much to small for some
workloads, so increase it from 1024 to 32768. This
means that we start the garbage collector if we have
more than 32768 dst entries in the system and refuse
new allocations if we are above 65536.

Reported-by: Wolfgang Walter &lt;linux@stwm.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Cc: Stephen Hemminger &lt;shemming@brocade.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()</title>
<updated>2015-07-04T02:48:08+00:00</updated>
<author>
<name>Ian Wilson</name>
<email>iwilson@brocade.com</email>
</author>
<published>2015-03-12T09:37:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7c6300bb4934b8f9f881b1645c087b2ddba922f9'/>
<id>7c6300bb4934b8f9f881b1645c087b2ddba922f9</id>
<content type='text'>
commit 78146572b9cd20452da47951812f35b1ad4906be upstream.

nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
a pointer to an nf_conntrack_tuple data structure local variable:

    struct nf_conntrack_tuple tuple;
    ...
    ret = nfnl_cthelper_parse_tuple(&amp;tuple, tb[NFCTH_TUPLE]);

The problem is that this local variable is not initialized, and
nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
dst.protonum.  This leaves all other fields with undefined values
based on whatever is on the stack:

    tuple-&gt;src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
    tuple-&gt;dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);

The symptom observed was that when the rpc and tns helpers were added
then traffic to port 1536 was being sent to user-space.

Signed-off-by: Ian Wilson &lt;iwilson@brocade.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 78146572b9cd20452da47951812f35b1ad4906be upstream.

nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
a pointer to an nf_conntrack_tuple data structure local variable:

    struct nf_conntrack_tuple tuple;
    ...
    ret = nfnl_cthelper_parse_tuple(&amp;tuple, tb[NFCTH_TUPLE]);

The problem is that this local variable is not initialized, and
nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
dst.protonum.  This leaves all other fields with undefined values
based on whatever is on the stack:

    tuple-&gt;src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
    tuple-&gt;dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);

The symptom observed was that when the rpc and tns helpers were added
then traffic to port 1536 was being sent to user-space.

Signed-off-by: Ian Wilson &lt;iwilson@brocade.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nfnetlink_cthelper: Remove 'const' and '&amp;' to avoid warnings</title>
<updated>2015-07-04T02:48:08+00:00</updated>
<author>
<name>Chen Gang</name>
<email>gang.chen.5i5j@gmail.com</email>
</author>
<published>2014-12-24T15:04:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59bc21951c78625486741b33eafdacbe57ce688d'/>
<id>59bc21951c78625486741b33eafdacbe57ce688d</id>
<content type='text'>
commit b18c5d15e8714336365d9d51782d5b53afa0443c upstream.

The related code can be simplified, and also can avoid related warnings
(with allmodconfig under parisc):

    CC [M]  net/netfilter/nfnetlink_cthelper.o
  net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr’:
  net/netfilter/nfnetlink_cthelper.c:97:9: warning: passing argument 1 o ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
    memcpy(&amp;help-&gt;data, nla_data(attr), help-&gt;helper-&gt;data_len);
           ^
  In file included from include/linux/string.h:17:0,
                   from include/uapi/linux/uuid.h:25,
                   from include/linux/uuid.h:23,
                   from include/linux/mod_devicetable.h:12,
                   from ./arch/parisc/include/asm/hardware.h:4,
                   from ./arch/parisc/include/asm/processor.h:15,
                   from ./arch/parisc/include/asm/spinlock.h:6,
                   from ./arch/parisc/include/asm/atomic.h:21,
                   from include/linux/atomic.h:4,
                   from ./arch/parisc/include/asm/bitops.h:12,
                   from include/linux/bitops.h:36,
                   from include/linux/kernel.h:10,
                   from include/linux/list.h:8,
                   from include/linux/module.h:9,
                   from net/netfilter/nfnetlink_cthelper.c:11:
  ./arch/parisc/include/asm/string.h:8:8: note: expected ‘void *’ but argument is of type ‘const char (*)[]’
   void * memcpy(void * dest,const void *src,size_t count);
          ^

Signed-off-by: Chen Gang &lt;gang.chen.5i5j@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@soleta.eu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b18c5d15e8714336365d9d51782d5b53afa0443c upstream.

The related code can be simplified, and also can avoid related warnings
(with allmodconfig under parisc):

    CC [M]  net/netfilter/nfnetlink_cthelper.o
  net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr’:
  net/netfilter/nfnetlink_cthelper.c:97:9: warning: passing argument 1 o ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
    memcpy(&amp;help-&gt;data, nla_data(attr), help-&gt;helper-&gt;data_len);
           ^
  In file included from include/linux/string.h:17:0,
                   from include/uapi/linux/uuid.h:25,
                   from include/linux/uuid.h:23,
                   from include/linux/mod_devicetable.h:12,
                   from ./arch/parisc/include/asm/hardware.h:4,
                   from ./arch/parisc/include/asm/processor.h:15,
                   from ./arch/parisc/include/asm/spinlock.h:6,
                   from ./arch/parisc/include/asm/atomic.h:21,
                   from include/linux/atomic.h:4,
                   from ./arch/parisc/include/asm/bitops.h:12,
                   from include/linux/bitops.h:36,
                   from include/linux/kernel.h:10,
                   from include/linux/list.h:8,
                   from include/linux/module.h:9,
                   from net/netfilter/nfnetlink_cthelper.c:11:
  ./arch/parisc/include/asm/string.h:8:8: note: expected ‘void *’ but argument is of type ‘const char (*)[]’
   void * memcpy(void * dest,const void *src,size_t count);
          ^

Signed-off-by: Chen Gang &lt;gang.chen.5i5j@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@soleta.eu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: wext: clear sinfo struct before calling driver</title>
<updated>2015-06-22T23:55:54+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2015-06-09T19:35:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=98d94f20a39ab94559783c0556142f7bf4d0788f'/>
<id>98d94f20a39ab94559783c0556142f7bf4d0788f</id>
<content type='text'>
commit 9c5a18a31b321f120efda412281bb9f610f84aa0 upstream.

Until recently, mac80211 overwrote all the statistics it could
provide when getting called, but it now relies on the struct
having been zeroed by the caller. This was always the case in
nl80211, but wext used a static struct which could even cause
values from one device leak to another.

Using a static struct is OK (as even documented in a comment)
since the whole usage of this function and its return value is
always locked under RTNL. Not clearing the struct for calling
the driver has always been wrong though, since drivers were
free to only fill values they could report, so calling this
for one device and then for another would always have leaked
values from one to the other.

Fix this by initializing the structure in question before the
driver method call.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=99691

Reported-by: Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
Reported-by: Alexander Kaltsas &lt;alexkaltsas@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9c5a18a31b321f120efda412281bb9f610f84aa0 upstream.

Until recently, mac80211 overwrote all the statistics it could
provide when getting called, but it now relies on the struct
having been zeroed by the caller. This was always the case in
nl80211, but wext used a static struct which could even cause
values from one device leak to another.

Using a static struct is OK (as even documented in a comment)
since the whole usage of this function and its return value is
always locked under RTNL. Not clearing the struct for calling
the driver has always been wrong though, since drivers were
free to only fill values they could report, so calling this
for one device and then for another would always have leaked
values from one to the other.

Fix this by initializing the structure in question before the
driver method call.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=99691

Reported-by: Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
Reported-by: Alexander Kaltsas &lt;alexkaltsas@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>udp: fix behavior of wrong checksums</title>
<updated>2015-06-22T23:55:51+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-05-30T16:16:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a3cfde2a311c3679b414b46e29d1a184edf29b0a'/>
<id>a3cfde2a311c3679b414b46e29d1a184edf29b0a</id>
<content type='text'>
[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]

We have two problems in UDP stack related to bogus checksums :

1) We return -EAGAIN to application even if receive queue is not empty.
   This breaks applications using edge trigger epoll()

2) Under UDP flood, we can loop forever without yielding to other
   processes, potentially hanging the host, especially on non SMP.

This patch is an attempt to make things better.

We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]

We have two problems in UDP stack related to bogus checksums :

1) We return -EAGAIN to application even if receive queue is not empty.
   This breaks applications using edge trigger epoll()

2) Under UDP flood, we can loop forever without yielding to other
   processes, potentially hanging the host, especially on non SMP.

This patch is an attempt to make things better.

We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net_sched: invoke -&gt;attach() after setting dev-&gt;qdisc</title>
<updated>2015-06-22T23:55:51+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2015-05-26T23:08:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=09982800fda01085d538c5bdced6cef621233e6a'/>
<id>09982800fda01085d538c5bdced6cef621233e6a</id>
<content type='text'>
[ Upstream commit 86e363dc3b50bfd50a1f315934583fbda673ab8d ]

For mq qdisc, we add per tx queue qdisc to root qdisc
for display purpose, however, that happens too early,
before the new dev-&gt;qdisc is finally set, this causes
q-&gt;list points to an old root qdisc which is going to be
freed right before assigning with a new one.

Fix this by moving -&gt;attach() after setting dev-&gt;qdisc.

For the record, this fixes the following crash:

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
 list_del corruption. prev-&gt;next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b
 CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756
  ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20
  ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000
 Call Trace:
  [&lt;ffffffff81a44e7f&gt;] dump_stack+0x4c/0x65
  [&lt;ffffffff810790da&gt;] warn_slowpath_common+0x9c/0xb6
  [&lt;ffffffff814e725b&gt;] ? __list_del_entry+0x5a/0x98
  [&lt;ffffffff81079162&gt;] warn_slowpath_fmt+0x46/0x48
  [&lt;ffffffff81820eb0&gt;] ? dev_graft_qdisc+0x5e/0x6a
  [&lt;ffffffff814e725b&gt;] __list_del_entry+0x5a/0x98
  [&lt;ffffffff814e72a7&gt;] list_del+0xe/0x2d
  [&lt;ffffffff81822f05&gt;] qdisc_list_del+0x1e/0x20
  [&lt;ffffffff81820cd1&gt;] qdisc_destroy+0x30/0xd6
  [&lt;ffffffff81822676&gt;] qdisc_graft+0x11d/0x243
  [&lt;ffffffff818233c1&gt;] tc_get_qdisc+0x1a6/0x1d4
  [&lt;ffffffff810b5eaf&gt;] ? mark_lock+0x2e/0x226
  [&lt;ffffffff817ff8f5&gt;] rtnetlink_rcv_msg+0x181/0x194
  [&lt;ffffffff817ff72e&gt;] ? rtnl_lock+0x17/0x19
  [&lt;ffffffff817ff72e&gt;] ? rtnl_lock+0x17/0x19
  [&lt;ffffffff817ff774&gt;] ? __rtnl_unlock+0x17/0x17
  [&lt;ffffffff81855dc6&gt;] netlink_rcv_skb+0x4d/0x93
  [&lt;ffffffff817ff756&gt;] rtnetlink_rcv+0x26/0x2d
  [&lt;ffffffff818544b2&gt;] netlink_unicast+0xcb/0x150
  [&lt;ffffffff81161db9&gt;] ? might_fault+0x59/0xa9
  [&lt;ffffffff81854f78&gt;] netlink_sendmsg+0x4fa/0x51c
  [&lt;ffffffff817d6e09&gt;] sock_sendmsg_nosec+0x12/0x1d
  [&lt;ffffffff817d8967&gt;] sock_sendmsg+0x29/0x2e
  [&lt;ffffffff817d8cf3&gt;] ___sys_sendmsg+0x1b4/0x23a
  [&lt;ffffffff8100a1b8&gt;] ? native_sched_clock+0x35/0x37
  [&lt;ffffffff810a1d83&gt;] ? sched_clock_local+0x12/0x72
  [&lt;ffffffff810a1fd4&gt;] ? sched_clock_cpu+0x9e/0xb7
  [&lt;ffffffff810def2a&gt;] ? current_kernel_time+0xe/0x32
  [&lt;ffffffff810b4bc5&gt;] ? lock_release_holdtime.part.29+0x71/0x7f
  [&lt;ffffffff810ddebf&gt;] ? read_seqcount_begin.constprop.27+0x5f/0x76
  [&lt;ffffffff810b6292&gt;] ? trace_hardirqs_on_caller+0x17d/0x199
  [&lt;ffffffff811b14d5&gt;] ? __fget_light+0x50/0x78
  [&lt;ffffffff817d9808&gt;] __sys_sendmsg+0x42/0x60
  [&lt;ffffffff817d9838&gt;] SyS_sendmsg+0x12/0x1c
  [&lt;ffffffff81a50e97&gt;] system_call_fastpath+0x12/0x6f
 ---[ end trace ef29d3fb28e97ae7 ]---

For long term, we probably need to clean up the qdisc_graft() code
in case it hides other bugs like this.

Fixes: 95dc19299f74 ("pkt_sched: give visibility to mq slave qdiscs")
Cc: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 86e363dc3b50bfd50a1f315934583fbda673ab8d ]

For mq qdisc, we add per tx queue qdisc to root qdisc
for display purpose, however, that happens too early,
before the new dev-&gt;qdisc is finally set, this causes
q-&gt;list points to an old root qdisc which is going to be
freed right before assigning with a new one.

Fix this by moving -&gt;attach() after setting dev-&gt;qdisc.

For the record, this fixes the following crash:

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
 list_del corruption. prev-&gt;next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b
 CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756
  ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20
  ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000
 Call Trace:
  [&lt;ffffffff81a44e7f&gt;] dump_stack+0x4c/0x65
  [&lt;ffffffff810790da&gt;] warn_slowpath_common+0x9c/0xb6
  [&lt;ffffffff814e725b&gt;] ? __list_del_entry+0x5a/0x98
  [&lt;ffffffff81079162&gt;] warn_slowpath_fmt+0x46/0x48
  [&lt;ffffffff81820eb0&gt;] ? dev_graft_qdisc+0x5e/0x6a
  [&lt;ffffffff814e725b&gt;] __list_del_entry+0x5a/0x98
  [&lt;ffffffff814e72a7&gt;] list_del+0xe/0x2d
  [&lt;ffffffff81822f05&gt;] qdisc_list_del+0x1e/0x20
  [&lt;ffffffff81820cd1&gt;] qdisc_destroy+0x30/0xd6
  [&lt;ffffffff81822676&gt;] qdisc_graft+0x11d/0x243
  [&lt;ffffffff818233c1&gt;] tc_get_qdisc+0x1a6/0x1d4
  [&lt;ffffffff810b5eaf&gt;] ? mark_lock+0x2e/0x226
  [&lt;ffffffff817ff8f5&gt;] rtnetlink_rcv_msg+0x181/0x194
  [&lt;ffffffff817ff72e&gt;] ? rtnl_lock+0x17/0x19
  [&lt;ffffffff817ff72e&gt;] ? rtnl_lock+0x17/0x19
  [&lt;ffffffff817ff774&gt;] ? __rtnl_unlock+0x17/0x17
  [&lt;ffffffff81855dc6&gt;] netlink_rcv_skb+0x4d/0x93
  [&lt;ffffffff817ff756&gt;] rtnetlink_rcv+0x26/0x2d
  [&lt;ffffffff818544b2&gt;] netlink_unicast+0xcb/0x150
  [&lt;ffffffff81161db9&gt;] ? might_fault+0x59/0xa9
  [&lt;ffffffff81854f78&gt;] netlink_sendmsg+0x4fa/0x51c
  [&lt;ffffffff817d6e09&gt;] sock_sendmsg_nosec+0x12/0x1d
  [&lt;ffffffff817d8967&gt;] sock_sendmsg+0x29/0x2e
  [&lt;ffffffff817d8cf3&gt;] ___sys_sendmsg+0x1b4/0x23a
  [&lt;ffffffff8100a1b8&gt;] ? native_sched_clock+0x35/0x37
  [&lt;ffffffff810a1d83&gt;] ? sched_clock_local+0x12/0x72
  [&lt;ffffffff810a1fd4&gt;] ? sched_clock_cpu+0x9e/0xb7
  [&lt;ffffffff810def2a&gt;] ? current_kernel_time+0xe/0x32
  [&lt;ffffffff810b4bc5&gt;] ? lock_release_holdtime.part.29+0x71/0x7f
  [&lt;ffffffff810ddebf&gt;] ? read_seqcount_begin.constprop.27+0x5f/0x76
  [&lt;ffffffff810b6292&gt;] ? trace_hardirqs_on_caller+0x17d/0x199
  [&lt;ffffffff811b14d5&gt;] ? __fget_light+0x50/0x78
  [&lt;ffffffff817d9808&gt;] __sys_sendmsg+0x42/0x60
  [&lt;ffffffff817d9838&gt;] SyS_sendmsg+0x12/0x1c
  [&lt;ffffffff81a50e97&gt;] system_call_fastpath+0x12/0x6f
 ---[ end trace ef29d3fb28e97ae7 ]---

For long term, we probably need to clean up the qdisc_graft() code
in case it hides other bugs like this.

Fixes: 95dc19299f74 ("pkt_sched: give visibility to mq slave qdiscs")
Cc: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>unix/caif: sk_socket can disappear when state is unlocked</title>
<updated>2015-06-22T23:55:51+00:00</updated>
<author>
<name>Mark Salyzyn</name>
<email>salyzyn@android.com</email>
</author>
<published>2015-05-26T15:22:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7659c93447344c3e6344e3e2dcdd53fe984eba7c'/>
<id>7659c93447344c3e6344e3e2dcdd53fe984eba7c</id>
<content type='text'>
[ Upstream commit b48732e4a48d80ed4a14812f0bab09560846514e ]

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn &lt;salyzyn@android.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b48732e4a48d80ed4a14812f0bab09560846514e ]

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn &lt;salyzyn@android.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bridge: fix parsing of MLDv2 reports</title>
<updated>2015-06-22T23:55:51+00:00</updated>
<author>
<name>Thadeu Lima de Souza Cascardo</name>
<email>cascardo@redhat.com</email>
</author>
<published>2015-05-22T15:18:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f5f714f6d7d18111c93bde581a534591b862458'/>
<id>2f5f714f6d7d18111c93bde581a534591b862458</id>
<content type='text'>
[ Upstream commit 47cc84ce0c2fe75c99ea5963c4b5704dd78ead54 ]

When more than a multicast address is present in a MLDv2 report, all but
the first address is ignored, because the code breaks out of the loop if
there has not been an error adding that address.

This has caused failures when two guests connected through the bridge
tried to communicate using IPv6. Neighbor discoveries would not be
transmitted to the other guest when both used a link-local address and a
static address.

This only happens when there is a MLDv2 querier in the network.

The fix will only break out of the loop when there is a failure adding a
multicast address.

The mdb before the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp

After the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::fb temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp
dev ovirtmgmt port bond0.86 grp ff02::d temp
dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
dev ovirtmgmt port bond0.86 grp ff02::16 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp

Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
Reported-by: Rik Theys &lt;Rik.Theys@esat.kuleuven.be&gt;
Signed-off-by: Thadeu Lima de Souza Cascardo &lt;cascardo@redhat.com&gt;
Tested-by: Rik Theys &lt;Rik.Theys@esat.kuleuven.be&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 47cc84ce0c2fe75c99ea5963c4b5704dd78ead54 ]

When more than a multicast address is present in a MLDv2 report, all but
the first address is ignored, because the code breaks out of the loop if
there has not been an error adding that address.

This has caused failures when two guests connected through the bridge
tried to communicate using IPv6. Neighbor discoveries would not be
transmitted to the other guest when both used a link-local address and a
static address.

This only happens when there is a MLDv2 querier in the network.

The fix will only break out of the loop when there is a failure adding a
multicast address.

The mdb before the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp

After the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::fb temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp
dev ovirtmgmt port bond0.86 grp ff02::d temp
dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
dev ovirtmgmt port bond0.86 grp ff02::16 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp

Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
Reported-by: Rik Theys &lt;Rik.Theys@esat.kuleuven.be&gt;
Signed-off-by: Thadeu Lima de Souza Cascardo &lt;cascardo@redhat.com&gt;
Tested-by: Rik Theys &lt;Rik.Theys@esat.kuleuven.be&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
