<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.10.89</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>rds: rds_ib_device.refcount overflow</title>
<updated>2015-08-10T19:20:31+00:00</updated>
<author>
<name>Wengang Wang</name>
<email>wen.gang.wang@oracle.com</email>
</author>
<published>2015-07-06T06:35:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c3498f9eef9381a5d45d5b2ca23b455a36795c5'/>
<id>6c3498f9eef9381a5d45d5b2ca23b455a36795c5</id>
<content type='text'>
commit 4fabb59449aa44a585b3603ffdadd4c5f4d0c033 upstream.

Fixes: 3e0249f9c05c ("RDS/IB: add refcount tracking to struct rds_ib_device")

There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
failed(mr pool running out). this lead to the refcount overflow.

A complain in line 117(see following) is seen. From vmcore:
s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev-&gt;refcount is -2147475448.
That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
to return ERR_PTR(-EAGAIN).

115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
116 {
117         BUG_ON(atomic_read(&amp;rds_ibdev-&gt;refcount) &lt;= 0);
118         if (atomic_dec_and_test(&amp;rds_ibdev-&gt;refcount))
119                 queue_work(rds_wq, &amp;rds_ibdev-&gt;free_work);
120 }

fix is to drop refcount when rds_ib_alloc_fmr failed.

Signed-off-by: Wengang Wang &lt;wen.gang.wang@oracle.com&gt;
Reviewed-by: Haggai Eran &lt;haggaie@mellanox.com&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4fabb59449aa44a585b3603ffdadd4c5f4d0c033 upstream.

Fixes: 3e0249f9c05c ("RDS/IB: add refcount tracking to struct rds_ib_device")

There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
failed(mr pool running out). this lead to the refcount overflow.

A complain in line 117(see following) is seen. From vmcore:
s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev-&gt;refcount is -2147475448.
That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
to return ERR_PTR(-EAGAIN).

115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
116 {
117         BUG_ON(atomic_read(&amp;rds_ibdev-&gt;refcount) &lt;= 0);
118         if (atomic_dec_and_test(&amp;rds_ibdev-&gt;refcount))
119                 queue_work(rds_wq, &amp;rds_ibdev-&gt;free_work);
120 }

fix is to drop refcount when rds_ib_alloc_fmr failed.

Signed-off-by: Wengang Wang &lt;wen.gang.wang@oracle.com&gt;
Reviewed-by: Haggai Eran &lt;haggaie@mellanox.com&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: clear subdir_stations when removing debugfs</title>
<updated>2015-08-10T19:20:30+00:00</updated>
<author>
<name>Tom Hughes</name>
<email>tom@compton.nu</email>
</author>
<published>2015-06-29T18:41:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b07016348b0bec192414ade9fb0e385fdc8c4a52'/>
<id>b07016348b0bec192414ade9fb0e385fdc8c4a52</id>
<content type='text'>
commit 4479004e6409087d1b4986881dc98c6c15dffb28 upstream.

If we don't do this, and we then fail to recreate the debugfs
directory during a mode change, then we will fail later trying
to add stations to this now bogus directory:

BUG: unable to handle kernel NULL pointer dereference at 0000006c
IP: [&lt;c0a92202&gt;] mutex_lock+0x12/0x30
Call Trace:
[&lt;c0678ab4&gt;] start_creating+0x44/0xc0
[&lt;c0679203&gt;] debugfs_create_dir+0x13/0xf0
[&lt;f8a938ae&gt;] ieee80211_sta_debugfs_add+0x6e/0x490 [mac80211]

Signed-off-by: Tom Hughes &lt;tom@compton.nu&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4479004e6409087d1b4986881dc98c6c15dffb28 upstream.

If we don't do this, and we then fail to recreate the debugfs
directory during a mode change, then we will fail later trying
to add stations to this now bogus directory:

BUG: unable to handle kernel NULL pointer dereference at 0000006c
IP: [&lt;c0a92202&gt;] mutex_lock+0x12/0x30
Call Trace:
[&lt;c0678ab4&gt;] start_creating+0x44/0xc0
[&lt;c0679203&gt;] debugfs_create_dir+0x13/0xf0
[&lt;f8a938ae&gt;] ieee80211_sta_debugfs_add+0x6e/0x490 [mac80211]

Signed-off-by: Tom Hughes &lt;tom@compton.nu&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>9p: forgetting to cancel request on interrupted zero-copy RPC</title>
<updated>2015-08-03T16:29:47+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2015-07-04T20:04:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=693f66d6213c20cc83a33ef18e8ae01d78883e3d'/>
<id>693f66d6213c20cc83a33ef18e8ae01d78883e3d</id>
<content type='text'>
commit a84b69cb6e0a41e86bc593904faa6def3b957343 upstream.

If we'd already sent a request and decide to abort it, we *must*
issue TFLUSH properly and not just blindly reuse the tag, or
we'll get seriously screwed when response eventually arrives
and we confuse it for response to later request that had reused
the same tag.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a84b69cb6e0a41e86bc593904faa6def3b957343 upstream.

If we'd already sent a request and decide to abort it, we *must*
issue TFLUSH properly and not just blindly reuse the tag, or
we'll get seriously screwed when response eventually arrives
and we confuse it for response to later request that had reused
the same tag.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Fix a memory leak in the backchannel code</title>
<updated>2015-08-03T16:29:47+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2015-06-01T19:10:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=13d0b6aae666e69c0156a3c6d1b6116a2e64078a'/>
<id>13d0b6aae666e69c0156a3c6d1b6116a2e64078a</id>
<content type='text'>
commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd upstream.

req-&gt;rq_private_buf isn't initialised when xprt_setup_backchannel calls
xprt_free_allocation.

Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd upstream.

req-&gt;rq_private_buf isn't initialised when xprt_setup_backchannel calls
xprt_free_allocation.

Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: prevent possible crypto tx tailroom corruption</title>
<updated>2015-08-03T16:29:46+00:00</updated>
<author>
<name>Michal Kazior</name>
<email>michal.kazior@tieto.com</email>
</author>
<published>2015-05-22T08:22:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5c817fb317292d051103e738e825d8d543a51304'/>
<id>5c817fb317292d051103e738e825d8d543a51304</id>
<content type='text'>
commit ab499db80fcf07c18e4053f91a619500f663e90e upstream.

There was a possible race between
ieee80211_reconfig() and
ieee80211_delayed_tailroom_dec(). This could
result in inability to transmit data if driver
crashed during roaming or rekeying and subsequent
skbs with insufficient tailroom appeared.

This race was probably never seen in the wild
because a device driver would have to crash AND
recover within 0.5s which is very unlikely.

I was able to prove this race exists after
changing the delay to 10s locally and crashing
ath10k via debugfs immediately after GTK
rekeying. In case of ath10k the counter went below
0. This was harmless but other drivers which
actually require tailroom (e.g. for WEP ICV or
MMIC) could end up with the counter at 0 instead
of &gt;0 and introduce insufficient skb tailroom
failures because mac80211 would not resize skbs
appropriately anymore.

Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming")
Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ab499db80fcf07c18e4053f91a619500f663e90e upstream.

There was a possible race between
ieee80211_reconfig() and
ieee80211_delayed_tailroom_dec(). This could
result in inability to transmit data if driver
crashed during roaming or rekeying and subsequent
skbs with insufficient tailroom appeared.

This race was probably never seen in the wild
because a device driver would have to crash AND
recover within 0.5s which is very unlikely.

I was able to prove this race exists after
changing the delay to 10s locally and crashing
ath10k via debugfs immediately after GTK
rekeying. In case of ath10k the counter went below
0. This was harmless but other drivers which
actually require tailroom (e.g. for WEP ICV or
MMIC) could end up with the counter at 0 instead
of &gt;0 and introduce insufficient skb tailroom
failures because mac80211 would not resize skbs
appropriately anymore.

Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming")
Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>crush: fix a bug in tree bucket decode</title>
<updated>2015-08-03T16:29:46+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2015-06-29T16:30:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7546f8cb2dff62ad20c50bf3d6170ad8dadb9cc8'/>
<id>7546f8cb2dff62ad20c50bf3d6170ad8dadb9cc8</id>
<content type='text'>
commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream.

struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
should be used.  -Wconversion catches this, but I guess it went
unnoticed in all the noise it spews.  The actual problem (at least for
common crushmaps) isn't the u32 -&gt; u8 truncation though - it's the
advancement by 4 bytes instead of 1 in the crushmap buffer.

Fixes: http://tracker.ceph.com/issues/2759

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream.

struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
should be used.  -Wconversion catches this, but I guess it went
unnoticed in all the noise it spews.  The actual problem (at least for
common crushmaps) isn't the u32 -&gt; u8 truncation though - it's the
advancement by 4 bytes instead of 1 in the crushmap buffer.

Fixes: http://tracker.ceph.com/issues/2759

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: Fix race between OOTB responce and route removal</title>
<updated>2015-07-10T17:40:21+00:00</updated>
<author>
<name>Alexander Sverdlin</name>
<email>alexander.sverdlin@nokia.com</email>
</author>
<published>2015-06-29T08:41:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59a460c394a771501ffcd81e68c83fa2ed91e384'/>
<id>59a460c394a771501ffcd81e68c83fa2ed91e384</id>
<content type='text'>
[ Upstream commit 29c4afc4e98f4dc0ea9df22c631841f9c220b944 ]

There is NULL pointer dereference possible during statistics update if the route
used for OOTB responce is removed at unfortunate time. If the route exists when
we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
ABORT, but in the meantime route is removed under our feet, we take "no_route"
path and try to update stats with IP_INC_STATS(sock_net(asoc-&gt;base.sk), ...).

But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
sctp_transport_set_owner() and therefore there is no asoc associated with this
packet. Probably temporary asoc just for OOTB responces is overkill, so just
introduce a check like in all other places in sctp_packet_transmit(), where
"asoc" is dereferenced.

To reproduce this, one needs to
0. ensure that sctp module is loaded (otherwise ABORT is not generated)
1. remove default route on the machine
2. while true; do
     ip route del [interface-specific route]
     ip route add [interface-specific route]
   done
3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
   responce

On x86_64 the crash looks like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ...
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
Hardware name: ...
task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
RIP: 0010:[&lt;ffffffffa05ec9ac&gt;]  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
Stack:
 ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
 ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
 0000000000000000 0000000000000001 0000000000000000 0000000000000000
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa05c94c5&gt;] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
 [&lt;ffffffffa05d6b42&gt;] ? sctp_transport_put+0x52/0x80 [sctp]
 [&lt;ffffffffa05d0bfc&gt;] sctp_do_sm+0xb8c/0x19a0 [sctp]
 [&lt;ffffffff810b0e00&gt;] ? trigger_load_balance+0x90/0x210
 [&lt;ffffffff810e0329&gt;] ? update_process_times+0x59/0x60
 [&lt;ffffffff812c7a40&gt;] ? timerqueue_add+0x60/0xb0
 [&lt;ffffffff810e0549&gt;] ? enqueue_hrtimer+0x29/0xa0
 [&lt;ffffffff8101f599&gt;] ? read_tsc+0x9/0x10
 [&lt;ffffffff8116d4b5&gt;] ? put_page+0x55/0x60
 [&lt;ffffffff810ee1ad&gt;] ? clockevents_program_event+0x6d/0x100
 [&lt;ffffffff81462b68&gt;] ? skb_free_head+0x58/0x80
 [&lt;ffffffffa029a10b&gt;] ? chksum_update+0x1b/0x27 [crc32c_generic]
 [&lt;ffffffff81283f3e&gt;] ? crypto_shash_update+0xce/0xf0
 [&lt;ffffffffa05d3993&gt;] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
 [&lt;ffffffffa05dd4e6&gt;] sctp_inq_push+0x46/0x60 [sctp]
 [&lt;ffffffffa05ed7a0&gt;] sctp_rcv+0x880/0x910 [sctp]
 [&lt;ffffffffa05ecb50&gt;] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
 [&lt;ffffffffa05ecb70&gt;] ? sctp_csum_update+0x20/0x20 [sctp]
 [&lt;ffffffff814b05a5&gt;] ? ip_route_input_noref+0x235/0xd30
 [&lt;ffffffff81051d6b&gt;] ? ack_ioapic_level+0x7b/0x150
 [&lt;ffffffff814b27be&gt;] ip_local_deliver_finish+0xae/0x210
 [&lt;ffffffff814b2e15&gt;] ip_local_deliver+0x35/0x90
 [&lt;ffffffff814b2a15&gt;] ip_rcv_finish+0xf5/0x370
 [&lt;ffffffff814b3128&gt;] ip_rcv+0x2b8/0x3a0
 [&lt;ffffffff81474193&gt;] __netif_receive_skb_core+0x763/0xa50
 [&lt;ffffffff81476c28&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff81476cb0&gt;] netif_receive_skb_internal+0x40/0xd0
 [&lt;ffffffff814776c8&gt;] napi_gro_receive+0xe8/0x120
 [&lt;ffffffffa03946aa&gt;] rtl8169_poll+0x2da/0x660 [r8169]
 [&lt;ffffffff8147896a&gt;] net_rx_action+0x21a/0x360
 [&lt;ffffffff81078dc1&gt;] __do_softirq+0xe1/0x2d0
 [&lt;ffffffff8107912d&gt;] irq_exit+0xad/0xb0
 [&lt;ffffffff8157d158&gt;] do_IRQ+0x58/0xf0
 [&lt;ffffffff8157b06d&gt;] common_interrupt+0x6d/0x6d
 &lt;EOI&gt;
 [&lt;ffffffff810e1218&gt;] ? hrtimer_start+0x18/0x20
 [&lt;ffffffffa05d65f9&gt;] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
 [&lt;ffffffff81020c50&gt;] ? mwait_idle+0x60/0xa0
 [&lt;ffffffff810216ef&gt;] arch_cpu_idle+0xf/0x20
 [&lt;ffffffff810b731c&gt;] cpu_startup_entry+0x3ec/0x480
 [&lt;ffffffff8156b365&gt;] rest_init+0x85/0x90
 [&lt;ffffffff818eb035&gt;] start_kernel+0x48b/0x4ac
 [&lt;ffffffff818ea120&gt;] ? early_idt_handlers+0x120/0x120
 [&lt;ffffffff818ea339&gt;] x86_64_start_reservations+0x2a/0x2c
 [&lt;ffffffff818ea49c&gt;] x86_64_start_kernel+0x161/0x184
Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 &lt;48&gt; 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
RIP  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
 RSP &lt;ffff880127c037b8&gt;
CR2: 0000000000000020
---[ end trace 5aec7fd2dc983574 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
drm_kms_helper: panic occurred, switching back to text console
---[ end Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 29c4afc4e98f4dc0ea9df22c631841f9c220b944 ]

There is NULL pointer dereference possible during statistics update if the route
used for OOTB responce is removed at unfortunate time. If the route exists when
we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
ABORT, but in the meantime route is removed under our feet, we take "no_route"
path and try to update stats with IP_INC_STATS(sock_net(asoc-&gt;base.sk), ...).

But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
sctp_transport_set_owner() and therefore there is no asoc associated with this
packet. Probably temporary asoc just for OOTB responces is overkill, so just
introduce a check like in all other places in sctp_packet_transmit(), where
"asoc" is dereferenced.

To reproduce this, one needs to
0. ensure that sctp module is loaded (otherwise ABORT is not generated)
1. remove default route on the machine
2. while true; do
     ip route del [interface-specific route]
     ip route add [interface-specific route]
   done
3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
   responce

On x86_64 the crash looks like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ...
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
Hardware name: ...
task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
RIP: 0010:[&lt;ffffffffa05ec9ac&gt;]  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
Stack:
 ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
 ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
 0000000000000000 0000000000000001 0000000000000000 0000000000000000
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa05c94c5&gt;] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
 [&lt;ffffffffa05d6b42&gt;] ? sctp_transport_put+0x52/0x80 [sctp]
 [&lt;ffffffffa05d0bfc&gt;] sctp_do_sm+0xb8c/0x19a0 [sctp]
 [&lt;ffffffff810b0e00&gt;] ? trigger_load_balance+0x90/0x210
 [&lt;ffffffff810e0329&gt;] ? update_process_times+0x59/0x60
 [&lt;ffffffff812c7a40&gt;] ? timerqueue_add+0x60/0xb0
 [&lt;ffffffff810e0549&gt;] ? enqueue_hrtimer+0x29/0xa0
 [&lt;ffffffff8101f599&gt;] ? read_tsc+0x9/0x10
 [&lt;ffffffff8116d4b5&gt;] ? put_page+0x55/0x60
 [&lt;ffffffff810ee1ad&gt;] ? clockevents_program_event+0x6d/0x100
 [&lt;ffffffff81462b68&gt;] ? skb_free_head+0x58/0x80
 [&lt;ffffffffa029a10b&gt;] ? chksum_update+0x1b/0x27 [crc32c_generic]
 [&lt;ffffffff81283f3e&gt;] ? crypto_shash_update+0xce/0xf0
 [&lt;ffffffffa05d3993&gt;] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
 [&lt;ffffffffa05dd4e6&gt;] sctp_inq_push+0x46/0x60 [sctp]
 [&lt;ffffffffa05ed7a0&gt;] sctp_rcv+0x880/0x910 [sctp]
 [&lt;ffffffffa05ecb50&gt;] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
 [&lt;ffffffffa05ecb70&gt;] ? sctp_csum_update+0x20/0x20 [sctp]
 [&lt;ffffffff814b05a5&gt;] ? ip_route_input_noref+0x235/0xd30
 [&lt;ffffffff81051d6b&gt;] ? ack_ioapic_level+0x7b/0x150
 [&lt;ffffffff814b27be&gt;] ip_local_deliver_finish+0xae/0x210
 [&lt;ffffffff814b2e15&gt;] ip_local_deliver+0x35/0x90
 [&lt;ffffffff814b2a15&gt;] ip_rcv_finish+0xf5/0x370
 [&lt;ffffffff814b3128&gt;] ip_rcv+0x2b8/0x3a0
 [&lt;ffffffff81474193&gt;] __netif_receive_skb_core+0x763/0xa50
 [&lt;ffffffff81476c28&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff81476cb0&gt;] netif_receive_skb_internal+0x40/0xd0
 [&lt;ffffffff814776c8&gt;] napi_gro_receive+0xe8/0x120
 [&lt;ffffffffa03946aa&gt;] rtl8169_poll+0x2da/0x660 [r8169]
 [&lt;ffffffff8147896a&gt;] net_rx_action+0x21a/0x360
 [&lt;ffffffff81078dc1&gt;] __do_softirq+0xe1/0x2d0
 [&lt;ffffffff8107912d&gt;] irq_exit+0xad/0xb0
 [&lt;ffffffff8157d158&gt;] do_IRQ+0x58/0xf0
 [&lt;ffffffff8157b06d&gt;] common_interrupt+0x6d/0x6d
 &lt;EOI&gt;
 [&lt;ffffffff810e1218&gt;] ? hrtimer_start+0x18/0x20
 [&lt;ffffffffa05d65f9&gt;] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
 [&lt;ffffffff81020c50&gt;] ? mwait_idle+0x60/0xa0
 [&lt;ffffffff810216ef&gt;] arch_cpu_idle+0xf/0x20
 [&lt;ffffffff810b731c&gt;] cpu_startup_entry+0x3ec/0x480
 [&lt;ffffffff8156b365&gt;] rest_init+0x85/0x90
 [&lt;ffffffff818eb035&gt;] start_kernel+0x48b/0x4ac
 [&lt;ffffffff818ea120&gt;] ? early_idt_handlers+0x120/0x120
 [&lt;ffffffff818ea339&gt;] x86_64_start_reservations+0x2a/0x2c
 [&lt;ffffffff818ea49c&gt;] x86_64_start_kernel+0x161/0x184
Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 &lt;48&gt; 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
RIP  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
 RSP &lt;ffff880127c037b8&gt;
CR2: 0000000000000020
---[ end trace 5aec7fd2dc983574 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
drm_kms_helper: panic occurred, switching back to text console
---[ end Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: avoid out of bounds read in round robin fanout</title>
<updated>2015-07-10T17:40:20+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2015-06-17T19:59:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4552ddd07a1f2f502243cb8d4609f1e3fad57958'/>
<id>4552ddd07a1f2f502243cb8d4609f1e3fad57958</id>
<content type='text'>
[ Upstream commit 468479e6043c84f5a65299cc07cb08a22a28c2b1 ]

PACKET_FANOUT_LB computes f-&gt;rr_cur such that it is modulo
f-&gt;num_members. It returns the old value unconditionally, but
f-&gt;num_members may have changed since the last store. Ensure
that the return value is always &lt; num.

When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.

Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 468479e6043c84f5a65299cc07cb08a22a28c2b1 ]

PACKET_FANOUT_LB computes f-&gt;rr_cur such that it is modulo
f-&gt;num_members. It returns the old value unconditionally, but
f-&gt;num_members may have changed since the last store. Ensure
that the return value is always &lt; num.

When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.

Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: read num_members once in packet_rcv_fanout()</title>
<updated>2015-07-10T17:40:20+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-06-16T14:59:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7eee92bf2e54235ab90f90d4b97b9256f51b076d'/>
<id>7eee92bf2e54235ab90f90d4b97b9256f51b076d</id>
<content type='text'>
[ Upstream commit f98f4514d07871da7a113dd9e3e330743fd70ae4 ]

We need to tell compiler it must not read f-&gt;num_members multiple
times. Otherwise testing if num is not zero is flaky, and we could
attempt an invalid divide by 0 in fanout_demux_cpu()

Note bug was present in packet_rcv_fanout_hash() and
packet_rcv_fanout_lb() but final 3.1 had a simple location
after commit 95ec3eb417115fb ("packet: Add 'cpu' fanout policy.")

Fixes: dc99f600698dc ("packet: Add fanout support.")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f98f4514d07871da7a113dd9e3e330743fd70ae4 ]

We need to tell compiler it must not read f-&gt;num_members multiple
times. Otherwise testing if num is not zero is flaky, and we could
attempt an invalid divide by 0 in fanout_demux_cpu()

Note bug was present in packet_rcv_fanout_hash() and
packet_rcv_fanout_lb() but final 3.1 had a simple location
after commit 95ec3eb417115fb ("packet: Add 'cpu' fanout policy.")

Fixes: dc99f600698dc ("packet: Add fanout support.")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bridge: fix br_stp_set_bridge_priority race conditions</title>
<updated>2015-07-10T17:40:20+00:00</updated>
<author>
<name>Nikolay Aleksandrov</name>
<email>razor@blackwall.org</email>
</author>
<published>2015-06-15T17:28:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=019b1332afd4dc4c80fa83379866d01984933694'/>
<id>019b1332afd4dc4c80fa83379866d01984933694</id>
<content type='text'>
[ Upstream commit 2dab80a8b486f02222a69daca6859519e05781d9 ]

After the -&gt;set() spinlocks were removed br_stp_set_bridge_priority
was left running without any protection when used via sysfs. It can
race with port add/del and could result in use-after-free cases and
corrupted lists. Tested by running port add/del in a loop with stp
enabled while setting priority in a loop, crashes are easily
reproducible.
The spinlocks around sysfs -&gt;set() were removed in commit:
14f98f258f19 ("bridge: range check STP parameters")
There's also a race condition in the netlink priority support that is
fixed by this change, but it was introduced recently and the fixes tag
covers it, just in case it's needed the commit is:
af615762e972 ("bridge: add ageing_time, stp_state, priority over netlink")

Signed-off-by: Nikolay Aleksandrov &lt;razor@blackwall.org&gt;
Fixes: 14f98f258f19 ("bridge: range check STP parameters")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2dab80a8b486f02222a69daca6859519e05781d9 ]

After the -&gt;set() spinlocks were removed br_stp_set_bridge_priority
was left running without any protection when used via sysfs. It can
race with port add/del and could result in use-after-free cases and
corrupted lists. Tested by running port add/del in a loop with stp
enabled while setting priority in a loop, crashes are easily
reproducible.
The spinlocks around sysfs -&gt;set() were removed in commit:
14f98f258f19 ("bridge: range check STP parameters")
There's also a race condition in the netlink priority support that is
fixed by this change, but it was introduced recently and the fixes tag
covers it, just in case it's needed the commit is:
af615762e972 ("bridge: add ageing_time, stp_state, priority over netlink")

Signed-off-by: Nikolay Aleksandrov &lt;razor@blackwall.org&gt;
Fixes: 14f98f258f19 ("bridge: range check STP parameters")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
