<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.12.73</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipv4: igmp: Allow removing groups from a removed interface</title>
<updated>2017-04-11T06:04:35+00:00</updated>
<author>
<name>Andrew Lunn</name>
<email>andrew@lunn.ch</email>
</author>
<published>2015-12-01T15:31:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5742a855b77d5f313552dd379d7bdd05ce6c340'/>
<id>e5742a855b77d5f313552dd379d7bdd05ce6c340</id>
<content type='text'>
commit 4eba7bb1d72d9bde67d810d09bf62dc207b63c5c upstream.

When a multicast group is joined on a socket, a struct ip_mc_socklist
is appended to the sockets mc_list containing information about the
joined group.

If the interface is hot unplugged, this entry becomes stale. Prior to
commit 52ad353a5344f ("igmp: fix the problem when mc leave group") it
was possible to remove the stale entry by performing a
IP_DROP_MEMBERSHIP, passing either the old ifindex or ip address on
the interface. However, this fix enforces that the interface must
still exist. Thus with time, the number of stale entries grows, until
sysctl_igmp_max_memberships is reached and then it is not possible to
join and more groups.

The previous patch fixes an issue where a IP_DROP_MEMBERSHIP is
performed without specifying the interface, either by ifindex or ip
address. However here we do supply one of these. So loosen the
restriction on device existence to only apply when the interface has
not been specified. This then restores the ability to clean up the
stale entries.

Signed-off-by: Andrew Lunn &lt;andrew@lunn.ch&gt;
Fixes: 52ad353a5344f "(igmp: fix the problem when mc leave group")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4eba7bb1d72d9bde67d810d09bf62dc207b63c5c upstream.

When a multicast group is joined on a socket, a struct ip_mc_socklist
is appended to the sockets mc_list containing information about the
joined group.

If the interface is hot unplugged, this entry becomes stale. Prior to
commit 52ad353a5344f ("igmp: fix the problem when mc leave group") it
was possible to remove the stale entry by performing a
IP_DROP_MEMBERSHIP, passing either the old ifindex or ip address on
the interface. However, this fix enforces that the interface must
still exist. Thus with time, the number of stale entries grows, until
sysctl_igmp_max_memberships is reached and then it is not possible to
join and more groups.

The previous patch fixes an issue where a IP_DROP_MEMBERSHIP is
performed without specifying the interface, either by ifindex or ip
address. However here we do supply one of these. So loosen the
restriction on device existence to only apply when the interface has
not been specified. This then restores the ability to clean up the
stale entries.

Signed-off-by: Andrew Lunn &lt;andrew@lunn.ch&gt;
Fixes: 52ad353a5344f "(igmp: fix the problem when mc leave group")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: force GFP_NOIO for socket allocations</title>
<updated>2017-04-07T12:33:55+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2017-03-21T12:44:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=80899b3aee901cd751768315aa73080f428ca417'/>
<id>80899b3aee901cd751768315aa73080f428ca417</id>
<content type='text'>
commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [&lt;ffffffff816dd629&gt;] schedule+0x29/0x70
    [&lt;ffffffff816e066d&gt;] schedule_timeout+0x1bd/0x200
    [&lt;ffffffff81093ffc&gt;] ? ttwu_do_wakeup+0x2c/0x120
    [&lt;ffffffff81094266&gt;] ? ttwu_do_activate.constprop.135+0x66/0x70
    [&lt;ffffffff816deb5f&gt;] wait_for_completion+0xbf/0x180
    [&lt;ffffffff81097cd0&gt;] ? try_to_wake_up+0x390/0x390
    [&lt;ffffffff81086335&gt;] flush_work+0x165/0x250
    [&lt;ffffffff81082940&gt;] ? worker_detach_from_pool+0xd0/0xd0
    [&lt;ffffffffa03b65b1&gt;] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [&lt;ffffffff816d6b42&gt;] ? __slab_free+0xee/0x234
    [&lt;ffffffffa03b4b1d&gt;] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [&lt;ffffffff811adc1e&gt;] ? lookup_page_cgroup_used+0xe/0x30
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03b4dcf&gt;] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03a62c6&gt;] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [&lt;ffffffff810aa250&gt;] ? wake_atomic_t_function+0x40/0x40
    [&lt;ffffffffa039a723&gt;] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa039ac07&gt;] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [&lt;ffffffffa039bb13&gt;] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [&lt;ffffffffa03ab745&gt;] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [&lt;ffffffff811c0c18&gt;] super_cache_scan+0x178/0x180
    [&lt;ffffffff8115912e&gt;] shrink_slab_node+0x14e/0x340
    [&lt;ffffffff811afc3b&gt;] ? mem_cgroup_iter+0x16b/0x450
    [&lt;ffffffff8115af70&gt;] shrink_slab+0x100/0x140
    [&lt;ffffffff8115e425&gt;] do_try_to_free_pages+0x335/0x490
    [&lt;ffffffff8115e7f9&gt;] try_to_free_pages+0xb9/0x1f0
    [&lt;ffffffff816d56e4&gt;] ? __alloc_pages_direct_compact+0x69/0x1be
    [&lt;ffffffff81150cba&gt;] __alloc_pages_nodemask+0x69a/0xb40
    [&lt;ffffffff8119743e&gt;] alloc_pages_current+0x9e/0x110
    [&lt;ffffffff811a0ac5&gt;] new_slab+0x2c5/0x390
    [&lt;ffffffff816d71c4&gt;] __slab_alloc+0x33b/0x459
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff8164bda1&gt;] ? inet_sendmsg+0x71/0xc0
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811a21f2&gt;] kmem_cache_alloc+0x1a2/0x1b0
    [&lt;ffffffff815b906d&gt;] sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811d8566&gt;] alloc_inode+0x26/0xa0
    [&lt;ffffffff811da04a&gt;] new_inode_pseudo+0x1a/0x70
    [&lt;ffffffff815b933e&gt;] sock_alloc+0x1e/0x80
    [&lt;ffffffff815ba855&gt;] __sock_create+0x95/0x220
    [&lt;ffffffff815baa04&gt;] sock_create_kern+0x24/0x30
    [&lt;ffffffffa04794d9&gt;] con_work+0xef9/0x2050 [libceph]
    [&lt;ffffffffa04aa9ec&gt;] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [&lt;ffffffff81084c19&gt;] process_one_work+0x159/0x4f0
    [&lt;ffffffff8108561b&gt;] worker_thread+0x11b/0x530
    [&lt;ffffffff81085500&gt;] ? create_worker+0x1d0/0x1d0
    [&lt;ffffffff8108b6f9&gt;] kthread+0xc9/0xe0
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90
    [&lt;ffffffff816e1b98&gt;] ret_from_fork+0x58/0x90
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov &lt;wintchester@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [&lt;ffffffff816dd629&gt;] schedule+0x29/0x70
    [&lt;ffffffff816e066d&gt;] schedule_timeout+0x1bd/0x200
    [&lt;ffffffff81093ffc&gt;] ? ttwu_do_wakeup+0x2c/0x120
    [&lt;ffffffff81094266&gt;] ? ttwu_do_activate.constprop.135+0x66/0x70
    [&lt;ffffffff816deb5f&gt;] wait_for_completion+0xbf/0x180
    [&lt;ffffffff81097cd0&gt;] ? try_to_wake_up+0x390/0x390
    [&lt;ffffffff81086335&gt;] flush_work+0x165/0x250
    [&lt;ffffffff81082940&gt;] ? worker_detach_from_pool+0xd0/0xd0
    [&lt;ffffffffa03b65b1&gt;] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [&lt;ffffffff816d6b42&gt;] ? __slab_free+0xee/0x234
    [&lt;ffffffffa03b4b1d&gt;] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [&lt;ffffffff811adc1e&gt;] ? lookup_page_cgroup_used+0xe/0x30
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03b4dcf&gt;] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03a62c6&gt;] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [&lt;ffffffff810aa250&gt;] ? wake_atomic_t_function+0x40/0x40
    [&lt;ffffffffa039a723&gt;] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa039ac07&gt;] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [&lt;ffffffffa039bb13&gt;] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [&lt;ffffffffa03ab745&gt;] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [&lt;ffffffff811c0c18&gt;] super_cache_scan+0x178/0x180
    [&lt;ffffffff8115912e&gt;] shrink_slab_node+0x14e/0x340
    [&lt;ffffffff811afc3b&gt;] ? mem_cgroup_iter+0x16b/0x450
    [&lt;ffffffff8115af70&gt;] shrink_slab+0x100/0x140
    [&lt;ffffffff8115e425&gt;] do_try_to_free_pages+0x335/0x490
    [&lt;ffffffff8115e7f9&gt;] try_to_free_pages+0xb9/0x1f0
    [&lt;ffffffff816d56e4&gt;] ? __alloc_pages_direct_compact+0x69/0x1be
    [&lt;ffffffff81150cba&gt;] __alloc_pages_nodemask+0x69a/0xb40
    [&lt;ffffffff8119743e&gt;] alloc_pages_current+0x9e/0x110
    [&lt;ffffffff811a0ac5&gt;] new_slab+0x2c5/0x390
    [&lt;ffffffff816d71c4&gt;] __slab_alloc+0x33b/0x459
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff8164bda1&gt;] ? inet_sendmsg+0x71/0xc0
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811a21f2&gt;] kmem_cache_alloc+0x1a2/0x1b0
    [&lt;ffffffff815b906d&gt;] sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811d8566&gt;] alloc_inode+0x26/0xa0
    [&lt;ffffffff811da04a&gt;] new_inode_pseudo+0x1a/0x70
    [&lt;ffffffff815b933e&gt;] sock_alloc+0x1e/0x80
    [&lt;ffffffff815ba855&gt;] __sock_create+0x95/0x220
    [&lt;ffffffff815baa04&gt;] sock_create_kern+0x24/0x30
    [&lt;ffffffffa04794d9&gt;] con_work+0xef9/0x2050 [libceph]
    [&lt;ffffffffa04aa9ec&gt;] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [&lt;ffffffff81084c19&gt;] process_one_work+0x159/0x4f0
    [&lt;ffffffff8108561b&gt;] worker_thread+0x11b/0x530
    [&lt;ffffffff81085500&gt;] ? create_worker+0x1d0/0x1d0
    [&lt;ffffffff8108b6f9&gt;] kthread+0xc9/0xe0
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90
    [&lt;ffffffff816e1b98&gt;] ret_from_fork+0x58/0x90
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov &lt;wintchester@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder</title>
<updated>2017-04-07T08:59:34+00:00</updated>
<author>
<name>Andy Whitcroft</name>
<email>apw@canonical.com</email>
</author>
<published>2017-03-23T07:45:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b2150972c265d0e477c52d59b7061bdb6889c35'/>
<id>1b2150972c265d0e477c52d59b7061bdb6889c35</id>
<content type='text'>
commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues.  To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft &lt;apw@canonical.com&gt;
Acked-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues.  To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft &lt;apw@canonical.com&gt;
Acked-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window</title>
<updated>2017-04-07T08:59:33+00:00</updated>
<author>
<name>Andy Whitcroft</name>
<email>apw@canonical.com</email>
</author>
<published>2017-03-22T07:29:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be4f4140ab3e8d4142f47c79b0a29f0ec53540b5'/>
<id>be4f4140ab3e8d4142f47c79b0a29f0ec53540b5</id>
<content type='text'>
commit 677e806da4d916052585301785d847c3b3e6186a upstream.

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft &lt;apw@canonical.com&gt;
Acked-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 677e806da4d916052585301785d847c3b3e6186a upstream.

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft &lt;apw@canonical.com&gt;
Acked-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nl80211: fix dumpit error path RTNL deadlocks</title>
<updated>2017-04-07T08:38:27+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2017-03-15T13:26:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a7756258a9f602ee99bf2b329f1010864770dd23'/>
<id>a7756258a9f602ee99bf2b329f1010864770dd23</id>
<content type='text'>
commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.

Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
to be perfectly accurate - there are various error paths that miss unlock
of the RTNL.

To fix those, change the locking a bit to not be conditional in all those
nl80211_prepare_*_dump() functions, but make those require the RTNL to
start with, and fix the buggy error paths. This also let me use sparse
(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
validate the changes.

[js] no mpp and vendor dumps in 3.12 yet

Reported-by: Sowmini Varadhan &lt;sowmini.varadhan@oracle.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.

Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
to be perfectly accurate - there are various error paths that miss unlock
of the RTNL.

To fix those, change the locking a bit to not be conditional in all those
nl80211_prepare_*_dump() functions, but make those require the RTNL to
start with, and fix the buggy error paths. This also let me use sparse
(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
validate the changes.

[js] no mpp and vendor dumps in 3.12 yet

Reported-by: Sowmini Varadhan &lt;sowmini.varadhan@oracle.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: don't set weight to IN when OSD is destroyed</title>
<updated>2017-04-07T07:17:58+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2017-03-01T16:33:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5db1728dca77306e06e341609484cb4746a268f3'/>
<id>5db1728dca77306e06e341609484cb4746a268f3</id>
<content type='text'>
commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.

Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
This changes the result of applying an incremental for clients, not
just OSDs.  Because CRUSH computations are obviously affected,
pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
object placement, resulting in misdirected requests.

Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Link: http://tracker.ceph.com/issues/19122
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.

Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
This changes the result of applying an incremental for clients, not
just OSDs.  Because CRUSH computations are obviously affected,
pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
object placement, resulting in misdirected requests.

Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Link: http://tracker.ceph.com/issues/19122
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: initialize icsk_ack.lrcvtime at session start time</title>
<updated>2017-04-07T07:17:58+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-03-22T15:10:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=111aa29e009f29919d56240054914d2aae2a4d6e'/>
<id>111aa29e009f29919d56240054914d2aae2a4d6e</id>
<content type='text'>
[ Upstream commit 15bb7745e94a665caf42bfaabf0ce062845b533b ]

icsk_ack.lrcvtime has a 0 value at socket creation time.

tcpi_last_data_recv can have bogus value if no payload is ever received.

This patch initializes icsk_ack.lrcvtime for active sessions
in tcp_finish_connect(), and for passive sessions in
tcp_create_openreq_child()

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 15bb7745e94a665caf42bfaabf0ce062845b533b ]

icsk_ack.lrcvtime has a 0 value at socket creation time.

tcpi_last_data_recv can have bogus value if no payload is ever received.

This patch initializes icsk_ack.lrcvtime for active sessions
in tcp_finish_connect(), and for passive sessions in
tcp_create_openreq_child()

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: provide stronger user input validation in nl_fib_input()</title>
<updated>2017-04-07T07:17:57+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-03-22T02:22:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=083b7de74780d65dfdd6f448288489464fa2da40'/>
<id>083b7de74780d65dfdd6f448288489464fa2da40</id>
<content type='text'>
[ Upstream commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]

Alexander reported a KMSAN splat caused by reads of uninitialized
field (tb_id_in) from user provided struct fib_result_nl

It turns out nl_fib_input() sanity tests on user input is a bit
wrong :

User can pretend nlh-&gt;nlmsg_len is big enough, but provide
at sendmsg() time a too small buffer.

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]

Alexander reported a KMSAN splat caused by reads of uninitialized
field (tb_id_in) from user provided struct fib_result_nl

It turns out nl_fib_input() sanity tests on user input is a bit
wrong :

User can pretend nlh-&gt;nlmsg_len is big enough, but provide
at sendmsg() time a too small buffer.

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: unix: properly re-increment inflight counter of GC discarded candidates</title>
<updated>2017-04-07T07:17:55+00:00</updated>
<author>
<name>Andrey Ulanov</name>
<email>andreyu@google.com</email>
</author>
<published>2017-03-15T03:16:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c2c0754bf36ebafedf95fcffa7e7f1ab93740955'/>
<id>c2c0754bf36ebafedf95fcffa7e7f1ab93740955</id>
<content type='text'>
[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]

Dmitry has reported that a BUG_ON() condition in unix_notinflight()
may be triggered by a simple code that forwards unix socket in an
SCM_RIGHTS message.
That is caused by incorrect unix socket GC implementation in unix_gc().

The GC first collects list of candidates, then (a) decrements their
"children's" inflight counter, (b) checks which inflight counters are
now 0, and then (c) increments all inflight counters back.
(a) and (c) are done by calling scan_children() with inc_inflight or
dec_inflight as the second argument.

Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
collector") changed scan_children() such that it no longer considers
sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
of code that that unsets this flag _before_ invoking
scan_children(, dec_iflight, ). This may lead to incorrect inflight
counters for some sockets.

This change fixes this bug by changing order of operations:
UNIX_GC_CANDIDATE is now unset only after all inflight counters are
restored to the original state.

  kernel BUG at net/unix/garbage.c:149!
  RIP: 0010:[&lt;ffffffff8717ebf4&gt;]  [&lt;ffffffff8717ebf4&gt;]
  unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
  Call Trace:
   [&lt;ffffffff8716cfbf&gt;] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
   [&lt;ffffffff8716f6a9&gt;] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
   [&lt;ffffffff86a90a01&gt;] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
   [&lt;ffffffff86a9808a&gt;] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
   [&lt;ffffffff86a980ea&gt;] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
   [&lt;ffffffff86a98284&gt;] kfree_skb+0x184/0x570 net/core/skbuff.c:705
   [&lt;ffffffff871789d5&gt;] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
   [&lt;ffffffff87179039&gt;] unix_release+0x49/0x90 net/unix/af_unix.c:836
   [&lt;ffffffff86a694b2&gt;] sock_release+0x92/0x1f0 net/socket.c:570
   [&lt;ffffffff86a6962b&gt;] sock_close+0x1b/0x20 net/socket.c:1017
   [&lt;ffffffff81a76b8e&gt;] __fput+0x34e/0x910 fs/file_table.c:208
   [&lt;ffffffff81a771da&gt;] ____fput+0x1a/0x20 fs/file_table.c:244
   [&lt;ffffffff81483ab0&gt;] task_work_run+0x1a0/0x280 kernel/task_work.c:116
   [&lt;     inline     &gt;] exit_task_work include/linux/task_work.h:21
   [&lt;ffffffff8141287a&gt;] do_exit+0x183a/0x2640 kernel/exit.c:828
   [&lt;ffffffff8141383e&gt;] do_group_exit+0x14e/0x420 kernel/exit.c:931
   [&lt;ffffffff814429d3&gt;] get_signal+0x663/0x1880 kernel/signal.c:2307
   [&lt;ffffffff81239b45&gt;] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
   [&lt;ffffffff8100666a&gt;] exit_to_usermode_loop+0x1ea/0x2d0
  arch/x86/entry/common.c:156
   [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
   [&lt;ffffffff81009693&gt;] syscall_return_slowpath+0x4d3/0x570
  arch/x86/entry/common.c:259
   [&lt;ffffffff881478e6&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6

Link: https://lkml.org/lkml/2017/3/6/252
Signed-off-by: Andrey Ulanov &lt;andreyu@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]

Dmitry has reported that a BUG_ON() condition in unix_notinflight()
may be triggered by a simple code that forwards unix socket in an
SCM_RIGHTS message.
That is caused by incorrect unix socket GC implementation in unix_gc().

The GC first collects list of candidates, then (a) decrements their
"children's" inflight counter, (b) checks which inflight counters are
now 0, and then (c) increments all inflight counters back.
(a) and (c) are done by calling scan_children() with inc_inflight or
dec_inflight as the second argument.

Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
collector") changed scan_children() such that it no longer considers
sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
of code that that unsets this flag _before_ invoking
scan_children(, dec_iflight, ). This may lead to incorrect inflight
counters for some sockets.

This change fixes this bug by changing order of operations:
UNIX_GC_CANDIDATE is now unset only after all inflight counters are
restored to the original state.

  kernel BUG at net/unix/garbage.c:149!
  RIP: 0010:[&lt;ffffffff8717ebf4&gt;]  [&lt;ffffffff8717ebf4&gt;]
  unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
  Call Trace:
   [&lt;ffffffff8716cfbf&gt;] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
   [&lt;ffffffff8716f6a9&gt;] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
   [&lt;ffffffff86a90a01&gt;] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
   [&lt;ffffffff86a9808a&gt;] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
   [&lt;ffffffff86a980ea&gt;] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
   [&lt;ffffffff86a98284&gt;] kfree_skb+0x184/0x570 net/core/skbuff.c:705
   [&lt;ffffffff871789d5&gt;] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
   [&lt;ffffffff87179039&gt;] unix_release+0x49/0x90 net/unix/af_unix.c:836
   [&lt;ffffffff86a694b2&gt;] sock_release+0x92/0x1f0 net/socket.c:570
   [&lt;ffffffff86a6962b&gt;] sock_close+0x1b/0x20 net/socket.c:1017
   [&lt;ffffffff81a76b8e&gt;] __fput+0x34e/0x910 fs/file_table.c:208
   [&lt;ffffffff81a771da&gt;] ____fput+0x1a/0x20 fs/file_table.c:244
   [&lt;ffffffff81483ab0&gt;] task_work_run+0x1a0/0x280 kernel/task_work.c:116
   [&lt;     inline     &gt;] exit_task_work include/linux/task_work.h:21
   [&lt;ffffffff8141287a&gt;] do_exit+0x183a/0x2640 kernel/exit.c:828
   [&lt;ffffffff8141383e&gt;] do_group_exit+0x14e/0x420 kernel/exit.c:931
   [&lt;ffffffff814429d3&gt;] get_signal+0x663/0x1880 kernel/signal.c:2307
   [&lt;ffffffff81239b45&gt;] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
   [&lt;ffffffff8100666a&gt;] exit_to_usermode_loop+0x1ea/0x2d0
  arch/x86/entry/common.c:156
   [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
   [&lt;ffffffff81009693&gt;] syscall_return_slowpath+0x4d3/0x570
  arch/x86/entry/common.c:259
   [&lt;ffffffff881478e6&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6

Link: https://lkml.org/lkml/2017/3/6/252
Signed-off-by: Andrey Ulanov &lt;andreyu@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: properly release sk_frag.page</title>
<updated>2017-04-07T07:17:54+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-03-15T20:21:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e2d987feb108a136a769ca6722793b7cf5904940'/>
<id>e2d987feb108a136a769ca6722793b7cf5904940</id>
<content type='text'>
[ Upstream commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]

I mistakenly added the code to release sk-&gt;sk_frag in
sk_common_release() instead of sk_destruct()

TCP sockets using sk-&gt;sk_allocation == GFP_ATOMIC do no call
sk_common_release() at close time, thus leaking one (order-3) page.

iSCSI is using such sockets.

Fixes: 5640f7685831 ("net: use a per task frag allocator")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]

I mistakenly added the code to release sk-&gt;sk_frag in
sk_common_release() instead of sk_destruct()

TCP sockets using sk-&gt;sk_allocation == GFP_ATOMIC do no call
sk_common_release() at close time, thus leaking one (order-3) page.

iSCSI is using such sockets.

Fixes: 5640f7685831 ("net: use a per task frag allocator")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
