<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.13.6</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>SUNRPC: Ensure that gss_auth isn't freed before its upcall messages</title>
<updated>2014-03-07T06:06:20+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2014-02-16T17:14:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=620ec68c41ae63b88b8671e2032c60bfc5f9f612'/>
<id>620ec68c41ae63b88b8671e2032c60bfc5f9f612</id>
<content type='text'>
commit 9eb2ddb48ce3a7bd745c14a933112994647fa3cd upstream.

Fix a race in which the RPC client is shutting down while the
gss daemon is processing a downcall. If the RPC client manages to
shut down before the gss daemon is done, then the struct gss_auth
used in gss_release_msg() may have already been freed.

Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
Reported-by: John &lt;da_audiophile@yahoo.com&gt;
Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9eb2ddb48ce3a7bd745c14a933112994647fa3cd upstream.

Fix a race in which the RPC client is shutting down while the
gss daemon is processing a downcall. If the RPC client manages to
shut down before the gss daemon is done, then the struct gss_auth
used in gss_release_msg() may have already been freed.

Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
Reported-by: John &lt;da_audiophile@yahoo.com&gt;
Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Fix races in xs_nospace()</title>
<updated>2014-03-07T06:06:20+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2014-02-11T14:15:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a57401ef4a206089f2e075be65ca55b21c3ae209'/>
<id>a57401ef4a206089f2e075be65ca55b21c3ae209</id>
<content type='text'>
commit 06ea0bfe6e6043cb56a78935a19f6f8ebc636226 upstream.

When a send failure occurs due to the socket being out of buffer space,
we call xs_nospace() in order to have the RPC task wait until the
socket has drained enough to make it worth while trying again.
The current patch fixes a race in which the socket is drained before
we get round to setting up the machinery in xs_nospace(), and which
is reported to cause hangs.

Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown
Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...)
Reported-by: Neil Brown &lt;neilb@suse.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 06ea0bfe6e6043cb56a78935a19f6f8ebc636226 upstream.

When a send failure occurs due to the socket being out of buffer space,
we call xs_nospace() in order to have the RPC task wait until the
socket has drained enough to make it worth while trying again.
The current patch fixes a race in which the socket is drained before
we get round to setting up the machinery in xs_nospace(), and which
is reported to cause hangs.

Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown
Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...)
Reported-by: Neil Brown &lt;neilb@suse.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: fix potential kernel paging error for unicast transmissions</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@meshcoding.com</email>
</author>
<published>2014-02-15T20:50:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=944734c3d3554e6776f7c5a570abb572492e3988'/>
<id>944734c3d3554e6776f7c5a570abb572492e3988</id>
<content type='text'>
[ Upstream commit 70b271a78beba787155d6696aacd7c4d4a251c50 ]

batadv_send_skb_prepare_unicast(_4addr) might reallocate the
skb's data. If it does then our ethhdr pointer is not valid
anymore in batadv_send_skb_unicast(), resulting in a kernel
paging error.

Fixing this by refetching the ethhdr pointer after the
potential reallocation.

Signed-off-by: Linus Lüssing &lt;linus.luessing@web.de&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 70b271a78beba787155d6696aacd7c4d4a251c50 ]

batadv_send_skb_prepare_unicast(_4addr) might reallocate the
skb's data. If it does then our ethhdr pointer is not valid
anymore in batadv_send_skb_unicast(), resulting in a kernel
paging error.

Fixing this by refetching the ethhdr pointer after the
potential reallocation.

Signed-off-by: Linus Lüssing &lt;linus.luessing@web.de&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: avoid double free when orig_node initialization fails</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@meshcoding.com</email>
</author>
<published>2014-02-15T01:17:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3bf167762750638933cfbca080e46fdc00374b11'/>
<id>3bf167762750638933cfbca080e46fdc00374b11</id>
<content type='text'>
[ Upstream commit a5a5cb8cab526af2f6cbe9715f8ca843192f0d81 ]

In the failure path of the orig_node initialization routine
the orig_node-&gt;bat_iv.bcast_own field is free'd twice: first
in batadv_iv_ogm_orig_get() and then later in
batadv_orig_node_free_rcu().

Fix it by removing the kfree in batadv_iv_ogm_orig_get().

Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a5a5cb8cab526af2f6cbe9715f8ca843192f0d81 ]

In the failure path of the orig_node initialization routine
the orig_node-&gt;bat_iv.bcast_own field is free'd twice: first
in batadv_iv_ogm_orig_get() and then later in
batadv_orig_node_free_rcu().

Fix it by removing the kfree in batadv_iv_ogm_orig_get().

Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: free skb on TVLV parsing success</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@open-mesh.com</email>
</author>
<published>2014-02-11T16:05:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d74be7ef96bd38e40a3b19f431fc0e696249bed8'/>
<id>d74be7ef96bd38e40a3b19f431fc0e696249bed8</id>
<content type='text'>
[ Upstream commit 05c3c8a636aa9ee35ce13f65afc5b665615cc786 ]

When the TVLV parsing routine succeed the skb is left
untouched thus leading to a memory leak.

Fix this by consuming the skb in case of success.

Introduced by ef26157747d42254453f6b3ac2bd8bd3c53339c3
("batman-adv: tvlv - basic infrastructure")

Reported-by: Russel Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Tested-by: Russell Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 05c3c8a636aa9ee35ce13f65afc5b665615cc786 ]

When the TVLV parsing routine succeed the skb is left
untouched thus leading to a memory leak.

Fix this by consuming the skb in case of success.

Introduced by ef26157747d42254453f6b3ac2bd8bd3c53339c3
("batman-adv: tvlv - basic infrastructure")

Reported-by: Russel Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Tested-by: Russell Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: fix TT CRC computation by ensuring byte order</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@open-mesh.com</email>
</author>
<published>2014-02-11T16:05:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=176890fa4f29c7dbbbe6a6d5eb761d8c064c1efa'/>
<id>176890fa4f29c7dbbbe6a6d5eb761d8c064c1efa</id>
<content type='text'>
[ Upstream commit a30e22ca8464c2dc573e0144a972221c2f06c2cd ]

When computing the CRC on a 2byte variable the order of
the bytes obviously alters the final result. This means
that computing the CRC over the same value on two archs
having different endianess leads to different numbers.

The global and local translation table CRC computation
routine makes this mistake while processing the clients
VIDs. The result is a continuous CRC mismatching between
nodes having different endianess.

Fix this by converting the VID to Network Order before
processing it. This guarantees that every node uses the same
byte order.

Introduced by 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b
("batman-adv: make the TT CRC logic VLAN specific")

Reported-by: Russel Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Tested-by: Russell Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a30e22ca8464c2dc573e0144a972221c2f06c2cd ]

When computing the CRC on a 2byte variable the order of
the bytes obviously alters the final result. This means
that computing the CRC over the same value on two archs
having different endianess leads to different numbers.

The global and local translation table CRC computation
routine makes this mistake while processing the clients
VIDs. The result is a continuous CRC mismatching between
nodes having different endianess.

Fix this by converting the VID to Network Order before
processing it. This guarantees that every node uses the same
byte order.

Introduced by 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b
("batman-adv: make the TT CRC logic VLAN specific")

Reported-by: Russel Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Tested-by: Russell Senior &lt;russell@personaltelco.net&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: fix potential orig_node reference leak</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Simon Wunderlich</name>
<email>sw@simonwunderlich.de</email>
</author>
<published>2014-02-08T15:45:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=456252dff8921cbd59a6ccd88016d49130d974ba'/>
<id>456252dff8921cbd59a6ccd88016d49130d974ba</id>
<content type='text'>
[ Upstream commit b2262df7fcf2c395eca564df83238e931d88d7bf ]

Since batadv_orig_node_new() sets the refcount to two, assuming that
the calling function will use a reference for putting the orig_node into
a hash or similar, both references must be freed if initialization of
the orig_node fails. Otherwise that object may be leaked in that error
case.

Reported-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Simon Wunderlich &lt;sw@simonwunderlich.de&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b2262df7fcf2c395eca564df83238e931d88d7bf ]

Since batadv_orig_node_new() sets the refcount to two, assuming that
the calling function will use a reference for putting the orig_node into
a hash or similar, both references must be freed if initialization of
the orig_node fails. Otherwise that object may be leaked in that error
case.

Reported-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Simon Wunderlich &lt;sw@simonwunderlich.de&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: avoid potential race condition when adding a new neighbour</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@open-mesh.com</email>
</author>
<published>2014-01-29T10:25:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=45756c3dfa56ecc4a1f813d1051d9944f538153d'/>
<id>45756c3dfa56ecc4a1f813d1051d9944f538153d</id>
<content type='text'>
[ Upstream commit 08bf0ed29c7ded45c477d08618220dd200c3524a ]

When adding a new neighbour it is important to atomically
perform the following:
- check if the neighbour already exists
- append the neighbour to the proper list

If the two operations are not performed in an atomic context
it is possible that two concurrent insertions add the same
neighbour twice.

Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 08bf0ed29c7ded45c477d08618220dd200c3524a ]

When adding a new neighbour it is important to atomically
perform the following:
- check if the neighbour already exists
- append the neighbour to the proper list

If the two operations are not performed in an atomic context
it is possible that two concurrent insertions add the same
neighbour twice.

Signed-off-by: Antonio Quartulli &lt;antonio@open-mesh.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: properly check pskb_may_pull return value</title>
<updated>2014-03-07T06:06:16+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@meshcoding.com</email>
</author>
<published>2014-01-29T23:12:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7a2f20aab51e33ee083d5f285275dc8b54f74be4'/>
<id>7a2f20aab51e33ee083d5f285275dc8b54f74be4</id>
<content type='text'>
[ Upstream commit f1791425cf0bcda43ab9a9a37df1ad3ccb1f6654 ]

pskb_may_pull() returns 1 on success and 0 in case of failure,
therefore checking for the return value being negative does
not make sense at all.

This way if the function fails we will probably read beyond the current
skb data buffer. Fix this by doing the proper check.

Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f1791425cf0bcda43ab9a9a37df1ad3ccb1f6654 ]

pskb_may_pull() returns 1 on success and 0 in case of failure,
therefore checking for the return value being negative does
not make sense at all.

This way if the function fails we will probably read beyond the current
skb data buffer. Fix this by doing the proper check.

Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>batman-adv: release vlan object after checking the CRC</title>
<updated>2014-03-07T06:06:15+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@meshcoding.com</email>
</author>
<published>2014-01-28T01:06:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b6cd79c3db913215ab2f162e58155527895d7f68'/>
<id>b6cd79c3db913215ab2f162e58155527895d7f68</id>
<content type='text'>
[ Upstream commit 91c2b1a9f680ff105369d49abc7e19ca7efb33e1 ]

There is a refcounter unbalance in the CRC checking routine
invoked on OGM reception. A vlan object is retrieved (thus
its refcounter is increased by one) but it is never properly
released. This leads to a memleak because the vlan object
will never be free'd.

Fix this by releasing the vlan object after having read the
CRC.

Reported-by: Russell Senior &lt;russell@personaltelco.net&gt;
Reported-by: Daniel &lt;daniel@makrotopia.org&gt;
Reported-by: cmsv &lt;cmsv@wirelesspt.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 91c2b1a9f680ff105369d49abc7e19ca7efb33e1 ]

There is a refcounter unbalance in the CRC checking routine
invoked on OGM reception. A vlan object is retrieved (thus
its refcounter is increased by one) but it is never properly
released. This leads to a memleak because the vlan object
will never be free'd.

Fix this by releasing the vlan object after having read the
CRC.

Reported-by: Russell Senior &lt;russell@personaltelco.net&gt;
Reported-by: Daniel &lt;daniel@makrotopia.org&gt;
Reported-by: cmsv &lt;cmsv@wirelesspt.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@meshcoding.com&gt;
Signed-off-by: Marek Lindner &lt;mareklindner@neomailbox.ch&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
