<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.18.5</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipvs: uninitialized data with IP_VS_IPV6</title>
<updated>2015-01-30T01:40:46+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2014-12-06T13:49:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=34be58049a912ddde6c9f8827b556935e2ac51a6'/>
<id>34be58049a912ddde6c9f8827b556935e2ac51a6</id>
<content type='text'>
commit 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f upstream.

The app_tcp_pkt_out() function expects "*diff" to be set and ends up
using uninitialized data if CONFIG_IP_VS_IPV6 is turned on.

The same issue is there in app_tcp_pkt_in().  Thanks to Julian Anastasov
for noticing that.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3b05ac3824ed9648c0d9c02d51d9b54e4e7e874f upstream.

The app_tcp_pkt_out() function expects "*diff" to be set and ends up
using uninitialized data if CONFIG_IP_VS_IPV6 is turned on.

The same issue is there in app_tcp_pkt_in().  Thanks to Julian Anastasov
for noticing that.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: conntrack: fix race between confirmation and flush</title>
<updated>2015-01-30T01:40:46+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-11-24T23:14:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4270214a955aa60b1547391870b003e15f21b220'/>
<id>4270214a955aa60b1547391870b003e15f21b220</id>
<content type='text'>
commit 8ca3f5e974f2b4b7f711589f4abff920db36637a upstream.

Commit 5195c14c8b27c ("netfilter: conntrack: fix race in
__nf_conntrack_confirm against get_next_corpse") aimed to resolve the
race condition between the confirmation (packet path) and the flush
command (from control plane). However, it introduced a crash when
several packets race to add a new conntrack, which seems easier to
reproduce when nf_queue is in place.

Fix this race, in __nf_conntrack_confirm(), by removing the CT
from unconfirmed list before checking the DYING bit. In case
race occured, re-add the CT to the dying list

This patch also changes the verdict from NF_ACCEPT to NF_DROP when
we lose race. Basically, the confirmation happens for the first packet
that we see in a flow. If you just invoked conntrack -F once (which
should be the common case), then this is likely to be the first packet
of the flow (unless you already called flush anytime soon in the past).
This should be hard to trigger, but better drop this packet, otherwise
we leave things in inconsistent state since the destination will likely
reply to this packet, but it will find no conntrack, unless the origin
retransmits.

The change of the verdict has been discussed in:
https://www.marc.info/?l=linux-netdev&amp;m=141588039530056&amp;w=2

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8ca3f5e974f2b4b7f711589f4abff920db36637a upstream.

Commit 5195c14c8b27c ("netfilter: conntrack: fix race in
__nf_conntrack_confirm against get_next_corpse") aimed to resolve the
race condition between the confirmation (packet path) and the flush
command (from control plane). However, it introduced a crash when
several packets race to add a new conntrack, which seems easier to
reproduce when nf_queue is in place.

Fix this race, in __nf_conntrack_confirm(), by removing the CT
from unconfirmed list before checking the DYING bit. In case
race occured, re-add the CT to the dying list

This patch also changes the verdict from NF_ACCEPT to NF_DROP when
we lose race. Basically, the confirmation happens for the first packet
that we see in a flow. If you just invoked conntrack -F once (which
should be the common case), then this is likely to be the first packet
of the flow (unless you already called flush anytime soon in the past).
This should be hard to trigger, but better drop this packet, otherwise
we leave things in inconsistent state since the destination will likely
reply to this packet, but it will find no conntrack, unless the origin
retransmits.

The change of the verdict has been discussed in:
https://www.marc.info/?l=linux-netdev&amp;m=141588039530056&amp;w=2

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nfnetlink: relax strict multicast group check from netlink_bind</title>
<updated>2015-01-30T01:40:46+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2015-01-04T14:20:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9eed1585b50df5c909579c43637bda2d088019ee'/>
<id>9eed1585b50df5c909579c43637bda2d088019ee</id>
<content type='text'>
commit 62924af247e95de7041a6d6f2d06cdd05152e2dc upstream.

Relax the checking that was introduced in 97840cb ("netfilter:
nfnetlink: fix insufficient validation in nfnetlink_bind") when the
subscription bitmask is used. Existing userspace code code may request
to listen to all of the existing netlink groups by setting an all to one
subscription group bitmask. Netlink already validates subscription via
setsockopt() for us.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 62924af247e95de7041a6d6f2d06cdd05152e2dc upstream.

Relax the checking that was introduced in 97840cb ("netfilter:
nfnetlink: fix insufficient validation in nfnetlink_bind") when the
subscription bitmask is used. Existing userspace code code may request
to listen to all of the existing netlink groups by setting an all to one
subscription group bitmask. Netlink already validates subscription via
setsockopt() for us.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_tables: fix flush ruleset chain dependencies</title>
<updated>2015-01-30T01:40:46+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2015-01-04T14:14:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=436322eeda54e4c8ebb09c7a293dc169afeabb7a'/>
<id>436322eeda54e4c8ebb09c7a293dc169afeabb7a</id>
<content type='text'>
commit a2f18db0c68fec96631c10cad9384c196e9008ac upstream.

Jumping between chains doesn't mix well with flush ruleset. Rules
from a different chain and set elements may still refer to us.

[  353.373791] ------------[ cut here ]------------
[  353.373845] kernel BUG at net/netfilter/nf_tables_api.c:1159!
[  353.373896] invalid opcode: 0000 [#1] SMP
[  353.373942] Modules linked in: intel_powerclamp uas iwldvm iwlwifi
[  353.374017] CPU: 0 PID: 6445 Comm: 31c3.nft Not tainted 3.18.0 #98
[  353.374069] Hardware name: LENOVO 5129CTO/5129CTO, BIOS 6QET47WW (1.17 ) 07/14/2010
[...]
[  353.375018] Call Trace:
[  353.375046]  [&lt;ffffffff81964c31&gt;] ? nf_tables_commit+0x381/0x540
[  353.375101]  [&lt;ffffffff81949118&gt;] nfnetlink_rcv+0x3d8/0x4b0
[  353.375150]  [&lt;ffffffff81943fc5&gt;] netlink_unicast+0x105/0x1a0
[  353.375200]  [&lt;ffffffff8194438e&gt;] netlink_sendmsg+0x32e/0x790
[  353.375253]  [&lt;ffffffff818f398e&gt;] sock_sendmsg+0x8e/0xc0
[  353.375300]  [&lt;ffffffff818f36b9&gt;] ? move_addr_to_kernel.part.20+0x19/0x70
[  353.375357]  [&lt;ffffffff818f44f9&gt;] ? move_addr_to_kernel+0x19/0x30
[  353.375410]  [&lt;ffffffff819016d2&gt;] ? verify_iovec+0x42/0xd0
[  353.375459]  [&lt;ffffffff818f3e10&gt;] ___sys_sendmsg+0x3f0/0x400
[  353.375510]  [&lt;ffffffff810615fa&gt;] ? native_sched_clock+0x2a/0x90
[  353.375563]  [&lt;ffffffff81176697&gt;] ? acct_account_cputime+0x17/0x20
[  353.375616]  [&lt;ffffffff8110dc78&gt;] ? account_user_time+0x88/0xa0
[  353.375667]  [&lt;ffffffff818f4bbd&gt;] __sys_sendmsg+0x3d/0x80
[  353.375719]  [&lt;ffffffff81b184f4&gt;] ? int_check_syscall_exit_work+0x34/0x3d
[  353.375776]  [&lt;ffffffff818f4c0d&gt;] SyS_sendmsg+0xd/0x20
[  353.375823]  [&lt;ffffffff81b1826d&gt;] system_call_fastpath+0x16/0x1b

Release objects in this order: rules -&gt; sets -&gt; chains -&gt; tables, to
make sure no references to chains are held anymore.

Reported-by: Asbjoern Sloth Toennesen &lt;asbjorn@asbjorn.biz&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a2f18db0c68fec96631c10cad9384c196e9008ac upstream.

Jumping between chains doesn't mix well with flush ruleset. Rules
from a different chain and set elements may still refer to us.

[  353.373791] ------------[ cut here ]------------
[  353.373845] kernel BUG at net/netfilter/nf_tables_api.c:1159!
[  353.373896] invalid opcode: 0000 [#1] SMP
[  353.373942] Modules linked in: intel_powerclamp uas iwldvm iwlwifi
[  353.374017] CPU: 0 PID: 6445 Comm: 31c3.nft Not tainted 3.18.0 #98
[  353.374069] Hardware name: LENOVO 5129CTO/5129CTO, BIOS 6QET47WW (1.17 ) 07/14/2010
[...]
[  353.375018] Call Trace:
[  353.375046]  [&lt;ffffffff81964c31&gt;] ? nf_tables_commit+0x381/0x540
[  353.375101]  [&lt;ffffffff81949118&gt;] nfnetlink_rcv+0x3d8/0x4b0
[  353.375150]  [&lt;ffffffff81943fc5&gt;] netlink_unicast+0x105/0x1a0
[  353.375200]  [&lt;ffffffff8194438e&gt;] netlink_sendmsg+0x32e/0x790
[  353.375253]  [&lt;ffffffff818f398e&gt;] sock_sendmsg+0x8e/0xc0
[  353.375300]  [&lt;ffffffff818f36b9&gt;] ? move_addr_to_kernel.part.20+0x19/0x70
[  353.375357]  [&lt;ffffffff818f44f9&gt;] ? move_addr_to_kernel+0x19/0x30
[  353.375410]  [&lt;ffffffff819016d2&gt;] ? verify_iovec+0x42/0xd0
[  353.375459]  [&lt;ffffffff818f3e10&gt;] ___sys_sendmsg+0x3f0/0x400
[  353.375510]  [&lt;ffffffff810615fa&gt;] ? native_sched_clock+0x2a/0x90
[  353.375563]  [&lt;ffffffff81176697&gt;] ? acct_account_cputime+0x17/0x20
[  353.375616]  [&lt;ffffffff8110dc78&gt;] ? account_user_time+0x88/0xa0
[  353.375667]  [&lt;ffffffff818f4bbd&gt;] __sys_sendmsg+0x3d/0x80
[  353.375719]  [&lt;ffffffff81b184f4&gt;] ? int_check_syscall_exit_work+0x34/0x3d
[  353.375776]  [&lt;ffffffff818f4c0d&gt;] SyS_sendmsg+0xd/0x20
[  353.375823]  [&lt;ffffffff81b1826d&gt;] system_call_fastpath+0x16/0x1b

Release objects in this order: rules -&gt; sets -&gt; chains -&gt; tables, to
make sure no references to chains are held anymore.

Reported-by: Asbjoern Sloth Toennesen &lt;asbjorn@asbjorn.biz&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nfnetlink: validate nfnetlink header from batch</title>
<updated>2015-01-30T01:40:46+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2015-01-04T14:20:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7266a6b028384bec87fe23128266f00589580f74'/>
<id>7266a6b028384bec87fe23128266f00589580f74</id>
<content type='text'>
commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream.

Make sure there is enough room for the nfnetlink header in the
netlink messages that are part of the batch. There is a similar
check in netlink_rcv_skb().

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream.

Make sure there is enough room for the nfnetlink header in the
netlink messages that are part of the batch. There is a similar
check in netlink_rcv_skb().

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: Fix 160 MHz channels with 80+80 and 160 MHz drivers</title>
<updated>2015-01-27T16:29:36+00:00</updated>
<author>
<name>Jouni Malinen</name>
<email>jouni@qca.qualcomm.com</email>
</author>
<published>2014-12-11T21:48:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fff824488bc9831fd9eadf4b748f43416d13cdeb'/>
<id>fff824488bc9831fd9eadf4b748f43416d13cdeb</id>
<content type='text'>
commit 08f6f147773b23b765b94633a8eaa82e7defcf4c upstream.

The VHT supported channel width field is a two bit integer, not a
bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and
ended up rejecting 160 MHz channel width if the driver indicated support
for both 160 and 80+80 MHz channels.

Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration")
       (however, no real drivers had 160 MHz support it until 3.16)
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 08f6f147773b23b765b94633a8eaa82e7defcf4c upstream.

The VHT supported channel width field is a two bit integer, not a
bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and
ended up rejecting 160 MHz channel width if the driver indicated support
for both 160 and 80+80 MHz channels.

Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration")
       (however, no real drivers had 160 MHz support it until 3.16)
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: avoid mem leak on driver hint set</title>
<updated>2015-01-27T16:29:36+00:00</updated>
<author>
<name>Arik Nemtsov</name>
<email>arik@wizery.com</email>
</author>
<published>2014-12-04T10:22:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a7b2c7ffae7c8a48a2064adfea0eecfadc042b08'/>
<id>a7b2c7ffae7c8a48a2064adfea0eecfadc042b08</id>
<content type='text'>
commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.

In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

Signed-off-by: Arik Nemtsov &lt;arikx.nemtsov@intel.com&gt;
Acked-by: Luis R. Rodriguez &lt;mcgrof@suse.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.

In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

Signed-off-by: Arik Nemtsov &lt;arikx.nemtsov@intel.com&gt;
Acked-by: Luis R. Rodriguez &lt;mcgrof@suse.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: don't WARN about two consecutive Country IE hint</title>
<updated>2015-01-27T16:29:36+00:00</updated>
<author>
<name>Emmanuel Grumbach</name>
<email>emmanuel.grumbach@intel.com</email>
</author>
<published>2014-12-02T07:53:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a57c26d6410712a5b4ed42d961284d2204b4a7c'/>
<id>0a57c26d6410712a5b4ed42d961284d2204b4a7c</id>
<content type='text'>
commit 70dcec5a488a7b81779190ac8089475fe4b8b962 upstream.

This can happen and there is no point in added more
detection code lower in the stack. Catching these in one
single point (cfg80211) is enough. Stop WARNING about this
case.

This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=89001

Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first")
Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 70dcec5a488a7b81779190ac8089475fe4b8b962 upstream.

This can happen and there is no point in added more
detection code lower in the stack. Catching these in one
single point (cfg80211) is enough. Stop WARNING about this
case.

This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=89001

Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first")
Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nl80211: check matches array length before acessing it</title>
<updated>2015-01-27T16:29:36+00:00</updated>
<author>
<name>Luciano Coelho</name>
<email>luciano.coelho@intel.com</email>
</author>
<published>2014-12-01T09:32:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=65a39b355999b72e9cd325de29870a39cc3c3686'/>
<id>65a39b355999b72e9cd325de29870a39cc3c3686</id>
<content type='text'>
commit f89f46cf3a23d8d7c98f924a461fd931e1331746 upstream.

If the userspace passes a malformed sched scan request (or a net
detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
attribute without any nested matchsets, a NULL pointer dereference
will occur.  Fix this by checking that we do have matchsets in our
array before trying to access it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
IP: [&lt;ffffffffa002fd69&gt;] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
PGD 865c067 PUD 865b067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
CPU: 2 PID: 2442 Comm: iw Tainted: G           O   3.17.2 #31
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
RIP: 0010:[&lt;ffffffffa002fd69&gt;]  [&lt;ffffffffa002fd69&gt;] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
RSP: 0018:ffff880008d838d0  EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
FS:  00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
Stack:
 ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
Call Trace:
 [&lt;ffffffff814689c9&gt;] ? nla_parse+0xb9/0x120
 [&lt;ffffffffa00306de&gt;] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
 [&lt;ffffffff810bf3d5&gt;] ? mark_held_locks+0x75/0xa0
 [&lt;ffffffff8161a77b&gt;] genl_family_rcv_msg+0x18b/0x360
 [&lt;ffffffff810bf66d&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff8161a9d4&gt;] genl_rcv_msg+0x84/0xc0
 [&lt;ffffffff8161a950&gt;] ? genl_family_rcv_msg+0x360/0x360
 [&lt;ffffffff81618e79&gt;] netlink_rcv_skb+0xa9/0xd0
 [&lt;ffffffff81619458&gt;] genl_rcv+0x28/0x40
 [&lt;ffffffff816184a5&gt;] netlink_unicast+0x105/0x180
 [&lt;ffffffff8161886f&gt;] netlink_sendmsg+0x34f/0x7a0
 [&lt;ffffffff8105a097&gt;] ? kvm_clock_read+0x27/0x40
 [&lt;ffffffff815c644d&gt;] sock_sendmsg+0x8d/0xc0
 [&lt;ffffffff811a75c9&gt;] ? might_fault+0xb9/0xc0
 [&lt;ffffffff811a756e&gt;] ? might_fault+0x5e/0xc0
 [&lt;ffffffff815d5d26&gt;] ? verify_iovec+0x56/0xe0
 [&lt;ffffffff815c73e0&gt;] ___sys_sendmsg+0x3d0/0x3e0
 [&lt;ffffffff810a7be8&gt;] ? sched_clock_cpu+0x98/0xd0
 [&lt;ffffffff810611b4&gt;] ? __do_page_fault+0x254/0x580
 [&lt;ffffffff810bb39f&gt;] ? up_read+0x1f/0x40
 [&lt;ffffffff810611b4&gt;] ? __do_page_fault+0x254/0x580
 [&lt;ffffffff812146ed&gt;] ? __fget_light+0x13d/0x160
 [&lt;ffffffff815c7b02&gt;] __sys_sendmsg+0x42/0x80
 [&lt;ffffffff815c7b52&gt;] SyS_sendmsg+0x12/0x20
 [&lt;ffffffff81751f69&gt;] system_call_fastpath+0x16/0x1b

Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
Signed-off-by: Luciano Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f89f46cf3a23d8d7c98f924a461fd931e1331746 upstream.

If the userspace passes a malformed sched scan request (or a net
detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
attribute without any nested matchsets, a NULL pointer dereference
will occur.  Fix this by checking that we do have matchsets in our
array before trying to access it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
IP: [&lt;ffffffffa002fd69&gt;] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
PGD 865c067 PUD 865b067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
CPU: 2 PID: 2442 Comm: iw Tainted: G           O   3.17.2 #31
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
RIP: 0010:[&lt;ffffffffa002fd69&gt;]  [&lt;ffffffffa002fd69&gt;] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
RSP: 0018:ffff880008d838d0  EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
FS:  00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
Stack:
 ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
Call Trace:
 [&lt;ffffffff814689c9&gt;] ? nla_parse+0xb9/0x120
 [&lt;ffffffffa00306de&gt;] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
 [&lt;ffffffff810bf3d5&gt;] ? mark_held_locks+0x75/0xa0
 [&lt;ffffffff8161a77b&gt;] genl_family_rcv_msg+0x18b/0x360
 [&lt;ffffffff810bf66d&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff8161a9d4&gt;] genl_rcv_msg+0x84/0xc0
 [&lt;ffffffff8161a950&gt;] ? genl_family_rcv_msg+0x360/0x360
 [&lt;ffffffff81618e79&gt;] netlink_rcv_skb+0xa9/0xd0
 [&lt;ffffffff81619458&gt;] genl_rcv+0x28/0x40
 [&lt;ffffffff816184a5&gt;] netlink_unicast+0x105/0x180
 [&lt;ffffffff8161886f&gt;] netlink_sendmsg+0x34f/0x7a0
 [&lt;ffffffff8105a097&gt;] ? kvm_clock_read+0x27/0x40
 [&lt;ffffffff815c644d&gt;] sock_sendmsg+0x8d/0xc0
 [&lt;ffffffff811a75c9&gt;] ? might_fault+0xb9/0xc0
 [&lt;ffffffff811a756e&gt;] ? might_fault+0x5e/0xc0
 [&lt;ffffffff815d5d26&gt;] ? verify_iovec+0x56/0xe0
 [&lt;ffffffff815c73e0&gt;] ___sys_sendmsg+0x3d0/0x3e0
 [&lt;ffffffff810a7be8&gt;] ? sched_clock_cpu+0x98/0xd0
 [&lt;ffffffff810611b4&gt;] ? __do_page_fault+0x254/0x580
 [&lt;ffffffff810bb39f&gt;] ? up_read+0x1f/0x40
 [&lt;ffffffff810611b4&gt;] ? __do_page_fault+0x254/0x580
 [&lt;ffffffff812146ed&gt;] ? __fget_light+0x13d/0x160
 [&lt;ffffffff815c7b02&gt;] __sys_sendmsg+0x42/0x80
 [&lt;ffffffff815c7b52&gt;] SyS_sendmsg+0x12/0x20
 [&lt;ffffffff81751f69&gt;] system_call_fastpath+0x16/0x1b

Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
Signed-off-by: Luciano Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Do not apply TSO segment limit to non-TSO packets</title>
<updated>2015-01-27T16:29:33+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2014-12-31T13:39:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=04e5427dbe91e600cf5c03e7e97095ce3865af92'/>
<id>04e5427dbe91e600cf5c03e7e97095ce3865af92</id>
<content type='text'>
[ Upstream commit 843925f33fcc293d80acf2c5c8a78adf3344d49b ]

Thomas Jarosch reported IPsec TCP stalls when a PMTU event occurs.

In fact the problem was completely unrelated to IPsec.  The bug is
also reproducible if you just disable TSO/GSO.

The problem is that when the MSS goes down, existing queued packet
on the TX queue that have not been transmitted yet all look like
TSO packets and get treated as such.

This then triggers a bug where tcp_mss_split_point tells us to
generate a zero-sized packet on the TX queue.  Once that happens
we're screwed because the zero-sized packet can never be removed
by ACKs.

Fixes: 1485348d242 ("tcp: Apply device TSO segment limit earlier")
Reported-by: Thomas Jarosch &lt;thomas.jarosch@intra2net.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;

Cheers,
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 843925f33fcc293d80acf2c5c8a78adf3344d49b ]

Thomas Jarosch reported IPsec TCP stalls when a PMTU event occurs.

In fact the problem was completely unrelated to IPsec.  The bug is
also reproducible if you just disable TSO/GSO.

The problem is that when the MSS goes down, existing queued packet
on the TX queue that have not been transmitted yet all look like
TSO packets and get treated as such.

This then triggers a bug where tcp_mss_split_point tells us to
generate a zero-sized packet on the TX queue.  Once that happens
we're screwed because the zero-sized packet can never be removed
by ACKs.

Fixes: 1485348d242 ("tcp: Apply device TSO segment limit earlier")
Reported-by: Thomas Jarosch &lt;thomas.jarosch@intra2net.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;

Cheers,
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
