<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v4.6.5</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>af_unix: fix hard linked sockets on overlay</title>
<updated>2016-07-27T15:42:16+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2016-05-20T20:13:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d808791ed068f7dabcc54fe07f07636fa436ddbb'/>
<id>d808791ed068f7dabcc54fe07f07636fa436ddbb</id>
<content type='text'>
commit eb0a4a47ae89aaa0674ab3180de6a162f3be2ddf upstream.

Overlayfs uses separate inodes even in the case of hard links on the
underlying filesystems.  This is a problem for AF_UNIX socket
implementation which indexes sockets based on the inode.  This resulted in
hard linked sockets not working.

The fix is to use the real, underlying inode.

Test case follows:

-- ovl-sock-test.c --
#include &lt;unistd.h&gt;
#include &lt;err.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/un.h&gt;

#define SOCK "test-sock"
#define SOCK2 "test-sock2"

int main(void)
{
	int fd, fd2;
	struct sockaddr_un addr = {
		.sun_family = AF_UNIX,
		.sun_path = SOCK,
	};
	struct sockaddr_un addr2 = {
		.sun_family = AF_UNIX,
		.sun_path = SOCK2,
	};

	unlink(SOCK);
	unlink(SOCK2);
	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		err(1, "socket");
	if (bind(fd, (struct sockaddr *) &amp;addr, sizeof(addr)) == -1)
		err(1, "bind");
	if (listen(fd, 0) == -1)
		err(1, "listen");
	if (link(SOCK, SOCK2) == -1)
		err(1, "link");
	if ((fd2 = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		err(1, "socket");
	if (connect(fd2, (struct sockaddr *) &amp;addr2, sizeof(addr2)) == -1)
		err (1, "connect");
	return 0;
}
----

Reported-by: Alexander Morozov &lt;alexandr.morozov@docker.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eb0a4a47ae89aaa0674ab3180de6a162f3be2ddf upstream.

Overlayfs uses separate inodes even in the case of hard links on the
underlying filesystems.  This is a problem for AF_UNIX socket
implementation which indexes sockets based on the inode.  This resulted in
hard linked sockets not working.

The fix is to use the real, underlying inode.

Test case follows:

-- ovl-sock-test.c --
#include &lt;unistd.h&gt;
#include &lt;err.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/un.h&gt;

#define SOCK "test-sock"
#define SOCK2 "test-sock2"

int main(void)
{
	int fd, fd2;
	struct sockaddr_un addr = {
		.sun_family = AF_UNIX,
		.sun_path = SOCK,
	};
	struct sockaddr_un addr2 = {
		.sun_family = AF_UNIX,
		.sun_path = SOCK2,
	};

	unlink(SOCK);
	unlink(SOCK2);
	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		err(1, "socket");
	if (bind(fd, (struct sockaddr *) &amp;addr, sizeof(addr)) == -1)
		err(1, "bind");
	if (listen(fd, 0) == -1)
		err(1, "listen");
	if (link(SOCK, SOCK2) == -1)
		err(1, "link");
	if ((fd2 = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		err(1, "socket");
	if (connect(fd2, (struct sockaddr *) &amp;addr2, sizeof(addr2)) == -1)
		err (1, "connect");
	return 0;
}
----

Reported-by: Alexander Morozov &lt;alexandr.morozov@docker.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Fix mem leak in rt6i_pcpu</title>
<updated>2016-07-27T15:42:14+00:00</updated>
<author>
<name>Martin KaFai Lau</name>
<email>kafai@fb.com</email>
</author>
<published>2016-07-05T19:10:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2ac4d627cd27cfee683add65ad972de71e4df5c1'/>
<id>2ac4d627cd27cfee683add65ad972de71e4df5c1</id>
<content type='text'>
[ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

It was first reported and reproduced by Petr (thanks!) in
https://bugzilla.kernel.org/show_bug.cgi?id=119581

free_percpu(rt-&gt;rt6i_pcpu) used to always happen in ip6_dst_destroy().

However, after fixing a deadlock bug in
commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
free_percpu() is not called before setting non_pcpu_rt-&gt;rt6i_pcpu to NULL.

It is worth to note that rt6i_pcpu is protected by table-&gt;tb6_lock.

kmemleak somehow did not report it.  We nailed it down by
observing the pcpu entries in /proc/vmallocinfo (first suggested
by Hannes, thanks!).

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
Reported-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Tested-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

It was first reported and reproduced by Petr (thanks!) in
https://bugzilla.kernel.org/show_bug.cgi?id=119581

free_percpu(rt-&gt;rt6i_pcpu) used to always happen in ip6_dst_destroy().

However, after fixing a deadlock bug in
commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
free_percpu() is not called before setting non_pcpu_rt-&gt;rt6i_pcpu to NULL.

It is worth to note that rt6i_pcpu is protected by table-&gt;tb6_lock.

kmemleak somehow did not report it.  We nailed it down by
observing the pcpu entries in /proc/vmallocinfo (first suggested
by Hannes, thanks!).

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
Reported-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Tested-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net_sched: fix mirrored packets checksum</title>
<updated>2016-07-27T15:42:13+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2016-06-30T17:15:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=49729eccc9d7ef545d484fe3d277697fa2701840'/>
<id>49729eccc9d7ef545d484fe3d277697fa2701840</id>
<content type='text'>
[ Upstream commit 82a31b9231f02d9c1b7b290a46999d517b0d312a ]

Similar to commit 9b368814b336 ("net: fix bridge multicast packet checksum validation")
we need to fixup the checksum for CHECKSUM_COMPLETE when
pushing skb on RX path. Otherwise we get similar splats.

Cc: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Cc: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 82a31b9231f02d9c1b7b290a46999d517b0d312a ]

Similar to commit 9b368814b336 ("net: fix bridge multicast packet checksum validation")
we need to fixup the checksum for CHECKSUM_COMPLETE when
pushing skb on RX path. Otherwise we get similar splats.

Cc: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Cc: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: Use symmetric hash for PACKET_FANOUT_HASH.</title>
<updated>2016-07-27T15:42:13+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2016-07-01T20:07:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=74a601e604a228bacdb79323ec9667756eb3e162'/>
<id>74a601e604a228bacdb79323ec9667756eb3e162</id>
<content type='text'>
[ Upstream commit eb70db8756717b90c01ccc765fdefc4dd969fc74 ]

People who use PACKET_FANOUT_HASH want a symmetric hash, meaning that
they want packets going in both directions on a flow to hash to the
same bucket.

The core kernel SKB hash became non-symmetric when the ipv6 flow label
and other entities were incorporated into the standard flow hash order
to increase entropy.

But there are no users of PACKET_FANOUT_HASH who want an assymetric
hash, they all want a symmetric one.

Therefore, use the flow dissector to compute a flat symmetric hash
over only the protocol, addresses and ports.  This hash does not get
installed into and override the normal skb hash, so this change has
no effect whatsoever on the rest of the stack.

Reported-by: Eric Leblond &lt;eric@regit.org&gt;
Tested-by: Eric Leblond &lt;eric@regit.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit eb70db8756717b90c01ccc765fdefc4dd969fc74 ]

People who use PACKET_FANOUT_HASH want a symmetric hash, meaning that
they want packets going in both directions on a flow to hash to the
same bucket.

The core kernel SKB hash became non-symmetric when the ipv6 flow label
and other entities were incorporated into the standard flow hash order
to increase entropy.

But there are no users of PACKET_FANOUT_HASH who want an assymetric
hash, they all want a symmetric one.

Therefore, use the flow dissector to compute a flat symmetric hash
over only the protocol, addresses and ports.  This hash does not get
installed into and override the normal skb hash, so this change has
no effect whatsoever on the rest of the stack.

Reported-by: Eric Leblond &lt;eric@regit.org&gt;
Tested-by: Eric Leblond &lt;eric@regit.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rpc: share one xps between all backchannels</title>
<updated>2016-07-27T15:42:12+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2016-05-17T16:38:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea22632f041a5f6e436ea308aaf7d84aaa6009b1'/>
<id>ea22632f041a5f6e436ea308aaf7d84aaa6009b1</id>
<content type='text'>
commit 39a9beab5acb83176e8b9a4f0778749a09341f1f upstream.

The spec allows backchannels for multiple clients to share the same tcp
connection.  When that happens, we need to use the same xprt for all of
them.  Similarly, we need the same xps.

This fixes list corruption introduced by the multipath code.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 39a9beab5acb83176e8b9a4f0778749a09341f1f upstream.

The spec allows backchannels for multiple clients to share the same tcp
connection.  When that happens, we need to use the same xprt for all of
them.  Similarly, we need the same xps.

This fixes list corruption introduced by the multipath code.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: fix xprt leak on xps allocation failure</title>
<updated>2016-07-27T15:42:12+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2016-05-20T21:07:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=863af7a779f0f0b6f2d49d32c8c23f4dd68507e5'/>
<id>863af7a779f0f0b6f2d49d32c8c23f4dd68507e5</id>
<content type='text'>
commit 1208fd569c07ab84aa5d024abd863267c2953b4a upstream.

Callers of rpc_create_xprt expect it to put the xprt on success and
failure.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1208fd569c07ab84aa5d024abd863267c2953b4a upstream.

Callers of rpc_create_xprt expect it to put the xprt on success and
failure.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nfsd4/rpc: move backchannel create logic into rpc code</title>
<updated>2016-07-27T15:42:11+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2016-05-16T21:03:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2de09ffe78ed319167f329f79dcefae32221fd55'/>
<id>2de09ffe78ed319167f329f79dcefae32221fd55</id>
<content type='text'>
commit d50039ea5ee63c589b0434baa5ecf6e5075bb6f9 upstream.

Also simplify the logic a bit.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d50039ea5ee63c589b0434baa5ecf6e5075bb6f9 upstream.

Also simplify the logic a bit.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Acked-by: Trond Myklebust &lt;trondmy@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC header</title>
<updated>2016-07-27T15:42:07+00:00</updated>
<author>
<name>Felix Fietkau</name>
<email>nbd@nbd.name</email>
</author>
<published>2016-06-29T08:36:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ac2b80507d990bcc2d682cc1506741afcbcf2904'/>
<id>ac2b80507d990bcc2d682cc1506741afcbcf2904</id>
<content type='text'>
commit c041778c966c92c964033f1cdfee60a9f2b5e465 upstream.

The PDU length of incoming LLC frames is set to the total skb payload size
in __ieee80211_data_to_8023() of net/wireless/util.c which incorrectly
includes the length of the IEEE 802.11 header.

The resulting LLC frame header has a too large PDU length, causing the
llc_fixup_skb() function of net/llc/llc_input.c to reject the incoming
skb, effectively breaking STP.

Solve the problem by properly substracting the IEEE 802.11 frame header size
from the PDU length, allowing the LLC processor to pick up the incoming
control messages.

Special thanks to Gerry Rozema for tracking down the regression and proposing
a suitable patch.

Fixes: 2d1c304cb2d5 ("cfg80211: add function for 802.3 conversion with separate output buffer")
Reported-by: Gerry Rozema &lt;gerryr@rozeware.com&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c041778c966c92c964033f1cdfee60a9f2b5e465 upstream.

The PDU length of incoming LLC frames is set to the total skb payload size
in __ieee80211_data_to_8023() of net/wireless/util.c which incorrectly
includes the length of the IEEE 802.11 header.

The resulting LLC frame header has a too large PDU length, causing the
llc_fixup_skb() function of net/llc/llc_input.c to reject the incoming
skb, effectively breaking STP.

Solve the problem by properly substracting the IEEE 802.11 frame header size
from the PDU length, allowing the LLC processor to pick up the incoming
control messages.

Special thanks to Gerry Rozema for tracking down the regression and proposing
a suitable patch.

Fixes: 2d1c304cb2d5 ("cfg80211: add function for 802.3 conversion with separate output buffer")
Reported-by: Gerry Rozema &lt;gerryr@rozeware.com&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: Fix mesh estab_plinks counting in STA removal case</title>
<updated>2016-07-27T15:42:07+00:00</updated>
<author>
<name>Jouni Malinen</name>
<email>j@w1.fi</email>
</author>
<published>2016-06-19T20:51:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=18c1df61dd764c2dcd97a90af91ac5a64ad95fd6'/>
<id>18c1df61dd764c2dcd97a90af91ac5a64ad95fd6</id>
<content type='text'>
commit 126e7557328a1cd576be4fca95b133a2695283ff upstream.

If a user space program (e.g., wpa_supplicant) deletes a STA entry that
is currently in NL80211_PLINK_ESTAB state, the number of established
plinks counter was not decremented and this could result in rejecting
new plink establishment before really hitting the real maximum plink
limit. For !user_mpm case, this decrementation is handled by
mesh_plink_deactive().

Fix this by decrementing estab_plinks on STA deletion
(mesh_sta_cleanup() gets called from there) so that the counter has a
correct value and the Beacon frame advertisement in Mesh Configuration
element shows the proper value for capability to accept additional
peers.

Signed-off-by: Jouni Malinen &lt;j@w1.fi&gt;
Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 126e7557328a1cd576be4fca95b133a2695283ff upstream.

If a user space program (e.g., wpa_supplicant) deletes a STA entry that
is currently in NL80211_PLINK_ESTAB state, the number of established
plinks counter was not decremented and this could result in rejecting
new plink establishment before really hitting the real maximum plink
limit. For !user_mpm case, this decrementation is handled by
mesh_plink_deactive().

Fix this by decrementing estab_plinks on STA deletion
(mesh_sta_cleanup() gets called from there) so that the counter has a
correct value and the Beacon frame advertisement in Mesh Configuration
element shows the proper value for capability to accept additional
peers.

Signed-off-by: Jouni Malinen &lt;j@w1.fi&gt;
Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: mesh: flush mesh paths unconditionally</title>
<updated>2016-07-27T15:42:07+00:00</updated>
<author>
<name>Bob Copeland</name>
<email>me@bobcopeland.com</email>
</author>
<published>2016-05-15T17:19:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a7db982a262e939e687b014b1c501e701d085578'/>
<id>a7db982a262e939e687b014b1c501e701d085578</id>
<content type='text'>
commit fe7a7c57629e8dcbc0e297363a9b2366d67a6dc5 upstream.

Currently, the mesh paths associated with a nexthop station are cleaned
up in the following code path:

    __sta_info_destroy_part1
    synchronize_net()
    __sta_info_destroy_part2
     -&gt; cleanup_single_sta
       -&gt; mesh_sta_cleanup
         -&gt; mesh_plink_deactivate
           -&gt; mesh_path_flush_by_nexthop

However, there are a couple of problems here:

1) the paths aren't flushed at all if the MPM is running in userspace
   (e.g. when using wpa_supplicant or authsae)

2) there is no synchronize_rcu between removing the path and readers
   accessing the nexthop, which means the following race is possible:

CPU0                            CPU1
~~~~                            ~~~~
                                sta_info_destroy_part1()
                                synchronize_net()
rcu_read_lock()
mesh_nexthop_resolve()
  mpath = mesh_path_lookup()
                                [...] -&gt; mesh_path_flush_by_nexthop()
  sta = rcu_dereference(
    mpath-&gt;next_hop)
                                kfree(sta)
  access sta &lt;-- CRASH

Fix both of these by unconditionally flushing paths before destroying
the sta, and by adding a synchronize_net() after path flush to ensure
no active readers can still dereference the sta.

Fixes this crash:

[  348.529295] BUG: unable to handle kernel paging request at 00020040
[  348.530014] IP: [&lt;f929245d&gt;] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] *pde = 00000000
[  348.530014] Oops: 0000 [#1] PREEMPT
[  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
[  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
[  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
[  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
[  348.530014] EIP: 0060:[&lt;f929245d&gt;] EFLAGS: 00010246 CPU: 0
[  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
[  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
[  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
[  348.530014] Stack:
[  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
[  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
[  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
[  348.530014] Call Trace:
[  348.530014]  [&lt;f9291d80&gt;] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
[  348.530014]  [&lt;f9291dc1&gt;] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
[  348.530014]  [&lt;f9277f6f&gt;] ieee80211_xmit+0x92/0xc1 [mac80211]
[  348.530014]  [&lt;f9278dd1&gt;] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
[  348.530014]  [&lt;c04df012&gt;] ? sch_direct_xmit+0xd7/0x1b3
[  348.530014]  [&lt;c022a8c6&gt;] ? __local_bh_enable_ip+0x5d/0x7b
[  348.530014]  [&lt;f956870c&gt;] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
[  348.530014]  [&lt;f957e036&gt;] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
[  348.530014]  [&lt;c04c6f45&gt;] ? netif_skb_features+0x14d/0x30a
[  348.530014]  [&lt;f9278e10&gt;] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
[  348.530014]  [&lt;c04c769c&gt;] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [&lt;c04c7261&gt;] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [&lt;c04defc6&gt;] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [&lt;c04c7a9c&gt;] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [&lt;c04c7cfb&gt;] dev_queue_xmit+0xa/0xc
[  348.530014]  [&lt;f91bfc7a&gt;] batadv_send_skb_packet+0xd6/0xec [batman_adv]
[  348.530014]  [&lt;f91bfdc4&gt;] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
[  348.530014]  [&lt;f91b5938&gt;] batadv_dat_send_data+0x27e/0x310 [batman_adv]
[  348.530014]  [&lt;f91c30b5&gt;] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
[  348.530014]  [&lt;f91b63f3&gt;] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
[  348.530014]  [&lt;f91c0cd9&gt;] batadv_interface_tx+0x206/0x385 [batman_adv]
[  348.530014]  [&lt;c04c769c&gt;] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [&lt;c04c7261&gt;] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [&lt;c04defc6&gt;] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [&lt;c04c7a9c&gt;] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [&lt;f80cbd2a&gt;] ? igb_xmit_frame+0x57/0x72 [igb]
[  348.530014]  [&lt;c04c7cfb&gt;] dev_queue_xmit+0xa/0xc
[  348.530014]  [&lt;f843a326&gt;] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
[  348.530014]  [&lt;f843a35f&gt;] br_forward_finish+0x29/0x74 [bridge]
[  348.530014]  [&lt;f843a23b&gt;] ? deliver_clone+0x3b/0x3b [bridge]
[  348.530014]  [&lt;f843a714&gt;] __br_forward+0x89/0xe7 [bridge]
[  348.530014]  [&lt;f843a336&gt;] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
[  348.530014]  [&lt;f843a234&gt;] deliver_clone+0x34/0x3b [bridge]
[  348.530014]  [&lt;f843a68b&gt;] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [&lt;f843a66d&gt;] br_flood+0x77/0x95 [bridge]
[  348.530014]  [&lt;f843a809&gt;] br_flood_forward+0x13/0x1a [bridge]
[  348.530014]  [&lt;f843a68b&gt;] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [&lt;f843b877&gt;] br_handle_frame_finish+0x392/0x3db [bridge]
[  348.530014]  [&lt;c04e9b2b&gt;] ? nf_iterate+0x2b/0x6b
[  348.530014]  [&lt;f843baa6&gt;] br_handle_frame+0x1e6/0x240 [bridge]
[  348.530014]  [&lt;f843b4e5&gt;] ? br_handle_local_finish+0x6a/0x6a [bridge]
[  348.530014]  [&lt;c04c4ba0&gt;] __netif_receive_skb_core+0x43a/0x66b
[  348.530014]  [&lt;f843b8c0&gt;] ? br_handle_frame_finish+0x3db/0x3db [bridge]
[  348.530014]  [&lt;c023cea4&gt;] ? resched_curr+0x19/0x37
[  348.530014]  [&lt;c0240707&gt;] ? check_preempt_wakeup+0xbf/0xfe
[  348.530014]  [&lt;c0255dec&gt;] ? ktime_get_with_offset+0x5c/0xfc
[  348.530014]  [&lt;c04c4fc1&gt;] __netif_receive_skb+0x47/0x55
[  348.530014]  [&lt;c04c57ba&gt;] netif_receive_skb_internal+0x40/0x5a
[  348.530014]  [&lt;c04c61ef&gt;] napi_gro_receive+0x3a/0x94
[  348.530014]  [&lt;f80ce8d5&gt;] igb_poll+0x6fd/0x9ad [igb]
[  348.530014]  [&lt;c0242bd8&gt;] ? swake_up_locked+0x14/0x26
[  348.530014]  [&lt;c04c5d29&gt;] net_rx_action+0xde/0x250
[  348.530014]  [&lt;c022a743&gt;] __do_softirq+0x8a/0x163
[  348.530014]  [&lt;c022a6b9&gt;] ? __hrtimer_tasklet_trampoline+0x19/0x19
[  348.530014]  [&lt;c021100f&gt;] do_softirq_own_stack+0x26/0x2c
[  348.530014]  &lt;IRQ&gt;
[  348.530014]  [&lt;c022a957&gt;] irq_exit+0x31/0x6f
[  348.530014]  [&lt;c0210eb2&gt;] do_IRQ+0x8d/0xa0
[  348.530014]  [&lt;c058152c&gt;] common_interrupt+0x2c/0x40
[  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
[  348.530014] EIP: [&lt;f929245d&gt;] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
[  348.530014] CR2: 0000000000020040
[  348.530014] ---[ end trace 48556ac26779732e ]---
[  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
[  348.530014] Kernel Offset: disabled

Reported-by: Fred Veldini &lt;fred.veldini@gmail.com&gt;
Tested-by: Fred Veldini &lt;fred.veldini@gmail.com&gt;
Signed-off-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fe7a7c57629e8dcbc0e297363a9b2366d67a6dc5 upstream.

Currently, the mesh paths associated with a nexthop station are cleaned
up in the following code path:

    __sta_info_destroy_part1
    synchronize_net()
    __sta_info_destroy_part2
     -&gt; cleanup_single_sta
       -&gt; mesh_sta_cleanup
         -&gt; mesh_plink_deactivate
           -&gt; mesh_path_flush_by_nexthop

However, there are a couple of problems here:

1) the paths aren't flushed at all if the MPM is running in userspace
   (e.g. when using wpa_supplicant or authsae)

2) there is no synchronize_rcu between removing the path and readers
   accessing the nexthop, which means the following race is possible:

CPU0                            CPU1
~~~~                            ~~~~
                                sta_info_destroy_part1()
                                synchronize_net()
rcu_read_lock()
mesh_nexthop_resolve()
  mpath = mesh_path_lookup()
                                [...] -&gt; mesh_path_flush_by_nexthop()
  sta = rcu_dereference(
    mpath-&gt;next_hop)
                                kfree(sta)
  access sta &lt;-- CRASH

Fix both of these by unconditionally flushing paths before destroying
the sta, and by adding a synchronize_net() after path flush to ensure
no active readers can still dereference the sta.

Fixes this crash:

[  348.529295] BUG: unable to handle kernel paging request at 00020040
[  348.530014] IP: [&lt;f929245d&gt;] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] *pde = 00000000
[  348.530014] Oops: 0000 [#1] PREEMPT
[  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
[  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
[  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
[  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
[  348.530014] EIP: 0060:[&lt;f929245d&gt;] EFLAGS: 00010246 CPU: 0
[  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
[  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
[  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
[  348.530014] Stack:
[  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
[  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
[  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
[  348.530014] Call Trace:
[  348.530014]  [&lt;f9291d80&gt;] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
[  348.530014]  [&lt;f9291dc1&gt;] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
[  348.530014]  [&lt;f9277f6f&gt;] ieee80211_xmit+0x92/0xc1 [mac80211]
[  348.530014]  [&lt;f9278dd1&gt;] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
[  348.530014]  [&lt;c04df012&gt;] ? sch_direct_xmit+0xd7/0x1b3
[  348.530014]  [&lt;c022a8c6&gt;] ? __local_bh_enable_ip+0x5d/0x7b
[  348.530014]  [&lt;f956870c&gt;] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
[  348.530014]  [&lt;f957e036&gt;] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
[  348.530014]  [&lt;c04c6f45&gt;] ? netif_skb_features+0x14d/0x30a
[  348.530014]  [&lt;f9278e10&gt;] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
[  348.530014]  [&lt;c04c769c&gt;] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [&lt;c04c7261&gt;] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [&lt;c04defc6&gt;] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [&lt;c04c7a9c&gt;] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [&lt;c04c7cfb&gt;] dev_queue_xmit+0xa/0xc
[  348.530014]  [&lt;f91bfc7a&gt;] batadv_send_skb_packet+0xd6/0xec [batman_adv]
[  348.530014]  [&lt;f91bfdc4&gt;] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
[  348.530014]  [&lt;f91b5938&gt;] batadv_dat_send_data+0x27e/0x310 [batman_adv]
[  348.530014]  [&lt;f91c30b5&gt;] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
[  348.530014]  [&lt;f91b63f3&gt;] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
[  348.530014]  [&lt;f91c0cd9&gt;] batadv_interface_tx+0x206/0x385 [batman_adv]
[  348.530014]  [&lt;c04c769c&gt;] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [&lt;c04c7261&gt;] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [&lt;c04defc6&gt;] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [&lt;c04c7a9c&gt;] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [&lt;f80cbd2a&gt;] ? igb_xmit_frame+0x57/0x72 [igb]
[  348.530014]  [&lt;c04c7cfb&gt;] dev_queue_xmit+0xa/0xc
[  348.530014]  [&lt;f843a326&gt;] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
[  348.530014]  [&lt;f843a35f&gt;] br_forward_finish+0x29/0x74 [bridge]
[  348.530014]  [&lt;f843a23b&gt;] ? deliver_clone+0x3b/0x3b [bridge]
[  348.530014]  [&lt;f843a714&gt;] __br_forward+0x89/0xe7 [bridge]
[  348.530014]  [&lt;f843a336&gt;] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
[  348.530014]  [&lt;f843a234&gt;] deliver_clone+0x34/0x3b [bridge]
[  348.530014]  [&lt;f843a68b&gt;] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [&lt;f843a66d&gt;] br_flood+0x77/0x95 [bridge]
[  348.530014]  [&lt;f843a809&gt;] br_flood_forward+0x13/0x1a [bridge]
[  348.530014]  [&lt;f843a68b&gt;] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [&lt;f843b877&gt;] br_handle_frame_finish+0x392/0x3db [bridge]
[  348.530014]  [&lt;c04e9b2b&gt;] ? nf_iterate+0x2b/0x6b
[  348.530014]  [&lt;f843baa6&gt;] br_handle_frame+0x1e6/0x240 [bridge]
[  348.530014]  [&lt;f843b4e5&gt;] ? br_handle_local_finish+0x6a/0x6a [bridge]
[  348.530014]  [&lt;c04c4ba0&gt;] __netif_receive_skb_core+0x43a/0x66b
[  348.530014]  [&lt;f843b8c0&gt;] ? br_handle_frame_finish+0x3db/0x3db [bridge]
[  348.530014]  [&lt;c023cea4&gt;] ? resched_curr+0x19/0x37
[  348.530014]  [&lt;c0240707&gt;] ? check_preempt_wakeup+0xbf/0xfe
[  348.530014]  [&lt;c0255dec&gt;] ? ktime_get_with_offset+0x5c/0xfc
[  348.530014]  [&lt;c04c4fc1&gt;] __netif_receive_skb+0x47/0x55
[  348.530014]  [&lt;c04c57ba&gt;] netif_receive_skb_internal+0x40/0x5a
[  348.530014]  [&lt;c04c61ef&gt;] napi_gro_receive+0x3a/0x94
[  348.530014]  [&lt;f80ce8d5&gt;] igb_poll+0x6fd/0x9ad [igb]
[  348.530014]  [&lt;c0242bd8&gt;] ? swake_up_locked+0x14/0x26
[  348.530014]  [&lt;c04c5d29&gt;] net_rx_action+0xde/0x250
[  348.530014]  [&lt;c022a743&gt;] __do_softirq+0x8a/0x163
[  348.530014]  [&lt;c022a6b9&gt;] ? __hrtimer_tasklet_trampoline+0x19/0x19
[  348.530014]  [&lt;c021100f&gt;] do_softirq_own_stack+0x26/0x2c
[  348.530014]  &lt;IRQ&gt;
[  348.530014]  [&lt;c022a957&gt;] irq_exit+0x31/0x6f
[  348.530014]  [&lt;c0210eb2&gt;] do_IRQ+0x8d/0xa0
[  348.530014]  [&lt;c058152c&gt;] common_interrupt+0x2c/0x40
[  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
[  348.530014] EIP: [&lt;f929245d&gt;] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
[  348.530014] CR2: 0000000000020040
[  348.530014] ---[ end trace 48556ac26779732e ]---
[  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
[  348.530014] Kernel Offset: disabled

Reported-by: Fred Veldini &lt;fred.veldini@gmail.com&gt;
Tested-by: Fred Veldini &lt;fred.veldini@gmail.com&gt;
Signed-off-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
