<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v4.9.46</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: bnep: fix possible might sleep error in bnep_session</title>
<updated>2017-08-30T08:21:52+00:00</updated>
<author>
<name>Jeffy Chen</name>
<email>jeffy.chen@rock-chips.com</email>
</author>
<published>2017-06-27T09:34:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=242cea2d666f9e9a61513f8d96d549122589daca'/>
<id>242cea2d666f9e9a61513f8d96d549122589daca</id>
<content type='text'>
commit 25717382c1dd0ddced2059053e3ca5088665f7a5 upstream.

It looks like bnep_session has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 25717382c1dd0ddced2059053e3ca5088665f7a5 upstream.

It looks like bnep_session has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: cmtp: fix possible might sleep error in cmtp_session</title>
<updated>2017-08-30T08:21:52+00:00</updated>
<author>
<name>Jeffy Chen</name>
<email>jeffy.chen@rock-chips.com</email>
</author>
<published>2017-06-27T09:34:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ffb7640acbc3f8a3366258ae0f281b1e98472ad4'/>
<id>ffb7640acbc3f8a3366258ae0f281b1e98472ad4</id>
<content type='text'>
commit f06d977309d09253c744e54e75c5295ecc52b7b4 upstream.

It looks like cmtp_session has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f06d977309d09253c744e54e75c5295ecc52b7b4 upstream.

It looks like cmtp_session has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Reviewed-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: fix possible might sleep error in hidp_session_thread</title>
<updated>2017-08-30T08:21:52+00:00</updated>
<author>
<name>Jeffy Chen</name>
<email>jeffy.chen@rock-chips.com</email>
</author>
<published>2017-06-27T09:34:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b5fcb3b25f794957acbeec78800a18d4d0903b3'/>
<id>1b5fcb3b25f794957acbeec78800a18d4d0903b3</id>
<content type='text'>
commit 5da8e47d849d3d37b14129f038782a095b9ad049 upstream.

It looks like hidp_session_thread has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Tested-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Tested-by: Rohit Vaswani &lt;rvaswani@nvidia.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5da8e47d849d3d37b14129f038782a095b9ad049 upstream.

It looks like hidp_session_thread has same pattern as the issue reported in
old rfcomm:

	while (1) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (condition)
			break;
		// may call might_sleep here
		schedule();
	}
	__set_current_state(TASK_RUNNING);

Which fixed at:
	dfb2fae Bluetooth: Fix nested sleeps

So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/

Signed-off-by: Jeffy Chen &lt;jeffy.chen@rock-chips.com&gt;
Tested-by: AL Yu-Chen Cho &lt;acho@suse.com&gt;
Tested-by: Rohit Vaswani &lt;rvaswani@nvidia.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nat: fix src map lookup</title>
<updated>2017-08-30T08:21:51+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-07-07T11:07:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5f81b1f51b9cfcbfbe7a1abea09962c91bf485e7'/>
<id>5f81b1f51b9cfcbfbe7a1abea09962c91bf485e7</id>
<content type='text'>
commit 97772bcd56efa21d9d8976db6f205574ea602f51 upstream.

When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().

When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.

We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.

This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.

Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon &lt;jaco@uls.co.za&gt;
Tested-by: Jaco Kroon &lt;jaco@uls.co.za&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 97772bcd56efa21d9d8976db6f205574ea602f51 upstream.

When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().

When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.

We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.

This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.

Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon &lt;jaco@uls.co.za&gt;
Tested-by: Jaco Kroon &lt;jaco@uls.co.za&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: sunrpc: svcsock: fix NULL-pointer exception</title>
<updated>2017-08-30T08:21:51+00:00</updated>
<author>
<name>Vadim Lomovtsev</name>
<email>vlomovts@redhat.com</email>
</author>
<published>2017-08-21T11:23:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d4c5c26c5f0905f7582291f78e64a0a250cb0fc2'/>
<id>d4c5c26c5f0905f7582291f78e64a0a250cb0fc2</id>
<content type='text'>
commit eebe53e87f97975ee58a21693e44797608bf679c upstream.

While running nfs/connectathon tests kernel NULL-pointer exception
has been observed due to races in svcsock.c.

Race is appear when kernel accepts connection by kernel_accept
(which creates new socket) and start queuing ingress packets
to new socket. This happens in ksoftirq context which could run
concurrently on a different core while new socket setup is not done yet.

The fix is to re-order socket user data init sequence and add
write/read barrier calls to be sure that we got proper values
for callback pointers before actually calling them.

Test results: nfs/connectathon reports '0' failed tests for about 200+ iterations.

Crash log:
---&lt;-snip-&gt;---
[ 6708.638984] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 6708.647093] pgd = ffff0000094e0000
[ 6708.650497] [00000000] *pgd=0000010ffff90003, *pud=0000010ffff90003, *pmd=0000010ffff80003, *pte=0000000000000000
[ 6708.660761] Internal error: Oops: 86000005 [#1] SMP
[ 6708.665630] Modules linked in: nfsv3 nfnetlink_queue nfnetlink_log nfnetlink rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache overlay xt_CONNSECMARK xt_SECMARK xt_conntrack iptable_security ip_tables ah4 xfrm4_mode_transport sctp tun binfmt_misc ext4 jbd2 mbcache loop tcp_diag udp_diag inet_diag rpcrdma ib_isert iscsi_target_mod ib_iser rdma_cm iw_cm libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_uverbs ib_umad ib_cm ib_core nls_koi8_u nls_cp932 ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack vfat fat ghash_ce sha2_ce sha1_ce cavium_rng_vf i2c_thunderx sg thunderx_edac i2c_smbus edac_core cavium_rng nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c nicvf nicpf ast i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
[ 6708.736446]  ttm drm i2c_core thunder_bgx thunder_xcv mdio_thunder mdio_cavium dm_mirror dm_region_hash dm_log dm_mod [last unloaded: stap_3c300909c5b3f46dcacd49aab3334af_87021]
[ 6708.752275] CPU: 84 PID: 0 Comm: swapper/84 Tainted: G        W  OE   4.11.0-4.el7.aarch64 #1
[ 6708.760787] Hardware name: www.cavium.com CRB-2S/CRB-2S, BIOS 0.3 Mar 13 2017
[ 6708.767910] task: ffff810006842e80 task.stack: ffff81000689c000
[ 6708.773822] PC is at 0x0
[ 6708.776739] LR is at svc_data_ready+0x38/0x88 [sunrpc]
[ 6708.781866] pc : [&lt;0000000000000000&gt;] lr : [&lt;ffff0000029d7378&gt;] pstate: 60000145
[ 6708.789248] sp : ffff810ffbad3900
[ 6708.792551] x29: ffff810ffbad3900 x28: ffff000008c73d58
[ 6708.797853] x27: 0000000000000000 x26: ffff81000bbe1e00
[ 6708.803156] x25: 0000000000000020 x24: ffff800f7410bf28
[ 6708.808458] x23: ffff000008c63000 x22: ffff000008c63000
[ 6708.813760] x21: ffff800f7410bf28 x20: ffff81000bbe1e00
[ 6708.819063] x19: ffff810012412400 x18: 00000000d82a9df2
[ 6708.824365] x17: 0000000000000000 x16: 0000000000000000
[ 6708.829667] x15: 0000000000000000 x14: 0000000000000001
[ 6708.834969] x13: 0000000000000000 x12: 722e736f622e676e
[ 6708.840271] x11: 00000000f814dd99 x10: 0000000000000000
[ 6708.845573] x9 : 7374687225000000 x8 : 0000000000000000
[ 6708.850875] x7 : 0000000000000000 x6 : 0000000000000000
[ 6708.856177] x5 : 0000000000000028 x4 : 0000000000000000
[ 6708.861479] x3 : 0000000000000000 x2 : 00000000e5000000
[ 6708.866781] x1 : 0000000000000000 x0 : ffff81000bbe1e00
[ 6708.872084]
[ 6708.873565] Process swapper/84 (pid: 0, stack limit = 0xffff81000689c000)
[ 6708.880341] Stack: (0xffff810ffbad3900 to 0xffff8100068a0000)
[ 6708.886075] Call trace:
[ 6708.888513] Exception stack(0xffff810ffbad3710 to 0xffff810ffbad3840)
[ 6708.894942] 3700:                                   ffff810012412400 0001000000000000
[ 6708.902759] 3720: ffff810ffbad3900 0000000000000000 0000000060000145 ffff800f79300000
[ 6708.910577] 3740: ffff000009274d00 00000000000003ea 0000000000000015 ffff000008c63000
[ 6708.918395] 3760: ffff810ffbad3830 ffff800f79300000 000000000000004d 0000000000000000
[ 6708.926212] 3780: ffff810ffbad3890 ffff0000080f88dc ffff800f79300000 000000000000004d
[ 6708.934030] 37a0: ffff800f7930093c ffff000008c63000 0000000000000000 0000000000000140
[ 6708.941848] 37c0: ffff000008c2c000 0000000000040b00 ffff81000bbe1e00 0000000000000000
[ 6708.949665] 37e0: 00000000e5000000 0000000000000000 0000000000000000 0000000000000028
[ 6708.957483] 3800: 0000000000000000 0000000000000000 0000000000000000 7374687225000000
[ 6708.965300] 3820: 0000000000000000 00000000f814dd99 722e736f622e676e 0000000000000000
[ 6708.973117] [&lt;          (null)&gt;]           (null)
[ 6708.977824] [&lt;ffff0000086f9fa4&gt;] tcp_data_queue+0x754/0xc5c
[ 6708.983386] [&lt;ffff0000086fa64c&gt;] tcp_rcv_established+0x1a0/0x67c
[ 6708.989384] [&lt;ffff000008704120&gt;] tcp_v4_do_rcv+0x15c/0x22c
[ 6708.994858] [&lt;ffff000008707418&gt;] tcp_v4_rcv+0xaf0/0xb58
[ 6709.000077] [&lt;ffff0000086df784&gt;] ip_local_deliver_finish+0x10c/0x254
[ 6709.006419] [&lt;ffff0000086dfea4&gt;] ip_local_deliver+0xf0/0xfc
[ 6709.011980] [&lt;ffff0000086dfad4&gt;] ip_rcv_finish+0x208/0x3a4
[ 6709.017454] [&lt;ffff0000086e018c&gt;] ip_rcv+0x2dc/0x3c8
[ 6709.022328] [&lt;ffff000008692fc8&gt;] __netif_receive_skb_core+0x2f8/0xa0c
[ 6709.028758] [&lt;ffff000008696068&gt;] __netif_receive_skb+0x38/0x84
[ 6709.034580] [&lt;ffff00000869611c&gt;] netif_receive_skb_internal+0x68/0xdc
[ 6709.041010] [&lt;ffff000008696bc0&gt;] napi_gro_receive+0xcc/0x1a8
[ 6709.046690] [&lt;ffff0000014b0fc4&gt;] nicvf_cq_intr_handler+0x59c/0x730 [nicvf]
[ 6709.053559] [&lt;ffff0000014b1380&gt;] nicvf_poll+0x38/0xb8 [nicvf]
[ 6709.059295] [&lt;ffff000008697a6c&gt;] net_rx_action+0x2f8/0x464
[ 6709.064771] [&lt;ffff000008081824&gt;] __do_softirq+0x11c/0x308
[ 6709.070164] [&lt;ffff0000080d14e4&gt;] irq_exit+0x12c/0x174
[ 6709.075206] [&lt;ffff00000813101c&gt;] __handle_domain_irq+0x78/0xc4
[ 6709.081027] [&lt;ffff000008081608&gt;] gic_handle_irq+0x94/0x190
[ 6709.086501] Exception stack(0xffff81000689fdf0 to 0xffff81000689ff20)
[ 6709.092929] fde0:                                   0000810ff2ec0000 ffff000008c10000
[ 6709.100747] fe00: ffff000008c70ef4 0000000000000001 0000000000000000 ffff810ffbad9b18
[ 6709.108565] fe20: ffff810ffbad9c70 ffff8100169d3800 ffff810006843ab0 ffff81000689fe80
[ 6709.116382] fe40: 0000000000000bd0 0000ffffdf979cd0 183f5913da192500 0000ffff8a254ce4
[ 6709.124200] fe60: 0000ffff8a254b78 0000aaab10339808 0000000000000000 0000ffff8a0c2a50
[ 6709.132018] fe80: 0000ffffdf979b10 ffff000008d6d450 ffff000008c10000 ffff000008d6d000
[ 6709.139836] fea0: 0000000000000054 ffff000008cd3dbc 0000000000000000 0000000000000000
[ 6709.147653] fec0: 0000000000000000 0000000000000000 0000000000000000 ffff81000689ff20
[ 6709.155471] fee0: ffff000008085240 ffff81000689ff20 ffff000008085244 0000000060000145
[ 6709.163289] ff00: ffff81000689ff10 ffff00000813f1e4 ffffffffffffffff ffff00000813f238
[ 6709.171107] [&lt;ffff000008082eb4&gt;] el1_irq+0xb4/0x140
[ 6709.175976] [&lt;ffff000008085244&gt;] arch_cpu_idle+0x44/0x11c
[ 6709.181368] [&lt;ffff0000087bf3b8&gt;] default_idle_call+0x20/0x30
[ 6709.187020] [&lt;ffff000008116d50&gt;] do_idle+0x158/0x1e4
[ 6709.191973] [&lt;ffff000008116ff4&gt;] cpu_startup_entry+0x2c/0x30
[ 6709.197624] [&lt;ffff00000808e7cc&gt;] secondary_start_kernel+0x13c/0x160
[ 6709.203878] [&lt;0000000001bc71c4&gt;] 0x1bc71c4
[ 6709.207967] Code: bad PC value
[ 6709.211061] SMP: stopping secondary CPUs
[ 6709.218830] Starting crashdump kernel...
[ 6709.222749] Bye!
---&lt;-snip&gt;---

Signed-off-by: Vadim Lomovtsev &lt;vlomovts@redhat.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eebe53e87f97975ee58a21693e44797608bf679c upstream.

While running nfs/connectathon tests kernel NULL-pointer exception
has been observed due to races in svcsock.c.

Race is appear when kernel accepts connection by kernel_accept
(which creates new socket) and start queuing ingress packets
to new socket. This happens in ksoftirq context which could run
concurrently on a different core while new socket setup is not done yet.

The fix is to re-order socket user data init sequence and add
write/read barrier calls to be sure that we got proper values
for callback pointers before actually calling them.

Test results: nfs/connectathon reports '0' failed tests for about 200+ iterations.

Crash log:
---&lt;-snip-&gt;---
[ 6708.638984] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 6708.647093] pgd = ffff0000094e0000
[ 6708.650497] [00000000] *pgd=0000010ffff90003, *pud=0000010ffff90003, *pmd=0000010ffff80003, *pte=0000000000000000
[ 6708.660761] Internal error: Oops: 86000005 [#1] SMP
[ 6708.665630] Modules linked in: nfsv3 nfnetlink_queue nfnetlink_log nfnetlink rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache overlay xt_CONNSECMARK xt_SECMARK xt_conntrack iptable_security ip_tables ah4 xfrm4_mode_transport sctp tun binfmt_misc ext4 jbd2 mbcache loop tcp_diag udp_diag inet_diag rpcrdma ib_isert iscsi_target_mod ib_iser rdma_cm iw_cm libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_uverbs ib_umad ib_cm ib_core nls_koi8_u nls_cp932 ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack vfat fat ghash_ce sha2_ce sha1_ce cavium_rng_vf i2c_thunderx sg thunderx_edac i2c_smbus edac_core cavium_rng nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c nicvf nicpf ast i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
[ 6708.736446]  ttm drm i2c_core thunder_bgx thunder_xcv mdio_thunder mdio_cavium dm_mirror dm_region_hash dm_log dm_mod [last unloaded: stap_3c300909c5b3f46dcacd49aab3334af_87021]
[ 6708.752275] CPU: 84 PID: 0 Comm: swapper/84 Tainted: G        W  OE   4.11.0-4.el7.aarch64 #1
[ 6708.760787] Hardware name: www.cavium.com CRB-2S/CRB-2S, BIOS 0.3 Mar 13 2017
[ 6708.767910] task: ffff810006842e80 task.stack: ffff81000689c000
[ 6708.773822] PC is at 0x0
[ 6708.776739] LR is at svc_data_ready+0x38/0x88 [sunrpc]
[ 6708.781866] pc : [&lt;0000000000000000&gt;] lr : [&lt;ffff0000029d7378&gt;] pstate: 60000145
[ 6708.789248] sp : ffff810ffbad3900
[ 6708.792551] x29: ffff810ffbad3900 x28: ffff000008c73d58
[ 6708.797853] x27: 0000000000000000 x26: ffff81000bbe1e00
[ 6708.803156] x25: 0000000000000020 x24: ffff800f7410bf28
[ 6708.808458] x23: ffff000008c63000 x22: ffff000008c63000
[ 6708.813760] x21: ffff800f7410bf28 x20: ffff81000bbe1e00
[ 6708.819063] x19: ffff810012412400 x18: 00000000d82a9df2
[ 6708.824365] x17: 0000000000000000 x16: 0000000000000000
[ 6708.829667] x15: 0000000000000000 x14: 0000000000000001
[ 6708.834969] x13: 0000000000000000 x12: 722e736f622e676e
[ 6708.840271] x11: 00000000f814dd99 x10: 0000000000000000
[ 6708.845573] x9 : 7374687225000000 x8 : 0000000000000000
[ 6708.850875] x7 : 0000000000000000 x6 : 0000000000000000
[ 6708.856177] x5 : 0000000000000028 x4 : 0000000000000000
[ 6708.861479] x3 : 0000000000000000 x2 : 00000000e5000000
[ 6708.866781] x1 : 0000000000000000 x0 : ffff81000bbe1e00
[ 6708.872084]
[ 6708.873565] Process swapper/84 (pid: 0, stack limit = 0xffff81000689c000)
[ 6708.880341] Stack: (0xffff810ffbad3900 to 0xffff8100068a0000)
[ 6708.886075] Call trace:
[ 6708.888513] Exception stack(0xffff810ffbad3710 to 0xffff810ffbad3840)
[ 6708.894942] 3700:                                   ffff810012412400 0001000000000000
[ 6708.902759] 3720: ffff810ffbad3900 0000000000000000 0000000060000145 ffff800f79300000
[ 6708.910577] 3740: ffff000009274d00 00000000000003ea 0000000000000015 ffff000008c63000
[ 6708.918395] 3760: ffff810ffbad3830 ffff800f79300000 000000000000004d 0000000000000000
[ 6708.926212] 3780: ffff810ffbad3890 ffff0000080f88dc ffff800f79300000 000000000000004d
[ 6708.934030] 37a0: ffff800f7930093c ffff000008c63000 0000000000000000 0000000000000140
[ 6708.941848] 37c0: ffff000008c2c000 0000000000040b00 ffff81000bbe1e00 0000000000000000
[ 6708.949665] 37e0: 00000000e5000000 0000000000000000 0000000000000000 0000000000000028
[ 6708.957483] 3800: 0000000000000000 0000000000000000 0000000000000000 7374687225000000
[ 6708.965300] 3820: 0000000000000000 00000000f814dd99 722e736f622e676e 0000000000000000
[ 6708.973117] [&lt;          (null)&gt;]           (null)
[ 6708.977824] [&lt;ffff0000086f9fa4&gt;] tcp_data_queue+0x754/0xc5c
[ 6708.983386] [&lt;ffff0000086fa64c&gt;] tcp_rcv_established+0x1a0/0x67c
[ 6708.989384] [&lt;ffff000008704120&gt;] tcp_v4_do_rcv+0x15c/0x22c
[ 6708.994858] [&lt;ffff000008707418&gt;] tcp_v4_rcv+0xaf0/0xb58
[ 6709.000077] [&lt;ffff0000086df784&gt;] ip_local_deliver_finish+0x10c/0x254
[ 6709.006419] [&lt;ffff0000086dfea4&gt;] ip_local_deliver+0xf0/0xfc
[ 6709.011980] [&lt;ffff0000086dfad4&gt;] ip_rcv_finish+0x208/0x3a4
[ 6709.017454] [&lt;ffff0000086e018c&gt;] ip_rcv+0x2dc/0x3c8
[ 6709.022328] [&lt;ffff000008692fc8&gt;] __netif_receive_skb_core+0x2f8/0xa0c
[ 6709.028758] [&lt;ffff000008696068&gt;] __netif_receive_skb+0x38/0x84
[ 6709.034580] [&lt;ffff00000869611c&gt;] netif_receive_skb_internal+0x68/0xdc
[ 6709.041010] [&lt;ffff000008696bc0&gt;] napi_gro_receive+0xcc/0x1a8
[ 6709.046690] [&lt;ffff0000014b0fc4&gt;] nicvf_cq_intr_handler+0x59c/0x730 [nicvf]
[ 6709.053559] [&lt;ffff0000014b1380&gt;] nicvf_poll+0x38/0xb8 [nicvf]
[ 6709.059295] [&lt;ffff000008697a6c&gt;] net_rx_action+0x2f8/0x464
[ 6709.064771] [&lt;ffff000008081824&gt;] __do_softirq+0x11c/0x308
[ 6709.070164] [&lt;ffff0000080d14e4&gt;] irq_exit+0x12c/0x174
[ 6709.075206] [&lt;ffff00000813101c&gt;] __handle_domain_irq+0x78/0xc4
[ 6709.081027] [&lt;ffff000008081608&gt;] gic_handle_irq+0x94/0x190
[ 6709.086501] Exception stack(0xffff81000689fdf0 to 0xffff81000689ff20)
[ 6709.092929] fde0:                                   0000810ff2ec0000 ffff000008c10000
[ 6709.100747] fe00: ffff000008c70ef4 0000000000000001 0000000000000000 ffff810ffbad9b18
[ 6709.108565] fe20: ffff810ffbad9c70 ffff8100169d3800 ffff810006843ab0 ffff81000689fe80
[ 6709.116382] fe40: 0000000000000bd0 0000ffffdf979cd0 183f5913da192500 0000ffff8a254ce4
[ 6709.124200] fe60: 0000ffff8a254b78 0000aaab10339808 0000000000000000 0000ffff8a0c2a50
[ 6709.132018] fe80: 0000ffffdf979b10 ffff000008d6d450 ffff000008c10000 ffff000008d6d000
[ 6709.139836] fea0: 0000000000000054 ffff000008cd3dbc 0000000000000000 0000000000000000
[ 6709.147653] fec0: 0000000000000000 0000000000000000 0000000000000000 ffff81000689ff20
[ 6709.155471] fee0: ffff000008085240 ffff81000689ff20 ffff000008085244 0000000060000145
[ 6709.163289] ff00: ffff81000689ff10 ffff00000813f1e4 ffffffffffffffff ffff00000813f238
[ 6709.171107] [&lt;ffff000008082eb4&gt;] el1_irq+0xb4/0x140
[ 6709.175976] [&lt;ffff000008085244&gt;] arch_cpu_idle+0x44/0x11c
[ 6709.181368] [&lt;ffff0000087bf3b8&gt;] default_idle_call+0x20/0x30
[ 6709.187020] [&lt;ffff000008116d50&gt;] do_idle+0x158/0x1e4
[ 6709.191973] [&lt;ffff000008116ff4&gt;] cpu_startup_entry+0x2c/0x30
[ 6709.197624] [&lt;ffff00000808e7cc&gt;] secondary_start_kernel+0x13c/0x160
[ 6709.203878] [&lt;0000000001bc71c4&gt;] 0x1bc71c4
[ 6709.207967] Code: bad PC value
[ 6709.211061] SMP: stopping secondary CPUs
[ 6709.218830] Starting crashdump kernel...
[ 6709.222749] Bye!
---&lt;-snip&gt;---

Signed-off-by: Vadim Lomovtsev &lt;vlomovts@redhat.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: sched: fix NULL pointer dereference when action calls some targets</title>
<updated>2017-08-30T08:21:42+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2017-08-18T03:01:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3e00bf91fefced104ba91721674efe4502cb416a'/>
<id>3e00bf91fefced104ba91721674efe4502cb416a</id>
<content type='text'>
[ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ]

As we know in some target's checkentry it may dereference par.entryinfo
to check entry stuff inside. But when sched action calls xt_check_target,
par.entryinfo is set with NULL. It would cause kernel panic when calling
some targets.

It can be reproduce with:
  # tc qd add dev eth1 ingress handle ffff:
  # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
    -j ECN --ecn-tcp-remove

It could also crash kernel when using target CLUSTERIP or TPROXY.

By now there's no proper value for par.entryinfo in ipt_init_target,
but it can not be set with NULL. This patch is to void all these
panics by setting it with an ipt_entry obj with all members = 0.

Note that this issue has been there since the very beginning.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ]

As we know in some target's checkentry it may dereference par.entryinfo
to check entry stuff inside. But when sched action calls xt_check_target,
par.entryinfo is set with NULL. It would cause kernel panic when calling
some targets.

It can be reproduce with:
  # tc qd add dev eth1 ingress handle ffff:
  # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
    -j ECN --ecn-tcp-remove

It could also crash kernel when using target CLUSTERIP or TPROXY.

By now there's no proper value for par.entryinfo in ipt_init_target,
but it can not be set with NULL. This patch is to void all these
panics by setting it with an ipt_entry obj with all members = 0.

Note that this issue has been there since the very beginning.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irda: do not leak initialized list.dev to userspace</title>
<updated>2017-08-30T08:21:42+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2017-08-17T22:14:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f3f5bf2755c75d43930aab28f1affd0602e6fd27'/>
<id>f3f5bf2755c75d43930aab28f1affd0602e6fd27</id>
<content type='text'>
[ Upstream commit b024d949a3c24255a7ef1a470420eb478949aa4c ]

list.dev has not been initialized and so the copy_to_user is copying
data from the stack back to user space which is a potential
information leak. Fix this ensuring all of list is initialized to
zero.

Detected by CoverityScan, CID#1357894 ("Uninitialized scalar variable")

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b024d949a3c24255a7ef1a470420eb478949aa4c ]

list.dev has not been initialized and so the copy_to_user is copying
data from the stack back to user space which is a potential
information leak. Fix this ensuring all of list is initialized to
zero.

Detected by CoverityScan, CID#1357894 ("Uninitialized scalar variable")

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP</title>
<updated>2017-08-30T08:21:42+00:00</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2017-08-16T21:53:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=aadbe1fe91e785c95f12308b1e1589cfb3984984'/>
<id>aadbe1fe91e785c95f12308b1e1589cfb3984984</id>
<content type='text'>
[ Upstream commit cdbeb633ca71a02b7b63bfeb94994bf4e1a0b894 ]

In some situations tcp_send_loss_probe() can realize that it's unable
to send a loss probe (TLP), and falls back to calling tcp_rearm_rto()
to schedule an RTO timer. In such cases, sometimes tcp_rearm_rto()
realizes that the RTO was eligible to fire immediately or at some
point in the past (delta_us &lt;= 0). Previously in such cases
tcp_rearm_rto() was scheduling such "overdue" RTOs to happen at now +
icsk_rto, which caused needless delays of hundreds of milliseconds
(and non-linear behavior that made reproducible testing
difficult). This commit changes the logic to schedule "overdue" RTOs
ASAP, rather than at now + icsk_rto.

Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
Suggested-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cdbeb633ca71a02b7b63bfeb94994bf4e1a0b894 ]

In some situations tcp_send_loss_probe() can realize that it's unable
to send a loss probe (TLP), and falls back to calling tcp_rearm_rto()
to schedule an RTO timer. In such cases, sometimes tcp_rearm_rto()
realizes that the RTO was eligible to fire immediately or at some
point in the past (delta_us &lt;= 0). Previously in such cases
tcp_rearm_rto() was scheduling such "overdue" RTOs to happen at now +
icsk_rto, which caused needless delays of hundreds of milliseconds
(and non-linear behavior that made reproducible testing
difficult). This commit changes the logic to schedule "overdue" RTOs
ASAP, rather than at now + icsk_rto.

Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
Suggested-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: repair fib6 tree in failure case</title>
<updated>2017-08-30T08:21:41+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-19T00:14:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c18f93675202d2327932dbfc060e67796238d89'/>
<id>1c18f93675202d2327932dbfc060e67796238d89</id>
<content type='text'>
[ Upstream commit 348a4002729ccab8b888b38cbc099efa2f2a2036 ]

In fib6_add(), it is possible that fib6_add_1() picks an intermediate
node and sets the node's fn-&gt;leaf to NULL in order to add this new
route. However, if fib6_add_rt2node() fails to add the new
route for some reason, fn-&gt;leaf will be left as NULL and could
potentially cause crash when fn-&gt;leaf is accessed in fib6_locate().
This patch makes sure fib6_repair_tree() is called to properly repair
fn-&gt;leaf in the above failure case.

Here is the syzkaller reported general protection fault in fib6_locate:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 40937 Comm: syz-executor3 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7d64100 ti: ffff8801d01a0000 task.ti: ffff8801d01a0000
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] __ipv6_prefix_equal64_half include/net/ipv6.h:475 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] ipv6_prefix_equal include/net/ipv6.h:492 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate_1 net/ipv6/ip6_fib.c:1210 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate+0x281/0x3c0 net/ipv6/ip6_fib.c:1233
RSP: 0018:ffff8801d01a36a8  EFLAGS: 00010202
RAX: 0000000000000020 RBX: ffff8801bc790e00 RCX: ffffc90002983000
RDX: 0000000000001219 RSI: ffff8801d01a37a0 RDI: 0000000000000100
RBP: ffff8801d01a36f0 R08: 00000000000000ff R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8801d01a37a0 R15: 0000000000000000
FS:  00007f6afd68c700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6340 CR3: 00000000ba41f000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d01a37a8 ffff8801d01a3780 ffffed003a0346f5 0000000c82a23ea0
 ffff8800b7bd7700 ffff8801d01a3780 ffff8800b6a1c940 ffffffff82a23ea0
 ffff8801d01a3920 ffff8801d01a3748 ffffffff82a223d6 ffff8801d7d64988
Call Trace:
 [&lt;ffffffff82a223d6&gt;] ip6_route_del+0x106/0x570 net/ipv6/route.c:2109
 [&lt;ffffffff82a23f9d&gt;] inet6_rtm_delroute+0xfd/0x100 net/ipv6/route.c:3075
 [&lt;ffffffff82621359&gt;] rtnetlink_rcv_msg+0x549/0x7a0 net/core/rtnetlink.c:3450
 [&lt;ffffffff8274c1d1&gt;] netlink_rcv_skb+0x141/0x370 net/netlink/af_netlink.c:2281
 [&lt;ffffffff82613ddf&gt;] rtnetlink_rcv+0x2f/0x40 net/core/rtnetlink.c:3456
 [&lt;ffffffff8274ad38&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1206 [inline]
 [&lt;ffffffff8274ad38&gt;] netlink_unicast+0x518/0x750 net/netlink/af_netlink.c:1232
 [&lt;ffffffff8274b83e&gt;] netlink_sendmsg+0x8ce/0xc30 net/netlink/af_netlink.c:1778
 [&lt;ffffffff82564aff&gt;] sock_sendmsg_nosec net/socket.c:609 [inline]
 [&lt;ffffffff82564aff&gt;] sock_sendmsg+0xcf/0x110 net/socket.c:619
 [&lt;ffffffff82564d62&gt;] sock_write_iter+0x222/0x3a0 net/socket.c:834
 [&lt;ffffffff8178523d&gt;] new_sync_write+0x1dd/0x2b0 fs/read_write.c:478
 [&lt;ffffffff817853f4&gt;] __vfs_write+0xe4/0x110 fs/read_write.c:491
 [&lt;ffffffff81786c38&gt;] vfs_write+0x178/0x4b0 fs/read_write.c:538
 [&lt;ffffffff817892a9&gt;] SYSC_write fs/read_write.c:585 [inline]
 [&lt;ffffffff817892a9&gt;] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [&lt;ffffffff82c71e32&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Note: there is no "Fixes" tag as this seems to be a bug introduced
very early.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 348a4002729ccab8b888b38cbc099efa2f2a2036 ]

In fib6_add(), it is possible that fib6_add_1() picks an intermediate
node and sets the node's fn-&gt;leaf to NULL in order to add this new
route. However, if fib6_add_rt2node() fails to add the new
route for some reason, fn-&gt;leaf will be left as NULL and could
potentially cause crash when fn-&gt;leaf is accessed in fib6_locate().
This patch makes sure fib6_repair_tree() is called to properly repair
fn-&gt;leaf in the above failure case.

Here is the syzkaller reported general protection fault in fib6_locate:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 40937 Comm: syz-executor3 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7d64100 ti: ffff8801d01a0000 task.ti: ffff8801d01a0000
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] __ipv6_prefix_equal64_half include/net/ipv6.h:475 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] ipv6_prefix_equal include/net/ipv6.h:492 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate_1 net/ipv6/ip6_fib.c:1210 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate+0x281/0x3c0 net/ipv6/ip6_fib.c:1233
RSP: 0018:ffff8801d01a36a8  EFLAGS: 00010202
RAX: 0000000000000020 RBX: ffff8801bc790e00 RCX: ffffc90002983000
RDX: 0000000000001219 RSI: ffff8801d01a37a0 RDI: 0000000000000100
RBP: ffff8801d01a36f0 R08: 00000000000000ff R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8801d01a37a0 R15: 0000000000000000
FS:  00007f6afd68c700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6340 CR3: 00000000ba41f000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d01a37a8 ffff8801d01a3780 ffffed003a0346f5 0000000c82a23ea0
 ffff8800b7bd7700 ffff8801d01a3780 ffff8800b6a1c940 ffffffff82a23ea0
 ffff8801d01a3920 ffff8801d01a3748 ffffffff82a223d6 ffff8801d7d64988
Call Trace:
 [&lt;ffffffff82a223d6&gt;] ip6_route_del+0x106/0x570 net/ipv6/route.c:2109
 [&lt;ffffffff82a23f9d&gt;] inet6_rtm_delroute+0xfd/0x100 net/ipv6/route.c:3075
 [&lt;ffffffff82621359&gt;] rtnetlink_rcv_msg+0x549/0x7a0 net/core/rtnetlink.c:3450
 [&lt;ffffffff8274c1d1&gt;] netlink_rcv_skb+0x141/0x370 net/netlink/af_netlink.c:2281
 [&lt;ffffffff82613ddf&gt;] rtnetlink_rcv+0x2f/0x40 net/core/rtnetlink.c:3456
 [&lt;ffffffff8274ad38&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1206 [inline]
 [&lt;ffffffff8274ad38&gt;] netlink_unicast+0x518/0x750 net/netlink/af_netlink.c:1232
 [&lt;ffffffff8274b83e&gt;] netlink_sendmsg+0x8ce/0xc30 net/netlink/af_netlink.c:1778
 [&lt;ffffffff82564aff&gt;] sock_sendmsg_nosec net/socket.c:609 [inline]
 [&lt;ffffffff82564aff&gt;] sock_sendmsg+0xcf/0x110 net/socket.c:619
 [&lt;ffffffff82564d62&gt;] sock_write_iter+0x222/0x3a0 net/socket.c:834
 [&lt;ffffffff8178523d&gt;] new_sync_write+0x1dd/0x2b0 fs/read_write.c:478
 [&lt;ffffffff817853f4&gt;] __vfs_write+0xe4/0x110 fs/read_write.c:491
 [&lt;ffffffff81786c38&gt;] vfs_write+0x178/0x4b0 fs/read_write.c:538
 [&lt;ffffffff817892a9&gt;] SYSC_write fs/read_write.c:585 [inline]
 [&lt;ffffffff817892a9&gt;] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [&lt;ffffffff82c71e32&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Note: there is no "Fixes" tag as this seems to be a bug introduced
very early.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: reset fn-&gt;rr_ptr when replacing route</title>
<updated>2017-08-30T08:21:41+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-16T18:18:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=62e9a28baa283a510d31cecc157d9e4270ca3126'/>
<id>62e9a28baa283a510d31cecc157d9e4270ca3126</id>
<content type='text'>
[ Upstream commit 383143f31d7d3525a1dbff733d52fff917f82f15 ]

syzcaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [&lt;ffffffff81ca384d&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81ca384d&gt;] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [&lt;ffffffff81735751&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff817359c4&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff817359c4&gt;] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [&lt;ffffffff81735d93&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81735d93&gt;] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [&lt;ffffffff82a28e39&gt;] rt6_select net/ipv6/route.c:755 [inline]
 [&lt;ffffffff82a28e39&gt;] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [&lt;ffffffff82a28fb1&gt;] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [&lt;ffffffff82ab0a50&gt;] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [&lt;ffffffff8265cbb6&gt;] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [&lt;ffffffff82ab1430&gt;] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [&lt;ffffffff82a22006&gt;] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [&lt;ffffffff829e83d2&gt;] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [&lt;ffffffff829e889a&gt;] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [&lt;ffffffff82a9f7d8&gt;] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [&lt;ffffffff82aa0978&gt;] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [&lt;ffffffff82aa0978&gt;] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [&lt;ffffffff82aa1313&gt;] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [&lt;ffffffff8292f790&gt;] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [&lt;ffffffff82565547&gt;] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [&lt;ffffffff8256a649&gt;] SyS_connect+0x29/0x30 net/socket.c:1563
 [&lt;ffffffff82c72032&gt;] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an
existing route with the new one, it does not update fn-&gt;rr_ptr.
This commit resets fn-&gt;rr_ptr to NULL when it points to a route which is
replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 383143f31d7d3525a1dbff733d52fff917f82f15 ]

syzcaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [&lt;ffffffff81ca384d&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81ca384d&gt;] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [&lt;ffffffff81735751&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff817359c4&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff817359c4&gt;] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [&lt;ffffffff81735d93&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81735d93&gt;] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [&lt;ffffffff82a28e39&gt;] rt6_select net/ipv6/route.c:755 [inline]
 [&lt;ffffffff82a28e39&gt;] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [&lt;ffffffff82a28fb1&gt;] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [&lt;ffffffff82ab0a50&gt;] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [&lt;ffffffff8265cbb6&gt;] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [&lt;ffffffff82ab1430&gt;] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [&lt;ffffffff82a22006&gt;] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [&lt;ffffffff829e83d2&gt;] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [&lt;ffffffff829e889a&gt;] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [&lt;ffffffff82a9f7d8&gt;] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [&lt;ffffffff82aa0978&gt;] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [&lt;ffffffff82aa0978&gt;] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [&lt;ffffffff82aa1313&gt;] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [&lt;ffffffff8292f790&gt;] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [&lt;ffffffff82565547&gt;] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [&lt;ffffffff8256a649&gt;] SyS_connect+0x29/0x30 net/socket.c:1563
 [&lt;ffffffff82c72032&gt;] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an
existing route with the new one, it does not update fn-&gt;rr_ptr.
This commit resets fn-&gt;rr_ptr to NULL when it points to a route which is
replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
