<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/ipv4, branch v4.5-rc3</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2016-02-01T23:56:08+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2016-02-01T23:56:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=34229b277480f46c1e9a19f027f30b074512e68b'/>
<id>34229b277480f46c1e9a19f027f30b074512e68b</id>
<content type='text'>
Pull networking fixes from David Miller:
 "This looks like a lot but it's a mixture of regression fixes as well
  as fixes for longer standing issues.

   1) Fix on-channel cancellation in mac80211, from Johannes Berg.

   2) Handle CHECKSUM_COMPLETE properly in xt_TCPMSS netfilter xtables
      module, from Eric Dumazet.

   3) Avoid infinite loop in UDP SO_REUSEPORT logic, also from Eric
      Dumazet.

   4) Avoid a NULL deref if we try to set SO_REUSEPORT after a socket is
      bound, from Craig Gallek.

   5) GRO key comparisons don't take lightweight tunnels into account,
      from Jesse Gross.

   6) Fix struct pid leak via SCM credentials in AF_UNIX, from Eric
      Dumazet.

   7) We need to set the rtnl_link_ops of ipv6 SIT tunnels before we
      register them, otherwise the NEWLINK netlink message is missing
      the proper attributes.  From Thadeu Lima de Souza Cascardo.

   8) Several Spectrum chip bug fixes for mlxsw switch driver, from Ido
      Schimmel

   9) Handle fragments properly in ipv4 easly socket demux, from Eric
      Dumazet.

  10) Don't ignore the ifindex key specifier on ipv6 output route
      lookups, from Paolo Abeni"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (128 commits)
  tcp: avoid cwnd undo after receiving ECN
  irda: fix a potential use-after-free in ircomm_param_request
  net: tg3: avoid uninitialized variable warning
  net: nb8800: avoid uninitialized variable warning
  net: vxge: avoid unused function warnings
  net: bgmac: clarify CONFIG_BCMA dependency
  net: hp100: remove unnecessary #ifdefs
  net: davinci_cpdma: use dma_addr_t for DMA address
  ipv6/udp: use sticky pktinfo egress ifindex on connect()
  ipv6: enforce flowi6_oif usage in ip6_dst_lookup_tail()
  netlink: not trim skb for mmaped socket when dump
  vxlan: fix a out of bounds access in __vxlan_find_mac
  net: dsa: mv88e6xxx: fix port VLAN maps
  fib_trie: Fix shift by 32 in fib_table_lookup
  net: moxart: use correct accessors for DMA memory
  ipv4: ipconfig: avoid unused ic_proto_used symbol
  bnxt_en: Fix crash in bnxt_free_tx_skbs() during tx timeout.
  bnxt_en: Exclude rx_drop_pkts hw counter from the stack's rx_dropped counter.
  bnxt_en: Ring free response from close path should use completion ring
  net_sched: drr: check for NULL pointer in drr_dequeue
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull networking fixes from David Miller:
 "This looks like a lot but it's a mixture of regression fixes as well
  as fixes for longer standing issues.

   1) Fix on-channel cancellation in mac80211, from Johannes Berg.

   2) Handle CHECKSUM_COMPLETE properly in xt_TCPMSS netfilter xtables
      module, from Eric Dumazet.

   3) Avoid infinite loop in UDP SO_REUSEPORT logic, also from Eric
      Dumazet.

   4) Avoid a NULL deref if we try to set SO_REUSEPORT after a socket is
      bound, from Craig Gallek.

   5) GRO key comparisons don't take lightweight tunnels into account,
      from Jesse Gross.

   6) Fix struct pid leak via SCM credentials in AF_UNIX, from Eric
      Dumazet.

   7) We need to set the rtnl_link_ops of ipv6 SIT tunnels before we
      register them, otherwise the NEWLINK netlink message is missing
      the proper attributes.  From Thadeu Lima de Souza Cascardo.

   8) Several Spectrum chip bug fixes for mlxsw switch driver, from Ido
      Schimmel

   9) Handle fragments properly in ipv4 easly socket demux, from Eric
      Dumazet.

  10) Don't ignore the ifindex key specifier on ipv6 output route
      lookups, from Paolo Abeni"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (128 commits)
  tcp: avoid cwnd undo after receiving ECN
  irda: fix a potential use-after-free in ircomm_param_request
  net: tg3: avoid uninitialized variable warning
  net: nb8800: avoid uninitialized variable warning
  net: vxge: avoid unused function warnings
  net: bgmac: clarify CONFIG_BCMA dependency
  net: hp100: remove unnecessary #ifdefs
  net: davinci_cpdma: use dma_addr_t for DMA address
  ipv6/udp: use sticky pktinfo egress ifindex on connect()
  ipv6: enforce flowi6_oif usage in ip6_dst_lookup_tail()
  netlink: not trim skb for mmaped socket when dump
  vxlan: fix a out of bounds access in __vxlan_find_mac
  net: dsa: mv88e6xxx: fix port VLAN maps
  fib_trie: Fix shift by 32 in fib_table_lookup
  net: moxart: use correct accessors for DMA memory
  ipv4: ipconfig: avoid unused ic_proto_used symbol
  bnxt_en: Fix crash in bnxt_free_tx_skbs() during tx timeout.
  bnxt_en: Exclude rx_drop_pkts hw counter from the stack's rx_dropped counter.
  bnxt_en: Ring free response from close path should use completion ring
  net_sched: drr: check for NULL pointer in drr_dequeue
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: avoid cwnd undo after receiving ECN</title>
<updated>2016-01-30T07:03:56+00:00</updated>
<author>
<name>Yuchung Cheng</name>
<email>ycheng@google.com</email>
</author>
<published>2016-01-29T23:11:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=99b4dd9f2423130875ac486fe587cd103c64f753'/>
<id>99b4dd9f2423130875ac486fe587cd103c64f753</id>
<content type='text'>
RFC 4015 section 3.4 says the TCP sender MUST refrain from
reversing the congestion control state when the ACK signals
congestion through the ECN-Echo flag. Currently we may not
always do that when prior_ssthresh is reset upon receiving
ACKs with ECE marks. This patch fixes that.

Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
RFC 4015 section 3.4 says the TCP sender MUST refrain from
reversing the congestion control state when the ACK signals
congestion through the ECN-Echo flag. Currently we may not
always do that when prior_ssthresh is reset upon receiving
ACKs with ECE marks. This patch fixes that.

Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fib_trie: Fix shift by 32 in fib_table_lookup</title>
<updated>2016-01-30T03:41:00+00:00</updated>
<author>
<name>Alexander Duyck</name>
<email>aduyck@mirantis.com</email>
</author>
<published>2016-01-28T21:42:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a5829f536b3d11a57617e83d4bcb2b7d70671e98'/>
<id>a5829f536b3d11a57617e83d4bcb2b7d70671e98</id>
<content type='text'>
The fib_table_lookup function had a shift by 32 that triggered a UBSAN
warning.  This was due to the fact that I had placed the shift first and
then followed it with the check for the suffix length to ignore the
undefined behavior.  If we reorder this so that we verify the suffix is
less than 32 before shifting the value we can avoid the issue.

Reported-by: Toralf Förster &lt;toralf.foerster@gmx.de&gt;
Signed-off-by: Alexander Duyck &lt;aduyck@mirantis.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The fib_table_lookup function had a shift by 32 that triggered a UBSAN
warning.  This was due to the fact that I had placed the shift first and
then followed it with the check for the suffix length to ignore the
undefined behavior.  If we reorder this so that we verify the suffix is
less than 32 before shifting the value we can avoid the issue.

Reported-by: Toralf Förster &lt;toralf.foerster@gmx.de&gt;
Signed-off-by: Alexander Duyck &lt;aduyck@mirantis.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: ipconfig: avoid unused ic_proto_used symbol</title>
<updated>2016-01-30T03:39:09+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2016-01-28T16:39:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=52b79e2bdf92b07b37c805c50811eaf69a33683d'/>
<id>52b79e2bdf92b07b37c805c50811eaf69a33683d</id>
<content type='text'>
When CONFIG_PROC_FS, CONFIG_IP_PNP_BOOTP, CONFIG_IP_PNP_DHCP and
CONFIG_IP_PNP_RARP are all disabled, we get a warning about the
ic_proto_used variable being unused:

net/ipv4/ipconfig.c:146:12: error: 'ic_proto_used' defined but not used [-Werror=unused-variable]

This avoids the warning, by making the definition conditional on
whether a dynamic IP configuration protocol is configured. If not,
we know that the value is always zero, so we can optimize away the
variable and all code that depends on it.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When CONFIG_PROC_FS, CONFIG_IP_PNP_BOOTP, CONFIG_IP_PNP_DHCP and
CONFIG_IP_PNP_RARP are all disabled, we get a warning about the
ic_proto_used variable being unused:

net/ipv4/ipconfig.c:146:12: error: 'ic_proto_used' defined but not used [-Werror=unused-variable]

This avoids the warning, by making the definition conditional on
whether a dynamic IP configuration protocol is configured. If not,
we know that the value is always zero, so we can optimize away the
variable and all code that depends on it.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: early demux should be aware of fragments</title>
<updated>2016-01-29T20:14:20+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-01-27T00:59:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=63e51b6a24f1bee5363056b7aee3a468b12c546b'/>
<id>63e51b6a24f1bee5363056b7aee3a468b12c546b</id>
<content type='text'>
We should not assume a valid protocol header is present,
as this is not the case for IPv4 fragments.

Lets avoid extra cache line misses and potential bugs
if we actually find a socket and incorrectly uses its dst.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We should not assume a valid protocol header is present,
as this is not the case for IPv4 fragments.

Lets avoid extra cache line misses and potential bugs
if we actually find a socket and incorrectly uses its dst.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: beware of alignments in tcp_get_info()</title>
<updated>2016-01-29T06:49:30+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-01-27T18:52:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ff5d749772018602c47509bdc0093ff72acd82ec'/>
<id>ff5d749772018602c47509bdc0093ff72acd82ec</id>
<content type='text'>
With some combinations of user provided flags in netlink command,
it is possible to call tcp_get_info() with a buffer that is not 8-bytes
aligned.

It does matter on some arches, so we need to use put_unaligned() to
store the u64 fields.

Current iproute2 package does not trigger this particular issue.

Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
Fixes: 977cb0ecf82e ("tcp: add pacing_rate information into tcp_info")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With some combinations of user provided flags in netlink command,
it is possible to call tcp_get_info() with a buffer that is not 8-bytes
aligned.

It does matter on some arches, so we need to use put_unaligned() to
store the u64 fields.

Current iproute2 package does not trigger this particular issue.

Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
Fixes: 977cb0ecf82e ("tcp: add pacing_rate information into tcp_info")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix tcp_mark_head_lost to check skb len before fragmenting</title>
<updated>2016-01-29T00:02:48+00:00</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2016-01-25T22:01:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d88270eef4b56bd7973841dd1fed387ccfa83709'/>
<id>d88270eef4b56bd7973841dd1fed387ccfa83709</id>
<content type='text'>
This commit fixes a corner case in tcp_mark_head_lost() which was
causing the WARN_ON(len &gt; skb-&gt;len) in tcp_fragment() to fire.

tcp_mark_head_lost() was assuming that if a packet has
tcp_skb_pcount(skb) of N, then it's safe to fragment off a prefix of
M*mss bytes, for any M &lt; N. But with the tricky way TCP pcounts are
maintained, this is not always true.

For example, suppose the sender sends 4 1-byte packets and have the
last 3 packet sacked. It will merge the last 3 packets in the write
queue into an skb with pcount = 3 and len = 3 bytes. If another
recovery happens after a sack reneging event, tcp_mark_head_lost()
may attempt to split the skb assuming it has more than 2*MSS bytes.

This sounds very counterintuitive, but as the commit description for
the related commit c0638c247f55 ("tcp: don't fragment SACKed skbs in
tcp_mark_head_lost()") notes, this is because tcp_shifted_skb()
coalesces adjacent regions of SACKed skbs, and when doing this it
preserves the sum of their packet counts in order to reflect the
real-world dynamics on the wire. The c0638c247f55 commit tried to
avoid problems by not fragmenting SACKed skbs, since SACKed skbs are
where the non-proportionality between pcount and skb-&gt;len/mss is known
to be possible. However, that commit did not handle the case where
during a reneging event one of these weird SACKed skbs becomes an
un-SACKed skb, which tcp_mark_head_lost() can then try to fragment.

The fix is to simply mark the entire skb lost when this happens.
This makes the recovery slightly more aggressive in such corner
cases before we detect reordering. But once we detect reordering
this code path is by-passed because FACK is disabled.

Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This commit fixes a corner case in tcp_mark_head_lost() which was
causing the WARN_ON(len &gt; skb-&gt;len) in tcp_fragment() to fire.

tcp_mark_head_lost() was assuming that if a packet has
tcp_skb_pcount(skb) of N, then it's safe to fragment off a prefix of
M*mss bytes, for any M &lt; N. But with the tricky way TCP pcounts are
maintained, this is not always true.

For example, suppose the sender sends 4 1-byte packets and have the
last 3 packet sacked. It will merge the last 3 packets in the write
queue into an skb with pcount = 3 and len = 3 bytes. If another
recovery happens after a sack reneging event, tcp_mark_head_lost()
may attempt to split the skb assuming it has more than 2*MSS bytes.

This sounds very counterintuitive, but as the commit description for
the related commit c0638c247f55 ("tcp: don't fragment SACKed skbs in
tcp_mark_head_lost()") notes, this is because tcp_shifted_skb()
coalesces adjacent regions of SACKed skbs, and when doing this it
preserves the sum of their packet counts in order to reflect the
real-world dynamics on the wire. The c0638c247f55 commit tried to
avoid problems by not fragmenting SACKed skbs, since SACKed skbs are
where the non-proportionality between pcount and skb-&gt;len/mss is known
to be possible. However, that commit did not handle the case where
during a reneging event one of these weird SACKed skbs becomes an
un-SACKed skb, which tcp_mark_head_lost() can then try to fragment.

The fix is to simply mark the entire skb lost when this happens.
This makes the recovery slightly more aggressive in such corner
cases before we detect reordering. But once we detect reordering
this code path is by-passed because FACK is disabled.

Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>inet: frag: Always orphan skbs inside ip_defrag()</title>
<updated>2016-01-29T00:00:46+00:00</updated>
<author>
<name>Joe Stringer</name>
<email>joe@ovn.org</email>
</author>
<published>2016-01-22T23:49:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8282f27449bf15548cb82c77b6e04ee0ab827bdc'/>
<id>8282f27449bf15548cb82c77b6e04ee0ab827bdc</id>
<content type='text'>
Later parts of the stack (including fragmentation) expect that there is
never a socket attached to frag in a frag_list, however this invariant
was not enforced on all defrag paths. This could lead to the
BUG_ON(skb-&gt;sk) during ip_do_fragment(), as per the call stack at the
end of this commit message.

While the call could be added to openvswitch to fix this particular
error, the head and tail of the frags list are already orphaned
indirectly inside ip_defrag(), so it seems like the remaining fragments
should all be orphaned in all circumstances.

kernel BUG at net/ipv4/ip_output.c:586!
[...]
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa0205270&gt;] ? do_output.isra.29+0x1b0/0x1b0 [openvswitch]
 [&lt;ffffffffa02167a7&gt;] ovs_fragment+0xcc/0x214 [openvswitch]
 [&lt;ffffffff81667830&gt;] ? dst_discard_out+0x20/0x20
 [&lt;ffffffff81667810&gt;] ? dst_ifdown+0x80/0x80
 [&lt;ffffffffa0212072&gt;] ? find_bucket.isra.2+0x62/0x70 [openvswitch]
 [&lt;ffffffff810e0ba5&gt;] ? mod_timer_pending+0x65/0x210
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffffa03205a2&gt;] ? nf_conntrack_in+0x252/0x500 [nf_conntrack]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa02051a3&gt;] do_output.isra.29+0xe3/0x1b0 [openvswitch]
 [&lt;ffffffffa0206411&gt;] do_execute_actions+0xe11/0x11f0 [openvswitch]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa0206822&gt;] ovs_execute_actions+0x32/0xd0 [openvswitch]
 [&lt;ffffffffa020b505&gt;] ovs_dp_process_packet+0x85/0x140 [openvswitch]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa02068a2&gt;] ovs_execute_actions+0xb2/0xd0 [openvswitch]
 [&lt;ffffffffa020b505&gt;] ovs_dp_process_packet+0x85/0x140 [openvswitch]
 [&lt;ffffffffa0215019&gt;] ? ovs_ct_get_labels+0x49/0x80 [openvswitch]
 [&lt;ffffffffa0213a1d&gt;] ovs_vport_receive+0x5d/0xa0 [openvswitch]
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffffa0214895&gt;] ? internal_dev_xmit+0x5/0x140 [openvswitch]
 [&lt;ffffffffa02148fc&gt;] internal_dev_xmit+0x6c/0x140 [openvswitch]
 [&lt;ffffffffa0214895&gt;] ? internal_dev_xmit+0x5/0x140 [openvswitch]
 [&lt;ffffffff81660299&gt;] dev_hard_start_xmit+0x2b9/0x5e0
 [&lt;ffffffff8165fc21&gt;] ? netif_skb_features+0xd1/0x1f0
 [&lt;ffffffff81660f20&gt;] __dev_queue_xmit+0x800/0x930
 [&lt;ffffffff81660770&gt;] ? __dev_queue_xmit+0x50/0x930
 [&lt;ffffffff810b53f1&gt;] ? mark_held_locks+0x71/0x90
 [&lt;ffffffff81669876&gt;] ? neigh_resolve_output+0x106/0x220
 [&lt;ffffffff81661060&gt;] dev_queue_xmit+0x10/0x20
 [&lt;ffffffff816698e8&gt;] neigh_resolve_output+0x178/0x220
 [&lt;ffffffff816a8e6f&gt;] ? ip_finish_output2+0x1ff/0x590
 [&lt;ffffffff816a8e6f&gt;] ip_finish_output2+0x1ff/0x590
 [&lt;ffffffff816a8cee&gt;] ? ip_finish_output2+0x7e/0x590
 [&lt;ffffffff816a9a31&gt;] ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a8c70&gt;] ? ip_copy_metadata+0x1b0/0x1b0
 [&lt;ffffffff816a9ae3&gt;] ip_fragment.constprop.49+0x43/0x80
 [&lt;ffffffff816a9c9c&gt;] ip_finish_output+0x17c/0x340
 [&lt;ffffffff8169a6f4&gt;] ? nf_hook_slow+0xe4/0x190
 [&lt;ffffffff816ab4c0&gt;] ip_output+0x70/0x110
 [&lt;ffffffff816a9b20&gt;] ? ip_fragment.constprop.49+0x80/0x80
 [&lt;ffffffff816aa9f9&gt;] ip_local_out+0x39/0x70
 [&lt;ffffffff816abf89&gt;] ip_send_skb+0x19/0x40
 [&lt;ffffffff816abfe3&gt;] ip_push_pending_frames+0x33/0x40
 [&lt;ffffffff816df21a&gt;] icmp_push_reply+0xea/0x120
 [&lt;ffffffff816df93d&gt;] icmp_reply.constprop.23+0x1ed/0x230
 [&lt;ffffffff816df9ce&gt;] icmp_echo.part.21+0x4e/0x50
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffff810d5f9e&gt;] ? rcu_read_lock_held+0x5e/0x70
 [&lt;ffffffff816dfa06&gt;] icmp_echo+0x36/0x70
 [&lt;ffffffff816e0d11&gt;] icmp_rcv+0x271/0x450
 [&lt;ffffffff816a4ca7&gt;] ip_local_deliver_finish+0x127/0x3a0
 [&lt;ffffffff816a4bc1&gt;] ? ip_local_deliver_finish+0x41/0x3a0
 [&lt;ffffffff816a5160&gt;] ip_local_deliver+0x60/0xd0
 [&lt;ffffffff816a4b80&gt;] ? ip_rcv_finish+0x560/0x560
 [&lt;ffffffff816a46fd&gt;] ip_rcv_finish+0xdd/0x560
 [&lt;ffffffff816a5453&gt;] ip_rcv+0x283/0x3e0
 [&lt;ffffffff810b6302&gt;] ? match_held_lock+0x192/0x200
 [&lt;ffffffff816a4620&gt;] ? inet_del_offload+0x40/0x40
 [&lt;ffffffff8165d062&gt;] __netif_receive_skb_core+0x392/0xae0
 [&lt;ffffffff8165e68e&gt;] ? process_backlog+0x8e/0x230
 [&lt;ffffffff810b53f1&gt;] ? mark_held_locks+0x71/0x90
 [&lt;ffffffff8165d7c8&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff8165e678&gt;] process_backlog+0x78/0x230
 [&lt;ffffffff8165e6dd&gt;] ? process_backlog+0xdd/0x230
 [&lt;ffffffff8165e355&gt;] net_rx_action+0x155/0x400
 [&lt;ffffffff8106b48c&gt;] __do_softirq+0xcc/0x420
 [&lt;ffffffff816a8e87&gt;] ? ip_finish_output2+0x217/0x590
 [&lt;ffffffff8178e78c&gt;] do_softirq_own_stack+0x1c/0x30
 &lt;EOI&gt;
 [&lt;ffffffff8106b88e&gt;] do_softirq+0x4e/0x60
 [&lt;ffffffff8106b948&gt;] __local_bh_enable_ip+0xa8/0xb0
 [&lt;ffffffff816a8eb0&gt;] ip_finish_output2+0x240/0x590
 [&lt;ffffffff816a9a31&gt;] ? ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a9a31&gt;] ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a8c70&gt;] ? ip_copy_metadata+0x1b0/0x1b0
 [&lt;ffffffff816a9ae3&gt;] ip_fragment.constprop.49+0x43/0x80
 [&lt;ffffffff816a9c9c&gt;] ip_finish_output+0x17c/0x340
 [&lt;ffffffff8169a6f4&gt;] ? nf_hook_slow+0xe4/0x190
 [&lt;ffffffff816ab4c0&gt;] ip_output+0x70/0x110
 [&lt;ffffffff816a9b20&gt;] ? ip_fragment.constprop.49+0x80/0x80
 [&lt;ffffffff816aa9f9&gt;] ip_local_out+0x39/0x70
 [&lt;ffffffff816abf89&gt;] ip_send_skb+0x19/0x40
 [&lt;ffffffff816abfe3&gt;] ip_push_pending_frames+0x33/0x40
 [&lt;ffffffff816d55d3&gt;] raw_sendmsg+0x7d3/0xc30
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff816e7557&gt;] ? inet_sendmsg+0xc7/0x1d0
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffff816e759a&gt;] inet_sendmsg+0x10a/0x1d0
 [&lt;ffffffff816e7495&gt;] ? inet_sendmsg+0x5/0x1d0
 [&lt;ffffffff8163e398&gt;] sock_sendmsg+0x38/0x50
 [&lt;ffffffff8163ec5f&gt;] ___sys_sendmsg+0x25f/0x270
 [&lt;ffffffff811aadad&gt;] ? handle_mm_fault+0x8dd/0x1320
 [&lt;ffffffff8178c147&gt;] ? _raw_spin_unlock+0x27/0x40
 [&lt;ffffffff810529b2&gt;] ? __do_page_fault+0x1e2/0x460
 [&lt;ffffffff81204886&gt;] ? __fget_light+0x66/0x90
 [&lt;ffffffff8163f8e2&gt;] __sys_sendmsg+0x42/0x80
 [&lt;ffffffff8163f932&gt;] SyS_sendmsg+0x12/0x20
 [&lt;ffffffff8178cb17&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
Code: 00 00 44 89 e0 e9 7c fb ff ff 4c 89 ff e8 e7 e7 ff ff 41 8b 9d 80 00 00 00 2b 5d d4 89 d8 c1 f8 03 0f b7 c0 e9 33 ff ff f
 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48
RIP  [&lt;ffffffff816a9a92&gt;] ip_do_fragment+0x892/0x8a0
 RSP &lt;ffff88006d603170&gt;

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Signed-off-by: Joe Stringer &lt;joe@ovn.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Later parts of the stack (including fragmentation) expect that there is
never a socket attached to frag in a frag_list, however this invariant
was not enforced on all defrag paths. This could lead to the
BUG_ON(skb-&gt;sk) during ip_do_fragment(), as per the call stack at the
end of this commit message.

While the call could be added to openvswitch to fix this particular
error, the head and tail of the frags list are already orphaned
indirectly inside ip_defrag(), so it seems like the remaining fragments
should all be orphaned in all circumstances.

kernel BUG at net/ipv4/ip_output.c:586!
[...]
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa0205270&gt;] ? do_output.isra.29+0x1b0/0x1b0 [openvswitch]
 [&lt;ffffffffa02167a7&gt;] ovs_fragment+0xcc/0x214 [openvswitch]
 [&lt;ffffffff81667830&gt;] ? dst_discard_out+0x20/0x20
 [&lt;ffffffff81667810&gt;] ? dst_ifdown+0x80/0x80
 [&lt;ffffffffa0212072&gt;] ? find_bucket.isra.2+0x62/0x70 [openvswitch]
 [&lt;ffffffff810e0ba5&gt;] ? mod_timer_pending+0x65/0x210
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffffa03205a2&gt;] ? nf_conntrack_in+0x252/0x500 [nf_conntrack]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa02051a3&gt;] do_output.isra.29+0xe3/0x1b0 [openvswitch]
 [&lt;ffffffffa0206411&gt;] do_execute_actions+0xe11/0x11f0 [openvswitch]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa0206822&gt;] ovs_execute_actions+0x32/0xd0 [openvswitch]
 [&lt;ffffffffa020b505&gt;] ovs_dp_process_packet+0x85/0x140 [openvswitch]
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffffa02068a2&gt;] ovs_execute_actions+0xb2/0xd0 [openvswitch]
 [&lt;ffffffffa020b505&gt;] ovs_dp_process_packet+0x85/0x140 [openvswitch]
 [&lt;ffffffffa0215019&gt;] ? ovs_ct_get_labels+0x49/0x80 [openvswitch]
 [&lt;ffffffffa0213a1d&gt;] ovs_vport_receive+0x5d/0xa0 [openvswitch]
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffffa0214895&gt;] ? internal_dev_xmit+0x5/0x140 [openvswitch]
 [&lt;ffffffffa02148fc&gt;] internal_dev_xmit+0x6c/0x140 [openvswitch]
 [&lt;ffffffffa0214895&gt;] ? internal_dev_xmit+0x5/0x140 [openvswitch]
 [&lt;ffffffff81660299&gt;] dev_hard_start_xmit+0x2b9/0x5e0
 [&lt;ffffffff8165fc21&gt;] ? netif_skb_features+0xd1/0x1f0
 [&lt;ffffffff81660f20&gt;] __dev_queue_xmit+0x800/0x930
 [&lt;ffffffff81660770&gt;] ? __dev_queue_xmit+0x50/0x930
 [&lt;ffffffff810b53f1&gt;] ? mark_held_locks+0x71/0x90
 [&lt;ffffffff81669876&gt;] ? neigh_resolve_output+0x106/0x220
 [&lt;ffffffff81661060&gt;] dev_queue_xmit+0x10/0x20
 [&lt;ffffffff816698e8&gt;] neigh_resolve_output+0x178/0x220
 [&lt;ffffffff816a8e6f&gt;] ? ip_finish_output2+0x1ff/0x590
 [&lt;ffffffff816a8e6f&gt;] ip_finish_output2+0x1ff/0x590
 [&lt;ffffffff816a8cee&gt;] ? ip_finish_output2+0x7e/0x590
 [&lt;ffffffff816a9a31&gt;] ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a8c70&gt;] ? ip_copy_metadata+0x1b0/0x1b0
 [&lt;ffffffff816a9ae3&gt;] ip_fragment.constprop.49+0x43/0x80
 [&lt;ffffffff816a9c9c&gt;] ip_finish_output+0x17c/0x340
 [&lt;ffffffff8169a6f4&gt;] ? nf_hook_slow+0xe4/0x190
 [&lt;ffffffff816ab4c0&gt;] ip_output+0x70/0x110
 [&lt;ffffffff816a9b20&gt;] ? ip_fragment.constprop.49+0x80/0x80
 [&lt;ffffffff816aa9f9&gt;] ip_local_out+0x39/0x70
 [&lt;ffffffff816abf89&gt;] ip_send_skb+0x19/0x40
 [&lt;ffffffff816abfe3&gt;] ip_push_pending_frames+0x33/0x40
 [&lt;ffffffff816df21a&gt;] icmp_push_reply+0xea/0x120
 [&lt;ffffffff816df93d&gt;] icmp_reply.constprop.23+0x1ed/0x230
 [&lt;ffffffff816df9ce&gt;] icmp_echo.part.21+0x4e/0x50
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffff810d5f9e&gt;] ? rcu_read_lock_held+0x5e/0x70
 [&lt;ffffffff816dfa06&gt;] icmp_echo+0x36/0x70
 [&lt;ffffffff816e0d11&gt;] icmp_rcv+0x271/0x450
 [&lt;ffffffff816a4ca7&gt;] ip_local_deliver_finish+0x127/0x3a0
 [&lt;ffffffff816a4bc1&gt;] ? ip_local_deliver_finish+0x41/0x3a0
 [&lt;ffffffff816a5160&gt;] ip_local_deliver+0x60/0xd0
 [&lt;ffffffff816a4b80&gt;] ? ip_rcv_finish+0x560/0x560
 [&lt;ffffffff816a46fd&gt;] ip_rcv_finish+0xdd/0x560
 [&lt;ffffffff816a5453&gt;] ip_rcv+0x283/0x3e0
 [&lt;ffffffff810b6302&gt;] ? match_held_lock+0x192/0x200
 [&lt;ffffffff816a4620&gt;] ? inet_del_offload+0x40/0x40
 [&lt;ffffffff8165d062&gt;] __netif_receive_skb_core+0x392/0xae0
 [&lt;ffffffff8165e68e&gt;] ? process_backlog+0x8e/0x230
 [&lt;ffffffff810b53f1&gt;] ? mark_held_locks+0x71/0x90
 [&lt;ffffffff8165d7c8&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff8165e678&gt;] process_backlog+0x78/0x230
 [&lt;ffffffff8165e6dd&gt;] ? process_backlog+0xdd/0x230
 [&lt;ffffffff8165e355&gt;] net_rx_action+0x155/0x400
 [&lt;ffffffff8106b48c&gt;] __do_softirq+0xcc/0x420
 [&lt;ffffffff816a8e87&gt;] ? ip_finish_output2+0x217/0x590
 [&lt;ffffffff8178e78c&gt;] do_softirq_own_stack+0x1c/0x30
 &lt;EOI&gt;
 [&lt;ffffffff8106b88e&gt;] do_softirq+0x4e/0x60
 [&lt;ffffffff8106b948&gt;] __local_bh_enable_ip+0xa8/0xb0
 [&lt;ffffffff816a8eb0&gt;] ip_finish_output2+0x240/0x590
 [&lt;ffffffff816a9a31&gt;] ? ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a9a31&gt;] ip_do_fragment+0x831/0x8a0
 [&lt;ffffffff816a8c70&gt;] ? ip_copy_metadata+0x1b0/0x1b0
 [&lt;ffffffff816a9ae3&gt;] ip_fragment.constprop.49+0x43/0x80
 [&lt;ffffffff816a9c9c&gt;] ip_finish_output+0x17c/0x340
 [&lt;ffffffff8169a6f4&gt;] ? nf_hook_slow+0xe4/0x190
 [&lt;ffffffff816ab4c0&gt;] ip_output+0x70/0x110
 [&lt;ffffffff816a9b20&gt;] ? ip_fragment.constprop.49+0x80/0x80
 [&lt;ffffffff816aa9f9&gt;] ip_local_out+0x39/0x70
 [&lt;ffffffff816abf89&gt;] ip_send_skb+0x19/0x40
 [&lt;ffffffff816abfe3&gt;] ip_push_pending_frames+0x33/0x40
 [&lt;ffffffff816d55d3&gt;] raw_sendmsg+0x7d3/0xc30
 [&lt;ffffffff810b732b&gt;] ? __lock_acquire+0x3db/0x1b90
 [&lt;ffffffff816e7557&gt;] ? inet_sendmsg+0xc7/0x1d0
 [&lt;ffffffff810b63c4&gt;] ? __lock_is_held+0x54/0x70
 [&lt;ffffffff816e759a&gt;] inet_sendmsg+0x10a/0x1d0
 [&lt;ffffffff816e7495&gt;] ? inet_sendmsg+0x5/0x1d0
 [&lt;ffffffff8163e398&gt;] sock_sendmsg+0x38/0x50
 [&lt;ffffffff8163ec5f&gt;] ___sys_sendmsg+0x25f/0x270
 [&lt;ffffffff811aadad&gt;] ? handle_mm_fault+0x8dd/0x1320
 [&lt;ffffffff8178c147&gt;] ? _raw_spin_unlock+0x27/0x40
 [&lt;ffffffff810529b2&gt;] ? __do_page_fault+0x1e2/0x460
 [&lt;ffffffff81204886&gt;] ? __fget_light+0x66/0x90
 [&lt;ffffffff8163f8e2&gt;] __sys_sendmsg+0x42/0x80
 [&lt;ffffffff8163f932&gt;] SyS_sendmsg+0x12/0x20
 [&lt;ffffffff8178cb17&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
Code: 00 00 44 89 e0 e9 7c fb ff ff 4c 89 ff e8 e7 e7 ff ff 41 8b 9d 80 00 00 00 2b 5d d4 89 d8 c1 f8 03 0f b7 c0 e9 33 ff ff f
 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48
RIP  [&lt;ffffffff816a9a92&gt;] ip_do_fragment+0x892/0x8a0
 RSP &lt;ffff88006d603170&gt;

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Signed-off-by: Joe Stringer &lt;joe@ovn.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV</title>
<updated>2016-01-25T18:45:41+00:00</updated>
<author>
<name>Thomas Egerer</name>
<email>hakke_007@gmx.de</email>
</author>
<published>2016-01-25T11:58:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=32b6170ca59ccf07d0e394561e54b2cd9726038c'/>
<id>32b6170ca59ccf07d0e394561e54b2cd9726038c</id>
<content type='text'>
The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
to select CRYPTO_ECHAINIV in order to work properly. This solves the
issues caused by a misconfiguration as described in [1].
The original approach, patching crypto/Kconfig was turned down by
Herbert Xu [2].

[1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
[2] http://marc.info/?l=linux-crypto-vger&amp;m=145224655809562&amp;w=2

Signed-off-by: Thomas Egerer &lt;hakke_007@gmx.de&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
to select CRYPTO_ECHAINIV in order to work properly. This solves the
issues caused by a misconfiguration as described in [1].
The original approach, patching crypto/Kconfig was turned down by
Herbert Xu [2].

[1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
[2] http://marc.info/?l=linux-crypto-vger&amp;m=145224655809562&amp;w=2

Signed-off-by: Thomas Egerer &lt;hakke_007@gmx.de&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tree wide: use kvfree() than conditional kfree()/vfree()</title>
<updated>2016-01-23T01:02:18+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@i-love.sakura.ne.jp</email>
</author>
<published>2016-01-22T23:11:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1d5cfdb076288df5eb95545a547a39905e95c930'/>
<id>1d5cfdb076288df5eb95545a547a39905e95c930</id>
<content type='text'>
There are many locations that do

  if (memory_was_allocated_by_vmalloc)
    vfree(ptr);
  else
    kfree(ptr);

but kvfree() can handle both kmalloc()ed memory and vmalloc()ed memory
using is_vmalloc_addr().  Unless callers have special reasons, we can
replace this branch with kvfree().  Please check and reply if you found
problems.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Jan Kara &lt;jack@suse.com&gt;
Acked-by: Russell King &lt;rmk+kernel@arm.linux.org.uk&gt;
Reviewed-by: Andreas Dilger &lt;andreas.dilger@intel.com&gt;
Acked-by: "Rafael J. Wysocki" &lt;rjw@rjwysocki.net&gt;
Acked-by: David Rientjes &lt;rientjes@google.com&gt;
Cc: "Luck, Tony" &lt;tony.luck@intel.com&gt;
Cc: Oleg Drokin &lt;oleg.drokin@intel.com&gt;
Cc: Boris Petkov &lt;bp@suse.de&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are many locations that do

  if (memory_was_allocated_by_vmalloc)
    vfree(ptr);
  else
    kfree(ptr);

but kvfree() can handle both kmalloc()ed memory and vmalloc()ed memory
using is_vmalloc_addr().  Unless callers have special reasons, we can
replace this branch with kvfree().  Please check and reply if you found
problems.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Jan Kara &lt;jack@suse.com&gt;
Acked-by: Russell King &lt;rmk+kernel@arm.linux.org.uk&gt;
Reviewed-by: Andreas Dilger &lt;andreas.dilger@intel.com&gt;
Acked-by: "Rafael J. Wysocki" &lt;rjw@rjwysocki.net&gt;
Acked-by: David Rientjes &lt;rientjes@google.com&gt;
Cc: "Luck, Tony" &lt;tony.luck@intel.com&gt;
Cc: Oleg Drokin &lt;oleg.drokin@intel.com&gt;
Cc: Boris Petkov &lt;bp@suse.de&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
