<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/sctp, branch v4.2</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state</title>
<updated>2015-08-28T00:11:44+00:00</updated>
<author>
<name>lucien</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2015-08-26T20:52:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f648f807f61e64d247d26611e34cc97e4ed03401'/>
<id>f648f807f61e64d247d26611e34cc97e4ed03401</id>
<content type='text'>
Commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown")
fixed a problem with excessive retransmissions in the SHUTDOWN_PENDING by not
resetting the association overall_error_count.  This allowed the association
to better enforce assoc.max_retrans limit.

However, the same issue still exists when the association is in SHUTDOWN_RECEIVED
state.  In this state, HB-ACKs will continue to reset the overall_error_count
for the association would extend the lifetime of association unnecessarily.

This patch solves this by resetting the overall_error_count whenever the current
state is small then SCTP_STATE_SHUTDOWN_PENDING.  As a small side-effect, we
end up also handling SCTP_STATE_SHUTDOWN_ACK_SENT and SCTP_STATE_SHUTDOWN_SENT
states, but they are not really impacted because we disable Heartbeats in those
states.

Fixes: Commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown")
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown")
fixed a problem with excessive retransmissions in the SHUTDOWN_PENDING by not
resetting the association overall_error_count.  This allowed the association
to better enforce assoc.max_retrans limit.

However, the same issue still exists when the association is in SHUTDOWN_RECEIVED
state.  In this state, HB-ACKs will continue to reset the overall_error_count
for the association would extend the lifetime of association unnecessarily.

This patch solves this by resetting the overall_error_count whenever the current
state is small then SCTP_STATE_SHUTDOWN_PENDING.  As a small side-effect, we
end up also handling SCTP_STATE_SHUTDOWN_ACK_SENT and SCTP_STATE_SHUTDOWN_SENT
states, but they are not really impacted because we disable Heartbeats in those
states.

Fixes: Commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown")
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: asconf's process should verify address parameter is in the beginning</title>
<updated>2015-08-27T20:59:33+00:00</updated>
<author>
<name>lucien</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2015-08-27T08:26:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ce7b4ccc4f62775f4167495a06fbee0025f87175'/>
<id>ce7b4ccc4f62775f4167495a06fbee0025f87175</id>
<content type='text'>
in sctp_process_asconf(), we get address parameter from the beginning of
the addip params. but we never check if it's really there. if the addr
param is not there, it still can pass sctp_verify_asconf(), then to be
handled by sctp_process_asconf(), it will not be safe.

so add a code in sctp_verify_asconf() to check the address parameter is in
the beginning, or return false to send abort.

note that this can also detect multiple address parameters, and reject it.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;mleitner@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
in sctp_process_asconf(), we get address parameter from the beginning of
the addip params. but we never check if it's really there. if the addr
param is not there, it still can pass sctp_verify_asconf(), then to be
handled by sctp_process_asconf(), it will not be safe.

so add a code in sctp_verify_asconf() to check the address parameter is in
the beginning, or return false to send abort.

note that this can also detect multiple address parameters, and reject it.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;mleitner@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: stop spamming klog with rfc6458, 5.3.2. deprecation warnings</title>
<updated>2015-07-26T23:32:41+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>daniel@iogearbox.net</email>
</author>
<published>2015-07-22T14:31:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=81296fc67319d96ea6f7f43a07494394e1236a19'/>
<id>81296fc67319d96ea6f7f43a07494394e1236a19</id>
<content type='text'>
Back then when we added support for SCTP_SNDINFO/SCTP_RCVINFO from
RFC6458 5.3.4/5.3.5, we decided to add a deprecation warning for the
(as per RFC deprecated) SCTP_SNDRCV via commit bbbea41d5e53 ("net:
sctp: deprecate rfc6458, 5.3.2. SCTP_SNDRCV support"), see [1].

Imho, it was not a good idea, and we should just revert that message
for a couple of reasons:

  1) It's uapi and therefore set in stone forever.

  2) To be able to run on older and newer kernels, an SCTP application
     would need to probe for both, SCTP_SNDRCV, but also SCTP_SNDINFO/
     SCTP_RCVINFO support, so that on older kernels, it can make use
     of SCTP_SNDRCV, and on newer kernels SCTP_SNDINFO/SCTP_RCVINFO.
     In my (limited) experience, a lot of SCTP appliances are migrating
     to newer kernels only ve(ee)ry slowly.

  3) Some people don't have the chance to change their applications,
     f.e. due to proprietary legacy stuff. So, they'll hit this warning
     in fast path and are stuck with older kernels.

But i.e. due to point 1) I really fail to see the benefit of a warning.
So just revert that for now, the issue was reported up Jamal.

  [1] http://thread.gmane.org/gmane.linux.network/321960/

Reported-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Cc: Michael Tuexen &lt;tuexen@fh-muenster.de&gt;
Acked-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Back then when we added support for SCTP_SNDINFO/SCTP_RCVINFO from
RFC6458 5.3.4/5.3.5, we decided to add a deprecation warning for the
(as per RFC deprecated) SCTP_SNDRCV via commit bbbea41d5e53 ("net:
sctp: deprecate rfc6458, 5.3.2. SCTP_SNDRCV support"), see [1].

Imho, it was not a good idea, and we should just revert that message
for a couple of reasons:

  1) It's uapi and therefore set in stone forever.

  2) To be able to run on older and newer kernels, an SCTP application
     would need to probe for both, SCTP_SNDRCV, but also SCTP_SNDINFO/
     SCTP_RCVINFO support, so that on older kernels, it can make use
     of SCTP_SNDRCV, and on newer kernels SCTP_SNDINFO/SCTP_RCVINFO.
     In my (limited) experience, a lot of SCTP appliances are migrating
     to newer kernels only ve(ee)ry slowly.

  3) Some people don't have the chance to change their applications,
     f.e. due to proprietary legacy stuff. So, they'll hit this warning
     in fast path and are stuck with older kernels.

But i.e. due to point 1) I really fail to see the benefit of a warning.
So just revert that for now, the issue was reported up Jamal.

  [1] http://thread.gmane.org/gmane.linux.network/321960/

Reported-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Cc: Michael Tuexen &lt;tuexen@fh-muenster.de&gt;
Acked-by: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: Fix race between OOTB responce and route removal</title>
<updated>2015-06-29T16:28:42+00:00</updated>
<author>
<name>Alexander Sverdlin</name>
<email>alexander.sverdlin@nokia.com</email>
</author>
<published>2015-06-29T08:41:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=29c4afc4e98f4dc0ea9df22c631841f9c220b944'/>
<id>29c4afc4e98f4dc0ea9df22c631841f9c220b944</id>
<content type='text'>
There is NULL pointer dereference possible during statistics update if the route
used for OOTB responce is removed at unfortunate time. If the route exists when
we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
ABORT, but in the meantime route is removed under our feet, we take "no_route"
path and try to update stats with IP_INC_STATS(sock_net(asoc-&gt;base.sk), ...).

But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
sctp_transport_set_owner() and therefore there is no asoc associated with this
packet. Probably temporary asoc just for OOTB responces is overkill, so just
introduce a check like in all other places in sctp_packet_transmit(), where
"asoc" is dereferenced.

To reproduce this, one needs to
0. ensure that sctp module is loaded (otherwise ABORT is not generated)
1. remove default route on the machine
2. while true; do
     ip route del [interface-specific route]
     ip route add [interface-specific route]
   done
3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
   responce

On x86_64 the crash looks like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ...
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
Hardware name: ...
task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
RIP: 0010:[&lt;ffffffffa05ec9ac&gt;]  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
Stack:
 ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
 ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
 0000000000000000 0000000000000001 0000000000000000 0000000000000000
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa05c94c5&gt;] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
 [&lt;ffffffffa05d6b42&gt;] ? sctp_transport_put+0x52/0x80 [sctp]
 [&lt;ffffffffa05d0bfc&gt;] sctp_do_sm+0xb8c/0x19a0 [sctp]
 [&lt;ffffffff810b0e00&gt;] ? trigger_load_balance+0x90/0x210
 [&lt;ffffffff810e0329&gt;] ? update_process_times+0x59/0x60
 [&lt;ffffffff812c7a40&gt;] ? timerqueue_add+0x60/0xb0
 [&lt;ffffffff810e0549&gt;] ? enqueue_hrtimer+0x29/0xa0
 [&lt;ffffffff8101f599&gt;] ? read_tsc+0x9/0x10
 [&lt;ffffffff8116d4b5&gt;] ? put_page+0x55/0x60
 [&lt;ffffffff810ee1ad&gt;] ? clockevents_program_event+0x6d/0x100
 [&lt;ffffffff81462b68&gt;] ? skb_free_head+0x58/0x80
 [&lt;ffffffffa029a10b&gt;] ? chksum_update+0x1b/0x27 [crc32c_generic]
 [&lt;ffffffff81283f3e&gt;] ? crypto_shash_update+0xce/0xf0
 [&lt;ffffffffa05d3993&gt;] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
 [&lt;ffffffffa05dd4e6&gt;] sctp_inq_push+0x46/0x60 [sctp]
 [&lt;ffffffffa05ed7a0&gt;] sctp_rcv+0x880/0x910 [sctp]
 [&lt;ffffffffa05ecb50&gt;] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
 [&lt;ffffffffa05ecb70&gt;] ? sctp_csum_update+0x20/0x20 [sctp]
 [&lt;ffffffff814b05a5&gt;] ? ip_route_input_noref+0x235/0xd30
 [&lt;ffffffff81051d6b&gt;] ? ack_ioapic_level+0x7b/0x150
 [&lt;ffffffff814b27be&gt;] ip_local_deliver_finish+0xae/0x210
 [&lt;ffffffff814b2e15&gt;] ip_local_deliver+0x35/0x90
 [&lt;ffffffff814b2a15&gt;] ip_rcv_finish+0xf5/0x370
 [&lt;ffffffff814b3128&gt;] ip_rcv+0x2b8/0x3a0
 [&lt;ffffffff81474193&gt;] __netif_receive_skb_core+0x763/0xa50
 [&lt;ffffffff81476c28&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff81476cb0&gt;] netif_receive_skb_internal+0x40/0xd0
 [&lt;ffffffff814776c8&gt;] napi_gro_receive+0xe8/0x120
 [&lt;ffffffffa03946aa&gt;] rtl8169_poll+0x2da/0x660 [r8169]
 [&lt;ffffffff8147896a&gt;] net_rx_action+0x21a/0x360
 [&lt;ffffffff81078dc1&gt;] __do_softirq+0xe1/0x2d0
 [&lt;ffffffff8107912d&gt;] irq_exit+0xad/0xb0
 [&lt;ffffffff8157d158&gt;] do_IRQ+0x58/0xf0
 [&lt;ffffffff8157b06d&gt;] common_interrupt+0x6d/0x6d
 &lt;EOI&gt;
 [&lt;ffffffff810e1218&gt;] ? hrtimer_start+0x18/0x20
 [&lt;ffffffffa05d65f9&gt;] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
 [&lt;ffffffff81020c50&gt;] ? mwait_idle+0x60/0xa0
 [&lt;ffffffff810216ef&gt;] arch_cpu_idle+0xf/0x20
 [&lt;ffffffff810b731c&gt;] cpu_startup_entry+0x3ec/0x480
 [&lt;ffffffff8156b365&gt;] rest_init+0x85/0x90
 [&lt;ffffffff818eb035&gt;] start_kernel+0x48b/0x4ac
 [&lt;ffffffff818ea120&gt;] ? early_idt_handlers+0x120/0x120
 [&lt;ffffffff818ea339&gt;] x86_64_start_reservations+0x2a/0x2c
 [&lt;ffffffff818ea49c&gt;] x86_64_start_kernel+0x161/0x184
Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 &lt;48&gt; 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
RIP  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
 RSP &lt;ffff880127c037b8&gt;
CR2: 0000000000000020
---[ end trace 5aec7fd2dc983574 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
drm_kms_helper: panic occurred, switching back to text console
---[ end Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is NULL pointer dereference possible during statistics update if the route
used for OOTB responce is removed at unfortunate time. If the route exists when
we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
ABORT, but in the meantime route is removed under our feet, we take "no_route"
path and try to update stats with IP_INC_STATS(sock_net(asoc-&gt;base.sk), ...).

But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
sctp_transport_set_owner() and therefore there is no asoc associated with this
packet. Probably temporary asoc just for OOTB responces is overkill, so just
introduce a check like in all other places in sctp_packet_transmit(), where
"asoc" is dereferenced.

To reproduce this, one needs to
0. ensure that sctp module is loaded (otherwise ABORT is not generated)
1. remove default route on the machine
2. while true; do
     ip route del [interface-specific route]
     ip route add [interface-specific route]
   done
3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
   responce

On x86_64 the crash looks like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ...
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
Hardware name: ...
task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
RIP: 0010:[&lt;ffffffffa05ec9ac&gt;]  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
Stack:
 ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
 ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
 0000000000000000 0000000000000001 0000000000000000 0000000000000000
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa05c94c5&gt;] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
 [&lt;ffffffffa05d6b42&gt;] ? sctp_transport_put+0x52/0x80 [sctp]
 [&lt;ffffffffa05d0bfc&gt;] sctp_do_sm+0xb8c/0x19a0 [sctp]
 [&lt;ffffffff810b0e00&gt;] ? trigger_load_balance+0x90/0x210
 [&lt;ffffffff810e0329&gt;] ? update_process_times+0x59/0x60
 [&lt;ffffffff812c7a40&gt;] ? timerqueue_add+0x60/0xb0
 [&lt;ffffffff810e0549&gt;] ? enqueue_hrtimer+0x29/0xa0
 [&lt;ffffffff8101f599&gt;] ? read_tsc+0x9/0x10
 [&lt;ffffffff8116d4b5&gt;] ? put_page+0x55/0x60
 [&lt;ffffffff810ee1ad&gt;] ? clockevents_program_event+0x6d/0x100
 [&lt;ffffffff81462b68&gt;] ? skb_free_head+0x58/0x80
 [&lt;ffffffffa029a10b&gt;] ? chksum_update+0x1b/0x27 [crc32c_generic]
 [&lt;ffffffff81283f3e&gt;] ? crypto_shash_update+0xce/0xf0
 [&lt;ffffffffa05d3993&gt;] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
 [&lt;ffffffffa05dd4e6&gt;] sctp_inq_push+0x46/0x60 [sctp]
 [&lt;ffffffffa05ed7a0&gt;] sctp_rcv+0x880/0x910 [sctp]
 [&lt;ffffffffa05ecb50&gt;] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
 [&lt;ffffffffa05ecb70&gt;] ? sctp_csum_update+0x20/0x20 [sctp]
 [&lt;ffffffff814b05a5&gt;] ? ip_route_input_noref+0x235/0xd30
 [&lt;ffffffff81051d6b&gt;] ? ack_ioapic_level+0x7b/0x150
 [&lt;ffffffff814b27be&gt;] ip_local_deliver_finish+0xae/0x210
 [&lt;ffffffff814b2e15&gt;] ip_local_deliver+0x35/0x90
 [&lt;ffffffff814b2a15&gt;] ip_rcv_finish+0xf5/0x370
 [&lt;ffffffff814b3128&gt;] ip_rcv+0x2b8/0x3a0
 [&lt;ffffffff81474193&gt;] __netif_receive_skb_core+0x763/0xa50
 [&lt;ffffffff81476c28&gt;] __netif_receive_skb+0x18/0x60
 [&lt;ffffffff81476cb0&gt;] netif_receive_skb_internal+0x40/0xd0
 [&lt;ffffffff814776c8&gt;] napi_gro_receive+0xe8/0x120
 [&lt;ffffffffa03946aa&gt;] rtl8169_poll+0x2da/0x660 [r8169]
 [&lt;ffffffff8147896a&gt;] net_rx_action+0x21a/0x360
 [&lt;ffffffff81078dc1&gt;] __do_softirq+0xe1/0x2d0
 [&lt;ffffffff8107912d&gt;] irq_exit+0xad/0xb0
 [&lt;ffffffff8157d158&gt;] do_IRQ+0x58/0xf0
 [&lt;ffffffff8157b06d&gt;] common_interrupt+0x6d/0x6d
 &lt;EOI&gt;
 [&lt;ffffffff810e1218&gt;] ? hrtimer_start+0x18/0x20
 [&lt;ffffffffa05d65f9&gt;] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
 [&lt;ffffffff81020c50&gt;] ? mwait_idle+0x60/0xa0
 [&lt;ffffffff810216ef&gt;] arch_cpu_idle+0xf/0x20
 [&lt;ffffffff810b731c&gt;] cpu_startup_entry+0x3ec/0x480
 [&lt;ffffffff8156b365&gt;] rest_init+0x85/0x90
 [&lt;ffffffff818eb035&gt;] start_kernel+0x48b/0x4ac
 [&lt;ffffffff818ea120&gt;] ? early_idt_handlers+0x120/0x120
 [&lt;ffffffff818ea339&gt;] x86_64_start_reservations+0x2a/0x2c
 [&lt;ffffffff818ea49c&gt;] x86_64_start_kernel+0x161/0x184
Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 &lt;48&gt; 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
RIP  [&lt;ffffffffa05ec9ac&gt;] sctp_packet_transmit+0x63c/0x730 [sctp]
 RSP &lt;ffff880127c037b8&gt;
CR2: 0000000000000020
---[ end trace 5aec7fd2dc983574 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
drm_kms_helper: panic occurred, switching back to text console
---[ end Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Kill sock-&gt;sk_protinfo</title>
<updated>2015-06-28T23:55:44+00:00</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-06-25T13:19:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1830fcea5bbed2719a9dc32aebe802f72ddf14ab'/>
<id>1830fcea5bbed2719a9dc32aebe802f72ddf14ab</id>
<content type='text'>
No more users, so it can now be removed.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
No more users, so it can now be removed.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2015-06-24T09:58:51+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-06-24T09:58:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3a07bd6fead4f00f67b1bf5f551e686661c4f52c'/>
<id>3a07bd6fead4f00f67b1bf5f551e686661c4f52c</id>
<content type='text'>
Conflicts:
	drivers/net/ethernet/mellanox/mlx4/main.c
	net/packet/af_packet.c

Both conflicts were cases of simple overlapping changes.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/net/ethernet/mellanox/mlx4/main.c
	net/packet/af_packet.c

Both conflicts were cases of simple overlapping changes.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: fix ASCONF list handling</title>
<updated>2015-06-14T19:55:49+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2015-06-12T13:16:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2d45a02d0166caf2627fe91897c6ffc3b19514c4'/>
<id>2d45a02d0166caf2627fe91897c6ffc3b19514c4</id>
<content type='text'>
-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2015-06-14T06:56:52+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-06-14T06:56:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=25c43bf13b1657d9a2f6a2565e9159ce31517aa5'/>
<id>25c43bf13b1657d9a2f6a2565e9159ce31517aa5</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: allow authenticating DATA chunks that are bundled with COOKIE_ECHO</title>
<updated>2015-06-12T21:18:20+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2015-06-11T17:49:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ae36806a622aea5ac79f279cfccc82144967b6e7'/>
<id>ae36806a622aea5ac79f279cfccc82144967b6e7</id>
<content type='text'>
Currently, we can ask to authenticate DATA chunks and we can send DATA
chunks on the same packet as COOKIE_ECHO, but if you try to combine
both, the DATA chunk will be sent unauthenticated and peer won't accept
it, leading to a communication failure.

This happens because even though the data was queued after it was
requested to authenticate DATA chunks, it was also queued before we
could know that remote peer can handle authenticating, so
sctp_auth_send_cid() returns false.

The fix is whenever we set up an active key, re-check send queue for
chunks that now should be authenticated. As a result, such packet will
now contain COOKIE_ECHO + AUTH + DATA chunks, in that order.

Reported-by: Liu Wei &lt;weliu@redhat.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently, we can ask to authenticate DATA chunks and we can send DATA
chunks on the same packet as COOKIE_ECHO, but if you try to combine
both, the DATA chunk will be sent unauthenticated and peer won't accept
it, leading to a communication failure.

This happens because even though the data was queued after it was
requested to authenticate DATA chunks, it was also queued before we
could know that remote peer can handle authenticating, so
sctp_auth_send_cid() returns false.

The fix is whenever we set up an active key, re-check send queue for
chunks that now should be authenticated. As a result, such packet will
now contain COOKIE_ECHO + AUTH + DATA chunks, in that order.

Reported-by: Liu Wei &lt;weliu@redhat.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Add rt6_get_cookie() function</title>
<updated>2015-05-25T17:25:34+00:00</updated>
<author>
<name>Martin KaFai Lau</name>
<email>kafai@fb.com</email>
</author>
<published>2015-05-23T03:56:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b197df4f0f3782782e9ea8996e91b65ae33e8dd9'/>
<id>b197df4f0f3782782e9ea8996e91b65ae33e8dd9</id>
<content type='text'>
Instead of doing the rt6-&gt;rt6i_node check whenever we need
to get the route's cookie.  Refactor it into rt6_get_cookie().
It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also
percpu rt6_info later.

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Cc: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Instead of doing the rt6-&gt;rt6i_node check whenever we need
to get the route's cookie.  Refactor it into rt6_get_cookie().
It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also
percpu rt6_info later.

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Cc: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
