<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/ipv6, branch v3.0.24</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net/ipv6?h=v3.0.24</id>
<link rel='self' href='https://git.amat.us/linux/atom/net/ipv6?h=v3.0.24'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-03-01T00:33:51Z</updated>
<entry>
<title>ipv6-multicast: Fix memory leak in IPv6 multicast.</title>
<updated>2012-03-01T00:33:51Z</updated>
<author>
<name>Ben Greear</name>
<email>greearb@candelatech.com</email>
</author>
<published>2011-09-23T13:11:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=24190a04c967d91e718bbe7a871e418edb9424aa'/>
<id>urn:sha1:24190a04c967d91e718bbe7a871e418edb9424aa</id>
<content type='text'>
[ Upstream commit 67928c4041606f02725f3c95c4c0404e4532df1b ]

If reg_vif_xmit cannot find a routing entry, be sure to
free the skb before returning the error.

Signed-off-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ipv6-multicast: Fix memory leak in input path.</title>
<updated>2012-03-01T00:33:48Z</updated>
<author>
<name>Ben Greear</name>
<email>greearb@candelatech.com</email>
</author>
<published>2011-09-27T19:16:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=23b139ecf944b097a0493262cbc04886363bd8e6'/>
<id>urn:sha1:23b139ecf944b097a0493262cbc04886363bd8e6</id>
<content type='text'>
[ Upstream commit 2015de5fe2a47086a3260802275932bfd810884e ]

Have to free the skb before returning if we fail
the fib lookup.

Signed-off-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net: fix NULL dereferences in check_peer_redir()</title>
<updated>2012-02-13T19:06:13Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2012-02-09T21:13:19Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=8a533666d1591cf4ea596c6bd710e2fe682cb56a'/>
<id>urn:sha1:8a533666d1591cf4ea596c6bd710e2fe682cb56a</id>
<content type='text'>
[ Upstream commit d3aaeb38c40e5a6c08dd31a1b64da65c4352be36, along
  with dependent backports of commits:
     69cce1d1404968f78b177a0314f5822d5afdbbfb
     9de79c127cccecb11ae6a21ab1499e87aa222880
     218fa90f072e4aeff9003d57e390857f4f35513e
     580da35a31f91a594f3090b7a2c39b85cb051a12
     f7e57044eeb1841847c24aa06766c8290c202583
     e049f28883126c689cf95859480d9ee4ab23b7fa ]

Gergely Kalman reported crashes in check_peer_redir().

It appears commit f39925dbde778 (ipv4: Cache learned redirect
information in inetpeer.) added a race, leading to possible NULL ptr
dereference.

Since we can now change dst neighbour, we should make sure a reader can
safely use a neighbour.

Add RCU protection to dst neighbour, and make sure check_peer_redir()
can be called safely by different cpus in parallel.

As neighbours are already freed after one RCU grace period, this patch
should not add typical RCU penalty (cache cold effects)

Many thanks to Gergely for providing a pretty report pointing to the
bug.

Reported-by: Gergely Kalman &lt;synapse@hippy.csoma.elte.hu&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tcp: md5: using remote adress for md5 lookup in rst packet</title>
<updated>2012-02-03T17:19:04Z</updated>
<author>
<name>shawnlu</name>
<email>shawn.lu@ericsson.com</email>
</author>
<published>2012-01-20T12:22:04Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=81ecd154d0b07bd5dab6e4f09336cb068b70bcb9'/>
<id>urn:sha1:81ecd154d0b07bd5dab6e4f09336cb068b70bcb9</id>
<content type='text'>
[ Upstream commit 8a622e71f58ec9f092fc99eacae0e6cf14f6e742 ]

md5 key is added in socket through remote address.
remote address should be used in finding md5 key when
sending out reset packet.

Signed-off-by: shawnlu &lt;shawn.lu@ericsson.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ah: Don't return NET_XMIT_DROP on input.</title>
<updated>2012-02-03T17:18:54Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-10T09:01:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ffee9a18f29a0645c2d117083e025f557c738018'/>
<id>urn:sha1:ffee9a18f29a0645c2d117083e025f557c738018</id>
<content type='text'>
commit 4b90a603a1b21d63cf743cc833680cb195a729f6 upstream.

When the ahash driver returns -EBUSY, AH4/6 input functions return
NET_XMIT_DROP, presumably copied from the output code path.  But
returning transmit codes on input doesn't make a lot of sense.
Since NET_XMIT_DROP is a positive int, this gets interpreted as
the next header type (i.e., success).  As that can only end badly,
remove the check.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ah: Read nexthdr value before overwriting it in ahash input callback.</title>
<updated>2012-01-26T01:24:51Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-08T12:12:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c0ab420c6822529fa5aba05668e1e983b065460f'/>
<id>urn:sha1:c0ab420c6822529fa5aba05668e1e983b065460f</id>
<content type='text'>
commit b7ea81a58adc123a4e980cb0eff9eb5c144b5dc7 upstream.

The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header.  This is obviously not going
to end well.  Fix it up.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ah: Correctly pass error codes in ahash output callback.</title>
<updated>2012-01-26T01:24:51Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-08T12:12:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d253520a7b2c2223fb4f704f06d10f2c547bdeef'/>
<id>urn:sha1:d253520a7b2c2223fb4f704f06d10f2c547bdeef</id>
<content type='text'>
commit 069294e813ed5f27f82613b027609bcda5f1b914 upstream.

The AH4/6 ahash output callbacks pass nexthdr to xfrm_output_resume
instead of the error code.  This appears to be a copy+paste error from
the input case, where nexthdr is expected.  This causes the driver to
continuously add AH headers to the datagram until either an allocation
fails and the packet is dropped or the ahash driver hits a synchronous
fallback and the resulting monstrosity is transmitted.

Correct this issue by simply passing the error code unadulterated.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ipip, sit: copy parms.name after register_netdevice</title>
<updated>2012-01-06T22:13:45Z</updated>
<author>
<name>Ted Feng</name>
<email>artisdom@gmail.com</email>
</author>
<published>2011-12-08T00:46:21Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=919130981e72465867038ac1dec823dbd7a87eb5'/>
<id>urn:sha1:919130981e72465867038ac1dec823dbd7a87eb5</id>
<content type='text'>
commit 72b36015ba43a3cca5303f5534d2c3e1899eae29 upstream.

Same fix as 731abb9cb2 for ipip and sit tunnel.
Commit 1c5cae815d removed an explicit call to dev_alloc_name in
ipip_tunnel_locate and ipip6_tunnel_locate, because register_netdevice
will now create a valid name, however the tunnel keeps a copy of the
name in the private parms structure. Fix this by copying the name back
after register_netdevice has successfully returned.

This shows up if you do a simple tunnel add, followed by a tunnel show:

$ sudo ip tunnel add mode ipip remote 10.2.20.211
$ ip tunnel
tunl0: ip/ip  remote any  local any  ttl inherit  nopmtudisc
tunl%d: ip/ip  remote 10.2.20.211  local any  ttl inherit
$ sudo ip tunnel add mode sit remote 10.2.20.212
$ ip tunnel
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16
sit%d: ioctl 89f8 failed: No such device
sit%d: ipv6/ip  remote 10.2.20.212  local any  ttl inherit

Signed-off-by: Ted Feng &lt;artisdom@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ip6_tunnel: copy parms.name after register_netdevice</title>
<updated>2011-11-26T17:09:55Z</updated>
<author>
<name>Josh Boyer</name>
<email>jwboyer@redhat.com</email>
</author>
<published>2011-11-10T15:10:23Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d11d8cff78f91d5b956975b5c9e4c271e15f864e'/>
<id>urn:sha1:d11d8cff78f91d5b956975b5c9e4c271e15f864e</id>
<content type='text'>
commit 731abb9cb27aef6013ce60808a04e04a545f3f4e upstream.

Commit 1c5cae815d removed an explicit call to dev_alloc_name in ip6_tnl_create
because register_netdevice will now create a valid name.  This works for the
net_device itself.

However the tunnel keeps a copy of the name in the parms structure for the
ip6_tnl associated with the tunnel.  parms.name is set by copying the net_device
name in ip6_tnl_dev_init_gen.  That function is called from ip6_tnl_dev_init in
ip6_tnl_create, but it is done before register_netdevice is called so the name
is set to a bogus value in the parms.name structure.

This shows up if you do a simple tunnel add, followed by a tunnel show:

[root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200
[root@localhost ~]# ip -6 tunnel show
ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
[root@localhost ~]#

Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after
register_netdevice has successfully returned.

Signed-off-by: Josh Boyer &lt;jwboyer@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ipv6: nullify ipv6_ac_list and ipv6_fl_list when creating new socket</title>
<updated>2011-11-11T17:36:28Z</updated>
<author>
<name>Yan, Zheng</name>
<email>zheng.z.yan@intel.com</email>
</author>
<published>2011-09-25T02:21:30Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2146d4667b5fbdb0e186ca8bc6d9cbe7ac42dfdc'/>
<id>urn:sha1:2146d4667b5fbdb0e186ca8bc6d9cbe7ac42dfdc</id>
<content type='text'>
[ Upstream commit 676a1184e8afd4fed7948232df1ff91517400859 ]

ipv6_ac_list and ipv6_fl_list from listening socket are inadvertently
shared with new socket created for connection.

Signed-off-by: Zheng Yan &lt;zheng.z.yan@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
</feed>
