<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net, branch v3.0.19</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net?h=v3.0.19</id>
<link rel='self' href='https://git.amat.us/linux/atom/net?h=v3.0.19'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-02-03T17:19:04Z</updated>
<entry>
<title>tcp: md5: using remote adress for md5 lookup in rst packet</title>
<updated>2012-02-03T17:19:04Z</updated>
<author>
<name>shawnlu</name>
<email>shawn.lu@ericsson.com</email>
</author>
<published>2012-01-20T12:22:04Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=81ecd154d0b07bd5dab6e4f09336cb068b70bcb9'/>
<id>urn:sha1:81ecd154d0b07bd5dab6e4f09336cb068b70bcb9</id>
<content type='text'>
[ Upstream commit 8a622e71f58ec9f092fc99eacae0e6cf14f6e742 ]

md5 key is added in socket through remote address.
remote address should be used in finding md5 key when
sending out reset packet.

Signed-off-by: shawnlu &lt;shawn.lu@ericsson.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tcp: fix tcp_trim_head() to adjust segment count with skb MSS</title>
<updated>2012-02-03T17:19:04Z</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2012-01-28T17:29:46Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=8b4bb350e120fe0b32a0b1b8d227e65af03e3993'/>
<id>urn:sha1:8b4bb350e120fe0b32a0b1b8d227e65af03e3993</id>
<content type='text'>
[ Upstream commit 5b35e1e6e9ca651e6b291c96d1106043c9af314a ]

This commit fixes tcp_trim_head() to recalculate the number of
segments in the skb with the skb's existing MSS, so trimming the head
causes the skb segment count to be monotonically non-increasing - it
should stay the same or go down, but not increase.

Previously tcp_trim_head() used the current MSS of the connection. But
if there was a decrease in MSS between original transmission and ACK
(e.g. due to PMTUD), this could cause tcp_trim_head() to
counter-intuitively increase the segment count when trimming bytes off
the head of an skb. This violated assumptions in tcp_tso_acked() that
tcp_trim_head() only decreases the packet count, so that packets_acked
in tcp_tso_acked() could underflow, leading tcp_clean_rtx_queue() to
pass u32 pkts_acked values as large as 0xffffffff to
ca_ops-&gt;pkts_acked().

As an aside, if tcp_trim_head() had really wanted the skb to reflect
the current MSS, it should have called tcp_set_skb_tso_segs()
unconditionally, since a decrease in MSS would mean that a
single-packet skb should now be sliced into multiple segments.

Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Acked-by: Nandita Dukkipati &lt;nanditad@google.com&gt;
Acked-by: Ilpo Järvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>rds: Make rds_sock_lock BH rather than IRQ safe.</title>
<updated>2012-02-03T17:19:04Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2012-01-24T22:03:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=f217c4711d71aa6811b6e71d219b9efafa5d55a6'/>
<id>urn:sha1:f217c4711d71aa6811b6e71d219b9efafa5d55a6</id>
<content type='text'>
[ Upstream commit efc3dbc37412c027e363736b4f4c74ee5e8ecffc ]

rds_sock_info() triggers locking warnings because we try to perform a
local_bh_enable() (via sock_i_ino()) while hardware interrupts are
disabled (via taking rds_sock_lock).

There is no reason for rds_sock_lock to be a hardware IRQ disabling
lock, none of these access paths run in hardware interrupt context.

Therefore making it a BH disabling lock is safe and sufficient to
fix this bug.

Reported-by: Kumar Sanghvi &lt;kumaras@chelsio.com&gt;
Reported-by: Josh Boyer &lt;jwboyer@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>l2tp: l2tp_ip - fix possible oops on packet receive</title>
<updated>2012-02-03T17:19:04Z</updated>
<author>
<name>James Chapman</name>
<email>jchapman@katalix.com</email>
</author>
<published>2012-01-25T02:39:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1334533665277ccc5568c5104cd2358788a02e02'/>
<id>urn:sha1:1334533665277ccc5568c5104cd2358788a02e02</id>
<content type='text'>
[ Upstream commit 68315801dbf3ab2001679fd2074c9dc5dcf87dfa ]

When a packet is received on an L2TP IP socket (L2TPv3 IP link
encapsulation), the l2tpip socket's backlog_rcv function calls
xfrm4_policy_check(). This is not necessary, since it was called
before the skb was added to the backlog. With CONFIG_NET_NS enabled,
xfrm4_policy_check() will oops if skb-&gt;dev is null, so this trivial
patch removes the call.

This bug has always been present, but only when CONFIG_NET_NS is
enabled does it cause problems. Most users are probably using UDP
encapsulation for L2TP, hence the problem has only recently
surfaced.

EIP: 0060:[&lt;c12bb62b&gt;] EFLAGS: 00210246 CPU: 0
EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Call Trace:
 [&lt;c1218568&gt;] sock_common_recvmsg+0x31/0x46
 [&lt;c1215c92&gt;] __sock_recvmsg_nosec+0x45/0x4d
 [&lt;c12163a1&gt;] __sock_recvmsg+0x31/0x3b
 [&lt;c1216828&gt;] sock_recvmsg+0x96/0xab
 [&lt;c10b2693&gt;] ? might_fault+0x47/0x81
 [&lt;c10b2693&gt;] ? might_fault+0x47/0x81
 [&lt;c1167fd0&gt;] ? _copy_from_user+0x31/0x115
 [&lt;c121e8c8&gt;] ? copy_from_user+0x8/0xa
 [&lt;c121ebd6&gt;] ? verify_iovec+0x3e/0x78
 [&lt;c1216604&gt;] __sys_recvmsg+0x10a/0x1aa
 [&lt;c1216792&gt;] ? sock_recvmsg+0x0/0xab
 [&lt;c105a99b&gt;] ? __lock_acquire+0xbdf/0xbee
 [&lt;c12d5a99&gt;] ? do_page_fault+0x193/0x375
 [&lt;c10d1200&gt;] ? fcheck_files+0x9b/0xca
 [&lt;c10d1259&gt;] ? fget_light+0x2a/0x9c
 [&lt;c1216bbb&gt;] sys_recvmsg+0x2b/0x43
 [&lt;c1218145&gt;] sys_socketcall+0x16d/0x1a5
 [&lt;c11679f0&gt;] ? trace_hardirqs_on_thunk+0xc/0x10
 [&lt;c100305f&gt;] sysenter_do_call+0x12/0x38
Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff &lt;ff&gt; 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c

Signed-off-by: James Chapman &lt;jchapman@katalix.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net caif: Register properly as a pernet subsystem.</title>
<updated>2012-02-03T17:19:03Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-01-26T14:04:53Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=62252cba2867cec7cc484ebb2d3ec705c41d9684'/>
<id>urn:sha1:62252cba2867cec7cc484ebb2d3ec705c41d9684</id>
<content type='text'>
[ Upstream commit 8a8ee9aff6c3077dd9c2c7a77478e8ed362b96c6 ]

caif is a subsystem and as such it needs to register with
register_pernet_subsys instead of register_pernet_device.

Among other problems using register_pernet_device was resulting in
net_generic being called before the caif_net structure was allocated.
Which has been causing net_generic to fail with either BUG_ON's or by
return NULL pointers.

A more ugly problem that could be caused is packets in flight why the
subsystem is shutting down.

To remove confusion also remove the cruft cause by inappropriately
trying to fix this bug.

With the aid of the previous patch I have tested this patch and
confirmed that using register_pernet_subsys makes the failure go away as
it should.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Acked-by: Sjur Brændeland &lt;sjur.brandeland@stericsson.com&gt;
Tested-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>netns: fix net_alloc_generic()</title>
<updated>2012-02-03T17:19:03Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2012-01-26T00:41:38Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=561331eae0a03d0c4cf60f3cf485aa3e8aa5ab48'/>
<id>urn:sha1:561331eae0a03d0c4cf60f3cf485aa3e8aa5ab48</id>
<content type='text'>
[ Upstream commit 073862ba5d249c20bd5c49fc6d904ff0e1f6a672 ]

When a new net namespace is created, we should attach to it a "struct
net_generic" with enough slots (even empty), or we can hit the following
BUG_ON() :

[  200.752016] kernel BUG at include/net/netns/generic.h:40!
...
[  200.752016]  [&lt;ffffffff825c3cea&gt;] ? get_cfcnfg+0x3a/0x180
[  200.752016]  [&lt;ffffffff821cf0b0&gt;] ? lockdep_rtnl_is_held+0x10/0x20
[  200.752016]  [&lt;ffffffff825c41be&gt;] caif_device_notify+0x2e/0x530
[  200.752016]  [&lt;ffffffff810d61b7&gt;] notifier_call_chain+0x67/0x110
[  200.752016]  [&lt;ffffffff810d67c1&gt;] raw_notifier_call_chain+0x11/0x20
[  200.752016]  [&lt;ffffffff821bae82&gt;] call_netdevice_notifiers+0x32/0x60
[  200.752016]  [&lt;ffffffff821c2b26&gt;] register_netdevice+0x196/0x300
[  200.752016]  [&lt;ffffffff821c2ca9&gt;] register_netdev+0x19/0x30
[  200.752016]  [&lt;ffffffff81c1c67a&gt;] loopback_net_init+0x4a/0xa0
[  200.752016]  [&lt;ffffffff821b5e62&gt;] ops_init+0x42/0x180
[  200.752016]  [&lt;ffffffff821b600b&gt;] setup_net+0x6b/0x100
[  200.752016]  [&lt;ffffffff821b6466&gt;] copy_net_ns+0x86/0x110
[  200.752016]  [&lt;ffffffff810d5789&gt;] create_new_namespaces+0xd9/0x190

net_alloc_generic() should take into account the maximum index into the
ptr array, as a subsystem might use net_generic() anytime.

This also reduces number of reallocations in net_assign_generic()

Reported-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Tested-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Cc: Sjur Brændeland &lt;sjur.brandeland@stericsson.com&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Pavel Emelyanov &lt;xemul@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ah: Don't return NET_XMIT_DROP on input.</title>
<updated>2012-02-03T17:18:54Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-10T09:01:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ffee9a18f29a0645c2d117083e025f557c738018'/>
<id>urn:sha1:ffee9a18f29a0645c2d117083e025f557c738018</id>
<content type='text'>
commit 4b90a603a1b21d63cf743cc833680cb195a729f6 upstream.

When the ahash driver returns -EBUSY, AH4/6 input functions return
NET_XMIT_DROP, presumably copied from the output code path.  But
returning transmit codes on input doesn't make a lot of sense.
Since NET_XMIT_DROP is a positive int, this gets interpreted as
the next header type (i.e., success).  As that can only end badly,
remove the check.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ah: Read nexthdr value before overwriting it in ahash input callback.</title>
<updated>2012-01-26T01:24:51Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-08T12:12:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c0ab420c6822529fa5aba05668e1e983b065460f'/>
<id>urn:sha1:c0ab420c6822529fa5aba05668e1e983b065460f</id>
<content type='text'>
commit b7ea81a58adc123a4e980cb0eff9eb5c144b5dc7 upstream.

The AH4/6 ahash input callbacks read out the nexthdr field from the AH
header *after* they overwrite that header.  This is obviously not going
to end well.  Fix it up.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ah: Correctly pass error codes in ahash output callback.</title>
<updated>2012-01-26T01:24:51Z</updated>
<author>
<name>Nick Bowler</name>
<email>nbowler@elliptictech.com</email>
</author>
<published>2011-11-08T12:12:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d253520a7b2c2223fb4f704f06d10f2c547bdeef'/>
<id>urn:sha1:d253520a7b2c2223fb4f704f06d10f2c547bdeef</id>
<content type='text'>
commit 069294e813ed5f27f82613b027609bcda5f1b914 upstream.

The AH4/6 ahash output callbacks pass nexthdr to xfrm_output_resume
instead of the error code.  This appears to be a copy+paste error from
the input case, where nexthdr is expected.  This causes the driver to
continuously add AH headers to the datagram until either an allocation
fails and the packet is dropped or the ahash driver hits a synchronous
fallback and the resulting monstrosity is transmitted.

Correct this issue by simply passing the error code unadulterated.

Signed-off-by: Nick Bowler &lt;nbowler@elliptictech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>svcrpc: avoid memory-corruption on pool shutdown</title>
<updated>2012-01-26T01:24:48Z</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2011-11-29T22:00:26Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a141a5eb3ab45131cb168e7a561d662722b43ec3'/>
<id>urn:sha1:a141a5eb3ab45131cb168e7a561d662722b43ec3</id>
<content type='text'>
commit b4f36f88b3ee7cf26bf0be84e6c7fc15f84dcb71 upstream.

Socket callbacks use svc_xprt_enqueue() to add an xprt to a
pool-&gt;sp_sockets list.  In normal operation a server thread will later
come along and take the xprt off that list.  On shutdown, after all the
threads have exited, we instead manually walk the sv_tempsocks and
sv_permsocks lists to find all the xprt's and delete them.

So the sp_sockets lists don't really matter any more.  As a result,
we've mostly just ignored them and hoped they would go away.

Which has gotten us into trouble; witness for example ebc63e531cc6
"svcrpc: fix list-corrupting race on nfsd shutdown", the result of Ben
Greear noticing that a still-running svc_xprt_enqueue() could re-add an
xprt to an sp_sockets list just before it was deleted.  The fix was to
remove it from the list at the end of svc_delete_xprt().  But that only
made corruption less likely--I can see nothing that prevents a
svc_xprt_enqueue() from adding another xprt to the list at the same
moment that we're removing this xprt from the list.  In fact, despite
the earlier xpo_detach(), I don't even see what guarantees that
svc_xprt_enqueue() couldn't still be running on this xprt.

So, instead, note that svc_xprt_enqueue() essentially does:
	lock sp_lock
		if XPT_BUSY unset
			add to sp_sockets
	unlock sp_lock

So, if we do:

	set XPT_BUSY on every xprt.
	Empty every sp_sockets list, under the sp_socks locks.

Then we're left knowing that the sp_sockets lists are all empty and will
stay that way, since any svc_xprt_enqueue() will check XPT_BUSY under
the sp_lock and see it set.

And *then* we can continue deleting the xprt's.

(Thanks to Jeff Layton for being correctly suspicious of this code....)

Cc: Ben Greear &lt;greearb@candelatech.com&gt;
Cc: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
