<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net, branch v3.0.49</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net?h=v3.0.49</id>
<link rel='self' href='https://git.amat.us/linux/atom/net?h=v3.0.49'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-10-28T17:02:13Z</updated>
<entry>
<title>tcp: resets are misrouted</title>
<updated>2012-10-28T17:02:13Z</updated>
<author>
<name>Alexey Kuznetsov</name>
<email>kuznet@ms2.inr.ac.ru</email>
</author>
<published>2012-10-12T04:34:17Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4d306c27d6032f5b666e187a8d02bdd288025031'/>
<id>urn:sha1:4d306c27d6032f5b666e187a8d02bdd288025031</id>
<content type='text'>
[ Upstream commit 4c67525849e0b7f4bd4fab2487ec9e43ea52ef29 ]

After commit e2446eaa ("tcp_v4_send_reset: binding oif to iif in no
sock case").. tcp resets are always lost, when routing is asymmetric.
Yes, backing out that patch will result in misrouting of resets for
dead connections which used interface binding when were alive, but we
actually cannot do anything here.  What's died that's died and correct
handling normal unbound connections is obviously a priority.

Comment to comment:
&gt; This has few benefits:
&gt;   1. tcp_v6_send_reset already did that.

It was done to route resets for IPv6 link local addresses. It was a
mistake to do so for global addresses. The patch fixes this as well.

Actually, the problem appears to be even more serious than guaranteed
loss of resets.  As reported by Sergey Soloviev &lt;sol@eqv.ru&gt;, those
misrouted resets create a lot of arp traffic and huge amount of
unresolved arp entires putting down to knees NAT firewalls which use
asymmetric routing.

Signed-off-by: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>RDS: fix rds-ping spinlock recursion</title>
<updated>2012-10-28T17:02:13Z</updated>
<author>
<name>jeff.liu</name>
<email>jeff.liu@oracle.com</email>
</author>
<published>2012-10-08T18:57:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=445b290bd3c3470a220049648150eefaec64937a'/>
<id>urn:sha1:445b290bd3c3470a220049648150eefaec64937a</id>
<content type='text'>
[ Upstream commit 5175a5e76bbdf20a614fb47ce7a38f0f39e70226 ]

This is the revised patch for fixing rds-ping spinlock recursion
according to Venkat's suggestions.

RDS ping/pong over TCP feature has been broken for years(2.6.39 to
3.6.0) since we have to set TCP cork and call kernel_sendmsg() between
ping/pong which both need to lock "struct sock *sk". However, this
lock has already been hold before rds_tcp_data_ready() callback is
triggerred. As a result, we always facing spinlock resursion which
would resulting in system panic.

Given that RDS ping is only used to test the connectivity and not for
serious performance measurements, we can queue the pong transmit to
rds_wq as a delayed response.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
CC: Venkat Venkatsubra &lt;venkat.x.venkatsubra@oracle.com&gt;
CC: David S. Miller &lt;davem@davemloft.net&gt;
CC: James Morris &lt;james.l.morris@oracle.com&gt;
Signed-off-by: Jie Liu &lt;jeff.liu@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net: Fix skb_under_panic oops in neigh_resolve_output</title>
<updated>2012-10-28T17:02:12Z</updated>
<author>
<name>ramesh.nagappa@gmail.com</name>
<email>ramesh.nagappa@gmail.com</email>
</author>
<published>2012-10-05T19:10:15Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5891cb7c82658d26ca323639553b94b7272ebb68'/>
<id>urn:sha1:5891cb7c82658d26ca323639553b94b7272ebb68</id>
<content type='text'>
[ Upstream commit e1f165032c8bade3a6bdf546f8faf61fda4dd01c ]

The retry loop in neigh_resolve_output() and neigh_connected_output()
call dev_hard_header() with out reseting the skb to network_header.
This causes the retry to fail with skb_under_panic. The fix is to
reset the network_header within the retry loop.

Signed-off-by: Ramesh Nagappa &lt;ramesh.nagappa@ericsson.com&gt;
Reviewed-by: Shawn Lu &lt;shawn.lu@ericsson.com&gt;
Reviewed-by: Robert Coulson &lt;robert.coulson@ericsson.com&gt;
Reviewed-by: Billie Alsup &lt;billie.alsup@ericsson.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>SUNRPC: Prevent kernel stack corruption on long values of flush</title>
<updated>2012-10-28T17:02:11Z</updated>
<author>
<name>Sasha Levin</name>
<email>levinsasha928@gmail.com</email>
</author>
<published>2012-07-16T22:01:26Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7a104fcedf491fe1470dab36605f1b1d55ad893d'/>
<id>urn:sha1:7a104fcedf491fe1470dab36605f1b1d55ad893d</id>
<content type='text'>
commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream.

The buffer size in read_flush() is too small for the longest possible values
for it. This can lead to a kernel stack corruption:

[   43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4
[   43.047329]
[   43.049030] Pid: 6015, comm: trinity-child18 Tainted: G        W    3.5.0-rc7-next-20120716-sasha #221
[   43.050038] Call Trace:
[   43.050435]  [&lt;ffffffff836c60c2&gt;] panic+0xcd/0x1f4
[   43.050931]  [&lt;ffffffff833e64b4&gt;] ? read_flush.isra.7+0xe4/0x100
[   43.051602]  [&lt;ffffffff810e94e6&gt;] __stack_chk_fail+0x16/0x20
[   43.052206]  [&lt;ffffffff833e64b4&gt;] read_flush.isra.7+0xe4/0x100
[   43.052951]  [&lt;ffffffff833e6500&gt;] ? read_flush_pipefs+0x30/0x30
[   43.053594]  [&lt;ffffffff833e652c&gt;] read_flush_procfs+0x2c/0x30
[   43.053596]  [&lt;ffffffff812b9a8c&gt;] proc_reg_read+0x9c/0xd0
[   43.053596]  [&lt;ffffffff812b99f0&gt;] ? proc_reg_write+0xd0/0xd0
[   43.053596]  [&lt;ffffffff81250d5b&gt;] do_loop_readv_writev+0x4b/0x90
[   43.053596]  [&lt;ffffffff81250fd6&gt;] do_readv_writev+0xf6/0x1d0
[   43.053596]  [&lt;ffffffff812510ee&gt;] vfs_readv+0x3e/0x60
[   43.053596]  [&lt;ffffffff812511b8&gt;] sys_readv+0x48/0xb0
[   43.053596]  [&lt;ffffffff8378167d&gt;] system_call_fastpath+0x1a/0x1f

Signed-off-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: xt_limit: have r-&gt;cost != 0 case work</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@inai.de</email>
</author>
<published>2012-09-21T22:26:52Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dfd5603c251a87fbfcaef5d492656ae9011c9f7a'/>
<id>urn:sha1:dfd5603c251a87fbfcaef5d492656ae9011c9f7a</id>
<content type='text'>
commit 82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 upstream.

Commit v2.6.19-rc1~1272^2~41 tells us that r-&gt;cost != 0 can happen when
a running state is saved to userspace and then reinstated from there.

Make sure that private xt_limit area is initialized with correct values.
Otherwise, random matchings due to use of uninitialized memory.

Signed-off-by: Jan Engelhardt &lt;jengelh@inai.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: limit, hashlimit: avoid duplicated inline</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2012-05-07T10:51:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=fb3c4ac3ad18c262fed504ab6f666edbff304e63'/>
<id>urn:sha1:fb3c4ac3ad18c262fed504ab6f666edbff304e63</id>
<content type='text'>
commit 7a909ac70f6b0823d9f23a43f19598d4b57ac901 upstream.

credit_cap can be set to credit, which avoids inlining user2credits
twice. Also, remove inline keyword and let compiler decide.

old:
    684     192       0     876     36c net/netfilter/xt_limit.o
   4927     344      32    5303    14b7 net/netfilter/xt_hashlimit.o
now:
    668     192       0     860     35c net/netfilter/xt_limit.o
   4793     344      32    5169    1431 net/netfilter/xt_hashlimit.o

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: nf_ct_expect: fix possible access to uninitialized timer</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-08-16T00:25:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=de07e511bed085d75bb16e7fb499d4a16f0d4475'/>
<id>urn:sha1:de07e511bed085d75bb16e7fb499d4a16f0d4475</id>
<content type='text'>
commit 2614f86490122bf51eb7c12ec73927f1900f4e7d upstream.

In __nf_ct_expect_check, the function refresh_timer returns 1
if a matching expectation is found and its timer is successfully
refreshed. This results in nf_ct_expect_related returning 0.
Note that at this point:

- the passed expectation is not inserted in the expectation table
  and its timer was not initialized, since we have refreshed one
  matching/existing expectation.

- nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation
  timer is in some undefined state just after the allocation,
  until it is appropriately initialized.

This can be a problem for the SIP helper during the expectation
addition:

 ...
 if (nf_ct_expect_related(rtp_exp) == 0) {
         if (nf_ct_expect_related(rtcp_exp) != 0)
                 nf_ct_unexpect_related(rtp_exp);
 ...

Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh
case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp)
returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does:

 spin_lock_bh(&amp;nf_conntrack_lock);
 if (del_timer(&amp;exp-&gt;timeout)) {
         nf_ct_unlink_expect(exp);
         nf_ct_expect_put(exp);
 }
 spin_unlock_bh(&amp;nf_conntrack_lock);

Note that del_timer always returns false if the timer has been
initialized.  However, the timer was not initialized since setup_timer
was not called, therefore, the expectation timer remains in some
undefined state. If I'm not missing anything, this may lead to the
removal an unexistent expectation.

To fix this, the optimization that allows refreshing an expectation
is removed. Now nf_conntrack_expect_related looks more consistent
to me since it always add the expectation in case that it returns
success.

Thanks to Patrick McHardy for participating in the discussion of
this patch.

I think this may be the source of the problem described by:
http://marc.info/?l=netfilter-devel&amp;m=134073514719421&amp;w=2

Reported-by: Rafal Fitt &lt;rafalf@aplusc.com.pl&gt;
Acked-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: nf_nat_sip: fix via header translation with multiple parameters</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2012-08-09T10:08:47Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=01f66df0b96ac087c782c1890c6827d99776ac2f'/>
<id>urn:sha1:01f66df0b96ac087c782c1890c6827d99776ac2f</id>
<content type='text'>
commit f22eb25cf5b1157b29ef88c793b71972efc47143 upstream.

Via-headers are parsed beginning at the first character after the Via-address.
When the address is translated first and its length decreases, the offset to
start parsing at is incorrect and header parameters might be missed.

Update the offset after translating the Via-address to fix this.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-08-29T15:24:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2b3e2b53d651ffe0b5256cbcb94e5b08b9e5d1cc'/>
<id>urn:sha1:2b3e2b53d651ffe0b5256cbcb94e5b08b9e5d1cc</id>
<content type='text'>
commit 3f509c689a07a4aa989b426893d8491a7ffcc410 upstream.

We're hitting bug while trying to reinsert an already existing
expectation:

kernel BUG at kernel/timer.c:895!
invalid opcode: 0000 [#1] SMP
[...]
Call Trace:
 &lt;IRQ&gt;
 [&lt;ffffffffa0069563&gt;] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack]
 [&lt;ffffffff812d423a&gt;] ? in4_pton+0x72/0x131
 [&lt;ffffffffa00ca69e&gt;] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip]
 [&lt;ffffffffa00b5b9b&gt;] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip]
 [&lt;ffffffffa00b5f15&gt;] process_sdp+0x30c/0x3ec [nf_conntrack_sip]
 [&lt;ffffffff8103f1eb&gt;] ? irq_exit+0x9a/0x9c
 [&lt;ffffffffa00ca738&gt;] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip]

We have to remove the RTP expectation if the RTCP expectation hits EBUSY
since we keep trying with other ports until we succeed.

Reported-by: Rafal Fitt &lt;rafalf@aplusc.com.pl&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: nf_ct_ipv4: packets with wrong ihl are invalid</title>
<updated>2012-10-21T16:17:11Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2012-04-03T20:02:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7e3cf6ea62cdaf3c556e43b09883e5d63c94536f'/>
<id>urn:sha1:7e3cf6ea62cdaf3c556e43b09883e5d63c94536f</id>
<content type='text'>
commit 07153c6ec074257ade76a461429b567cff2b3a1e upstream.

It was reported that the Linux kernel sometimes logs:

klogd: [2629147.402413] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 447!
klogd: [1072212.887368] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 392

ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
nf_conntrack_proto_tcp.c should catch malformed packets, so the errors
at the indicated lines - TCP options parsing - should not happen.
However, tcp_error() relies on the "dataoff" offset to the TCP header,
calculated by ipv4_get_l4proto().  But ipv4_get_l4proto() does not check
bogus ihl values in IPv4 packets, which then can slip through tcp_error()
and get caught at the TCP options parsing routines.

The patch fixes ipv4_get_l4proto() by invalidating packets with bogus
ihl value.

The patch closes netfilter bugzilla id 771.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
