<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net, branch v3.10.49</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net?h=v3.10.49</id>
<link rel='self' href='https://git.amat.us/linux/atom/net?h=v3.10.49'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2014-07-09T18:14:01Z</updated>
<entry>
<title>mac80211: fix a memory leak on sta rate selection table</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Felix Fietkau</name>
<email>nbd@openwrt.org</email>
</author>
<published>2014-05-27T20:33:57Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a882e11977492f18b77072c036b42777b6ba9760'/>
<id>urn:sha1:a882e11977492f18b77072c036b42777b6ba9760</id>
<content type='text'>
commit 53d045258ee2e38b1e882617cb0799a04d05f5fa upstream.

If the rate control algorithm uses a selection table, it
is leaked when the station is destroyed - fix that.

Signed-off-by: Felix Fietkau &lt;nbd@openwrt.org&gt;
Reported-by: Christophe Prévotaux &lt;cprevotaux@nltinc.com&gt;
Fixes: 0d528d85c519 ("mac80211: improve the rate control API")
[add commit log entry, remove pointless NULL check]
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>mac80211: don't check netdev state for debugfs read/write</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Arik Nemtsov</name>
<email>arik@wizery.com</email>
</author>
<published>2014-05-26T11:40:51Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ec19d1e30e66095c1d6977c067b70359e824c4bf'/>
<id>urn:sha1:ec19d1e30e66095c1d6977c067b70359e824c4bf</id>
<content type='text'>
commit 923eaf367206e01f22c97aee22300e332d071916 upstream.

Doing so will lead to an oops for a p2p-dev interface, since it has
no netdev.

Signed-off-by: Arik Nemtsov &lt;arikx.nemtsov@intel.com&gt;
Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>Bluetooth: Fix locking of hdev when calling into SMP code</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2014-06-13T07:22:28Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=f2f90dd36487290ff0bf60e341839a606045aef8'/>
<id>urn:sha1:f2f90dd36487290ff0bf60e341839a606045aef8</id>
<content type='text'>
commit c73f94b8c093a615ce80eabbde0ac6eb9abfe31a upstream.

The SMP code expects hdev to be unlocked since e.g. crypto functions
will try to (re)lock it. Therefore, we need to release the lock before
calling into smp.c from mgmt.c. Without this we risk a deadlock whenever
the smp_user_confirm_reply() function is called.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Tested-by: Lukasz Rymanowski &lt;lukasz.rymanowski@tieto.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>Bluetooth: Fix check for connection encryption</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2014-06-10T06:54:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=07f5ed51cb551e89d89766ba87e7313aae53e139'/>
<id>urn:sha1:07f5ed51cb551e89d89766ba87e7313aae53e139</id>
<content type='text'>
commit e694788d73efe139b24f78b036deb97fe57fa8cb upstream.

The conn-&gt;link_key variable tracks the type of link key in use. It is
set whenever we respond to a link key request as well as when we get a
link key notification event.

These two events do not however always guarantee that encryption is
enabled: getting a link key request and responding to it may only mean
that the remote side has requested authentication but not encryption. On
the other hand, the encrypt change event is a certain guarantee that
encryption is enabled. The real encryption state is already tracked in
the conn-&gt;link_mode variable through the HCI_LM_ENCRYPT bit.

This patch fixes a check for encryption in the hci_conn_auth function to
use the proper conn-&gt;link_mode value and thereby eliminates the chance
of a false positive result.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>Bluetooth: Fix SSP acceptor just-works confirmation without MITM</title>
<updated>2014-07-09T18:14:00Z</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2014-06-09T10:58:14Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6ab84785311dc4d0348e6bd4e1c491293b770b98'/>
<id>urn:sha1:6ab84785311dc4d0348e6bd4e1c491293b770b98</id>
<content type='text'>
commit ba15a58b179ed76a7e887177f2b06de12c58ec8f upstream.

From the Bluetooth Core Specification 4.1 page 1958:

"if both devices have set the Authentication_Requirements parameter to
one of the MITM Protection Not Required options, authentication stage 1
shall function as if both devices set their IO capabilities to
DisplayOnly (e.g., Numeric comparison with automatic confirmation on
both devices)"

So far our implementation has done user confirmation for all just-works
cases regardless of the MITM requirements, however following the
specification to the word means that we should not be doing confirmation
when neither side has the MITM flag set.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Tested-by: Szymon Janc &lt;szymon.janc@tieto.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>netfilter: ipt_ULOG: fix info leaks</title>
<updated>2014-07-07T01:54:15Z</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2013-09-30T20:05:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3ca696839223ed38faeaf9b215b35c91ef6a5811'/>
<id>urn:sha1:3ca696839223ed38faeaf9b215b35c91ef6a5811</id>
<content type='text'>
commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream.

The ulog messages leak heap bytes by the means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.

Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Cc: Jan Tore Morken &lt;jantore@morken.priv.no&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ipvs: Fix panic due to non-linear skb</title>
<updated>2014-07-07T01:54:15Z</updated>
<author>
<name>Peter Christensen</name>
<email>pch@ordbogen.com</email>
</author>
<published>2014-05-24T19:40:12Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=25ca1ecb9c6f0940657d4b249c50f3233063c839'/>
<id>urn:sha1:25ca1ecb9c6f0940657d4b249c50f3233063c839</id>
<content type='text'>
commit f44a5f45f544561302e855e7bd104e5f506ec01b upstream.

Receiving a ICMP response to an IPIP packet in a non-linear skb could
cause a kernel panic in __skb_pull.

The problem was introduced in
commit f2edb9f7706dcb2c0d9a362b2ba849efe3a97f5e ("ipvs: implement
passive PMTUD for IPIP packets").

Signed-off-by: Peter Christensen &lt;pch@ordbogen.com&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>SUNRPC: Fix a module reference leak in svc_handle_xprt</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2014-05-18T18:05:22Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=44f694330e1eb6f52ab163d87c176469b9da0e94'/>
<id>urn:sha1:44f694330e1eb6f52ab163d87c176469b9da0e94</id>
<content type='text'>
commit c789102c20bbbdda6831a273e046715be9d6af79 upstream.

If the accept() call fails, we need to put the module reference.

Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>skbuff: skb_segment: orphan frags before copying</title>
<updated>2014-07-01T03:09:45Z</updated>
<author>
<name>Michael S. Tsirkin</name>
<email>mst@redhat.com</email>
</author>
<published>2014-03-10T17:28:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b124695c12cb8c4dc0f91cc18eac640f546c6456'/>
<id>urn:sha1:b124695c12cb8c4dc0f91cc18eac640f546c6456</id>
<content type='text'>
commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream.

skb_segment copies frags around, so we need
to copy them carefully to avoid accessing
user memory after reporting completion to userspace
through a callback.

skb_segment doesn't normally happen on datapath:
TSO needs to be disabled - so disabling zero copy
in this case does not look like a big deal.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.2.  As skb_segment() only supports page-frags *or* a
  frag list, there is no need for the additional frag_skb pointer or the
  preparatory renaming.]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Cc: Eddie Chapman &lt;eddie@ehuk.net&gt; # backported to 3.10
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>Bluetooth: Fix L2CAP deadlock</title>
<updated>2014-07-01T03:09:44Z</updated>
<author>
<name>Jukka Taimisto</name>
<email>jtt@codenomicon.com</email>
</author>
<published>2014-05-22T10:02:39Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=8d26d1a24bd8523902d8987a9b69462380c70fc3'/>
<id>urn:sha1:8d26d1a24bd8523902d8987a9b69462380c70fc3</id>
<content type='text'>
commit 8a96f3cd22878fc0bb564a8478a6e17c0b8dca73 upstream.

-[0x01 Introduction

We have found a programming error causing a deadlock in Bluetooth subsystem
of Linux kernel. The problem is caused by missing release_sock() call when
L2CAP connection creation fails due full accept queue.

The issue can be reproduced with 3.15-rc5 kernel and is also present in
earlier kernels.

-[0x02 Details

The problem occurs when multiple L2CAP connections are created to a PSM which
contains listening socket (like SDP) and left pending, for example,
configuration (the underlying ACL link is not disconnected between
connections).

When L2CAP connection request is received and listening socket is found the
l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called.
This function locks the 'parent' socket and then checks if the accept queue
is full.

1178         lock_sock(parent);
1179
1180         /* Check for backlog size */
1181         if (sk_acceptq_is_full(parent)) {
1182                 BT_DBG("backlog full %d", parent-&gt;sk_ack_backlog);
1183                 return NULL;
1184         }

If case the accept queue is full NULL is returned, but the 'parent' socket
is not released. Thus when next L2CAP connection request is received the code
blocks on lock_sock() since the parent is still locked.

Also note that for connections already established and waiting for
configuration to complete a timeout will occur and l2cap_chan_timeout()
(net/bluetooth/l2cap_core.c) will be called. All threads calling this
function will also be blocked waiting for the channel mutex since the thread
which is waiting on lock_sock() alread holds the channel mutex.

We were able to reproduce this by sending continuously L2CAP connection
request followed by disconnection request containing invalid CID. This left
the created connections pending configuration.

After the deadlock occurs it is impossible to kill bluetoothd, btmon will not
get any more data etc. requiring reboot to recover.

-[0x03 Fix

Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL
seems to fix the issue.

Signed-off-by: Jukka Taimisto &lt;jtt@codenomicon.com&gt;
Reported-by: Tommi Mäkilä &lt;tmakila@codenomicon.com&gt;
Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
