Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.10 2013-06-25T23:07:44Z 2013-06-25T23:07:44Z Eric Dumazet edumazet@google.com 2013-06-24T13:26:00Z urn:sha1:bd8a7036c06cf15779b31a5397d4afcb12be81ea commit 68c331631143 ("v4 GRE: Add TCP segmentation offload for GRE") added a possible skb leak, because it frees only the head of segment list, in case a skb_linearize() call fails. This patch adds a kfree_skb_list() helper to fix the bug. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Pravin B Shelar <pshelar@nicira.com> Cc: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-06-24T19:45:24Z David S. Miller davem@davemloft.net 2013-06-24T19:45:24Z urn:sha1:a3d9dd89b781bdcb14201847608b658442de812b Pablo Neira Ayuso says: ==================== The following patchset contains five fixes for Netfilter/IPVS, they are: * A skb leak fix in fragmentation handling in case that helpers are in place, it occurs since the IPV6 NAT infrastructure, from Phil Oester. * Fix SCTP port mangling in ICMP packets for IPVS, from Julian Anastasov. * Fix event delivery in ctnetlink regarding the new connlabel infrastructure, from Florian Westphal. * Fix mangling in the SIP NAT helper, from Balazs Peter Odor. * Fix crash in ipt_ULOG introduced while adding netnamespace support, from Gao Feng. I'll take care of passing several of these patches to -stable once they hit Linus' tree. ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 2013-06-24T15:10:44Z Gao feng gaofeng@cn.fujitsu.com 2013-06-24T09:04:02Z urn:sha1:c8fc51cfa758be945c6113a4b446e0159070f768 The parameter of setup_timer should be &ulog->nlgroup[i]. the incorrect parameter will cause kernel panic in ulog_timer. Bug introducted in commit 355430671ad93546b34b4e91bdf720f3a704efa4 "netfilter: ipt_ULOG: add net namespace support for ipt_ULOG" ebt_ULOG doesn't have this problem. [ I have mangled this patch to fix nlgroup != 0 case, we were also crashing there --pablo ] Tested-by: George Spelvin <linux@horizon.com> Reported-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-06-20T04:21:53Z Aydin Arik aydin.arik@alliedtelesis.co.nz 2013-06-14T06:56:31Z urn:sha1:c0353c7b5da4cbd2ab8227e84bbc9c79890f24ce MD5 key lookups on a given TCP socket were being performed incorrectly. This fix alters parameter inputs to the MD5 lookup function tcp_md5_do_lookup, which is called by functions tcp_md5_do_add and tcp_md5_do_del. Specifically, the change now inputs the correct address and address family required to make a proper lookup. Signed-off-by: Aydin Arik <aydin.arik@alliedtelesis.co.nz> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-06-13T10:00:59Z Eric Dumazet eric.dumazet@gmail.com 2013-06-07T20:26:05Z urn:sha1:d3b6f6141831b6e2d414edea6cc7af5b9bc6fac2 If CONFIG_NET_NS is not set then __net_init is the same as __init and __net_exit is the same as __exit. These functions will be removed from memory after the module loads or is removed. Functions that are exported for use by other functions should never be labeled for removal. Bug introduced by commit c54419321455631079c ("GRE: Refactor GRE tunneling code.") Reported-by: Steinar H. Gunderson <sgunderson@bigfoot.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-06-13T09:47:46Z Saurabh Mohan saurabh@vyatta.com 2013-06-11T00:45:10Z urn:sha1:baafc77b32f647daa7c45825f7af8cdd55d00817 If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan <saurabh@vyatta.com> Acked-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-05-30T23:38:38Z David S. Miller davem@davemloft.net 2013-05-30T23:38:38Z urn:sha1:73ce00d4d6369c1a91c95f9b41e6ce498fbbd56f Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter/IPVS fixes for 3.10-rc3, they are: * fix xt_addrtype with IPv6, from Florian Westphal. This required a new hook for IPv6 functions in the netfilter core to avoid hard dependencies with the ipv6 subsystem when this match is only used for IPv4. * fix connection reuse case in IPVS. Currently, if an reused connection are directed to the same server. If that server is down, those connection would fail. Therefore, clear the connection and choose a new server among the available ones. * fix possible non-nul terminated string sent to user-space if ipt_ULOG is used as the default netfilter logging stub, from Chen Gang. * fix mark logging of IPv6 packets in xt_LOG, from Michal Kubecek. This bug has been there since 2.6.26. * Fix breakage ip_vs_sh due to incorrect structure layout for RCU, from Jan Beulich. ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 2013-05-28T06:39:19Z Michal Kubecek mkubecek@suse.cz 2013-05-28T06:26:49Z urn:sha1:f96ef988cc603487c03a6de07807b06cbe641829 Unlike ipv4_redirect() and ipv4_sk_redirect(), ip_do_redirect() doesn't call __build_flow_key() directly but via ip_rt_build_flow_key() wrapper. This leads to __build_flow_key() getting pointer to IPv4 header of the ICMP redirect packet rather than pointer to the embedded IPv4 header of the packet initiating the redirect. As a result, handling of ICMP redirects initiated by TCP packets is broken. Issue was introduced by 4895c771c ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-05-26T06:26:30Z Eric Dumazet edumazet@google.com 2013-05-24T05:49:58Z urn:sha1:a622260254ee481747cceaaa8609985b29a31565 Daniel Petre reported crashes in icmp_dst_unreach() with following call graph: #3 [ffff88003fc03938] __stack_chk_fail at ffffffff81037f77 #4 [ffff88003fc03948] icmp_send at ffffffff814d5fec #5 [ffff88003fc03ae8] ipv4_link_failure at ffffffff814a1795 #6 [ffff88003fc03af8] ipgre_tunnel_xmit at ffffffff814e7965 #7 [ffff88003fc03b78] dev_hard_start_xmit at ffffffff8146e032 #8 [ffff88003fc03bc8] sch_direct_xmit at ffffffff81487d66 #9 [ffff88003fc03c08] __qdisc_run at ffffffff81487efd #10 [ffff88003fc03c48] dev_queue_xmit at ffffffff8146e5a7 #11 [ffff88003fc03c88] ip_finish_output at ffffffff814ab596 Daniel found a similar problem mentioned in http://lkml.indiana.edu/hypermail/linux/kernel/1007.0/00961.html And indeed this is the root cause : skb->cb[] contains data fooling IP stack. We must clear IPCB in ip_tunnel_xmit() sooner in case dst_link_failure() is called. Or else skb->cb[] might contain garbage from GSO segmentation layer. A similar fix was tested on linux-3.9, but gre code was refactored in linux-3.10. I'll send patches for stable kernels as well. Many thanks to Daniel for providing reports, patches and testing ! Reported-by: Daniel Petre <daniel.petre@rcs-rds.ro> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-05-24T01:29:20Z Eric Dumazet edumazet@google.com 2013-05-23T07:44:20Z urn:sha1:547669d483e5783d722772af1483fa474da7caf9 commit 3853b5841c01a ("xps: Improvements in TX queue selection") introduced ooo_okay flag, but the condition to set it is slightly wrong. In our traces, we have seen ACK packets being received out of order, and RST packets sent in response. We should test if we have any packets still in host queue. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <therbert@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>