From 8002656c9d5838e5965c4aa79c62c11458ab1ea0 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 18 Mar 2013 13:05:30 -0700 Subject: [PATCH] 3.8-stable patches added patches: 6lowpan-fix-endianness-issue-in-is_addr_link_local.patch atl1c-restore-buffer-state.patch bonding-fire-netdev_release-event-only-on-0-slaves.patch bridge-fix-mdb-info-leaks.patch bridging-fix-rx_handlers-return-code.patch dcbnl-fix-various-netlink-info-leaks.patch ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch netlabel-correctly-list-all-the-static-label-mappings.patch net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch rds-limit-the-size-allocated-by-rds_message_alloc.patch rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch team-unsyc-the-devices-addresses-when-port-is-removed.patch tun-add-a-missing-nf_reset-in-tun_net_xmit.patch vxlan-fix-oops-when-delete-netns-containing-vxlan.patch --- ...dianness-issue-in-is_addr_link_local.patch | 28 +++++ queue-3.8/atl1c-restore-buffer-state.patch | 31 +++++ ...etdev_release-event-only-on-0-slaves.patch | 44 +++++++ queue-3.8/bridge-fix-mdb-info-leaks.patch | 59 ++++++++++ ...bridging-fix-rx_handlers-return-code.patch | 35 ++++++ ...dcbnl-fix-various-netlink-info-leaks.patch | 95 +++++++++++++++ ...o-process-interface-scoped-addresses.patch | 40 +++++++ ...ocket-refcount-when-sendmsg-succeeds.patch | 41 +++++++ ...-to-prevent-unnecessary-promisc-mode.patch | 31 +++++ ...-purge-default-router-if-accept_ra-2.patch | 37 ++++++ ...ameter-size-for-sctp_get_assoc_stats.patch | 52 ++++++++ ...y-list-all-the-static-label-mappings.patch | 111 ++++++++++++++++++ ...-size-allocated-by-rds_message_alloc.patch | 71 +++++++++++ ...n-rtm_getlink-request-for-vf-devices.patch | 33 ++++++ queue-3.8/series | 18 +++ 
...-rtt-when-leaving-receiver-fast-path.patch | 44 +++++++ ...vices-addresses-when-port-is-removed.patch | 33 ++++++ ...d-a-missing-nf_reset-in-tun_net_xmit.patch | 71 +++++++++++ ...s-when-delete-netns-containing-vxlan.patch | 87 ++++++++++++++ 19 files changed, 961 insertions(+) create mode 100644 queue-3.8/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch create mode 100644 queue-3.8/atl1c-restore-buffer-state.patch create mode 100644 queue-3.8/bonding-fire-netdev_release-event-only-on-0-slaves.patch create mode 100644 queue-3.8/bridge-fix-mdb-info-leaks.patch create mode 100644 queue-3.8/bridging-fix-rx_handlers-return-code.patch create mode 100644 queue-3.8/dcbnl-fix-various-netlink-info-leaks.patch create mode 100644 queue-3.8/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch create mode 100644 queue-3.8/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch create mode 100644 queue-3.8/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch create mode 100644 queue-3.8/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch create mode 100644 queue-3.8/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch create mode 100644 queue-3.8/netlabel-correctly-list-all-the-static-label-mappings.patch create mode 100644 queue-3.8/rds-limit-the-size-allocated-by-rds_message_alloc.patch create mode 100644 queue-3.8/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch create mode 100644 queue-3.8/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch create mode 100644 queue-3.8/team-unsyc-the-devices-addresses-when-port-is-removed.patch create mode 100644 queue-3.8/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch create mode 100644 queue-3.8/vxlan-fix-oops-when-delete-netns-containing-vxlan.patch 
diff --git a/queue-3.8/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch b/queue-3.8/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch
new file mode 100644
index 00000000000..2ad7f7946c1
--- /dev/null
+++ b/queue-3.8/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch
@@ -0,0 +1,28 @@
+From ad06d6dfb70a018be6e1da740aff32ec97933162 Mon Sep 17 00:00:00 2001
+From: YOSHIFUJI Hideaki
+Date: Sat, 9 Mar 2013 09:11:57 +0000
+Subject: 6lowpan: Fix endianness issue in is_addr_link_local().
+
+
+From: YOSHIFUJI Hideaki
+
+[ Upstream commit 9026c4927254f5bea695cc3ef2e255280e6a3011 ]
+
+Signed-off-by: YOSHIFUJI Hideaki
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ieee802154/6lowpan.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ieee802154/6lowpan.h
++++ b/net/ieee802154/6lowpan.h
+@@ -84,7 +84,7 @@
+ (memcmp(addr1, addr2, length >> 3) == 0)
+
+ /* local link, i.e. FE80::/10 */
+-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE)
++#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80))
+
+ /*
+ * check whether we can compress the IID to 16 bits,
diff --git a/queue-3.8/atl1c-restore-buffer-state.patch b/queue-3.8/atl1c-restore-buffer-state.patch
new file mode 100644
index 00000000000..e1bd4a30117
--- /dev/null
+++ b/queue-3.8/atl1c-restore-buffer-state.patch
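Review bot: The comment directly above `is_addr_link_local` says `FE80::/10`, but the new comparison `s6_addr16[0] == htons(0xFE80)` matches only addresses whose first 16 bits are exactly fe80, so the remainder of the /10 (fe81:: through febf::) is not treated as link-local. If the full /10 is intended, mask before comparing: `#define is_addr_link_local(a) (((a)->s6_addr16[0] & htons(0xFFC0)) == htons(0xFE80))`. If only fe80-prefixed addresses are expected in this code path, the comment should say that instead. The macro's users are outside this hunk, so which reading they depend on needs to be checked there.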
@@ -0,0 +1,31 @@ +From f8859b97916a135166a770ca140a878f5d09c874 Mon Sep 17 00:00:00 2001 +From: "Huang, Xiong" +Date: Tue, 19 Feb 2013 07:23:09 +0000 +Subject: atl1c: restore buffer state + + +From: "Huang, Xiong" + +[ Upstream commit 7cb08d7f3a5ea6131f4f243c2080530ac41cb293 ] + +in the previous commit : f1f220ea1dda078, the BUSY state of buffer is wrongly +deleted. this patch just restore it. + +Signed-off-by: xiong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -2075,7 +2075,7 @@ static int atl1c_tx_map(struct atl1c_ada + if (unlikely(pci_dma_mapping_error(adapter->pdev, + buffer_info->dma))) + goto err_dma; +- ++ ATL1C_SET_BUFFER_STATE(buffer_info, ATL1C_BUFFER_BUSY); + ATL1C_SET_PCIMAP_TYPE(buffer_info, ATL1C_PCIMAP_SINGLE, + ATL1C_PCIMAP_TODEVICE); + mapped_len += map_len; diff --git a/queue-3.8/bonding-fire-netdev_release-event-only-on-0-slaves.patch b/queue-3.8/bonding-fire-netdev_release-event-only-on-0-slaves.patch new file mode 100644 index 00000000000..1558d7bb86a --- /dev/null +++ b/queue-3.8/bonding-fire-netdev_release-event-only-on-0-slaves.patch 
@@ -0,0 +1,44 @@ +From 14db5b7fcb01ffb283dd7ac2f8401195cce0cef6 Mon Sep 17 00:00:00 2001 +From: Veaceslav Falico +Date: Wed, 6 Mar 2013 07:10:32 +0000 +Subject: bonding: fire NETDEV_RELEASE event only on 0 slaves + + +From: Veaceslav Falico + +[ Upstream commit 80028ea1c0afc24d4ddeb8dd2a9992fff03616ca ] + +Currently, if we set up netconsole over bonding and release a slave, +netconsole will stop logging on the whole bonding device. Change the +behavior to stop the netconsole only when the last slave is released. + +Signed-off-by: Veaceslav Falico +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1943,7 +1943,6 @@ int bond_release(struct net_device *bond + } + + block_netpoll_tx(); +- call_netdevice_notifiers(NETDEV_RELEASE, bond_dev); + write_lock_bh(&bond->lock); + + slave = bond_get_slave_by_dev(bond, slave_dev); +@@ -2047,8 +2046,10 @@ int bond_release(struct net_device *bond + write_unlock_bh(&bond->lock); + unblock_netpoll_tx(); + +- if (bond->slave_cnt == 0) ++ if (bond->slave_cnt == 0) { + call_netdevice_notifiers(NETDEV_CHANGEADDR, bond->dev); ++ call_netdevice_notifiers(NETDEV_RELEASE, bond->dev); ++ } + + bond_compute_features(bond); + if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) && diff --git a/queue-3.8/bridge-fix-mdb-info-leaks.patch b/queue-3.8/bridge-fix-mdb-info-leaks.patch new file mode 100644 index 00000000000..cfb076af39d --- /dev/null +++ b/queue-3.8/bridge-fix-mdb-info-leaks.patch 
@@ -0,0 +1,59 @@
+From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 9 Mar 2013 05:52:19 +0000
+Subject: bridge: fix mdb info leaks
+
+
+From: Mathias Krause
+
+[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]
+
+The bridging code discloses heap and stack bytes via the RTM_GETMDB
+netlink interface and via the notify messages send to group RTNLGRP_MDB
+afer a successful add/del.
+
+Fix both cases by initializing all unset members/padding bytes with
+memset(0).
+
+Cc: Stephen Hemminger
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_mdb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
+ port = p->port;
+ if (port) {
+ struct br_mdb_entry e;
++ memset(&e, 0, sizeof(e));
+ e.ifindex = port->dev->ifindex;
+ e.state = p->state;
+ if (p->addr.proto == htons(ETH_P_IP))
+@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
+ break;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->ifindex = dev->ifindex;
+ if (br_mdb_fill_info(skb, cb, dev) < 0)
+ goto out;
+@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
+ return -EMSGSIZE;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->family = AF_BRIDGE;
+ bpm->ifindex = dev->ifindex;
+ nest = nla_nest_start(skb, MDBA_MDB);
+@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
+ {
+ struct br_mdb_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ entry.ifindex = port->dev->ifindex;
+ entry.addr.proto = group->proto;
+ entry.addr.u.ip4 = group->u.ip4;
diff --git a/queue-3.8/bridging-fix-rx_handlers-return-code.patch b/queue-3.8/bridging-fix-rx_handlers-return-code.patch
new file mode 100644
index 00000000000..6856973d154
--- /dev/null
+++ b/queue-3.8/bridging-fix-rx_handlers-return-code.patch
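Review bot: None of the four added `memset()` calls in br_mdb.c records why it is there, and in `br_mdb_fill_info` and `br_mdb_notify` several members are assigned on the very next lines, so the call reads as redundant and is easy to drop or swap for a partial initializer in a later cleanup. A one-line comment above each call would keep the reason with the code, for example `/* clear padding and unset members: this struct is copied to userspace over netlink */`. The same applies to the `memset()` calls added in dcbnl-fix-various-netlink-info-leaks.patch in this series. All four functions continue outside their hunks, so members set further down are not visible here.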
@@ -0,0 +1,35 @@ +From a371fe97a987919377e9e6d8316f0fd373e84f89 Mon Sep 17 00:00:00 2001 +From: Cristian Bercaru +Date: Fri, 8 Mar 2013 07:03:38 +0000 +Subject: bridging: fix rx_handlers return code + + +From: Cristian Bercaru + +[ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ] + +The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer +counted as dropped. They are counted as successfully received by +'netif_receive_skb'. + +This allows network interface drivers to correctly update their RX-OK and +RX-DRP counters based on the result of 'netif_receive_skb'. + +Signed-off-by: Cristian Bercaru +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3419,6 +3419,7 @@ ncls: + } + switch (rx_handler(&skb)) { + case RX_HANDLER_CONSUMED: ++ ret = NET_RX_SUCCESS; + goto unlock; + case RX_HANDLER_ANOTHER: + goto another_round; diff --git a/queue-3.8/dcbnl-fix-various-netlink-info-leaks.patch b/queue-3.8/dcbnl-fix-various-netlink-info-leaks.patch new file mode 100644 index 00000000000..ac1d43475d7 --- /dev/null +++ b/queue-3.8/dcbnl-fix-various-netlink-info-leaks.patch 
@@ -0,0 +1,95 @@ +From d6f60f50fead5fb769f447c20aa5b80a1fd627f3 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sat, 9 Mar 2013 05:52:21 +0000 +Subject: dcbnl: fix various netlink info leaks + + +From: Mathias Krause + +[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ] + +The dcb netlink interface leaks stack memory in various places: +* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, +* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., +* the same is true for CEE -- no in-kernel driver fills the whole + struct, + +Prevent all of the above stack info leaks by properly initializing the +buffers/structures involved. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct n + if (!netdev->dcbnl_ops->getpermhwaddr) + return -EOPNOTSUPP; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr); +@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets)) +@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_getmaxrate) { + struct ieee_maxrate maxrate; ++ memset(&maxrate, 0, sizeof(maxrate)); + err = ops->ieee_getmaxrate(netdev, &maxrate); + if (!err) { + err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE, +@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, 
sizeof(pfc)); + err = ops->ieee_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc)) +@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buf + /* get peer info if available */ + if (ops->ieee_peer_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_peer_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets)) +@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_peer_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc)) +@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff + /* peer info if available */ + if (ops->cee_peer_getpg) { + struct cee_pg pg; ++ memset(&pg, 0, sizeof(pg)); + err = ops->cee_peer_getpg(netdev, &pg); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg)) +@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff + + if (ops->cee_peer_getpfc) { + struct cee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->cee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc)) diff --git a/queue-3.8/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch b/queue-3.8/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch new file mode 100644 index 00000000000..1162a31db1a --- /dev/null +++ b/queue-3.8/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch 
@@ -0,0 +1,40 @@ +From 873d72b49df7f246b548bba2683ce84731f2e8f3 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 8 Mar 2013 02:07:23 +0000 +Subject: ipv6: stop multicast forwarding to process interface scoped addresses + + +From: Hannes Frederic Sowa + +[ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ] + +v2: +a) used struct ipv6_addr_props + +v3: +a) reverted changes for ipv6_addr_props + +v4: +a) do not use __ipv6_addr_needs_scope_id + +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Acked-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -270,7 +270,8 @@ int ip6_mc_input(struct sk_buff *skb) + * IPv6 multicast router mode is now supported ;) + */ + if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding && +- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) && ++ !(ipv6_addr_type(&hdr->daddr) & ++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) && + likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) { + /* + * Okay, we try to forward - split and duplicate diff --git a/queue-3.8/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch b/queue-3.8/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch new file mode 100644 index 00000000000..fc15c9a2597 --- /dev/null +++ b/queue-3.8/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch 
@@ -0,0 +1,41 @@
+From 40fa5621b5a987cbf2313e21e90f2dbbf9983f07 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault
+Date: Fri, 1 Mar 2013 05:02:02 +0000
+Subject: l2tp: Restore socket refcount when sendmsg succeeds
+
+
+From: Guillaume Nault
+
+[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
+
+The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+reference counter after successful transmissions. Any successful
+sendmsg() call from userspace will then increase the reference counter
+forever, thus preventing the kernel's session and tunnel data from
+being freed later on.
+
+The problem only happens when writing directly on L2TP sockets.
+PPP sockets attached to L2TP are unaffected as the PPP subsystem
+uses pppol2tp_xmit() which symmetrically increase/decrease reference
+counters.
+
+This patch adds the missing call to sock_put() before returning from
+pppol2tp_sendmsg().
+
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -355,6 +355,7 @@ static int pppol2tp_sendmsg(struct kiocb
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
diff --git a/queue-3.8/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch b/queue-3.8/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch
new file mode 100644
index 00000000000..3e853b3b16b
--- /dev/null
+++ b/queue-3.8/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch
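Review bot: The added `sock_put(sk)` carries no comment naming the reference it releases, and the call that takes that reference is outside the hunk, so the pairing cannot be checked from these lines. A short comment on each put, e.g. `sock_put(sk); /* drop the reference on sk held for the duration of this call */`, would make the two releases on the success path distinguishable from each other. The error labels that follow `return error;` are also outside the hunk; it is worth confirming that none of them can be reached after this new put, since a second release of the same reference would free the socket while it is still in use.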
@@ -0,0 +1,31 @@ +From 055ac17d92eee5e96bb207f2a4d7da92ac64a690 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 7 Mar 2013 10:21:48 +0000 +Subject: macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode. + + +From: Vlad Yasevich + +[ Upstream commit 87ab7f6f2874f1115817e394a7ed2dea1c72549e ] + +Macvlan already supports hw address filters. Set the IFF_UNICAST_FLT +so that it doesn't needlesly enter PROMISC mode when macvlans are +stacked. + +Signed-of-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -628,6 +628,7 @@ void macvlan_common_setup(struct net_dev + ether_setup(dev); + + dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING); ++ dev->priv_flags |= IFF_UNICAST_FLT; + dev->netdev_ops = &macvlan_netdev_ops; + dev->destructor = free_netdev; + dev->header_ops = &macvlan_hard_header_ops, diff --git a/queue-3.8/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch b/queue-3.8/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch new file mode 100644 index 00000000000..17437946dcf --- /dev/null +++ b/queue-3.8/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch 
@@ -0,0 +1,37 @@ +From 050003433737f47a3e2bc7e46eaf5a1269a7ac02 Mon Sep 17 00:00:00 2001 +From: Lorenzo Colitti +Date: Sun, 3 Mar 2013 20:46:46 +0000 +Subject: net: ipv6: Don't purge default router if accept_ra=2 + + +From: Lorenzo Colitti + +[ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ] + +Setting net.ipv6.conf..accept_ra=2 causes the kernel +to accept RAs even when forwarding is enabled. However, enabling +forwarding purges all default routes on the system, breaking +connectivity until the next RA is received. Fix this by not +purging default routes on interfaces that have accept_ra=2. + +Signed-off-by: Lorenzo Colitti +Acked-by: YOSHIFUJI Hideaki +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1990,7 +1990,8 @@ void rt6_purge_dflt_routers(struct net * + restart: + read_lock_bh(&table->tb6_lock); + for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) { +- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) { ++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) && ++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) { + dst_hold(&rt->dst); + read_unlock_bh(&table->tb6_lock); + ip6_del_rt(rt); diff --git a/queue-3.8/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch b/queue-3.8/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch new file mode 100644 index 00000000000..017503bbb2f --- /dev/null +++ b/queue-3.8/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch 
@@ -0,0 +1,52 @@
+From e5f9811e44fcf067a0dbb8abf55bbad454a1688a Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Wed, 27 Feb 2013 10:57:31 +0000
+Subject: net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+
+From: Guenter Roeck
+
+commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream.
+
+Building sctp may fail with:
+
+In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+if built with W=1 due to a missing parameter size validation
+before the call to copy_from_user.
+
+Signed-off-by: Guenter Roeck
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(s
+ if (len < sizeof(sctp_assoc_t))
+ return -EINVAL;
+
++ /* Allow the struct to grow and fill in as much as possible */
++ len = min_t(size_t, len, sizeof(sas));
++
+ if (copy_from_user(&sas, optval, len))
+ return -EFAULT;
+
+@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(s
+ /* Mark beginning of a new observation period */
+ asoc->stats.max_obs_rto = asoc->rto_min;
+
+- /* Allow the struct to grow and fill in as much as possible */
+- len = min_t(size_t, len, sizeof(sas));
+-
+ if (put_user(len, optlen))
+ return -EFAULT;
+
diff --git a/queue-3.8/netlabel-correctly-list-all-the-static-label-mappings.patch b/queue-3.8/netlabel-correctly-list-all-the-static-label-mappings.patch
new file mode 100644
index 00000000000..e61e752d199
--- /dev/null
+++ b/queue-3.8/netlabel-correctly-list-all-the-static-label-mappings.patch
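Review bot: The comment moved along with the clamp, `Allow the struct to grow and fill in as much as possible`, describes the output side only, while in its new position in `sctp_getsockopt_assoc_stats` the clamp is what bounds the `copy_from_user()` into the on-stack `sas`. The comment should say so, e.g. `/* Bound the copy into the on-stack sas; a larger optlen is truncated, not rejected */`, so the line is not moved back below the copy as a tidy-up. Separately, any `len` between `sizeof(sctp_assoc_t)` and `sizeof(sas)` passes the checks, so only the leading part of `sas` comes from the caller; the code that fills and copies the struct back is outside both hunks, so it should be confirmed there that no unwritten bytes of `sas` are returned.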
@@ -0,0 +1,111 @@ +From 3f980ad22fe2c1665b8c1d11adf1ae6d8a25a05c Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 6 Mar 2013 11:45:24 +0000 +Subject: netlabel: correctly list all the static label mappings + + +From: Paul Moore + +[ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and + a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ] + +When we have a large number of static label mappings that spill across +the netlink message boundary we fail to properly save our state in the +netlink_callback struct which causes us to repeat the same listings. +This patch fixes this problem by saving the state correctly between +calls to the NetLabel static label netlink "dumpit" routines. + +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlabel/netlabel_unlabeled.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(str + struct netlbl_unlhsh_walk_arg cb_arg; + u32 skip_bkt = cb->args[0]; + u32 skip_chain = cb->args[1]; +- u32 skip_addr4 = cb->args[2]; +- u32 skip_addr6 = cb->args[3]; + u32 iter_bkt; + u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_unlhsh_iface *iface; +@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(str + continue; + netlbl_af4list_foreach_rcu(addr4, + &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[2]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(str + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, + &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[3]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(str + + 
unlabel_staticlist_return: + rcu_read_unlock(); +- cb->args[0] = skip_bkt; +- cb->args[1] = skip_chain; +- cb->args[2] = skip_addr4; +- cb->args[3] = skip_addr6; ++ cb->args[0] = iter_bkt; ++ cb->args[1] = iter_chain; ++ cb->args[2] = iter_addr4; ++ cb->args[3] = iter_addr6; + return skb->len; + } + +@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef( + { + struct netlbl_unlhsh_walk_arg cb_arg; + struct netlbl_unlhsh_iface *iface; +- u32 skip_addr4 = cb->args[0]; +- u32 skip_addr6 = cb->args[1]; +- u32 iter_addr4 = 0; ++ u32 iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_af4list *addr4; + #if IS_ENABLED(CONFIG_IPV6) +- u32 iter_addr6 = 0; + struct netlbl_af6list *addr6; + #endif + +@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef( + goto unlabel_staticlistdef_return; + + netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[0]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef( + } + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[1]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef( + + unlabel_staticlistdef_return: + rcu_read_unlock(); +- cb->args[0] = skip_addr4; +- cb->args[1] = skip_addr6; ++ cb->args[0] = iter_addr4; ++ cb->args[1] = iter_addr6; + return skb->len; + } + diff --git a/queue-3.8/rds-limit-the-size-allocated-by-rds_message_alloc.patch b/queue-3.8/rds-limit-the-size-allocated-by-rds_message_alloc.patch new file mode 100644 index 00000000000..106cfc2200c --- /dev/null +++ b/queue-3.8/rds-limit-the-size-allocated-by-rds_message_alloc.patch 
@@ -0,0 +1,71 @@
+From 55c315e31dac6ebe4b66c630d2127cab52b02cc3 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+
+From: Cong Wang
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [] warn_slowpath_common+0x75/0xa0
+ [] warn_slowpath_null+0x1a/0x20
+ [] __alloc_pages_nodemask+0xa0d/0xbe0
+ [] ? native_sched_clock+0x26/0x90
+ [] ? trace_hardirqs_off_caller+0x28/0xc0
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] alloc_pages_current+0xb8/0x180
+ [] __get_free_pages+0x2a/0x80
+ [] kmalloc_order_trace+0x3e/0x1a0
+ [] __kmalloc+0x2f5/0x3a0
+ [] ? local_bh_enable_ip+0x7c/0xf0
+ [] rds_message_alloc+0x23/0xb0 [rds]
+ [] rds_sendmsg+0x2b1/0x990 [rds]
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] sock_sendmsg+0xb0/0xe0
+ [] ? get_lock_stats+0x22/0x70
+ [] ? put_lock_stats.isra.23+0xe/0x40
+ [] sys_sendto+0x130/0x180
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] ? _raw_spin_unlock_irq+0x3b/0x60
+ [] ? sysret_check+0x1b/0x56
+ [] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones
+Cc: Dave Jones
+Cc: David S. Miller
+Cc: Venkat Venkatsubra
+Signed-off-by: Cong Wang
+Acked-by: Venkat Venkatsubra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
diff --git a/queue-3.8/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch b/queue-3.8/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
new file mode 100644
index 00000000000..7399ad4123a
--- /dev/null
+++ b/queue-3.8/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
@@ -0,0 +1,33 @@
+From 322aa953dd5565d1029a18d5bda0bd25a0dbb4bb Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/queue-3.8/series b/queue-3.8/series
index 1a3c5ddb0f2..96941cee3d0 100644
--- a/queue-3.8/series
+++ b/queue-3.8/series
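Review bot: The new size guard in `rds_message_alloc` returns NULL, the same result as a failed `kzalloc()` three lines below, so a caller cannot tell an oversized request from memory exhaustion. The commit message and call trace show the length arriving from userspace through `rds_sendmsg`; that caller is outside this hunk, but if it maps NULL to an out-of-memory error, rejecting the length there with a size error before allocating would report the real cause. At minimum the guard deserves a comment, e.g. `/* extra_len is derived from userspace; refuse what kmalloc cannot satisfy */`.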
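Review bot: Only `ivi.mac` is cleared before `ndo_get_vf_config()` runs in `rtnl_fill_ifinfo`, so any other member of `ivi` that a driver leaves unset, and any padding inside the struct, still holds stack contents. The lines that copy `ivi` into the netlink attributes are outside this hunk, so whether those bytes reach userspace cannot be confirmed from here, but clearing the whole struct removes the question: `memset(&ivi, 0, sizeof(ivi));` placed before `ivi.spoofchk = -1;`. The commit message itself notes that drivers do not fill everything they are handed, which is the reason not to rely on them for the remaining fields either.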
@@ -53,3 +53,21 @@ net-mlx4_en-disable-rfs-when-running-in-sriov-mode.patch block-use-i_size_write-in-bd_set_size.patch loopdev-fix-a-deadlock.patch loopdev-remove-an-user-triggerable-oops.patch +net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch +l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch +atl1c-restore-buffer-state.patch +rds-limit-the-size-allocated-by-rds_message_alloc.patch +net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch +tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch +tun-add-a-missing-nf_reset-in-tun_net_xmit.patch +vxlan-fix-oops-when-delete-netns-containing-vxlan.patch +bonding-fire-netdev_release-event-only-on-0-slaves.patch +team-unsyc-the-devices-addresses-when-port-is-removed.patch +macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch +netlabel-correctly-list-all-the-static-label-mappings.patch +bridging-fix-rx_handlers-return-code.patch +ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch +bridge-fix-mdb-info-leaks.patch +rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch +dcbnl-fix-various-netlink-info-leaks.patch +6lowpan-fix-endianness-issue-in-is_addr_link_local.patch diff --git a/queue-3.8/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch b/queue-3.8/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch new file mode 100644 index 00000000000..972131ea55a --- /dev/null +++ b/queue-3.8/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch 
@@ -0,0 +1,44 @@
+From 2d2809452253a92adcabba4d897bf58a5c9794fb Mon Sep 17 00:00:00 2001
+From: Neal Cardwell
+Date: Mon, 4 Mar 2013 06:23:05 +0000
+Subject: tcp: fix double-counted receiver RTT when leaving receiver fast path
+
+
+From: Neal Cardwell
+
+[ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ]
+
+We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both
+before and after going to step5. That wastes CPU and double-counts the
+receiver-side RTT sample.
+
+Signed-off-by: Neal Cardwell
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5498,6 +5498,9 @@ int tcp_rcv_established(struct sock *sk,
+ if (tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if ((int)skb->truesize > sk->sk_forward_alloc)
++ goto step5;
++
+ /* Predicted packet is in window by definition.
+ * seq == rcv_nxt and rcv_wup <= rcv_nxt.
+ * Hence, check seq<=rcv_wup reduces to:
+@@ -5509,9 +5512,6 @@ int tcp_rcv_established(struct sock *sk,
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+- if ((int)skb->truesize > sk->sk_forward_alloc)
+- goto step5;
+-
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);
+
+ /* Bulk data transfer: receiver */
diff --git a/queue-3.8/team-unsyc-the-devices-addresses-when-port-is-removed.patch b/queue-3.8/team-unsyc-the-devices-addresses-when-port-is-removed.patch
new file mode 100644
index 00000000000..9a3c53abceb
--- /dev/null
+++ b/queue-3.8/team-unsyc-the-devices-addresses-when-port-is-removed.patch
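Review bot: The relocated `truesize` check in the first tcp_input.c hunk has no comment saying why it must sit above `tcp_rcv_rtt_measure_ts()` (context of the second hunk) and, per the commit message, above the ts_recent update. Without one, a later cleanup could move it back down and reintroduce the double-counted RTT sample. I would add above it: `/* Leave for step5 before updating ts_recent or sampling RTT; the slow path does both again. */`. tcp_rcv_established starts and ends outside both hunks.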
@@ -0,0 +1,33 @@
+From 716e93f23ee293e0bd2da22306f9be9647be28e9 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich
+Date: Thu, 7 Mar 2013 07:59:25 +0000
+Subject: team: unsyc the devices addresses when port is removed
+
+
+From: Vlad Yasevich
+
+[ Upstream commit ba81276b1a5e3cf0674cb0e6d9525e5ae0c98695 ]
+
+When a team port is removed, unsync all devices addresses that may have
+been synched to the port devices.
+
+CC: Jiri Pirko
+Signed-off-by: Vlad Yasevich
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1139,6 +1139,8 @@ static int team_port_del(struct team *te
+ netdev_set_master(port_dev, NULL);
+ team_port_disable_netpoll(port);
+ vlan_vids_del_by_dev(port_dev, dev);
++ dev_uc_unsync(port_dev, dev);
++ dev_mc_unsync(port_dev, dev);
+ dev_close(port_dev);
+ team_port_leave(team, port);
+ team_port_set_orig_dev_addr(port);
diff --git a/queue-3.8/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch b/queue-3.8/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
new file mode 100644
index 00000000000..0d28853f778
--- /dev/null
+++ b/queue-3.8/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch
@@ -0,0 +1,71 @@
+From bb765e4e02251f185577f65240c7882b0b1bf482 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 6 Mar 2013 11:02:37 +0000
+Subject: tun: add a missing nf_reset() in tun_net_xmit()
+
+
+From: Eric Dumazet
+
+[ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ]
+
+Dave reported following crash :
+
+general protection fault: 0000 [#1] SMP
+CPU 2
+Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch
+RIP: 0010:[] [] destroy_conntrack+0x35/0x120 [nf_conntrack]
+RSP: 0018:ffff880276913d78 EFLAGS: 00010206
+RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00
+RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002
+RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900
+R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40
+R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002
+FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720)
+Stack:
+ ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7
+ ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100
+ ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470
+Call Trace:
+ [] nf_conntrack_destroy+0x17/0x20
+ [] skb_release_head_state+0x7b/0x100
+ [] __kfree_skb+0x16/0xa0
+ [] kfree_skb+0x36/0xa0
+ [] skb_queue_purge+0x20/0x40
+ [] __tun_detach+0x117/0x140 [tun]
+ [] tun_chr_close+0x3c/0xd0 [tun]
+ [] __fput+0xec/0x240
+ [] ____fput+0xe/0x10
+ [] task_work_run+0xa7/0xe0
+ [] do_notify_resume+0x71/0xb0
+ [] int_signal+0x12/0x17
+Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85
de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0
+RIP [] destroy_conntrack+0x35/0x120 [nf_conntrack]
+ RSP
+
+This is because tun_net_xmit() needs to call nf_reset()
+before queuing skb into receive_queue
+
+Reported-by: Dave Jones
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -748,6 +748,8 @@ static netdev_tx_t tun_net_xmit(struct s
+ goto drop;
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);
+
diff --git a/queue-3.8/vxlan-fix-oops-when-delete-netns-containing-vxlan.patch b/queue-3.8/vxlan-fix-oops-when-delete-netns-containing-vxlan.patch
new file mode 100644
index 00000000000..de75ad6102d
--- /dev/null
+++ b/queue-3.8/vxlan-fix-oops-when-delete-netns-containing-vxlan.patch
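Review bot: The new `nf_reset(skb);` in tun_net_xmit carries no comment, and the reason for it is only recoverable from the oops in the commit message. There the skb stays on `sk_receive_queue` until `__tun_detach()` purges it, and freeing it at that point ends in `destroy_conntrack()`. A one-line comment would keep the call from being dropped later as redundant: `/* Release the conntrack reference before the skb is parked on the receive queue. */`. The function body starts and ends outside the hunk.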
@@ -0,0 +1,87 @@
+From ce033850e354e2f5241251cd9cc51677caa5ef65 Mon Sep 17 00:00:00 2001
+From: Zang MingJie
+Date: Wed, 6 Mar 2013 04:37:37 +0000
+Subject: vxlan: fix oops when delete netns containing vxlan
+
+
+From: Zang MingJie
+
+[ Upstream commit 9cb6cb7ed11cd3b69c47bb414983603a6ff20b1d ]
+
+The following script will produce a kernel oops:
+
+ sudo ip netns add v
+ sudo ip netns exec v ip ad add 127.0.0.1/8 dev lo
+ sudo ip netns exec v ip link set lo up
+ sudo ip netns exec v ip ro add 224.0.0.0/4 dev lo
+ sudo ip netns exec v ip li add vxlan0 type vxlan id 42 group 239.1.1.1 dev lo
+ sudo ip netns exec v ip link set vxlan0 up
+ sudo ip netns del v
+
+where inspect by gdb:
+
+ Program received signal SIGSEGV, Segmentation fault.
+ [Switching to Thread 107]
+ 0xffffffffa0289e33 in ?? ()
+ (gdb) bt
+ #0 vxlan_leave_group (dev=0xffff88001bafa000) at drivers/net/vxlan.c:533
+ #1 vxlan_stop (dev=0xffff88001bafa000) at drivers/net/vxlan.c:1087
+ #2 0xffffffff812cc498 in __dev_close_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:1299
+ #3 0xffffffff812cd920 in dev_close_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:1335
+ #4 0xffffffff812cef31 in rollback_registered_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:4851
+ #5 0xffffffff812cf040 in unregister_netdevice_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:5752
+ #6 0xffffffff812cf1ba in default_device_exit_batch (net_list=0xffff88001f2e7e18) at net/core/dev.c:6170
+ #7 0xffffffff812cab27 in cleanup_net (work=) at net/core/net_namespace.c:302
+ #8 0xffffffff810540ef in process_one_work (worker=0xffff88001ba9ed40, work=0xffffffff8167d020) at kernel/workqueue.c:2157
+ #9 0xffffffff810549d0 in worker_thread (__worker=__worker@entry=0xffff88001ba9ed40) at kernel/workqueue.c:2276
+ #10 0xffffffff8105870c in kthread (_create=0xffff88001f2e5d68) at kernel/kthread.c:168
+ #11
+ #12 0x0000000000000000 in ?? ()
+ #13 0x0000000000000000 in ??
()
+ (gdb) fr 0
+ #0 vxlan_leave_group (dev=0xffff88001bafa000) at drivers/net/vxlan.c:533
+ 533 struct sock *sk = vn->sock->sk;
+ (gdb) l
+ 528 static int vxlan_leave_group(struct net_device *dev)
+ 529 {
+ 530 struct vxlan_dev *vxlan = netdev_priv(dev);
+ 531 struct vxlan_net *vn = net_generic(dev_net(dev), vxlan_net_id);
+ 532 int err = 0;
+ 533 struct sock *sk = vn->sock->sk;
+ 534 struct ip_mreqn mreq = {
+ 535 .imr_multiaddr.s_addr = vxlan->gaddr,
+ 536 .imr_ifindex = vxlan->link,
+ 537 };
+ (gdb) p vn->sock
+ $4 = (struct socket *) 0x0
+
+The kernel calls `vxlan_exit_net` when deleting the netns before shutting down
+vxlan interfaces. Later the removal of all vxlan interfaces, where `vn->sock`
+is already gone causes the oops. so we should manually shutdown all interfaces
+before deleting `vn->sock` as the patch does.
+
+Signed-off-by: Zang MingJie
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vxlan.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1491,6 +1491,15 @@ static __net_init int vxlan_init_net(str
+ static __net_exit void vxlan_exit_net(struct net *net)
+ {
+ struct vxlan_net *vn = net_generic(net, vxlan_net_id);
++ struct vxlan_dev *vxlan;
++ struct hlist_node *pos;
++ unsigned h;
++
++ rtnl_lock();
++ for (h = 0; h < VNI_HASH_SIZE; ++h)
++ hlist_for_each_entry(vxlan, pos, &vn->vni_list[h], hlist)
++ dev_close(vxlan->dev);
++ rtnl_unlock();
+
+ if (vn->sock) {
+ sk_release_kernel(vn->sock->sk);
-- 2.47.3
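Review bot: The added loop in vxlan_exit_net has no comment tying it to the socket release that follows, although that ordering is the whole fix. Per the backtrace and listing in the commit message, `vxlan_stop()` calls `vxlan_leave_group()`, which dereferences `vn->sock->sk` without a NULL check. I would put `/* Close all vxlan devices while vn->sock is still valid; vxlan_stop() needs it. */` above `rtnl_lock();`. As a style point, `unsigned h;` is more commonly written `unsigned int h;` in kernel code. The function's closing lines are outside the hunk.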