Emese Revfy [Wed, 17 Apr 2013 22:58:36 +0000 (15:58 -0700)]
kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
commit
b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.
This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.
This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.
The place of the infoleak:
int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
{
...
put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
...
}
Signed-off-by: Emese Revfy <re.emese@gmail.com>
Reviewed-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Oleg Nesterov [Wed, 25 May 2011 17:20:21 +0000 (19:20 +0200)]
ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread
commit
0666fb51b1483f27506e212cc7f7b2645b5c7acc upstream.
It is not clear why ptrace_resume() does wake_up_process(). Unless the
caller is PTRACE_KILL the tracee should be TASK_TRACED so we can use
wake_up_state(__TASK_TRACED). If sys_ptrace() races with SIGKILL we do
not need the extra and potentionally spurious wakeup.
If the caller is PTRACE_KILL, wake_up_process() is even more wrong.
The tracee can sleep in any state in any place, and if we have a buggy
code which doesn't handle a spurious wakeup correctly PTRACE_KILL can
be used to exploit it. For example:
int main(void)
{
int child, status;
child = fork();
if (!child) {
int ret;
assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
ret = pause();
printf("pause: %d %m\n", ret);
return 0x23;
}
sleep(1);
assert(ptrace(PTRACE_KILL, child, 0,0) == 0);
assert(child == wait(&status));
printf("wait: %x\n", status);
return 0;
}
prints "pause: -1 Unknown error 514", -ERESTARTNOHAND leaks to the
userland. In this case sys_pause() is buggy as well and should be
fixed.
I do not know what was the original rationality behind PTRACE_KILL.
The man page is simply wrong and afaics it was always wrong. Imho
it should be deprecated, or may be it should do send_sig(SIGKILL)
as Denys suggests, but in any case I do not think that the current
behaviour was intentional.
Note: there is another problem, ptrace_resume() changes ->exit_code
and this can race with SIGKILL too. Eventually we should change ptrace
to not use ->exit_code.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Tue, 18 Dec 2012 00:03:20 +0000 (16:03 -0800)]
exec: use -ELOOP for max recursion depth
commit
d740269867021faf4ce38a449353d2b986c34a67 upstream.
To avoid an explosion of request_module calls on a chain of abusive
scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
as maximum recursion depth is hit, the error will fail all the way back
up the chain, aborting immediately.
This also has the side-effect of stopping the user's shell from attempting
to reexecute the top-level file as a shell script. As seen in the
dash source:
if (cmd != path_bshell && errno == ENOEXEC) {
*argv-- = cmd;
*argv = cmd = path_bshell;
goto repeat;
}
The above logic was designed for running scripts automatically that lacked
the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
things continue to behave as the shell expects.
Additionally, when tracking recursion, the binfmt handlers should not be
involved. The recursion being tracked is the depth of calls through
search_binary_handler(), so that function should be exclusively responsible
for tracking the depth.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Thu, 20 Dec 2012 23:05:16 +0000 (15:05 -0800)]
exec: do not leave bprm->interp on stack
commit
b66c5984017533316fd1951770302649baf1aa33 upstream.
If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.
Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules. Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted. They leave bprm->interp
pointing to their local stack. This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.
After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules. As
such, we need to protect the changes to interp.
This changes the logic to require allocation for any changes to the
bprm->interp. To avoid adding a new kmalloc to every exec, the default
value is left as-is. Only when passing through binfmt_script or
binfmt_misc does an allocation take place.
For a proof of concept, see DoTest.sh from:
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Thu, 25 Oct 2012 20:38:14 +0000 (13:38 -0700)]
gen_init_cpio: avoid stack overflow when expanding
commit
20f1de659b77364d55d4e7fad2ef657e7730323f upstream.
Fix possible overflow of the buffer used for expanding environment
variables when building file list.
In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.
$ cat usr/crash.list
file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
$ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
*** buffer overflow detected ***: ./usr/gen_init_cpio terminated
This also replaces the space-indenting with tabs.
Patch based on existing fix extracted from grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Thomas Gleixner [Fri, 3 May 2013 13:02:50 +0000 (15:02 +0200)]
tick: Cleanup NOHZ per cpu data on cpu down
commit
4b0c0f294f60abcdd20994a8341a95c8ac5eeb96 upstream.
Prarit reported a crash on CPU offline/online. The reason is that on
CPU down the NOHZ related per cpu data of the dead cpu is not cleaned
up. If at cpu online an interrupt happens before the per cpu tick
device is registered the irq_enter() check potentially sees stale data
and dereferences a NULL pointer.
Cleanup the data after the cpu is dead.
Reported-by: Prarit Bhargava <prarit@redhat.com>
Cc: Mike Galbraith <bitbucket@online.de>
Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1305031451561.2886@ionos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Tirupathi Reddy [Tue, 14 May 2013 08:29:02 +0000 (13:59 +0530)]
timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
commit
42a5cf46cd56f46267d2a9fcf2655f4078cd3042 upstream.
An inactive timer's base can refer to a offline cpu's base.
In the current code, cpu_base's lock is blindly reinitialized each
time a CPU is brought up. If a CPU is brought online during the period
that another thread is trying to modify an inactive timer on that CPU
with holding its timer base lock, then the lock will be reinitialized
under its feet. This leads to following SPIN_BUG().
<0> BUG: spinlock already unlocked on CPU#3, kworker/u:3/1466
<0> lock: 0xe3ebe000, .magic:
dead4ead, .owner: kworker/u:3/1466, .owner_cpu: 1
<4> [<
c0013dc4>] (unwind_backtrace+0x0/0x11c) from [<
c026e794>] (do_raw_spin_unlock+0x40/0xcc)
<4> [<
c026e794>] (do_raw_spin_unlock+0x40/0xcc) from [<
c076c160>] (_raw_spin_unlock+0x8/0x30)
<4> [<
c076c160>] (_raw_spin_unlock+0x8/0x30) from [<
c009b858>] (mod_timer+0x294/0x310)
<4> [<
c009b858>] (mod_timer+0x294/0x310) from [<
c00a5e04>] (queue_delayed_work_on+0x104/0x120)
<4> [<
c00a5e04>] (queue_delayed_work_on+0x104/0x120) from [<
c04eae00>] (sdhci_msm_bus_voting+0x88/0x9c)
<4> [<
c04eae00>] (sdhci_msm_bus_voting+0x88/0x9c) from [<
c04d8780>] (sdhci_disable+0x40/0x48)
<4> [<
c04d8780>] (sdhci_disable+0x40/0x48) from [<
c04bf300>] (mmc_release_host+0x4c/0xb0)
<4> [<
c04bf300>] (mmc_release_host+0x4c/0xb0) from [<
c04c7aac>] (mmc_sd_detect+0x90/0xfc)
<4> [<
c04c7aac>] (mmc_sd_detect+0x90/0xfc) from [<
c04c2504>] (mmc_rescan+0x7c/0x2c4)
<4> [<
c04c2504>] (mmc_rescan+0x7c/0x2c4) from [<
c00a6a7c>] (process_one_work+0x27c/0x484)
<4> [<
c00a6a7c>] (process_one_work+0x27c/0x484) from [<
c00a6e94>] (worker_thread+0x210/0x3b0)
<4> [<
c00a6e94>] (worker_thread+0x210/0x3b0) from [<
c00aad9c>] (kthread+0x80/0x8c)
<4> [<
c00aad9c>] (kthread+0x80/0x8c) from [<
c000ea80>] (kernel_thread_exit+0x0/0x8)
As an example, this particular crash occurred when CPU #3 is executing
mod_timer() on an inactive timer whose base is refered to offlined CPU
#2. The code locked the timer_base corresponding to CPU #2. Before it
could proceed, CPU #2 came online and reinitialized the spinlock
corresponding to its base. Thus now CPU #3 held a lock which was
reinitialized. When CPU #3 finally ended up unlocking the old cpu_base
corresponding to CPU #2, we hit the above SPIN_BUG().
CPU #0 CPU #3 CPU #2
------ ------- -------
..... ...... <Offline>
mod_timer()
lock_timer_base
spin_lock_irqsave(&base->lock)
cpu_up(2) ..... ......
init_timers_cpu()
.... ..... spin_lock_init(&base->lock)
..... spin_unlock_irqrestore(&base->lock) ......
<spin_bug>
Allocation of per_cpu timer vector bases is done only once under
"tvec_base_done[]" check. In the current code, spinlock_initialization
of base->lock isn't under this check. When a CPU is up each time the
base lock is reinitialized. Move base spinlock initialization under
the check.
Signed-off-by: Tirupathi Reddy <tirupath@codeaurora.org>
Link: http://lkml.kernel.org/r/1368520142-4136-1-git-send-email-tirupath@codeaurora.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Stanislaw Gruszka [Fri, 15 Feb 2013 10:08:11 +0000 (11:08 +0100)]
posix-cpu-timers: Fix nanosleep task_struct leak
commit
e6c42c295e071dd74a66b5a9fcf4f44049888ed8 upstream.
The trinity fuzzer triggered a task_struct reference leak via
clock_nanosleep with CPU_TIMERs. do_cpu_nanosleep() calls
posic_cpu_timer_create(), but misses a corresponding
posix_cpu_timer_del() which leads to the task_struct reference leak.
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Link: http://lkml.kernel.org/r/20130215100810.GF4392@redhat.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mark Rutland [Thu, 7 Mar 2013 15:09:24 +0000 (15:09 +0000)]
clockevents: Don't allow dummy broadcast timers
commit
a7dc19b8652c862d5b7c4d2339bd3c428bd29c4a upstream.
Currently tick_check_broadcast_device doesn't reject clock_event_devices
with CLOCK_EVT_FEAT_DUMMY, and may select them in preference to real
hardware if they have a higher rating value. In this situation, the
dummy timer is responsible for broadcasting to itself, and the core
clockevents code may attempt to call non-existent callbacks for
programming the dummy, eventually leading to a panic.
This patch makes tick_check_broadcast_device always reject dummy timers,
preventing this problem.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: Jon Medhurst (Tixy) <tixy@linaro.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Vyacheslav Dubeyko [Wed, 17 Apr 2013 22:58:33 +0000 (15:58 -0700)]
hfsplus: fix potential overflow in hfsplus_file_truncate()
commit
12f267a20aecf8b84a2a9069b9011f1661c779b4 upstream.
Change a u32 to loff_t hfsplus_file_truncate().
Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Trond Myklebust [Mon, 20 Dec 2010 21:19:26 +0000 (21:19 +0000)]
kernel panic when mount NFSv4
commit
beb0f0a9fba1fa98b378329a9a5b0a73f25097ae upstream.
On Tue, 2010-12-14 at 16:58 +0800, Mi Jinlong wrote:
> Hi,
>
> When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
> at NFS client's __rpc_create_common function.
>
> The panic place is:
> rpc_mkpipe
> __rpc_lookup_create() <=== find pipefile *idmap*
> __rpc_mkpipe() <=== pipefile is *idmap*
> __rpc_create_common()
> ****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
>
> It means that the dentry's d_flags have be set DCACHE_UNHASHED,
> but it should not be set here.
>
> Is someone known this bug? or give me some idea?
>
> A reproduce program is append, but it can't reproduce the bug every time.
> the export is: "/nfsroot *(rw,no_root_squash,fsid=0,insecure)"
>
> And the panic message is append.
>
> ============================================================================
> #!/bin/sh
>
> LOOPTOTAL=768
> LOOPCOUNT=0
> ret=0
>
> while [ $LOOPCOUNT -ne $LOOPTOTAL ]
> do
> ((LOOPCOUNT += 1))
> service nfs restart
> /usr/sbin/rpc.idmapd
> mount -t nfs4 127.0.0.1:/ /mnt|| return 1;
> ls -l /var/lib/nfs/rpc_pipefs/nfs/*/
> umount /mnt
> echo $LOOPCOUNT
> done
>
> ===============================================================================
> Code: af 60 01 00 00 89 fa 89 f0 e8 64 cf 89 f0 e8 5c 7c 64 cf 31 c0 8b 5c 24 10 8b
> 74 24 14 8b 7c 24 18 8b 6c 24 1c 83 c4 20 c3 <0f> 0b eb fc 8b 46 28 c7 44 24 08 20
> de ee f0 c7 44 24 04 56 ea
> EIP:[<
f0ee92ea>] __rpc_create_common+0x8a/0xc0 [sunrpc] SS:ESP 0068:
eccb5d28
> ---[ end trace
8f5606cd08928ed2]---
> Kernel panic - not syncing: Fatal exception
> Pid:7131, comm: mount.nfs4 Tainted: G D -------------------2.6.32 #1
> Call Trace:
> [<
c080ad18>] ? panic+0x42/0xed
> [<
c080e42c>] ? oops_end+0xbc/0xd0
> [<
c040b090>] ? do_invalid_op+0x0/0x90
> [<
c040b10f>] ? do_invalid_op+0x7f/0x90
> [<
f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
> [<
f0edc433>] ? rpc_free_task+0x33/0x70[sunrpc]
> [<
f0ed6508>] ? prc_call_sync+0x48/0x60[sunrpc]
> [<
f0ed656e>] ? rpc_ping+0x4e/0x60[sunrpc]
> [<
f0ed6eaf>] ? rpc_create+0x38f/0x4f0[sunrpc]
> [<
c080d80b>] ? error_code+0x73/0x78
> [<
f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
> [<
c0532bda>] ? d_lookup+0x2a/0x40
> [<
f0ee94b1>] ? rpc_mkpipe+0x111/0x1b0[sunrpc]
> [<
f10a59f4>] ? nfs_create_rpc_client+0xb4/0xf0[nfs]
> [<
f10d6c6d>] ? nfs_fscache_get_client_cookie+0x1d/0x50[nfs]
> [<
f10d3fcb>] ? nfs_idmap_new+0x7b/0x140[nfs]
> [<
c05e76aa>] ? strlcpy+0x3a/0x60
> [<
f10a60ca>] ? nfs4_set_client+0xea/0x2b0[nfs]
> [<
f10a6d0c>] ? nfs4_create_server+0xac/0x1b0[nfs]
> [<
c04f1400>] ? krealloc+0x40/0x50
> [<
f10b0e8b>] ? nfs4_remote_get_sb+0x6b/0x250[nfs]
> [<
c04f14ec>] ? kstrdup+0x3c/0x60
> [<
c0520739>] ? vfs_kern_mount+0x69/0x170
> [<
f10b1a3c>] ? nfs_do_root_mount+0x6c/0xa0[nfs]
> [<
f10b1b47>] ? nfs4_try_mount+0x37/0xa0[nfs]
> [<
f10afe6d>] ? nfs4_validate_text_mount_data+-x7d/0xf0[nfs]
> [<
f10b1c42>] ? nfs4_get_sb+0x92/0x2f0
> [<
c0520739>] ? vfs_kern_mount+0x69/0x170
> [<
c05366d2>] ? get_fs_type+0x32/0xb0
> [<
c052089f>] ? do_kern_mount+0x3f/0xe0
> [<
c053954f>] ? do_mount+0x2ef/0x740
> [<
c0537740>] ? copy_mount_options+0xb0/0x120
> [<
c0539a0e>] ? sys_mount+0x6e/0xa0
Hi,
Does the following patch fix the problem?
Cheers
Trond
--------------------------
SUNRPC: Fix a BUG in __rpc_create_common
From: Trond Myklebust <Trond.Myklebust@netapp.com>
Mi Jinlong reports:
When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
at NFS client's __rpc_create_common function.
The panic place is:
rpc_mkpipe
__rpc_lookup_create() <=== find pipefile *idmap*
__rpc_mkpipe() <=== pipefile is *idmap*
__rpc_create_common()
****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
The test is wrong: we can find ourselves with a hashed negative dentry here
if the idmapper tried to look up the file before we got round to creating
it.
Just replace the BUG_ON() with a d_drop(dentry).
Reported-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jonathan Nieder [Fri, 11 May 2012 09:20:20 +0000 (04:20 -0500)]
NFSv4: Revalidate uid/gid after open
This is a shorter (and more appropriate for stable kernels) analog to
the following upstream commit:
commit
6926afd1925a54a13684ebe05987868890665e2b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Sat Jan 7 13:22:46 2012 -0500
NFSv4: Save the owner/group name string when doing open
...so that we can do the uid/gid mapping outside the asynchronous RPC
context.
This fixes a bug in the current NFSv4 atomic open code where the client
isn't able to determine what the true uid/gid fields of the file are,
(because the asynchronous nature of the OPEN call denies it the ability
to do an upcall) and so fills them with default values, marking the
inode as needing revalidation.
Unfortunately, in some cases, the VFS will do some additional sanity
checks on the file, and may override the server's decision to allow
the open because it sees the wrong owner/group fields.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Without this patch, logging into two different machines with home
directories mounted over NFS4 and then running "vim" and typing ":q"
in each reliably produces the following error on the second machine:
E137: Viminfo file is not writable: /users/system/rtheys/.viminfo
This regression was introduced by
80e52aced138 ("NFSv4: Don't do
idmapper upcalls for asynchronous RPC calls", merged during the 2.6.32
cycle) --- after the OPEN call, .viminfo has the default values for
st_uid and st_gid (0xfffffffe) cached because we do not want to let
rpciod wait for an idmapper upcall to fill them in.
The fix used in mainline is to save the owner and group as strings and
perform the upcall in _nfs4_proc_open outside the rpciod context,
which takes about 600 lines. For stable, we can do something similar
with a one-liner: make open check for the stale fields and make a
(synchronous) GETATTR call to fill them when needed.
Trond dictated the patch, I typed it in, and Rik tested it.
Addresses http://bugs.debian.org/659111 and
https://bugzilla.redhat.com/789298
Reported-by: Rik Theys <Rik.Theys@esat.kuleuven.be>
Explained-by: David Flyn <davidf@rd.bbc.co.uk>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Tested-by: Rik Theys <Rik.Theys@esat.kuleuven.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[PG: commit
19165bdbb3622cfca0ff66e8b30248d469b849d6 in v3.0.32]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Trond Myklebust [Mon, 20 Aug 2012 16:42:15 +0000 (12:42 -0400)]
NFSv3: Ensure that do_proc_get_root() reports errors correctly
commit
086600430493e04b802bee6e5b3ce0458e4eb77f upstream.
If the rpc call to NFS3PROC_FSINFO fails, then we need to report that
error so that the mount fails. Otherwise we can end up with a
superblock with completely unusable values for block sizes, maxfilesize,
etc.
Reported-by: Yuanming Chen <hikvision_linux@163.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
J. Bruce Fields [Tue, 4 Dec 2012 23:25:10 +0000 (18:25 -0500)]
nfsd4: fix oops on unusual readlike compound
commit
d5f50b0c290431c65377c4afa1c764e2c3fe5305 upstream.
If the argument and reply together exceed the maximum payload size, then
a reply with a read-like operation can overlow the rq_pages array.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Nithin Nayak Sujir [Mon, 14 Jan 2013 17:10:59 +0000 (17:10 +0000)]
tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
commit
9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 upstream.
When netconsole is enabled, logging messages generated during tg3_open
can result in a null pointer dereference for the uninitialized tg3
status block. Use the irq_sync flag to disable polling in the early
stages. irq_sync is cleared when the driver is enabling interrupts after
all initialization is completed.
Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: drivers/net/ethernet/broadcom/tg3.c --> drivers/net/tg3.c in .34]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Larry Finger [Wed, 26 Sep 2012 17:32:02 +0000 (12:32 -0500)]
b43legacy: Fix crash on unload when firmware not available
commit
2d838bb608e2d1f6cb4280e76748cb812dc822e7 upstream.
When b43legacy is loaded without the firmware being available, a following
unload generates a kernel NULL pointer dereference BUG as follows:
[ 214.330789] BUG: unable to handle kernel NULL pointer dereference at
0000004c
[ 214.330997] IP: [<
c104c395>] drain_workqueue+0x15/0x170
[ 214.331179] *pde =
00000000
[ 214.331311] Oops: 0000 [#1] SMP
[ 214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
[ 214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
[ 214.333580] EIP: 0060:[<
c104c395>] EFLAGS:
00010246 CPU: 0
[ 214.333687] EIP is at drain_workqueue+0x15/0x170
[ 214.333788] EAX:
c162ac40 EBX:
cdfb8360 ECX:
0000002a EDX:
00002a2a
[ 214.333890] ESI:
00000000 EDI:
00000000 EBP:
cd767e7c ESP:
cd767e5c
[ 214.333957] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 214.333957] CR0:
8005003b CR2:
0000004c CR3:
0c96a000 CR4:
00000090
[ 214.333957] DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
[ 214.333957] DR6:
ffff0ff0 DR7:
00000400
[ 214.333957] Process modprobe (pid: 3639, ti=
cd766000 task=
cf802e90 task.ti=
cd766000)
[ 214.333957] Stack:
[ 214.333957]
00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
[ 214.333957]
cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
[ 214.333957]
cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
[ 214.333957] Call Trace:
[ 214.333957] [<
c12c5e09>] ? skb_dequeue+0x49/0x60
[ 214.333957] [<
c104c4fd>] destroy_workqueue+0xd/0x150
[ 214.333957] [<
d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
[ 214.333957] [<
d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
[ 214.333957] [<
d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
[ 214.333957] [<
c126f15a>] __device_release_driver+0x5a/0xb0
[ 214.333957] [<
c126fb07>] driver_detach+0x87/0x90
[ 214.333957] [<
c126ef4c>] bus_remove_driver+0x6c/0xe0
[ 214.333957] [<
c1270120>] driver_unregister+0x40/0x70
[ 214.333957] [<
d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
[ 214.333957] [<
d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
[ 214.333957] [<
c1089dde>] sys_delete_module+0x14e/0x2b0
[ 214.333957] [<
c110a4a7>] ? vfs_write+0xf7/0x150
[ 214.333957] [<
c1240050>] ? tty_write_lock+0x50/0x50
[ 214.333957] [<
c110a6f8>] ? sys_write+0x38/0x70
[ 214.333957] [<
c1397c55>] syscall_call+0x7/0xb
[ 214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
[ 214.333957] EIP: [<
c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:
cd767e5c
[ 214.333957] CR2:
000000000000004c
[ 214.341110] ---[ end trace
c7e90ec026d875a6 ]---Index: wireless-testing/drivers/net/wireless/b43legacy/main.c
The problem is fixed by making certain that the ucode pointer is not NULL
before deregistering the driver in mac80211.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Fri, 14 Sep 2012 09:58:32 +0000 (09:58 +0000)]
xfrm_user: return error pointer instead of NULL #2
commit
c25463722509fef0ed630b271576a8c9a70236f3 upstream.
When dump_one_policy() returns an error, e.g. because of a too small
buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns
NULL instead of an error pointer. But its caller expects an error
pointer and therefore continues to operate on a NULL skbuff.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Thu, 13 Sep 2012 11:41:26 +0000 (11:41 +0000)]
xfrm_user: return error pointer instead of NULL
commit
864745d291b5ba80ea0bd0edcbe67273de368836 upstream.
When dump_one_state() returns an error, e.g. because of a too small
buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
instead of an error pointer. But its callers expect an error pointer
and therefore continue to operate on a NULL skbuff.
This could lead to a privilege escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 19 Sep 2012 11:33:41 +0000 (11:33 +0000)]
xfrm_user: fix info leak in copy_to_user_tmpl()
commit
1f86840f897717f86d523a13e99a447e6a5d2fa5 upstream.
The memory used for the template copy is a local stack variable. As
struct xfrm_user_tmpl contains multiple holes added by the compiler for
alignment, not initializing the memory will lead to leaking stack bytes
to userland. Add an explicit memset(0) to avoid the info leak.
Initial version of the patch by Brad Spengler.
Cc: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 19 Sep 2012 11:33:40 +0000 (11:33 +0000)]
xfrm_user: fix info leak in copy_to_user_policy()
commit
7b789836f434c87168eab067cfbed1ec4783dffd upstream.
The memory reserved to dump the xfrm policy includes multiple padding
bytes added by the compiler for alignment (padding bytes in struct
xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
memset(0) before filling the buffer to avoid the heap info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 19 Sep 2012 11:33:39 +0000 (11:33 +0000)]
xfrm_user: fix info leak in copy_to_user_state()
commit
f778a636713a435d3a922c60b1622a91136560c1 upstream.
The memory reserved to dump the xfrm state includes the padding bytes of
struct xfrm_usersa_info added by the compiler for alignment (7 for
amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Mon, 4 Jun 2012 00:18:19 +0000 (00:18 +0000)]
drop_monitor: dont sleep in atomic context
commit
bec4596b4e6770c7037f21f6bd27567b152dc0d6 upstream.
drop_monitor calls several sleeping functions while in atomic context.
BUG: sleeping function called from invalid context at mm/slub.c:943
in_atomic(): 1, irqs_disabled(): 0, pid: 2103, name: kworker/0:2
Pid: 2103, comm: kworker/0:2 Not tainted 3.5.0-rc1+ #55
Call Trace:
[<
ffffffff810697ca>] __might_sleep+0xca/0xf0
[<
ffffffff811345a3>] kmem_cache_alloc_node+0x1b3/0x1c0
[<
ffffffff8105578c>] ? queue_delayed_work_on+0x11c/0x130
[<
ffffffff815343fb>] __alloc_skb+0x4b/0x230
[<
ffffffffa00b0360>] ? reset_per_cpu_data+0x160/0x160 [drop_monitor]
[<
ffffffffa00b022f>] reset_per_cpu_data+0x2f/0x160 [drop_monitor]
[<
ffffffffa00b03ab>] send_dm_alert+0x4b/0xb0 [drop_monitor]
[<
ffffffff810568e0>] process_one_work+0x130/0x4c0
[<
ffffffff81058249>] worker_thread+0x159/0x360
[<
ffffffff810580f0>] ? manage_workers.isra.27+0x240/0x240
[<
ffffffff8105d403>] kthread+0x93/0xa0
[<
ffffffff816be6d4>] kernel_thread_helper+0x4/0x10
[<
ffffffff8105d370>] ? kthread_freezable_should_stop+0x80/0x80
[<
ffffffff816be6d0>] ? gs_change+0xb/0xb
Rework the logic to call the sleeping functions in right context.
Use standard timer/workqueue api to let system chose any cpu to perform
the allocation and netlink send.
Also avoid a loop if reset_per_cpu_data() cannot allocate memory :
use mod_timer() to wait 1/10 second before next try.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: diffstat here is less by one line due to blank line removal]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Neil Horman [Tue, 1 May 2012 08:18:02 +0000 (08:18 +0000)]
drop_monitor: prevent init path from scheduling on the wrong cpu
commit
4fdcfa12843bca38d0c9deff70c8720e4e8f515f upstream.
I just noticed after some recent updates, that the init path for the drop
monitor protocol has a minor error. drop monitor maintains a per cpu structure,
that gets initalized from a single cpu. Normally this is fine, as the protocol
isn't in use yet, but I recently made a change that causes a failed skb
allocation to reschedule itself . Given the current code, the implication is
that this workqueue reschedule will take place on the wrong cpu. If drop
monitor is used early during the boot process, its possible that two cpus will
access a single per-cpu structure in parallel, possibly leading to data
corruption.
This patch fixes the situation, by storing the cpu number that a given instance
of this per-cpu data should be accessed from. In the case of a need for a
reschedule, the cpu stored in the struct is assigned the rescheule, rather than
the currently executing cpu
Tested successfully by myself.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: David Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Neil Horman [Fri, 27 Apr 2012 10:11:49 +0000 (10:11 +0000)]
drop_monitor: Make updating data->skb smp safe
commit
3885ca785a3618593226687ced84f3f336dc3860 upstream.
Eric Dumazet pointed out to me that the drop_monitor protocol has some holes in
its smp protections. Specifically, its possible to replace data->skb while its
being written. This patch corrects that by making data->skb an rcu protected
variable. That will prevent it from being overwritten while a tracepoint is
modifying it.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: David Miller <davem@davemloft.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: The "__rcu" sparse addition is only present in 2.6.37+ kernels.]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Neil Horman [Fri, 27 Apr 2012 10:11:48 +0000 (10:11 +0000)]
drop_monitor: fix sleeping in invalid context warning
commit
cde2e9a651b76d8db36ae94cd0febc82b637e5dd upstream.
Eric Dumazet pointed out this warning in the drop_monitor protocol to me:
[ 38.352571] BUG: sleeping function called from invalid context at kernel/mutex.c:85
[ 38.352576] in_atomic(): 1, irqs_disabled(): 0, pid: 4415, name: dropwatch
[ 38.352580] Pid: 4415, comm: dropwatch Not tainted 3.4.0-rc2+ #71
[ 38.352582] Call Trace:
[ 38.352592] [<
ffffffff8153aaf0>] ? trace_napi_poll_hit+0xd0/0xd0
[ 38.352599] [<
ffffffff81063f2a>] __might_sleep+0xca/0xf0
[ 38.352606] [<
ffffffff81655b16>] mutex_lock+0x26/0x50
[ 38.352610] [<
ffffffff8153aaf0>] ? trace_napi_poll_hit+0xd0/0xd0
[ 38.352616] [<
ffffffff810b72d9>] tracepoint_probe_register+0x29/0x90
[ 38.352621] [<
ffffffff8153a585>] set_all_monitor_traces+0x105/0x170
[ 38.352625] [<
ffffffff8153a8ca>] net_dm_cmd_trace+0x2a/0x40
[ 38.352630] [<
ffffffff8154a81a>] genl_rcv_msg+0x21a/0x2b0
[ 38.352636] [<
ffffffff810f8029>] ? zone_statistics+0x99/0xc0
[ 38.352640] [<
ffffffff8154a600>] ? genl_rcv+0x30/0x30
[ 38.352645] [<
ffffffff8154a059>] netlink_rcv_skb+0xa9/0xd0
[ 38.352649] [<
ffffffff8154a5f0>] genl_rcv+0x20/0x30
[ 38.352653] [<
ffffffff81549a7e>] netlink_unicast+0x1ae/0x1f0
[ 38.352658] [<
ffffffff81549d76>] netlink_sendmsg+0x2b6/0x310
[ 38.352663] [<
ffffffff8150824f>] sock_sendmsg+0x10f/0x130
[ 38.352668] [<
ffffffff8150abe0>] ? move_addr_to_kernel+0x60/0xb0
[ 38.352673] [<
ffffffff81515f04>] ? verify_iovec+0x64/0xe0
[ 38.352677] [<
ffffffff81509c46>] __sys_sendmsg+0x386/0x390
[ 38.352682] [<
ffffffff810ffaf9>] ? handle_mm_fault+0x139/0x210
[ 38.352687] [<
ffffffff8165b5bc>] ? do_page_fault+0x1ec/0x4f0
[ 38.352693] [<
ffffffff8106ba4d>] ? set_next_entity+0x9d/0xb0
[ 38.352699] [<
ffffffff81310b49>] ? tty_ldisc_deref+0x9/0x10
[ 38.352703] [<
ffffffff8106d363>] ? pick_next_task_fair+0x63/0x140
[ 38.352708] [<
ffffffff8150b8d4>] sys_sendmsg+0x44/0x80
[ 38.352713] [<
ffffffff8165f8e2>] system_call_fastpath+0x16/0x1b
It stems from holding a spinlock (trace_state_lock) while attempting to register
or unregister tracepoint hooks, making in_atomic() true in this context, leading
to the warning when the tracepoint calls might_sleep() while its taking a mutex.
Since we only use the trace_state_lock to prevent trace protocol state races, as
well as hardware stat list updates on an rcu write side, we can just convert the
spinlock to a mutex to avoid this problem.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: David Miller <davem@davemloft.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Willy Tarreau [Thu, 17 May 2012 11:14:14 +0000 (11:14 +0000)]
tcp: do_tcp_sendpages() must try to push data out on oom conditions
commit
bad115cfe5b509043b684d3a007ab54b80090aa1 upstream.
Since recent changes on TCP splicing (starting with commits
2f533844
"tcp: allow splice() to build full TSO packets" and
35f9c09f "tcp:
tcp_sendpages() should call tcp_push() once"), I started seeing
massive stalls when forwarding traffic between two sockets using
splice() when pipe buffers were larger than socket buffers.
Latest changes (net: netdev_alloc_skb() use build_skb()) made the
problem even more apparent.
The reason seems to be that if do_tcp_sendpages() fails on out of memory
condition without being able to send at least one byte, tcp_push() is not
called and the buffers cannot be flushed.
After applying the attached patch, I cannot reproduce the stalls at all
and the data rate it perfectly stable and steady under any condition
which previously caused the problem to be permanent.
The issue seems to have been there since before the kernel migrated to
git, which makes me think that the stalls I occasionally experienced
with tux during stress-tests years ago were probably related to the
same issue.
This issue was first encountered on 3.0.31 and 3.2.17, so please backport
to -stable.
Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Fri, 2 Dec 2011 23:41:42 +0000 (23:41 +0000)]
tcp: drop SYN+FIN messages
commit
fdf5af0daf8019cec2396cdef8fb042d80fe71fa upstream.
Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
linux machines to their limits.
Dont call conn_request() if the TCP flags includes SYN flag
Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jiri Kosina [Fri, 27 Jul 2012 10:38:50 +0000 (10:38 +0000)]
tcp: perform DMA to userspace only if there is a task waiting for it
commit
59ea33a68a9083ac98515e4861c00e71efdc49a1 upstream.
Back in 2006, commit
1a2449a87b ("[I/OAT]: TCP recv offload to I/OAT")
added support for receive offloading to IOAT dma engine if available.
The code in tcp_rcv_established() tries to perform early DMA copy if
applicable. It however does so without checking whether the userspace
task is actually expecting the data in the buffer.
This is not a problem under normal circumstances, but there is a corner
case where this doesn't work -- and that's when MSG_TRUNC flag to
recvmsg() is used.
If the IOAT dma engine is not used, the code properly checks whether
there is a valid ucopy.task and the socket is owned by userspace, but
misses the check in the dmaengine case.
This problem can be observed in real trivially -- for example 'tbench' is a
good reproducer, as it makes a heavy use of MSG_TRUNC. On systems utilizing
IOAT, you will soon find tbench waiting indefinitely in sk_wait_data(), as they
have been already early-copied in tcp_rcv_established() using dma engine.
This patch introduces the same check we are performing in the simple
iovec copy case to the IOAT case as well. It fixes the indefinite
recvmsg(MSG_TRUNC) hangs.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
David S. Miller [Mon, 30 Jul 2012 21:52:48 +0000 (14:52 -0700)]
tun: Fix formatting.
commit
8bbb181308bc348e02bfdbebdedd4e4ec9d452ce upstream.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 29 Jul 2012 19:45:14 +0000 (19:45 +0000)]
net/tun: fix ioctl() based info leaks
commit
a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc upstream.
The tun module leaks up to 36 bytes of memory by not fully initializing
a structure located on the stack that gets copied to user memory by the
TUNGETIFF and SIOCGIFHWADDR ioctl()s.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Alexey Khoroshilov [Wed, 8 Aug 2012 00:33:25 +0000 (00:33 +0000)]
net/core: Fix potential memory leak in dev_set_alias()
commit
7364e445f62825758fa61195d237a5b8ecdd06ec upstream.
Do not leak memory by updating pointer with potentially NULL realloc return value.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Tue, 5 Mar 2013 07:15:13 +0000 (07:15 +0000)]
net: reduce net_rx_action() latency to 2 HZ
commit
d1f41b67ff7735193bc8b418b98ac99a448833e2 upstream.
We should use time_after_eq() to get maximum latency of two ticks,
instead of three.
Bug added in commit
24f8b2385 (net: increase receive packet quantum)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Thu, 10 Jan 2013 23:26:34 +0000 (15:26 -0800)]
softirq: reduce latencies
commit
c10d73671ad30f54692f7f69f0e09e75d3a8926a upstream.
In various network workloads, __do_softirq() latencies can be up
to 20 ms if HZ=1000, and 200 ms if HZ=100.
This is because we iterate 10 times in the softirq dispatcher,
and some actions can consume a lot of cycles.
This patch changes the fallback to ksoftirqd condition to :
- A time limit of 2 ms.
- need_resched() being set on current task
When one of this condition is met, we wakeup ksoftirqd for further
softirq processing if we still have pending softirqs.
Using need_resched() as the only condition can trigger RCU stalls,
as we can keep BH disabled for too long.
I ran several benchmarks and got no significant difference in
throughput, but a very significant reduction of latencies (one order
of magnitude) :
In following bench, 200 antagonist "netperf -t TCP_RR" are started in
background, using all available cpus.
Then we start one "netperf -t TCP_RR", bound to the cpu handling the NIC
IRQ (hard+soft)
Before patch :
# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k
RT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY
MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET
to 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind
RT_LATENCY=550110.424
MIN_LATENCY=146858
MAX_LATENCY=997109
P50_LATENCY=305000
P90_LATENCY=550000
P99_LATENCY=710000
MEAN_LATENCY=376989.12
STDDEV_LATENCY=184046.92
After patch :
# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k
RT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY
MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET
to 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind
RT_LATENCY=40545.492
MIN_LATENCY=9834
MAX_LATENCY=78366
P50_LATENCY=33583
P90_LATENCY=59000
P99_LATENCY=69000
MEAN_LATENCY=38364.67
STDDEV_LATENCY=12865.26
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: David Miller <davem@davemloft.net>
Cc: Tom Herbert <therbert@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Thu, 5 Apr 2012 22:17:46 +0000 (22:17 +0000)]
netlink: fix races after skb queueing
commit
4a7e7c2ad540e54c75489a70137bf0ec15d3a127 upstream.
As soon as an skb is queued into socket receive_queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
stephen hemminger [Thu, 22 Dec 2011 08:52:03 +0000 (08:52 +0000)]
netlink: wake up netlink listeners sooner (v2)
commit
2c64580046a122fa15bb586d8ca4fd5e4b69a1e7 upstream.
This patch changes it to yield sooner at halfway instead. Still not a cure-all
for listener overrun if listner is slow, but works much reliably.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Fri, 6 Apr 2012 08:49:10 +0000 (10:49 +0200)]
net: fix a race in sock_queue_err_skb()
commit
110c43304db6f06490961529536c362d9ac5732f upstream.
As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: net/core/skbuff.c --> include/net/sock.h on 2.6.34 baseline]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
David Ward [Sun, 15 Apr 2012 12:31:45 +0000 (12:31 +0000)]
net_sched: gred: Fix oops in gred_dump() in WRED mode
commit
244b65dbfede788f2fa3fe2463c44d0809e97c6b upstream.
A parameter set exists for WRED mode, called wred_set, to hold the same
values for qavg and qidlestart across all VQs. The WRED mode values had
been previously held in the VQ for the default DP. After these values
were moved to wred_set, the VQ for the default DP was no longer created
automatically (so that it could be omitted on purpose, to have packets
in the default DP enqueued directly to the device without using RED).
However, gred_dump() was overlooked during that change; in WRED mode it
still reads qavg/qidlestart from the VQ for the default DP, which might
not even exist. As a result, this command sequence will cause an oops:
tc qdisc add dev $DEV handle $HANDLE parent $PARENT gred setup \
DPs 3 default 2 grio
tc qdisc change dev $DEV handle $HANDLE gred DP 0 prio 8 $RED_OPTIONS
tc qdisc change dev $DEV handle $HANDLE gred DP 1 prio 8 $RED_OPTIONS
This fixes gred_dump() in WRED mode to use the values held in wred_set.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: in 2.6.34 it is tab[]->parms vs. tab[]->vars of 3.4 baseline]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Sun, 29 Apr 2012 09:08:22 +0000 (09:08 +0000)]
netem: fix possible skb leak
commit
116a0fc31c6c9b8fc821be5a96e5bf0b43260131 upstream.
skb_checksum_help(skb) can return an error, we must free skb in this
case. qdisc_drop(skb, sch) can also be feeded with a NULL skb (if
skb_unshare() failed), so lets use this generic helper.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
danborkmann@iogearbox.net [Fri, 10 Aug 2012 22:48:54 +0000 (22:48 +0000)]
af_packet: remove BUG statement in tpacket_destruct_skb
commit
7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 upstream.
Here's a quote of the comment about the BUG macro from asm-generic/bug.h:
Don't use BUG() or BUG_ON() unless there's really no way out; one
example might be detecting data structure corruption in the middle
of an operation that can't be backed out of. If the (sub)system
can somehow continue operating, perhaps with reduced functionality,
it's probably not BUG-worthy.
If you're tempted to BUG(), think again: is completely giving up
really the *only* solution? There are usually better options, where
users don't need to reboot ASAP and can mostly shut down cleanly.
In our case, the status flag of a ring buffer slot is managed from both sides,
the kernel space and the user space. This means that even though the kernel
side might work as expected, the user space screws up and changes this flag
right between the send(2) is triggered when the flag is changed to
TP_STATUS_SENDING and a given skb is destructed after some time. Then, this
will hit the BUG macro. As David suggested, the best solution is to simply
remove this statement since it cannot be used for kernel side internal
consistency checks. I've tested it and the system still behaves /stable/ in
this case, so in accordance with the above comment, we should rather remove it.
Signed-off-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Stephen Hemminger [Mon, 11 Feb 2013 08:22:22 +0000 (08:22 +0000)]
bridge: set priority of STP packets
commit
547b4e718115eea74087e28d7fa70aec619200db upstream.
Spanning Tree Protocol packets should have always been marked as
control packets, this causes them to get queued in the high prirority
FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
gets overloaded and can't communicate. This is a long-standing bug back
to the first versions of Linux bridge.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Hiroaki SHIMODA [Fri, 3 Aug 2012 10:57:52 +0000 (19:57 +0900)]
net_sched: gact: Fix potential panic in tcf_gact().
commit
696ecdc10622d86541f2e35cc16e15b6b3b1b67e upstream.
gact_rand array is accessed by gact->tcfg_ptype whose value
is assumed to less than MAX_RAND, but any range checks are
not performed.
So add a check in tcf_gact_init(). And in tcf_gact(), we can
reduce a branch.
Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Stefan Hasko [Fri, 21 Dec 2012 15:04:59 +0000 (15:04 +0000)]
net: sched: integer overflow fix
commit
d2fe85da52e89b8012ffad010ef352a964725d5f upstream.
Fixed integer overflow in function htb_dequeue
Signed-off-by: Stefan Hasko <hasko.stevo@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Cong Wang [Mon, 7 Jan 2013 21:17:00 +0000 (21:17 +0000)]
net: prevent setting ttl=0 via IP_TTL
commit
c9be4a5c49cf51cc70a993f004c5bb30067a65ce upstream.
A regression is introduced by the following commit:
commit
4d52cfbef6266092d535237ba5a4b981458ab171
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue Jun 2 00:42:16 2009 -0700
net: ipv4/ip_sockglue.c cleanups
Pure cleanups
but it is not a pure cleanup...
- if (val != -1 && (val < 1 || val>255))
+ if (val != -1 && (val < 0 || val > 255))
Since there is no reason provided to allow ttl=0, change it back.
Reported-by: nitin padalia <padalia.nitin@gmail.com>
Cc: nitin padalia <padalia.nitin@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jesper Dangaard Brouer [Wed, 31 Oct 2012 02:45:32 +0000 (02:45 +0000)]
net: fix divide by zero in tcp algorithm illinois
commit
8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 upstream.
Reading TCP stats when using TCP Illinois congestion control algorithm
can cause a divide by zero kernel oops.
The division by zero occur in tcp_illinois_info() at:
do_div(t, ca->cnt_rtt);
where ca->cnt_rtt can become zero (when rtt_reset is called)
Steps to Reproduce:
1. Register tcp_illinois:
# sysctl -w net.ipv4.tcp_congestion_control=illinois
2. Monitor internal TCP information via command "ss -i"
# watch -d ss -i
3. Establish new TCP conn to machine
Either it fails at the initial conn, or else it needs to wait
for a loss or a reset.
This is only related to reading stats. The function avg_delay() also
performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
calling point in update_params(). Thus, simply fix tcp_illinois_info().
Function tcp_illinois_info() / get_info() is called without
socket lock. Thus, eliminate any race condition on ca->cnt_rtt
by using a local stack variable. Simply reuse info.tcpv_rttcnt,
as its already set to ca->cnt_rtt.
Function avg_delay() is not affected by this race condition, as
its called with the socket lock.
Cc: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Mon, 24 Sep 2012 07:00:11 +0000 (07:00 +0000)]
net: guard tcp_set_keepalive() to tcp sockets
commit
3e10986d1d698140747fcfc2761ec9cb64c1d582 upstream.
Its possible to use RAW sockets to get a crash in
tcp_set_keepalive() / sk_reset_timer()
Fix is to make sure socket is a SOCK_STREAM one.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 15 Aug 2012 11:31:57 +0000 (11:31 +0000)]
net: fix info leak in compat dev_ifconf()
commit
43da5f2e0d0c69ded3d51907d9552310a6b545e8 upstream.
The implementation of dev_ifconf() for the compat ioctl interface uses
an intermediate ifc structure allocated in userland for the duration of
the syscall. Though, it fails to initialize the padding bytes inserted
for alignment and that for leaks four bytes of kernel stack. Add an
explicit memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Thu, 21 Mar 2013 17:36:09 +0000 (17:36 +0000)]
tcp: preserve ACK clocking in TSO
commit
f4541d60a449afd40448b06496dcd510f505928e upstream.
A long standing problem with TSO is the fact that tcp_tso_should_defer()
rearms the deferred timer, while it should not.
Current code leads to following bad bursty behavior :
20:11:24.484333 IP A > B: . 297161:316921(19760) ack 1 win 119
20:11:24.484337 IP B > A: . ack 263721 win 1117
20:11:24.485086 IP B > A: . ack 265241 win 1117
20:11:24.485925 IP B > A: . ack 266761 win 1117
20:11:24.486759 IP B > A: . ack 268281 win 1117
20:11:24.487594 IP B > A: . ack 269801 win 1117
20:11:24.488430 IP B > A: . ack 271321 win 1117
20:11:24.489267 IP B > A: . ack 272841 win 1117
20:11:24.490104 IP B > A: . ack 274361 win 1117
20:11:24.490939 IP B > A: . ack 275881 win 1117
20:11:24.491775 IP B > A: . ack 277401 win 1117
20:11:24.491784 IP A > B: . 316921:332881(15960) ack 1 win 119
20:11:24.492620 IP B > A: . ack 278921 win 1117
20:11:24.493448 IP B > A: . ack 280441 win 1117
20:11:24.494286 IP B > A: . ack 281961 win 1117
20:11:24.495122 IP B > A: . ack 283481 win 1117
20:11:24.495958 IP B > A: . ack 285001 win 1117
20:11:24.496791 IP B > A: . ack 286521 win 1117
20:11:24.497628 IP B > A: . ack 288041 win 1117
20:11:24.498459 IP B > A: . ack 289561 win 1117
20:11:24.499296 IP B > A: . ack 291081 win 1117
20:11:24.500133 IP B > A: . ack 292601 win 1117
20:11:24.500970 IP B > A: . ack 294121 win 1117
20:11:24.501388 IP B > A: . ack 295641 win 1117
20:11:24.501398 IP A > B: . 332881:351881(19000) ack 1 win 119
While the expected behavior is more like :
20:19:49.259620 IP A > B: . 197601:202161(4560) ack 1 win 119
20:19:49.260446 IP B > A: . ack 154281 win 1212
20:19:49.261282 IP B > A: . ack 155801 win 1212
20:19:49.262125 IP B > A: . ack 157321 win 1212
20:19:49.262136 IP A > B: . 202161:206721(4560) ack 1 win 119
20:19:49.262958 IP B > A: . ack 158841 win 1212
20:19:49.263795 IP B > A: . ack 160361 win 1212
20:19:49.264628 IP B > A: . ack 161881 win 1212
20:19:49.264637 IP A > B: . 206721:211281(4560) ack 1 win 119
20:19:49.265465 IP B > A: . ack 163401 win 1212
20:19:49.265886 IP B > A: . ack 164921 win 1212
20:19:49.266722 IP B > A: . ack 166441 win 1212
20:19:49.266732 IP A > B: . 211281:215841(4560) ack 1 win 119
20:19:49.267559 IP B > A: . ack 167961 win 1212
20:19:49.268394 IP B > A: . ack 169481 win 1212
20:19:49.269232 IP B > A: . ack 171001 win 1212
20:19:49.269241 IP A > B: . 215841:221161(5320) ack 1 win 119
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Van Jacobson <vanj@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Nandita Dukkipati <nanditad@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Sun, 6 Jan 2013 18:21:49 +0000 (18:21 +0000)]
tcp: fix MSG_SENDPAGE_NOTLAST logic
commit
ae62ca7b03217be5e74759dc6d7698c95df498b3 upstream.
commit
35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
frags but the last one for a splice() call.
The condition used to set the flag in pipe_to_sendpage() relied on
splice() user passing the exact number of bytes present in the pipe,
or a smaller one.
But some programs pass an arbitrary high value, and the test fails.
The effect of this bug is a lack of tcp_push() at the end of a
splice(pipe -> socket) call, and possibly very slow or erratic TCP
sessions.
We should both test sd->total_len and fact that another fragment
is in the pipe (pipe->nrbufs > 1)
Many thanks to Willy for providing very clear bug report, bisection
and test programs.
Reported-by: Willy Tarreau <w@1wt.eu>
Bisected-by: Willy Tarreau <w@1wt.eu>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Thu, 5 Apr 2012 03:05:35 +0000 (03:05 +0000)]
tcp: tcp_sendpages() should call tcp_push() once
commit
35f9c09fe9c72eb8ca2b8e89a593e1c151f28fc2 upstream.
commit
2f533844242 (tcp: allow splice() to build full TSO packets) added
a regression for splice() calls using SPLICE_F_MORE.
We need to call tcp_flush() at the end of the last page processed in
tcp_sendpages(), or else transmits can be deferred and future sends
stall.
Add a new internal flag, MSG_SENDPAGE_NOTLAST, acting like MSG_MORE, but
with different semantic.
For all sendpage() providers, its a transparent change. Only
sock_sendpage() and tcp_sendpages() can differentiate the two different
flags provided by pipe_to_sendpage()
Reported-by: Tom Herbert <therbert@google.com>
Cc: Nandita Dukkipati <nanditad@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Tom Herbert <therbert@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: H.K. Jerry Chu <hkchu@google.com>
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Mahesh Bandewar <maheshb@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Tue, 3 Apr 2012 09:37:01 +0000 (09:37 +0000)]
tcp: allow splice() to build full TSO packets
commit
2f53384424251c06038ae612e56231b96ab610ee upstream.
vmsplice()/splice(pipe, socket) call do_tcp_sendpages() one page at a
time, adding at most 4096 bytes to an skb. (assuming PAGE_SIZE=4096)
The call to tcp_push() at the end of do_tcp_sendpages() forces an
immediate xmit when pipe is not already filled, and tso_fragment() try
to split these skb to MSS multiples.
4096 bytes are usually split in a skb with 2 MSS, and a remaining
sub-mss skb (assuming MTU=1500)
This makes slow start suboptimal because many small frames are sent to
qdisc/driver layers instead of big ones (constrained by cwnd and packets
in flight of course)
In fact, applications using sendmsg() (adding an additional memory copy)
instead of vmsplice()/splice()/sendfile() are a bit faster because of
this anomaly, especially if serving small files in environments with
large initial [c]wnd.
Call tcp_push() only if MSG_MORE is not set in the flags parameter.
This bit is automatically provided by splice() internals but for the
last page, or on all pages if user specified SPLICE_F_MORE splice()
flag.
In some workloads, this can reduce number of sent logical packets by an
order of magnitude, making zero-copy TCP actually faster than
one-copy :)
Reported-by: Tom Herbert <therbert@google.com>
Cc: Nandita Dukkipati <nanditad@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Tom Herbert <therbert@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: H.K. Jerry Chu <hkchu@google.com>
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Mahesh Bandewar <maheshb@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paul Moore [Mon, 25 Mar 2013 03:18:33 +0000 (03:18 +0000)]
unix: fix a race condition in unix_release()
commit
ded34e0fe8fe8c2d595bfa30626654e4b87621e0 upstream.
As reported by Jan, and others over the past few years, there is a
race condition caused by unix_release setting the sock->sk pointer
to NULL before properly marking the socket as dead/orphaned. This
can cause a problem with the LSM hook security_unix_may_send() if
there is another socket attempting to write to this partially
released socket in between when sock->sk is set to NULL and it is
marked as dead/orphaned. This patch fixes this by only setting
sock->sk to NULL after the socket has been marked as dead; I also
take the opportunity to make unix_release_sock() a void function
as it only ever returned 0/success.
Dave, I think this one should go on the -stable pile.
Special thanks to Jan for coming up with a reproducer for this
problem.
Reported-by: Jan Stancek <jan.stancek@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Tommi Rantala [Tue, 27 Nov 2012 04:01:46 +0000 (04:01 +0000)]
sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
commit
be364c8c0f17a3dd42707b5a090b318028538eb9 upstream.
Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main(void)
{
int fd;
struct sockaddr_in sa;
fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
if (fd < 0)
return 1;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1");
sa.sin_port = htons(11111);
sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
return 0;
}
As far as I can tell, the leak has been around since ~2003.
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Daniel Borkmann [Fri, 8 Feb 2013 03:04:34 +0000 (03:04 +0000)]
net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
commit
6ba542a291a5e558603ac51cda9bded347ce7627 upstream.
In sctp_setsockopt_auth_key, we create a temporary copy of the user
passed shared auth key for the endpoint or association and after
internal setup, we free it right away. Since it's sensitive data, we
should zero out the key before returning the memory back to the
allocator. Thus, use kzfree instead of kfree, just as we do in
sctp_auth_key_put().
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Daniel Borkmann [Fri, 8 Feb 2013 03:04:35 +0000 (03:04 +0000)]
net: sctp: sctp_endpoint_free: zero out secret key data
commit
b5c37fe6e24eec194bb29d22fdd55d73bcc709bf upstream.
On sctp_endpoint_destroy, previously used sensitive keying material
should be zeroed out before the memory is returned, as we already do
with e.g. auth keys when released.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Daniel Borkmann [Thu, 7 Feb 2013 00:55:37 +0000 (00:55 +0000)]
net: sctp: sctp_auth_key_put: use kzfree instead of kfree
commit
586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53 upstream.
For sensitive data like keying material, it is common practice to zero
out keys before returning the memory back to the allocator. Thus, use
kzfree instead of kfree.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jozsef Kadlecsik [Tue, 3 Apr 2012 20:02:01 +0000 (22:02 +0200)]
netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
commit
07153c6ec074257ade76a461429b567cff2b3a1e upstream.
It was reported that the Linux kernel sometimes logs:
klogd: [
2629147.402413] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 447!
klogd: [
1072212.887368] kernel BUG at net / netfilter /
nf_conntrack_proto_tcp.c: 392
ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
nf_conntrack_proto_tcp.c should catch malformed packets, so the errors
at the indicated lines - TCP options parsing - should not happen.
However, tcp_error() relies on the "dataoff" offset to the TCP header,
calculated by ipv4_get_l4proto(). But ipv4_get_l4proto() does not check
bogus ihl values in IPv4 packets, which then can slip through tcp_error()
and get caught at the TCP options parsing routines.
The patch fixes ipv4_get_l4proto() by invalidating packets with bogus
ihl value.
The patch closes netfilter bugzilla id 771.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 15 Aug 2012 11:31:56 +0000 (11:31 +0000)]
ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
commit
2d8a041b7bfe1097af21441cb77d6af95f4f4680 upstream.
If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and that for leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Wensong Zhang <wensong@linux-vs.org>
Cc: Simon Horman <horms@verge.net.au>
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 7 Apr 2013 01:51:47 +0000 (01:51 +0000)]
atm: update msg_namelen in vcc_recvmsg()
commit
9b3e617f3df53822345a8573b6d358f6b9e5ed87 upstream.
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about vcc_recvmsg() not filling the msg_name in case it was set.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 15 Aug 2012 11:31:45 +0000 (11:31 +0000)]
atm: fix info leak via getsockname()
commit
3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a upstream.
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 15 Aug 2012 11:31:44 +0000 (11:31 +0000)]
atm: fix info leak in getsockopt(SO_ATMPVC)
commit
e862f1a9b7df4e8196ebec45ac62295138aa3fc2 upstream.
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 7 Apr 2013 01:51:48 +0000 (01:51 +0000)]
ax25: fix info leak via msg_name in ax25_recvmsg()
commit
ef3313e84acbf349caecae942ab3ab731471f1a1 upstream.
When msg_namelen is non-zero the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of struct
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
not always filled up to this size.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix both issues by initializing the memory with memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Wu Fengguang [Thu, 2 Aug 2012 23:10:01 +0000 (23:10 +0000)]
isdnloop: fix and simplify isdnloop_init()
commit
77f00f6324cb97cf1df6f9c4aaeea6ada23abdb2 upstream.
Fix a buffer overflow bug by removing the revision and printk.
[ 22.016214] isdnloop-ISDN-driver Rev 1.11.6.7
[ 22.097508] isdnloop: (loop0) virtual card added
[ 22.174400] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
ffffffff83244972
[ 22.174400]
[ 22.436157] Pid: 1, comm: swapper Not tainted
3.5.0-bisect-00018-gfa8bbb1-dirty #129
[ 22.624071] Call Trace:
[ 22.720558] [<
ffffffff832448c3>] ? CallcNew+0x56/0x56
[ 22.815248] [<
ffffffff8222b623>] panic+0x110/0x329
[ 22.914330] [<
ffffffff83244972>] ? isdnloop_init+0xaf/0xb1
[ 23.014800] [<
ffffffff832448c3>] ? CallcNew+0x56/0x56
[ 23.090763] [<
ffffffff8108e24b>] __stack_chk_fail+0x2b/0x30
[ 23.185748] [<
ffffffff83244972>] isdnloop_init+0xaf/0xb1
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 7 Apr 2013 01:51:54 +0000 (01:51 +0000)]
iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
commit
a5598bd9c087dc0efc250a5221e5d0e6f584ee88 upstream.
The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about iucv_sock_recvmsg() not filling the msg_name in case it was set.
Cc: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 7 Apr 2013 01:51:56 +0000 (01:51 +0000)]
llc: Fix missing msg_namelen update in llc_ui_recvmsg()
commit
c77a4b9cffb6215a15196ec499490d116dfad181 upstream.
For stream sockets the code misses to update the msg_namelen member
to 0 and therefore makes net/socket.c leak the local, uninitialized
sockaddr_storage variable to userland -- 128 bytes of kernel stack
memory. The msg_namelen update is also missing for datagram sockets
in case the socket is shutting down during receive.
Fix both issues by setting msg_namelen to 0 early. It will be
updated later if we're going to fill the msg_name member.
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Wed, 15 Aug 2012 11:31:53 +0000 (11:31 +0000)]
llc: fix info leak via getsockname()
commit
3592aaeb80290bda0f2cf0b5456c97bfc638b192 upstream.
The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.
Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Weiping Pan [Mon, 23 Jul 2012 02:37:48 +0000 (10:37 +0800)]
rds: set correct msg_namelen
commit
06b6a1cf6e776426766298d055bb3991957d90a7 upstream.
Jay Fenlason (fenlason@redhat.com) found a bug,
that recvfrom() on an RDS socket can return the contents of random kernel
memory to userspace if it was called with a address length larger than
sizeof(struct sockaddr_in).
rds_recvmsg() also fails to set the addr_len paramater properly before
returning, but that's just a bug.
There are also a number of cases wher recvfrom() can return an entirely bogus
address. Anything in rds_recvmsg() that returns a non-negative value but does
not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path
at the end of the while(1) loop will return up to 128 bytes of kernel memory
to userspace.
And I write two test programs to reproduce this bug, you will see that in
rds_server, fromAddr will be overwritten and the following sock_fd will be
destroyed.
Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is
better to make the kernel copy the real length of address to user space in
such case.
How to run the test programs ?
I test them on 32bit x86 system, 3.5.0-rc7.
1 compile
gcc -o rds_client rds_client.c
gcc -o rds_server rds_server.c
2 run ./rds_server on one console
3 run ./rds_client on another console
4 you will see something like:
server is waiting to receive data...
old socket fd=3
server received data from client:data from client
msg.msg_namelen=32
new socket fd=-
1067277685
sendmsg()
: Bad file descriptor
/***************** rds_client.c ********************/
int main(void)
{
int sock_fd;
struct sockaddr_in serverAddr;
struct sockaddr_in toAddr;
char recvBuffer[128] = "data from client";
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if (sock_fd < 0) {
perror("create socket error\n");
exit(1);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4001);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind() error\n");
close(sock_fd);
exit(1);
}
memset(&toAddr, 0, sizeof(toAddr));
toAddr.sin_family = AF_INET;
toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
toAddr.sin_port = htons(4000);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendto() error\n");
close(sock_fd);
exit(1);
}
printf("client send data:%s\n", recvBuffer);
memset(recvBuffer, '\0', 128);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("receive data from server:%s\n", recvBuffer);
close(sock_fd);
return 0;
}
/***************** rds_server.c ********************/
int main(void)
{
struct sockaddr_in fromAddr;
int sock_fd;
struct sockaddr_in serverAddr;
unsigned int addrLen;
char recvBuffer[128];
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if(sock_fd < 0) {
perror("create socket error\n");
exit(0);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4000);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind error\n");
close(sock_fd);
exit(1);
}
printf("server is waiting to receive data...\n");
msg.msg_name = &fromAddr;
/*
* I add 16 to sizeof(fromAddr), ie 32,
* and pay attention to the definition of fromAddr,
* recvmsg() will overwrite sock_fd,
* since kernel will copy 32 bytes to userspace.
*
* If you just use sizeof(fromAddr), it works fine.
* */
msg.msg_namelen = sizeof(fromAddr) + 16;
/* msg.msg_namelen = sizeof(fromAddr); */
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
while (1) {
printf("old socket fd=%d\n", sock_fd);
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("server received data from client:%s\n", recvBuffer);
printf("msg.msg_namelen=%d\n", msg.msg_namelen);
printf("new socket fd=%d\n", sock_fd);
strcat(recvBuffer, "--data from server");
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendmsg()\n");
close(sock_fd);
exit(1);
}
}
close(sock_fd);
return 0;
}
Signed-off-by: Weiping Pan <wpan@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Mathias Krause [Sun, 7 Apr 2013 01:51:59 +0000 (01:51 +0000)]
rose: fix info leak via msg_name in rose_recvmsg()
commit
4a184233f21645cf0b719366210ed445d1024d72 upstream.
The code in rose_recvmsg() does not initialize all of the members of
struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
Nor does it initialize the padding bytes of the structure inserted by
the compiler for alignment. This will lead to leaking uninitialized
kernel stack bytes in net/socket.c.
Fix the issue by initializing the memory used for sockaddr info with
memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Wed, 11 Sep 2013 19:56:54 +0000 (21:56 +0200)]
HID: LG: validate HID output report details
commit
0fb6bd06e06792469acc15bbe427361b56ada528 upstream.
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[PG: drop hid-lg4ff.c chunk; file not present in 2.6.34 baseline.]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Wed, 11 Sep 2013 19:56:51 +0000 (21:56 +0200)]
HID: zeroplus: validate output report details
commit
78214e81a1bf43740ce89bb5efda78eac2f8ef83 upstream.
The zeroplus HID driver was not checking the size of allocated values
in fields it used. A HID device could send a malicious output report
that would cause the driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
...
[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2889
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Wed, 11 Sep 2013 19:56:50 +0000 (21:56 +0200)]
HID: provide a helper for validating hid reports
commit
331415ff16a12147d57d5c953f3a961b7ede348b upstream.
Many drivers need to validate the characteristics of their HID report
during initialization to avoid misusing the reports. This adds a common
helper to perform validation of the report exisitng, the field existing,
and the expected number of values within the field.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[PG: in 2.6.34 it is err_hid(), original baseline had hid_err().]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Wed, 28 Aug 2013 20:30:49 +0000 (22:30 +0200)]
HID: pantherlord: validate output report details
commit
412f30105ec6735224535791eed5cdc02888ecb4 upstream.
A HID device could send a malicious output report that would cause the
pantherlord HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2892
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Kees Cook [Wed, 28 Aug 2013 20:29:55 +0000 (22:29 +0200)]
HID: validate HID report id size
commit
43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.
The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:
[ 1347.156239] BUG: unable to handle kernel paging request at
ffff88094958a878
[ 1347.156261] IP: [<
ffffffff813e4da0>] hid_register_report+0x2a/0x8b
CVE-2013-2888
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[PG: hid_err() --> dbg_hid() in 2.6.34 baseline]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Neil Horman [Tue, 17 Sep 2013 12:33:11 +0000 (08:33 -0400)]
crypto: ansi_cprng - Fix off by one error in non-block size request
commit
714b33d15130cbb5ab426456d4e3de842d6c5b8a upstream.
Stephan Mueller reported to me recently a error in random number generation in
the ansi cprng. If several small requests are made that are less than the
instances block size, the remainder for loop code doesn't increment
rand_data_valid in the last iteration, meaning that the last bytes in the
rand_data buffer gets reused on the subsequent smaller-than-a-block request for
random data.
The fix is pretty easy, just re-code the for loop to make sure that
rand_data_valid gets incremented appropriately
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
CC: Stephan Mueller <stephan.mueller@atsec.com>
CC: Petr Matousek <pmatouse@redhat.com>
CC: Herbert Xu <herbert@gondor.apana.org.au>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eryu Guan [Tue, 1 Nov 2011 23:04:59 +0000 (19:04 -0400)]
jbd/jbd2: validate sb->s_first in journal_get_superblock()
commit
8762202dd0d6e46854f786bdb6fb3780a1625efe upstream.
I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
image has s_first = 0 in journal superblock, and the 0 is passed to
journal->j_head in journal_reset(), then to blocknr in
cleanup_journal_tail(), in the end the J_ASSERT failed.
So validate s_first after reading journal superblock from disk in
journal_get_superblock() to ensure s_first is valid.
The following script could reproduce it:
fstype=ext3
blocksize=1024
img=$fstype.img
offset=0
found=0
magic="c0 3b 39 98"
dd if=/dev/zero of=$img bs=1M count=8
mkfs -t $fstype -b $blocksize -F $img
filesize=`stat -c %s $img`
while [ $offset -lt $filesize ]
do
if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
echo "Found journal: $offset"
found=1
break
fi
offset=`echo "$offset+$blocksize" | bc`
done
if [ $found -ne 1 ];then
echo "Magic \"$magic\" not found"
exit 1
fi
dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
mkdir -p ./mnt
mount -o loop $img ./mnt
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Hannes Frederic Sowa [Mon, 1 Jul 2013 18:21:30 +0000 (20:21 +0200)]
ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
commit
8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 upstream.
We accidentally call down to ip6_push_pending_frames when uncorking
pending AF_INET data on a ipv6 socket. This results in the following
splat (from Dave Jones):
skbuff: skb_under_panic: text:
ffffffff816765f6 len:48 put:40 head:
ffff88013deb6df0 data:
ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:126!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
task:
ffff8801f52c2520 ti:
ffff8801e6430000 task.ti:
ffff8801e6430000
RIP: 0010:[<
ffffffff816e759c>] [<
ffffffff816e759c>] skb_panic+0x63/0x65
RSP: 0018:
ffff8801e6431de8 EFLAGS:
00010282
RAX:
0000000000000086 RBX:
ffff8802353d3cc0 RCX:
0000000000000006
RDX:
0000000000003b90 RSI:
ffff8801f52c2ca0 RDI:
ffff8801f52c2520
RBP:
ffff8801e6431e08 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000001 R11:
0000000000000001 R12:
ffff88022ea0c800
R13:
ffff88022ea0cdf8 R14:
ffff8802353ecb40 R15:
ffffffff81cc7800
FS:
00007f5720a10740(0000) GS:
ffff880244c00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000005862000 CR3:
000000022843c000 CR4:
00000000001407e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000600
Stack:
ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
Call Trace:
[<
ffffffff8159a9aa>] skb_push+0x3a/0x40
[<
ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
[<
ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
[<
ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
[<
ffffffff81694660>] ? udplite_getfrag+0x20/0x20
[<
ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
[<
ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
[<
ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
[<
ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
[<
ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
[<
ffffffff816f5d54>] tracesys+0xdd/0xe2
Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
RIP [<
ffffffff816e759c>] skb_panic+0x63/0x65
RSP <
ffff8801e6431de8>
This patch adds a check if the pending data is of address family AF_INET
and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
if that is the case.
This bug was found by Dave Jones with trinity.
(Also move the initialization of fl6 below the AF_INET check, even if
not strictly necessary.)
Cc: Dave Jones <davej@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PG: The line "flowi6 *fl6 = &inet->cork.fl.u.ip6" was
"flowi *fl = &inet->cork.fl" in 2.6.34 kernel.]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Tyler Hicks [Thu, 20 Jun 2013 20:13:59 +0000 (13:13 -0700)]
libceph: Fix NULL pointer dereference in auth client code
commit
2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
A malicious monitor can craft an auth reply message that could cause a
NULL function pointer dereference in the client's kernel.
To prevent this, the auth_none protocol handler needs an empty
ceph_auth_client_ops->build_request() function.
CVE-2013-1059
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Chanam Park <chanam.park@hkpco.kr>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Sage Weil <sage@inktank.com>
[PG: in v2.6.34, file is fs/ceph and not net/ceph]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paolo Bonzini [Thu, 12 Jan 2012 15:01:29 +0000 (16:01 +0100)]
dm: do not forward ioctls from logical volumes to the underlying device
commit
ec8013beddd717d1740cfefb1a9b900deef85462 upstream.
A logical volume can map to just part of underlying physical volume.
In this case, it must be treated like a partition.
Based on a patch from Alasdair G Kergon.
Cc: Alasdair G Kergon <agk@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PG: drop drivers/md/dm-flakey.c chunk; file not present in 2.6.34]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paolo Bonzini [Thu, 12 Jan 2012 15:01:28 +0000 (16:01 +0100)]
block: fail SCSI passthrough ioctls on partition devices
commit
0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
will pass the command to the underlying block device. This is
well-known, but it is also a large security problem when (via Unix
permissions, ACLs, SELinux or a combination thereof) a program or user
needs to be granted access only to part of the disk.
This patch lets partitions forward a small set of harmless ioctls;
others are logged with printk so that we can see which ioctls are
actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
Of course it was being sent to a (partition on a) hard disk, so it would
have failed with ENOTTY and the patch isn't changing anything in
practice. Still, I'm treating it specially to avoid spamming the logs.
In principle, this restriction should include programs running with
CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
/dev/sdb, it still should not be able to read/write outside the
boundaries of /dev/sda2 independent of the capabilities. However, for
now programs with CAP_SYS_RAWIO will still be allowed to send the
ioctls. Their actions will still be logged.
This patch does not affect the non-libata IDE driver. That driver
however already tests for bd != bd->bd_contains before issuing some
ioctl; it could be restricted further to forbid these ioctls even for
programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Make it also print the command name when warning - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paolo Bonzini [Thu, 12 Jan 2012 15:01:27 +0000 (16:01 +0100)]
block: add and use scsi_blk_cmd_ioctl
commit
577ebb374c78314ac4617242f509e2f5e7156649 upstream.
Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
The function will then be enhanced to detect partition block devices
and, in that case, subject the ioctls to whitelisting.
Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Herbert Xu [Fri, 11 Feb 2011 12:36:55 +0000 (12:36 +0000)]
bridge: Fix mglist corruption that leads to memory corruption
commit
6b0d6a9b4296fa16a28d10d416db7a770fc03287 upstream.
The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.
Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added. This
leads to list corruption in the form of nodes pointing to itself.
Normally this would be quite obvious as it would cause an infinite
loop when walking the list. However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.
As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.
This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.
Thanks to Josef Bacik for pointing me in the right direction.
Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Alex Williamson [Wed, 18 Apr 2012 03:46:44 +0000 (21:46 -0600)]
KVM: lock slots_lock around device assignment
commit
21a1416a1c945c5aeaeaf791b63c64926018eb77 upstream.
As pointed out by Jason Baron, when assigning a device to a guest
we first set the iommu domain pointer, which enables mapping
and unmapping of memory slots to the iommu. This leaves a window
where this path is enabled, but we haven't synchronized the iommu
mappings to the existing memory slots. Thus a slot being removed
at that point could send us down unexpected code paths removing
non-existent pinnings and iommu mappings. Take the slots_lock
around creating the iommu domain and initial mappings as well as
around iommu teardown to avoid this race.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
[PG: drop goto for EPERM check, 2.6.34 doesn't have that code]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Alex Williamson [Wed, 11 Apr 2012 15:51:49 +0000 (09:51 -0600)]
KVM: unmap pages from the iommu when slots are removed
commit
32f6daad4651a748a58a3ab6da0611862175722f upstream.
We've been adding new mappings, but not destroying old mappings.
This can lead to a page leak as pages are pinned using
get_user_pages, but only unpinned with put_page if they still
exist in the memslots list on vm shutdown. A memslot that is
destroyed while an iommu domain is enabled for the guest will
therefore result in an elevated page reference count that is
never cleared.
Additionally, without this fix, the iommu is only programmed
with the first translation for a gpa. This can result in
peer-to-peer errors if a mapping is destroyed and replaced by a
new mapping at the same gpa as the iommu will still be pointing
to the original, pinned memory address.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
[PG: minor tweak since 2.6.34 doesnt have kvm_for_each_memslot]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Paris [Tue, 5 Apr 2011 21:20:50 +0000 (17:20 -0400)]
inotify: fix double free/corruption of stuct user
commit
d0de4dc584ec6aa3b26fffea320a8457827768fc upstream.
On an error path in inotify_init1 a normal user can trigger a double
free of struct user. This is a regression introduced by
a2ae4cc9a16e
("inotify: stop kernel memory leak on file creation failure").
We fix this by making sure that if a group exists the user reference is
dropped when the group is cleaned up. We should not explictly drop the
reference on error and also drop the reference when the group is cleaned
up.
The new lifetime rules are that an inotify group lives from
inotify_new_group to the last fsnotify_put_group. Since the struct user
and inotify_devs are directly tied to this lifetime they are only
changed/updated in those two locations. We get rid of all special
casing of struct user or user->inotify_devs.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric Dumazet [Thu, 21 Apr 2011 09:45:37 +0000 (09:45 +0000)]
inet: add RCU protection to inet->opt
commit
f6d8bd051c391c1c0458a30b2a7abcd939329259 upstream.
We lack proper synchronization to manipulate inet->opt ip_options
Problem is ip_make_skb() calls ip_setup_cork() and
ip_setup_cork() possibly makes a copy of ipc->opt (struct ip_options),
without any protection against another thread manipulating inet->opt.
Another thread can change inet->opt pointer and free old one under us.
Use RCU to protect inet->opt (changed to inet->inet_opt).
Instead of handling atomic refcounts, just copy ip_options when
necessary, to avoid cache line dirtying.
We cant insert an rcu_head in struct ip_options since its included in
skb->cb[], so this patch is large because I had to introduce a new
ip_options_rcu structure.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[dannf/bwh: backported to Debian's 2.6.32]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[PG: use 2.6.32 patch, since it is closer to 2.6.34 than original
baseline; drop net/l2tp/l2tp_ip.c chunk as we don't have that file]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paul Gortmaker [Tue, 28 Jan 2014 00:19:40 +0000 (19:19 -0500)]
Revert "percpu: fix chunk range calculation"
This reverts commit
264266e6897dd81c894d1c5cbd90b133707b32f3.
The backport had dependencies on other mm/percpu.c restructurings,
like those in commit
020ec6537aa65c18e9084c568d7b94727f2026fd
("percpu: factor out pcpu_addr_in_first/reserved_chunk() and update
per_cpu_ptr_to_phys()"). Rather than drag in more changes, we simply
revert the incomplete backport.
Reported-by: George G. Davis <george_davis@mentor.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
George G. Davis [Fri, 26 Apr 2013 23:00:53 +0000 (19:00 -0400)]
udf: fix udf_error build warnings
The v2.6.34.14 commit "
d7542a6 udf: Avoid run away loop when partition
table length is corrupted" introduced the following build warning due
to a change in the number of args in udf_error/udf_err for v2.6.34.14:
CC fs/udf/super.o
fs/udf/super.c: In function 'udf_load_sparable_map':
fs/udf/super.c:1259: warning: passing argument 3 of 'udf_error' makes pointer from integer without a cast
fs/udf/super.c:1265: warning: passing argument 3 of 'udf_error' makes pointer from integer without a cast
fs/udf/super.c: In function 'udf_load_logicalvol':
fs/udf/super.c:1313: warning: passing argument 3 of 'udf_error' makes pointer from integer without a cast
The above warnings are due to a missing __func__ argument in the above
udf_error function calls. This is because of commit
8076c363da15e7
("udf: Rename udf_error to udf_err") which removed the __func__ arg.
Restore the missing __func__ argument to fix the build warnings.
Signed-off-by: George G. Davis <george_davis@mentor.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Romain Francoise [Thu, 24 Jan 2013 16:35:42 +0000 (11:35 -0500)]
x86, random: make ARCH_RANDOM prompt if EMBEDDED, not EXPERT
Before v2.6.38 CONFIG_EXPERT was known as CONFIG_EMBEDDED but the
Kconfig entry was not changed to match when upstream commit
628c6246d47b85f5357298601df2444d7f4dd3fd ("x86, random: Architectural
inlines to get random integers with RDRAND") was backported.
Signed-off-by: Romain Francoise <romain@orebokech.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Paul Gortmaker [Wed, 16 Jan 2013 21:55:31 +0000 (16:55 -0500)]
Linux 2.6.34.14
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Matthew Garrett [Wed, 6 Jul 2011 20:52:37 +0000 (16:52 -0400)]
x86: Don't use the EFI reboot method by default
commit
f70e957cda22d309c769805cbb932407a5232219 upstream.
Testing suggests that at least some Lenovos and some Intels will
fail to reboot via EFI, attempting to jump to an unmapped
physical address. In the long run we could handle this by
providing a page table with a 1:1 mapping of physical addresses,
but for now it's probably just easier to assume that ACPI or
legacy methods will be present and reboot via those.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Alan Cox <alan@linux.intel.com>
Link: http://lkml.kernel.org/r/1309985557-15350-1-git-send-email-mjg@redhat.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
[PG: in 2.6.34, file is x86/platform/efi/efi.c --> x86/kernel/efi.c]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Richard Weinberger [Mon, 23 May 2011 22:18:05 +0000 (00:18 +0200)]
x86: Get rid of asmregparm
commit
1b4ac2a935aaf194241a2f4165d6407ba9650e1a upstream.
As UML does no longer need asmregparm we can remove it.
Signed-off-by: Richard Weinberger <richard@nod.at>
Cc: namhyung@gmail.com
Cc: davem@davemloft.net
Cc: fweisbec@gmail.com
Cc: dhowells@redhat.com
Link: http://lkml.kernel.org/r/%3C1306189085-29896-1-git-send-email-richard%40nod.at%3E
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Richard Weinberger [Mon, 23 May 2011 20:51:33 +0000 (22:51 +0200)]
um: Use RWSEM_GENERIC_SPINLOCK on x86
commit
3a3679078aed2c451ebc32836bbd3b8219a65e01 upstream.
Commit d12337 (rwsem: Remove redundant asmregparm annotation)
broke rwsem on UML.
As we cannot compile UML with -mregparm=3 and keeping asmregparm only
for UML is inadequate the easiest solution is using RWSEM_GENERIC_SPINLOCK.
Thanks to Thomas Gleixner for the idea.
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Tested-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Richard Weinberger <richard@nod.at>
Cc: user-mode-linux-devel@lists.sourceforge.net
Link: http://lkml.kernel.org/r/%3C1306183893-26655-1-git-send-email-richard%40nod.at%3E
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Thomas Gleixner [Wed, 26 Jan 2011 20:32:01 +0000 (21:32 +0100)]
rwsem: Remove redundant asmregparm annotation
commit
d123375425d7df4b6081a631fc1203fceafa59b2 upstream.
Peter Zijlstra pointed out, that the only user of asmregparm (x86) is
compiling the kernel already with -mregparm=3. So the annotation of
the rwsem functions is redundant. Remove it.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: David Miller <davem@davemloft.net>
Cc: Chris Zankel <chris@zankel.net>
LKML-Reference: <alpine.LFD.2.00.
1101262130450.31804@localhost6.localdomain6>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[PG: fixes compile errors when using newer gcc on 2.6.34 baseline]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Chanho Min [Thu, 5 Jan 2012 11:00:19 +0000 (20:00 +0900)]
sched/rt: Fix task stack corruption under __ARCH_WANT_INTERRUPTS_ON_CTXSW
commit
cb297a3e433dbdcf7ad81e0564e7b804c941ff0d upstream.
This issue happens under the following conditions:
1. preemption is off
2. __ARCH_WANT_INTERRUPTS_ON_CTXSW is defined
3. RT scheduling class
4. SMP system
Sequence is as follows:
1.suppose current task is A. start schedule()
2.task A is enqueued pushable task at the entry of schedule()
__schedule
prev = rq->curr;
...
put_prev_task
put_prev_task_rt
enqueue_pushable_task
4.pick the task B as next task.
next = pick_next_task(rq);
3.rq->curr set to task B and context_switch is started.
rq->curr = next;
4.At the entry of context_swtich, release this cpu's rq->lock.
context_switch
prepare_task_switch
prepare_lock_switch
raw_spin_unlock_irq(&rq->lock);
5.Shortly after rq->lock is released, interrupt is occurred and start IRQ context
6.try_to_wake_up() which called by ISR acquires rq->lock
try_to_wake_up
ttwu_remote
rq = __task_rq_lock(p)
ttwu_do_wakeup(rq, p, wake_flags);
task_woken_rt
7.push_rt_task picks the task A which is enqueued before.
task_woken_rt
push_rt_tasks(rq)
next_task = pick_next_pushable_task(rq)
8.At find_lock_lowest_rq(), If double_lock_balance() returns 0,
lowest_rq can be the remote rq.
(But,If preemption is on, double_lock_balance always return 1 and it
does't happen.)
push_rt_task
find_lock_lowest_rq
if (double_lock_balance(rq, lowest_rq))..
9.find_lock_lowest_rq return the available rq. task A is migrated to
the remote cpu/rq.
push_rt_task
...
deactivate_task(rq, next_task, 0);
set_task_cpu(next_task, lowest_rq->cpu);
activate_task(lowest_rq, next_task, 0);
10. But, task A is on irq context at this cpu.
So, task A is scheduled by two cpus at the same time until restore from IRQ.
Task A's stack is corrupted.
To fix it, don't migrate an RT task if it's still running.
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Link: http://lkml.kernel.org/r/CAOAMb1BHA=5fm7KTewYyke6u-8DP0iUuJMpgQw54vNeXFsGpoQ@mail.gmail.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
[PG: in 2.6.34, sched/rt.c is just sched_rt.c]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Eric W. Biederman [Sat, 29 Jan 2011 14:57:22 +0000 (14:57 +0000)]
net: Fix ip link add netns oops
commit
13ad17745c2cbd437d9e24b2d97393e0be11c439 upstream.
Ed Swierk <eswierk@bigswitch.com> writes:
> On 2.6.35.7
> ip link add link eth0 netns 9999 type macvlan
> where 9999 is a nonexistent PID triggers an oops and causes all network functions to hang:
> [10663.821898] BUG: unable to handle kernel NULL pointer dereference at
000000000000006d
> [10663.821917] IP: [<
ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
> [10663.821933] PGD
1d3927067 PUD
22f5c5067 PMD 0
> [10663.821944] Oops: 0000 [#1] SMP
> [10663.821953] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
> [10663.821959] CPU 3
> [10663.821963] Modules linked in: macvlan ip6table_filter ip6_tables rfcomm ipt_MASQUERADE binfmt_misc iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack sco ipt_REJECT bnep l2cap xt_tcpudp iptable_filter ip_tables x_tables bridge stp vboxnetadp vboxnetflt vboxdrv kvm_intel kvm parport_pc ppdev snd_hda_codec_intelhdmi snd_hda_codec_conexant arc4 iwlagn iwlcore mac80211 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi snd_rawmidi i915 snd_seq_midi_event snd_seq thinkpad_acpi drm_kms_helper btusb tpm_tis nvram uvcvideo snd_timer snd_seq_device bluetooth videodev v4l1_compat v4l2_compat_ioctl32 tpm drm tpm_bios snd cfg80211 psmouse serio_raw intel_ips soundcore snd_page_alloc intel_agp i2c_algo_bit video output netconsole configfs lp parport usbhid hid e1000e sdhci_pci ahci libahci sdhci led_class
> [10663.822155]
> [10663.822161] Pid: 6000, comm: ip Not tainted 2.6.35-23-generic #41-Ubuntu 2901CTO/2901CTO
> [10663.822167] RIP: 0010:[<
ffffffff8149c2fa>] [<
ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
> [10663.822177] RSP: 0018:
ffff88014aebf7b8 EFLAGS:
00010286
> [10663.822182] RAX:
00000000fffffff4 RBX:
ffff8801ad900800 RCX:
0000000000000000
> [10663.822187] RDX:
ffff880000000000 RSI:
0000000000000000 RDI:
ffff88014ad63000
> [10663.822191] RBP:
ffff88014aebf808 R08:
0000000000000041 R09:
0000000000000041
> [10663.822196] R10:
0000000000000000 R11:
dead000000200200 R12:
ffff88014aebf818
> [10663.822201] R13:
fffffffffffffffd R14:
ffff88014aebf918 R15:
ffff88014ad62000
> [10663.822207] FS:
00007f00c487f700(0000) GS:
ffff880001f80000(0000) knlGS:
0000000000000000
> [10663.822212] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
> [10663.822216] CR2:
000000000000006d CR3:
0000000231f19000 CR4:
00000000000026e0
> [10663.822221] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
> [10663.822226] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
> [10663.822231] Process ip (pid: 6000, threadinfo
ffff88014aebe000, task
ffff88014afb16e0)
> [10663.822236] Stack:
> [10663.822240]
ffff88014aebf808 ffffffff814a2bb5 ffff88014aebf7e8 00000000a00ee8d6
> [10663.822251] <0>
0000000000000000 ffffffffa00ef940 ffff8801ad900800 ffff88014aebf818
> [10663.822265] <0>
ffff88014aebf918 ffff8801ad900800 ffff88014aebf858 ffffffff8149c413
> [10663.822281] Call Trace:
> [10663.822290] [<
ffffffff814a2bb5>] ? dev_addr_init+0x75/0xb0
> [10663.822298] [<
ffffffff8149c413>] dev_alloc_name+0x43/0x90
> [10663.822307] [<
ffffffff814a85ee>] rtnl_create_link+0xbe/0x1b0
> [10663.822314] [<
ffffffff814ab2aa>] rtnl_newlink+0x48a/0x570
> [10663.822321] [<
ffffffff814aafcc>] ? rtnl_newlink+0x1ac/0x570
> [10663.822332] [<
ffffffff81030064>] ? native_x2apic_icr_read+0x4/0x20
> [10663.822339] [<
ffffffff814a8c17>] rtnetlink_rcv_msg+0x177/0x290
> [10663.822346] [<
ffffffff814a8aa0>] ? rtnetlink_rcv_msg+0x0/0x290
> [10663.822354] [<
ffffffff814c25d9>] netlink_rcv_skb+0xa9/0xd0
> [10663.822360] [<
ffffffff814a8a85>] rtnetlink_rcv+0x25/0x40
> [10663.822367] [<
ffffffff814c223e>] netlink_unicast+0x2de/0x2f0
> [10663.822374] [<
ffffffff814c303e>] netlink_sendmsg+0x1fe/0x2e0
> [10663.822383] [<
ffffffff81488533>] sock_sendmsg+0xf3/0x120
> [10663.822391] [<
ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
> [10663.822400] [<
ffffffff81168656>] ? __d_lookup+0x136/0x150
> [10663.822406] [<
ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
> [10663.822414] [<
ffffffff812b7a0d>] ? _atomic_dec_and_lock+0x4d/0x80
> [10663.822422] [<
ffffffff8116ea90>] ? mntput_no_expire+0x30/0x110
> [10663.822429] [<
ffffffff81486ff5>] ? move_addr_to_kernel+0x65/0x70
> [10663.822435] [<
ffffffff81493308>] ? verify_iovec+0x88/0xe0
> [10663.822442] [<
ffffffff81489020>] sys_sendmsg+0x240/0x3a0
> [10663.822450] [<
ffffffff8111e2a9>] ? __do_fault+0x479/0x560
> [10663.822457] [<
ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
> [10663.822465] [<
ffffffff8116cf4a>] ? alloc_fd+0x10a/0x150
> [10663.822473] [<
ffffffff8158d76e>] ? do_page_fault+0x15e/0x350
> [10663.822482] [<
ffffffff8100a0f2>] system_call_fastpath+0x16/0x1b
> [10663.822487] Code: 90 48 8d 78 02 be 25 00 00 00 e8 92 1d e2 ff 48 85 c0 75 cf bf 20 00 00 00 e8 c3 b1 c6 ff 49 89 c7 b8 f4 ff ff ff 4d 85 ff 74 bd <4d> 8b 75 70 49 8d 45 70 48 89 45 b8 49 83 ee 58 eb 28 48 8d 55
> [10663.822618] RIP [<
ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
> [10663.822627] RSP <
ffff88014aebf7b8>
> [10663.822631] CR2:
000000000000006d
> [10663.822636] ---[ end trace
3dfd6c3ad5327ca7 ]---
This bug was introduced in:
commit
81adee47dfb608df3ad0b91d230fb3cef75f0060
Author: Eric W. Biederman <ebiederm@aristanetworks.com>
Date: Sun Nov 8 00:53:51 2009 -0800
net: Support specifying the network namespace upon device creation.
There is no good reason to not support userspace specifying the
network namespace during device creation, and it makes it easier
to create a network device and pass it to a child network namespace
with a well known name.
We have to be careful to ensure that the target network namespace
for the new device exists through the life of the call. To keep
that logic clear I have factored out the network namespace grabbing
logic into rtnl_link_get_net.
In addtion we need to continue to pass the source network namespace
to the rtnl_link_ops.newlink method so that we can find the base
device source network namespace.
Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Where apparently I forgot to add error handling to the path where we create
a new network device in a new network namespace, and pass in an invalid pid.
Reported-by: Ed Swierk <eswierk@bigswitch.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Will Deacon [Fri, 10 Aug 2012 14:22:09 +0000 (15:22 +0100)]
mutex: Place lock in contended state after fastpath_lock failure
commit
0bce9c46bf3b15f485d82d7e81dabed6ebcc24b1 upstream.
ARM recently moved to asm-generic/mutex-xchg.h for its mutex
implementation after the previous implementation was found to be missing
some crucial memory barriers. However, this has revealed some problems
running hackbench on SMP platforms due to the way in which the
MUTEX_SPIN_ON_OWNER code operates.
The symptoms are that a bunch of hackbench tasks are left waiting on an
unlocked mutex and therefore never get woken up to claim it. This boils
down to the following sequence of events:
Task A Task B Task C Lock value
0 1
1 lock() 0
2 lock() 0
3 spin(A) 0
4 unlock() 1
5 lock() 0
6 cmpxchg(1,0) 0
7 contended() -1
8 lock() 0
9 spin(C) 0
10 unlock() 1
11 cmpxchg(1,0) 0
12 unlock() 1
At this point, the lock is unlocked, but Task B is in an uninterruptible
sleep with nobody to wake it up.
This patch fixes the problem by ensuring we put the lock into the
contended state if we fail to acquire it on the fastpath, ensuring that
any blocked waiters are woken up when the mutex is released.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Chris Mason <chris.mason@fusionio.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: <stable@vger.kernel.org>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/n/tip-6e9lrw2avczr0617fzl5vqb8@git.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Stanislaw Gruszka [Wed, 8 Aug 2012 09:27:15 +0000 (11:27 +0200)]
sched: fix divide by zero at {thread_group,task}_times
commit
bea6832cc8c4a0a9a65dd17da6aaa657fe27bc3e upstream.
On architectures where cputime_t is 64 bit type, is possible to trigger
divide by zero on do_div(temp, (__force u32) total) line, if total is a
non zero number but has lower 32 bit's zeroed. Removing casting is not
a good solution since some do_div() implementations do cast to u32
internally.
This problem can be triggered in practice on very long lived processes:
PID: 2331 TASK:
ffff880472814b00 CPU: 2 COMMAND: "oraagent.bin"
#0 [
ffff880472a51b70] machine_kexec at
ffffffff8103214b
#1 [
ffff880472a51bd0] crash_kexec at
ffffffff810b91c2
#2 [
ffff880472a51ca0] oops_end at
ffffffff814f0b00
#3 [
ffff880472a51cd0] die at
ffffffff8100f26b
#4 [
ffff880472a51d00] do_trap at
ffffffff814f03f4
#5 [
ffff880472a51d60] do_divide_error at
ffffffff8100cfff
#6 [
ffff880472a51e00] divide_error at
ffffffff8100be7b
[exception RIP: thread_group_times+0x56]
RIP:
ffffffff81056a16 RSP:
ffff880472a51eb8 RFLAGS:
00010046
RAX:
bc3572c9fe12d194 RBX:
ffff880874150800 RCX:
0000000110266fad
RDX:
0000000000000000 RSI:
ffff880472a51eb8 RDI:
001038ae7d9633dc
RBP:
ffff880472a51ef8 R8:
00000000b10a3a64 R9:
ffff880874150800
R10:
00007fcba27ab680 R11:
0000000000000202 R12:
ffff880472a51f08
R13:
ffff880472a51f10 R14:
0000000000000000 R15:
0000000000000007
ORIG_RAX:
ffffffffffffffff CS: 0010 SS: 0018
#7 [
ffff880472a51f00] do_sys_times at
ffffffff8108845d
#8 [
ffff880472a51f40] sys_times at
ffffffff81088524
#9 [
ffff880472a51f80] system_call_fastpath at
ffffffff8100b0f2
RIP:
0000003808caac3a RSP:
00007fcba27ab6d8 RFLAGS:
00000202
RAX:
0000000000000064 RBX:
ffffffff8100b0f2 RCX:
0000000000000000
RDX:
00007fcba27ab6e0 RSI:
000000000076d58e RDI:
00007fcba27ab6e0
RBP:
00007fcba27ab700 R8:
0000000000000020 R9:
000000000000091b
R10:
00007fcba27ab680 R11:
0000000000000202 R12:
00007fff9ca41940
R13:
0000000000000000 R14:
00007fcba27ac9c0 R15:
00007fff9ca41940
ORIG_RAX:
0000000000000064 CS: 0033 SS: 002b
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20120808092714.GA3580@redhat.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[PG: sched/core.c is just sched.c in 2.6.34; also the do_div() on
__force u32 isn't explicitly seen since that is in v3.3-rc1~191^2~11]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Peter Zijlstra [Tue, 15 Mar 2011 13:37:10 +0000 (14:37 +0100)]
perf: Fix tear-down of inherited group events
commit
38b435b16c36b0d863efcf3f07b34a6fac9873fd upstream.
When destroying inherited events, we need to destroy groups too,
otherwise the event iteration in perf_event_exit_task_context() will
miss group siblings and we leak events with all the consequences.
Reported-and-tested-by: Vince Weaver <vweaver1@eecs.utk.edu>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <
1300196470.2203.61.camel@twins>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Peter Zijlstra [Thu, 27 May 2010 13:47:49 +0000 (15:47 +0200)]
perf_events: Fix races in group composition
commit
8a49542c0554af7d0073aac0ee73ee65b807ef34 upstream.
Group siblings don't pin each-other or the parent, so when we destroy
events we must make sure to clean up all cross referencing pointers.
In particular, for destruction of a group leader we must be able to
find all its siblings and remove their reference to it.
This means that detaching an event from its context must not detach it
from the group, otherwise we can end up failing to clear all pointers.
Solve this by clearly separating the attachment to a context and
attachment to a group, and keep the group composed until we destroy
the events.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jan Kiszka [Wed, 14 Dec 2011 18:25:13 +0000 (19:25 +0100)]
KVM: x86: Prevent starting PIT timers in the absence of irqchip support
commit
0924ab2cfa98b1ece26c033d696651fd62896c69 upstream.
User space may create the PIT and forgets about setting up the irqchips.
In that case, firing PIT IRQs will crash the host:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000128
IP: [<
ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
...
Call Trace:
[<
ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
[<
ffffffff81071431>] process_one_work+0x111/0x4d0
[<
ffffffff81071bb2>] worker_thread+0x152/0x340
[<
ffffffff81075c8e>] kthread+0x7e/0x90
[<
ffffffff815a4474>] kernel_thread_helper+0x4/0x10
Prevent this by checking the irqchip mode before starting a timer. We
can't deny creating the PIT if the irqchips aren't set up yet as
current user land expects this order to work.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Jacek Luczak [Thu, 19 May 2011 09:55:13 +0000 (09:55 +0000)]
SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict()
commit
c182f90bc1f22ce5039b8722e45621d5f96862c2 upstream.
During the sctp_close() call, we do not use rcu primitives to
destroy the address list attached to the endpoint. At the same
time, we do the removal of addresses from this list before
attempting to remove the socket from the port hash
As a result, it is possible for another process to find the socket
in the port hash that is in the process of being closed. It then
proceeds to traverse the address list to find the conflict, only
to have that address list suddenly disappear without rcu() critical
section.
Fix issue by closing address list removal inside RCU critical
section.
Race can result in a kernel crash with general protection fault or
kernel NULL pointer dereference:
kernel: general protection fault: 0000 [#1] SMP
kernel: RIP: 0010:[<
ffffffffa02f3dde>] [<
ffffffffa02f3dde>] sctp_bind_addr_conflict+0x64/0x82 [sctp]
kernel: Call Trace:
kernel: [<
ffffffffa02f415f>] ? sctp_get_port_local+0x17b/0x2a3 [sctp]
kernel: [<
ffffffffa02f3d45>] ? sctp_bind_addr_match+0x33/0x68 [sctp]
kernel: [<
ffffffffa02f4416>] ? sctp_do_bind+0xd3/0x141 [sctp]
kernel: [<
ffffffffa02f5030>] ? sctp_bindx_add+0x4d/0x8e [sctp]
kernel: [<
ffffffffa02f5183>] ? sctp_setsockopt_bindx+0x112/0x4a4 [sctp]
kernel: [<
ffffffff81089e82>] ? generic_file_aio_write+0x7f/0x9b
kernel: [<
ffffffffa02f763e>] ? sctp_setsockopt+0x14f/0xfee [sctp]
kernel: [<
ffffffff810c11fb>] ? do_sync_write+0xab/0xeb
kernel: [<
ffffffff810e82ab>] ? fsnotify+0x239/0x282
kernel: [<
ffffffff810c2462>] ? alloc_file+0x18/0xb1
kernel: [<
ffffffff8134a0b1>] ? compat_sys_setsockopt+0x1a5/0x1d9
kernel: [<
ffffffff8134aaf1>] ? compat_sys_socketcall+0x143/0x1a4
kernel: [<
ffffffff810467dc>] ? sysenter_dispatch+0x7/0x32
Signed-off-by: Jacek Luczak <luczak.jacek@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
CC: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
projects / wrapfs-2.6.34.y.git / log