12 Apr, 2014

1 commit

  • Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->sk_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about its
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
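As an added illustration (not code from the commit or from the kernel), a constructed user-space model of the two call shapes: a consumer that runs synchronously from the data-ready callback releases the skb, so a length read after queueing sees stale data. Freeing is modelled by zeroing `len` and keeping the memory, so the program stays well defined; the ordering defect is the same as in the kernel pattern.

```c
/* Constructed user-space model of the pattern in the commit above; not kernel code. */
struct skb { struct skb *next; unsigned len; };
struct sock {
    struct skb *rx_head;                   /* receive queue */
    void (*sk_data_ready)(struct sock *);  /* fixed signature: no length */
    unsigned consumed;                     /* bytes the consumer has taken */
};
static void skb_queue_tail(struct sock *sk, struct skb *skb)
{
    struct skb **pp = &sk->rx_head;
    while (*pp) pp = &(*pp)->next;
    *pp = skb; skb->next = 0;
}

/* Consumer running synchronously from the callback. Release is modelled by
 * zeroing len (what freed memory looks like to a later reader), never a real free. */
static void eager_consumer(struct sock *sk)
{
    struct skb *skb = sk->rx_head;
    sk->rx_head = skb->next;
    sk->consumed += skb->len;
    skb->len = 0;   /* stand-in for kfree_skb(): the skb is no longer ours */
}

/* Buggy shape from the commit: skb->len is read after ownership moved. */
static unsigned deliver_buggy(struct sock *sk, struct skb *skb)
{
    skb_queue_tail(sk, skb);
    sk->sk_data_ready(sk);
    return skb->len;   /* stale: the consumer already released it */
}

/* Fixed shape: nothing is read from the skb once it has been queued. */
static unsigned deliver_fixed(struct sock *sk, struct skb *skb)
{
    unsigned len = skb->len;   /* read before hand-off, if a caller needs it */
    skb_queue_tail(sk, skb);
    sk->sk_data_ready(sk);
    return len;
}
struct demo_result { unsigned consumed, buggy_view, fixed_view; };
static struct demo_result demo(void)
{
    struct sock sk = { 0, eager_consumer, 0 };
    struct skb a = { 0, 100 }, b = { 0, 64 };
    struct demo_result r = { 0, deliver_buggy(&sk, &a), 0 };  /* buggy_view: 0 */
    r.fixed_view = deliver_fixed(&sk, &b);                   /* 64 */
    r.consumed = sk.consumed;                                /* 164 */
    return r;
}
```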
     

21 Nov, 2013

1 commit


24 Apr, 2013

1 commit


08 Apr, 2013

2 commits

  • Conflicts:
    drivers/nfc/microread/mei.c
    net/netfilter/nfnetlink_queue_core.c

    Pull in 'net' to get Eric Biederman's AF_UNIX fix, upon which
    some cleanups are going to go on-top.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about caif_seqpkt_recvmsg() not filling the msg_name in case it was
    set.

    Cc: Sjur Braendeland
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
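As an added illustration (not code from the commit or from the kernel), a constructed model of the hand-off the commit describes: the syscall wrapper places a sockaddr_storage on its stack, the protocol's recvmsg never writes it, and msg_namelen bytes are copied back to the caller. The stale stack contents are modelled as a fixed byte pattern so the run is deterministic; the 128-byte size and the oversized-length rejection are assumptions stated in the comments.

```c
#include <string.h>

/* Constructed model of the net/socket.c -> protocol recvmsg hand-off; not kernel code. */
#define ADDR_STORAGE 128   /* assumed sizeof(struct sockaddr_storage) */

struct msghdr { unsigned char *msg_name; size_t msg_namelen; };

/* Protocol recvmsg that never writes msg_name (the caif_seqpkt_recvmsg case).
 * With fixed == 0 it leaves msg_namelen as it found it; with fixed == 1 it
 * reports zero address bytes, which is what the commit does. */
static void proto_recvmsg(struct msghdr *msg, int fixed)
{
    if (fixed)
        msg->msg_namelen = 0;
}

/* Model of the syscall path: a sockaddr_storage lives on the kernel stack,
 * the protocol is asked to fill it, then msg_namelen bytes are copied back
 * to the caller. Returns the number of bytes that crossed to user space. */
static size_t sys_recvmsg(unsigned char *user_addr, size_t user_namelen, int fixed)
{
    unsigned char kstack[ADDR_STORAGE];
    struct msghdr msg;
    size_t n;

    /* Whatever the stack last held: modelled as a fixed pattern so the run is
     * deterministic. In the kernel these bytes are prior kernel data. */
    memset(kstack, 0xAA, sizeof kstack);

    msg.msg_name = kstack;
    msg.msg_namelen = user_namelen;   /* caller-supplied, e.g. sizeof(storage) */
    proto_recvmsg(&msg, fixed);

    n = msg.msg_namelen;
    if (n > sizeof kstack)            /* assumed: oversized lengths are rejected */
        return 0;
    memcpy(user_addr, kstack, n);     /* stands in for copy_to_user() */
    return n;
}

/* Counts how many stale-stack bytes a caller receives for each variant. */
static size_t leaked_bytes(int fixed)
{
    unsigned char user_addr[ADDR_STORAGE];
    size_t i, n = sys_recvmsg(user_addr, sizeof user_addr, fixed), stale = 0;
    for (i = 0; i < n; i++)
        stale += (user_addr[i] == 0xAA);
    return stale;   /* 128 when buggy, 0 when fixed */
}
```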
     

08 Mar, 2013

1 commit


01 Aug, 2012

1 commit

  • This patch series is based on top of "Swap-over-NBD without deadlocking
    v15" as it depends on the same reservation of PF_MEMALLOC reserves logic.

    When a user or administrator requires swap for their application, they
    create a swap partition and file, format it with mkswap and activate it
    with swapon. In diskless systems this is not an option so if swap is
    required then swapping over the network is considered. The two likely
    scenarios are when blade servers are used as part of a cluster where the
    form factor or maintenance costs do not allow the use of disks and thin
    clients.

    The Linux Terminal Server Project recommends the use of the Network Block
    Device (NBD) for swap but this is not always an option. There is no
    guarantee that the network attached storage (NAS) device is running Linux
    or supports NBD. However, it is likely that it supports NFS so there are
    users that want support for swapping over NFS despite any performance
    concern. Some distributions currently carry patches that support swapping
    over NFS but it would be preferable to support it in the mainline kernel.

    Patch 1 avoids a stream-specific deadlock that potentially affects TCP.

    Patch 2 is a small modification to SELinux to avoid using PFMEMALLOC
    reserves.

    Patch 3 adds three helpers for filesystems to handle swap cache pages.
    For example, page_file_mapping() returns page->mapping for
    file-backed pages and the address_space of the underlying
    swap file for swap cache pages.

    Patch 4 adds two address_space_operations to allow a filesystem
    to pin all metadata relevant to a swapfile in memory. Upon
    successful activation, the swapfile is marked SWP_FILE and
    the address space operation ->direct_IO is used for writing
    and ->readpage for reading in swap pages.

    Patch 5 notes that patch 3 is bolting
    filesystem-specific-swapfile-support onto the side and that
    the default handlers have different information to what
    is available to the filesystem. This patch refactors the
    code so that there are generic handlers for each of the new
    address_space operations.

    Patch 6 adds an API to allow a vector of kernel addresses to be
    translated to struct pages and pinned for IO.

    Patch 7 adds support for using highmem pages for swap by kmapping
    the pages before calling the direct_IO handler.

    Patch 8 updates NFS to use the helpers from patch 3 where necessary.

    Patch 9 avoids setting PF_private on PG_swapcache pages within NFS.

    Patch 10 implements the new swapfile-related address_space operations
    for NFS and teaches the direct IO handler how to manage
    kernel addresses.

    Patch 11 prevents page allocator recursions in NFS by using GFP_NOIO
    where appropriate.

    Patch 12 fixes a NULL pointer dereference that occurs when using
    swap-over-NFS.

    With the patches applied, it is possible to mount a swapfile that is on an
    NFS filesystem. Swap performance is not great with a swap stress test
    taking roughly twice as long to complete than if the swap device was
    backed by NBD.

    This patch: netvm: prevent a stream-specific deadlock

    It could happen that all !SOCK_MEMALLOC sockets have buffered so much data
    that we're over the global rmem limit. This will prevent SOCK_MEMALLOC
    buffers from receiving data, which will prevent userspace from running,
    which is needed to reduce the buffered data.

    Fix this by exempting the SOCK_MEMALLOC sockets from the rmem limit. Once
    this change is applied, it is important that sockets that set
    SOCK_MEMALLOC do not clear the flag until the socket is being torn down.
    If this happens, a warning is generated and the tokens reclaimed to avoid
    accounting errors until the bug is fixed.

    [davem@davemloft.net: Warning about clearing SOCK_MEMALLOC]
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Mel Gorman
    Acked-by: David S. Miller
    Acked-by: Rik van Riel
    Cc: Trond Myklebust
    Cc: Neil Brown
    Cc: Christoph Hellwig
    Cc: Mike Christie
    Cc: Eric B Munson
    Cc: Sebastian Andrzej Siewior
    Cc: Mel Gorman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Mel Gorman
     

26 Jun, 2012

1 commit


16 May, 2012

1 commit


16 Apr, 2012

1 commit


13 Apr, 2012

1 commit

  • Set traffic class for CAIF packets, based on socket
    priority, CAIF protocol type, or type of message.

    Traffic class mapping for different packet types:
    - control: TC_PRIO_CONTROL;
    - flow control: TC_PRIO_CONTROL;
    - at: TC_PRIO_CONTROL;
    - rfm: TC_PRIO_INTERACTIVE_BULK;
    - other sockets: equals to socket's TC;
    - network data: no change.

    Signed-off-by: Dmitry Tarnyagin
    Signed-off-by: David S. Miller

    Dmitry Tarnyagin
     

05 Feb, 2012

2 commits


03 Feb, 2012

1 commit


23 May, 2011

1 commit

  • CAIF Socket layer - caif_socket.c:
    - Plug mem-leak at reconnect.
    - Always call disconnect to cleanup CAIF stack.
    - Disconnect will always report success.

    CAIF configuration layer - cfcnfg.c
    - Disconnect must dismantle the caif stack correctly
    - Protect against faulty removals (check on id zero)

    CAIF mux layer - cfmuxl.c
    - When inserting new service layer in the MUX remove
    any old entries with the same ID.
    - When removing CAIF Link layer, remove the associated
    service layers before notifying service layers.

    Signed-off-by: Sjur Brændeland
    Signed-off-by: David S. Miller

    sjur.brandeland@stericsson.com
     

16 May, 2011

5 commits


12 Apr, 2011

1 commit


31 Mar, 2011

1 commit


11 Jan, 2011

1 commit


04 Nov, 2010

1 commit

  • Changes:
    o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled
    in caif's setsockopt, using the struct sock attribute priority instead.

    o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled
    in caif's setsockopt, using the struct sock attribute ifindex instead.

    o Wrong assert statement for RFM layer segmentation.

    o CAIF Debug channels were not working over SPI, caif_payload_info
    containing padding info must be initialized.

    o Check on pointer before dereferencing when unregister dev in caif_dev.c

    Signed-off-by: Sjur Braendeland
    Signed-off-by: David S. Miller

    André Carvalho de Matos
     

07 Oct, 2010

1 commit


06 Oct, 2010

1 commit

  • caif_connect() might dereference a netdevice after dev_put() it.

    It also doesn't check dev_get_by_index() return value and could
    dereference a NULL pointer.

    Fix it, using RCU to avoid taking a reference.

    Signed-off-by: Eric Dumazet
    CC: Sjur Braendeland
    Signed-off-by: David S. Miller

    Eric Dumazet
     

05 Oct, 2010

1 commit


22 Sep, 2010

2 commits


07 Sep, 2010

1 commit

  • This patch standardizes caif message logging prefixes.

    Add #define pr_fmt(fmt) KBUILD_MODNAME ":%s(): " fmt, __func__
    Add missing "\n"s to some logging messages
    Convert pr_warning to pr_warn

    This changes the logging message prefix from CAIF: to caif:
    for all uses but caif_socket.c and chnl_net.c. Those now use
    their filename without extension.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

21 Jun, 2010

2 commits


31 May, 2010

1 commit

  • We already dereferenced uaddr towards the start of the function when we
    checked that "uaddr->sa_family != AF_CAIF". Both the check here and the
    earlier check were added in bece7b2398d0: "caif: Rewritten socket
    implementation". Before that patch, we assumed that we recieved a valid
    pointer for uaddr, and based on that, I have removed this check.

    Signed-off-by: Dan Carpenter
    Acked-by: Sjur Braendeland
    Signed-off-by: David S. Miller

    Dan Carpenter
     

24 May, 2010

4 commits


29 Apr, 2010

1 commit

  • Changes:
    This is a complete re-write of the socket layer. Making the socket
    implementation more aligned with the other socket layers and using more
    of the support functions available in sock.c. Lots of code is copied
    from af_unix (and some from af_irda).
    Non-blocking mode should be working as well.

    Signed-off-by: Sjur Braendeland
    Signed-off-by: David S. Miller

    Sjur Braendeland
     

27 Apr, 2010

1 commit


21 Apr, 2010

1 commit

  • Define a new function to return the waitqueue of a "struct sock".

    static inline wait_queue_head_t *sk_sleep(struct sock *sk)
    {
        return sk->sk_sleep;
    }

    Change all read occurrences of sk_sleep by a call to this function.

    Needed for a future RCU conversion. sk_sleep won't be a field directly
    available.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet