Eric Lee / smarc-ti-linux-kernel

12 Apr, 2014

1 commit

  • 676d23690   net: Fix use after free by removing length arg from sk_data_ready callbacks. ... Browse Code »
    13

    Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->s_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about it's
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
     

10 Feb, 2014

2 commits

  • 02fe72c9e   net: Include appropriate header file in caif/cfsrvl.c ... Browse Code »

    Include appropriate header file net/caif/caif_dev.h in caif/cfsrvl.c
    because it has prototype declaration of functions defined in
    caif/cfsrvl.c.

    This eliminates the following warning in caif/cfsrvl.c:
    net/caif/cfsrvl.c:198:6: warning: no previous prototype for ‘caif_free_client’ [-Wmissing-prototypes]
    net/caif/cfsrvl.c:208:6: warning: no previous prototype for ‘caif_client_register_refcnt’ [-Wmissing-prototypes]

    Signed-off-by: Rashika Kheria
    Reviewed-by: Josh Triplett
    Signed-off-by: David S. Miller

    Rashika Kheria
     
  • 8203274e1   net: Include appropriate header file in caif/caif_dev.c ... Browse Code »

    Include appropriate header file net/caif/caif_dev.h in caif/caif_dev.c
    because it has prototype declarations of function defined in
    caif/caif_dev.c.

    This eliminates the following file in caif/caif_dev.c:
    net/caif/caif_dev.c:303:6: warning: no previous prototype for ‘caif_enroll_dev’ [-Wmissing-prototypes]

    Signed-off-by: Rashika Kheria
    Reviewed-by: Josh Triplett
    Signed-off-by: David S. Miller

    Rashika Kheria
     

22 Jan, 2014

2 commits

15 Jan, 2014

1 commit

  • a74e94269   caif: __dev_get_by_index instead of dev_get_by_index to find interface ... Browse Code »

    The following call chains indicate that chnl_net_open() is under
    rtnl_lock protection as __dev_open() is protected by rtnl_lock.
    So if __dev_get_by_index() instead of dev_get_by_index() is used
    to find interface handler in it, this would help us avoid to change
    interface reference counter.

    __dev_open()
    chnl_net_open()

    Cc: Dmitry Tarnyagin
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller

    Ying Xue
     

21 Nov, 2013

1 commit

08 Nov, 2013

1 commit

06 Sep, 2013

1 commit

29 May, 2013

1 commit

  • 351638e7d   net: pass info struct via netdevice notifier ... Browse Code »

    So far, only net_device * could be passed along with netdevice notifier
    event. This patch provides a possibility to pass custom structure
    able to provide info that event listener needs to know.

    Signed-off-by: Jiri Pirko

    v2->v3: fix typo on simeth
    shortened dev_getter
    shortened notifier_info struct name
    v1->v2: fix notifier_call parameter in call_netdevice_notifier()
    Signed-off-by: David S. Miller

    Jiri Pirko
     

24 Apr, 2013

2 commits

08 Apr, 2013

2 commits

  • d978a6361   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Browse Code »

    Conflicts:
    drivers/nfc/microread/mei.c
    net/netfilter/nfnetlink_queue_core.c

    Pull in 'net' to get Eric Biederman's AF_UNIX fix, upon which
    some cleanups are going to go on-top.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • 2d6fbfe73   caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() ... Browse Code »

    The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about caif_seqpkt_recvmsg() not filling the msg_name in case it was
    set.

    Cc: Sjur Braendeland
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     

08 Mar, 2013

1 commit

05 Mar, 2013

1 commit

03 Mar, 2013

1 commit

29 Jan, 2013

1 commit

09 Jan, 2013

1 commit

09 Dec, 2012

2 commits

21 Nov, 2012

1 commit

11 Sep, 2012

1 commit

20 Aug, 2012

1 commit

  • d92c7f8aa   caif: Do not dereference NULL in chnl_recv_cb() ... Browse Code »

    In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
    which may return NULL, but we do not check for a NULL pointer before
    dereferencing it.
    This patch adds such a NULL check and properly free's allocated memory
    and return an error (-EINVAL) on failure - much better than crashing..

    Signed-off-by: Jesper Juhl
    Acked-by: Sjur Brændeland
    Signed-off-by: David S. Miller

    Jesper Juhl
     

01 Aug, 2012

1 commit

  • c76562b67   netvm: prevent a stream-specific deadlock ... Browse Code »

    This patch series is based on top of "Swap-over-NBD without deadlocking
    v15" as it depends on the same reservation of PF_MEMALLOC reserves logic.

    When a user or administrator requires swap for their application, they
    create a swap partition and file, format it with mkswap and activate it
    with swapon. In diskless systems this is not an option so if swap if
    required then swapping over the network is considered. The two likely
    scenarios are when blade servers are used as part of a cluster where the
    form factor or maintenance costs do not allow the use of disks and thin
    clients.

    The Linux Terminal Server Project recommends the use of the Network Block
    Device (NBD) for swap but this is not always an option. There is no
    guarantee that the network attached storage (NAS) device is running Linux
    or supports NBD. However, it is likely that it supports NFS so there are
    users that want support for swapping over NFS despite any performance
    concern. Some distributions currently carry patches that support swapping
    over NFS but it would be preferable to support it in the mainline kernel.

    Patch 1 avoids a stream-specific deadlock that potentially affects TCP.

    Patch 2 is a small modification to SELinux to avoid using PFMEMALLOC
    reserves.

    Patch 3 adds three helpers for filesystems to handle swap cache pages.
    For example, page_file_mapping() returns page->mapping for
    file-backed pages and the address_space of the underlying
    swap file for swap cache pages.

    Patch 4 adds two address_space_operations to allow a filesystem
    to pin all metadata relevant to a swapfile in memory. Upon
    successful activation, the swapfile is marked SWP_FILE and
    the address space operation ->direct_IO is used for writing
    and ->readpage for reading in swap pages.

    Patch 5 notes that patch 3 is bolting
    filesystem-specific-swapfile-support onto the side and that
    the default handlers have different information to what
    is available to the filesystem. This patch refactors the
    code so that there are generic handlers for each of the new
    address_space operations.

    Patch 6 adds an API to allow a vector of kernel addresses to be
    translated to struct pages and pinned for IO.

    Patch 7 adds support for using highmem pages for swap by kmapping
    the pages before calling the direct_IO handler.

    Patch 8 updates NFS to use the helpers from patch 3 where necessary.

    Patch 9 avoids setting PF_private on PG_swapcache pages within NFS.

    Patch 10 implements the new swapfile-related address_space operations
    for NFS and teaches the direct IO handler how to manage
    kernel addresses.

    Patch 11 prevents page allocator recursions in NFS by using GFP_NOIO
    where appropriate.

    Patch 12 fixes a NULL pointer dereference that occurs when using
    swap-over-NFS.

    With the patches applied, it is possible to mount a swapfile that is on an
    NFS filesystem. Swap performance is not great with a swap stress test
    taking roughly twice as long to complete than if the swap device was
    backed by NBD.

    This patch: netvm: prevent a stream-specific deadlock

    It could happen that all !SOCK_MEMALLOC sockets have buffered so much data
    that we're over the global rmem limit. This will prevent SOCK_MEMALLOC
    buffers from receiving data, which will prevent userspace from running,
    which is needed to reduce the buffered data.

    Fix this by exempting the SOCK_MEMALLOC sockets from the rmem limit. Once
    this change it applied, it is important that sockets that set
    SOCK_MEMALLOC do not clear the flag until the socket is being torn down.
    If this happens, a warning is generated and the tokens reclaimed to avoid
    accounting errors until the bug is fixed.

    [davem@davemloft.net: Warning about clearing SOCK_MEMALLOC]
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Mel Gorman
    Acked-by: David S. Miller
    Acked-by: Rik van Riel
    Cc: Trond Myklebust
    Cc: Neil Brown
    Cc: Christoph Hellwig
    Cc: Mike Christie
    Cc: Eric B Munson
    Cc: Sebastian Andrzej Siewior
    Cc: Mel Gorman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Mel Gorman
     

20 Jul, 2012

1 commit

17 Jul, 2012

1 commit

  • 96f80d123   caif: Fix access to freed pernet memory ... Browse Code »

    unregister_netdevice_notifier() must be called before
    unregister_pernet_subsys() to avoid accessing already freed
    pernet memory. This fixes the following oops when doing rmmod:

    Call Trace:
    [] caif_device_notify+0x4d/0x5a0 [caif]
    [] unregister_netdevice_notifier+0xb9/0x100
    [] caif_device_exit+0x1c/0x250 [caif]
    [] sys_delete_module+0x1a4/0x300
    [] ? trace_hardirqs_on_caller+0x15d/0x1e0
    [] ? trace_hardirqs_on_thunk+0x3a/0x3
    [] system_call_fastpath+0x1a/0x1f

    RIP
    [] caif_get+0x51/0xb0 [caif]

    Signed-off-by: Sjur Brændeland
    Acked-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Sjur Brændeland
     

29 Jun, 2012

1 commit

  • b26d344c6   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Browse Code »

    Conflicts:
    drivers/net/caif/caif_hsi.c
    drivers/net/usb/qmi_wwan.c

    The qmi_wwan merge was trivial.

    The caif_hsi.c, on the other hand, was not. It's a conflict between
    1c385f1fdf6f9c66d982802cd74349c040980b50 ("caif-hsi: Replace platform
    device with ops structure.") in the net-next tree and commit
    39abbaef19cd0a30be93794aa4773c779c3eb1f3 ("caif-hsi: Postpone init of
    HIS until open()") in the net tree.

    I did my best with that one and will ask Sjur to check it out.

    Signed-off-by: David S. Miller

    David S. Miller
     

26 Jun, 2012

4 commits

18 Jun, 2012

1 commit

23 May, 2012

1 commit

  • e8650a082   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial ... Browse Code »

    Pull trivial updates from Jiri Kosina:
    "As usual, it's mostly typo fixes, redundant code elimination and some
    documentation updates."

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (57 commits)
    edac, mips: don't change code that has been removed in edac/mips tree
    xtensa: Change mail addresses of Hannes Weiner and Oskar Schirmer
    lib: Change mail address of Oskar Schirmer
    net: Change mail address of Oskar Schirmer
    arm/m68k: Change mail address of Sebastian Hess
    i2c: Change mail address of Oskar Schirmer
    net: Fix tcp_build_and_update_options comment in struct tcp_sock
    atomic64_32.h: fix parameter naming mismatch
    Kconfig: replace "--- help ---" with "---help---"
    c2port: fix bogus Kconfig "default no"
    edac: Fix spelling errors.
    qla1280: Remove redundant NULL check before release_firmware() call
    remoteproc: remove redundant NULL check before release_firmware()
    qla2xxx: Remove redundant NULL check before release_firmware() call.
    aic94xx: Get rid of redundant NULL check before release_firmware() call
    tehuti: delete redundant NULL check before release_firmware()
    qlogic: get rid of a redundant test for NULL before call to release_firmware()
    bna: remove redundant NULL test before release_firmware()
    tg3: remove redundant NULL test before release_firmware() call
    typhoon: get rid of redundant conditional before all to release_firmware()
    ...

    Linus Torvalds
     

16 May, 2012

1 commit

07 May, 2012

1 commit

  • d132d7f6f   Kconfig: replace "--- help ---" with "---help---" ... Browse Code »

    There are three Kconfig entries with "--- help ---" attributes, and over
    2000 Kconfig entries with "---help---" attributes. Apparently the three
    attributes with embedded spaces are valid. Still, I see little reason
    for using this obscure variant. And replacing those three attributes
    with the common variant makes grepping Kconfig files for help texts a
    bit easier too.

    Signed-off-by: Paul Bolle
    Signed-off-by: Jiri Kosina

    Paul Bolle
     

16 Apr, 2012

1 commit

13 Apr, 2012

3 commits