1. 24 5月, 2011 1 次提交
    • D
      net: convert %p usage to %pK · 71338aa7
      Dan Rosenberg 提交于
      The %pK format specifier is designed to hide exposed kernel pointers,
      specifically via /proc interfaces.  Exposing these pointers provides an
      easy target for kernel write vulnerabilities, since they reveal the
      locations of writable structures containing easily triggerable function
      pointers.  The behavior of %pK depends on the kptr_restrict sysctl.
      
      If kptr_restrict is set to 0, no deviation from the standard %p behavior
      occurs.  If kptr_restrict is set to 1, the default, if the current user
      (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG
      (currently in the LSM tree), kernel pointers using %pK are printed as 0's.
       If kptr_restrict is set to 2, kernel pointers using %pK are printed as
      0's regardless of privileges.  Replacing with 0's was chosen over the
      default "(null)", which cannot be parsed by userland %p, which expects
      "(nil)".
      
      The supporting code for kptr_restrict and %pK are currently in the -mm
      tree.  This patch converts users of %p in net/ to %pK.  Cases of printing
      pointers to the syslog are not covered, since this would eliminate useful
      information for postmortem debugging and the reading of the syslog is
      already optionally protected by the dmesg_restrict sysctl.
      Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Thomas Graf <tgraf@infradead.org>
      Cc: Eugene Teo <eugeneteo@kernel.org>
      Cc: Kees Cook <kees.cook@canonical.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Eric Paris <eparis@parisplace.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      71338aa7
  2. 02 5月, 2011 1 次提交
    • E
      af_unix: Only allow recv on connected seqpacket sockets. · a05d2ad1
      Eric W. Biederman 提交于
      This fixes the following oops discovered by Dan Aloni:
      > Anyway, the following is the output of the Oops that I got on the
      > Ubuntu kernel on which I first detected the problem
      > (2.6.37-12-generic). The Oops that followed will be more useful, I
      > guess.
      
      >[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
      > at           (null)
      > [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
      > [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
      > [ 5594.693720] Oops: 0002 [#1] SMP
      > [ 5594.699888] last sysfs file:
      
      The bug was that unix domain sockets use a pseduo packet for
      connecting and accept uses that psudo packet to get the socket.
      In the buggy seqpacket case we were allowing unconnected
      sockets to call recvmsg and try to receive the pseudo packet.
      
      That is always wrong and as of commit 7361c36c the pseudo
      packet had become enough different from a normal packet
      that the kernel started oopsing.
      
      Do for seqpacket_recv what was done for seqpacket_send in 2.5
      and only allow it on connected seqpacket sockets.
      
      Cc: stable@kernel.org
      Tested-by: NDan Aloni <dan@aloni.org>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a05d2ad1
  3. 31 3月, 2011 1 次提交
  4. 15 3月, 2011 2 次提交
  5. 14 3月, 2011 1 次提交
  6. 08 3月, 2011 2 次提交
    • H
      6118e35a
    • R
      net: fix multithreaded signal handling in unix recv routines · b3ca9b02
      Rainer Weikusat 提交于
      The unix_dgram_recvmsg and unix_stream_recvmsg routines in
      net/af_unix.c utilize mutex_lock(&u->readlock) calls in order to
      serialize read operations of multiple threads on a single socket. This
      implies that, if all n threads of a process block in an AF_UNIX recv
      call trying to read data from the same socket, one of these threads
      will be sleeping in state TASK_INTERRUPTIBLE and all others in state
      TASK_UNINTERRUPTIBLE. Provided that a particular signal is supposed to
      be handled by a signal handler defined by the process and that none of
      this threads is blocking the signal, the complete_signal routine in
      kernel/signal.c will select the 'first' such thread it happens to
      encounter when deciding which thread to notify that a signal is
      supposed to be handled and if this is one of the TASK_UNINTERRUPTIBLE
      threads, the signal won't be handled until the one thread not blocking
      on the u->readlock mutex is woken up because some data to process has
      arrived (if this ever happens). The included patch fixes this by
      changing mutex_lock to mutex_lock_interruptible and handling possible
      error returns in the same way interruptions are handled by the actual
      receive-code.
      Signed-off-by: NRainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b3ca9b02
  7. 23 2月, 2011 1 次提交
  8. 20 1月, 2011 1 次提交
  9. 19 1月, 2011 1 次提交
    • A
      af_unix: implement socket filter · d6ae3bae
      Alban Crequy 提交于
      Linux Socket Filters can already be successfully attached and detached on unix
      sockets with setsockopt(sockfd, SOL_SOCKET, SO_{ATTACH,DETACH}_FILTER, ...).
      See: Documentation/networking/filter.txt
      
      But the filter was never used in the unix socket code so it did not work. This
      patch uses sk_filter() to filter buffers before delivery.
      
      This short program demonstrates the problem on SOCK_DGRAM.
      
      int main(void) {
        int i, j, ret;
        int sv[2];
        struct pollfd fds[2];
        char *message = "Hello world!";
        char buffer[64];
        struct sock_filter ins[32] = {{0,},};
        struct sock_fprog filter;
      
        socketpair(AF_UNIX, SOCK_DGRAM, 0, sv);
      
        for (i = 0 ; i < 2 ; i++) {
          fds[i].fd = sv[i];
          fds[i].events = POLLIN;
          fds[i].revents = 0;
        }
      
        for(j = 1 ; j < 13 ; j++) {
      
          /* Set a socket filter to truncate the message */
          memset(ins, 0, sizeof(ins));
          ins[0].code = BPF_RET|BPF_K;
          ins[0].k = j;
          filter.len = 1;
          filter.filter = ins;
          setsockopt(sv[1], SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter));
      
          /* send a message */
          send(sv[0], message, strlen(message) + 1, 0);
      
          /* The filter should let the message pass but truncated. */
          poll(fds, 2, 0);
      
          /* Receive the truncated message*/
          ret = recv(sv[1], buffer, 64, 0);
          printf("received %d bytes, expected %d\n", ret, j);
        }
      
          for (i = 0 ; i < 2 ; i++)
            close(sv[i]);
      
        return 0;
      }
      Signed-off-by: NAlban Crequy <alban.crequy@collabora.co.uk>
      Reviewed-by: NIan Molton <ian.molton@collabora.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d6ae3bae
  10. 06 1月, 2011 1 次提交
  11. 30 11月, 2010 1 次提交
  12. 25 11月, 2010 1 次提交
    • E
      af_unix: limit unix_tot_inflight · 9915672d
      Eric Dumazet 提交于
      Vegard Nossum found a unix socket OOM was possible, posting an exploit
      program.
      
      My analysis is we can eat all LOWMEM memory before unix_gc() being
      called from unix_release_sock(). Moreover, the thread blocked in
      unix_gc() can consume huge amount of time to perform cleanup because of
      huge working set.
      
      One way to handle this is to have a sensible limit on unix_tot_inflight,
      tested from wait_for_unix_gc() and to force a call to unix_gc() if this
      limit is hit.
      
      This solves the OOM and also reduce overall latencies, and should not
      slowdown normal workloads.
      Reported-by: NVegard Nossum <vegard.nossum@gmail.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9915672d
  13. 09 11月, 2010 3 次提交
  14. 27 10月, 2010 1 次提交
    • E
      fs: allow for more than 2^31 files · 518de9b3
      Eric Dumazet 提交于
      Robin Holt tried to boot a 16TB system and found af_unix was overflowing
      a 32bit value :
      
      <quote>
      
      We were seeing a failure which prevented boot.  The kernel was incapable
      of creating either a named pipe or unix domain socket.  This comes down
      to a common kernel function called unix_create1() which does:
      
              atomic_inc(&unix_nr_socks);
              if (atomic_read(&unix_nr_socks) > 2 * get_max_files())
                      goto out;
      
      The function get_max_files() is a simple return of files_stat.max_files.
      files_stat.max_files is a signed integer and is computed in
      fs/file_table.c's files_init().
      
              n = (mempages * (PAGE_SIZE / 1024)) / 10;
              files_stat.max_files = n;
      
      In our case, mempages (total_ram_pages) is approx 3,758,096,384
      (0xe0000000).  That leaves max_files at approximately 1,503,238,553.
      This causes 2 * get_max_files() to integer overflow.
      
      </quote>
      
      Fix is to let /proc/sys/fs/file-nr & /proc/sys/fs/file-max use long
      integers, and change af_unix to use an atomic_long_t instead of atomic_t.
      
      get_max_files() is changed to return an unsigned long.  get_nr_files() is
      changed to return a long.
      
      unix_nr_socks is changed from atomic_t to atomic_long_t, while not
      strictly needed to address Robin problem.
      
      Before patch (on a 64bit kernel) :
      # echo 2147483648 >/proc/sys/fs/file-max
      # cat /proc/sys/fs/file-max
      -18446744071562067968
      
      After patch:
      # echo 2147483648 >/proc/sys/fs/file-max
      # cat /proc/sys/fs/file-max
      2147483648
      # cat /proc/sys/fs/file-nr
      704     0       2147483648
      Reported-by: NRobin Holt <holt@sgi.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Acked-by: NDavid Miller <davem@davemloft.net>
      Reviewed-by: NRobin Holt <holt@sgi.com>
      Tested-by: NRobin Holt <holt@sgi.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      518de9b3
  15. 26 10月, 2010 1 次提交
    • E
      fs: allow for more than 2^31 files · 7e360c38
      Eric Dumazet 提交于
      Andrew,
      
      Could you please review this patch, you probably are the right guy to
      take it, because it crosses fs and net trees.
      
      Note : /proc/sys/fs/file-nr is a read-only file, so this patch doesnt
      depend on previous patch (sysctl: fix min/max handling in
      __do_proc_doulongvec_minmax())
      
      Thanks !
      
      [PATCH V4] fs: allow for more than 2^31 files
      
      Robin Holt tried to boot a 16TB system and found af_unix was overflowing
      a 32bit value :
      
      <quote>
      
      We were seeing a failure which prevented boot.  The kernel was incapable
      of creating either a named pipe or unix domain socket.  This comes down
      to a common kernel function called unix_create1() which does:
      
              atomic_inc(&unix_nr_socks);
              if (atomic_read(&unix_nr_socks) > 2 * get_max_files())
                      goto out;
      
      The function get_max_files() is a simple return of files_stat.max_files.
      files_stat.max_files is a signed integer and is computed in
      fs/file_table.c's files_init().
      
              n = (mempages * (PAGE_SIZE / 1024)) / 10;
              files_stat.max_files = n;
      
      In our case, mempages (total_ram_pages) is approx 3,758,096,384
      (0xe0000000).  That leaves max_files at approximately 1,503,238,553.
      This causes 2 * get_max_files() to integer overflow.
      
      </quote>
      
      Fix is to let /proc/sys/fs/file-nr & /proc/sys/fs/file-max use long
      integers, and change af_unix to use an atomic_long_t instead of
      atomic_t.
      
      get_max_files() is changed to return an unsigned long.
      get_nr_files() is changed to return a long.
      
      unix_nr_socks is changed from atomic_t to atomic_long_t, while not
      strictly needed to address Robin problem.
      
      Before patch (on a 64bit kernel) :
      # echo 2147483648 >/proc/sys/fs/file-max
      # cat /proc/sys/fs/file-max
      -18446744071562067968
      
      After patch:
      # echo 2147483648 >/proc/sys/fs/file-max
      # cat /proc/sys/fs/file-max
      2147483648
      # cat /proc/sys/fs/file-nr
      704     0       2147483648
      Reported-by: NRobin Holt <holt@sgi.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Acked-by: NDavid Miller <davem@davemloft.net>
      Reviewed-by: NRobin Holt <holt@sgi.com>
      Tested-by: NRobin Holt <holt@sgi.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      7e360c38
  16. 06 10月, 2010 1 次提交
  17. 08 9月, 2010 1 次提交
    • T
      UNIX: Do not loop forever at unix_autobind(). · 8df73ff9
      Tetsuo Handa 提交于
      We assumed that unix_autobind() never fails if kzalloc() succeeded.
      But unix_autobind() allows only 1048576 names. If /proc/sys/fs/file-max is
      larger than 1048576 (e.g. systems with more than 10GB of RAM), a local user can
      consume all names using fork()/socket()/bind().
      
      If all names are in use, those who call bind() with addr_len == sizeof(short)
      or connect()/sendmsg() with setsockopt(SO_PASSCRED) will continue
      
        while (1)
              yield();
      
      loop at unix_autobind() till a name becomes available.
      This patch adds a loop counter in order to give up after 1048576 attempts.
      
      Calling yield() for once per 256 attempts may not be sufficient when many names
      are already in use, for __unix_find_socket_byname() can take long time under
      such circumstance. Therefore, this patch also adds cond_resched() call.
      
      Note that currently a local user can consume 2GB of kernel memory if the user
      is allowed to create and autobind 1048576 UNIX domain sockets. We should
      consider adding some restriction for autobind operation.
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8df73ff9
  18. 07 9月, 2010 1 次提交
  19. 21 7月, 2010 1 次提交
    • N
      drop_monitor: convert some kfree_skb call sites to consume_skb · 70d4bf6d
      Neil Horman 提交于
      Convert a few calls from kfree_skb to consume_skb
      
      Noticed while I was working on dropwatch that I was detecting lots of internal
      skb drops in several places.  While some are legitimate, several were not,
      freeing skbs that were at the end of their life, rather than being discarded due
      to an error.  This patch converts those calls sites from using kfree_skb to
      consume_skb, which quiets the in-kernel drop_monitor code from detecting them as
      drops.  Tested successfully by myself
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      70d4bf6d
  20. 17 6月, 2010 3 次提交
  21. 04 5月, 2010 1 次提交
  22. 02 5月, 2010 1 次提交
    • E
      net: sock_def_readable() and friends RCU conversion · 43815482
      Eric Dumazet 提交于
      sk_callback_lock rwlock actually protects sk->sk_sleep pointer, so we
      need two atomic operations (and associated dirtying) per incoming
      packet.
      
      RCU conversion is pretty much needed :
      
      1) Add a new structure, called "struct socket_wq" to hold all fields
      that will need rcu_read_lock() protection (currently: a
      wait_queue_head_t and a struct fasync_struct pointer).
      
      [Future patch will add a list anchor for wakeup coalescing]
      
      2) Attach one of such structure to each "struct socket" created in
      sock_alloc_inode().
      
      3) Respect RCU grace period when freeing a "struct socket_wq"
      
      4) Change sk_sleep pointer in "struct sock" by sk_wq, pointer to "struct
      socket_wq"
      
      5) Change sk_sleep() function to use new sk->sk_wq instead of
      sk->sk_sleep
      
      6) Change sk_has_sleeper() to wq_has_sleeper() that must be used inside
      a rcu_read_lock() section.
      
      7) Change all sk_has_sleeper() callers to :
        - Use rcu_read_lock() instead of read_lock(&sk->sk_callback_lock)
        - Use wq_has_sleeper() to eventually wakeup tasks.
        - Use rcu_read_unlock() instead of read_unlock(&sk->sk_callback_lock)
      
      8) sock_wake_async() is modified to use rcu protection as well.
      
      9) Exceptions :
        macvtap, drivers/net/tun.c, af_unix use integrated "struct socket_wq"
      instead of dynamically allocated ones. They dont need rcu freeing.
      
      Some cleanups or followups are probably needed, (possible
      sk_callback_lock conversion to a spinlock for example...).
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43815482
  23. 21 4月, 2010 1 次提交
  24. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  25. 19 2月, 2010 1 次提交
  26. 18 1月, 2010 1 次提交
  27. 30 11月, 2009 1 次提交
  28. 12 11月, 2009 1 次提交
    • E
      sysctl net: Remove unused binary sysctl code · f8572d8f
      Eric W. Biederman 提交于
      Now that sys_sysctl is a compatiblity wrapper around /proc/sys
      all sysctl strategy routines, and all ctl_name and strategy
      entries in the sysctl tables are unused, and can be
      revmoed.
      
      In addition neigh_sysctl_register has been modified to no longer
      take a strategy argument and it's callers have been modified not
      to pass one.
      
      Cc: "David Miller" <davem@davemloft.net>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: netdev@vger.kernel.org
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      f8572d8f
  29. 11 11月, 2009 1 次提交
  30. 06 11月, 2009 1 次提交
  31. 19 10月, 2009 1 次提交
    • T
      AF_UNIX: Fix deadlock on connecting to shutdown socket · 77238f2b
      Tomoki Sekiyama 提交于
      I found a deadlock bug in UNIX domain socket, which makes able to DoS
      attack against the local machine by non-root users.
      
      How to reproduce:
      1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
          namespace(*), and shutdown(2) it.
       2. Repeat connect(2)ing to the listening socket from the other sockets
          until the connection backlog is full-filled.
       3. connect(2) takes the CPU forever. If every core is taken, the
          system hangs.
      
      PoC code: (Run as many times as cores on SMP machines.)
      
      int main(void)
      {
      	int ret;
      	int csd;
      	int lsd;
      	struct sockaddr_un sun;
      
      	/* make an abstruct name address (*) */
      	memset(&sun, 0, sizeof(sun));
      	sun.sun_family = PF_UNIX;
      	sprintf(&sun.sun_path[1], "%d", getpid());
      
      	/* create the listening socket and shutdown */
      	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
      	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
      	listen(lsd, 1);
      	shutdown(lsd, SHUT_RDWR);
      
      	/* connect loop */
      	alarm(15); /* forcely exit the loop after 15 sec */
      	for (;;) {
      		csd = socket(AF_UNIX, SOCK_STREAM, 0);
      		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
      		if (-1 == ret) {
      			perror("connect()");
      			break;
      		}
      		puts("Connection OK");
      	}
      	return 0;
      }
      
      (*) Make sun_path[0] = 0 to use the abstruct namespace.
          If a file-based socket is used, the system doesn't deadlock because
          of context switches in the file system layer.
      
      Why this happens:
       Error checks between unix_socket_connect() and unix_wait_for_peer() are
       inconsistent. The former calls the latter to wait until the backlog is
       processed. Despite the latter returns without doing anything when the
       socket is shutdown, the former doesn't check the shutdown state and
       just retries calling the latter forever.
      
      Patch:
       The patch below adds shutdown check into unix_socket_connect(), so
       connect(2) to the shutdown socket will return -ECONREFUSED.
      Signed-off-by: NTomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
      Signed-off-by: NMasanori Yoshida <masanori.yoshida.tv@hitachi.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      77238f2b
  32. 07 10月, 2009 1 次提交
  33. 12 9月, 2009 1 次提交
    • M
      net: unix: fix sending fds in multiple buffers · 8ba69ba6
      Miklos Szeredi 提交于
      Kalle Olavi Niemitalo reported that:
      
        "..., when one process calls sendmsg once to send 43804 bytes of
        data and one file descriptor, and another process then calls recvmsg
        three times to receive the 16032+16032+11740 bytes, each of those
        recvmsg calls returns the file descriptor in the ancillary data.  I
        confirmed this with strace.  The behaviour differs from Linux
        2.6.26, where reportedly only one of those recvmsg calls (I think
        the first one) returned the file descriptor."
      
      This bug was introduced by a patch from me titled "net: unix: fix inflight
      counting bug in garbage collector", commit 6209344f.
      
      And the reason is, quoting Kalle:
      
        "Before your patch, unix_attach_fds() would set scm->fp = NULL, so
        that if the loop in unix_stream_sendmsg() ran multiple iterations,
        it could not call unix_attach_fds() again.  But now,
        unix_attach_fds() leaves scm->fp unchanged, and I think this causes
        it to be called multiple times and duplicate the same file
        descriptors to each struct sk_buff."
      
      Fix this by introducing a flag that is cleared at the start and set
      when the fds attached to the first buffer.  The resulting code should
      work equivalently to the one on 2.6.26.
      Reported-by: NKalle Olavi Niemitalo <kon@iki.fi>
      Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8ba69ba6
  34. 10 7月, 2009 1 次提交
    • J
      net: adding memory barrier to the poll and receive callbacks · a57de0b4
      Jiri Olsa 提交于
      Adding memory barrier after the poll_wait function, paired with
      receive callbacks. Adding fuctions sock_poll_wait and sk_has_sleeper
      to wrap the memory barrier.
      
      Without the memory barrier, following race can happen.
      The race fires, when following code paths meet, and the tp->rcv_nxt
      and __add_wait_queue updates stay in CPU caches.
      
      CPU1                         CPU2
      
      sys_select                   receive packet
        ...                        ...
        __add_wait_queue           update tp->rcv_nxt
        ...                        ...
        tp->rcv_nxt check          sock_def_readable
        ...                        {
        schedule                      ...
                                      if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
                                              wake_up_interruptible(sk->sk_sleep)
                                      ...
                                   }
      
      If there was no cache the code would work ok, since the wait_queue and
      rcv_nxt are opposit to each other.
      
      Meaning that once tp->rcv_nxt is updated by CPU2, the CPU1 either already
      passed the tp->rcv_nxt check and sleeps, or will get the new value for
      tp->rcv_nxt and will return with new data mask.
      In both cases the process (CPU1) is being added to the wait queue, so the
      waitqueue_active (CPU2) call cannot miss and will wake up CPU1.
      
      The bad case is when the __add_wait_queue changes done by CPU1 stay in its
      cache, and so does the tp->rcv_nxt update on CPU2 side.  The CPU1 will then
      endup calling schedule and sleep forever if there are no more data on the
      socket.
      
      Calls to poll_wait in following modules were ommited:
      	net/bluetooth/af_bluetooth.c
      	net/irda/af_irda.c
      	net/irda/irnet/irnet_ppp.c
      	net/mac80211/rc80211_pid_debugfs.c
      	net/phonet/socket.c
      	net/rds/af_rds.c
      	net/rfkill/core.c
      	net/sunrpc/cache.c
      	net/sunrpc/rpc_pipe.c
      	net/tipc/socket.c
      Signed-off-by: NJiri Olsa <jolsa@redhat.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a57de0b4