1. 23 5月, 2014 3 次提交
  2. 09 5月, 2014 1 次提交
  3. 12 4月, 2014 1 次提交
    • D
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller 提交于
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->s_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about it's
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      676d2369
  4. 01 4月, 2014 1 次提交
    • S
      nfsd: check passed socket's net matches NFSd superblock's one · 30646394
      Stanislav Kinsbursky 提交于
      There could be a case, when NFSd file system is mounted in network, different
      to socket's one, like below:
      
      "ip netns exec" creates new network and mount namespace, which duplicates NFSd
      mount point, created in init_net context. And thus NFS server stop in nested
      network context leads to RPCBIND client destruction in init_net.
      Then, on NFSd start in nested network context, rpc.nfsd process creates socket
      in nested net and passes it into "write_ports", which leads to RPCBIND sockets
      creation in init_net context because of the same reason (NFSd monut point was
      created in init_net context). An attempt to register passed socket in nested
      net leads to panic, because no RPCBIND client present in nexted network
      namespace.
      
      This patch add check that passed socket's net matches NFSd superblock's one.
      And returns -EINVAL error to user psace otherwise.
      
      v2: Put socket on exit.
      Reported-by: NWeng Meiling <wengmeiling.weng@huawei.com>
      Signed-off-by: NStanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      30646394
  5. 30 3月, 2014 4 次提交
  6. 29 3月, 2014 5 次提交
  7. 28 3月, 2014 2 次提交
  8. 21 3月, 2014 2 次提交
  9. 20 3月, 2014 2 次提交
  10. 18 3月, 2014 4 次提交
  11. 17 2月, 2014 2 次提交
  12. 12 2月, 2014 2 次提交
  13. 11 2月, 2014 2 次提交
  14. 10 2月, 2014 1 次提交
  15. 28 1月, 2014 1 次提交
    • J
      sunrpc: turn warn_gssd() log message into a dprintk() · 0ea9de0e
      Jeff Layton 提交于
      The original printk() made sense when the GSSAPI codepaths were called
      only when sec=krb5* was explicitly requested. Now however, in many cases
      the nfs client will try to acquire GSSAPI credentials by default, even
      when it's not requested.
      
      Since we don't have a great mechanism to distinguish between the two
      cases, just turn the pr_warn into a dprintk instead. With this change we
      can also get rid of the ratelimiting.
      
      We do need to keep the EXPORT_SYMBOL(gssd_running) in place since
      auth_gss.ko needs it and sunrpc.ko provides it. We can however,
      eliminate the gssd_running call in the nfs code since that's a bit of a
      layering violation.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NTrond Myklebust <trond.myklebust@primarydata.com>
      0ea9de0e
  16. 25 1月, 2014 1 次提交
  17. 15 1月, 2014 1 次提交
  18. 08 1月, 2014 1 次提交
  19. 07 1月, 2014 3 次提交
  20. 06 1月, 2014 1 次提交
    • W
      sunrpc: Fix infinite loop in RPC state machine · 6ff33b7d
      Weston Andros Adamson 提交于
      When a task enters call_refreshresult with status 0 from call_refresh and
      !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
      or max number of retries.
      
      Instead of trying forever, make use of the retry path that other errors use.
      
      This only seems to be possible when the crrefresh callback is gss_refresh_null,
      which only happens when destroying the context.
      
      To reproduce:
      
      1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
         operations).
      
      2) reboot - the client will be stuck and will need to be hard rebooted
      
      BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
      Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
      irq event stamp: 195724
      hardirqs last  enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
      hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
      softirqs last  enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
      softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
      CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
      Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
      Workqueue: rpciod rpc_async_schedule [sunrpc]
      task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
      RIP: 0010:[<ffffffffa0064fd4>]  [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
      RSP: 0018:ffff880079003d18  EFLAGS: 00000246
      RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
      RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
      RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
      R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
      R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
      FS:  0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
      Stack:
       ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
       ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
       ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
      Call Trace:
       [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
       [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
       [<ffffffff81052974>] process_one_work+0x211/0x3a5
       [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
       [<ffffffff81052eeb>] worker_thread+0x134/0x202
       [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
       [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
       [<ffffffff810584a0>] kthread+0xc9/0xd1
       [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
       [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
       [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
      Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00
      
      And the output of "rpcdebug -m rpc -s all":
      
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refresh (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refresh (status 0)
      RPC:    61 call_refreshresult (status 0)
      RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
      Signed-off-by: NWeston Andros Adamson <dros@netapp.com>
      Cc: stable@vger.kernel.org # 2.6.37+
      Signed-off-by: NTrond Myklebust <trond.myklebust@primarydata.com>
      6ff33b7d