1. 08 2月, 2014 3 次提交
  2. 04 2月, 2014 1 次提交
  3. 31 1月, 2014 1 次提交
    • P
      x86, x32: Correct invalid use of user timespec in the kernel · 2def2ef2
      PaX Team 提交于
      The x32 case for the recvmsg() timout handling is broken:
      
        asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                            unsigned int vlen, unsigned int flags,
                                            struct compat_timespec __user *timeout)
        {
                int datagrams;
                struct timespec ktspec;
      
                if (flags & MSG_CMSG_COMPAT)
                        return -EINVAL;
      
                if (COMPAT_USE_64BIT_TIME)
                        return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                              flags | MSG_CMSG_COMPAT,
                                              (struct timespec *) timeout);
                ...
      
      The timeout pointer parameter is provided by userland (hence the __user
      annotation) but for x32 syscalls it's simply cast to a kernel pointer
      and is passed to __sys_recvmmsg which will eventually directly
      dereference it for both reading and writing.  Other callers to
      __sys_recvmmsg properly copy from userland to the kernel first.
      
      The bug was introduced by commit ee4fa23c ("compat: Use
      COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
      since 3.4 (and perhaps vendor kernels if they backported x32 support
      along with this code).
      
      Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
      CONFIG_X86_X32 is enabled and ld can build x32 executables.
      
      Other uses of COMPAT_USE_64BIT_TIME seem fine.
      
      This addresses CVE-2014-0038.
      Signed-off-by: NPaX Team <pageexec@freemail.hu>
      Signed-off-by: NH. Peter Anvin <hpa@linux.intel.com>
      Cc: <stable@vger.kernel.org> # v3.4+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      2def2ef2
  4. 29 1月, 2014 2 次提交
    • M
      net: Fix warning on make htmldocs caused by skbuff.c · 7fceb4de
      Masanari Iida 提交于
      This patch fixed following Warning while executing "make htmldocs".
      
      Warning(/net/core/skbuff.c:2164): No description found for parameter 'from'
      Warning(/net/core/skbuff.c:2164): Excess function parameter 'source'
      description in 'skb_zerocopy'
      Replace "@source" with "@from" fixed the warning.
      Signed-off-by: NMasanari Iida <standby24x7@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7fceb4de
    • D
      llc: remove noisy WARN from llc_mac_hdr_init · 0f1a24c9
      Dave Jones 提交于
      Sending malformed llc packets triggers this spew, which seems excessive.
      
      WARNING: CPU: 1 PID: 6917 at net/llc/llc_output.c:46 llc_mac_hdr_init+0x85/0x90 [llc]()
      device type not supported: 0
      CPU: 1 PID: 6917 Comm: trinity-c1 Not tainted 3.13.0+ #95
       0000000000000009 00000000007e257d ffff88009232fbe8 ffffffffac737325
       ffff88009232fc30 ffff88009232fc20 ffffffffac06d28d ffff88020e07f180
       ffff88009232fec0 00000000000000c8 0000000000000000 ffff88009232fe70
      Call Trace:
       [<ffffffffac737325>] dump_stack+0x4e/0x7a
       [<ffffffffac06d28d>] warn_slowpath_common+0x7d/0xa0
       [<ffffffffac06d30c>] warn_slowpath_fmt+0x5c/0x80
       [<ffffffffc01736d5>] llc_mac_hdr_init+0x85/0x90 [llc]
       [<ffffffffc0173759>] llc_build_and_send_ui_pkt+0x79/0x90 [llc]
       [<ffffffffc057cdba>] llc_ui_sendmsg+0x23a/0x400 [llc2]
       [<ffffffffac605d8c>] sock_sendmsg+0x9c/0xe0
       [<ffffffffac185a37>] ? might_fault+0x47/0x50
       [<ffffffffac606321>] SYSC_sendto+0x121/0x1c0
       [<ffffffffac011847>] ? syscall_trace_enter+0x207/0x270
       [<ffffffffac6071ce>] SyS_sendto+0xe/0x10
       [<ffffffffac74aaa4>] tracesys+0xdd/0xe2
      
      Until 2009, this was a printk, when it was changed in
      bf9ae538: "llc: use dev_hard_header".
      
      Let userland figure out what -EINVAL means by itself.
      Signed-off-by: NDave Jones <davej@fedoraproject.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0f1a24c9
  5. 28 1月, 2014 13 次提交
  6. 27 1月, 2014 1 次提交
  7. 26 1月, 2014 5 次提交
    • T
      af_rxrpc: Handle frames delivered from another VM · 1ea42735
      Tim Smith 提交于
      On input, CHECKSUM_PARTIAL should be treated the same way as
      CHECKSUM_UNNECESSARY. See include/linux/skbuff.h
      Signed-off-by: NTim Smith <tim@electronghost.co.uk>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      1ea42735
    • T
      af_rxrpc: Avoid setting up double-free on checksum error · 24a9981e
      Tim Smith 提交于
      skb_kill_datagram() does not dequeue the skb when MSG_PEEK is unset.
      This leaves a free'd skb on the queue, resulting a double-free later.
      
      Without this, the following oops can occur:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      IP: [<ffffffff8154fcf7>] skb_dequeue+0x47/0x70
      PGD 0
      Oops: 0002 [#1] SMP
      Modules linked in: af_rxrpc ...
      CPU: 0 PID: 1191 Comm: listen Not tainted 3.12.0+ #4
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      task: ffff8801183536b0 ti: ffff880035c92000 task.ti: ffff880035c92000
      RIP: 0010:[<ffffffff8154fcf7>] skb_dequeue+0x47/0x70
      RSP: 0018:ffff880035c93db8  EFLAGS: 00010097
      RAX: 0000000000000246 RBX: ffff8800d2754b00 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8800d254c084
      RBP: ffff880035c93dd0 R08: ffff880035c93cf0 R09: ffff8800d968f270
      R10: 0000000000000000 R11: 0000000000000293 R12: ffff8800d254c070
      R13: ffff8800d254c084 R14: ffff8800cd861240 R15: ffff880119b39720
      FS:  00007f37a969d740(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000008 CR3: 00000000d4413000 CR4: 00000000000006f0
      Stack:
       ffff8800d254c000 ffff8800d254c070 ffff8800d254c2c0 ffff880035c93df8
       ffffffffa041a5b8 ffff8800cd844c80 ffffffffa04385a0 ffff8800cd844cb0
       ffff880035c93e18 ffffffff81546cef ffff8800d45fea00 0000000000000008
      Call Trace:
       [<ffffffffa041a5b8>] rxrpc_release+0x128/0x2e0 [af_rxrpc]
       [<ffffffff81546cef>] sock_release+0x1f/0x80
       [<ffffffff81546d62>] sock_close+0x12/0x20
       [<ffffffff811aaba1>] __fput+0xe1/0x230
       [<ffffffff811aad3e>] ____fput+0xe/0x10
       [<ffffffff810862cc>] task_work_run+0xbc/0xe0
       [<ffffffff8106a3be>] do_exit+0x2be/0xa10
       [<ffffffff8116dc47>] ? do_munmap+0x297/0x3b0
       [<ffffffff8106ab8f>] do_group_exit+0x3f/0xa0
       [<ffffffff8106ac04>] SyS_exit_group+0x14/0x20
       [<ffffffff8166b069>] system_call_fastpath+0x16/0x1b
      Signed-off-by: NTim Smith <tim@electronghost.co.uk>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      24a9981e
    • A
      RxRPC: do not unlock unheld spinlock in rxrpc_connect_exclusive() · 8f22ba61
      Alexey Khoroshilov 提交于
      If rx->conn is not NULL, rxrpc_connect_exclusive() does not
      acquire the transport's client lock, but it still releases it.
      
      The patch adds locking of the spinlock to this path.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      8f22ba61
    • I
      libceph: dout() is missing a newline · 0b4af2e8
      Ilya Dryomov 提交于
      Add a missing newline to a dout() in __reset_osd().
      Signed-off-by: NIlya Dryomov <ilya.dryomov@inktank.com>
      0b4af2e8
    • I
      libceph: add ceph_kv{malloc,free}() and switch to them · eeb0bed5
      Ilya Dryomov 提交于
      Encapsulate kmalloc vs vmalloc memory allocation and freeing logic into
      two helpers, ceph_kvmalloc() and ceph_kvfree(), and switch to them.
      
      ceph_kvmalloc() kmalloc()'s a maximum of 8 pages, anything bigger is
      vmalloc()'ed with __GFP_HIGHMEM set.  This changes the existing
      behaviour:
      
      - for buffers (ceph_buffer_new()), from trying to kmalloc() everything
        and using vmalloc() just as a fallback
      
      - for messages (ceph_msg_new()), from going to vmalloc() for anything
        bigger than a page
      
      - for messages (ceph_msg_new()), from disallowing vmalloc() to use high
        memory
      Signed-off-by: NIlya Dryomov <ilya.dryomov@inktank.com>
      Reviewed-by: NSage Weil <sage@inktank.com>
      eeb0bed5
  8. 25 1月, 2014 3 次提交
  9. 24 1月, 2014 8 次提交
  10. 23 1月, 2014 3 次提交