1. 14 Oct, 2014 1 commit
  2. 09 Sep, 2014 1 commit
  3. 08 Aug, 2014 1 commit
  4. 12 Jun, 2014 1 commit
  5. 06 Jun, 2014 3 commits
  6. 11 Apr, 2014 1 commit
    • net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller authored
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->sk_receive_queue, skb);   /* skb now belongs to the queue */
      	sk->sk_data_ready(sk, skb->len);              /* reads skb after handing it off */
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about its
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: David S. Miller <davem@davemloft.net>
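An added audit helper, not part of this commit or of the kernel tree: it implements the tree-wide check the message calls for by flagging any `var->` read that follows `skb_queue_tail(..., var)` or `skb_queue_head(..., var)` within the same function before `var` is reassigned. The C source it scans is constructed for the example, and the line window and the function-end heuristic (a `}` in column 0) are assumptions.

```python
import re

# Constructed C sample modelled on the sequence quoted in the commit message;
# it is not kernel source.  good_rcv() captures the length before publishing.
SAMPLE_C = """\
static void good_rcv(struct sock *sk, struct sk_buff *skb)
{
        unsigned int len = skb->len;
        skb_queue_tail(&sk->sk_receive_queue, skb);
        sk->sk_data_ready(sk, len);
}

static void bad_rcv(struct sock *sk, struct sk_buff *skb)
{
        skb_queue_tail(&sk->sk_receive_queue, skb);
        sk->sk_data_ready(sk, skb->len);
}

static void also_bad(struct sock *sk, struct sk_buff *skb)
{
        __skb_queue_tail(&sk->sk_receive_queue, skb);
        if (skb->len > 0)
                sk->sk_data_ready(sk, 0);
}
"""

# A call that hands `var` to a receive queue (with or without leading underscores).
PUBLISH = re.compile(r'\b_*skb_queue_(?:tail|head)\s*\(\s*[^,]+,\s*(\w+)\s*\)\s*;')

def find_use_after_publish(source, window=8):
    """Return (line_no, var, text) for each `var->` read after `var` was queued.
    Assumes one statement per line, a `}` in column 0 ends the function, and an
    assignment to `var` makes it name a different buffer (heuristics, not a parser)."""
    hits = []
    lines = source.splitlines()
    for i, line in enumerate(lines):
        m = PUBLISH.search(line)
        if not m:
            continue
        var = m.group(1)
        deref = re.compile(r'\b' + re.escape(var) + r'\s*->')
        reassign = re.compile(r'\b' + re.escape(var) + r'\s*=[^=]')
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            nxt = lines[j]
            if nxt.startswith('}') or reassign.search(nxt):
                break  # left the function, or var no longer names the queued skb
            if deref.search(nxt):
                hits.append((j + 1, var, nxt.strip()))
    return hits
```

Running it over the sample reports only the two functions that touch `skb` after queueing it; `good_rcv()` is silent because it reads the length while it still owns the buffer.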
  7. 14 Feb, 2014 1 commit
  8. 12 Feb, 2014 2 commits
    • fs: Include appropriate header file in dlm/ast.c · 95058571
      Rashika Kheria authored
      Include appropriate header file fs/dlm/ast.h in fs/dlm/ast.c because it
      contains function prototypes of some functions defined in fs/dlm/ast.c.
      
      This also eliminates the following warnings in fs/dlm/ast.c:
      fs/dlm/ast.c:52:5: warning: no previous prototype for ‘dlm_add_lkb_callback’ [-Wmissing-prototypes]
      fs/dlm/ast.c:113:5: warning: no previous prototype for ‘dlm_rem_lkb_callback’ [-Wmissing-prototypes]
      fs/dlm/ast.c:174:6: warning: no previous prototype for ‘dlm_add_cb’ [-Wmissing-prototypes]
      fs/dlm/ast.c:212:6: warning: no previous prototype for ‘dlm_callback_work’ [-Wmissing-prototypes]
      fs/dlm/ast.c:267:5: warning: no previous prototype for ‘dlm_callback_start’ [-Wmissing-prototypes]
      fs/dlm/ast.c:278:6: warning: no previous prototype for ‘dlm_callback_stop’ [-Wmissing-prototypes]
      fs/dlm/ast.c:284:6: warning: no previous prototype for ‘dlm_callback_suspend’ [-Wmissing-prototypes]
      fs/dlm/ast.c:292:6: warning: no previous prototype for ‘dlm_callback_resume’ [-Wmissing-prototypes]
      Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
      Reviewed-by: Josh Triplett <josh@joshtriplett.org>
      Signed-off-by: David Teigland <teigland@redhat.com>
    • dlm: silence a harmless use after free warning · e8243f32
      Dan Carpenter authored
      We pass the freed "r" pointer back to the caller.  It's harmless but it
      upsets the static checkers.
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David Teigland <teigland@redhat.com>
  9. 22 Jan, 2014 1 commit
  10. 16 Dec, 2013 1 commit
  11. 19 Nov, 2013 1 commit
  12. 16 Oct, 2013 1 commit
  13. 12 Aug, 2013 1 commit
  14. 09 Aug, 2013 1 commit
    • dlm: kill the unnecessary and wrong device_close()->recalc_sigpending() · 201d3dfa
      Oleg Nesterov authored
      device_close()->recalc_sigpending() is not needed, sigprocmask() takes
      care of TIF_SIGPENDING correctly.
      
      And without ->siglock it is racy and wrong, it can wrongly clear
      TIF_SIGPENDING and miss a signal.
      
      But even with this patch device_close() is still buggy:
      
        1. sigprocmask() should not be used, we have set_task_blocked(),
           but this is minor.
      
        2. We should never block SIGKILL or SIGSTOP, and this is what
           the code tries to do.
      
        3. This can't protect against SIGKILL or SIGSTOP anyway. Another
           thread can do signal_wake_up(), say, do_signal_stop() or
           complete_signal() or debugger.
      
        4. sigprocmask(SIG_BLOCK, allsigs) doesn't necessarily clear
           TIF_SIGPENDING, say, freezing() or ->jobctl.

        5. device_write() looks equally wrong for the same reason.

      Looks like this tries to protect some wait_event_interruptible() logic
      from signals; it should be turned into an uninterruptible wait.  Or we need
      to implement something like signals_stop/start for such a use-case.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  15. 30 Jul, 2013 1 commit
  16. 26 Jun, 2013 1 commit
  17. 25 Jun, 2013 2 commits
  18. 19 Jun, 2013 1 commit
  19. 14 Jun, 2013 6 commits
  20. 09 Apr, 2013 1 commit
    • net: sctp: introduce uapi header for sctp · 1b866434
      Daniel Borkmann authored
      This patch introduces a UAPI header for the SCTP protocol,
      so that we can facilitate the maintenance and development of
      user land applications or libraries, in particular in terms
      of header synchronization.

      To not break compatibility, some fragments from lksctp-tools'
      netinet/sctp.h have been carefully included, while taking care
      that neither kernel nor user land breaks, so both compile fine
      with this change (for lksctp-tools I tested with the old
      netinet/sctp.h header and with a newly adapted one that includes
      the uapi sctp header). The lksctp-tools smoke test ran through
      successfully as well in both cases.
      Suggested-by: Neil Horman <nhorman@tuxdriver.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  21. 08 Apr, 2013 1 commit
    • dlm: avoid unnecessary posix unlock · 90008318
      David Teigland authored
      When the kernel clears flocks/plocks during close, it calls posix
      unlock when there are flocks but no posix locks.  Without this
      patch, that unnecessary posix unlock is passed to userland
      (dlm_controld), across the cluster, and back to the kernel.
      This can create a lot of plock activity, even when no posix
      locks had been used.
      
      This patch copies the nfs approach, and skips the full posix
      unlock if there is no plock found during the vfs unlock phase.
      Signed-off-by: David Teigland <teigland@redhat.com>
  22. 28 Feb, 2013 4 commits
    • hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      do they not really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
         was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
         properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
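Review bot: the `iterator name` declaration at the top of the rule omits `for_each_host_safe` and `for_each_mesh_entry`, both of which the body matches on (`for_each_host_safe(a, - b, c, d) S` and `for_each_mesh_entry(a, - b, c, d) S`); undeclared names are not treated as iterators by Coccinelle, so those two alternatives will not match as written and both names should be added to the list. The `sk_for_each_from` alternative also looks doubled: once `-(a, b)` / `+(a)` has rewritten the argument list, the following `+ sk_for_each_from(a) S` line adds a second copy of the loop, so one of the two forms should go.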
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foundation.org: redo intrusive kvm changes]
      Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • dlm: convert to idr_alloc() · 2a86b3e7
      Tejun Heo authored
      Convert to the much saner new idr interface.  Error return values from
      recover_idr_add() mix -1 and -errno.  The conversion doesn't change
      that but it looks iffy.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • dlm: don't use idr_remove_all() · a67a380e
      Tejun Heo authored
      idr_destroy() can destroy idr by itself and idr_remove_all() is being
      deprecated.
      
      The conversion isn't completely trivial for recover_idr_clear() as it's
      the only place in kernel which makes legitimate use of idr_remove_all()
      w/o idr_destroy().  Replace it with idr_remove() call inside
      idr_for_each_entry() loop.  It goes on top so that it matches the
      operation order in recover_idr_del().
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Christine Caulfield <ccaulfie@redhat.com>
      Cc: David Teigland <teigland@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • dlm: use idr_for_each_entry() in recover_idr_clear() error path · cda95406
      Tejun Heo authored
      Convert recover_idr_clear() to use idr_for_each_entry() instead of
      idr_for_each().  It's somewhat less efficient this way but it shouldn't
      matter in an error path.  This is to help with deprecation of
      idr_remove_all().
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Christine Caulfield <ccaulfie@redhat.com>
      Cc: David Teigland <teigland@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  23. 26 Feb, 2013 1 commit
  24. 04 Feb, 2013 1 commit
  25. 07 Jan, 2013 1 commit
    • dlm: avoid scanning unchanged toss lists · f1172283
      David Teigland authored
      Keep track of whether a toss list contains any
      shrinkable rsbs.  If not, dlm_scand can avoid
      scanning the list for rsbs to shrink.  Unnecessary
      scanning can otherwise waste a lot of time because
      the toss lists can contain a large number of rsbs
      that are non-shrinkable (directory records).
      Signed-off-by: David Teigland <teigland@redhat.com>
  26. 16 Nov, 2012 1 commit
    • dlm: fix lvb invalidation conditions · da8c6663
      David Teigland authored
      When a node is removed that held a PW/EX lock, the
      existing master node should invalidate the lvb on the
      resource due to the purged lock.
      
      Previously, the existing master node was invalidating
      the lvb if it found only NL/CR locks on the resource
      during recovery for the removed node.  This could lead
      to cases where it invalidated the lvb and shouldn't
      have, or cases where it should have invalidated and
      didn't.
      
      When recovery selects a *new* master node for a
      resource, and that new master finds only NL/CR locks
      on the resource after lock recovery, it should
      invalidate the lvb.  This case was handled correctly
      (but was incorrectly applied to the existing master
      case also.)
      
      When a process exits while holding a PW/EX lock,
      the lvb on the resource should be invalidated.
      This was not happening.
      
      The lvb contents and VALNOTVALID flag should be
      recovered before granting locks in recovery so that
      the recovered lvb state is provided in the callback.
      The lvb was being recovered after the lock was granted.
      Signed-off-by: David Teigland <teigland@redhat.com>
  27. 01 Nov, 2012 2 commits