1. 14 Apr, 2016 1 commit
  2. 11 Apr, 2016 1 commit
  3. 10 Nov, 2015 2 commits
  4. 23 Oct, 2015 1 commit
  5. 11 Apr, 2015 1 commit
  6. 09 Dec, 2014 1 commit
  7. 19 Nov, 2014 1 commit
  8. 28 Aug, 2014 1 commit
  9. 17 Aug, 2014 1 commit
  10. 29 Jul, 2014 2 commits
  11. 18 Jul, 2014 1 commit
  12. 31 May, 2014 1 commit
  13. 22 May, 2014 2 commits
  14. 11 Apr, 2014 1 commit
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller authored
      Several spots in the kernel perform a sequence like:
      	skb_queue_tail(&sk->sk_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about its
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: David S. Miller <davem@davemloft.net>
  15. 31 Mar, 2014 1 commit
      nfsd: check passed socket's net matches NFSd superblock's one · 30646394
      Stanislav Kinsbursky authored
      There could be a case when the NFSd file system is mounted in a network
      different from the socket's one, like below:
      "ip netns exec" creates a new network and mount namespace, which duplicates the NFSd
      mount point created in the init_net context. Thus an NFS server stop in the nested
      network context leads to RPCBIND client destruction in init_net.
      Then, on NFSd start in the nested network context, the rpc.nfsd process creates a socket
      in the nested net and passes it into "write_ports", which leads to RPCBIND socket
      creation in the init_net context for the same reason (the NFSd mount point was
      created in the init_net context). An attempt to register the passed socket in the nested
      net leads to a panic, because no RPCBIND client is present in the nested network.
      This patch adds a check that the passed socket's net matches the NFSd superblock's one,
      and returns an -EINVAL error to user space otherwise.
      v2: Put socket on exit.
      Reported-by: Weng Meiling <wengmeiling.weng@huawei.com>
      Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  16. 09 Oct, 2013 2 commits
      net: fix build errors if ipv6 is disabled · c2bb06db
      Eric Dumazet authored
      CONFIG_IPV6=n is still a valid choice ;)
      It appears we can remove dead code.
      Reported-by: Wu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv6: make lookups simpler and faster · efe4208f
      Eric Dumazet authored
      TCP listener refactoring, part 4 :
      To speed up inet lookups, we moved IPv4 addresses from inet to struct
      Now it is time to do the same for IPv6, because it permits us to have fast
      lookups for all kinds of sockets, including upcoming SYN_RECV.
      Getting IPv6 addresses in TCP lookups currently requires two extra cache
      lines, plus a dereference (and memory stall).
      inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
      This patch is way bigger than its IPv4 counterpart, because for IPv4,
      we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
      it's not easily doable.
      inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
      inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
      And timewait sockets also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
      at the same offset.
      We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  17. 01 Aug, 2013 1 commit
      NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure. · 447383d2
      NeilBrown authored
      Since we enabled auto-tuning for sunrpc TCP connections we do not
      guarantee that there is enough write-space on each connection to
      queue a reply.
      If memory pressure causes the window to shrink too small, the request
      throttling in sunrpc/svc will not accept any requests so no more requests
      will be handled.  Even when pressure decreases the window will not
      grow again until data is sent on the connection.
      This means we get a deadlock:  no requests will be handled until there
      is more space, and no space will be allocated until a request is
      This can be simulated by modifying svc_tcp_has_wspace to inflate the
      number of bytes required and removing the 'svc_sock_setbufsize' calls
      in svc_setup_socket.
      I found that multiplying by 16 was enough to make the requirement
      exceed the default allocation.  With this modification in place:
         mount -o vers=3,proto=tcp /mnt
      would block and eventually time out because the nfs server could not
      accept any requests.
      This patch relaxes the request throttling to always allow at least one
      request through per connection.  It does this by checking both
        sk_stream_min_wspace() and xprt->xpt_reserved
      are zero.
      The first is zero when the TCP transmit queue is empty.
      The second is zero when there are no RPC requests being processed.
      When both of these are zero the socket is idle and so one more
      request can safely be allowed through.
      Applying this patch allows the above mount command to succeed cleanly.
      Tracing shows that the allocated write buffer space quickly grows and
      after a few requests are handled, the extra tests are no longer needed
      to permit further requests to be processed.
      The main purpose of request throttling is to handle the case when one
      client is slow at collecting replies and the send queue gets full of
      replies that the client hasn't acknowledged (at the TCP level) yet.
      As we only change behaviour when the send queue is empty this main
      purpose is still preserved.
      Reported-by: Ben Myers <bpm@sgi.com>
      Signed-off-by: NeilBrown <neilb@suse.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
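      A constructed model of the throttling rule this commit describes, added here as an illustration and not the kernel's own code: it compares the old requirement (the send window must hold every reserved reply plus one maximum-size reply) with the relaxed rule that admits a single request on an idle connection. The field names are borrowed from the message; the 4096-byte window and the 16x reply size are assumed values for the simulation.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the sunrpc write-space check (not the kernel's code).
 * Each field stands for the quantity the commit message names. */
struct conn {
    size_t wspace;       /* sk_stream_wspace(): free send-buffer bytes */
    size_t min_wspace;   /* sk_stream_min_wspace(): 0 only when the transmit queue is empty */
    size_t xpt_reserved; /* xprt->xpt_reserved: bytes reserved by requests in progress */
    size_t sv_max_mesg;  /* serv->sv_max_mesg: largest reply one request may produce */
};

/* Pre-patch rule: admit a request only if the send window can hold every
 * already-reserved reply plus one more maximum-size reply. */
bool has_wspace_old(const struct conn *c)
{
    return c->wspace >= c->xpt_reserved + c->sv_max_mesg;
}

/* Post-patch rule: in addition, always admit one request on an idle
 * connection (nothing queued for transmit, no RPC in progress). Handling it
 * sends data, which is what lets the auto-tuned window grow again. */
bool has_wspace_new(const struct conn *c)
{
    if (c->min_wspace == 0 && c->xpt_reserved == 0)
        return true;
    return has_wspace_old(c);
}

/* Deadlock scenario from the commit: the window (assumed 4096 bytes) has
 * shrunk below one maximum reply (assumed 16 times larger, mirroring the
 * author's simulation). Returns how many of n back-to-back requests a rule
 * admits while no reply has been sent yet, so the window cannot grow. */
size_t admitted(bool (*rule)(const struct conn *), size_t n)
{
    struct conn c = { .wspace = 4096, .min_wspace = 0,
                      .xpt_reserved = 0, .sv_max_mesg = 16 * 4096 };
    size_t count = 0;
    for (size_t i = 0; i < n && rule(&c); i++) {
        count++;
        c.xpt_reserved += c.sv_max_mesg; /* the admitted request now holds a reservation */
    }
    return count;
}
```

      Under the old rule the shrunken window admits nothing, so the connection never sends and never recovers; the new rule admits exactly one request, and a connection with data already queued or an RPC in progress stays throttled as before.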
  18. 25 Jul, 2013 1 commit
  19. 01 Jul, 2013 2 commits
      svcrpc: don't error out on small tcp fragment · 1f691b07
      J. Bruce Fields authored
      Though clients we care about mostly don't do this, it is possible for
      rpc requests to be sent in multiple fragments.  Here we have a sanity
      check to ensure that the final received rpc isn't too small--except that
      the number we're actually checking is the length of just the final
      fragment, not of the whole rpc.  So a perfectly legal rpc that's
      unluckily fragmented could cause the server to close the connection.
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
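      The fragment-length mix-up described above, as an added illustration rather than the kernel's own code: a small model of RPC record marking over TCP (a 4-byte mark carrying a last-fragment bit and a 31-bit length, per RFC 5531) that applies the minimum-size check either to the final fragment alone or to the accumulated record. The 8-byte threshold and the constructed 36+4 byte split are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LAST_FRAG 0x80000000u /* record-marking "last fragment" bit (RFC 5531) */
#define MIN_RPC   8           /* assumed minimum record size the server accepts */

/* Consume record-marked fragments until the one flagged as last, then apply
 * the sanity check. check_total=false sizes only the final fragment (the bug
 * described above); check_total=true sizes the accumulated record (the fix).
 * Returns true if the server keeps the connection, false if it closes it. */
bool accept_rpc(const uint8_t *buf, size_t n, bool check_total)
{
    size_t off = 0, datalen = 0; /* datalen: bytes of this rpc received so far */
    for (;;) {
        if (n - off < 4)
            return false;          /* constructed stream ended mid-mark */
        /* 4-byte big-endian record mark: high bit = last fragment, rest = length */
        uint32_t mark = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                        ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        size_t reclen = mark & ~LAST_FRAG;
        off += 4;
        if (reclen > n - off)
            return false;          /* fragment longer than the data we have */
        off += reclen;
        datalen += reclen;
        if (mark & LAST_FRAG)
            return (check_total ? datalen : reclen) >= MIN_RPC;
    }
}

/* Build a constructed stream of nfrag zero-filled fragments with the given
 * payload sizes (only the marks matter here) and run the check on it. */
bool probe(const size_t *sizes, size_t nfrag, bool check_total)
{
    uint8_t buf[256];
    size_t off = 0;
    for (size_t i = 0; i < nfrag; i++) {
        if (off + 4 + sizes[i] > sizeof buf)
            return false;
        uint32_t mark = (uint32_t)sizes[i] | (i + 1 == nfrag ? LAST_FRAG : 0);
        for (int s = 24; s >= 0; s -= 8)
            buf[off++] = (uint8_t)(mark >> s);
        memset(buf + off, 0, sizes[i]);
        off += sizes[i];
    }
    return accept_rpc(buf, off, check_total);
}
```

      A 40-byte rpc split as 36+4 is rejected by the fragment-only check and accepted by the total-length check, while a genuinely 4-byte rpc is rejected by both.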
      svcrpc: fix handling of too-short rpc's · cf3aa02c
      J. Bruce Fields authored
      If we detect that an rpc is too short, we abort and close the
      connection.  Except, there's a bug here: we're leaving sk_datalen
      nonzero without leaving any pages in the sk_pages array.  The most
      likely result of the inconsistency is a subsequent crash in
      Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.
      Cc: stable@kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  20. 31 Jan, 2013 1 commit
  21. 18 Dec, 2012 1 commit
  22. 17 Dec, 2012 1 commit
  23. 04 Dec, 2012 5 commits
  24. 04 Nov, 2012 1 commit
  25. 10 Sep, 2012 1 commit
      nfsd: remove unused listener-removal interfaces · eccf50c1
      J. Bruce Fields authored
      You can use nfsd/portlist to give nfsd additional sockets to listen on.
      In theory you can also remove listening sockets this way.  But nobody's
      ever done that as far as I can tell.
      Also this was partially broken in 2.6.25, by a217813f "knfsd: Support adding
      transports by writing portlist file".
      (Note that we decide whether to take the "delfd" case by checking for a
      digit--but what's actually expected in that case is something made by
      svc_one_sock_name(), which won't begin with a digit.)
      So, let's just rip out this stuff.
      Acked-by: NeilBrown <neilb@suse.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  26. 21 Aug, 2012 6 commits