[kernel] r12466 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Dec 1 17:28:32 UTC 2008
Author: dannf
Date: Mon Dec 1 17:28:30 2008
New Revision: 12466
Log:
Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
dists/sid/linux-2.6/debian/patches/series/12
Modified:
dists/sid/linux-2.6/debian/changelog
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Mon Dec 1 17:28:30 2008
@@ -3,7 +3,10 @@
[ Ian Campbell ]
* xen: fix ACPI processor throttling for when processor id is -1. (closes: #502849)
- -- Ian Campbell <ijc at hellion.org.uk> Thu, 27 Nov 2008 07:21:22 +0000
+ [ dann frazier ]
+ * Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
+
+ -- dann frazier <dannf at debian.org> Mon, 01 Dec 2008 09:59:41 -0700
linux-2.6 (2.6.26-11) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch Mon Dec 1 17:28:30 2008
@@ -0,0 +1,104 @@
+From: dann frazier <dannf at hp.com>
+Date: Wed, 26 Nov 2008 23:32:27 +0000 (-0800)
+Subject: net: Fix soft lockups/OOM issues w/ unix garbage collector
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
+
+net: Fix soft lockups/OOM issues w/ unix garbage collector
+
+This is an implementation of David Miller's suggested fix in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=470201
+
+It has been updated to use wait_event() instead of
+wait_event_interruptible().
+
+Paraphrasing the description from the above report, it makes sendmsg()
+block while UNIX garbage collection is in progress. This avoids a
+situation where child processes continue to queue new FDs over a
+AF_UNIX socket to a parent which is in the exit path and running
+garbage collection on these FDs. This contention can result in soft
+lockups and oom-killing of unrelated processes.
+
+Signed-off-by: dann frazier <dannf at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/include/net/af_unix.h b/include/net/af_unix.h
+index c29ff1d..1614d78 100644
+--- a/include/net/af_unix.h
++++ b/include/net/af_unix.h
+@@ -9,6 +9,7 @@
+ extern void unix_inflight(struct file *fp);
+ extern void unix_notinflight(struct file *fp);
+ extern void unix_gc(void);
++extern void wait_for_unix_gc(void);
+
+ #define UNIX_HASH_SIZE 256
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index eb90f77..66d5ac4 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1343,6 +1343,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+
+ if (NULL == siocb->scm)
+ siocb->scm = &tmp_scm;
++ wait_for_unix_gc();
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;
+@@ -1493,6 +1494,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+
+ if (NULL == siocb->scm)
+ siocb->scm = &tmp_scm;
++ wait_for_unix_gc();
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 6d4a9a8..abb3ab3 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -80,6 +80,7 @@
+ #include <linux/file.h>
+ #include <linux/proc_fs.h>
+ #include <linux/mutex.h>
++#include <linux/wait.h>
+
+ #include <net/sock.h>
+ #include <net/af_unix.h>
+@@ -91,6 +92,7 @@
+ static LIST_HEAD(gc_inflight_list);
+ static LIST_HEAD(gc_candidates);
+ static DEFINE_SPINLOCK(unix_gc_lock);
++static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
+
+ unsigned int unix_tot_inflight;
+
+@@ -266,12 +268,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
+ list_move_tail(&u->link, &gc_candidates);
+ }
+
+-/* The external entry point: unix_gc() */
++static bool gc_in_progress = false;
+
+-void unix_gc(void)
++void wait_for_unix_gc(void)
+ {
+- static bool gc_in_progress = false;
++ wait_event(unix_gc_wait, gc_in_progress == false);
++}
+
++/* The external entry point: unix_gc() */
++void unix_gc(void)
++{
+ struct unix_sock *u;
+ struct unix_sock *next;
+ struct sk_buff_head hitlist;
+@@ -376,6 +382,7 @@ void unix_gc(void)
+ /* All candidates should have been detached by now. */
+ BUG_ON(!list_empty(&gc_candidates));
+ gc_in_progress = false;
++ wake_up(&unix_gc_wait);
+
+ out:
+ spin_unlock(&unix_gc_lock);
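Review bot: wait_for_unix_gc() in net/unix/garbage.c reads gc_in_progress without taking unix_gc_lock, while the visible tail of unix_gc() clears it before spin_unlock(&unix_gc_lock), and nothing at the new file-scope declaration records that rule. Now that the flag is no longer private to unix_gc(), I would add a comment above it such as `/* Written under unix_gc_lock; wait_for_unix_gc() reads it locklessly via wait_event() */`. Both sendmsg call sites also invoke the wait unconditionally and uninterruptibly, so a sender that passes no descriptors, or one that asked for a non-blocking send, presumably stalls for the length of a collection too; a one-line comment on wait_for_unix_gc() saying this is intended would help. The wait only holds senders off while a collection is running and does not by itself bound how many descriptors can be in flight between collections, so the patch header should describe it as a mitigation. unix_gc() and both sendmsg bodies continue outside the inner hunks.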
Added: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/12 Mon Dec 1 17:28:30 2008
@@ -0,0 +1 @@
++ bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch