[kernel] r12466 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Dec 1 17:28:32 UTC 2008


Author: dannf
Date: Mon Dec  1 17:28:30 2008
New Revision: 12466

Log:
Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
   dists/sid/linux-2.6/debian/patches/series/12
Modified:
   dists/sid/linux-2.6/debian/changelog

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Mon Dec  1 17:28:30 2008
@@ -3,7 +3,10 @@
   [ Ian Campbell ]
   * xen: fix ACPI processor throttling for when processor id is -1. (closes: #502849)
 
- -- Ian Campbell <ijc at hellion.org.uk>  Thu, 27 Nov 2008 07:21:22 +0000
+  [ dann frazier ]
+  * Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
+
+ -- dann frazier <dannf at debian.org>  Mon, 01 Dec 2008 09:59:41 -0700
 
 linux-2.6 (2.6.26-11) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch	Mon Dec  1 17:28:30 2008
@@ -0,0 +1,104 @@
+From: dann frazier <dannf at hp.com>
+Date: Wed, 26 Nov 2008 23:32:27 +0000 (-0800)
+Subject: net: Fix soft lockups/OOM issues w/ unix garbage collector
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
+
+net: Fix soft lockups/OOM issues w/ unix garbage collector
+
+This is an implementation of David Miller's suggested fix in:
+  https://bugzilla.redhat.com/show_bug.cgi?id=470201
+
+It has been updated to use wait_event() instead of
+wait_event_interruptible().
+
+Paraphrasing the description from the above report, it makes sendmsg()
+block while UNIX garbage collection is in progress. This avoids a
+situation where child processes continue to queue new FDs over a
+AF_UNIX socket to a parent which is in the exit path and running
+garbage collection on these FDs. This contention can result in soft
+lockups and oom-killing of unrelated processes.
+
+Signed-off-by: dann frazier <dannf at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/include/net/af_unix.h b/include/net/af_unix.h
+index c29ff1d..1614d78 100644
+--- a/include/net/af_unix.h
++++ b/include/net/af_unix.h
+@@ -9,6 +9,7 @@
+ extern void unix_inflight(struct file *fp);
+ extern void unix_notinflight(struct file *fp);
+ extern void unix_gc(void);
++extern void wait_for_unix_gc(void);
+ 
+ #define UNIX_HASH_SIZE	256
+ 
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index eb90f77..66d5ac4 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1343,6 +1343,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
++	wait_for_unix_gc();
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+@@ -1493,6 +1494,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
++	wait_for_unix_gc();
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 6d4a9a8..abb3ab3 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -80,6 +80,7 @@
+ #include <linux/file.h>
+ #include <linux/proc_fs.h>
+ #include <linux/mutex.h>
++#include <linux/wait.h>
+ 
+ #include <net/sock.h>
+ #include <net/af_unix.h>
+@@ -91,6 +92,7 @@
+ static LIST_HEAD(gc_inflight_list);
+ static LIST_HEAD(gc_candidates);
+ static DEFINE_SPINLOCK(unix_gc_lock);
++static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
+ 
+ unsigned int unix_tot_inflight;
+ 
+@@ -266,12 +268,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
+ 		list_move_tail(&u->link, &gc_candidates);
+ }
+ 
+-/* The external entry point: unix_gc() */
++static bool gc_in_progress = false;
+ 
+-void unix_gc(void)
++void wait_for_unix_gc(void)
+ {
+-	static bool gc_in_progress = false;
++	wait_event(unix_gc_wait, gc_in_progress == false);
++}
+ 
++/* The external entry point: unix_gc() */
++void unix_gc(void)
++{
+ 	struct unix_sock *u;
+ 	struct unix_sock *next;
+ 	struct sk_buff_head hitlist;
+@@ -376,6 +382,7 @@ void unix_gc(void)
+ 	/* All candidates should have been detached by now. */
+ 	BUG_ON(!list_empty(&gc_candidates));
+ 	gc_in_progress = false;
++	wake_up(&unix_gc_wait);
+ 
+  out:
+ 	spin_unlock(&unix_gc_lock);
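Review bot: `wait_for_unix_gc()` in net/unix/garbage.c tests `gc_in_progress` without holding `unix_gc_lock`, so it only throttles senders and gives no exclusion: a new collection can start between the wait returning and the `scm_send()` call in `unix_dgram_sendmsg()` / `unix_stream_sendmsg()`. That appears intentional, but it should be stated above the function, for example `/* Throttle only: delays senders while a collection runs; no exclusion against unix_gc(). */`. The wait also sits before `scm_send()` on every AF_UNIX send, apparently whether or not the message carries file descriptors, and `wait_event()` is uninterruptible, so one long collection stalls all such senders with no way to signal them. The same comment should record why `wait_event()` was chosen over `wait_event_interruptible()`. Only the tail of `unix_gc()` is visible in this patch, so where the flag is set to true is inferred, not shown.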

Added: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/12	Mon Dec  1 17:28:30 2008
@@ -0,0 +1 @@
++ bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch


