[kernel] r12482 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Dec 6 17:27:48 UTC 2008


Author: dannf
Date: Sat Dec  6 17:27:47 2008
New Revision: 12482

Log:
* Make sendmsg() block during UNIX garbage collection:
   - bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
  See CVE-2008-5300

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/23etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Sat Dec  6 17:27:47 2008
@@ -37,8 +37,11 @@
      - bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
     See CVE-2008-5029
     ** CURRENTLY AN UNHANDLED ABI BREAKER **
+  * Make sendmsg() block during UNIX garbage collection:
+     - bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
+    See CVE-2008-5300
 
- -- dann frazier <dannf at debian.org>  Fri, 14 Nov 2008 16:15:22 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 05 Dec 2008 23:00:02 -0700
 
 linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch	Sat Dec  6 17:27:47 2008
@@ -0,0 +1,103 @@
+From: dann frazier <dannf at hp.com>
+Date: Wed, 26 Nov 2008 23:32:27 +0000 (-0800)
+Subject: net: Fix soft lockups/OOM issues w/ unix garbage collector
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
+
+net: Fix soft lockups/OOM issues w/ unix garbage collector
+
+This is an implementation of David Miller's suggested fix in:
+  https://bugzilla.redhat.com/show_bug.cgi?id=470201
+
+It has been updated to use wait_event() instead of
+wait_event_interruptible().
+
+Paraphrasing the description from the above report, it makes sendmsg()
+block while UNIX garbage collection is in progress. This avoids a
+situation where child processes continue to queue new FDs over a
+AF_UNIX socket to a parent which is in the exit path and running
+garbage collection on these FDs. This contention can result in soft
+lockups and oom-killing of unrelated processes.
+
+Signed-off-by: dann frazier <dannf at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN a/include/net/af_unix.h b/include/net/af_unix.h
+--- a/include/net/af_unix.h	2008-11-30 23:15:06.000000000 -0700
++++ b/include/net/af_unix.h	2008-11-30 23:16:12.000000000 -0700
+@@ -9,6 +9,7 @@
+ extern void unix_inflight(struct file *fp);
+ extern void unix_notinflight(struct file *fp);
+ extern void unix_gc(void);
++extern void wait_for_unix_gc(void);
+ 
+ #define UNIX_HASH_SIZE	256
+ 
+diff -urpN a/net/unix/af_unix.c b/net/unix/af_unix.c
+--- a/net/unix/af_unix.c	2008-11-30 23:15:06.000000000 -0700
++++ b/net/unix/af_unix.c	2008-11-30 23:16:12.000000000 -0700
+@@ -1287,6 +1287,7 @@ static int unix_dgram_sendmsg(struct kio
+ 
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
++	wait_for_unix_gc();
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+@@ -1439,6 +1440,7 @@ static int unix_stream_sendmsg(struct ki
+ 
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
++	wait_for_unix_gc();
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+diff -urpN a/net/unix/garbage.c b/net/unix/garbage.c
+--- a/net/unix/garbage.c	2008-11-30 23:15:06.000000000 -0700
++++ b/net/unix/garbage.c	2008-11-30 23:18:07.000000000 -0700
+@@ -81,6 +81,7 @@
+ #include <linux/file.h>
+ #include <linux/proc_fs.h>
+ #include <linux/mutex.h>
++#include <linux/wait.h>
+ 
+ #include <net/sock.h>
+ #include <net/af_unix.h>
+@@ -92,6 +93,7 @@
+ static LIST_HEAD(gc_inflight_list);
+ static LIST_HEAD(gc_candidates);
+ static DEFINE_SPINLOCK(unix_gc_lock);
++static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
+ 
+ atomic_t unix_tot_inflight = ATOMIC_INIT(0);
+ 
+@@ -267,12 +269,16 @@ static void inc_inflight_move_tail(struc
+ 		list_move_tail(&u->link, &gc_candidates);
+ }
+ 
+-/* The external entry point: unix_gc() */
++static int gc_in_progress = 0;
+ 
+-void unix_gc(void)
++void wait_for_unix_gc(void)
+ {
+-	static int gc_in_progress = 0;
++	wait_event(unix_gc_wait, gc_in_progress == 0);
++}
+ 
++/* The external entry point: unix_gc() */
++void unix_gc(void)
++{
+ 	struct unix_sock *u;
+ 	struct unix_sock *next;
+ 	struct sk_buff_head hitlist;
+@@ -377,6 +383,7 @@ void unix_gc(void)
+ 	/* All candidates should have been detached by now. */
+ 	BUG_ON(!list_empty(&gc_candidates));
+ 	gc_in_progress = 0;
++	wake_up(&unix_gc_wait);
+ 
+  out:
+ 	spin_unlock(&unix_gc_lock);
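Review bot: `wait_for_unix_gc()` reads `gc_in_progress` without holding `unix_gc_lock`, so it throttles senders rather than excluding them: a sender that passes the check just before `unix_gc()` marks a pass as running (presumably earlier in its body, which is outside the embedded hunks) still reaches `scm_send()` while collection proceeds. That looks acceptable for the lockup/OOM problem described, but the new function has no comment saying so; I would add `/* Best-effort throttle: sleeps uninterruptibly while a GC pass runs; does not serialise senders against unix_gc(). */` above it. Both `unix_dgram_sendmsg()` and `unix_stream_sendmsg()` now call it on every send, including messages that carry no descriptors, and because the wait uses `wait_event()` a long GC pass stalls every AF_UNIX sender with no signal able to break the sleep. That trade-off is worth stating in the same comment, so a later reader does not mistake the wait for a locking guarantee.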

Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1	Sat Dec  6 17:27:47 2008
@@ -12,3 +12,4 @@
 + bugfix/af_unix-convert-socks-to-unix_socks.patch
 + bugfix/net-unix-fix-inflight-counting-bug-in-garbage-collector.patch
 + bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
++ bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch


