[kernel] r12482 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Dec 6 17:27:48 UTC 2008
Author: dannf
Date: Sat Dec 6 17:27:47 2008
New Revision: 12482
Log:
* Make sendmsg() block during UNIX garbage collection:
- bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
See CVE-2008-5300
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/23etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Sat Dec 6 17:27:47 2008
@@ -37,8 +37,11 @@
- bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
See CVE-2008-5029
** CURRENTLY AN UNHANDLED ABI BREAKER **
+ * Make sendmsg() block during UNIX garbage collection:
+ - bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
+ See CVE-2008-5300
- -- dann frazier <dannf at debian.org> Fri, 14 Nov 2008 16:15:22 -0700
+ -- dann frazier <dannf at debian.org> Fri, 05 Dec 2008 23:00:02 -0700
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch Sat Dec 6 17:27:47 2008
@@ -0,0 +1,103 @@
+From: dann frazier <dannf at hp.com>
+Date: Wed, 26 Nov 2008 23:32:27 +0000 (-0800)
+Subject: net: Fix soft lockups/OOM issues w/ unix garbage collector
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
+
+net: Fix soft lockups/OOM issues w/ unix garbage collector
+
+This is an implementation of David Miller's suggested fix in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=470201
+
+It has been updated to use wait_event() instead of
+wait_event_interruptible().
+
+Paraphrasing the description from the above report, it makes sendmsg()
+block while UNIX garbage collection is in progress. This avoids a
+situation where child processes continue to queue new FDs over a
+AF_UNIX socket to a parent which is in the exit path and running
+garbage collection on these FDs. This contention can result in soft
+lockups and oom-killing of unrelated processes.
+
+Signed-off-by: dann frazier <dannf at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN a/include/net/af_unix.h b/include/net/af_unix.h
+--- a/include/net/af_unix.h 2008-11-30 23:15:06.000000000 -0700
++++ b/include/net/af_unix.h 2008-11-30 23:16:12.000000000 -0700
+@@ -9,6 +9,7 @@
+ extern void unix_inflight(struct file *fp);
+ extern void unix_notinflight(struct file *fp);
+ extern void unix_gc(void);
++extern void wait_for_unix_gc(void);
+
+ #define UNIX_HASH_SIZE 256
+
+diff -urpN a/net/unix/af_unix.c b/net/unix/af_unix.c
+--- a/net/unix/af_unix.c 2008-11-30 23:15:06.000000000 -0700
++++ b/net/unix/af_unix.c 2008-11-30 23:16:12.000000000 -0700
+@@ -1287,6 +1287,7 @@ static int unix_dgram_sendmsg(struct kio
+
+ if (NULL == siocb->scm)
+ siocb->scm = &tmp_scm;
++ wait_for_unix_gc();
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;
+@@ -1439,6 +1440,7 @@ static int unix_stream_sendmsg(struct ki
+
+ if (NULL == siocb->scm)
+ siocb->scm = &tmp_scm;
++ wait_for_unix_gc();
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;
+diff -urpN a/net/unix/garbage.c b/net/unix/garbage.c
+--- a/net/unix/garbage.c 2008-11-30 23:15:06.000000000 -0700
++++ b/net/unix/garbage.c 2008-11-30 23:18:07.000000000 -0700
+@@ -81,6 +81,7 @@
+ #include <linux/file.h>
+ #include <linux/proc_fs.h>
+ #include <linux/mutex.h>
++#include <linux/wait.h>
+
+ #include <net/sock.h>
+ #include <net/af_unix.h>
+@@ -92,6 +93,7 @@
+ static LIST_HEAD(gc_inflight_list);
+ static LIST_HEAD(gc_candidates);
+ static DEFINE_SPINLOCK(unix_gc_lock);
++static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
+
+ atomic_t unix_tot_inflight = ATOMIC_INIT(0);
+
+@@ -267,12 +269,16 @@ static void inc_inflight_move_tail(struc
+ list_move_tail(&u->link, &gc_candidates);
+ }
+
+-/* The external entry point: unix_gc() */
++static int gc_in_progress = 0;
+
+-void unix_gc(void)
++void wait_for_unix_gc(void)
+ {
+- static int gc_in_progress = 0;
++ wait_event(unix_gc_wait, gc_in_progress == 0);
++}
+
++/* The external entry point: unix_gc() */
++void unix_gc(void)
++{
+ struct unix_sock *u;
+ struct unix_sock *next;
+ struct sk_buff_head hitlist;
+@@ -377,6 +383,7 @@ void unix_gc(void)
+ /* All candidates should have been detached by now. */
+ BUG_ON(!list_empty(&gc_candidates));
+ gc_in_progress = 0;
++ wake_up(&unix_gc_wait);
+
+ out:
+ spin_unlock(&unix_gc_lock);
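Review bot: wait_for_unix_gc() in the net/unix/garbage.c hunk has no comment, and its contract is not obvious: it reads gc_in_progress without taking unix_gc_lock and sleeps uninterruptibly, so it only throttles senders while a collection runs and does not prevent a new collection from starting right after it returns. I would add above it `/* Throttle senders while unix_gc() runs; uninterruptible on purpose, and no guarantee that GC is idle once this returns. */`. Both call sites in net/unix/af_unix.c sit before scm_send(), so every AF_UNIX sendmsg() waits here, presumably including messages that carry no file descriptors; if that is intended it deserves a line in the same comment. unix_gc()'s body continues outside the nested hunks, so whether every path that sets gc_in_progress also reaches the new wake_up() before `out:` cannot be confirmed from this page.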
Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Sat Dec 6 17:27:47 2008
@@ -12,3 +12,4 @@
+ bugfix/af_unix-convert-socks-to-unix_socks.patch
+ bugfix/net-unix-fix-inflight-counting-bug-in-garbage-collector.patch
+ bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
++ bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch