1. 18 Sep, 2015 31 commits
  2. 03 Jun, 2015 3 commits
    • Willy Tarreau's avatar
      Linux 2.6.32.67 · 00b90e79
      Willy Tarreau authored
      00b90e79
    • Junling Zheng's avatar
      net: socket: Fix the wrong returns for recvmsg and sendmsg · a8226a63
      Junling Zheng authored
      Based on 08adb7da upstream.
      
      We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL
      was expected.
      
      We tested it through the recvmsg01 testcase come from LTP testsuit. It set
      msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is
      unexpected (errno 22 is expected):
      
      recvmsg01    4  TFAIL  :  invalid socket length ; returned -1 (expected -1),
      errno 14 (expected 22)
      
      Linux mainline has no this bug for commit 08adb7da fixes it accidentally.
      However, it is too large and complex to be backported to LTS 3.10.
      
      Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match
      copy_msghdr_from_user() behaviour) made get_compat_msghdr() return
      error if msg_sys->msg_namelen was negative, which changed the behaviors
      of recvmsg and sendmsg syscall in a lib32 system:
      
      Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would
      return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen
      was invalid and then syscall returned -EINVAL, which is correct.
      
      And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will
      fail and wants to return -EINVAL, however, the outer syscall will return
      -EFAULT directly, which is unexpected.
      
      This patch gets the return value of get_compat_msghdr() as well as
      copy_msghdr_from_user(), then returns this expected value if
      get_compat_msghdr() fails.
      
      Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour)
      Signed-off-by: default avatarJunling Zheng <zhengjunling@huawei.com>
      Signed-off-by: default avatarHanbing Xu <xuhanbing@huawei.com>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a8226a63
    • Willy Tarreau's avatar
      net: fix incorrect backport of tcp_send_fin in 2.6.32.66 · cb162b71
      Willy Tarreau authored
      Eric forwarded this bug report happening since 2.6.32.66, found that the
      backport of commit 845704a5 ("tcp: avoid looping in tcp_send_fin()") was
      incorrect and proposed this patch to fix it. The bug was also reported by
      starlight.2015q2@binnacle.cx who confirmed the fix.
      
      > Date: Fri, 29 May 2015 09:12:45 +0000
      > From: "bugzilla-daemon@bugzilla.kernel.org" <bugzilla-daemon@bugzilla.kernel.org>
      > To: "shemminger@linux-foundation.org" <shemminger@linux-foundation.org>
      > Subject: [Bug 99161] New: 2.6.32.66 PPC Oops in tcp_send_fin
      >
      >
      > https://bugzilla.kernel.org/show_bug.cgi?id=99161
      >
      >             Bug ID: 99161
      >            Summary: 2.6.32.66 PPC Oops in tcp_send_fin
      >            Product: Networking
      >            Version: 2.5
      >     Kernel Version: 2.6.32.66
      >           Hardware: PPC-32
      >                 OS: Linux
      >               Tree: Mainline
      >             Status: NEW
      >           Severity: normal
      >           Priority: P1
      >          Component: IPV4
      >           Assignee: shemminger@linux-foundation.org
      >           Reporter: varenet@parisc-linux.org
      >         Regression: No
      >
      > I just updated my trusty old PPC box to longterm 2.6.32.66 (was running .65
      > before that with zero issue) and it started spewing oopses at me like hell
      > broke loose. This machine is primarily used as a DNS and MX (albeit under low
      > pressure).
      (...)
      
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cb162b71
  3. 24 May, 2015 6 commits
    • Willy Tarreau's avatar
      Linux 2.6.32.66 · b4736065
      Willy Tarreau authored
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      b4736065
    • Catalin Marinas's avatar
      net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour · db91e176
      Catalin Marinas authored
      Commit db31c55a (net: clamp ->msg_namelen instead of returning an
      error) introduced the clamping of msg_namelen when the unsigned value
      was larger than sizeof(struct sockaddr_storage). This caused a
      msg_namelen of -1 to be valid. The native code was subsequently fixed by
      commit dbb490b9 (net: socket: error on a negative msg_namelen).
      
      In addition, the native code sets msg_namelen to 0 when msg_name is
      NULL. This was done in commit (6a2a2b3a net:socket: set msg_namelen
      to 0 if msg_name is passed as NULL in msghdr struct from userland) and
      subsequently updated by 08adb7da (fold verify_iovec() into
      copy_msghdr_from_user()).
      
      This patch brings the get_compat_msghdr() in line with
      copy_msghdr_from_user().
      
      Fixes: db31c55a (net: clamp ->msg_namelen instead of returning an error)
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      (cherry picked from commit 91edd096)
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      db91e176
    • Alexey Khoroshilov's avatar
      sound/oss: fix deadlock in sequencer_ioctl(SNDCTL_SEQ_OUTOFBAND) · c8412c6c
      Alexey Khoroshilov authored
      A deadlock can be initiated by userspace via ioctl(SNDCTL_SEQ_OUTOFBAND)
      on /dev/sequencer with TMR_ECHO midi event.
      
      In this case the control flow is:
      sound_ioctl()
      -> case SND_DEV_SEQ:
         case SND_DEV_SEQ2:
           sequencer_ioctl()
           -> case SNDCTL_SEQ_OUTOFBAND:
                spin_lock_irqsave(&lock,flags);
                play_event();
                -> case EV_TIMING:
                     seq_timing_event()
                     -> case TMR_ECHO:
                          seq_copy_to_input()
                          -> spin_lock_irqsave(&lock,flags);
      
      It seems that spin_lock_irqsave() around play_event() is not necessary,
      because the only other call location in seq_startplay() makes the call
      without acquiring spinlock.
      
      So, the patch just removes spinlocks around play_event().
      By the way, it removes unreachable code in seq_timing_event(),
      since (seq_mode == SEQ_2) case is handled in the beginning.
      
      Compile tested only.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      (cherry picked from commit bc26d4d0)
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c8412c6c
    • Sergei Antonov's avatar
      hfsplus: fix B-tree corruption after insertion at position 0 · 533c1137
      Sergei Antonov authored
      commit 98cf21c6 upstream.
      
      Fix B-tree corruption when a new record is inserted at position 0 in the node
      in hfs_brec_insert(). In this case a hfs_brec_update_parent() is called to
      update the parent index node (if exists) and it is passed hfs_find_data with
      a search_key containing a newly inserted key instead of the key to be updated.
      This results in an inconsistent index node. The bug reproduces on my machine
      after an extents overflow record for the catalog file (CNID=4) is inserted into
      the extents overflow B-tree. Because of a low (reserved) value of CNID=4, it
      has to become the first record in the first leaf node.
      The resulting first leaf node is correct:
      ----------------------------------------------------
      | key0.CNID=4 | key1.CNID=123 | key2.CNID=456, ... |
      ----------------------------------------------------
      But the parent index key0 still contains the previous key CNID=123:
      -----------------------
      | key0.CNID=123 | ... |
      -----------------------
      
      A change in hfs_brec_insert() makes hfs_brec_update_parent() work correctly
      by preventing it from getting fd->record=-1 value from __hfs_brec_find().
      
      Along the way, I removed duplicate code with unification of the if condition.
      The resulting code is equivalent to the original code because node is never 0.
      
      Also hfs_brec_update_parent() will now return an error after getting a negative
      fd->record value. However, the return value of hfs_brec_update_parent() is not
      checked anywhere in the file and I'm leaving it unchanged by this patch.
      brec.c lacks error checking after some other calls too, but this issue is of
      less importance than the one being fixed by this patch.
      
      Cc: stable@vger.kernel.org
      Cc: Joe Perches <joe@perches.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
      Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
      Cc: Anton Altaparmakov <aia21@cam.ac.uk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarSergei Antonov <saproj@gmail.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      533c1137
    • Mathias Krause's avatar
      posix-timers: Fix stack info leak in timer_create() · d7733a75
      Mathias Krause authored
      commit 6891c450 upstream.
      
      If userland creates a timer without specifying a sigevent info, we'll
      create one ourself, using a stack local variable. Particularly will we
      use the timer ID as sival_int. But as sigev_value is a union containing
      a pointer and an int, that assignment will only partially initialize
      sigev_value on systems where the size of a pointer is bigger than the
      size of an int. On such systems we'll copy the uninitialized stack bytes
      from the timer_create() call to userland when the timer actually fires
      and we're going to deliver the signal.
      
      Initialize sigev_value with 0 to plug the stack info leak.
      
      Found in the PaX patch, written by the PaX Team.
      
      Fixes: 5a9fa730 ("posix-timers: kill ->it_sigev_signo and...")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Brad Spengler <spender@grsecurity.net>
      Cc: PaX Team <pageexec@freemail.hu>
      Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      (cherry picked from commit 3cd3a349)
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d7733a75
    • Jan Kara's avatar
      scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND · b5f10e98
      Jan Kara authored
      commit 84ce0f0e upstream.
      
      When sg_scsi_ioctl() fails to prepare request to submit in
      blk_rq_map_kern() we jump to a label where we just end up copying
      (luckily zeroed-out) kernel buffer to userspace instead of reporting
      error. Fix the problem by jumping to the right label.
      
      CC: Jens Axboe <axboe@kernel.dk>
      CC: linux-scsi@vger.kernel.org
      Coverity-id: 1226871
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      
      Fixed up the, now unused, out label.
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      (cherry picked from commit d73b032b)
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      b5f10e98