From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, "David S. Miller" <davem@davemloft.net>
Subject: [patch 05/23] net: Fix recursive descent in __scm_destroy().
Date: Fri, 7 Nov 2008 15:15:23 -0800
Message-ID: <20081107231523.GF1108@kroah.com>
In-Reply-To: <20081107231457.GA1108@kroah.com>
[-- Attachment #1: net-fix-recursive-descent-in-__scm_destroy.patch --]
[-- Type: text/plain, Size: 2802 bytes --]
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: David Miller <davem@davemloft.net>
commit f8d570a4745835f2238a33b537218a1bb03fc671 and
3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
good enough...)
__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.
Those, in turn, can close sockets and invoke __scm_destroy() again.
There is nothing which limits how deeply this can occur.
The idea for how to fix this is from Linus. Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput(). Inside of the initial __scm_destroy() we
keep running the list until it is empty.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/linux/sched.h | 4 +++-
include/net/scm.h | 5 +++--
net/core/scm.c | 24 +++++++++++++++++++++---
3 files changed, 27 insertions(+), 6 deletions(-)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1288,7 +1288,9 @@ struct task_struct {
atomic_t fs_excl; /* holding fs exclusive resources */
struct rcu_head rcu;
- /*
+ struct list_head *scm_work_list;
+
+/*
* cache last used pipe for splice
*/
struct pipe_inode_info *splice_pipe;
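Review bot: the new scm_work_list field is added without a comment and without explicit initialisation, so its correctness rests on init_task being zeroed and on fork copying a NULL from a parent that, by construction, is not inside __scm_destroy() at the time. Suggest a comment on the field (per-task list of scm_fp_list entries deferred by __scm_destroy(), only ever accessed through current) and an explicit `p->scm_work_list = NULL;` in copy_process() so the invariant does not depend on the copy. Separately, the relocated comment opener lands at column 0 (`+/*`) while its continuation lines keep their indentation; re-indent it to match.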
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -14,8 +14,9 @@
struct scm_fp_list
{
- int count;
- struct file *fp[SCM_MAX_FD];
+ struct list_head list;
+ int count;
+ struct file *fp[SCM_MAX_FD];
};
struct scm_cookie
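Review bot: the new list member of scm_fp_list has no comment saying what it links. Since every allocation site of the structure must now initialise it (scm_fp_copy() and scm_fp_dup() in this patch), a line such as `struct list_head list; /* on current->scm_work_list while deferred by __scm_destroy() */` would make that obligation visible to anyone adding another kmalloc() of this type later.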
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -75,6 +75,7 @@ static int scm_fp_copy(struct cmsghdr *c
if (!fpl)
return -ENOMEM;
*fplp = fpl;
+ INIT_LIST_HEAD(&fpl->list);
fpl->count = 0;
}
fpp = &fpl->fp[fpl->count];
@@ -106,9 +107,25 @@ void __scm_destroy(struct scm_cookie *sc
if (fpl) {
scm->fp = NULL;
- for (i=fpl->count-1; i>=0; i--)
- fput(fpl->fp[i]);
- kfree(fpl);
+ if (current->scm_work_list) {
+ list_add_tail(&fpl->list, current->scm_work_list);
+ } else {
+ LIST_HEAD(work_list);
+
+ current->scm_work_list = &work_list;
+
+ list_add(&fpl->list, &work_list);
+ while (!list_empty(&work_list)) {
+ fpl = list_first_entry(&work_list, struct scm_fp_list, list);
+
+ list_del(&fpl->list);
+ for (i=fpl->count-1; i>=0; i--)
+ fput(fpl->fp[i]);
+ kfree(fpl);
+ }
+
+ current->scm_work_list = NULL;
+ }
}
}
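Review bot: the conversion from recursion to a drained work list is the right fix, but the hunk carries no comment explaining it, and the mechanism is subtle enough to deserve one above `LIST_HEAD(work_list);`: the list lives on this frame's stack, current->scm_work_list marks that a drain is in progress so any __scm_destroy() reached from fput() (a closing unix socket releasing its own in-flight fds) appends with list_add_tail() and returns instead of descending, and the pointer is cleared before the frame goes away. Worth stating there too that the marker is the pointer rather than list_empty(), because the list is empty again while the last entry's fput()s run, and that the scheme depends on the nested call arriving synchronously on the same task, since the marker is keyed off current.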
@@ -284,6 +301,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
if (new_fpl) {
+ INIT_LIST_HEAD(&new_fpl->list);
for (i=fpl->count-1; i>=0; i--)
get_file(fpl->fp[i]);
memcpy(new_fpl, fpl, sizeof(*fpl));
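Review bot: the INIT_LIST_HEAD(&new_fpl->list) on the added line is overwritten two lines later by `memcpy(new_fpl, fpl, sizeof(*fpl));`, which copies the source entry's own list links (now the first member of the struct) into the copy. That is harmless at present, because __scm_destroy() always list_add()s or list_add_tail()s the entry before anything reads or list_del()s it, so both links are rewritten first, but the copy should not carry another entry's pointers around; move the INIT_LIST_HEAD() after the memcpy(), or copy only count and fp[].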
--
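The recursion the commit message describes, and its replacement by a per-task work list that the top-level call drains, modelled in userspace as an added example (this is not kernel code and not part of the patch; names such as `draining`, `destroy_chain_max_depth` and the `inflight` member are this model's own, standing in for current->scm_work_list and a unix socket's in-flight fds):

```c
#include <stdlib.h>
struct file { struct fp_list *inflight; };  /* a socket carrying in-flight fds */
struct fp_list { struct fp_list *next; int count; struct file *fp[4]; };
/* Per-task state: 'draining' stands in for current->scm_work_list. It must stay
 * set for the whole pass rather than mean "list non-empty", since the list is
 * empty again during the last entry's fput()s. Pushed LIFO here (kernel: tail). */
static struct fp_list *work;
static int draining, depth, max_depth;
static void scm_destroy(struct fp_list *fpl);

static void fput(struct file *f)
{
    struct fp_list *l = f->inflight;        /* closing the socket drops its fds */
    free(f);
    if (l) scm_destroy(l);                  /* the nested call being tamed */
}

static void scm_destroy(struct fp_list *fpl)
{
    if (++depth > max_depth) max_depth = depth;
    fpl->next = work;                       /* queue it; only the top level drains */
    work = fpl;
    if (!draining) {
        draining = 1;
        while (work) {
            struct fp_list *l = work;
            work = l->next;
            for (int i = l->count - 1; i >= 0; i--) fput(l->fp[i]);
            free(l);
        }
        draining = 0;
    }
    depth--;
}
/* Wrap an empty list in n sockets, each carried in flight by the next, destroy
 * the outermost list and return the deepest nesting seen: 2 for any n >= 1 with
 * the work list, n + 1 if scm_destroy() simply recursed. */
int destroy_chain_max_depth(int n)
{
    struct fp_list *top = calloc(1, sizeof *top);
    for (int i = 0; i < n; i++) {
        struct file *f = calloc(1, sizeof *f);
        f->inflight = top;
        top = calloc(1, sizeof *top);
        top->fp[0] = f; top->count = 1;
    }
    max_depth = 0;
    scm_destroy(top);
    return max_depth;
}
```

With the `draining` test removed, `scm_destroy()` nests once per socket in the chain, which is the unbounded descent the patch removes.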