public inbox for linux-kernel@vger.kernel.org
From: Tim Gardner <tim.gardner@canonical.com>
To: Andi Kleen <andi@firstfloor.org>
Cc: ebiederm@xmission.com, dan@aloni.org, davem@davemloft.net,
	gregkh@suse.de, ak@linux.intel.com, linux-kernel@vger.kernel.org,
	stable@kernel.org, tim.bird@am.sony.com, stable@vger.kernel.org
Subject: Re: [stable] [PATCH] [26/98] af_unix: Only allow recv on connected seqpacket sockets.
Date: Wed, 27 Jul 2011 09:58:54 -0600
Message-ID: <4E3035BE.6090908@canonical.com>
In-Reply-To: <20110727003518.6DA772403FF@tassilo.jf.intel.com>

On 07/26/2011 06:35 PM, Andi Kleen wrote:
> 2.6.35-longterm review patch.  If anyone has any objections, please let me know.
>
> ------------------
> From: Eric W. Biederman<ebiederm@xmission.com>
>
> commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.
>
> This fixes the following oops discovered by Dan Aloni:
>> Anyway, the following is the output of the Oops that I got on the
>> Ubuntu kernel on which I first detected the problem
>> (2.6.37-12-generic). The Oops that followed will be more useful, I
>> guess.
>
>> [ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
>> at           (null)
>> [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
>> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
>> [ 5594.693720] Oops: 0002 [#1] SMP
>> [ 5594.699888] last sysfs file:
>
> The bug was that unix domain sockets use a pseudo packet for
> connecting and accept uses that pseudo packet to get the socket.
> In the buggy seqpacket case we were allowing unconnected
> sockets to call recvmsg and try to receive the pseudo packet.
>
> That is always wrong and as of commit 7361c36c5 the pseudo
> packet had become enough different from a normal packet
> that the kernel started oopsing.
>
> Do for seqpacket_recv what was done for seqpacket_send in 2.5
> and only allow it on connected seqpacket sockets.
>
> Tested-by: Dan Aloni<dan@aloni.org>
> Signed-off-by: Eric W. Biederman<ebiederm@xmission.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
> Signed-off-by: Andi Kleen<ak@linux.intel.com>
>
> ---
>   net/unix/af_unix.c |   16 +++++++++++++++-
>   1 file changed, 15 insertions(+), 1 deletion(-)
>
> Index: linux-2.6.35.y/net/unix/af_unix.c
> ===================================================================
> --- linux-2.6.35.y.orig/net/unix/af_unix.c
> +++ linux-2.6.35.y/net/unix/af_unix.c
> @@ -504,6 +504,8 @@ static int unix_dgram_connect(struct soc
>   			      int, int);
>   static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
>   				  struct msghdr *, size_t);
> +static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
> +				  struct msghdr *, size_t, int);
>
>   static const struct proto_ops unix_stream_ops = {
>   	.family =	PF_UNIX,
> @@ -563,7 +565,7 @@ static const struct proto_ops unix_seqpa
>   	.setsockopt =	sock_no_setsockopt,
>   	.getsockopt =	sock_no_getsockopt,
>   	.sendmsg =	unix_seqpacket_sendmsg,
> -	.recvmsg =	unix_dgram_recvmsg,
> +	.recvmsg =	unix_seqpacket_recvmsg,
>   	.mmap =		sock_no_mmap,
>   	.sendpage =	sock_no_sendpage,
>   };
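Review bot: Swapping .recvmsg in unix_seqpacket_ops is a user-visible change, not just a crash fix: an unconnected or still-listening SOCK_SEQPACKET socket that calls recv() now gets -ENOTCONN instead of whatever unix_dgram_recvmsg did before (on kernels past 7361c36c5, the oops in the commit log). For a longterm pick it would help to say so explicitly in the commit message, since user space that reads before connect/accept will see a new error return; the regression discussed in the reply on this thread is of exactly that shape.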
> @@ -1676,6 +1678,18 @@ static int unix_seqpacket_sendmsg(struct
>   	return unix_dgram_sendmsg(kiocb, sock, msg, len);
>   }
>
> +static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
> +			      struct msghdr *msg, size_t size,
> +			      int flags)
> +{
> +	struct sock *sk = sock->sk;
> +
> +	if (sk->sk_state != TCP_ESTABLISHED)
> +		return -ENOTCONN;
> +
> +	return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
> +}
> +
>   static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
>   {
>   	struct unix_sock *u = unix_sk(sk);
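Review bot: sk->sk_state is read here without unix_state_lock(sk), so the check is a lockless snapshot and a concurrent connect() on the same socket can change the state between the test and the call into unix_dgram_recvmsg; that mirrors the seqpacket_send check the commit message says it copies, and the cost is at most one spurious -ENOTCONN, but a one-line comment noting the unlocked read is deliberate would save the next reader the question. Minor style: the continuation lines of the new definition (`struct msghdr *msg, size_t size,` / `int flags)`) are not aligned with the opening parenthesis, unlike the forward declaration added in the first hunk.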

Andi - Ubuntu has reverted this patch for both Lucid (2.6.32) and Natty 
(2.6.38) as it appears to cause a networking regression, though we never 
really figured out the root cause. Empirically, reverting the patch solved 
the issue. Eric Biederman theorized that it uncovered a user space issue 
(trying to read before listen), but the bug reporter seems to have lost 
interest in testing kernels so we couldn't ever pin it down.

http://bugs.launchpad.net/bugs/791512

We also decided that reverting this patch was likely OK because we 
couldn't find any Launchpad reports of the Oops mentioned in the patch 
commit log, nor does a Google search turn up any hits.

rtg
-- 
Tim Gardner tim.gardner@canonical.com
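As an added example (my code, not part of the patch or of this thread), here is what the new state check in unix_seqpacket_recvmsg looks like from user space: recv() on a SOCK_SEQPACKET socket that never connected, or that is only listening, fails with ENOTCONN, while a connected socketpair() still goes through to unix_dgram_recvmsg. It assumes a Linux kernel that carries the patch and the abstract socket namespace; the function names are mine.

```c
/* Added example (not from the patch or thread): user-space view of the state
 * check unix_seqpacket_recvmsg adds.  Linux-only; assumes abstract names. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* recv() on a never-connected (do_listen=0) or listening (do_listen=1)
 * SOCK_SEQPACKET socket: sk_state != TCP_ESTABLISHED, so a patched kernel
 * fails with ENOTCONN before dequeuing anything.  Returns recv()'s errno,
 * 0 if it unexpectedly succeeded, or -1 if setup failed. */
int recv_errno_unconnected(int do_listen)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    char buf[16];
    int err, fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return -1;
    if (do_listen) {
        /* listen() needs a bound socket; an abstract name leaves no file. */
        snprintf(addr.sun_path + 1, sizeof addr.sun_path - 1, "ex-%d", (int)getpid());
        if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
            close(fd);
            return -1;
        }
    }
    err = recv(fd, buf, sizeof buf, MSG_DONTWAIT) < 0 ? errno : 0;
    close(fd);
    return err;
}
/* Connected socketpair(): the check passes and recv() reaches
 * unix_dgram_recvmsg.  Returns bytes received after one send() (5), or
 * -errno with nothing queued (-EAGAIN because of MSG_DONTWAIT). */
int recv_connected(int send_first)
{
    int sv[2];
    char buf[16];
    ssize_t n;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
        return -1;
    n = send_first ? send(sv[0], "hello", 5, 0) : 0;
    if (n >= 0)
        n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
    if (n < 0)
        n = -errno;
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}
```

On a kernel that reverted the patch, as the Ubuntu kernels discussed above did, the first two calls no longer return ENOTCONN, which makes this a quick way to tell which behaviour a given kernel ships.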

