<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/netlink, branch linux-2.6.35.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>2.6.35.13 longterm review</title>
<updated>2011-04-28T15:21:17+00:00</updated>
<author>
<name>Chuck Ebbert</name>
<email>cebbert@redhat.com</email>
</author>
<published>2011-04-27T00:21:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=47764cfbd17b4796f7f2d90c13832313ea95343f'/>
<id>47764cfbd17b4796f7f2d90c13832313ea95343f</id>
<content type='text'>
Also please revert the patch "fix-cred-leak-in-af_netlink" from 2.6.35.12.
The proper fix was "af_netlink-add-needed-scm_destroy-after-scm_send" which
was also added in that release. Here's a revert patch:

Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Also please revert the patch "fix-cred-leak-in-af_netlink" from 2.6.35.12.
The proper fix was "af_netlink-add-needed-scm_destroy-after-scm_send" which
was also added in that release. Here's a revert patch:

Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree</title>
<updated>2011-03-31T18:58:52+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2011-03-31T18:58:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=04d450668aa58e6202916ad870cdfc73621dee26'/>
<id>04d450668aa58e6202916ad870cdfc73621dee26</id>
<content type='text'>
stored a ref to the current cred struct in struct scm_cookie.  This was fine
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
that the copied credentials leak each time SCM data is sent over a netlink
socket.

This can be triggered quite simply on a Fedora 13 or 14 userspace with the
2.6.35.11 kernel (or something based off of that) by calling:

	#!/bin/bash
	for ((i=0; i&lt;100; i++))
	do
		su - -c /bin/true
		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
		cat /proc/keys | wc -l
	done

This leaks the session key that pam_keyinit creates for 'su -', which appears
in /proc/keys as being revoked (has the R flag set against it) after su is
called.

Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
can be viewed and seen to increase.  The key slab increases by one object per
loop, and this can be seen after the system has had a couple of minutes to
stand after the script above has been run on it.

If the system is working correctly, the key and cred counts should return to
roughly what they were before.

This patch from upstream (b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6) is needed
to fix the problem:

===============================================================================

From: Eric W. Biederman &lt;ebiederm@xmission.com&gt;

af_netlink: Add needed scm_destroy after scm_send.

scm_send occasionally allocates state in the scm_cookie, so I have
modified netlink_sendmsg to guarantee that when scm_send succeeds
scm_destroy will be called to free that state.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;
Reviewed-by: Daniel Lezcano &lt;daniel.lezcano@free.fr&gt;
Acked-by: Pavel Emelyanov &lt;xemul@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
stored a ref to the current cred struct in struct scm_cookie.  This was fine
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
that the copied credentials leak each time SCM data is sent over a netlink
socket.

This can be triggered quite simply on a Fedora 13 or 14 userspace with the
2.6.35.11 kernel (or something based off of that) by calling:

	#!/bin/bash
	for ((i=0; i&lt;100; i++))
	do
		su - -c /bin/true
		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
		cat /proc/keys | wc -l
	done

This leaks the session key that pam_keyinit creates for 'su -', which appears
in /proc/keys as being revoked (has the R flag set against it) after su is
called.

Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
can be viewed and seen to increase.  The key slab increases by one object per
loop, and this can be seen after the system has had a couple of minutes to
stand after the script above has been run on it.

If the system is working correctly, the key and cred counts should return to
roughly what they were before.

This patch from upstream (b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6) is needed
to fix the problem:

===============================================================================

From: Eric W. Biederman &lt;ebiederm@xmission.com&gt;

af_netlink: Add needed scm_destroy after scm_send.

scm_send occasionally allocates state in the scm_cookie, so I have
modified netlink_sendmsg to guarantee that when scm_send succeeds
scm_destroy will be called to free that state.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;
Reviewed-by: Daniel Lezcano &lt;daniel.lezcano@free.fr&gt;
Acked-by: Pavel Emelyanov &lt;xemul@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix cred leak in AF_NETLINK</title>
<updated>2011-03-31T18:57:36+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2011-03-31T18:57:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48e6b121605512d87f8da1ccd014313489c19630'/>
<id>48e6b121605512d87f8da1ccd014313489c19630</id>
<content type='text'>
Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
stored a ref to the current cred struct in struct scm_cookie.  This was fine
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
that the copied credentials leak each time SCM data is sent over a netlink
socket.

This can be triggered quite simply on a Fedora 13 or 14 userspace with the
2.6.35.11 kernel (or something based off of that) by calling:

	#!/bin/bash
	for ((i=0; i&lt;100; i++))
	do
		su - -c /bin/true
		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
		cat /proc/keys | wc -l
	done

This leaks the session key that pam_keyinit creates for 'su -', which appears
in /proc/keys as being revoked (has the R flag set against it) after su is
called.

Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
can be viewed and seen to increase.  The key slab increases by one object per
loop, and this can be seen after the system has had a couple of minutes to
stand after the script above has been run on it.

If the system is working correctly, the key and cred counts should return to
roughly what they were before.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
stored a ref to the current cred struct in struct scm_cookie.  This was fine
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
that the copied credentials leak each time SCM data is sent over a netlink
socket.

This can be triggered quite simply on a Fedora 13 or 14 userspace with the
2.6.35.11 kernel (or something based off of that) by calling:

	#!/bin/bash
	for ((i=0; i&lt;100; i++))
	do
		su - -c /bin/true
		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
		cat /proc/keys | wc -l
	done

This leaks the session key that pam_keyinit creates for 'su -', which appears
in /proc/keys as being revoked (has the R flag set against it) after su is
called.

Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
can be viewed and seen to increase.  The key slab increases by one object per
loop, and this can be seen after the system has had a couple of minutes to
stand after the script above has been run on it.

If the system is working correctly, the key and cred counts should return to
roughly what they were before.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netlink: fix compat recvmsg</title>
<updated>2010-08-26T23:46:20+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2010-08-15T21:20:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=185726c288025a315a5d70984c80d49abb9e115d'/>
<id>185726c288025a315a5d70984c80d49abb9e115d</id>
<content type='text'>
commit 68d6ac6d2740b6a55f3ae92a4e0be6d881904b32 upstream.

Since
commit 1dacc76d0014a034b8aca14237c127d7c19d7726
Author: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Date:   Wed Jul 1 11:26:02 2009 +0000

    net/compat/wext: send different messages to compat tasks

we had a race condition when setting and then
restoring frag_list. Eric attempted to fix it,
but the fix created even worse problems.

However, the original motivation I had when I
added the code that turned out to be racy is
no longer clear to me, since we only copy up
to skb-&gt;len to userspace, which doesn't include
the frag_list length. As a result, not doing
any frag_list clearing and restoring avoids
the race condition, while not introducing any
other problems.

Additionally, while preparing this patch I found
that since none of the remaining netlink code is
really aware of the frag_list, we need to use the
original skb's information for packet information
and credentials. This fixes, for example, the
group information received by compat tasks.

Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 68d6ac6d2740b6a55f3ae92a4e0be6d881904b32 upstream.

Since
commit 1dacc76d0014a034b8aca14237c127d7c19d7726
Author: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Date:   Wed Jul 1 11:26:02 2009 +0000

    net/compat/wext: send different messages to compat tasks

we had a race condition when setting and then
restoring frag_list. Eric attempted to fix it,
but the fix created even worse problems.

However, the original motivation I had when I
added the code that turned out to be racy is
no longer clear to me, since we only copy up
to skb-&gt;len to userspace, which doesn't include
the frag_list length. As a result, not doing
any frag_list clearing and restoring avoids
the race condition, while not introducing any
other problems.

Additionally, while preparing this patch I found
that since none of the remaining netlink code is
really aware of the frag_list, we need to use the
original skb's information for packet information
and credentials. This fixes, for example, the
group information received by compat tasks.

Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netlink: Implement netlink_broadcast_filtered</title>
<updated>2010-05-21T16:37:32+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2010-05-05T00:36:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=910a7e905f36e51a17d6e8bb4ad6dcd5ac5f1d53'/>
<id>910a7e905f36e51a17d6e8bb4ad6dcd5ac5f1d53</id>
<content type='text'>
When netlink sockets are used to convey data that is in a namespace
we need a way to select a subset of the listening sockets to deliver
the packet to.  For the network namespace we have been doing this
by only transmitting packets in the correct network namespace.

For data belonging to other namespaces netlink_broadcast_filtered
provides a mechanism that allows us to examine the destination
socket and to decide if we should transmit the specified packet
to it.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When netlink sockets are used to convey data that is in a namespace
we need a way to select a subset of the listening sockets to deliver
the packet to.  For the network namespace we have been doing this
by only transmitting packets in the correct network namespace.

For data belonging to other namespaces netlink_broadcast_filtered
provides a mechanism that allows us to examine the destination
socket and to decide if we should transmit the specified packet
to it.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6</title>
<updated>2010-04-11T21:53:53+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-04-11T21:53:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=871039f02f8ec4ab2e5e9010718caa8e085786f1'/>
<id>871039f02f8ec4ab2e5e9010718caa8e085786f1</id>
<content type='text'>
Conflicts:
	drivers/net/stmmac/stmmac_main.c
	drivers/net/wireless/wl12xx/wl1271_cmd.c
	drivers/net/wireless/wl12xx/wl1271_main.c
	drivers/net/wireless/wl12xx/wl1271_spi.c
	net/core/ethtool.c
	net/mac80211/scan.c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/net/stmmac/stmmac_main.c
	drivers/net/wireless/wl12xx/wl1271_cmd.c
	drivers/net/wireless/wl12xx/wl1271_main.c
	drivers/net/wireless/wl12xx/wl1271_spi.c
	net/core/ethtool.c
	net/mac80211/scan.c
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6</title>
<updated>2010-04-07T06:53:30+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-04-07T06:53:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4a35ecf8bf1c4b039503fa554100fe85c761de76'/>
<id>4a35ecf8bf1c4b039503fa554100fe85c761de76</id>
<content type='text'>
Conflicts:
	drivers/net/bonding/bond_main.c
	drivers/net/via-velocity.c
	drivers/net/wireless/iwlwifi/iwl-agn.c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/net/bonding/bond_main.c
	drivers/net/via-velocity.c
	drivers/net/wireless/iwlwifi/iwl-agn.c
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6</title>
<updated>2010-04-06T15:34:06+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2010-04-06T15:34:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cb4361c1dc29cd870f664c004b1817106fbce0fa'/>
<id>cb4361c1dc29cd870f664c004b1817106fbce0fa</id>
<content type='text'>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits)
  smc91c92_cs: fix the problem of "Unable to find hardware address"
  r8169: clean up my printk uglyness
  net: Hook up cxgb4 to Kconfig and Makefile
  cxgb4: Add main driver file and driver Makefile
  cxgb4: Add remaining driver headers and L2T management
  cxgb4: Add packet queues and packet DMA code
  cxgb4: Add HW and FW support code
  cxgb4: Add register, message, and FW definitions
  netlabel: Fix several rcu_dereference() calls used without RCU read locks
  bonding: fix potential deadlock in bond_uninit()
  net: check the length of the socket address passed to connect(2)
  stmmac: add documentation for the driver.
  stmmac: fix kconfig for crc32 build error
  be2net: fix bug in vlan rx path for big endian architecture
  be2net: fix flashing on big endian architectures
  be2net: fix a bug in flashing the redboot section
  bonding: bond_xmit_roundrobin() fix
  drivers/net: Add missing unlock
  net: gianfar - align BD ring size console messages
  net: gianfar - initialize per-queue statistics
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits)
  smc91c92_cs: fix the problem of "Unable to find hardware address"
  r8169: clean up my printk uglyness
  net: Hook up cxgb4 to Kconfig and Makefile
  cxgb4: Add main driver file and driver Makefile
  cxgb4: Add remaining driver headers and L2T management
  cxgb4: Add packet queues and packet DMA code
  cxgb4: Add HW and FW support code
  cxgb4: Add register, message, and FW definitions
  netlabel: Fix several rcu_dereference() calls used without RCU read locks
  bonding: fix potential deadlock in bond_uninit()
  net: check the length of the socket address passed to connect(2)
  stmmac: add documentation for the driver.
  stmmac: fix kconfig for crc32 build error
  be2net: fix bug in vlan rx path for big endian architecture
  be2net: fix flashing on big endian architectures
  be2net: fix a bug in flashing the redboot section
  bonding: bond_xmit_roundrobin() fix
  drivers/net: Add missing unlock
  net: gianfar - align BD ring size console messages
  net: gianfar - initialize per-queue statistics
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>netlink: Export genl_lock() API for use by modules</title>
<updated>2010-04-03T21:56:05+00:00</updated>
<author>
<name>James Chapman</name>
<email>jchapman@katalix.com</email>
</author>
<published>2010-04-02T06:19:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f408e0ce40270559ef80f231843c93baa9947bc5'/>
<id>f408e0ce40270559ef80f231843c93baa9947bc5</id>
<content type='text'>
This lets kernel modules which use genl netlink APIs serialize netlink
processing.

Signed-off-by: James Chapman &lt;jchapman@katalix.com&gt;
Reviewed-by: Randy Dunlap &lt;randy.dunlap@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This lets kernel modules which use genl netlink APIs serialize netlink
processing.

Signed-off-by: James Chapman &lt;jchapman@katalix.com&gt;
Reviewed-by: Randy Dunlap &lt;randy.dunlap@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: check the length of the socket address passed to connect(2)</title>
<updated>2010-04-02T00:26:01+00:00</updated>
<author>
<name>Changli Gao</name>
<email>xiaosuo@gmail.com</email>
</author>
<published>2010-03-31T22:58:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6503d96168f891ffa3b70ae6c9698a1a722025a0'/>
<id>6503d96168f891ffa3b70ae6c9698a1a722025a0</id>
<content type='text'>
check the length of the socket address passed to connect(2).

Check the length of the socket address passed to connect(2). If the
length is invalid, -EINVAL will be returned.

Signed-off-by: Changli Gao &lt;xiaosuo@gmail.com&gt;
----
net/bluetooth/l2cap.c | 3 ++-
net/bluetooth/rfcomm/sock.c | 3 ++-
net/bluetooth/sco.c | 3 ++-
net/can/bcm.c | 3 +++
net/ieee802154/af_ieee802154.c | 3 +++
net/ipv4/af_inet.c | 5 +++++
net/netlink/af_netlink.c | 3 +++
7 files changed, 20 insertions(+), 3 deletions(-)
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
check the length of the socket address passed to connect(2).

Check the length of the socket address passed to connect(2). If the
length is invalid, -EINVAL will be returned.

Signed-off-by: Changli Gao &lt;xiaosuo@gmail.com&gt;
----
net/bluetooth/l2cap.c | 3 ++-
net/bluetooth/rfcomm/sock.c | 3 ++-
net/bluetooth/sco.c | 3 ++-
net/can/bcm.c | 3 +++
net/ieee802154/af_ieee802154.c | 3 +++
net/ipv4/af_inet.c | 5 +++++
net/netlink/af_netlink.c | 3 +++
7 files changed, 20 insertions(+), 3 deletions(-)
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
