<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/core/sock.c, branch v2.6.34</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>sock.c: potential null dereference</title>
<updated>2010-03-07T23:25:50+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-03-06T01:04:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=72150e9b7fec217fbd646a29ea2f65a3d4d55ea9'/>
<id>72150e9b7fec217fbd646a29ea2f65a3d4d55ea9</id>
<content type='text'>
We test that "prot-&gt;rsk_prot" is non-null right before we dereference it
on this line.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We test that "prot-&gt;rsk_prot" is non-null right before we dereference it
on this line.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: backlog functions rename</title>
<updated>2010-03-05T21:34:03+00:00</updated>
<author>
<name>Zhu Yi</name>
<email>yi.zhu@intel.com</email>
</author>
<published>2010-03-04T18:01:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a3a858ff18a72a8d388e31ab0d98f7e944841a62'/>
<id>a3a858ff18a72a8d388e31ab0d98f7e944841a62</id>
<content type='text'>
sk_add_backlog -&gt; __sk_add_backlog
sk_add_backlog_limited -&gt; sk_add_backlog

Signed-off-by: Zhu Yi &lt;yi.zhu@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
sk_add_backlog -&gt; __sk_add_backlog
sk_add_backlog_limited -&gt; sk_add_backlog

Signed-off-by: Zhu Yi &lt;yi.zhu@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add limit for socket backlog</title>
<updated>2010-03-05T21:33:59+00:00</updated>
<author>
<name>Zhu Yi</name>
<email>yi.zhu@intel.com</email>
</author>
<published>2010-03-04T18:01:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8eae939f1400326b06d0c9afe53d2a484a326871'/>
<id>8eae939f1400326b06d0c9afe53d2a484a326871</id>
<content type='text'>
We got system OOM while running some UDP netperf testing on the loopback
device. The case is multiple senders sent stream UDP packets to a single
receiver via loopback on local host. Of course, the receiver is not able
to handle all the packets in time. But we surprisingly found that these
packets were not discarded due to the receiver's sk-&gt;sk_rcvbuf limit.
Instead, they are kept queuing to sk-&gt;sk_backlog and finally ate up all
the memory. We believe this is a secure hole that a none privileged user
can crash the system.

The root cause for this problem is, when the receiver is doing
__release_sock() (i.e. after userspace recv, kernel udp_recvmsg -&gt;
skb_free_datagram_locked -&gt; release_sock), it moves skbs from backlog to
sk_receive_queue with the softirq enabled. In the above case, multiple
busy senders will almost make it an endless loop. The skbs in the
backlog end up eat all the system memory.

The issue is not only for UDP. Any protocols using socket backlog is
potentially affected. The patch adds limit for socket backlog so that
the backlog size cannot be expanded endlessly.

Reported-by: Alex Shi &lt;alex.shi@intel.com&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Arnaldo Carvalho de Melo &lt;acme@ghostprotocols.net&gt;
Cc: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru
Cc: "Pekka Savola (ipv6)" &lt;pekkas@netcore.fi&gt;
Cc: Patrick McHardy &lt;kaber@trash.net&gt;
Cc: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Cc: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Cc: Jon Maloy &lt;jon.maloy@ericsson.com&gt;
Cc: Allan Stephens &lt;allan.stephens@windriver.com&gt;
Cc: Andrew Hendry &lt;andrew.hendry@gmail.com&gt;
Signed-off-by: Zhu Yi &lt;yi.zhu@intel.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Acked-by: Arnaldo Carvalho de Melo &lt;acme@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We got system OOM while running some UDP netperf testing on the loopback
device. The case is multiple senders sent stream UDP packets to a single
receiver via loopback on local host. Of course, the receiver is not able
to handle all the packets in time. But we surprisingly found that these
packets were not discarded due to the receiver's sk-&gt;sk_rcvbuf limit.
Instead, they are kept queuing to sk-&gt;sk_backlog and finally ate up all
the memory. We believe this is a secure hole that a none privileged user
can crash the system.

The root cause for this problem is, when the receiver is doing
__release_sock() (i.e. after userspace recv, kernel udp_recvmsg -&gt;
skb_free_datagram_locked -&gt; release_sock), it moves skbs from backlog to
sk_receive_queue with the softirq enabled. In the above case, multiple
busy senders will almost make it an endless loop. The skbs in the
backlog end up eat all the system memory.

The issue is not only for UDP. Any protocols using socket backlog is
potentially affected. The patch adds limit for socket backlog so that
the backlog size cannot be expanded endlessly.

Reported-by: Alex Shi &lt;alex.shi@intel.com&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Arnaldo Carvalho de Melo &lt;acme@ghostprotocols.net&gt;
Cc: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru
Cc: "Pekka Savola (ipv6)" &lt;pekkas@netcore.fi&gt;
Cc: Patrick McHardy &lt;kaber@trash.net&gt;
Cc: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Cc: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Cc: Jon Maloy &lt;jon.maloy@ericsson.com&gt;
Cc: Allan Stephens &lt;allan.stephens@windriver.com&gt;
Cc: Andrew Hendry &lt;andrew.hendry@gmail.com&gt;
Signed-off-by: Zhu Yi &lt;yi.zhu@intel.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Acked-by: Arnaldo Carvalho de Melo &lt;acme@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of /home/davem/src/GIT/linux-2.6/</title>
<updated>2010-03-01T03:23:06+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-03-01T03:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=47871889c601d8199c51a4086f77eebd77c29b0b'/>
<id>47871889c601d8199c51a4086f77eebd77c29b0b</id>
<content type='text'>
Conflicts:
	drivers/firmware/iscsi_ibft.c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/firmware/iscsi_ibft.c
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Add checking to rcu_dereference() primitives</title>
<updated>2010-02-25T08:41:03+00:00</updated>
<author>
<name>Paul E. McKenney</name>
<email>paulmck@linux.vnet.ibm.com</email>
</author>
<published>2010-02-23T01:04:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a898def29e4119bc01ebe7ca97423181f4c0ea2d'/>
<id>a898def29e4119bc01ebe7ca97423181f4c0ea2d</id>
<content type='text'>
Update rcu_dereference() primitives to use new lockdep-based
checking. The rcu_dereference() in __in6_dev_get() may be
protected either by rcu_read_lock() or RTNL, per Eric Dumazet.
The rcu_dereference() in __sk_free() is protected by the fact
that it is never reached if an update could change it.  Check
for this by using rcu_dereference_check() to verify that the
struct sock's -&gt;sk_wmem_alloc counter is zero.

Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Cc: laijs@cn.fujitsu.com
Cc: dipankar@in.ibm.com
Cc: mathieu.desnoyers@polymtl.ca
Cc: josh@joshtriplett.org
Cc: dvhltc@us.ibm.com
Cc: niv@us.ibm.com
Cc: peterz@infradead.org
Cc: rostedt@goodmis.org
Cc: Valdis.Kletnieks@vt.edu
Cc: dhowells@redhat.com
LKML-Reference: &lt;1266887105-1528-5-git-send-email-paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Update rcu_dereference() primitives to use new lockdep-based
checking. The rcu_dereference() in __in6_dev_get() may be
protected either by rcu_read_lock() or RTNL, per Eric Dumazet.
The rcu_dereference() in __sk_free() is protected by the fact
that it is never reached if an update could change it.  Check
for this by using rcu_dereference_check() to verify that the
struct sock's -&gt;sk_wmem_alloc counter is zero.

Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Cc: laijs@cn.fujitsu.com
Cc: dipankar@in.ibm.com
Cc: mathieu.desnoyers@polymtl.ca
Cc: josh@joshtriplett.org
Cc: dvhltc@us.ibm.com
Cc: niv@us.ibm.com
Cc: peterz@infradead.org
Cc: rostedt@goodmis.org
Cc: Valdis.Kletnieks@vt.edu
Cc: dhowells@redhat.com
LKML-Reference: &lt;1266887105-1528-5-git-send-email-paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: use kasprintf() for socket cache names</title>
<updated>2010-02-17T21:27:11+00:00</updated>
<author>
<name>Alexey Dobriyan</name>
<email>adobriyan@gmail.com</email>
</author>
<published>2010-02-17T09:34:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=faf234220fb79a05891477a75180e1d9f7ab4105'/>
<id>faf234220fb79a05891477a75180e1d9f7ab4105</id>
<content type='text'>
kasprintf() makes code smaller.

Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
kasprintf() makes code smaller.

Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: spread __net_init, __net_exit</title>
<updated>2010-01-18T03:16:02+00:00</updated>
<author>
<name>Alexey Dobriyan</name>
<email>adobriyan@gmail.com</email>
</author>
<published>2010-01-17T03:35:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2c8c1e7297e19bdef3c178c3ea41d898a7716e3e'/>
<id>2c8c1e7297e19bdef3c178c3ea41d898a7716e3e</id>
<content type='text'>
__net_init/__net_exit are apparently not going away, so use them
to full extent.

In some cases __net_init was removed, because it was called from
__net_exit code.

Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
__net_init/__net_exit are apparently not going away, so use them
to full extent.

In some cases __net_init was removed, because it was called from
__net_exit code.

Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/core/sock.c: quiet sparse noise</title>
<updated>2010-01-15T09:08:58+00:00</updated>
<author>
<name>H Hartley Sweeten</name>
<email>hsweeten@visionengravers.com</email>
</author>
<published>2010-01-15T09:08:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4d0392be21d4710121f855c0caf57d32ffd1ced0'/>
<id>4d0392be21d4710121f855c0caf57d32ffd1ced0</id>
<content type='text'>
In sock_getsockopt the symbol 'lv' is declared as an
unsigned int type, probably due to sizeof returning a
size_t which is really an unsigned int.

This produces a sparse warning for SO_PEERNAME due to
the sock-&gt;ops-&gt;getname() call:

warning: incorrect type in argument 3 (different signedness)
   expected int *sockaddr_len
   got unsigned int *&lt;noident&gt;

Quiet the warning by changing the type of 'lv' to an int.

Signed-off-by: H Hartley Sweeten &lt;hsweeten@visionengravers.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In sock_getsockopt the symbol 'lv' is declared as an
unsigned int type, probably due to sizeof returning a
size_t which is really an unsigned int.

This produces a sparse warning for SO_PEERNAME due to
the sock-&gt;ops-&gt;getname() call:

warning: incorrect type in argument 3 (different signedness)
   expected int *sockaddr_len
   got unsigned int *&lt;noident&gt;

Quiet the warning by changing the type of 'lv' to an int.

Signed-off-by: H Hartley Sweeten &lt;hsweeten@visionengravers.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: update the netstamp_needed counter when cloning sockets</title>
<updated>2010-01-08T08:00:09+00:00</updated>
<author>
<name>Octavian Purdila</name>
<email>opurdila@ixiacom.com</email>
</author>
<published>2010-01-08T08:00:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=704da560c0a0120d8869187f511491a00951a1d3'/>
<id>704da560c0a0120d8869187f511491a00951a1d3</id>
<content type='text'>
This fixes a netstamp_needed accounting issue when the listen socket
has SO_TIMESTAMP set:

    s = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -&gt; netstamp_needed = 1
    bind(s, ...);
    listen(s, ...);
    s2 = accept(s, ...); -&gt; netstamp_needed = 1
    close(s2); -&gt; netstamp_needed = 0
    close(s); -&gt; netstamp_needed = -1

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This fixes a netstamp_needed accounting issue when the listen socket
has SO_TIMESTAMP set:

    s = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -&gt; netstamp_needed = 1
    bind(s, ...);
    listen(s, ...);
    s2 = accept(s, ...); -&gt; netstamp_needed = 1
    close(s2); -&gt; netstamp_needed = 0
    close(s); -&gt; netstamp_needed = -1

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Fix build warning in sock_bindtodevice().</title>
<updated>2009-11-06T06:37:11+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2009-11-06T06:37:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=000ba2e43f33901859fd794bb33c885909d53b3b'/>
<id>000ba2e43f33901859fd794bb33c885909d53b3b</id>
<content type='text'>
net/core/sock.c: In function 'sock_setsockopt':
net/core/sock.c:396: warning: 'index' may be used uninitialized in this function
net/core/sock.c:396: note: 'index' was declared here

GCC can't see that all paths initialize index, so just
set it to the default (0) and eliminate the specific
code block that handles the null device name string.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
net/core/sock.c: In function 'sock_setsockopt':
net/core/sock.c:396: warning: 'index' may be used uninitialized in this function
net/core/sock.c:396: note: 'index' was declared here

GCC can't see that all paths initialize index, so just
set it to the default (0) and eliminate the specific
code block that handles the null device name string.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
