Message-ID: <20090714190727.GA7735@redhat.com>
Date:	Tue, 14 Jul 2009 14:07:27 -0500
From:	David Teigland <teigland@...hat.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: [GIT PULL] dlm fixes for 2.6.31-rc3

Linus,

Please pull three dlm fixes from:

 git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm.git for-linus

One fixes a socket leak people have been reporting, another fix for a posix
lock regression from several releases ago, and a warning removal.  Full
patches included for review.
Thanks,
Dave

Casey Dahlin (1):
      dlm: free socket in error exit path

David Teigland (1):
      dlm: fix plock use-after-free

Steven Whitehouse (1):
      dlm: Fix uninitialised variable warning in lock.c

 fs/dlm/lock.c     |    2 +-
 fs/dlm/lowcomms.c |    4 +++-
 fs/dlm/plock.c    |   17 ++++++++++-------
 3 files changed, 14 insertions(+), 9 deletions(-)



commit a89d63a159b1ba5833be2bef00adf8ad8caac8be
Author: Casey Dahlin <cdahlin@...hat.com>
Date:   Tue Jul 14 12:17:51 2009 -0500

    dlm: free socket in error exit path
    
    In the tcp_connect_to_sock() error exit path, the socket
    allocated at the top of the function was not being freed.
    
    Signed-off-by: Casey Dahlin <cdahlin@...hat.com>
    Signed-off-by: David Teigland <teigland@...hat.com>

diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
index cdb580a..618a60f 100644
--- a/fs/dlm/lowcomms.c
+++ b/fs/dlm/lowcomms.c
@@ -902,7 +902,7 @@ static void tcp_connect_to_sock(struct connection *con)
 	int result = -EHOSTUNREACH;
 	struct sockaddr_storage saddr, src_addr;
 	int addr_len;
-	struct socket *sock;
+	struct socket *sock = NULL;
 
 	if (con->nodeid == 0) {
 		log_print("attempt to connect sock 0 foiled");
@@ -962,6 +962,8 @@ out_err:
 	if (con->sock) {
 		sock_release(con->sock);
 		con->sock = NULL;
+	} else if (sock) {
+		sock_release(sock);
 	}
 	/*
 	 * Some errors are fatal and this list might need adjusting. For other
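
Review bot: in the out_err block, `else if (sock)` releases the local socket only when con->sock is NULL, so the fix is correct only if con->sock, whenever it is set on this path, refers to the same socket as the local `sock`; the visible lines do not show where that handoff happens. A short comment at out_err stating that invariant would make the ownership explicit. The `= NULL` initialisation added in the first hunk is what makes this test safe on early exits and needs to survive any later refactoring of the declarations.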

commit c78a87d0a1fc885dfdbe21fd5e07787691dfb068
Author: David Teigland <teigland@...hat.com>
Date:   Thu Jun 18 13:20:24 2009 -0500

    dlm: fix plock use-after-free
    
    Fix a regression from the original addition of nfs lock support
    586759f03e2e9031ac5589912a51a909ed53c30a.  When a synchronous
    (non-nfs) plock completes, the waiting thread will wake up and
    free the op struct.  This races with the user thread in
    dev_write() which goes on to read the op's callback field to
    check if the lock is async and needs a callback.  This check
    can happen on the freed op.  The fix is to note the callback
    value before the op can be freed.
    
    Signed-off-by: David Teigland <teigland@...hat.com>

diff --git a/fs/dlm/plock.c b/fs/dlm/plock.c
index 894a32d..16f682e 100644
--- a/fs/dlm/plock.c
+++ b/fs/dlm/plock.c
@@ -353,7 +353,7 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count,
 {
 	struct dlm_plock_info info;
 	struct plock_op *op;
-	int found = 0;
+	int found = 0, do_callback = 0;
 
 	if (count != sizeof(info))
 		return -EINVAL;
@@ -366,21 +366,24 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count,
 
 	spin_lock(&ops_lock);
 	list_for_each_entry(op, &recv_list, list) {
-		if (op->info.fsid == info.fsid && op->info.number == info.number &&
+		if (op->info.fsid == info.fsid &&
+		    op->info.number == info.number &&
 		    op->info.owner == info.owner) {
+			struct plock_xop *xop = (struct plock_xop *)op;
 			list_del_init(&op->list);
-			found = 1;
-			op->done = 1;
 			memcpy(&op->info, &info, sizeof(info));
+			if (xop->callback)
+				do_callback = 1;
+			else
+				op->done = 1;
+			found = 1;
 			break;
 		}
 	}
 	spin_unlock(&ops_lock);
 
 	if (found) {
-		struct plock_xop *xop;
-		xop = (struct plock_xop *)op;
-		if (xop->callback)
+		if (do_callback)
 			dlm_plock_callback(op);
 		else
 			wake_up(&recv_wq);
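
Review bot: the lifetime rule this fix depends on is not documented in the loop body: once `op->done = 1` is set and ops_lock is dropped, the waiting thread may free op, so nothing after spin_unlock() may dereference op unless do_callback is set. A comment above `if (xop->callback)` saying so would keep a later change from reintroducing a read of op in the `if (found)` block. Separately, the `(struct plock_xop *)op` cast is applied to every matched op under the lock, which is only valid if every op on recv_list is allocated as a plock_xop; these lines do not show that, so it is worth confirming or noting at the cast.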

commit a566a6b11c86147fe9fc9db7ab15f9eecca3e862
Author: Steven Whitehouse <swhiteho@...hat.com>
Date:   Mon Jun 15 08:26:48 2009 +0100

    dlm: Fix uninitialised variable warning in lock.c
    
      CC [M]  fs/dlm/lock.o
    fs/dlm/lock.c: In function ‘find_rsb’:
    fs/dlm/lock.c:438: warning: ‘r’ may be used uninitialized in this function
    
    Since r is used on the error path to set r_ret, set it to NULL.
    
    Signed-off-by: Steven Whitehouse <swhiteho@...hat.com>
    Signed-off-by: David Teigland <teigland@...hat.com>

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 205ec95..eb507c4 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -435,7 +435,7 @@ static int search_rsb(struct dlm_ls *ls, char *name, int len, int b,
 static int find_rsb(struct dlm_ls *ls, char *name, int namelen,
 		    unsigned int flags, struct dlm_rsb **r_ret)
 {
-	struct dlm_rsb *r, *tmp;
+	struct dlm_rsb *r = NULL, *tmp;
 	uint32_t hash, bucket;
 	int error = -EINVAL;
 
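
Review bot: at the declaration in find_rsb(), `r = NULL` means *r_ret is set to NULL on the error path the commit message describes, but nothing in the function header says so. A one-line comment on find_rsb() stating that *r_ret is NULL when a non-zero error is returned would tell callers to test the return value before using the pointer.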