From 2bb60cb9b7b997bdbc7fd6c8001dcca02a4ea2e1 Mon Sep 17 00:00:00 2001 From: Alexander Duyck Date: Fri, 22 Feb 2013 06:38:44 +0000 Subject: net: Fix locking bug in netif_set_xps_queue Smatch found a locking bug in netif_set_xps_queue in which we were not releasing the lock in the case of an allocation failure. This change corrects that so that we release the xps_map_mutex before returning -ENOMEM in the case of an allocation failure. Signed-off-by: Alexander Duyck Signed-off-by: David S. Miller --- net/core/dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net/core') diff --git a/net/core/dev.c b/net/core/dev.c index 17bc535115d3..18d8b5acc343 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1882,8 +1882,10 @@ int netif_set_xps_queue(struct net_device *dev, struct cpumask *mask, u16 index) if (!new_dev_maps) new_dev_maps = kzalloc(maps_sz, GFP_KERNEL); - if (!new_dev_maps) + if (!new_dev_maps) { + mutex_unlock(&xps_map_mutex); return -ENOMEM; + } map = dev_maps ? xmap_dereference(dev_maps->cpu_map[cpu]) : NULL; -- cgit v1.2.3 From cbda4eaffa2da9cefb89dd748803da689596d28b Mon Sep 17 00:00:00 2001 From: stephen hemminger Date: Fri, 22 Feb 2013 07:59:10 +0000 Subject: sock: only define socket limit if mem cgroup configured The mem cgroup socket limit is only used if the config option is enabled. Found with sparse Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- net/core/sock.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net/core') diff --git a/net/core/sock.c b/net/core/sock.c index fe96c5d34299..b261a7977746 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -186,8 +186,10 @@ void mem_cgroup_sockets_destroy(struct mem_cgroup *memcg) static struct lock_class_key af_family_keys[AF_MAX]; static struct lock_class_key af_family_slock_keys[AF_MAX]; +#if defined(CONFIG_MEMCG_KMEM) struct static_key memcg_socket_limit_enabled; EXPORT_SYMBOL(memcg_socket_limit_enabled); +#endif /* * Make lock validator output more readable. (we pre-construct these -- cgit v1.2.3 From 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Sat, 23 Feb 2013 01:13:47 +0000 Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause Acked-by: Eric Dumazet Signed-off-by: David S. Miller --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'net/core') diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 602cd637182e..750f44f3aa31 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT; -- cgit v1.2.3 From 8e904550d0fffcda2b18d7ab12750b0c75757e89 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Sat, 23 Feb 2013 01:13:48 +0000 Subject: sock_diag: Simplify sock_diag_handlers[] handling in __sock_diag_rcv_msg The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause Signed-off-by: David S. Miller --- net/core/sock_diag.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) (limited to 'net/core') diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 750f44f3aa31..a29e90cf36b7 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -97,21 +97,6 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld) } EXPORT_SYMBOL_GPL(sock_diag_unregister); -static const inline struct sock_diag_handler *sock_diag_lock_handler(int family) -{ - if (sock_diag_handlers[family] == NULL) - request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, family); - - mutex_lock(&sock_diag_table_mutex); - return sock_diag_handlers[family]; -} - -static inline void sock_diag_unlock_handler(const struct sock_diag_handler *h) -{ - mutex_unlock(&sock_diag_table_mutex); -} - static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { int err; @@ -124,12 +109,17 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (req->sdiag_family >= AF_MAX) return -EINVAL; - hndl = sock_diag_lock_handler(req->sdiag_family); + if (sock_diag_handlers[req->sdiag_family] == NULL) + request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, + NETLINK_SOCK_DIAG, req->sdiag_family); + + mutex_lock(&sock_diag_table_mutex); + hndl = sock_diag_handlers[req->sdiag_family]; if (hndl == NULL) err = -ENOENT; else err = hndl->dump(skb, nlh); - sock_diag_unlock_handler(hndl); + mutex_unlock(&sock_diag_table_mutex); return err; } -- cgit v1.2.3