hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/fs/ocfs2
History
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks. 
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
 		2014-04-11 16:15:36 -04:00
..
cluster net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
dlm ocfs2: fix deadlock risk when kmalloc failed in dlm_query_region_handler 2014-04-03 16:20:55 -07:00
dlmfs
Kconfig
Makefile
acl.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
acl.h
alloc.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
alloc.h
aops.c ocfs2: improve fsync efficiency and fix deadlock between aio_write and sync_file 2014-04-03 16:20:53 -07:00
aops.h ocfs2: change ip_unaligned_aio to of type mutex from atomit_t 2014-04-03 16:20:53 -07:00
blockcheck.c
blockcheck.h
buffer_head_io.c ocfs2: do not put bh when buffer_uptodate failed 2014-04-03 16:20:56 -07:00
buffer_head_io.h
dcache.c ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock 2014-04-03 16:20:55 -07:00
dcache.h ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock 2014-04-03 16:20:55 -07:00
dir.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
dir.h
dlmglue.c ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread 2014-04-03 16:20:55 -07:00
dlmglue.h ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread 2014-04-03 16:20:55 -07:00
export.c
export.h
extent_map.c
extent_map.h
file.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
file.h
heartbeat.c
heartbeat.h
inode.c mm + fs: store shadow entries in page cache 2014-04-03 16:21:01 -07:00
inode.h ocfs2: remove OCFS2_INODE_SKIP_DELETE flag 2014-04-03 16:20:54 -07:00
ioctl.c ocfs2: iput inode alloc when failed locally 2014-04-03 16:20:57 -07:00
ioctl.h
journal.c ocfs2: remove OCFS2_INODE_SKIP_DELETE flag 2014-04-03 16:20:54 -07:00
journal.h ocfs2: improve fsync efficiency and fix deadlock between aio_write and sync_file 2014-04-03 16:20:53 -07:00
localalloc.c
localalloc.h
locks.c ocfs2: flock: drop cross-node lock when failed locally 2014-04-03 16:20:56 -07:00
locks.h
mmap.c
mmap.h
move_extents.c ocfs2: rollback alloc_dinode counts when ocfs2_block_group_set_bits() failed 2014-04-03 16:20:56 -07:00
move_extents.h
namei.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
namei.h
ocfs1_fs_compat.h
ocfs2.h ocfs2: avoid system inode ref confusion by adding mutex lock 2014-04-03 16:20:57 -07:00
ocfs2_fs.h
ocfs2_ioctl.h
ocfs2_lockid.h
ocfs2_lockingver.h
ocfs2_trace.h
quota.h ocfs2: implement delayed dropping of last dquot reference 2014-04-03 16:20:54 -07:00
quota_global.c ocfs2: implement delayed dropping of last dquot reference 2014-04-03 16:20:54 -07:00
quota_local.c ocfs2: fix quota file corruption 2014-03-04 07:55:48 -08:00
refcounttree.c
refcounttree.h
reservations.c
reservations.h
resize.c
resize.h
slot_map.c
slot_map.h
stack_o2cb.c
stack_user.c
stackglue.c Nothing major: the stricter permissions checking for sysfs broke 2014-04-06 09:38:07 -07:00
stackglue.h
suballoc.c ocfs2: iput inode alloc when failed locally 2014-04-03 16:20:57 -07:00
suballoc.h ocfs2: rollback alloc_dinode counts when ocfs2_block_group_set_bits() failed 2014-04-03 16:20:56 -07:00
super.c Major changes for 3.14 include support for the newly added ZERO_RANGE 2014-04-04 15:39:39 -07:00
super.h
symlink.c
symlink.h
sysfile.c ocfs2: avoid system inode ref confusion by adding mutex lock 2014-04-03 16:20:57 -07:00
sysfile.h
uptodate.c
uptodate.h
xattr.c ocfs2: pass "new" parameter to ocfs2_init_xattr_bucket 2014-04-03 16:20:57 -07:00
xattr.h