linux-hardened/net
Miklos Szeredi 6209344f5a net: unix: fix inflight counting bug in garbage collector
Previously I assumed that the receive queues of candidates don't
change during the GC.  This is only half true, nothing can be received
from the queues (see comment in unix_gc()), but buffers could be added
through the other half of the socket pair, which may still have file
descriptors referring to it.

This can result in inc_inflight_move_tail() erronously increasing the
"inflight" counter for a unix socket for which dec_inflight() wasn't
previously called.  This in turn can trigger the "BUG_ON(total_refs <
inflight_refs)" in a later garbage collection run.

Fix this by only manipulating the "inflight" counter for sockets which
are candidates themselves.  Duplicating the file references in
unix_attach_fds() is also needed to prevent a socket becoming a
candidate for GC while the skb that contains it is not yet queued.

Reported-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-11-09 11:17:33 -08:00
..
9p net/9p: fix printk format warnings 2008-11-05 13:19:07 -06:00
802 net/802/fc.c: Fix compilation warnings 2008-10-15 00:13:53 -07:00
8021q net: fix packet socket delivery in rx irq handler 2008-11-04 14:49:57 -08:00
appletalk net: Rationalise email address: Network Specific Parts 2008-10-13 19:01:08 -07:00
atm net/atm/lec.c: drop code after return 2008-09-22 19:24:45 -07:00
ax25 ax25: Quick fix for making sure unaccepted sockets get destroyed. 2008-10-06 12:53:50 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-10-17 08:58:52 -07:00
bridge net: Fix disjunct computation of netdev features 2008-10-23 01:11:29 -07:00
can net: Remove CONFIG_KMOD from net/ (towards removing CONFIG_KMOD entirely) 2008-10-16 15:24:51 -07:00
core net: Fix recursive descent in __scm_destroy(). 2008-11-06 15:45:32 -08:00
dccp dccp: Port redirection support for DCCP 2008-10-19 23:36:47 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-10-17 08:58:52 -07:00
dsa dsa: fix compile bug on s390 2008-10-13 18:58:48 -07:00
econet netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
ethernet dsa: add support for Trailer tagging format 2008-10-08 17:24:16 -07:00
ieee80211 net/ieee80211: adjust error handling 2008-08-22 16:29:49 -04:00
ipv4 tcp: Fix recvmsg MSG_PEEK influence of blocking behavior. 2008-11-05 03:36:01 -08:00
ipv6 ipv6: fix run pending DAD when interface becomes ready 2008-11-05 01:43:57 -08:00
ipx netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
irda Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-07-20 17:43:29 -07:00
iucv iucv: Fix mismerge again. 2008-09-30 03:03:35 -07:00
key key: fix setkey(8) policy set breakage 2008-10-31 16:41:26 -07:00
lapb
llc netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
mac80211 mac80211: correct warnings in minstrel rate control algorithm 2008-10-27 17:46:11 -04:00
netfilter netfilter: netns ct: walk netns list under RTNL 2008-11-05 03:03:18 -08:00
netlabel netlabel: Fix compilation warnings in net/netlabel/netlabel_addrlist.c 2008-10-30 10:44:48 -04:00
netlink net: Remove CONFIG_KMOD from net/ (towards removing CONFIG_KMOD entirely) 2008-10-16 15:24:51 -07:00
netrom netrom: Fix sock_orphan() use in nr_release 2008-10-06 12:54:57 -07:00
packet net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
phonet Phonet: do not reply to indication reset packets 2008-10-26 23:07:25 -07:00
rfkill Fix logic error in rfkill_check_duplicity 2008-11-06 16:37:09 -05:00
rose netdev: Handle ->addr_list_lock just like ->_xmit_lock for lockdep. 2008-07-22 14:16:42 -07:00
rxrpc net/rxrpc: Use an IS_ERR test rather than a NULL test 2008-08-13 02:40:48 -07:00
sched Merge branch 'timers/range-hrtimers' into v28-range-hrtimers-for-linus-v2 2008-10-22 09:48:06 +02:00
sctp sctp: Fix to handle SHUTDOWN in SHUTDOWN_RECEIVED state 2008-10-23 01:01:18 -07:00
sunrpc SUNRPC: Fix potential race in put_rpccred() 2008-10-28 15:21:42 -04:00
tipc tipc: Don't use structure names which easily globally conflict. 2008-09-02 23:38:32 -07:00
unix net: unix: fix inflight counting bug in garbage collector 2008-11-09 11:17:33 -08:00
wanrouter wanmain.c doesn't need syncppp.h 2008-07-23 23:00:36 +02:00
wireless wireless: fix regression caused by regulatory config option 2008-10-26 10:38:52 -07:00
x25 netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
xfrm xfrm: Fix xfrm_policy_gc_lock handling. 2008-11-03 19:11:29 -08:00
compat.c flag parameters: paccept 2008-07-24 10:47:27 -07:00
Kconfig net: Distributed Switch Architecture protocol support 2008-10-08 17:15:19 -07:00
Makefile net: Distributed Switch Architecture protocol support 2008-10-08 17:15:19 -07:00
nonet.c
socket.c saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
sysctl_net.c missing bits of net-namespace / sysctl 2008-07-27 09:45:34 -07:00
TUNABLE