3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:07:22 +0000 (14:07 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:07:22 +0000 (14:07 -0700)
added patches:
initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
ipvs-do-not-use-random-local-source-address-for-tunnels.patch
ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch

queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch [new file with mode: 0644]
queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch [new file with mode: 0644]
queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch b/queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
new file mode 100644 (file)
index 0000000..5d5df6f
--- /dev/null
@@ -0,0 +1,112 @@
+From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state.  Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msg.c  |   14 +++++++-------
+ ipc/shm.c  |   12 ++++++------
+ ipc/util.c |    8 ++++----
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -202,13 +202,6 @@ static int newque(struct ipc_namespace *
+               return retval;
+       }
+-      /* ipc_addid() locks msq upon success. */
+-      id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+-      if (id < 0) {
+-              ipc_rcu_putref(msq, msg_rcu_free);
+-              return id;
+-      }
+-
+       msq->q_stime = msq->q_rtime = 0;
+       msq->q_ctime = get_seconds();
+       msq->q_cbytes = msq->q_qnum = 0;
+@@ -218,6 +211,13 @@ static int newque(struct ipc_namespace *
+       INIT_LIST_HEAD(&msq->q_receivers);
+       INIT_LIST_HEAD(&msq->q_senders);
++      /* ipc_addid() locks msq upon success. */
++      id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++      if (id < 0) {
++              ipc_rcu_putref(msq, msg_rcu_free);
++              return id;
++      }
++
+       ipc_unlock_object(&msq->q_perm);
+       rcu_read_unlock();
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -543,12 +543,6 @@ static int newseg(struct ipc_namespace *
+       if (IS_ERR(file))
+               goto no_file;
+-      id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+-      if (id < 0) {
+-              error = id;
+-              goto no_id;
+-      }
+-
+       shp->shm_cprid = task_tgid_vnr(current);
+       shp->shm_lprid = 0;
+       shp->shm_atim = shp->shm_dtim = 0;
+@@ -558,6 +552,12 @@ static int newseg(struct ipc_namespace *
+       shp->shm_file = file;
+       shp->shm_creator = current;
++      id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++      if (id < 0) {
++              error = id;
++              goto no_id;
++      }
++
+       /*
+        * shmid gets reported as "inode#" in /proc/pid/maps.
+        * proc-ps tools use this. Changing this will break them.
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struc
+       rcu_read_lock();
+       spin_lock(&new->lock);
++      current_euid_egid(&euid, &egid);
++      new->cuid = new->uid = euid;
++      new->gid = new->cgid = egid;
++
+       id = idr_alloc(&ids->ipcs_idr, new,
+                      (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+                      GFP_NOWAIT);
+@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struc
+       ids->in_use++;
+-      current_euid_egid(&euid, &egid);
+-      new->cuid = new->uid = euid;
+-      new->gid = new->cgid = egid;
+-
+       if (next_id < 0) {
+               new->seq = ids->seq++;
+               if (ids->seq > IPCID_SEQ_MAX)
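Review bot: In the ipc/util.c part of this patch, `new->seq` is still assigned after `idr_alloc()` has inserted the object (see the trailing context `new->seq = ids->seq++;`), so the initialize-before-visible rule applied to msg and shm does not yet cover the whole permission header. Whether any lockless lookup reads the sequence number before taking `new->lock` is outside these hunks and should be confirmed; if one does, it could compare against a value that has not been written yet. At minimum I would add a comment above the `idr_alloc()` call, e.g. `/* Everything a lockless RCU lookup may read must be set above; seq and id are still written below under new->lock. */`. ipc_addid(), newque() and newseg() all begin and end outside the hunks shown, so the error paths (`no_id`, the unlock on `id < 0`) could not be checked here.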
diff --git a/queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch b/queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch
new file mode 100644 (file)
index 0000000..845f2c7
--- /dev/null
@@ -0,0 +1,43 @@
+From 4754957f04f5f368792a0eb7dab0ae89fb93dcfd Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 27 Jun 2015 14:39:30 +0300
+Subject: ipvs: do not use random local source address for tunnels
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd upstream.
+
+Michael Vallaly reports about wrong source address used
+in rare cases for tunneled traffic. Looks like
+__ip_vs_get_out_rt in 3.10+ is providing uninitialized
+dest_dst->dst_saddr.ip because ip_vs_dest_dst_alloc uses
+kmalloc. While we retry after seeing EINVAL from routing
+for data that does not look like valid local address, it
+still succeeded when this memory was previously used from
+other dests and with different local addresses. As result,
+we can use valid local address that is not suitable for
+our real server.
+
+Fix it by providing 0.0.0.0 every time our cache is refreshed.
+By this way we will get preferred source address from routing.
+
+Reported-by: Michael Vallaly <lvs@nolatency.com>
+Fixes: 026ace060dfe ("ipvs: optimize dst usage for real server")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_xmit.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -129,7 +129,6 @@ static struct rtable *do_output_route4(s
+       memset(&fl4, 0, sizeof(fl4));
+       fl4.daddr = daddr;
+-      fl4.saddr = (rt_mode & IP_VS_RT_MODE_CONNECT) ? *saddr : 0;
+       fl4.flowi4_flags = (rt_mode & IP_VS_RT_MODE_KNOWN_NH) ?
+                          FLOWI_FLAG_KNOWN_NH : 0;
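Review bot: With the assignment removed, `fl4.saddr` is zero only because of `memset(&fl4, 0, sizeof(fl4));` two lines earlier, and nothing at this site says that is intentional. I would add a comment after `fl4.daddr = daddr;`, e.g. `/* fl4.saddr stays 0 from the memset: let routing pick the source, never use the cached *saddr as input */`, so a later cleanup of the memset or a re-added initializer does not bring the bug back. The description attributes the bad value to a kmalloc'd `dest_dst->dst_saddr.ip`; this change stops feeding it into the flow key here but leaves the field uninitialized at allocation, so zeroing it where it is allocated would be a sturdier defence. The rest of do_output_route4 is outside the hunk, so any remaining read of `*saddr` further down should be checked against the same concern.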
diff --git a/queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch b/queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
new file mode 100644 (file)
index 0000000..6f6338e
--- /dev/null
@@ -0,0 +1,32 @@
+From 56184858d1fc95c46723436b455cb7261cd8be6f Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Wed, 8 Jul 2015 08:31:33 +0300
+Subject: ipvs: fix crash with sync protocol v0 and FTP
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 56184858d1fc95c46723436b455cb7261cd8be6f upstream.
+
+Fix crash in 3.5+ if FTP is used after switching
+sync_version to 0.
+
+Fixes: 749c42b620a9 ("ipvs: reduce sync rate with time thresholds")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_sync.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -612,7 +612,7 @@ static void ip_vs_sync_conn_v0(struct ne
+                       pkts = atomic_add_return(1, &cp->in_pkts);
+               else
+                       pkts = sysctl_sync_threshold(ipvs);
+-              ip_vs_sync_conn(net, cp->control, pkts);
++              ip_vs_sync_conn(net, cp, pkts);
+       }
+ }
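Review bot: The corrected call `ip_vs_sync_conn(net, cp, pkts);` gives no hint why `cp` rather than `cp->control` is the right argument, and the description only says it fixes a crash. The lines that set up `cp` are above the hunk; presumably `cp` has already been advanced to the controlling connection, in which case the old code passed that controller's own, possibly NULL, `->control`. A one-line comment before the call, e.g. `/* cp is already the controller here; do not follow ->control again */`, would keep the mistake from being reintroduced. ip_vs_sync_conn_v0 begins outside the hunk, so that assumption needs confirming against the full function.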
index 7ac7b38592f6380029112953ceb01dfdea50e1e0..657ee78b087cbbc9e376be0267af96d59e9b6b60 100644 (file)
@@ -46,3 +46,6 @@ usb-whiteheat-fix-potential-null-deref-at-probe.patch
 usb-xhci-clear-xhci_state_dying-on-start.patch
 xhci-change-xhci-1.0-only-restrictions-to-support-xhci-1.1.patch
 usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
+initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
+ipvs-do-not-use-random-local-source-address-for-tunnels.patch
+ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch