From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 21:07:32 +0000 (-0700) Subject: 4.2-stable patches X-Git-Tag: v3.10.91~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08ac977e5adab235d0480d70aeaa1413495187ba;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: batman-adv-make-dat-capability-changes-atomic.patch initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
---
diff --git a/queue-4.2/batman-adv-make-dat-capability-changes-atomic.patch b/queue-4.2/batman-adv-make-dat-capability-changes-atomic.patch
new file mode 100644
index 00000000000..5586baa5502
--- /dev/null
+++ b/queue-4.2/batman-adv-make-dat-capability-changes-atomic.patch
@@ -0,0 +1,80 @@
+From 65d7d46050704bcdb8121ddbf4110bfbf2b38baa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?=
+Date: Tue, 16 Jun 2015 17:10:22 +0200
+Subject: batman-adv: Make DAT capability changes atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Linus=20L=C3=BCssing?=
+
+commit 65d7d46050704bcdb8121ddbf4110bfbf2b38baa upstream.
+
+Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
+OGM handler might undo the set/clear of a specific bit from another
+handler run in between.
+
+Fix this by using the atomic set_bit()/clear_bit()/test_bit() functions.
+
+Fixes: 17cf0ea455f1 ("batman-adv: tvlv - add distributed arp table container")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Marek Lindner
+Signed-off-by: Antonio Quartulli
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/distributed-arp-table.c | 7 ++++---
+ net/batman-adv/types.h | 4 ++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -19,6 +19,7 @@
+ #include "main.h"
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -453,7 +454,7 @@ static bool batadv_is_orig_node_eligible
+ int j;
+
+ /* check if orig node candidate is running DAT */
+- if (!(candidate->capabilities & BATADV_ORIG_CAPA_HAS_DAT))
++ if (!test_bit(BATADV_ORIG_CAPA_HAS_DAT, &candidate->capabilities))
+ goto out;
+
+ /* Check if this node has already been selected... */
+@@ -713,9 +714,9 @@ static void batadv_dat_tvlv_ogm_handler_
+ uint16_t tvlv_value_len)
+ {
+ if (flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND)
+- orig->capabilities &= ~BATADV_ORIG_CAPA_HAS_DAT;
++ clear_bit(BATADV_ORIG_CAPA_HAS_DAT, &orig->capabilities);
+ else
+- orig->capabilities |= BATADV_ORIG_CAPA_HAS_DAT;
++ set_bit(BATADV_ORIG_CAPA_HAS_DAT, &orig->capabilities);
+ }
+
+ /**
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -273,7 +273,7 @@ struct batadv_orig_node {
+ struct hlist_node mcast_want_all_ipv4_node;
+ struct hlist_node mcast_want_all_ipv6_node;
+ #endif
+- uint8_t capabilities;
++ unsigned long capabilities;
+ uint8_t capa_initialized;
+ atomic_t last_ttvn;
+ unsigned char *tt_buff;
+@@ -313,7 +313,7 @@ struct batadv_orig_node {
+ * (= orig node announces a tvlv of type BATADV_TVLV_MCAST)
+ */
+ enum batadv_orig_capabilities {
+- BATADV_ORIG_CAPA_HAS_DAT = BIT(0),
++ BATADV_ORIG_CAPA_HAS_DAT,
+ BATADV_ORIG_CAPA_HAS_NC = BIT(1),
+ BATADV_ORIG_CAPA_HAS_TT = BIT(2),
+ BATADV_ORIG_CAPA_HAS_MCAST = BIT(3),
diff --git a/queue-4.2/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch b/queue-4.2/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
new file mode 100644
index 00000000000..4f7c4525326
--- /dev/null
+++ b/queue-4.2/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
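Review bot: In the types.h part of this queued patch, `BATADV_ORIG_CAPA_HAS_DAT` becomes a bit number (0) for set_bit()/test_bit() while `BATADV_ORIG_CAPA_HAS_NC`, `BATADV_ORIG_CAPA_HAS_TT` and `BATADV_ORIG_CAPA_HAS_MCAST` stay `BIT(n)` masks, so one enum now mixes two encodings. Any mask-style use of the DAT constant that is not visible in these hunks (for example against `capa_initialized`, which stays `uint8_t`) would silently test against 0, so the remaining users should be checked if this patch is queued without the conversions of the other entries. I would record the split on the enum, e.g. `/* HAS_DAT is a bit number for set_bit()/test_bit(); the BIT(n) entries below are still masks */`. The struct and enum bodies continue outside the hunks.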
@@ -0,0 +1,113 @@
+From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+From: Linus Torvalds
+
+commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov
+Cc: Manfred Spraul
+Cc: Davidlohr Bueso
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/msg.c | 14 +++++++-------
+ ipc/shm.c | 13 +++++++------
+ ipc/util.c | 8 ++++----
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *
+ return retval;
+ }
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+ msq->q_stime = msq->q_rtime = 0;
+ msq->q_ctime = get_seconds();
+ msq->q_cbytes = msq->q_qnum = 0;
+@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *
+ INIT_LIST_HEAD(&msq->q_receivers);
+ INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ ipc_unlock_object(&msq->q_perm);
+ rcu_read_unlock();
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *
+ if (IS_ERR(file))
+ goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+ shp->shm_cprid = task_tgid_vnr(current);
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *
+ shp->shm_nattch = 0;
+ shp->shm_file = file;
+ shp->shm_creator = current;
++
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+ list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist);
+
+ /*
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struc
+ rcu_read_lock();
+ spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+ id = idr_alloc(&ids->ipcs_idr, new,
+ (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+ GFP_NOWAIT);
+@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struc
+
+ ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+ if (next_id < 0) {
+ new->seq = ids->seq++;
+ if (ids->seq > IPCID_SEQ_MAX)
diff --git a/queue-4.2/series b/queue-4.2/series
index 234e717636a..93215ff3256 100644
--- a/queue-4.2/series
+++ b/queue-4.2/series
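Review bot: In the ipc/util.c part, `new->seq = ids->seq++;` still runs after `idr_alloc()` has published the object, so the visibility window the commit message describes for lockless RCU lookups appears to remain for the sequence number. Only the uid/gid assignments are moved ahead of `idr_alloc()`; a lookup that validates `seq` before taking `new->lock` could presumably compare against a value that has not been written yet. ipc_addid's body continues outside the hunk, so whether other fields are also set after publication cannot be seen here. If moving the seq assignment is out of scope for a stable backport, a comment at the `idr_alloc()` call would at least record the gap, e.g. `/* new->seq is written after this point; lookups must take new->lock before trusting it */`.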
@@ -160,3 +160,5 @@ usb-xhci-exit-early-in-xhci_setup_device-if-we-re-halted-or-dying.patch
 xhci-change-xhci-1.0-only-restrictions-to-support-xhci-1.1.patch
 xhci-init-command-timeout-timer-earlier-to-avoid-deleting-it-uninitialized.patch
 usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
+initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
+batman-adv-make-dat-capability-changes-atomic.patch