From 6b87bd30c8f270a0e6dd9576944b7b9acd2380aa Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 14:07:22 -0700 Subject: [PATCH] 3.14-stable patches added patches: initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch ipvs-do-not-use-random-local-source-address-for-tunnels.patch ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
---
 ...m-ipc-objects-before-doing-ipc_addid.patch | 112 ++++++++++++++++++ ...dom-local-source-address-for-tunnels.patch | 43 +++++++ ...-crash-with-sync-protocol-v0-and-ftp.patch | 32 +++++ queue-3.14/series | 3 + 4 files changed, 190 insertions(+) create mode 100644 queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch create mode 100644 queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch create mode 100644 queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
diff --git a/queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch b/queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
new file mode 100644
index 00000000000..5d5df6fa0b1
--- /dev/null
+++ b/queue-3.14/initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
@@ -0,0 +1,112 @@
+From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 30 Sep 2015 12:48:40 -0400
+Subject: Initialize msg/shm IPC objects before doing ipc_addid()
+
+From: Linus Torvalds
+
+commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
+
+As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
+having initialized the IPC object state. Yes, we initialize the IPC
+object in a locked state, but with all the lockless RCU lookup work,
+that IPC object lock no longer means that the state cannot be seen.
+
+We already did this for the IPC semaphore code (see commit e8577d1f0329:
+"ipc/sem.c: fully initialize sem_array before making it visible") but we
+clearly forgot about msg and shm.
+
+Reported-by: Dmitry Vyukov
+Cc: Manfred Spraul
+Cc: Davidlohr Bueso
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/msg.c | 14 +++++++-------
+ ipc/shm.c | 12 ++++++------
+ ipc/util.c | 8 ++++----
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -202,13 +202,6 @@ static int newque(struct ipc_namespace *
+ return retval;
+ }
+
+- /* ipc_addid() locks msq upon success. */
+- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+- if (id < 0) {
+- ipc_rcu_putref(msq, msg_rcu_free);
+- return id;
+- }
+-
+ msq->q_stime = msq->q_rtime = 0;
+ msq->q_ctime = get_seconds();
+ msq->q_cbytes = msq->q_qnum = 0;
+@@ -218,6 +211,13 @@ static int newque(struct ipc_namespace *
+ INIT_LIST_HEAD(&msq->q_receivers);
+ INIT_LIST_HEAD(&msq->q_senders);
+
++ /* ipc_addid() locks msq upon success. */
++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
++ if (id < 0) {
++ ipc_rcu_putref(msq, msg_rcu_free);
++ return id;
++ }
++
+ ipc_unlock_object(&msq->q_perm);
+ rcu_read_unlock();
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -543,12 +543,6 @@ static int newseg(struct ipc_namespace *
+ if (IS_ERR(file))
+ goto no_file;
+
+- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
+- if (id < 0) {
+- error = id;
+- goto no_id;
+- }
+-
+ shp->shm_cprid = task_tgid_vnr(current);
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+@@ -558,6 +552,12 @@ static int newseg(struct ipc_namespace *
+ shp->shm_file = file;
+ shp->shm_creator = current;
+
++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
++ if (id < 0) {
++ error = id;
++ goto no_id;
++ }
++
+ /*
+ * shmid gets reported as "inode#" in /proc/pid/maps.
+ * proc-ps tools use this. Changing this will break them.
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -277,6 +277,10 @@ int ipc_addid(struct ipc_ids *ids, struc
+ rcu_read_lock();
+ spin_lock(&new->lock);
+
++ current_euid_egid(&euid, &egid);
++ new->cuid = new->uid = euid;
++ new->gid = new->cgid = egid;
++
+ id = idr_alloc(&ids->ipcs_idr, new,
+ (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
+ GFP_NOWAIT);
+@@ -289,10 +293,6 @@ int ipc_addid(struct ipc_ids *ids, struc
+
+ ids->in_use++;
+
+- current_euid_egid(&euid, &egid);
+- new->cuid = new->uid = euid;
+- new->gid = new->cgid = egid;
+-
+ if (next_id < 0) {
+ new->seq = ids->seq++;
+ if (ids->seq > IPCID_SEQ_MAX)
diff --git a/queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch b/queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch
new file mode 100644
index 00000000000..845f2c7bcde
--- /dev/null
+++ b/queue-3.14/ipvs-do-not-use-random-local-source-address-for-tunnels.patch
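Review bot: In the ipc/util.c part of this patch, ipc_addid() still assigns `new->seq` only after `idr_alloc()` has published the object, as the trailing context of the last hunk shows, so the ordering the commit message asks for is achieved for uid/gid and for the msg/shm fields but not for the sequence number. The message itself notes that the object lock no longer hides state from lockless RCU lookups, so a reader that finds the object in that window could compare against a stale `seq`; whether any lookup path actually trusts `seq` before taking `new->lock` is not visible here and should be confirmed. Until that is settled I would at least document it above the call: `/* new->seq is still assigned after idr_alloc(); lockless readers must take new->lock before trusting it */`. The body of ipc_addid() continues outside the hunk, as do newque() and newseg().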
@@ -0,0 +1,43 @@
+From 4754957f04f5f368792a0eb7dab0ae89fb93dcfd Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Sat, 27 Jun 2015 14:39:30 +0300
+Subject: ipvs: do not use random local source address for tunnels
+
+From: Julian Anastasov
+
+commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd upstream.
+
+Michael Vallaly reports about wrong source address used
+in rare cases for tunneled traffic. Looks like
+__ip_vs_get_out_rt in 3.10+ is providing uninitialized
+dest_dst->dst_saddr.ip because ip_vs_dest_dst_alloc uses
+kmalloc. While we retry after seeing EINVAL from routing
+for data that does not look like valid local address, it
+still succeeded when this memory was previously used from
+other dests and with different local addresses. As result,
+we can use valid local address that is not suitable for
+our real server.
+
+Fix it by providing 0.0.0.0 every time our cache is refreshed.
+By this way we will get preferred source address from routing.
+
+Reported-by: Michael Vallaly
+Fixes: 026ace060dfe ("ipvs: optimize dst usage for real server")
+Signed-off-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -129,7 +129,6 @@ static struct rtable *do_output_route4(s
+
+ memset(&fl4, 0, sizeof(fl4));
+ fl4.daddr = daddr;
+- fl4.saddr = (rt_mode & IP_VS_RT_MODE_CONNECT) ? *saddr : 0;
+ fl4.flowi4_flags = (rt_mode & IP_VS_RT_MODE_KNOWN_NH) ?
+ FLOWI_FLAG_KNOWN_NH : 0;
+
diff --git a/queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch b/queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
new file mode 100644
index 00000000000..6f6338e9692
--- /dev/null
+++ b/queue-3.14/ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
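Review bot: Dropping the `fl4.saddr` assignment in do_output_route4() stops the stale value from being consumed, but the source the commit message names, `dest_dst->dst_saddr.ip` left uninitialized because ip_vs_dest_dst_alloc uses kmalloc, is not touched by this patch. A field that is later read as an address should not carry old heap contents, so zero-initialising it at allocation (kzalloc, or an explicit `dest_dst->dst_saddr.ip = 0;`) would be cheap defence in depth, assuming the allocation looks the way the message describes. In the hunk itself the zero source address is now implicit in the `memset`, which deserves a comment such as `/* fl4.saddr stays 0 so routing selects the preferred source address */`. The function starts and ends outside the hunk, so whether `*saddr` and `IP_VS_RT_MODE_CONNECT` are still read further down cannot be checked from here.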
@@ -0,0 +1,32 @@
+From 56184858d1fc95c46723436b455cb7261cd8be6f Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Wed, 8 Jul 2015 08:31:33 +0300
+Subject: ipvs: fix crash with sync protocol v0 and FTP
+
+From: Julian Anastasov
+
+commit 56184858d1fc95c46723436b455cb7261cd8be6f upstream.
+
+Fix crash in 3.5+ if FTP is used after switching
+sync_version to 0.
+
+Fixes: 749c42b620a9 ("ipvs: reduce sync rate with time thresholds")
+Signed-off-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -612,7 +612,7 @@ static void ip_vs_sync_conn_v0(struct ne
+ pkts = atomic_add_return(1, &cp->in_pkts);
+ else
+ pkts = sysctl_sync_threshold(ipvs);
+- ip_vs_sync_conn(net, cp->control, pkts);
++ ip_vs_sync_conn(net, cp, pkts);
+ }
+ }
+
diff --git a/queue-3.14/series b/queue-3.14/series
index 7ac7b38592f..657ee78b087 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -46,3 +46,6 @@ usb-whiteheat-fix-potential-null-deref-at-probe.patch
 usb-xhci-clear-xhci_state_dying-on-start.patch
 xhci-change-xhci-1.0-only-restrictions-to-support-xhci-1.1.patch
 usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
+initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
+ipvs-do-not-use-random-local-source-address-for-tunnels.patch
+ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
-- 2.47.3
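Review bot: The corrected call `ip_vs_sync_conn(net, cp, pkts)` is only safe if `cp` has already been rebound to the controlling connection and checked for NULL before `cp->in_pkts` is read, and neither step is visible because the enclosing block of ip_vs_sync_conn_v0() starts outside the hunk. Presumably one variable serves as both the connection and its controller, which would explain how `cp->control` ended up one dereference too far; a dedicated local such as `struct ip_vs_conn *ctl = cp->control;` used for the controller branch would make that mistake harder to repeat. If the variable is kept, a comment on the call would do: `/* cp is the controlling connection here, not the original one */`.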