date:20170315

[Devel] [PATCH 2/2] ext4/mfsync: Prevent resource abuse

2017-03-15 Thread Dmitry Monakhov

- Mfsync is not standard interface let's hide it from VEs
- Limit number of files in single request.


https://jira.sw.ru/browse/PSBM-59965
https://jira.sw.ru/browse/PSBM-59966
Signed-off-by: Dmitry Monakhov 
---
 fs/ext4/ioctl.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index cd831d5..9232330 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -783,12 +783,17 @@ resize_out:
__u32 __user *usr_fd;
int i, err;
 
+   if (!ve_is_super(get_exec_env()))
+   return -ENOTSUPP;
if (copy_from_user(&mfsync, (struct ext4_ioc_mfsync_info *)arg,
   sizeof(mfsync)))
return -EFAULT;
 
if (mfsync.size == 0)
return 0;
+   if (mfsync.size > NR_FILE)
+   return -ENFILE;
+
usr_fd = (__u32 __user *) (arg + sizeof(__u32));
 
filpp = kzalloc(mfsync.size * sizeof(*filp), GFP_KERNEL);
-- 
1.8.3.1

___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH 1/2] mfsync: cleanup

2017-03-15 Thread Dmitry Monakhov

Long time ago prink was used for debug purposes only, and was merged by 
occasion,
it was cleanedup in b4d7159537296b, but resurected after rebase. Let's kill it 
completely.

Signed-off-by: Dmitry Monakhov 
---
 fs/ext4/ioctl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index bb372fa..cd831d5 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -784,10 +784,9 @@ resize_out:
int i, err;
 
if (copy_from_user(&mfsync, (struct ext4_ioc_mfsync_info *)arg,
-  sizeof(mfsync))) {
-   printk("%s:%d", __FUNCTION__, __LINE__);
+  sizeof(mfsync)))
return -EFAULT;
-   }
+
if (mfsync.size == 0)
return 0;
usr_fd = (__u32 __user *) (arg + sizeof(__u32));
-- 
1.8.3.1

___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH RHEL7 COMMIT] ms/TTY: n_hdlc, fix lockdep false positive

2017-03-15 Thread Konstantin Khorenko

The commit is pushed to "branch-rh7-3.10.0-514.10.2.vz7.29.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.10.2.vz7.29.3
-->
commit 7dcc64d7bb8a3dff22453d99046ade62cf72b28c
Author: Jiri Slaby 
Date:   Thu Nov 26 19:28:26 2015 +0100

ms/TTY: n_hdlc, fix lockdep false positive

The class of 4 n_hdls buf locks is the same because a single function
n_hdlc_buf_list_init is used to init all the locks. But since
flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
emits a warning:
=
[ INFO: possible recursive locking detected ]
4.3.0-25.g91e30a7-default #1 Not tainted
-
a.out/1248 is trying to acquire lock:
 (&(&list->spinlock)->rlock){..}, at: [] 
n_hdlc_buf_put+0x20/0x60 [n_hdlc]

but task is already holding lock:
 (&(&list->spinlock)->rlock){..}, at: [] 
n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(&(&list->spinlock)->rlock);
  lock(&(&list->spinlock)->rlock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by a.out/1248:
 #0:  (&tty->ldisc_sem){++}, at: [] 
tty_ldisc_ref_wait+0x20/0x50
 #1:  (&(&list->spinlock)->rlock){..}, at: [] 
n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
...
Call Trace:
...
 [] _raw_spin_lock_irqsave+0x50/0x70
 [] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
 [] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
 [] tty_ioctl+0x3f1/0xe40
...

Fix it by initializing the spin_locks separately. This removes also
reduntand memset of a freshly kzallocated space.

Signed-off-by: Jiri Slaby 
Reported-by: Dmitry Vyukov 
Signed-off-by: Greg Kroah-Hartman 
(cherry picked from commit e9b736d88af1a143530565929390cadf036dc799)

Cleanup, easier to apply next patch with it.
https://jira.sw.ru/browse/PSBM-61963

Signed-off-by: Konstantin Khorenko 
---
 drivers/tty/n_hdlc.c | 19 ---
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 1b2db9a..f26657c 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -159,7 +159,6 @@ struct n_hdlc {
 /*
  * HDLC buffer list manipulation functions
  */
-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
 static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
   struct n_hdlc_buf *buf);
 static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
 
memset(n_hdlc, 0, sizeof(*n_hdlc));
 
-   n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-   n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-   n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-   n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
+   spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
+   spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+   spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+   spin_lock_init(&n_hdlc->tx_buf_list.spinlock);

/* allocate free rx buffer list */
for(i=0;ispinlock);
-}  /* end of n_hdlc_buf_list_init() */
-
-/**
  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
  * @list - pointer to buffer list
  * @buf- pointer to buffer
___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH RHEL7 COMMIT] ms/tty: n_hdlc: get rid of racy n_hdlc.tbuf

2017-03-15 Thread Konstantin Khorenko

The commit is pushed to "branch-rh7-3.10.0-514.10.2.vz7.29.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.10.2.vz7.29.3
-->
commit 2219f6091fdf33306879af30a15dd97b1941d7c5
Author: Alexander Popov 
Date:   Tue Feb 28 19:54:40 2017 +0300

ms/tty: n_hdlc: get rid of racy n_hdlc.tbuf

Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.

The commit be10eb7589337e5defbe214dae038a53dd21add8
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().

Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.

Signed-off-by: Alexander Popov 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 
(cherry picked from commit 82f2341c94d270421f383641b7cd670e474db56b)

Fixes CVE-2017-2636
https://jira.sw.ru/browse/PSBM-61962

Signed-off-by:  Vasily Averin 
Acked-by: Konstantin Khorenko 
---
 drivers/tty/n_hdlc.c | 132 +++
 1 file changed, 69 insertions(+), 63 deletions(-)

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index f26657c..66fb076 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -114,7 +114,7 @@
 #define DEFAULT_TX_BUF_COUNT 3
 
 struct n_hdlc_buf {
-   struct n_hdlc_buf *link;
+   struct list_head  list_item;
int   count;
char  buf[1];
 };
@@ -122,8 +122,7 @@ struct n_hdlc_buf {
 #defineN_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
 
 struct n_hdlc_buf_list {
-   struct n_hdlc_buf *head;
-   struct n_hdlc_buf *tail;
+   struct list_head  list;
int   count;
spinlock_tspinlock;
 };
@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
  * @backup_tty - TTY to use if tty gets closed
  * @tbusy - reentrancy flag for tx wakeup code
  * @woke_up - FIXME: describe this field
- * @tbuf - currently transmitting tx buffer
  * @tx_buf_list - list of pending transmit frame buffers
  * @rx_buf_list - list of received frame buffers
  * @tx_free_buf_list - list unused transmit frame buffers
@@ -149,7 +147,6 @@ struct n_hdlc {
struct tty_struct   *backup_tty;
int tbusy;
int woke_up;
-   struct n_hdlc_buf   *tbuf;
struct n_hdlc_buf_list  tx_buf_list;
struct n_hdlc_buf_list  rx_buf_list;
struct n_hdlc_buf_list  tx_free_buf_list;
@@ -159,6 +156,8 @@ struct n_hdlc {
 /*
  * HDLC buffer list manipulation functions
  */
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+   struct n_hdlc_buf *buf);
 static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
   struct n_hdlc_buf *buf);
 static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
 {
struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
struct n_hdlc_buf *buf;
-   unsigned long flags;
 
while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
-   spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-   if (n_hdlc->tbuf) {
-   n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-   n_hdlc->tbuf = NULL;
-   }
-   spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 }
 
 static struct tty_ldisc_ops n_hdlc_ldisc = {
@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
} else
break;
}
-   kfree(n_hdlc->tbuf);
kfree(n_hdlc);

 }  /* end of n_hdlc_release() */
@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, 
struct tty_struct *tty)
n_hdlc->woke_up = 0;
spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 
-   /* get current transmit buffer or get new transmit */
-   /* buffer from list of pending transmit buffers */
-   
-   tbuf = n_hdlc->tbuf;
-   if (!tbuf)
-   tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
-   
+   tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
while (tbuf) {
if (debuglevel >= DEBUG_LEVEL_INFO) 
printk("%s(%d)sending frame %p, count=%d\n",
@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, 
struct tty_struct *tty)
 
/* rollback was possible and has been done */
if (actual == -ERESTARTSYS) {
-

[Devel] [PATCH 2/2] ext4/mfsync: Prevent resource abuse

[Devel] [PATCH 1/2] mfsync: cleanup

[Devel] [PATCH RHEL7 COMMIT] ms/TTY: n_hdlc, fix lockdep false positive

[Devel] [PATCH RHEL7 COMMIT] ms/tty: n_hdlc: get rid of racy n_hdlc.tbuf

4 matches

Site Navigation

Mail list logo

Footer information