linux-stable/net
J. Bruce Fields b57fdc838c svcrpc: fix double-free on shutdown of nfsd after changing pool mode
commit 61c8504c42 upstream.

The pool_to and to_pool fields of the global svc_pool_map are freed on
shutdown, but are initialized in nfsd startup only in the
SVC_POOL_PERCPU and SVC_POOL_PERNODE cases.

They *are* initialized to zero on kernel startup.  So as long as you use
only SVC_POOL_GLOBAL (the default), this will never be a problem.

You're also OK if you only ever use SVC_POOL_PERCPU or SVC_POOL_PERNODE.

However, the following sequence of events leads to a double-free:

	1. set SVC_POOL_PERCPU or SVC_POOL_PERNODE
	2. start nfsd: both fields are initialized.
	3. shutdown nfsd: both fields are freed.
	4. set SVC_POOL_GLOBAL
	5. start nfsd: the fields are left untouched.
	6. shutdown nfsd: now we try to free them again.

Step 4 is actually unnecessary, since (for some bizarre reason), nfsd
automatically resets the pool mode to SVC_POOL_GLOBAL on shutdown.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2012-02-11 15:38:28 +01:00
Name | Last commit | Date
9p | 9p: fix put_data error handling | 2008-09-24 16:22:22 -05:00
802 | list_for_each_rcu must die: networking | 2008-07-25 10:53:27 -07:00
8021q | net: fix packet socket delivery in rx irq handler | 2009-02-06 14:00:36 -08:00
appletalk | appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903) | 2009-11-09 16:52:22 -08:00
atm | ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table | 2008-12-13 15:29:17 -08:00
ax25 | net: ax25: fix information leak to userland harder | 2011-04-30 16:53:40 +02:00
bluetooth | Bluetooth: Prevent buffer overflow in l2cap config request | 2012-02-11 15:37:50 +01:00
bridge | bridge: netfilter: fix information leak | 2011-04-30 16:53:29 +02:00
can | CAN: Use inode instead of kernel address for /proc file | 2011-04-30 16:53:35 +02:00
core | filter: make sure filters dont read uninitialized memory | 2011-04-30 16:53:03 +02:00
dccp | dccp: fix oops on Reset after close | 2011-04-30 16:53:11 +02:00
decnet | DECnet: don't leak uninitialized stack byte | 2010-12-09 13:24:19 -08:00
econet | econet: Fix crash in aun_incoming(). | 2011-04-30 16:53:35 +02:00
ethernet | [NET]: Return more appropriate error from eth_validate_addr(). | 2008-04-13 22:45:40 -07:00
ieee80211 | wext: Emit event stream entries correctly when compat. | 2008-06-16 18:50:49 -07:00
ipv4 | net: Fix oops from tcp_collapse() when using splice() | 2011-04-30 16:53:40 +02:00
ipv6 | ipv6: netfilter: ip6_tables: fix infoleak to userspace | 2011-04-30 16:53:31 +02:00
ipx | netns: Use net_eq() to compare net-namespaces for optimization. | 2008-07-19 22:34:43 -07:00
irda | irda: prevent integer underflow in IRLMP_ENUMDEVICES | 2011-04-30 16:53:35 +02:00
iucv | iucv: Fix mismerge again. | 2008-09-30 03:03:35 -07:00
key | key: fix setkey(8) policy set breakage | 2008-12-18 09:13:38 -08:00
lapb | [LAPB] net/lapb/lapb_iface.c: use LIST_HEAD instead of LIST_HEAD_INIT | 2008-01-28 14:56:52 -08:00
llc | NET: llc, zero sockaddr_llc struct | 2009-09-08 20:17:41 -07:00
mac80211 | mac80211: initialize sta->last_rx in sta_info_alloc | 2011-04-30 16:53:24 +02:00
netfilter | netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack | 2009-05-02 10:23:53 -07:00
netlabel | netns: Use net_eq() to compare net-namespaces for optimization. | 2008-07-19 22:34:43 -07:00
netlink | net: convert BUG_TRAP to generic WARN_ON | 2008-07-25 21:43:18 -07:00
netrom | netrom: Fix nr_getname() leak | 2009-09-08 20:17:42 -07:00
packet | net: packet: fix information leak to userland | 2011-04-30 16:53:33 +02:00
rfkill | rfkill: update LEDs for all state changes | 2008-10-18 10:49:12 -07:00
rose | ROSE: prevent heap corruption with bad facilities | 2011-04-30 16:53:27 +02:00
rxrpc | net/rxrpc: Use an IS_ERR test rather than a NULL test | 2008-08-13 02:40:48 -07:00
sched | net_sched: Fix qdisc_notify() | 2012-02-11 15:37:52 +01:00
sctp | sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set | 2011-04-30 16:53:33 +02:00
sunrpc | svcrpc: fix double-free on shutdown of nfsd after changing pool mode | 2012-02-11 15:38:28 +01:00
tipc | net: tipc: fix information leak to userland | 2011-04-30 16:53:34 +02:00
unix | af_unix: Only allow recv on connected seqpacket sockets. | 2012-02-11 15:37:16 +01:00
wanrouter | wanmain.c doesn't need syncppp.h | 2008-07-23 23:00:36 +02:00
wireless | wext: fix potential private ioctl memory content leak | 2010-10-28 21:04:15 -07:00
x25 | x25: Do not reference freed memory. | 2011-04-30 16:53:09 +02:00
xfrm | ipsec: Fix name of CAST algorithm | 2009-07-30 16:06:12 -07:00
compat.c | flag parameters: paccept | 2008-07-24 10:47:27 -07:00
Kconfig | net: Make "networking" one-click deselectable. | 2008-07-30 03:27:53 -07:00
Makefile | vlan: uninline __vlan_hwaccel_rx | 2008-07-08 03:23:36 -07:00
nonet.c | |
socket.c | net: Truncate recvfrom and sendto length to INT_MAX. | 2010-12-09 13:24:20 -08:00
sysctl_net.c | missing bits of net-namespace / sysctl | 2008-07-27 09:45:34 -07:00
TUNABLE | |