github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-11 08:03:05 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
b64a172c19
linux/net
History
Sasha Levin dd5b0b7317 9p: fix off by one causing access violations and memory corruption 
[ Upstream commit 110ecd69a9 ]

p9_release_pages() would attempt to dereference one value past the end of
pages[]. This would cause the following crashes:

[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
[ 6293.174146] IP: [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 6293.180060] Modules linked in:
[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G        W    3.10.0-next-20130710-sasha #3954
[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
[ 6293.180060] RIP: 0010:[<ffffffff8412793b>]  [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.214316] RSP: 0000:ffff880787ddfc28  EFLAGS: 00010202
[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
[ 6293.222017] FS:  00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
[ 6293.256784] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
[ 6293.256784] Stack:
[ 6293.256784]  ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
[ 6293.256784]  ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
[ 6293.256784]  ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
[ 6293.256784] Call Trace:
[ 6293.256784]  [<ffffffff84128be8>] p9_virtio_zc_request+0x598/0x630
[ 6293.256784]  [<ffffffff8115c610>] ? wake_up_bit+0x40/0x40
[ 6293.256784]  [<ffffffff841209b1>] p9_client_zc_rpc+0x111/0x3a0
[ 6293.256784]  [<ffffffff81174b78>] ? sched_clock_cpu+0x108/0x120
[ 6293.256784]  [<ffffffff84122a21>] p9_client_read+0xe1/0x2c0
[ 6293.256784]  [<ffffffff81708a90>] v9fs_file_read+0x90/0xc0
[ 6293.256784]  [<ffffffff812bd073>] vfs_read+0xc3/0x130
[ 6293.256784]  [<ffffffff811a78bd>] ? trace_hardirqs_on+0xd/0x10
[ 6293.256784]  [<ffffffff812bd5a2>] SyS_read+0x62/0xa0
[ 6293.256784]  [<ffffffff841a1a00>] tracesys+0xdd/0xe2
[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
[ 6293.256784] RIP  [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.256784]  RSP <ffff880787ddfc28>
[ 6293.256784] CR2: ffff8807c96f3000
[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-28 16:26:05 -07:00
..
9p 9p: fix off by one causing access violations and memory corruption 2013-07-28 16:26:05 -07:00
802 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-04-02 17:53:39 -07:00
8021q net: vlan,ethtool: netdev_features_t is more than 32 bit 2013-05-19 10:54:45 -07:00
appletalk net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
atm atm: update msg_namelen in vcc_recvmsg() 2013-05-01 09:41:04 -07:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2013-05-01 09:41:04 -07:00
batman-adv batman-adv: fix random jitter calculation 2013-01-11 09:07:03 -08:00
bluetooth Bluetooth: Fix crash in l2cap_build_cmd() with small MTU 2013-07-03 10:59:00 -07:00
bridge bridge: fix switched interval for MLD Query types 2013-07-28 16:25:53 -07:00
caif caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() 2013-05-01 09:41:04 -07:00
can can: gw: use kmem_cache_free() instead of kfree() 2013-04-12 09:38:47 -07:00
ceph libceph: Fix NULL pointer dereference in auth client code 2013-07-13 11:03:40 -07:00
core neighbour: fix a race in neigh_destroy() 2013-07-28 16:25:58 -07:00
dcb dcbnl: fix various netlink info leaks 2013-03-20 13:05:02 -07:00
dccp inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock 2013-01-11 09:07:14 -08:00
decnet Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
dns_resolver KEYS: Allow special keyrings to be cleared 2012-01-19 14:38:51 +11:00
dsa dsa: Move switch drivers to new directory drivers/net/dsa 2011-11-29 00:21:36 -05:00
econet Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
ethernet Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
ieee802154 6lowpan: Fix endianness issue in is_addr_link_local(). 2013-03-20 13:05:02 -07:00
ipv4 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data 2013-07-28 16:26:02 -07:00
ipv6 ipv6: in case of link failure remove route directly instead of letting it expire 2013-07-28 16:26:05 -07:00
ipx net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
irda irda: Fix missing msg_namelen update in irda_recvmsg_dgram() 2013-05-01 09:41:05 -07:00
iucv iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() 2013-05-01 09:41:05 -07:00
key af_key: fix info leaks in notify messages 2013-07-28 16:25:57 -07:00
l2tp l2tp: add missing .owner to struct pppox_proto 2013-07-28 16:26:02 -07:00
lapb Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-05-01 09:41:05 -07:00
mac80211 mac80211: close AP_VLAN interfaces before unregistering all 2013-06-07 12:49:49 -07:00
netfilter ipvs: ip_vs_sip_fill_param() BUG: bad check of return value 2013-05-11 13:48:08 -07:00
netlabel netlabel: improve domain mapping validation 2013-06-27 11:27:31 -07:00
netlink thermal: shorten too long mcast group name 2013-04-05 10:04:38 -07:00
netrom netrom: fix invalid use of sizeof in nr_recvmsg() 2013-05-01 09:41:06 -07:00
nfc NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() 2013-05-01 09:41:05 -07:00
openvswitch openvswitch: Reset upper layer protocol info on internal devices. 2012-10-02 10:29:50 -07:00
packet packet: packet_getname_spkt: make sure string is always 0-terminated 2013-06-27 11:27:33 -07:00
phonet phonet: Sort out initiailziation and cleanup code. 2012-04-13 11:01:43 -04:00
rds rds: limit the size allocated by rds_message_alloc() 2013-03-20 13:05:01 -07:00
rfkill device.h: cleanup users outside of linux/include (C files) 2012-03-11 14:27:37 -04:00
rose rose: fix info leak via msg_name in rose_recvmsg() 2013-05-01 09:41:05 -07:00
rxrpc RxRPC: Fix kcalloc parameters swapped 2012-02-14 14:41:55 -05:00
sched net_sched: act_ipt forward compat with xtables 2013-05-19 10:54:45 -07:00
sctp net: sctp: fix NULL pointer dereference in socket destruction 2013-06-27 11:27:32 -07:00
sunrpc SUNRPC: Add barriers to ensure read ordering in rpc_wake_up_task_queue_locked 2013-04-05 10:04:14 -07:00
tipc tipc: fix info leaks via msg_name in recv_msg/recv_stream 2013-05-01 09:41:05 -07:00
unix af_unix: If we don't care about credentials coallesce all messages 2013-05-01 09:41:07 -07:00
wanrouter wanmain: comparing array with NULL 2012-08-09 08:31:51 -07:00
wimax net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
wireless wireless: regulatory: fix channel disabling race condition 2013-05-07 19:51:56 -07:00
x25 x25: Fix broken locking in ioctl error paths. 2013-07-28 16:25:58 -07:00
xfrm xfrm_user: ensure user supplied esn replay window is valid 2012-10-13 05:38:41 +09:00
compat.c net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg 2013-06-27 11:27:32 -07:00
Kconfig net: Add Open vSwitch kernel components. 2011-12-03 09:35:17 -08:00
Makefile net: Add Open vSwitch kernel components. 2011-12-03 09:35:17 -08:00
nonet.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
socket.c net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg 2013-06-27 11:27:32 -07:00
sysctl_net.c sysctl: Modify __register_sysctl_paths to take a set instead of a root and an nsproxy 2012-01-24 16:40:30 -08:00