linux/fs/ocfs2
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00
..
cluster net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
dlm ocfs2: fix deadlock risk when kmalloc failed in dlm_query_region_handler 2014-04-03 16:20:55 -07:00
dlmfs ocfs2: remove versioning information 2014-01-21 16:19:41 -08:00
acl.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
acl.h ocfs2: use generic posix ACL infrastructure 2014-01-25 23:58:21 -05:00
alloc.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
alloc.h
aops.c ocfs2: improve fsync efficiency and fix deadlock between aio_write and sync_file 2014-04-03 16:20:53 -07:00
aops.h ocfs2: change ip_unaligned_aio to of type mutex from atomit_t 2014-04-03 16:20:53 -07:00
blockcheck.c
blockcheck.h
buffer_head_io.c ocfs2: do not put bh when buffer_uptodate failed 2014-04-03 16:20:56 -07:00
buffer_head_io.h
dcache.c ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock 2014-04-03 16:20:55 -07:00
dcache.h ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock 2014-04-03 16:20:55 -07:00
dir.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
dir.h
dlmglue.c ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread 2014-04-03 16:20:55 -07:00
dlmglue.h ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread 2014-04-03 16:20:55 -07:00
export.c
export.h
extent_map.c ocfs2: fix the end cluster offset of FIEMAP 2013-09-11 15:56:53 -07:00
extent_map.h
file.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
file.h
heartbeat.c
heartbeat.h
inode.c mm + fs: store shadow entries in page cache 2014-04-03 16:21:01 -07:00
inode.h ocfs2: remove OCFS2_INODE_SKIP_DELETE flag 2014-04-03 16:20:54 -07:00
ioctl.c ocfs2: iput inode alloc when failed locally 2014-04-03 16:20:57 -07:00
ioctl.h
journal.c ocfs2: remove OCFS2_INODE_SKIP_DELETE flag 2014-04-03 16:20:54 -07:00
journal.h ocfs2: improve fsync efficiency and fix deadlock between aio_write and sync_file 2014-04-03 16:20:53 -07:00
Kconfig
localalloc.c ocfs2: free allocated clusters if error occurs after ocfs2_claim_clusters 2014-02-06 13:48:51 -08:00
localalloc.h ocfs2: free allocated clusters if error occurs after ocfs2_claim_clusters 2014-02-06 13:48:51 -08:00
locks.c ocfs2: flock: drop cross-node lock when failed locally 2014-04-03 16:20:56 -07:00
locks.h
Makefile ocfs2: remove versioning information 2014-01-21 16:19:41 -08:00
mmap.c
mmap.h
move_extents.c ocfs2: rollback alloc_dinode counts when ocfs2_block_group_set_bits() failed 2014-04-03 16:20:56 -07:00
move_extents.h
namei.c ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode 2014-04-03 16:20:56 -07:00
namei.h
ocfs1_fs_compat.h
ocfs2_fs.h
ocfs2_ioctl.h
ocfs2_lockid.h
ocfs2_lockingver.h
ocfs2_trace.h ocfs2: lighten up allocate transaction 2013-09-11 15:56:28 -07:00
ocfs2.h ocfs2: avoid system inode ref confusion by adding mutex lock 2014-04-03 16:20:57 -07:00
quota_global.c ocfs2: implement delayed dropping of last dquot reference 2014-04-03 16:20:54 -07:00
quota_local.c ocfs2: fix quota file corruption 2014-03-04 07:55:48 -08:00
quota.h ocfs2: implement delayed dropping of last dquot reference 2014-04-03 16:20:54 -07:00
refcounttree.c ocfs2: use generic posix ACL infrastructure 2014-01-25 23:58:21 -05:00
refcounttree.h ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page 2013-08-13 17:57:49 -07:00
reservations.c
reservations.h
resize.c ocfs2: do not call brelse() if group_bh is not initialized in ocfs2_group_add() 2013-11-13 12:09:01 +09:00
resize.h
slot_map.c
slot_map.h
stack_o2cb.c ocfs2: pass ocfs2_cluster_connection to ocfs2_this_node 2014-01-21 16:19:41 -08:00
stack_user.c ocfs2: fix sparse non static symbol warning 2014-01-21 16:19:42 -08:00
stackglue.c Nothing major: the stricter permissions checking for sysfs broke 2014-04-06 09:38:07 -07:00
stackglue.h ocfs2: pass ocfs2_cluster_connection to ocfs2_this_node 2014-01-21 16:19:41 -08:00
suballoc.c ocfs2: iput inode alloc when failed locally 2014-04-03 16:20:57 -07:00
suballoc.h ocfs2: rollback alloc_dinode counts when ocfs2_block_group_set_bits() failed 2014-04-03 16:20:56 -07:00
super.c Major changes for 3.14 include support for the newly added ZERO_RANGE 2014-04-04 15:39:39 -07:00
super.h
symlink.c
symlink.h
sysfile.c ocfs2: avoid system inode ref confusion by adding mutex lock 2014-04-03 16:20:57 -07:00
sysfile.h
uptodate.c
uptodate.h
xattr.c ocfs2: pass "new" parameter to ocfs2_init_xattr_bucket 2014-04-03 16:20:57 -07:00
xattr.h ocfs2: use generic posix ACL infrastructure 2014-01-25 23:58:21 -05:00