linux-stable/net
Zhu Yi 8eae939f14 net: add limit for socket backlog
We got system OOM while running some UDP netperf testing on the loopback
device. The case is multiple senders sent stream UDP packets to a single
receiver via loopback on local host. Of course, the receiver is not able
to handle all the packets in time. But we surprisingly found that these
packets were not discarded due to the receiver's sk->sk_rcvbuf limit.
Instead, they are kept queuing to sk->sk_backlog and finally ate up all
the memory. We believe this is a security hole that a non-privileged user
can crash the system.

The root cause for this problem is, when the receiver is doing
__release_sock() (i.e. after userspace recv, kernel udp_recvmsg ->
skb_free_datagram_locked -> release_sock), it moves skbs from backlog to
sk_receive_queue with the softirq enabled. In the above case, multiple
busy senders will almost make it an endless loop. The skbs in the
backlog end up eating all the system memory.

The issue is not only for UDP. Any protocol using the socket backlog is
potentially affected. The patch adds a limit for the socket backlog so that
the backlog size cannot be expanded endlessly.

Reported-by: Alex Shi <alex.shi@intel.com>
Cc: David Miller <davem@davemloft.net>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-05 13:33:59 -08:00
..
9p 9p: fix p9_client_destroy unconditional calling v9fs_put_trans 2010-02-08 18:18:34 -06:00
802 sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
8021q percpu: add __percpu sparse annotations to net 2010-02-16 23:05:38 -08:00
appletalk net: appletalk: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
atm net: atm: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
ax25 net: ax25: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
bluetooth Bluetooth: Use single_open() for inquiry cache within debugfs 2010-03-03 01:04:38 -08:00
bridge bridge: depends on INET 2010-03-03 01:23:22 -08:00
can can: deny filterlist access on non-CAN interfaces 2010-02-02 07:21:34 -08:00
core net: add limit for socket backlog 2010-03-05 13:33:59 -08:00
dcb const: struct nla_policy 2010-02-18 14:30:18 -08:00
dccp percpu: add __percpu sparse annotations to net 2010-02-16 23:05:38 -08:00
decnet net: Add checking to rcu_dereference() primitives 2010-02-25 09:41:03 +01:00
dsa
econet net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ethernet llc: use dev_hard_header 2009-12-26 20:38:23 -08:00
ieee802154 net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ipv4 gre: fix hard header destination address checking 2010-03-04 00:53:52 -08:00
ipv6 IPv6: fix race between cleanup and add/delete address 2010-03-04 00:39:34 -08:00
ipx net: ipx: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
irda const: struct nla_policy 2010-02-18 14:30:18 -08:00
iucv const: constify remaining dev_pm_ops 2009-12-15 08:53:25 -08:00
key xfrm: SP lookups signature with mark 2010-02-22 16:21:12 -08:00
lapb
llc llc: fix SAP reference counting w.r.t. socket handling 2009-12-26 20:47:23 -08:00
mac80211 mac80211: Fix HT rate control configuration 2010-03-03 15:39:21 -05:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2010-02-26 09:31:09 -08:00
netlabel net: remove INIT_RCU_HEAD() usage 2010-02-17 00:03:27 -08:00
netlink netlink: Adding inode field to /proc/net/netlink 2010-02-28 01:29:49 -08:00
netrom net: netrom: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
packet af_packet: move strict addr_len check right before dev_[mc/unicast]_[add/del] 2010-03-03 01:04:38 -08:00
phonet net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
rds net/rds: remove uses of NIPQUAD, use %pI4 2010-02-03 20:16:48 -08:00
rfkill rfkill: Add support for KEY_RFKILL 2010-03-02 14:28:49 -05:00
rose net: rose: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
rxrpc net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
sched Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-09 11:44:44 -08:00
sctp net: remove INIT_RCU_HEAD() usage 2010-02-17 00:03:27 -08:00
sunrpc net: Fix first line of kernel-doc for a few functions 2010-02-14 22:35:47 -08:00
tipc tipc: Fix oops on send prior to entering networked mode (v3) 2010-03-04 00:53:52 -08:00
unix AF_UNIX: update locking comment 2010-02-18 14:12:06 -08:00
wanrouter
wimax const: struct nla_policy 2010-02-18 14:30:18 -08:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2010-02-25 23:26:21 -08:00
x25 X25: Dont let x25_bind use addresses containing characters 2010-02-15 21:49:52 -08:00
xfrm ipsec: Fix bogus bundle flowi 2010-03-03 01:04:37 -08:00
compat.c net: use compat helper functions in compat_sys_recvmmsg 2009-12-11 15:07:57 -08:00
Kconfig
Makefile
nonet.c
socket.c fs: no games with DCACHE_UNHASHED 2009-12-17 10:51:40 -05:00
sysctl_net.c net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
TUNABLE