Linux v4.3.5
This commit is contained in:
parent
0ef7d9675e
commit
a6cd6b36bd
|
@ -1,80 +0,0 @@
|
|||
From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 10 Nov 2015 13:22:53 +0100
|
||||
Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
|
||||
|
||||
This is needed to avoid the possibility that the guest triggers
|
||||
an infinite stream of #DB exceptions (CVE-2015-8104).
|
||||
|
||||
VMX is not affected: because it does not save DR6 in the VMCS,
|
||||
it already intercepts #DB unconditionally.
|
||||
|
||||
Reported-by: Jan Beulich <jbeulich@suse.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/svm.c | 14 +++-----------
|
||||
1 file changed, 3 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
|
||||
index 7203b3cc71b5..184e50b3c35a 100644
|
||||
--- a/arch/x86/kvm/svm.c
|
||||
+++ b/arch/x86/kvm/svm.c
|
||||
@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
|
||||
set_exception_intercept(svm, UD_VECTOR);
|
||||
set_exception_intercept(svm, MC_VECTOR);
|
||||
set_exception_intercept(svm, AC_VECTOR);
|
||||
+ set_exception_intercept(svm, DB_VECTOR);
|
||||
|
||||
set_intercept(svm, INTERCEPT_INTR);
|
||||
set_intercept(svm, INTERCEPT_NMI);
|
||||
@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
|
||||
mark_dirty(svm->vmcb, VMCB_SEG);
|
||||
}
|
||||
|
||||
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
|
||||
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
struct vcpu_svm *svm = to_svm(vcpu);
|
||||
|
||||
- clr_exception_intercept(svm, DB_VECTOR);
|
||||
clr_exception_intercept(svm, BP_VECTOR);
|
||||
|
||||
- if (svm->nmi_singlestep)
|
||||
- set_exception_intercept(svm, DB_VECTOR);
|
||||
-
|
||||
if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
|
||||
- if (vcpu->guest_debug &
|
||||
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
|
||||
- set_exception_intercept(svm, DB_VECTOR);
|
||||
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
|
||||
set_exception_intercept(svm, BP_VECTOR);
|
||||
} else
|
||||
@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
|
||||
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
|
||||
svm->vmcb->save.rflags &=
|
||||
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
|
||||
- update_db_bp_intercept(&svm->vcpu);
|
||||
}
|
||||
|
||||
if (svm->vcpu.guest_debug &
|
||||
@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
|
||||
*/
|
||||
svm->nmi_singlestep = true;
|
||||
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
|
||||
- update_db_bp_intercept(vcpu);
|
||||
}
|
||||
|
||||
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
|
||||
@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
|
||||
.vcpu_load = svm_vcpu_load,
|
||||
.vcpu_put = svm_vcpu_put,
|
||||
|
||||
- .update_db_bp_intercept = update_db_bp_intercept,
|
||||
+ .update_db_bp_intercept = update_bp_intercept,
|
||||
.get_msr = svm_get_msr,
|
||||
.set_msr = svm_set_msr,
|
||||
.get_segment_base = svm_get_segment_base,
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -29,6 +29,7 @@ CONFIG_ARM64_ERRATUM_827319=y
|
|||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_832075=y
|
||||
CONFIG_ARM64_ERRATUM_834220=y
|
||||
CONFIG_ARM64_ERRATUM_843419=y
|
||||
|
||||
# AMBA / VExpress
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 1 Nov 2015 16:21:24 +0000
|
||||
Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in
|
||||
isdn_ppp_open()
|
||||
|
||||
Compile-tested only.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
|
||||
index c4198fa490bf..86f9abebcb72 100644
|
||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
||||
@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
|
||||
is->compflags = 0;
|
||||
|
||||
is->reset = isdn_ppp_ccp_reset_alloc(is);
|
||||
+ if (!is->reset)
|
||||
+ return -ENOMEM;
|
||||
|
||||
is->lp = NULL;
|
||||
is->mp_seqno = 0; /* MP sequence number */
|
||||
@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
|
||||
* VJ header compression init
|
||||
*/
|
||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
||||
+ if (!is->slcomp) {
|
||||
+ isdn_ppp_ccp_reset_free(is);
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
#endif
|
||||
#ifdef CONFIG_IPPP_FILTER
|
||||
is->pass_filter = NULL;
|
||||
--
|
||||
2.4.3
|
||||
|
25
kernel.spec
25
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 5
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -598,13 +598,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
|
|||
|
||||
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
|
||||
|
||||
#CVE-2015-7799 rhbz 1271134 1271135
|
||||
Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
|
||||
Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
|
||||
|
||||
#CVE-2015-8104 rhbz 1278496 1279691
|
||||
Patch551: KVM-svm-unconditionally-intercept-DB.patch
|
||||
|
||||
#rhbz 1269300
|
||||
Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
|
||||
|
||||
|
@ -683,9 +676,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
|||
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
#CVE-2013-4312 rhbz 1297813 1300216
|
||||
Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
|
@ -1371,13 +1361,6 @@ ApplyPatch drm-i915-turn-off-wc-mmaps.patch
|
|||
|
||||
ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
|
||||
|
||||
#CVE-2015-7799 rhbz 1271134 1271135
|
||||
ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
|
||||
ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
|
||||
|
||||
#CVE-2015-8104 rhbz 1278496 1279691
|
||||
ApplyPatch KVM-svm-unconditionally-intercept-DB.patch
|
||||
|
||||
#rhbz 1269300
|
||||
ApplyPatch megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
|
||||
|
||||
|
@ -1456,9 +1439,6 @@ ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
|||
ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
#CVE-2013-4312 rhbz 1297813 1300216
|
||||
ApplyPatch unix-properly-account-for-FDs-passed-over-unix-socke.patch
|
||||
|
||||
#CVE-2016-0723 rhbz 1296253 1300224
|
||||
ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
|
||||
|
||||
|
@ -2331,6 +2311,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Sun Jan 31 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.5-200
|
||||
- Linux v4.3.5
|
||||
|
||||
* Fri Jan 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Backport HID sony patch to fix some gamepads (rhbz 1255235)
|
||||
|
||||
|
|
|
@ -1,139 +0,0 @@
|
|||
From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 1 Nov 2015 16:22:53 +0000
|
||||
Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters
|
||||
completely
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently slhc_init() treats out-of-range values of rslots and tslots
|
||||
as equivalent to 0, except that if tslots is too large it will
|
||||
dereference a null pointer (CVE-2015-7799).
|
||||
|
||||
Add a range-check at the top of the function and make it return an
|
||||
ERR_PTR() on error instead of NULL. Change the callers accordingly.
|
||||
|
||||
Compile-tested only.
|
||||
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
|
||||
drivers/net/ppp/ppp_generic.c | 6 ++----
|
||||
drivers/net/slip/slhc.c | 12 ++++++++----
|
||||
drivers/net/slip/slip.c | 2 +-
|
||||
4 files changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
|
||||
index 86f9abebcb72..9c1e8adaf4fc 100644
|
||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
||||
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
|
||||
* VJ header compression init
|
||||
*/
|
||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
||||
- if (!is->slcomp) {
|
||||
+ if (IS_ERR(is->slcomp)) {
|
||||
isdn_ppp_ccp_reset_free(is);
|
||||
- return -ENOMEM;
|
||||
+ return PTR_ERR(is->slcomp);
|
||||
}
|
||||
#endif
|
||||
#ifdef CONFIG_IPPP_FILTER
|
||||
@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
|
||||
is->maxcid = val;
|
||||
#ifdef CONFIG_ISDN_PPP_VJ
|
||||
sltmp = slhc_init(16, val);
|
||||
- if (!sltmp) {
|
||||
- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
+ if (IS_ERR(sltmp))
|
||||
+ return PTR_ERR(sltmp);
|
||||
if (is->slcomp)
|
||||
slhc_free(is->slcomp);
|
||||
is->slcomp = sltmp;
|
||||
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
|
||||
index ed00446759b2..9a863c6a6a33 100644
|
||||
--- a/drivers/net/ppp/ppp_generic.c
|
||||
+++ b/drivers/net/ppp/ppp_generic.c
|
||||
@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
val &= 0xffff;
|
||||
}
|
||||
vj = slhc_init(val2+1, val+1);
|
||||
- if (!vj) {
|
||||
- netdev_err(ppp->dev,
|
||||
- "PPP: no memory (VJ compressor)\n");
|
||||
- err = -ENOMEM;
|
||||
+ if (IS_ERR(vj)) {
|
||||
+ err = PTR_ERR(vj);
|
||||
break;
|
||||
}
|
||||
ppp_lock(ppp);
|
||||
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
|
||||
index 079f7adfcde5..27ed25252aac 100644
|
||||
--- a/drivers/net/slip/slhc.c
|
||||
+++ b/drivers/net/slip/slhc.c
|
||||
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
|
||||
static unsigned char * put16(unsigned char *cp, unsigned short x);
|
||||
static unsigned short pull16(unsigned char **cpp);
|
||||
|
||||
-/* Initialize compression data structure
|
||||
+/* Allocate compression data structure
|
||||
* slots must be in range 0 to 255 (zero meaning no compression)
|
||||
+ * Returns pointer to structure or ERR_PTR() on error.
|
||||
*/
|
||||
struct slcompress *
|
||||
slhc_init(int rslots, int tslots)
|
||||
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
|
||||
register struct cstate *ts;
|
||||
struct slcompress *comp;
|
||||
|
||||
+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
|
||||
+ return ERR_PTR(-EINVAL);
|
||||
+
|
||||
comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
|
||||
if (! comp)
|
||||
goto out_fail;
|
||||
|
||||
- if ( rslots > 0 && rslots < 256 ) {
|
||||
+ if (rslots > 0) {
|
||||
size_t rsize = rslots * sizeof(struct cstate);
|
||||
comp->rstate = kzalloc(rsize, GFP_KERNEL);
|
||||
if (! comp->rstate)
|
||||
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
|
||||
comp->rslot_limit = rslots - 1;
|
||||
}
|
||||
|
||||
- if ( tslots > 0 && tslots < 256 ) {
|
||||
+ if (tslots > 0) {
|
||||
size_t tsize = tslots * sizeof(struct cstate);
|
||||
comp->tstate = kzalloc(tsize, GFP_KERNEL);
|
||||
if (! comp->tstate)
|
||||
@@ -141,7 +145,7 @@ out_free2:
|
||||
out_free:
|
||||
kfree(comp);
|
||||
out_fail:
|
||||
- return NULL;
|
||||
+ return ERR_PTR(-ENOMEM);
|
||||
}
|
||||
|
||||
|
||||
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
|
||||
index 05387b1e2e95..a17d86a57734 100644
|
||||
--- a/drivers/net/slip/slip.c
|
||||
+++ b/drivers/net/slip/slip.c
|
||||
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
|
||||
if (cbuff == NULL)
|
||||
goto err_exit;
|
||||
slcomp = slhc_init(16, 16);
|
||||
- if (slcomp == NULL)
|
||||
+ if (IS_ERR(slcomp))
|
||||
goto err_exit;
|
||||
#endif
|
||||
spin_lock_bh(&sl->lock);
|
||||
--
|
||||
2.4.3
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
|
||||
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
|
||||
5bbeeb57b8cff23e5c27430e60810d1b patch-4.3.4.xz
|
||||
4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
|
||||
|
|
|
@ -1,140 +0,0 @@
|
|||
From 0cd038d23b86853d68993c94f3c713e4375fd61f Mon Sep 17 00:00:00 2001
|
||||
From: willy tarreau <w@1wt.eu>
|
||||
Date: Sun, 10 Jan 2016 07:54:56 +0100
|
||||
Subject: [PATCH] unix: properly account for FDs passed over unix sockets
|
||||
|
||||
It is possible for a process to allocate and accumulate far more FDs than
|
||||
the process' limit by sending them over a unix socket then closing them
|
||||
to keep the process' fd count low.
|
||||
|
||||
This change addresses this problem by keeping track of the number of FDs
|
||||
in flight per user and preventing non-privileged processes from having
|
||||
more FDs in flight than their configured FD limit.
|
||||
|
||||
Reported-by: socketpair@gmail.com
|
||||
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
||||
Mitigates: CVE-2013-4312 (Linux 2.0+)
|
||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/linux/sched.h | 1 +
|
||||
net/unix/af_unix.c | 24 ++++++++++++++++++++----
|
||||
net/unix/garbage.c | 13 ++++++++-----
|
||||
3 files changed, 29 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/include/linux/sched.h b/include/linux/sched.h
|
||||
index b7b9501b41af..f477e87ca46f 100644
|
||||
--- a/include/linux/sched.h
|
||||
+++ b/include/linux/sched.h
|
||||
@@ -830,6 +830,7 @@ struct user_struct {
|
||||
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
|
||||
#endif
|
||||
unsigned long locked_shm; /* How many pages of mlocked shm ? */
|
||||
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
struct key *uid_keyring; /* UID specific keyring */
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index 128b0982c96b..9085de63bb81 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1498,6 +1498,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
|
||||
sock_wfree(skb);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * The "user->unix_inflight" variable is protected by the garbage
|
||||
+ * collection lock, and we just read it locklessly here. If you go
|
||||
+ * over the limit, there might be a tiny race in actually noticing
|
||||
+ * it across threads. Tough.
|
||||
+ */
|
||||
+static inline bool too_many_unix_fds(struct task_struct *p)
|
||||
+{
|
||||
+ struct user_struct *user = current_user();
|
||||
+
|
||||
+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
|
||||
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
#define MAX_RECURSION_LEVEL 4
|
||||
|
||||
static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
@@ -1506,6 +1521,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
unsigned char max_level = 0;
|
||||
int unix_sock_count = 0;
|
||||
|
||||
+ if (too_many_unix_fds(current))
|
||||
+ return -ETOOMANYREFS;
|
||||
+
|
||||
for (i = scm->fp->count - 1; i >= 0; i--) {
|
||||
struct sock *sk = unix_get_socket(scm->fp->fp[i]);
|
||||
|
||||
@@ -1527,10 +1545,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
if (!UNIXCB(skb).fp)
|
||||
return -ENOMEM;
|
||||
|
||||
- if (unix_sock_count) {
|
||||
- for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
- unix_inflight(scm->fp->fp[i]);
|
||||
- }
|
||||
+ for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
+ unix_inflight(scm->fp->fp[i]);
|
||||
return max_level;
|
||||
}
|
||||
|
||||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
|
||||
index a73a226f2d33..8fcdc2283af5 100644
|
||||
--- a/net/unix/garbage.c
|
||||
+++ b/net/unix/garbage.c
|
||||
@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
+ spin_lock(&unix_gc_lock);
|
||||
+
|
||||
if (s) {
|
||||
struct unix_sock *u = unix_sk(s);
|
||||
|
||||
- spin_lock(&unix_gc_lock);
|
||||
-
|
||||
if (atomic_long_inc_return(&u->inflight) == 1) {
|
||||
BUG_ON(!list_empty(&u->link));
|
||||
list_add_tail(&u->link, &gc_inflight_list);
|
||||
@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
|
||||
BUG_ON(list_empty(&u->link));
|
||||
}
|
||||
unix_tot_inflight++;
|
||||
- spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
+ fp->f_cred->user->unix_inflight++;
|
||||
+ spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
void unix_notinflight(struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
+ spin_lock(&unix_gc_lock);
|
||||
+
|
||||
if (s) {
|
||||
struct unix_sock *u = unix_sk(s);
|
||||
|
||||
- spin_lock(&unix_gc_lock);
|
||||
BUG_ON(list_empty(&u->link));
|
||||
|
||||
if (atomic_long_dec_and_test(&u->inflight))
|
||||
list_del_init(&u->link);
|
||||
unix_tot_inflight--;
|
||||
- spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
+ fp->f_cred->user->unix_inflight--;
|
||||
+ spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue