authorDaniel Borkmann <dborkman@redhat.com>2013-05-02 22:57:00 -0400
committerDavid S. Miller <davem@davemloft.net>2013-05-03 16:10:33 -0400
commit8da3056c04bfc5f69f840ab038a38389e2de8189 (patch)
tree46686ea6065471491e4cc052ab85c8cb29a9d146
parentc5060cec6ba27ad3f0e7facfdf05d2f18e3e3010 (diff)
packet: tpacket_v3: do not trigger bug() on wrong header status
Jakub reported that it is fairly easy to trigger the BUG() macro from user space with TPACKET_V3's RX_RING by just giving a wrong header status flag. We already had a similar situation in commit 7f5c3e3a80e6654 (``af_packet: remove BUG statement in tpacket_destruct_skb'') where this was the case in the TX_RING side that could be triggered from user space. So really, don't use BUG() or BUG_ON() unless there's really no way out, and i.e. don't use it for consistency checking when there's user space involved, no excuses, especially not if you're slapping the user with WARN + dump_stack + BUG all at once. The two functions are of concern: prb_retire_current_block() [when block status != TP_STATUS_KERNEL] prb_open_block() [when block_status != TP_STATUS_KERNEL] Calls to prb_open_block() are guarded by earlier checks if block_status is really TP_STATUS_KERNEL (racy!), but the first one BUG() is easily triggerable from user space. System behaves still stable after they are removed. Also remove that yoda condition entirely, since it's already guarded. Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/packet/af_packet.c53
1 files changed, 23 insertions, 30 deletions
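--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -742,36 +742,33 @@ static void prb_open_block(struct tpacket_kbdq_core *pkc1,
 
 smp_rmb();
 
-if (likely(TP_STATUS_KERNEL == BLOCK_STATUS(pbd1))) {
+/* We could have just memset this but we will lose the
+* flexibility of making the priv area sticky
+*/
 
-/* We could have just memset this but we will lose the
-* flexibility of making the priv area sticky
-*/
-BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
-BLOCK_NUM_PKTS(pbd1) = 0;
-BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-getnstimeofday(&ts);
-h1->ts_first_pkt.ts_sec = ts.tv_sec;
-h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
-pkc1->pkblk_start = (char *)pbd1;
-pkc1->nxt_offset = pkc1->pkblk_start + BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
-pbd1->version = pkc1->version;
-pkc1->prev = pkc1->nxt_offset;
-pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
-prb_thaw_queue(pkc1);
-_prb_refresh_rx_retire_blk_timer(pkc1);
+BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
+BLOCK_NUM_PKTS(pbd1) = 0;
+BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
 
-smp_wmb();
+getnstimeofday(&ts);
 
-return;
-}
+h1->ts_first_pkt.ts_sec = ts.tv_sec;
+h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
 
-WARN(1, "ERROR block:%p is NOT FREE status:%d kactive_blk_num:%d\n",
-pbd1, BLOCK_STATUS(pbd1), pkc1->kactive_blk_num);
-dump_stack();
-BUG();
+pkc1->pkblk_start = (char *)pbd1;
+pkc1->nxt_offset = pkc1->pkblk_start + BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
+
+BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
+BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
+
+pbd1->version = pkc1->version;
+pkc1->prev = pkc1->nxt_offset;
+pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
+
+prb_thaw_queue(pkc1);
+_prb_refresh_rx_retire_blk_timer(pkc1);
+
+smp_wmb();
 }
 
 /*
@@ -862,10 +859,6 @@ static void prb_retire_current_block(struct tpacket_kbdq_core *pkc,
 prb_close_block(pkc, pbd, po, status);
 return;
 }
-
-WARN(1, "ERROR-pbd[%d]:%p\n", pkc->kactive_blk_num, pbd);
-dump_stack();
-BUG();
 }
 
 static int prb_curr_blk_in_use(struct tpacket_kbdq_core *pkc,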
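Review bot: Within the visible lines prb_open_block now rewrites the block header unconditionally, so the requirement that BLOCK_STATUS(pbd1) be TP_STATUS_KERNEL lives only in the callers, which the commit message itself calls racy, and nothing at the function says so; a comment above the smp_rmb() such as `/* Caller must have verified BLOCK_STATUS(pbd1) == TP_STATUS_KERNEL; the header is overwritten here without re-checking, since a user-writable status must never reach BUG(). */` would pin that contract. In the second hunk prb_retire_current_block now returns silently when the current block is not in TP_STATUS_KERNEL, which is the right replacement for a user-triggerable BUG() but leaves that path unexplained; a one-line comment noting that a block with a foreign status is deliberately left alone rather than retired would help the next reader. Both functions begin before their hunks, so the callers' status checks and any guard earlier in prb_open_block are not visible here.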