aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOctavian Purdila <opurdila@ixiacom.com>2010-12-16 17:26:56 -0500
committerDavid S. Miller <davem@davemloft.net>2010-12-16 17:26:56 -0500
commitfcbdf09d9652c8919dcf47072e3ae7dcb4eb98ac (patch)
tree51e3cc1fbd813a880ea09dc31a12683b73d87e05
parent2984961c388381c1830f95e1c2dc2137301b1009 (diff)
net: fix nulls list corruptions in sk_prot_alloc
Special care is taken inside sk_port_alloc to avoid overwriting skc_node/skc_nulls_node. We should also avoid overwriting skc_bind_node/skc_portaddr_node. The patch fixes the following crash: BUG: unable to handle kernel paging request at fffffffffffffff0 IP: [<ffffffff812ec6dd>] udp4_lib_lookup2+0xad/0x370 [<ffffffff812ecc22>] __udp4_lib_lookup+0x282/0x360 [<ffffffff812ed63e>] __udp4_lib_rcv+0x31e/0x700 [<ffffffff812bba45>] ? ip_local_deliver_finish+0x65/0x190 [<ffffffff812bbbf8>] ? ip_local_deliver+0x88/0xa0 [<ffffffff812eda35>] udp_rcv+0x15/0x20 [<ffffffff812bba45>] ip_local_deliver_finish+0x65/0x190 [<ffffffff812bbbf8>] ip_local_deliver+0x88/0xa0 [<ffffffff812bb2cd>] ip_rcv_finish+0x32d/0x6f0 [<ffffffff8128c14c>] ? netif_receive_skb+0x99c/0x11c0 [<ffffffff812bb94b>] ip_rcv+0x2bb/0x350 [<ffffffff8128c14c>] netif_receive_skb+0x99c/0x11c0 Signed-off-by: Leonard Crestez <lcrestez@ixiacom.com> Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/sock.h3
-rw-r--r--net/core/sock.c47
-rw-r--r--net/ipv4/udp.c1
-rw-r--r--net/ipv4/udplite.c1
-rw-r--r--net/ipv6/udp.c1
-rw-r--r--net/ipv6/udplite.c1
6 files changed, 42 insertions, 12 deletions
diff --git a/include/net/sock.h b/include/net/sock.h
index 659d968d95c5..7d3f7ce239b5 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -754,6 +754,7 @@ struct proto {
754 void (*unhash)(struct sock *sk); 754 void (*unhash)(struct sock *sk);
755 void (*rehash)(struct sock *sk); 755 void (*rehash)(struct sock *sk);
756 int (*get_port)(struct sock *sk, unsigned short snum); 756 int (*get_port)(struct sock *sk, unsigned short snum);
757 void (*clear_sk)(struct sock *sk, int size);
757 758
758 /* Keeping track of sockets in use */ 759 /* Keeping track of sockets in use */
759#ifdef CONFIG_PROC_FS 760#ifdef CONFIG_PROC_FS
@@ -852,6 +853,8 @@ static inline void __sk_prot_rehash(struct sock *sk)
852 sk->sk_prot->hash(sk); 853 sk->sk_prot->hash(sk);
853} 854}
854 855
856void sk_prot_clear_portaddr_nulls(struct sock *sk, int size);
857
855/* About 10 seconds */ 858/* About 10 seconds */
856#define SOCK_DESTROY_TIME (10*HZ) 859#define SOCK_DESTROY_TIME (10*HZ)
857 860
diff --git a/net/core/sock.c b/net/core/sock.c
index fb6080111461..e5af8d5d5b50 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1009,6 +1009,36 @@ static void sock_copy(struct sock *nsk, const struct sock *osk)
1009#endif 1009#endif
1010} 1010}
1011 1011
1012/*
1013 * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
1014 * un-modified. Special care is taken when initializing object to zero.
1015 */
1016static inline void sk_prot_clear_nulls(struct sock *sk, int size)
1017{
1018 if (offsetof(struct sock, sk_node.next) != 0)
1019 memset(sk, 0, offsetof(struct sock, sk_node.next));
1020 memset(&sk->sk_node.pprev, 0,
1021 size - offsetof(struct sock, sk_node.pprev));
1022}
1023
1024void sk_prot_clear_portaddr_nulls(struct sock *sk, int size)
1025{
1026 unsigned long nulls1, nulls2;
1027
1028 nulls1 = offsetof(struct sock, __sk_common.skc_node.next);
1029 nulls2 = offsetof(struct sock, __sk_common.skc_portaddr_node.next);
1030 if (nulls1 > nulls2)
1031 swap(nulls1, nulls2);
1032
1033 if (nulls1 != 0)
1034 memset((char *)sk, 0, nulls1);
1035 memset((char *)sk + nulls1 + sizeof(void *), 0,
1036 nulls2 - nulls1 - sizeof(void *));
1037 memset((char *)sk + nulls2 + sizeof(void *), 0,
1038 size - nulls2 - sizeof(void *));
1039}
1040EXPORT_SYMBOL(sk_prot_clear_portaddr_nulls);
1041
1012static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority, 1042static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
1013 int family) 1043 int family)
1014{ 1044{
@@ -1021,19 +1051,12 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
1021 if (!sk) 1051 if (!sk)
1022 return sk; 1052 return sk;
1023 if (priority & __GFP_ZERO) { 1053 if (priority & __GFP_ZERO) {
1024 /* 1054 if (prot->clear_sk)
1025 * caches using SLAB_DESTROY_BY_RCU should let 1055 prot->clear_sk(sk, prot->obj_size);
1026 * sk_node.next un-modified. Special care is taken 1056 else
1027 * when initializing object to zero. 1057 sk_prot_clear_nulls(sk, prot->obj_size);
1028 */
1029 if (offsetof(struct sock, sk_node.next) != 0)
1030 memset(sk, 0, offsetof(struct sock, sk_node.next));
1031 memset(&sk->sk_node.pprev, 0,
1032 prot->obj_size - offsetof(struct sock,
1033 sk_node.pprev));
1034 } 1058 }
1035 } 1059 } else
1036 else
1037 sk = kmalloc(prot->obj_size, priority); 1060 sk = kmalloc(prot->obj_size, priority);
1038 1061
1039 if (sk != NULL) { 1062 if (sk != NULL) {
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 5e0a3a582a59..2d3ded4d0786 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1899,6 +1899,7 @@ struct proto udp_prot = {
1899 .compat_setsockopt = compat_udp_setsockopt, 1899 .compat_setsockopt = compat_udp_setsockopt,
1900 .compat_getsockopt = compat_udp_getsockopt, 1900 .compat_getsockopt = compat_udp_getsockopt,
1901#endif 1901#endif
1902 .clear_sk = sk_prot_clear_portaddr_nulls,
1902}; 1903};
1903EXPORT_SYMBOL(udp_prot); 1904EXPORT_SYMBOL(udp_prot);
1904 1905
diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
index ab76aa928fa9..aee9963f7f5a 100644
--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -57,6 +57,7 @@ struct proto udplite_prot = {
57 .compat_setsockopt = compat_udp_setsockopt, 57 .compat_setsockopt = compat_udp_setsockopt,
58 .compat_getsockopt = compat_udp_getsockopt, 58 .compat_getsockopt = compat_udp_getsockopt,
59#endif 59#endif
60 .clear_sk = sk_prot_clear_portaddr_nulls,
60}; 61};
61EXPORT_SYMBOL(udplite_prot); 62EXPORT_SYMBOL(udplite_prot);
62 63
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 91def93bec85..cd6cb7c3e563 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1477,6 +1477,7 @@ struct proto udpv6_prot = {
1477 .compat_setsockopt = compat_udpv6_setsockopt, 1477 .compat_setsockopt = compat_udpv6_setsockopt,
1478 .compat_getsockopt = compat_udpv6_getsockopt, 1478 .compat_getsockopt = compat_udpv6_getsockopt,
1479#endif 1479#endif
1480 .clear_sk = sk_prot_clear_portaddr_nulls,
1480}; 1481};
1481 1482
1482static struct inet_protosw udpv6_protosw = { 1483static struct inet_protosw udpv6_protosw = {
diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c
index 5f48fadc27f7..986c4de5292e 100644
--- a/net/ipv6/udplite.c
+++ b/net/ipv6/udplite.c
@@ -55,6 +55,7 @@ struct proto udplitev6_prot = {
55 .compat_setsockopt = compat_udpv6_setsockopt, 55 .compat_setsockopt = compat_udpv6_setsockopt,
56 .compat_getsockopt = compat_udpv6_getsockopt, 56 .compat_getsockopt = compat_udpv6_getsockopt,
57#endif 57#endif
58 .clear_sk = sk_prot_clear_portaddr_nulls,
58}; 59};
59 60
60static struct inet_protosw udplite6_protosw = { 61static struct inet_protosw udplite6_protosw = {