diff options
| author | Ralf Baechle <ralf@linux-mips.org> | 2005-08-23 13:11:45 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2005-08-23 13:11:45 -0400 |
| commit | 01d7dd0e9f8c5f1888619d2649c7da389232b408 (patch) | |
| tree | ee4f22a33557bae4883eb2f4fb1359e97ac74186 /net/ax25/ax25_uid.c | |
| parent | 53b924b31fa53ac3007df3fef6870d5074a9adf8 (diff) | |
[AX25]: UID fixes
o Brown paperbag bug - ax25_findbyuid() was always returning a NULL pointer
as the result. Breaks ROSE completly and AX.25 if UID policy set to deny.
o While the list structure of AX.25's UID to callsign mapping table was
properly protected by a spinlock, it's elements were not refcounted
resulting in a race between removal and usage of an element.
Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ax25/ax25_uid.c')
| -rw-r--r-- | net/ax25/ax25_uid.c | 83 |
1 files changed, 36 insertions, 47 deletions
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c index cea6b7d19729..a8b3822f3ee4 100644 --- a/net/ax25/ax25_uid.c +++ b/net/ax25/ax25_uid.c | |||
| @@ -28,6 +28,7 @@ | |||
| 28 | #include <linux/fcntl.h> | 28 | #include <linux/fcntl.h> |
| 29 | #include <linux/mm.h> | 29 | #include <linux/mm.h> |
| 30 | #include <linux/interrupt.h> | 30 | #include <linux/interrupt.h> |
| 31 | #include <linux/list.h> | ||
| 31 | #include <linux/notifier.h> | 32 | #include <linux/notifier.h> |
| 32 | #include <linux/proc_fs.h> | 33 | #include <linux/proc_fs.h> |
| 33 | #include <linux/seq_file.h> | 34 | #include <linux/seq_file.h> |
| @@ -41,38 +42,41 @@ | |||
| 41 | * Callsign/UID mapper. This is in kernel space for security on multi-amateur machines. | 42 | * Callsign/UID mapper. This is in kernel space for security on multi-amateur machines. |
| 42 | */ | 43 | */ |
| 43 | 44 | ||
| 44 | static ax25_uid_assoc *ax25_uid_list; | 45 | HLIST_HEAD(ax25_uid_list); |
| 45 | static DEFINE_RWLOCK(ax25_uid_lock); | 46 | static DEFINE_RWLOCK(ax25_uid_lock); |
| 46 | 47 | ||
| 47 | int ax25_uid_policy = 0; | 48 | int ax25_uid_policy = 0; |
| 48 | 49 | ||
| 49 | ax25_address *ax25_findbyuid(uid_t uid) | 50 | ax25_uid_assoc *ax25_findbyuid(uid_t uid) |
| 50 | { | 51 | { |
| 51 | ax25_uid_assoc *ax25_uid; | 52 | ax25_uid_assoc *ax25_uid, *res = NULL; |
| 52 | ax25_address *res = NULL; | 53 | struct hlist_node *node; |
| 53 | 54 | ||
| 54 | read_lock(&ax25_uid_lock); | 55 | read_lock(&ax25_uid_lock); |
| 55 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 56 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
| 56 | if (ax25_uid->uid == uid) { | 57 | if (ax25_uid->uid == uid) { |
| 57 | res = &ax25_uid->call; | 58 | ax25_uid_hold(ax25_uid); |
| 59 | res = ax25_uid; | ||
| 58 | break; | 60 | break; |
| 59 | } | 61 | } |
| 60 | } | 62 | } |
| 61 | read_unlock(&ax25_uid_lock); | 63 | read_unlock(&ax25_uid_lock); |
| 62 | 64 | ||
| 63 | return NULL; | 65 | return res; |
| 64 | } | 66 | } |
| 65 | 67 | ||
| 66 | int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | 68 | int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) |
| 67 | { | 69 | { |
| 68 | ax25_uid_assoc *s, *ax25_uid; | 70 | ax25_uid_assoc *ax25_uid; |
| 71 | struct hlist_node *node; | ||
| 72 | ax25_uid_assoc *user; | ||
| 69 | unsigned long res; | 73 | unsigned long res; |
| 70 | 74 | ||
| 71 | switch (cmd) { | 75 | switch (cmd) { |
| 72 | case SIOCAX25GETUID: | 76 | case SIOCAX25GETUID: |
| 73 | res = -ENOENT; | 77 | res = -ENOENT; |
| 74 | read_lock(&ax25_uid_lock); | 78 | read_lock(&ax25_uid_lock); |
| 75 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 79 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
| 76 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { | 80 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { |
| 77 | res = ax25_uid->uid; | 81 | res = ax25_uid->uid; |
| 78 | break; | 82 | break; |
| @@ -85,19 +89,22 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
| 85 | case SIOCAX25ADDUID: | 89 | case SIOCAX25ADDUID: |
| 86 | if (!capable(CAP_NET_ADMIN)) | 90 | if (!capable(CAP_NET_ADMIN)) |
| 87 | return -EPERM; | 91 | return -EPERM; |
| 88 | if (ax25_findbyuid(sax->sax25_uid)) | 92 | user = ax25_findbyuid(sax->sax25_uid); |
| 93 | if (user) { | ||
| 94 | ax25_uid_put(user); | ||
| 89 | return -EEXIST; | 95 | return -EEXIST; |
| 96 | } | ||
| 90 | if (sax->sax25_uid == 0) | 97 | if (sax->sax25_uid == 0) |
| 91 | return -EINVAL; | 98 | return -EINVAL; |
| 92 | if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL) | 99 | if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL) |
| 93 | return -ENOMEM; | 100 | return -ENOMEM; |
| 94 | 101 | ||
| 102 | atomic_set(&ax25_uid->refcount, 1); | ||
| 95 | ax25_uid->uid = sax->sax25_uid; | 103 | ax25_uid->uid = sax->sax25_uid; |
| 96 | ax25_uid->call = sax->sax25_call; | 104 | ax25_uid->call = sax->sax25_call; |
| 97 | 105 | ||
| 98 | write_lock(&ax25_uid_lock); | 106 | write_lock(&ax25_uid_lock); |
| 99 | ax25_uid->next = ax25_uid_list; | 107 | hlist_add_head(&ax25_uid->uid_node, &ax25_uid_list); |
| 100 | ax25_uid_list = ax25_uid; | ||
| 101 | write_unlock(&ax25_uid_lock); | 108 | write_unlock(&ax25_uid_lock); |
| 102 | 109 | ||
| 103 | return 0; | 110 | return 0; |
| @@ -106,34 +113,21 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
| 106 | if (!capable(CAP_NET_ADMIN)) | 113 | if (!capable(CAP_NET_ADMIN)) |
| 107 | return -EPERM; | 114 | return -EPERM; |
| 108 | 115 | ||
| 116 | ax25_uid = NULL; | ||
| 109 | write_lock(&ax25_uid_lock); | 117 | write_lock(&ax25_uid_lock); |
| 110 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 118 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
| 111 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { | 119 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) |
| 112 | break; | 120 | break; |
| 113 | } | ||
| 114 | } | 121 | } |
| 115 | if (ax25_uid == NULL) { | 122 | if (ax25_uid == NULL) { |
| 116 | write_unlock(&ax25_uid_lock); | 123 | write_unlock(&ax25_uid_lock); |
| 117 | return -ENOENT; | 124 | return -ENOENT; |
| 118 | } | 125 | } |
| 119 | if ((s = ax25_uid_list) == ax25_uid) { | 126 | hlist_del_init(&ax25_uid->uid_node); |
| 120 | ax25_uid_list = s->next; | 127 | ax25_uid_put(ax25_uid); |
| 121 | write_unlock(&ax25_uid_lock); | ||
| 122 | kfree(ax25_uid); | ||
| 123 | return 0; | ||
| 124 | } | ||
| 125 | while (s != NULL && s->next != NULL) { | ||
| 126 | if (s->next == ax25_uid) { | ||
| 127 | s->next = ax25_uid->next; | ||
| 128 | write_unlock(&ax25_uid_lock); | ||
| 129 | kfree(ax25_uid); | ||
| 130 | return 0; | ||
| 131 | } | ||
| 132 | s = s->next; | ||
| 133 | } | ||
| 134 | write_unlock(&ax25_uid_lock); | 128 | write_unlock(&ax25_uid_lock); |
| 135 | 129 | ||
| 136 | return -ENOENT; | 130 | return 0; |
| 137 | 131 | ||
| 138 | default: | 132 | default: |
| 139 | return -EINVAL; | 133 | return -EINVAL; |
| @@ -147,13 +141,11 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
| 147 | static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) | 141 | static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) |
| 148 | { | 142 | { |
| 149 | struct ax25_uid_assoc *pt; | 143 | struct ax25_uid_assoc *pt; |
| 150 | int i = 1; | 144 | struct hlist_node *node; |
| 145 | int i = 0; | ||
| 151 | 146 | ||
| 152 | read_lock(&ax25_uid_lock); | 147 | read_lock(&ax25_uid_lock); |
| 153 | if (*pos == 0) | 148 | ax25_uid_for_each(pt, node, &ax25_uid_list) { |
| 154 | return SEQ_START_TOKEN; | ||
| 155 | |||
| 156 | for (pt = ax25_uid_list; pt != NULL; pt = pt->next) { | ||
| 157 | if (i == *pos) | 149 | if (i == *pos) |
| 158 | return pt; | 150 | return pt; |
| 159 | ++i; | 151 | ++i; |
| @@ -164,8 +156,9 @@ static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) | |||
| 164 | static void *ax25_uid_seq_next(struct seq_file *seq, void *v, loff_t *pos) | 156 | static void *ax25_uid_seq_next(struct seq_file *seq, void *v, loff_t *pos) |
| 165 | { | 157 | { |
| 166 | ++*pos; | 158 | ++*pos; |
| 167 | return (v == SEQ_START_TOKEN) ? ax25_uid_list : | 159 | |
| 168 | ((struct ax25_uid_assoc *) v)->next; | 160 | return hlist_entry(((ax25_uid_assoc *)v)->uid_node.next, |
| 161 | ax25_uid_assoc, uid_node); | ||
| 169 | } | 162 | } |
| 170 | 163 | ||
| 171 | static void ax25_uid_seq_stop(struct seq_file *seq, void *v) | 164 | static void ax25_uid_seq_stop(struct seq_file *seq, void *v) |
| @@ -179,7 +172,6 @@ static int ax25_uid_seq_show(struct seq_file *seq, void *v) | |||
| 179 | seq_printf(seq, "Policy: %d\n", ax25_uid_policy); | 172 | seq_printf(seq, "Policy: %d\n", ax25_uid_policy); |
| 180 | else { | 173 | else { |
| 181 | struct ax25_uid_assoc *pt = v; | 174 | struct ax25_uid_assoc *pt = v; |
| 182 | |||
| 183 | 175 | ||
| 184 | seq_printf(seq, "%6d %s\n", pt->uid, ax2asc(&pt->call)); | 176 | seq_printf(seq, "%6d %s\n", pt->uid, ax2asc(&pt->call)); |
| 185 | } | 177 | } |
| @@ -213,16 +205,13 @@ struct file_operations ax25_uid_fops = { | |||
| 213 | */ | 205 | */ |
| 214 | void __exit ax25_uid_free(void) | 206 | void __exit ax25_uid_free(void) |
| 215 | { | 207 | { |
| 216 | ax25_uid_assoc *s, *ax25_uid; | 208 | ax25_uid_assoc *ax25_uid; |
| 209 | struct hlist_node *node; | ||
| 217 | 210 | ||
| 218 | write_lock(&ax25_uid_lock); | 211 | write_lock(&ax25_uid_lock); |
| 219 | ax25_uid = ax25_uid_list; | 212 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
| 220 | while (ax25_uid != NULL) { | 213 | hlist_del_init(&ax25_uid->uid_node); |
| 221 | s = ax25_uid; | 214 | ax25_uid_put(ax25_uid); |
| 222 | ax25_uid = ax25_uid->next; | ||
| 223 | |||
| 224 | kfree(s); | ||
| 225 | } | 215 | } |
| 226 | ax25_uid_list = NULL; | ||
| 227 | write_unlock(&ax25_uid_lock); | 216 | write_unlock(&ax25_uid_lock); |
| 228 | } | 217 | } |