Update 2.6.36 to 2.6.36.4wip-dissipation2-jerickso

author: Jeremy Erickson <jerickso@cs.unc.edu> 2014-04-18 17:06:00 -0400
committer: Jeremy Erickson <jerickso@cs.unc.edu> 2014-04-18 17:06:00 -0400
commit: a215aa7b9ab3759c047201199fba64d3042d7f13 (patch)
tree: bca37493d9b2233450e6d3ffced1261d0e4f71fe /net/econet/af_econet.c
parent: d31199a77ef606f1d06894385f1852181ba6136b (diff)
1 files changed, 49 insertions, 50 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index dc54bd0d083b..172a6a91a214 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
        struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
        struct aunhdr ah;
        struct sockaddr_in udpdest;
        __kernel_size_t size;
-        int i;
        mm_segment_t oldfs;
+        char *userbuf;
 #endif
        /*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        mutex_lock(&econet_mutex);
-        if (saddr == NULL) {
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                struct econet_sock *eo = ec_sk(sk);
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
-                addr.station = eo->station;
+        }
-                addr.net     = eo->net;
+        addr.station = saddr->addr.station;
-                port         = eo->port;
+        addr.net = saddr->addr.net;
-                cb           = eo->cb;
+        port = saddr->port;
-        } else {
+        cb = saddr->cb;
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
        /* Look for a device with the right network number. */
        dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                }
        }
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
        if (dev->type == ARPHRD_ECONET) {
                /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                unsigned short proto = 0;
                int res;
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
                dev_hold(dev);
                skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                eb = (struct ec_cb *)&skb->cb;
-                /* BUG: saddr may be NULL */
                eb->cookie = saddr->cookie;
                eb->sec = *saddr;
                eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                return -ENETDOWN;               /* No socket - can't send */
        }
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
        /* Make up a UDP datagram and hand it off to some higher intellect. */
        memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
        iov[0].iov_base = (void *)&ah;
        iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
+        userbuf = vmalloc(len);
-                size_t iov_len = msg->msg_iov[i].iov_len;
+        if (userbuf == NULL) {
-                /* Check it now since we switch to KERNEL_DS later. */
+                err = -ENOMEM;
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
+                goto error;
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
        }
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
        /* Get a skbuff (no data, just holds our cb information) */
        if ((skb = sock_alloc_send_skb(sk, 0,
                                       msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
+                                       &err)) == NULL)
-                mutex_unlock(&econet_mutex);
+                goto error_free_buf;
-                return err;
-        }
        eb = (struct ec_cb *)&skb->cb;
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        udpmsg.msg_name = (void *)&udpdest;
        udpmsg.msg_namelen = sizeof(udpdest);
        udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
        udpmsg.msg_control = NULL;
        udpmsg.msg_controllen = 0;
        udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
        err = sock_sendmsg(udpsock, &udpmsg, size);
        set_fs(oldfs);
+error_free_buf:
+        vfree(userbuf);
 #else
        err = -EPROTOTYPE;
 #endif
+        error:
        mutex_unlock(&econet_mutex);
        return err;
@@ -671,6 +661,11 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
        err = 0;
        switch (cmd) {
        case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN)) {
+                        err = -EPERM;
+                        break;
+                }
                edev = dev->ec_ptr;
                if (edev == NULL) {
                        /* Magic up a new one. */
@@ -856,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 {
        struct iphdr *ip = ip_hdr(skb);
        unsigned char stn = ntohl(ip->saddr) & 0xff;
+        struct dst_entry *dst = skb_dst(skb);
+        struct ec_device *edev = NULL;
        struct sock *sk = NULL;
        struct sk_buff *newskb;
-        struct ec_device *edev = skb->dev->ec_ptr;
+        if (dst)
+                edev = dst->dev->ec_ptr;
        if (! edev)
                goto bad;
author	Jeremy Erickson <jerickso@cs.unc.edu>	2014-04-18 17:06:00 -0400
committer	Jeremy Erickson <jerickso@cs.unc.edu>	2014-04-18 17:06:00 -0400
commit	a215aa7b9ab3759c047201199fba64d3042d7f13 (patch)
tree	bca37493d9b2233450e6d3ffced1261d0e4f71fe /net/econet/af_econet.c
parent	d31199a77ef606f1d06894385f1852181ba6136b (diff)

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index dc54bd0d083b..172a6a91a214 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
31	#include <linux/skbuff.h>	31	#include <linux/skbuff.h>
32	#include <linux/udp.h>	32	#include <linux/udp.h>
33	#include <linux/slab.h>	33	#include <linux/slab.h>
		34	#include <linux/vmalloc.h>
34	#include <net/sock.h>	35	#include <net/sock.h>
35	#include <net/inet_common.h>	36	#include <net/inet_common.h>
36	#include <linux/stat.h>	37	#include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
276	#endif	277	#endif
277	#ifdef CONFIG_ECONET_AUNUDP	278	#ifdef CONFIG_ECONET_AUNUDP
278	struct msghdr udpmsg;	279	struct msghdr udpmsg;
279	struct iovec iov[msg->msg_iovlen+1];	280	struct iovec iov[2];
280	struct aunhdr ah;	281	struct aunhdr ah;
281	struct sockaddr_in udpdest;	282	struct sockaddr_in udpdest;
282	__kernel_size_t size;	283	__kernel_size_t size;
283	int i;
284	mm_segment_t oldfs;	284	mm_segment_t oldfs;
		285	char *userbuf;
285	#endif	286	#endif
286		287
287	/*	288	/*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
297		298
298	mutex_lock(&econet_mutex);	299	mutex_lock(&econet_mutex);
299		300
300	if (saddr == NULL) {	301	if (saddr == NULL \|\| msg->msg_namelen < sizeof(struct sockaddr_ec)) {
301	struct econet_sock *eo = ec_sk(sk);	302	mutex_unlock(&econet_mutex);
302		303	return -EINVAL;
303	addr.station = eo->station;	304	}
304	addr.net = eo->net;	305	addr.station = saddr->addr.station;
305	port = eo->port;	306	addr.net = saddr->addr.net;
306	cb = eo->cb;	307	port = saddr->port;
307	} else {	308	cb = saddr->cb;
308	if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
309	mutex_unlock(&econet_mutex);
310	return -EINVAL;
311	}
312	addr.station = saddr->addr.station;
313	addr.net = saddr->addr.net;
314	port = saddr->port;
315	cb = saddr->cb;
316	}
317		309
318	/* Look for a device with the right network number. */	310	/* Look for a device with the right network number. */
319	dev = net2dev_map[addr.net];	311	dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
328	}	320	}
329	}	321	}
330		322
331	if (len + 15 > dev->mtu) {
332	mutex_unlock(&econet_mutex);
333	return -EMSGSIZE;
334	}
335
336	if (dev->type == ARPHRD_ECONET) {	323	if (dev->type == ARPHRD_ECONET) {
337	/* Real hardware Econet. We're not worthy etc. */	324	/* Real hardware Econet. We're not worthy etc. */
338	#ifdef CONFIG_ECONET_NATIVE	325	#ifdef CONFIG_ECONET_NATIVE
339	unsigned short proto = 0;	326	unsigned short proto = 0;
340	int res;	327	int res;
341		328
		329	if (len + 15 > dev->mtu) {
		330	mutex_unlock(&econet_mutex);
		331	return -EMSGSIZE;
		332	}
		333
342	dev_hold(dev);	334	dev_hold(dev);
343		335
344	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),	336	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
351		343
352	eb = (struct ec_cb *)&skb->cb;	344	eb = (struct ec_cb *)&skb->cb;
353		345
354	/* BUG: saddr may be NULL */
355	eb->cookie = saddr->cookie;	346	eb->cookie = saddr->cookie;
356	eb->sec = *saddr;	347	eb->sec = *saddr;
357	eb->sent = ec_tx_done;	348	eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
415	return -ENETDOWN; /* No socket - can't send */	406	return -ENETDOWN; /* No socket - can't send */
416	}	407	}
417		408
		409	if (len > 32768) {
		410	err = -E2BIG;
		411	goto error;
		412	}
		413
418	/* Make up a UDP datagram and hand it off to some higher intellect. */	414	/* Make up a UDP datagram and hand it off to some higher intellect. */
419		415
420	memset(&udpdest, 0, sizeof(udpdest));	416	memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
446		442
447	/* tack our header on the front of the iovec */	443	/* tack our header on the front of the iovec */
448	size = sizeof(struct aunhdr);	444	size = sizeof(struct aunhdr);
449	/*
450	* XXX: that is b0rken. We can't mix userland and kernel pointers
451	* in iovec, since on a lot of platforms copy_from_user() will
452	* not work with the kernel and userland ones at the same time,
453	* regardless of what we do with set_fs(). And we are talking about
454	* econet-over-ethernet here, so "it's only ARM anyway" doesn't
455	* apply. Any suggestions on fixing that code? -- AV
456	*/
457	iov[0].iov_base = (void *)&ah;	445	iov[0].iov_base = (void *)&ah;
458	iov[0].iov_len = size;	446	iov[0].iov_len = size;
459	for (i = 0; i < msg->msg_iovlen; i++) {	447
460	void __user *base = msg->msg_iov[i].iov_base;	448	userbuf = vmalloc(len);
461	size_t iov_len = msg->msg_iov[i].iov_len;	449	if (userbuf == NULL) {
462	/* Check it now since we switch to KERNEL_DS later. */	450	err = -ENOMEM;
463	if (!access_ok(VERIFY_READ, base, iov_len)) {	451	goto error;
464	mutex_unlock(&econet_mutex);
465	return -EFAULT;
466	}
467	iov[i+1].iov_base = base;
468	iov[i+1].iov_len = iov_len;
469	size += iov_len;
470	}	452	}
471		453
		454	iov[1].iov_base = userbuf;
		455	iov[1].iov_len = len;
		456	err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
		457	if (err)
		458	goto error_free_buf;
		459
472	/* Get a skbuff (no data, just holds our cb information) */	460	/* Get a skbuff (no data, just holds our cb information) */
473	if ((skb = sock_alloc_send_skb(sk, 0,	461	if ((skb = sock_alloc_send_skb(sk, 0,
474	msg->msg_flags & MSG_DONTWAIT,	462	msg->msg_flags & MSG_DONTWAIT,
475	&err)) == NULL) {	463	&err)) == NULL)
476	mutex_unlock(&econet_mutex);	464	goto error_free_buf;
477	return err;
478	}
479		465
480	eb = (struct ec_cb *)&skb->cb;	466	eb = (struct ec_cb *)&skb->cb;
481		467
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
491	udpmsg.msg_name = (void *)&udpdest;	477	udpmsg.msg_name = (void *)&udpdest;
492	udpmsg.msg_namelen = sizeof(udpdest);	478	udpmsg.msg_namelen = sizeof(udpdest);
493	udpmsg.msg_iov = &iov[0];	479	udpmsg.msg_iov = &iov[0];
494	udpmsg.msg_iovlen = msg->msg_iovlen + 1;	480	udpmsg.msg_iovlen = 2;
495	udpmsg.msg_control = NULL;	481	udpmsg.msg_control = NULL;
496	udpmsg.msg_controllen = 0;	482	udpmsg.msg_controllen = 0;
497	udpmsg.msg_flags=0;	483	udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
499	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */	485	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */
500	err = sock_sendmsg(udpsock, &udpmsg, size);	486	err = sock_sendmsg(udpsock, &udpmsg, size);
501	set_fs(oldfs);	487	set_fs(oldfs);
		488
		489	error_free_buf:
		490	vfree(userbuf);
502	#else	491	#else
503	err = -EPROTOTYPE;	492	err = -EPROTOTYPE;
504	#endif	493	#endif
		494	error:
505	mutex_unlock(&econet_mutex);	495	mutex_unlock(&econet_mutex);
506		496
507	return err;	497	return err;
@@ -671,6 +661,11 @@ static int ec_dev_ioctl(struct socket sock, unsigned int cmd, void __user arg)
671	err = 0;	661	err = 0;
672	switch (cmd) {	662	switch (cmd) {
673	case SIOCSIFADDR:	663	case SIOCSIFADDR:
		664	if (!capable(CAP_NET_ADMIN)) {
		665	err = -EPERM;
		666	break;
		667	}
		668
674	edev = dev->ec_ptr;	669	edev = dev->ec_ptr;
675	if (edev == NULL) {	670	if (edev == NULL) {
676	/* Magic up a new one. */	671	/* Magic up a new one. */
@@ -856,9 +851,13 @@ static void aun_incoming(struct sk_buff skb, struct aunhdr ah, size_t len)
856	{	851	{
857	struct iphdr *ip = ip_hdr(skb);	852	struct iphdr *ip = ip_hdr(skb);
858	unsigned char stn = ntohl(ip->saddr) & 0xff;	853	unsigned char stn = ntohl(ip->saddr) & 0xff;
		854	struct dst_entry *dst = skb_dst(skb);
		855	struct ec_device *edev = NULL;
859	struct sock *sk = NULL;	856	struct sock *sk = NULL;
860	struct sk_buff *newskb;	857	struct sk_buff *newskb;
861	struct ec_device *edev = skb->dev->ec_ptr;	858
		859	if (dst)
		860	edev = dst->dev->ec_ptr;
862		861
863	if (! edev)	862	if (! edev)
864	goto bad;	863	goto bad;