aboutsummaryrefslogtreecommitdiffstats
path: root/net/netlink/af_netlink.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2010-08-15 17:20:44 -0400
committerDavid S. Miller <davem@davemloft.net>2010-08-19 02:35:58 -0400
commit68d6ac6d2740b6a55f3ae92a4e0be6d881904b32 (patch)
treeacb2b153892b6be2d39220017f30239d7d9a66b6 /net/netlink/af_netlink.c
parente243f5b6de35b6fc394bc2e1e1737afe538e7e0c (diff)
netlink: fix compat recvmsg
Since commit 1dacc76d0014a034b8aca14237c127d7c19d7726 Author: Johannes Berg <johannes@sipsolutions.net> Date: Wed Jul 1 11:26:02 2009 +0000 net/compat/wext: send different messages to compat tasks we had a race condition when setting and then restoring frag_list. Eric attempted to fix it, but the fix created even worse problems. However, the original motivation I had when I added the code that turned out to be racy is no longer clear to me, since we only copy up to skb->len to userspace, which doesn't include the frag_list length. As a result, not doing any frag_list clearing and restoring avoids the race condition, while not introducing any other problems. Additionally, while preparing this patch I found that since none of the remaining netlink code is really aware of the frag_list, we need to use the original skb's information for packet information and credentials. This fixes, for example, the group information received by compat tasks. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: stable@kernel.org [2.6.31+, for 2.6.35 revert 1235f504aa] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlink/af_netlink.c')
-rw-r--r--net/netlink/af_netlink.c46
1 files changed, 16 insertions, 30 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 8648a9922aab..980fe4ad0016 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1406,7 +1406,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
1406 struct netlink_sock *nlk = nlk_sk(sk); 1406 struct netlink_sock *nlk = nlk_sk(sk);
1407 int noblock = flags&MSG_DONTWAIT; 1407 int noblock = flags&MSG_DONTWAIT;
1408 size_t copied; 1408 size_t copied;
1409 struct sk_buff *skb, *frag __maybe_unused = NULL; 1409 struct sk_buff *skb, *data_skb;
1410 int err; 1410 int err;
1411 1411
1412 if (flags&MSG_OOB) 1412 if (flags&MSG_OOB)
@@ -1418,45 +1418,35 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
1418 if (skb == NULL) 1418 if (skb == NULL)
1419 goto out; 1419 goto out;
1420 1420
1421 data_skb = skb;
1422
1421#ifdef CONFIG_COMPAT_NETLINK_MESSAGES 1423#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
1422 if (unlikely(skb_shinfo(skb)->frag_list)) { 1424 if (unlikely(skb_shinfo(skb)->frag_list)) {
1423 bool need_compat = !!(flags & MSG_CMSG_COMPAT);
1424
1425 /* 1425 /*
1426 * If this skb has a frag_list, then here that means that 1426 * If this skb has a frag_list, then here that means that we
1427 * we will have to use the frag_list skb for compat tasks 1427 * will have to use the frag_list skb's data for compat tasks
1428 * and the regular skb for non-compat tasks. 1428 * and the regular skb's data for normal (non-compat) tasks.
1429 * 1429 *
1430 * The skb might (and likely will) be cloned, so we can't 1430 * If we need to send the compat skb, assign it to the
1431 * just reset frag_list and go on with things -- we need to 1431 * 'data_skb' variable so that it will be used below for data
1432 * keep that. For the compat case that's easy -- simply get 1432 * copying. We keep 'skb' for everything else, including
1433 * a reference to the compat skb and free the regular one 1433 * freeing both later.
1434 * including the frag. For the non-compat case, we need to
1435 * avoid sending the frag to the user -- so assign NULL but
1436 * restore it below before freeing the skb.
1437 */ 1434 */
1438 if (need_compat) { 1435 if (flags & MSG_CMSG_COMPAT)
1439 struct sk_buff *compskb = skb_shinfo(skb)->frag_list; 1436 data_skb = skb_shinfo(skb)->frag_list;
1440 skb_get(compskb);
1441 kfree_skb(skb);
1442 skb = compskb;
1443 } else {
1444 frag = skb_shinfo(skb)->frag_list;
1445 skb_shinfo(skb)->frag_list = NULL;
1446 }
1447 } 1437 }
1448#endif 1438#endif
1449 1439
1450 msg->msg_namelen = 0; 1440 msg->msg_namelen = 0;
1451 1441
1452 copied = skb->len; 1442 copied = data_skb->len;
1453 if (len < copied) { 1443 if (len < copied) {
1454 msg->msg_flags |= MSG_TRUNC; 1444 msg->msg_flags |= MSG_TRUNC;
1455 copied = len; 1445 copied = len;
1456 } 1446 }
1457 1447
1458 skb_reset_transport_header(skb); 1448 skb_reset_transport_header(data_skb);
1459 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 1449 err = skb_copy_datagram_iovec(data_skb, 0, msg->msg_iov, copied);
1460 1450
1461 if (msg->msg_name) { 1451 if (msg->msg_name) {
1462 struct sockaddr_nl *addr = (struct sockaddr_nl *)msg->msg_name; 1452 struct sockaddr_nl *addr = (struct sockaddr_nl *)msg->msg_name;
@@ -1476,11 +1466,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
1476 } 1466 }
1477 siocb->scm->creds = *NETLINK_CREDS(skb); 1467 siocb->scm->creds = *NETLINK_CREDS(skb);
1478 if (flags & MSG_TRUNC) 1468 if (flags & MSG_TRUNC)
1479 copied = skb->len; 1469 copied = data_skb->len;
1480
1481#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
1482 skb_shinfo(skb)->frag_list = frag;
1483#endif
1484 1470
1485 skb_free_datagram(sk, skb); 1471 skb_free_datagram(sk, skb);
1486 1472