author | Johannes Berg <johannes.berg@intel.com> | 2010-08-15 17:20:44 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-08-19 02:35:58 -0400 |
commit | 68d6ac6d2740b6a55f3ae92a4e0be6d881904b32 (patch) | |
tree | acb2b153892b6be2d39220017f30239d7d9a66b6 /net/netlink/af_netlink.c | |
parent | e243f5b6de35b6fc394bc2e1e1737afe538e7e0c (diff) |
netlink: fix compat recvmsg
Since
commit 1dacc76d0014a034b8aca14237c127d7c19d7726
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Wed Jul 1 11:26:02 2009 +0000
net/compat/wext: send different messages to compat tasks
we had a race condition when setting and then
restoring frag_list. Eric attempted to fix it,
but the fix created even worse problems.
However, the original motivation I had when I
added the code that turned out to be racy is
no longer clear to me, since we only copy up
to skb->len to userspace, which doesn't include
the frag_list length. As a result, not doing
any frag_list clearing and restoring avoids
the race condition, while not introducing any
other problems.
Additionally, while preparing this patch I found
that since none of the remaining netlink code is
really aware of the frag_list, we need to use the
original skb's information for packet information
and credentials. This fixes, for example, the
group information received by compat tasks.
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@kernel.org [2.6.31+, for 2.6.35 revert 1235f504aa]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlink/af_netlink.c')
-rw-r--r-- | net/netlink/af_netlink.c | 46 |
1 files changed, 16 insertions, 30 deletions
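--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1406,7 +1406,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	struct netlink_sock *nlk = nlk_sk(sk);
 	int noblock = flags&MSG_DONTWAIT;
 	size_t copied;
-	struct sk_buff *skb, *frag __maybe_unused = NULL;
+	struct sk_buff *skb, *data_skb;
 	int err;
 
 	if (flags&MSG_OOB)
@@ -1418,45 +1418,35 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	if (skb == NULL)
 		goto out;
 
+	data_skb = skb;
+
 #ifdef CONFIG_COMPAT_NETLINK_MESSAGES
 	if (unlikely(skb_shinfo(skb)->frag_list)) {
-		bool need_compat = !!(flags & MSG_CMSG_COMPAT);
-
 		/*
-		 * If this skb has a frag_list, then here that means that
-		 * we will have to use the frag_list skb for compat tasks
-		 * and the regular skb for non-compat tasks.
+		 * If this skb has a frag_list, then here that means that we
+		 * will have to use the frag_list skb's data for compat tasks
+		 * and the regular skb's data for normal (non-compat) tasks.
 		 *
-		 * The skb might (and likely will) be cloned, so we can't
-		 * just reset frag_list and go on with things -- we need to
-		 * keep that. For the compat case that's easy -- simply get
-		 * a reference to the compat skb and free the regular one
-		 * including the frag. For the non-compat case, we need to
-		 * avoid sending the frag to the user -- so assign NULL but
-		 * restore it below before freeing the skb.
+		 * If we need to send the compat skb, assign it to the
+		 * 'data_skb' variable so that it will be used below for data
+		 * copying. We keep 'skb' for everything else, including
+		 * freeing both later.
 		 */
-		if (need_compat) {
-			struct sk_buff *compskb = skb_shinfo(skb)->frag_list;
-			skb_get(compskb);
-			kfree_skb(skb);
-			skb = compskb;
-		} else {
-			frag = skb_shinfo(skb)->frag_list;
-			skb_shinfo(skb)->frag_list = NULL;
-		}
+		if (flags & MSG_CMSG_COMPAT)
+			data_skb = skb_shinfo(skb)->frag_list;
 	}
 #endif
 
 	msg->msg_namelen = 0;
 
-	copied = skb->len;
+	copied = data_skb->len;
 	if (len < copied) {
 		msg->msg_flags |= MSG_TRUNC;
 		copied = len;
 	}
 
-	skb_reset_transport_header(skb);
-	err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+	skb_reset_transport_header(data_skb);
+	err = skb_copy_datagram_iovec(data_skb, 0, msg->msg_iov, copied);
 
 	if (msg->msg_name) {
 		struct sockaddr_nl *addr = (struct sockaddr_nl *)msg->msg_name;
@@ -1476,11 +1466,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	}
 	siocb->scm->creds = *NETLINK_CREDS(skb);
 	if (flags & MSG_TRUNC)
-		copied = skb->len;
-
-#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
-	skb_shinfo(skb)->frag_list = frag;
-#endif
+		copied = data_skb->len;
 
 	skb_free_datagram(sk, skb);
 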
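Review bot: The line `siocb->scm->creds = *NETLINK_CREDS(skb);` (and the address fill-in just above this hunk) deliberately keeps using `skb` while the data copy two hunks earlier switched to `data_skb`, but nothing at that point records that the asymmetry is intentional, so a later cleanup could plausibly change it to `data_skb`. The commit message states that the remaining netlink code is not frag_list-aware and that packet information and credentials must come from the original skb, which suggests the frag_list skb's control block does not carry them; a one-line comment such as `/* cb/creds live on the original skb, never on data_skb (the compat frag) */` before the creds assignment would pin that down. It would also help to say in the comment block of the second hunk that `data_skb` takes no reference of its own and is only valid until `skb_free_datagram(sk, skb)`, since the frag is freed together with `skb`; any future early exit that frees `skb` before the copy would leave `data_skb` dangling. netlink_recvmsg begins before the first hunk and ends after this one.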