diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-10-24 00:27:10 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-10-24 19:25:39 -0400 |
| commit | 5c398dc8f5a58b5417d8ae0d474704feb6e12a12 (patch) | |
| tree | f4305312340df1ebeae5de3896d3fb4c3da3c6e8 /net | |
| parent | 7f8a688e1e319fcc94dbed83a6ec82cea13f10b9 (diff) | |
netlink: fix netlink_change_ngroups()
commit 6c04bb18ddd633 (netlink: use call_rcu for netlink_change_ngroups)
used a somewhat convoluted and racy way to perform call_rcu().
The old block of memory is freed after a grace period, but the rcu_head
used to track it is located in new block.
This can clash if we call two times or more netlink_change_ngroups(),
and a block is freed before another. call_rcu() called on different cpus
makes no guarantee in order of callbacks.
Fix this using a more standard way of handling this : Each block of
memory contains its own rcu_head, so that no 'use after free' can
happens.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Johannes Berg <johannes@sipsolutions.net>
CC: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netlink/af_netlink.c | 65 |
1 files changed, 24 insertions, 41 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index cd96ed3ccee4..478181d53c55 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c | |||
| @@ -83,9 +83,9 @@ struct netlink_sock { | |||
| 83 | struct module *module; | 83 | struct module *module; |
| 84 | }; | 84 | }; |
| 85 | 85 | ||
| 86 | struct listeners_rcu_head { | 86 | struct listeners { |
| 87 | struct rcu_head rcu_head; | 87 | struct rcu_head rcu; |
| 88 | void *ptr; | 88 | unsigned long masks[0]; |
| 89 | }; | 89 | }; |
| 90 | 90 | ||
| 91 | #define NETLINK_KERNEL_SOCKET 0x1 | 91 | #define NETLINK_KERNEL_SOCKET 0x1 |
| @@ -119,7 +119,7 @@ struct nl_pid_hash { | |||
| 119 | struct netlink_table { | 119 | struct netlink_table { |
| 120 | struct nl_pid_hash hash; | 120 | struct nl_pid_hash hash; |
| 121 | struct hlist_head mc_list; | 121 | struct hlist_head mc_list; |
| 122 | unsigned long *listeners; | 122 | struct listeners __rcu *listeners; |
| 123 | unsigned int nl_nonroot; | 123 | unsigned int nl_nonroot; |
| 124 | unsigned int groups; | 124 | unsigned int groups; |
| 125 | struct mutex *cb_mutex; | 125 | struct mutex *cb_mutex; |
| @@ -338,7 +338,7 @@ netlink_update_listeners(struct sock *sk) | |||
| 338 | if (i < NLGRPLONGS(nlk_sk(sk)->ngroups)) | 338 | if (i < NLGRPLONGS(nlk_sk(sk)->ngroups)) |
| 339 | mask |= nlk_sk(sk)->groups[i]; | 339 | mask |= nlk_sk(sk)->groups[i]; |
| 340 | } | 340 | } |
| 341 | tbl->listeners[i] = mask; | 341 | tbl->listeners->masks[i] = mask; |
| 342 | } | 342 | } |
| 343 | /* this function is only called with the netlink table "grabbed", which | 343 | /* this function is only called with the netlink table "grabbed", which |
| 344 | * makes sure updates are visible before bind or setsockopt return. */ | 344 | * makes sure updates are visible before bind or setsockopt return. */ |
| @@ -936,7 +936,7 @@ EXPORT_SYMBOL(netlink_unicast); | |||
| 936 | int netlink_has_listeners(struct sock *sk, unsigned int group) | 936 | int netlink_has_listeners(struct sock *sk, unsigned int group) |
| 937 | { | 937 | { |
| 938 | int res = 0; | 938 | int res = 0; |
| 939 | unsigned long *listeners; | 939 | struct listeners *listeners; |
| 940 | 940 | ||
| 941 | BUG_ON(!netlink_is_kernel(sk)); | 941 | BUG_ON(!netlink_is_kernel(sk)); |
| 942 | 942 | ||
| @@ -944,7 +944,7 @@ int netlink_has_listeners(struct sock *sk, unsigned int group) | |||
| 944 | listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners); | 944 | listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners); |
| 945 | 945 | ||
| 946 | if (group - 1 < nl_table[sk->sk_protocol].groups) | 946 | if (group - 1 < nl_table[sk->sk_protocol].groups) |
| 947 | res = test_bit(group - 1, listeners); | 947 | res = test_bit(group - 1, listeners->masks); |
| 948 | 948 | ||
| 949 | rcu_read_unlock(); | 949 | rcu_read_unlock(); |
| 950 | 950 | ||
| @@ -1498,7 +1498,7 @@ netlink_kernel_create(struct net *net, int unit, unsigned int groups, | |||
| 1498 | struct socket *sock; | 1498 | struct socket *sock; |
| 1499 | struct sock *sk; | 1499 | struct sock *sk; |
| 1500 | struct netlink_sock *nlk; | 1500 | struct netlink_sock *nlk; |
| 1501 | unsigned long *listeners = NULL; | 1501 | struct listeners *listeners = NULL; |
| 1502 | 1502 | ||
| 1503 | BUG_ON(!nl_table); | 1503 | BUG_ON(!nl_table); |
| 1504 | 1504 | ||
| @@ -1523,8 +1523,7 @@ netlink_kernel_create(struct net *net, int unit, unsigned int groups, | |||
| 1523 | if (groups < 32) | 1523 | if (groups < 32) |
| 1524 | groups = 32; | 1524 | groups = 32; |
| 1525 | 1525 | ||
| 1526 | listeners = kzalloc(NLGRPSZ(groups) + sizeof(struct listeners_rcu_head), | 1526 | listeners = kzalloc(sizeof(*listeners) + NLGRPSZ(groups), GFP_KERNEL); |
| 1527 | GFP_KERNEL); | ||
| 1528 | if (!listeners) | 1527 | if (!listeners) |
| 1529 | goto out_sock_release; | 1528 | goto out_sock_release; |
| 1530 | 1529 | ||
| @@ -1541,7 +1540,7 @@ netlink_kernel_create(struct net *net, int unit, unsigned int groups, | |||
| 1541 | netlink_table_grab(); | 1540 | netlink_table_grab(); |
| 1542 | if (!nl_table[unit].registered) { | 1541 | if (!nl_table[unit].registered) { |
| 1543 | nl_table[unit].groups = groups; | 1542 | nl_table[unit].groups = groups; |
| 1544 | nl_table[unit].listeners = listeners; | 1543 | rcu_assign_pointer(nl_table[unit].listeners, listeners); |
| 1545 | nl_table[unit].cb_mutex = cb_mutex; | 1544 | nl_table[unit].cb_mutex = cb_mutex; |
| 1546 | nl_table[unit].module = module; | 1545 | nl_table[unit].module = module; |
| 1547 | nl_table[unit].registered = 1; | 1546 | nl_table[unit].registered = 1; |
| @@ -1572,43 +1571,28 @@ netlink_kernel_release(struct sock *sk) | |||
| 1572 | EXPORT_SYMBOL(netlink_kernel_release); | 1571 | EXPORT_SYMBOL(netlink_kernel_release); |
| 1573 | 1572 | ||
| 1574 | 1573 | ||
| 1575 | static void netlink_free_old_listeners(struct rcu_head *rcu_head) | 1574 | static void listeners_free_rcu(struct rcu_head *head) |
| 1576 | { | 1575 | { |
| 1577 | struct listeners_rcu_head *lrh; | 1576 | kfree(container_of(head, struct listeners, rcu)); |
| 1578 | |||
| 1579 | lrh = container_of(rcu_head, struct listeners_rcu_head, rcu_head); | ||
| 1580 | kfree(lrh->ptr); | ||
| 1581 | } | 1577 | } |
| 1582 | 1578 | ||
| 1583 | int __netlink_change_ngroups(struct sock *sk, unsigned int groups) | 1579 | int __netlink_change_ngroups(struct sock *sk, unsigned int groups) |
| 1584 | { | 1580 | { |
| 1585 | unsigned long *listeners, *old = NULL; | 1581 | struct listeners *new, *old; |
| 1586 | struct listeners_rcu_head *old_rcu_head; | ||
| 1587 | struct netlink_table *tbl = &nl_table[sk->sk_protocol]; | 1582 | struct netlink_table *tbl = &nl_table[sk->sk_protocol]; |
| 1588 | 1583 | ||
| 1589 | if (groups < 32) | 1584 | if (groups < 32) |
| 1590 | groups = 32; | 1585 | groups = 32; |
| 1591 | 1586 | ||
| 1592 | if (NLGRPSZ(tbl->groups) < NLGRPSZ(groups)) { | 1587 | if (NLGRPSZ(tbl->groups) < NLGRPSZ(groups)) { |
| 1593 | listeners = kzalloc(NLGRPSZ(groups) + | 1588 | new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC); |
| 1594 | sizeof(struct listeners_rcu_head), | 1589 | if (!new) |
| 1595 | GFP_ATOMIC); | ||
| 1596 | if (!listeners) | ||
| 1597 | return -ENOMEM; | 1590 | return -ENOMEM; |
| 1598 | old = tbl->listeners; | 1591 | old = rcu_dereference_raw(tbl->listeners); |
| 1599 | memcpy(listeners, old, NLGRPSZ(tbl->groups)); | 1592 | memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups)); |
| 1600 | rcu_assign_pointer(tbl->listeners, listeners); | 1593 | rcu_assign_pointer(tbl->listeners, new); |
| 1601 | /* | 1594 | |
| 1602 | * Free the old memory after an RCU grace period so we | 1595 | call_rcu(&old->rcu, listeners_free_rcu); |
| 1603 | * don't leak it. We use call_rcu() here in order to be | ||
| 1604 | * able to call this function from atomic contexts. The | ||
| 1605 | * allocation of this memory will have reserved enough | ||
| 1606 | * space for struct listeners_rcu_head at the end. | ||
| 1607 | */ | ||
| 1608 | old_rcu_head = (void *)(tbl->listeners + | ||
| 1609 | NLGRPLONGS(tbl->groups)); | ||
| 1610 | old_rcu_head->ptr = old; | ||
| 1611 | call_rcu(&old_rcu_head->rcu_head, netlink_free_old_listeners); | ||
| 1612 | } | 1596 | } |
| 1613 | tbl->groups = groups; | 1597 | tbl->groups = groups; |
| 1614 | 1598 | ||
| @@ -2104,18 +2088,17 @@ static void __net_exit netlink_net_exit(struct net *net) | |||
| 2104 | 2088 | ||
| 2105 | static void __init netlink_add_usersock_entry(void) | 2089 | static void __init netlink_add_usersock_entry(void) |
| 2106 | { | 2090 | { |
| 2107 | unsigned long *listeners; | 2091 | struct listeners *listeners; |
| 2108 | int groups = 32; | 2092 | int groups = 32; |
| 2109 | 2093 | ||
| 2110 | listeners = kzalloc(NLGRPSZ(groups) + sizeof(struct listeners_rcu_head), | 2094 | listeners = kzalloc(sizeof(*listeners) + NLGRPSZ(groups), GFP_KERNEL); |
| 2111 | GFP_KERNEL); | ||
| 2112 | if (!listeners) | 2095 | if (!listeners) |
| 2113 | panic("netlink_add_usersock_entry: Cannot allocate listneres\n"); | 2096 | panic("netlink_add_usersock_entry: Cannot allocate listeners\n"); |
| 2114 | 2097 | ||
| 2115 | netlink_table_grab(); | 2098 | netlink_table_grab(); |
| 2116 | 2099 | ||
| 2117 | nl_table[NETLINK_USERSOCK].groups = groups; | 2100 | nl_table[NETLINK_USERSOCK].groups = groups; |
| 2118 | nl_table[NETLINK_USERSOCK].listeners = listeners; | 2101 | rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners); |
| 2119 | nl_table[NETLINK_USERSOCK].module = THIS_MODULE; | 2102 | nl_table[NETLINK_USERSOCK].module = THIS_MODULE; |
| 2120 | nl_table[NETLINK_USERSOCK].registered = 1; | 2103 | nl_table[NETLINK_USERSOCK].registered = 1; |
| 2121 | 2104 | ||