1. 22 Aug, 2018 1 commit
  2. 30 May, 2018 1 commit
  3. 19 May, 2018 1 commit
    • Eric Dumazet's avatar
      llc: better deal with too small mtu · 1e22ffab
      Eric Dumazet authored
      [ Upstream commit 2c5d5b13c6eb79f5677e206b8aad59b3a2097f60 ]
      
      syzbot loves to set very small mtu on devices, since it brings joy.
      We must make llc_ui_sendmsg() fool proof.
      
      usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446612139802320068)!
      
      kernel BUG at mm/usercopy.c:100!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 17464 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #36
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:usercopy_abort+0xbb/0xbd mm/usercopy.c:88
      RSP: 0018:ffff8801868bf800 EFLAGS: 00010282
      RAX: 000000000000006c RBX: ffffffff87d2fb00 RCX: 0000000000000000
      RDX: 000000000000006c RSI: ffffffff81610731 RDI: ffffed0030d17ef6
      RBP: ffff8801868bf858 R08: ffff88018daa4200 R09: ffffed003b5c4fb0
      R10: ffffed003b5c4fb0 R11: ffff8801dae27d87 R12: ffffffff87d2f8e0
      R13: ffffffff87d2f7a0 R14: ffffffff87d2f7a0 R15: ffffffff87d2f7a0
      FS:  00007f56a14ac700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b2bc21000 CR3: 00000001abeb1000 CR4: 00000000001426f0
      DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000030602
      Call Trace:
       check_bogus_address mm/usercopy.c:153 [inline]
       __check_object_size+0x5d9/0x5d9 mm/usercopy.c:256
       check_object_size include/linux/thread_info.h:108 [inline]
       check_copy_size include/linux/thread_info.h:139 [inline]
       copy_from_iter_full include/linux/uio.h:121 [inline]
       memcpy_from_msg include/linux/skbuff.h:3305 [inline]
       llc_ui_sendmsg+0x4b1/0x1530 net/llc/af_llc.c:941
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       __sys_sendto+0x3d7/0x670 net/socket.c:1789
       __do_sys_sendto net/socket.c:1801 [inline]
       __se_sys_sendto net/socket.c:1797 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x455979
      RSP: 002b:00007f56a14abc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007f56a14ac6d4 RCX: 0000000000455979
      RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000018
      RBP: 000000000072bea0 R08: 00000000200012c0 R09: 0000000000000010
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 0000000000000548 R14: 00000000006fbf60 R15: 0000000000000000
      Code: 55 c0 e8 c0 55 bb ff ff 75 c8 48 8b 55 c0 4d 89 f9 ff 75 d0 4d 89 e8 48 89 d9 4c 89 e6 41 56 48 c7 c7 80 fa d2 87 e8 a0 0b a3 ff <0f> 0b e8 95 55 bb ff e8 c0 a8 f7 ff 8b 95 14 ff ff ff 4d 89 e8
      RIP: usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: ffff8801868bf800
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: 's avatarEric Dumazet <edumazet@google.com>
      Reported-by: 's avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e22ffab
  4. 29 Apr, 2018 3 commits
    • Cong Wang's avatar
      llc: fix NULL pointer deref for SOCK_ZAPPED · 7814c479
      Cong Wang authored
      
      [ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
      
      For SOCK_ZAPPED socket, we don't need to care about llc->sap,
      so we should just skip these refcount functions in this case.
      
      Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
      Reported-by: 's avatarkernel test robot <lkp@intel.com>
      Signed-off-by: 's avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7814c479
    • Cong Wang's avatar
      llc: hold llc_sap before release_sock() · 543a6011
      Cong Wang authored
      
      [ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
      
      syzbot reported we still access llc->sap in llc_backlog_rcv()
      after it is freed in llc_sap_remove_socket():
      
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
       llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
       llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
       llc_conn_service net/llc/llc_conn.c:400 [inline]
       llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
       llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
       sk_backlog_rcv include/net/sock.h:909 [inline]
       __release_sock+0x12f/0x3a0 net/core/sock.c:2335
       release_sock+0xa4/0x2b0 net/core/sock.c:2850
       llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
      
      llc->sap is refcount'ed and llc_sap_remove_socket() is paired
      with llc_sap_add_socket(). This can be amended by holding its refcount
      before llc_sap_remove_socket() and releasing it after release_sock().
      
      Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
      Signed-off-by: 's avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      543a6011
    • Cong Wang's avatar
      llc: delete timers synchronously in llc_sk_free() · cb225e80
      Cong Wang authored
      
      [ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
      
      The connection timers of an llc sock could be still flying
      after we delete them in llc_sk_free(), and even possibly
      after we free the sock. We could just wait synchronously
      here in case of troubles.
      
      Note, I leave other call paths as they are, since they may
      not have to wait, at least we can change them to synchronously
      when needed.
      
      Also, move the code to net/llc/llc_conn.c, which is apparently
      a better place.
      
      Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
      Signed-off-by: 's avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb225e80
  5. 02 Nov, 2017 1 commit
    • Greg Kroah-Hartman's avatar
      License cleanup: add SPDX GPL-2.0 license identifier to files with no license · b2441318
      Greg Kroah-Hartman authored
      Many source files in the tree are missing licensing information, which
      makes it harder for compliance tools to determine the correct license.
      
      By default all files without license information are under the default
      license of the kernel, which is GPL version 2.
      
      Update the files which contain no license information with the 'GPL-2.0'
      SPDX license identifier.  The SPDX identifier is a legally binding
      shorthand, which can be used instead of the full boiler plate text.
      
      This patch is based on work done by Thomas Gleixner and Kate Stewart and
      Philippe Ombredanne.
      
      How this work was done:
      
      Patches were generated and checked against linux-4.14-rc6 for a subset of
      the use cases:
       - file had no licensing information it it.
       - file was a */uapi/* one with no licensing information in it,
       - file was a */uapi/* one with existing licensing information,
      
      Further patches will be generated in subsequent months to fix up cases
      where non-standard license headers were used, and references to license
      had to be inferred by heuristics based on keywords.
      
      The analysis to determine which SPDX License Identifier to be applied to
      a file was done in a spreadsheet of side by side results from of the
      output of two independent scanners (ScanCode & Windriver) producing SPDX
      tag:value files created by Philippe Ombredanne.  Philippe prepared the
      base worksheet, and did an initial spot review of a few 1000 files.
      
      The 4.13 kernel was the starting point of the analysis with 60,537 files
      assessed.  Kate Stewart did a file by file comparison of the scanner
      results in the spreadsheet to determine which SPDX license identifier(s)
      to be applied to the file. She confirmed any determination that was not
      immediately clear with lawyers working with the Linux Foundation.
      
      Criteria used to select files for SPDX license identifier tagging was:
       - Files considered eligible had to be source code files.
       - Make and config files were included as candidates if they contained >5
         lines of source
       - File already had some variant of a license header in it (even if <5
         lines).
      
      All documentation files were explicitly excluded.
      
      The following heuristics were used to determine which SPDX license
      identifiers to apply.
      
       - when both scanners couldn't find any license traces, file was
         considered to have no license information in it, and the top level
         COPYING file license applied.
      
         For non */uapi/* files that summary was:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|-------
         GPL-2.0                                              11139
      
         and resulted in the first patch in this series.
      
         If that file was a */uapi/* path one, it was "GPL-2.0 WITH
         Linux-syscall-note" otherwise it was "GPL-2.0".  Results of that was:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|-------
         GPL-2.0 WITH Linux-syscall-note                        930
      
         and resulted in the second patch in this series.
      
       - if a file had some form of licensing information in it, and was one
         of the */uapi/* ones, it was denoted with the Linux-syscall-note if
         any GPL family license was found in the file or had no licensing in
         it (per prior point).  Results summary:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|------
         GPL-2.0 WITH Linux-syscall-note                       270
         GPL-2.0+ WITH Linux-syscall-note                      169
         ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)    21
         ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)    17
         LGPL-2.1+ WITH Linux-syscall-note                      15
         GPL-1.0+ WITH Linux-syscall-note                       14
         ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)    5
         LGPL-2.0+ WITH Linux-syscall-note                       4
         LGPL-2.1 WITH Linux-syscall-note                        3
         ((GPL-2.0 WITH Linux-syscall-note) OR MIT)              3
         ((GPL-2.0 WITH Linux-syscall-note) AND MIT)             1
      
         and that resulted in the third patch in this series.
      
       - when the two scanners agreed on the detected license(s), that became
         the concluded license(s).
      
       - when there was disagreement between the two scanners (one detected a
         license but the other didn't, or they both detected different
         licenses) a manual inspection of the file occurred.
      
       - In most cases a manual inspection of the information in the file
         resulted in a clear resolution of the license that should apply (and
         which scanner probably needed to revisit its heuristics).
      
       - When it was not immediately clear, the license identifier was
         confirmed with lawyers working with the Linux Foundation.
      
       - If there was any question as to the appropriate license identifier,
         the file was flagged for further research and to be revisited later
         in time.
      
      In total, over 70 hours of logged manual review was done on the
      spreadsheet to determine the SPDX license identifiers to apply to the
      source files by Kate, Philippe, Thomas and, in some cases, confirmation
      by lawyers working with the Linux Foundation.
      
      Kate also obtained a third independent scan of the 4.13 code base from
      FOSSology, and compared selected files where the other two scanners
      disagreed against that SPDX file, to see if there was new insights.  The
      Windriver scanner is based on an older version of FOSSology in part, so
      they are related.
      
      Thomas did random spot checks in about 500 files from the spreadsheets
      for the uapi headers and agreed with SPDX license identifier in the
      files he inspected. For the non-uapi files Thomas did random spot checks
      in about 15000 files.
      
      In initial set of patches against 4.14-rc6, 3 files were found to have
      copy/paste license identifier errors, and have been fixed to reflect the
      correct identifier.
      
      Additionally Philippe spent 10 hours this week doing a detailed manual
      inspection and review of the 12,461 patched files from the initial patch
      version early this week with:
       - a full scancode scan run, collecting the matched texts, detected
         license ids and scores
       - reviewing anything where there was a license detected (about 500+
         files) to ensure that the applied SPDX license was correct
       - reviewing anything where there was no detection but the patch license
         was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
         SPDX license was correct
      
      This produced a worksheet with 20 files needing minor correction.  This
      worksheet was then exported into 3 different .csv files for the
      different types of files to be modified.
      
      These .csv files were then reviewed by Greg.  Thomas wrote a script to
      parse the csv files and add the proper SPDX tag to the file, in the
      format that the file expected.  This script was further refined by Greg
      based on the output to detect more types of files automatically and to
      distinguish between header and source .c files (which need different
      comment types.)  Finally Greg ran the script using the .csv files to
      generate the patches.
      Reviewed-by: 's avatarKate Stewart <kstewart@linuxfoundation.org>
      Reviewed-by: 's avatarPhilippe Ombredanne <pombredanne@nexb.com>
      Reviewed-by: 's avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2441318
  6. 04 Jul, 2017 1 commit
  7. 01 Jul, 2017 1 commit
  8. 26 May, 2017 1 commit
    • linzhang's avatar
      net: llc: add lock_sock in llc_ui_bind to avoid a race condition · 0908cf4d
      linzhang authored
      There is a race condition in llc_ui_bind if two or more processes/threads
      try to bind a same socket.
      
      If more processes/threads bind a same socket success that will lead to
      two problems, one is this action is not what we expected, another is
      will lead to kernel in unstable status or oops(in my simple test case,
      cause llc2.ko can't unload).
      
      The current code is test SOCK_ZAPPED bit to avoid a process to
      bind a same socket twice but that is can't avoid more processes/threads
      try to bind a same socket at the same time.
      
      So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect.
      Signed-off-by: 's avatarLin Zhang <xiaolou4617@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      0908cf4d
  9. 18 Apr, 2017 1 commit
    • Paul E. McKenney's avatar
      mm: Rename SLAB_DESTROY_BY_RCU to SLAB_TYPESAFE_BY_RCU · 5f0d5a3a
      Paul E. McKenney authored
      A group of Linux kernel hackers reported chasing a bug that resulted
      from their assumption that SLAB_DESTROY_BY_RCU provided an existence
      guarantee, that is, that no block from such a slab would be reallocated
      during an RCU read-side critical section.  Of course, that is not the
      case.  Instead, SLAB_DESTROY_BY_RCU only prevents freeing of an entire
      slab of blocks.
      
      However, there is a phrase for this, namely "type safety".  This commit
      therefore renames SLAB_DESTROY_BY_RCU to SLAB_TYPESAFE_BY_RCU in order
      to avoid future instances of this sort of confusion.
      Signed-off-by: 's avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: <linux-mm@kvack.org>
      Acked-by: 's avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: 's avatarVlastimil Babka <vbabka@suse.cz>
      [ paulmck: Add comments mentioning the old name, as requested by Eric
        Dumazet, in order to help people familiar with the old name find
        the new one. ]
      Acked-by: 's avatarDavid Rientjes <rientjes@google.com>
      5f0d5a3a
  10. 10 Mar, 2017 1 commit
    • David Howells's avatar
      net: Work around lockdep limitation in sockets that use sockets · cdfbabfb
      David Howells authored
      Lockdep issues a circular dependency warning when AFS issues an operation
      through AF_RXRPC from a context in which the VFS/VM holds the mmap_sem.
      
      The theory lockdep comes up with is as follows:
      
       (1) If the pagefault handler decides it needs to read pages from AFS, it
           calls AFS with mmap_sem held and AFS begins an AF_RXRPC call, but
           creating a call requires the socket lock:
      
      	mmap_sem must be taken before sk_lock-AF_RXRPC
      
       (2) afs_open_socket() opens an AF_RXRPC socket and binds it.  rxrpc_bind()
           binds the underlying UDP socket whilst holding its socket lock.
           inet_bind() takes its own socket lock:
      
      	sk_lock-AF_RXRPC must be taken before sk_lock-AF_INET
      
       (3) Reading from a TCP socket into a userspace buffer might cause a fault
           and thus cause the kernel to take the mmap_sem, but the TCP socket is
           locked whilst doing this:
      
      	sk_lock-AF_INET must be taken before mmap_sem
      
      However, lockdep's theory is wrong in this instance because it deals only
      with lock classes and not individual locks.  The AF_INET lock in (2) isn't
      really equivalent to the AF_INET lock in (3) as the former deals with a
      socket entirely internal to the kernel that never sees userspace.  This is
      a limitation in the design of lockdep.
      
      Fix the general case by:
      
       (1) Double up all the locking keys used in sockets so that one set are
           used if the socket is created by userspace and the other set is used
           if the socket is created by the kernel.
      
       (2) Store the kern parameter passed to sk_alloc() in a variable in the
           sock struct (sk_kern_sock).  This informs sock_lock_init(),
           sock_init_data() and sk_clone_lock() as to the lock keys to be used.
      
           Note that the child created by sk_clone_lock() inherits the parent's
           kern setting.
      
       (3) Add a 'kern' parameter to ->accept() that is analogous to the one
           passed in to ->create() that distinguishes whether kernel_accept() or
           sys_accept4() was the caller and can be passed to sk_alloc().
      
           Note that a lot of accept functions merely dequeue an already
           allocated socket.  I haven't touched these as the new socket already
           exists before we get the parameter.
      
           Note also that there are a couple of places where I've made the accepted
           socket unconditionally kernel-based:
      
      	irda_accept()
      	rds_rcp_accept_one()
      	tcp_accept_from_sock()
      
           because they follow a sock_create_kern() and accept off of that.
      
      Whilst creating this, I noticed that lustre and ocfs don't create sockets
      through sock_create_kern() and thus they aren't marked as for-kernel,
      though they appear to be internal.  I wonder if these should do that so
      that they use the new set of lock keys.
      Signed-off-by: 's avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      cdfbabfb
  11. 02 Mar, 2017 1 commit
  12. 13 Feb, 2017 1 commit
  13. 14 Nov, 2016 1 commit
  14. 17 Sep, 2016 1 commit
  15. 04 May, 2016 1 commit
  16. 14 Apr, 2016 1 commit
  17. 17 Feb, 2016 1 commit
  18. 27 Jul, 2015 1 commit
  19. 11 May, 2015 1 commit
  20. 02 Mar, 2015 1 commit
  21. 25 Jan, 2015 1 commit
  22. 10 Dec, 2014 3 commits
  23. 24 Nov, 2014 1 commit
  24. 05 Nov, 2014 1 commit
    • David S. Miller's avatar
      net: Add and use skb_copy_datagram_msg() helper. · 51f3d02b
      David S. Miller authored
      This encapsulates all of the skb_copy_datagram_iovec() callers
      with call argument signature "skb, offset, msghdr->msg_iov, length".
      
      When we move to iov_iters in the networking, the iov_iter object will
      sit in the msghdr.
      
      Having a helper like this means there will be less places to touch
      during that transformation.
      
      Based upon descriptions and patch from Al Viro.
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      51f3d02b
  25. 24 Oct, 2014 1 commit
  26. 28 Sep, 2014 1 commit
  27. 29 Jan, 2014 1 commit
    • Dave Jones's avatar
      llc: remove noisy WARN from llc_mac_hdr_init · 0f1a24c9
      Dave Jones authored
      Sending malformed llc packets triggers this spew, which seems excessive.
      
      WARNING: CPU: 1 PID: 6917 at net/llc/llc_output.c:46 llc_mac_hdr_init+0x85/0x90 [llc]()
      device type not supported: 0
      CPU: 1 PID: 6917 Comm: trinity-c1 Not tainted 3.13.0+ #95
       0000000000000009 00000000007e257d ffff88009232fbe8 ffffffffac737325
       ffff88009232fc30 ffff88009232fc20 ffffffffac06d28d ffff88020e07f180
       ffff88009232fec0 00000000000000c8 0000000000000000 ffff88009232fe70
      Call Trace:
       [<ffffffffac737325>] dump_stack+0x4e/0x7a
       [<ffffffffac06d28d>] warn_slowpath_common+0x7d/0xa0
       [<ffffffffac06d30c>] warn_slowpath_fmt+0x5c/0x80
       [<ffffffffc01736d5>] llc_mac_hdr_init+0x85/0x90 [llc]
       [<ffffffffc0173759>] llc_build_and_send_ui_pkt+0x79/0x90 [llc]
       [<ffffffffc057cdba>] llc_ui_sendmsg+0x23a/0x400 [llc2]
       [<ffffffffac605d8c>] sock_sendmsg+0x9c/0xe0
       [<ffffffffac185a37>] ? might_fault+0x47/0x50
       [<ffffffffac606321>] SYSC_sendto+0x121/0x1c0
       [<ffffffffac011847>] ? syscall_trace_enter+0x207/0x270
       [<ffffffffac6071ce>] SyS_sendto+0xe/0x10
       [<ffffffffac74aaa4>] tracesys+0xdd/0xe2
      
      Until 2009, this was a printk, when it was changed in
      bf9ae538: "llc: use dev_hard_header".
      
      Let userland figure out what -EINVAL means by itself.
      Signed-off-by: 's avatarDave Jones <davej@fedoraproject.org>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      0f1a24c9
  28. 19 Jan, 2014 1 commit
  29. 04 Jan, 2014 1 commit
  30. 03 Jan, 2014 1 commit
    • Daniel Borkmann's avatar
      net: llc: fix use after free in llc_ui_recvmsg · 4d231b76
      Daniel Borkmann authored
      While commit 30a584d9 fixes datagram interface in LLC, a use
      after free bug has been introduced for SOCK_STREAM sockets that do
      not make use of MSG_PEEK.
      
      The flow is as follow ...
      
        if (!(flags & MSG_PEEK)) {
          ...
          sk_eat_skb(sk, skb, false);
          ...
        }
        ...
        if (used + offset < skb->len)
          continue;
      
      ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
      original length and work on skb_len to check partial reads.
      
      Fixes: 30a584d9 ("[LLX]: SOCK_DGRAM interface fixes")
      Signed-off-by: 's avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      4d231b76
  31. 27 Dec, 2013 1 commit
  32. 21 Nov, 2013 1 commit
    • Hannes Frederic Sowa's avatar
      net: rework recvmsg handler msg_name and msg_namelen logic · f3d33426
      Hannes Frederic Sowa authored
      This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
      set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
      to return msg_name to the user.
      
      This prevents numerous uninitialized memory leaks we had in the
      recvmsg handlers and makes it harder for new code to accidentally leak
      uninitialized memory.
      
      Optimize for the case recvfrom is called with NULL as address. We don't
      need to copy the address at all, so set it to NULL before invoking the
      recvmsg handler. We can do so, because all the recvmsg handlers must
      cope with the case a plain read() is called on them. read() also sets
      msg_name to NULL.
      
      Also document these changes in include/linux/net.h as suggested by David
      Miller.
      
      Changes since RFC:
      
      Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
      non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
      affect sendto as it would bail out earlier while trying to copy-in the
      address. It also more naturally reflects the logic by the callers of
      verify_iovec.
      
      With this change in place I could remove "
      if (!uaddr || msg_sys->msg_namelen == 0)
      	msg->msg_name = NULL
      ".
      
      This change does not alter the user visible error logic as we ignore
      msg_namelen as long as msg_name is NULL.
      
      Also remove two unnecessary curly brackets in ___sys_recvmsg and change
      comments to netdev style.
      
      Cc: David Miller <davem@davemloft.net>
      Suggested-by: 's avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: 's avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      f3d33426
  33. 04 Sep, 2013 1 commit
  34. 15 Aug, 2013 1 commit
  35. 07 Apr, 2013 1 commit
    • Mathias Krause's avatar
      llc: Fix missing msg_namelen update in llc_ui_recvmsg() · c77a4b9c
      Mathias Krause authored
      For stream sockets the code misses to update the msg_namelen member
      to 0 and therefore makes net/socket.c leak the local, uninitialized
      sockaddr_storage variable to userland -- 128 bytes of kernel stack
      memory. The msg_namelen update is also missing for datagram sockets
      in case the socket is shutting down during receive.
      
      Fix both issues by setting msg_namelen to 0 early. It will be
      updated later if we're going to fill the msg_name member.
      
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: 's avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      c77a4b9c
  36. 28 Feb, 2013 1 commit
    • Sasha Levin's avatar
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: 's avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: 's avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: 's avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      b67bfe0d