Message ID | 1279639232.2498.82.camel@edumazet-laptop |
---|---|
State | Superseded, archived |
Delegated to: | David Miller |
On Tue, 2010-07-20 at 17:20 +0200, Eric Dumazet wrote: > [PATCH net-next-2.6 v2] netlink: netlink_recvmsg() fix > > commit 1dacc76d0014 > (net/compat/wext: send different messages to compat tasks) > introduced a race condition on netlink, in case MSG_PEEK is used. > > An skb given by skb_recv_datagram() might be shared, we must copy it > before any modification, or risk fatal corruption. Makes sense to me, seeing that if you MSG_PEEK it just increases skb->users. But nothing could touch the other skb at the same time? Although I guess with netlink multicast we have a similar situation. johannes > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > --- > net/netlink/af_netlink.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c > index 7aeaa83..1537fa5 100644 > --- a/net/netlink/af_netlink.c > +++ b/net/netlink/af_netlink.c > @@ -1405,7 +1405,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, > struct netlink_sock *nlk = nlk_sk(sk); > int noblock = flags&MSG_DONTWAIT; > size_t copied; > - struct sk_buff *skb, *frag __maybe_unused = NULL; > + struct sk_buff *skb; > int err; > > if (flags&MSG_OOB) > @@ -1440,7 +1440,12 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, > kfree_skb(skb); > skb = compskb; > } else { > - frag = skb_shinfo(skb)->frag_list; > + skb = skb_unshare(skb, GFP_KERNEL); > + if (!skb) { > + err = -ENOMEM; > + goto out; > + } > + kfree_skb(skb_shinfo(skb)->frag_list); > skb_shinfo(skb)->frag_list = NULL; > } > } 
> @@ -1477,10 +1482,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, > if (flags & MSG_TRUNC) > copied = skb->len; > > -#ifdef CONFIG_COMPAT_NETLINK_MESSAGES > - skb_shinfo(skb)->frag_list = frag; > -#endif > - > skb_free_datagram(sk, skb); > > if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) > > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
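Review bot: in the second hunk, `skb = skb_unshare(skb, GFP_KERNEL);` does not make the skb private in the very case the commit message describes. As the reply above notes, MSG_PEEK only raises skb->users, so a peeked skb is shared, not cloned, and skb_unshare() (which tests skb_cloned()) hands the same buffer straight back; the `kfree_skb(skb_shinfo(skb)->frag_list);` and `skb_shinfo(skb)->frag_list = NULL;` that follow then still modify the skb that the queue and any other peeker hold, which is the corruption the patch sets out to remove. Test for sharing and copy explicitly, e.g. `if (skb_shared(skb)) { nskb = skb_copy(skb, GFP_KERNEL); ... }`, keeping the -ENOMEM path for the copy failing.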
On Wednesday, 21 July 2010 at 10:05 +0200, Johannes Berg wrote:
> On Tue, 2010-07-20 at 17:20 +0200, Eric Dumazet wrote:
>
> > [PATCH net-next-2.6 v2] netlink: netlink_recvmsg() fix
> >
> > commit 1dacc76d0014
> > (net/compat/wext: send different messages to compat tasks)
> > introduced a race condition on netlink, in case MSG_PEEK is used.
> >
> > An skb given by skb_recv_datagram() might be shared, we must copy it
> > before any modification, or risk fatal corruption.
>
> Makes sense to me, seeing that if you MSG_PEEK it just increases
> skb->users. But nothing could touch the other skb at the same time?
> Although I guess with netlink multicast we have a similar situation.

Nothing can touch this skb at the same time but us and our friends
(consumers that did a skb_recv_datagram(MSG_PEEK) operation).

Oh well, I see skb_unshare() tests skb_cloned(). This is not what we want.

We probably want something like:

if (skb_shared(skb)) {
	nskb = skb_copy(skb, GFP_KERNEL);
	...
}
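To make the skb_unshare() versus skb_shared() point concrete, here is an added userspace model (example code written for this page, not kernel code and not from the patch or the thread): a toy sk_buff with a user count, a clone flag and a frag_list; a peek that bumps the user count the way skb_recv_datagram(MSG_PEEK) does; and the non-compat branch of netlink_recvmsg() after the v2 patch, run once with an skb_unshare() that copies only when cloned and once with the skb_shared()/skb_copy() check proposed in the reply. Every name mirrors the kernel's but is reimplemented here; the recv sequence is assumed to be the one in the hunk (free the frag_list, clear it, release the skb), and the two readers run one after the other rather than concurrently, which is enough to show what the second one finds.

```c
/* Toy model (not kernel code) of a MSG_PEEK-ed netlink datagram: peeking
 * shares the buffer (users > 1) but never clones it, so a "copy if cloned"
 * check lets the reader modify the buffer the queue still holds. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct skb {
	int users;              /* like skb->users: references held on this buffer */
	int cloned;             /* like skb_cloned(): header clone sharing the data */
	struct skb *frag_list;  /* like skb_shinfo(skb)->frag_list (compat message) */
	char data[32];
};

static struct skb *skb_alloc(const char *payload, struct skb *frag)
{
	struct skb *s = calloc(1, sizeof *s);
	if (!s)
		abort();
	s->users = 1;
	s->frag_list = frag;
	strncpy(s->data, payload, sizeof s->data - 1);
	return s;
}

/* like kfree_skb(): drop one reference, free on the last one */
static void skb_put_ref(struct skb *s)
{
	if (--s->users == 0) {
		if (s->frag_list)
			skb_put_ref(s->frag_list);
		free(s);
	}
}

static int skb_shared(const struct skb *s) { return s->users > 1; }
static int skb_cloned(const struct skb *s) { return s->cloned; }

/* skb_recv_datagram(sk, MSG_PEEK): the queue keeps its reference, caller gets one more */
static struct skb *peek(struct skb *queued) { queued->users++; return queued; }

/* like skb_copy(): a private skb; the frag_list pointer is shared by reference */
static struct skb *skb_copy(const struct skb *s)
{
	struct skb *c = skb_alloc(s->data, NULL);
	if (s->frag_list) {
		c->frag_list = s->frag_list;
		c->frag_list->users++;
	}
	return c;
}

/* What the v2 patch relies on: copy only when the skb is cloned. */
static struct skb *skb_unshare(struct skb *s)
{
	if (skb_cloned(s)) {
		struct skb *c = skb_copy(s);
		skb_put_ref(s);
		return c;
	}
	return s;
}

/* The follow-up suggestion: copy when the skb is shared. */
static struct skb *unshare_if_shared(struct skb *s)
{
	if (skb_shared(s)) {
		struct skb *c = skb_copy(s);
		skb_put_ref(s);
		return c;
	}
	return s;
}

/* Property the fix hinges on: a peeked datagram is shared but not cloned. */
static int peeked_is_shared_not_cloned(void)
{
	struct skb *queued = skb_alloc("msg", NULL);
	struct skb *mine = peek(queued);
	int r = skb_shared(mine) && !skb_cloned(mine);
	skb_put_ref(mine);
	skb_put_ref(queued);
	return r;
}

/* Reader A does recvmsg(MSG_PEEK) and runs the patched non-compat branch with
 * the given "make private" step.  Returns 1 if the datagram still sitting in
 * the socket queue kept its frag_list for the next reader, 0 if A clobbered it. */
static int recv_peek_then_check_queue(struct skb *(*make_private)(struct skb *))
{
	struct skb *frag = skb_alloc("compat-variant", NULL);
	struct skb *queued = skb_alloc("native-message", frag);  /* constructed: one queued datagram */

	struct skb *mine = peek(queued);
	mine = make_private(mine);
	if (mine->frag_list)
		skb_put_ref(mine->frag_list);  /* kfree_skb(skb_shinfo(skb)->frag_list) */
	mine->frag_list = NULL;                /* skb_shinfo(skb)->frag_list = NULL   */
	skb_put_ref(mine);                     /* skb_free_datagram(sk, skb)          */

	int intact = queued->frag_list != NULL;  /* what reader B (e.g. a compat task) sees */
	skb_put_ref(queued);                     /* queue finally releases the datagram */
	return intact;
}

int main(void)
{
	printf("copy-if-cloned  : queued frag_list intact = %d\n",
	       recv_peek_then_check_queue(skb_unshare));
	printf("copy-if-shared  : queued frag_list intact = %d\n",
	       recv_peek_then_check_queue(unshare_if_shared));
	return 0;
}
```

With the clone check the peeked buffer is returned unchanged, the shared frag_list is freed and cleared underneath the queue, and the next reader finds nothing; with the shared check reader A works on a private copy and the queued datagram is untouched. In the real kernel the two readers run concurrently, so the same sequence is a use-after-free rather than merely a missing message.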
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7aeaa83..1537fa5 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1405,7 +1405,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, struct netlink_sock *nlk = nlk_sk(sk); int noblock = flags&MSG_DONTWAIT; size_t copied; - struct sk_buff *skb, *frag __maybe_unused = NULL; + struct sk_buff *skb; int err; if (flags&MSG_OOB) @@ -1440,7 +1440,12 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, kfree_skb(skb); skb = compskb; } else { - frag = skb_shinfo(skb)->frag_list; + skb = skb_unshare(skb, GFP_KERNEL); + if (!skb) { + err = -ENOMEM; + goto out; + } + kfree_skb(skb_shinfo(skb)->frag_list); skb_shinfo(skb)->frag_list = NULL; } } @@ -1477,10 +1482,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, if (flags & MSG_TRUNC) copied = skb->len; -#ifdef CONFIG_COMPAT_NETLINK_MESSAGES - skb_shinfo(skb)->frag_list = frag; -#endif - skb_free_datagram(sk, skb); if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
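Review bot: the third hunk drops the `skb_shinfo(skb)->frag_list = frag;` restore before skb_free_datagram(), and that is only correct once the skb whose frag_list was freed and cleared in the second hunk is private to this reader. In the old code the stash-and-restore was what kept the compat message attached to the queued skb; with the second hunk copying only on skb_cloned(), a MSG_PEEK-ed skb is still shared and the compat message is now freed and detached for good, so this hunk and the skb_shared()/skb_copy() change discussed above have to land together. Once they do, nothing else is needed here: kfree_skb() on a NULL frag_list in the non-compat case is a no-op, and the copy is released by skb_free_datagram() as before.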