[net-next-2.6] netlink: netlink_recvmsg() fix

Message ID	1279639232.2498.82.camel@edumazet-laptop
State	Superseded, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=xzEI687BDzHI+R3gbi64krhH5duaQ023Qc1/f/hc0AeQZVZO9PTt1abab/tjEWwlR4 I2dXERzoDZlFEI8n5C9qti+UnlIqk5poz+HHQ8diCLRPs+hU+AOBSH2it80SOu4+7Lvd dptL5TkrRXZ8eiMSKsPnftO5UD5a4kXbY8e70= Subject: Re: [PATCH net-next-2.6] netlink: netlink_recvmsg() fix From: Eric Dumazet <eric.dumazet@gmail.com> To: David Miller <davem@davemloft.net> Cc: netdev <netdev@vger.kernel.org>, Johannes Berg <johannes@sipsolutions.net> In-Reply-To: <1279631789.2498.71.camel@edumazet-laptop> References: <1279631789.2498.71.camel@edumazet-laptop> Content-Type: text/plain; charset="UTF-8" Date: Tue, 20 Jul 2010 17:20:32 +0200 Message-ID: <1279639232.2498.82.camel@edumazet-laptop> Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

1279639232.2498.82.camel@edumazet-laptop

State

Superseded, archived

Delegated to:

David Miller

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=subject:from:to:cc:in-reply-to:references:content-type:date
	:message-id:mime-version:x-mailer:content-transfer-encoding;
	b=xzEI687BDzHI+R3gbi64krhH5duaQ023Qc1/f/hc0AeQZVZO9PTt1abab/tjEWwlR4
	I2dXERzoDZlFEI8n5C9qti+UnlIqk5poz+HHQ8diCLRPs+hU+AOBSH2it80SOu4+7Lvd
	dptL5TkrRXZ8eiMSKsPnftO5UD5a4kXbY8e70=
Subject: Re: [PATCH net-next-2.6] netlink: netlink_recvmsg() fix
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>,
	Johannes Berg <johannes@sipsolutions.net>
In-Reply-To: <1279631789.2498.71.camel@edumazet-laptop>
References: <1279631789.2498.71.camel@edumazet-laptop>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 20 Jul 2010 17:20:32 +0200
Message-ID: <1279639232.2498.82.camel@edumazet-laptop>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Eric Dumazet July 20, 2010, 3:20 p.m. UTC

Le mardi 20 juillet 2010 à 15:16 +0200, Eric Dumazet a écrit :
> Please note following potential bug was discovered by code review, and
> my patch not even tested, please double check !
> 
> Thanks
> 
> [PATCH net-next-2.6] netlink: netlink_recvmsg() fix
> 
> commit 1dacc76d0014 
> (net/compat/wext: send different messages to compat tasks)
> introduced a race condition on netlink, in case MSG_PEEK is used.
> 
> An skb given by skb_recv_datagram() might be shared, we must clone it
> before any modification, or risk fatal corruption.
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> ---

Oh well, skb_copy() or skb_unshare() is needed.

[PATCH net-next-2.6 v2] netlink: netlink_recvmsg() fix

commit 1dacc76d0014 
(net/compat/wext: send different messages to compat tasks)
introduced a race condition on netlink, in case MSG_PEEK is used.

An skb given by skb_recv_datagram() might be shared, we must copy it
before any modification, or risk fatal corruption.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 net/netlink/af_netlink.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Johannes Berg July 21, 2010, 8:05 a.m. UTC | #1

On Tue, 2010-07-20 at 17:20 +0200, Eric Dumazet wrote:

> [PATCH net-next-2.6 v2] netlink: netlink_recvmsg() fix
> 
> commit 1dacc76d0014 
> (net/compat/wext: send different messages to compat tasks)
> introduced a race condition on netlink, in case MSG_PEEK is used.
> 
> An skb given by skb_recv_datagram() might be shared, we must copy it
> before any modification, or risk fatal corruption.

Makes sense to me, seeing that if you MSG_PEEK it just increases
skb->users. But nothing could touch the other skb at the same time?
Although I guess with netlink multicast we have a similar situation.

johannes

> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> ---
>  net/netlink/af_netlink.c |   13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 7aeaa83..1537fa5 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -1405,7 +1405,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
>  	struct netlink_sock *nlk = nlk_sk(sk);
>  	int noblock = flags&MSG_DONTWAIT;
>  	size_t copied;
> -	struct sk_buff *skb, *frag __maybe_unused = NULL;
> +	struct sk_buff *skb;
>  	int err;
>  
>  	if (flags&MSG_OOB)
> @@ -1440,7 +1440,12 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
>  			kfree_skb(skb);
>  			skb = compskb;
>  		} else {
> -			frag = skb_shinfo(skb)->frag_list;
> +			skb = skb_unshare(skb, GFP_KERNEL);
> +			if (!skb) {
> +				err = -ENOMEM;
> +				goto out;
> +			}
> +			kfree_skb(skb_shinfo(skb)->frag_list);
>  			skb_shinfo(skb)->frag_list = NULL;
>  		}
>  	}
> @@ -1477,10 +1482,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
>  	if (flags & MSG_TRUNC)
>  		copied = skb->len;
>  
> -#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
> -	skb_shinfo(skb)->frag_list = frag;
> -#endif
> -
>  	skb_free_datagram(sk, skb);
>  
>  	if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
> 
> 
> 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eric Dumazet July 21, 2010, 8:20 a.m. UTC | #2

Le mercredi 21 juillet 2010 à 10:05 +0200, Johannes Berg a écrit :
> On Tue, 2010-07-20 at 17:20 +0200, Eric Dumazet wrote:
> 
> > [PATCH net-next-2.6 v2] netlink: netlink_recvmsg() fix
> > 
> > commit 1dacc76d0014 
> > (net/compat/wext: send different messages to compat tasks)
> > introduced a race condition on netlink, in case MSG_PEEK is used.
> > 
> > An skb given by skb_recv_datagram() might be shared, we must copy it
> > before any modification, or risk fatal corruption.
> 
> Makes sense to me, seeing that if you MSG_PEEK it just increases
> skb->users. But nothing could touch the other skb at the same time?
> Although I guess with netlink multicast we have a similar situation.

Nothing can touch this skb at the same time but us and our friends
(consumers that did a skb_recv_datagram( MSG_PEEK ) operation).

Oh well, I see skb_unshare() tests skb_cloned(). This is not what we
want.

We probably wants something like :

if (skb_shared(skb)) {
	nsbk = skb_copy(skb, GFP_KERNEL);
	...
}



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7aeaa83..1537fa5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1405,7 +1405,7 @@  static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	struct netlink_sock *nlk = nlk_sk(sk);
 	int noblock = flags&MSG_DONTWAIT;
 	size_t copied;
-	struct sk_buff *skb, *frag __maybe_unused = NULL;
+	struct sk_buff *skb;
 	int err;
 
 	if (flags&MSG_OOB)
@@ -1440,7 +1440,12 @@  static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 			kfree_skb(skb);
 			skb = compskb;
 		} else {
-			frag = skb_shinfo(skb)->frag_list;
+			skb = skb_unshare(skb, GFP_KERNEL);
+			if (!skb) {
+				err = -ENOMEM;
+				goto out;
+			}
+			kfree_skb(skb_shinfo(skb)->frag_list);
 			skb_shinfo(skb)->frag_list = NULL;
 		}
 	}
@@ -1477,10 +1482,6 @@  static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	if (flags & MSG_TRUNC)
 		copied = skb->len;
 
-#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
-	skb_shinfo(skb)->frag_list = frag;
-#endif
-
 	skb_free_datagram(sk, skb);
 
 	if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)

[net-next-2.6] netlink: netlink_recvmsg() fix

Commit Message

Comments

Patch