Patchwork [net] net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE

Submitter Daniel Borkmann
Date Sept. 7, 2013, 2:44 p.m.
Message ID <1378565099-20987-1-git-send-email-dborkman@redhat.com>
Permalink /patch/273384/
State Accepted
Delegated to: David Miller

Comments

Daniel Borkmann - Sept. 7, 2013, 2:44 p.m.
If we do not add braces around ...

  mask |= POLLERR |
          sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;

... then this condition always evaluates to true as POLLERR is
defined as 8 and binary or'd with whatever result comes out of
sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
X | (Y ? A : B). Unfortunately, commit 8facd5fb73 ("net: fix
smatch warnings inside datagram_poll") forgot about SCTP. :-(

Introduced by 7d4c04fc170 ("net: add option to enable error queue
packets waking select").

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Jacob Keller <jacob.e.keller@intel.com>
---
 net/sctp/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Neil Horman - Sept. 8, 2013, 12:07 p.m.
On Sat, Sep 07, 2013 at 04:44:59PM +0200, Daniel Borkmann wrote:
> If we do not add braces around ...
> 
>   mask |= POLLERR |
>           sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> 
> ... then this condition always evaluates to true as POLLERR is
> defined as 8 and binary or'd with whatever result comes out of
> sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
> X | (Y ? A : B). Unfortunately, commit 8facd5fb73 ("net: fix
> smatch warnings inside datagram_poll") forgot about SCTP. :-(
> 
> Introduced by 7d4c04fc170 ("net: add option to enable error queue
> packets waking select").
> 
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> Cc: Jacob Keller <jacob.e.keller@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>

> ---
>  net/sctp/socket.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index d5d5882..5462bbb 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -6176,7 +6176,7 @@ unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait)
>  	/* Is there any exceptional events?  */
>  	if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue))
>  		mask |= POLLERR |
> -			sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> +			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0);
>  	if (sk->sk_shutdown & RCV_SHUTDOWN)
>  		mask |= POLLRDHUP | POLLIN | POLLRDNORM;
>  	if (sk->sk_shutdown == SHUTDOWN_MASK)
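Review bot: the unparenthesised form `POLLERR | sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0` may survive in other poll handlers, since the changelog says 8facd5fb73 corrected datagram_poll and missed this copy in sctp_poll. It would be worth searching the tree for `SOCK_SELECT_ERR_QUEUE) ? POLLPRI` without an opening parenthesis before `sock_flag` and either folding any remaining instances into this fix or stating in the changelog that the other copies were checked.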
> -- 
> 1.7.11.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vlad Yasevich - Sept. 9, 2013, 1:56 p.m.
On 09/07/2013 10:44 AM, Daniel Borkmann wrote:
> If we do not add braces around ...
>
>    mask |= POLLERR |
>            sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
>
> ... then this condition always evaluates to true as POLLERR is
> defined as 8 and binary or'd with whatever result comes out of
> sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
> X | (Y ? A : B). Unfortunately, commit 8facd5fb73 ("net: fix
> smatch warnings inside datagram_poll") forgot about SCTP. :-(
>
> Introduced by 7d4c04fc170 ("net: add option to enable error queue
> packets waking select").
>
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> Cc Jacob Keller <jacob.e.keller@intel.com>

Acked-by: Vlad Yasevich <vyasevich@gmail.com>

-vlad

> ---
>   net/sctp/socket.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index d5d5882..5462bbb 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -6176,7 +6176,7 @@ unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait)
>   	/* Is there any exceptional events?  */
>   	if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue))
>   		mask |= POLLERR |
> -			sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> +			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0);
>   	if (sk->sk_shutdown & RCV_SHUTDOWN)
>   		mask |= POLLRDHUP | POLLIN | POLLRDNORM;
>   	if (sk->sk_shutdown == SHUTDOWN_MASK)
>

Keller, Jacob E - Sept. 9, 2013, 7:12 p.m.
On Mon, 2013-09-09 at 09:56 -0400, Vlad Yasevich wrote:
> On 09/07/2013 10:44 AM, Daniel Borkmann wrote:
> > If we do not add braces around ...
> >
> >    mask |= POLLERR |
> >            sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> >
> > ... then this condition always evaluates to true as POLLERR is
> > defined as 8 and binary or'd with whatever result comes out of
> > sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
> > X | (Y ? A : B). Unfortunately, commit 8facd5fb73 ("net: fix
> > smatch warnings inside datagram_poll") forgot about SCTP. :-(
> >
> > Introduced by 7d4c04fc170 ("net: add option to enable error queue
> > packets waking select").
> >
> > Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> > Cc Jacob Keller <jacob.e.keller@intel.com>
> 
> Acked-by: Vlad Yasevich <vyasevich@gmail.com>

Acked-by: Jacob Keller <jacob.e.keller@intel.com>

> -vlad
> 
> > ---
> >   net/sctp/socket.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> > index d5d5882..5462bbb 100644
> > --- a/net/sctp/socket.c
> > +++ b/net/sctp/socket.c
> > @@ -6176,7 +6176,7 @@ unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait)
> >   	/* Is there any exceptional events?  */
> >   	if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue))
> >   		mask |= POLLERR |
> > -			sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> > +			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0);
> >   	if (sk->sk_shutdown & RCV_SHUTDOWN)
> >   		mask |= POLLRDHUP | POLLIN | POLLRDNORM;
> >   	if (sk->sk_shutdown == SHUTDOWN_MASK)
> >
>
David Miller - Sept. 11, 2013, 8:14 p.m.
From: Daniel Borkmann <dborkman@redhat.com>
Date: Sat,  7 Sep 2013 16:44:59 +0200

> If we do not add braces around ...
> 
>   mask |= POLLERR |
>           sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
> 
> ... then this condition always evaluates to true as POLLERR is
> defined as 8 and binary or'd with whatever result comes out of
> sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
> X | (Y ? A : B). Unfortunately, commit 8facd5fb73 ("net: fix
> smatch warnings inside datagram_poll") forgot about SCTP. :-(
> 
> Introduced by 7d4c04fc170 ("net: add option to enable error queue
> packets waking select").
> 
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>

Applied and queued up for -stable.

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index d5d5882..5462bbb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6176,7 +6176,7 @@  unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait)
 	/* Is there any exceptional events?  */
 	if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue))
 		mask |= POLLERR |
-			sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
+			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0);
 	if (sk->sk_shutdown & RCV_SHUTDOWN)
 		mask |= POLLRDHUP | POLLIN | POLLRDNORM;
 	if (sk->sk_shutdown == SHUTDOWN_MASK)
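Review bot: the changelog should state the user-visible effect of the removed line under `mask |= POLLERR |`, not only that the condition is always true. Because `|` binds tighter than `?:`, the old expression reduces to `mask |= POLLPRI`, so on this path POLLERR was never set and POLLPRI was set whether or not SOCK_SELECT_ERR_QUEUE was enabled; callers polling sctp sockets for POLLERR are affected, which is relevant for the -stable backport. The added parentheses are correct, but the construct stays easy to get wrong again: consider `mask |= POLLERR;` followed by `if (sock_flag(sk, SOCK_SELECT_ERR_QUEUE)) mask |= POLLPRI;` so the result no longer depends on operator precedence.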