| Message ID | 1422863977-17668-1-git-send-email-viro@ZenIV.linux.org.uk |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
Hello. On 2/2/2015 10:59 AM, Al Viro wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > As it is, zero msg_iovlen means that the first iovec in the kernel > array of iovecs is left uninitialized, so checking if its ->iov_base > is NULL is random. Since the real users of that thing are doing > sendto(fd, NULL, 0, ...), they are getting msg_iovlen = 1 and > msg_iov[0] = {NULL, 0}, which is what this test is trying to catch. > As suggested by davem, let's just check that msg_iovlen was 1 and > msg_iov[0].iov_base was NULL - _that_ is well-defined and it catches > what we want to catch. > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > --- > net/netlink/af_netlink.c | 4 ++++ > 1 file changed, 4 insertions(+) > diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c > index a36777b..af51d58 100644 > --- a/net/netlink/af_netlink.c > +++ b/net/netlink/af_netlink.c > @@ -2298,7 +2298,11 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, > goto out; > } > > + /* It's a really convoluted way for userland to ask for mmaped > + * sendmsg(), but that's what we've got... */ Hmm, not sure why DaveM hasn't commented on this broken comment formatting (perhaps he was going to fix it while applying?). The preferred comment style in the networking code is: /* bla * bla */ WBR, Sergei -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Date: Mon, 02 Feb 2015 16:14:16 +0300 > On 2/2/2015 10:59 AM, Al Viro wrote: > >> From: Al Viro <viro@zeniv.linux.org.uk> > >> + /* It's a really convoluted way for userland to ask for mmaped >> + * sendmsg(), but that's what we've got... */ > > Hmm, not sure why DaveM hasn't commented on this broken comment > formatting (perhaps he was going to fix it while applying?). The > preferred comment style in the networking code is: > > /* bla > * bla > */ Indeed, Al can you please audit your whole series for this issue and respin? Please also explicitly give me the GIT url to pull from each time you post the series. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Feb 03, 2015 at 04:21:02PM -0800, David Miller wrote: > Indeed, Al can you please audit your whole series for this issue and > respin? Done, will repost in followups to this one. > Please also explicitly give me the GIT url to pull from each time you > post the series. OK, it's been force-pushed to git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git for-davem Shortlog: Al Viro (18): netlink: make the check for "send from tx_ring" deterministic ipv4: raw_send_hdrinc(): pass msghdr ipv6: rawv6_send_hdrinc(): pass msghdr vmci: propagate msghdr all way down to __qp_memcpy_to_queue() rxrpc: switch rxrpc_send_data() to iov_iter primitives rxrpc: make the users of rxrpc_kernel_send_data() set kvec-backed msg_iter properly ip: stash a pointer to msghdr in struct ping_fakehdr ip: convert tcp_sendmsg() to iov_iter primitives net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() tipc: tipc ->sendmsg() conversion net: bury net/core/iovec.c - nothing in there is used anymore crypto: switch af_alg_make_sg() to iov_iter net/socket.c: fold do_sock_{read,write} into callers net: switch sockets to ->read_iter/->write_iter vhost: switch vhost get_indirect() to iov_iter, kill memcpy_fromiovec() vhost: don't bother with copying iovec in handle_tx() vhost: don't bother copying iovecs in handle_rx(), kill memcpy_toiovecend() vhost: vhost_scsi_handle_vq() should just use copy_from_user() Diffstat: crypto/af_alg.c | 40 ++---- crypto/algif_hash.c | 45 +++--- crypto/algif_skcipher.c | 74 +++++----- drivers/misc/vmw_vmci/vmci_queue_pair.c | 16 +-- drivers/vhost/net.c | 91 ++++--------- drivers/vhost/scsi.c | 2 +- drivers/vhost/vhost.c | 6 +- fs/afs/rxrpc.c | 14 +- include/crypto/if_alg.h | 3 +- include/linux/skbuff.h | 14 +- include/linux/socket.h | 7 - include/linux/uio.h | 6 - include/linux/vmw_vmci_api.h | 2 +- include/net/ping.h | 2 +- include/net/sock.h | 18 ++- include/net/udplite.h | 3 +- lib/Makefile | 2 +- lib/iovec.c | 87 ------------ net/core/Makefile | 2 +- net/core/iovec.c | 137 ------------------- net/ipv4/ip_output.c | 6 +- net/ipv4/ping.c | 17 ++- net/ipv4/raw.c | 7 +- net/ipv4/tcp.c | 233 +++++++++++++++----------------- net/ipv4/tcp_output.c | 11 +- net/ipv6/ping.c | 3 +- net/ipv6/raw.c | 7 +- net/netlink/af_netlink.c | 5 + net/rxrpc/ar-output.c | 46 ++----- net/socket.c | 76 ++++------- net/tipc/msg.c | 7 +- net/tipc/socket.c | 14 +- net/vmw_vsock/vmci_transport.c | 3 +- 33 files changed, 320 insertions(+), 686 deletions(-) delete mode 100644 lib/iovec.c delete mode 100644 net/core/iovec.c -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index a36777b..af51d58 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -2298,7 +2298,11 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, goto out; } + /* It's a really convoluted way for userland to ask for mmaped + * sendmsg(), but that's what we've got... */ if (netlink_tx_is_mmaped(sk) && + msg->msg_iter.type == ITER_IOVEC && + msg->msg_iter.nr_segs == 1 && msg->msg_iter.iov->iov_base == NULL) { err = netlink_mmap_sendmsg(sk, msg, dst_portid, dst_group, &scm);