From patchwork Tue Jul 20 13:16:29 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 59309
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 52CD7B6EF7
	for <patchwork-incoming@ozlabs.org>;
	Tue, 20 Jul 2010 23:16:40 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751251Ab0GTNQe (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 20 Jul 2010 09:16:34 -0400
Received: from mail-ww0-f44.google.com ([74.125.82.44]:41240 "EHLO
	mail-ww0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750786Ab0GTNQd (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 20 Jul 2010 09:16:33 -0400
Received: by wwj40 with SMTP id 40so829141wwj.1
	for <netdev@vger.kernel.org>; Tue, 20 Jul 2010 06:16:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:subject:from:to:cc
	:content-type:date:message-id:mime-version:x-mailer
	:content-transfer-encoding;
	bh=coaicT4t/vM4aMAXSuYhWBsz5ZLaU5iTxzNb/L7svIo=;
	b=UzBLprpT8M/S7HY7SluIqauDjh8bO4l32dgA0vdeHaBc7pzNCNS1mlZgMn1hWv7k8N
	lO5gMfWd50nMRjmWtvrhovKAjuYGldg9BeRjQ2Fu2VMta/6skkfN4BI+TQsy9B9xQz0k
	HoreszyhjVJLbImrpeMwCQfz4kIrP0xvfAOys=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=subject:from:to:cc:content-type:date:message-id:mime-version
	:x-mailer:content-transfer-encoding;
	b=T1fJB0/lguM5okvHfmODFgNdWWT0TDgT9hUcO0FY37F29eQ+jwaEaa1jkm3DDvxEOg
	ujQX88Lcg4x/H1ZurBnp2l9AtRTbN1FKT3eyGeHXy7OgXIc2sqnekpdzBhIItpGAugZH
	elUXW7w0JD6LztjqLtgVAVlKemXzZmxWEbe7Y=
Received: by 10.227.148.17 with SMTP id n17mr5528145wbv.19.1279631791846;
	Tue, 20 Jul 2010 06:16:31 -0700 (PDT)
Received: from [127.0.0.1] ([85.17.35.125]) by mx.google.com with ESMTPS id
	e31sm47195904wbe.17.2010.07.20.06.16.30
	(version=SSLv3 cipher=RC4-MD5);
	Tue, 20 Jul 2010 06:16:31 -0700 (PDT)
Subject: [PATCH net-next-2.6] netlink: netlink_recvmsg() fix
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>,
	Johannes Berg <johannes@sipsolutions.net>
Date: Tue, 20 Jul 2010 15:16:29 +0200
Message-ID: <1279631789.2498.71.camel@edumazet-laptop>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.3 
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Please note following potential bug was discovered by code review, and
my patch not even tested, please double check !

Thanks

[PATCH net-next-2.6] netlink: netlink_recvmsg() fix

commit 1dacc76d0014 
(net/compat/wext: send different messages to compat tasks)
introduced a race condition on netlink, in case MSG_PEEK is used.

An skb given by skb_recv_datagram() might be shared, we must clone it
before any modification, or risk fatal corruption.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 net/netlink/af_netlink.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7aeaa83..dad5e81 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1405,7 +1405,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	struct netlink_sock *nlk = nlk_sk(sk);
 	int noblock = flags&MSG_DONTWAIT;
 	size_t copied;
-	struct sk_buff *skb, *frag __maybe_unused = NULL;
+	struct sk_buff *skb;
 	int err;
 
 	if (flags&MSG_OOB)
@@ -1440,8 +1440,17 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 			kfree_skb(skb);
 			skb = compskb;
 		} else {
-			frag = skb_shinfo(skb)->frag_list;
-			skb_shinfo(skb)->frag_list = NULL;
+			struct sk_buff *nskb = skb_clone(skb, GFP_KERNEL);
+
+			if (!nskb) {
+				skb_free_datagram(sk, skb);
+				err = -ENOMEM;
+				goto out;
+			}
+			kfree_skb(skb);
+			kfree_skb(skb_shinfo(nskb)->frag_list);
+			skb_shinfo(nskb)->frag_list = NULL;
+			skb = nskb;
 		}
 	}
 #endif
@@ -1477,10 +1486,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
 	if (flags & MSG_TRUNC)
 		copied = skb->len;
 
-#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
-	skb_shinfo(skb)->frag_list = frag;
-#endif
-
 	skb_free_datagram(sk, skb);
 
 	if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)