Message ID | 151873554032.16545.2581958777736418547.stgit@warthog.procyon.org.uk |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Series | [net] rxrpc: Work around usercopy check |
From: David Howells <dhowells@redhat.com>
Date: Thu, 15 Feb 2018 22:59:00 +0000

> Due to a check recently added to copy_to_user(), it's now not permitted to
> copy from slab-held data to userspace unless the slab is whitelisted. This
> affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
> control message in the userspace control message buffer. A warning is
> generated by usercopy_warn() because the source is the copy of the
> user_call_ID retained in the rxrpc_call struct.
>
> Work around the issue by copying the user_call_ID to a variable on the
> stack and passing that to put_cmsg().
>
> The warning generated looks like:
 ...
> Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: Kees Cook <keescook@chromium.org>
> Tested-by: Jonathan Billings <jsbillings@jsbillings.org>

Applied, thanks David.

diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index cc21e8db25b0..9d45d8b56744 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -517,9 +517,10 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, sizeof(unsigned int), &id32); } else { + unsigned long idl = call->user_call_ID; + ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, - sizeof(unsigned long), - &call->user_call_ID); + sizeof(unsigned long), &idl); } if (ret < 0) goto error_unlock_call;
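
Review bot: The new local in the else branch, `unsigned long idl = call->user_call_ID;`, carries no comment explaining why the copy is needed, so it reads like a redundant temporary that a later cleanup could fold back into `&call->user_call_ID`, bringing the usercopy warning back. A one-line comment above the declaration would help, saying that put_cmsg() copies to the userspace control buffer and the source must not be the slab-held rxrpc_call field unless that slab is whitelisted. The branch above already passes a local (`&id32`), so after this change both paths hand put_cmsg() a stack address; the comment could state that as the rule for this function.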