1. 29 6月, 2015 1 次提交
  2. 19 6月, 2015 1 次提交
  3. 11 5月, 2015 1 次提交
  4. 06 3月, 2015 1 次提交
  5. 04 3月, 2015 1 次提交
    • E
      ax25: Stop using magic neighbour cache operations. · 1d5da757
      Eric W. Biederman 提交于
      Before the ax25 stack calls dev_queue_xmit it always calls
      ax25_type_trans which sets skb->protocol to ETH_P_AX25.
      
      Which means that by looking at the protocol type it is possible to
      detect IP packets that have not been munged by the ax25 stack in
      ndo_start_xmit and call a function to munge them.
      
      Rename ax25_neigh_xmit to ax25_ip_xmit and tweak the return type and
      value to be appropriate for an ndo_start_xmit function.
      
      Update all of the ax25 devices to test the protocol type for ETH_P_IP
      and return ax25_ip_xmit as the first thing they do.  This preserves
      the existing semantics of IP packet processing, but the timing will be
      a little different as the IP packets now pass through the qdisc layer
      before reaching the ax25 ip packet processing.
      
      Remove the now unnecessary ax25 neighbour table operations.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1d5da757
  6. 03 3月, 2015 7 次提交
  7. 24 11月, 2014 1 次提交
  8. 06 11月, 2014 1 次提交
    • D
      net: Add and use skb_copy_datagram_msg() helper. · 51f3d02b
      David S. Miller 提交于
      This encapsulates all of the skb_copy_datagram_iovec() callers
      with call argument signature "skb, offset, msghdr->msg_iov, length".
      
      When we move to iov_iters in the networking, the iov_iter object will
      sit in the msghdr.
      
      Having a helper like this means there will be less places to touch
      during that transformation.
      
      Based upon descriptions and patch from Al Viro.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51f3d02b
  9. 12 4月, 2014 1 次提交
    • D
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller 提交于
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->s_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about it's
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      676d2369
  10. 19 1月, 2014 1 次提交
  11. 21 11月, 2013 1 次提交
    • H
      net: rework recvmsg handler msg_name and msg_namelen logic · f3d33426
      Hannes Frederic Sowa 提交于
      This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
      set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
      to return msg_name to the user.
      
      This prevents numerous uninitialized memory leaks we had in the
      recvmsg handlers and makes it harder for new code to accidentally leak
      uninitialized memory.
      
      Optimize for the case recvfrom is called with NULL as address. We don't
      need to copy the address at all, so set it to NULL before invoking the
      recvmsg handler. We can do so, because all the recvmsg handlers must
      cope with the case a plain read() is called on them. read() also sets
      msg_name to NULL.
      
      Also document these changes in include/linux/net.h as suggested by David
      Miller.
      
      Changes since RFC:
      
      Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
      non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
      affect sendto as it would bail out earlier while trying to copy-in the
      address. It also more naturally reflects the logic by the callers of
      verify_iovec.
      
      With this change in place I could remove "
      if (!uaddr || msg_sys->msg_namelen == 0)
      	msg->msg_name = NULL
      ".
      
      This change does not alter the user visible error logic as we ignore
      msg_namelen as long as msg_name is NULL.
      
      Also remove two unnecessary curly brackets in ___sys_recvmsg and change
      comments to netdev style.
      
      Cc: David Miller <davem@davemloft.net>
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f3d33426
  12. 19 10月, 2013 1 次提交
  13. 13 6月, 2013 1 次提交
  14. 29 5月, 2013 1 次提交
  15. 08 4月, 2013 1 次提交
    • M
      ax25: fix info leak via msg_name in ax25_recvmsg() · ef3313e8
      Mathias Krause 提交于
      When msg_namelen is non-zero the sockaddr info gets filled out, as
      requested, but the code fails to initialize the padding bytes of struct
      sockaddr_ax25 inserted by the compiler for alignment. Additionally the
      msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
      not always filled up to this size.
      
      Both issues lead to the fact that the code will leak uninitialized
      kernel stack bytes in net/socket.c.
      
      Fix both issues by initializing the memory with memset(0).
      
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: NMathias Krause <minipli@googlemail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ef3313e8
  16. 28 2月, 2013 1 次提交
    • S
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin 提交于
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: NPeter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b67bfe0d
  17. 19 2月, 2013 2 次提交
  18. 15 8月, 2012 1 次提交
  19. 17 7月, 2012 1 次提交
  20. 09 7月, 2012 1 次提交
  21. 04 6月, 2012 1 次提交
  22. 21 4月, 2012 2 次提交
  23. 20 4月, 2012 1 次提交
    • E
      net ax25: Reorder ax25_exit to remove races. · 3adadc08
      Eric W. Biederman 提交于
      While reviewing the sysctl code in ax25 I spotted races in ax25_exit
      where it is possible to receive notifications and packets after already
      freeing up some of the data structures needed to process those
      notifications and updates.
      
      Call unregister_netdevice_notifier early so that the rest of the cleanup
      code does not need to deal with network devices.  This takes advantage
      of my recent enhancement to unregister_netdevice_notifier to send
      unregister notifications of all network devices that are current
      registered.
      
      Move the unregistration for packet types, socket types and protocol
      types before we cleanup any of the ax25 data structures to remove the
      possibilities of other races.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3adadc08
  24. 16 4月, 2012 1 次提交
  25. 29 3月, 2012 1 次提交
  26. 29 12月, 2011 1 次提交
    • X
      ax25: avoid overflows in ax25_setsockopt() · ba1cffe0
      Xi Wang 提交于
      Commit be639ac6 ("NET: AX.25: Check ioctl arguments to avoid overflows
      further down the road") rejects very large arguments, but doesn't
      completely fix overflows on 64-bit systems.  Consider the AX25_T2 case.
      
      	int opt;
      	...
      	if (opt < 1 || opt > ULONG_MAX / HZ) {
      		res = -EINVAL;
      		break;
      	}
      	ax25->t2 = opt * HZ;
      
      The 32-bit multiplication opt * HZ would overflow before being assigned
      to 64-bit ax25->t2.  This patch changes "opt" to unsigned long.
      Signed-off-by: NXi Wang <xi.wang@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ba1cffe0
  27. 29 11月, 2011 1 次提交
    • R
      NET: AX.25: Check ioctl arguments to avoid overflows further down the road. · be639ac6
      Ralf Baechle 提交于
      Very large, nonsenical arguments or use in very extreme conditions could
      result in integer overflows.  Check ioctls arguments to avoid such
      overflows and return -EINVAL for too large arguments.
      
      To allow the use of AX.25 for even the most extreme setup (think packet
      radio to the Phase 5E mars probe) we make no further attempt to clamp the
      argument range.
      
      Originally reported by Fan Long <longfancn@gmail.com> and a first patch
      was sent by Xi Wang <xi.wang@gmail.com>.
      Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
      Cc: Xi Wang <xi.wang@gmail.com>
      Cc: Joerg Reuter <jreuter@yaina.de>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Thomas Osterried <thomas@osterried.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      be639ac6
  28. 01 11月, 2011 1 次提交
  29. 17 4月, 2011 1 次提交
  30. 14 4月, 2011 1 次提交
  31. 12 1月, 2011 1 次提交
  32. 11 11月, 2010 1 次提交