1. 11 5月, 2015 1 次提交
  2. 03 3月, 2015 1 次提交
  3. 20 1月, 2015 1 次提交
  4. 18 1月, 2015 1 次提交
    • J
      netlink: make nlmsg_end() and genlmsg_end() void · 053c095a
      Johannes Berg 提交于
      Contrary to common expectations for an "int" return, these functions
      return only a positive value -- if used correctly they cannot even
      return 0 because the message header will necessarily be in the skb.
      
      This makes the very common pattern of
      
        if (genlmsg_end(...) < 0) { ... }
      
      be a whole bunch of dead code. Many places also simply do
      
        return nlmsg_end(...);
      
      and the caller is expected to deal with it.
      
      This also commonly (at least for me) causes errors, because it is very
      common to write
      
        if (my_function(...))
          /* error condition */
      
      and if my_function() does "return nlmsg_end()" this is of course wrong.
      
      Additionally, there's not a single place in the kernel that actually
      needs the message length returned, and if anyone needs it later then
      it'll be very easy to just use skb->len there.
      
      Remove this, and make the functions void. This removes a bunch of dead
      code as described above. The patch adds lines because I did
      
      -	return nlmsg_end(...);
      +	nlmsg_end(...);
      +	return 0;
      
      I could have preserved all the function's return values by returning
      skb->len, but instead I've audited all the places calling the affected
      functions and found that none cared. A few places actually compared
      the return value with <= 0 in dump functionality, but that could just
      be changed to < 0 with no change in behaviour, so I opted for the more
      efficient version.
      
      One instance of the error I've made numerous times now is also present
      in net/phonet/pn_netlink.c in the route_dumpit() function - it didn't
      check for <0 or <=0 and thus broke out of the loop every single time.
      I've preserved this since it will (I think) have caused the messages to
      userspace to be formatted differently with just a single message for
      every SKB returned to userspace. It's possible that this isn't needed
      for the tools that actually use this, but I don't even know what they
      are so couldn't test that changing this behaviour would be acceptable.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      053c095a
  5. 24 11月, 2014 1 次提交
  6. 12 11月, 2014 1 次提交
    • J
      net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited · ba7a46f1
      Joe Perches 提交于
      Use the more common dynamic_debug capable net_dbg_ratelimited
      and remove the LIMIT_NETDEBUG macro.
      
      All messages are still ratelimited.
      
      Some KERN_<LEVEL> uses are changed to KERN_DEBUG.
      
      This may have some negative impact on messages that were
      emitted at KERN_INFO that are not not enabled at all unless
      DEBUG is defined or dynamic_debug is enabled.  Even so,
      these messages are now _not_ emitted by default.
      
      This also eliminates the use of the net_msg_warn sysctl
      "/proc/sys/net/core/warnings".  For backward compatibility,
      the sysctl is not removed, but it has no function.  The extern
      declaration of net_msg_warn is removed from sock.h and made
      static in net/core/sysctl_net_core.c
      
      Miscellanea:
      
      o Update the sysctl documentation
      o Remove the embedded uses of pr_fmt
      o Coalesce format fragments
      o Realign arguments
      Signed-off-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ba7a46f1
  7. 06 11月, 2014 1 次提交
    • D
      net: Add and use skb_copy_datagram_msg() helper. · 51f3d02b
      David S. Miller 提交于
      This encapsulates all of the skb_copy_datagram_iovec() callers
      with call argument signature "skb, offset, msghdr->msg_iov, length".
      
      When we move to iov_iters in the networking, the iov_iter object will
      sit in the msghdr.
      
      Having a helper like this means there will be less places to touch
      during that transformation.
      
      Based upon descriptions and patch from Al Viro.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51f3d02b
  8. 07 10月, 2014 1 次提交
    • F
      net: fix rcu access on phonet_routes · 79952bca
      Fabian Frederick 提交于
      -Add __rcu annotation on table to fix sparse warnings:
      net/phonet/pn_dev.c:279:25: warning: incorrect type in assignment (different address spaces)
      net/phonet/pn_dev.c:279:25:    expected struct net_device *<noident>
      net/phonet/pn_dev.c:279:25:    got void [noderef] <asn:4>*<noident>
      net/phonet/pn_dev.c:376:17: warning: incorrect type in assignment (different address spaces)
      net/phonet/pn_dev.c:376:17:    expected struct net_device *volatile <noident>
      net/phonet/pn_dev.c:376:17:    got struct net_device [noderef] <asn:4>*<noident>
      net/phonet/pn_dev.c:392:17: warning: incorrect type in assignment (different address spaces)
      net/phonet/pn_dev.c:392:17:    expected struct net_device *<noident>
      net/phonet/pn_dev.c:392:17:    got void [noderef] <asn:4>*<noident>
      
      -Access table with rcu_access_pointer (fixes the following sparse errors):
      net/phonet/pn_dev.c:278:25: error: incompatible types in comparison expression (different address spaces)
      net/phonet/pn_dev.c:391:17: error: incompatible types in comparison expression (different address spaces)
      Suggested-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NFabian Frederick <fabf@skynet.be>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      79952bca
  9. 16 7月, 2014 1 次提交
    • T
      net: set name_assign_type in alloc_netdev() · c835a677
      Tom Gundersen 提交于
      Extend alloc_netdev{,_mq{,s}}() to take name_assign_type as argument, and convert
      all users to pass NET_NAME_UNKNOWN.
      
      Coccinelle patch:
      
      @@
      expression sizeof_priv, name, setup, txqs, rxqs, count;
      @@
      
      (
      -alloc_netdev_mqs(sizeof_priv, name, setup, txqs, rxqs)
      +alloc_netdev_mqs(sizeof_priv, name, NET_NAME_UNKNOWN, setup, txqs, rxqs)
      |
      -alloc_netdev_mq(sizeof_priv, name, setup, count)
      +alloc_netdev_mq(sizeof_priv, name, NET_NAME_UNKNOWN, setup, count)
      |
      -alloc_netdev(sizeof_priv, name, setup)
      +alloc_netdev(sizeof_priv, name, NET_NAME_UNKNOWN, setup)
      )
      
      v9: move comments here from the wrong commit
      Signed-off-by: NTom Gundersen <teg@jklm.no>
      Reviewed-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c835a677
  10. 25 4月, 2014 1 次提交
  11. 12 4月, 2014 1 次提交
    • D
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller 提交于
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->s_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about it's
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      676d2369
  12. 19 1月, 2014 1 次提交
  13. 19 11月, 2013 1 次提交
  14. 15 11月, 2013 1 次提交
  15. 16 8月, 2013 1 次提交
  16. 13 6月, 2013 1 次提交
  17. 29 5月, 2013 1 次提交
  18. 22 3月, 2013 1 次提交
  19. 28 2月, 2013 1 次提交
    • S
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin 提交于
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: NPeter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b67bfe0d
  20. 19 2月, 2013 2 次提交
  21. 19 11月, 2012 1 次提交
  22. 11 9月, 2012 1 次提交
  23. 15 8月, 2012 1 次提交
  24. 18 6月, 2012 1 次提交
  25. 21 4月, 2012 2 次提交
  26. 16 4月, 2012 1 次提交
  27. 14 4月, 2012 2 次提交
  28. 13 4月, 2012 1 次提交
    • E
      phonet: Sort out initiailziation and cleanup code. · 03478756
      Eric W. Biederman 提交于
      Recently an oops was reported in phonet if there was a failure during
      network namespace creation.
      
      [  163.733755] ------------[ cut here ]------------
      [  163.734501] kernel BUG at include/net/netns/generic.h:45!
      [  163.734501] invalid opcode: 0000 [#1] PREEMPT SMP
      [  163.734501] CPU 2
      [  163.734501] Pid: 19145, comm: trinity Tainted: G        W 3.4.0-rc1-next-20120405-sasha-dirty #57
      [  163.734501] RIP: 0010:[<ffffffff824d6062>]  [<ffffffff824d6062>] phonet_pernet+0x182/0x1a0
      [  163.734501] RSP: 0018:ffff8800674d5ca8  EFLAGS: 00010246
      [  163.734501] RAX: 000000003fffffff RBX: 0000000000000000 RCX: ffff8800678c88d8
      [  163.734501] RDX: 00000000003f4000 RSI: ffff8800678c8910 RDI: 0000000000000282
      [  163.734501] RBP: ffff8800674d5cc8 R08: 0000000000000000 R09: 0000000000000000
      [  163.734501] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880068bec920
      [  163.734501] R13: ffffffff836b90c0 R14: 0000000000000000 R15: 0000000000000000
      [  163.734501] FS:  00007f055e8de700(0000) GS:ffff88007d000000(0000) knlGS:0000000000000000
      [  163.734501] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  163.734501] CR2: 00007f055e6bb518 CR3: 0000000070c16000 CR4: 00000000000406e0
      [  163.734501] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  163.734501] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  163.734501] Process trinity (pid: 19145, threadinfo ffff8800674d4000, task ffff8800678c8000)
      [  163.734501] Stack:
      [  163.734501]  ffffffff824d5f00 ffffffff810e2ec1 ffff880067ae0000 00000000ffffffd4
      [  163.734501]  ffff8800674d5cf8 ffffffff824d667a ffff880067ae0000 00000000ffffffd4
      [  163.734501]  ffffffff836b90c0 0000000000000000 ffff8800674d5d18 ffffffff824d707d
      [  163.734501] Call Trace:
      [  163.734501]  [<ffffffff824d5f00>] ? phonet_pernet+0x20/0x1a0
      [  163.734501]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
      [  163.734501]  [<ffffffff824d667a>] phonet_device_destroy+0x1a/0x100
      [  163.734501]  [<ffffffff824d707d>] phonet_device_notify+0x3d/0x50
      [  163.734501]  [<ffffffff810dd96e>] notifier_call_chain+0xee/0x130
      [  163.734501]  [<ffffffff810dd9d1>] raw_notifier_call_chain+0x11/0x20
      [  163.734501]  [<ffffffff821cce12>] call_netdevice_notifiers+0x52/0x60
      [  163.734501]  [<ffffffff821cd235>] rollback_registered_many+0x185/0x270
      [  163.734501]  [<ffffffff821cd334>] unregister_netdevice_many+0x14/0x60
      [  163.734501]  [<ffffffff823123e3>] ipip_exit_net+0x1b3/0x1d0
      [  163.734501]  [<ffffffff82312230>] ? ipip_rcv+0x420/0x420
      [  163.734501]  [<ffffffff821c8515>] ops_exit_list+0x35/0x70
      [  163.734501]  [<ffffffff821c911b>] setup_net+0xab/0xe0
      [  163.734501]  [<ffffffff821c9416>] copy_net_ns+0x76/0x100
      [  163.734501]  [<ffffffff810dc92b>] create_new_namespaces+0xfb/0x190
      [  163.734501]  [<ffffffff810dca21>] unshare_nsproxy_namespaces+0x61/0x80
      [  163.734501]  [<ffffffff810afd1f>] sys_unshare+0xff/0x290
      [  163.734501]  [<ffffffff8187622e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [  163.734501]  [<ffffffff82665539>] system_call_fastpath+0x16/0x1b
      [  163.734501] Code: e0 c3 fe 66 0f 1f 44 00 00 48 c7 c2 40 60 4d 82 be 01 00 00 00 48 c7 c7 80 d1 23 83 e8 48 2a c4 fe e8 73 06 c8 fe 48 85 db 75 0e <0f> 0b 0f 1f 40 00 eb fe 66 0f 1f 44 00 00 48 83 c4 10 48 89 d8
      [  163.734501] RIP  [<ffffffff824d6062>] phonet_pernet+0x182/0x1a0
      [  163.734501]  RSP <ffff8800674d5ca8>
      [  163.861289] ---[ end trace fb5615826c548066 ]---
      
      After investigation it turns out there were two issues.
      1) Phonet was not implementing network devices but was using register_pernet_device
         instead of register_pernet_subsys.
      
         This was allowing there to be cases when phonenet was not initialized and
         the phonet net_generic was not set for a network namespace when network
         device events were being reported on the netdevice_notifier for a network
         namespace leading to the oops above.
      
      2) phonet_exit_net was implementing a confusing and special case of handling all
         network devices from going away that it was hard to see was correct, and would
         only occur when the phonet module was removed.
      
         Now that unregister_netdevice_notifier has been modified to synthesize unregistration
         events for the network devices that are extant when called this confusing special
         case in phonet_exit_net is no longer needed.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Acked-by: NRémi Denis-Courmont <remi.denis-courmont@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      03478756
  29. 06 4月, 2012 1 次提交
    • S
      phonet: Check input from user before allocating · bcf1b70a
      Sasha Levin 提交于
      A phonet packet is limited to USHRT_MAX bytes, this is never checked during
      tx which means that the user can specify any size he wishes, and the kernel
      will attempt to allocate that size.
      
      In the good case, it'll lead to the following warning, but it may also cause
      the kernel to kick in the OOM and kill a random task on the server.
      
      [ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
      [ 8921.749770] Pid: 5081, comm: trinity Tainted: G        W    3.4.0-rc1-next-20120402-sasha #46
      [ 8921.756672] Call Trace:
      [ 8921.758185]  [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
      [ 8921.762868]  [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
      [ 8921.765399]  [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
      [ 8921.769226]  [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
      [ 8921.771686]  [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
      [ 8921.773919]  [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
      [ 8921.776248]  [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
      [ 8921.778294]  [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
      [ 8921.780847]  [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
      [ 8921.783179]  [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
      [ 8921.784971]  [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
      [ 8921.787111]  [<ffffffff821b002e>] ? release_sock+0x7e/0x90
      [ 8921.788973]  [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
      [ 8921.791052]  [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
      [ 8921.792931]  [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
      [ 8921.794917]  [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
      [ 8921.797053]  [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
      [ 8921.798992]  [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
      [ 8921.801395]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.803501]  [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
      [ 8921.805505]  [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
      [ 8921.807860]  [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
      [ 8921.809986]  [<ffffffff811958e7>] ? might_fault+0x97/0xa0
      [ 8921.811998]  [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
      [ 8921.814595]  [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
      [ 8921.816702]  [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
      [ 8921.818819]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
      [ 8921.820863]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.823318]  [<ffffffff811e1926>] vfs_writev+0x46/0x60
      [ 8921.825219]  [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
      [ 8921.827127]  [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
      [ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
      Signed-off-by: NSasha Levin <levinsasha928@gmail.com>
      Acked-by: NRémi Denis-Courmont <remi.denis-courmont@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bcf1b70a
  30. 02 4月, 2012 1 次提交
  31. 13 1月, 2012 1 次提交
  32. 19 11月, 2011 1 次提交
  33. 01 11月, 2011 2 次提交
  34. 02 8月, 2011 1 次提交
  35. 10 6月, 2011 1 次提交
    • G
      rtnetlink: Compute and store minimum ifinfo dump size · c7ac8679
      Greg Rose 提交于
      The message size allocated for rtnl ifinfo dumps was limited to
      a single page.  This is not enough for additional interface info
      available with devices that support SR-IOV and caused a bug in
      which VF info would not be displayed if more than approximately
      40 VFs were created per interface.
      
      Implement a new function pointer for the rtnl_register service that will
      calculate the amount of data required for the ifinfo dump and allocate
      enough data to satisfy the request.
      Signed-off-by: NGreg Rose <gregory.v.rose@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      c7ac8679
  36. 24 5月, 2011 1 次提交
    • D
      net: convert %p usage to %pK · 71338aa7
      Dan Rosenberg 提交于
      The %pK format specifier is designed to hide exposed kernel pointers,
      specifically via /proc interfaces.  Exposing these pointers provides an
      easy target for kernel write vulnerabilities, since they reveal the
      locations of writable structures containing easily triggerable function
      pointers.  The behavior of %pK depends on the kptr_restrict sysctl.
      
      If kptr_restrict is set to 0, no deviation from the standard %p behavior
      occurs.  If kptr_restrict is set to 1, the default, if the current user
      (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG
      (currently in the LSM tree), kernel pointers using %pK are printed as 0's.
       If kptr_restrict is set to 2, kernel pointers using %pK are printed as
      0's regardless of privileges.  Replacing with 0's was chosen over the
      default "(null)", which cannot be parsed by userland %p, which expects
      "(nil)".
      
      The supporting code for kptr_restrict and %pK are currently in the -mm
      tree.  This patch converts users of %p in net/ to %pK.  Cases of printing
      pointers to the syslog are not covered, since this would eliminate useful
      information for postmortem debugging and the reading of the syslog is
      already optionally protected by the dmesg_restrict sysctl.
      Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Thomas Graf <tgraf@infradead.org>
      Cc: Eugene Teo <eugeneteo@kernel.org>
      Cc: Kees Cook <kees.cook@canonical.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Eric Paris <eparis@parisplace.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      71338aa7
新手
引导
客服 返回
顶部