1. 17 May, 2014 1 commit
  2. 12 April, 2014 1 commit
    • net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller committed
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->sk_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about its
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 11 April, 2014 1 commit
  4. 29 March, 2014 1 commit
    • net: Account for all vlan headers in skb_mac_gso_segment · 53d6471c
      Vlad Yasevich committed
      skb_network_protocol() already accounts for multiple vlan
      headers that may be present in the skb.  However, skb_mac_gso_segment()
      doesn't know anything about it and assumes that skb->mac_len
      is set correctly to skip all mac headers.  That may not
      always be the case.  If we are simply forwarding the packet (via
      bridge or macvtap), all vlan headers may not be accounted for.
      
      A simple solution is to allow skb_network_protocol to return
      the vlan depth it has calculated.  This way skb_mac_gso_segment
      will correctly skip all mac headers.
      Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 28 March, 2014 1 commit
  6. 14 March, 2014 1 commit
  7. 12 March, 2014 5 commits
  8. 17 February, 2014 1 commit
  9. 12 February, 2014 1 commit
  10. 29 January, 2014 1 commit
  11. 27 January, 2014 1 commit
  12. 23 January, 2014 1 commit
    • fuse: fix pipe_buf_operations · 28a625cb
      Miklos Szeredi committed
      Having this struct in module memory could Oops if the module is
      unloaded while the buffer still persists in a pipe.
      
      Since sock_pipe_buf_ops is essentially the same as fuse_dev_pipe_buf_steal
      merge them into nosteal_pipe_buf_ops (this is the same as
      default_pipe_buf_ops except stealing the page from the buffer is not
      allowed).
      Reported-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Cc: stable@vger.kernel.org
  13. 15 January, 2014 1 commit
    • net: add skb_checksum_setup · ed1f50c3
      Paul Durrant committed
      This patch adds a function to set up the partial checksum offset for IP
      packets (and optionally re-calculate the pseudo-header checksum) into the
      core network code.
      The implementation was previously private and duplicated between xen-netback
      and xen-netfront, however it is not xen-specific and is potentially useful
      to any network driver.
      Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Veaceslav Falico <vfalico@redhat.com>
      Cc: Alexander Duyck <alexander.h.duyck@intel.com>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  14. 07 January, 2014 1 commit
  15. 22 December, 2013 1 commit
  16. 18 December, 2013 1 commit
  17. 06 December, 2013 1 commit
  18. 22 November, 2013 1 commit
  19. 11 November, 2013 1 commit
    • netfilter: push reasm skb through instead of original frag skbs · 6aafeef0
      Jiri Pirko committed
      Pushing original fragments through causes several problems. For example
      for matching, frags may not be matched correctly. Take the following
      example:
      
      <example>
      On HOSTA do:
      ip6tables -I INPUT -p icmpv6 -j DROP
      ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
      
      and on HOSTB you do:
      ping6 HOSTA -s2000    (MTU is 1500)
      
      Incoming echo requests will be filtered out on HOSTA. This issue does
      not occur with smaller packets than MTU (where fragmentation does not happen)
      </example>
      
      As was discussed previously, the only correct solution seems to be to use
      reassembled skb instead of separate frags. Doing this has positive side
      effects in reducing sk_buff by one pointer (nfct_reasm) and also the reasm
      dances in ipvs and conntrack can be removed.
      
      Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c
      entirely and use code in net/ipv6/reassembly.c instead.
      Signed-off-by: Jiri Pirko <jiri@resnulli.us>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  20. 08 November, 2013 2 commits
  21. 05 November, 2013 2 commits
  22. 04 November, 2013 1 commit
  23. 20 October, 2013 1 commit
    • net: generalize skb_segment() · 030737bc
      Eric Dumazet committed
      While implementing GSO/TSO support for IPIP, I found skb_segment()
      was assuming network header was immediately following mac header.
      
      It's not really true in the case inet_gso_segment() is stacked :
      By the time tcp_gso_segment() is called, network header points
      to the inner IP header.
      
      Let's instead assume nothing and pick the current offsets found in
      original skb, we have skb_headers_offset_update() helper for that.
      
      Also move the csum_start update inside skb_headers_offset_update()
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  24. 10 October, 2013 1 commit
    • net: gro: allow to build full sized skb · 8a29111c
      Eric Dumazet committed
      skb_gro_receive() is currently limited to 16 or 17 MSS per GRO skb,
      typically 24616 bytes, because it fills up to MAX_SKB_FRAGS frags.
      
      It's relatively easy to extend the skb using frag_list to allow
      more frags to be appended into the last sk_buff.
      
      This still builds very efficient skbs, and allows reaching 45 MSS per
      skb.
      
      (45 MSS GRO packet uses one skb plus a frag_list containing 2 additional
      sk_buff)
      
      High speed TCP flows benefit from this extension by lowering TCP stack
      cpu usage (less packets stored in receive queue, less ACK packets
      processed)
      
      Forwarding setups could be hurt, as such skbs will need to be
      linearized, although it's not a new problem, as GRO could already
      provide skbs with a frag_list.
      
      We could make the 65536 bytes threshold a tunable to mitigate this.
      
      (First time we need to linearize skb in skb_needs_linearize(), we could
      lower the tunable to ~16*1460 so that following skb_gro_receive() calls
      build smaller skbs)
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  25. 04 September, 2013 1 commit
  26. 02 August, 2013 1 commit
  27. 25 July, 2013 1 commit
  28. 13 July, 2013 1 commit
  29. 04 July, 2013 1 commit
  30. 28 June, 2013 1 commit
  31. 26 June, 2013 1 commit
  32. 24 June, 2013 1 commit
    • net: Unmap fragment page once iterator is done · aeb193ea
      Wedson Almeida Filho committed
      Callers of skb_seq_read() are currently forced to call skb_abort_seq_read()
      even when consuming all the data because the last call to skb_seq_read (the
      one that returns 0 to indicate the end) fails to unmap the last fragment page.
      
      With this patch callers will be allowed to traverse the SKB data by calling
      skb_prepare_seq_read() once and repeatedly calling skb_seq_read() as originally
      intended (and documented in the original commit 677e90ed), that is, only call
      skb_abort_seq_read() if the sequential read is actually aborted.
      Signed-off-by: Wedson Almeida Filho <wedsonaf@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  33. 11 June, 2013 2 commits