1. 04 May, 2016 1 commit
  2. 13 Apr, 2016 1 commit
  3. 17 Feb, 2016 1 commit
  4. 27 Jul, 2015 1 commit
  5. 11 May, 2015 1 commit
  6. 02 Mar, 2015 1 commit
  7. 25 Jan, 2015 1 commit
  8. 10 Dec, 2014 3 commits
  9. 24 Nov, 2014 1 commit
  10. 05 Nov, 2014 1 commit
    • David S. Miller's avatar
      net: Add and use skb_copy_datagram_msg() helper. · 51f3d02b
      David S. Miller authored
      This encapsulates all of the skb_copy_datagram_iovec() callers
      with call argument signature "skb, offset, msghdr->msg_iov, length".
      When we move to iov_iters in the networking, the iov_iter object will
      sit in the msghdr.
      Having a helper like this means there will be less places to touch
      during that transformation.
      Based upon descriptions and patch from Al Viro.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  11. 24 Oct, 2014 1 commit
  12. 28 Sep, 2014 1 commit
  13. 28 Jan, 2014 1 commit
    • Dave Jones's avatar
      llc: remove noisy WARN from llc_mac_hdr_init · 0f1a24c9
      Dave Jones authored
      Sending malformed llc packets triggers this spew, which seems excessive.
      WARNING: CPU: 1 PID: 6917 at net/llc/llc_output.c:46 llc_mac_hdr_init+0x85/0x90 [llc]()
      device type not supported: 0
      CPU: 1 PID: 6917 Comm: trinity-c1 Not tainted 3.13.0+ #95
       0000000000000009 00000000007e257d ffff88009232fbe8 ffffffffac737325
       ffff88009232fc30 ffff88009232fc20 ffffffffac06d28d ffff88020e07f180
       ffff88009232fec0 00000000000000c8 0000000000000000 ffff88009232fe70
      Call Trace:
       [<ffffffffac737325>] dump_stack+0x4e/0x7a
       [<ffffffffac06d28d>] warn_slowpath_common+0x7d/0xa0
       [<ffffffffac06d30c>] warn_slowpath_fmt+0x5c/0x80
       [<ffffffffc01736d5>] llc_mac_hdr_init+0x85/0x90 [llc]
       [<ffffffffc0173759>] llc_build_and_send_ui_pkt+0x79/0x90 [llc]
       [<ffffffffc057cdba>] llc_ui_sendmsg+0x23a/0x400 [llc2]
       [<ffffffffac605d8c>] sock_sendmsg+0x9c/0xe0
       [<ffffffffac185a37>] ? might_fault+0x47/0x50
       [<ffffffffac606321>] SYSC_sendto+0x121/0x1c0
       [<ffffffffac011847>] ? syscall_trace_enter+0x207/0x270
       [<ffffffffac6071ce>] SyS_sendto+0xe/0x10
       [<ffffffffac74aaa4>] tracesys+0xdd/0xe2
      Until 2009, this was a printk, when it was changed in
      bf9ae538: "llc: use dev_hard_header".
      Let userland figure out what -EINVAL means by itself.
      Signed-off-by: default avatarDave Jones <davej@fedoraproject.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  14. 19 Jan, 2014 1 commit
  15. 03 Jan, 2014 1 commit
  16. 02 Jan, 2014 1 commit
    • Daniel Borkmann's avatar
      net: llc: fix use after free in llc_ui_recvmsg · 4d231b76
      Daniel Borkmann authored
      While commit 30a584d9 fixes datagram interface in LLC, a use
      after free bug has been introduced for SOCK_STREAM sockets that do
      not make use of MSG_PEEK.
      The flow is as follow ...
        if (!(flags & MSG_PEEK)) {
          sk_eat_skb(sk, skb, false);
        if (used + offset < skb->len)
      ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
      original length and work on skb_len to check partial reads.
      Fixes: 30a584d9 ("[LLX]: SOCK_DGRAM interface fixes")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  17. 27 Dec, 2013 1 commit
  18. 20 Nov, 2013 1 commit
    • Hannes Frederic Sowa's avatar
      net: rework recvmsg handler msg_name and msg_namelen logic · f3d33426
      Hannes Frederic Sowa authored
      This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
      set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
      to return msg_name to the user.
      This prevents numerous uninitialized memory leaks we had in the
      recvmsg handlers and makes it harder for new code to accidentally leak
      uninitialized memory.
      Optimize for the case recvfrom is called with NULL as address. We don't
      need to copy the address at all, so set it to NULL before invoking the
      recvmsg handler. We can do so, because all the recvmsg handlers must
      cope with the case a plain read() is called on them. read() also sets
      msg_name to NULL.
      Also document these changes in include/linux/net.h as suggested by David
      Changes since RFC:
      Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
      non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
      affect sendto as it would bail out earlier while trying to copy-in the
      address. It also more naturally reflects the logic by the callers of
      With this change in place I could remove "
      if (!uaddr || msg_sys->msg_namelen == 0)
      	msg->msg_name = NULL
      This change does not alter the user visible error logic as we ignore
      msg_namelen as long as msg_name is NULL.
      Also remove two unnecessary curly brackets in ___sys_recvmsg and change
      comments to netdev style.
      Cc: David Miller <davem@davemloft.net>
      Suggested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  19. 03 Sep, 2013 1 commit
  20. 15 Aug, 2013 1 commit
  21. 07 Apr, 2013 1 commit
    • Mathias Krause's avatar
      llc: Fix missing msg_namelen update in llc_ui_recvmsg() · c77a4b9c
      Mathias Krause authored
      For stream sockets the code misses to update the msg_namelen member
      to 0 and therefore makes net/socket.c leak the local, uninitialized
      sockaddr_storage variable to userland -- 128 bytes of kernel stack
      memory. The msg_namelen update is also missing for datagram sockets
      in case the socket is shutting down during receive.
      Fix both issues by setting msg_namelen to 0 early. It will be
      updated later if we're going to fill the msg_name member.
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  22. 27 Feb, 2013 1 commit
    • Sasha Levin's avatar
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      I'm not sure why, but the hlist for each entry iterators were conceived
              list_for_each_entry(pos, head, member)
      The hlist ones were greedy and wanted an extra parameter:
              hlist_for_each_entry(tpos, pos, head, member)
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      Besides the semantic patch, there was some manual work required:
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      -T b;
          <+... when != b
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c, d) S
      - b,
      c) S
      for_each_busy_worker(a, c,
      - b,
      d) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      -(a, b)
      + sk_for_each_from(a) S
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c, d, e) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c, d) S
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c, d) S
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  23. 18 Nov, 2012 1 commit
    • Eric W. Biederman's avatar
      net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm · df008c91
      Eric W. Biederman authored
      Allow an unpriviled user who has created a user namespace, and then
      created a network namespace to effectively use the new network
      namespace, by reducing capable(CAP_NET_ADMIN) and
      capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
      CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
      Allow creation of af_key sockets.
      Allow creation of llc sockets.
      Allow creation of af_packet sockets.
      Allow sending xfrm netlink control messages.
      Allow binding to netlink multicast groups.
      Allow sending to netlink multicast groups.
      Allow adding and dropping netlink multicast groups.
      Allow sending to all netlink multicast groups and port ids.
      Allow reading the netfilter SO_IP_SET socket option.
      Allow sending netfilter netlink messages.
      Allow setting and getting ip_vs netfilter socket options.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  24. 17 Sep, 2012 7 commits
  25. 15 Aug, 2012 1 commit
    • Mathias Krause's avatar
      llc: fix info leak via getsockname() · 3592aaeb
      Mathias Krause authored
      The LLC code wrongly returns 0, i.e. "success", when the socket is
      zapped. Together with the uninitialized uaddrlen pointer argument from
      sys_getsockname this leads to an arbitrary memory leak of up to 128
      bytes kernel stack via the getsockname() syscall.
      Return an error instead when the socket is zapped to prevent the info
      leak. Also remove the unnecessary memset(0). We don't directly write to
      the memory pointed by uaddr but memcpy() a local structure at the end of
      the function that is properly initialized.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  26. 14 Aug, 2012 4 commits
  27. 06 Aug, 2012 1 commit
  28. 11 Jul, 2012 1 commit
  29. 17 May, 2012 1 commit