Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.0.2 2015-03-16T02:19:17Z 2015-03-16T02:19:17Z Al Viro viro@ZenIV.linux.org.uk 2015-03-14T05:22:21Z urn:sha1:3eeff778e00c956875c70b145c52638c313dfb23 It should be checking flags, not msg->msg_flags. It's ->sendmsg() instances that need to look for that in ->msg_flags, ->recvmsg() ones (including the other ->recvmsg() instance in that file, as well as unix_dgram_recvmsg() this one claims to be imitating) check in flags. Braino had been introduced in commit dcda13 ("caif: Bugfix - use MSG_TRUNC in receive") back in 2010, so it goes quite a while back. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-12-09T21:29:03Z Al Viro viro@zeniv.linux.org.uk 2014-11-24T15:42:55Z urn:sha1:c0371da6047abd261bc483c744dbc7d81a116172 Note that the code _using_ ->msg_iter at that point will be very unhappy with anything other than unshifted iovec-backed iov_iter. We still need to convert users to proper primitives. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2014-11-24T09:28:51Z Al Viro viro@zeniv.linux.org.uk 2014-04-07T01:51:23Z urn:sha1:7eab8d9e8a722ca07bc785f73e21c3d3418defa6 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2014-11-24T09:28:48Z Al Viro viro@zeniv.linux.org.uk 2014-04-07T01:25:44Z urn:sha1:6ce8e9ce5989ae13f493062975304700be86d20e Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2014-11-05T21:46:40Z David S. Miller davem@davemloft.net 2014-11-05T21:46:40Z urn:sha1:51f3d02b980a338cd291d2bc7629cdfb2568424b This encapsulates all of the skb_copy_datagram_iovec() callers with call argument signature "skb, offset, msghdr->msg_iov, length". When we move to iov_iters in the networking, the iov_iter object will sit in the msghdr. Having a helper like this means there will be less places to touch during that transformation. Based upon descriptions and patch from Al Viro. Signed-off-by: David S. Miller <davem@davemloft.net> 2014-07-03T00:05:29Z Fabian Frederick fabf@skynet.be 2014-06-27T21:07:43Z urn:sha1:fb0d164cc1e46ddb22e8fac9f9cb94fdaeddd70f based on checkpatch: "debugfs_remove_recursive(NULL) is safe this check is probably not required" Cc: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no> Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-04-11T20:15:36Z David S. Miller davem@davemloft.net 2014-04-11T20:15:36Z urn:sha1:676d23690fb62b5d51ba5d659935e9f7d9da9f8e Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net> 2013-11-21T02:52:30Z Hannes Frederic Sowa hannes@stressinduktion.org 2013-11-21T02:14:22Z urn:sha1:f3d3342602f8bcbf37d7c46641cb9bca7618eb1c This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-04-23T17:25:51Z sjur.brandeland@stericsson.com sjur.brandeland@stericsson.com 2013-04-22T23:57:01Z urn:sha1:26ee65e680f4a2291f6258e11beceae0ad4eeba3 Remove my soon bouncing email address. Also remove the "Contact:" line in file header. The MAINTAINERS file is a better place to find the contact person anyway. Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-04-07T22:37:01Z David S. Miller davem@davemloft.net 2013-04-07T22:37:01Z urn:sha1:d978a6361ad13f1f9694fcb7b5852d253a544d92 Conflicts: drivers/nfc/microread/mei.c net/netfilter/nfnetlink_queue_core.c Pull in 'net' to get Eric Biederman's AF_UNIX fix, upon which some cleanups are going to go on-top. Signed-off-by: David S. Miller <davem@davemloft.net>