2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* RAW sockets for IPv6
|
2007-02-09 22:24:49 +08:00
|
|
|
* Linux INET6 implementation
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
|
|
|
* Authors:
|
2007-02-09 22:24:49 +08:00
|
|
|
* Pedro Roque <roque@di.fc.ul.pt>
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
|
|
|
* Adapted from linux/net/ipv4/raw.c
|
|
|
|
*
|
|
|
|
* Fixes:
|
|
|
|
* Hideaki YOSHIFUJI : sin6_scope_id support
|
2007-02-09 22:24:49 +08:00
|
|
|
* YOSHIFUJI,H.@USAGI : raw checksum (RFC2292(bis) compliance)
|
2005-04-17 06:20:36 +08:00
|
|
|
* Kazunori MIYAZAWA @USAGI: change process style to use ip6_append_data
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/socket.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
|
|
|
#include <linux/slab.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/sockios.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <linux/in6.h>
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/if_arp.h>
|
|
|
|
#include <linux/icmpv6.h>
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
#include <linux/netfilter_ipv6.h>
|
2005-12-14 15:16:37 +08:00
|
|
|
#include <linux/skbuff.h>
|
2011-02-04 09:59:32 +08:00
|
|
|
#include <linux/compat.h>
|
2015-02-20 05:58:07 +08:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/ioctls.h>
|
|
|
|
|
2007-09-12 18:01:34 +08:00
|
|
|
#include <net/net_namespace.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <net/ip.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
#include <net/snmp.h>
|
|
|
|
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
#include <net/ndisc.h>
|
|
|
|
#include <net/protocol.h>
|
|
|
|
#include <net/ip6_route.h>
|
|
|
|
#include <net/ip6_checksum.h>
|
|
|
|
#include <net/addrconf.h>
|
|
|
|
#include <net/transp_v6.h>
|
|
|
|
#include <net/udp.h>
|
|
|
|
#include <net/inet_common.h>
|
2005-08-10 11:08:28 +08:00
|
|
|
#include <net/tcp_states.h>
|
2012-10-30 00:23:10 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
2006-08-24 11:35:31 +08:00
|
|
|
#include <net/mip6.h>
|
|
|
|
#endif
|
2008-04-03 08:22:53 +08:00
|
|
|
#include <linux/mroute6.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-11-20 14:36:45 +08:00
|
|
|
#include <net/raw.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <net/rawv6.h>
|
|
|
|
#include <net/xfrm.h>
|
|
|
|
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/seq_file.h>
|
2011-07-15 23:47:34 +08:00
|
|
|
#include <linux/export.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-08-02 21:51:34 +08:00
|
|
|
#define ICMPV6_HDRLEN 4 /* ICMPv6 header, RFC 4443 Section 2.1 */
|
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
struct raw_hashinfo raw_v6_hashinfo;
|
2016-10-21 18:03:44 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_v6_hashinfo);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2023-03-16 23:32:00 +08:00
|
|
|
bool raw_v6_match(struct net *net, const struct sock *sk, unsigned short num,
|
2022-06-18 11:47:04 +08:00
|
|
|
const struct in6_addr *loc_addr,
|
|
|
|
const struct in6_addr *rmt_addr, int dif, int sdif)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
if (inet_sk(sk)->inet_num != num ||
|
|
|
|
!net_eq(sock_net(sk), net) ||
|
|
|
|
(!ipv6_addr_any(&sk->sk_v6_daddr) &&
|
|
|
|
!ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr)) ||
|
|
|
|
!raw_sk_bound_dev_eq(net, sk->sk_bound_dev_if,
|
|
|
|
dif, sdif))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (ipv6_addr_any(&sk->sk_v6_rcv_saddr) ||
|
|
|
|
ipv6_addr_equal(&sk->sk_v6_rcv_saddr, loc_addr) ||
|
|
|
|
(ipv6_addr_is_multicast(loc_addr) &&
|
|
|
|
inet6_mc_check(sk, loc_addr, rmt_addr)))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2022-06-18 11:47:04 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_v6_match);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* 0 - deliver
|
|
|
|
* 1 - block
|
|
|
|
*/
|
2012-09-25 15:03:40 +08:00
|
|
|
static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2013-08-02 21:51:19 +08:00
|
|
|
struct icmp6hdr _hdr;
|
2012-09-25 15:03:40 +08:00
|
|
|
const struct icmp6hdr *hdr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-08-02 21:51:34 +08:00
|
|
|
/* We require only the four bytes of the ICMPv6 header, not any
|
|
|
|
* additional bytes of message body in "struct icmp6hdr".
|
|
|
|
*/
|
2012-09-25 15:03:40 +08:00
|
|
|
hdr = skb_header_pointer(skb, skb_transport_offset(skb),
|
2013-08-02 21:51:34 +08:00
|
|
|
ICMPV6_HDRLEN, &_hdr);
|
2012-09-25 15:03:40 +08:00
|
|
|
if (hdr) {
|
|
|
|
const __u32 *data = &raw6_sk(sk)->filter.data[0];
|
|
|
|
unsigned int type = hdr->icmp6_type;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-09-25 15:03:40 +08:00
|
|
|
return (data[type >> 5] & (1U << (type & 31))) != 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2012-09-25 15:03:40 +08:00
|
|
|
return 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2012-10-30 00:23:10 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
2011-01-20 15:37:53 +08:00
|
|
|
typedef int mh_filter_t(struct sock *sock, struct sk_buff *skb);
|
2007-06-27 14:56:32 +08:00
|
|
|
|
2011-01-20 15:37:53 +08:00
|
|
|
static mh_filter_t __rcu *mh_filter __read_mostly;
|
|
|
|
|
|
|
|
int rawv6_mh_filter_register(mh_filter_t filter)
|
2007-06-27 14:56:32 +08:00
|
|
|
{
|
2012-01-12 12:41:32 +08:00
|
|
|
rcu_assign_pointer(mh_filter, filter);
|
2007-06-27 14:56:32 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(rawv6_mh_filter_register);
|
|
|
|
|
2011-01-20 15:37:53 +08:00
|
|
|
int rawv6_mh_filter_unregister(mh_filter_t filter)
|
2007-06-27 14:56:32 +08:00
|
|
|
{
|
2011-08-02 00:19:00 +08:00
|
|
|
RCU_INIT_POINTER(mh_filter, NULL);
|
2007-06-27 14:56:32 +08:00
|
|
|
synchronize_rcu();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(rawv6_mh_filter_unregister);
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* demultiplex raw sockets.
|
|
|
|
* (should consider queueing the skb in the sock receive_queue
|
|
|
|
* without calling rawv6.c)
|
|
|
|
*
|
|
|
|
* Caller owns SKB so we must make clones.
|
|
|
|
*/
|
2012-05-19 02:57:34 +08:00
|
|
|
static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
struct net *net = dev_net(skb->dev);
|
2011-04-22 12:53:02 +08:00
|
|
|
const struct in6_addr *saddr;
|
|
|
|
const struct in6_addr *daddr;
|
raw: Fix NULL deref in raw_get_next().
Dae R. Jeong reported a NULL deref in raw_get_next() [0].
It seems that the repro was running these sequences in parallel so
that one thread was iterating on a socket that was being freed in
another netns.
unshare(0x40060200)
r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00')
socket$inet_icmp_raw(0x2, 0x3, 0x1)
pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)
After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we
use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW
sockets. However, we should use spinlock for slow paths to avoid
the NULL deref.
Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object
is not reused during iteration in the grace period. In fact, the
lockless readers do not check the nulls marker with get_nulls_value().
So, SOCK_RAW should use hlist instead of hlist_nulls.
Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),
let's convert hlist_nulls to hlist and use sk_for_each_rcu() for
fast paths and sk_for_each() and spinlock for /proc/net/raw.
[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225
seq_read+0x224/0x320 fs/seq_file.c:162
pde_read fs/proc/inode.c:316 [inline]
proc_reg_read+0x23f/0x330 fs/proc/inode.c:328
vfs_read+0x31e/0xd30 fs/read_write.c:468
ksys_pread64 fs/read_write.c:665 [inline]
__do_sys_pread64 fs/read_write.c:675 [inline]
__se_sys_pread64 fs/read_write.c:672 [inline]
__x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740
R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 0daf07e52709 ("raw: convert raw sockets to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-04-04 03:49:58 +08:00
|
|
|
struct hlist_head *hlist;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sock *sk;
|
2012-05-19 02:57:34 +08:00
|
|
|
bool delivered = false;
|
2005-04-17 06:20:36 +08:00
|
|
|
__u8 hash;
|
|
|
|
|
2007-04-26 08:54:47 +08:00
|
|
|
saddr = &ipv6_hdr(skb)->saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
daddr = saddr + 1;
|
|
|
|
|
2023-02-02 17:41:00 +08:00
|
|
|
hash = raw_hashfunc(net, nexthdr);
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &raw_v6_hashinfo.ht[hash];
|
|
|
|
rcu_read_lock();
|
raw: Fix NULL deref in raw_get_next().
Dae R. Jeong reported a NULL deref in raw_get_next() [0].
It seems that the repro was running these sequences in parallel so
that one thread was iterating on a socket that was being freed in
another netns.
unshare(0x40060200)
r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00')
socket$inet_icmp_raw(0x2, 0x3, 0x1)
pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)
After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we
use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW
sockets. However, we should use spinlock for slow paths to avoid
the NULL deref.
Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object
is not reused during iteration in the grace period. In fact, the
lockless readers do not check the nulls marker with get_nulls_value().
So, SOCK_RAW should use hlist instead of hlist_nulls.
Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),
let's convert hlist_nulls to hlist and use sk_for_each_rcu() for
fast paths and sk_for_each() and spinlock for /proc/net/raw.
[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225
seq_read+0x224/0x320 fs/seq_file.c:162
pde_read fs/proc/inode.c:316 [inline]
proc_reg_read+0x23f/0x330 fs/proc/inode.c:328
vfs_read+0x31e/0xd30 fs/read_write.c:468
ksys_pread64 fs/read_write.c:665 [inline]
__do_sys_pread64 fs/read_write.c:675 [inline]
__se_sys_pread64 fs/read_write.c:672 [inline]
__x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740
R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 0daf07e52709 ("raw: convert raw sockets to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-04-04 03:49:58 +08:00
|
|
|
sk_for_each_rcu(sk, hlist) {
|
2006-08-24 11:35:31 +08:00
|
|
|
int filtered;
|
|
|
|
|
2022-06-18 11:47:04 +08:00
|
|
|
if (!raw_v6_match(net, sk, nexthdr, daddr, saddr,
|
|
|
|
inet6_iif(skb), inet6_sdif(skb)))
|
|
|
|
continue;
|
2012-05-19 02:57:34 +08:00
|
|
|
delivered = true;
|
2006-08-24 11:35:31 +08:00
|
|
|
switch (nexthdr) {
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
filtered = icmpv6_filter(sk, skb);
|
|
|
|
break;
|
2007-06-27 14:56:32 +08:00
|
|
|
|
2012-10-30 00:23:10 +08:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
2006-08-24 11:35:31 +08:00
|
|
|
case IPPROTO_MH:
|
2007-06-27 14:56:32 +08:00
|
|
|
{
|
2006-08-24 11:35:31 +08:00
|
|
|
/* XXX: To validate MH only once for each packet,
|
|
|
|
* this is placed here. It should be after checking
|
|
|
|
* xfrm policy, however it doesn't. The checking xfrm
|
|
|
|
* policy is placed in rawv6_rcv() because it is
|
|
|
|
* required for each socket.
|
|
|
|
*/
|
2011-01-20 15:37:53 +08:00
|
|
|
mh_filter_t *filter;
|
2007-06-27 14:56:32 +08:00
|
|
|
|
|
|
|
filter = rcu_dereference(mh_filter);
|
2011-01-20 15:37:53 +08:00
|
|
|
filtered = filter ? (*filter)(sk, skb) : 0;
|
2006-08-24 11:35:31 +08:00
|
|
|
break;
|
2007-06-27 14:56:32 +08:00
|
|
|
}
|
2006-08-24 11:35:31 +08:00
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
filtered = 0;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (filtered < 0)
|
|
|
|
break;
|
|
|
|
if (filtered == 0) {
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
|
|
|
/* Not releasing hash table! */
|
2023-03-21 23:58:44 +08:00
|
|
|
if (clone)
|
2005-04-17 06:20:36 +08:00
|
|
|
rawv6_rcv(sk, clone);
|
|
|
|
}
|
|
|
|
}
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_unlock();
|
2005-08-10 10:45:02 +08:00
|
|
|
return delivered;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2012-05-19 02:57:34 +08:00
|
|
|
bool raw6_local_deliver(struct sk_buff *skb, int nexthdr)
|
2007-11-20 14:35:57 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
return ipv6_raw_deliver(skb, nexthdr);
|
2007-11-20 14:35:57 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* This cleans up af_inet6 a bit. -DaveM */
|
|
|
|
static int rawv6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
|
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
|
|
|
struct sockaddr_in6 *addr = (struct sockaddr_in6 *) uaddr;
|
2006-11-15 12:56:00 +08:00
|
|
|
__be32 v4addr = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
int addr_type;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (addr_len < SIN6_LEN_RFC2133)
|
|
|
|
return -EINVAL;
|
2014-01-20 12:16:39 +08:00
|
|
|
|
|
|
|
if (addr->sin6_family != AF_INET6)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
addr_type = ipv6_addr_type(&addr->sin6_addr);
|
|
|
|
|
|
|
|
/* Raw sockets are IPv6 only */
|
|
|
|
if (addr_type == IPV6_ADDR_MAPPED)
|
2009-11-06 15:01:17 +08:00
|
|
|
return -EADDRNOTAVAIL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
lock_sock(sk);
|
|
|
|
|
|
|
|
err = -EINVAL;
|
|
|
|
if (sk->sk_state != TCP_CLOSE)
|
|
|
|
goto out;
|
|
|
|
|
2009-11-06 15:01:17 +08:00
|
|
|
rcu_read_lock();
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Check if the address belongs to the host. */
|
|
|
|
if (addr_type != IPV6_ADDR_ANY) {
|
|
|
|
struct net_device *dev = NULL;
|
|
|
|
|
2013-03-08 10:07:19 +08:00
|
|
|
if (__ipv6_addr_needs_scope_id(addr_type)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (addr_len >= sizeof(struct sockaddr_in6) &&
|
|
|
|
addr->sin6_scope_id) {
|
|
|
|
/* Override any existing binding, if another
|
|
|
|
* one is supplied by user.
|
|
|
|
*/
|
|
|
|
sk->sk_bound_dev_if = addr->sin6_scope_id;
|
|
|
|
}
|
2007-02-09 22:24:49 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Binding to link-local address requires an interface */
|
|
|
|
if (!sk->sk_bound_dev_if)
|
2009-11-06 15:01:17 +08:00
|
|
|
goto out_unlock;
|
2019-05-21 02:57:17 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-05-21 02:57:17 +08:00
|
|
|
if (sk->sk_bound_dev_if) {
|
2009-11-06 15:01:17 +08:00
|
|
|
err = -ENODEV;
|
|
|
|
dev = dev_get_by_index_rcu(sock_net(sk),
|
|
|
|
sk->sk_bound_dev_if);
|
|
|
|
if (!dev)
|
|
|
|
goto out_unlock;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2007-02-09 22:24:49 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* ipv4 addr of the socket is invalid. Only the
|
|
|
|
* unspecified and mapped address have a v4 equivalent.
|
|
|
|
*/
|
|
|
|
v4addr = LOOPBACK4_IPV6;
|
2015-07-09 07:58:22 +08:00
|
|
|
if (!(addr_type & IPV6_ADDR_MULTICAST) &&
|
net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind()
Found by virtue of ipv6 raw sockets not honouring the per-socket
IP{,V6}_FREEBIND setting.
Based on hits found via:
git grep '[.]ip_nonlocal_bind'
We fix both raw ipv6 sockets to honour IP{,V6}_FREEBIND and IP{,V6}_TRANSPARENT,
and we fix sctp sockets to honour IP{,V6}_TRANSPARENT (they already honoured
FREEBIND), and not just the ipv6 'ip_nonlocal_bind' sysctl.
The helper is defined as:
static inline bool ipv6_can_nonlocal_bind(struct net *net, struct inet_sock *inet) {
return net->ipv6.sysctl.ip_nonlocal_bind || inet->freebind || inet->transparent;
}
so this change only widens the accepted opt-outs and is thus a clean bugfix.
I'm not entirely sure what 'fixes' tag to add, since this is AFAICT an ancient bug,
but IMHO this should be applied to stable kernels as far back as possible.
As such I'm adding a 'fixes' tag with the commit that originally added the helper,
which happened in 4.19. Backporting to older LTS kernels (at least 4.9 and 4.14)
would presumably require open-coding it or backporting the helper as well.
Other possibly relevant commits:
v4.18-rc6-1502-g83ba4645152d net: add helpers checking if socket can be bound to nonlocal address
v4.18-rc6-1431-gd0c1f01138c4 net/ipv6: allow any source address for sendmsg pktinfo with ip_nonlocal_bind
v4.14-rc5-271-gb71d21c274ef sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
v4.7-rc7-1883-g9b9742022888 sctp: support ipv6 nonlocal bind
v4.1-12247-g35a256fee52c ipv6: Nonlocal bind
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes: 83ba4645152d ("net: add helpers checking if socket can be bound to nonlocal address")
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Reviewed-By: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-04-05 15:06:52 +08:00
|
|
|
!ipv6_can_nonlocal_bind(sock_net(sk), inet)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
err = -EADDRNOTAVAIL;
|
2008-03-26 01:26:21 +08:00
|
|
|
if (!ipv6_chk_addr(sock_net(sk), &addr->sin6_addr,
|
2008-01-11 14:43:18 +08:00
|
|
|
dev, 0)) {
|
2009-11-06 15:01:17 +08:00
|
|
|
goto out_unlock;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-10-15 14:30:45 +08:00
|
|
|
inet->inet_rcv_saddr = inet->inet_saddr = v4addr;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-04 06:42:29 +08:00
|
|
|
sk->sk_v6_rcv_saddr = addr->sin6_addr;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!(addr_type & IPV6_ADDR_MULTICAST))
|
2011-11-21 11:39:03 +08:00
|
|
|
np->saddr = addr->sin6_addr;
|
2005-04-17 06:20:36 +08:00
|
|
|
err = 0;
|
2009-11-06 15:01:17 +08:00
|
|
|
out_unlock:
|
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
out:
|
|
|
|
release_sock(sk);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-11-20 14:35:57 +08:00
|
|
|
static void rawv6_err(struct sock *sk, struct sk_buff *skb,
|
2005-04-17 06:20:36 +08:00
|
|
|
struct inet6_skb_parm *opt,
|
2009-06-23 19:31:07 +08:00
|
|
|
u8 type, u8 code, int offset, __be32 info)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2023-09-13 00:02:08 +08:00
|
|
|
bool recverr = inet6_test_bit(RECVERR6, sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
|
|
|
int err;
|
|
|
|
int harderr;
|
|
|
|
|
|
|
|
/* Report error on raw socket, if:
|
|
|
|
1. User requested recverr.
|
|
|
|
2. Socket is connected (otherwise the error indication
|
|
|
|
is useless without recverr and error is hard.
|
|
|
|
*/
|
2023-09-13 00:02:08 +08:00
|
|
|
if (!recverr && sk->sk_state != TCP_ESTABLISHED)
|
2005-04-17 06:20:36 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
harderr = icmpv6_err_convert(type, code, &err);
|
2012-06-16 05:54:11 +08:00
|
|
|
if (type == ICMPV6_PKT_TOOBIG) {
|
|
|
|
ip6_sk_update_pmtu(skb, sk, info);
|
2023-09-13 00:02:11 +08:00
|
|
|
harderr = (READ_ONCE(np->pmtudisc) == IPV6_PMTUDISC_DO);
|
2012-06-16 05:54:11 +08:00
|
|
|
}
|
2013-09-20 18:21:25 +08:00
|
|
|
if (type == NDISC_REDIRECT) {
|
2012-07-12 15:25:15 +08:00
|
|
|
ip6_sk_redirect(skb, sk);
|
2013-09-20 18:21:25 +08:00
|
|
|
return;
|
|
|
|
}
|
2023-09-13 00:02:08 +08:00
|
|
|
if (recverr) {
|
2005-04-17 06:20:36 +08:00
|
|
|
u8 *payload = skb->data;
|
2023-08-16 16:15:38 +08:00
|
|
|
if (!inet_test_bit(HDRINCL, sk))
|
2005-04-17 06:20:36 +08:00
|
|
|
payload += offset;
|
|
|
|
ipv6_icmp_error(sk, skb, err, 0, ntohl(info), payload);
|
|
|
|
}
|
|
|
|
|
2023-09-13 00:02:08 +08:00
|
|
|
if (recverr || harderr) {
|
2005-04-17 06:20:36 +08:00
|
|
|
sk->sk_err = err;
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-11-20 14:35:57 +08:00
|
|
|
void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
|
2009-06-23 19:31:07 +08:00
|
|
|
u8 type, u8 code, int inner_offset, __be32 info)
|
2007-11-20 14:35:57 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
struct net *net = dev_net(skb->dev);
|
raw: Fix NULL deref in raw_get_next().
Dae R. Jeong reported a NULL deref in raw_get_next() [0].
It seems that the repro was running these sequences in parallel so
that one thread was iterating on a socket that was being freed in
another netns.
unshare(0x40060200)
r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00')
socket$inet_icmp_raw(0x2, 0x3, 0x1)
pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)
After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we
use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW
sockets. However, we should use spinlock for slow paths to avoid
the NULL deref.
Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object
is not reused during iteration in the grace period. In fact, the
lockless readers do not check the nulls marker with get_nulls_value().
So, SOCK_RAW should use hlist instead of hlist_nulls.
Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),
let's convert hlist_nulls to hlist and use sk_for_each_rcu() for
fast paths and sk_for_each() and spinlock for /proc/net/raw.
[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225
seq_read+0x224/0x320 fs/seq_file.c:162
pde_read fs/proc/inode.c:316 [inline]
proc_reg_read+0x23f/0x330 fs/proc/inode.c:328
vfs_read+0x31e/0xd30 fs/read_write.c:468
ksys_pread64 fs/read_write.c:665 [inline]
__do_sys_pread64 fs/read_write.c:675 [inline]
__se_sys_pread64 fs/read_write.c:672 [inline]
__x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740
R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 0daf07e52709 ("raw: convert raw sockets to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-04-04 03:49:58 +08:00
|
|
|
struct hlist_head *hlist;
|
2007-11-20 14:35:57 +08:00
|
|
|
struct sock *sk;
|
|
|
|
int hash;
|
|
|
|
|
2023-02-02 17:41:00 +08:00
|
|
|
hash = raw_hashfunc(net, nexthdr);
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &raw_v6_hashinfo.ht[hash];
|
|
|
|
rcu_read_lock();
|
raw: Fix NULL deref in raw_get_next().
Dae R. Jeong reported a NULL deref in raw_get_next() [0].
It seems that the repro was running these sequences in parallel so
that one thread was iterating on a socket that was being freed in
another netns.
unshare(0x40060200)
r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00')
socket$inet_icmp_raw(0x2, 0x3, 0x1)
pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)
After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we
use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW
sockets. However, we should use spinlock for slow paths to avoid
the NULL deref.
Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object
is not reused during iteration in the grace period. In fact, the
lockless readers do not check the nulls marker with get_nulls_value().
So, SOCK_RAW should use hlist instead of hlist_nulls.
Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),
let's convert hlist_nulls to hlist and use sk_for_each_rcu() for
fast paths and sk_for_each() and spinlock for /proc/net/raw.
[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225
seq_read+0x224/0x320 fs/seq_file.c:162
pde_read fs/proc/inode.c:316 [inline]
proc_reg_read+0x23f/0x330 fs/proc/inode.c:328
vfs_read+0x31e/0xd30 fs/read_write.c:468
ksys_pread64 fs/read_write.c:665 [inline]
__do_sys_pread64 fs/read_write.c:675 [inline]
__se_sys_pread64 fs/read_write.c:672 [inline]
__x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740
R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 0daf07e52709 ("raw: convert raw sockets to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-04-04 03:49:58 +08:00
|
|
|
sk_for_each_rcu(sk, hlist) {
|
2008-04-11 22:51:26 +08:00
|
|
|
/* Note: ipv6_hdr(skb) != skb->data */
|
2011-04-22 12:53:02 +08:00
|
|
|
const struct ipv6hdr *ip6h = (const struct ipv6hdr *)skb->data;
|
2007-11-20 14:35:57 +08:00
|
|
|
|
2022-06-18 11:47:04 +08:00
|
|
|
if (!raw_v6_match(net, sk, nexthdr, &ip6h->saddr, &ip6h->daddr,
|
|
|
|
inet6_iif(skb), inet6_iif(skb)))
|
|
|
|
continue;
|
|
|
|
rawv6_err(sk, skb, NULL, type, code, inner_offset, info);
|
2007-11-20 14:35:57 +08:00
|
|
|
}
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_unlock();
|
2007-11-20 14:35:57 +08:00
|
|
|
}
|
|
|
|
|
2011-08-12 03:30:52 +08:00
|
|
|
static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2023-02-02 17:40:58 +08:00
|
|
|
enum skb_drop_reason reason;
|
|
|
|
|
2011-08-12 03:30:52 +08:00
|
|
|
if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
|
2005-11-11 05:01:24 +08:00
|
|
|
skb_checksum_complete(skb)) {
|
2007-11-14 12:31:14 +08:00
|
|
|
atomic_inc(&sk->sk_drops);
|
2023-02-02 17:40:58 +08:00
|
|
|
kfree_skb_reason(skb, SKB_DROP_REASON_SKB_CSUM);
|
2008-08-30 05:06:51 +08:00
|
|
|
return NET_RX_DROP;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Charge it to the socket. */
|
ipv4: PKTINFO doesnt need dst reference
Le lundi 07 novembre 2011 à 15:33 +0100, Eric Dumazet a écrit :
> At least, in recent kernels we dont change dst->refcnt in forwarding
> patch (usinf NOREF skb->dst)
>
> One particular point is the atomic_inc(dst->refcnt) we have to perform
> when queuing an UDP packet if socket asked PKTINFO stuff (for example a
> typical DNS server has to setup this option)
>
> I have one patch somewhere that stores the information in skb->cb[] and
> avoid the atomic_{inc|dec}(dst->refcnt).
>
OK I found it, I did some extra tests and believe its ready.
[PATCH net-next] ipv4: IP_PKTINFO doesnt need dst reference
When a socket uses IP_PKTINFO notifications, we currently force a dst
reference for each received skb. Reader has to access dst to get needed
information (rt_iif & rt_spec_dst) and must release dst reference.
We also forced a dst reference if skb was put in socket backlog, even
without IP_PKTINFO handling. This happens under stress/load.
We can instead store the needed information in skb->cb[], so that only
softirq handler really access dst, improving cache hit ratios.
This removes two atomic operations per packet, and false sharing as
well.
On a benchmark using a mono threaded receiver (doing only recvmsg()
calls), I can reach 720.000 pps instead of 570.000 pps.
IP_PKTINFO is typically used by DNS servers, and any multihomed aware
UDP application.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-11-09 15:24:35 +08:00
|
|
|
skb_dst_drop(skb);
|
2023-02-02 17:40:58 +08:00
|
|
|
if (sock_queue_rcv_skb_reason(sk, skb, &reason) < 0) {
|
|
|
|
kfree_skb_reason(skb, reason);
|
2008-08-30 05:06:51 +08:00
|
|
|
return NET_RX_DROP;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-02-09 22:24:49 +08:00
|
|
|
* This is next to useless...
|
2005-04-17 06:20:36 +08:00
|
|
|
* if we demultiplex in network layer we don't need the extra call
|
2007-02-09 22:24:49 +08:00
|
|
|
* just to queue the skb...
|
|
|
|
* maybe we could have the network decide upon a hint if it
|
2005-04-17 06:20:36 +08:00
|
|
|
* should call raw_rcv for demultiplexing
|
|
|
|
*/
|
|
|
|
int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
struct raw6_sock *rp = raw6_sk(sk);
|
|
|
|
|
2007-02-09 22:24:49 +08:00
|
|
|
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
|
2007-11-14 12:31:14 +08:00
|
|
|
atomic_inc(&sk->sk_drops);
|
2023-02-02 17:40:58 +08:00
|
|
|
kfree_skb_reason(skb, SKB_DROP_REASON_XFRM_POLICY);
|
2007-02-09 22:24:49 +08:00
|
|
|
return NET_RX_DROP;
|
|
|
|
}
|
2023-03-21 23:58:44 +08:00
|
|
|
nf_reset_ct(skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (!rp->checksum)
|
|
|
|
skb->ip_summed = CHECKSUM_UNNECESSARY;
|
|
|
|
|
2006-08-30 07:44:56 +08:00
|
|
|
if (skb->ip_summed == CHECKSUM_COMPLETE) {
|
2007-04-11 11:50:43 +08:00
|
|
|
skb_postpull_rcsum(skb, skb_network_header(skb),
|
2007-03-17 04:26:39 +08:00
|
|
|
skb_network_header_len(skb));
|
2007-04-26 08:54:47 +08:00
|
|
|
if (!csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
|
|
|
|
&ipv6_hdr(skb)->daddr,
|
2009-10-15 14:30:45 +08:00
|
|
|
skb->len, inet->inet_num, skb->csum))
|
2005-04-17 06:20:36 +08:00
|
|
|
skb->ip_summed = CHECKSUM_UNNECESSARY;
|
|
|
|
}
|
2007-04-10 02:59:39 +08:00
|
|
|
if (!skb_csum_unnecessary(skb))
|
2007-04-26 08:54:47 +08:00
|
|
|
skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
|
|
|
|
&ipv6_hdr(skb)->daddr,
|
|
|
|
skb->len,
|
2009-10-15 14:30:45 +08:00
|
|
|
inet->inet_num, 0));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2023-08-16 16:15:38 +08:00
|
|
|
if (inet_test_bit(HDRINCL, sk)) {
|
2005-11-11 05:01:24 +08:00
|
|
|
if (skb_checksum_complete(skb)) {
|
2007-11-14 12:31:14 +08:00
|
|
|
atomic_inc(&sk->sk_drops);
|
2023-02-02 17:40:58 +08:00
|
|
|
kfree_skb_reason(skb, SKB_DROP_REASON_SKB_CSUM);
|
2008-08-30 05:06:51 +08:00
|
|
|
return NET_RX_DROP;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
rawv6_rcv_skb(sk, skb);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This should be easy, if there is something there
|
|
|
|
* we return it, otherwise we block.
|
|
|
|
*/
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int rawv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
|
net: remove noblock parameter from recvmsg() entities
The internal recvmsg() functions have two parameters 'flags' and 'noblock'
that were merged inside skb_recv_datagram(). As a follow up patch to commit
f4b41f062c42 ("net: remove noblock parameter from skb_recv_datagram()")
this patch removes the separate 'noblock' parameter for recvmsg().
Analogue to the referenced patch for skb_recv_datagram() the 'flags' and
'noblock' parameters are unnecessarily split up with e.g.
err = sk->sk_prot->recvmsg(sk, msg, size, flags & MSG_DONTWAIT,
flags & ~MSG_DONTWAIT, &addr_len);
or in
err = INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
sk, msg, size, flags & MSG_DONTWAIT,
flags & ~MSG_DONTWAIT, &addr_len);
instead of simply using only flags all the time and check for MSG_DONTWAIT
where needed (to preserve for the formerly separated no(n)block condition).
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/r/20220411124955.154876-1-socketcan@hartkopp.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2022-04-11 20:49:55 +08:00
|
|
|
int flags, int *addr_len)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
2014-01-18 05:53:15 +08:00
|
|
|
DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
size_t copied;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (flags & MSG_OOB)
|
|
|
|
return -EOPNOTSUPP;
|
2007-02-09 22:24:49 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (flags & MSG_ERRQUEUE)
|
2013-11-23 07:46:12 +08:00
|
|
|
return ipv6_recv_error(sk, msg, len, addr_len);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-04-23 19:26:09 +08:00
|
|
|
if (np->rxpmtu && np->rxopt.bits.rxpmtu)
|
2013-11-23 07:46:12 +08:00
|
|
|
return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
|
2010-04-23 19:26:09 +08:00
|
|
|
|
2022-04-05 00:30:22 +08:00
|
|
|
skb = skb_recv_datagram(sk, flags, &err);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!skb)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
copied = skb->len;
|
2007-02-09 22:24:49 +08:00
|
|
|
if (copied > len) {
|
|
|
|
copied = len;
|
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-04-10 02:59:39 +08:00
|
|
|
if (skb_csum_unnecessary(skb)) {
|
2014-11-06 05:46:40 +08:00
|
|
|
err = skb_copy_datagram_msg(skb, 0, msg, copied);
|
2005-04-17 06:20:36 +08:00
|
|
|
} else if (msg->msg_flags&MSG_TRUNC) {
|
2005-11-11 05:01:24 +08:00
|
|
|
if (__skb_checksum_complete(skb))
|
2005-04-17 06:20:36 +08:00
|
|
|
goto csum_copy_err;
|
2014-11-06 05:46:40 +08:00
|
|
|
err = skb_copy_datagram_msg(skb, 0, msg, copied);
|
2005-04-17 06:20:36 +08:00
|
|
|
} else {
|
2014-04-07 06:47:38 +08:00
|
|
|
err = skb_copy_and_csum_datagram_msg(skb, 0, msg);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err == -EINVAL)
|
|
|
|
goto csum_copy_err;
|
|
|
|
}
|
|
|
|
if (err)
|
|
|
|
goto out_free;
|
|
|
|
|
|
|
|
/* Copy the address. */
|
|
|
|
if (sin6) {
|
|
|
|
sin6->sin6_family = AF_INET6;
|
2006-07-26 08:05:35 +08:00
|
|
|
sin6->sin6_port = 0;
|
2011-11-21 11:39:03 +08:00
|
|
|
sin6->sin6_addr = ipv6_hdr(skb)->saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
sin6->sin6_flowinfo = 0;
|
2013-03-08 10:07:19 +08:00
|
|
|
sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
|
2014-08-01 09:52:58 +08:00
|
|
|
inet6_iif(skb));
|
2013-11-18 11:20:45 +08:00
|
|
|
*addr_len = sizeof(*sin6);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2022-04-28 04:02:37 +08:00
|
|
|
sock_recv_cmsgs(msg, sk, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (np->rxopt.all)
|
2013-01-31 09:02:24 +08:00
|
|
|
ip6_datagram_recv_ctl(sk, msg, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
err = copied;
|
|
|
|
if (flags & MSG_TRUNC)
|
|
|
|
err = skb->len;
|
|
|
|
|
|
|
|
out_free:
|
|
|
|
skb_free_datagram(sk, skb);
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
|
|
|
|
csum_copy_err:
|
2005-12-14 15:16:37 +08:00
|
|
|
skb_kill_datagram(sk, skb, flags);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Error for blocking case is chosen to masquerade
|
|
|
|
as some normal condition.
|
|
|
|
*/
|
|
|
|
err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
|
2005-12-14 15:16:37 +08:00
|
|
|
goto out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
|
2005-04-20 13:30:14 +08:00
|
|
|
struct raw6_sock *rp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2023-01-10 08:59:06 +08:00
|
|
|
struct ipv6_txoptions *opt;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
int err = 0;
|
2005-04-20 13:30:14 +08:00
|
|
|
int offset;
|
|
|
|
int len;
|
2005-05-04 05:24:36 +08:00
|
|
|
int total_len;
|
2006-11-15 13:35:48 +08:00
|
|
|
__wsum tmp_csum;
|
|
|
|
__sum16 csum;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (!rp->checksum)
|
|
|
|
goto send;
|
|
|
|
|
2014-10-29 19:57:51 +08:00
|
|
|
skb = skb_peek(&sk->sk_write_queue);
|
|
|
|
if (!skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
|
|
|
|
2005-04-20 13:30:14 +08:00
|
|
|
offset = rp->offset;
|
2011-10-11 09:43:33 +08:00
|
|
|
total_len = inet_sk(sk)->cork.base.length;
|
2023-01-10 08:59:06 +08:00
|
|
|
opt = inet6_sk(sk)->cork.opt;
|
|
|
|
total_len -= opt ? opt->opt_flen : 0;
|
|
|
|
|
2005-05-04 05:24:36 +08:00
|
|
|
if (offset >= total_len - 1) {
|
2005-04-17 06:20:36 +08:00
|
|
|
err = -EINVAL;
|
2005-04-20 13:30:14 +08:00
|
|
|
ip6_flush_pending_frames(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* should be check HW csum miyazawa */
|
|
|
|
if (skb_queue_len(&sk->sk_write_queue) == 1) {
|
|
|
|
/*
|
|
|
|
* Only one fragment on the socket.
|
|
|
|
*/
|
|
|
|
tmp_csum = skb->csum;
|
|
|
|
} else {
|
2005-04-20 13:30:14 +08:00
|
|
|
struct sk_buff *csum_skb = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
tmp_csum = 0;
|
|
|
|
|
|
|
|
skb_queue_walk(&sk->sk_write_queue, skb) {
|
|
|
|
tmp_csum = csum_add(tmp_csum, skb->csum);
|
2005-04-20 13:30:14 +08:00
|
|
|
|
|
|
|
if (csum_skb)
|
|
|
|
continue;
|
|
|
|
|
2007-04-26 08:55:53 +08:00
|
|
|
len = skb->len - skb_transport_offset(skb);
|
2005-04-20 13:30:14 +08:00
|
|
|
if (offset >= len) {
|
|
|
|
offset -= len;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
csum_skb = skb;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2005-04-20 13:30:14 +08:00
|
|
|
|
|
|
|
skb = csum_skb;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2007-04-26 08:55:53 +08:00
|
|
|
offset += skb_transport_offset(skb);
|
ipv6: handle -EFAULT from skb_copy_bits
By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.
RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:ffff881f6c4a7c18 EFLAGS: 00010282
RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80
Call Trace:
[<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
[<ffffffff81772697>] inet_sendmsg+0x67/0xa0
[<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
[<ffffffff816d982f>] SYSC_sendto+0xef/0x170
[<ffffffff816da27e>] SyS_sendto+0xe/0x10
[<ffffffff81002910>] do_syscall_64+0x50/0xa0
[<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25
Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.
Reproducer:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define LEN 504
int main(int argc, char* argv[])
{
int fd;
int zero = 0;
char buf[LEN];
memset(buf, 0, LEN);
fd = socket(AF_INET6, SOCK_RAW, 7);
setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);
sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
}
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-23 00:16:22 +08:00
|
|
|
err = skb_copy_bits(skb, offset, &csum, 2);
|
|
|
|
if (err < 0) {
|
|
|
|
ip6_flush_pending_frames(sk);
|
|
|
|
goto out;
|
|
|
|
}
|
2005-04-20 13:30:14 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* in case cksum was not initialized */
|
2005-04-20 13:30:14 +08:00
|
|
|
if (unlikely(csum))
|
2006-11-15 13:36:54 +08:00
|
|
|
tmp_csum = csum_sub(tmp_csum, csum_unfold(csum));
|
2005-04-20 13:30:14 +08:00
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
csum = csum_ipv6_magic(&fl6->saddr, &fl6->daddr,
|
|
|
|
total_len, fl6->flowi6_proto, tmp_csum);
|
2005-04-20 13:30:14 +08:00
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
if (csum == 0 && fl6->flowi6_proto == IPPROTO_UDP)
|
2006-11-16 18:36:50 +08:00
|
|
|
csum = CSUM_MANGLED_0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-07-12 04:25:38 +08:00
|
|
|
BUG_ON(skb_store_bits(skb, offset, &csum, 2));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
send:
|
|
|
|
err = ip6_push_pending_frames(sk);
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2014-11-28 08:36:28 +08:00
|
|
|
static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
|
2011-03-13 05:22:43 +08:00
|
|
|
struct flowi6 *fl6, struct dst_entry **dstp,
|
2018-07-04 06:42:50 +08:00
|
|
|
unsigned int flags, const struct sockcm_cookie *sockc)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2015-09-16 09:04:11 +08:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ipv6hdr *iph;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
int err;
|
2010-06-04 06:23:57 +08:00
|
|
|
struct rt6_info *rt = (struct rt6_info *)*dstp;
|
2011-11-18 10:20:04 +08:00
|
|
|
int hlen = LL_RESERVED_SPACE(rt->dst.dev);
|
|
|
|
int tlen = rt->dst.dev->needed_tailroom;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-06-11 14:31:35 +08:00
|
|
|
if (length > rt->dst.dev->mtu) {
|
2011-03-13 05:22:43 +08:00
|
|
|
ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
}
|
ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
from the userspace contains the IPv4/IPv6 header, so if too few bytes are
copied, parts of the header may remain uninitialized.
This bug has been detected with KMSAN.
For the record, the KMSAN report:
==================================================================
BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
inter: 0
CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
__kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
nf_hook_entry_hookfn ./include/linux/netfilter.h:102
nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
nf_hook ./include/linux/netfilter.h:212
NF_HOOK ./include/linux/netfilter.h:255
rawv6_send_hdrinc net/ipv6/raw.c:673
rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
RIP: 0033:0x436e03
RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
origin: 00000000d9400053
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
slab_alloc_node mm/slub.c:2735
__kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
__kmalloc_reserve net/core/skbuff.c:138
__alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
alloc_skb ./include/linux/skbuff.h:933
alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
rawv6_send_hdrinc net/ipv6/raw.c:638
rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
==================================================================
, triggered by the following syscalls:
socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
instead of a PF_INET6 one.
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-03 23:06:58 +08:00
|
|
|
if (length < sizeof(struct ipv6hdr))
|
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (flags&MSG_PROBE)
|
|
|
|
goto out;
|
|
|
|
|
2008-05-13 11:48:31 +08:00
|
|
|
skb = sock_alloc_send_skb(sk,
|
2011-11-18 10:20:04 +08:00
|
|
|
length + hlen + tlen + 15,
|
2008-05-13 11:48:31 +08:00
|
|
|
flags & MSG_DONTWAIT, &err);
|
2015-03-29 21:00:04 +08:00
|
|
|
if (!skb)
|
2007-02-09 22:24:49 +08:00
|
|
|
goto error;
|
2011-11-18 10:20:04 +08:00
|
|
|
skb_reserve(skb, hlen);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-08-26 18:31:23 +08:00
|
|
|
skb->protocol = htons(ETH_P_IPV6);
|
2023-07-28 23:03:18 +08:00
|
|
|
skb->priority = READ_ONCE(sk->sk_priority);
|
2019-09-12 03:50:51 +08:00
|
|
|
skb->mark = sockc->mark;
|
2018-07-04 06:42:50 +08:00
|
|
|
skb->tstamp = sockc->transmit_time;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-03-11 06:57:15 +08:00
|
|
|
skb_put(skb, length);
|
|
|
|
skb_reset_network_header(skb);
|
2007-04-26 08:54:47 +08:00
|
|
|
iph = ipv6_hdr(skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
2018-12-18 01:24:00 +08:00
|
|
|
skb_setup_tx_timestamp(skb, sockc->tsflags);
|
2018-12-18 01:23:59 +08:00
|
|
|
|
2017-02-07 05:14:16 +08:00
|
|
|
if (flags & MSG_CONFIRM)
|
|
|
|
skb_set_dst_pending_confirm(skb, 1);
|
|
|
|
|
2007-04-11 12:21:55 +08:00
|
|
|
skb->transport_header = skb->network_header;
|
2014-11-29 04:48:29 +08:00
|
|
|
err = memcpy_from_msg(iph, msg, length);
|
2018-10-05 01:12:37 +08:00
|
|
|
if (err) {
|
|
|
|
err = -EFAULT;
|
|
|
|
kfree_skb(skb);
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
skb_dst_set(skb, &rt->dst);
|
|
|
|
*dstp = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-09-11 03:09:53 +08:00
|
|
|
/* if egress device is enslaved to an L3 master device pass the
|
|
|
|
* skb to its handler for processing
|
|
|
|
*/
|
|
|
|
skb = l3mdev_ip6_out(sk, skb);
|
|
|
|
if (unlikely(!skb))
|
|
|
|
return 0;
|
|
|
|
|
2018-10-05 01:12:37 +08:00
|
|
|
/* Acquire rcu_read_lock() in case we need to use rt->rt6i_idev
|
|
|
|
* in the error path. Since skb has been freed, the dst could
|
|
|
|
* have been queued for deletion.
|
|
|
|
*/
|
|
|
|
rcu_read_lock();
|
2015-09-16 09:04:11 +08:00
|
|
|
IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
|
2015-09-16 09:04:16 +08:00
|
|
|
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, skb,
|
2015-10-08 05:48:35 +08:00
|
|
|
NULL, rt->dst.dev, dst_output);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err > 0)
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
err = net_xmit_errno(err);
|
2018-10-05 01:12:37 +08:00
|
|
|
if (err) {
|
|
|
|
IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
|
|
|
|
rcu_read_unlock();
|
|
|
|
goto error_check;
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
out:
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
2015-09-16 09:04:11 +08:00
|
|
|
IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
|
2018-10-05 01:12:37 +08:00
|
|
|
error_check:
|
2023-09-13 00:02:08 +08:00
|
|
|
if (err == -ENOBUFS && !inet6_test_bit(RECVERR6, sk))
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
err = 0;
|
2007-02-09 22:24:49 +08:00
|
|
|
return err;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2014-11-25 01:10:46 +08:00
|
|
|
struct raw6_frag_vec {
|
|
|
|
struct msghdr *msg;
|
|
|
|
int hlen;
|
|
|
|
char c[4];
|
|
|
|
};
|
|
|
|
|
|
|
|
static int rawv6_probe_proto_opt(struct raw6_frag_vec *rfv, struct flowi6 *fl6)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2014-11-25 01:10:46 +08:00
|
|
|
int err = 0;
|
|
|
|
switch (fl6->flowi6_proto) {
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
rfv->hlen = 2;
|
|
|
|
err = memcpy_from_msg(rfv->c, rfv->msg, rfv->hlen);
|
|
|
|
if (!err) {
|
|
|
|
fl6->fl6_icmp_type = rfv->c[0];
|
|
|
|
fl6->fl6_icmp_code = rfv->c[1];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case IPPROTO_MH:
|
|
|
|
rfv->hlen = 4;
|
|
|
|
err = memcpy_from_msg(rfv->c, rfv->msg, rfv->hlen);
|
|
|
|
if (!err)
|
|
|
|
fl6->fl6_mh_type = rfv->c[2];
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-11-25 01:10:46 +08:00
|
|
|
static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
|
|
|
|
struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct raw6_frag_vec *rfv = from;
|
|
|
|
|
|
|
|
if (offset < rfv->hlen) {
|
|
|
|
int copy = min(rfv->hlen - offset, len);
|
|
|
|
|
|
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
|
|
memcpy(to, rfv->c + offset, copy);
|
|
|
|
else
|
|
|
|
skb->csum = csum_block_add(
|
|
|
|
skb->csum,
|
|
|
|
csum_partial_copy_nocheck(rfv->c + offset,
|
2020-07-11 12:12:07 +08:00
|
|
|
to, copy),
|
2014-11-25 01:10:46 +08:00
|
|
|
odd);
|
|
|
|
|
|
|
|
odd = 0;
|
|
|
|
offset += copy;
|
|
|
|
to += copy;
|
|
|
|
len -= copy;
|
|
|
|
|
|
|
|
if (!len)
|
|
|
|
return 0;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-11-25 01:10:46 +08:00
|
|
|
offset -= rfv->hlen;
|
2006-08-24 11:36:47 +08:00
|
|
|
|
2014-11-25 02:23:40 +08:00
|
|
|
return ip_generic_getfrag(rfv->msg, to, offset, len, odd, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2015-11-30 11:37:57 +08:00
|
|
|
struct ipv6_txoptions *opt_to_free = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ipv6_txoptions opt_space;
|
2014-01-18 05:53:15 +08:00
|
|
|
DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
|
2010-06-02 05:35:01 +08:00
|
|
|
struct in6_addr *daddr, *final_p, final;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
|
|
|
struct raw6_sock *rp = raw6_sk(sk);
|
|
|
|
struct ipv6_txoptions *opt = NULL;
|
|
|
|
struct ip6_flowlabel *flowlabel = NULL;
|
|
|
|
struct dst_entry *dst = NULL;
|
2014-11-25 01:10:46 +08:00
|
|
|
struct raw6_frag_vec rfv;
|
2011-03-13 05:22:43 +08:00
|
|
|
struct flowi6 fl6;
|
2016-05-03 12:40:07 +08:00
|
|
|
struct ipcm6_cookie ipc6;
|
2005-04-17 06:20:36 +08:00
|
|
|
int addr_len = msg->msg_namelen;
|
2019-06-06 15:15:18 +08:00
|
|
|
int hdrincl;
|
2005-04-17 06:20:36 +08:00
|
|
|
u16 proto;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
/* Rough check on arithmetic overflow,
|
[IPv6]: Fix incorrect length check in rawv6_sendmsg()
In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says:
> From: Sridhar Samudrala <sri@us.ibm.com>
> Date: Thu, 29 Mar 2007 14:17:28 -0700
>
> > The check for length in rawv6_sendmsg() is incorrect.
> > As len is an unsigned int, (len < 0) will never be TRUE.
> > I think checking for IPV6_MAXPLEN(65535) is better.
> >
> > Is it possible to send ipv6 jumbo packets using raw
> > sockets? If so, we can remove this check.
>
> I don't see why such a limitation against jumbo would exist,
> does anyone else?
>
> Thanks for catching this Sridhar. A good compiler should simply
> fail to compile "if (x < 0)" when 'x' is an unsigned type, don't
> you think :-)
Dave, we use "int" for returning value,
so we should fix this anyway, IMHO;
we should not allow len > INT_MAX.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-31 05:45:35 +08:00
|
|
|
better check is made in ip6_append_data().
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
[IPv6]: Fix incorrect length check in rawv6_sendmsg()
In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says:
> From: Sridhar Samudrala <sri@us.ibm.com>
> Date: Thu, 29 Mar 2007 14:17:28 -0700
>
> > The check for length in rawv6_sendmsg() is incorrect.
> > As len is an unsigned int, (len < 0) will never be TRUE.
> > I think checking for IPV6_MAXPLEN(65535) is better.
> >
> > Is it possible to send ipv6 jumbo packets using raw
> > sockets? If so, we can remove this check.
>
> I don't see why such a limitation against jumbo would exist,
> does anyone else?
>
> Thanks for catching this Sridhar. A good compiler should simply
> fail to compile "if (x < 0)" when 'x' is an unsigned type, don't
> you think :-)
Dave, we use "int" for returning value,
so we should fix this anyway, IMHO;
we should not allow len > INT_MAX.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-03-31 05:45:35 +08:00
|
|
|
if (len > INT_MAX)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
/* Mirror BSD error message compatibility */
|
2007-02-09 22:24:49 +08:00
|
|
|
if (msg->msg_flags & MSG_OOB)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
2023-08-16 16:15:38 +08:00
|
|
|
hdrincl = inet_test_bit(HDRINCL, sk);
|
2019-06-06 15:15:18 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2007-02-09 22:24:49 +08:00
|
|
|
* Get and verify the address.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-03-13 05:22:43 +08:00
|
|
|
memset(&fl6, 0, sizeof(fl6));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2023-07-28 23:03:15 +08:00
|
|
|
fl6.flowi6_mark = READ_ONCE(sk->sk_mark);
|
2016-11-04 01:23:43 +08:00
|
|
|
fl6.flowi6_uid = sk->sk_uid;
|
2008-01-31 11:08:16 +08:00
|
|
|
|
2018-07-06 22:12:55 +08:00
|
|
|
ipcm6_init(&ipc6);
|
2023-08-31 21:52:11 +08:00
|
|
|
ipc6.sockc.tsflags = READ_ONCE(sk->sk_tsflags);
|
2023-07-28 23:03:15 +08:00
|
|
|
ipc6.sockc.mark = fl6.flowi6_mark;
|
2016-05-03 12:40:07 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (sin6) {
|
2007-02-09 22:24:49 +08:00
|
|
|
if (addr_len < SIN6_LEN_RFC2133)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2007-02-09 22:24:49 +08:00
|
|
|
if (sin6->sin6_family && sin6->sin6_family != AF_INET6)
|
2010-09-23 04:43:57 +08:00
|
|
|
return -EAFNOSUPPORT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* port is the proto value [0..255] carried in nexthdr */
|
|
|
|
proto = ntohs(sin6->sin6_port);
|
|
|
|
|
|
|
|
if (!proto)
|
2009-10-15 14:30:45 +08:00
|
|
|
proto = inet->inet_num;
|
2023-05-22 20:08:20 +08:00
|
|
|
else if (proto != inet->inet_num &&
|
|
|
|
inet->inet_num != IPPROTO_RAW)
|
2010-09-23 04:43:57 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (proto > 255)
|
2010-09-23 04:43:57 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
daddr = &sin6->sin6_addr;
|
2023-09-13 00:02:12 +08:00
|
|
|
if (inet6_test_bit(SNDFLOW, sk)) {
|
2011-03-13 05:22:43 +08:00
|
|
|
fl6.flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK;
|
|
|
|
if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
|
|
|
|
flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
|
2019-07-07 17:34:45 +08:00
|
|
|
if (IS_ERR(flowlabel))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Otherwise it will be difficult to maintain
|
|
|
|
* sk->sk_dst_cache.
|
|
|
|
*/
|
|
|
|
if (sk->sk_state == TCP_ESTABLISHED &&
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-04 06:42:29 +08:00
|
|
|
ipv6_addr_equal(daddr, &sk->sk_v6_daddr))
|
|
|
|
daddr = &sk->sk_v6_daddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (addr_len >= sizeof(struct sockaddr_in6) &&
|
|
|
|
sin6->sin6_scope_id &&
|
2013-03-08 10:07:19 +08:00
|
|
|
__ipv6_addr_needs_scope_id(__ipv6_addr_type(daddr)))
|
2011-03-13 05:22:43 +08:00
|
|
|
fl6.flowi6_oif = sin6->sin6_scope_id;
|
2005-04-17 06:20:36 +08:00
|
|
|
} else {
|
2007-02-09 22:24:49 +08:00
|
|
|
if (sk->sk_state != TCP_ESTABLISHED)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EDESTADDRREQ;
|
2007-02-09 22:24:49 +08:00
|
|
|
|
2009-10-15 14:30:45 +08:00
|
|
|
proto = inet->inet_num;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-04 06:42:29 +08:00
|
|
|
daddr = &sk->sk_v6_daddr;
|
2011-03-13 05:22:43 +08:00
|
|
|
fl6.flowlabel = np->flow_label;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
if (fl6.flowi6_oif == 0)
|
|
|
|
fl6.flowi6_oif = sk->sk_bound_dev_if;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (msg->msg_controllen) {
|
|
|
|
opt = &opt_space;
|
|
|
|
memset(opt, 0, sizeof(struct ipv6_txoptions));
|
|
|
|
opt->tot_len = sizeof(struct ipv6_txoptions);
|
2016-05-03 12:40:07 +08:00
|
|
|
ipc6.opt = opt;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-07-06 22:12:57 +08:00
|
|
|
err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, &fl6, &ipc6);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err < 0) {
|
|
|
|
fl6_sock_release(flowlabel);
|
|
|
|
return err;
|
|
|
|
}
|
2011-03-13 05:22:43 +08:00
|
|
|
if ((fl6.flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) {
|
|
|
|
flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
|
2019-07-07 17:34:45 +08:00
|
|
|
if (IS_ERR(flowlabel))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
if (!(opt->opt_nflen|opt->opt_flen))
|
|
|
|
opt = NULL;
|
|
|
|
}
|
2015-11-30 11:37:57 +08:00
|
|
|
if (!opt) {
|
|
|
|
opt = txopt_get(np);
|
|
|
|
opt_to_free = opt;
|
2016-05-03 12:40:07 +08:00
|
|
|
}
|
2005-11-20 11:23:18 +08:00
|
|
|
if (flowlabel)
|
|
|
|
opt = fl6_merge_options(&opt_space, flowlabel, opt);
|
|
|
|
opt = ipv6_fixup_options(&opt_space, opt);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
fl6.flowi6_proto = proto;
|
2019-09-12 03:50:51 +08:00
|
|
|
fl6.flowi6_mark = ipc6.sockc.mark;
|
2019-06-06 15:15:19 +08:00
|
|
|
|
|
|
|
if (!hdrincl) {
|
|
|
|
rfv.msg = msg;
|
|
|
|
rfv.hlen = 0;
|
|
|
|
err = rawv6_probe_proto_opt(&rfv, &fl6);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
}
|
2007-02-09 22:24:49 +08:00
|
|
|
|
2008-04-11 12:38:24 +08:00
|
|
|
if (!ipv6_addr_any(daddr))
|
2011-11-21 11:39:03 +08:00
|
|
|
fl6.daddr = *daddr;
|
2008-04-11 12:38:24 +08:00
|
|
|
else
|
2011-03-13 05:22:43 +08:00
|
|
|
fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
|
|
|
|
if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))
|
2011-11-21 11:39:03 +08:00
|
|
|
fl6.saddr = np->saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
final_p = fl6_update_dst(&fl6, opt, &final);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-03-13 05:22:43 +08:00
|
|
|
if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
|
|
|
|
fl6.flowi6_oif = np->mcast_oif;
|
2012-02-08 17:11:08 +08:00
|
|
|
else if (!fl6.flowi6_oif)
|
|
|
|
fl6.flowi6_oif = np->ucast_oif;
|
2020-09-28 10:38:26 +08:00
|
|
|
security_sk_classify_flow(sk, flowi6_to_flowi_common(&fl6));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-06-06 15:15:18 +08:00
|
|
|
if (hdrincl)
|
2015-05-23 11:56:02 +08:00
|
|
|
fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH;
|
|
|
|
|
2016-06-12 02:08:19 +08:00
|
|
|
if (ipc6.tclass < 0)
|
|
|
|
ipc6.tclass = np->tclass;
|
|
|
|
|
|
|
|
fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
|
|
|
|
|
2019-12-04 22:35:52 +08:00
|
|
|
dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
|
2011-03-02 05:19:07 +08:00
|
|
|
if (IS_ERR(dst)) {
|
|
|
|
err = PTR_ERR(dst);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
2007-05-25 09:17:54 +08:00
|
|
|
}
|
2016-05-03 12:40:07 +08:00
|
|
|
if (ipc6.hlimit < 0)
|
|
|
|
ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-05-03 12:40:07 +08:00
|
|
|
if (ipc6.dontfrag < 0)
|
2023-09-13 00:02:07 +08:00
|
|
|
ipc6.dontfrag = inet6_test_bit(DONTFRAG, sk);
|
2010-04-23 19:26:08 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (msg->msg_flags&MSG_CONFIRM)
|
|
|
|
goto do_confirm;
|
|
|
|
|
|
|
|
back_from_confirm:
|
2019-06-06 15:15:18 +08:00
|
|
|
if (hdrincl)
|
2018-07-04 06:42:50 +08:00
|
|
|
err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst,
|
2018-07-06 22:12:57 +08:00
|
|
|
msg->msg_flags, &ipc6.sockc);
|
2010-06-04 06:23:57 +08:00
|
|
|
else {
|
2016-05-03 12:40:07 +08:00
|
|
|
ipc6.opt = opt;
|
2005-04-17 06:20:36 +08:00
|
|
|
lock_sock(sk);
|
2014-11-25 01:10:46 +08:00
|
|
|
err = ip6_append_data(sk, raw6_getfrag, &rfv,
|
2016-05-03 12:40:07 +08:00
|
|
|
len, 0, &ipc6, &fl6, (struct rt6_info *)dst,
|
2018-07-06 22:12:57 +08:00
|
|
|
msg->msg_flags);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (err)
|
|
|
|
ip6_flush_pending_frames(sk);
|
|
|
|
else if (!(msg->msg_flags & MSG_MORE))
|
2011-03-13 05:22:43 +08:00
|
|
|
err = rawv6_push_pending_frames(sk, &fl6, rp);
|
2007-09-15 07:45:40 +08:00
|
|
|
release_sock(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
done:
|
2006-02-14 07:56:13 +08:00
|
|
|
dst_release(dst);
|
2007-02-09 22:24:49 +08:00
|
|
|
out:
|
2005-04-17 06:20:36 +08:00
|
|
|
fl6_sock_release(flowlabel);
|
2015-11-30 11:37:57 +08:00
|
|
|
txopt_put(opt_to_free);
|
2014-08-25 04:53:10 +08:00
|
|
|
return err < 0 ? err : len;
|
2005-04-17 06:20:36 +08:00
|
|
|
do_confirm:
|
2017-02-07 05:14:16 +08:00
|
|
|
if (msg->msg_flags & MSG_PROBE)
|
|
|
|
dst_confirm_neigh(dst, &fl6.daddr);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!(msg->msg_flags & MSG_PROBE) || len)
|
|
|
|
goto back_from_confirm;
|
|
|
|
err = 0;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
2007-02-09 22:24:49 +08:00
|
|
|
static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
switch (optname) {
|
|
|
|
case ICMPV6_FILTER:
|
|
|
|
if (optlen > sizeof(struct icmp6_filter))
|
|
|
|
optlen = sizeof(struct icmp6_filter);
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&raw6_sk(sk)->filter, optval, optlen))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
2007-04-21 08:09:22 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-02-09 22:24:49 +08:00
|
|
|
static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
|
2005-04-17 06:20:36 +08:00
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
|
|
|
int len;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case ICMPV6_FILTER:
|
|
|
|
if (get_user(len, optlen))
|
|
|
|
return -EFAULT;
|
|
|
|
if (len < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
if (len > sizeof(struct icmp6_filter))
|
|
|
|
len = sizeof(struct icmp6_filter);
|
|
|
|
if (put_user(len, optlen))
|
|
|
|
return -EFAULT;
|
|
|
|
if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
|
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
2007-04-21 08:09:22 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct raw6_sock *rp = raw6_sk(sk);
|
|
|
|
int val;
|
|
|
|
|
2021-12-30 04:09:47 +08:00
|
|
|
if (optlen < sizeof(val))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&val, optval, sizeof(val)))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
switch (optname) {
|
2015-12-17 00:22:47 +08:00
|
|
|
case IPV6_HDRINCL:
|
|
|
|
if (sk->sk_type != SOCK_RAW)
|
|
|
|
return -EINVAL;
|
2023-08-16 16:15:38 +08:00
|
|
|
inet_assign_bit(HDRINCL, sk, val);
|
2015-12-17 00:22:47 +08:00
|
|
|
return 0;
|
2011-07-01 17:43:08 +08:00
|
|
|
case IPV6_CHECKSUM:
|
|
|
|
if (inet_sk(sk)->inet_num == IPPROTO_ICMPV6 &&
|
|
|
|
level == IPPROTO_IPV6) {
|
|
|
|
/*
|
|
|
|
* RFC3542 tells that IPV6_CHECKSUM socket
|
|
|
|
* option in the IPPROTO_IPV6 level is not
|
|
|
|
* allowed on ICMPv6 sockets.
|
|
|
|
* If you want to set it, use IPPROTO_RAW
|
|
|
|
* level IPV6_CHECKSUM socket option
|
|
|
|
* (Linux extension).
|
|
|
|
*/
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-04-25 12:30:38 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
/* You may get strange result with a positive odd offset;
|
|
|
|
RFC2292bis agrees with me. */
|
|
|
|
if (val > 0 && (val&1))
|
|
|
|
return -EINVAL;
|
|
|
|
if (val < 0) {
|
|
|
|
rp->checksum = 0;
|
|
|
|
} else {
|
|
|
|
rp->checksum = 1;
|
|
|
|
rp->offset = val;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int rawv6_setsockopt(struct sock *sk, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-07-01 17:43:08 +08:00
|
|
|
switch (level) {
|
|
|
|
case SOL_RAW:
|
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
case SOL_ICMPV6:
|
|
|
|
if (inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return rawv6_seticmpfilter(sk, level, optname, optval, optlen);
|
|
|
|
case SOL_IPV6:
|
2015-12-17 00:22:47 +08:00
|
|
|
if (optname == IPV6_CHECKSUM ||
|
|
|
|
optname == IPV6_HDRINCL)
|
2011-07-01 17:43:08 +08:00
|
|
|
break;
|
2020-03-13 06:50:22 +08:00
|
|
|
fallthrough;
|
2011-07-01 17:43:08 +08:00
|
|
|
default:
|
|
|
|
return ipv6_setsockopt(sk, level, optname, optval, optlen);
|
2007-04-21 08:09:22 +08:00
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
return do_rawv6_setsockopt(sk, level, optname, optval, optlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int do_rawv6_getsockopt(struct sock *sk, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
|
|
|
struct raw6_sock *rp = raw6_sk(sk);
|
|
|
|
int val, len;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-08-25 04:53:10 +08:00
|
|
|
if (get_user(len, optlen))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
switch (optname) {
|
2015-12-17 00:22:47 +08:00
|
|
|
case IPV6_HDRINCL:
|
2023-08-16 16:15:38 +08:00
|
|
|
val = inet_test_bit(HDRINCL, sk);
|
2015-12-17 00:22:47 +08:00
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
case IPV6_CHECKSUM:
|
2008-04-25 12:30:38 +08:00
|
|
|
/*
|
|
|
|
* We allow getsockopt() for IPPROTO_IPV6-level
|
|
|
|
* IPV6_CHECKSUM socket option on ICMPv6 sockets
|
|
|
|
* since RFC3542 is silent about it.
|
|
|
|
*/
|
2005-04-17 06:20:36 +08:00
|
|
|
if (rp->checksum == 0)
|
|
|
|
val = -1;
|
|
|
|
else
|
|
|
|
val = rp->offset;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
|
|
|
len = min_t(unsigned int, sizeof(int), len);
|
|
|
|
|
|
|
|
if (put_user(len, optlen))
|
|
|
|
return -EFAULT;
|
2014-08-25 04:53:10 +08:00
|
|
|
if (copy_to_user(optval, &val, len))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int rawv6_getsockopt(struct sock *sk, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
2011-07-01 17:43:08 +08:00
|
|
|
switch (level) {
|
|
|
|
case SOL_RAW:
|
|
|
|
break;
|
2006-03-21 14:45:21 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
case SOL_ICMPV6:
|
|
|
|
if (inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return rawv6_geticmpfilter(sk, level, optname, optval, optlen);
|
|
|
|
case SOL_IPV6:
|
2015-12-17 00:22:47 +08:00
|
|
|
if (optname == IPV6_CHECKSUM ||
|
|
|
|
optname == IPV6_HDRINCL)
|
2011-07-01 17:43:08 +08:00
|
|
|
break;
|
2020-03-13 06:50:22 +08:00
|
|
|
fallthrough;
|
2011-07-01 17:43:08 +08:00
|
|
|
default:
|
|
|
|
return ipv6_getsockopt(sk, level, optname, optval, optlen);
|
2007-04-21 08:09:22 +08:00
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
return do_rawv6_getsockopt(sk, level, optname, optval, optlen);
|
|
|
|
}
|
|
|
|
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 23:27:42 +08:00
|
|
|
static int rawv6_ioctl(struct sock *sk, int cmd, int *karg)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-07-01 17:43:08 +08:00
|
|
|
switch (cmd) {
|
|
|
|
case SIOCOUTQ: {
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 23:27:42 +08:00
|
|
|
*karg = sk_wmem_alloc_get(sk);
|
|
|
|
return 0;
|
2011-07-01 17:43:08 +08:00
|
|
|
}
|
|
|
|
case SIOCINQ: {
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
|
|
|
spin_lock_bh(&sk->sk_receive_queue.lock);
|
|
|
|
skb = skb_peek(&sk->sk_receive_queue);
|
2015-03-29 21:00:05 +08:00
|
|
|
if (skb)
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 23:27:42 +08:00
|
|
|
*karg = skb->len;
|
|
|
|
else
|
|
|
|
*karg = 0;
|
2011-07-01 17:43:08 +08:00
|
|
|
spin_unlock_bh(&sk->sk_receive_queue.lock);
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 23:27:42 +08:00
|
|
|
return 0;
|
2011-07-01 17:43:08 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-01 17:43:08 +08:00
|
|
|
default:
|
2008-04-03 08:22:53 +08:00
|
|
|
#ifdef CONFIG_IPV6_MROUTE
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 23:27:42 +08:00
|
|
|
return ip6mr_ioctl(sk, cmd, karg);
|
2008-04-03 08:22:53 +08:00
|
|
|
#else
|
2011-07-01 17:43:08 +08:00
|
|
|
return -ENOIOCTLCMD;
|
2008-04-03 08:22:53 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-04 09:59:32 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
static int compat_rawv6_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
|
|
|
case SIOCOUTQ:
|
|
|
|
case SIOCINQ:
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
default:
|
|
|
|
#ifdef CONFIG_IPV6_MROUTE
|
|
|
|
return ip6mr_compat_ioctl(sk, cmd, compat_ptr(arg));
|
|
|
|
#else
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static void rawv6_close(struct sock *sk, long timeout)
|
|
|
|
{
|
2009-10-15 14:30:45 +08:00
|
|
|
if (inet_sk(sk)->inet_num == IPPROTO_RAW)
|
2008-07-19 15:28:58 +08:00
|
|
|
ip6_ra_control(sk, -1);
|
2008-04-03 08:22:53 +08:00
|
|
|
ip6mr_sk_done(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
sk_common_release(sk);
|
|
|
|
}
|
|
|
|
|
2008-06-15 08:04:49 +08:00
|
|
|
static void raw6_destroy(struct sock *sk)
|
raw: Raw socket leak.
The program below just leaks the raw kernel socket
int main() {
int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
inet_aton("127.0.0.1", &addr.sin_addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(2048);
sendto(fd, "a", 1, MSG_MORE, &addr, sizeof(addr));
return 0;
}
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05 06:16:12 +08:00
|
|
|
{
|
|
|
|
lock_sock(sk);
|
|
|
|
ip6_flush_pending_frames(sk);
|
|
|
|
release_sock(sk);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static int rawv6_init_sk(struct sock *sk)
|
|
|
|
{
|
2007-02-07 16:07:39 +08:00
|
|
|
struct raw6_sock *rp = raw6_sk(sk);
|
|
|
|
|
2009-10-15 14:30:45 +08:00
|
|
|
switch (inet_sk(sk)->inet_num) {
|
2007-02-07 16:07:39 +08:00
|
|
|
case IPPROTO_ICMPV6:
|
2005-04-17 06:20:36 +08:00
|
|
|
rp->checksum = 1;
|
|
|
|
rp->offset = 2;
|
2007-02-07 16:07:39 +08:00
|
|
|
break;
|
|
|
|
case IPPROTO_MH:
|
|
|
|
rp->checksum = 1;
|
|
|
|
rp->offset = 4;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-09-23 04:43:57 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
struct proto rawv6_prot = {
|
2006-03-21 14:48:35 +08:00
|
|
|
.name = "RAWv6",
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.close = rawv6_close,
|
raw: Raw socket leak.
The program below just leaks the raw kernel socket
int main() {
int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
inet_aton("127.0.0.1", &addr.sin_addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(2048);
sendto(fd, "a", 1, MSG_MORE, &addr, sizeof(addr));
return 0;
}
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05 06:16:12 +08:00
|
|
|
.destroy = raw6_destroy,
|
2014-01-20 12:16:39 +08:00
|
|
|
.connect = ip6_datagram_connect_v6_only,
|
2016-10-21 00:39:40 +08:00
|
|
|
.disconnect = __udp_disconnect,
|
2006-03-21 14:48:35 +08:00
|
|
|
.ioctl = rawv6_ioctl,
|
|
|
|
.init = rawv6_init_sk,
|
|
|
|
.setsockopt = rawv6_setsockopt,
|
|
|
|
.getsockopt = rawv6_getsockopt,
|
|
|
|
.sendmsg = rawv6_sendmsg,
|
|
|
|
.recvmsg = rawv6_recvmsg,
|
|
|
|
.bind = rawv6_bind,
|
|
|
|
.backlog_rcv = rawv6_rcv_skb,
|
2008-03-23 07:56:51 +08:00
|
|
|
.hash = raw_hash_sk,
|
|
|
|
.unhash = raw_unhash_sk,
|
2006-03-21 14:48:35 +08:00
|
|
|
.obj_size = sizeof(struct raw6_sock),
|
2023-07-20 19:09:01 +08:00
|
|
|
.ipv6_pinfo_offset = offsetof(struct raw6_sock, inet6),
|
ip: Define usercopy region in IP proto slab cache
The ICMP filters for IPv4 and IPv6 raw sockets need to be copied to/from
userspace. In support of usercopy hardening, this patch defines a region
in the struct proto slab cache in which userspace copy operations are
allowed.
example usage trace:
net/ipv4/raw.c:
raw_seticmpfilter(...):
...
copy_from_user(&raw_sk(sk)->filter, ..., optlen)
raw_geticmpfilter(...):
...
copy_to_user(..., &raw_sk(sk)->filter, len)
net/ipv6/raw.c:
rawv6_seticmpfilter(...):
...
copy_from_user(&raw6_sk(sk)->filter, ..., optlen)
rawv6_geticmpfilter(...):
...
copy_to_user(..., &raw6_sk(sk)->filter, len)
This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.
This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@nullcore.net>
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-25 07:49:14 +08:00
|
|
|
.useroffset = offsetof(struct raw6_sock, filter),
|
|
|
|
.usersize = sizeof_field(struct raw6_sock, filter),
|
2008-03-23 07:56:51 +08:00
|
|
|
.h.raw_hash = &raw_v6_hashinfo,
|
2006-03-21 14:45:21 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2011-02-04 09:59:32 +08:00
|
|
|
.compat_ioctl = compat_rawv6_ioctl,
|
2006-03-21 14:45:21 +08:00
|
|
|
#endif
|
2016-10-21 18:03:44 +08:00
|
|
|
.diag_destroy = raw_abort,
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
static int raw6_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
2013-05-31 23:05:48 +08:00
|
|
|
if (v == SEQ_START_TOKEN) {
|
|
|
|
seq_puts(seq, IPV6_SEQ_DGRAM_HEADER);
|
|
|
|
} else {
|
|
|
|
struct sock *sp = v;
|
|
|
|
__u16 srcp = inet_sk(sp)->inet_num;
|
|
|
|
ip6_dgram_sock_seq_show(seq, v, srcp, 0,
|
|
|
|
raw_seq_private(seq)->bucket);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-07-11 14:07:31 +08:00
|
|
|
static const struct seq_operations raw6_seq_ops = {
|
2007-11-20 14:38:33 +08:00
|
|
|
.start = raw_seq_start,
|
|
|
|
.next = raw_seq_next,
|
|
|
|
.stop = raw_seq_stop,
|
2005-04-17 06:20:36 +08:00
|
|
|
.show = raw6_seq_show,
|
|
|
|
};
|
|
|
|
|
2010-01-17 11:35:32 +08:00
|
|
|
static int __net_init raw6_init_net(struct net *net)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-04-11 01:42:55 +08:00
|
|
|
if (!proc_create_net_data("raw6", 0444, net->proc_net, &raw6_seq_ops,
|
|
|
|
sizeof(struct raw_iter_state), &raw_v6_hashinfo))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -ENOMEM;
|
2008-01-14 21:36:50 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-01-17 11:35:32 +08:00
|
|
|
static void __net_exit raw6_exit_net(struct net *net)
|
2008-01-14 21:36:50 +08:00
|
|
|
{
|
2013-02-18 09:34:56 +08:00
|
|
|
remove_proc_entry("raw6", net->proc_net);
|
2008-01-14 21:36:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct pernet_operations raw6_net_ops = {
|
|
|
|
.init = raw6_init_net,
|
|
|
|
.exit = raw6_exit_net,
|
|
|
|
};
|
|
|
|
|
|
|
|
int __init raw6_proc_init(void)
|
|
|
|
{
|
|
|
|
return register_pernet_subsys(&raw6_net_ops);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
void raw6_proc_exit(void)
|
|
|
|
{
|
2008-01-14 21:36:50 +08:00
|
|
|
unregister_pernet_subsys(&raw6_net_ops);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
#endif /* CONFIG_PROC_FS */
|
2007-12-11 18:25:35 +08:00
|
|
|
|
2018-06-29 00:43:44 +08:00
|
|
|
/* Same as inet6_dgram_ops, sans udp_poll. */
|
2017-06-04 00:29:25 +08:00
|
|
|
const struct proto_ops inet6_sockraw_ops = {
|
2007-12-11 18:25:35 +08:00
|
|
|
.family = PF_INET6,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.release = inet6_release,
|
|
|
|
.bind = inet6_bind,
|
|
|
|
.connect = inet_dgram_connect, /* ok */
|
|
|
|
.socketpair = sock_no_socketpair, /* a do nothing */
|
|
|
|
.accept = sock_no_accept, /* a do nothing */
|
|
|
|
.getname = inet6_getname,
|
2018-06-29 00:43:44 +08:00
|
|
|
.poll = datagram_poll, /* ok */
|
2007-12-11 18:25:35 +08:00
|
|
|
.ioctl = inet6_ioctl, /* must change */
|
2019-04-18 04:51:48 +08:00
|
|
|
.gettstamp = sock_gettstamp,
|
2007-12-11 18:25:35 +08:00
|
|
|
.listen = sock_no_listen, /* ok */
|
|
|
|
.shutdown = inet_shutdown, /* ok */
|
|
|
|
.setsockopt = sock_common_setsockopt, /* ok */
|
|
|
|
.getsockopt = sock_common_getsockopt, /* ok */
|
|
|
|
.sendmsg = inet_sendmsg, /* ok */
|
|
|
|
.recvmsg = sock_common_recvmsg, /* ok */
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
#ifdef CONFIG_COMPAT
|
2020-05-18 14:28:06 +08:00
|
|
|
.compat_ioctl = inet6_compat_ioctl,
|
2007-12-11 18:25:35 +08:00
|
|
|
#endif
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct inet_protosw rawv6_protosw = {
|
|
|
|
.type = SOCK_RAW,
|
|
|
|
.protocol = IPPROTO_IP, /* wild card */
|
|
|
|
.prot = &rawv6_prot,
|
|
|
|
.ops = &inet6_sockraw_ops,
|
|
|
|
.flags = INET_PROTOSW_REUSE,
|
|
|
|
};
|
|
|
|
|
|
|
|
int __init rawv6_init(void)
|
|
|
|
{
|
2015-05-29 05:02:17 +08:00
|
|
|
return inet6_register_protosw(&rawv6_protosw);
|
2007-12-11 18:25:35 +08:00
|
|
|
}
|
|
|
|
|
2007-12-13 21:34:58 +08:00
|
|
|
void rawv6_exit(void)
|
2007-12-11 18:25:35 +08:00
|
|
|
{
|
|
|
|
inet6_unregister_protosw(&rawv6_protosw);
|
|
|
|
}
|