mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-10 07:44:23 +08:00
dd04213138
commitd38afeec26
upstream. Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were able to clean them up by calling inet6_destroy_sock() during the IPv6 -> IPv4 conversion by IPV6_ADDRFORM. However, commit03485f2adc
("udpv6: Add lockless sendmsg() support") added a lockless memory allocation path, which could cause a memory leak: setsockopt(IPV6_ADDRFORM) sendmsg() +-----------------------+ +-------+ - do_ipv6_setsockopt(sk, ...) - udpv6_sendmsg(sk, ...) - sockopt_lock_sock(sk) ^._ called via udpv6_prot - lock_sock(sk) before WRITE_ONCE() - WRITE_ONCE(sk->sk_prot, &tcp_prot) - inet6_destroy_sock() - if (!corkreq) - sockopt_release_sock(sk) - ip6_make_skb(sk, ...) - release_sock(sk) ^._ lockless fast path for the non-corking case - __ip6_append_data(sk, ...) - ipv6_local_rxpmtu(sk, ...) - xchg(&np->rxpmtu, skb) ^._ rxpmtu is never freed. - goto out_no_dst; - lock_sock(sk) For now, rxpmtu is only the case, but not to miss the future change and a similar bug fixed in commite27326009a
("net: ping6: Fix memleak in ipv6_renew_options()."), let's set a new function to IPv6 sk->sk_destruct() and call inet6_cleanup_sock() there. Since the conversion does not change sk->sk_destruct(), we can guarantee that we can clean up IPv6 resources finally. We can now remove all inet6_destroy_sock() calls from IPv6 protocol specific ->destroy() functions, but such changes are invasive to backport. So they can be posted as a follow-up later for net-next. Fixes:03485f2adc
("udpv6: Add lockless sendmsg() support") Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
129 lines
3.7 KiB
C
129 lines
3.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Definitions for the UDP-Lite (RFC 3828) code.
|
|
*/
|
|
#ifndef _UDPLITE_H
|
|
#define _UDPLITE_H
|
|
|
|
#include <net/ip6_checksum.h>
|
|
|
|
/* UDP-Lite socket options */
|
|
#define UDPLITE_SEND_CSCOV 10 /* sender partial coverage (as sent) */
|
|
#define UDPLITE_RECV_CSCOV 11 /* receiver partial coverage (threshold ) */
|
|
|
|
extern struct proto udplite_prot;
|
|
extern struct udp_table udplite_table;
|
|
|
|
/*
|
|
* Checksum computation is all in software, hence simpler getfrag.
|
|
*/
|
|
static __inline__ int udplite_getfrag(void *from, char *to, int offset,
|
|
int len, int odd, struct sk_buff *skb)
|
|
{
|
|
struct msghdr *msg = from;
|
|
return copy_from_iter_full(to, len, &msg->msg_iter) ? 0 : -EFAULT;
|
|
}
|
|
|
|
/*
|
|
* Checksumming routines
|
|
*/
|
|
static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh)
|
|
{
|
|
u16 cscov;
|
|
|
|
/* In UDPv4 a zero checksum means that the transmitter generated no
|
|
* checksum. UDP-Lite (like IPv6) mandates checksums, hence packets
|
|
* with a zero checksum field are illegal. */
|
|
if (uh->check == 0) {
|
|
net_dbg_ratelimited("UDPLite: zeroed checksum field\n");
|
|
return 1;
|
|
}
|
|
|
|
cscov = ntohs(uh->len);
|
|
|
|
if (cscov == 0) /* Indicates that full coverage is required. */
|
|
;
|
|
else if (cscov < 8 || cscov > skb->len) {
|
|
/*
|
|
* Coverage length violates RFC 3828: log and discard silently.
|
|
*/
|
|
net_dbg_ratelimited("UDPLite: bad csum coverage %d/%d\n",
|
|
cscov, skb->len);
|
|
return 1;
|
|
|
|
} else if (cscov < skb->len) {
|
|
UDP_SKB_CB(skb)->partial_cov = 1;
|
|
UDP_SKB_CB(skb)->cscov = cscov;
|
|
if (skb->ip_summed == CHECKSUM_COMPLETE)
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
skb->csum_valid = 0;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Slow-path computation of checksum. Socket is locked. */
|
|
static inline __wsum udplite_csum_outgoing(struct sock *sk, struct sk_buff *skb)
|
|
{
|
|
const struct udp_sock *up = udp_sk(skb->sk);
|
|
int cscov = up->len;
|
|
__wsum csum = 0;
|
|
|
|
if (up->pcflag & UDPLITE_SEND_CC) {
|
|
/*
|
|
* Sender has set `partial coverage' option on UDP-Lite socket.
|
|
* The special case "up->pcslen == 0" signifies full coverage.
|
|
*/
|
|
if (up->pcslen < up->len) {
|
|
if (0 < up->pcslen)
|
|
cscov = up->pcslen;
|
|
udp_hdr(skb)->len = htons(up->pcslen);
|
|
}
|
|
/*
|
|
* NOTE: Causes for the error case `up->pcslen > up->len':
|
|
* (i) Application error (will not be penalized).
|
|
* (ii) Payload too big for send buffer: data is split
|
|
* into several packets, each with its own header.
|
|
* In this case (e.g. last segment), coverage may
|
|
* exceed packet length.
|
|
* Since packets with coverage length > packet length are
|
|
* illegal, we fall back to the defaults here.
|
|
*/
|
|
}
|
|
|
|
skb->ip_summed = CHECKSUM_NONE; /* no HW support for checksumming */
|
|
|
|
skb_queue_walk(&sk->sk_write_queue, skb) {
|
|
const int off = skb_transport_offset(skb);
|
|
const int len = skb->len - off;
|
|
|
|
csum = skb_checksum(skb, off, (cscov > len)? len : cscov, csum);
|
|
|
|
if ((cscov -= len) <= 0)
|
|
break;
|
|
}
|
|
return csum;
|
|
}
|
|
|
|
/* Fast-path computation of checksum. Socket may not be locked. */
|
|
static inline __wsum udplite_csum(struct sk_buff *skb)
|
|
{
|
|
const struct udp_sock *up = udp_sk(skb->sk);
|
|
const int off = skb_transport_offset(skb);
|
|
int len = skb->len - off;
|
|
|
|
if ((up->pcflag & UDPLITE_SEND_CC) && up->pcslen < len) {
|
|
if (0 < up->pcslen)
|
|
len = up->pcslen;
|
|
udp_hdr(skb)->len = htons(up->pcslen);
|
|
}
|
|
skb->ip_summed = CHECKSUM_NONE; /* no HW support for checksumming */
|
|
|
|
return skb_checksum(skb, off, len, 0);
|
|
}
|
|
|
|
void udplite4_register(void);
|
|
int udplite_get_port(struct sock *sk, unsigned short snum,
|
|
int (*scmp)(const struct sock *, const struct sock *));
|
|
#endif /* _UDPLITE_H */
|