Commit 1235f504 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

netlink: netlink_recvmsg() fix

commit 1dacc76d
(net/compat/wext: send different messages to compat tasks)
introduced a race condition on netlink, in case MSG_PEEK is used.

An skb given by skb_recv_datagram() might be shared, we must copy it
before any modification, or risk fatal corruption.
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7b5e078c
...@@ -1406,7 +1406,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1406,7 +1406,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
struct netlink_sock *nlk = nlk_sk(sk); struct netlink_sock *nlk = nlk_sk(sk);
int noblock = flags&MSG_DONTWAIT; int noblock = flags&MSG_DONTWAIT;
size_t copied; size_t copied;
struct sk_buff *skb, *frag __maybe_unused = NULL; struct sk_buff *skb;
int err; int err;
if (flags&MSG_OOB) if (flags&MSG_OOB)
...@@ -1441,7 +1441,21 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1441,7 +1441,21 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
kfree_skb(skb); kfree_skb(skb);
skb = compskb; skb = compskb;
} else { } else {
frag = skb_shinfo(skb)->frag_list; /*
* Before setting frag_list to NULL, we must get a
* private copy of skb if shared (because of MSG_PEEK)
*/
if (skb_shared(skb)) {
struct sk_buff *nskb;
nskb = pskb_copy(skb, GFP_KERNEL);
kfree_skb(skb);
skb = nskb;
err = -ENOMEM;
if (!skb)
goto out;
}
kfree_skb(skb_shinfo(skb)->frag_list);
skb_shinfo(skb)->frag_list = NULL; skb_shinfo(skb)->frag_list = NULL;
} }
} }
...@@ -1478,10 +1492,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1478,10 +1492,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
if (flags & MSG_TRUNC) if (flags & MSG_TRUNC)
copied = skb->len; copied = skb->len;
#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
skb_shinfo(skb)->frag_list = frag;
#endif
skb_free_datagram(sk, skb); skb_free_datagram(sk, skb);
if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment