net: add length argument to skb_copy_and_csum_datagram_iovec

Without this length argument, we can read past the end of the iovec in memcpy_toiovec because we have no way of knowing the total length of the iovec's buffers. This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb csum races when peeking") has been backported but that don't have the ioviter conversion, which is almost all the stable trees <= 3.18. This also fixes a kernel crash for NFS servers when the client uses -onfsvers=3,proto=udp to mount the export. Change-Id: I1865e3d7a1faee42a5008a9ad58c4d3323ea4bab Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
2015-10-15 12:25:00 -05:00 · 2015-10-15 12:25:00 -05:00 · dee2fdf682
parent 0f76dbb686
commit dee2fdf682
7 changed files with 14 additions and 7 deletions
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@ -2146,7 +2146,8 @@ extern int	       skb_copy_datagram_iovec(const struct sk_buff *from,
 					       int size);
 extern int	       skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
 							int hlen,
-							struct iovec *iov);
+							struct iovec *iov,
 							int len);
 extern int	       skb_copy_datagram_from_iovec(struct sk_buff *skb,
 						    int offset,
 						    const struct iovec *from,
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@ -677,6 +677,7 @@ EXPORT_SYMBOL(__skb_checksum_complete);
 *	@skb: skbuff
 *	@hlen: hardware length
 *	@iov: io vector
 *	@len: amount of data to copy from skb to iov
 *
 *	Caller _must_ check that skb will fit to this iovec.
 *
@ -686,11 +687,14 @@ EXPORT_SYMBOL(__skb_checksum_complete);
 *			   can be modified!
 */
 int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-				     int hlen, struct iovec *iov)
+				     int hlen, struct iovec *iov, int len)
 {
 	__wsum csum;
 	int chunk = skb->len - hlen;
 	if (chunk > len)
 		chunk = len;
 	if (!chunk)
 		return 0;
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@ -5228,7 +5228,7 @@ static int tcp_copy_to_iovec(struct sock *sk, struct sk_buff *skb, int hlen)
 		err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
 	else
 		err = skb_copy_and_csum_datagram_iovec(skb, hlen,
-						       tp->ucopy.iov);
+						       tp->ucopy.iov, chunk);
 	if (!err) {
 		tp->ucopy.len -= chunk;
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@ -1211,7 +1211,7 @@ try_again:
 	else {
 		err = skb_copy_and_csum_datagram_iovec(skb,
 						       sizeof(struct udphdr),
-						       msg->msg_iov);
+						       msg->msg_iov, copied);
 		if (err == -EINVAL)
 			goto csum_copy_err;
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@ -480,7 +480,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
 			goto csum_copy_err;
 		err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 	} else {
-		err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
+		err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
 		if (err == -EINVAL)
 			goto csum_copy_err;
 	}
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@ -384,7 +384,8 @@ try_again:
 		err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
 					      msg->msg_iov, copied       );
 	else {
-		err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
+		err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
 						       msg->msg_iov, copied);
 		if (err == -EINVAL)
 			goto csum_copy_err;
 	}
--- a/net/rxrpc/ar-recvmsg.c
+++ b/net/rxrpc/ar-recvmsg.c
@ -185,7 +185,8 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
 						      msg->msg_iov, copy);
 		} else {
 			ret = skb_copy_and_csum_datagram_iovec(skb, offset,
-							       msg->msg_iov);
+							       msg->msg_iov,
 							       copy);
 			if (ret == -EINVAL)
 				goto csum_copy_error;
 		}