Darkangeel_hd
/
lineage_android_kernel_samsung_jf
mirror of https://github.com/Darkangeel-hd/lineage_android_kernel_samsung_jf.git
1
0
Fork 0
Code Issues Releases Wiki Activity

net: add length argument to skb_copy_and_csum_datagram_iovec 

Without this length argument, we can read past the end of the iovec in
memcpy_toiovec because we have no way of knowing the total length of the
iovec's buffers.

This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
csum races when peeking") has been backported but that don't have the
ioviter conversion, which is almost all the stable trees <= 3.18.

This also fixes a kernel crash for NFS servers when the client uses
 -onfsvers=3,proto=udp to mount the export.

Change-Id: I1865e3d7a1faee42a5008a9ad58c4d3323ea4bab
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
This commit is contained in:
Sabrina Dubroca 2015-10-15 12:25:00 -05:00 committed by Dan Pasanen
parent 0f76dbb686
commit dee2fdf682
7 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/linux/skbuff.h
View File

@ -2146,7 +2146,8 @@ extern int skb_copy_datagram_iovec(const struct sk_buff *from,
int size);
extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
int hlen,
struct iovec *iov);
struct iovec *iov,
int len);
extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
int offset,
const struct iovec *from,

6
net/core/datagram.c
View File

@ -677,6 +677,7 @@ EXPORT_SYMBOL(__skb_checksum_complete);
* @skb: skbuff
* @hlen: hardware length
* @iov: io vector
* @len: amount of data to copy from skb to iov
*
* Caller _must_ check that skb will fit to this iovec.
*
@ -686,11 +687,14 @@ EXPORT_SYMBOL(__skb_checksum_complete);
* can be modified!
*/
int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
int hlen, struct iovec *iov)
int hlen, struct iovec *iov, int len)
{
__wsum csum;
int chunk = skb->len - hlen;
if (chunk > len)
chunk = len;
if (!chunk)
return 0;

2
net/ipv4/tcp_input.c
View File

@ -5228,7 +5228,7 @@ static int tcp_copy_to_iovec(struct sock *sk, struct sk_buff *skb, int hlen)
err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
else
err = skb_copy_and_csum_datagram_iovec(skb, hlen,
tp->ucopy.iov);
tp->ucopy.iov, chunk);
if (!err) {
tp->ucopy.len -= chunk;

2
net/ipv4/udp.c
View File

@ -1211,7 +1211,7 @@ try_again:
else {
err = skb_copy_and_csum_datagram_iovec(skb,
sizeof(struct udphdr),
msg->msg_iov);
msg->msg_iov, copied);
if (err == -EINVAL)
goto csum_copy_err;

2
net/ipv6/raw.c
View File

@ -480,7 +480,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
goto csum_copy_err;
err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
} else {
err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
if (err == -EINVAL)
goto csum_copy_err;
}

3
net/ipv6/udp.c
View File

@ -384,7 +384,8 @@ try_again:
err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov, copied );
else {
err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov, copied);
if (err == -EINVAL)
goto csum_copy_err;
}

3
net/rxrpc/ar-recvmsg.c
View File

@ -185,7 +185,8 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
msg->msg_iov, copy);
} else {
ret = skb_copy_and_csum_datagram_iovec(skb, offset,
msg->msg_iov);
msg->msg_iov,
copy);
if (ret == -EINVAL)
goto csum_copy_error;
}