eeddd9177a
[ Upstream commit 8822b64a0f
]
We accidentally call down to ip6_push_pending_frames when uncorking
pending AF_INET data on a ipv6 socket. This results in the following
splat (from Dave Jones):
skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:126!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
Call Trace:
[<ffffffff8159a9aa>] skb_push+0x3a/0x40
[<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
[<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
[<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
[<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
[<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
[<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
[<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
[<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
[<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
[<ffffffff816f5d54>] tracesys+0xdd/0xe2
Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP <ffff8801e6431de8>
This patch adds a check if the pending data is of address family AF_INET
and directly calls udp_push_pending_frames from udp_v6_push_pending_frames
if that is the case.
This bug was found by Dave Jones with trinity.
(Also move the initialization of fl6 below the AF_INET check, even if
not strictly necessary.)
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Dave Jones <davej@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
/*
 * INET		An implementation of the TCP/IP protocol suite for the LINUX
 *		operating system.  INET is implemented using the  BSD Socket
 *		interface as the means of communication with the user level.
 *
 *		Definitions for the UDP module.
 *
 * Version:	@(#)udp.h	1.0.2	05/07/93
 *
 * Authors:	Ross Biro
 *		Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
 *
 * Fixes:
 *		Alan Cox	: Turned on udp checksums. I don't want to
 *				  chase 'memory corruption' bugs that aren't!
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		as published by the Free Software Foundation; either version
 *		2 of the License, or (at your option) any later version.
 */
|
|
#ifndef _UDP_H
|
|
#define _UDP_H
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/bug.h>
|
|
#include <net/inet_sock.h>
|
|
#include <net/sock.h>
|
|
#include <net/snmp.h>
|
|
#include <net/ip.h>
|
|
#include <linux/ipv6.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/poll.h>
|
|
|
|
/**
 *	struct udp_skb_cb  -  UDP(-Lite) per-skb private variables
 *
 *	@header:      private variables used by IPv4/IPv6; h4 and h6 share
 *	              storage, so only one family's view applies to a given skb
 *	@cscov:       checksum coverage length (UDP-Lite only)
 *	@partial_cov: if set indicates partial csum coverage
 *
 *	The structure is overlaid on skb->cb through UDP_SKB_CB().
 *	NOTE(review): no size check against sizeof(skb->cb) is visible in this
 *	header - confirm one exists where the protocol is initialised.
 */
struct udp_skb_cb {
	union {
		struct inet_skb_parm	h4;
#if IS_ENABLED(CONFIG_IPV6)
		struct inet6_skb_parm	h6;
#endif
	} header;
	__u16		cscov;
	__u8		partial_cov;
};

/* View the skb->cb area of @__skb as a struct udp_skb_cb. */
#define UDP_SKB_CB(__skb)	((struct udp_skb_cb *)((__skb)->cb))
|
|
|
|
/**
 *	struct udp_hslot - one slot of a UDP hash table
 *
 *	@head:	head of the list of sockets in this slot
 *	@count:	number of sockets on the @head list
 *	@lock:	spinlock protecting changes to @head and @count
 *
 *	The type is aligned to 2 * sizeof(long) by the attribute below.
 */
struct udp_hslot {
	struct hlist_nulls_head	head;
	int			count;
	spinlock_t		lock;
} __attribute__((aligned(2 * sizeof(long))));
|
|
|
|
/**
 *	struct udp_table - UDP socket lookup table
 *
 *	@hash:	primary table, sockets are hashed on (local port)
 *	@hash2:	secondary table, sockets are hashed on (local port, local address)
 *	@mask:	number of slots in the hash tables, minus 1; the slot helpers
 *		below use it to bound the slot index
 *	@log:	log2(number of slots in hash table)
 */
struct udp_table {
	struct udp_hslot	*hash;
	struct udp_hslot	*hash2;
	unsigned int		mask;
	unsigned int		log;
};

/* The table instance and its initialiser are defined outside this header. */
extern struct udp_table udp_table;
extern void udp_table_init(struct udp_table *table, const char *name);
|
|
/*
 * Return the primary-table slot for port @num in namespace @net.
 * The index comes from udp_hashfn(), which is not defined in this header.
 * NOTE(review): the index is assumed to stay within table->mask; that bound
 * is enforced by udp_hashfn(), not here - confirm.
 */
static inline struct udp_hslot *udp_hashslot(struct udp_table *table,
					     struct net *net, unsigned num)
{
	return table->hash + udp_hashfn(net, num, table->mask);
}
|
|
/*
 * Return the secondary-table slot for @hash.
 *
 * For the secondary hash, net_hash_mix() is performed before calling
 * udp_hashslot2(); that is why, unlike udp_hashslot(), no struct net is
 * passed in.  The index is bounded here by masking with table->mask.
 */
static inline struct udp_hslot *udp_hashslot2(struct udp_table *table,
					      unsigned int hash)
{
	unsigned int slot = hash & table->mask;

	return table->hash2 + slot;
}
|
|
|
|
/* Note: this must match 'valbool' in sock_setsockopt */
#define UDP_CSUM_NOXMIT		1

/* Used by SunRPC/xprt layer. */
#define UDP_CSUM_NORCV		2

/* Default, as per the RFC, is to always do csums. */
#define UDP_CSUM_DEFAULT	0

/* Objects below are defined outside this header. */
extern struct proto udp_prot;

extern atomic_long_t udp_memory_allocated;

/* sysctl variables for udp */
extern long sysctl_udp_mem[3];
extern int sysctl_udp_rmem_min;
extern int sysctl_udp_wmem_min;

/* Forward declaration. */
struct sk_buff;
|
|
|
|
/*
 *	Generic checksumming routines for UDP(-Lite) v4 and v6
 */

/*
 * Run __skb_checksum_complete_head() over the checksum coverage length
 * (cscov) stored in the skb's UDP control block and return its result.
 */
static inline __sum16 __udp_lib_checksum_complete(struct sk_buff *skb)
{
	struct udp_skb_cb *cb = UDP_SKB_CB(skb);

	return __skb_checksum_complete_head(skb, cb->cscov);
}
|
|
|
|
/*
 * Returns 0 when skb_csum_unnecessary() reports that no verification is
 * needed.  Otherwise returns 1 if __udp_lib_checksum_complete() yields a
 * non-zero value and 0 if it yields zero.
 * NOTE(review): a non-zero result presumably means the checksum did not
 * verify and the datagram should be dropped - confirm against callers.
 */
static inline int udp_lib_checksum_complete(struct sk_buff *skb)
{
	if (skb_csum_unnecessary(skb))
		return 0;

	return __udp_lib_checksum_complete(skb) != 0;
}
|
|
|
|
/**
 *	udp_csum_outgoing  -  compute UDPv4/v6 checksum over fragments
 *	@sk:	socket we are writing to
 *	@skb:	sk_buff containing the filled-in UDP header
 *		(checksum field must be zeroed out)
 *
 *	Starts from the partial checksum of the UDP header and adds the ->csum
 *	of every buffer queued on sk->sk_write_queue.
 */
static inline __wsum udp_csum_outgoing(struct sock *sk, struct sk_buff *skb)
{
	struct sk_buff *queued;
	__wsum sum;

	sum = csum_partial(skb_transport_header(skb), sizeof(struct udphdr), 0);

	skb_queue_walk(&sk->sk_write_queue, queued) {
		sum = csum_add(sum, queued->csum);
	}

	return sum;
}
|
|
|
|
/*
 * Checksum for one skb: the partial checksum of the UDP header, seeded with
 * skb->csum, plus the ->csum of each buffer linked on the skb's frag_list.
 */
static inline __wsum udp_csum(struct sk_buff *skb)
{
	struct sk_buff *frag;
	__wsum sum;

	sum = csum_partial(skb_transport_header(skb), sizeof(struct udphdr),
			   skb->csum);

	frag = skb_shinfo(skb)->frag_list;
	while (frag) {
		sum = csum_add(sum, frag->csum);
		frag = frag->next;
	}

	return sum;
}
|
|
|
|
/* hash routines shared between UDPv4/6 and UDP-Litev4/6 */

/*
 * Not meant to be called: the body is an unconditional BUG().
 * NOTE(review): BUG() stops the kernel, so this must stay unreachable from
 * any path that user space can trigger - confirm no caller exists.
 */
static inline void udp_lib_hash(struct sock *sk)
{
	BUG();
}

/* Defined outside this header. */
extern void udp_lib_unhash(struct sock *sk);
extern void udp_lib_rehash(struct sock *sk, u16 new_hash);
|
|
|
|
/*
 * Close helper: hands @sk to sk_common_release().
 * @timeout is accepted but not used by this helper.
 */
static inline void udp_lib_close(struct sock *sk, long timeout)
{
	sk_common_release(sk);
}
|
|
|
|
extern int udp_lib_get_port(struct sock *sk, unsigned short snum,
			    int (*saddr_cmp)(const struct sock *sk1,
					     const struct sock *sk2),
			    unsigned int hash2_nulladdr);

/* net/ipv4/udp.c */
extern int udp_get_port(struct sock *sk, unsigned short snum,
			int (*saddr_cmp)(const struct sock *sk1,
					 const struct sock *sk2));
extern void udp_err(struct sk_buff *skb, u32 info);
extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
		       struct msghdr *msg, size_t len);
/*
 * Push routine for pending (corked) AF_INET data.  An IPv6 UDP socket can
 * hold pending AF_INET data; uncorking that data through
 * ip6_push_pending_frames() ends in skb_under_panic (kernel BUG at
 * net/core/skbuff.c:126).  udp_v6_push_pending_frames() therefore has to
 * check the address family of the pending data and call this function for
 * AF_INET.
 */
extern int udp_push_pending_frames(struct sock *sk);
extern void udp_flush_pending_frames(struct sock *sk);
extern int udp_rcv(struct sk_buff *skb);
extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
extern int udp_disconnect(struct sock *sk, int flags);
extern unsigned int udp_poll(struct file *file, struct socket *sock,
			     poll_table *wait);
extern int udp_lib_getsockopt(struct sock *sk, int level, int optname,
			      char __user *optval, int __user *optlen);
/*
 * @push_pending_frames is the push routine supplied by the calling family
 * (for example udp_v6_push_pending_frames() on the IPv6 path).
 * NOTE(review): presumably invoked when a setsockopt call uncorks the
 * socket - confirm in net/ipv4/udp.c.
 */
extern int udp_lib_setsockopt(struct sock *sk, int level, int optname,
			      char __user *optval, unsigned int optlen,
			      int (*push_pending_frames)(struct sock *sk));

/* Socket lookup, IPv4 */
extern struct sock *udp4_lib_lookup(struct net *net,
				    __be32 saddr, __be16 sport,
				    __be32 daddr, __be16 dport,
				    int dif);
extern struct sock *__udp4_lib_lookup(struct net *net,
				      __be32 saddr, __be16 sport,
				      __be32 daddr, __be16 dport,
				      int dif, struct udp_table *tbl);

/* Socket lookup, IPv6 */
extern struct sock *udp6_lib_lookup(struct net *net,
				    const struct in6_addr *saddr, __be16 sport,
				    const struct in6_addr *daddr, __be16 dport,
				    int dif);
extern struct sock *__udp6_lib_lookup(struct net *net,
				      const struct in6_addr *saddr, __be16 sport,
				      const struct in6_addr *daddr, __be16 dport,
				      int dif, struct udp_table *tbl);
|
|
|
|
/*
 *	SNMP statistics for UDP and UDP-Lite
 *
 *	Each macro increments @field in the UDP-Lite MIB when its last argument
 *	is non-zero and in the plain UDP MIB otherwise.  The UDP6_ variants use
 *	the *_in6 MIBs.  The _USER / _BH suffix selects the SNMP_INC_STATS_USER
 *	or SNMP_INC_STATS_BH primitive.
 */
#define UDP_INC_STATS_USER(net, field, is_udplite) \
do { \
	if (is_udplite) \
		SNMP_INC_STATS_USER((net)->mib.udplite_statistics, field); \
	else \
		SNMP_INC_STATS_USER((net)->mib.udp_statistics, field); \
} while (0)

#define UDP_INC_STATS_BH(net, field, is_udplite) \
do { \
	if (is_udplite) \
		SNMP_INC_STATS_BH((net)->mib.udplite_statistics, field); \
	else \
		SNMP_INC_STATS_BH((net)->mib.udp_statistics, field); \
} while (0)

#define UDP6_INC_STATS_BH(net, field, is_udplite) \
do { \
	if (is_udplite) \
		SNMP_INC_STATS_BH((net)->mib.udplite_stats_in6, field); \
	else \
		SNMP_INC_STATS_BH((net)->mib.udp_stats_in6, field); \
} while (0)

#define UDP6_INC_STATS_USER(net, field, is_udplite) \
do { \
	if (is_udplite) \
		SNMP_INC_STATS_USER((net)->mib.udplite_stats_in6, field); \
	else \
		SNMP_INC_STATS_USER((net)->mib.udp_stats_in6, field); \
} while (0)
|
|
|
|
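/*
 * UDPX_INC_STATS_BH - increment @field in the MIB that matches the socket.
 *
 * With IPv6 enabled, sk->sk_family selects between the IPv4 and IPv6 UDP
 * counters; without it only the IPv4 counters exist.  The last argument is
 * always 0, so the UDP-Lite MIBs are never touched by this macro.
 *
 * The expansion ends in "while (0)" with no semicolon; the caller supplies
 * it.  A semicolon inside the macro leaves a stray empty statement after
 * every use and breaks "if (x) UDPX_INC_STATS_BH(sk, f); else ...".
 */
#if IS_ENABLED(CONFIG_IPV6)
#define UDPX_INC_STATS_BH(sk, field) \
do { \
	if ((sk)->sk_family == AF_INET) \
		UDP_INC_STATS_BH(sock_net(sk), field, 0); \
	else \
		UDP6_INC_STATS_BH(sock_net(sk), field, 0); \
} while (0)
#else
#define UDPX_INC_STATS_BH(sk, field) UDP_INC_STATS_BH(sock_net(sk), field, 0)
#endif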
|
|
|
|
/* /proc */
int udp_seq_open(struct inode *inode, struct file *file);

/*
 * Per-family description handed to udp_proc_register() and
 * udp_proc_unregister().
 */
struct udp_seq_afinfo {
	char				*name;
	sa_family_t			family;
	struct udp_table		*udp_table;
	const struct file_operations	*seq_fops;
	struct seq_operations		seq_ops;
};

/*
 * NOTE(review): presumably the seq_file iteration state (address family,
 * current bucket, table being walked) - confirm in net/ipv4/udp.c.
 */
struct udp_iter_state {
	struct seq_net_private	p;
	sa_family_t		family;
	int			bucket;
	struct udp_table	*udp_table;
};
|
|
|
|
/* /proc registration entry points, declared only when procfs is built in. */
#ifdef CONFIG_PROC_FS
extern int udp_proc_register(struct net *net, struct udp_seq_afinfo *afinfo);
extern void udp_proc_unregister(struct net *net, struct udp_seq_afinfo *afinfo);

extern int udp4_proc_init(void);
extern void udp4_proc_exit(void);
#endif

extern void udp_init(void);

/* UFO entry points for IPv4, defined outside this header. */
extern int udp4_ufo_send_check(struct sk_buff *skb);
extern struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
					 netdev_features_t features);
|
|
#endif /* _UDP_H */
|