Eric Lee / smarc-fsl-linux-kernel

04 May, 2019

2 commits

  • b424e432e   netlink: add validation of NLA_F_NESTED flag ... Browse Code »

    Add new validation flag NL_VALIDATE_NESTED which adds three consistency
    checks of NLA_F_NESTED_FLAG:

    - the flag is set on attributes with NLA_NESTED{,_ARRAY} policy
    - the flag is not set on attributes with other policies except NLA_UNSPEC
    - the flag is set on attribute passed to nla_parse_nested()

    Signed-off-by: Michal Kubecek

    v2: change error messages to mention NLA_F_NESTED explicitly
    Reviewed-by: Johannes Berg
    Reviewed-by: David Ahern
    Signed-off-by: David S. Miller

    Michal Kubecek
     
  • d54a16b20   netlink: set bad attribute also on maxtype check ... Browse Code »

    The check that attribute type is within 0...maxtype range in
    __nla_validate_parse() sets only error message but not bad_attr in extack.
    Set also bad_attr to tell userspace which attribute failed validation.

    Signed-off-by: Michal Kubecek
    Reviewed-by: Johannes Berg
    Reviewed-by: David Ahern
    Signed-off-by: David S. Miller

    Michal Kubecek
     

28 Apr, 2019

3 commits

  • 56738f460   netlink: add strict parsing for future attributes ... Browse Code »

    Unfortunately, we cannot add strict parsing for all attributes, as
    that would break existing userspace. We currently warn about it, but
    that's about all we can do.

    For new attributes, however, the story is better: nobody is using
    them, so we can reject bad sizes.

    Also, for new attributes, we need not accept them when the policy
    doesn't declare their usage.

    David Ahern and I went back and forth on how to best encode this, and
    the best way we found was to have a "boundary type", from which point
    on new attributes have all possible validation applied, and NLA_UNSPEC
    is rejected.

    As we didn't want to add another argument to all functions that get a
    netlink policy, the workaround is to encode that boundary in the first
    entry of the policy array (which is for type 0 and thus probably not
    really valid anyway). I put it into the validation union for the rare
    possibility that somebody is actually using attribute 0, which would
    continue to work fine unless they tried to use the extended validation,
    which isn't likely. We also didn't find any in-tree users with type 0.

    The reason for setting the "start strict here" attribute is that we
    never really need to start strict from 0, which is invalid anyway (or
    in legacy families where that isn't true, it cannot be set to strict),
    so we can thus reserve the value 0 for "don't do this check" and don't
    have to add the tag to all policies right now.

    Thus, policies can now opt in to this validation, which we should do
    for all existing policies, at least when adding new attributes.

    Note that entirely *new* policies won't need to set it, as the use
    of that should be using nla_parse()/nlmsg_parse() etc. which anyway
    do fully strict validation now, regardless of this.

    So in effect, this patch only covers the "existing command with new
    attribute" case.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 8cb081746   netlink: make validation more configurable for future strictness ... Browse Code »

    We currently have two levels of strict validation:

    1) liberal (default)
    - undefined (type >= max) & NLA_UNSPEC attributes accepted
    - attribute length >= expected accepted
    - garbage at end of message accepted
    2) strict (opt-in)
    - NLA_UNSPEC attributes accepted
    - attribute length >= expected accepted

    Split out parsing strictness into four different options:
    * TRAILING - check that there's no trailing data after parsing
    attributes (in message or nested)
    * MAXTYPE - reject attrs > max known type
    * UNSPEC - reject attributes with NLA_UNSPEC policy entries
    * STRICT_ATTRS - strictly validate attribute size

    The default for future things should be *everything*.
    The current *_strict() is a combination of TRAILING and MAXTYPE,
    and is renamed to _deprecated_strict().
    The current regular parsing has none of this, and is renamed to
    *_parse_deprecated().

    Additionally it allows us to selectively set one of the new flags
    even on old policies. Notably, the UNSPEC flag could be useful in
    this case, since it can be arranged (by filling in the policy) to
    not be an incompatible userspace ABI change, but would then going
    forward prevent forgetting attribute entries. Similar can apply
    to the POLICY flag.

    We end up with the following renames:
    * nla_parse -> nla_parse_deprecated
    * nla_parse_strict -> nla_parse_deprecated_strict
    * nlmsg_parse -> nlmsg_parse_deprecated
    * nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
    * nla_parse_nested -> nla_parse_nested_deprecated
    * nla_validate_nested -> nla_validate_nested_deprecated

    Using spatch, of course:
    @@
    expression TB, MAX, HEAD, LEN, POL, EXT;
    @@
    -nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
    +nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)

    @@
    expression NLH, HDRLEN, TB, MAX, POL, EXT;
    @@
    -nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
    +nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)

    @@
    expression NLH, HDRLEN, TB, MAX, POL, EXT;
    @@
    -nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
    +nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)

    @@
    expression TB, MAX, NLA, POL, EXT;
    @@
    -nla_parse_nested(TB, MAX, NLA, POL, EXT)
    +nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)

    @@
    expression START, MAX, POL, EXT;
    @@
    -nla_validate_nested(START, MAX, POL, EXT)
    +nla_validate_nested_deprecated(START, MAX, POL, EXT)

    @@
    expression NLH, HDRLEN, MAX, POL, EXT;
    @@
    -nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
    +nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)

    For this patch, don't actually add the strict, non-renamed versions
    yet so that it breaks compile if I get it wrong.

    Also, while at it, make nla_validate and nla_parse go down to a
    common __nla_validate_parse() function to avoid code duplication.

    Ultimately, this allows us to have very strict validation for every
    new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
    next patch, while existing things will continue to work as is.

    In effect then, this adds fully strict validation for any new command.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 6f455f5f4   netlink: add NLA_MIN_LEN ... Browse Code »

    Rather than using NLA_UNSPEC for this type of thing, use NLA_MIN_LEN
    so we can make NLA_UNSPEC be NLA_REJECT under certain conditions for
    future attributes.

    While at it, also use NLA_EXACT_LEN for the struct example.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

09 Oct, 2018

1 commit

  • a5f6cba29   netlink: Add strict version of nlmsg_parse and nla_parse ... Browse Code »

    nla_parse is currently lenient on message parsing, allowing type to be 0
    or greater than max expected and only logging a message

    "netlink: %d bytes leftover after parsing attributes in process `%s'."

    if the netlink message has unknown data at the end after parsing. What this
    could mean is that the header at the front of the attributes is actually
    wrong and the parsing is shifted from what is expected.

    Add a new strict version that actually fails with EINVAL if there are any
    bytes remaining after the parsing loop completes, if the atttrbitue type
    is 0 or greater than max expected.

    Signed-off-by: David Ahern
    Acked-by: Christian Brauner
    Signed-off-by: David S. Miller

    David Ahern
     

02 Oct, 2018

2 commits

  • 33188bd64   netlink: add validation function to policy ... Browse Code »

    Add the ability to have an arbitrary validation function attached
    to a netlink policy that doesn't already use the validation_data
    pointer in another way.

    This can be useful to validate for example the content of a binary
    attribute, like in nl80211 the "(information) elements", which must
    be valid streams of "u8 type, u8 length, u8 value[length]".

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 3e48be05f   netlink: add attribute range validation to policy ... Browse Code »

    Without further bloating the policy structs, we can overload
    the `validation_data' pointer with a struct of s16 min, max
    and use those to validate ranges in NLA_{U,S}{8,16,32,64}
    attributes.

    It may sound strange to validate NLA_U32 with a s16 max, but
    in many cases NLA_U32 is used for enums etc. since there's no
    size benefit in using a smaller attribute width anyway, due
    to netlink attribute alignment; in cases like that it's still
    useful, particularly when the attribute really transports an
    enum value.

    Doing so lets us remove quite a bit of validation code, if we
    can be sure that these attributes aren't used by userspace in
    places where they're ignored today.

    To achieve all this, split the 'type' field and introduce a
    new 'validation_type' field which indicates what further
    validation (beyond the validation prescribed by the type of
    the attribute) is done. This currently allows for no further
    validation (the default), as well as min, max and range checks.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

29 Sep, 2018

5 commits

  • 1501d1359   netlink: add nested array policy validation ... Browse Code »

    Sometimes nested netlink attributes are just used as arrays, with
    the nla_type() of each not being used; we have this in nl80211 and
    e.g. NFTA_SET_ELEM_LIST_ELEMENTS.

    Add the ability to validate this type of message directly in the
    policy, by adding the type NLA_NESTED_ARRAY which does exactly
    this: require a first level of nesting but ignore the attribute
    type, and then inside each require a second level of nested and
    validate those attributes against a given policy (if present).

    Note that some nested array types actually require that all of
    the entries have the same index, this is possible to express in
    a nested policy already, apart from the validation that only the
    one allowed type is used.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 9a659a35b   netlink: allow NLA_NESTED to specify nested policy to validate ... Browse Code »

    Now that we have a validation_data pointer, and the len field in
    the policy is unused for NLA_NESTED, we can allow using them both
    to have nested validation. This can be nice in code, although we
    still have to use nla_parse_nested() or similar which would also
    take a policy; however, it also serves as documentation in the
    policy without requiring a look at the code.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • c29f1845b   netlink: move extack setting into validate_nla() ... Browse Code »

    This unifies the code between nla_parse() which sets the bad
    attribute pointer and an error message, and nla_validate()
    which only sets the bad attribute pointer.

    It also cleans up the code for NLA_REJECT and paves the way
    for nested policy validation, as it will allow us to easily
    skip setting the "generic" message without any extra args
    like the **error_msg now, just passing the extack through is
    now enough.

    While at it, remove the unnecessary label in nla_parse().

    Suggested-by: David Ahern
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 48fde90a7   netlink: make validation_data const ... Browse Code »

    The validation data is only used within the policy that
    should usually already be const, and isn't changed in any
    code that uses it. Therefore, make the validation_data
    pointer const.

    While at it, remove the duplicate variable in the bitfield
    validation that I'd otherwise have to change to const.

    Reviewed-by: David Ahern
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • fe3b30ddb   netlink: remove NLA_NESTED_COMPAT ... Browse Code »

    This isn't used anywhere, so we might as well get rid of it.

    Reviewed-by: David Ahern
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

19 Sep, 2018

2 commits

  • b60b87fc2   netlink: add ethernet address policy types ... Browse Code »

    Commonly, ethernet addresses are just using a policy of
    { .len = ETH_ALEN }
    which leaves userspace free to send more data than it should,
    which may hide bugs.

    Introduce NLA_EXACT_LEN which checks for exact size, rejecting
    the attribute if it's not exactly that length. Also add
    NLA_EXACT_LEN_WARN which requires the minimum length and will
    warn on longer attributes, for backward compatibility.

    Use these to define NLA_POLICY_ETH_ADDR (new strict policy) and
    NLA_POLICY_ETH_ADDR_COMPAT (compatible policy with warning);
    these are used like this:

    static const struct nla_policy [...] = {
    [NL_ATTR_NAME] = NLA_POLICY_ETH_ADDR,
    ...
    };

    Signed-off-by: Johannes Berg
    Reviewed-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 568b742a9   netlink: add NLA_REJECT policy type ... Browse Code »

    In some situations some netlink attributes may be used for output
    only (kernel->userspace) or may be reserved for future use. It's
    then helpful to be able to prevent userspace from using them in
    messages sent to the kernel, since they'd otherwise be ignored and
    any future will become impossible if this happens.

    Add NLA_REJECT to the policy which does nothing but reject (with
    EINVAL) validation of any messages containing this attribute.
    Allow for returning a specific extended ACK error message in the
    validation_data pointer.

    While at it clear up the documentation a bit - the NLA_BITFIELD32
    documentation was added to the list of len field descriptions.

    Also, use NL_SET_BAD_ATTR() in one place where it's open-coded.

    The specific case I have in mind now is a shared nested attribute
    containing request/response data, and it would be pointless and
    potentially confusing to have userspace include response data in
    the messages that actually contain a request.

    Signed-off-by: Johannes Berg
    Reviewed-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Johannes Berg
     

28 Jun, 2018

1 commit

08 Dec, 2017

1 commit

  • 6e237d099   netlink: Relax attr validation for fixed length types ... Browse Code »

    Commit 28033ae4e0f5 ("net: netlink: Update attr validation to require
    exact length for some types") requires attributes using types NLA_U* and
    NLA_S* to have an exact length. This change is exposing bugs in various
    userspace commands that are sending attributes with an invalid length
    (e.g., attribute has type NLA_U8 and userspace sends NLA_U32). While
    the commands are clearly broken and need to be fixed, users are arguing
    that the sudden change in enforcement is breaking older commands on
    newer kernels for use cases that otherwise "worked".

    Relax the validation to print a warning mesage similar to what is done
    for messages containing extra bytes after parsing.

    Fixes: 28033ae4e0f5 ("net: netlink: Update attr validation to require exact length for some types")
    Signed-off-by: David Ahern
    Reviewed-by: Johannes Berg
    Signed-off-by: David S. Miller

    David Ahern
     

11 Nov, 2017

1 commit

02 Nov, 2017

1 commit

  • b24413180   License cleanup: add SPDX GPL-2.0 license identifier to files with no license ... Browse Code »

    Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information it it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from of the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

04 Sep, 2017

1 commit

  • b63f6044d   Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next ... Browse Code »

    Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains Netfilter updates for your net-next
    tree. Basically, updates to the conntrack core, enhancements for
    nf_tables, conversion of netfilter hooks from linked list to array to
    improve memory locality and asorted improvements for the Netfilter
    codebase. More specifically, they are:

    1) Add expection to hashes after timer initialization to prevent
    access from another CPU that walks on the hashes and calls
    del_timer(), from Florian Westphal.

    2) Don't update nf_tables chain counters from hot path, this is only
    used by the x_tables compatibility layer.

    3) Get rid of nested rcu_read_lock() calls from netfilter hook path.
    Hooks are always guaranteed to run from rcu read side, so remove
    nested rcu_read_lock() where possible. Patch from Taehee Yoo.

    4) nf_tables new ruleset generation notifications include PID and name
    of the process that has updated the ruleset, from Phil Sutter.

    5) Use skb_header_pointer() from nft_fib, so we can reuse this code from
    the nf_family netdev family. Patch from Pablo M. Bermudo.

    6) Add support for nft_fib in nf_tables netdev family, also from Pablo.

    7) Use deferrable workqueue for conntrack garbage collection, to reduce
    power consumption, from Patch from Subash Abhinov Kasiviswanathan.

    8) Add nf_ct_expect_iterate_net() helper and use it. From Florian
    Westphal.

    9) Call nf_ct_unconfirmed_destroy only from cttimeout, from Florian.

    10) Drop references on conntrack removal path when skbuffs has escaped via
    nfqueue, from Florian.

    11) Don't queue packets to nfqueue with dying conntrack, from Florian.

    12) Constify nf_hook_ops structure, from Florian.

    13) Remove neededlessly branch in nf_tables trace code, from Phil Sutter.

    14) Add nla_strdup(), from Phil Sutter.

    15) Rise nf_tables objects name size up to 255 chars, people want to use
    DNS names, so increase this according to what RFC 1035 specifies.
    Patch series from Phil Sutter.

    16) Kill nf_conntrack_default_on, it's broken. Default on conntrack hook
    registration on demand, suggested by Eric Dumazet, patch from Florian.

    17) Remove unused variables in compat_copy_entry_from_user both in
    ip_tables and arp_tables code. Patch from Taehee Yoo.

    18) Constify struct nf_conntrack_l4proto, from Julia Lawall.

    19) Constify nf_loginfo structure, also from Julia.

    20) Use a single rb root in connlimit, from Taehee Yoo.

    21) Remove unused netfilter_queue_init() prototype, from Taehee Yoo.

    22) Use audit_log() instead of open-coding it, from Geliang Tang.

    23) Allow to mangle tcp options via nft_exthdr, from Florian.

    24) Allow to fetch TCP MSS from nft_rt, from Florian. This includes
    a fix for a miscalculation of the minimal length.

    25) Simplify branch logic in h323 helper, from Nick Desaulniers.

    26) Calculate netlink attribute size for conntrack tuple at compile
    time, from Florian.

    27) Remove protocol name field from nf_conntrack_{l3,l4}proto structure.
    From Florian.

    28) Remove holes in nf_conntrack_l4proto structure, so it becomes
    smaller. From Florian.

    29) Get rid of print_tuple() indirection for /proc conntrack listing.
    Place all the code in net/netfilter/nf_conntrack_standalone.c.
    Patch from Florian.

    30) Do not built in print_conntrack() if CONFIG_NF_CONNTRACK_PROCFS is
    off. From Florian.

    31) Constify most nf_conntrack_{l3,l4}proto helper functions, from
    Florian.

    32) Fix broken indentation in ebtables extensions, from Colin Ian King.

    33) Fix several harmless sparse warning, from Florian.

    34) Convert netfilter hook infrastructure to use array for better memory
    locality, joint work done by Florian and Aaron Conole. Moreover, add
    some instrumentation to debug this.

    35) Batch nf_unregister_net_hooks() calls, to call synchronize_net once
    per batch, from Florian.

    36) Get rid of noisy logging in ICMPv6 conntrack helper, from Florian.

    37) Get rid of obsolete NFDEBUG() instrumentation, from Varsha Rao.

    38) Remove unused code in the generic protocol tracker, from Davide
    Caratti.

    I think I will have material for a second Netfilter batch in my queue if
    time allow to make it fit in this merge window.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

01 Aug, 2017

1 commit

31 Jul, 2017

1 commit

  • 64c83d837   net netlink: Add new type NLA_BITFIELD32 ... Browse Code »

    Generic bitflags attribute content sent to the kernel by user.
    With this netlink attr type the user can either set or unset a
    flag in the kernel.

    The value is a bitmap that defines the bit values being set
    The selector is a bitmask that defines which value bit is to be
    considered.

    A check is made to ensure the rules that a kernel subsystem always
    conforms to bitflags the kernel already knows about. i.e
    if the user tries to set a bit flag that is not understood then
    the _it will be rejected_.

    In the most basic form, the user specifies the attribute policy as:
    [ATTR_GOO] = { .type = NLA_BITFIELD32, .validation_data = &myvalidflags },

    where myvalidflags is the bit mask of the flags the kernel understands.

    If the user _does not_ provide myvalidflags then the attribute will
    also be rejected.

    Examples:
    value = 0x0, and selector = 0x1
    implies we are selecting bit 1 and we want to set its value to 0.

    value = 0x2, and selector = 0x2
    implies we are selecting bit 2 and we want to set its value to 1.

    Suggested-by: Jiri Pirko
    Signed-off-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller

    Jamal Hadi Salim
     

21 Jun, 2017

1 commit

16 Jun, 2017

2 commits

  • 4df864c1d   networking: make skb_put & friends return void pointers ... Browse Code »

    It seems like a historic accident that these return unsigned char *,
    and in many places that means casts are required, more often than not.

    Make these functions (skb_put, __skb_put and pskb_put) return void *
    and remove all the casts across the tree, adding a (u8 *) cast only
    where the unsigned char pointer was used directly, all done with the
    following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = { skb_put, __skb_put };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = { skb_put, __skb_put };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

    which actually doesn't cover pskb_put since there are only three
    users overall.

    A handful of stragglers were converted manually, notably a macro in
    drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
    instances in net/bluetooth/hci_sock.c. In the former file, I also
    had to fix one whitespace problem spatch introduced.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 59ae1d127   networking: introduce and use skb_put_data() ... Browse Code »

    A common pattern with skb_put() is to just want to memcpy()
    some data into the new space, introduce skb_put_data() for
    this.

    An spatch similar to the one for skb_put_zero() converts many
    of the places using it:

    @@
    identifier p, p2;
    expression len, skb, data;
    type t, t2;
    @@
    (
    -p = skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    |
    -p = (t)skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, len);
    |
    -memcpy(p, data, len);
    )

    @@
    type t, t2;
    identifier p, p2;
    expression skb, data;
    @@
    t *p;
    ...
    (
    -p = skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    |
    -p = (t *)skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, sizeof(*p));
    |
    -memcpy(p, data, sizeof(*p));
    )

    @@
    expression skb, len, data;
    @@
    -memcpy(skb_put(skb, len), data, len);
    +skb_put_data(skb, data, len);

    (again, manually post-processed to retain some comments)

    Reviewed-by: Stephen Hemminger
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

14 Jun, 2017

1 commit

  • aa9f979c4   networking: use skb_put_zero() ... Browse Code »

    Use the recently introduced helper to replace the pattern of
    skb_put() && memset(), this transformation was done with the
    following spatch:

    @@
    identifier p;
    expression len;
    expression skb;
    @@
    -p = skb_put(skb, len);
    -memset(p, 0, len);
    +p = skb_put_zero(skb, len);

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

14 Apr, 2017

1 commit

20 Nov, 2016

1 commit

  • 32d84cdcf   netlink: smaller nla_attr_minlen table ... Browse Code »

    Length of a netlink attribute may be u16 but lengths of basic attributes
    are much smaller, so small we can save 16 bytes of .rodata and pocket
    change inside .text.

    16-bit is worse on x86-64 than 8-bit because of operand size override prefix.

    add/remove: 0/0 grow/shrink: 0/3 up/down: 0/-19 (-19)
    function old new delta
    validate_nla 418 417 -1
    nla_policy_len 66 64 -2
    nla_attr_minlen 32 16 -16
    Total: Before=154865051, After=154865032, chg -0.00%

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller

    Alexey Dobriyan
     

24 Apr, 2016

1 commit

22 Apr, 2016

1 commit

01 Apr, 2015

1 commit

  • 5899f0478   netlink: pad nla_memcpy dest buffer with zeroes ... Browse Code »

    This is especially important in cases where the kernel allocs a new
    structure and expects a field to be set from a netlink attribute. If such
    attribute is shorter than expected, the rest of the field is left containing
    previous data. When such field is read back by the user space, kernel memory
    content is leaked.

    Signed-off-by: Jiri Benc
    Acked-by: Thomas Graf
    Signed-off-by: David S. Miller

    Jiri Benc
     

13 Feb, 2015

1 commit

  • fb41f9d71   lib/nlattr.c: remove redundant include ... Browse Code »

    nlattr.c doesn't seem to rely on anything from netdevice.h. Removing it
    yields identical objdump -d output for each of {allyes,allno,def}config,
    and eliminates more than 200 lines from the generated dependency file.

    Signed-off-by: Rasmus Villemoes
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Rasmus Villemoes
     

09 Jun, 2014

1 commit

  • 3f17ea6de   Merge branch 'next' (accumulated 3.16 merge window patches) into master ... Browse Code »

    Now that 3.15 is released, this merges the 'next' branch into 'master',
    bringing us to the normal situation where my 'master' branch is the
    merge window.

    * accumulated work in next: (6809 commits)
    ufs: sb mutex merge + mutex_destroy
    powerpc: update comments for generic idle conversion
    cris: update comments for generic idle conversion
    idle: remove cpu_idle() forward declarations
    nbd: zero from and len fields in NBD_CMD_DISCONNECT.
    mm: convert some level-less printks to pr_*
    MAINTAINERS: adi-buildroot-devel is moderated
    MAINTAINERS: add linux-api for review of API/ABI changes
    mm/kmemleak-test.c: use pr_fmt for logging
    fs/dlm/debug_fs.c: replace seq_printf by seq_puts
    fs/dlm/lockspace.c: convert simple_str to kstr
    fs/dlm/config.c: convert simple_str to kstr
    mm: mark remap_file_pages() syscall as deprecated
    mm: memcontrol: remove unnecessary memcg argument from soft limit functions
    mm: memcontrol: clean up memcg zoneinfo lookup
    mm/memblock.c: call kmemleak directly from memblock_(alloc|free)
    mm/mempool.c: update the kmemleak stack trace for mempool allocations
    lib/radix-tree.c: update the kmemleak stack trace for radix tree allocations
    mm: introduce kmemleak_update_trace()
    mm/kmemleak.c: use %u to print ->checksum
    ...

    Linus Torvalds
     

05 Jun, 2014

1 commit

03 Jun, 2014

1 commit

  • bfc5184b6   netlink: rate-limit leftover bytes warning and print process name ... Browse Code »

    Any process is able to send netlink messages with leftover bytes.
    Make the warning rate-limited to prevent too much log spam.

    The warning is supposed to help find userspace bugs, so print the
    triggering command name to implicate the buggy program.

    [v2: Use pr_warn_ratelimited instead of printk_ratelimited.]

    Signed-off-by: Michal Schmidt
    Signed-off-by: David S. Miller

    Michal Schmidt
     

02 Apr, 2014

1 commit

  • 8b7b93243   netlink: don't compare the nul-termination in nla_strcmp ... Browse Code »

    nla_strcmp compares the string length plus one, so it's implicitly
    including the nul-termination in the comparison.

    int nla_strcmp(const struct nlattr *nla, const char *str)
    {
    int len = strlen(str) + 1;
    ...
    d = memcmp(nla_data(nla), str, len);

    However, if NLA_STRING is used, userspace can send us a string without
    the nul-termination. This is a problem since the string
    comparison will not match as the last byte may be not the
    nul-termination.

    Fix this by skipping the comparison of the nul-termination if the
    attribute data is nul-terminated. Suggested by Thomas Graf.

    Cc: Florian Westphal
    Cc: Thomas Graf
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Pablo Neira
     

31 Aug, 2012

1 commit

08 Mar, 2012

1 commit

05 Nov, 2011

1 commit

  • c30bc9475   netlink: validate NLA_MSECS length ... Browse Code »
    1

    L2TP for example uses NLA_MSECS like this:
    policy:
    [L2TP_ATTR_RECV_TIMEOUT] = { .type = NLA_MSECS, },
    code:
    if (info->attrs[L2TP_ATTR_RECV_TIMEOUT])
    cfg.reorder_timeout = nla_get_msecs(info->attrs[L2TP_ATTR_RECV_TIMEOUT]);

    As nla_get_msecs() is essentially nla_get_u64() plus the
    conversion to a HZ-based value, this will not properly
    reject attributes from userspace that aren't long enough
    and might overrun the message.

    Add NLA_MSECS to the attribute minlen array to check the
    size properly.

    Cc: Thomas Graf
    Cc: stable@vger.kernel.org
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

01 Mar, 2011

1 commit