* [PATCH] llc_cmsg_rcv was getting called after sk_eat_skb.
@ 2011-12-16  9:01 Alexandru Juncu
  2011-12-16 15:29 ` Daniel Baluta
  2011-12-19 20:59 ` David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Alexandru Juncu @ 2011-12-16  9:01 UTC (permalink / raw)
  To: acme, davem, netdev; +Cc: alex.juncu, Alexandru Juncu, Kunjan Naik

Received non stream protocol packets were calling llc_cmsg_rcv that used a
skb after that skb was released by sk_eat_skb. This caused received STP
packets to generate kernel panics.

Signed-off-by: Alexandru Juncu <ajuncu@ixiacom.com>
Signed-off-by: Kunjan Naik <knaik@ixiacom.com>
---
 net/llc/af_llc.c |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index dfd3a64..a18e6c3 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -833,15 +833,15 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
 		copied += used;
 		len -= used;
 
+		/* For non stream protcols we get one packet per recvmsg call */
+		if (sk->sk_type != SOCK_STREAM)
+			goto copy_uaddr;
+
 		if (!(flags & MSG_PEEK)) {
 			sk_eat_skb(sk, skb, 0);
 			*seq = 0;
 		}
 
-		/* For non stream protcols we get one packet per recvmsg call */
-		if (sk->sk_type != SOCK_STREAM)
-			goto copy_uaddr;
-
 		/* Partial read */
 		if (used + offset < skb->len)
 			continue;
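Review bot: the SOCK_STREAM path still reads the skb after it may have been released. In the unchanged context at the end of this hunk, `if (used + offset < skb->len)` runs directly after `sk_eat_skb(sk, skb, 0)` whenever MSG_PEEK is not set. Moving the `goto copy_uaddr` above the eat only protects non-stream sockets. Consider computing the partial-read condition into a local before the sk_eat_skb call, so that stream sockets do not dereference the skb after it is eaten either.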
@@ -857,6 +857,12 @@ copy_uaddr:
 	}
 	if (llc_sk(sk)->cmsg_flags)
 		llc_cmsg_rcv(msg, skb);
+
+	if (!(flags & MSG_PEEK)) {
+			sk_eat_skb(sk, skb, 0);
+			*seq = 0;
+	}
+
 	goto out;
 }
 
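Review bot: the body of the added `if (!(flags & MSG_PEEK))` block is indented one tab too deep: `sk_eat_skb(sk, skb, 0);` and `*seq = 0;` sit at three tabs under an `if` at one tab, and should be at two. The block is also a verbatim copy of the one kept in the receive loop in the first hunk, so the MSG_PEEK handling now lives in two places that have to be kept in sync. If the duplication stays, say so in the commit message so that a later cleanup does not merge the two back into the loop.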
-- 
1.7.4.1


* Re: [PATCH] llc_cmsg_rcv was getting called after sk_eat_skb.
  2011-12-16  9:01 [PATCH] llc_cmsg_rcv was getting called after sk_eat_skb Alexandru Juncu
@ 2011-12-16 15:29 ` Daniel Baluta
  2011-12-19 20:59 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel Baluta @ 2011-12-16 15:29 UTC (permalink / raw)
  To: Alexandru Juncu
  Cc: acme, davem, netdev, alex.juncu, Kunjan Naik, Eric Dumazet

Hello Alex,

Please add a llc: prefix to the Subject. Also the title
should suggest what is the patch supposed to do.

e.g:

llc: Don't call llc_cmsg_rcv after sk_eat_skb

On Fri, Dec 16, 2011 at 11:01 AM, Alexandru Juncu <ajuncu@ixiacom.com> wrote:
> Received non stream protocol packets were calling llc_cmsg_rcv that used a
> skb after that skb was released by sk_eat_skb. This caused received STP
> packets to generate kernel panics.
>
> Signed-off-by: Alexandru Juncu <ajuncu@ixiacom.com>
> Signed-off-by: Kunjan Naik <knaik@ixiacom.com>
> ---
>  net/llc/af_llc.c |   14 ++++++++++----
>  1 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
> index dfd3a64..a18e6c3 100644
> --- a/net/llc/af_llc.c
> +++ b/net/llc/af_llc.c
> @@ -833,15 +833,15 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
>                copied += used;
>                len -= used;
>
> +               /* For non stream protcols we get one packet per recvmsg call */
> +               if (sk->sk_type != SOCK_STREAM)
> +                       goto copy_uaddr;
> +
>                if (!(flags & MSG_PEEK)) {
>                        sk_eat_skb(sk, skb, 0);
>                        *seq = 0;
>                }
>
> -               /* For non stream protcols we get one packet per recvmsg call */
> -               if (sk->sk_type != SOCK_STREAM)
> -                       goto copy_uaddr;
> -
>                /* Partial read */
>                if (used + offset < skb->len)
>                        continue;
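Review bot: the comment moved above the MSG_PEEK block still carries the typo "protcols" in `/* For non stream protcols we get one packet per recvmsg call */`. Since the line is being re-added anyway, correct it to "protocols" in the `+` copy.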
> @@ -857,6 +857,12 @@ copy_uaddr:
>        }
>        if (llc_sk(sk)->cmsg_flags)
>                llc_cmsg_rcv(msg, skb);
> +
> +       if (!(flags & MSG_PEEK)) {
> +                       sk_eat_skb(sk, skb, 0);
> +                       *seq = 0;
> +       }
> +
>        goto out;
>  }
>
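Review bot: nothing at the new `sk_eat_skb(sk, skb, 0)` call after `llc_cmsg_rcv(msg, skb)` records why it has to come last. The ordering is the whole fix, because llc_cmsg_rcv uses the skb, so add a short comment above the added `if (!(flags & MSG_PEEK))` stating that the skb must not be eaten before llc_cmsg_rcv has run. Without it, the block looks like a candidate for being moved back next to the copy in the loop.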
> --
> 1.7.4.1

David, Eric could you please review this?

thanks,
Daniel.


* Re: [PATCH] llc_cmsg_rcv was getting called after sk_eat_skb.
  2011-12-16  9:01 [PATCH] llc_cmsg_rcv was getting called after sk_eat_skb Alexandru Juncu
  2011-12-16 15:29 ` Daniel Baluta
@ 2011-12-19 20:59 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2011-12-19 20:59 UTC (permalink / raw)
  To: ajuncu; +Cc: acme, netdev, alex.juncu, knaik, shemminger

From: Alexandru Juncu <ajuncu@ixiacom.com>
Date: Fri, 16 Dec 2011 11:01:25 +0200

> Received non stream protocol packets were calling llc_cmsg_rcv that used a
> skb after that skb was released by sk_eat_skb. This caused received STP
> packets to generate kernel panics.
> 
> Signed-off-by: Alexandru Juncu <ajuncu@ixiacom.com>
> Signed-off-by: Kunjan Naik <knaik@ixiacom.com>

This bug was introduced by commit 30a584d944fbd599d4a8f470f75bf7af1a15b466:

commit 30a584d944fbd599d4a8f470f75bf7af1a15b466
Author: Stephen Hemminger <shemminger@osdl.org>
Date:   Thu Aug 3 16:38:49 2006 -0700

    [LLX]: SOCK_DGRAM interface fixes

The new logic added by this fix is slightly clumsy, but seems correct
and I can't suggest a better fix at this time.

I'll apply this, thanks.
