From: Al Viro <viro@ZenIV.linux.org.uk>
To: David Laight <David.Laight@ACULAB.COM>
Cc: "davem@davemloft.net" <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH 15/17] switch kernel_sendmsg() and kernel_recvmsg() to iov_iter_kvec()
Date: Tue, 14 Apr 2015 17:59:21 +0100 [thread overview]
Message-ID: <20150414165920.GB889@ZenIV.linux.org.uk> (raw)
In-Reply-To: <063D6719AE5E284EB5DD2968C1650D6D1CB1DE00@AcuExch.aculab.com>
On Tue, Apr 14, 2015 at 04:36:36PM +0000, David Laight wrote:
> From: Al Viro
> > Sent: 14 April 2015 17:34
> > On Tue, Apr 14, 2015 at 04:21:02PM +0000, David Laight wrote:
> >
> > > Massive NAK.
> > > This breaks any code that is using msg_control to set SCTP parameters
> > > when sending data.
> >
> > Huh? ->sendmsg() expects ->msg_control already in kernel space;
> > it's ->recvmsg() that plays silly buggers with userland pointers there.
>
> I read your commit message as implying that you hadn't found any
> users of kernel_sendmsg() that used msg_control.
> Not that the data was always read from kernel space.
Sigh... The situation is:
* ->sendmsg() expects ->msg_control copied to userland. sendmsg(2),
sendto(2), etc. do that copying. See ___sys_sendmsg() - there we have
/*
* Careful! Before this, msg_sys->msg_control contains a user pointer.
* Afterwards, it will be a kernel pointer. Thus the compiler-assisted
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
(void __user __force *)msg_sys->msg_control,
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
As the result, ->sendmsg() instances access ->msg_control contents as normal
kernel data.
* ->recvmsg() expects ->msg_control to point to userland. See
net/core/scm.c for the helpers used to store into it. recvmsg(2) et.al.
simply leave the userland pointer there; worse, that pointer might be
to native or to compat variants, and layouts _are_ different. Thus those
if (MSG_CMSG_COMPAT & msg->msg_flags) in net/core/scm.c...
* kernel-side users of ->sendmsg() do not depend on setfs() for
access to their ->msg_control, simply because ->sendmsg() won't be using
copy_from_user()/get_user() to access it anyway.
* kernel-side users of ->recvmsg() are less lucky - most of them
don't give a damn either (they have NULL ->msg_control), but there's an
exception (somewhere in sunrpc, IIRC). So there we need to keep
playing with setfs(), even though the data side would be just fine without
that.
next prev parent reply other threads:[~2015-04-14 16:59 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-11 21:17 [call for review] netdev-related stuff in vfs.git Al Viro
2015-04-11 21:18 ` [PATCH 01/17] fs: remove ki_nbytes Al Viro
2015-04-11 21:18 ` [PATCH 02/17] fuse: handle synchronous iocbs internally Al Viro
2015-04-11 21:18 ` [PATCH 03/17] fs: don't allow to complete sync iocbs through aio_complete Al Viro
2015-04-14 18:00 ` Tadeusz Struk
2015-04-14 18:26 ` Al Viro
2015-04-14 18:37 ` Tadeusz Struk
2015-04-14 19:22 ` Al Viro
2015-04-11 21:18 ` [PATCH 04/17] fs: split generic and aio kiocb Al Viro
2015-04-11 21:18 ` [PATCH 05/17] fs: move struct kiocb to fs.h Al Viro
2015-04-11 21:18 ` [PATCH 06/17] saner iov_iter initialization primitives Al Viro
2015-04-11 21:18 ` [PATCH 07/17] RxRPC: Fix the conversion to iov_iter Al Viro
2015-04-11 21:18 ` [PATCH 08/17] RxRPC: Don't call skb_add_data() if there's no data to copy Al Viro
2015-04-11 21:18 ` [PATCH 09/17] RxRPC: Use iov_iter_count() in rxrpc_send_data() instead of the len argument Al Viro
2015-04-11 21:18 ` [PATCH 10/17] AFS: afs_send_empty_reply() doesn't require an iovec array Al Viro
2015-04-11 21:18 ` [PATCH 11/17] RxRPC: Handle VERSION Rx protocol packets Al Viro
2015-04-11 21:18 ` [PATCH 12/17] kafs: Add more "unified AFS" error codes Al Viro
2015-04-11 21:18 ` [PATCH 13/17] net: switch sendto() and recvfrom() to import_single_range() Al Viro
2015-04-11 21:18 ` [PATCH 14/17] net: switch importing msghdr from userland to {compat_,}import_iovec() Al Viro
2015-04-11 21:18 ` [PATCH 15/17] switch kernel_sendmsg() and kernel_recvmsg() to iov_iter_kvec() Al Viro
2015-04-14 16:21 ` David Laight
2015-04-14 16:34 ` Al Viro
2015-04-14 16:36 ` David Laight
2015-04-14 16:59 ` Al Viro [this message]
2015-04-15 9:08 ` David Laight
2015-04-15 9:36 ` Daniel Borkmann
2015-04-15 9:53 ` David Laight
2015-04-11 21:18 ` [PATCH 16/17] get rid of the size argument of sock_sendmsg() Al Viro
2015-04-14 16:25 ` David Laight
2015-04-14 16:35 ` Al Viro
2015-04-14 16:44 ` Al Viro
2015-04-14 17:55 ` David Miller
2015-04-15 8:37 ` David Laight
2015-04-15 10:15 ` Eric Dumazet
2015-04-15 16:06 ` David Miller
2015-04-11 21:18 ` [PATCH 17/17] new helper: msg_data_left() Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150414165920.GB889@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=David.Laight@ACULAB.COM \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).