linux-stable.git/net/bluetooth/af_bluetooth.c, branch linux-3.2.y Linux kernel stable tree net: rework recvmsg handler msg_name and msg_namelen logic 2014-01-03T04:33:33+00:00 Hannes Frederic Sowa hannes@stressinduktion.org 2013-11-21T02:14:22+00:00 a598f7fa9c24c3ef458043d59c237b8fc5d1adad [ Upstream commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c ] This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
[ Upstream commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c ]

This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
to return msg_name to the user.

This prevents numerous uninitialized memory leaks we had in the
recvmsg handlers and makes it harder for new code to accidentally leak
uninitialized memory.

Optimize for the case recvfrom is called with NULL as address. We don't
need to copy the address at all, so set it to NULL before invoking the
recvmsg handler. We can do so, because all the recvmsg handlers must
cope with the case a plain read() is called on them. read() also sets
msg_name to NULL.

Also document these changes in include/linux/net.h as suggested by David
Miller.

Changes since RFC:

Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
affect sendto as it would bail out earlier while trying to copy-in the
address. It also more naturally reflects the logic by the callers of
verify_iovec.

With this change in place I could remove "
if (!uaddr || msg_sys->msg_namelen == 0)
	msg->msg_name = NULL
".

This change does not alter the user visible error logic as we ignore
msg_namelen as long as msg_name is NULL.

Also remove two unnecessary curly brackets in ___sys_recvmsg and change
comments to netdev style.

Cc: David Miller <davem@davemloft.net>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bluetooth: fix possible info leak in bt_sock_recvmsg() 2013-05-13T14:02:39+00:00 Mathias Krause minipli@googlemail.com 2013-04-07T01:51:49+00:00 95ee0fb7a014cdf80be37b329fa462ff3847f7c0 [ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ] In case the socket is already shutting down, bt_sock_recvmsg() returns with 0 without updating msg_namelen leading to net/socket.c leaking the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix this by moving the msg_namelen assignment in front of the shutdown test. Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]

In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.

Fix this by moving the msg_namelen assignment in front of the shutdown
test.

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bluetooth: Handle fragmented skbs in bt_sock_stream_recvmsg() 2011-09-27T21:16:07+00:00 Mat Martineau mathewm@codeaurora.org 2011-07-22T21:53:59+00:00 5b668eb3270f3f9c13ddf6e4fb57bf20c83dccff ERTM reassembly will be more efficient when skbs are linked together rather than copying every incoming data byte. The existing stream recv function assumes skbs are linear, so it needs to know how to handle fragments before reassembly is changed. bt_sock_recvmsg() already handles fragmented skbs. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
ERTM reassembly will be more efficient when skbs are linked together
rather than copying every incoming data byte. The existing stream recv
function assumes skbs are linear, so it needs to know how to handle
fragments before reassembly is changed.

bt_sock_recvmsg() already handles fragmented skbs.

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: Fix lost wakeups waiting for sock state change 2011-08-11T22:50:26+00:00 Peter Hurley peter@hurleysoftware.com 2011-07-24T04:10:46+00:00 9be4e3fbf2d3603e7a7010ede0697166738a788b Fix race conditions which can cause lost wakeups while waiting for sock state to change. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
Fix race conditions which can cause lost wakeups while waiting
for sock state to change.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: remove unnecessary call to hci_sock_cleanup 2011-02-26T01:36:58+00:00 Anand Gadiyar gadiyar@ti.com 2011-02-22T07:13:26+00:00 0ed54dad52e8056f4440da723a4c117f2aef1f68 hci_sock_cleanup is already called after the sock_err label. It appears that we can drop this call. Signed-off-by: Anand Gadiyar <gadiyar@ti.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
hci_sock_cleanup is already called after the sock_err label.
It appears that we can drop this call.

Signed-off-by: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: fix checkpatch errors in af_bluetooth.c 2011-02-17T22:24:05+00:00 Gustavo F. Padovan padovan@profusion.mobi 2011-02-17T22:24:05+00:00 8ffd878419839638d1aea102455b575da39c1a62 Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: Merge L2CAP and SCO modules into bluetooth.ko 2011-02-14T20:27:36+00:00 Gustavo F. Padovan padovan@profusion.mobi 2011-02-07T22:08:52+00:00 642745184f82688eb3ef0cdfaa4ba632055be9af Actually doesn't make sense have these modules built separately. The L2CAP layer is needed by almost all Bluetooth protocols and profiles. There isn't any real use case without having L2CAP loaded. SCO is only essential for Audio transfers, but it is so small that we can have it loaded always in bluetooth.ko without problems. If you really doesn't want it you can disable SCO in the kernel config. Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
Actually doesn't make sense have these modules built separately.
The L2CAP layer is needed by almost all Bluetooth protocols and profiles.
There isn't any real use case without having L2CAP loaded.
SCO is only essential for Audio transfers, but it is so small that we can
have it loaded always in bluetooth.ko without problems.
If you really doesn't want it you can disable SCO in the kernel config.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: fix crash by disabling tasklet in sock accept 2011-02-08T03:40:08+00:00 Andrei Emeltchenko andrei.emeltchenko@nokia.com 2011-01-24T08:53:24+00:00 d37f50e19094862a5d60d79637d6f4dbdc42f4f1 Crash can happen when tasklet handling connect/disconnect requests preempts socket accept. Can be reproduced with "l2test -r" on one side and several "l2test -c -b 1000 -i hci0 -P 10 <bdaddr>" on the other side. disable taskets in socket accept and change lock_sock and release_sock to bh_lock_sock and bh_unlock_sock since we have to use spinlocks and there is no need to mark sock as owned by user. ... [ 3555.897247] Unable to handle kernel NULL pointer dereference at virtual address 000000bc [ 3555.915039] pgd = cab9c000 [ 3555.917785] [000000bc] *pgd=8bf3d031, *pte=00000000, *ppte=00000000 [ 3555.928314] Internal error: Oops: 17 [#1] PREEMPT [ 3555.999786] CPU: 0 Not tainted (2.6.32.21-13874-g67918ef #65) ... [ 3556.005981] PC is at bt_accept_unlink+0x20/0x58 [bluetooth] [ 3556.011627] LR is at bt_accept_dequeue+0x3c/0xe8 [bluetooth] ... [ 3556.161285] [<bf0007fc>] (bt_accept_unlink+0x20/0x58 [bluetooth]) from [<bf000870>] (bt_accept_dequeue+0x3c/0xe8 [bluetooth]) [ 3556.172729] [<bf000870>] (bt_accept_dequeue+0x3c/0xe8 [bluetooth]) from [<bf324df8>] (l2cap_sock_accept+0x100/0x15c [l2cap]) [ 3556.184082] [<bf324df8>] (l2cap_sock_accept+0x100/0x15c [l2cap]) from [<c026a0a8>] (sys_accept4+0x120/0x1e0) [ 3556.193969] [<c026a0a8>] (sys_accept4+0x120/0x1e0) from [<c002c9a0>] (ret_fast_syscall+0x0/0x2c) [ 3556.202819] Code: e5813000 e5901164 e580c160 e580c15c (e1d13bbc) ... Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
Crash can happen when tasklet handling connect/disconnect requests
preempts socket accept. Can be reproduced with "l2test -r" on one
side and several "l2test -c -b 1000 -i hci0 -P 10 <bdaddr>" on the
other side.

disable taskets in socket accept and change lock_sock and release_sock
to bh_lock_sock and bh_unlock_sock since we have to use spinlocks and
there is no need to mark sock as owned by user.

...
[ 3555.897247] Unable to handle kernel NULL pointer dereference at virtual
address 000000bc
[ 3555.915039] pgd = cab9c000
[ 3555.917785] [000000bc] *pgd=8bf3d031, *pte=00000000, *ppte=00000000
[ 3555.928314] Internal error: Oops: 17 [#1] PREEMPT
[ 3555.999786] CPU: 0    Not tainted  (2.6.32.21-13874-g67918ef #65)
...
[ 3556.005981] PC is at bt_accept_unlink+0x20/0x58 [bluetooth]
[ 3556.011627] LR is at bt_accept_dequeue+0x3c/0xe8 [bluetooth]
...
[ 3556.161285] [<bf0007fc>] (bt_accept_unlink+0x20/0x58 [bluetooth]) from
[<bf000870>] (bt_accept_dequeue+0x3c/0xe8 [bluetooth])
[ 3556.172729] [<bf000870>] (bt_accept_dequeue+0x3c/0xe8 [bluetooth]) from
[<bf324df8>] (l2cap_sock_accept+0x100/0x15c [l2cap])
[ 3556.184082] [<bf324df8>] (l2cap_sock_accept+0x100/0x15c [l2cap]) from
[<c026a0a8>] (sys_accept4+0x120/0x1e0)
[ 3556.193969] [<c026a0a8>] (sys_accept4+0x120/0x1e0) from [<c002c9a0>]
(ret_fast_syscall+0x0/0x2c)
[ 3556.202819] Code: e5813000 e5901164 e580c160 e580c15c (e1d13bbc)
...

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: Do not use assignments in IF conditions 2011-02-08T03:40:08+00:00 Andrei Emeltchenko andrei.emeltchenko@nokia.com 2011-01-11T15:20:20+00:00 5a08eccedaa1e12b74cf3afea9e11a9aefc29f73 Fix checkpatch warnings concerning assignments in if conditions. Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
Fix checkpatch warnings concerning assignments in if conditions.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Bluetooth: Add common code for stream-oriented recvmsg() 2010-10-12T15:44:51+00:00 Mat Martineau mathewm@codeaurora.org 2010-09-08T17:05:27+00:00 796c86eec84ddfd02281c5071838ed1fefda6b90 This commit adds a bt_sock_stream_recvmsg() function for use by any Bluetooth code that uses SOCK_STREAM sockets. This code is copied from rfcomm_sock_recvmsg() with minimal modifications to remove RFCOMM-specific functionality and improve readability. L2CAP (with the SOCK_STREAM socket type) and RFCOMM have common needs when it comes to reading data. Proper stream read semantics require that applications can read from a stream one byte at a time and not lose any data. The RFCOMM code already operated on and pulled data from the underlying L2CAP socket, so very few changes were required to make the code more generic for use with non-RFCOMM data over L2CAP. Applications that need more awareness of L2CAP frame boundaries are still free to use SOCK_SEQPACKET sockets, and may verify that they connection did not fall back to basic mode by calling getsockopt(). Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> 
This commit adds a bt_sock_stream_recvmsg() function for use by any
Bluetooth code that uses SOCK_STREAM sockets.  This code is copied
from rfcomm_sock_recvmsg() with minimal modifications to remove
RFCOMM-specific functionality and improve readability.

L2CAP (with the SOCK_STREAM socket type) and RFCOMM have common needs
when it comes to reading data.  Proper stream read semantics require
that applications can read from a stream one byte at a time and not
lose any data.  The RFCOMM code already operated on and pulled data
from the underlying L2CAP socket, so very few changes were required to
make the code more generic for use with non-RFCOMM data over L2CAP.

Applications that need more awareness of L2CAP frame boundaries are
still free to use SOCK_SEQPACKET sockets, and may verify that they
connection did not fall back to basic mode by calling getsockopt().

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>