linux.git/net/socket.c, branch v2.6.14 Linux kernel source tree [NET]: Fix module reference counts for loadable protocol modules 2005-09-27T22:23:38+00:00 Frank Filz ffilzlnx@us.ibm.com 2005-09-27T22:23:38+00:00 a79af59efd20990473d579b1d8d70bb120f0920c I have been experimenting with loadable protocol modules, and ran into several issues with module reference counting. The first issue was that __module_get failed at the BUG_ON check at the top of the routine (checking that my module reference count was not zero) when I created the first socket. When sk_alloc() is called, my module reference count was still 0. When I looked at why sctp didn't have this problem, I discovered that sctp creates a control socket during module init (when the module ref count is not 0), which keeps the reference count non-zero. This section has been updated to address the point Stephen raised about checking the return value of try_module_get(). The next problem arose when my socket init routine returned an error. This resulted in my module reference count being decremented below 0. My socket ops->release routine was also being called. The issue here is that sock_release() calls the ops->release routine and decrements the ref count if sock->ops is not NULL. Since the socket probably didn't get correctly initialized, this should not be done, so we will set sock->ops to NULL because we will not call try_module_get(). While searching for another bug, I also noticed that sys_accept() has a possibility of doing a module_put() when it did not do an __module_get so I re-ordered the call to security_socket_accept(). Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
I have been experimenting with loadable protocol modules, and ran into
several issues with module reference counting.

The first issue was that __module_get failed at the BUG_ON check at
the top of the routine (checking that my module reference count was
not zero) when I created the first socket. When sk_alloc() is called,
my module reference count was still 0. When I looked at why sctp
didn't have this problem, I discovered that sctp creates a control
socket during module init (when the module ref count is not 0), which
keeps the reference count non-zero. This section has been updated to
address the point Stephen raised about checking the return value of
try_module_get().

The next problem arose when my socket init routine returned an error.
This resulted in my module reference count being decremented below 0.
My socket ops->release routine was also being called. The issue here
is that sock_release() calls the ops->release routine and decrements
the ref count if sock->ops is not NULL. Since the socket probably
didn't get correctly initialized, this should not be done, so we will
set sock->ops to NULL because we will not call try_module_get().

While searching for another bug, I also noticed that sys_accept() has
a possibility of doing a module_put() when it did not do an
__module_get so I re-ordered the call to security_socket_accept().

Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Make sure ctl buffer is aligned properly in sys_sendmsg(). 2005-09-26T21:28:02+00:00 Alex Williamson alex.williamson@hp.com 2005-09-26T21:28:02+00:00 b9d717a7b413f227ebb2d61d9c118335f7292137 It's on the stack and declared as "unsigned char[]", but pointers and similar can be in here thus we need to give it an explicit alignment attribute. Signed-off-by: Alex Williamson <alex.williamson@hp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
It's on the stack and declared as "unsigned char[]", but pointers
and similar can be in here thus we need to give it an explicit
alignment attribute.

Signed-off-by: Alex Williamson <alex.williamson@hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Do not leak MSG_CMSG_COMPAT into userspace. 2005-09-16T23:51:01+00:00 David S. Miller davem@davemloft.net 2005-09-16T23:51:01+00:00 37f7f421cce13435fdc0d870caf51141e5ebf079 Noticed by Sridhar Samudrala. Signed-off-by: David S. Miller <davem@davemloft.net> 
Noticed by Sridhar Samudrala.

Signed-off-by: David S. Miller <davem@davemloft.net>
[PATCH] Fix 32bit sendmsg() flaw 2005-09-08T15:14:11+00:00 Al Viro viro@zeniv.linux.org.uk 2005-09-08T01:28:51+00:00 8920e8f94c44e31a73bdf923b04721e26e88cadd When we copy 32bit ->msg_control contents to kernel, we walk the same userland data twice without sanity checks on the second pass. Second version of this patch: the original broke with 64-bit arches running 32-bit-compat-mode executables doing sendmsg() syscalls with unaligned CMSG data areas Another thing is that we use kmalloc() to allocate and sock_kfree_s() to free afterwards; less serious, but also needs fixing. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> 
When we copy 32bit ->msg_control contents to kernel, we walk the same
userland data twice without sanity checks on the second pass.

Second version of this patch: the original broke with 64-bit arches
running 32-bit-compat-mode executables doing sendmsg() syscalls with
unaligned CMSG data areas

Another thing is that we use kmalloc() to allocate and sock_kfree_s()
to free afterwards; less serious, but also needs fixing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[NET]: Use file->private_data to get socket pointer. 2005-09-06T21:42:45+00:00 Eric Dumazet dada1@cosmosbay.com 2005-09-06T21:42:45+00:00 b69aee04fbfc027fc4ddaddc809ea8711cef9511 Avoid touching file->f_dentry on sockets, since file->private_data directly gives us the socket pointer. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Avoid touching file->f_dentry on sockets, since file->private_data
directly gives us the socket pointer.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: use __read_mostly on kmem_cache_t , DEFINE_SNMP_STAT pointers 2005-08-29T23:11:18+00:00 Eric Dumazet dada1@cosmosbay.com 2005-08-26T19:05:31+00:00 ba89966c1984513f4f2cc0a6c182266be44ddd03 This patch puts mostly read only data in the right section (read_mostly), to help sharing of these data between CPUS without memory ping pongs. On one of my production machine, tcp_statistics was sitting in a heavily modified cache line, so *every* SNMP update had to force a reload. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch puts mostly read only data in the right section
(read_mostly), to help sharing of these data between CPUS without
memory ping pongs.

On one of my production machine, tcp_statistics was sitting in a
heavily modified cache line, so *every* SNMP update had to force a
reload.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Fix sparse warnings 2005-08-29T23:01:32+00:00 Arnaldo Carvalho de Melo acme@mandriva.com 2005-08-16T05:18:02+00:00 20380731bc2897f2952ae055420972ded4cd786e Of this type, mostly: CHECK net/ipv6/netfilter.c net/ipv6/netfilter.c:96:12: warning: symbol 'ipv6_netfilter_init' was not declared. Should it be static? net/ipv6/netfilter.c:101:6: warning: symbol 'ipv6_netfilter_fini' was not declared. Should it be static? Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Of this type, mostly:

CHECK   net/ipv6/netfilter.c
net/ipv6/netfilter.c:96:12: warning: symbol 'ipv6_netfilter_init' was not declared. Should it be static?
net/ipv6/netfilter.c:101:6: warning: symbol 'ipv6_netfilter_fini' was not declared. Should it be static?

Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Make use of ->private_data in sockfd_lookup 2005-08-29T22:56:38+00:00 Benjamin LaHaise bcrl@linux.intel.com 2005-08-10T21:16:04+00:00 07dc3f0718d2c88c3094a0aadeeb4744effc5439 Please consider the patch below which makes use of file->private_data to store the pointer to the socket, which avoids touching several unused cachelines in the dentry and inode in sockfd_lookup. Signed-off-by: Benjamin LaHaise <bcrl@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Please consider the patch below which makes use of file->private_data to
store the pointer to the socket, which avoids touching several unused
cachelines in the dentry and inode in sockfd_lookup.

Signed-off-by: Benjamin LaHaise <bcrl@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: dont use strlen() but the result from a prior sprintf() 2005-06-22T21:32:51+00:00 Eric Dumazet dada1@cosmosbay.com 2005-06-22T21:32:51+00:00 f31f5f051269746179b01017fc5e3dcf6b37c67e Small patch to save an unecessary call to strlen() : sprintf() gave us the length, just trust it. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Small patch to save an unecessary call to strlen() : sprintf() gave us
the length, just trust it.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
AUDIT: Fix user pointer deref thinko in sys_socketcall(). 2005-06-02T11:13:21+00:00 David Woodhouse dwmw2@shinybook.infradead.org 2005-06-02T11:13:21+00:00 4bcff1b37e7c3aed914d1ce5b45994adc7dbf455 I cunningly put the audit call immediately after the copy_from_user().... but used the _userspace_ copy of the args still. Let's not do that. Signed-off-by: David Woodhouse <dwmw2@infradead.org> 
I cunningly put the audit call immediately after the 
copy_from_user().... but used the _userspace_ copy of the args still. 
Let's not do that.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>