• Paul Moore's avatar
    ipv6: make ipv6_renew_options() interrupt/kernel safe · a9ba23d4
    Paul Moore authored
    At present the ipv6_renew_options_kern() function ends up calling into
    access_ok() which is problematic if done from inside an interrupt as
    access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures
    (x86-64 is affected).  Example warning/backtrace is shown below:
    
     WARNING: CPU: 1 PID: 3144 at lib/usercopy.c:11 _copy_from_user+0x85/0x90
     ...
     Call Trace:
      <IRQ>
      ipv6_renew_option+0xb2/0xf0
      ipv6_renew_options+0x26a/0x340
      ipv6_renew_options_kern+0x2c/0x40
      calipso_req_setattr+0x72/0xe0
      netlbl_req_setattr+0x126/0x1b0
      selinux_netlbl_inet_conn_request+0x80/0x100
      selinux_inet_conn_request+0x6d/0xb0
      security_inet_conn_request+0x32/0x50
      tcp_conn_request+0x35f/0xe00
      ? __lock_acquire+0x250/0x16c0
      ? selinux_socket_sock_rcv_skb+0x1ae/0x210
      ? tcp_rcv_state_process+0x289/0x106b
      tcp_rcv_state_process+0x289/0x106b
      ? tcp_v6_do_rcv+0x1a7/0x3c0
      tcp_v6_do_rcv+0x1a7/0x3c0
      tcp_v6_rcv+0xc82/0xcf0
      ip6_input_finish+0x10d/0x690
      ip6_input+0x45/0x1e0
      ? ip6_rcv_finish+0x1d0/0x1d0
      ipv6_rcv+0x32b/0x880
      ? ip6_make_skb+0x1e0/0x1e0
      __netif_receive_skb_core+0x6f2/0xdf0
      ? process_backlog+0x85/0x250
      ? process_backlog+0x85/0x250
      ? process_backlog+0xec/0x250
      process_backlog+0xec/0x250
      net_rx_action+0x153/0x480
      __do_softirq+0xd9/0x4f7
      do_softirq_own_stack+0x2a/0x40
      </IRQ>
      ...
    
    While not present in the backtrace, ipv6_renew_option() ends up calling
    access_ok() via the following chain:
    
      access_ok()
      _copy_from_user()
      copy_from_user()
      ipv6_renew_option()
    
    The fix presented in this patch is to perform the userspace copy
    earlier in the call chain such that it is only called when the option
    data is actually coming from userspace; that place is
    do_ipv6_setsockopt().  Not only does this solve the problem seen in
    the backtrace above, it also allows us to simplify the code quite a
    bit by removing ipv6_renew_options_kern() completely.  We also take
    this opportunity to cleanup ipv6_renew_options()/ipv6_renew_option()
    a small amount as well.
    
    This patch is heavily based on a rough patch by Al Viro.  I've taken
    his original patch, converted a kmemdup() call in do_ipv6_setsockopt()
    to a memdup_user() call, made better use of the e_inval jump target in
    the same function, and cleaned up the use ipv6_renew_option() by
    ipv6_renew_options().
    
    CC: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    a9ba23d4
ipv6.h 31.4 KB