linux/fs/dlm
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00
..
ast.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
ast.h dlm: use workqueue for callbacks 2011-07-15 12:30:43 -05:00
config.c dlm: config: using strlcpy instead of strncpy 2013-06-25 12:53:06 -05:00
config.h dlm: fix deadlock between dlm_send and dlm_controld 2012-08-08 11:33:35 -05:00
debug_fs.c dlm: use rsbtbl as resource directory 2012-07-16 14:16:19 -05:00
dir.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
dir.h dlm: use rsbtbl as resource directory 2012-07-16 14:16:19 -05:00
dlm_internal.h dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
Kconfig fs/dlm: remove CONFIG_EXPERIMENTAL 2012-11-01 15:27:24 -05:00
lock.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
lock.h dlm: use rsbtbl as resource directory 2012-07-16 14:16:19 -05:00
lockspace.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
lockspace.h dlm: detect available userspace daemon 2008-08-28 11:49:43 -05:00
lowcomms.c net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
lowcomms.h dlm: fix deadlock between dlm_send and dlm_controld 2012-08-08 11:33:35 -05:00
lvb_table.h [DLM] The core of the DLM for GFS2/CLVM 2006-01-18 09:30:29 +00:00
main.c dlm: fix deadlock between dlm_send and dlm_controld 2012-08-08 11:33:35 -05:00
Makefile dlm: move plock code from gfs2 2008-04-21 11:22:28 -05:00
member.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
member.h dlm: add recovery callbacks 2012-01-04 08:56:31 -06:00
memory.c dlm: NULL dereference on failure in kmem_cache_create() 2012-05-15 10:39:28 -05:00
memory.h dlm: improve rsb searches 2011-07-12 16:02:09 -05:00
midcomms.c dlm: fix up memory allocation flags 2008-12-23 10:15:40 -06:00
midcomms.h [DLM] The core of the DLM for GFS2/CLVM 2006-01-18 09:30:29 +00:00
netlink.c genetlink: only pass array to genl_register_family_with_ops() 2013-11-19 16:39:05 -05:00
plock.c dlm: avoid unnecessary posix unlock 2013-04-08 12:03:15 -05:00
rcom.c dlm: fix unlock balance warnings 2012-08-08 11:33:49 -05:00
rcom.h dlm: use rsbtbl as resource directory 2012-07-16 14:16:19 -05:00
recover.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
recover.h dlm: use rsbtbl as resource directory 2012-07-16 14:16:19 -05:00
recoverd.c dlm: use INFO for recovery messages 2014-02-14 11:54:44 -06:00
recoverd.h dlm: fix unlock balance warnings 2012-08-08 11:33:49 -05:00
requestqueue.c dlm: fixes for nodir mode 2012-05-02 14:15:27 -05:00
requestqueue.h dlm: use proper C for dlm/requestqueue stuff (and fix alignment bug) 2008-02-04 01:21:32 -06:00
user.c dlm: remove signal blocking 2013-08-12 15:22:43 -05:00
user.h dlm: record full callback state 2011-03-10 10:40:00 -06:00
util.c dlm: do not byteswap rcom_config 2008-02-04 01:23:43 -06:00
util.h [DLM] The core of the DLM for GFS2/CLVM 2006-01-18 09:30:29 +00:00