/* * netsniff-ng - the packet sniffing beast * By Daniel Borkmann * Copyright 2012 Daniel Borkmann , * Swiss federal institute of technology (ETH Zurich) * Subject to the GPL, version 2. */ /* lex-func-prefix: yy */ %{ #include #include #include #include #include "bpf_parser.tab.h" #include "xmalloc.h" extern void yyerror(const char *); %} %option align %option nounput %option noyywrap %option noreject %option 8bit %option caseless %option noinput %option nodefault number_oct ([0][0-9]+) number_hex ([0][x][a-fA-F0-9]+) number_bin ([0][b][0-1]+) number_dec (([0])|([-+]?[1-9][0-9]*)) label [a-zA-Z_][a-zA-Z0-9_]+ %% "ldb" { return OP_LDB; } "ldh" { return OP_LDH; } "ld" { return OP_LD; } "ldi" { return OP_LDI; } "ldx" { return OP_LDX; } "ldxi" { return OP_LDXI; } "ldxb" { return OP_LDXB; } "st" { return OP_ST; } "stx" { return OP_STX; } "jmp"|"ja" { return OP_JMP; } "jeq" { return OP_JEQ; } "jneq"|"jne" { return OP_JNEQ; } "jlt" { return OP_JLT; } "jle" { return OP_JLE; } "jgt" { return OP_JGT; } "jge" { return OP_JGE; } "jset" { return OP_JSET; } "add" { return OP_ADD; } "sub" { return OP_SUB; } "mul" { return OP_MUL; } "div" { return OP_DIV; } "mod" { return OP_MOD; } "neg" { return OP_NEG; } "and" { return OP_AND; } "xor" { return OP_XOR; } "or" { return OP_OR; } "lsh" { return OP_LSH; } "rsh" { return OP_RSH; } "ret" { return OP_RET; } "tax" { return OP_TAX; } "txa" { return OP_TXA; } "#"?("len"|"pktlen") { return K_PKT_LEN; } "#"?("pto"|"proto") { return K_PROTO; } "#"?("type") { return K_TYPE; } "#"?("poff") { return K_POFF; } "#"?("ifx"|"ifidx") { return K_IFIDX; } "#"?("nla") { return K_NLATTR; } "#"?("nlan") { return K_NLATTR_NEST; } "#"?("mark") { return K_MARK; } "#"?("que"|"queue"|"Q") { return K_QUEUE; } "#"?("hat"|"hatype") { return K_HATYPE; } "#"?("rxh"|"rxhash") { return K_RXHASH; } "#"?("cpu") { return K_CPU; } "#"?("vlant"|"vlan_tci") { return K_VLANT; } "#"?("vlana"|"vlan_acc") { return K_VLANP; } "#"?("vlanp") { return K_VLANP; } ":" { return ':'; } "," { return ','; } "#" { return '#'; } "[" { return '['; } "]" { return ']'; } "(" { return '('; } ")" { return ')'; } "x" { return 'x'; } "a" { return 'a'; } "+" { return '+'; } "M" { return 'M'; } "*" { return '*'; } "&" { return '&'; } {number_hex} { yylval.number = strtoul(yytext, NULL, 16); return number; } {number_oct} { yylval.number = strtol(yytext + 1, NULL, 8); return number; } {number_bin} { yylval.number = strtol(yytext + 2, NULL, 2); return number; } {number_dec} { yylval.number = strtol(yytext, NULL, 10); return number; } {label} { yylval.label = xstrdup(yytext); return label; } "/*"([^\*]|\*[^/])*"*/" { /* NOP */ } ";"[^\n]* {/* NOP */} ^#.* {/* NOP */} "\n" { yylineno++; } [ \t]+ {/* NOP */ } . { printf("Unknown character '%s'", yytext); yyerror("lex Unknown character"); } %% a7252d276a57126d56c7d37e64'>arch

diff options

author	Eric Dumazet <edumazet@google.com>	2017-01-27 08:11:44 -0800
committer	David S. Miller <davem@davemloft.net>	2017-01-29 18:30:56 -0500
commit	f1712c73714088a7252d276a57126d56c7d37e64 (patch)
tree	962ee49daf8d1cba8403fcf03b315d4a142ec944 /arch
parent	dc97a89e726c4e1830320d1db8215ef77ecebae0 (diff)

can: Fix kernel panic at security_sock_rcv_skb

Zhang Yanmin reported crashes [1] and provided a patch adding a synchronize_rcu() call in can_rx_unregister() The main problem seems that the sockets themselves are not RCU protected. If CAN uses RCU for delivery, then sockets should be freed only after one RCU grace period. Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's ease stable backports with the following fix instead. [1] BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0 Call Trace: <IRQ> [<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60 [<ffffffff81d55771>] sk_filter+0x41/0x210 [<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0 [<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0 [<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370 [<ffffffff81f07af9>] can_receive+0xd9/0x120 [<ffffffff81f07beb>] can_rcv+0xab/0x100 [<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0 [<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0 [<ffffffff81d37f67>] process_backlog+0x127/0x280 [<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0 [<ffffffff810c88d4>] __do_softirq+0x184/0x440 [<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30 <EOI> [<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40 [<ffffffff810c8bed>] do_softirq+0x1d/0x20 [<ffffffff81d30085>] netif_rx_ni+0xe5/0x110 [<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520 [<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230 [<ffffffff810e3baf>] process_one_work+0x24f/0x670 [<ffffffff810e44ed>] worker_thread+0x9d/0x6f0 [<ffffffff810e4450>] ? rescuer_thread+0x480/0x480 [<ffffffff810ebafc>] kthread+0x12c/0x150 [<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70 Reported-by: Zhang Yanmin <yanmin.zhang@intel.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'arch')