summaryrefslogtreecommitdiff
path: root/net/rds/send.c
diff options
context:
space:
mode:
authorshamir rabinovitch <shamir.rabinovitch@oracle.com>2018-12-16 09:01:09 +0200
committerDavid S. Miller <davem@davemloft.net>2018-12-19 10:27:58 -0800
commitc75ab8a55ac1083c232e4407f52b0cadae6c1e0e (patch)
treee83b619d72b6c229928260b1a9644c79ba08dda5 /net/rds/send.c
parentea010070d0a7497253d5a6f919f6dd107450b31a (diff)
net/rds: remove user triggered WARN_ON in rds_sendmsg
per comment from Leon in rdma mailing list https://lkml.org/lkml/2018/10/31/312 : Please don't forget to remove user triggered WARN_ON. https://lwn.net/Articles/769365/ "Greg Kroah-Hartman raised the problem of core kernel API code that will use WARN_ON_ONCE() to complain about bad usage; that will not generate the desired result if WARN_ON_ONCE() is configured to crash the machine. He was told that the code should just call pr_warn() instead, and that the called function should return an error in such situations. It was generally agreed that any WARN_ON() or WARN_ON_ONCE() calls that can be triggered from user space need to be fixed." in addition harden rds_sendmsg to detect and overcome issues with invalid sg count and fail the sendmsg. Suggested-by: Leon Romanovsky <leon@kernel.org> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: shamir rabinovitch <shamir.rabinovitch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rds/send.c')
-rw-r--r--net/rds/send.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/net/rds/send.c b/net/rds/send.c
index ec2267cbf85f..b39b30706210 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -886,6 +886,9 @@ static int rds_rm_size(struct msghdr *msg, int num_sgs,
bool zcopy_cookie = false;
struct rds_iov_vector *iov, *tmp_iov;
+ if (num_sgs < 0)
+ return -EINVAL;
+
for_each_cmsghdr(cmsg, msg) {
if (!CMSG_OK(msg, cmsg))
return -EINVAL;
@@ -1259,11 +1262,9 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
/* Attach data to the rm */
if (payload_len) {
- rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
- if (!rm->data.op_sg) {
- ret = -ENOMEM;
+ rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs, &ret);
+ if (!rm->data.op_sg)
goto out;
- }
ret = rds_message_copy_from_user(rm, &msg->msg_iter, zcopy);
if (ret)
goto out;