Re: [PATCH 2/2] net/netlabel: Avoid call to genlmsg_cancel

From: Julia Lawall
Date: Fri Jan 28 2011 - 09:58:21 EST


On Fri, 28 Jan 2011, Paul Moore wrote:

> On Fri, 2011-01-28 at 15:17 +0100, Julia Lawall wrote:
> > genlmsg_cancel subtracts some constants from its second argument before
> > calling nlmsg_cancel. nlmsg_cancel then calls nlmsg_trim on the same
> > arguments. nlmsg_trim tests for NULL before doing any computation, but a
> > NULL second argument to genlmsg_cancel is no longer NULL due to the initial
> > subtraction. Nothing else happens in this execution, so the call to
> > genlmsg_cancel is simply unnecessary in this case.
> >
> > The semantic match that finds this problem is as follows:
> > (http://coccinelle.lip6.fr/)
> >
> > // <smpl>
> > @@
> > expression data;
> > @@
> >
> > if (data == NULL) { ...
> > * genlmsg_cancel(..., data);
> > ...
> > return ...;
> > }
> > // </smpl>
> >
> > Signed-off-by: Julia Lawall <julia@xxxxxxx>
>
> In all of the cases below, these functions are called multiple times to
> generate data chunks (additional netlink attributes) which are appended
> to an existing skbuff. I believe that the calls to genlmsg_cancel() are
> still needed to help cleanup in the case where the functions fail on the
> Nth call.
>
> If I'm wrong, feel free to enlighten me.

Perhaps something is needed, but I don't see how the current code can
work. The call is genlmsg_cancel(cb_arg->skb, NULL) in each case.

The definition of genlmsg_cancel is:

	static inline void genlmsg_cancel(struct sk_buff *skb, void *hdr)
	{
		nlmsg_cancel(skb, hdr - GENL_HDRLEN - NLMSG_HDRLEN);
	}

Now the second argument to nlmsg_cancel is essentially a negative integer
(or a very large pointer).

nlmsg_cancel will call nlmsg_trim, which is defined as follows:

	static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
	{
		if (mark)
			skb_trim(skb, (unsigned char *) mark - skb->data);
	}

I guess that the subtraction is going to result in an even larger negative
number. The whole process is likely to end in doing nothing in the
definition of skb_trim, which is as follows:

	void skb_trim(struct sk_buff *skb, unsigned int len)
	{
		if (skb->len > len)
			__skb_trim(skb, len);
	}

since the result of casting a negative number to unsigned is likely to be
larger than skb->len.


> > ---
> > net/netlabel/netlabel_cipso_v4.c | 2 +-
> > net/netlabel/netlabel_mgmt.c | 4 ++--
> > net/netlabel/netlabel_unlabeled.c | 2 +-
> > 3 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
> > index 5f14c84..0a1f77b 100644
> > --- a/net/netlabel/netlabel_cipso_v4.c
> > +++ b/net/netlabel/netlabel_cipso_v4.c
> > @@ -635,7 +635,7 @@ static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
> > cb_arg->seq, &netlbl_cipsov4_gnl_family,
> > NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
> > if (data == NULL)
> > - goto listall_cb_failure;
> > + return ret_val;
> >
> > ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
> > if (ret_val != 0)
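Review bot: the new `return ret_val;` on the `data == NULL` path relies on ret_val already holding an error code at that point, but its initialisation is outside the hunk's context; confirm it is set (for example to -ENOMEM) before genlmsg_put() is called rather than carrying 0 over from the declaration, since the callback would otherwise report success for an entry that was never written. The listall_cb_failure label is still needed for the nla_put_u32() failure just below, where `data` is a real header and genlmsg_cancel() trims correctly, so only this one branch should bypass it.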
> > diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
> > index 998e85e..daaa01d 100644
> > --- a/net/netlabel/netlabel_mgmt.c
> > +++ b/net/netlabel/netlabel_mgmt.c
> > @@ -452,7 +452,7 @@ static int netlbl_mgmt_listall_cb(struct netlbl_dom_map *entry, void *arg)
> > cb_arg->seq, &netlbl_mgmt_gnl_family,
> > NLM_F_MULTI, NLBL_MGMT_C_LISTALL);
> > if (data == NULL)
> > - goto listall_cb_failure;
> > + return ret_val;
> >
> > ret_val = netlbl_mgmt_listentry(cb_arg->skb, entry);
> > if (ret_val != 0)
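Review bot: this is the case Paul raises, genlmsg_put() failing on the Nth entry because cb_arg->skb is full; returning ret_val here ends the callback without touching the skb, which is the intended outcome only if the entries already appended are meant to be delivered as they stand, and the label is still taken when netlbl_mgmt_listentry() fails with a header in place. It would help the changelog to say explicitly that a NULL return from genlmsg_put() means nothing was appended to the skb, so there is no partial message for genlmsg_cancel() to trim; that is the argument that makes the goto unnecessary rather than merely harmless.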
> > @@ -617,7 +617,7 @@ static int netlbl_mgmt_protocols_cb(struct sk_buff *skb,
> > &netlbl_mgmt_gnl_family, NLM_F_MULTI,
> > NLBL_MGMT_C_PROTOCOLS);
> > if (data == NULL)
> > - goto protocols_cb_failure;
> > + return ret_val;
> >
> > ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, protocol);
> > if (ret_val != 0)
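Review bot: this callback now has two exits for failures that differ only in whether `data` is NULL (`return ret_val` here, `goto protocols_cb_failure` after nla_put_u32()); an alternative with a single exit would be to keep the goto and guard the cleanup at the label with `if (data)` before genlmsg_cancel(skb, data), which makes the reason for skipping the cancel visible at the point where it happens. Either way the value of ret_val on this path needs the same confirmation as in the earlier hunks, and note that here the skb is the function's own parameter rather than cb_arg->skb, so the early return hands it back to the caller unchanged.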
> > diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
> > index e2b0a68..b5d3945 100644
> > --- a/net/netlabel/netlabel_unlabeled.c
> > +++ b/net/netlabel/netlabel_unlabeled.c
> > @@ -1141,7 +1141,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
> > cb_arg->seq, &netlbl_unlabel_gnl_family,
> > NLM_F_MULTI, cmd);
> > if (data == NULL)
> > - goto list_cb_failure;
> > + return ret_val;
> >
> > if (iface->ifindex > 0) {
> > dev = dev_get_by_index(&init_net, iface->ifindex);
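Review bot: the early return sits before dev_get_by_index(), so no device reference has been taken when genlmsg_put() returns NULL and nothing needs releasing on this path; list_cb_failure must stay for the failures after `dev` is acquired, whose cleanup is outside the visible context. As with the other three hunks, ret_val must already be a negative error code here, and this is the one function that is shared by more than one dump command (`cmd` is a parameter), so check that every caller treats the non-zero return the same way.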
> >
>
> --
> paul moore
> linux @ hp
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
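Julia's reply above reasons through the pointer arithmetic by hand. The following is an added example of my own, not code from the thread, from NetLabel or from the kernel: a user-space mock of the genlmsg_cancel() -> nlmsg_cancel() -> nlmsg_trim() -> skb_trim() chain. The kernel performs the subtraction on a NULL `void *`, which is undefined in ISO C, so the mock carries addresses as uint64_t integers (my assumption: a 64-bit kernel; on 32-bit the low 32 bits, and therefore the length handed to skb_trim(), are the same) and reproduces the integer arithmetic the kernel build effectively performs. Header sizes follow Linux (nlmsghdr is 16 bytes, genlmsghdr 4 bytes, both NLMSG_ALIGN'd); the struct, function names and addresses are constructed for the example. It goes one step beyond the reply: the length that reaches skb_trim() depends on the low 32 bits of skb->data, so the "does nothing" outcome holds for most addresses but not all.

```c
/* Added example, not code from the thread or the kernel: user-space mock of
 * genlmsg_cancel(skb, NULL) as discussed in the reply above.  Addresses are
 * uint64_t so the program has no undefined behaviour of its own. */
#include <stdint.h>
#include <stdio.h>

#define NLMSG_HDRLEN 16u   /* NLMSG_ALIGN(sizeof(struct nlmsghdr)) on Linux */
#define GENL_HDRLEN   4u   /* NLMSG_ALIGN(sizeof(struct genlmsghdr)) on Linux */

/* Minimal stand-in for the two sk_buff fields the chain touches. */
struct mock_skb {
	uint64_t data;      /* address skb->data would hold (assumed 64-bit kernel) */
	unsigned int len;   /* bytes currently in the buffer */
};

/* nlmsg_trim(): new length is (mark - skb->data); skb_trim() takes an
 * unsigned int, so the difference is truncated to its low 32 bits. */
static unsigned int mock_nlmsg_trim_len(const struct mock_skb *skb, uint64_t mark)
{
	return (unsigned int)(mark - skb->data);
}

/* skb_trim(): only ever shrinks the buffer, never grows it. */
static void mock_skb_trim(struct mock_skb *skb, unsigned int len)
{
	if (skb->len > len)
		skb->len = len;
}

/* nlmsg_cancel() -> nlmsg_trim(): the NULL check happens here, on the
 * already-subtracted mark, which is why it never fires for a NULL hdr. */
static void mock_nlmsg_cancel(struct mock_skb *skb, uint64_t mark)
{
	if (mark)
		mock_skb_trim(skb, mock_nlmsg_trim_len(skb, mark));
}

/* genlmsg_cancel(): hdr points past the nlmsghdr and genlmsghdr, so step
 * back over both.  With hdr == 0 this wraps to UINT64_MAX - 19: non-NULL. */
static void mock_genlmsg_cancel(struct mock_skb *skb, uint64_t hdr)
{
	mock_nlmsg_cancel(skb, hdr - GENL_HDRLEN - NLMSG_HDRLEN);
}

/* Length left in a buffer at data_addr holding len bytes after
 * genlmsg_cancel(skb, NULL), i.e. the call the patch removes. */
unsigned int len_after_null_cancel(uint64_t data_addr, unsigned int len)
{
	struct mock_skb skb = { data_addr, len };
	mock_genlmsg_cancel(&skb, 0);
	return skb.len;
}

/* Length left after a normal cancel of a message whose generic netlink
 * payload (the `data` returned by genlmsg_put()) starts hdr_off bytes in. */
unsigned int len_after_real_cancel(uint64_t data_addr, unsigned int len,
				   unsigned int hdr_off)
{
	struct mock_skb skb = { data_addr, len };
	mock_genlmsg_cancel(&skb, data_addr + hdr_off);
	return skb.len;
}

int main(void)
{
	/* Constructed addresses, 4096 bytes already in the buffer. */
	printf("%u\n", len_after_null_cancel(0xffff880012345000ull, 4096)); /* 4096: no-op */
	printf("%u\n", len_after_null_cancel(0xffff8800fffffe00ull, 4096)); /* 492: trimmed */
	printf("%u\n", len_after_real_cancel(0xffff880012345000ull, 4096, 1024)); /* 1004 */
	return 0;
}
```

The first address gives a 32-bit length of 0xEDCBAFEC, far above skb->len, so skb_trim() does nothing, matching the reply's expectation. The second is chosen so that the low 32 bits of skb->data lie within 20 bytes below the wrapped mark; the truncated difference is then 492, smaller than skb->len, and skb_trim() silently discards most of the buffer. The real cancel with a non-NULL header trims back to exactly the start of that message (1024 - 20 = 1004 bytes), which is the behaviour the remaining goto paths in the patch still depend on.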