can: Fix raw_getname() leak
1 /*
2 * raw.c - Raw sockets for protocol family CAN
4 * Copyright (c) 2002-2007 Volkswagen Group Electronic Research
5 * All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of Volkswagen nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * Alternatively, provided that this notice is retained in full, this
20 * software may be distributed under the terms of the GNU General
21 * Public License ("GPL") version 2, in which case the provisions of the
22 * GPL apply INSTEAD OF those given above.
24 * The provided data structures and external interfaces from this code
25 * are not restricted to be used by modules with a GPL compatible license.
27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
30 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
31 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
32 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
33 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
37 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
38 * DAMAGE.
40 * Send feedback to <socketcan-users@lists.berlios.de>
44 #include <linux/module.h>
45 #include <linux/init.h>
46 #include <linux/uio.h>
47 #include <linux/net.h>
48 #include <linux/netdevice.h>
49 #include <linux/socket.h>
50 #include <linux/if_arp.h>
51 #include <linux/skbuff.h>
52 #include <linux/can.h>
53 #include <linux/can/core.h>
54 #include <linux/can/raw.h>
55 #include <net/sock.h>
56 #include <net/net_namespace.h>
/* The raw protocol reports the same revision string as the CAN core. */
#define CAN_RAW_VERSION CAN_VERSION

/* Printed once from raw_module_init(); lives in init memory only. */
static __initdata const char banner[] =
	KERN_INFO "can: raw protocol (rev " CAN_RAW_VERSION ")\n";

MODULE_DESCRIPTION("PF_CAN raw protocol");
MODULE_LICENSE("Dual BSD/GPL");
MODULE_AUTHOR("Urs Thuermann <urs.thuermann@volkswagen.de>");

/* can_mask of the default filter installed by raw_init(). */
#define MASK_ALL 0
/*
 * Per-socket state of a CAN raw socket.
 *
 * Every raw socket carries a list of can_filters; a CAN frame is
 * delivered to the socket when it matches one of them, and an empty
 * list means nothing is received.  A freshly opened socket starts with
 * a single filter that receives all frames.
 *
 * Filter lists are allocated dynamically, except for the common case
 * of exactly one entry: that entry is stored in dfilter so no dynamic
 * memory is needed.  Code that frees the list therefore only calls
 * kfree() when count is greater than one.
 */
struct raw_sock {
	struct sock sk;			/* must stay first: raw_sk() casts sock -> raw_sock */
	int bound;			/* non-zero once raw_bind() succeeded */
	int ifindex;			/* bound interface index, 0 if none */
	struct notifier_block notifier;	/* netdevice events, see raw_notifier() */
	int loopback;			/* CAN_RAW_LOOPBACK option value */
	int recv_own_msgs;		/* CAN_RAW_RECV_OWN_MSGS option value */
	int count;			/* number of active filters */
	struct can_filter dfilter;	/* default/single filter */
	struct can_filter *filter;	/* pointer to filter(s) */
	can_err_mask_t err_mask;	/* CAN_RAW_ERR_FILTER option value */
};
/*
 * Convert a struct sock pointer into the raw_sock that contains it.
 * This is a plain cast and relies on sk being the first member of
 * struct raw_sock.
 */
static inline struct raw_sock *raw_sk(const struct sock *sk)
{
	return (struct raw_sock *)sk;
}
/*
 * Receive callback registered with the CAN core for every filter of a
 * raw socket.
 *
 * @skb:  the received CAN frame (not owned by this function)
 * @data: the struct sock that was passed to can_rx_register()
 *
 * A clone of the frame is queued on the socket.  The originating
 * interface index is handed to raw_recvmsg() through a struct
 * sockaddr_can stored in the clone's control buffer (skb->cb).
 */
static void raw_rcv(struct sk_buff *skb, void *data)
{
	struct sock *rx_sk = (struct sock *)data;
	struct sockaddr_can *cb_addr;
	struct sk_buff *clone;

	/* frames sent by this very socket are dropped unless it asked for them */
	if (!raw_sk(rx_sk)->recv_own_msgs && skb->sk == rx_sk)
		return;

	/* the original skb is shared; only a clone may go into the rcv queue */
	clone = skb_clone(skb, GFP_ATOMIC);
	if (!clone)
		return;

	/* the control buffer must be large enough to hold the address */
	BUILD_BUG_ON(sizeof(clone->cb) < sizeof(struct sockaddr_can));

	/*
	 * Zero the whole address first: raw_recvmsg() copies all of it to
	 * the caller, so no field may be left with stale contents.
	 */
	cb_addr = (struct sockaddr_can *)clone->cb;
	memset(cb_addr, 0, sizeof(*cb_addr));
	cb_addr->can_family = AF_CAN;
	cb_addr->can_ifindex = clone->dev->ifindex;

	/* on failure the clone is still ours and has to be released */
	if (sock_queue_rcv_skb(rx_sk, clone) < 0)
		kfree_skb(clone);
}
/*
 * Register raw_rcv() with the CAN core for each of the @count entries
 * in @filter on device @dev.
 *
 * Returns 0 when every registration succeeded (or @count is not
 * positive).  On the first failure all registrations made so far are
 * undone and the error from can_rx_register() is returned, so the call
 * is all-or-nothing.
 */
static int raw_enable_filters(struct net_device *dev, struct sock *sk,
			      struct can_filter *filter, int count)
{
	int done;
	int err = 0;

	for (done = 0; done < count; done++) {
		err = can_rx_register(dev, filter[done].can_id,
				      filter[done].can_mask,
				      raw_rcv, sk, "raw");
		if (err)
			goto unwind;
	}

	return err;

unwind:
	/* entry 'done' failed; roll back entries done-1 .. 0 */
	while (--done >= 0)
		can_rx_unregister(dev, filter[done].can_id,
				  filter[done].can_mask,
				  raw_rcv, sk);

	return err;
}
/*
 * Register raw_rcv() for CAN error frames selected by @err_mask on
 * @dev.  An empty mask registers nothing and returns 0; otherwise the
 * result of can_rx_register() is returned.
 */
static int raw_enable_errfilter(struct net_device *dev, struct sock *sk,
				can_err_mask_t err_mask)
{
	if (!err_mask)
		return 0;

	return can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
			       raw_rcv, sk, "raw");
}
/*
 * Unregister raw_rcv() for each of the @count entries in @filter on
 * device @dev.  Counterpart of raw_enable_filters().
 */
static void raw_disable_filters(struct net_device *dev, struct sock *sk,
				struct can_filter *filter, int count)
{
	int idx = 0;

	while (idx < count) {
		can_rx_unregister(dev, filter[idx].can_id,
				  filter[idx].can_mask, raw_rcv, sk);
		idx++;
	}
}
/*
 * Unregister the error frame receiver for @err_mask on @dev.  Nothing
 * was registered for an empty mask, so nothing is undone for it.
 */
static inline void raw_disable_errfilter(struct net_device *dev,
					 struct sock *sk,
					 can_err_mask_t err_mask)
{
	if (!err_mask)
		return;

	can_rx_unregister(dev, 0, err_mask | CAN_ERR_FLAG, raw_rcv, sk);
}
/*
 * Drop every receiver the socket currently has on @dev: first the
 * frame filters in ro->filter, then the error mask.
 */
static inline void raw_disable_allfilters(struct net_device *dev,
					  struct sock *sk)
{
	struct raw_sock *rsk = raw_sk(sk);

	raw_disable_filters(dev, sk, rsk->filter, rsk->count);
	raw_disable_errfilter(dev, sk, rsk->err_mask);
}
/*
 * Register the socket's frame filters and its error mask on @dev.
 *
 * Returns 0 on success.  If the error mask cannot be registered the
 * frame filters registered just before are removed again, so on error
 * nothing stays registered.
 */
static int raw_enable_allfilters(struct net_device *dev, struct sock *sk)
{
	struct raw_sock *rsk = raw_sk(sk);
	int err;

	err = raw_enable_filters(dev, sk, rsk->filter, rsk->count);
	if (err)
		return err;

	err = raw_enable_errfilter(dev, sk, rsk->err_mask);
	if (err)
		raw_disable_filters(dev, sk, rsk->filter, rsk->count);

	return err;
}
/*
 * Netdevice notifier callback, one instance per raw socket.
 *
 * Only events for a CAN device in init_net whose ifindex equals the
 * socket's bound ifindex are handled:
 *
 *  NETDEV_UNREGISTER: the receivers are removed, a dynamically
 *                     allocated filter list is freed, the socket is
 *                     reset to the unbound state and ENODEV is
 *                     reported on it.
 *  NETDEV_DOWN:       ENETDOWN is reported on the socket.
 *
 * Always returns NOTIFY_DONE.
 */
static int raw_notifier(struct notifier_block *nb,
			unsigned long msg, void *data)
{
	struct net_device *dev = (struct net_device *)data;
	struct raw_sock *ro = container_of(nb, struct raw_sock, notifier);
	struct sock *sk = &ro->sk;
	int reported;

	if (!net_eq(dev_net(dev), &init_net) ||
	    dev->type != ARPHRD_CAN ||
	    ro->ifindex != dev->ifindex)
		return NOTIFY_DONE;

	if (msg == NETDEV_UNREGISTER) {
		lock_sock(sk);

		/* remove current filters & unregister */
		if (ro->bound)
			raw_disable_allfilters(dev, sk);

		/* only lists with more than one entry were kmalloc'ed */
		if (ro->count > 1)
			kfree(ro->filter);

		/* count is cleared as well, so ro->filter is not used again */
		ro->ifindex = 0;
		ro->bound = 0;
		ro->count = 0;

		release_sock(sk);

		reported = ENODEV;
	} else if (msg == NETDEV_DOWN) {
		reported = ENETDOWN;
	} else {
		return NOTIFY_DONE;
	}

	/* the error is posted without holding the socket lock */
	sk->sk_err = reported;
	if (!sock_flag(sk, SOCK_DEAD))
		sk->sk_error_report(sk);

	return NOTIFY_DONE;
}
/*
 * Initialise the raw-socket specific part of a new sock: unbound, one
 * default filter held in dfilter, loopback on, own messages off, and a
 * netdevice notifier registered for the socket.  Always returns 0.
 */
static int raw_init(struct sock *sk)
{
	struct raw_sock *rsk = raw_sk(sk);

	/* not bound to any interface yet */
	rsk->ifindex = 0;
	rsk->bound = 0;

	/* default filter: the single entry kept in dfilter */
	rsk->dfilter.can_mask = MASK_ALL;
	rsk->dfilter.can_id = 0;
	rsk->count = 1;
	rsk->filter = &rsk->dfilter;

	/* default loopback behaviour */
	rsk->recv_own_msgs = 0;
	rsk->loopback = 1;

	/* raw_notifier() is undone again in raw_release() */
	rsk->notifier.notifier_call = raw_notifier;
	register_netdevice_notifier(&rsk->notifier);

	return 0;
}
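/*
 * Release a raw socket: stop netdevice notifications, remove all
 * receivers registered for the socket, free a dynamically allocated
 * filter list and drop the socket reference.
 *
 * Returns 0.
 */
static int raw_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro;

	/*
	 * Nothing in this file guarantees that a sock is attached when
	 * release is called.  Without this guard a NULL sock->sk would be
	 * dereferenced right below, in the notifier unregistration.
	 */
	if (!sk)
		return 0;

	ro = raw_sk(sk);

	/* registered in raw_init(); must go before the state is torn down */
	unregister_netdevice_notifier(&ro->notifier);

	lock_sock(sk);

	/* remove current filters & unregister */
	if (ro->bound) {
		if (ro->ifindex) {
			struct net_device *dev;

			/* the device may have vanished since bind() */
			dev = dev_get_by_index(&init_net, ro->ifindex);
			if (dev) {
				raw_disable_allfilters(dev, sk);
				dev_put(dev);
			}
		} else
			raw_disable_allfilters(NULL, sk);
	}

	/* a single filter lives in ro->dfilter and was never kmalloc'ed */
	if (ro->count > 1)
		kfree(ro->filter);

	ro->ifindex = 0;
	ro->bound = 0;
	ro->count = 0;

	release_sock(sk);
	sock_put(sk);

	return 0;
}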
/*
 * Bind a raw socket to the CAN interface named by can_ifindex in
 * @uaddr, or to a NULL device when can_ifindex is 0.
 *
 * The receivers are registered on the new target first; only when that
 * succeeded are the receivers of a previous binding removed, so a
 * failed re-bind leaves the old binding untouched.
 *
 * Returns 0 on success, -EINVAL if @len is shorter than a struct
 * sockaddr_can, -ENODEV if the interface does not exist or is not a
 * CAN device, or the error from raw_enable_allfilters().  If the
 * interface is not up, ENETDOWN is additionally reported on the socket.
 *
 * NOTE(review): only the length of the address is validated here;
 * addr->can_family is not compared with AF_CAN.  Confirm whether
 * callers rely on that.
 */
static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
{
	struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	int new_ifindex;
	int dev_is_down = 0;
	int err = 0;

	if (len < sizeof(*addr))
		return -EINVAL;

	lock_sock(sk);

	/* already bound to exactly this interface: nothing to do */
	if (ro->bound && addr->can_ifindex == ro->ifindex)
		goto out;

	if (!addr->can_ifindex) {
		new_ifindex = 0;

		/* filters set by default/setsockopt */
		err = raw_enable_allfilters(NULL, sk);
	} else {
		struct net_device *new_dev;

		new_dev = dev_get_by_index(&init_net, addr->can_ifindex);
		if (!new_dev) {
			err = -ENODEV;
			goto out;
		}
		if (new_dev->type != ARPHRD_CAN) {
			dev_put(new_dev);
			err = -ENODEV;
			goto out;
		}
		/* binding to a down interface is allowed but reported */
		if (!(new_dev->flags & IFF_UP))
			dev_is_down = 1;

		new_ifindex = new_dev->ifindex;

		/* filters set by default/setsockopt */
		err = raw_enable_allfilters(new_dev, sk);
		dev_put(new_dev);
	}

	if (err)
		goto out;

	if (ro->bound) {
		/* unregister old filters */
		if (ro->ifindex) {
			struct net_device *old_dev;

			old_dev = dev_get_by_index(&init_net, ro->ifindex);
			if (old_dev) {
				raw_disable_allfilters(old_dev, sk);
				dev_put(old_dev);
			}
		} else
			raw_disable_allfilters(NULL, sk);
	}
	ro->ifindex = new_ifindex;
	ro->bound = 1;

out:
	release_sock(sk);

	if (dev_is_down) {
		sk->sk_err = ENETDOWN;
		if (!sock_flag(sk, SOCK_DEAD))
			sk->sk_error_report(sk);
	}

	return err;
}
/*
 * Report the local address of a raw socket.
 *
 * @uaddr: buffer that receives a struct sockaddr_can
 * @len:   set to sizeof(struct sockaddr_can)
 * @peer:  non-zero asks for the peer address, which is not supported
 *
 * Returns 0, or -EOPNOTSUPP when @peer is set.
 */
static int raw_getname(struct socket *sock, struct sockaddr *uaddr,
		       int *len, int peer)
{
	struct sockaddr_can *can_addr = (struct sockaddr_can *)uaddr;
	struct raw_sock *ro = raw_sk(sock->sk);

	if (peer)
		return -EOPNOTSUPP;

	/*
	 * Clear the complete structure before filling it in.  Only two
	 * fields are assigned below, while *len reports the full size, so
	 * without the memset the remaining bytes would be handed to the
	 * caller with whatever the buffer held before.
	 */
	memset(can_addr, 0, sizeof(*can_addr));
	can_addr->can_family = AF_CAN;
	can_addr->can_ifindex = ro->ifindex;

	*len = sizeof(*can_addr);

	return 0;
}
/*
 * Set a SOL_CAN_RAW socket option.
 *
 *  CAN_RAW_FILTER:        @optval is an array of struct can_filter and
 *                         @optlen must be a multiple of its size.  On a
 *                         bound socket the new filters are registered
 *                         before the old ones are removed, so a failure
 *                         keeps the previous list intact.
 *  CAN_RAW_ERR_FILTER:    @optval is a can_err_mask_t, masked with
 *                         CAN_ERR_MASK; same register-then-remove order.
 *  CAN_RAW_LOOPBACK,
 *  CAN_RAW_RECV_OWN_MSGS: @optval is an int copied into the socket.
 *
 * Returns 0 on success, -EINVAL for a wrong level or length, -ENOMEM,
 * -EFAULT, -ENOPROTOOPT for an unknown option, or the error from the
 * registration helpers.
 *
 * NOTE(review): the number of filters is limited only by @optlen being
 * a non-negative int; no explicit upper bound on the list length is
 * visible in this function, so the kmalloc() size is caller-chosen.
 */
static int raw_setsockopt(struct socket *sock, int level, int optname,
			  char __user *optval, int optlen)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	struct can_filter *new_filters = NULL;	/* dyn. alloc'ed filters */
	struct can_filter single;		/* single filter */
	struct net_device *dev = NULL;
	can_err_mask_t new_mask = 0;
	int nfilters = 0;
	int err = 0;

	if (level != SOL_CAN_RAW)
		return -EINVAL;
	if (optlen < 0)
		return -EINVAL;

	switch (optname) {

	case CAN_RAW_FILTER:
		if (optlen % sizeof(struct can_filter) != 0)
			return -EINVAL;

		nfilters = optlen / sizeof(struct can_filter);

		if (nfilters > 1) {
			/* filter does not fit into dfilter => alloc space */
			new_filters = kmalloc(optlen, GFP_KERNEL);
			if (!new_filters)
				return -ENOMEM;

			if (copy_from_user(new_filters, optval, optlen)) {
				kfree(new_filters);
				return -EFAULT;
			}
		} else if (nfilters == 1) {
			if (copy_from_user(&single, optval, optlen))
				return -EFAULT;
		}

		lock_sock(sk);

		if (ro->bound && ro->ifindex)
			dev = dev_get_by_index(&init_net, ro->ifindex);

		if (ro->bound) {
			/* (try to) register the new filters */
			err = raw_enable_filters(dev, sk,
						 nfilters == 1 ? &single
							       : new_filters,
						 nfilters);
			if (err) {
				/* the old list stays in place, drop the new one */
				if (nfilters > 1)
					kfree(new_filters);
				goto out_fil;
			}

			/* remove old filter registrations */
			raw_disable_filters(dev, sk, ro->filter, ro->count);
		}

		/* remove old filter space */
		if (ro->count > 1)
			kfree(ro->filter);

		/* link new filters to the socket */
		if (nfilters == 1) {
			/* copy filter data for single filter */
			ro->dfilter = single;
			new_filters = &ro->dfilter;
		}
		ro->filter = new_filters;
		ro->count = nfilters;

 out_fil:
		if (dev)
			dev_put(dev);

		release_sock(sk);

		break;

	case CAN_RAW_ERR_FILTER:
		if (optlen != sizeof(new_mask))
			return -EINVAL;

		if (copy_from_user(&new_mask, optval, optlen))
			return -EFAULT;

		new_mask &= CAN_ERR_MASK;

		lock_sock(sk);

		if (ro->bound && ro->ifindex)
			dev = dev_get_by_index(&init_net, ro->ifindex);

		/* replace the current error mask */
		if (ro->bound) {
			/* (try to) register the new err_mask */
			err = raw_enable_errfilter(dev, sk, new_mask);

			if (err)
				goto out_err;

			/* remove old err_mask registration */
			raw_disable_errfilter(dev, sk, ro->err_mask);
		}

		/* link new err_mask to the socket */
		ro->err_mask = new_mask;

 out_err:
		if (dev)
			dev_put(dev);

		release_sock(sk);

		break;

	case CAN_RAW_LOOPBACK:
		if (optlen != sizeof(ro->loopback))
			return -EINVAL;

		if (copy_from_user(&ro->loopback, optval, optlen))
			return -EFAULT;

		break;

	case CAN_RAW_RECV_OWN_MSGS:
		if (optlen != sizeof(ro->recv_own_msgs))
			return -EINVAL;

		if (copy_from_user(&ro->recv_own_msgs, optval, optlen))
			return -EFAULT;

		break;

	default:
		return -ENOPROTOOPT;
	}
	return err;
}
/*
 * Read a SOL_CAN_RAW socket option.
 *
 * The caller passes its buffer size in *@optlen.  At most that many
 * bytes are copied to @optval, never more than the size of the option
 * itself, and the number of bytes copied is written back to *@optlen.
 *
 * Returns 0 on success, -EINVAL for a wrong level or a negative length,
 * -EFAULT if user memory cannot be accessed, -ENOPROTOOPT for an
 * unknown option.
 */
static int raw_getsockopt(struct socket *sock, int level, int optname,
			  char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	size_t opt_size;
	void *val;
	int len;
	int err = 0;

	if (level != SOL_CAN_RAW)
		return -EINVAL;
	if (get_user(len, optlen))
		return -EFAULT;
	if (len < 0)
		return -EINVAL;

	switch (optname) {

	case CAN_RAW_FILTER:
		/* the list can change under setsockopt(), so copy it locked */
		lock_sock(sk);
		if (ro->count > 0) {
			int fsize = ro->count * sizeof(struct can_filter);

			/* never copy more than the list actually holds */
			if (len > fsize)
				len = fsize;
			if (copy_to_user(optval, ro->filter, len))
				err = -EFAULT;
		} else
			len = 0;
		release_sock(sk);

		if (!err)
			err = put_user(len, optlen);
		return err;

	case CAN_RAW_ERR_FILTER:
		opt_size = sizeof(can_err_mask_t);
		val = &ro->err_mask;
		break;

	case CAN_RAW_LOOPBACK:
		opt_size = sizeof(int);
		val = &ro->loopback;
		break;

	case CAN_RAW_RECV_OWN_MSGS:
		opt_size = sizeof(int);
		val = &ro->recv_own_msgs;
		break;

	default:
		return -ENOPROTOOPT;
	}

	/* clamp to the option's size so nothing beyond it is copied out */
	if (len > opt_size)
		len = opt_size;

	if (put_user(len, optlen))
		return -EFAULT;
	if (copy_to_user(optval, val, len))
		return -EFAULT;
	return 0;
}
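/*
 * Send one CAN frame on a raw socket.
 *
 * The outgoing interface is taken from the address in msg->msg_name if
 * one is given, otherwise from the interface the socket is bound to.
 * @size must be exactly sizeof(struct can_frame).
 *
 * Returns @size on success.  Errors: -EINVAL for a bad address or
 * size, -ENXIO if the interface does not exist, or the error from skb
 * allocation, the iovec copy, timestamping or can_send().
 */
static int raw_sendmsg(struct kiocb *iocb, struct socket *sock,
		       struct msghdr *msg, size_t size)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	struct sk_buff *skb;
	struct net_device *dev;
	int ifindex;
	int err;

	if (msg->msg_name) {
		struct sockaddr_can *addr =
			(struct sockaddr_can *)msg->msg_name;

		/*
		 * The address is caller-supplied and may be shorter than a
		 * sockaddr_can.  Reject it before reading any field, or
		 * can_family/can_ifindex would be taken from bytes the
		 * caller never provided.
		 */
		if (msg->msg_namelen < sizeof(*addr))
			return -EINVAL;

		if (addr->can_family != AF_CAN)
			return -EINVAL;

		ifindex = addr->can_ifindex;
	} else
		ifindex = ro->ifindex;

	if (size != sizeof(struct can_frame))
		return -EINVAL;

	/* holds a device reference until dev_put() below */
	dev = dev_get_by_index(&init_net, ifindex);
	if (!dev)
		return -ENXIO;

	/* on failure err has been filled in by sock_alloc_send_skb() */
	skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT,
				  &err);
	if (!skb)
		goto put_dev;

	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
	if (err < 0)
		goto free_skb;
	err = sock_tx_timestamp(msg, sk, skb_tx(skb));
	if (err < 0)
		goto free_skb;
	skb->dev = dev;
	skb->sk  = sk;

	/* the skb is not freed here after this call, whatever it returns */
	err = can_send(skb, ro->loopback);

	dev_put(dev);

	if (err)
		goto send_failed;

	return size;

free_skb:
	kfree_skb(skb);
put_dev:
	dev_put(dev);
send_failed:
	return err;
}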
/*
 * Receive one queued CAN frame from a raw socket.
 *
 * At most @size bytes of the frame are copied to the caller; if the
 * frame is longer, MSG_TRUNC is set in msg->msg_flags.  When the caller
 * asked for the source address, the struct sockaddr_can that raw_rcv()
 * stored in skb->cb is copied to msg->msg_name.
 *
 * Returns the number of bytes copied, or a negative error from
 * skb_recv_datagram() or memcpy_toiovec().
 */
static int raw_recvmsg(struct kiocb *iocb, struct socket *sock,
		       struct msghdr *msg, size_t size, int flags)
{
	struct sock *sk = sock->sk;
	struct sk_buff *frame;
	int nonblock = flags & MSG_DONTWAIT;
	int err = 0;

	/* MSG_DONTWAIT is passed separately, not as part of the flags */
	frame = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, nonblock, &err);
	if (!frame)
		return err;

	/* copy no more than the frame holds and no more than was asked for */
	if (size < frame->len)
		msg->msg_flags |= MSG_TRUNC;
	else
		size = frame->len;

	err = memcpy_toiovec(msg->msg_iov, frame->data, size);
	if (err < 0) {
		skb_free_datagram(sk, frame);
		return err;
	}

	sock_recv_timestamp(msg, sk, frame);

	if (msg->msg_name) {
		/* raw_rcv() zeroed and filled this address in skb->cb */
		msg->msg_namelen = sizeof(struct sockaddr_can);
		memcpy(msg->msg_name, frame->cb, msg->msg_namelen);
	}

	skb_free_datagram(sk, frame);

	return size;
}
/*
 * Socket operations of the raw protocol.  Operations with no meaning
 * for a raw CAN socket use the generic sock_no_*() handlers.
 */
static struct proto_ops raw_ops __read_mostly = {
	.family        = PF_CAN,
	.release       = raw_release,
	.bind          = raw_bind,
	.connect       = sock_no_connect,
	.socketpair    = sock_no_socketpair,
	.accept        = sock_no_accept,
	.getname       = raw_getname,
	.poll          = datagram_poll,
	.ioctl         = NULL,		/* use can_ioctl() from af_can.c */
	.listen        = sock_no_listen,
	.shutdown      = sock_no_shutdown,
	.setsockopt    = raw_setsockopt,
	.getsockopt    = raw_getsockopt,
	.sendmsg       = raw_sendmsg,
	.recvmsg       = raw_recvmsg,
	.mmap          = sock_no_mmap,
	.sendpage      = sock_no_sendpage,
};

/* obj_size makes every sock of this protocol a full struct raw_sock */
static struct proto raw_proto __read_mostly = {
	.name       = "CAN_RAW",
	.owner      = THIS_MODULE,
	.obj_size   = sizeof(struct raw_sock),
	.init       = raw_init,
};

/* Registration record handed to the CAN core in raw_module_init(). */
static struct can_proto raw_can_proto __read_mostly = {
	.type       = SOCK_RAW,
	.protocol   = CAN_RAW,
	.capability = -1,
	.ops        = &raw_ops,
	.prot       = &raw_proto,
};
/*
 * Module entry point: print the banner and register the raw protocol
 * with the CAN core.  Returns the result of can_proto_register().
 */
static __init int raw_module_init(void)
{
	int rc;

	/* banner is a compile-time constant that carries its own log level */
	printk(banner);

	rc = can_proto_register(&raw_can_proto);
	if (rc < 0)
		printk(KERN_ERR "can: registration of raw protocol failed\n");

	return rc;
}
/* Module exit point: remove the raw protocol from the CAN core again. */
static __exit void raw_module_exit(void)
{
	can_proto_unregister(&raw_can_proto);
}

/* hook both functions into module load and unload */
module_init(raw_module_init);
module_exit(raw_module_exit);