Skip to content

Commit

Permalink
ipv4: Pass struct flowi4 directly to rt_fill_info
Browse files Browse the repository at this point in the history 
This is partly a backport of d6c0a4f60984
  (ipv4: Kill 'rt_src' from 'struct rtable').

skb->sk can be null, and in fact it is when creating the buffer
in inet_rtm_getroute. There is no other way of accessing the flow,
so pass it directly.

Fixes invalid memory address when running 'ip route get $IPADDR'

Bug: https://gitlab.com/LineageOS/issues/android/issues/492

Change-Id: I7b9e5499614b96360c9c8420907e82e145bb97f3
  • Loading branch information
@z3ntu @sb6596
z3ntu authored and sb6596 committed Jun 1, 2019
1 parent 42d61bd commit f44b4b1
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions net/ipv4/route.c
View file
Expand Up @@ -2986,14 +2986,13 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
}
EXPORT_SYMBOL_GPL(ip_route_output_flow);

static int rt_fill_info(struct net *net,
static int rt_fill_info(struct net *net, struct flowi4 *fl4,
struct sk_buff *skb, u32 pid, u32 seq, int event,
int nowait, unsigned int flags)
{
struct rtable *rt = skb_rtable(skb);
struct rtmsg *r;
struct nlmsghdr *nlh;
struct flowi4 *fl4 = &(inet_sk(skb->sk))->cork.fl.u.ip4;
unsigned long expires = 0;
const struct inet_peer *peer = rt->peer;
u32 id = 0, ts = 0, tsage = 0, error;
Expand Down Expand Up @@ -3107,6 +3106,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
struct rtmsg *rtm;
struct nlattr *tb[RTA_MAX+1];
struct rtable *rt = NULL;
struct flowi4 fl4;
__be32 dst = 0;
__be32 src = 0;
u32 iif;
Expand Down Expand Up @@ -3146,6 +3146,14 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
else
uid = (iif ? INVALID_UID : current_uid());

memset(&fl4, 0, sizeof(fl4));
fl4.daddr = dst;
fl4.saddr = src;
fl4.flowi4_tos = rtm->rtm_tos;
fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0;
fl4.flowi4_mark = mark;
fl4.flowi4_uid = uid;

if (iif) {
struct net_device *dev;

Expand All @@ -3166,14 +3174,6 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
if (err == 0 && rt->dst.error)
err = -rt->dst.error;
} else {
struct flowi4 fl4 = {
.daddr = dst,
.saddr = src,
.flowi4_tos = rtm->rtm_tos,
.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0,
.flowi4_mark = mark,
.flowi4_uid = uid,
};
rt = ip_route_output_key(net, &fl4);

err = 0;
Expand All @@ -3188,7 +3188,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
if (rtm->rtm_flags & RTM_F_NOTIFY)
rt->rt_flags |= RTCF_NOTIFY;

err = rt_fill_info(net, skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq,
err = rt_fill_info(net, &fl4, skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq,
RTM_NEWROUTE, 0, 0);
if (err <= 0)
goto errout_free;
Expand Down Expand Up @@ -3226,8 +3226,8 @@ int ip_rt_dump(struct sk_buff *skb, struct netlink_callback *cb)
if (rt_is_expired(rt))
continue;
skb_dst_set_noref(skb, &rt->dst);
if (rt_fill_info(net, skb, NETLINK_CB(cb->skb).pid,
cb->nlh->nlmsg_seq, RTM_NEWROUTE,
if (rt_fill_info(net, &(inet_sk(skb->sk))->cork.fl.u.ip4, skb,
NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq, RTM_NEWROUTE,
1, NLM_F_MULTI) <= 0) {
skb_dst_drop(skb);
rcu_read_unlock_bh();
Expand Down

1 comment on commit f44b4b1

@Catfriend1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, some time ago I've put a detection by looking at kernel version to start with "3.4." into Syncthing-Fork to prevent the hot reboot behaviour on affected roms. Today got a phone n7000 with lineageos 16 build 20200407 from xda where this patch wasn't included in the kernel build. How can I best detect an affected kernel from java as this one had another version? Could I probably run something like 'ip --version" in a non root shell and verify against a string?

Please sign in to comment.