/*
 * Linux Socket Filter - Kernel level socket filtering
 *
 * Author:
 *	Jay Schulist <jschlst@samba.org>
 *
 * Based on the design of:
 *	- The Berkeley Packet Filter
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 * Andi Kleen - Fix a few bad bugs and races.
 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
 */

#include <linux/module.h>
#include <linux/types.h>
#include <linux/mm.h>
#include <linux/fcntl.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/if_packet.h>
#include <linux/gfp.h>
#include <net/ip.h>
#include <net/protocol.h>
#include <net/netlink.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <linux/errno.h>
#include <linux/timer.h>
#include <asm/uaccess.h>
#include <asm/unaligned.h>
#include <linux/filter.h>
#include <linux/reciprocal_div.h>
#include <linux/ratelimit.h>
#include <linux/seccomp.h>

/* No hurry in this branch
 *
 * Exported for the bpf jit load helper.
 */
void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, unsigned int size)
{
	u8 *ptr = NULL;

	if (k >= SKF_NET_OFF)
		ptr = skb_network_header(skb) + k - SKF_NET_OFF;
	else if (k >= SKF_LL_OFF)
		ptr = skb_mac_header(skb) + k - SKF_LL_OFF;

	if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
		return ptr;
	return NULL;
}

static inline void *load_pointer(const struct sk_buff *skb, int k,
				 unsigned int size, void *buffer)
{
	if (k >= 0)
		return skb_header_pointer(skb, k, size, buffer);
	return bpf_internal_load_pointer_neg_helper(skb, k, size);
}

/**
 *	sk_filter - run a packet through a socket filter
 *	@sk: sock associated with &sk_buff
 *	@skb: buffer to filter
 *
 * Run the filter code and then trim skb->data to the length returned by
 * sk_run_filter(). If pkt_len is 0 we toss the packet. If skb->len is
 * smaller than pkt_len we keep the whole skb->data. This is the socket
 * level wrapper to sk_run_filter(). It returns 0 if the packet should
 * be accepted or -EPERM if the packet should be tossed.
 */
int sk_filter(struct sock *sk, struct sk_buff *skb)
{
	int err;
	struct sk_filter *filter;

	/*
	 * If the skb was allocated from pfmemalloc reserves, only
	 * allow SOCK_MEMALLOC sockets to use it as this socket is
	 * helping free memory
	 */
	if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC))
		return -ENOMEM;

	err = security_sock_rcv_skb(sk, skb);
	if (err)
		return err;

	rcu_read_lock();
	filter = rcu_dereference(sk->sk_filter);
	if (filter) {
		unsigned int pkt_len = SK_RUN_FILTER(filter, skb);

		err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
	}
	rcu_read_unlock();

	return err;
}
EXPORT_SYMBOL(sk_filter);
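/*
 * Example (illustrative sketch only): how a receive path consumes the
 * sk_filter() return value.  The my_deliver_skb() helper and the bare
 * skb_queue_tail() call are hypothetical simplifications; compare with
 * sock_queue_rcv_skb(), which begins with the same sk_filter() call:
 *
 *	static int my_deliver_skb(struct sock *sk, struct sk_buff *skb)
 *	{
 *		int err = sk_filter(sk, skb);	// may trim skb->len
 *
 *		if (err)
 *			return err;		// caller drops the packet
 *		skb_queue_tail(&sk->sk_receive_queue, skb);
 *		return 0;
 *	}
 */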
/**
 *	sk_run_filter - run a filter on a socket
 *	@skb: buffer to run the filter on
 *	@fentry: filter to apply
 *
 * Decode and apply filter instructions to the skb->data.
 * Return length to keep, 0 for none. @skb is the data we are
 * filtering, @fentry is the array of filter instructions.
 * Because all jumps are guaranteed to be before the last instruction,
 * and the last instruction is guaranteed to be a RET, we don't need to
 * check flen. (We used to pass the length of the filter to this function.)
 */
unsigned int sk_run_filter(const struct sk_buff *skb,
			   const struct sock_filter *fentry)
{
	void *ptr;
	u32 A = 0;			/* Accumulator */
	u32 X = 0;			/* Index Register */
	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
	u32 tmp;
	int k;

	/*
	 * Process array of filter instructions.
	 */
	for (;; fentry++) {
#if defined(CONFIG_X86_32)
#define	K (fentry->k)
#else
		const u32 K = fentry->k;
#endif

		switch (fentry->code) {
		case BPF_S_ALU_ADD_X:
			A += X;
			continue;
		case BPF_S_ALU_ADD_K:
			A += K;
			continue;
		case BPF_S_ALU_SUB_X:
			A -= X;
			continue;
		case BPF_S_ALU_SUB_K:
			A -= K;
			continue;
		case BPF_S_ALU_MUL_X:
			A *= X;
			continue;
		case BPF_S_ALU_MUL_K:
			A *= K;
			continue;
		case BPF_S_ALU_DIV_X:
			if (X == 0)
				return 0;
			A /= X;
			continue;
		case BPF_S_ALU_DIV_K:
			A = reciprocal_divide(A, K);
			continue;
		case BPF_S_ALU_MOD_X:
			if (X == 0)
				return 0;
			A %= X;
			continue;
		case BPF_S_ALU_MOD_K:
			A %= K;
			continue;
		case BPF_S_ALU_AND_X:
			A &= X;
			continue;
		case BPF_S_ALU_AND_K:
			A &= K;
			continue;
		case BPF_S_ALU_OR_X:
			A |= X;
			continue;
		case BPF_S_ALU_OR_K:
			A |= K;
			continue;
		case BPF_S_ANC_ALU_XOR_X:
		case BPF_S_ALU_XOR_X:
			A ^= X;
			continue;
		case BPF_S_ALU_XOR_K:
			A ^= K;
			continue;
		case BPF_S_ALU_LSH_X:
			A <<= X;
			continue;
		case BPF_S_ALU_LSH_K:
			A <<= K;
			continue;
		case BPF_S_ALU_RSH_X:
			A >>= X;
			continue;
		case BPF_S_ALU_RSH_K:
			A >>= K;
			continue;
		case BPF_S_ALU_NEG:
			A = -A;
			continue;
		case BPF_S_JMP_JA:
			fentry += K;
			continue;
		case BPF_S_JMP_JGT_K:
			fentry += (A > K) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JGE_K:
			fentry += (A >= K) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JEQ_K:
			fentry += (A == K) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JSET_K:
			fentry += (A & K) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JGT_X:
			fentry += (A > X) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JGE_X:
			fentry += (A >= X) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JEQ_X:
			fentry += (A == X) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_JMP_JSET_X:
			fentry += (A & X) ? fentry->jt : fentry->jf;
			continue;
		case BPF_S_LD_W_ABS:
			k = K;
load_w:
			ptr = load_pointer(skb, k, 4, &tmp);
			if (ptr != NULL) {
				A = get_unaligned_be32(ptr);
				continue;
			}
			return 0;
		case BPF_S_LD_H_ABS:
			k = K;
load_h:
			ptr = load_pointer(skb, k, 2, &tmp);
			if (ptr != NULL) {
				A = get_unaligned_be16(ptr);
				continue;
			}
			return 0;
		case BPF_S_LD_B_ABS:
			k = K;
load_b:
			ptr = load_pointer(skb, k, 1, &tmp);
			if (ptr != NULL) {
				A = *(u8 *)ptr;
				continue;
			}
			return 0;
		case BPF_S_LD_W_LEN:
			A = skb->len;
			continue;
		case BPF_S_LDX_W_LEN:
			X = skb->len;
			continue;
		case BPF_S_LD_W_IND:
			k = X + K;
			goto load_w;
		case BPF_S_LD_H_IND:
			k = X + K;
			goto load_h;
		case BPF_S_LD_B_IND:
			k = X + K;
			goto load_b;
		case BPF_S_LDX_B_MSH:
			ptr = load_pointer(skb, K, 1, &tmp);
			if (ptr != NULL) {
				X = (*(u8 *)ptr & 0xf) << 2;
				continue;
			}
			return 0;
		case BPF_S_LD_IMM:
			A = K;
			continue;
		case BPF_S_LDX_IMM:
			X = K;
			continue;
		case BPF_S_LD_MEM:
			A = mem[K];
			continue;
		case BPF_S_LDX_MEM:
			X = mem[K];
			continue;
		case BPF_S_MISC_TAX:
			X = A;
			continue;
		case BPF_S_MISC_TXA:
			A = X;
			continue;
		case BPF_S_RET_K:
			return K;
		case BPF_S_RET_A:
			return A;
		case BPF_S_ST:
			mem[K] = A;
			continue;
		case BPF_S_STX:
			mem[K] = X;
			continue;
		case BPF_S_ANC_PROTOCOL:
			A = ntohs(skb->protocol);
			continue;
		case BPF_S_ANC_PKTTYPE:
			A = skb->pkt_type;
			continue;
		case BPF_S_ANC_IFINDEX:
			if (!skb->dev)
				return 0;
			A = skb->dev->ifindex;
			continue;
		case BPF_S_ANC_MARK:
			A = skb->mark;
			continue;
		case BPF_S_ANC_QUEUE:
			A = skb->queue_mapping;
			continue;
		case BPF_S_ANC_HATYPE:
			if (!skb->dev)
				return 0;
			A = skb->dev->type;
			continue;
		case BPF_S_ANC_RXHASH:
			A = skb->rxhash;
			continue;
		case BPF_S_ANC_CPU:
			A = raw_smp_processor_id();
			continue;
		case BPF_S_ANC_NLATTR: {
			struct nlattr *nla;

			if (skb_is_nonlinear(skb))
				return 0;
			/* guard the unsigned subtraction below */
			if (skb->len < sizeof(struct nlattr))
				return 0;
			if (A > skb->len - sizeof(struct nlattr))
				return 0;

			nla = nla_find((struct nlattr *)&skb->data[A],
				       skb->len - A, X);
			if (nla)
				A = (void *)nla - (void *)skb->data;
			else
				A = 0;
			continue;
		}
		case BPF_S_ANC_NLATTR_NEST: {
			struct nlattr *nla;

			if (skb_is_nonlinear(skb))
				return 0;
			/* guard the unsigned subtractions below */
			if (skb->len < sizeof(struct nlattr))
				return 0;
			if (A > skb->len - sizeof(struct nlattr))
				return 0;

			nla = (struct nlattr *)&skb->data[A];
			if (nla->nla_len > skb->len - A)
				return 0;

			nla = nla_find_nested(nla, X);
			if (nla)
				A = (void *)nla - (void *)skb->data;
			else
				A = 0;
			continue;
		}
#ifdef CONFIG_SECCOMP_FILTER
		case BPF_S_ANC_SECCOMP_LD_W:
			A = seccomp_bpf_load(fentry->k);
			continue;
#endif
		default:
			WARN_RATELIMIT(1, "Unknown code:%u jt:%u jf:%u k:%u\n",
				       fentry->code, fentry->jt,
				       fentry->jf, fentry->k);
			return 0;
		}
	}

	return 0;
}
EXPORT_SYMBOL(sk_run_filter);
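/*
 * Example (illustrative): a minimal program in the classic BPF encoding
 * that keeps the first 64 bytes of IPv4 packets on an Ethernet-framed
 * socket and drops everything else:
 *
 *	struct sock_filter ipv4_only[] = {
 *		{ BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 12 },	// A = h_proto
 *		{ BPF_JMP | BPF_JEQ | BPF_K,   0, 1, 0x0800 },	// ETH_P_IP?
 *		{ BPF_RET | BPF_K,             0, 0, 64 },	// keep 64 bytes
 *		{ BPF_RET | BPF_K,             0, 0, 0 },	// drop
 *	};
 *
 * Note that sk_run_filter() dispatches on the decoded BPF_S_* opcodes that
 * sk_chk_filter() writes back into the program, so a filter like this must
 * pass through sk_chk_filter() before it can be run.
 */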
/*
 * Security:
 * A BPF program is able to use 16 cells of memory to store intermediate
 * values (see u32 mem[BPF_MEMWORDS] in sk_run_filter()).
 * As we don't want to clear the mem[] array for each packet going through
 * sk_run_filter(), we check that a filter loaded by a user never tries to
 * read a cell that was not previously written, and we check all branches
 * to be sure a malicious user doesn't try to abuse us.
 */
static int check_load_and_stores(struct sock_filter *filter, int flen)
{
	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
	int pc, ret = 0;

	BUILD_BUG_ON(BPF_MEMWORDS > 16);
	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
	if (!masks)
		return -ENOMEM;
	memset(masks, 0xff, flen * sizeof(*masks));

	for (pc = 0; pc < flen; pc++) {
		memvalid &= masks[pc];

		switch (filter[pc].code) {
		case BPF_S_ST:
		case BPF_S_STX:
			memvalid |= (1 << filter[pc].k);
			break;
		case BPF_S_LD_MEM:
		case BPF_S_LDX_MEM:
			if (!(memvalid & (1 << filter[pc].k))) {
				ret = -EINVAL;
				goto error;
			}
			break;
		case BPF_S_JMP_JA:
			/* a jump must set masks on target */
			masks[pc + 1 + filter[pc].k] &= memvalid;
			memvalid = ~0;
			break;
		case BPF_S_JMP_JEQ_K:
		case BPF_S_JMP_JEQ_X:
		case BPF_S_JMP_JGE_K:
		case BPF_S_JMP_JGE_X:
		case BPF_S_JMP_JGT_K:
		case BPF_S_JMP_JGT_X:
		case BPF_S_JMP_JSET_X:
		case BPF_S_JMP_JSET_K:
			/* a jump must set masks on targets */
			masks[pc + 1 + filter[pc].jt] &= memvalid;
			masks[pc + 1 + filter[pc].jf] &= memvalid;
			memvalid = ~0;
			break;
		}
	}
error:
	kfree(masks);
	return ret;
}
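/*
 * Example (illustrative): after decoding, the first program below is
 * rejected by the check above because M[0] is read before it is ever
 * written; the second one is accepted:
 *
 *	{ BPF_LD | BPF_MEM, 0, 0, 0 },	// A = M[0]	-> -EINVAL
 *	{ BPF_RET | BPF_A,  0, 0, 0 },
 *
 *	{ BPF_ST,           0, 0, 0 },	// M[0] = A
 *	{ BPF_LD | BPF_MEM, 0, 0, 0 },	// A = M[0]	-> OK
 *	{ BPF_RET | BPF_A,  0, 0, 0 },
 */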
/**
 *	sk_chk_filter - verify socket filter code
 *	@filter: filter to verify
 *	@flen: length of filter
 *
 * Check the user's filter code. If we let some ugly
 * filter code slip through, kaboom! The filter must contain
 * no references or jumps that are out of range, no illegal
 * instructions, and must end with a RET instruction.
 *
 * All jumps are forward as they are not signed.
 *
 * Returns 0 if the rule set is legal or -EINVAL if not.
 */
int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
{
	/*
	 * Valid instructions are initialized to non-0.
	 * Invalid instructions are initialized to 0.
	 */
	static const u8 codes[] = {
		[BPF_ALU|BPF_ADD|BPF_K]  = BPF_S_ALU_ADD_K,
		[BPF_ALU|BPF_ADD|BPF_X]  = BPF_S_ALU_ADD_X,
		[BPF_ALU|BPF_SUB|BPF_K]  = BPF_S_ALU_SUB_K,
		[BPF_ALU|BPF_SUB|BPF_X]  = BPF_S_ALU_SUB_X,
		[BPF_ALU|BPF_MUL|BPF_K]  = BPF_S_ALU_MUL_K,
		[BPF_ALU|BPF_MUL|BPF_X]  = BPF_S_ALU_MUL_X,
		[BPF_ALU|BPF_DIV|BPF_X]  = BPF_S_ALU_DIV_X,
		[BPF_ALU|BPF_MOD|BPF_K]  = BPF_S_ALU_MOD_K,
		[BPF_ALU|BPF_MOD|BPF_X]  = BPF_S_ALU_MOD_X,
		[BPF_ALU|BPF_AND|BPF_K]  = BPF_S_ALU_AND_K,
		[BPF_ALU|BPF_AND|BPF_X]  = BPF_S_ALU_AND_X,
		[BPF_ALU|BPF_OR|BPF_K]   = BPF_S_ALU_OR_K,
		[BPF_ALU|BPF_OR|BPF_X]   = BPF_S_ALU_OR_X,
		[BPF_ALU|BPF_XOR|BPF_K]  = BPF_S_ALU_XOR_K,
		[BPF_ALU|BPF_XOR|BPF_X]  = BPF_S_ALU_XOR_X,
		[BPF_ALU|BPF_LSH|BPF_K]  = BPF_S_ALU_LSH_K,
		[BPF_ALU|BPF_LSH|BPF_X]  = BPF_S_ALU_LSH_X,
		[BPF_ALU|BPF_RSH|BPF_K]  = BPF_S_ALU_RSH_K,
		[BPF_ALU|BPF_RSH|BPF_X]  = BPF_S_ALU_RSH_X,
		[BPF_ALU|BPF_NEG]        = BPF_S_ALU_NEG,
		[BPF_LD|BPF_W|BPF_ABS]   = BPF_S_LD_W_ABS,
		[BPF_LD|BPF_H|BPF_ABS]   = BPF_S_LD_H_ABS,
		[BPF_LD|BPF_B|BPF_ABS]   = BPF_S_LD_B_ABS,
		[BPF_LD|BPF_W|BPF_LEN]   = BPF_S_LD_W_LEN,
		[BPF_LD|BPF_W|BPF_IND]   = BPF_S_LD_W_IND,
		[BPF_LD|BPF_H|BPF_IND]   = BPF_S_LD_H_IND,
		[BPF_LD|BPF_B|BPF_IND]   = BPF_S_LD_B_IND,
		[BPF_LD|BPF_IMM]         = BPF_S_LD_IMM,
		[BPF_LDX|BPF_W|BPF_LEN]  = BPF_S_LDX_W_LEN,
		[BPF_LDX|BPF_B|BPF_MSH]  = BPF_S_LDX_B_MSH,
		[BPF_LDX|BPF_IMM]        = BPF_S_LDX_IMM,
		[BPF_MISC|BPF_TAX]       = BPF_S_MISC_TAX,
		[BPF_MISC|BPF_TXA]       = BPF_S_MISC_TXA,
		[BPF_RET|BPF_K]          = BPF_S_RET_K,
		[BPF_RET|BPF_A]          = BPF_S_RET_A,
		[BPF_ALU|BPF_DIV|BPF_K]  = BPF_S_ALU_DIV_K,
		[BPF_LD|BPF_MEM]         = BPF_S_LD_MEM,
		[BPF_LDX|BPF_MEM]        = BPF_S_LDX_MEM,
		[BPF_ST]                 = BPF_S_ST,
		[BPF_STX]                = BPF_S_STX,
		[BPF_JMP|BPF_JA]         = BPF_S_JMP_JA,
		[BPF_JMP|BPF_JEQ|BPF_K]  = BPF_S_JMP_JEQ_K,
		[BPF_JMP|BPF_JEQ|BPF_X]  = BPF_S_JMP_JEQ_X,
		[BPF_JMP|BPF_JGE|BPF_K]  = BPF_S_JMP_JGE_K,
		[BPF_JMP|BPF_JGE|BPF_X]  = BPF_S_JMP_JGE_X,
		[BPF_JMP|BPF_JGT|BPF_K]  = BPF_S_JMP_JGT_K,
		[BPF_JMP|BPF_JGT|BPF_X]  = BPF_S_JMP_JGT_X,
		[BPF_JMP|BPF_JSET|BPF_K] = BPF_S_JMP_JSET_K,
		[BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
	};
	int pc;

	if (flen == 0 || flen > BPF_MAXINSNS)
		return -EINVAL;

	/* check the filter code now */
	for (pc = 0; pc < flen; pc++) {
		struct sock_filter *ftest = &filter[pc];
		u16 code = ftest->code;

		if (code >= ARRAY_SIZE(codes))
			return -EINVAL;
		code = codes[code];
		if (!code)
			return -EINVAL;
		/* Some instructions need special checks */
		switch (code) {
		case BPF_S_ALU_DIV_K:
			/* check for division by zero */
			if (ftest->k == 0)
				return -EINVAL;
			ftest->k = reciprocal_value(ftest->k);
			break;
		case BPF_S_ALU_MOD_K:
			/* check for division by zero */
			if (ftest->k == 0)
				return -EINVAL;
			break;
		case BPF_S_LD_MEM:
		case BPF_S_LDX_MEM:
		case BPF_S_ST:
		case BPF_S_STX:
			/* check for invalid memory addresses */
			if (ftest->k >= BPF_MEMWORDS)
				return -EINVAL;
			break;
		case BPF_S_JMP_JA:
			/*
			 * Note, a large ftest->k might cause loops.
			 * Compare this with conditional jumps below,
			 * where offsets are limited. --ANK (981016)
			 */
			if (ftest->k >= (unsigned int)(flen - pc - 1))
				return -EINVAL;
			break;
		case BPF_S_JMP_JEQ_K:
		case BPF_S_JMP_JEQ_X:
		case BPF_S_JMP_JGE_K:
		case BPF_S_JMP_JGE_X:
		case BPF_S_JMP_JGT_K:
		case BPF_S_JMP_JGT_X:
		case BPF_S_JMP_JSET_X:
		case BPF_S_JMP_JSET_K:
			/* for conditionals both must be safe */
			if (pc + ftest->jt + 1 >= flen ||
			    pc + ftest->jf + 1 >= flen)
				return -EINVAL;
			break;
		case BPF_S_LD_W_ABS:
		case BPF_S_LD_H_ABS:
		case BPF_S_LD_B_ABS:
#define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE:	\
				code = BPF_S_ANC_##CODE;	\
				break
			switch (ftest->k) {
			ANCILLARY(PROTOCOL);
			ANCILLARY(PKTTYPE);
			ANCILLARY(IFINDEX);
			ANCILLARY(NLATTR);
			ANCILLARY(NLATTR_NEST);
			ANCILLARY(MARK);
			ANCILLARY(QUEUE);
			ANCILLARY(HATYPE);
			ANCILLARY(RXHASH);
			ANCILLARY(CPU);
			ANCILLARY(ALU_XOR_X);
			}
		}
		ftest->code = code;
	}

	/* last instruction must be a RET code */
	switch (filter[flen - 1].code) {
	case BPF_S_RET_K:
	case BPF_S_RET_A:
		return check_load_and_stores(filter, flen);
	}
	return -EINVAL;
}
EXPORT_SYMBOL(sk_chk_filter);
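/*
 * Example (illustrative): "ancillary" loads are plain absolute loads whose
 * offset falls in the magic SKF_AD_OFF range; sk_chk_filter() rewrites them
 * into the BPF_S_ANC_* opcodes handled in sk_run_filter().  This two
 * instruction program returns skb->mark:
 *
 *	{ BPF_LD  | BPF_W | BPF_ABS, 0, 0, SKF_AD_OFF + SKF_AD_MARK },
 *	{ BPF_RET | BPF_A,           0, 0, 0 },
 */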
/**
 *	sk_filter_release_rcu - Release a socket filter by rcu_head
 *	@rcu: rcu_head that contains the sk_filter to free
 */
void sk_filter_release_rcu(struct rcu_head *rcu)
{
	struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);

	bpf_jit_free(fp);
	kfree(fp);
}
EXPORT_SYMBOL(sk_filter_release_rcu);

static int __sk_prepare_filter(struct sk_filter *fp)
{
	int err;

	fp->bpf_func = sk_run_filter;

	err = sk_chk_filter(fp->insns, fp->len);
	if (err)
		return err;

	bpf_jit_compile(fp);
	return 0;
}
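/*
 * Note: on architectures with a BPF JIT, bpf_jit_compile() may point
 * fp->bpf_func at generated native code; otherwise it is a no-op and
 * SK_RUN_FILTER() keeps using the sk_run_filter() interpreter set above.
 */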
/**
 *	sk_unattached_filter_create - create an unattached filter
 *	@fprog: the filter program
 *	@pfp: the unattached filter that is created
 *
 * Create a filter independent of any socket. We first run some
 * sanity checks on it to make sure it does not explode on us later.
 * If an error occurs or there is insufficient memory for the filter
 * a negative errno code is returned. On success the return is zero.
 */
int sk_unattached_filter_create(struct sk_filter **pfp,
				struct sock_fprog *fprog)
{
	struct sk_filter *fp;
	unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
	int err;

	/* Make sure the new filter program is actually there. */
	if (fprog->filter == NULL)
		return -EINVAL;

	fp = kmalloc(fsize + sizeof(*fp), GFP_KERNEL);
	if (!fp)
		return -ENOMEM;
	memcpy(fp->insns, fprog->filter, fsize);

	atomic_set(&fp->refcnt, 1);
	fp->len = fprog->len;

	err = __sk_prepare_filter(fp);
	if (err)
		goto free_mem;

	*pfp = fp;
	return 0;
free_mem:
	kfree(fp);
	return err;
}
EXPORT_SYMBOL_GPL(sk_unattached_filter_create);

void sk_unattached_filter_destroy(struct sk_filter *fp)
{
	sk_filter_release(fp);
}
EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy);
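/*
 * Example (illustrative sketch): kernel-internal use of an unattached
 * filter, roughly in the style of the team driver's load-balancing mode.
 * The local variables are hypothetical and error handling is abbreviated;
 * note that @fprog->filter is a kernel pointer here, not a user one:
 *
 *	struct sock_filter code[] = {
 *		{ BPF_RET | BPF_K, 0, 0, 0xffffffff },	// accept everything
 *	};
 *	struct sock_fprog prog = { .len = 1, .filter = code };
 *	struct sk_filter *fp;
 *
 *	if (sk_unattached_filter_create(&fp, &prog) == 0) {
 *		unsigned int keep = SK_RUN_FILTER(fp, skb);
 *		sk_unattached_filter_destroy(fp);
 *	}
 */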
/**
 *	sk_attach_filter - attach a socket filter
 *	@fprog: the filter program
 *	@sk: the socket to use
 *
 * Attach the user's filter code. We first run some sanity checks on
 * it to make sure it does not explode on us later. If an error
 * occurs or there is insufficient memory for the filter a negative
 * errno code is returned. On success the return is zero.
 */
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
	struct sk_filter *fp, *old_fp;
	unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
	int err;

	/* Make sure the new filter program is actually there. */
	if (fprog->filter == NULL)
		return -EINVAL;

	fp = sock_kmalloc(sk, fsize + sizeof(*fp), GFP_KERNEL);
	if (!fp)
		return -ENOMEM;
	if (copy_from_user(fp->insns, fprog->filter, fsize)) {
		sock_kfree_s(sk, fp, fsize + sizeof(*fp));
		return -EFAULT;
	}

	atomic_set(&fp->refcnt, 1);
	fp->len = fprog->len;

	err = __sk_prepare_filter(fp);
	if (err) {
		sk_filter_uncharge(sk, fp);
		return err;
	}

	old_fp = rcu_dereference_protected(sk->sk_filter,
					   sock_owned_by_user(sk));
	rcu_assign_pointer(sk->sk_filter, fp);

	if (old_fp)
		sk_filter_uncharge(sk, old_fp);
	return 0;
}
EXPORT_SYMBOL_GPL(sk_attach_filter);

int sk_detach_filter(struct sock *sk)
{
	int ret = -ENOENT;
	struct sk_filter *filter;

	filter = rcu_dereference_protected(sk->sk_filter,
					   sock_owned_by_user(sk));
	if (filter) {
		RCU_INIT_POINTER(sk->sk_filter, NULL);
		sk_filter_uncharge(sk, filter);
		ret = 0;
	}
	return ret;
}
EXPORT_SYMBOL_GPL(sk_detach_filter);
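/*
 * Example (illustrative): the userspace counterpart of sk_attach_filter()
 * and sk_detach_filter() is the SO_ATTACH_FILTER/SO_DETACH_FILTER socket
 * option pair:
 *
 *	struct sock_filter code[] = {
 *		{ BPF_RET | BPF_K, 0, 0, 0xffffffff },	// accept everything
 *	};
 *	struct sock_fprog prog = {
 *		.len	= sizeof(code) / sizeof(code[0]),
 *		.filter	= code,
 *	};
 *	int dummy = 0;
 *
 *	setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog));
 *	setsockopt(fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy));
 */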