Commit 5f935920 authored by Andreas Gruenbacher's avatar Andreas Gruenbacher Committed by Philipp Reisner

drbd: Make drbd's use of netlink attribute flags less confusing

Make it more clear in the flag names which flags are internal to drbd, and
which are not.

The check for mandatory attributes is the only extension visible at the netlink
layer.  Attributes with this flag set would look like unknown attributes to
some kernel versions.  The netlink layer would ignore them and also skip
consistency checks on the attribute type and legth.  To avoid this, we check
for mandatory attributes first, remove the mandatory flag, and then process the
attributes normally.
Signed-off-by: default avatarPhilipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: default avatarLars Ellenberg <lars.ellenberg@linbit.com>
parent bbbef2d5
This diff is collapsed.
...@@ -3,53 +3,6 @@ ...@@ -3,53 +3,6 @@
#include <linux/genl_magic_struct.h> #include <linux/genl_magic_struct.h>
/*
* Extension of genl attribute validation policies {{{1
* {{{2
*/
/**
* nla_is_required - return true if this attribute is required
* @nla: netlink attribute
*/
static inline int nla_is_required(const struct nlattr *nla)
{
return nla->nla_type & GENLA_F_REQUIRED;
}
/**
* nla_is_mandatory - return true if understanding this attribute is mandatory
* @nla: netlink attribute
* Note: REQUIRED attributes are implicitly MANDATORY as well
*/
static inline int nla_is_mandatory(const struct nlattr *nla)
{
return nla->nla_type & (GENLA_F_MANDATORY | GENLA_F_REQUIRED);
}
/* Functionality to be integrated into nla_parse(), and validate_nla(),
* respectively.
*
* Enforcing the "mandatory" bit is done here,
* by rejecting unknown mandatory attributes.
*
* Part of enforcing the "required" flag would mean to embed it into
* nla_policy.type, and extending validate_nla(), which currently does
* BUG_ON(pt->type > NLA_TYPE_MAX); we have to work on existing kernels,
* so we cannot do that. Thats why enforcing "required" is done in the
* generated assignment functions below. */
static int nla_check_unknown(int maxtype, struct nlattr *head, int len)
{
struct nlattr *nla;
int rem;
nla_for_each_attr(nla, head, len, rem) {
__u16 type = nla_type(nla);
if (type > maxtype && nla_is_mandatory(nla))
return -EOPNOTSUPP;
}
return 0;
}
/* /*
* Magic: declare tla policy {{{1 * Magic: declare tla policy {{{1
* Magic: declare nested policies * Magic: declare nested policies
...@@ -80,13 +33,13 @@ static struct nla_policy s_name ## _nl_policy[] __read_mostly = \ ...@@ -80,13 +33,13 @@ static struct nla_policy s_name ## _nl_policy[] __read_mostly = \
#undef __field #undef __field
#define __field(attr_nr, attr_flag, name, nla_type, _type, __get, \ #define __field(attr_nr, attr_flag, name, nla_type, _type, __get, \
__put, __is_signed) \ __put, __is_signed) \
[__nla_type(attr_nr)] = { .type = nla_type }, [attr_nr] = { .type = nla_type },
#undef __array #undef __array
#define __array(attr_nr, attr_flag, name, nla_type, _type, maxlen, \ #define __array(attr_nr, attr_flag, name, nla_type, _type, maxlen, \
__get, __put, __is_signed) \ __get, __put, __is_signed) \
[__nla_type(attr_nr)] = { .type = nla_type, \ [attr_nr] = { .type = nla_type, \
.len = maxlen - (nla_type == NLA_NUL_STRING) }, .len = maxlen - (nla_type == NLA_NUL_STRING) },
#include GENL_MAGIC_INCLUDE_FILE #include GENL_MAGIC_INCLUDE_FILE
...@@ -189,6 +142,43 @@ static struct nlattr *nested_attr_tb[128]; ...@@ -189,6 +142,43 @@ static struct nlattr *nested_attr_tb[128];
#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); })) #define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
#endif #endif
static inline int drbd_nla_check_mandatory(int maxtype, struct nlattr *nla)
{
struct nlattr *head = nla_data(nla);
int len = nla_len(nla);
int rem;
/*
* validate_nla (called from nla_parse_nested) ignores attributes
* beyond maxtype, and does not understand the DRBD_GENLA_F_MANDATORY flag.
* In order to have it validate attributes with the DRBD_GENLA_F_MANDATORY
* flag set also, check and remove that flag before calling
* nla_parse_nested.
*/
nla_for_each_attr(nla, head, len, rem) {
if (nla->nla_type & DRBD_GENLA_F_MANDATORY) {
if (nla_type(nla) > maxtype)
return -EOPNOTSUPP;
nla->nla_type &= ~DRBD_GENLA_F_MANDATORY;
}
}
return 0;
}
static inline int drbd_nla_parse_nested(struct nlattr *tb[], int maxtype,
struct nlattr *nla,
const struct nla_policy *policy)
{
int err;
err = drbd_nla_check_mandatory(maxtype, nla);
if (!err)
err = nla_parse_nested(tb, maxtype, nla, policy);
return err;
}
#undef GENL_struct #undef GENL_struct
#define GENL_struct(tag_name, tag_number, s_name, s_fields) \ #define GENL_struct(tag_name, tag_number, s_name, s_fields) \
/* *_from_attrs functions are static, but potentially unused */ \ /* *_from_attrs functions are static, but potentially unused */ \
...@@ -204,12 +194,9 @@ static int __ ## s_name ## _from_attrs(struct s_name *s, \ ...@@ -204,12 +194,9 @@ static int __ ## s_name ## _from_attrs(struct s_name *s, \
if (!tla) \ if (!tla) \
return -ENOMSG; \ return -ENOMSG; \
DPRINT_TLA(#s_name, "<=-", #tag_name); \ DPRINT_TLA(#s_name, "<=-", #tag_name); \
err = nla_parse_nested(ntb, maxtype, tla, s_name ## _nl_policy); \ err = drbd_nla_parse_nested(ntb, maxtype, tla, s_name ## _nl_policy); \
if (err) \ if (err) \
return err; \ return err; \
err = nla_check_unknown(maxtype, nla_data(tla), nla_len(tla)); \
if (err) \
return err; \
\ \
s_fields \ s_fields \
return 0; \ return 0; \
...@@ -226,17 +213,17 @@ static int s_name ## _from_attrs_for_change(struct s_name *s, \ ...@@ -226,17 +213,17 @@ static int s_name ## _from_attrs_for_change(struct s_name *s, \
} __attribute__((unused)) \ } __attribute__((unused)) \
#define __assign(attr_nr, attr_flag, name, nla_type, type, assignment...) \ #define __assign(attr_nr, attr_flag, name, nla_type, type, assignment...) \
nla = ntb[__nla_type(attr_nr)]; \ nla = ntb[attr_nr]; \
if (nla) { \ if (nla) { \
if (exclude_invariants && ((attr_flag) & GENLA_F_INVARIANT)) { \ if (exclude_invariants && ((attr_flag) & DRBD_F_INVARIANT)) { \
pr_info("<< must not change invariant attr: %s\n", #name); \ pr_info("<< must not change invariant attr: %s\n", #name); \
return -EEXIST; \ return -EEXIST; \
} \ } \
assignment; \ assignment; \
} else if (exclude_invariants && ((attr_flag) & GENLA_F_INVARIANT)) { \ } else if (exclude_invariants && ((attr_flag) & DRBD_F_INVARIANT)) { \
/* attribute missing from payload, */ \ /* attribute missing from payload, */ \
/* which was expected */ \ /* which was expected */ \
} else if ((attr_flag) & GENLA_F_REQUIRED) { \ } else if ((attr_flag) & DRBD_F_REQUIRED) { \
pr_info("<< missing attr: %s\n", #name); \ pr_info("<< missing attr: %s\n", #name); \
return -ENOMSG; \ return -ENOMSG; \
} }
...@@ -415,7 +402,7 @@ static inline int s_name ## _to_unpriv_skb(struct sk_buff *skb, \ ...@@ -415,7 +402,7 @@ static inline int s_name ## _to_unpriv_skb(struct sk_buff *skb, \
#undef __field #undef __field
#define __field(attr_nr, attr_flag, name, nla_type, type, __get, __put, \ #define __field(attr_nr, attr_flag, name, nla_type, type, __get, __put, \
__is_signed) \ __is_signed) \
if (!exclude_sensitive || !((attr_flag) & GENLA_F_SENSITIVE)) { \ if (!exclude_sensitive || !((attr_flag) & DRBD_F_SENSITIVE)) { \
DPRINT_FIELD(">>", nla_type, name, s, NULL); \ DPRINT_FIELD(">>", nla_type, name, s, NULL); \
__put(skb, attr_nr, s->name); \ __put(skb, attr_nr, s->name); \
} }
...@@ -423,7 +410,7 @@ static inline int s_name ## _to_unpriv_skb(struct sk_buff *skb, \ ...@@ -423,7 +410,7 @@ static inline int s_name ## _to_unpriv_skb(struct sk_buff *skb, \
#undef __array #undef __array
#define __array(attr_nr, attr_flag, name, nla_type, type, maxlen, \ #define __array(attr_nr, attr_flag, name, nla_type, type, maxlen, \
__get, __put, __is_signed) \ __get, __put, __is_signed) \
if (!exclude_sensitive || !((attr_flag) & GENLA_F_SENSITIVE)) { \ if (!exclude_sensitive || !((attr_flag) & DRBD_F_SENSITIVE)) { \
DPRINT_ARRAY(">>",nla_type, name, s, NULL); \ DPRINT_ARRAY(">>",nla_type, name, s, NULL); \
__put(skb, attr_nr, min_t(int, maxlen, \ __put(skb, attr_nr, min_t(int, maxlen, \
s->name ## _len + (nla_type == NLA_NUL_STRING)),\ s->name ## _len + (nla_type == NLA_NUL_STRING)),\
......
...@@ -26,50 +26,34 @@ extern void CONCAT_(GENL_MAGIC_FAMILY, _genl_unregister)(void); ...@@ -26,50 +26,34 @@ extern void CONCAT_(GENL_MAGIC_FAMILY, _genl_unregister)(void);
* Extension of genl attribute validation policies {{{2 * Extension of genl attribute validation policies {{{2
*/ */
/** /*
* GENLA_F_FLAGS - policy type flags to ease compatible ABI evolvement * @DRBD_GENLA_F_MANDATORY: By default, netlink ignores attributes it does not
* * know about. This flag can be set in nlattr->nla_type to indicate that this
* @GENLA_F_REQUIRED: attribute has to be present, or message is considered invalid. * attribute must not be ignored.
* Adding new REQUIRED attributes breaks ABI compatibility, so don't do that.
* *
* @GENLA_F_MANDATORY: if present, receiver _must_ understand it. * We check and remove this flag in drbd_nla_check_mandatory() before
* Without this, unknown attributes (> maxtype) are _silently_ ignored * validating the attribute types and lengths via nla_parse_nested().
* by validate_nla(). */
#define DRBD_GENLA_F_MANDATORY (1 << 14)
/*
* Flags specific to drbd and not visible at the netlink layer, used in
* <struct>_from_attrs and <struct>_to_skb:
* *
* To be used for API extensions, so older kernel can reject requests for not * @DRBD_F_REQUIRED: Attribute is required; a request without this attribute is
* yet implemented features, if newer userland tries to use them even though * invalid.
* the genl_family version clearly indicates they are not available.
* *
* NOTE: These flags overload * @DRBD_F_SENSITIVE: Attribute includes sensitive information and must not be
* NLA_F_NESTED (1 << 15) * included in unpriviledged get requests or broadcasts.
* NLA_F_NET_BYTEORDER (1 << 14)
* from linux/netlink.h, which are not useful for validate_nla():
* NET_BYTEORDER is not used anywhere, and NESTED would be specified by setting
* .type = NLA_NESTED in the appropriate policy.
* *
* See also: nla_type() * @DRBD_F_INVARIANT: Attribute is set when an object is initially created, but
* cannot subsequently be changed.
*/ */
enum { #define DRBD_F_REQUIRED (1 << 0)
GENLA_F_MANDATORY = 1 << 14, #define DRBD_F_SENSITIVE (1 << 1)
GENLA_F_REQUIRED = 1 << 15, #define DRBD_F_INVARIANT (1 << 2)
/* Below will not be present in the __u16 .nla_type, but can be
* triggered on in <struct>_to_skb resp. <struct>_from_attrs */
/* To exclude "sensitive" information from broadcasts, or on
* unpriviledged get requests. This is useful because genetlink
* multicast groups can be listened in on by anyone. */
GENLA_F_SENSITIVE = 1 << 16,
/* INVARIAN options cannot be changed at runtime.
* Useful to share an attribute policy and struct definition,
* between some "create" and "change" commands,
* but disallow certain fields to be changed online.
*/
GENLA_F_INVARIANT = 1 << 17,
};
#define __nla_type(x) ((__u16)((__u16)(x) & (__u16)NLA_TYPE_MASK)) #define __nla_type(x) ((__u16)((x) & NLA_TYPE_MASK & ~DRBD_GENLA_F_MANDATORY))
/* }}}1 /* }}}1
* MAGIC * MAGIC
...@@ -170,12 +154,12 @@ enum { \ ...@@ -170,12 +154,12 @@ enum { \
#undef __field #undef __field
#define __field(attr_nr, attr_flag, name, nla_type, type, \ #define __field(attr_nr, attr_flag, name, nla_type, type, \
__get, __put, __is_signed) \ __get, __put, __is_signed) \
T_ ## name = (__u16)(attr_nr | attr_flag), T_ ## name = (__u16)(attr_nr | ((attr_flag) & DRBD_GENLA_F_MANDATORY)),
#undef __array #undef __array
#define __array(attr_nr, attr_flag, name, nla_type, type, \ #define __array(attr_nr, attr_flag, name, nla_type, type, \
maxlen, __get, __put, __is_signed) \ maxlen, __get, __put, __is_signed) \
T_ ## name = (__u16)(attr_nr | attr_flag), T_ ## name = (__u16)(attr_nr | ((attr_flag) & DRBD_GENLA_F_MANDATORY)),
#include GENL_MAGIC_INCLUDE_FILE #include GENL_MAGIC_INCLUDE_FILE
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment