mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-21 10:01:00 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet cb4f789860 tcp: fix error recovery in tcp_zerocopy_receive() 
[ Upstream commit e776af608f ]

If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE
operation we want to return -EINVAL error.

But depending on zc->recv_skip_hint content, we might return
-EIO error if the socket has SOCK_DONE set.

Make sure to return -EINVAL in this case.

BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
 do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
 tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131
 __sys_getsockopt+0x533/0x7b0 net/socket.c:2177
 __do_sys_getsockopt net/socket.c:2192 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829
RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009
RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000
R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4

Local variable ----zc@do_tcp_getsockopt created at:
 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670

Fixes: 05255b823a ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:20:10 +02:00
..
6lowpan
9p 9p pull request for inclusion in 5.4 2019-09-27 15:10:34 -07:00
802
8021q vlan: vlan_changelink() should propagate errors 2020-01-12 12:21:50 +01:00
appletalk appletalk: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
atm net: atm: Reduce the severity of logging in unlink_clip_vcc 2019-11-18 17:08:20 -08:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
batman-adv batman-adv: Fix refcnt leak in batadv_v_ogm_process 2020-05-14 07:58:28 +02:00
bluetooth Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl 2020-04-13 10:48:13 +02:00
bpf
bpfilter net/bpfilter: remove superfluous testing message 2020-04-21 09:04:53 +02:00
bridge net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
can can: j1939: j1939_sk_bind(): take priv after lock is held 2019-12-31 16:45:56 +01:00
ceph libceph: fix alloc_msg_with_page_vector() memory leaks 2020-04-02 15:11:02 +02:00
core net: fix a potential recursive NETDEV_FEAT_CHANGE 2020-05-20 08:20:08 +02:00
dcb
dccp net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-18 16:08:40 +01:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:36:45 +02:00
dsa net: dsa: Do not make user port errors fatal 2020-05-20 08:20:03 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
hsr hsr: check protocol version in hsr_newlink() 2020-04-21 09:04:44 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-18 07:17:44 +01:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 tcp: fix error recovery in tcp_zerocopy_receive() 2020-05-20 08:20:10 +02:00
ipv6 Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" 2020-05-20 08:20:09 +02:00
iucv
kcm kcm: disable preemption in kcm_parse_func_strparser() 2019-09-27 10:27:14 +02:00
key
l2tp l2tp: Allow management of tunnels and session in user namespace 2020-04-21 09:04:44 +02:00
l3mdev
lapb
llc llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2020-01-12 12:21:45 +01:00
mac80211 mac80211: add ieee80211_is_any_nullfunc() 2020-05-10 10:31:32 +02:00
mac802154
mpls net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2019-12-18 16:08:42 +01:00
ncsi net/ncsi: Disable global multicast filter 2019-09-19 18:04:40 -07:00
netfilter netfilter: nf_osf: avoid passing pointer to local var 2020-05-14 07:58:29 +02:00
netlabel netlabel: cope with NULL catmap 2020-05-20 08:20:08 +02:00
netlink netlink: Use netlink header as base to calculate bad attribute offset 2020-03-18 07:17:40 +01:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-29 16:33:08 +02:00
nfc nfc: add missing attribute validation for vendor subcommand 2020-03-18 07:17:46 +01:00
nsh
openvswitch net: openvswitch: ovs_ct_exit to be done under ovs_lock 2020-04-29 16:33:08 +02:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-04-01 11:01:35 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
psample net: psample: fix skb_over_panic 2019-12-04 22:30:54 +01:00
qrtr net: qrtr: send msgs from local of same id as broadcast 2020-04-21 09:04:47 +02:00
rds rds: ib: update WR sizes when bringing up connection 2019-11-16 12:59:08 -08:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:21:33 +01:00
rose net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
rxrpc rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket 2020-05-02 08:48:47 +02:00
sched net_sched: fix tcm_parent in tc filter dump 2020-05-20 08:20:07 +02:00
sctp sctp: Fix bundling of SHUTDOWN with COOKIE-ACK 2020-05-14 07:58:24 +02:00
smc net/smc: cancel event worker during device removal 2020-03-18 07:17:59 +01:00
strparser
sunrpc SUNRPC: Fix GSS privacy computation of auth->au_ralign 2020-05-20 08:20:05 +02:00
switchdev
tipc tipc: fix partial topology connection closure 2020-05-14 07:58:22 +02:00
tls net/tls: Fix sk_psock refcnt leak when in tls_data_ready() 2020-05-14 07:58:22 +02:00
unix af_unix: add compat_ioctl support 2020-01-17 19:48:52 +01:00
vmw_vsock hv_sock: Remove the accept port restriction 2020-02-14 16:34:07 -05:00
wimax
wireless nl80211: fix NL80211_ATTR_FTM_RESPONDER policy 2020-04-21 09:04:59 +02:00
x25 net/x25: Fix x25_neigh refcnt leak when receiving frame 2020-04-29 16:33:09 +02:00
xdp xsk: Add missing check on user supplied headroom size 2020-04-23 10:36:21 +02:00
xfrm xfrm: policy: Fix doulbe free in xfrm_policy_timer 2020-04-01 11:02:07 +02:00
compat.c
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
Makefile
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-01-17 19:48:52 +01:00
sysctl_net.c