github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
79aa8706b4
linux/net
History
Eric Dumazet 79aa8706b4 net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any 
[ Upstream commit 6dc25401cb ]

1) if q->tk_offset == TK_OFFS_MAX, then get_tcp_tstamp() calls
   ktime_mono_to_any() with out-of-bound value.

2) if q->tk_offset is changed in taprio_parse_clockid(),
   taprio_get_time() might also call ktime_mono_to_any()
   with out-of-bound value as sysbot found:

UBSAN: array-index-out-of-bounds in kernel/time/timekeeping.c:908:27
index 3 is out of range for type 'ktime_t *[3]'
CPU: 1 PID: 25668 Comm: kworker/u4:0 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291
 ktime_mono_to_any+0x1d4/0x1e0 kernel/time/timekeeping.c:908
 get_tcp_tstamp net/sched/sch_taprio.c:322 [inline]
 get_packet_txtime net/sched/sch_taprio.c:353 [inline]
 taprio_enqueue_one+0x5b0/0x1460 net/sched/sch_taprio.c:420
 taprio_enqueue+0x3b1/0x730 net/sched/sch_taprio.c:485
 dev_qdisc_enqueue+0x40/0x300 net/core/dev.c:3785
 __dev_xmit_skb net/core/dev.c:3869 [inline]
 __dev_queue_xmit+0x1f6e/0x3630 net/core/dev.c:4194
 batadv_send_skb_packet+0x4a9/0x5f0 net/batman-adv/send.c:108
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0x6d7/0x8e0 net/batman-adv/bat_iv_ogm.c:1701
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Fixes: 7ede7b0348 ("taprio: make clock reference conversions easier")
Fixes: 5400206610 ("taprio: Adjust timestamps for TCP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vedang Patel <vedang.patel@intel.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://lore.kernel.org/r/20211108180815.1822479-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-18 14:04:27 +01:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:50:34 +02:00
9p 9p/trans_virtio: Remove sysfs file on probe failure 2021-09-26 14:08:57 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:16:11 +02:00
8021q net: vlan: fix a UAF in vlan_dev_real_dev() 2021-11-18 14:04:26 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 15:00:08 +02:00
atm
ax25
batman-adv net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
bluetooth Bluetooth: fix init and cleanup of sco_conn.timeout_work 2021-11-18 14:04:01 +01:00
bpf bpf, test, cgroup: Use sk_{alloc,free} for test cases 2021-10-27 09:56:56 +02:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:56:29 +02:00
bridge net: bridge: mcast: use multicast_membership_interval for IGMPv3 2021-10-27 09:56:54 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 12:27:56 +02:00
can can: j1939: j1939_can_recv(): ignore messages with invalid source address 2021-11-18 14:03:48 +01:00
ceph
core bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 14:04:27 +01:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 16:04:01 +01:00
dccp tcp: switch orphan_count to bare per-cpu counters 2021-11-18 14:04:08 +01:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 14:35:38 +02:00
dns_resolver
dsa net: dsa: don't allocate the slave_mii_bus using devres 2021-09-30 10:11:02 +02:00
ethernet
ethtool ethtool: fix ethtool msg len calculation for pause stats 2021-11-18 14:04:25 +01:00
hsr net: hsr: fix mac_len checks 2021-06-03 09:00:50 +02:00
ieee802154 net: Fix memory leak in ieee802154_raw_deliver 2021-08-18 08:59:12 +02:00
ife
ipv4 bpf, sockmap: Remove unhash handler for BPF sockmap usage 2021-11-18 14:04:27 +01:00
ipv6 udp6: allow SO_MARK ctrl msg to affect routing 2021-11-18 14:04:13 +01:00
iucv net/af_iucv: remove WARN_ONCE on malformed RX packets 2021-03-07 12:34:05 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-13 13:55:02 +01:00
l2tp net/l2tp: Fix reference count leak in l2tp_udp_recv_core 2021-09-22 12:27:56 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:29:14 +01:00
llc net: llc: fix skb_over_panic 2021-08-04 12:46:43 +02:00
mac80211 mac80211: check return value of rhashtable_init 2021-10-17 10:43:33 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:42:13 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 17:06:11 +01:00
mptcp mptcp: don't return sockets in foreign netns 2021-10-06 15:55:52 +02:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:42:08 +02:00
netfilter netfilter: nfnetlink_queue: fix OOB when mac header was cleared 2021-11-18 14:04:24 +01:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-18 13:40:35 +02:00
netlink netlink: annotate data races around nlk->bound 2021-10-13 10:04:27 +02:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 14:35:38 +02:00
nfc nfc: nci: fix the UAF of rf_conn_info object 2021-10-27 09:56:53 +02:00
nsh
openvswitch ovs: clear skb->tstamp in forwarding path 2021-08-26 08:35:50 -04:00
packet net/packet: annotate accesses to po->ifindex 2021-06-30 08:47:22 -04:00
phonet
psample net: psample: Fix netlink skb length with tunnel info 2021-03-07 12:34:07 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:09:21 +02:00
rds rds: stop using dmapool 2021-11-18 14:03:44 +01:00
rfkill
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() 2021-11-18 14:04:03 +01:00
sched net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any 2021-11-18 14:04:27 +01:00
sctp sctp: add vtag check in sctp_sf_ootb 2021-11-02 19:48:24 +01:00
smc net/smc: Correct spelling mistake to TCPF_SYN_RECV 2021-11-18 14:03:44 +01:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 14:04:27 +01:00
sunrpc nfsd: don't alloc under spinlock in rpc_parse_scope_id 2021-11-18 14:04:22 +01:00
switchdev net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP 2021-02-07 15:37:12 +01:00
tipc tipc: fix size validations for the MSG_CRYPTO type 2021-11-02 19:48:19 +01:00
tls net/tls: Fix flipped sign in async_wait.err assignment 2021-11-02 19:48:23 +01:00
unix af_unix: fix races in sk_peer_pid and sk_peer_cred accesses 2021-10-06 15:55:58 +02:00
vmw_vsock vsock/virtio: avoid potential deadlock when vsock device remove 2021-08-18 08:59:14 +02:00
wimax
wireless cfg80211: correct bridge/4addr mode check 2021-11-02 19:48:22 +01:00
x25 net/x25: Return the correct errno code 2021-06-18 10:00:06 +02:00
xdp xsk: Fix broken Tx ring validation 2021-07-14 16:56:23 +02:00
xfrm net: xfrm: Fix end of loop tests for list_for_each_entry 2021-08-26 08:35:35 -04:00
compat.c net: Return the correct errno code 2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c ethtool: improve compat ioctl handling 2021-09-18 13:40:21 +02:00
sysctl_net.c