linux/net/ipv4
Eric Dumazet d4ebd0fc93 tcp: fix error recovery in tcp_zerocopy_receive()
[ Upstream commit e776af608f ]

If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE
operation we want to return -EINVAL error.

But depending on zc->recv_skip_hint content, we might return
-EIO error if the socket has SOCK_DONE set.

Make sure to return -EINVAL in this case.

BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline]
 do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685
 tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131
 __sys_getsockopt+0x533/0x7b0 net/socket.c:2177
 __do_sys_getsockopt net/socket.c:2192 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Local variable ----zc@do_tcp_getsockopt created at:
 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670
 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670

Fixes: 05255b823a ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:18:36 +02:00
..
bpfilter bpfilter: remove trailing newline 2018-07-24 14:10:42 -07:00
netfilter netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct 2020-01-23 08:21:33 +01:00
af_inet.c net: don't clear sock->sk early to avoid trouble in strparser 2020-01-27 14:50:52 +01:00
ah4.c
arp.c
cipso_ipv4.c netlabel: cope with NULL catmap 2020-05-20 08:18:35 +02:00
datagram.c inet: stop leaking jiffies on the wire 2019-11-10 11:27:37 +01:00
devinet.c net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin 2020-04-21 09:03:03 +02:00
esp4_offload.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2018-07-27 09:33:37 -07:00
esp4.c esp4: add length check for UDP encapsulation 2019-05-25 18:23:41 +02:00
fib_frontend.c ipv4: fix route update on metric change. 2019-11-10 11:27:50 +01:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c ipv4: Fix table id reference in fib_sync_down_addr 2019-11-12 19:20:27 +01:00
fib_trie.c ipv4: fix a RCU-list lock in fib_triestat_seq_show 2020-04-13 10:44:57 +02:00
fou.c net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv 2019-04-27 09:36:31 +02:00
gre_demux.c gre: fix uninit-value in __iptunnel_pull_header 2020-03-18 07:14:11 +01:00
gre_offload.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-07-03 10:29:26 +09:00
icmp.c net: icmp: fix data-race in cmp_global_allow() 2020-01-04 19:13:30 +01:00
igmp.c ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12 2019-12-01 09:17:05 +01:00
inet_connection_sock.c net: memcg: fix lockdep splat in inet_csk_accept() 2020-03-18 07:14:14 +01:00
inet_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
inet_fragment.c net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:36:33 +02:00
inet_hashtables.c tcp/dccp: fix possible race __inet_lookup_established() 2020-01-04 19:13:41 +01:00
inet_timewait_sock.c
inetpeer.c inetpeer: fix data-race in inet_putpeer / inet_putpeer 2020-01-04 19:13:29 +01:00
ip_forward.c net: clear skb->tstamp in forwarding paths 2019-01-09 17:38:31 +01:00
ip_fragment.c net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:36:33 +02:00
ip_gre.c net: ip_gre: Accept IFLA_INFO_DATA-less configuration 2020-04-02 15:28:13 +02:00
ip_input.c vrf: check accept_source_route on the original netdevice 2019-04-17 08:38:42 +02:00
ip_options.c vrf: check accept_source_route on the original netdevice 2019-04-17 08:38:42 +02:00
ip_output.c net: always initialize pagedlen 2020-01-27 14:50:03 +01:00
ip_sockglue.c net: bpfilter: fix iptables failure if bpfilter_umh is disabled 2019-12-01 09:17:18 +01:00
ip_tunnel_core.c ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL 2019-08-04 09:30:57 +02:00
ip_tunnel.c net, ip_tunnel: fix interface lookup with no key 2020-04-13 10:44:57 +02:00
ip_vti.c vti4: removed duplicate log message. 2020-04-29 16:31:08 +02:00
ipcomp.c
ipconfig.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
ipip.c ipip: validate header length in ipip_tunnel_xmit 2019-08-09 17:52:30 +02:00
ipmr_base.c net: ipmr: fix unresolved entry dumps 2018-10-17 22:35:42 -07:00
ipmr.c ipmr: Fix skb headroom in ipmr_get_route(). 2019-11-20 18:45:11 +01:00
Kconfig vti[6]: fix packet tx through bpf_redirect() in XinY cases 2020-04-02 15:28:18 +02:00
Makefile net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
metrics.c net: metrics: add proper netlink validation 2018-06-05 12:29:43 -04:00
netfilter.c netfilter: utils: move nf_ip_checksum* from ipv4 to utils 2018-07-16 17:51:48 +02:00
netlink.c ipv4: Add ICMPv6 support when parse route ipproto 2019-03-10 07:17:17 +01:00
ping.c net: add helpers checking if socket can be bound to nonlocal address 2018-08-01 09:50:04 -07:00
proc.c tcp: tcp_fragment() should apply sane memory limits 2019-06-17 19:51:56 +02:00
protocol.c
raw_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
raw.c ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop 2019-07-03 13:14:46 +02:00
route.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
syncookies.c tcp: handle inet_csk_reqsk_queue_add() failures 2019-03-19 13:12:39 +01:00
sysctl_net_ipv4.c tcp: add tcp_min_snd_mss sysctl 2019-06-17 19:51:56 +02:00
tcp_bbr.c tcp_bbr: improve arithmetic division in bbr_update_bw() 2020-01-29 16:43:17 +01:00
tcp_bic.c
tcp_cdg.c
tcp_cong.c tcp: fix tcp_set_congestion_control() use from bpf hook 2019-07-28 08:29:26 +02:00
tcp_cubic.c
tcp_dctcp.c tcp: Ensure DCTCP reacts to losses 2019-04-17 08:38:41 +02:00
tcp_diag.c tcp: annotate tp->rcv_nxt lockless reads 2020-01-09 10:19:08 +01:00
tcp_fastopen.c
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: do not leave dangling pointers in tp->highest_sack 2020-01-29 16:43:17 +01:00
tcp_ipv4.c tcp: annotate tp->rcv_nxt lockless reads 2020-01-09 10:19:08 +01:00
tcp_lp.c
tcp_metrics.c
tcp_minisocks.c tcp: annotate tp->rcv_nxt lockless reads 2020-01-09 10:19:08 +01:00
tcp_nv.c
tcp_offload.c tcp: Don't coalesce decrypted and encrypted SKBs 2018-07-16 00:12:09 -07:00
tcp_output.c tcp: do not leave dangling pointers in tp->highest_sack 2020-01-29 16:43:17 +01:00
tcp_rate.c tcp: expose both send and receive intervals for rate sample 2018-07-11 23:01:56 -07:00
tcp_recovery.c tcp: add stat of data packet reordering events 2018-08-01 09:56:10 -07:00
tcp_scalable.c
tcp_timer.c tcp: fix SNMP TCP timeout under-estimation 2019-12-13 08:52:20 +01:00
tcp_ulp.c tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach 2018-08-16 14:58:08 -07:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c tcp: fix error recovery in tcp_zerocopy_receive() 2020-05-20 08:18:36 +02:00
tunnel4.c
udp_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
udp_impl.h
udp_offload.c net/udp_gso: Allow TX timestamp with UDP GSO 2020-01-27 14:50:56 +01:00
udp_tunnel.c
udp.c Revert "udp: do rmem bulk free even if the rx sk queue is empty" 2020-01-29 16:43:17 +01:00
udplite.c
xfrm4_input.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm4_mode_tunnel.c
xfrm4_output.c xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish 2020-04-29 16:31:23 +02:00
xfrm4_policy.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c