15 Nov, 2020

1 commit

  • A call trace was found in Hangbin's Codenomicon testing with debug kernel:

    [ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp]
    [ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0
    [ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0
    [ 2616.191533] Call Trace:
    [ 2616.194265]
    [ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0
    [ 2616.207336] slab_free_freelist_hook+0xeb/0x140
    [ 2616.220971] kfree+0xd6/0x2c0
    [ 2616.224293] rcu_do_batch+0x3bd/0xc70
    [ 2616.243096] rcu_core+0x8b9/0xd00
    [ 2616.256065] __do_softirq+0x23d/0xacd
    [ 2616.260166] irq_exit+0x236/0x2a0
    [ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620
    [ 2616.269138] apic_timer_interrupt+0xf/0x20
    [ 2616.273711]

    This is because it holds asoc when transport->proto_unreach_timer starts
    and puts asoc when the timer stops, and without holding transport the
    transport could be freed when the timer is still running.

    So fix it by holding/putting transport instead for proto_unreach_timer
    in transport, just like other timers in transport.

    v1->v2:
    - Also use sctp_transport_put() for the "out_unlock:" path in
    sctp_generate_proto_unreach_event(), as Marcelo noticed.

    Fixes: 50b5d6ad6382 ("sctp: Fix a race between ICMP protocol unreachable and connect()")
    Reported-by: Hangbin Liu
    Signed-off-by: Xin Long
    Acked-by: Marcelo Ricardo Leitner
    Link: https://lore.kernel.org/r/102788809b554958b13b95d33440f5448113b8d6.1605331373.git.lucien.xin@gmail.com
    Signed-off-by: Jakub Kicinski

    Xin Long
     

03 Nov, 2020

1 commit

  • Commit 978aa0474115 ("sctp: fix some type cast warnings introduced since
    very beginning") broke err reading from sctp_arg, because it reads the
    value as 32-bit integer, although the value is stored as 16-bit integer.
    Later this value is passed to the userspace in 16-bit variable, thus the
    user always gets 0 on big-endian platforms. Fix it by reading the __u16
    field of sctp_arg union, as reading err field would produce a sparse
    warning.

    Fixes: 978aa0474115 ("sctp: fix some type cast warnings introduced since very beginning")
    Signed-off-by: Petr Malat
    Acked-by: Marcelo Ricardo Leitner
    Link: https://lore.kernel.org/r/20201030132633.7045-1-oss@malat.biz
    Signed-off-by: Jakub Kicinski

    Petr Malat
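
The width mismatch described in this commit message, as an added example that is not code from the kernel or from the patch. `struct arg_slot`, `store_u16()`, `load_u32()` and the other names are hypothetical; byte order is modelled with explicit byte arrays so both cases can be checked on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum cpu_order { CPU_LE, CPU_BE };

/* Four raw bytes standing in for a union that overlays a 16-bit and a
 * 32-bit member at the same address (hypothetical model, not sctp_arg). */
struct arg_slot { uint8_t raw[4]; };

/* Write the 16-bit member: the slot is zeroed, then the first two bytes
 * are filled in the byte order of the modelled CPU. */
struct arg_slot store_u16(uint16_t v, enum cpu_order o)
{
    struct arg_slot s;
    memset(&s, 0, sizeof(s));
    s.raw[o == CPU_BE ? 0 : 1] = (uint8_t)(v >> 8);
    s.raw[o == CPU_BE ? 1 : 0] = (uint8_t)(v & 0xff);
    return s;
}

/* Read the 16-bit member back from the first two bytes. */
uint16_t load_u16(const struct arg_slot *s, enum cpu_order o)
{
    return o == CPU_BE ? (uint16_t)((s->raw[0] << 8) | s->raw[1])
                       : (uint16_t)((s->raw[1] << 8) | s->raw[0]);
}

/* Read the 32-bit member, which covers all four bytes. */
uint32_t load_u32(const struct arg_slot *s, enum cpu_order o)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = (o == CPU_BE) ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)s->raw[i] << shift;
    }
    return v;
}

/* Stored as 16 bits, read as 32 bits, then handed to a 16-bit variable. */
uint16_t report_mismatched(uint16_t err, enum cpu_order o)
{
    struct arg_slot s = store_u16(err, o);
    return (uint16_t)load_u32(&s, o);
}

/* Stored and read through the same 16-bit member. */
uint16_t report_matched(uint16_t err, enum cpu_order o)
{
    struct arg_slot s = store_u16(err, o);
    return load_u16(&s, o);
}

int main(void)
{
    uint16_t err = 0x000c; /* constructed sample error value */
    printf("mismatched LE=0x%04x BE=0x%04x\n",
           report_mismatched(err, CPU_LE), report_mismatched(err, CPU_BE));
    printf("matched    LE=0x%04x BE=0x%04x\n",
           report_matched(err, CPU_LE), report_matched(err, CPU_BE));
    return 0;
}
```

On the little-endian model the mismatch is invisible because the low 16 bits of the 32-bit read are the stored value, which is why such a bug can pass testing on x86.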
     

09 Oct, 2020

2 commits

  • Small conflict around locking in rxrpc_process_event() -
    channel_lock moved to bundle in next, while state lock
    needs _bh() from net.

    Signed-off-by: Jakub Kicinski

    Jakub Kicinski
     
  • After freeing ep->auth_hmacs we have to clear the pointer
    or risk use-after-free as reported by syzbot:

    BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
    BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
    BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
    Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874

    CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x198/0x1fd lib/dump_stack.c:118
    print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
    __kasan_report mm/kasan/report.c:513 [inline]
    kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
    sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
    sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
    sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
    sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203
    sctp_endpoint_put net/sctp/endpointola.c:236 [inline]
    sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183
    sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981
    sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415
    sk_common_release+0x64/0x390 net/core/sock.c:3254
    sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533
    inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
    inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475
    __sock_release+0xcd/0x280 net/socket.c:596
    sock_close+0x18/0x20 net/socket.c:1277
    __fput+0x285/0x920 fs/file_table.c:281
    task_work_run+0xdd/0x190 kernel/task_work.c:141
    exit_task_work include/linux/task_work.h:25 [inline]
    do_exit+0xb7d/0x29f0 kernel/exit.c:806
    do_group_exit+0x125/0x310 kernel/exit.c:903
    __do_sys_exit_group kernel/exit.c:914 [inline]
    __se_sys_exit_group kernel/exit.c:912 [inline]
    __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x43f278
    Code: Bad RIP value.
    RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278
    RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
    RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
    R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001
    R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000

    Allocated by task 6874:
    kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
    kasan_set_track mm/kasan/common.c:56 [inline]
    __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
    kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554
    kmalloc include/linux/slab.h:554 [inline]
    kmalloc_array include/linux/slab.h:593 [inline]
    kcalloc include/linux/slab.h:605 [inline]
    sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464
    sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
    sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
    sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
    __sys_setsockopt+0x2db/0x610 net/socket.c:2132
    __do_sys_setsockopt net/socket.c:2143 [inline]
    __se_sys_setsockopt net/socket.c:2140 [inline]
    __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Freed by task 6874:
    kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
    kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
    kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
    __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
    __cache_free mm/slab.c:3422 [inline]
    kfree+0x10e/0x2b0 mm/slab.c:3760
    sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline]
    sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
    sctp_auth_init_hmacs net/sctp/auth.c:496 [inline]
    sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454
    sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
    sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
    sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
    __sys_setsockopt+0x2db/0x610 net/socket.c:2132
    __do_sys_setsockopt net/socket.c:2143 [inline]
    __se_sys_setsockopt net/socket.c:2140 [inline]
    __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Fixes: 1f485649f529 ("[SCTP]: Implement SCTP-AUTH internals")
    Signed-off-by: Eric Dumazet
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: Jakub Kicinski

    Eric Dumazet
     

23 Sep, 2020

1 commit

  • Two minor conflicts:

    1) net/ipv4/route.c, adding a new local variable while
    moving another local variable and removing its
    initial assignment.

    2) drivers/net/dsa/microchip/ksz9477.c, overlapping changes.
    One pretty prints the port mode differently, whilst another
    changes the driver to try and obtain the port mode from
    the port node rather than the switch node.

    Signed-off-by: David S. Miller

    David S. Miller
     

21 Sep, 2020

1 commit

  • When calculating ancestor_size with IPv6 enabled, simply using
    sizeof(struct ipv6_pinfo) doesn't account for extra bytes needed for
    alignment in the struct sctp6_sock. On x86, there aren't any extra
    bytes, but on ARM the ipv6_pinfo structure is aligned on an 8-byte
    boundary so there were 4 pad bytes that were omitted from the
    ancestor_size calculation. This would lead to corruption of the
    pd_lobby pointers, causing an oops when trying to free the sctp
    structure on socket close.

    Fixes: 636d25d557d1 ("sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant")
    Signed-off-by: Henry Ptasinski
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Henry Ptasinski
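
The padding effect described in this commit message, as an added example that is not code from the kernel or from the patch. The structs are hypothetical stand-ins sized so that the 4 pad bytes appear on any host, and `ancestor_padded()` is one padding-proof way to compute the size, assumed here for illustration rather than taken from the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; not the kernel's struct definitions. */
struct inet_part { uint32_t hdr[2]; };              /* parent socket part       */
struct sctp_part {                                  /* 28 bytes, 4-byte aligned */
    struct inet_part inet;
    uint32_t settings[4];                           /* meant to be copied       */
    uint32_t pd_lobby;                              /* must NOT be copied       */
};
struct pinfo { _Alignas(8) unsigned char b[16]; };  /* 8-byte aligned           */
struct sock6 { struct sctp_part sctp; struct pinfo inet6; };

/* Padding the compiler inserts between sctp and inet6. */
size_t pad_bytes(void)
{
    return offsetof(struct sock6, inet6) - sizeof(struct sctp_part);
}

/* Bytes excluded from the copy, summing sizeof() of each piece:
 * the alignment padding in front of inet6 is not counted. */
size_t ancestor_naive(void)
{
    return sizeof(struct inet_part) + sizeof(struct sctp_part)
         - offsetof(struct sctp_part, pd_lobby) + sizeof(struct pinfo);
}

/* Same quantity derived from the size of the whole object, so any
 * padding inside it is included automatically. */
size_t ancestor_padded(void)
{
    return sizeof(struct inet_part) + sizeof(struct sock6)
         - offsetof(struct sctp_part, pd_lobby);
}

/* Copy what follows the parent part, minus `ancestor` bytes, and return
 * the destination's pd_lobby afterwards. */
uint32_t lobby_after_copy(size_t ancestor)
{
    struct sock6 from, to;
    memset(&from, 0, sizeof(from));
    memset(&to, 0, sizeof(to));
    from.sctp.pd_lobby = 0xDEADBEEFu;   /* source socket's private state */
    to.sctp.pd_lobby = 0x11111111u;     /* new socket's own state        */
    memcpy((unsigned char *)&to + sizeof(struct inet_part),
           (unsigned char *)&from + sizeof(struct inet_part),
           sizeof(struct sock6) - ancestor);
    return to.sctp.pd_lobby;
}

int main(void)
{
    printf("pad bytes: %zu\n", pad_bytes());
    printf("naive:  ancestor=%zu pd_lobby=0x%08x\n", ancestor_naive(),
           (unsigned)lobby_after_copy(ancestor_naive()));
    printf("padded: ancestor=%zu pd_lobby=0x%08x\n", ancestor_padded(),
           (unsigned)lobby_after_copy(ancestor_padded()));
    return 0;
}
```

With the naive size the copy runs 4 bytes long and overwrites the destination's `pd_lobby`; when the trailing struct needs no extra alignment the two calculations agree, which matches the x86 behaviour the message describes.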
     

05 Sep, 2020

1 commit

  • We got slightly different patches removing a double word
    in a comment in net/ipv4/raw.c - picked the version from net.

    Simple conflict in drivers/net/ethernet/ibm/ibmvnic.c. Use cached
    values instead of VNIC login response buffer (following what
    commit 507ebe6444a4 ("ibmvnic: Fix use-after-free of VNIC login
    response buffer") did).

    Signed-off-by: Jakub Kicinski

    Jakub Kicinski
     

04 Sep, 2020

1 commit

  • Pull networking fixes from David Miller:

    1) Use netif_rx_ni() when necessary in batman-adv stack, from Jussi
    Kivilinna.

    2) Fix loss of RTT samples in rxrpc, from David Howells.

    3) Memory leak in hns_nic_dev_probe(), from Dinghao Liu.

    4) ravb module cannot be unloaded, fix from Yuusuke Ashizuka.

    5) We disable BH for too long in sctp_get_port_local(), add a
    cond_resched() here as well, from Xin Long.

    6) Fix memory leak in st95hf_in_send_cmd, from Dinghao Liu.

    7) Out of bound access in bpf_raw_tp_link_fill_link_info(), from
    Yonghong Song.

    8) Missing of_node_put() in mt7530 DSA driver, from Sumera
    Priyadarsini.

    9) Fix crash in bnxt_fw_reset_task(), from Michael Chan.

    10) Fix geneve tunnel checksumming bug in hns3, from Yi Li.

    11) Memory leak in rxkad_verify_response, from Dinghao Liu.

    12) In tipc, don't use smp_processor_id() in preemptible context. From
    Tuong Lien.

    13) Fix signedness issue in mlx4 memory allocation, from Shung-Hsi Yu.

    14) Missing clk_disable_prepare() in gemini driver, from Dan Carpenter.

    15) Fix ABI mismatch between driver and firmware in nfp, from Louis
    Peens.

    * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (110 commits)
    net/smc: fix sock refcounting in case of termination
    net/smc: reset sndbuf_desc if freed
    net/smc: set rx_off for SMCR explicitly
    net/smc: fix toleration of fake add_link messages
    tg3: Fix soft lockup when tg3_reset_task() fails.
    doc: net: dsa: Fix typo in config code sample
    net: dp83867: Fix WoL SecureOn password
    nfp: flower: fix ABI mismatch between driver and firmware
    tipc: fix shutdown() of connectionless socket
    ipv6: Fix sysctl max for fib_multipath_hash_policy
    drivers/net/wan/hdlc: Change the default of hard_header_len to 0
    net: gemini: Fix another missing clk_disable_unprepare() in probe
    net: bcmgenet: fix mask check in bcmgenet_validate_flow()
    amd-xgbe: Add support for new port mode
    net: usb: dm9601: Add USB ID of Keenetic Plus DSL
    vhost: fix typo in error message
    net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
    pktgen: fix error message with wrong function name
    net: ethernet: ti: am65-cpsw: fix rmii 100Mbit link mode
    cxgb4: fix thermal zone device registration
    ...

    Linus Torvalds
     

25 Aug, 2020

8 commits

  • Drop the repeated word "an".

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated words "for", "that", and "a".
    Change "his" to "this".

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated words "of" and "that".
    Add some punctuation for readability.

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated word "the".

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated word "of".

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated word "the" and "now".

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • Drop the repeated word "the" in two places.

    Signed-off-by: Randy Dunlap
    Cc: Vlad Yasevich
    Cc: Neil Horman
    Cc: Marcelo Ricardo Leitner
    Cc: linux-sctp@vger.kernel.org
    Cc: "David S. Miller"
    Cc: Jakub Kicinski
    Signed-off-by: David S. Miller

    Randy Dunlap
     
  • With disabling bh in the whole sctp_get_port_local(), when
    snum == 0 and too many ports have been used, the do-while
    loop will take the cpu for a long time and cause cpu stuck:

    [ ] watchdog: BUG: soft lockup - CPU#11 stuck for 22s!
    [ ] RIP: 0010:native_queued_spin_lock_slowpath+0x4de/0x940
    [ ] Call Trace:
    [ ] _raw_spin_lock+0xc1/0xd0
    [ ] sctp_get_port_local+0x527/0x650 [sctp]
    [ ] sctp_do_bind+0x208/0x5e0 [sctp]
    [ ] sctp_autobind+0x165/0x1e0 [sctp]
    [ ] sctp_connect_new_asoc+0x355/0x480 [sctp]
    [ ] __sctp_connect+0x360/0xb10 [sctp]

    There's no need to disable bh in the whole function of
    sctp_get_port_local. So fix this cpu stuck by removing
    local_bh_disable() called at the beginning, and using
    spin_lock_bh() instead.

    The same thing was actually done for inet_csk_get_port() in
    Commit ea8add2b1903 ("tcp/dccp: better use of ephemeral
    ports in bind()").

    Thanks to Marcelo for pointing the buggy code out.

    v1->v2:
    - use cond_resched() to yield cpu to other tasks if needed,
    as Eric noticed.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Ying Xu
    Signed-off-by: Xin Long
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Xin Long
     

24 Aug, 2020

1 commit

  • Replace the existing /* fall through */ comments and its variants with
    the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
    fall-through markings when it is the case.

    [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through

    Signed-off-by: Gustavo A. R. Silva

    Gustavo A. R. Silva
     

21 Aug, 2020

1 commit

  • The number of output and input streams was never being reduced, e.g. when
    processing received INIT or INIT_ACK chunks.
    The effect is that DATA chunks can be sent with invalid stream ids
    and then discarded by the remote system.

    Fixes: 2075e50caf5ea ("sctp: convert to genradix")
    Signed-off-by: David Laight
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    David Laight
     

08 Aug, 2020

1 commit

  • As said by Linus:

    A symmetric naming is only helpful if it implies symmetries in use.
    Otherwise it's actively misleading.

    In "kzalloc()", the z is meaningful and an important part of what the
    caller wants.

    In "kzfree()", the z is actively detrimental, because maybe in the
    future we really _might_ want to use that "memfill(0xdeadbeef)" or
    something. The "zero" part of the interface isn't even _relevant_.

    The main reason that kzfree() exists is to clear sensitive information
    that should not be leaked to other future users of the same memory
    objects.

    Rename kzfree() to kfree_sensitive() to follow the example of the recently
    added kvfree_sensitive() and make the intention of the API more explicit.
    In addition, memzero_explicit() is used to clear the memory to make sure
    that it won't get optimized away by the compiler.

    The renaming is done by using the command sequence:

    git grep -w --name-only kzfree |\
    xargs sed -i 's/kzfree/kfree_sensitive/'

    followed by some editing of the kfree_sensitive() kerneldoc and adding
    a kzfree backward compatibility macro in slab.h.

    [akpm@linux-foundation.org: fs/crypto/inline_crypt.c needs linux/slab.h]
    [akpm@linux-foundation.org: fix fs/crypto/inline_crypt.c some more]

    Suggested-by: Joe Perches
    Signed-off-by: Waiman Long
    Signed-off-by: Andrew Morton
    Acked-by: David Howells
    Acked-by: Michal Hocko
    Acked-by: Johannes Weiner
    Cc: Jarkko Sakkinen
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: Joe Perches
    Cc: Matthew Wilcox
    Cc: David Rientjes
    Cc: Dan Carpenter
    Cc: "Jason A . Donenfeld"
    Link: http://lkml.kernel.org/r/20200616154311.12314-3-longman@redhat.com
    Signed-off-by: Linus Torvalds

    Waiman Long
     

26 Jul, 2020

1 commit

  • The UDP reuseport conflict was a little bit tricky.

    The net-next code, via bpf-next, extracted the reuseport handling
    into a helper so that the BPF sk lookup code could invoke it.

    At the same time, the logic for reuseport handling of unconnected
    sockets changed via commit efc6b6f6c3113e8b203b9debfb72d81e0f3dcace
    which changed the logic to carry on the reuseport result into the
    rest of the lookup loop if we do not return immediately.

    This requires moving the reuseport_has_conns() logic into the callers.

    While we are here, get rid of inline directives as they do not belong
    in foo.c files.

    The other changes were cases of more straightforward overlapping
    modifications.

    Signed-off-by: David S. Miller

    David S. Miller
     

25 Jul, 2020

3 commits

  • The variable status is being initialized with a value that is never read
    and it is being updated later with a new value. The initialization is
    redundant and can be removed. Also put the variable declarations into
    reverse christmas tree order.

    Addresses-Coverity: ("Unused value")
    Signed-off-by: Colin Ian King
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Colin Ian King
     
  • This sockopt accepts two kinds of parameters, using struct
    sctp_sack_info and struct sctp_assoc_value. The mentioned commit didn't
    notice an implicit cast from the smaller (latter) struct to the bigger
    one (former) when copying the data from the user space, which now leads
    to an attempt to write beyond the buffer (because it assumes the storing
    buffer is bigger than the parameter itself).

    Fix it by allocating a sctp_sack_info on stack and filling it out based
    on the small struct for the compat case.

    Changelog stolen from an earlier patch from Marcelo Ricardo Leitner.

    Fixes: ebb25defdc17 ("sctp: pass a kernel pointer to sctp_setsockopt_delayed_ack")
    Reported-by: syzbot+0e4699d000d8b874d8dc@syzkaller.appspotmail.com
    Signed-off-by: Christoph Hellwig
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller

    Christoph Hellwig
     
  • Rework the remaining setsockopt code to pass a sockptr_t instead of a
    plain user pointer. This removes the last remaining set_fs(KERNEL_DS)
    outside of architecture specific code.

    Signed-off-by: Christoph Hellwig
    Acked-by: Stefan Schmidt [ieee802154]
    Acked-by: Matthieu Baerts
    Signed-off-by: David S. Miller

    Christoph Hellwig
     

23 Jul, 2020

2 commits

  • When adding a stream with stream reconf, the new stream firstly is in
    CLOSED state but new out chunks can still be enqueued. Then once gets
    the confirmation from the peer, the state will change to OPEN.

    However, if the peer denies, it needs to roll back the stream. But when
    doing that, it only sets the stream outcnt back, and the chunks already
    in the new stream don't get purged. It caused these chunks can still be
    dequeued in sctp_outq_dequeue_data().

    As its stream is still in CLOSE, the chunk will be enqueued to the head
    again by sctp_outq_head_data(). This chunk will never be sent out, and
    the chunks after it can never be dequeued. The assoc will be 'hung' in
    a dead loop of sending this chunk.

    To fix it, this patch is to purge these chunks already in the new
    stream by calling sctp_stream_shrink_out() when failing to do the
    addstream reconf.

    Fixes: 11ae76e67a17 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
    Reported-by: Ying Xu
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
  • It's not necessary to go list_for_each for outq->out_chunk_list
    when new outcnt >= old outcnt, as no chunk with higher sid than
    new (outcnt - 1) exists in the outqueue.

    While at it, also move the list_for_each code in a new function
    sctp_stream_shrink_out(), which will be used in the next patch.

    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     

20 Jul, 2020

15 commits