kernel_samsung_a53x/net/ipv4
Cong Wang 119034328d tcp_bpf: fix return value of tcp_bpf_sendmsg()
[ Upstream commit fe1910f9337bd46a9343967b547ccab26b4b2c6e ]

When we cork messages in psock->cork, the last message that triggers the
flushing will result in sending a sk_msg larger than the current
message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
negative at least in the following case:

468         case __SK_DROP:
469         default:
470                 sk_msg_free_partial(sk, msg, tosend);
471                 sk_msg_apply_bytes(psock, tosend);
472                 *copied -= (tosend + delta); // <==== HERE
473                 return -EACCES;

Therefore, it could lead to the following BUG with a proper value of
'copied' (thanks to syzbot). We should not use negative 'copied' as a
return value here.

  ------------[ cut here ]------------
  kernel BUG at net/socket.c:733!
  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
  Modules linked in:
  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
  Hardware name: linux,dummy-virt (DT)
  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
  sp : ffff800088ea3b30
  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
  Call trace:
   sock_sendmsg_nosec net/socket.c:733 [inline]
   __sock_sendmsg+0x5c/0x60 net/socket.c:745
   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
   __do_sys_sendmsg net/socket.c:2689 [inline]
   __se_sys_sendmsg net/socket.c:2687 [inline]
   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
  ---[ end trace 0000000000000000 ]---

Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-19 00:10:01 +01:00
bpfilter Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netfilter Revert "netfilter: nf_tables: prevent nf_skb_duplicated corruption" 2024-11-24 00:23:12 +01:00
af_inet.c gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
ah4.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
arp.c arp: Prevent overflow in arp_req_get(). 2024-11-18 22:25:42 +01:00
bpf_tcp_ca.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
cipso_ipv4.c cipso: fix total option length computation 2024-11-19 14:19:08 +01:00
datagram.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
devinet.c Revert "ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR)." 2024-11-24 00:23:08 +01:00
esp4.c Revert "net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP" 2024-11-24 00:23:57 +01:00
esp4_offload.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_frontend.c Revert "ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family" 2024-11-24 00:23:08 +01:00
fib_lookup.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_notifier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_rules.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_semantics.c net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
fib_trie.c net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
fou.c fou: remove sparse errors 2025-01-19 00:10:01 +01:00
gre_demux.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gre_offload.c gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
icmp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
igmp.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-11-19 08:44:49 +01:00
inet_connection_sock.c tcp: properly terminate timers for kernel sockets 2024-11-19 09:22:44 +01:00
inet_diag.c inet_diag: Initialize pad field in struct inet_diag_req_v2 2024-11-19 14:19:41 +01:00
inet_fragment.c Revert "inet: inet_defrag: prevent sk release while still in use" 2024-11-24 00:23:32 +01:00
inet_hashtables.c Revert "net: set SOCK_RCU_FREE before inserting socket into hashtable" 2024-11-24 00:23:47 +01:00
inet_timewait_sock.c tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() 2024-11-19 11:32:40 +01:00
inetpeer.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ip_forward.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ip_fragment.c Revert "inet: inet_defrag: prevent sk release while still in use" 2024-11-24 00:23:32 +01:00
ip_gre.c Revert "ipv4: ip_gre: Fix drops of small packets in ipgre_xmit" 2024-11-24 00:23:12 +01:00
ip_input.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ip_options.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ip_output.c net: ipv4: fix a memleak in ip_setup_cork 2024-11-18 12:13:22 +01:00
ip_sockglue.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-11-19 08:44:49 +01:00
ip_tunnel.c net: Handle l3mdev in ip_tunnel_init_flow 2024-11-23 23:21:53 +01:00
ip_tunnel_core.c tunnels: fix out of bounds access when building IPv6 PMTU error 2024-11-18 12:13:24 +01:00
ip_vti.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipcomp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipconfig.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipip.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipmr.c ipmr: fix tables suspicious RCU usage 2024-12-17 13:24:16 +01:00
ipmr_base.c ipmr: Fix access to mfc_cache_list without lock held 2024-12-17 13:23:58 +01:00
Kconfig Revert "net: tcp: bbrplus for 5.10" 2025-01-17 22:17:46 +01:00
Makefile Revert "net: tcp: bbrplus for 5.10" 2025-01-17 22:17:46 +01:00
metrics.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netfilter.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netlink.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nexthop.c Revert "net: nexthop: Initialize all fields in dumped nexthops" 2024-11-24 00:23:55 +01:00
ping.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
proc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
protocol.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
raw.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
raw_diag.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
route.c Revert "ipv4: Fix incorrect source address in Record Route option" 2024-11-24 00:23:56 +01:00
syncookies.c tcp: fix cookie_init_timestamp() overflows 2024-11-18 11:42:50 +01:00
sysctl_net_ipv4.c tcp: add sysctls for TCP PLB parameters 2024-12-18 15:08:12 +01:00
tcp.c Revert "tcp: add rcv_wnd and plb_rehash to TCP_INFO" 2024-12-18 15:32:40 +01:00
tcp_bbr.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_bic.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_bpf.c tcp_bpf: fix return value of tcp_bpf_sendmsg() 2025-01-19 00:10:01 +01:00
tcp_cdg.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_cong.c Revert "net-tcp: add fast_ack_mode=1: skip rwin check in tcp_fast_ack_mode__tcp_ack_snd_check()" 2024-12-18 15:32:27 +01:00
tcp_cubic.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_dctcp.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_dctcp.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_diag.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_fastopen.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_highspeed.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_htcp.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_hybla.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_illinois.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_input.c Revert "tcp: tracking packets with CE marks in BW rate sample" 2024-12-18 15:36:41 +01:00
tcp_ipv4.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_lp.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_metrics.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_minisocks.c Revert "tcp: introduce per-route feature RTAX_FEATURE_ECN_LOW" 2024-12-18 15:36:29 +01:00
tcp_nv.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_offload.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_output.c Revert "net: tcp: bbrplus for 5.10" 2025-01-17 22:17:46 +01:00
tcp_rate.c Revert "tcp: tracking packets with CE marks in BW rate sample" 2024-12-18 15:36:41 +01:00
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2024-11-08 11:26:10 +01:00
tcp_scalable.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_timer.c net-tcp_bbr: broaden app-limited rate sample detection 2024-12-18 15:07:30 +01:00
tcp_ulp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_vegas.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_vegas.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tcp_veno.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_westwood.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcp_yeah.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tunnel4.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp.c udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). 2024-11-19 14:19:43 +01:00
udp_bpf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp_diag.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp_impl.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp_offload.c fou: remove sparse errors 2025-01-19 00:10:01 +01:00
udp_tunnel_core.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp_tunnel_nic.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udp_tunnel_stub.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udplite.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xfrm4_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-11-19 11:32:45 +01:00
xfrm4_output.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xfrm4_policy.c xfrm: respect ip protocols rules criteria when performing dst lookups 2024-11-23 23:22:00 +01:00
xfrm4_protocol.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xfrm4_state.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xfrm4_tunnel.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00