From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, Andrey Konovalov, Benjamin LaHaise, Herbert Xu, "David S. Miller", Zubin Mithra
Subject: [PATCH 4.4 119/230] udplite: call proper backlog handlers
Date: Fri, 22 Mar 2019 12:14:17 +0100
Message-Id: <20190322111245.019934032@linuxfoundation.org>
In-Reply-To: <20190322111236.796964179@linuxfoundation.org>
References: <20190322111236.796964179@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet

commit 30c7be26fd3587abcb69587f781098e3ca2d565b upstream.

In commits 93821778def10 ("udp: Fix rcv socket locking") and
f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into
__udpv6_queue_rcv_skb") UDP backlog handlers were renamed, but UDPlite
was forgotten.

This leads to crashes if UDPlite header is pulled twice, which happens
starting from commit e6afc8ace6dd ("udp: remove headers from UDP packets
before queueing")

Bug found by syzkaller team, thanks a lot guys !

Note that backlog use in UDP/UDPlite is scheduled to be removed starting
from linux-4.10, so this patch is only needed up to linux-4.9

Fixes: 93821778def1 ("udp: Fix rcv socket locking")
Fixes: f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into __udpv6_queue_rcv_skb")
Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Cc: Benjamin LaHaise
Cc: Herbert Xu
Signed-off-by: David S. Miller
Cc: Zubin Mithra
Signed-off-by: Greg Kroah-Hartman --- net/ipv4/udp.c | 2 +- net/ipv4/udp_impl.h | 2 +- net/ipv4/udplite.c | 2 +- net/ipv6/udp.c | 2 +- net/ipv6/udp_impl.h | 2 +- net/ipv6/udplite.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1463,7 +1463,7 @@ static void udp_v4_rehash(struct sock *s udp_lib_rehash(sk, new_hash); } -static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) { int rc; --- a/net/ipv4/udp_impl.h +++ b/net/ipv4/udp_impl.h @@ -25,7 +25,7 @@ int udp_recvmsg(struct sock *sk, struct int flags, int *addr_len); int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size, int flags); -int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); +int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); void udp_destroy_sock(struct sock *sk); #ifdef CONFIG_PROC_FS --- a/net/ipv4/udplite.c +++ b/net/ipv4/udplite.c @@ -50,7 +50,7 @@ struct proto udplite_prot = { .sendmsg = udp_sendmsg, .recvmsg = udp_recvmsg, .sendpage = udp_sendpage, - .backlog_rcv = udp_queue_rcv_skb, + .backlog_rcv = __udp_queue_rcv_skb, .hash = udp_lib_hash, .unhash = udp_lib_unhash, .get_port = udp_v4_get_port, --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -585,7 +585,7 @@ out: sock_put(sk); } -static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) { int rc; --- a/net/ipv6/udp_impl.h +++ b/net/ipv6/udp_impl.h @@ -26,7 +26,7 @@ int compat_udpv6_getsockopt(struct sock int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len); int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, int flags, int *addr_len); -int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); +int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); void udpv6_destroy_sock(struct sock *sk); void udp_v6_clear_sk(struct sock *sk, int size); 
--- a/net/ipv6/udplite.c +++ b/net/ipv6/udplite.c @@ -45,7 +45,7 @@ struct proto udplitev6_prot = { .getsockopt = udpv6_getsockopt, .sendmsg = udpv6_sendmsg, .recvmsg = udpv6_recvmsg, - .backlog_rcv = udpv6_queue_rcv_skb, + .backlog_rcv = __udpv6_queue_rcv_skb, .hash = udp_lib_hash, .unhash = udp_lib_unhash, .get_port = udp_v6_get_port,
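Review bot: dropping `static` from __udp_queue_rcv_skb() in net/ipv4/udp.c and from __udpv6_queue_rcv_skb() in net/ipv6/udp.c gives two double-underscore helpers external linkage without documenting their contract. Since the commit message attributes the crash to the UDPlite header being pulled twice, a one-line comment above each definition stating that this is the backlog path and that the header must not be pulled again would help the next person who wires up a `.backlog_rcv` handler.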
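Review bot: in net/ipv4/udp_impl.h and net/ipv6/udp_impl.h the prototypes for udp_queue_rcv_skb() and udpv6_queue_rcv_skb() are replaced rather than kept alongside the new ones. The diff only shows the two udplite.c users being converted, so it is worth confirming that no other file including these headers still calls the non-underscore functions and now relies on an implicit declaration; if any does, keep both prototypes.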
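Review bot: the `.backlog_rcv = __udp_queue_rcv_skb,` initializer in net/ipv4/udplite.c, and the matching `__udpv6_queue_rcv_skb` one in udplitev6_prot, carry no comment explaining why the underscore variant is required here. The commit message notes that UDPlite was forgotten when the UDP backlog handlers were renamed, so a short comment at each initializer saying the handler must match the one used by the UDP proto table would make a future rename harder to miss.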