Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp2931996ybk; Mon, 18 May 2020 11:24:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwyvxuv78/LSHnd/8Oz1I6AhNYNjnspx6dCM7wd4DdVbBAcEfarQRKsn5jbvRiD6gtDInaz X-Received: by 2002:a50:b202:: with SMTP id o2mr14391146edd.251.1589826284767; Mon, 18 May 2020 11:24:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589826284; cv=none; d=google.com; s=arc-20160816; b=adr0Pb9WeP/Zs8DzOyhN2LMB67+UPiWovMSrOXyF4ZF7HuPN3+j/UYUpw46V5SFG1B LAU7wJFWdBvWUSumhq5/tCVIsBBPH/XzyN0mDiKmZo7oyVhUnUY3myovwU3To52Ajkbe sbK+qRmUHCA6pdRzsnQbjbQnbpCtQXWnp/fuYkdfPCQvyLhwXTrLDO5d4k+8l6zlpGax yK6Rs4H3KZYqvZ2SmDDKcDnXcHCrnJ6DANpNpCPOcPMlPXDRs0CWgKD06qO8NVSRg/be wMQyx1rY/XX4opzqKLuXzj86CKB7b8Bga9OTwbmu2XYjRcBK58GWtDd7rswdhkEDEXD0 lSNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=TfpzLnRcHJNAs0I/SfsTklfeobGI1TyixaBOtaqlPr0=; b=vCDhsDH3GXaSjNu+/qMVova1FOr+eH2A9c8UXWbmUwNVYSRbzykPvnVdhj66UMAsvC ikLnZjZddMt9xUDL7qtQor8vhNR41L+d7icomzRqLQpexKoe7cWMKbTxB51i7WNECfMz JeD+8inoSPZkn8qljIizSJQlXP1tvfapUv0fdAxIv09iwLiwfV6JVFLvBQNeL2ca8SSD Y/eR6fxdl2ngpXRgfC7uFZXDAW+WkQxMAcjOOO0M0aYALfDSkCfBLFh6nWgKC4VoruFv YpIRnbFZo/qwl+BNHhY4jLG0ulXfgrkw0mZpMZQ15fEmoGJr/oD6h56dhHJ0ZhBBA3MV LqNw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=FoKYT3yS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rl1si6898816ejb.167.2020.05.18.11.24.21; Mon, 18 May 2020 11:24:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=FoKYT3yS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387685AbgERSWY (ORCPT + 99 others); Mon, 18 May 2020 14:22:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:52980 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730772AbgERRun (ORCPT ); Mon, 18 May 2020 13:50:43 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C16F320674; Mon, 18 May 2020 17:50:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589824242; bh=cQVQT3iUocej6eK0goFCTG8v0zVNtUi2E3q8neVuBng=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FoKYT3ySgQ6DsEiixRdSUdgNvJeXDnNLOUusNh1CxEfuBqxCAcXHXYy3N+43IduNv xr5UgF6/WrXrdc3aAE3DnD9sPbObK9hqVcSTX3+kbpgLF2hAhrr51cbehHM+ymf5J2 UVNkL6TmMPKEsEUri6sDj0vt0xe/BaH9SNlluanc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , Soheil Hassas Yeganeh , "David S. Miller" Subject: [PATCH 4.19 14/80] tcp: fix error recovery in tcp_zerocopy_receive() Date: Mon, 18 May 2020 19:36:32 +0200 Message-Id: <20200518173453.263188710@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200518173450.097837707@linuxfoundation.org> References: <20200518173450.097837707@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit e776af608f692a7a647455106295fa34469e7475 ] If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE operation we want to return -EINVAL error. But depending on zc->recv_skip_hint content, we might return -EIO error if the socket has SOCK_DONE set. Make sure to return -EINVAL in this case. BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131 __sys_getsockopt+0x533/0x7b0 net/socket.c:2177 __do_sys_getsockopt net/socket.c:2192 [inline] __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189 __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45c829 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829 RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009 RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000 R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4 Local variable ----zc@do_tcp_getsockopt created at: do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive") Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1774,10 +1774,11 @@ static int tcp_zerocopy_receive(struct s down_read(¤t->mm->mmap_sem); - ret = -EINVAL; vma = find_vma(current->mm, address); - if (!vma || vma->vm_start > address || vma->vm_ops != &tcp_vm_ops) - goto out; + if (!vma || vma->vm_start > address || vma->vm_ops != &tcp_vm_ops) { + up_read(¤t->mm->mmap_sem); + return -EINVAL; + } zc->length = min_t(unsigned long, zc->length, vma->vm_end - address); tp = tcp_sk(sk);