korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-26 13:44:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
8811f4a983
linux/net
History
Eric Dumazet 8811f4a983 tcp: add sanity tests to TCP_QUEUE_SEQ 
Qingyu Li reported a syzkaller bug where the repro
changes RCV SEQ _after_ restoring data in the receive queue.

mprotect(0x4aa000, 12288, PROT_READ)    = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)

syslog shows:
[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0

This should not be allowed. TCP_QUEUE_SEQ should only be used
when queues are empty.

This patch fixes this case, and the tx path as well.

Fixes: ee9952831c ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212005
Reported-by: Qingyu Li <ieatmuttonchuan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-03-01 15:32:05 -08:00
..
6lowpan
9p net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-01-14 18:34:50 -08:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-02-12 16:40:28 -08:00
atm net: atm: pppoatm: use new API for wakeup tasklet 2021-01-29 18:24:05 -08:00
ax25
batman-adv This feature/cleanup patchset is an updated version of the pull request 2021-02-08 11:32:40 -08:00
bluetooth Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kern 2021-02-11 14:59:01 -08:00
bpf Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-01-20 12:16:11 -08:00
bpfilter net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
bridge bridge: mrp: Update br_mrp to use new return values of br_mrp_switchdev 2021-02-16 14:47:46 -08:00
caif net: caif: Use netif_rx_any_context(). 2021-02-15 13:21:48 -08:00
can net: introduce CAN specific pointer in the struct net_device 2021-02-24 14:32:15 -08:00
ceph libceph: remove osdtimeout option entirely 2021-02-16 12:09:52 +01:00
core net: expand textsearch ts_state to fit skb_seq_state 2021-03-01 15:25:24 -08:00
dcb net: dcb: use obj-$(CONFIG_DCB) form in net/Makefile 2021-01-27 17:03:52 -08:00
dccp dccp: Return the correct errno code 2021-02-06 11:15:28 -08:00
decnet net: decnet: fix netdev refcount leaking on error path 2021-01-27 17:33:46 -08:00
dns_resolver net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
dsa net: dsa: tag_mtk: fix 802.1ad VLAN egress 2021-03-01 15:29:43 -08:00
ethernet net: datagram: fix some kernel-doc markups 2020-11-17 14:15:03 -08:00
ethtool ethtool: fix the check logic of at least one channel for RX/TX 2021-02-28 11:49:07 -08:00
hsr net: hsr: add support for EntryForgetTime 2021-02-25 09:41:51 -08:00
ieee802154 treewide: rename nla_strlcpy to nla_strscpy. 2020-11-16 08:08:54 -08:00
ife net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
ipv4 tcp: add sanity tests to TCP_QUEUE_SEQ 2021-03-01 15:32:05 -08:00
ipv6 net: always use icmp{,v6}_ndo_send from ndo_start_xmit 2021-03-01 13:11:35 -08:00
iucv net/af_iucv: build SG skbs for TRANS_HIPER sockets 2021-01-28 20:36:22 -08:00
kcm net: group skb_shinfo zerocopy related bits together. 2021-01-07 16:08:37 -08:00
key af_key: relax availability checks for skb size calculation 2021-01-04 10:05:50 +01:00
l2tp lsm,selinux: pass flowi_common instead of flowi to the LSM hooks 2020-11-23 18:36:21 -05:00
l3mdev net: l3mdev: use obj-$(CONFIG_NET_L3_MASTER_DEV) form in net/Makefile 2021-01-27 17:03:52 -08:00
lapb net: lapb: Copy the skb before sending a packet 2021-02-02 08:40:48 -08:00
llc net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
mac80211 cfg80211/mac80211: Support disabling HE mode 2021-02-12 09:33:34 +01:00
mac802154 net: mac802154: convert tasklets to use new tasklet_setup() API 2020-11-07 10:40:56 -08:00
mpls mpls: drop skb's dst in mpls_forward() 2020-11-03 12:55:53 -08:00
mptcp mptcp: do not wakeup listener for MPJ subflows 2021-02-22 18:54:59 -08:00
ncsi net/ncsi: Use real net-device for response handler 2020-12-23 12:22:23 -08:00
netfilter netfilter: nftables: introduce table ownership 2021-02-15 18:17:15 +01:00
netlabel Merge https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-11-19 19:08:46 -08:00
netlink mptcp: avoid lock_fast usage in accept path 2021-02-12 16:31:46 -08:00
netrom
nfc TTY/Serial driver changes for 5.12-rc1 2021-02-20 21:28:04 -08:00
nsh
openvswitch net: openvswitch: add log message for error case 2021-01-14 16:32:14 -08:00
packet net/packet: Improve the comment about LL header visibility criteria 2021-02-06 14:59:28 -08:00
phonet
psample net: psample: Fix netlink skb length with tunnel info 2021-02-25 09:49:46 -08:00
qrtr net/qrtr: fix __netdev_alloc_skb call 2021-03-01 13:24:03 -08:00
rds net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS 2021-02-02 08:44:08 -08:00
rfkill rfkill: add a reason to the HW rfkill state 2020-12-11 12:47:17 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc rxrpc: Fix dependency on IPv6 in udp tunnel config 2021-02-12 16:42:05 -08:00
sched net/sched: cls_flower: validate ct_state for invalid and reply flags 2021-02-23 12:23:44 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-02-10 13:30:12 -08:00
smc net/smc: use memcpy instead of snprintf to avoid out of bounds read 2021-01-12 20:22:01 -08:00
strparser
sunrpc Optimization: 2021-02-22 13:29:55 -08:00
switchdev net: bridge: propagate extack through switchdev_port_attr_set 2021-02-14 17:38:11 -08:00
tipc tipc: remove duplicated code in tipc_msg_create 2021-01-27 18:50:07 -08:00
tls net/tls: Select SOCK_RX_QUEUE_MAPPING from TLS_DEVICE 2021-02-11 19:08:06 -08:00
unix af_unix: handle idmapped mounts 2021-01-24 14:27:18 +01:00
vmw_vsock vsock: fix locking in vsock_shutdown() 2021-02-09 15:31:22 -08:00
wireless cfg80211/mac80211: Support disabling HE mode 2021-02-12 09:33:34 +01:00
x25 net: x25: Remove unimplemented X.25-over-LLC code stubs 2020-12-12 17:15:33 -08:00
xdp xsk: Fold xp_assign_dev and __xp_assign_dev 2021-01-25 23:56:33 +01:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2021-02-09 11:23:41 -08:00
compat.c iov_iter: transparently handle compat iovecs in import_iovec 2020-10-03 00:02:13 -04:00
devres.c
Kconfig net/sock: Add kernel config SOCK_RX_QUEUE_MAPPING 2021-02-11 19:08:06 -08:00
Makefile net: l3mdev: use obj-$(CONFIG_NET_L3_MASTER_DEV) form in net/Makefile 2021-01-27 17:03:52 -08:00
socket.c idmapped-mounts-v5.12 2021-02-23 13:39:45 -08:00
sysctl_net.c