* [PATCH 0/3] rxrpc: Fix oops and missing config conditionals
@ 2022-11-16 8:16 David Howells
2022-11-16 8:16 ` [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef David Howells
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: David Howells @ 2022-11-16 8:16 UTC (permalink / raw)
To: netdev; +Cc: dhowells, linux-afs, linux-kernel
The patches that were pulled into net-next previously[1] had some issues
that this patchset fixes:
(1) Fix missing IPV6 config conditionals.
(2) Fix an oops caused by calling udpv6_sendmsg() directly on an AF_INET
socket.
(3) Fix the validation of network addresses on entry to socket functions
so that we don't allow an AF_INET6 address if we've selected an
AF_INET transport socket.
Link: https://lore.kernel.org/r/166794587113.2389296.16484814996876530222.stgit@warthog.procyon.org.uk/ [1]
---
The patches are tagged here:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/rxrpc-next-20221116
And can be found on this branch:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-next
David
---
David Howells (3):
rxrpc: Fix missing IPV6 #ifdef
rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket
rxrpc: Fix network address validation
net/rxrpc/af_rxrpc.c | 9 +++++----
net/rxrpc/local_object.c | 3 ++-
net/rxrpc/output.c | 18 ++++++++++++------
3 files changed, 19 insertions(+), 11 deletions(-)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef
2022-11-16 8:16 [PATCH 0/3] rxrpc: Fix oops and missing config conditionals David Howells
@ 2022-11-16 8:16 ` David Howells
2022-11-16 8:16 ` [PATCH net-next 2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket David Howells
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: David Howells @ 2022-11-16 8:16 UTC (permalink / raw)
To: netdev; +Cc: dhowells, linux-afs, linux-kernel
Fix rxrpc_encap_err_rcv() to make the call to ipv6_icmp_error conditional
on IPV6 support being enabled.
Fixes: b6c66c4324e7 ("rxrpc: Use the core ICMP/ICMP6 parsers")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
---
net/rxrpc/local_object.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
index a178f71e5082..a943fdf91e24 100644
--- a/net/rxrpc/local_object.c
+++ b/net/rxrpc/local_object.c
@@ -33,7 +33,8 @@ static void rxrpc_encap_err_rcv(struct sock *sk, struct sk_buff *skb, int err,
{
if (ip_hdr(skb)->version == IPVERSION)
return ip_icmp_error(sk, skb, err, port, info, payload);
- return ipv6_icmp_error(sk, skb, err, port, info, payload);
+ if (IS_ENABLED(CONFIG_AF_RXRPC_IPV6))
+ return ipv6_icmp_error(sk, skb, err, port, info, payload);
}
/*
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net-next 2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket
2022-11-16 8:16 [PATCH 0/3] rxrpc: Fix oops and missing config conditionals David Howells
2022-11-16 8:16 ` [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef David Howells
@ 2022-11-16 8:16 ` David Howells
2022-11-16 8:16 ` [PATCH net-next 3/3] rxrpc: Fix network address validation David Howells
2022-11-18 12:20 ` [PATCH 0/3] rxrpc: Fix oops and missing config conditionals patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: David Howells @ 2022-11-16 8:16 UTC (permalink / raw)
To: netdev; +Cc: dhowells, linux-afs, linux-kernel
If rxrpc sees an IPv6 address, it assumes it can call udpv6_sendmsg() on it
- even if it got it on an IPv4 socket. Fix do_udp_sendmsg() to give an
error in such a case.
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
...
RIP: 0010:ipv6_addr_v4mapped include/net/ipv6.h:749 [inline]
RIP: 0010:udpv6_sendmsg+0xd0a/0x2c70 net/ipv6/udp.c:1361
...
Call Trace:
do_udp_sendmsg net/rxrpc/output.c:27 [inline]
do_udp_sendmsg net/rxrpc/output.c:21 [inline]
rxrpc_send_abort_packet+0x73b/0x860 net/rxrpc/output.c:367
rxrpc_release_calls_on_socket+0x211/0x300 net/rxrpc/call_object.c:595
rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:917
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1365
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16b/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
__do_sys_exit_group kernel/exit.c:961 [inline]
__se_sys_exit_group kernel/exit.c:959 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:959
Fixes: ed472b0c8783 ("rxrpc: Call udp_sendmsg() directly")
Reported-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
net/rxrpc/output.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 46432e70a16b..a2fe1a262f8a 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -18,15 +18,21 @@
extern int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
-static ssize_t do_udp_sendmsg(struct socket *sk, struct msghdr *msg, size_t len)
+static ssize_t do_udp_sendmsg(struct socket *socket, struct msghdr *msg, size_t len)
{
-#if IS_ENABLED(CONFIG_AF_RXRPC_IPV6)
struct sockaddr *sa = msg->msg_name;
+ struct sock *sk = socket->sk;
- if (sa->sa_family == AF_INET6)
- return udpv6_sendmsg(sk->sk, msg, len);
-#endif
- return udp_sendmsg(sk->sk, msg, len);
+ if (IS_ENABLED(CONFIG_AF_RXRPC_IPV6)) {
+ if (sa->sa_family == AF_INET6) {
+ if (sk->sk_family != AF_INET6) {
+ pr_warn("AF_INET6 address on AF_INET socket\n");
+ return -ENOPROTOOPT;
+ }
+ return udpv6_sendmsg(sk, msg, len);
+ }
+ }
+ return udp_sendmsg(sk, msg, len);
}
struct rxrpc_abort_buffer {
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net-next 3/3] rxrpc: Fix network address validation
2022-11-16 8:16 [PATCH 0/3] rxrpc: Fix oops and missing config conditionals David Howells
2022-11-16 8:16 ` [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef David Howells
2022-11-16 8:16 ` [PATCH net-next 2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket David Howells
@ 2022-11-16 8:16 ` David Howells
2022-11-18 12:20 ` [PATCH 0/3] rxrpc: Fix oops and missing config conditionals patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: David Howells @ 2022-11-16 8:16 UTC (permalink / raw)
To: netdev; +Cc: dhowells, linux-afs, linux-kernel
Fix network address validation on entry to uapi functions such as connect()
for AF_RXRPC. The check for address compatibility with the transport
socket isn't correct and allows an AF_INET6 address to be given to an
AF_INET socket, resulting in an oops now that rxrpc is calling
udp_sendmsg() directly.
Sample program:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/rxrpc.h>
static unsigned char ctrl[256] =
"\x18\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x01";
int main(void)
{
struct sockaddr_rxrpc srx = {
.srx_family = AF_RXRPC,
.transport_type = SOCK_DGRAM,
.transport_len = 28,
.transport.sin6.sin6_family = AF_INET6,
};
struct mmsghdr vec = {
.msg_hdr.msg_control = ctrl,
.msg_hdr.msg_controllen = 0x18,
};
int s;
s = socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
if (s < 0) {
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *)&srx, sizeof(srx)) < 0) {
perror("connect");
exit(1);
}
if (sendmmsg(s, &vec, 1, MSG_NOSIGNAL | MSG_MORE) < 0) {
perror("sendmmsg");
exit(1);
}
return 0;
}
If working properly, connect() should fail with EAFNOSUPPORT.
Fixes: ed472b0c8783 ("rxrpc: Call udp_sendmsg() directly")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
net/rxrpc/af_rxrpc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 2f3991cf8715..aacdd96a9886 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -93,12 +93,11 @@ static int rxrpc_validate_address(struct rxrpc_sock *rx,
srx->transport_len > len)
return -EINVAL;
- if (srx->transport.family != rx->family &&
- srx->transport.family == AF_INET && rx->family != AF_INET6)
- return -EAFNOSUPPORT;
-
switch (srx->transport.family) {
case AF_INET:
+ if (rx->family != AF_INET &&
+ rx->family != AF_INET6)
+ return -EAFNOSUPPORT;
if (srx->transport_len < sizeof(struct sockaddr_in))
return -EINVAL;
tail = offsetof(struct sockaddr_rxrpc, transport.sin.__pad);
@@ -106,6 +105,8 @@ static int rxrpc_validate_address(struct rxrpc_sock *rx,
#ifdef CONFIG_AF_RXRPC_IPV6
case AF_INET6:
+ if (rx->family != AF_INET6)
+ return -EAFNOSUPPORT;
if (srx->transport_len < sizeof(struct sockaddr_in6))
return -EINVAL;
tail = offsetof(struct sockaddr_rxrpc, transport) +
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] rxrpc: Fix oops and missing config conditionals
2022-11-16 8:16 [PATCH 0/3] rxrpc: Fix oops and missing config conditionals David Howells
` (2 preceding siblings ...)
2022-11-16 8:16 ` [PATCH net-next 3/3] rxrpc: Fix network address validation David Howells
@ 2022-11-18 12:20 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-11-18 12:20 UTC (permalink / raw)
To: David Howells; +Cc: netdev, linux-afs, linux-kernel
Hello:
This series was applied to netdev/net-next.git (master)
by David Howells <dhowells@redhat.com>:
On Wed, 16 Nov 2022 08:16:32 +0000 you wrote:
> The patches that were pulled into net-next previously[1] had some issues
> that this patchset fixes:
>
> (1) Fix missing IPV6 config conditionals.
>
> (2) Fix an oops caused by calling udpv6_sendmsg() directly on an AF_INET
> socket.
>
> [...]
Here is the summary with links:
- [net-next,1/3] rxrpc: Fix missing IPV6 #ifdef
https://git.kernel.org/netdev/net-next/c/41cf3a9156ba
- [net-next,2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket
https://git.kernel.org/netdev/net-next/c/6423ac2eb31e
- [net-next,3/3] rxrpc: Fix network address validation
https://git.kernel.org/netdev/net-next/c/66f6fd278c67
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-18 12:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-16 8:16 [PATCH 0/3] rxrpc: Fix oops and missing config conditionals David Howells
2022-11-16 8:16 ` [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef David Howells
2022-11-16 8:16 ` [PATCH net-next 2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket David Howells
2022-11-16 8:16 ` [PATCH net-next 3/3] rxrpc: Fix network address validation David Howells
2022-11-18 12:20 ` [PATCH 0/3] rxrpc: Fix oops and missing config conditionals patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.