* [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-11 21:21 Arjun Roy
2021-02-12 2:08 ` Jakub Kicinski
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-11 21:21 UTC (permalink / raw)
To: davem, netdev
Cc: arjunroy, edumazet, soheil, David Ahern, Leon Romanovsky, Jakub Kicinski
From: Arjun Roy <arjunroy@google.com>
Explicitly define reserved field and require it and any subsequent
fields to be zero-valued for now. Additionally, limit the valid CMSG
flags that tcp_zerocopy_receive accepts.
Fixes: 7eeba1706eba ("tcp: Add receive timestamp support for receive zerocopy.")
Signed-off-by: Arjun Roy <arjunroy@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Suggested-by: David Ahern <dsahern@gmail.com>
Suggested-by: Leon Romanovsky <leon@kernel.org>
Suggested-by: Jakub Kicinski <kuba@kernel.org>
---
include/uapi/linux/tcp.h | 2 +-
net/ipv4/tcp.c | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index 42fc5a640df4..8fc09e8638b3 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -357,6 +357,6 @@ struct tcp_zerocopy_receive {
__u64 msg_control; /* ancillary data */
__u64 msg_controllen;
__u32 msg_flags;
- /* __u32 hole; Next we must add >1 u32 otherwise length checks fail. */
+ __u32 reserved; /* set to 0 for now */
};
#endif /* _UAPI_LINUX_TCP_H */
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e1a17c6b473c..9896ca10bb34 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2030,6 +2030,7 @@ static int tcp_zerocopy_vm_insert_batch(struct vm_area_struct *vma,
err);
}
+#define TCP_VALID_ZC_MSG_FLAGS (TCP_CMSG_TS)
static void tcp_recv_timestamp(struct msghdr *msg, const struct sock *sk,
struct scm_timestamping_internal *tss);
static void tcp_zc_finalize_rx_tstamp(struct sock *sk,
@@ -4152,13 +4153,21 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
return -EFAULT;
if (len < offsetofend(struct tcp_zerocopy_receive, length))
return -EINVAL;
- if (len > sizeof(zc)) {
+ if (unlikely(len > sizeof(zc))) {
+ err = check_zeroed_user(optval + sizeof(zc),
+ len - sizeof(zc));
+ if (err < 1)
+ return err == 0 ? -EINVAL : err;
len = sizeof(zc);
if (put_user(len, optlen))
return -EFAULT;
}
if (copy_from_user(&zc, optval, len))
return -EFAULT;
+ if (zc.reserved)
+ return -EINVAL;
+ if (zc.msg_flags & ~(TCP_VALID_ZC_MSG_FLAGS))
+ return -EINVAL;
lock_sock(sk);
err = tcp_zerocopy_receive(sk, &zc, &tss);
release_sock(sk);
--
2.30.0.478.g8a0d178c01-goog
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-11 21:21 [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive Arjun Roy
@ 2021-02-12 2:08 ` Jakub Kicinski
2021-02-12 3:10 ` patchwork-bot+netdevbpf
2021-02-15 12:03 ` Dan Carpenter
2 siblings, 0 replies; 14+ messages in thread
From: Jakub Kicinski @ 2021-02-12 2:08 UTC (permalink / raw)
To: Arjun Roy
Cc: davem, netdev, arjunroy, edumazet, soheil, David Ahern, Leon Romanovsky
On Thu, 11 Feb 2021 13:21:07 -0800 Arjun Roy wrote:
> + if (unlikely(len > sizeof(zc))) {
> + err = check_zeroed_user(optval + sizeof(zc),
> + len - sizeof(zc));
> + if (err < 1)
> + return err == 0 ? -EINVAL : err;
nit: return err ? : -EINVAL;
> len = sizeof(zc);
> if (put_user(len, optlen))
> return -EFAULT;
> }
> if (copy_from_user(&zc, optval, len))
> return -EFAULT;
> + if (zc.reserved)
> + return -EINVAL;
> + if (zc.msg_flags & ~(TCP_VALID_ZC_MSG_FLAGS))
nit: parens unnecessary
But neither is a big deal:
Acked-by: Jakub Kicinski <kuba@kernel.org>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-11 21:21 [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive Arjun Roy
2021-02-12 2:08 ` Jakub Kicinski
@ 2021-02-12 3:10 ` patchwork-bot+netdevbpf
2021-02-15 12:03 ` Dan Carpenter
2 siblings, 0 replies; 14+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-02-12 3:10 UTC (permalink / raw)
To: Arjun Roy; +Cc: davem, netdev, arjunroy, edumazet, soheil, dsahern, leon, kuba
Hello:
This patch was applied to netdev/net-next.git (refs/heads/master):
On Thu, 11 Feb 2021 13:21:07 -0800 you wrote:
> From: Arjun Roy <arjunroy@google.com>
>
> Explicitly define reserved field and require it and any subsequent
> fields to be zero-valued for now. Additionally, limit the valid CMSG
> flags that tcp_zerocopy_receive accepts.
>
> Fixes: 7eeba1706eba ("tcp: Add receive timestamp support for receive zerocopy.")
> Signed-off-by: Arjun Roy <arjunroy@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Suggested-by: David Ahern <dsahern@gmail.com>
> Suggested-by: Leon Romanovsky <leon@kernel.org>
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
>
> [...]
Here is the summary with links:
- [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
https://git.kernel.org/netdev/net-next/c/3c5a2fd042d0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-11 21:21 [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive Arjun Roy
2021-02-12 2:08 ` Jakub Kicinski
@ 2021-02-15 12:03 ` Dan Carpenter
2021-02-15 12:03 ` Dan Carpenter
2 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
To: kbuild, Arjun Roy, davem, netdev
Cc: lkp, kbuild-all, arjunroy, edumazet, soheil, David Ahern,
Leon Romanovsky, Jakub Kicinski
[-- Attachment #1: Type: text/plain, Size: 3441 bytes --]
Hi Arjun,
url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
vim +/len +4158 net/ipv4/tcp.c
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
"len" is int.
[ snip ]
05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
05255b823a6173 Eric Dumazet 2018-04-27 4151
05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
The problem is that negative values of "len" are type promoted to high
positive values. So the fix is to write this as:
if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
return -EINVAL;
110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
^^^^^^^^^^^^^^^^
Potentially "len - a negative value".
110912bdf28392 Arjun Roy 2021-02-11 4159 if (err < 1)
110912bdf28392 Arjun Roy 2021-02-11 4160 return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy 2020-02-14 4161 len = sizeof(zc);
0b7f41f68710cc Arjun Roy 2020-02-25 4162 if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy 2020-02-25 4163 return -EFAULT;
0b7f41f68710cc Arjun Roy 2020-02-25 4164 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 12:03 ` Dan Carpenter
0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 3503 bytes --]
Hi Arjun,
url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
vim +/len +4158 net/ipv4/tcp.c
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
"len" is int.
[ snip ]
05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
05255b823a6173 Eric Dumazet 2018-04-27 4151
05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
The problem is that negative values of "len" are type promoted to high
positive values. So the fix is to write this as:
if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
return -EINVAL;
110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
^^^^^^^^^^^^^^^^
Potentially "len - a negative value".
110912bdf28392 Arjun Roy 2021-02-11 4159 if (err < 1)
110912bdf28392 Arjun Roy 2021-02-11 4160 return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy 2020-02-14 4161 len = sizeof(zc);
0b7f41f68710cc Arjun Roy 2020-02-25 4162 if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy 2020-02-25 4163 return -EFAULT;
0b7f41f68710cc Arjun Roy 2020-02-25 4164 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 12:03 ` Dan Carpenter
0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 12:03 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 3503 bytes --]
Hi Arjun,
url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
vim +/len +4158 net/ipv4/tcp.c
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
"len" is int.
[ snip ]
05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
05255b823a6173 Eric Dumazet 2018-04-27 4151
05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
The problem is that negative values of "len" are type promoted to high
positive values. So the fix is to write this as:
if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
return -EINVAL;
110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
^^^^^^^^^^^^^^^^
Potentially "len - a negative value".
110912bdf28392 Arjun Roy 2021-02-11 4159 if (err < 1)
110912bdf28392 Arjun Roy 2021-02-11 4160 return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy 2020-02-14 4161 len = sizeof(zc);
0b7f41f68710cc Arjun Roy 2020-02-25 4162 if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy 2020-02-25 4163 return -EFAULT;
0b7f41f68710cc Arjun Roy 2020-02-25 4164 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-15 12:03 ` Dan Carpenter
(?)
(?)
@ 2021-02-15 15:04 ` David Ahern
2021-02-15 16:02 ` Dan Carpenter
-1 siblings, 1 reply; 14+ messages in thread
From: David Ahern @ 2021-02-15 15:04 UTC (permalink / raw)
To: Dan Carpenter, kbuild, Arjun Roy, davem, netdev
Cc: lkp, kbuild-all, arjunroy, edumazet, soheil, David Ahern,
Leon Romanovsky, Jakub Kicinski
On 2/15/21 5:03 AM, Dan Carpenter wrote:
> Hi Arjun,
>
> url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> config: x86_64-randconfig-m001-20210209 (attached as .config)
> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> smatch warnings:
> net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
>
> vim +/len +4158 net/ipv4/tcp.c
>
> 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
>
> "len" is int.
>
> [ snip ]
> 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> 05255b823a6173 Eric Dumazet 2018-04-27 4151
> 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
>
>
> The problem is that negative values of "len" are type promoted to high
> positive values. So the fix is to write this as:
>
> if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> return -EINVAL;
>
> 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> ^^^^^^^^^^^^^^^^
> Potentially "len - a negative value".
>
>
get_user(len, optlen) is called multiple times in that function. len < 0
was checked after the first one at the top.
Also, maybe I am missing something here, but offsetofend can not return
a negative value, so this checks catches len < 0 as well:
if (len < offsetofend(struct tcp_zerocopy_receive, length))
return -EINVAL;
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-15 15:04 ` David Ahern
2021-02-15 16:02 ` Dan Carpenter
@ 2021-02-15 16:02 ` Dan Carpenter
0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
To: David Ahern
Cc: kbuild, Arjun Roy, davem, netdev, lkp, kbuild-all, arjunroy,
edumazet, soheil, Leon Romanovsky, Jakub Kicinski
On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> >
> > url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> >
> > vim +/len +4158 net/ipv4/tcp.c
> >
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
> >
> > "len" is int.
> >
> > [ snip ]
> > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> > c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
> >
> >
> > The problem is that negative values of "len" are type promoted to high
> > positive values. So the fix is to write this as:
> >
> > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
> > 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> > ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> >
> >
>
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
>
What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it. The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.
But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.
net/ipv4/tcp.c
3888 static int do_tcp_getsockopt(struct sock *sk, int level,
3889 int optname, char __user *optval, int __user *optlen)
3890 {
3891 struct inet_connection_sock *icsk = inet_csk(sk);
3892 struct tcp_sock *tp = tcp_sk(sk);
3893 struct net *net = sock_net(sk);
3894 int val, len;
3895
3896 if (get_user(len, optlen))
3897 return -EFAULT;
3898
3899 len = min_t(unsigned int, len, sizeof(int));
3900
3901 if (len < 0)
^^^^^^^
This is impossible. "len" has to be in the 0-4 range because of the
min_t() assignment. It's harmless though and the condition should just
be removed.
3902 return -EINVAL;
3903
3904 switch (optname) {
3905 case TCP_MAXSEG:
Anyway, I will create a new Smatch warning for this situation.
> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
>
> if (len < offsetofend(struct tcp_zerocopy_receive, length))
> return -EINVAL;
>
offsetofend is (unsigned long)12. If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.
if (-1 < (usigned long)12)
printf("dan is wrong\n");
regards,
dan carpenter
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 16:02 ` Dan Carpenter
0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 5207 bytes --]
On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> >
> > url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> >
> > vim +/len +4158 net/ipv4/tcp.c
> >
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
> >
> > "len" is int.
> >
> > [ snip ]
> > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> > c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
> >
> >
> > The problem is that negative values of "len" are type promoted to high
> > positive values. So the fix is to write this as:
> >
> > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
> > 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> > ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> >
> >
>
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
>
What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it. The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.
But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.
net/ipv4/tcp.c
3888 static int do_tcp_getsockopt(struct sock *sk, int level,
3889 int optname, char __user *optval, int __user *optlen)
3890 {
3891 struct inet_connection_sock *icsk = inet_csk(sk);
3892 struct tcp_sock *tp = tcp_sk(sk);
3893 struct net *net = sock_net(sk);
3894 int val, len;
3895
3896 if (get_user(len, optlen))
3897 return -EFAULT;
3898
3899 len = min_t(unsigned int, len, sizeof(int));
3900
3901 if (len < 0)
^^^^^^^
This is impossible. "len" has to be in the 0-4 range because of the
min_t() assignment. It's harmless though and the condition should just
be removed.
3902 return -EINVAL;
3903
3904 switch (optname) {
3905 case TCP_MAXSEG:
Anyway, I will create a new Smatch warning for this situation.
> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
>
> if (len < offsetofend(struct tcp_zerocopy_receive, length))
> return -EINVAL;
>
offsetofend is (unsigned long)12. If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.
if (-1 < (usigned long)12)
printf("dan is wrong\n");
regards,
dan carpenter
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-15 16:02 ` Dan Carpenter
0 siblings, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2021-02-15 16:02 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 5207 bytes --]
On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > Hi Arjun,
> >
> > url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > smatch warnings:
> > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> >
> > vim +/len +4158 net/ipv4/tcp.c
> >
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
> >
> > "len" is int.
> >
> > [ snip ]
> > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> > 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> > e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> > 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> > c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
> >
> >
> > The problem is that negative values of "len" are type promoted to high
> > positive values. So the fix is to write this as:
> >
> > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
> > 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> > 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> > 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> > ^^^^^^^^^^^^^^^^
> > Potentially "len - a negative value".
> >
> >
>
> get_user(len, optlen) is called multiple times in that function. len < 0
> was checked after the first one at the top.
>
What you're describing is a "Double Fetch" bug, where the attack is we
get some data from the user, and we verify it, then we get it from the
user a second time and trust it. The problem is that the user modifies
it between the first and second get_user() call so it ends up being a
security vulnerability.
But I'm glad you pointed out the first get_user() because it has an
ancient, harmless pre git bug in it.
net/ipv4/tcp.c
3888 static int do_tcp_getsockopt(struct sock *sk, int level,
3889 int optname, char __user *optval, int __user *optlen)
3890 {
3891 struct inet_connection_sock *icsk = inet_csk(sk);
3892 struct tcp_sock *tp = tcp_sk(sk);
3893 struct net *net = sock_net(sk);
3894 int val, len;
3895
3896 if (get_user(len, optlen))
3897 return -EFAULT;
3898
3899 len = min_t(unsigned int, len, sizeof(int));
3900
3901 if (len < 0)
^^^^^^^
This is impossible. "len" has to be in the 0-4 range because of the
min_t() assignment. It's harmless though and the condition should just
be removed.
3902 return -EINVAL;
3903
3904 switch (optname) {
3905 case TCP_MAXSEG:
Anyway, I will create a new Smatch warning for this situation.
> Also, maybe I am missing something here, but offsetofend can not return
> a negative value, so this checks catches len < 0 as well:
>
> if (len < offsetofend(struct tcp_zerocopy_receive, length))
> return -EINVAL;
>
offsetofend is (unsigned long)12. If we compare a negative integer with
(unsigned long)12 then negative number is type promoted to a high
positive value.
if (-1 < (usigned long)12)
printf("dan is wrong\n");
regards,
dan carpenter
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-15 16:02 ` Dan Carpenter
(?)
(?)
@ 2021-02-25 22:59 ` Arjun Roy
-1 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 22:59 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 5806 bytes --]
On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com>
wrote:
> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url:
> https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base:
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
> e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer
> overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int
> do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897
> int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct
> inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct
> tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net
> *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val,
> len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef
> CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case
> TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy 2021-01-20 4148
> struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy 2020-12-10 4149
> struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4150
> int err;
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if
> (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4153
> return -EFAULT;
> > > c8856c05145490 Arjun Roy 2020-02-14 4154 if
> (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4155
> return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values. So the fix is to write this as:
> > >
> > > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive,
> length))
> > > return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy 2021-02-11 4156 if
> (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy 2021-02-11 4157
> err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy 2021-02-11 @4158
> len - sizeof(zc));
> > >
> ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it. The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
> 3888 static int do_tcp_getsockopt(struct sock *sk, int level,
> 3889 int optname, char __user *optval, int __user
> *optlen)
> 3890 {
> 3891 struct inet_connection_sock *icsk = inet_csk(sk);
> 3892 struct tcp_sock *tp = tcp_sk(sk);
> 3893 struct net *net = sock_net(sk);
> 3894 int val, len;
> 3895
> 3896 if (get_user(len, optlen))
> 3897 return -EFAULT;
> 3898
> 3899 len = min_t(unsigned int, len, sizeof(int));
> 3900
> 3901 if (len < 0)
> ^^^^^^^
> This is impossible. "len" has to be in the 0-4 range because of the
> min_t() assignment. It's harmless though and the condition should just
> be removed.
>
> 3902 return -EINVAL;
> 3903
> 3904 switch (optname) {
> 3905 case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> > if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
>
> offsetofend is (unsigned long)12. If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
> if (-1 < (usigned long)12)
> printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.
Actually, now I'm curious - why does do_tcp_getsockopt get called so many
times, per getsockopt target - rather than just using the originally read
value?
-Arjun
[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 7804 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
2021-02-15 16:02 ` Dan Carpenter
@ 2021-02-25 23:00 ` Arjun Roy
-1 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 23:00 UTC (permalink / raw)
To: Dan Carpenter
Cc: David Ahern, kbuild, Arjun Roy, David Miller, netdev, lkp,
kbuild-all, Eric Dumazet, Soheil Hassas Yeganeh, Leon Romanovsky,
Jakub Kicinski
On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> > > c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values. So the fix is to write this as:
> > >
> > > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > > return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> > > ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it. The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
> 3888 static int do_tcp_getsockopt(struct sock *sk, int level,
> 3889 int optname, char __user *optval, int __user *optlen)
> 3890 {
> 3891 struct inet_connection_sock *icsk = inet_csk(sk);
> 3892 struct tcp_sock *tp = tcp_sk(sk);
> 3893 struct net *net = sock_net(sk);
> 3894 int val, len;
> 3895
> 3896 if (get_user(len, optlen))
> 3897 return -EFAULT;
> 3898
> 3899 len = min_t(unsigned int, len, sizeof(int));
> 3900
> 3901 if (len < 0)
> ^^^^^^^
> This is impossible. "len" has to be in the 0-4 range because of the
> min_t() assignment. It's harmless though and the condition should just
> be removed.
>
> 3902 return -EINVAL;
> 3903
> 3904 switch (optname) {
> 3905 case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> > if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
>
> offsetofend is (unsigned long)12. If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
> if (-1 < (usigned long)12)
> printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.
Actually, now I'm curious - why does do_tcp_getsockopt get called so
many times, per getsockopt target - rather than just using the
originally read value?
-Arjun
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-25 23:00 ` Arjun Roy
0 siblings, 0 replies; 14+ messages in thread
From: Arjun Roy @ 2021-02-25 23:00 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 5902 bytes --]
On Mon, Feb 15, 2021 at 8:02 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Mon, Feb 15, 2021 at 08:04:11AM -0700, David Ahern wrote:
> > On 2/15/21 5:03 AM, Dan Carpenter wrote:
> > > Hi Arjun,
> > >
> > > url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
> > > base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
> > > config: x86_64-randconfig-m001-20210209 (attached as .config)
> > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
> > >
> > > vim +/len +4158 net/ipv4/tcp.c
> > >
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
> > > 3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
> > > 295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
> > > 6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
> > > ^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
> > >
> > > "len" is int.
> > >
> > > [ snip ]
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
> > > 7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
> > > e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4151
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
> > > c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > > 05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
> > >
> > >
> > > The problem is that negative values of "len" are type promoted to high
> > > positive values. So the fix is to write this as:
> > >
> > > if (len < 0 || len < offsetofend(struct tcp_zerocopy_receive, length))
> > > return -EINVAL;
> > >
> > > 110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
> > > 110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
> > > 110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
> > > ^^^^^^^^^^^^^^^^
> > > Potentially "len - a negative value".
> > >
> > >
> >
> > get_user(len, optlen) is called multiple times in that function. len < 0
> > was checked after the first one at the top.
> >
>
> What you're describing is a "Double Fetch" bug, where the attack is we
> get some data from the user, and we verify it, then we get it from the
> user a second time and trust it. The problem is that the user modifies
> it between the first and second get_user() call so it ends up being a
> security vulnerability.
>
> But I'm glad you pointed out the first get_user() because it has an
> ancient, harmless pre git bug in it.
>
> net/ipv4/tcp.c
> 3888 static int do_tcp_getsockopt(struct sock *sk, int level,
> 3889 int optname, char __user *optval, int __user *optlen)
> 3890 {
> 3891 struct inet_connection_sock *icsk = inet_csk(sk);
> 3892 struct tcp_sock *tp = tcp_sk(sk);
> 3893 struct net *net = sock_net(sk);
> 3894 int val, len;
> 3895
> 3896 if (get_user(len, optlen))
> 3897 return -EFAULT;
> 3898
> 3899 len = min_t(unsigned int, len, sizeof(int));
> 3900
> 3901 if (len < 0)
> ^^^^^^^
> This is impossible. "len" has to be in the 0-4 range because of the
> min_t() assignment. It's harmless though and the condition should just
> be removed.
>
> 3902 return -EINVAL;
> 3903
> 3904 switch (optname) {
> 3905 case TCP_MAXSEG:
>
> Anyway, I will create a new Smatch warning for this situation.
>
> > Also, maybe I am missing something here, but offsetofend can not return
> > a negative value, so this checks catches len < 0 as well:
> >
> > if (len < offsetofend(struct tcp_zerocopy_receive, length))
> > return -EINVAL;
> >
>
> offsetofend is (unsigned long)12. If we compare a negative integer with
> (unsigned long)12 then negative number is type promoted to a high
> positive value.
>
> if (-1 < (usigned long)12)
> printf("dan is wrong\n");
>
> regards,
> dan carpenter
>
>
Thank you for the catch. I will send out a fix momentarily.
Actually, now I'm curious - why does do_tcp_getsockopt get called so
many times, per getsockopt target - rather than just using the
originally read value?
-Arjun
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive.
@ 2021-02-12 2:28 kernel test robot
0 siblings, 0 replies; 14+ messages in thread
From: kernel test robot @ 2021-02-12 2:28 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 27881 bytes --]
CC: kbuild-all(a)lists.01.org
In-Reply-To: <20210211212107.662291-1-arjunroy.kdev@gmail.com>
References: <20210211212107.662291-1-arjunroy.kdev@gmail.com>
TO: Arjun Roy <arjunroy.kdev@gmail.com>
TO: davem(a)davemloft.net
TO: netdev(a)vger.kernel.org
CC: arjunroy(a)google.com
CC: edumazet(a)google.com
CC: soheil(a)google.com
CC: David Ahern <dsahern@gmail.com>
CC: Leon Romanovsky <leon@kernel.org>
CC: Jakub Kicinski <kuba@kernel.org>
Hi Arjun,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net-next/master]
url: https://github.com/0day-ci/linux/commits/Arjun-Roy/tcp-Sanitize-CMSG-flags-and-reserved-args-in-tcp_zerocopy_receive/20210212-052537
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git e4b62cf7559f2ef9a022de235e5a09a8d7ded520
:::::: branch date: 5 hours ago
:::::: commit date: 5 hours ago
config: x86_64-randconfig-m001-20210209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/ipv4/tcp.c:4158 do_tcp_getsockopt() warn: check for integer overflow 'len'
vim +/len +4158 net/ipv4/tcp.c
1c885808e45601 Francis Yan 2016-11-27 3895
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3896 static int do_tcp_getsockopt(struct sock *sk, int level,
3fdadf7d27e3fb Dmitry Mishin 2006-03-20 3897 int optname, char __user *optval, int __user *optlen)
^1da177e4c3f41 Linus Torvalds 2005-04-16 3898 {
295f7324ff8d9e Arnaldo Carvalho de Melo 2005-08-09 3899 struct inet_connection_sock *icsk = inet_csk(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3900 struct tcp_sock *tp = tcp_sk(sk);
6fa251663069e0 Nikolay Borisov 2016-02-03 3901 struct net *net = sock_net(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3902 int val, len;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3903
^1da177e4c3f41 Linus Torvalds 2005-04-16 3904 if (get_user(len, optlen))
^1da177e4c3f41 Linus Torvalds 2005-04-16 3905 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3906
^1da177e4c3f41 Linus Torvalds 2005-04-16 3907 len = min_t(unsigned int, len, sizeof(int));
^1da177e4c3f41 Linus Torvalds 2005-04-16 3908
^1da177e4c3f41 Linus Torvalds 2005-04-16 3909 if (len < 0)
^1da177e4c3f41 Linus Torvalds 2005-04-16 3910 return -EINVAL;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3911
^1da177e4c3f41 Linus Torvalds 2005-04-16 3912 switch (optname) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 3913 case TCP_MAXSEG:
c1b4a7e69576d6 David S. Miller 2005-07-05 3914 val = tp->mss_cache;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3915 if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
^1da177e4c3f41 Linus Torvalds 2005-04-16 3916 val = tp->rx_opt.user_mss;
5e6a3ce6573f0c Pavel Emelyanov 2012-04-19 3917 if (tp->repair)
5e6a3ce6573f0c Pavel Emelyanov 2012-04-19 3918 val = tp->rx_opt.mss_clamp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3919 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3920 case TCP_NODELAY:
^1da177e4c3f41 Linus Torvalds 2005-04-16 3921 val = !!(tp->nonagle&TCP_NAGLE_OFF);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3922 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3923 case TCP_CORK:
^1da177e4c3f41 Linus Torvalds 2005-04-16 3924 val = !!(tp->nonagle&TCP_NAGLE_CORK);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3925 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3926 case TCP_KEEPIDLE:
df19a626770545 Eric Dumazet 2009-08-28 3927 val = keepalive_time_when(tp) / HZ;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3928 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3929 case TCP_KEEPINTVL:
df19a626770545 Eric Dumazet 2009-08-28 3930 val = keepalive_intvl_when(tp) / HZ;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3931 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3932 case TCP_KEEPCNT:
df19a626770545 Eric Dumazet 2009-08-28 3933 val = keepalive_probes(tp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3934 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3935 case TCP_SYNCNT:
6fa251663069e0 Nikolay Borisov 2016-02-03 3936 val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3937 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3938 case TCP_LINGER2:
^1da177e4c3f41 Linus Torvalds 2005-04-16 3939 val = tp->linger2;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3940 if (val >= 0)
1e579caa18b96f Nikolay Borisov 2016-02-03 3941 val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3942 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3943 case TCP_DEFER_ACCEPT:
b103cf34382f26 Julian Anastasov 2009-10-19 3944 val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
b103cf34382f26 Julian Anastasov 2009-10-19 3945 TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3946 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3947 case TCP_WINDOW_CLAMP:
^1da177e4c3f41 Linus Torvalds 2005-04-16 3948 val = tp->window_clamp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3949 break;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3950 case TCP_INFO: {
^1da177e4c3f41 Linus Torvalds 2005-04-16 3951 struct tcp_info info;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3952
^1da177e4c3f41 Linus Torvalds 2005-04-16 3953 if (get_user(len, optlen))
^1da177e4c3f41 Linus Torvalds 2005-04-16 3954 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3955
^1da177e4c3f41 Linus Torvalds 2005-04-16 3956 tcp_get_info(sk, &info);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3957
^1da177e4c3f41 Linus Torvalds 2005-04-16 3958 len = min_t(unsigned int, len, sizeof(info));
^1da177e4c3f41 Linus Torvalds 2005-04-16 3959 if (put_user(len, optlen))
^1da177e4c3f41 Linus Torvalds 2005-04-16 3960 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3961 if (copy_to_user(optval, &info, len))
^1da177e4c3f41 Linus Torvalds 2005-04-16 3962 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3963 return 0;
^1da177e4c3f41 Linus Torvalds 2005-04-16 3964 }
6e9250f59ef9ef Eric Dumazet 2015-04-28 3965 case TCP_CC_INFO: {
6e9250f59ef9ef Eric Dumazet 2015-04-28 3966 const struct tcp_congestion_ops *ca_ops;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3967 union tcp_cc_info info;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3968 size_t sz = 0;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3969 int attr;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3970
6e9250f59ef9ef Eric Dumazet 2015-04-28 3971 if (get_user(len, optlen))
6e9250f59ef9ef Eric Dumazet 2015-04-28 3972 return -EFAULT;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3973
6e9250f59ef9ef Eric Dumazet 2015-04-28 3974 ca_ops = icsk->icsk_ca_ops;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3975 if (ca_ops && ca_ops->get_info)
6e9250f59ef9ef Eric Dumazet 2015-04-28 3976 sz = ca_ops->get_info(sk, ~0U, &attr, &info);
6e9250f59ef9ef Eric Dumazet 2015-04-28 3977
6e9250f59ef9ef Eric Dumazet 2015-04-28 3978 len = min_t(unsigned int, len, sz);
6e9250f59ef9ef Eric Dumazet 2015-04-28 3979 if (put_user(len, optlen))
6e9250f59ef9ef Eric Dumazet 2015-04-28 3980 return -EFAULT;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3981 if (copy_to_user(optval, &info, len))
6e9250f59ef9ef Eric Dumazet 2015-04-28 3982 return -EFAULT;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3983 return 0;
6e9250f59ef9ef Eric Dumazet 2015-04-28 3984 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 3985 case TCP_QUICKACK:
31954cd8bb6670 Wei Wang 2019-01-25 3986 val = !inet_csk_in_pingpong_mode(sk);
^1da177e4c3f41 Linus Torvalds 2005-04-16 3987 break;
5f8ef48d240963 Stephen Hemminger 2005-06-23 3988
5f8ef48d240963 Stephen Hemminger 2005-06-23 3989 case TCP_CONGESTION:
5f8ef48d240963 Stephen Hemminger 2005-06-23 3990 if (get_user(len, optlen))
5f8ef48d240963 Stephen Hemminger 2005-06-23 3991 return -EFAULT;
5f8ef48d240963 Stephen Hemminger 2005-06-23 3992 len = min_t(unsigned int, len, TCP_CA_NAME_MAX);
5f8ef48d240963 Stephen Hemminger 2005-06-23 3993 if (put_user(len, optlen))
5f8ef48d240963 Stephen Hemminger 2005-06-23 3994 return -EFAULT;
6687e988d9aeac Arnaldo Carvalho de Melo 2005-08-10 3995 if (copy_to_user(optval, icsk->icsk_ca_ops->name, len))
5f8ef48d240963 Stephen Hemminger 2005-06-23 3996 return -EFAULT;
5f8ef48d240963 Stephen Hemminger 2005-06-23 3997 return 0;
e56fb50f2b7958 William Allen Simpson 2009-12-02 3998
734942cc4ea647 Dave Watson 2017-06-14 3999 case TCP_ULP:
734942cc4ea647 Dave Watson 2017-06-14 4000 if (get_user(len, optlen))
734942cc4ea647 Dave Watson 2017-06-14 4001 return -EFAULT;
734942cc4ea647 Dave Watson 2017-06-14 4002 len = min_t(unsigned int, len, TCP_ULP_NAME_MAX);
d97af30f615eea Dave Watson 2017-06-26 4003 if (!icsk->icsk_ulp_ops) {
d97af30f615eea Dave Watson 2017-06-26 4004 if (put_user(0, optlen))
d97af30f615eea Dave Watson 2017-06-26 4005 return -EFAULT;
d97af30f615eea Dave Watson 2017-06-26 4006 return 0;
d97af30f615eea Dave Watson 2017-06-26 4007 }
734942cc4ea647 Dave Watson 2017-06-14 4008 if (put_user(len, optlen))
734942cc4ea647 Dave Watson 2017-06-14 4009 return -EFAULT;
734942cc4ea647 Dave Watson 2017-06-14 4010 if (copy_to_user(optval, icsk->icsk_ulp_ops->name, len))
734942cc4ea647 Dave Watson 2017-06-14 4011 return -EFAULT;
734942cc4ea647 Dave Watson 2017-06-14 4012 return 0;
734942cc4ea647 Dave Watson 2017-06-14 4013
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4014 case TCP_FASTOPEN_KEY: {
f19008e676366c Jason Baron 2020-08-10 4015 u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)];
f19008e676366c Jason Baron 2020-08-10 4016 unsigned int key_len;
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4017
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4018 if (get_user(len, optlen))
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4019 return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4020
f19008e676366c Jason Baron 2020-08-10 4021 key_len = tcp_fastopen_get_cipher(net, icsk, key) *
0f1ce0236865e8 Jason Baron 2019-05-29 4022 TCP_FASTOPEN_KEY_LENGTH;
0f1ce0236865e8 Jason Baron 2019-05-29 4023 len = min_t(unsigned int, len, key_len);
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4024 if (put_user(len, optlen))
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4025 return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4026 if (copy_to_user(optval, key, len))
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4027 return -EFAULT;
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4028 return 0;
1fba70e5b6bed5 Yuchung Cheng 2017-10-18 4029 }
3c0fef0b7d36e5 Josh Hunt 2010-07-30 4030 case TCP_THIN_LINEAR_TIMEOUTS:
3c0fef0b7d36e5 Josh Hunt 2010-07-30 4031 val = tp->thin_lto;
3c0fef0b7d36e5 Josh Hunt 2010-07-30 4032 break;
4a7f6009441144 Yuchung Cheng 2017-01-12 4033
3c0fef0b7d36e5 Josh Hunt 2010-07-30 4034 case TCP_THIN_DUPACK:
4a7f6009441144 Yuchung Cheng 2017-01-12 4035 val = 0;
3c0fef0b7d36e5 Josh Hunt 2010-07-30 4036 break;
dca43c75e7e545 Jerry Chu 2010-08-27 4037
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4038 case TCP_REPAIR:
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4039 val = tp->repair;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4040 break;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4041
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4042 case TCP_REPAIR_QUEUE:
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4043 if (tp->repair)
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4044 val = tp->repair_queue;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4045 else
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4046 return -EINVAL;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4047 break;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4048
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4049 case TCP_REPAIR_WINDOW: {
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4050 struct tcp_repair_window opt;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4051
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4052 if (get_user(len, optlen))
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4053 return -EFAULT;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4054
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4055 if (len != sizeof(opt))
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4056 return -EINVAL;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4057
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4058 if (!tp->repair)
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4059 return -EPERM;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4060
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4061 opt.snd_wl1 = tp->snd_wl1;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4062 opt.snd_wnd = tp->snd_wnd;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4063 opt.max_window = tp->max_window;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4064 opt.rcv_wnd = tp->rcv_wnd;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4065 opt.rcv_wup = tp->rcv_wup;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4066
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4067 if (copy_to_user(optval, &opt, len))
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4068 return -EFAULT;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4069 return 0;
b1ed4c4fa9a5cc Andrey Vagin 2016-06-27 4070 }
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4071 case TCP_QUEUE_SEQ:
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4072 if (tp->repair_queue == TCP_SEND_QUEUE)
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4073 val = tp->write_seq;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4074 else if (tp->repair_queue == TCP_RECV_QUEUE)
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4075 val = tp->rcv_nxt;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4076 else
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4077 return -EINVAL;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4078 break;
ee9952831cfd0b Pavel Emelyanov 2012-04-19 4079
dca43c75e7e545 Jerry Chu 2010-08-27 4080 case TCP_USER_TIMEOUT:
9bcc66e1983d10 Jon Maxwell 2018-07-19 4081 val = icsk->icsk_user_timeout;
dca43c75e7e545 Jerry Chu 2010-08-27 4082 break;
1536e2857bd38e Kenjiro Nakayama 2014-04-17 4083
1536e2857bd38e Kenjiro Nakayama 2014-04-17 4084 case TCP_FASTOPEN:
0536fcc039a892 Eric Dumazet 2015-09-29 4085 val = icsk->icsk_accept_queue.fastopenq.max_qlen;
1536e2857bd38e Kenjiro Nakayama 2014-04-17 4086 break;
1536e2857bd38e Kenjiro Nakayama 2014-04-17 4087
19f6d3f3c8422d Wei Wang 2017-01-23 4088 case TCP_FASTOPEN_CONNECT:
19f6d3f3c8422d Wei Wang 2017-01-23 4089 val = tp->fastopen_connect;
19f6d3f3c8422d Wei Wang 2017-01-23 4090 break;
19f6d3f3c8422d Wei Wang 2017-01-23 4091
71c02379c762cb Christoph Paasch 2017-10-23 4092 case TCP_FASTOPEN_NO_COOKIE:
71c02379c762cb Christoph Paasch 2017-10-23 4093 val = tp->fastopen_no_cookie;
71c02379c762cb Christoph Paasch 2017-10-23 4094 break;
71c02379c762cb Christoph Paasch 2017-10-23 4095
a842fe1425cb20 Eric Dumazet 2019-06-12 4096 case TCP_TX_DELAY:
a842fe1425cb20 Eric Dumazet 2019-06-12 4097 val = tp->tcp_tx_delay;
a842fe1425cb20 Eric Dumazet 2019-06-12 4098 break;
a842fe1425cb20 Eric Dumazet 2019-06-12 4099
93be6ce0e91b6a Andrey Vagin 2013-02-11 4100 case TCP_TIMESTAMP:
9a568de4818dea Eric Dumazet 2017-05-16 4101 val = tcp_time_stamp_raw() + tp->tsoffset;
93be6ce0e91b6a Andrey Vagin 2013-02-11 4102 break;
c9bee3b7fdecb0 Eric Dumazet 2013-07-22 4103 case TCP_NOTSENT_LOWAT:
c9bee3b7fdecb0 Eric Dumazet 2013-07-22 4104 val = tp->notsent_lowat;
c9bee3b7fdecb0 Eric Dumazet 2013-07-22 4105 break;
b75eba76d3d72e Soheil Hassas Yeganeh 2018-05-01 4106 case TCP_INQ:
b75eba76d3d72e Soheil Hassas Yeganeh 2018-05-01 4107 val = tp->recvmsg_inq;
b75eba76d3d72e Soheil Hassas Yeganeh 2018-05-01 4108 break;
cd8ae85299d541 Eric Dumazet 2015-05-03 4109 case TCP_SAVE_SYN:
cd8ae85299d541 Eric Dumazet 2015-05-03 4110 val = tp->save_syn;
cd8ae85299d541 Eric Dumazet 2015-05-03 4111 break;
cd8ae85299d541 Eric Dumazet 2015-05-03 4112 case TCP_SAVED_SYN: {
cd8ae85299d541 Eric Dumazet 2015-05-03 4113 if (get_user(len, optlen))
cd8ae85299d541 Eric Dumazet 2015-05-03 4114 return -EFAULT;
cd8ae85299d541 Eric Dumazet 2015-05-03 4115
cd8ae85299d541 Eric Dumazet 2015-05-03 4116 lock_sock(sk);
cd8ae85299d541 Eric Dumazet 2015-05-03 4117 if (tp->saved_syn) {
70a217f1976f75 Martin KaFai Lau 2020-08-20 4118 if (len < tcp_saved_syn_len(tp->saved_syn)) {
70a217f1976f75 Martin KaFai Lau 2020-08-20 4119 if (put_user(tcp_saved_syn_len(tp->saved_syn),
70a217f1976f75 Martin KaFai Lau 2020-08-20 4120 optlen)) {
aea0929e516a1f Eric B Munson 2015-05-18 4121 release_sock(sk);
aea0929e516a1f Eric B Munson 2015-05-18 4122 return -EFAULT;
aea0929e516a1f Eric B Munson 2015-05-18 4123 }
aea0929e516a1f Eric B Munson 2015-05-18 4124 release_sock(sk);
aea0929e516a1f Eric B Munson 2015-05-18 4125 return -EINVAL;
aea0929e516a1f Eric B Munson 2015-05-18 4126 }
70a217f1976f75 Martin KaFai Lau 2020-08-20 4127 len = tcp_saved_syn_len(tp->saved_syn);
cd8ae85299d541 Eric Dumazet 2015-05-03 4128 if (put_user(len, optlen)) {
cd8ae85299d541 Eric Dumazet 2015-05-03 4129 release_sock(sk);
cd8ae85299d541 Eric Dumazet 2015-05-03 4130 return -EFAULT;
cd8ae85299d541 Eric Dumazet 2015-05-03 4131 }
70a217f1976f75 Martin KaFai Lau 2020-08-20 4132 if (copy_to_user(optval, tp->saved_syn->data, len)) {
cd8ae85299d541 Eric Dumazet 2015-05-03 4133 release_sock(sk);
cd8ae85299d541 Eric Dumazet 2015-05-03 4134 return -EFAULT;
cd8ae85299d541 Eric Dumazet 2015-05-03 4135 }
cd8ae85299d541 Eric Dumazet 2015-05-03 4136 tcp_saved_syn_free(tp);
cd8ae85299d541 Eric Dumazet 2015-05-03 4137 release_sock(sk);
cd8ae85299d541 Eric Dumazet 2015-05-03 4138 } else {
cd8ae85299d541 Eric Dumazet 2015-05-03 4139 release_sock(sk);
cd8ae85299d541 Eric Dumazet 2015-05-03 4140 len = 0;
cd8ae85299d541 Eric Dumazet 2015-05-03 4141 if (put_user(len, optlen))
cd8ae85299d541 Eric Dumazet 2015-05-03 4142 return -EFAULT;
cd8ae85299d541 Eric Dumazet 2015-05-03 4143 }
cd8ae85299d541 Eric Dumazet 2015-05-03 4144 return 0;
cd8ae85299d541 Eric Dumazet 2015-05-03 4145 }
05255b823a6173 Eric Dumazet 2018-04-27 4146 #ifdef CONFIG_MMU
05255b823a6173 Eric Dumazet 2018-04-27 4147 case TCP_ZEROCOPY_RECEIVE: {
7eeba1706eba6d Arjun Roy 2021-01-20 4148 struct scm_timestamping_internal tss;
e0fecb289ad3fd Arjun Roy 2020-12-10 4149 struct tcp_zerocopy_receive zc = {};
05255b823a6173 Eric Dumazet 2018-04-27 4150 int err;
05255b823a6173 Eric Dumazet 2018-04-27 4151
05255b823a6173 Eric Dumazet 2018-04-27 4152 if (get_user(len, optlen))
05255b823a6173 Eric Dumazet 2018-04-27 4153 return -EFAULT;
c8856c05145490 Arjun Roy 2020-02-14 4154 if (len < offsetofend(struct tcp_zerocopy_receive, length))
05255b823a6173 Eric Dumazet 2018-04-27 4155 return -EINVAL;
110912bdf28392 Arjun Roy 2021-02-11 4156 if (unlikely(len > sizeof(zc))) {
110912bdf28392 Arjun Roy 2021-02-11 4157 err = check_zeroed_user(optval + sizeof(zc),
110912bdf28392 Arjun Roy 2021-02-11 @4158 len - sizeof(zc));
110912bdf28392 Arjun Roy 2021-02-11 4159 if (err < 1)
110912bdf28392 Arjun Roy 2021-02-11 4160 return err == 0 ? -EINVAL : err;
c8856c05145490 Arjun Roy 2020-02-14 4161 len = sizeof(zc);
0b7f41f68710cc Arjun Roy 2020-02-25 4162 if (put_user(len, optlen))
0b7f41f68710cc Arjun Roy 2020-02-25 4163 return -EFAULT;
0b7f41f68710cc Arjun Roy 2020-02-25 4164 }
05255b823a6173 Eric Dumazet 2018-04-27 4165 if (copy_from_user(&zc, optval, len))
05255b823a6173 Eric Dumazet 2018-04-27 4166 return -EFAULT;
110912bdf28392 Arjun Roy 2021-02-11 4167 if (zc.reserved)
110912bdf28392 Arjun Roy 2021-02-11 4168 return -EINVAL;
110912bdf28392 Arjun Roy 2021-02-11 4169 if (zc.msg_flags & ~(TCP_VALID_ZC_MSG_FLAGS))
110912bdf28392 Arjun Roy 2021-02-11 4170 return -EINVAL;
05255b823a6173 Eric Dumazet 2018-04-27 4171 lock_sock(sk);
7eeba1706eba6d Arjun Roy 2021-01-20 4172 err = tcp_zerocopy_receive(sk, &zc, &tss);
05255b823a6173 Eric Dumazet 2018-04-27 4173 release_sock(sk);
7eeba1706eba6d Arjun Roy 2021-01-20 4174 if (len >= offsetofend(struct tcp_zerocopy_receive, msg_flags))
7eeba1706eba6d Arjun Roy 2021-01-20 4175 goto zerocopy_rcv_cmsg;
c8856c05145490 Arjun Roy 2020-02-14 4176 switch (len) {
7eeba1706eba6d Arjun Roy 2021-01-20 4177 case offsetofend(struct tcp_zerocopy_receive, msg_flags):
7eeba1706eba6d Arjun Roy 2021-01-20 4178 goto zerocopy_rcv_cmsg;
7eeba1706eba6d Arjun Roy 2021-01-20 4179 case offsetofend(struct tcp_zerocopy_receive, msg_controllen):
7eeba1706eba6d Arjun Roy 2021-01-20 4180 case offsetofend(struct tcp_zerocopy_receive, msg_control):
7eeba1706eba6d Arjun Roy 2021-01-20 4181 case offsetofend(struct tcp_zerocopy_receive, flags):
7eeba1706eba6d Arjun Roy 2021-01-20 4182 case offsetofend(struct tcp_zerocopy_receive, copybuf_len):
7eeba1706eba6d Arjun Roy 2021-01-20 4183 case offsetofend(struct tcp_zerocopy_receive, copybuf_address):
33946518d493cd Arjun Roy 2020-02-14 4184 case offsetofend(struct tcp_zerocopy_receive, err):
33946518d493cd Arjun Roy 2020-02-14 4185 goto zerocopy_rcv_sk_err;
c8856c05145490 Arjun Roy 2020-02-14 4186 case offsetofend(struct tcp_zerocopy_receive, inq):
c8856c05145490 Arjun Roy 2020-02-14 4187 goto zerocopy_rcv_inq;
c8856c05145490 Arjun Roy 2020-02-14 4188 case offsetofend(struct tcp_zerocopy_receive, length):
c8856c05145490 Arjun Roy 2020-02-14 4189 default:
c8856c05145490 Arjun Roy 2020-02-14 4190 goto zerocopy_rcv_out;
c8856c05145490 Arjun Roy 2020-02-14 4191 }
7eeba1706eba6d Arjun Roy 2021-01-20 4192 zerocopy_rcv_cmsg:
7eeba1706eba6d Arjun Roy 2021-01-20 4193 if (zc.msg_flags & TCP_CMSG_TS)
7eeba1706eba6d Arjun Roy 2021-01-20 4194 tcp_zc_finalize_rx_tstamp(sk, &zc, &tss);
7eeba1706eba6d Arjun Roy 2021-01-20 4195 else
7eeba1706eba6d Arjun Roy 2021-01-20 4196 zc.msg_flags = 0;
33946518d493cd Arjun Roy 2020-02-14 4197 zerocopy_rcv_sk_err:
33946518d493cd Arjun Roy 2020-02-14 4198 if (!err)
33946518d493cd Arjun Roy 2020-02-14 4199 zc.err = sock_error(sk);
c8856c05145490 Arjun Roy 2020-02-14 4200 zerocopy_rcv_inq:
c8856c05145490 Arjun Roy 2020-02-14 4201 zc.inq = tcp_inq_hint(sk);
c8856c05145490 Arjun Roy 2020-02-14 4202 zerocopy_rcv_out:
05255b823a6173 Eric Dumazet 2018-04-27 4203 if (!err && copy_to_user(optval, &zc, len))
05255b823a6173 Eric Dumazet 2018-04-27 4204 err = -EFAULT;
05255b823a6173 Eric Dumazet 2018-04-27 4205 return err;
05255b823a6173 Eric Dumazet 2018-04-27 4206 }
05255b823a6173 Eric Dumazet 2018-04-27 4207 #endif
^1da177e4c3f41 Linus Torvalds 2005-04-16 4208 default:
^1da177e4c3f41 Linus Torvalds 2005-04-16 4209 return -ENOPROTOOPT;
3ff50b7997fe06 Stephen Hemminger 2007-04-20 4210 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 4211
^1da177e4c3f41 Linus Torvalds 2005-04-16 4212 if (put_user(len, optlen))
^1da177e4c3f41 Linus Torvalds 2005-04-16 4213 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 4214 if (copy_to_user(optval, &val, len))
^1da177e4c3f41 Linus Torvalds 2005-04-16 4215 return -EFAULT;
^1da177e4c3f41 Linus Torvalds 2005-04-16 4216 return 0;
^1da177e4c3f41 Linus Torvalds 2005-04-16 4217 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 4218
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 29600 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2021-02-25 23:01 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-11 21:21 [net-next] tcp: Sanitize CMSG flags and reserved args in tcp_zerocopy_receive Arjun Roy
2021-02-12 2:08 ` Jakub Kicinski
2021-02-12 3:10 ` patchwork-bot+netdevbpf
2021-02-15 12:03 ` Dan Carpenter
2021-02-15 12:03 ` Dan Carpenter
2021-02-15 12:03 ` Dan Carpenter
2021-02-15 15:04 ` David Ahern
2021-02-15 16:02 ` Dan Carpenter
2021-02-15 16:02 ` Dan Carpenter
2021-02-15 16:02 ` Dan Carpenter
2021-02-25 22:59 ` Arjun Roy
2021-02-25 23:00 ` Arjun Roy
2021-02-25 23:00 ` Arjun Roy
2021-02-12 2:28 kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.