* [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
@ 2023-02-07  1:20 Tung Nguyen
  2023-02-08  5:34 ` Jakub Kicinski
  0 siblings, 1 reply; 4+ messages in thread
From: Tung Nguyen @ 2023-02-07  1:20 UTC (permalink / raw)
  To: netdev
  Cc: davem, kuba, edumazet, pabeni, jmaloy, ying.xue, viro,
	syzbot+d43608d061e8847ec9f3

When sending a SYN message, this kernel stack trace is observed:

...
[   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
...
[   13.398494] Call Trace:
[   13.398630]  <TASK>
[   13.398630]  ? __alloc_skb+0xed/0x1a0
[   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
[   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
[   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
[   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __local_bh_enable_ip+0x37/0x80
[   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __sys_connect+0x9f/0xd0
[   13.398630]  __sys_connect+0x9f/0xd0
[   13.398630]  ? preempt_count_add+0x4d/0xa0
[   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
[   13.398630]  __x64_sys_connect+0x16/0x20
[   13.398630]  do_syscall_64+0x42/0x90
[   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
to copy to/from iterator") has introduced a sanity check for copying
from/to an iov iterator. The lack of a copy direction from the iterator
viewpoint would lead to a kernel stack trace like the one above.

This commit fixes this issue by initializing the iov iterator with
the correct copy direction.

Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
---
 net/tipc/msg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 5c9fd4791c4b..cce118fea07a 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -381,6 +381,9 @@ int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m, int offset,
 
 	msg_set_size(mhdr, msz);
 
+	if (!dsz)
+		iov_iter_init(&m->msg_iter, ITER_SOURCE, NULL, 0, 0);
+
 	/* No fragmentation needed? */
 	if (likely(msz <= pktmax)) {
 		skb = tipc_buf_acquire(msz, GFP_KERNEL);
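
Review bot: The `if (!dsz)` re-initialization added at the top of this hunk overwrites the caller's `m->msg_iter` for every zero-length message that reaches tipc_msg_build(), while the call trace in the commit message only shows the SYN sent from tipc_connect(). Setting up the iterator where that msghdr is built would keep the fix local to the path that lacks a copy direction and avoid a hidden side effect on a msghdr owned by the caller. If the initialization stays here, a short comment above `if (!dsz)` should say that a zero-length send can arrive with an iterator that has no direction set, and the commit message should carry a Fixes tag for the change that first left the iterator uninitialized.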
-- 
2.34.1



* Re: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
  2023-02-07  1:20 [PATCH net 1/1] tipc: fix kernel warning when sending SYN message Tung Nguyen
@ 2023-02-08  5:34 ` Jakub Kicinski
  2023-02-08  6:56   ` Tung Quang Nguyen
  0 siblings, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2023-02-08  5:34 UTC (permalink / raw)
  To: Tung Nguyen
  Cc: netdev, davem, edumazet, pabeni, jmaloy, ying.xue, viro,
	syzbot+d43608d061e8847ec9f3

On Tue,  7 Feb 2023 01:20:46 +0000 Tung Nguyen wrote:
> When sending a SYN message, this kernel stack trace is observed:
> 
> ...
> [   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
> ...
> [   13.398494] Call Trace:
> [   13.398630]  <TASK>
> [   13.398630]  ? __alloc_skb+0xed/0x1a0
> [   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
> [   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
> [   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
> [   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
> [   13.398630]  ? __local_bh_enable_ip+0x37/0x80
> [   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
> [   13.398630]  ? __sys_connect+0x9f/0xd0
> [   13.398630]  __sys_connect+0x9f/0xd0
> [   13.398630]  ? preempt_count_add+0x4d/0xa0
> [   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
> [   13.398630]  __x64_sys_connect+0x16/0x20
> [   13.398630]  do_syscall_64+0x42/0x90
> [   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
> to copy to/from iterator") has introduced a sanity check for copying
> from/to an iov iterator. The lack of a copy direction from the iterator
> viewpoint would lead to a kernel stack trace like the one above.

How far does the bug itself date, tho?
Can we get a Fixes tag?

> This commit fixes this issue by initializing the iov iterator with
> the correct copy direction.


* RE: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
  2023-02-08  5:34 ` Jakub Kicinski
@ 2023-02-08  6:56   ` Tung Quang Nguyen
       [not found]     ` <20230207233033.6b5f4882@kernel.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Tung Quang Nguyen @ 2023-02-08  6:56 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: netdev, davem, edumazet, pabeni, jmaloy, ying.xue, viro,
	syzbot+d43608d061e8847ec9f3



>-----Original Message-----
>From: Jakub Kicinski <kuba@kernel.org>
>Sent: Wednesday, February 8, 2023 12:35 PM
>To: Tung Quang Nguyen <tung.q.nguyen@dektech.com.au>
>Cc: netdev@vger.kernel.org; davem@davemloft.net; edumazet@google.com; pabeni@redhat.com; jmaloy@redhat.com;
>ying.xue@windriver.com; viro@zeniv.linux.org.uk; syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
>Subject: Re: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
>
>On Tue,  7 Feb 2023 01:20:46 +0000 Tung Nguyen wrote:
>> When sending a SYN message, this kernel stack trace is observed:
>>
>> ...
>> [   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
>> ...
>> [   13.398494] Call Trace:
>> [   13.398630]  <TASK>
>> [   13.398630]  ? __alloc_skb+0xed/0x1a0
>> [   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
>> [   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
>> [   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
>> [   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
>> [   13.398630]  ? __local_bh_enable_ip+0x37/0x80
>> [   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
>> [   13.398630]  ? __sys_connect+0x9f/0xd0
>> [   13.398630]  __sys_connect+0x9f/0xd0
>> [   13.398630]  ? preempt_count_add+0x4d/0xa0
>> [   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
>> [   13.398630]  __x64_sys_connect+0x16/0x20
>> [   13.398630]  do_syscall_64+0x42/0x90
>> [   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>
>> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
>> to copy to/from iterator") has introduced a sanity check for copying
>> from/to an iov iterator. The lack of a copy direction from the iterator
>> viewpoint would lead to a kernel stack trace like the one above.
>
>How far does the bug itself date, tho?

This issue appeared since the introduction of commit a41dad905e5a in December 2022.

>Can we get a Fixes tag?

I will add a Fixes tag in v2.

>
>> This commit fixes this issue by initializing the iov iterator with
>> the correct copy direction.


* RE: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
       [not found]     ` <20230207233033.6b5f4882@kernel.org>
@ 2023-02-08  7:48       ` Tung Quang Nguyen
  0 siblings, 0 replies; 4+ messages in thread
From: Tung Quang Nguyen @ 2023-02-08  7:48 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: netdev, davem, edumazet, pabeni, jmaloy, ying.xue, viro,
	syzbot+d43608d061e8847ec9f3



>-----Original Message-----
>From: Jakub Kicinski <kuba@kernel.org>
>Sent: Wednesday, February 8, 2023 2:31 PM
>To: Tung Quang Nguyen <tung.q.nguyen@dektech.com.au>
>Cc: netdev@vger.kernel.org; davem@davemloft.net; edumazet@google.com; pabeni@redhat.com; jmaloy@redhat.com;
>ying.xue@windriver.com; viro@zeniv.linux.org.uk; syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
>Subject: Re: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
>
>On Wed, 8 Feb 2023 06:56:26 +0000 Tung Quang Nguyen wrote:
>> >> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
>> >> to copy to/from iterator") has introduced a sanity check for copying
>> >> from/to an iov iterator. The lack of a copy direction from the iterator
>> >> viewpoint would lead to a kernel stack trace like the one above.
>> >
>> >How far does the bug itself date, tho?
>> This issue appeared since the introduction of commit a41dad905e5a in December 2022.
>
>I presume that commit a41dad905e5a just added a warning to catch
>abuses. Unless this is a false positive the bug itself must have
>been introduced earlier.

Yes, since 2014. I added it in v2.

>
>> >Can we get a Fixes tag?
>> I will add a Fixes tag in v2.
>
>Thanks!
