linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] net: socket: fix recvmmsg not returning error from sock_error
@ 2017-02-21 17:35 Maxime Jayat
  2017-02-21 18:35 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Maxime Jayat @ 2017-02-21 17:35 UTC (permalink / raw)
  To: David S. Miller
  Cc: Arnaldo Carvalho de Melo, netdev, linux-kernel, Maxime Jayat

Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
changed the exit path of recvmmsg to always return the datagrams
variable and modified the error paths to set the variable to the error
code returned by recvmsg if necessary.

However in the case sock_error returned an error, the error code was
then ignored, and recvmmsg returned 0.

Change the error path of recvmmsg to correctly return the error code
of sock_error.

The bug was triggered by using recvmmsg on a CAN interface which was
not up. Linux 4.6 and later return 0 in this case while earlier
releases returned -ENETDOWN.

Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
---
 net/socket.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/socket.c b/net/socket.c
index b7a63d5bc915..2c1e8677ff2d 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2228,8 +2228,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 		return err;
 
 	err = sock_error(sock->sk);
-	if (err)
+	if (err) {
+		datagrams = err;
 		goto out_put;
+	}
 
 	entry = mmsg;
 	compat_entry = (struct compat_mmsghdr __user *)mmsg;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] net: socket: fix recvmmsg not returning error from sock_error
  2017-02-21 17:35 [PATCH] net: socket: fix recvmmsg not returning error from sock_error Maxime Jayat
@ 2017-02-21 18:35 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-02-21 18:35 UTC (permalink / raw)
  To: maxime.jayat; +Cc: acme, netdev, linux-kernel

From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
Date: Tue, 21 Feb 2017 18:35:51 +0100

> Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
> changed the exit path of recvmmsg to always return the datagrams
> variable and modified the error paths to set the variable to the error
> code returned by recvmsg if necessary.
> 
> However in the case sock_error returned an error, the error code was
> then ignored, and recvmmsg returned 0.
> 
> Change the error path of recvmmsg to correctly return the error code
> of sock_error.
> 
> The bug was triggered by using recvmmsg on a CAN interface which was
> not up. Linux 4.6 and later return 0 in this case while earlier
> releases returned -ENETDOWN.
> 
> Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
> Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>

Good catch, applied and queued up for -stable.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-02-21 18:36 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-21 17:35 [PATCH] net: socket: fix recvmmsg not returning error from sock_error Maxime Jayat
2017-02-21 18:35 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).