linux-kernel.vger.kernel.org archive mirror
From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Pavel Emelyanov <xemul@parallels.com>,
	Qingyu Li <ieatmuttonchuan@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 013/120] tcp: add sanity tests to TCP_QUEUE_SEQ
Date: Mon, 15 Mar 2021 14:56:04 +0100
Message-ID: <20210315135720.451315222@linuxfoundation.org>
In-Reply-To: <20210315135720.002213995@linuxfoundation.org>

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 8811f4a9836e31c14ecdf79d9f3cb7c5d463265d ]

Qingyu Li reported a syzkaller bug where the repro
changes RCV SEQ _after_ restoring data in the receive queue.

mprotect(0x4aa000, 12288, PROT_READ)    = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)

syslog shows:
[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0

This should not be allowed. TCP_QUEUE_SEQ should only be used
when queues are empty.

This patch fixes this case, and the tx path as well.

Fixes: ee9952831cfd ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212005
Reported-by: Qingyu Li <ieatmuttonchuan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp.c |   23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2886,16 +2886,23 @@ static int do_tcp_setsockopt(struct sock
 		break;
 
 	case TCP_QUEUE_SEQ:
-		if (sk->sk_state != TCP_CLOSE)
+		if (sk->sk_state != TCP_CLOSE) {
 			err = -EPERM;
-		else if (tp->repair_queue == TCP_SEND_QUEUE)
-			WRITE_ONCE(tp->write_seq, val);
-		else if (tp->repair_queue == TCP_RECV_QUEUE) {
-			WRITE_ONCE(tp->rcv_nxt, val);
-			WRITE_ONCE(tp->copied_seq, val);
-		}
-		else
+		} else if (tp->repair_queue == TCP_SEND_QUEUE) {
+			if (!tcp_rtx_queue_empty(sk))
+				err = -EPERM;
+			else
+				WRITE_ONCE(tp->write_seq, val);
+		} else if (tp->repair_queue == TCP_RECV_QUEUE) {
+			if (tp->rcv_nxt != tp->copied_seq) {
+				err = -EPERM;
+			} else {
+				WRITE_ONCE(tp->rcv_nxt, val);
+				WRITE_ONCE(tp->copied_seq, val);
+			}
+		} else {
 			err = -EINVAL;
+		}
 		break;
 
 	case TCP_REPAIR_OPTIONS:
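Review bot: the send-queue branch rejects only when the retransmit queue is non-empty (`if (!tcp_rtx_queue_empty(sk))`), whereas the receive-queue branch compares `tp->rcv_nxt` against `tp->copied_seq`; the commit message says TCP_QUEUE_SEQ must only be used when the queues are empty, but nothing in the hunk covers data that may still sit in the write queue ahead of the rtx queue, so either the commit message should state why the write queue cannot hold data once the socket is in TCP_CLOSE or the branch should test it as well. Minor: both new refusals reuse -EPERM, the same errno as the `sk->sk_state != TCP_CLOSE` case, so a restore tool cannot tell "wrong state" from "queue not empty" without extra probing; if -EPERM is kept, a one-line mention in the TCP_REPAIR documentation would help.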



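The following probe is an added example, not part of this patch, of CRIU, or of the kernel selftests. It replays the reported sequence against the running kernel and reports whether TCP_QUEUE_SEQ is now refused while the receive queue still holds unread data. Assumptions: a Linux host where the process has CAP_NET_ADMIN (TCP_REPAIR requires it), IPv4 loopback 127.0.0.1 instead of the ::1 of the repro, and a 20-byte constructed payload. The socket state is read through TCP_INFO before the final setsockopt, so a refusal caused by the socket not being in TCP_CLOSE is reported as "untestable" rather than mistaken for the fix.

```c
/* Probe for the TCP_QUEUE_SEQ receive-queue sanity check.
 * Added example; not kernel, CRIU, or selftest code.
 * Assumes Linux, CAP_NET_ADMIN, and a working loopback interface. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

/* Fallbacks for older libc headers; values match include/uapi/linux/tcp.h. */
#ifndef TCP_REPAIR
#define TCP_REPAIR 19
#endif
#ifndef TCP_REPAIR_QUEUE
#define TCP_REPAIR_QUEUE 20
#endif
#ifndef TCP_QUEUE_SEQ
#define TCP_QUEUE_SEQ 21
#endif
#ifndef TCP_RECV_QUEUE
#define TCP_RECV_QUEUE 1
#endif
#define STATE_TCP_CLOSE 7 /* TCP_CLOSE as reported in tcp_info.tcpi_state */

enum probe_result { PROBE_UNTESTABLE = -1, PROBE_ACCEPTED = 0, PROBE_REJECTED = 1 };

static int set_int(int fd, int opt, int val)
{
	return setsockopt(fd, IPPROTO_TCP, opt, &val, sizeof val);
}

static int tcp_state(int fd)
{
	struct tcp_info ti;
	socklen_t len = sizeof ti;

	if (getsockopt(fd, IPPROTO_TCP, TCP_INFO, &ti, &len) < 0)
		return -1;
	return ti.tcpi_state;
}

/* Returns PROBE_REJECTED (1) when TCP_QUEUE_SEQ fails with EPERM, as the
 * patched do_tcp_setsockopt() does with unread data queued; PROBE_ACCEPTED (0)
 * when the kernel still lets the sequence number be rewritten over that data;
 * PROBE_UNTESTABLE (-1) when any setup step fails (no CAP_NET_ADMIN, no
 * TCP_REPAIR support, or the socket did not reach TCP_CLOSE). */
int probe_queue_seq_check(void)
{
	static const char payload[20] = "constructed payload"; /* constructed sample data */
	struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(0) };
	int fd, saved, rc = PROBE_UNTESTABLE;

	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return PROBE_UNTESTABLE;

	/* 1. TCP_REPAIR on, then a repair-mode connect(): no SYN is sent and the
	 *    socket simply becomes ESTABLISHED towards 127.0.0.1:0. */
	if (set_int(fd, TCP_REPAIR, 1) < 0)
		goto out;
	if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
		goto out;

	/* 2. Inject unread data into the receive queue: rcv_nxt advances while
	 *    copied_seq does not, which is exactly the state the patch rejects. */
	if (set_int(fd, TCP_REPAIR_QUEUE, TCP_RECV_QUEUE) < 0)
		goto out;
	if (send(fd, payload, sizeof payload, 0) != (ssize_t)sizeof payload)
		goto out;

	/* 3. TCP_REPAIR off sends a window probe to port 0; the RST that answers
	 *    it over loopback drops the socket to TCP_CLOSE, the only state in
	 *    which TCP_QUEUE_SEQ is accepted. Bail out if that did not happen. */
	if (set_int(fd, TCP_REPAIR, 0) < 0)
		goto out;
	if (tcp_state(fd) != STATE_TCP_CLOSE)
		goto out;

	/* 4. The check under test: move RCV SEQ with 20 bytes still queued. */
	if (set_int(fd, TCP_QUEUE_SEQ, 0x1000) == 0)
		rc = PROBE_ACCEPTED;
	else if (errno == EPERM)
		rc = PROBE_REJECTED;
out:
	saved = errno;
	close(fd);
	errno = saved;
	return rc;
}

const char *probe_verdict(int rc)
{
	switch (rc) {
	case PROBE_REJECTED: return "patched: TCP_QUEUE_SEQ refused over queued data";
	case PROBE_ACCEPTED: return "UNPATCHED: seq rewritten with data still queued";
	default:             return "untestable (needs CAP_NET_ADMIN and TCP_REPAIR)";
	}
}

int main(void)
{
	int rc = probe_queue_seq_check();

	printf("%s\n", probe_verdict(rc));
	return rc == PROBE_ACCEPTED ? 1 : 0;
}
```

Run it as root (or with CAP_NET_ADMIN in a network namespace you own); without the capability the first TCP_REPAIR call fails with EPERM and the probe reports "untestable" rather than a false pass. The send-queue branch is deliberately not probed: the reset that takes the socket to TCP_CLOSE also purges the send queues, so there would be nothing left for tcp_rtx_queue_empty() to reject.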

Thread overview: 137+ messages
2021-03-15 13:55 [PATCH 4.19 000/120] 4.19.181-rc1 review gregkh
2021-03-15 13:55 ` [PATCH 4.19 001/120] uapi: nfnetlink_cthelper.h: fix userspace compilation error gregkh
2021-03-15 13:55 ` [PATCH 4.19 002/120] ethernet: alx: fix order of calls on resume gregkh
2021-03-15 13:55 ` [PATCH 4.19 003/120] ath9k: fix transmitting to stations in dynamic SMPS mode gregkh
2021-03-15 13:55 ` [PATCH 4.19 004/120] net: Fix gro aggregation for udp encaps with zero csum gregkh
2021-03-15 13:55 ` [PATCH 4.19 005/120] net: Introduce parse_protocol header_ops callback gregkh
2021-03-15 13:55 ` [PATCH 4.19 006/120] can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership gregkh
2021-03-15 13:55 ` [PATCH 4.19 007/120] can: flexcan: assert FRZ bit in flexcan_chip_freeze() gregkh
2021-03-15 13:55 ` [PATCH 4.19 008/120] can: flexcan: enable RX FIFO after FRZ/HALT valid gregkh
2021-03-15 13:56 ` [PATCH 4.19 009/120] netfilter: x_tables: gpf inside xt_find_revision() gregkh
2021-03-15 13:56 ` [PATCH 4.19 010/120] mt76: dma: do not report truncated frames to mac80211 gregkh
2021-03-15 13:56 ` [PATCH 4.19 011/120] tcp: annotate tp->copied_seq lockless reads gregkh
2021-03-16  9:41   ` Pavel Machek
2021-03-16  9:48     ` Greg KH
2021-03-16  9:49     ` Eric Dumazet
2021-03-15 13:56 ` [PATCH 4.19 012/120] tcp: annotate tp->write_seq " gregkh
2021-03-16  9:50   ` Pavel Machek
2021-03-16  9:52     ` Eric Dumazet
2021-03-16  9:53     ` Pavel Machek
2021-03-16  9:59     ` Eric Dumazet
2021-03-15 13:56 ` gregkh [this message]
2021-03-15 13:56 ` [PATCH 4.19 014/120] cifs: return proper error code in statfs(2) gregkh
2021-03-15 13:56 ` [PATCH 4.19 015/120] scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names gregkh
2021-03-15 13:56 ` [PATCH 4.19 016/120] Revert "mm, slub: consider rest of partial list if acquire_slab() fails" gregkh
2021-03-15 13:56 ` [PATCH 4.19 017/120] sh_eth: fix TRSCER mask for SH771x gregkh
2021-03-15 13:56 ` [PATCH 4.19 018/120] net: check if protocol extracted by virtio_net_hdr_set_proto is correct gregkh
2021-03-15 13:56 ` [PATCH 4.19 019/120] net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 gregkh
2021-03-15 13:56 ` [PATCH 4.19 020/120] net/mlx4_en: update moderation when config reset gregkh
2021-03-15 13:56 ` [PATCH 4.19 021/120] net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 gregkh
2021-03-15 13:56 ` [PATCH 4.19 022/120] net: sched: avoid duplicates in classes dump gregkh
2021-03-15 13:56 ` [PATCH 4.19 023/120] net: usb: qmi_wwan: allow qmimux add/del with master up gregkh
2021-03-15 13:56 ` [PATCH 4.19 024/120] cipso,calipso: resolve a number of problems with the DOI refcounts gregkh
2021-03-15 13:56 ` [PATCH 4.19 025/120] net: lapbether: Remove netif_start_queue / netif_stop_queue gregkh
2021-03-15 13:56 ` [PATCH 4.19 026/120] net: davicom: Fix regulator not turned off on failed probe gregkh
2021-03-15 13:56 ` [PATCH 4.19 027/120] net: davicom: Fix regulator not turned off on driver removal gregkh
2021-03-15 13:56 ` [PATCH 4.19 028/120] net: qrtr: fix error return code of qrtr_sendmsg() gregkh
2021-03-15 13:56 ` [PATCH 4.19 029/120] net: stmmac: stop each tx channel independently gregkh
2021-03-15 13:56 ` [PATCH 4.19 030/120] net: stmmac: fix watchdog timeout during suspend/resume stress test gregkh
2021-03-15 13:56 ` [PATCH 4.19 031/120] selftests: forwarding: Fix race condition in mirror installation gregkh
2021-03-15 13:56 ` [PATCH 4.19 032/120] perf traceevent: Ensure read cmdlines are null terminated gregkh
2021-03-15 13:56 ` [PATCH 4.19 033/120] s390/cio: return -EFAULT if copy_to_user() fails again gregkh
2021-03-15 13:56 ` [PATCH 4.19 034/120] drm/compat: Clear bounce structures gregkh
2021-03-15 13:56 ` [PATCH 4.19 035/120] drm: meson_drv add shutdown function gregkh
2021-03-15 13:56 ` [PATCH 4.19 036/120] s390/cio: return -EFAULT if copy_to_user() fails gregkh
2021-03-15 13:56 ` [PATCH 4.19 037/120] sh_eth: fix TRSCER mask for R7S9210 gregkh
2021-03-15 13:56 ` [PATCH 4.19 038/120] media: usbtv: Fix deadlock on suspend gregkh
2021-03-15 13:56 ` [PATCH 4.19 039/120] media: v4l: vsp1: Fix uif null pointer access gregkh
2021-03-15 13:56 ` [PATCH 4.19 040/120] media: v4l: vsp1: Fix bru " gregkh
2021-03-15 13:56 ` [PATCH 4.19 041/120] net: phy: fix save wrong speed and duplex problem if autoneg is on gregkh
2021-03-15 13:56 ` [PATCH 4.19 042/120] i2c: rcar: optimize cacheline to minimize HW race condition gregkh
2021-03-15 13:56 ` [PATCH 4.19 043/120] udf: fix silent AED tagLocation corruption gregkh
2021-03-15 13:56 ` [PATCH 4.19 044/120] mmc: mxs-mmc: Fix a resource leak in an error handling path in mxs_mmc_probe() gregkh
2021-03-15 13:56 ` [PATCH 4.19 045/120] mmc: mediatek: fix race condition between msdc_request_timeout and irq gregkh
2021-03-15 13:56 ` [PATCH 4.19 046/120] powerpc/pci: Add ppc_md.discover_phbs() gregkh
2021-03-15 13:56 ` [PATCH 4.19 047/120] powerpc: improve handling of unrecoverable system reset gregkh
2021-03-15 13:56 ` [PATCH 4.19 048/120] powerpc/perf: Record counter overflow always if SAMPLE_IP is unset gregkh
2021-03-15 13:56 ` [PATCH 4.19 049/120] sparc32: Limit memblock allocation to low memory gregkh
2021-03-15 13:56 ` [PATCH 4.19 050/120] sparc64: Use arch_validate_flags() to validate ADI flag gregkh
2021-03-15 13:56 ` [PATCH 4.19 051/120] PCI: xgene-msi: Fix race in installing chained irq handler gregkh
2021-03-15 13:56 ` [PATCH 4.19 052/120] PCI: mediatek: Add missing of_node_put() to fix reference leak gregkh
2021-03-15 13:56 ` [PATCH 4.19 053/120] PCI: Fix pci_register_io_range() memory leak gregkh
2021-03-15 13:56 ` [PATCH 4.19 054/120] i40e: Fix memory leak in i40e_probe gregkh
2021-03-15 13:56 ` [PATCH 4.19 055/120] s390/smp: __smp_rescan_cpus() - move cpumask away from stack gregkh
2021-03-15 13:56 ` [PATCH 4.19 056/120] scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling gregkh
2021-03-15 13:56 ` [PATCH 4.19 057/120] scsi: target: core: Add cmd length set before cmd complete gregkh
2021-03-15 13:56 ` [PATCH 4.19 058/120] scsi: target: core: Prevent underflow for service actions gregkh
2021-03-15 13:56 ` [PATCH 4.19 059/120] ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk gregkh
2021-03-15 13:56 ` [PATCH 4.19 060/120] ALSA: hda/hdmi: Cancel pending works before suspend gregkh
2021-03-15 13:56 ` [PATCH 4.19 061/120] ALSA: hda: Drop the BATCH workaround for AMD controllers gregkh
2021-03-15 13:56 ` [PATCH 4.19 062/120] ALSA: hda: Avoid spurious unsol event handling during S3/S4 gregkh
2021-03-15 13:56 ` [PATCH 4.19 063/120] ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar gregkh
2021-03-15 13:56 ` [PATCH 4.19 064/120] ALSA: usb-audio: Apply the control quirk to Plantronics headsets gregkh
2021-03-15 13:56 ` [PATCH 4.19 065/120] Revert 95ebabde382c ("capabilities: Dont allow writing ambiguous v3 file capabilities") gregkh
2021-03-15 13:56 ` [PATCH 4.19 066/120] s390/dasd: fix hanging DASD driver unbind gregkh
2021-03-15 13:56 ` [PATCH 4.19 067/120] s390/dasd: fix hanging IO request during " gregkh
2021-03-15 13:56 ` [PATCH 4.19 068/120] mmc: core: Fix partition switch time for eMMC gregkh
2021-03-15 13:57 ` [PATCH 4.19 069/120] mmc: cqhci: Fix random crash when remove mmc module/card gregkh
2021-03-15 13:57 ` [PATCH 4.19 070/120] Goodix Fingerprint device is not a modem gregkh
2021-03-15 13:57 ` [PATCH 4.19 071/120] USB: gadget: u_ether: Fix a configfs return code gregkh
2021-03-15 13:57 ` [PATCH 4.19 072/120] usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot gregkh
2021-03-15 13:57 ` [PATCH 4.19 073/120] usb: gadget: f_uac1: stop playback on function disable gregkh
2021-03-15 13:57 ` [PATCH 4.19 074/120] usb: dwc3: qcom: Honor wakeup enabled/disabled state gregkh
2021-03-15 13:57 ` [PATCH 4.19 075/120] USB: usblp: fix a hang in poll() if disconnected gregkh
2021-03-15 13:57 ` [PATCH 4.19 076/120] usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM gregkh
2021-03-15 13:57 ` [PATCH 4.19 077/120] xhci: Improve detection of device initiated wake signal gregkh
2021-03-15 13:57 ` [PATCH 4.19 078/120] usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing gregkh
2021-03-15 13:57 ` [PATCH 4.19 079/120] USB: serial: io_edgeport: fix memory leak in edge_startup gregkh
2021-03-15 13:57 ` [PATCH 4.19 080/120] USB: serial: ch341: add new Product ID gregkh
2021-03-15 13:57 ` [PATCH 4.19 081/120] USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter gregkh
2021-03-15 13:57 ` [PATCH 4.19 082/120] USB: serial: cp210x: add some more GE USB IDs gregkh
2021-03-15 13:57 ` [PATCH 4.19 083/120] usbip: fix stub_dev to check for stream socket gregkh
2021-03-15 13:57 ` [PATCH 4.19 084/120] usbip: fix vhci_hcd " gregkh
2021-03-15 13:57 ` [PATCH 4.19 085/120] usbip: fix vudc " gregkh
2021-03-15 13:57 ` [PATCH 4.19 086/120] usbip: fix stub_dev usbip_sockfd_store() races leading to gpf gregkh
2021-03-15 13:57 ` [PATCH 4.19 087/120] usbip: fix vhci_hcd attach_store() " gregkh
2021-03-15 13:57 ` [PATCH 4.19 088/120] usbip: fix vudc usbip_sockfd_store " gregkh
2021-03-15 13:57 ` [PATCH 4.19 089/120] staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() gregkh
2021-03-15 13:57 ` [PATCH 4.19 090/120] staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() gregkh
2021-03-15 13:57 ` [PATCH 4.19 091/120] staging: rtl8712: unterminated string leads to read overflow gregkh
2021-03-15 13:57 ` [PATCH 4.19 092/120] staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() gregkh
2021-03-15 13:57 ` [PATCH 4.19 093/120] staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() gregkh
2021-03-15 13:57 ` [PATCH 4.19 094/120] staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd gregkh
2021-03-15 13:57 ` [PATCH 4.19 095/120] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan gregkh
2021-03-15 13:57 ` [PATCH 4.19 096/120] staging: comedi: addi_apci_1032: Fix endian problem for COS sample gregkh
2021-03-15 13:57 ` [PATCH 4.19 097/120] staging: comedi: addi_apci_1500: Fix endian problem for command sample gregkh
2021-03-15 13:57 ` [PATCH 4.19 098/120] staging: comedi: adv_pci1710: Fix endian problem for AI command data gregkh
2021-03-15 13:57 ` [PATCH 4.19 099/120] staging: comedi: das6402: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 100/120] staging: comedi: das800: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 101/120] staging: comedi: dmm32at: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 102/120] staging: comedi: me4000: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 103/120] staging: comedi: pcl711: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 104/120] staging: comedi: pcl818: " gregkh
2021-03-15 13:57 ` [PATCH 4.19 105/120] sh_eth: fix TRSCER mask for R7S72100 gregkh
2021-03-15 13:57 ` [PATCH 4.19 106/120] NFSv4.2: fix return value of _nfs4_get_security_label() gregkh
2021-03-15 13:57 ` [PATCH 4.19 107/120] block: rsxx: fix error return code of rsxx_pci_probe() gregkh
2021-03-15 13:57 ` [PATCH 4.19 108/120] configfs: fix a use-after-free in __configfs_open_file gregkh
2021-03-15 13:57 ` [PATCH 4.19 109/120] hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() gregkh
2021-03-15 13:57 ` [PATCH 4.19 110/120] stop_machine: mark helpers __always_inline gregkh
2021-03-15 13:57 ` [PATCH 4.19 111/120] include/linux/sched/mm.h: use rcu_dereference in in_vfork() gregkh
2021-03-15 13:57 ` [PATCH 4.19 112/120] prctl: fix PR_SET_MM_AUXV kernel stack leak gregkh
2021-03-15 13:57 ` [PATCH 4.19 113/120] powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() gregkh
2021-03-15 13:57 ` [PATCH 4.19 114/120] binfmt_misc: fix possible deadlock in bm_register_write gregkh
2021-03-15 13:57 ` [PATCH 4.19 115/120] x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2 gregkh
2021-03-15 13:57 ` [PATCH 4.19 116/120] hwmon: (lm90) Fix max6658 sporadic wrong temperature reading gregkh
2021-03-15 13:57 ` [PATCH 4.19 117/120] KVM: arm64: Fix exclusive limit for IPA size gregkh
2021-03-15 13:57 ` [PATCH 4.19 118/120] xen/events: reset affinity of 2-level event when tearing it down gregkh
2021-03-15 13:57 ` [PATCH 4.19 119/120] xen/events: dont unmask an event channel when an eoi is pending gregkh
2021-03-15 13:57 ` [PATCH 4.19 120/120] xen/events: avoid handling the same event on two cpus at the same time gregkh
2021-03-15 21:38 ` [PATCH 4.19 000/120] 4.19.181-rc1 review Pavel Machek
2021-03-15 22:57 ` Jason Self
2021-03-16  9:33 ` Naresh Kamboju
2021-03-16 21:13 ` Guenter Roeck
2021-03-17  1:11 ` Samuel Zou
2021-03-17  2:57 ` Ross Schmidt
2021-03-18 11:59 ` Samuel Zou
2021-03-19  9:41   ` Greg KH
2021-03-19  1:50 ` Samuel Zou
