From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.4 05/91] cls_rsvp: fix rsvp_policy
Date: Thu, 13 Feb 2020 07:19:22 -0800 [thread overview]
Message-ID: <20200213151823.421606574@linuxfoundation.org> (raw)
In-Reply-To: <20200213151821.384445454@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
NLA_BINARY can be confusing, since .len value represents
the max size of the blob.
cls_rsvp really wants user space to provide long enough data
for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
rsvp_get net/sched/cls_rsvp.h:258 [inline]
gen_handle net/sched/cls_rsvp.h:402 [inline]
rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
slab_alloc_node mm/slub.c:2774 [inline]
__kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
__kmalloc_reserve net/core/skbuff.c:141 [inline]
__alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
alloc_skb include/linux/skbuff.h:1049 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/cls_rsvp.h | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -455,10 +455,8 @@ static u32 gen_tunnel(struct rsvp_head *
static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
[TCA_RSVP_CLASSID] = { .type = NLA_U32 },
- [TCA_RSVP_DST] = { .type = NLA_BINARY,
- .len = RSVP_DST_LEN * sizeof(u32) },
- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
- .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
[TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
};
next prev parent reply other threads:[~2020-02-13 16:11 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-13 15:19 [PATCH 4.4 00/91] 4.4.214-stable review Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 01/91] media: iguanair: fix endpoint sanity check Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 02/91] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 03/91] sparc32: fix struct ipc64_perm type definition Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 04/91] ASoC: qcom: Fix of-node refcount unbalance to link->codec_of_node Greg Kroah-Hartman
2020-02-13 15:19 ` Greg Kroah-Hartman [this message]
2020-02-13 15:19 ` [PATCH 4.4 06/91] net: hsr: fix possible NULL deref in hsr_handle_frame() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 07/91] net_sched: fix an OOB access in cls_tcindex Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 08/91] tcp: clear tp->total_retrans in tcp_disconnect() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 09/91] tcp: clear tp->segs_{in|out} " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 10/91] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 11/91] mfd: dln2: More sanity checking for endpoints Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 12/91] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 13/91] usb: gadget: legacy: set max_speed to super-speed Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 14/91] usb: gadget: f_ncm: Use atomic_t to track in-flight request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 15/91] usb: gadget: f_ecm: " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 16/91] ALSA: dummy: Fix PCM format loop in proc output Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 17/91] lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 18/91] powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 19/91] mmc: spi: Toggle SPI polarity, do not hardcode it Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 20/91] PCI: keystone: Fix link training retries initiation Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 21/91] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 22/91] scsi: qla2xxx: Fix mtcp dump collection failure Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 23/91] power: supply: ltc2941-battery-gauge: fix use-after-free Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 24/91] Revert "ovl: modify ovl_permission() to do checks on two inodes" Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 25/91] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 26/91] dm space map common: fix to ensure new block isnt already in use Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 27/91] padata: Remove broken queue flushing Greg Kroah-Hartman
2020-02-15 1:30 ` [PATCH v2 4.4] " Daniel Jordan
2020-02-13 15:19 ` [PATCH 4.4 28/91] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 29/91] crypto: api - Fix race condition in crypto_spawn_alg Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 30/91] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 31/91] btrfs: set trans->drity in btrfs_commit_transaction Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 32/91] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 33/91] mwifiex: fix unbalanced locking in mwifiex_process_country_ie() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 34/91] sunrpc: expiry_time should be seconds not timeval Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 35/91] KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 36/91] KVM: x86: Protect DR-based index computations from " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 37/91] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 38/91] KVM: x86: Protect ioapic_write_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 39/91] KVM: x86: Protect MSR-based index computations in pmu.h " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 40/91] KVM: x86: Protect ioapic_read_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 41/91] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 42/91] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 43/91] KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 44/91] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 45/91] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 46/91] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 47/91] scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 48/91] scsi: csiostor: Adjust indentation in csio_device_reset Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 49/91] scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 50/91] ext2: Adjust indentation in ext2_fill_super Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 51/91] powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 52/91] NFC: pn544: Adjust indentation in pn544_hci_check_presence Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 53/91] ppp: Adjust indentation into ppp_async_input Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 54/91] net: smc911x: Adjust indentation in smc911x_phy_configure Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 55/91] net: tulip: Adjust indentation in {dmfe, uli526x}_init_module Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 56/91] mfd: da9062: Fix watchdog compatible string Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 57/91] mfd: rn5t618: Mark ADC control register volatile Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 58/91] net: systemport: Avoid RBUF stuck in Wake-on-LAN mode Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 59/91] bonding/alb: properly access headers in bond_alb_xmit() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 60/91] NFS: Fix memory leaks and corruption in readdir Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 61/91] NFS: Fix bool initialization/comparison Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 62/91] NFS: Directory page cache pages need to be locked when read Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 63/91] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 64/91] btrfs: remove trivial locking wrappers of tree mod log Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 65/91] Btrfs: fix race between adding and putting tree mod seq elements and nodes Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 66/91] drm: atmel-hlcdc: enable clock before configuring timing engine Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 67/91] drm/dp_mst: Remove VCPI while disabling topology mgr Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 68/91] KVM: x86: drop picdev_in_range() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 69/91] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 70/91] KVM: x86: Protect pmu_intel.c from " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 71/91] KVM: x86: Protect kvm_lapic_reg_write() " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 72/91] btrfs: flush write bio if we loop in extent_write_cache_pages Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 73/91] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 74/91] KVM: VMX: Add non-canonical check on writes to RTIT address MSRs Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 75/91] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 76/91] cifs: fail i/o on soft mounts if sessionsetup errors out Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 77/91] clocksource: Prevent double add_timer_on() for watchdog_timer Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 78/91] perf/core: Fix mlock accounting in perf_mmap() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 79/91] ASoC: pcm: update FE/BE trigger order based on the command Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 80/91] scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 81/91] rtc: hym8563: Return -EINVAL if the time is known to be invalid Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 82/91] ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 83/91] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 84/91] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 85/91] powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 86/91] pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 87/91] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 88/91] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 89/91] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 90/91] libertas: make lbs_ibss_join_existing() return error code on rates overflow Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 91/91] dm: fix potential for q->make_request_fn NULL pointer Greg Kroah-Hartman
2020-02-13 16:57 ` [PATCH 4.4 00/91] 4.4.214-stable review Chris Paterson
2020-02-13 23:17 ` Greg Kroah-Hartman
2020-02-14 1:21 ` shuah
2020-02-14 5:26 ` Guenter Roeck
2020-02-14 10:25 ` Jon Hunter
2020-02-14 10:37 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200213151823.421606574@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).