linux-uconsole/include/net
Eric Dumazet ad4adb10e3 soreuseport: initialise timewait reuseport field
commit 3099a52918 upstream.

syzbot reported an uninit-value in inet_csk_bind_conflict() [1]

It turns out we never propagated sk->sk_reuseport into the timewait socket.

[1]
BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
 inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
 inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
 SyS_bind+0x54/0x80 net/socket.c:1460
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4416e9
RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x2d6/0x680 net/core/sock.c:2271
 release_sock+0x97/0x2a0 net/core/sock.c:2786
 tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
 sock_release net/socket.c:595 [inline]
 sock_close+0xe0/0x300 net/socket.c:1149
 __fput+0x49e/0xa10 fs/file_table.c:209
 ____fput+0x37/0x40 fs/file_table.c:243
 task_work_run+0x243/0x2c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x10e1/0x38d0 kernel/exit.c:867
 do_group_exit+0x1a0/0x360 kernel/exit.c:970
 SYSC_exit_group+0x21/0x30 kernel/exit.c:981
 SyS_exit_group+0x25/0x30 kernel/exit.c:979
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
 tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x2d6/0x680 net/core/sock.c:2271
 release_sock+0x97/0x2a0 net/core/sock.c:2786
 tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
 sock_release net/socket.c:595 [inline]
 sock_close+0xe0/0x300 net/socket.c:1149
 __fput+0x49e/0xa10 fs/file_table.c:209
 ____fput+0x37/0x40 fs/file_table.c:243
 task_work_run+0x243/0x2c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x10e1/0x38d0 kernel/exit.c:867
 do_group_exit+0x1a0/0x360 kernel/exit.c:970
 SYSC_exit_group+0x21/0x30 kernel/exit.c:981
 SyS_exit_group+0x25/0x30 kernel/exit.c:979
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
 inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
 tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x2d6/0x680 net/core/sock.c:2271
 release_sock+0x97/0x2a0 net/core/sock.c:2786
 tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
 sock_release net/socket.c:595 [inline]
 sock_close+0xe0/0x300 net/socket.c:1149
 __fput+0x49e/0xa10 fs/file_table.c:209
 ____fput+0x37/0x40 fs/file_table.c:243
 task_work_run+0x243/0x2c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x10e1/0x38d0 kernel/exit.c:867
 do_group_exit+0x1a0/0x360 kernel/exit.c:970
 SYSC_exit_group+0x21/0x30 kernel/exit.c:981
 SyS_exit_group+0x25/0x30 kernel/exit.c:979
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Fixes: da5e36308d ("soreuseport: TCP/IPv4 implementation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-16 10:06:50 +02:00
9p
bluetooth Bluetooth: L2CAP: Fix returning correct LE CoC response codes 2015-11-05 04:04:00 +01:00
caif
irda
iucv
netfilter netfilter: nf_queue: Make the queue_handler pernet 2018-02-16 20:09:40 +01:00
netns netfilter: nf_queue: Make the queue_handler pernet 2018-02-16 20:09:40 +01:00
nfc
phonet
sctp sctp: potential read out of bounds in sctp_ulpevent_type_enabled() 2017-10-21 17:09:01 +02:00
tc_act
6lowpan.h
act_api.h
addrconf.h ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf 2017-05-14 13:32:58 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' 2016-09-30 10:18:36 +02:00
af_vsock.h
ah.h
arp.h ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY 2018-01-31 12:06:14 +01:00
atmclip.h
ax25.h
ax88796.h
bond_3ad.h bonding: simplify / unify event handling code for 3ad mode. 2015-11-02 22:52:24 -05:00
bond_alb.h
bond_options.h
bonding.h bonding: fix bond_get_stats() 2016-04-20 15:42:04 +09:00
busy_poll.h
cfg80211-wext.h
cfg80211.h cfg80211: make RATE_INFO_BW_20 the default 2018-04-13 19:50:00 +02:00
cfg802154.h
checksum.h
cipso_ipv4.h netlabel: out of bound access in cipso_v4_validate() 2017-02-18 16:39:26 +01:00
cls_cgroup.h
codel.h net_sched: update hierarchical backlog too 2016-05-18 17:06:39 -07:00
compat.h
datalink.h
dcbevent.h
dcbnl.h
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h
dsfield.h
dst.h ipv4: add reference counting to metrics 2017-06-07 12:05:59 +02:00
dst_cache.h net: add dst_cache support 2018-02-25 11:03:34 +01:00
dst_metadata.h gro: Make GRO aware of lightweight tunnels. 2016-03-03 15:07:04 -08:00
dst_ops.h
esp.h
ethoc.h
fib_rules.h
firewire.h
flow.h
flow_dissector.h
flowcache.h
fou.h
garp.h
gen_stats.h
genetlink.h netlink: add a start callback for starting a netlink dump 2017-12-05 11:22:49 +01:00
geneve.h
gre.h
gro_cells.h
gue.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h tcp/dccp: fix another race at listener dismantle 2016-03-03 15:07:07 -08:00
inet_ecn.h ipv6: update skb->csum when CE mark is propagated 2016-01-31 11:29:01 -08:00
inet_frag.h Revert "net: fix percpu memory leaks" 2017-09-27 11:00:11 +02:00
inet_hashtables.h
inet_sock.h tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-11-18 11:11:07 +01:00
inet_timewait_sock.h soreuseport: initialise timewait reuseport field 2018-05-16 10:06:50 +02:00
inetpeer.h inet: tcp: fix inetpeer_set_addr_v4() 2015-12-16 00:14:12 -05:00
ip.h ipv4: igmp: guard against silly MTU values 2018-01-02 20:33:24 +01:00
ip6_checksum.h
ip6_fib.h ipv6: fix sparse warning on rt6i_node 2017-09-27 11:00:10 +02:00
ip6_route.h net: ipv6: Compare lwstate in detecting duplicate nexthops 2017-07-21 07:44:55 +02:00
ip6_tunnel.h net: replace dst_cache ip6_tunnel implementation with the generic one 2018-02-25 11:03:34 +01:00
ip_fib.h ipv4: add reference counting to metrics 2017-06-07 12:05:59 +02:00
ip_tunnels.h ip_tunnel: replace dst_cache with generic implementation 2018-02-28 10:17:21 +01:00
ip_vs.h ipvs: drop first packet to redirect conntrack 2016-05-11 11:21:09 +02:00
ipcomp.h
ipconfig.h
ipv6.h ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL 2018-01-31 12:06:12 +01:00
ipx.h
iw_handler.h wext: handle NULL extra data in iwe_stream_add_point better 2017-08-11 09:08:56 -07:00
l3mdev.h net: Propagate lookup failure in l3mdev_get_saddr to caller 2016-01-04 22:58:30 -05:00
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: delete timers synchronously in llc_sk_free() 2018-04-29 07:50:05 +02:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h
mac80211.h mac80211: Add RX flag to indicate ICV stripped 2018-05-16 10:06:46 +02:00
mac802154.h
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mrp.h
ndisc.h Revert "ipv6: ndisc: inherit metadata dst when creating ndisc requests" 2015-12-01 15:07:59 -05:00
neighbour.h
net_namespace.h net: tcp: close sock if net namespace is exiting 2018-01-31 12:06:14 +01:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h netlink: fix nla_put_{u8,u16,u32} for KASAN 2018-02-25 11:03:51 +01:00
netprio_cgroup.h
netrom.h
nexthop.h net: fix rtnh_ok() 2018-05-16 10:06:50 +02:00
nl802154.h
p8022.h
ping.h
pkt_cls.h
pkt_sched.h
protocol.h
psnap.h
raw.h
rawv6.h
red.h net_sched: red: Avoid illegal values 2018-02-25 11:03:40 +01:00
regulatory.h
request_sock.h
rose.h
route.h net: Propagate lookup failure in l3mdev_get_saddr to caller 2016-01-04 22:58:30 -05:00
rtnetlink.h
sch_generic.h net_sched: fix order of queue length updates in qdisc_replace() 2017-08-30 10:19:21 +02:00
scm.h unix: correctly track in-flight fds in sending process user_struct 2016-03-03 15:07:05 -08:00
secure_seq.h
slhc_vj.h slip: Check if rstate is initialized before uncompressing 2018-04-24 09:32:04 +02:00
snmp.h
sock.h net: avoid sk_forward_alloc overflows 2016-11-15 07:46:36 +01:00
Space.h
stp.h
switchdev.h switchdev: pass pointer to fib_info instead of copy 2016-06-24 10:18:16 -07:00
tcp.h tcp: sysctl: Fix a race to avoid unexpected 0 window from space 2018-03-22 09:23:22 +01:00
tcp_memcontrol.h
tcp_states.h
timewait_sock.h
transp_v6.h
tso.h
udp.h
udp_tunnel.h
udplite.h udplite: fix partial checksum initialization 2018-03-11 16:19:46 +01:00
vsock_addr.h
vxlan.h vxlan: fix incorrect RCO bit in VXLAN header 2015-12-05 18:15:29 -05:00
wext.h
wimax.h
x25.h net: x25: fix one potential use-after-free issue 2018-04-13 19:50:07 +02:00
x25device.h
xfrm.h xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY 2017-07-05 14:37:21 +02:00