kernel/net/socket.c, branch linux-4.1.y Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.1.y 2018-01-17T17:55:32Z net: initialize msg.msg_flags in recvfrom 2018-01-17T17:55:32Z Alexander Potapenko glider@google.com 2017-03-08T17:08:16Z urn:sha1:b8fcc2ddaeffd3ed32437c7a52d9f6ef189450a7 [ Upstream commit 9f138fa609c47403374a862a08a41394be53d461 ] KMSAN reports a use of uninitialized memory in put_cmsg() because msg.msg_flags in recvfrom haven't been initialized properly. The flag values don't affect the result on this path, but it's still a good idea to initialize them explicitly. Signed-off-by: Alexander Potapenko <glider@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> net: socket: fix recvmmsg not returning error from sock_error 2018-01-17T17:25:03Z Maxime Jayat maxime.jayat@mobile-devices.fr 2017-02-21T17:35:51Z urn:sha1:7a69ea1de73b9be5d5b18d81980e5f9972a39748 [ Upstream commit e623a9e9dec29ae811d11f83d0074ba254aba374 ] Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"), changed the exit path of recvmmsg to always return the datagrams variable and modified the error paths to set the variable to the error code returned by recvmsg if necessary. However in the case sock_error returned an error, the error code was then ignored, and recvmmsg returned 0. Change the error path of recvmmsg to correctly return the error code of sock_error. The bug was triggered by using recvmmsg on a CAN interface which was not up. Linux 4.6 and later return 0 in this case while earlier releases returned -ENETDOWN. Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path") Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> net: Fix use after free in the recvmmsg exit path 2016-07-11T03:07:03Z Arnaldo Carvalho de Melo acme@redhat.com 2016-03-14T12:56:35Z urn:sha1:8ca7bf099ae0e6ff096b3910895b5285a112aeb5 [ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ] The syzkaller fuzzer hit the following use-after-free: Call Trace: [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295 [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261 [< inline >] SYSC_recvmmsg net/socket.c:2281 [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270 [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 And, as Dmitry rightly assessed, that is because we can drop the reference and then touch it when the underlying recvmsg calls return some packets and then hit an error, which will make recvmmsg to set sock->sk->sk_err, oops, fix it. Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Eric Dumazet <edumazet@google.com> Cc: Kostya Serebryany <kcc@google.com> Cc: Sasha Levin <sasha.levin@oracle.com> Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall") http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> net: fix uninitialized variable issue 2016-01-23T04:54:15Z tadeusz.struk@intel.com tadeusz.struk@intel.com 2015-12-15T18:46:17Z urn:sha1:1c72e110be7f6860ccb4e226beb34e2c4537f6bb [ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] msg_iocb needs to be initialized on the recv/recvfrom path. Otherwise afalg will wrongly interpret it as an async call. Cc: stable@vger.kernel.org Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> VFS: net/: d_inode() annotations 2015-04-15T19:06:56Z David Howells dhowells@redhat.com 2015-03-17T22:26:16Z urn:sha1:c5ef60352893b139147b7c033354e8e028e7f52a socket inodes and sunrpc filesystems - inodes owned by that code Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> make new_sync_{read,write}() static 2015-04-12T02:29:40Z Al Viro viro@zeniv.linux.org.uk 2015-04-03T19:41:18Z urn:sha1:5d5d568975307877e9195f5305f4240e506a2807 All places outside of core VFS that checked ->read and ->write for being NULL or called the methods directly are gone now, so NULL {read,write} with non-NULL {read,write}_iter will do the right thing in all cases. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> new helper: msg_data_left() 2015-04-11T19:53:35Z Al Viro viro@zeniv.linux.org.uk 2014-12-16T02:39:31Z urn:sha1:01e97e6517053d7c0b9af5248e944a9209909cf5 convert open-coded instances Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> get rid of the size argument of sock_sendmsg() 2015-04-11T19:27:37Z Al Viro viro@zeniv.linux.org.uk 2014-12-11T05:02:50Z urn:sha1:d8725c86aebaf3516e220760aaf5fefc73825188 it's equal to iov_iter_count(&msg->msg_iter) in all cases Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> switch kernel_sendmsg() and kernel_recvmsg() to iov_iter_kvec() 2015-04-09T04:02:34Z Al Viro viro@zeniv.linux.org.uk 2015-03-21T23:56:16Z urn:sha1:6aa248145ab0b1809de2411cf129ec1fc315a46f For kernel_sendmsg() that eliminates the need to play with setfs(); for kernel_recvmsg() it does *not* - a couple of callers are using it with non-NULL ->msg_control, which would be treated as userland address on recvmsg side of things. In all cases we are really setting a kvec-backed iov_iter, though. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> net: switch importing msghdr from userland to {compat_,}import_iovec() 2015-04-09T04:02:26Z Al Viro viro@zeniv.linux.org.uk 2015-03-21T23:29:06Z urn:sha1:da18428498fb24438a23d982259461fe22bc1f46 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>