From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.4 05/91] cls_rsvp: fix rsvp_policy
Date: Thu, 13 Feb 2020 07:19:22 -0800 [thread overview]
Message-ID: <20200213151823.421606574@linuxfoundation.org> (raw)
In-Reply-To: <20200213151821.384445454@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
NLA_BINARY can be confusing, since .len value represents
the max size of the blob.
cls_rsvp really wants user space to provide long enough data
for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
rsvp_get net/sched/cls_rsvp.h:258 [inline]
gen_handle net/sched/cls_rsvp.h:402 [inline]
rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
slab_alloc_node mm/slub.c:2774 [inline]
__kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
__kmalloc_reserve net/core/skbuff.c:141 [inline]
__alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
alloc_skb include/linux/skbuff.h:1049 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/cls_rsvp.h | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -455,10 +455,8 @@ static u32 gen_tunnel(struct rsvp_head *
static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
[TCA_RSVP_CLASSID] = { .type = NLA_U32 },
- [TCA_RSVP_DST] = { .type = NLA_BINARY,
- .len = RSVP_DST_LEN * sizeof(u32) },
- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
- .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
[TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
};
next prev parent reply other threads:[~2020-02-13 16:11 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-13 15:19 [PATCH 4.4 00/91] 4.4.214-stable review Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 01/91] media: iguanair: fix endpoint sanity check Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 02/91] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 03/91] sparc32: fix struct ipc64_perm type definition Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 04/91] ASoC: qcom: Fix of-node refcount unbalance to link->codec_of_node Greg Kroah-Hartman
2020-02-13 15:19 ` Greg Kroah-Hartman [this message]
2020-02-13 15:19 ` [PATCH 4.4 06/91] net: hsr: fix possible NULL deref in hsr_handle_frame() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 07/91] net_sched: fix an OOB access in cls_tcindex Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 08/91] tcp: clear tp->total_retrans in tcp_disconnect() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 09/91] tcp: clear tp->segs_{in|out} " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 10/91] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 11/91] mfd: dln2: More sanity checking for endpoints Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 12/91] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 13/91] usb: gadget: legacy: set max_speed to super-speed Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 14/91] usb: gadget: f_ncm: Use atomic_t to track in-flight request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 15/91] usb: gadget: f_ecm: " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 16/91] ALSA: dummy: Fix PCM format loop in proc output Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 17/91] lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 18/91] powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 19/91] mmc: spi: Toggle SPI polarity, do not hardcode it Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 20/91] PCI: keystone: Fix link training retries initiation Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 21/91] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 22/91] scsi: qla2xxx: Fix mtcp dump collection failure Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 23/91] power: supply: ltc2941-battery-gauge: fix use-after-free Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 24/91] Revert "ovl: modify ovl_permission() to do checks on two inodes" Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 25/91] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 26/91] dm space map common: fix to ensure new block isnt already in use Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 27/91] padata: Remove broken queue flushing Greg Kroah-Hartman
2020-02-15 1:30 ` [PATCH v2 4.4] " Daniel Jordan
2020-02-13 15:19 ` [PATCH 4.4 28/91] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 29/91] crypto: api - Fix race condition in crypto_spawn_alg Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 30/91] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 31/91] btrfs: set trans->drity in btrfs_commit_transaction Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 32/91] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 33/91] mwifiex: fix unbalanced locking in mwifiex_process_country_ie() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 34/91] sunrpc: expiry_time should be seconds not timeval Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 35/91] KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 36/91] KVM: x86: Protect DR-based index computations from " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 37/91] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 38/91] KVM: x86: Protect ioapic_write_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 39/91] KVM: x86: Protect MSR-based index computations in pmu.h " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 40/91] KVM: x86: Protect ioapic_read_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 41/91] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.4 42/91] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 43/91] KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 44/91] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 45/91] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 46/91] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 47/91] scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 48/91] scsi: csiostor: Adjust indentation in csio_device_reset Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 49/91] scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 50/91] ext2: Adjust indentation in ext2_fill_super Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 51/91] powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 52/91] NFC: pn544: Adjust indentation in pn544_hci_check_presence Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 53/91] ppp: Adjust indentation into ppp_async_input Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 54/91] net: smc911x: Adjust indentation in smc911x_phy_configure Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 55/91] net: tulip: Adjust indentation in {dmfe, uli526x}_init_module Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 56/91] mfd: da9062: Fix watchdog compatible string Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 57/91] mfd: rn5t618: Mark ADC control register volatile Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 58/91] net: systemport: Avoid RBUF stuck in Wake-on-LAN mode Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 59/91] bonding/alb: properly access headers in bond_alb_xmit() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 60/91] NFS: Fix memory leaks and corruption in readdir Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 61/91] NFS: Fix bool initialization/comparison Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 62/91] NFS: Directory page cache pages need to be locked when read Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 63/91] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 64/91] btrfs: remove trivial locking wrappers of tree mod log Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 65/91] Btrfs: fix race between adding and putting tree mod seq elements and nodes Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 66/91] drm: atmel-hlcdc: enable clock before configuring timing engine Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 67/91] drm/dp_mst: Remove VCPI while disabling topology mgr Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 68/91] KVM: x86: drop picdev_in_range() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 69/91] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 70/91] KVM: x86: Protect pmu_intel.c from " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 71/91] KVM: x86: Protect kvm_lapic_reg_write() " Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 72/91] btrfs: flush write bio if we loop in extent_write_cache_pages Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 73/91] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 74/91] KVM: VMX: Add non-canonical check on writes to RTIT address MSRs Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 75/91] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 76/91] cifs: fail i/o on soft mounts if sessionsetup errors out Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 77/91] clocksource: Prevent double add_timer_on() for watchdog_timer Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 78/91] perf/core: Fix mlock accounting in perf_mmap() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 79/91] ASoC: pcm: update FE/BE trigger order based on the command Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 80/91] scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 81/91] rtc: hym8563: Return -EINVAL if the time is known to be invalid Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 82/91] ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 83/91] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 84/91] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 85/91] powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 86/91] pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 87/91] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 88/91] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 89/91] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 90/91] libertas: make lbs_ibss_join_existing() return error code on rates overflow Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.4 91/91] dm: fix potential for q->make_request_fn NULL pointer Greg Kroah-Hartman
2020-02-13 16:57 ` [PATCH 4.4 00/91] 4.4.214-stable review Chris Paterson
2020-02-13 23:17 ` Greg Kroah-Hartman
2020-02-14 1:21 ` shuah
2020-02-14 5:26 ` Guenter Roeck
[not found] ` <20200213151821.384445454-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-02-14 10:25 ` Jon Hunter
2020-02-14 10:25 ` Jon Hunter
2020-02-14 10:37 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200213151823.421606574@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.