From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Junling Zheng <zhengjunling@huawei.com>,
Hanbing Xu <xuhanbing@huawei.com>, Li Zefan <lizefan@huawei.com>,
Al Viro <viro@zeniv.linux.org.uk>,
David Miller <davem@davemloft.net>
Subject: [PATCH 3.14 08/64] net: socket: Fix the wrong returns for recvmsg and sendmsg
Date: Wed, 3 Jun 2015 20:42:36 +0900 [thread overview]
Message-ID: <20150603063928.824548155@linuxfoundation.org> (raw)
In-Reply-To: <20150603063928.472620468@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junling Zheng <zhengjunling@huawei.com>
Based on 08adb7dabd4874cc5666b4490653b26534702ce0 upstream.
We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL
was expected.
We tested it through the recvmsg01 testcase come from LTP testsuit. It set
msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is
unexpected (errno 22 is expected):
recvmsg01 4 TFAIL : invalid socket length ; returned -1 (expected -1),
errno 14 (expected 22)
Linux mainline has no this bug for commit 08adb7dab fixes it accidentally.
However, it is too large and complex to be backported to LTS 3.10.
Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match
copy_msghdr_from_user() behaviour) made get_compat_msghdr() return
error if msg_sys->msg_namelen was negative, which changed the behaviors
of recvmsg and sendmsg syscall in a lib32 system:
Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would
return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen
was invalid and then syscall returned -EINVAL, which is correct.
And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will
fail and wants to return -EINVAL, however, the outer syscall will return
-EFAULT directly, which is unexpected.
This patch gets the return value of get_compat_msghdr() as well as
copy_msghdr_from_user(), then returns this expected value if
get_compat_msghdr() fails.
Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour)
Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
Signed-off-by: Hanbing Xu <xuhanbing@huawei.com>
Cc: Li Zefan <lizefan@huawei.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/socket.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
--- a/net/socket.c
+++ b/net/socket.c
@@ -2007,14 +2007,12 @@ static int ___sys_sendmsg(struct socket
int err, ctl_len, total_len;
err = -EFAULT;
- if (MSG_CMSG_COMPAT & flags) {
- if (get_compat_msghdr(msg_sys, msg_compat))
- return -EFAULT;
- } else {
+ if (MSG_CMSG_COMPAT & flags)
+ err = get_compat_msghdr(msg_sys, msg_compat);
+ else
err = copy_msghdr_from_user(msg_sys, msg);
- if (err)
- return err;
- }
+ if (err)
+ return err;
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
err = -EMSGSIZE;
@@ -2219,14 +2217,12 @@ static int ___sys_recvmsg(struct socket
struct sockaddr __user *uaddr;
int __user *uaddr_len;
- if (MSG_CMSG_COMPAT & flags) {
- if (get_compat_msghdr(msg_sys, msg_compat))
- return -EFAULT;
- } else {
+ if (MSG_CMSG_COMPAT & flags)
+ err = get_compat_msghdr(msg_sys, msg_compat);
+ else
err = copy_msghdr_from_user(msg_sys, msg);
- if (err)
- return err;
- }
+ if (err)
+ return err;
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
err = -EMSGSIZE;
next prev parent reply other threads:[~2015-06-03 11:42 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-03 11:42 [PATCH 3.14 00/64] 3.14.44-stable review Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 01/64] staging: wlags49_h2: fix extern inline functions Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 02/64] staging, rtl8192e, LLVMLinux: Change extern inline to static inline Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 03/64] staging: rtl8712, rtl8712: avoid lots of build warnings Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 04/64] staging, rtl8192e, LLVMLinux: Remove unused inline prototype Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 05/64] kernel: use the gnu89 standard explicitly Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 06/64] qla2xxx: remove redundant declaration in qla_gbl.h Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 07/64] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages Greg Kroah-Hartman
2015-06-03 11:42 ` Greg Kroah-Hartman [this message]
2015-06-03 11:42 ` [PATCH 3.14 09/64] fs, omfs: add NULL terminator in the end up the token list Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 10/64] xfs: xfs_iozero can return positive errno Greg Kroah-Hartman
2015-06-03 13:15 ` Luis Henriques
2015-06-03 11:42 ` [PATCH 3.14 11/64] lguest: fix out-by-one error in address checking Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 12/64] libceph: request a new osdmap if lingering request maps to no osd Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 13/64] xen/events: dont bind non-percpu VIRQs with percpu chip Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 14/64] hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 15/64] hwmon: (nct6775) Add missing sysfs attribute initialization Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 16/64] lib: Fix strnlen_user() to not touch memory after specified maximum Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 17/64] d_walk() might skip too much Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 18/64] ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 19/64] ALSA: hda - Add headphone quirk for Lifebook E752 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 21/64] ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 22/64] ASoC: uda1380: Avoid accessing i2c bus when codec is disabled Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 23/64] ASoC: wm8960: fix "RINPUT3" audio route error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 24/64] ASoC: wm8994: correct BCLK DIV 348 to 384 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 26/64] target/pscsi: Dont leak scsi_host if hba is VIRTUAL_HOST Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 27/64] xhci: fix isoc endpoint dequeue from advancing too far on transaction error Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 28/64] xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 29/64] xhci: gracefully handle xhci_irq dead device Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 30/64] USB: visor: Match I330 phone more precisely Greg Kroah-Hartman
2015-06-03 11:42 ` [PATCH 3.14 31/64] USB: pl2303: Remove support for Samsung I330 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 32/64] USB: cp210x: add ID for KCF Technologies PRN device Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 33/64] usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 34/64] usb: gadget: configfs: Fix interfaces array NULL-termination Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 35/64] powerpc: Align TOC to 256 bytes Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 36/64] mmc: atmel-mci: fix bad variable type for clkdiv Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 37/64] tty/n_gsm.c: fix a memory leak when gsmtty is removed Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 38/64] ext4: fix NULL pointer dereference when journal restart fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 39/64] ext4: check for zero length extent explicitly Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 40/64] jbd2: fix r_count overflows leading to buffer overflow in journal recovery Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 41/64] libata: Add helper to determine when PHY events should be ignored Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 42/64] libata: Ignore spurious PHY event on LPM policy change Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 43/64] rt2x00: add new rt2800usb device DWA 130 Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 44/64] gpio: gpio-kempld: Fix get_direction return value Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 45/64] crypto: s390/ghash - Fix incorrect ghash icv buffer handling Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 46/64] mac80211: move WEP tailroom size check Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 48/64] ARM: fix missing syscall trace exit Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 49/64] tools/vm: fix page-flags build Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 50/64] mm, numa: really disable NUMA balancing by default on single node machines Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 51/64] svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 52/64] thermal: step_wise: Revert optimization Greg Kroah-Hartman
2015-06-12 11:58 ` Luis Henriques
2015-06-03 11:43 ` [PATCH 3.14 53/64] md/raid5: dont record new size if resize_stripes fails Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 54/64] md/raid0: fix restore to sector variable in raid0_make_request Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 55/64] rtlwifi: rtl8192cu: Fix kernel deadlock Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 56/64] Input: elantech - fix semi-mt protocol for v3 HW Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 57/64] storvsc: Set the SRB flags correctly when no data transfer is needed Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 58/64] sd: Disable support for 256 byte/sector disks Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 59/64] ACPI / init: Fix the ordering of acpi_reserve_resources() Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 60/64] drm/radeon: add new bonaire pci id Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 63/64] vfs: read file_handle only once in handle_to_path Greg Kroah-Hartman
2015-06-03 11:43 ` [PATCH 3.14 64/64] fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings Greg Kroah-Hartman
2015-06-03 16:52 ` [PATCH 3.14 00/64] 3.14.44-stable review Shuah Khan
2015-06-03 18:15 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150603063928.824548155@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=xuhanbing@huawei.com \
--cc=zhengjunling@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).