
[net,1/1] tipc: fix kernel warning when sending SYN message

Message ID 20230207012046.8683-1-tung.q.nguyen@dektech.com.au (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series [net,1/1] tipc: fix kernel warning when sending SYN message

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 1 maintainers not CCed: tipc-discussion@lists.sourceforge.net
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Tung Quang Nguyen Feb. 7, 2023, 1:20 a.m. UTC
When sending a SYN message, this kernel stack trace is observed:

...
[   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
...
[   13.398494] Call Trace:
[   13.398630]  <TASK>
[   13.398630]  ? __alloc_skb+0xed/0x1a0
[   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
[   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
[   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
[   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __local_bh_enable_ip+0x37/0x80
[   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __sys_connect+0x9f/0xd0
[   13.398630]  __sys_connect+0x9f/0xd0
[   13.398630]  ? preempt_count_add+0x4d/0xa0
[   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
[   13.398630]  __x64_sys_connect+0x16/0x20
[   13.398630]  do_syscall_64+0x42/0x90
[   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
to copy to/from iterator") has introduced a sanity check for copying
from/to an iov iterator. Lacking a copy direction from the iterator's
viewpoint leads to a kernel stack trace like the one above.

This commit fixes this issue by initializing the iov iterator with
the correct copy direction.

Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
---
 net/tipc/msg.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jakub Kicinski Feb. 8, 2023, 5:34 a.m. UTC | #1
On Tue,  7 Feb 2023 01:20:46 +0000 Tung Nguyen wrote:
> When sending a SYN message, this kernel stack trace is observed:
> 
> ...
> [   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
> ...
> [   13.398494] Call Trace:
> [   13.398630]  <TASK>
> [   13.398630]  ? __alloc_skb+0xed/0x1a0
> [   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
> [   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
> [   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
> [   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
> [   13.398630]  ? __local_bh_enable_ip+0x37/0x80
> [   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
> [   13.398630]  ? __sys_connect+0x9f/0xd0
> [   13.398630]  __sys_connect+0x9f/0xd0
> [   13.398630]  ? preempt_count_add+0x4d/0xa0
> [   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
> [   13.398630]  __x64_sys_connect+0x16/0x20
> [   13.398630]  do_syscall_64+0x42/0x90
> [   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
> to copy to/from iterator") has introduced a sanity check for copying
> from/to an iov iterator. Lacking a copy direction from the iterator's
> viewpoint leads to a kernel stack trace like the one above.

How far does the bug itself date, tho?
Can we get a Fixes tag?

> This commit fixes this issue by initializing the iov iterator with
> the correct copy direction.
Tung Quang Nguyen Feb. 8, 2023, 6:56 a.m. UTC | #2
>-----Original Message-----
>From: Jakub Kicinski <kuba@kernel.org>
>Sent: Wednesday, February 8, 2023 12:35 PM
>To: Tung Quang Nguyen <tung.q.nguyen@dektech.com.au>
>Cc: netdev@vger.kernel.org; davem@davemloft.net; edumazet@google.com; pabeni@redhat.com; jmaloy@redhat.com;
>ying.xue@windriver.com; viro@zeniv.linux.org.uk; syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
>Subject: Re: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
>
>On Tue,  7 Feb 2023 01:20:46 +0000 Tung Nguyen wrote:
>> When sending a SYN message, this kernel stack trace is observed:
>>
>> ...
>> [   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
>> ...
>> [   13.398494] Call Trace:
>> [   13.398630]  <TASK>
>> [   13.398630]  ? __alloc_skb+0xed/0x1a0
>> [   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
>> [   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
>> [   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
>> [   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
>> [   13.398630]  ? __local_bh_enable_ip+0x37/0x80
>> [   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
>> [   13.398630]  ? __sys_connect+0x9f/0xd0
>> [   13.398630]  __sys_connect+0x9f/0xd0
>> [   13.398630]  ? preempt_count_add+0x4d/0xa0
>> [   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
>> [   13.398630]  __x64_sys_connect+0x16/0x20
>> [   13.398630]  do_syscall_64+0x42/0x90
>> [   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>
>> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
>> to copy to/from iterator") has introduced a sanity check for copying
>> from/to an iov iterator. Lacking a copy direction from the iterator's
>> viewpoint leads to a kernel stack trace like the one above.
>
>How far does the bug itself date, tho?
This issue appeared since the introduction of commit a41dad905e5a in December 2022.
>Can we get a Fixes tag?
I will add a Fixes tag in v2.
>
>> This commit fixes this issue by initializing the iov iterator with
>> the correct copy direction.
Tung Quang Nguyen Feb. 8, 2023, 7:48 a.m. UTC | #3
>-----Original Message-----
>From: Jakub Kicinski <kuba@kernel.org>
>Sent: Wednesday, February 8, 2023 2:31 PM
>To: Tung Quang Nguyen <tung.q.nguyen@dektech.com.au>
>Cc: netdev@vger.kernel.org; davem@davemloft.net; edumazet@google.com; pabeni@redhat.com; jmaloy@redhat.com;
>ying.xue@windriver.com; viro@zeniv.linux.org.uk; syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com"
><syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com>
>Subject: Re: [PATCH net 1/1] tipc: fix kernel warning when sending SYN message
>
>On Wed, 8 Feb 2023 06:56:26 +0000 Tung Quang Nguyen wrote:
>> >> It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
>> >> to copy to/from iterator") has introduced a sanity check for copying
>> >> from/to an iov iterator. Lacking a copy direction from the iterator's
>> >> viewpoint leads to a kernel stack trace like the one above.
>> >
>> >How far does the bug itself date, tho?
>> This issue appeared since the introduction of commit a41dad905e5a in December 2022.
>
>I presume that commit a41dad905e5a just added a warning to catch
>abuses. Unless this is a false positive the bug itself must have
>been introduced earlier.
Yes, since 2014. I added it in v2.
>
>> >Can we get a Fixes tag?
>> I will add a Fixes tag in v2.
>
>Thanks!

Patch

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 5c9fd4791c4b..cce118fea07a 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -381,6 +381,9 @@  int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m, int offset,
 
 	msg_set_size(mhdr, msz);
 
+	if (!dsz)
+		iov_iter_init(&m->msg_iter, ITER_SOURCE, NULL, 0, 0);
+
 	/* No fragmentation needed? */
 	if (likely(msz <= pktmax)) {
 		skb = tipc_buf_acquire(msz, GFP_KERNEL);
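Review bot: The series still carries no Fixes: tag (netdev/fixes_present fails and the reviewer asked for one in #1), and the new `if (!dsz)` block at the top of the hunk has no comment saying why an empty ITER_SOURCE iterator is installed here; a maintainer reading tipc_msg_build() later will not see the connection to the SYN path from tipc_connect() described in the commit message. Suggest a one-line comment above the check, along the lines of `/* Zero-length SYN: give msg_iter a copy direction so _copy_from_iter() does not warn */`, and confirm in the commit message that this is the only caller reaching tipc_msg_build() with dsz == 0 and an iterator that was never initialised, since the check silently re-initialises msg_iter for every zero-length payload rather than only for SYN.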