user/sven/linux.git/net/socket.c, branch v4.1.41

net: Fix use after free in the recvmmsg exit path

2016-07-11T03:07:03Z

[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ] The syzkaller fuzzer hit the following use-after-free: Call Trace: [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295 [] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261 [< inline >] SYSC_recvmmsg net/socket.c:2281 [] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270 [] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 And, as Dmitry rightly assessed, that is because we can drop the reference and then touch it when the underlying recvmsg calls return some packets and then hit an error, which will make recvmmsg to set sock->sk->sk_err, oops, fix it. Reported-and-Tested-by: Dmitry Vyukov Cc: Alexander Potapenko Cc: Eric Dumazet Cc: Kostya Serebryany Cc: Sasha Levin Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall") http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin

net: fix uninitialized variable issue

2016-01-23T04:54:15Z

[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] msg_iocb needs to be initialized on the recv/recvfrom path. Otherwise afalg will wrongly interpret it as an async call. Cc: stable@vger.kernel.org Reported-by: Harald Freudenberger Signed-off-by: Tadeusz Struk Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

VFS: net/: d_inode() annotations

2015-04-15T19:06:56Z

socket inodes and sunrpc filesystems - inodes owned by that code Signed-off-by: David Howells Signed-off-by: Al Viro

make new_sync_{read,write}() static

2015-04-12T02:29:40Z

All places outside of core VFS that checked ->read and ->write for being NULL or called the methods directly are gone now, so NULL {read,write} with non-NULL {read,write}_iter will do the right thing in all cases. Signed-off-by: Al Viro

new helper: msg_data_left()

2015-04-11T19:53:35Z

convert open-coded instances Signed-off-by: Al Viro

get rid of the size argument of sock_sendmsg()

2015-04-11T19:27:37Z

it's equal to iov_iter_count(&msg->msg_iter) in all cases Signed-off-by: Al Viro

switch kernel_sendmsg() and kernel_recvmsg() to iov_iter_kvec()

2015-04-09T04:02:34Z

For kernel_sendmsg() that eliminates the need to play with setfs(); for kernel_recvmsg() it does *not* - a couple of callers are using it with non-NULL ->msg_control, which would be treated as userland address on recvmsg side of things. In all cases we are really setting a kvec-backed iov_iter, though. Signed-off-by: Al Viro

net: switch importing msghdr from userland to {compat_,}import_iovec()

2015-04-09T04:02:26Z

Signed-off-by: Al Viro

net: switch sendto() and recvfrom() to import_single_range()

2015-04-09T04:02:21Z

Signed-off-by: Al Viro

Merge branch 'iocb' into for-davem

2015-04-09T04:01:38Z

trivial conflict in net/socket.c and non-trivial one in crypto - that one had evaded aio_complete() removal. Signed-off-by: Al Viro