Revision dc24f8b4ecd3d6c4153a1ec1bc2006ab32a41b8d authored by Paolo Abeni on 26 February 2020, 11:19:03 UTC, committed by David S. Miller on 27 February 2020, 04:49:50 UTC
syzbot noted that the master MPTCP socket lacks the icsk_sync_mss
callback, and was able to trigger a null pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8e171067 P4D 8e171067 PUD 93fa2067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8984 Comm: syz-executor066 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffffc900020b7b80 EFLAGS: 00010246
RAX: 1ffff110124ba600 RBX: 0000000000000000 RCX: ffff88809fefa600
RDX: ffff8880994cdb18 RSI: 0000000000000000 RDI: ffff8880925d3140
RBP: ffffc900020b7bd8 R08: ffffffff870225be R09: fffffbfff140652a
R10: fffffbfff140652a R11: 0000000000000000 R12: ffff8880925d35d0
R13: ffff8880925d3140 R14: dffffc0000000000 R15: 1ffff110124ba6ba
FS:  0000000001a0b880(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000a6d6f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cipso_v4_sock_setattr+0x34b/0x470 net/ipv4/cipso_ipv4.c:1888
 netlbl_sock_setattr+0x2a7/0x310 net/netlabel/netlabel_kapi.c:989
 smack_netlabel security/smack/smack_lsm.c:2425 [inline]
 smack_inode_setsecurity+0x3da/0x4a0 security/smack/smack_lsm.c:2716
 security_inode_setsecurity+0xb2/0x140 security/security.c:1364
 __vfs_setxattr_noperm+0x16f/0x3e0 fs/xattr.c:197
 vfs_setxattr fs/xattr.c:224 [inline]
 setxattr+0x335/0x430 fs/xattr.c:451
 __do_sys_fsetxattr fs/xattr.c:506 [inline]
 __se_sys_fsetxattr+0x130/0x1b0 fs/xattr.c:495
 __x64_sys_fsetxattr+0xbf/0xd0 fs/xattr.c:495
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440199
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcadc19e48 EFLAGS: 00000246 ORIG_RAX: 00000000000000be
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440199
RDX: 0000000020000200 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000003 R09: 00000000004002c8
R10: 0000000000000009 R11: 0000000000000246 R12: 0000000000401a20
R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000

Address the issue by adding a dummy icsk_sync_mss callback.
To properly sync the subflows mss and options list we need some
additional infrastructure, which will land in net-next.

Reported-by: syzbot+f4dfece964792d80b139@syzkaller.appspotmail.com
Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 4f31c53
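The bug class above is a protocol-specific callback slot left unset in a shared ops table: cipso_v4_sock_setattr() changes the socket's IP options and then calls icsk_sync_mss() so the MSS accounts for the added bytes, and the MPTCP master socket had never filled that slot, so the indirect call went to address 0 (the "RIP: 0010:0x0" in the oops). The following is an added, user-space C model of that pattern and of the shape of the fix (a no-op callback). It is not kernel code: the struct, the function names, the 1500-byte PMTU, the 12-byte CIPSO option length and the MSS arithmetic are hypothetical stand-ins, and the NULL check in the model's setattr path is something the real kernel path did not have.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. A minimal model of the callback table
 * carried by inet_connection_sock; names and numbers are hypothetical.
 */
struct conn_sock {
    const char *proto;
    uint32_t pmtu_cookie;                /* models icsk_pmtu_cookie */
    int opt_len;                         /* bytes of IP options attached */
    unsigned int (*sync_mss)(struct conn_sock *sk, uint32_t pmtu);
};

/* Plain TCP: recompute the MSS from the path MTU minus headers and options. */
static unsigned int tcp_sync_mss_model(struct conn_sock *sk, uint32_t pmtu)
{
    const unsigned int ip_hdr = 20, tcp_hdr = 20;
    return pmtu - ip_hdr - tcp_hdr - (unsigned int)sk->opt_len;
}

/* The shape of the fix: a no-op callback so the slot is never NULL.
 * (Real subflow syncing needs extra infrastructure, as the commit says.) */
static unsigned int mptcp_sync_mss_model(struct conn_sock *sk, uint32_t pmtu)
{
    (void)sk;
    (void)pmtu;
    return 0;
}

static void tcp_init_model(struct conn_sock *sk)
{
    sk->proto = "tcp";
    sk->pmtu_cookie = 1500;             /* constructed PMTU */
    sk->opt_len = 0;
    sk->sync_mss = tcp_sync_mss_model;
}

/* Pre-fix MPTCP init: sets up the socket but leaves sync_mss NULL. */
static void mptcp_init_model_buggy(struct conn_sock *sk)
{
    sk->proto = "mptcp";
    sk->pmtu_cookie = 1500;
    sk->opt_len = 0;
    sk->sync_mss = NULL;
}

/* Post-fix MPTCP init: same, plus the dummy callback installed. */
static void mptcp_init_model_fixed(struct conn_sock *sk)
{
    mptcp_init_model_buggy(sk);
    sk->sync_mss = mptcp_sync_mss_model;
}

/* Audit check: does this socket's callback table have a hole? */
static bool ops_complete(const struct conn_sock *sk)
{
    return sk->sync_mss != NULL;
}

/*
 * Models the tail of cipso_v4_sock_setattr(): attach a CIPSO option, then
 * resync the MSS through the callback. The kernel path has no NULL check,
 * which is why the oops shows RIP 0x0; this model returns -1 instead of
 * making the call. Returns the new MSS otherwise.
 */
static int cipso_setattr_model(struct conn_sock *sk, int cipso_opt_len)
{
    sk->opt_len = cipso_opt_len;
    if (!ops_complete(sk))
        return -1;
    return (int)sk->sync_mss(sk, sk->pmtu_cookie);
}

int main(void)
{
    struct conn_sock sk;
    const int cipso_len = 12;           /* constructed option length */

    tcp_init_model(&sk);
    printf("%s: mss after CIPSO = %d\n", sk.proto,
           cipso_setattr_model(&sk, cipso_len));

    mptcp_init_model_buggy(&sk);
    printf("%s (pre-fix): %s\n", sk.proto,
           cipso_setattr_model(&sk, cipso_len) < 0
               ? "sync_mss slot is NULL, kernel would jump to 0x0" : "ok");

    mptcp_init_model_fixed(&sk);
    printf("%s (fixed): mss = %d\n", sk.proto,
           cipso_setattr_model(&sk, cipso_len));
    return 0;
}
```

The practical check this illustrates is the one syzbot did by accident: for every new socket type that shares an existing ops structure, walk the callback slots the generic paths call unconditionally and confirm each is populated, either with a real implementation or, as here, with an explicit no-op that documents the deferred work.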