From nobody Mon Apr 13 18:37:02 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8196C4332F for ; Wed, 16 Nov 2022 08:18:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238682AbiKPISL (ORCPT ); Wed, 16 Nov 2022 03:18:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51278 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237857AbiKPIRo (ORCPT ); Wed, 16 Nov 2022 03:17:44 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5293BBA for ; Wed, 16 Nov 2022 00:16:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1668586606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=i9d1x3IOEClUC0qavYogMQagsbboIJFcHLUHadOyzrg=; b=fXIcC0xNySq2teBggHM6rgpolIYY/cT4qBRksiZf8ZCUFSKWU7Vo60EuW6mRndojpal043 K8SgSNWjAKIjKZ5CdggrzYi+WDeG/fKuJsAlR980VPXImjY4H1vC4EOuOEigTaXTU6m4TR rYcrDzJuqrKjgx+f7/nJHG744qBpays= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-407-wIQBQWIKOBG1HOOwGEY4Aw-1; Wed, 16 Nov 2022 03:16:44 -0500 X-MC-Unique: wIQBQWIKOBG1HOOwGEY4Aw-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 25AF8381494B; Wed, 16 Nov 2022 08:16:44 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.33.36.24]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9A20E140EBF3; Wed, 16 Nov 2022 08:16:43 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH net-next 1/3] rxrpc: Fix missing IPV6 #ifdef From: David Howells To: netdev@vger.kernel.org Cc: dhowells@redhat.com, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Date: Wed, 16 Nov 2022 08:16:40 +0000 Message-ID: <166858660085.2154965.8163437106785496427.stgit@warthog.procyon.org.uk> In-Reply-To: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> References: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix rxrpc_encap_err_rcv() to make the call to ipv6_icmp_error conditional on IPV6 support being enabled. Fixes: b6c66c4324e7 ("rxrpc: Use the core ICMP/ICMP6 parsers") Reported-by: kernel test robot Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org --- net/rxrpc/local_object.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c index a178f71e5082..a943fdf91e24 100644 --- a/net/rxrpc/local_object.c +++ b/net/rxrpc/local_object.c @@ -33,7 +33,8 @@ static void rxrpc_encap_err_rcv(struct sock *sk, struct s= k_buff *skb, int err, { if (ip_hdr(skb)->version =3D=3D IPVERSION) return ip_icmp_error(sk, skb, err, port, info, payload); - return ipv6_icmp_error(sk, skb, err, port, info, payload); + if (IS_ENABLED(CONFIG_AF_RXRPC_IPV6)) + return ipv6_icmp_error(sk, skb, err, port, info, payload); } =20 /* From nobody Mon Apr 13 18:37:02 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C595EC4332F for ; Wed, 16 Nov 2022 08:19:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238794AbiKPITG (ORCPT ); Wed, 16 Nov 2022 03:19:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51478 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232115AbiKPISN (ORCPT ); Wed, 16 Nov 2022 03:18:13 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 07A6A60CF for ; Wed, 16 Nov 2022 00:17:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1668586631; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UjChVR3JL0IE4M+ycBoVPEnLs7suZyUWAlBSRhFsres=; b=BNnYwN8YyQ0KHG+vz0+XxJuR3w8BsmMCg9QQV9D/M4H3NVBtXRQ0gV+ZOiINFqnWRA3JYi tBosOIPbzzARekDPVTesTdJvq8Zg2de8+ci1gq9RZffchirJ5aRUNk5fctT5y741ILuyDp sy+7GUPbImhSNAw48oxWg8NsfTjgVgA= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-389-D4sxpjaUPC-sqN_MCLADiw-1; Wed, 16 Nov 2022 03:16:52 -0500 X-MC-Unique: D4sxpjaUPC-sqN_MCLADiw-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 911C9101A528; Wed, 16 Nov 2022 08:16:52 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.33.36.24]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1088140C2086; Wed, 16 Nov 2022 08:16:51 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH net-next 2/3] rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket From: David Howells To: netdev@vger.kernel.org Cc: dhowells@redhat.com, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Date: Wed, 16 Nov 2022 08:16:49 +0000 Message-ID: <166858660930.2154965.8554587152080422824.stgit@warthog.procyon.org.uk> In-Reply-To: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> References: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If rxrpc sees an IPv6 address, it assumes it can call udpv6_sendmsg() on it - even if it got it on an IPv4 socket. Fix do_udp_sendmsg() to give an error in such a case. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] ... RIP: 0010:ipv6_addr_v4mapped include/net/ipv6.h:749 [inline] RIP: 0010:udpv6_sendmsg+0xd0a/0x2c70 net/ipv6/udp.c:1361 ... Call Trace: do_udp_sendmsg net/rxrpc/output.c:27 [inline] do_udp_sendmsg net/rxrpc/output.c:21 [inline] rxrpc_send_abort_packet+0x73b/0x860 net/rxrpc/output.c:367 rxrpc_release_calls_on_socket+0x211/0x300 net/rxrpc/call_object.c:595 rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline] rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:917 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x18/0x20 net/socket.c:1365 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16b/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb35/0x2a20 kernel/exit.c:820 do_group_exit+0xd0/0x2a0 kernel/exit.c:950 __do_sys_exit_group kernel/exit.c:961 [inline] __se_sys_exit_group kernel/exit.c:959 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:959 Fixes: ed472b0c8783 ("rxrpc: Call udp_sendmsg() directly") Reported-by: Eric Dumazet Suggested-by: Eric Dumazet Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org --- net/rxrpc/output.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index 46432e70a16b..a2fe1a262f8a 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -18,15 +18,21 @@ =20 extern int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len); =20 -static ssize_t do_udp_sendmsg(struct socket *sk, struct msghdr *msg, size_= t len) +static ssize_t do_udp_sendmsg(struct socket *socket, struct msghdr *msg, s= ize_t len) { -#if IS_ENABLED(CONFIG_AF_RXRPC_IPV6) struct sockaddr *sa =3D msg->msg_name; + struct sock *sk =3D socket->sk; =20 - if (sa->sa_family =3D=3D AF_INET6) - return udpv6_sendmsg(sk->sk, msg, len); -#endif - return udp_sendmsg(sk->sk, msg, len); + if (IS_ENABLED(CONFIG_AF_RXRPC_IPV6)) { + if (sa->sa_family =3D=3D AF_INET6) { + if (sk->sk_family !=3D AF_INET6) { + pr_warn("AF_INET6 address on AF_INET socket\n"); + return -ENOPROTOOPT; + } + return udpv6_sendmsg(sk, msg, len); + } + } + return udp_sendmsg(sk, msg, len); } =20 struct rxrpc_abort_buffer { From nobody Mon Apr 13 18:37:02 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 441CDC433FE for ; Wed, 16 Nov 2022 08:18:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238675AbiKPISs (ORCPT ); Wed, 16 Nov 2022 03:18:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238650AbiKPISG (ORCPT ); Wed, 16 Nov 2022 03:18:06 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 158662652 for ; Wed, 16 Nov 2022 00:17:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1668586626; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4FUxSmniLD14VLHoPL3KFajG/AKabia6aRRvo1/Xox4=; b=hQpcj5Xj5bhq8p76i5OCbYNXq7y71gPXjvPmB1cfBfE4+stADiCEUHbjaYwWEArb/OhCpQ eai8ODoUXAWBJCFiLX4Grx9n7CxXGs4I0LkJ/hS94qQroOMVJGMVH2nfARmSpoBg8nE0t9 9Q+FGvFYLGO7tQbyF3FhhH4jo3qmsjQ= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-635-D9a8XzmmPfG5YNHHKLdqnA-1; Wed, 16 Nov 2022 03:17:03 -0500 X-MC-Unique: D9a8XzmmPfG5YNHHKLdqnA-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6162C3C10ED2; Wed, 16 Nov 2022 08:17:01 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.33.36.24]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7D559C1912A; Wed, 16 Nov 2022 08:17:00 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH net-next 3/3] rxrpc: Fix network address validation From: David Howells To: netdev@vger.kernel.org Cc: dhowells@redhat.com, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Date: Wed, 16 Nov 2022 08:16:57 +0000 Message-ID: <166858661773.2154965.17789493627949980987.stgit@warthog.procyon.org.uk> In-Reply-To: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> References: <166858659236.2154965.18023032361364343888.stgit@warthog.procyon.org.uk> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.8 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix network address validation on entry to uapi functions such as connect() for AF_RXRPC. The check for address compatibility with the transport socket isn't correct and allows an AF_INET6 address to be given to an AF_INET socket, resulting in an oops now that rxrpc is calling udp_sendmsg() directly. Sample program: #define _GNU_SOURCE #include #include #include #include #include static unsigned char ctrl[256] =3D "\x18\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x01"; int main(void) { struct sockaddr_rxrpc srx =3D { .srx_family =3D AF_RXRPC, .transport_type =3D SOCK_DGRAM, .transport_len =3D 28, .transport.sin6.sin6_family =3D AF_INET6, }; struct mmsghdr vec =3D { .msg_hdr.msg_control =3D ctrl, .msg_hdr.msg_controllen =3D 0x18, }; int s; s =3D socket(AF_RXRPC, SOCK_DGRAM, AF_INET); if (s < 0) { perror("socket"); exit(1); } if (connect(s, (struct sockaddr *)&srx, sizeof(srx)) < 0) { perror("connect"); exit(1); } if (sendmmsg(s, &vec, 1, MSG_NOSIGNAL | MSG_MORE) < 0) { perror("sendmmsg"); exit(1); } return 0; } If working properly, connect() should fail with EAFNOSUPPORT. Fixes: ed472b0c8783 ("rxrpc: Call udp_sendmsg() directly") Reported-by: Eric Dumazet Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org --- net/rxrpc/af_rxrpc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index 2f3991cf8715..aacdd96a9886 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c @@ -93,12 +93,11 @@ static int rxrpc_validate_address(struct rxrpc_sock *rx, srx->transport_len > len) return -EINVAL; =20 - if (srx->transport.family !=3D rx->family && - srx->transport.family =3D=3D AF_INET && rx->family !=3D AF_INET6) - return -EAFNOSUPPORT; - switch (srx->transport.family) { case AF_INET: + if (rx->family !=3D AF_INET && + rx->family !=3D AF_INET6) + return -EAFNOSUPPORT; if (srx->transport_len < sizeof(struct sockaddr_in)) return -EINVAL; tail =3D offsetof(struct sockaddr_rxrpc, transport.sin.__pad); @@ -106,6 +105,8 @@ static int rxrpc_validate_address(struct rxrpc_sock *rx, =20 #ifdef CONFIG_AF_RXRPC_IPV6 case AF_INET6: + if (rx->family !=3D AF_INET6) + return -EAFNOSUPPORT; if (srx->transport_len < sizeof(struct sockaddr_in6)) return -EINVAL; tail =3D offsetof(struct sockaddr_rxrpc, transport) +