Patch "net/ieee802154: don't warn zero-sized raw_sendmsg()" has been added to the 4.9-stable tree

This is a note to let you know that I've just added the patch titled

    net/ieee802154: don't warn zero-sized raw_sendmsg()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 637fd3cc21e4aacaf120b725f0aad9282f5f2126
Author: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Date:   Tue Oct 4 21:47:50 2022 -0400

    net/ieee802154: don't warn zero-sized raw_sendmsg()
    
    [ Upstream commit b12e924a2f5b960373459c8f8a514f887adf5cac ]
    
    syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
    for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
    __dev_queue_xmit() with skb->len == 0.
    
    Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
    able to return 0, don't call __dev_queue_xmit() if packet length is 0.
    
      ----------
      #include <sys/socket.h>
      #include <netinet/in.h>
    
      int main(int argc, char *argv[])
      {
        struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
        struct iovec iov = { };
        struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
        sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
        return 0;
      }
      ----------
    
    Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
    redirect packets with invalid pkt_len") should be reverted, for
    skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
    
    Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 [1]
    Reported-by: syzbot <syzbot+5ea725c25d06fb9114c4@xxxxxxxxxxxxxxxxxxxxxxxxx>
    Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len")
    Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Alexander Aring <aahringo@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221005014750.3685555-2-aahringo@xxxxxxxxxx
    Signed-off-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index c624a54502f3..aadd445ea88a 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -284,6 +284,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 		err = -EMSGSIZE;
 		goto out_dev;
 	}
+	if (!size) {
+		err = 0;
+		goto out_dev;
+	}
 
 	hlen = LL_RESERVED_SPACE(dev);
 	tlen = dev->needed_tailroom;
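Review bot: The new `if (!size)` branch returns success without a comment saying why, and a later reader will not know that the early exit exists to keep a zero-length skb away from __dev_queue_xmit(). A one-line comment above the check, for example "zero-length send succeeds without queuing an skb", would record the intent given in the commit message. The exit goes through `out_dev` like the -EMSGSIZE branch just above it, so the cleanup path matches, and `err = 0` equals the requested size, which keeps the return value consistent with a normal send. The hunk only touches raw_sendmsg(); it is worth confirming that no other send path in net/ieee802154/socket.c can still hand an skb with skb->len == 0 to the transmit path.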


