This is a note to let you know that I've just added the patch titled

    [PATCH 4.4 05/16] udp: properly support MSG_PEEK with truncated buffers

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udp-properly-support-msg_peek-with-truncated-buffers.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From stable-owner@xxxxxxxxxxxxxxx Tue Aug 30 06:36:52 2016
From: "Levin, Alexander" <alexander.levin@xxxxxxxxxxx>
Date: Tue, 30 Aug 2016 00:34:58 -0400
Subject: [PATCH 4.4 05/16] udp: properly support MSG_PEEK with truncated buffers
To: "gregkh@xxxxxxxxxxxxxxxxxxx" <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: "stable@xxxxxxxxxxxxxxx" <stable@xxxxxxxxxxxxxxx>
Message-ID: <1472531709-18002-6-git-send-email-alexander.levin@xxxxxxxxxxx>

From: Eric Dumazet <edumazet@xxxxxxxxxx>

[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
    skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                     msg->msg_iov);
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
    skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead of reverting Herbert Xu's patch and adding back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/udp.c | 6 ++++-- net/ipv6/udp.c | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1275,6 +1275,7 @@ int udp_recvmsg(struct sock *sk, struct int peeked, off = 0; int err; int is_udplite = IS_UDPLITE(sk); + bool checksum_valid = false; bool slow; if (flags & MSG_ERRQUEUE) @@ -1300,11 +1301,12 @@ try_again: */ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { - if (udp_lib_checksum_complete(skb)) + checksum_valid = !udp_lib_checksum_complete(skb); + if (!checksum_valid) goto csum_copy_err; } - if (skb_csum_unnecessary(skb)) + if (checksum_valid || skb_csum_unnecessary(skb)) err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), msg, copied); else { --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struc int peeked, off = 0; int err; int is_udplite = IS_UDPLITE(sk); + bool checksum_valid = false; int is_udp4; bool slow; 
@@ -433,11 +434,12 @@ try_again: */ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { - if (udp_lib_checksum_complete(skb)) + checksum_valid = !udp_lib_checksum_complete(skb); + if (!checksum_valid) goto csum_copy_err; } - if (skb_csum_unnecessary(skb)) + if (checksum_valid || skb_csum_unnecessary(skb)) err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), msg, copied); else {

Patches currently in stable-queue which might be from alexander.levin@xxxxxxxxxxx are
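Review bot: In the net/ipv4/udp.c hunk under try_again:, checksum_valid is only assigned inside the `copied < ulen || UDP_SKB_CB(skb)->partial_cov` branch and otherwise depends on the `= false` initializer added at the top of udp_recvmsg(). The only jump visible here, `goto csum_copy_err`, is taken with the flag false, so a pass back through the label starts clean today. An explicit `checksum_valid = false;` right after try_again: would keep it that way if another exit path is added later, since a stale true would send the next skb through skb_copy_datagram_msg() with no checksum verification at all.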
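Review bot: In the net/ipv6/udp.c hunk under try_again:, the new `checksum_valid || skb_csum_unnecessary(skb)` test creates an invariant that is not written down anywhere: the `else {` branch can now only run when copied >= ulen and partial_cov is clear, because every pass through the first `if` either jumps to csum_copy_err or sets checksum_valid. A one-line comment above the `else` stating this would stop a later cleanup from folding the two tests back together. The backport changelog should also say which call sits in that branch on 4.4, since the commit message names skb_copy_and_csum_datagram_iovec() while the context line here already uses skb_copy_datagram_msg().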
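The user-visible contract the commit message describes (MSG_PEEK into a buffer smaller than the datagram must return the truncated bytes, not -EFAULT) can be checked from userspace; this is an added example, not part of the patch or the stable tree. It assumes a working loopback interface, and the names recv_short and check_peek_truncated are made up here. Loopback traffic may skip the software checksum path, so a full regression run needs datagrams arriving from a real NIC.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* One receive into a short buffer: bytes copied (or -1) and MSG_TRUNC seen. */
struct short_recv { ssize_t n; int truncated; };

static struct short_recv recv_short(int fd, int flags, char *buf, size_t len)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    struct short_recv r;

    r.n = recvmsg(fd, &msg, flags);
    r.truncated = r.n >= 0 && (msg.msg_flags & MSG_TRUNC) != 0;
    return r;
}

/* Constructed test: send one 64-byte datagram to our own loopback socket,
 * then read it twice with an 8-byte buffer, first with MSG_PEEK, then for
 * real. Returns 0 when both reads give 8 bytes with MSG_TRUNC set, or the
 * number of the step that failed (3 is the case that returned -EFAULT). */
int check_peek_truncated(void)
{
    char payload[64], small[8];
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof(a);
    struct short_recv r;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0) return 1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    memset(payload, 'A', sizeof(payload));
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0 ||
        sendto(fd, payload, sizeof(payload), 0,
               (struct sockaddr *)&a, sizeof(a)) != (ssize_t)sizeof(payload)) {
        close(fd);
        return 2;
    }
    r = recv_short(fd, MSG_PEEK, small, sizeof(small));
    if (r.n != (ssize_t)sizeof(small) || !r.truncated) { close(fd); return 3; }
    r = recv_short(fd, 0, small, sizeof(small));  /* peek left it queued */
    close(fd);
    return (r.n == (ssize_t)sizeof(small) && r.truncated) ? 0 : 4;
}

int main(void) { return check_peek_truncated(); }
```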