linux/drivers/net
Craig Gallek 93161922c6 tun/tap: sanitize TUNSETSNDBUF input
Syzkaller found several variants of the lockup below by setting negative
values with the TUNSETSNDBUF ioctl.  This patch adds a sanity check
to both the tun and tap versions of this ioctl.

  watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
  Modules linked in:
  irq event stamp: 329692056
  hardirqs last  enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75
  hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0
  softirqs last  enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c
  softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0
  CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff880009452140 task.stack: ffff880006a20000
  RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
  RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
  RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
  RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
  RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
  R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
  FS:  00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
  Call Trace:
   prepare_to_wait+0x26/0xc0
   sock_alloc_send_pskb+0x14e/0x270
   ? remove_wait_queue+0x60/0x60
   tun_get_user+0x2cc/0x19d0
   ? __tun_get+0x60/0x1b0
   tun_chr_write_iter+0x57/0x86
   __vfs_write+0x156/0x1e0
   vfs_write+0xf7/0x230
   SyS_write+0x57/0xd0
   entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x7f4be4356df9
  RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
  RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
  RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
  R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
  R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000

Fixes: 33dccbb050 ("tun: Limit amount of queued packets per device")
Fixes: 20d29d7a91 ("net: macvtap driver")
Signed-off-by: Craig Gallek <kraig@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-01 20:52:36 +09:00
appletalk
arcnet
bonding net: bonding: fix tlb_dynamic_lb default value 2017-09-12 20:58:12 -07:00
caif
can can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages 2017-10-24 13:00:36 +02:00
cris
dsa net: dsa: mv88e6060: fix switch MAC address 2017-10-14 18:40:03 -07:00
ethernet mlxsw: i2c: Fix buffer increment counter for write transaction 2017-11-01 20:40:58 +09:00
fddi net: defxx: constify eisa_device_id 2017-08-19 17:13:41 -07:00
fjes
hamradio
hippi
hyperv hv_netvsc: fix send buffer failure on MTU change 2017-09-21 15:17:16 -07:00
ieee802154 ieee802154: ca8210: Fix a potential NULL pointer dereference 2017-08-20 20:51:30 +02:00
ipvlan tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
phy net: phy: marvell: Only configure RGMII delays when using RGMII 2017-11-01 11:26:08 +09:00
plip
ppp ppp: fix race in ppp device destruction 2017-10-06 10:16:34 -07:00
slip
team
usb cdc_ether: flag the Huawei ME906/ME909 as WWAN 2017-10-24 18:32:54 +09:00
vmxnet3
wan net: lapbether: fix double free 2017-11-01 12:11:02 +09:00
wimax wimax/i2400m: Remove VLAIS 2017-10-10 12:35:05 -07:00
wireless Merge ath-current from ath.git 2017-10-31 16:26:48 +02:00
xen-netback xen-netfront, xen-netback: Use correct minimum MTU values 2017-10-16 16:00:44 -04:00
dummy.c
eql.c
geneve.c geneve: Fix function matching VNI and tunnel ID on big-endian 2017-10-21 02:50:42 +01:00
gtp.c
ifb.c
Kconfig x86/lguest: Remove lguest support 2017-08-24 09:57:28 +02:00
LICENSE.SRC
loopback.c
macsec.c macsec: fix memory leaks when skb_to_sgvec fails 2017-10-11 14:07:20 -07:00
macvlan.c macvlan: add offload features for encapsulation 2017-08-18 16:06:54 -07:00
macvtap.c tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
Makefile irda: move drivers/net/irda to drivers/staging/irda/drivers 2017-08-28 16:42:57 -07:00
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tun/tap: sanitize TUNSETSNDBUF input 2017-11-01 20:52:36 +09:00
tun.c tun/tap: sanitize TUNSETSNDBUF input 2017-11-01 20:52:36 +09:00
veth.c
virtio_net.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
vrf.c net: vrf: avoid gcc-4.6 warning 2017-09-15 14:22:21 -07:00
vsockmon.c
vxlan.c vxlan: factor out VXLAN-GPE next protocol 2017-08-29 15:16:52 -07:00
xen-netfront.c xen-netfront, xen-netback: Use correct minimum MTU values 2017-10-16 16:00:44 -04:00