mirros/rockchip-kernel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98de4e0ea47d106846fc0e30ce4e644283fa7fc2
rockchip-kernel/include/net
History
Alexander Potapenko b1f5bfc27a sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() 
If the length field of the iterator (|pos.p| or |err|) is past the end
of the chunk, we shouldn't access it.

This bug has been detected by KMSAN. For the following pair of system
calls:

  socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3
  sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0),
         inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0,
         sin6_scope_id=0}, 28) = 1

the tool has reported a use of uninitialized memory:

  ==================================================================
  BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0
  CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
  01/01/2011
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x172/0x1c0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
   __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
   __sctp_rcv_init_lookup net/sctp/input.c:1074
   __sctp_rcv_lookup_harder net/sctp/input.c:1233
   __sctp_rcv_lookup net/sctp/input.c:1255
   sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170
   sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984
   ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
   dst_input ./include/net/dst.h:492
   ip6_rcv_finish net/ipv6/ip6_input.c:69
   NF_HOOK ./include/linux/netfilter.h:257
   ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
   __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
   __netif_receive_skb net/core/dev.c:4246
   process_backlog+0x667/0xba0 net/core/dev.c:4866
   napi_poll net/core/dev.c:5268
   net_rx_action+0xc95/0x1590 net/core/dev.c:5333
   __do_softirq+0x485/0x942 kernel/softirq.c:284
   do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
   </IRQ>
   do_softirq kernel/softirq.c:328
   __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181
   local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31
   rcu_read_unlock_bh ./include/linux/rcupdate.h:931
   ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124
   ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149
   NF_HOOK_COND ./include/linux/netfilter.h:246
   ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163
   dst_output ./include/net/dst.h:486
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261
   sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225
   sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
  RIP: 0033:0x401133
  RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133
  RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003
  RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c
  R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
  R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000
  origin:
   save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
   kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
   kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211
   slab_alloc_node mm/slub.c:2743
   __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351
   __kmalloc_reserve net/core/skbuff.c:138
   __alloc_skb+0x26b/0x840 net/core/skbuff.c:231
   alloc_skb ./include/linux/skbuff.h:933
   sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
  ==================================================================

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-15 14:39:41 -07:00
..
9p
9p: constify ->d_name handling
2017-01-12 04:01:17 -05:00
bluetooth
Bluetooth: Set LE Default PHY preferences
2017-05-18 13:52:49 +02:00
caif
irda
scripts/spelling.txt: add "overide" pattern and fix typo instances
2017-03-09 17:01:09 -08:00
iucv
s390/iucv: do not use arrays as argument
2015-09-21 16:03:04 -07:00
netfilter
net: convert nf_bridge_info.use from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
netns
tcp: Namespaceify sysctl_tcp_timestamps
2017-06-08 10:53:29 -04:00
nfc
NFC: Add nfc_dbg() macro
2017-04-05 10:15:20 +02:00
phonet
sock: struct proto hash function may error
2016-02-11 03:54:14 -05:00
sctp
sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
2017-07-15 14:39:41 -07:00
tc_act
net: sched: introduce helper to identify gact trap action
2017-06-06 12:45:23 -04:00
6lowpan.h
6lowpan: Fix IID format for Bluetooth
2017-04-12 22:02:36 +02:00
act_api.h
net: sched: add termination action to allow goto chain
2017-05-17 15:22:13 -04:00
addrconf.h
net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
af_ieee802154.h
ieee802154: af_ieee802154: fix typo in comment.
2015-09-17 13:20:05 +02:00
af_rxrpc.h
rxrpc: Provide a cmsg to specify the amount of Tx data for a call
2017-06-07 17:15:46 +01:00
af_unix.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
af_vsock.h
VSOCK: Add vsockmon tap functions
2017-04-24 12:35:56 -04:00
ah.h
arp.h
net: convert neighbour.refcnt from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
atmclip.h
ax25.h
net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
2017-07-04 22:35:19 +01:00
ax88796.h
bond_3ad.h
bonding: 3ad: apply ad_actor settings changes immediately
2016-02-09 04:45:49 -05:00
bond_alb.h
bond_options.h
bonding: Prevent duplicate userspace notification
2017-05-27 18:51:41 -04:00
bonding.h
bonding: fix wq initialization for links created via netlink
2017-04-21 15:28:37 -04:00
busy_poll.h
net: Commonize busy polling code to focus on napi_id instead of socket
2017-03-24 20:49:31 -07:00
calipso.h
net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h
nl80211: add authorized flag to ROAM event
2017-06-13 11:04:37 +02:00
cfg802154.h
ieee802154: add netns support
2016-07-08 12:20:57 +02:00
checksum.h
csum: eliminate sparse warning in remcsum_unadjust()
2017-01-20 12:12:13 -05:00
cipso_ipv4.h
net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
cls_cgroup.h
cls_cgroup: get sk_classid only from full sockets
2016-04-19 20:09:25 -04:00
codel_impl.h
codel: split into multiple files
2016-04-25 16:44:27 -04:00
codel_qdisc.h
net_sched: fq_codel: cache skb->truesize into skb->cb
2016-06-25 12:19:35 -04:00
codel.h
codel: split into multiple files
2016-04-25 16:44:27 -04:00
compat.h
packet: compat support for sock_fprog
2016-06-09 23:41:03 -07:00
datalink.h
dcbevent.h
dcbnl.h
devlink.h
net/devlink: Add E-Switch encapsulation control
2017-04-22 20:26:37 +03:00
dn_dev.h
dn_fib.h
net, decnet: convert dn_fib_info.fib_clntref from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
dn_neigh.h
netfilter: Pass net into okfn
2015-09-17 17:18:37 -07:00
dn_nsp.h
dn_route.h
dn.h
dsa.h
net: dsa: Associate slave network device with CPU port
2017-06-13 16:35:03 -04:00
dsfield.h
dst_cache.h
net: add dst_cache support
2016-02-16 20:21:48 -05:00
dst_metadata.h
net: store port/representator id in metadata_dst
2017-06-25 11:42:01 -04:00
dst_ops.h
net: add confirm_neigh method to dst_ops
2017-02-07 13:07:46 -05:00
dst.h
net: add debug atomic_inc_not_zero() in dst_hold()
2017-06-17 22:54:01 -04:00
esp.h
esp6: Reorganize esp_output
2017-04-14 10:06:42 +02:00
ethoc.h
net/ethoc: support big-endian register layout
2015-09-23 15:33:15 -07:00
fib_rules.h
net: convert fib_rule.refcnt from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
firewire.h
flow_dissector.h
net/flow_dissector: add support for dissection of misc ip header fields
2017-06-04 18:12:23 -04:00
flow.h
flowcache: make flow_key_size() return "unsigned int"
2017-04-03 19:04:48 -07:00
flowcache.h
flowcache: more "unsigned int"
2017-04-03 19:04:48 -07:00
fou.h
fou: Add encap ops for IPv6 tunnels
2016-05-20 18:03:16 -04:00
fq_impl.h
fq.h: Port memory limit mechanism from fq_codel
2016-09-30 13:29:21 +02:00
fq.h
fq.h: Port memory limit mechanism from fq_codel
2016-09-30 13:29:21 +02:00
garp.h
gen_stats.h
net_sched: gen_estimator: complete rewrite of rate estimators
2016-12-05 15:21:59 -05:00
genetlink.h
genetlink: remove ops_list from genetlink header.
2017-06-05 10:54:55 -04:00
geneve.h
net: Remove deprecated tunnel specific UDP offload functions
2016-06-17 20:23:32 -07:00
gre.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-08-18 01:17:32 -04:00
gro_cells.h
gro_cells: move to net/core/gro_cells.c
2017-02-08 14:38:18 -05:00
gtp.h
gtp: #define #define _GTP_H_ and not #define _GTP_H
2016-07-25 17:55:43 -07:00
gue.h
hwbm.h
net: add a hardware buffer management helper API
2016-03-14 12:19:46 -04:00
icmp.h
net: snmp: kill STATS_BH macros
2016-04-27 22:48:25 -04:00
ieee80211_radiotap.h
wireless: radiotap: rewrite the radiotap header file
2017-01-25 16:00:33 +01:00
ieee802154_netdev.h
mac802154: constify ieee802154_llsec_ops structure
2016-01-04 20:40:41 +01:00
if_inet6.h
net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
ife.h
net: Introduce ife encapsulation module
2017-02-03 15:16:45 -05:00
ila.h
ila: Add generic ILA translation facility
2015-12-15 23:25:20 -05:00
inet6_connection_sock.h
inet: drop ->bind_conflict
2017-01-18 13:04:28 -05:00
inet6_hashtables.h
tcp/dccp: do not touch listener sk_refcnt under synflood
2016-04-04 22:11:20 -04:00
inet_common.h
net: Work around lockdep limitation in sockets that use sockets
2017-03-09 18:23:27 -08:00
inet_connection_sock.h
tcp: ULP infrastructure
2017-06-15 12:12:40 -04:00
inet_ecn.h
ipv6: suppress sparse warnings in IP6_ECN_set_ce()
2016-08-13 15:08:00 -07:00
inet_frag.h
Merge branch 'for-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
2017-07-06 08:59:41 -07:00
inet_hashtables.h
net: make sk_ehashfn() static
2017-07-03 03:29:14 -07:00
inet_sock.h
net/tcp-fastopen: Add new API support
2017-01-25 14:04:38 -05:00
inet_timewait_sock.h
ipv4: Namespaceify tcp_tw_recycle and tcp_max_tw_buckets knob
2016-12-29 11:38:31 -05:00
inetpeer.h
net: convert inet_peer.refcnt from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
ip6_checksum.h
ipv6: Pass proto to csum_ipv6_magic as __u8 instead of unsigned short
2016-03-13 23:55:13 -04:00
ip6_fib.h
net: remove DST_NOCACHE flag
2017-06-17 22:54:01 -04:00
ip6_route.h
net: ipv6: Compare lwstate in detecting duplicate nexthops
2017-07-06 10:48:01 +01:00
ip6_tunnel.h
ip6_tunnel: Allow policy-based routing through tunnels
2017-04-21 13:21:30 -04:00
ip_fib.h
net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
ip_tunnels.h
ip_tunnel: Allow policy-based routing through tunnels
2017-04-21 13:21:31 -04:00
ip_vs.h
ipvs: remove unused function ip_vs_set_state_timeout
2017-04-28 12:00:10 +02:00
ip.h
net: ipv4: Refine the ipv4_default_advmss
2017-04-13 13:19:48 -04:00
ipcomp.h
ipconfig.h
ipv6.h
net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t
2017-07-04 01:29:03 -07:00
ipx.h
net, ipx: convert ipx_route.refcnt from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
iw_handler.h
wext: uninline stream addition functions
2017-01-13 09:38:42 +01:00
kcm.h
kcm: Use stream parser
2016-08-17 19:36:23 -04:00
l3mdev.h
net: ipv4: Do not drop to make_route if oif is l3mdev
2016-10-13 12:05:26 -04:00
lapb.h
net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
net, llc: convert llc_sap.refcnt from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
lwtunnel.h
net: add extack arg to lwtunnel build state
2017-05-30 11:55:32 -04:00
mac80211.h
mac80211: manage RX BA session offload without SKB queue
2017-06-08 14:16:29 +02:00
mac802154.h
ieee802154: cleanup WARN_ON for fc fetch
2016-07-08 13:23:12 +02:00
mip6.h
mld.h
mpls_iptunnel.h
net: mpls: Increase max number of labels for lwt encap
2017-04-01 20:21:44 -07:00
mpls.h
openvswitch: use mpls_hdr
2016-10-03 02:00:22 -04:00
mrp.h
ncsi.h
net/ncsi: Introduce ncsi_stop_dev()
2016-10-04 02:11:51 -04:00
ndisc.h
net: convert neighbour.refcnt from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
neighbour.h
net: convert neigh_params.refcnt from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
net_namespace.h
net: convert net.passive from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
net_ratelimit.h
netevent.h
neigh: Send a notification when DELAY_PROBE_TIME changes
2016-07-05 09:06:29 -07:00
netlabel.h
net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
netlink.h
netlink: correctly document nla_put_u64_64bit()
2017-07-13 09:26:27 -07:00
netprio_cgroup.h
net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct
2015-12-08 22:02:33 -05:00
netrom.h
net, netrom: convert nr_node.refcount from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
nexthop.h
nl802154.h
ieee802154: add netns support
2016-07-08 12:20:57 +02:00
p8022.h
ping.h
net: ping: make ping_v6_sendmsg static
2016-03-23 22:09:58 -04:00
pkt_cls.h
sched: add helper for updating statistics on all actions
2017-05-31 17:58:13 -04:00
pkt_sched.h
net: sched: move tc_classify function to cls_api.c
2017-05-17 15:22:13 -04:00
pptp.h
pptp: Refactor the struct and macros of PPTP codes
2016-08-15 10:55:53 -07:00
protocol.h
net: Add sysctl to toggle early demux for tcp and udp
2017-03-24 13:17:07 -07:00
psample.h
net: Introduce psample, a new genetlink channel for packet sampling
2017-01-24 13:44:28 -05:00
psnap.h
raw.h
net: ip, diag -- Add diag interface for raw sockets
2016-10-23 19:35:24 -04:00
rawv6.h
net: ip, diag -- Add diag interface for raw sockets
2016-10-23 19:35:24 -04:00
red.h
ktime: Get rid of the union
2016-12-25 17:21:22 +01:00
regulatory.h
request_sock.h
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
rose.h
route.h
ipv4: call dst_hold_safe() properly
2017-06-17 22:54:00 -04:00
rtnetlink.h
net: add netlink_ext_ack argument to rtnl_link_ops.slave_validate
2017-06-26 23:13:22 -04:00
sch_generic.h
net, sched: convert Qdisc.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
scm.h
sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h>
2017-03-02 08:42:31 +01:00
secure_seq.h
tcp: Namespaceify sysctl_tcp_timestamps
2017-06-08 10:53:29 -04:00
seg6_hmac.h
ipv6: sr: add core files for SR HMAC support
2016-11-09 20:40:06 -05:00
seg6.h
ipv6: sr: add core files for SR HMAC support
2016-11-09 20:40:06 -05:00
slhc_vj.h
smc.h
smc: netlink interface for SMC sockets
2017-01-09 16:07:41 -05:00
snmp.h
net: snmp: fix 64bit stats on 32bit arches
2016-04-28 11:49:45 -04:00
sock_reuseport.h
soreuseport: fix NULL ptr dereference SO_REUSEPORT after bind
2016-01-19 14:44:23 -05:00
sock.h
socket: add documentation for missing elements
2017-07-12 14:39:43 -07:00
Space.h
stp.h
strparser.h
kcm: Remove TCP specific references from kcm and strparser
2016-08-28 23:32:41 -04:00
switchdev.h
net: switchdev: add SET_SWITCHDEV_OPS helper
2017-07-01 08:51:32 -07:00
tcp_states.h
tcp.h
bpf: Add support for changing congestion control
2017-07-01 16:15:14 -07:00
timewait_sock.h
inet: remove BUG_ON() in twsk_destructor()
2015-07-09 15:12:20 -07:00
tls.h
tls: kernel TLS support
2017-06-15 12:12:40 -04:00
transp_v6.h
ipv6: add new struct ipcm6_cookie
2016-05-03 16:08:14 -04:00
tso.h
net: tso: add support for IPv6
2015-10-26 22:24:22 -07:00
udp_tunnel.h
vxlan: Add new UDP encapsulation offload type for VXLAN-GPE
2016-06-17 20:23:32 -07:00
udp.h
udp: move scratch area helpers into the include file
2017-06-27 15:43:56 -04:00
udplite.h
udp: use a separate rx queue for packet reception
2017-05-16 15:41:29 -04:00
vsock_addr.h
vxlan.h
net, vxlan: convert vxlan_sock.refcnt from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
wext.h
dev_ioctl: copy only the smaller struct iwreq for wext
2017-06-14 13:52:44 +02:00
wimax.h
x25.h
net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
2017-07-04 22:35:18 +01:00
x25device.h
xfrm.h
net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
2017-07-04 22:35:18 +01:00