From patchwork Sun Jul 8 06:00:01 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 940899
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet
Subject: [PATCH net] tcp: cleanup copied_seq and urg_data in tcp_disconnect
Date: Sat, 7 Jul 2018 23:00:01 -0700
Message-Id: <20180708060001.59291-1-edumazet@google.com>
X-Mailer: git-send-email 2.18.0.203.gfac676dfb9-goog
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

tcp_zerocopy_receive() relies on tcp_inq() to limit number of bytes
requested by user.

syzbot found that after tcp_disconnect(), tcp_inq() was returning
a stale value (number of bytes in queue before the disconnect).

Note that after this patch, ioctl(fd, SIOCINQ, &val) is also fixed
and returns 0, so this might be a candidate for all known linux kernels.

While we are at this, we probably also should clear urg_data to
avoid other syzkaller reports after it discovers how to deal with
urgent data.

syzkaller repro:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(20000), sin_addr=inet_addr("224.0.0.1")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(20000), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
send(3, ..., 4096, 0) = 4096
connect(3, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 128) = 0
getsockopt(3, SOL_TCP, TCP_ZEROCOPY_RECEIVE, ..., [16]) = 0 // CRASH

Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
---
 net/ipv4/tcp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index c959bb6ea4ed7c7e236a701209ec3aa493961a0a..0d43705dd001c4bf6d41afd5515327c7585da184 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2562,6 +2562,8 @@ int tcp_disconnect(struct sock *sk, int flags) tcp_clear_xmit_timers(sk); __skb_queue_purge(&sk->sk_receive_queue); + tp->copied_seq = tp->rcv_nxt; + tp->urg_data = 0; tcp_write_queue_purge(sk); tcp_fastopen_active_disable_ofo_check(sk); skb_rbtree_purge(&tp->out_of_order_queue);
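Review bot: the two added lines after `__skb_queue_purge(&sk->sk_receive_queue);` carry no comment, and the reason they must sit right after that purge (the receive queue is empty at this point, so whatever tcp_inq() and SIOCINQ derive from copied_seq should now report nothing pending) lives only in the commit message; a one-line comment such as `/* tcp_inq() / SIOCINQ must report 0 after disconnect */` would keep that from being lost. Also, the commit message says the SIOCINQ part of this is a candidate for all known kernels, yet the only Fixes: tag names 05255b823a61 (the TCP_ZEROCOPY_RECEIVE commit); if the stale SIOCINQ result predates that commit, a second Fixes: line or an explicit stable note would make the intended backport scope clear.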
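As an added example (not part of this patch or the kernel tree): a user-space regression check for the behaviour the commit message describes, built on a loopback socket pair instead of the repro's multicast bind; it leaves 4096 bytes unread on a TCP socket, disconnects it with connect(AF_UNSPEC) and returns what SIOCINQ reports afterwards, which is 0 on a kernel carrying this fix. The function name `inq_after_disconnect` is an assumption, and the check is Linux only.

```c
#include <arpa/inet.h>
#include <linux/sockios.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added check, not kernel code: returns what SIOCINQ reports for a TCP socket
 * that still had unread bytes when it was disconnected, or -1 if the loopback
 * setup failed. With this patch the answer is 0; the stale copied_seq it fixes
 * would report the bytes that were queued before the disconnect. */
int inq_after_disconnect(void)
{
	int lfd = socket(AF_INET, SOCK_STREAM, 0);
	int cfd = socket(AF_INET, SOCK_STREAM, 0);
	struct sockaddr_in addr = { .sin_family = AF_INET };
	socklen_t alen = sizeof(addr);
	struct pollfd pfd = { .events = POLLIN };
	char buf[4096];
	int sfd = -1, inq = 0, rc = -1;

	if (lfd < 0 || cfd < 0)
		goto out;
	/* Constructed setup: listener on 127.0.0.1, port chosen by the kernel. */
	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (bind(lfd, (struct sockaddr *)&addr, alen) || listen(lfd, 1) ||
	    getsockname(lfd, (struct sockaddr *)&addr, &alen) ||
	    connect(cfd, (struct sockaddr *)&addr, alen))
		goto out;
	sfd = accept(lfd, NULL, NULL);
	if (sfd < 0)
		goto out;
	/* Leave 4096 bytes unread on the accepted side, like the repro's send(). */
	memset(buf, 'A', sizeof(buf));
	pfd.fd = sfd;
	if (send(cfd, buf, sizeof(buf), 0) != (ssize_t)sizeof(buf) ||
	    poll(&pfd, 1, 2000) != 1 || ioctl(sfd, SIOCINQ, &inq) || inq <= 0)
		goto out;	/* nothing queued: not a valid run */
	/* connect(AF_UNSPEC) is the user-space path into tcp_disconnect(). */
	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_UNSPEC;
	if (connect(sfd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
	    ioctl(sfd, SIOCINQ, &inq) == 0)
		rc = inq;	/* 0 once tcp_disconnect() resets copied_seq */
out:
	close(sfd); close(cfd); close(lfd);	/* close(-1) just fails with EBADF */
	return rc;
}
```

On an unfixed kernel the function returns the byte count that was queued before the disconnect, which is exactly the stale value tcp_zerocopy_receive() would have trusted.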