Skip to content

Commit 11a4d6f

Browse files
Tung Nguyenkuba-moo
Tung Nguyen
authored and
kuba-moo
committed
tipc: fix kernel warning when sending SYN message
When sending a SYN message, this kernel stack trace is observed: ... [ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550 ... [ 13.398494] Call Trace: [ 13.398630] <TASK> [ 13.398630] ? __alloc_skb+0xed/0x1a0 [ 13.398630] tipc_msg_build+0x12c/0x670 [tipc] [ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290 [ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc] [ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? __local_bh_enable_ip+0x37/0x80 [ 13.398630] tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? __sys_connect+0x9f/0xd0 [ 13.398630] __sys_connect+0x9f/0xd0 [ 13.398630] ? preempt_count_add+0x4d/0xa0 [ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50 [ 13.398630] __x64_sys_connect+0x16/0x20 [ 13.398630] do_syscall_64+0x42/0x90 [ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd It is because commit a41dad9 ("iov_iter: saner checks for attempt to copy to/from iterator") has introduced sanity check for copying from/to iov iterator. Lacking of copy direction from the iterator viewpoint would lead to kernel stack trace like above. This commit fixes this issue by initializing the iov iterator with the correct copy direction when sending SYN or ACK without data. Fixes: f25dcc7 ("tipc: tipc ->sendmsg() conversion") Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com Acked-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> Link: https://lore.kernel.org/r/20230214012606.5804-1-tung.q.nguyen@dektech.com.au Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 207ce62 commit 11a4d6f

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

net/tipc/socket.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2614,6 +2614,7 @@ static int tipc_connect(struct socket *sock, struct sockaddr *dest,
26142614
/* Send a 'SYN-' to destination */
26152615
m.msg_name = dest;
26162616
m.msg_namelen = destlen;
2617+
iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);
26172618

26182619
/* If connect is in non-blocking case, set MSG_DONTWAIT to
26192620
* indicate send_msg() is never blocked.
@@ -2776,6 +2777,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags,
27762777
__skb_queue_head(&new_sk->sk_receive_queue, buf);
27772778
skb_set_owner_r(buf, new_sk);
27782779
}
2780+
iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);
27792781
__tipc_sendstream(new_sock, &m, 0);
27802782
release_sock(new_sk);
27812783
exit:

0 commit comments

Comments
 (0)