From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 8 Aug 2018 17:23:13 +0000 (+0200)
Subject: bpf, sockmap: fix bpf_tcp_sendmsg sock error handling
X-Git-Tag: v4.17.15~93
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2be94d24f6a7f43087158209391a159a90fe492;p=thirdparty%2Fkernel%2Fstable.git

bpf, sockmap: fix bpf_tcp_sendmsg sock error handling

commit 5121700b346b6160ccc9411194e3f1f417c340d1 upstream.

While working on bpf_tcp_sendmsg() code, I noticed that when a
sk->sk_err is set we error out with err = sk->sk_err. However
this is problematic since sk->sk_err is a positive error value
and therefore we will neither go into sk_stream_error() nor will
we report an error back to user space. I had this case with EPIPE
and user space was thinking sendmsg() succeeded since EPIPE is
a positive value, thinking we submitted 32 bytes. Fix it by
negating the sk->sk_err value.

Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index 642b696514a55..70edc41a88d56 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -952,7 +952,7 @@ static int bpf_tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 		int copy;
 
 		if (sk->sk_err) {
-			err = sk->sk_err;
+			err = -sk->sk_err;
 			goto out_err;
 		}