From dad60816757b439ca51b34dc7c7d34d8b9f33a2f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 27 Jan 2024 13:27:07 -0800
Subject: [PATCH] 6.1-stable patches

added patches:
nbd-always-initialize-struct-msghdr-completely.patch
---
 ...-initialize-struct-msghdr-completely.patch | 77 +++++++++++++++++++
 queue-6.1/series | 1 +
 2 files changed, 78 insertions(+)
 create mode 100644 queue-6.1/nbd-always-initialize-struct-msghdr-completely.patch

diff --git a/queue-6.1/nbd-always-initialize-struct-msghdr-completely.patch b/queue-6.1/nbd-always-initialize-struct-msghdr-completely.patch
new file mode 100644
index 00000000000..ce915528900
--- /dev/null
+++ b/queue-6.1/nbd-always-initialize-struct-msghdr-completely.patch
@@ -0,0 +1,77 @@
+From 53a5a05195516274e37ebefa023bcaef003a1da4 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 26 Jan 2024 20:59:08 -0700
+Subject: nbd: always initialize struct msghdr completely
+
+From: Eric Dumazet
+
+commit 78fbb92af27d0982634116c7a31065f24d092826 upstream.
+
+syzbot complains that msg->msg_get_inq value can be uninitialized [1]
+
+struct msghdr got many new fields recently, we should always make
+sure their values is zero by default.
+
+[1]
+ BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
+ tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571
+ inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879
+ sock_recvmsg_nosec net/socket.c:1044 [inline]
+ sock_recvmsg+0x12b/0x1e0 net/socket.c:1066
+ __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538
+ nbd_read_reply drivers/block/nbd.c:732 [inline]
+ recv_work+0x262/0x3100 drivers/block/nbd.c:863
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
+ worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
+ kthread+0x3ed/0x540 kernel/kthread.c:388
+ ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
+
+Local variable msg created at:
+ __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513
+ nbd_read_reply drivers/block/nbd.c:732 [inline]
+ recv_work+0x262/0x3100 drivers/block/nbd.c:863
+
+CPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+Workqueue: nbd5-recv recv_work
+
+Fixes: f94fd25cb0aa ("tcp: pass back data left in socket after receive")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: stable@vger.kernel.org
+Cc: Josef Bacik
+Cc: Jens Axboe
+Cc: linux-block@vger.kernel.org
+Cc: nbd@other.debian.org
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20240112132657.647112-1-edumazet@google.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -494,7 +494,7 @@ static int __sock_xmit(struct nbd_device
+ struct iov_iter *iter, int msg_flags, int *sent)
+ {
+ int result;
+- struct msghdr msg;
++ struct msghdr msg = { };
+ unsigned int noreclaim_flag;
+ 
+ if (unlikely(!sock)) {
+@@ -509,10 +509,6 @@ static int __sock_xmit(struct nbd_device
+ noreclaim_flag = memalloc_noreclaim_save();
+ do {
+ sock->sk->sk_allocation = GFP_NOIO | __GFP_MEMALLOC;
+- msg.msg_name = NULL;
+- msg.msg_namelen = 0;
+- msg.msg_control = NULL;
+- msg.msg_controllen = 0;
+ msg.msg_flags = msg_flags | MSG_NOSIGNAL;
+ 
+ if (send)
diff --git a/queue-6.1/series b/queue-6.1/series
index c8c5770a08c..8ed0104c7e1 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -113,3 +113,4 @@ net-mvpp2-clear-bm-pool-before-initialization.patch
 selftests-netdevsim-fix-the-udp_tunnel_nic-test.patch
 fjes-fix-memleaks-in-fjes_hw_setup.patch
 net-fec-fix-the-unhandled-context-fault-from-smmu.patch
+nbd-always-initialize-struct-msghdr-completely.patch
-- 
2.47.3
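Review bot: A one-line comment on the new `struct msghdr msg = { };` in the first nbd.c hunk would help whoever backports the next msghdr change, because the commit message is the only place explaining why the four explicit field resets were dropped, e.g. `/* zero-init: recvmsg reads newer members (msg_get_inq) that per-field resets never covered */`. The zeroing also moved from inside the do/while to the declaration, so msg_name/msg_namelen/msg_control/msg_controllen are no longer reset on each loop iteration; that is only safe if the socket layer never writes those members back for a msg with no name or control buffer, which appears to hold for the TCP/UNIX sockets nbd uses but is worth a sentence in that comment. `msg.msg_flags` is still reassigned at the top of every iteration, so any flags the receive path writes back are cleared. Both nbd.c hunks are excerpts of __sock_xmit; the loop body and the function's tail lie outside them.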